Monday, 31 January 2011

Elevation of Privilege Revisited

A Game Of Cards

I've written about Adam Shostack's brilliant computer security card game Elevation of Privilege once or twice before. Now that we are finally in possession of our first in-house manufactured deck, I'm busy pulling together an introductory course that hopefully will include enough background for us soon to organise an actual game. One in which people can genuinely participate and have fun, learning a little more about computer security and privacy in the process.

One useful resource in this endeavour is a complete list of all the threats included on the cards of the EoP deck. If you have such a deck, this information is available printed on a small set of special cards. Another good resource is the Microsoft TechNet Wiki, where Alun Jones aims to have a page for each of the six STRIDE suits:
At the time of writing the first two are available as a work in progress; they do already contain some useful threat examples and mitigation strategies.

However, like all SDL material now, the game is Creative Commons licensed, which means that the full list of card threats can also be reprinted for nonprofit purposes. Here then are the suits, the cards, and their threats. Note: ACLs = Access Control Lists; see Glossary.


Spoofing describes any threat allowing an attacker to:
Pretend to be someone or something else.

2 - An attacker could squat on the random port or socket that the server normally uses
3 - An attacker could try one credential after another and there’s nothing to slow them down (online or offline)
4 - An attacker can anonymously connect, because we expect authentication to be done at a higher level
5 - An attacker can confuse a client because there are too many ways to identify a server
6 - An attacker can spoof a server because identifiers aren’t stored on the client and checked for consistency on re-connection (that is, there’s no key persistence)
7 - An attacker can connect to a server or peer over a link that isn’t authenticated (and encrypted)
8 - An attacker could steal credentials stored on the server and reuse them (for example, a key is stored in a world readable file)
9 - An attacker who gets a password can reuse it (Use stronger authenticators)
10 - An attacker can choose to use weaker or no authentication
J - An attacker could steal credentials stored on the client and reuse them
Q - An attacker could go after the way credentials are updated or recovered (account recovery doesn’t require disclosing the old password)
K - Your system ships with a default admin password, and doesn’t force a change
A - You’ve invented a new Spoofing attack


Tampering describes any threat allowing an attacker to:
Alter or destroy data, where this would normally be disallowed by the application.

2 - [no card]
3 - An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto
4 - Your code makes access control decisions all over the place, rather than with a security kernel
5 - An attacker can replay data without detection because your code doesn’t provide timestamps or sequence numbers
6 - An attacker can write to a data store your code relies on
7 - An attacker can bypass permissions because you don’t make names canonical before checking access permissions
8 - An attacker can manipulate data because there’s no integrity protection for data on the network
9 - An attacker can provide or control state information
10 - An attacker can alter information in a data store because it has weak ACLs or includes a group which is equivalent to everyone ("all Live ID holders")
J - An attacker can write to some resource because permissions are granted to the world or there are no ACLs
Q - An attacker can change parameters over a trust boundary and after validation (for example, important parameters in a hidden field in HTML, or passing a pointer to critical memory)
K - An attacker can load code inside your process via an extension point
A - You’ve invented a new Tampering attack


Repudiation describes any threat allowing an attacker to:
Perform an action, then deny that they ever did it.

2 - An attacker can pass data through the log to attack a log reader, and there’s no documentation of what sorts of validation are done
3 - A low privilege attacker can read interesting security information in the logs
4 - An attacker can alter digital signatures because the digital signature system you’re implementing is weak, or uses MACs where it should use a signature
5 - An attacker can alter log messages on a network because they lack strong integrity controls
6 - An attacker can create a log entry without a timestamp (or no log entry is timestamped)
7 - An attacker can make the logs wrap around and lose data
8 - An attacker can make a log lose or confuse security information
9 - An attacker can use a shared key to authenticate as different principals, confusing the information in the logs
10 - An attacker can get arbitrary data into logs from unauthenticated (or weakly authenticated) outsiders without validation
J - An attacker can edit logs and there’s no way to tell (perhaps because there’s no heartbeat option for the logging system)
Q - An attacker can say “I didn’t do that,” and you’d have no way to prove them wrong
K - The system has no logs
A - You’ve invented a new Repudiation attack

Information Disclosure

Information Disclosure describes any threat allowing an attacker to:
Expose information to someone not authorised to see it.

2 - An attacker can brute-force file encryption because there’s no defense in place (example defense: password stretching)
3 - An attacker can see error messages with security sensitive content
4 - An attacker can read content because messages (say, an email or HTTP cookie) aren’t encrypted even if the channel is encrypted
5 - An attacker may be able to read a document or data because it’s encrypted with a non-standard algorithm
6 - An attacker can read data because it’s hidden or occluded (for undo or change tracking) and the user might forget that it’s there
7 - An attacker can act as a ‘man in the middle’ because you don’t authenticate endpoints of a network connection
8 - An attacker can access information through a search indexer, logger, or other such mechanism
9 - An attacker can read sensitive information in a file with bad ACLs
10 - An attacker can read information in files with no ACLs
J - An attacker can discover the fixed key being used to encrypt
Q - An attacker can read the entire channel because the channel (say, HTTP or SMTP) isn’t encrypted
K - An attacker can read network information because there’s no cryptography used
A - You’ve invented a new Information Disclosure attack

Denial of Service

Denial of Service describes any threat allowing an attacker to:
Degrade or deny service to users.

2 - An attacker can make your authentication system unusable or unavailable
3 - An attacker can make a client unavailable or unusable but the problem goes away when the attacker stops
4 - An attacker can make a server unavailable or unusable but the problem goes away when the attacker stops
5 - An attacker can make a client unavailable or unusable without ever authenticating but the problem goes away when the attacker stops
6 - An attacker can make a server unavailable or unusable without ever authenticating but the problem goes away when the attacker stops
7 - An attacker can make a client unavailable or unusable and the problem persists after the attacker goes away
8 - An attacker can make a server unavailable or unusable and the problem persists after the attacker goes away
9 - An attacker can make a client unavailable or unusable without ever authenticating and the problem persists after the attacker goes away
10 - An attacker can make a server unavailable or unusable without ever authenticating and the problem persists after the attacker goes away
J - An attacker can cause the logging subsystem to stop working
Q - An attacker can amplify a Denial of Service attack through this component with amplification on the order of 10:1
K - An attacker can amplify a Denial of Service attack through this component with amplification on the order of 100:1
A - You’ve invented a new Denial of Service attack

Elevation of Privilege

Elevation of Privilege describes any threat allowing an attacker to:
Gain privileges they would not normally have.

2 - [no card]
3 - [no card]
4 - [no card]
5 - An attacker can force data through different validation paths which give different results
6 - An attacker could take advantage of .NET permissions you ask for, but don’t use
7 - An attacker can provide a pointer across a trust boundary, rather than data which can be validated
8 - An attacker can enter data that is checked while still under their control and used later on the other side of a trust boundary
9 - There’s no reasonable way for a caller to figure out what validation of tainted data you perform before passing it to them
10 - There’s no reasonable way for a caller to figure out what security assumptions you make
J - An attacker can reflect input back to a user, like cross site scripting
Q - You include user-generated content within your page, possibly including the content of random URLs
K - An attacker can inject a command that the system will run at a higher privilege level
A - You’ve invented a new Elevation of Privilege attack

In addition to these special suit summary cards, the full deck also contains Instruction and Strategy cards.

Friday, 28 January 2011


When It Happened

Sitting alone in my little office with the door to the adjacent factory area open, as the people there worked cheerfully building their circuit boards, wiring harnesses and custom housings, I was preoccupied with the authoring of some graphics software. Subconsciously listening to the joking going on next door, and to the music of BBC Radio One coming from their tiny communal FM radio. The door to the reception area opened, and my boss appeared there. Glancing at my face, he told me to cheer up. Then he disappeared again, having assured me that "It might never happen."

But then it had just happened. Why did nobody seem aware of it yet? Everything appeared to be continuing as normal. Yet only a moment earlier, loud and clear the radio announcer's voice had punched through the humdrum chatter and pop, telling me that Space Shuttle Challenger had just exploded on launch. That was exactly twenty five years ago today, at this hour, as I'm sitting and writing these words now. My brain took a snapshot of that moment, one that I can still examine today, as if it were a physical photograph.

Looking Back

Like many people at the time, I'd lost much of my initial interest in the American space program. It had seemed routine for a while. As if they had it down to a fine art, a daily set of procedures that always resulted in exactly what it should: yet another successful mission, with no big discoveries or artifacts to share with the world's mass media. Then, the newspapers got wind of NASA's latest publicity scheme: the first civilian in space. Christa McAuliffe, a teacher from Concord High School, New Hampshire, was to fly in the next shuttle and present lessons to her class from space.

Clearly the idea was a successful one, as every news network carried images and interviews with the first space teacher. The concept captured the public imagination. Without the big dramatic climax of say, the moon landings I'd watched since age 10, or the unwelcome suspense of Apollo 13, NASA seemed to have found a cost effective, everyman route, to promote simultaneously itself, and space travel, and science. When I heard the terse announcement that day, all I could think of was that teacher, racing skywards and full of hope, optimism, and the educational purpose that was her life's work.

Thank You

My real life heroes are those champions of the promotion of the public understanding of science: Carl Sagan, Charles Simonyi, Richard Dawkins, and so on. But real life space heroes, pioneers like Christa McAuliffe and her crew mates, combine that dedication with a commitment to exploration. True leaders of mankind, always risking and sometimes losing their lives, they follow remorselessly their vision of a larger and more enlightened universe, and in so doing they create it, for us all to inhabit one day.

Photo: NASA. Christa McAuliffe is in the back row, second from the left. Each January, NASA's Day of Remembrance honours the fallen crews of Apollo 1, Challenger and Columbia, and all of those who have given their lives in the cause of exploration.

Thursday, 27 January 2011

Simple Regex #1: Metacharacters

Useful Concepts: Opacity

Oh sure, I know there's no shortage of guides to regular expression on these Internets. However, questions about them continue to land on my desk with a satisfyingly fitting regularity. So I've decided to write about them, starting with this one. Colleague C wants to parse some data from Discogs, the music database / marketplace. Credits on individual tracks follow a comma separated format like this:
Piano, Guitars [Lead, Bass, 12 String Acoustic], Drums, Kitchen Sink
followed by the artist's name. What C wants to do, is to parse each individual instrument or grouping of instruments, ending up with something like this:
Guitars [Lead, Bass, 12 String Acoustic]
Kitchen Sink
Obviously the "wrinkle" is that bracketed sections can contain commas, which we don't want to act as field separators. In fact (and this is key to the answer), we don't care at all what's inside the bracketed areas. Everything after a left bracket, up to and including the first right bracket if any, should be preserved just as it is. Such is frequently the situation with string encodings; separators and terminators are implicitly "escaped" when parenthesised. We may also term such bracketed content "opaque", meaning that our parser "cannot see inside it" - to discern, for example, those commas.

My First Metacharacter

That being the case, we might as well treat an entire bracketed expression as a single, inscrutable and indivisible (meta)character. One example of a pattern matching such an expression is:
which is to say, a literal left bracket "[", followed by any number of non-"]" characters (the sub pattern for such a sequence is shown underlined), followed by a final right bracket "]". For the sake of clarity and language independence I'll be omitting pattern delimiters in most of my examples; you should add your own enclosing @"" or // as appropriate for your environment. Now we can say that each match in our output is a sequence of atoms, where every atom is one or other of these:
  • any single character, which is neither a comma, nor a left bracket;
  • a bracketed expression, as recently defined above.
Here then is the pattern that matches one of our newly identified atoms:

Note the use of the OR operator "|" between the two underlined sub patterns for matching (1) a single character, and (2) a bracketed expression. Now, a match can be expressed as a sequence comprising any number of atoms:
Here the underline spans a single atom. If we now test this solution, we find that it has two bugs. It intersperses zero-length matches between the desired ones, and it preserves spaces after commas in the input string, manifesting these as leading spaces in the second and subsequent output matches. Both issues can be addressed by insisting that a match additionally starts with at least one non-comma, non-space character (prepended and underlined below):
[^, ]([^,[]|\[[^\]]*])*
And that, assuming only that bracketed expressions aren't nested, is one final answer to the case of the Discogs Parsing Regex.

Previously: Regex Fuzzing; Quantum Regex.

But I'm Tryin', Ringo

The Path of the Righteous

Jules in Pulp Fiction is having a hard time interpreting Ezekiel 25:17, as three conflicting analyses compete for his approval. And this morning, one month after Microsoft's Cloud Data Breach, we find ourselves in a perfectly analogous quandary. How to interpret this Windows Azure spam promotional email from Reading?

Come in We're Still OPEN

At first I thought they were trying to reassure me, that despite the forementioned breach of customers' confidential data security, "We're still trading! Yes I know, it's incredible! We're still in business!"

Then, Colleague P suggested it might instead indicate the ongoing status of that breach: "Customer data still available! We're still w-i-d-e open!"

But that shit ain't the truth. The truth is - upon subsequent, more sober reflection - that the intended interpretation (becoming clear only after you read into it at least a little further) is just this: "We are open 24/7/365." Still open, in other words, during holidays.

Windows Azure: We're Still Open. What an odd email to receive, as Tweeter CloudClip-Azure muses. You can't help bracing yourself for the inevitable and apparently imminent follow-up promotion. Windows Azure: Closing Down Sale.

A famous advertising campaign in the mid-1980s, by the now defunct British Rail, and sporting the tag line We're Getting There, was universally ridiculed from its launch day. This Azure email campaign seems almost as easily avoidable a case of foot-in-mouth as that one.

Wednesday, 26 January 2011

Your Fave Browser

An Arresting Ambiguity

Today's "Technology" sidebar has a new number one, which caught my attention:
Parallel Programming with .NET
- Parallel Computing Virtual Labs on MSDN
Clicking through to Stephen Toub's introduction, I'm immediately whisked along by his infectious enthusiasm:
Interested in trying out the support for parallel computing in Visual Studio 2010 or .NET 4, but don’t have either installed? No problem. You can now use the MSDN Virtual Labs site to try these out from the comforts of your favorite browser.
All right! Actually I do have both installed, but no matter, this looks like fun. My favourite browser is currently Firefox, so I should be able to right-click, Open Link in New Tab, then launch one of the five parallel computing virtual labs on offer...

Okay, so I guess that answers that whole question about "how can they do that without ActiveX?" They can't. But the part I hadn't realised before, is that whenever a Microsoft guy says your favorite browser, he means IE6!

Tuesday, 25 January 2011

Security Digest #16

A Time Of Contrasts

The first story from January's Security and Privacy archives is reminiscent of a certain Wikileaks / Facebook platitude, recently memed via Saturday Night Live's Bill Hader, speaking in the persona of Julian Assange (emphasis mine):
I give you private information about corporations.
For free.
And I'm a villain.
Mark Zuckerberg gives your private information to corporations.
For money.
And he's Man of the Year.

Honour Among Hackers

All of which leads us to consider these several and various attitudes towards device jail breaking, as recently exhibited by Apple, Sony, and Microsoft.

Apple tried first in 2009 to have the jail breaking of the iPhone ruled illegal under America's Digital Millennium Copyright Act (DMCA). The land of the free disagreed, and in July 2010 went further by declaring there was "no basis for copyright law to assist Apple in protecting its restrictive business model." The iPhone was of course first hacked by George Hotz...

Next up came Sony, in the wake of the 27th Annual Chaos Communication Congress and the comprehensive obliteration of its PS3 security system, at the hands firstly of the fail0verflow group, and the subsequent samurai sword strike from the hand of... George Hotz. Sony's response, described by the Electronic Frontier Foundation as "sending a dangerous message to researchers and gamers", was to sue everyone involved. Not only with the DMCA hammer, but also with a highly creative slew of Computer Fraud and Abuse claims.

Finally, having already leaked details of their upcoming fix for the ChevronWP7 hack, Microsoft - predictably enough - reacted to a post by who-else-but George Hotz, threatening next to break Windows Phone 7 "in a way they won't like". The reaction of this particular giant multinational corporation was... offer the hackers free T-shirts. And a free phone. Also, to offer a meeting, for the purpose of discussing how Microsoft might in future support “homebrew” apps, in a way that benefits all parties.

This just might turn out to be a very shrewd way to start building a much needed, fiercely loyal, customer base.

Photo source: istartedsomething.

The Hack List 2010

PCWorld Magazine's Business Center carries Tim Greene's report on the Top 10 Web Hacking Techniques of 2010, as voted by a panel of experts and open voting:
  1. Padding Oracle Crypto Attack
  2. Evercookie
  3. Hacking Autocomplete
  4. Cache Injection HTTPS Attack
  5. CSRF Bypass via ClickJacking / HTTP Parameter Pollution
  6. IE8's Universal XSS
  8. JavaSnoop
  9. Firefox CSS History Grab
  10. Java Applet DNS Rebinding
#1 was covered previously in my Twenty Questions post. For useful details on the rest, see Tim's article. The list was sponsored by Black Hat, OWASP and White Hat Security, and will be the subject of a presentation at IT-Defense 2011 conference in Germany next month.


M'learned colleague Scale This! draws attention to the ITProPortal story, Microsoft Suffers Cloud Data Breach, with the comment that it's really about web app security. Backtrack to PCWorld, where we find Microsoft Cloud Data Breach Heralds Things to Come.

The issue, it emerges, has nothing to do with hacking, legal or otherwise. It's been a simple matter of misconfiguration of BPOS. Nothing uniquely cloudy about that, aside from the prevailing weather conditions above the head of some poor IT guy somewhere.

It may indeed be a herald of things to come. Maybe in today's computer journalism, "The Cloud" is already interchangeable with "The Server"?

That's January's wrap.

Conficker: Mission Accomplished

"Complete Success" (Patient Dead)

Between 2008 and 2010 the Conficker Working Group (CWG), a heterogeneous association of researchers in computer security, studied and fought against the eponymous malicious software worm. When that process got under way, in 2009 the US Department of Homeland Security's Science and Technology Directorate set up and funded a project designed to preserve a permanent record of the "Lessons Learned" - the hope being that a template could be discerned for subsequent application in similar situations.

The Rendon Group conducted that research, working independently, interviewing members of the CWG and constructing the definitive account of their experience and findings. Yesterday they published their report (PDF).

Among the successes of the CWG, this document highlights the "unprecedented act of coordination and collaboration" between organizations and individuals around the world, in both the public and private sectors. Academic researchers, domain registry operators, AV vendors, ICANN, and the blue hats at Microsoft, joined in a "very successful" effort to pre-register and otherwise block domains from being used to update the malware. Essentially they cut off the worm's author from communicating with the botnet.

Remediation of infected computers is generally regarded as one of the most disappointing outcomes of the study, with millions of Conficker A and B infections still active.


The report's recommendations list the following urgent requirements "if the cyber security community is to stay ahead of impending threats":
  • private sector collaboration
  • public-private information sharing
  • support to law enforcement
  • resources
  • legislative reform
There is also much necessary detail on the thorny subject of how to manage such a group effort as it grows. What should the essential collaborative infrastructure look like? There appears to have been a consensus that "volunteers" should continue to do most of the work, with nobody wishing to exceed the figure of 4 or 5 paid, full time staff.

The report concludes that "The group as a whole saw little participation from the government. One person put it as zero involvement, zero activity, zero knowledge." Most tellingly, one interviewee remarked, "People put in hours of unpaid work on nights and weekends, often at the expense of their own free time or time with their family."

Today, at least eight working groups modelled on the CWG are busy tackling other threats. Some of these groups' efforts have already led to arrests. How long will commercial enterprise, banks, and credit card companies, continue to depend on such unpaid, idealistic armies of volunteers, to protect their profits from growing gangs of well-resourced and professionally organised thieves?

Sunday, 23 January 2011

Sunday Dinner

My Cod Here

This isn't just a sea food platter for two. This is Marks & Spencer citrus cured Loch Fyne gravadlax with honey and dill dressing, salmon flakes, dressed mozarella crab, prawns, spiced prawns, king prawns in seafood sauce, calamari, French stick, pinot noir, and champagne. The occasion? Well you see, it was a Sunday.

Oh and also, we had a day off work together (which hardly ever happens).

Photo by Linda. Click to embiggen its cromulent scrumptiousness.

Tuesday, 18 January 2011

Microsoft Security Essentials 2

It's been two or three weeks since Microsoft released, to no fanfare whatsoever, version 2 of Security Essentials (MSE), the beta (illustrated in the above video) having been available since July 2010. This is their free security solution for Vista and Windows 7. And yes, XP too. Although you won't find that fact advertised too prominently, there's a good argument saying that XP still represents the biggest nest of exploited vulnerabilities out there.

Superficially similar to its predecessor, September 2009's Morro (itself the successor to the subscription-based Windows Live OneCare), MSE2 offers real-time protection for "your home PC", guarding against malicious software such as viruses, worms, and various other malware / spyware. But in fact MSE2 offers quite a lot more in terms of integration, with for example IE, and Windows Firewall.

Network based exploits are defended against by the new Network Inspection System. Overall performance is improved, detection and cleanup capabilities enhanced. Then too, there's...
  • control of the maximum CPU usage during scheduled scans (default 50%);
  • automatic removal of quarantined files after a given time (disabled by default);
  • the option to opt out of Microsoft SpyNet (not recommended!);
  • fine grained control of real-time protection functionality.
OEMs may pre-install MSE2 on consumer-bound PCs, providing malware protection out of the box, at no cost. And needless to say, automatic updates are... erm, yes. Precisely.

Free download:

Saturday, 1 January 2011

Tweets - December 2010