Are Identity Theft Services Worth The Cost?

The Consumer Federation of America just published a report on identity theft services entitled "Are Identity Theft Services Worth The Cost?" The conclusion is that many are not, and that regulation is needed in that industry. It is a very interesting read.

Posted Mon, Mar 23 2009 by jesper

Please do not e-mail my social security number

Recently I had a very interesting incident. I wrote an article some time in 2008 and the publisher paid me a little bit of money for it. That means the publisher must send a report to the Internal Revenue Service (IRS - the U.S. tax department) reporting that they paid me, as well as send me a form called a 1099 form that I can use to report this money on my tax return.

A few days ago the comptroller for the publisher sent me an e-mail asking for my social security number (my national ID number, for any non-Americans unfamiliar with the term). As is my custom, I responded that I really do not care to e-mail my social security number, but that if he gave me a phone number I would gladly call him and let him know. This he did. I called, and within 15 minutes of the call I received a California form DE 542 by e-mail. The DE 542 is required by the state of California when money is paid to a contractor, or a contract is entered into to pay money to a contractor. Its purpose is to permit the state to track payments to parents who do not pay their child support. Not only do I not need this form, as I am not a resident of California; it also contains, you guessed it:

my social security number.

At this point I started wondering what part of "I do not wish to have my social security number transmitted by clear-text e-mail" was unclear. I sent a message to the sender that informed him that this could quite possibly be considered a data breach and require notification under Washington State SSB 6043, which requires formal breach notification. As of today, I am still awaiting a response. Any response.

Just because I felt like griping to someone, I forwarded the e-mail to my favorite accountant. Her response was "yeah, I know lots of CPA firms who e-mail around unencrypted 1040s." (A "1040" is the U.S. federal tax return form.) I was absolutely floored. Last week credit card processor Heartland reported that they had experienced what may very well be the largest data breach in world history. Many banks are replacing every single one of their credit cards because of it. In fact, I took a call from a distressed bank manager just this morning asking whether it would be prudent to do so (the answer was "yes"). Yet, does that not pale in comparison to the number of unencrypted 1040s e-mailed around by tens of thousands of accountants every year, and the untold millions of other tax-related forms that traverse unencrypted network channels?

If you steal my credit card number, I can call the bank and ask them to issue me a new number. A few days later, I have a new card. The bad guy can, at worst, incur a few hundred dollars in charges, maybe a few thousand if they are really lucky. Yet, credit card data is somehow seen as the primary piece of data that needs protection. How many news reports have you read that discuss a computer breach and include the words "no credit card numbers appear to have been compromised?" Have we completely lost sight of the fact that there may be other pieces of information that need protection?

Consider the corollary. If you steal my social security number, you can take over my house, get any number of credit cards in my name, give me a criminal record, get a driver's license in my name... And, how do I clean it up? If I call the Social Security Administration and ask for a new number because my existing number has been compromised they would simply laugh at me. Only in exceptionally rare circumstances do they issue new numbers. In some states I am permitted, if my social security number has been compromised, to put in a credit report freeze, but the burden is on me, as the victim, to prove that my information has been compromised before I can get a freeze. If I am deemed worthy of getting the barn door closed after the horses have fled, I get to pay $30-60, per freeze, per credit bureau, requested by certified mail. And each freeze may only be good for 90 days. That's only in some states. Other states prohibit credit freezes, and a few, more progressive ones, actually permit consumers to close the barn door before the horses run away. The freeze usually still costs money, and usually is still time-limited, and usually still requires that you use certified mail to each credit bureau to request it. Fortunately, you can "thaw" the freeze by making a single phone call and typing in a four-digit pin.

What is wrong with this picture? Why are accountants and comptrollers still e-mailing around the source data - social security numbers; while we as consumers only seem to care about the derived data - the credit card number? Why is there a Payment Card Industry (PCI) Data Security Standard that, while widely ignored, attempts to set data protection standards for cardholder data; but no Social Security Number security standard that establishes requirements for protection of social security numbers and liability for anyone who compromises someone else's Social Security Number?

Why do we not see any Attorneys General up in arms over that one? Who is going to help me protect the source data?


Kip Hawley: "No, the TSA is Necessary Because This is War!"

CBS News did a story a few days ago on the Transportation Security Administration (TSA). Basically it was a tit-for-tat between Bruce Schneier, security pontificator extraordinaire, and Kip Hawley, the administrator of the TSA. Mr. Hawley maintains that the TSA provides a necessary service because we are at war, and the obvious battleground, apparently, is airplanes. Surely, we must all realize that just because the terrorists used airplanes once, they can't possibly have enough imagination to go for another target next time. Mr. Schneier, wisely, disagrees, points out all the flaws in what the TSA does, and calls the whole thing "Security Theater;" a term whose origins are not entirely undisputed, but that is beside the point.

The interesting thing about this story is that neither Mr. Schneier nor Mr. Hawley was quoted as addressing the currently most glaring flaw in the entire air transportation security apparatus. If one of our enemies actually wanted to terrorize the populace, why take on the risk of blowing up another plane? Just for fun, head on down to your local airport this week. Walk into the terminal area and take a look at the security line. At Dulles (IAD), Los Angeles (LAX), Chicago (ORD), Denver (DEN), Atlanta (ATL), John F. Kennedy (JFK), etc., the picture is the same. There will, at any given moment, be 500 to 1,000 people in line.

It took 5 terrorists per plane (four on one plane) to blow up the planes on September 11, 2001. Together, they managed to kill 2,751 people. That's 145 victims per attacker. Take those 19 terrorists, strap them full of explosives, and position them strategically in the lines the TSA has created leading up to the security checkpoints. I guarantee you that each one of them will kill 145 people, or more. Better still, have them get in line with a bag full of explosives, then leave the bag and step out of line. They will probably have two to three minutes to make a getaway before the bag explodes before anyone even so much as looks at those bags. One might even have more if one chats up the people next to oneself in line to watch the bag while the attacker runs to the restroom. Suddenly, we have the prospect of a devastating, coordinated attack that is far more insidious, far more deadly, and far more difficult to prevent, than the attacks of September 11. This one you can't inspect away. You can't put a security checkpoint to get into the security checkpoint.

The TSA, single-handedly, created this vulnerability by making the airport security checkpoints so incredibly inefficient (and, one might add, ineffective) that the lines leading up to them back up with hundreds, or, in the case of Dulles, even thousands, of people. If the terrorists really wanted to erode confidence in our transportation infrastructure, why not make the security checkpoints the most dangerous part of it?

Mr. Hawley, in your final few weeks, how are you going to protect the public you are sworn to protect from this attack? How are you going to prioritize our safety while we are waiting in line so that your spiffily dressed officers can declare us as posing no risk to the traveling public?

One "Hacker" Attempts to Rule The World

Wired, always a source for amusement and interesting literature, just carried a story on a "hacker" (the magazine's use of the term equates to "criminal") who attempted to dominate the market in stolen credit cards. It's a neat story about an unsavory character who is not going to get enough prison time. 

If you are too busy to read it, here is a synopsis:

---

Once upon a time, there lived in a far away land an evil dark lord. He lived in a dark castle with all kinds of dark objects around him. His most prized possession was the Mirror of Omniscience, which let him see into the lives of everyone else in the kingdom. His highest ambition was to take over the world and become ruler over all the land.
..
Luckily, there was a handsome and strong prince who wanted to preserve the beauty and way of life in this delightful communist enclave. The prince was deeply in love with the most beautiful woman in the whole kingdom. However, the dark lord had imprisoned her soul in his dark castle. So, the handsome prince set out to rescue her and save the kingdom from the impending disaster.
...
and the handsome prince broke the Mirror of Omniscience, and they all lived happily ever after.

You need to manually undo your MS08-078 mitigations

Just as an FYI for those of you who used Microsoft's recommended mitigations for MS08-078: if you unregistered the MSXML Island object, you need to manually re-create the registry entries after you install the patch to restore the functionality. The patch does not re-create the registry entries. Unfortunately, it appears Microsoft removed the actual registry entries from the bulletin and removed the work-around information from the advisory altogether, so unless you created a backup copy, you will need to look at an untouched system to find out what the registry entry was.

Or, you can just copy this into a text file called “WhyDidTheyRemoveTheInformationINeed.reg” and double-click it:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]
@="MsxmlIsland"

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}\InProcServer32]
"ThreadingModel"="Apartment"
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
78,00,6d,00,6c,00,33,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}\TypeLib]
@="{D63E0CE2-A0A2-11D0-9C02-00C04FC99C8E}"
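Before double-clicking a .reg file someone else wrote, it is worth confirming what it will actually write. The Python parser below is an added example (not from the post): it joins regedit's backslash line continuations, decodes the hex(2) value as the UTF-16LE REG_EXPAND_SZ string it is, and summarises the three keys; the .reg text is embedded as constructed sample input copied from the post above.

```python
# Constructed sample input: the .reg text from the post, embedded so the check
# runs offline. The CLSID, type-library GUID and values are copied from the post.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]
@="MsxmlIsland"

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}\InProcServer32]
"ThreadingModel"="Apartment"
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,\
78,00,6d,00,6c,00,33,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}\TypeLib]
@="{D63E0CE2-A0A2-11D0-9C02-00C04FC99C8E}"
'''

# regedit's textual type prefixes that carry comma-separated hex bytes.
HEX_TYPES = {"hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ", "hex": "REG_BINARY"}


def _logical_lines(text):
    """Join regedit line continuations (a trailing backslash) into single lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_value(raw):
    """Return (registry type, Python value) for the text to the right of '='."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    kind, _, hexdata = raw.partition(":")
    if kind in HEX_TYPES:
        data = bytes(int(b, 16) for b in hexdata.split(",") if b)
        if kind == "hex":
            return HEX_TYPES[kind], data
        # hex(2) and hex(7) hold UTF-16LE text with NUL terminators.
        text = data.decode("utf-16-le").rstrip("\x00")
        return HEX_TYPES[kind], text.split("\x00") if kind == "hex(7)" else text
    return "UNKNOWN", raw


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}.
    A key's default value is stored under the name '@'. Value names that
    themselves contain '=' are not handled (none appear in the post's file)."""
    keys = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(raw.strip())
    return keys


def summarize_msxml_island(keys):
    """Pull out the four facts a reviewer wants before importing this file:
    the class description, the DLL that will be loaded, its threading model
    and the type library it points at."""
    base = r"HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}"
    return {
        "description": keys[base]["@"][1],
        "server": keys[base + r"\InProcServer32"]["@"][1],
        "threading": keys[base + r"\InProcServer32"]["ThreadingModel"][1],
        "typelib": keys[base + r"\TypeLib"]["@"][1],
    }


if __name__ == "__main__":
    for name, value in summarize_msxml_island(parse_reg(REG_TEXT)).items():
        print(f"{name:12s} {value}")
```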

Lock your USB Token

Recently, Lev Bolotin of Clevx gave me a production sample of a USB token with a keypad on it. It's a pretty neat idea for certain uses. My immediate thought went to BitLocker in Windows Vista. You can store the BitLocker key on a USB stick, but you cannot prevent anyone who gets their hands on the USB stick from stealing the key. Nor can you require both a PIN and the USB stick to unlock your drive. With Lev's stick, however, you can put a PIN on the USB stick itself. Unless you enter the PIN on the device before sticking it into the computer, the stick won't give up the BitLocker key. In other words, you finally get the option of requiring both a USB stick and a PIN to unlock your BitLocker volumes.

I also like IronKey as a safe and secure USB stick. IronKey also permits multiple volumes, something that Clevx's technology currently does not have. In other words, IronKey lets you have one encrypted volume and one unencrypted one, both on the same stick. However, IronKey requires software installed on your computer to access the encrypted volume. This precludes its use to provide a second factor for BitLocker, because the BitLocker key has to be available prior to booting the operating system, and IronKey's software cannot run unless the operating system is running. If you put your BitLocker key on the IronKey, it must be on the unencrypted partition.

Clevx's PIN technology is currently available from Corsair in the Flash Padlock product.

More on BitLocker is available in Byron Hynes's excellent TechNet Magazine article. I still run BitLocker on all my Vista computers.

Believe it or not; DRM for Zune is down!

Shocking, yes, I know, but in only four hours this evening Microsoft has managed to alienate over 150 additional customers with its insistence on Digital Rights Management (DRM). This time it is the DRM component of the Zune store that is down, according to the 164 posts so far over on the Zune forums. OK, so realistically, that probably means that about 100 times that many customers have been alienated, including my oldest son who is unable to use the $15 worth of Zune points that his mother just purchased for him because "Error C00D12F6: Can't verify your media usage rights. A local firewall may be blocking access to the Zune service".

Rest assured, it is not a firewall problem. It is just that the DRM servers on the Zune site are horked up, again. No DRM: no buying music. No buying music: unhappy son. Perhaps the best part of this was that a few customers who called the Zune support line (1-877-438-9863) to get help were told to reset their DRM components. That turns out to not be the best move they made tonight as after doing so they can no longer play ANY of the music they have purchased on the Zune store. Ever.

I will take guesses at this point for when the industry will FINALLY get it that DRM, while completely useless in combating actual piracy, is extremely useful in combating customer satisfaction.

If you really wanted to defeat the Zune DRM it really is not that hard. For one, you could use FairUse4WM. Alternatively, my old friend Rob Hensing, in the Security Engineering group at Microsoft recommends using the old trick of burning the songs on CD and ripping them again to remove the DRM from legally purchased music. Those ideas work for music. If your fancies turn to DVD movies on your Zune, there are some suggestions for how to do it from Microsoft employees on the TechNet and MSDN blogs sites. Keith Combs apparently prefers the Xilisoft DVD Ripper Platinum. Andy Pennel appears to have figured out how to rip DVDs to play both on his Zune and his Media Center PC, but won't tell you how on his MSDN blog. Probably a wise move considering he just admitted to a Federal Crime on a company-sponsored blog. Wouldn't want to give the prosecutor too much information now, would we? Rohan Thomas, however, discusses how to leverage new Silverlight features when ripping your DVDs on his MSDN blog. Steve Makofsky, over on the MSDN blogs, apparently uses DVD Decrypter and Nero Recode to get his DVD movies into a format suitable for playing on devices. That is the same piece of software Keith Combs used.

Did I mention, by the way, that Amazon sells music without DRM? It will play for sure on any device you have now or in the future.

What do you think, should I do it?

I get a fair bit of blog spam - comments advertising everything from sexual enhancers to fake anti-malware. This one just came in this morning:

Sweet! I can turn off all the blog spam just by e-mailing the criminals? Or, could it possibly be that this is a clever ruse to find out what my e-mail address is so they can send their junk there too? Hmm. I think I'll just forward this to abuse@gmail.com.

Fun Experiences at Airport Security

For a while I've been thinking about writing something about interesting times I've had at various airport security checkpoints; security theater, as they have come to be known. There are the obvious shoe-removal arguments and the ill-defined rules on electronics (my camera is larger and has more electronics than most laptops, but it can stay in the bag; laptops can't), but there have been more interesting stories. Got any of your own? Share them!

Around November 2001 a colleague of mine and I flew to New York on business. On the way back we went through Kennedy airport. I was wearing a pair of boots, which the TSA (was it even TSA then?) required me to remove, even though shoes were not normally removed at the time as airport security hadn't yet figured out that you could bomb a plane with them. The lady scanned them for explosives and then handed them back saying "these are OK." I was so relieved because I had explicitly asked for the non-exploding boots when I bought them.

Not TSA related, but still: the same year I was traveling through Boston with my competition shotgun. It was broken down into three pieces and stuffed into a very solid, and quite short, aluminum case. When I went to check in I told the check in agent that it needed special screening. She asked me to open it and then asked what it was. I responded that it was a shotgun. She took two steps back from the counter, threw her hands up in the air, and exclaimed "Is it unloaded?" I felt like answering "What? It has to be unloaded? But what if I want to use it during the flight?" Fortunately for me, I didn't.

Several years later I was flying from Seattle, this time with a rifle. Firearms require special screening, so after checking in they called a skycap to carry it for me over to the TSA, because I am no longer allowed to touch it at that point at Seattle Tacoma International Airport. Note that at other airports I am perfectly well allowed to touch it, as they usually make me hand carry it to the checkpoint. Once I got there the Transportation Security Officer (TSO) asked me for the keys and then struggled with the case for a while before opening it. I offered to help, but he refused, as I was not allowed to touch it. He poked around the foam in the case for a while, but all the while refused to lift the rifle. I informed him that the foam is removable and he was welcome to do so, as it would make it far less likely I would try to sneak a bomb on the plane. He ignored me. When he was done with that I asked if he was finished and he said "not quite," which turned out to be nearly the only two words this friendly gentleman said to me the entire time. He then turned around, grabbed the explosives swab - and proceeded to swab my rifle down for explosives! I tried asking him how he thought the bullets come out of it! Unfortunately, the airline agent that was with me was laughing so hard I couldn't make myself heard. We both stopped laughing when the TSO explained that he did not find any explosives. It turns out that the Explosives Trace Detection (ETD) units used for explosives swabbing can evidently only detect ammonia-based explosives. Lesson: I wonder when the TSA will realize the giant hole in failing to detect smokeless gun powder?

This year, again with a rifle, I asked why the TSO was so careful not to touch the rifle. Apparently, they are not trained in handling firearms and are afraid they will explode if they touch them. Silly me, I thought they were federal law enforcement officers. Now I realize they are not. They're mostly just people like you and me, except they save lives; and I work in real security.

Shoes again: apparently kid shoes are no threat. I travelled with my three-year old a few years ago. As we went through the check-point they made me remove my shoes for screening, but she could keep hers on. I'm not sure if they were too small to pose a threat (presumably if they were actually bombs there may not have been enough explosives in them to blow a hole in the plane?) or whether they just figured I would be willing to blow myself up but not to sacrifice her. I asked them what size shoes must be to pose a threat, but they refused to answer, citing national security concerns.

A year or so after September 11, I went through Minneapolis airport. Going through the security checkpoint I asked the TSO if he wanted me to put my clothes and underwear in a separate bin or whether I could put them in the same bin. He went beet red and disappeared. The replacement officer told me to take this very seriously and make sure I remove even the smallest piece of metal, like my neck chain, because the scanner was so sensitive this time. I went through without incident. When I got comfortably ensconced in seat 47 E I stuck my hand in my pocket and discovered the three-inch pocket knife I had forgotten to remove. I contemplated briefly calling the TSA and asking if the machine was actually plugged in but decided that would just cause them to empty the whole airport and then arrest me so I figured I'd better let sleeping dogs lie. Amazingly, even with this incredible breach of security, I got home safely.

Right after September 11, 33 days in fact, we were moving from the Boston area to Seattle. Consequently, we had a one-way ticket. When we got to the airport everyone except me received boarding passes stamped with "SSSS". The Secondary Supplemental Security Screening (SSSS) was new at the time, so we did not know what that meant. Now we know that it involves getting roughly patted down, your privates squeezed by an inconsiderate TSO, and having your bag torn open, the contents spilled all over the filthy floor, and being left to somehow repack your dirty underwear, in the jetway, while the rest of the plane boards, gloating at your misfortune. The selection criteria for being singled out for SSSS are top-secret for national security reasons. There is apparently no truth whatsoever to the idea that you are subjected to it if you have a one-way ticket, bought your ticket with cash, changed it the day of the flight, wear a Sikh turban, or have a last name of "Hussein." At any rate, back in October 2001, the system was implemented by airline personnel, who informed us politely (remember when anyone at the airport was polite?) that we would receive the extra screening. I asked them what that entailed and they informed me that they had to look inside our carry-ons, and pat us down; all except me, because I was apparently left out due to my advanced frequent flier status. The follow-up question was obvious: what if you have no carry-ons? Then there is no extra screening of those. Consequently, I was left holding six carry-ons and a diaper bag while the bemused gate agent patted down my four-week-old daughter for any firearms she may have slipped through the metal detectors in her diaper.

There are probably more stories. What's your most outrageous one? I've heard of many, like the federal marshal who was permitted to fly with a loaded hand gun but had his nail clippers confiscated, and the TSO that held a leatherman knife and failed to recognize it. If you just want to read some others, read Jeffrey Goldberg's article in the Atlantic Monthly.

XP Antivirus in the News

Several helpful people just pointed me to some articles on XP Antivirus and its various variants. In case you do not remember, XP Antivirus was the subject of an article I wrote for The Register a few months back.

It turns out that the scammers got hacked, and the hacker posted some internal accounting details on the web. As suspected, this is a sophisticated business making millions of dollars. It even appears to have an affiliate program.

In case you have not seen the articles yet, here are a few:

http://www.iht.com/articles/2008/10/30/technology/virus.php
http://www.smh.com.au/news/technology/security/russian-scammers-cash-in-on-popup-menace/2008/11/04/1225560814202.html
http://www.scmagazineuk.com/Hacker-reveals-Russian-software-company-behind-anti-virus-scam/article/120152/

Thanks to Marc Michault, Phillippe Jan, and Jason Grubè for all pointing me to articles on this topic.

Is MS08-067 Wormable?

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067. Looking at the type of vulnerability and the fact that the issue was already being exploited in the wild at the time, this was a good decision. If you have not already installed this security update, you should stop reading this right now and return after you have installed the update.

The problem fixed in MS08-067 is eerily reminiscent of the vulnerabilities that resulted in the Blaster and Sasser worms. Therefore, for obvious reasons, the question arises whether MS08-067 is wormable or not. Microsoft claimed in various outlets that it was wormable "on older systems." Michael Howard backs that up with some interesting analysis on the SDL blog. The Secure Windows Initiative (SWI) blog also discusses the issue and points to a number of mitigations designed to reduce the "wormability" on newer operating systems. By "older systems" Microsoft really means "not Vista and Server 2008." This leads to the question of why the vulnerability cannot be used to create a worm on Windows Vista and Server 2008, and whether the claim is correct or not.

The claim that MS08-067 cannot be used to create a worm on Vista and Server 2008 is based largely on two defenses used on those operating systems. The first is that the vulnerable end-point is not anonymously accessible on those operating systems. That's a pretty good defense out on the general Internet. However, on a corporate network it provides little defense. Anyone with user-level credentials on a host can exploit the vulnerability. Thus, if a single computer gets infected and then is brought inside the corporate network, it can infect any other computers on the corporate network by authenticating to them. It would take a little more coding to write an exploit that does that, but it is certainly not an impossibility.

The second defense is Address-Space Layout Randomization (ASLR). ASLR causes the addresses used for code in memory to change from execution to execution. Each time you execute a program it will be loaded into a portion of memory; but, under ASLR, that memory is offset at one of 256 possible memory locations. Many exploits rely on knowing where in memory certain structures are. Prior to ASLR those locations were deterministic within an Operating System, Service Pack, and Patch Level combination. However, under ASLR, they are, as I mentioned, no longer deterministic. This makes exploitation much more difficult.

However, do these defenses, and specifically, ASLR, really make a vulnerability "not wormable?" I would argue that the answer is "we do not know" but that it is tending toward "no." The problem is that we really do not understand the spreading patterns of worms well enough to make a claim one way or the other. Let us take a neutral scientific approach to understanding this claim.

Worms rely on spreading from computer to computer. Each computer that is infected with the worm can infect countless additional computers. The only thing that moderates it is time. The spread, however, is exponential. The more infected computers there are, the more computers there are that can spread the infection. Eventually, some form of critical mass is reached at which point the spread turns uncontrollable. Unfortunately, we do not know where that inflection point is.

To see how this works, let us take a hypothetical worm, and let us assume that ASLR is not used. Let's say the infection takes 1/8th of a second per computer. In other words, if computer A is infected and targets the worm at computer B, 1/8th of a second later, computer B is ready to start infecting computer C. In one second, a single computer, computer A, can spread the infection, directly or indirectly, to 64 other computers. The total impact of the worm is t/r^2, where t is the time and r is the rate of spread measured in the time it takes to infect an additional computer. Using that formula, we can see that after 1 second 64 computers could be infected. After 2 seconds, 256 computers can be infected, and so on.

Now let's apply ASLR to this. Using ASLR, the memory address space is allocated over 256 possible addresses. In other words, under a very tight assumption the infection will fail in all but 1/256 cases. The assumption is that we cannot predict where the locations are, and that the randomization will actually cause the infection to succeed in only one case of 256. Let us just say this assumption holds because it lets us analyze a worst-case scenario for the worm. Under ASLR then, we can consider the rate of spread to be 1/256th that of the non-ASLR worm. In other words, rather than infecting the next computer in 1/8th of a second, computer A can only infect one new computer in 32 seconds. This, obviously, slows down the spread of the worm, but is it enough? The spread is still exponential. It just takes longer to spread. Consider this chart:

This chart maps the number of infected computers over a 24-minute period, assuming there is an infinite number of computers to infect, and ASLR is in use on all of them. It is clear from this graph that the spread is exponential. After 24 seconds, 2,025 computers are infected. By contrast, without ASLR, it would take less than 6 seconds to infect that many computers. The point, however, is that ASLR would not stop a worm, it would only slow it down. What we do not know is whether slowing down a worm is effectively enough to stop it. My inclination would be to say that it is probably not enough unless we can slow it down by many orders of magnitude.

In addition to ASLR, the affected service on Windows Vista and Server 2008 would only restart twice before staying down indefinitely. This is important because unsuccessful exploitation would almost certainly cause the service to crash. However, I do not consider that as a defense against worms, because more than likely, the user would at that point either restart the computer or just the service. Given that the restart behavior would only serve to further slow the spreading rate. It would not change the exponential nature of the spread. Again, we arrive at the same conclusion: none of the defenses make a vulnerability non-wormable. They merely slow the spread down.
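To put numbers on the argument above, here is an added simulation (not from the post) that uses a simple branching-process model rather than the post's t/r^2 formula: every infected host launches one attempt per interval, each attempt succeeds with probability p (1 without ASLR, 1/256 with it, the post's worst-case assumption), and a host whose service has crashed more than a set number of times stays unreachable until someone restarts it, mirroring the restart limit on Vista and Server 2008. The population size, interval and seed are assumptions chosen for illustration.

```python
import math
import random

INTERVAL = 0.125        # seconds per infection attempt (the post's 1/8 s)
P_NO_ASLR = 1.0         # every attempt succeeds without ASLR
P_ASLR = 1.0 / 256      # post's worst case: one guess in 256 lands under ASLR
MAX_CRASHES = 2         # service restarts twice, then stays down (Vista / Server 2008)


def doubling_time(interval, p):
    """Seconds for the *expected* infected count to double when each infected
    host makes one attempt per interval and each attempt succeeds with
    probability p. In expectation N grows by (1 + p) per interval, so growth
    stays exponential for any p > 0; ASLR only stretches the time axis."""
    return interval * math.log(2) / math.log(1 + p)


def time_to_reach(target, interval, p, initial=1):
    """Seconds until the expected infected count first reaches `target`."""
    steps = math.ceil(math.log(target / initial) / math.log(1 + p))
    return steps * interval


def slowdown_factor(p_slow, p_fast=P_NO_ASLR):
    """How many times longer doubling takes under p_slow than under p_fast."""
    return doubling_time(1, p_slow) / doubling_time(1, p_fast)


def simulate(population, p, max_crashes, steps, seed=1):
    """Monte Carlo spread through a finite network of `population` hosts.
    Each step every infected host picks a random target; a success infects it,
    a failure crashes the target's service. After more than `max_crashes`
    failures the service stays down and no further attempt can reach the host
    (until a human restarts it, which this model does not do). Returns the
    infected count after each step."""
    rng = random.Random(seed)
    infected = {0}
    crashes = [0] * population
    down = set()
    history = []
    for _step in range(steps):
        newly = set()
        for _attempt in range(len(infected)):
            target = rng.randrange(population)
            if target in infected or target in down:
                continue
            if rng.random() < p:
                newly.add(target)
            else:
                crashes[target] += 1
                if crashes[target] > max_crashes:
                    down.add(target)
        infected |= newly
        history.append(len(infected))
    return history


if __name__ == "__main__":
    for label, p in (("no ASLR", P_NO_ASLR), ("ASLR", P_ASLR)):
        print(f"{label:8s} doubling every {doubling_time(INTERVAL, p):7.2f} s, "
              f"2,025 hosts expected after {time_to_reach(2025, INTERVAL, p):7.1f} s")
    print(f"ASLR slows doubling by a factor of about {slowdown_factor(P_ASLR):.0f}")
    # Assumed network of 2,000 hosts observed for 20 attempt intervals (2.5 s).
    print("no ASLR:", simulate(2000, P_NO_ASLR, MAX_CRASHES, 20)[-1], "infected")
    print("ASLR:   ", simulate(2000, P_ASLR, MAX_CRASHES, 20)[-1], "infected")
```

The constant factor from ASLR (about 178x on doubling time here) changes when the worm reaches a given size, not whether it does, which is the post's point.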

This is important because there is a risk that people will avoid patching because a vulnerability is not wormable. Make no mistake, remotely exploitable vulnerabilities are still wormable, and within an hour, you could easily have your entire corporate network infected. As if that weren't bad enough, using a remotely exploitable vulnerability, someone with far worse intentions could take over your computers and use them as an entry point into your network. For that the criminal needs only one computer, not a whole network of them. Wormability, or lack thereof, is irrelevant against a targeted attack, which means that ASLR is essentially irrelevant against a targeted attack. In most cases the attacker needs a computer, not a particular computer. Being able to gain a foothold on only one computer in 256 is likely to be enough, because after the initial entry, the vulnerability plays no further part in the compromise of your network. In other words, do not consider ASLR to be a reason not to patch some particular vulnerability.

Now, do I think we will see a worm for MS08-067? No. Not in the traditional sense of Blaster. The time of worms, like Blaster, that are inherently non-destructive, has passed. At this point, criminals are not interested in simply writing worms that self-replicate. They are interested in one of the three big things: money, ideology, or national supremacy. While we may still see massive worms, they will be fundamentally different than the ones of old, and they will probably take a bit longer to write. The new breed will be more targeted, more silent, more deliberate, and more dangerous. Once the objectives change, so do the attack patterns.

In short, please do not use wormability, or lack thereof, as a decision factor in deciding whether to patch a vulnerability or not. Wormability is an irrelevant and potentially dangerously misleading metric.

Need a spare Windows box?

Have you ever found yourself in urgent need of another Windows box? Or, have you wanted to build a web application on Windows, but without having to buy servers? Or maybe you just want to have a network of Windows machines that you can test your new Server Isolation strategy on? You're in luck! Amazon yesterday launched its new Windows on EC2 service. Inside of five minutes you can be ready to log on to your very own Windows on EC2 instance and get started on all those projects!

EC2 is Amazon's Elastic Compute Cloud, a network of virtual servers where you pay only for what you use. Use it for two hours and you get charged for two hours. Use it for a month and you get charged only for a month. It's an eat-all-you-want server where you pay only for what you eat. You can even get it with SQL Server pre-installed.

As if having the ability to build your very own virtual network of Windows computers at minimal cost were not enough, there is even a security whitepaper on how to do it safely. Maybe you will even find some comfort in the familiar name involved in the project?


Revisiting the Immutable Laws

For many years I, and many others, have been referring to the immutable laws of security when trying to explain why something works, or does not work, a particular way. However, I've always wondered how immutable the laws really are. I finally sat down and went through them. The result is a three-piece article series in TechNet Magazine. The first installment just hit your favorite newsstand, or web browser, as the case may be. The second and third pieces will be in the November and December issues of TechNet Magazine.

Anatomy of a Hack 2008

A few years ago I delivered a very popular presentation I called "Anatomy of a Hack." Well, actually, I called it "How to Get Your Network Hacked in 10 Easy Steps," but the marketing department at my previous employer thought that title was a bit edgy, so they renamed it. The Chinese called it "Anatomy of a Hacker" at TechEd China in 2005, but that's another story altogether. The presentation, which is actually documented in Protect Your Windows Network, had me wandering through an entire network once I got a foothold on one computer.

For the past couple of years I've been telling people that the future of attacks is against people, not networks. In June I got further confirmation of that. A notification came in from my blog that I had a new comment to approve. The comment was just a link, looking like this one:

A Comment has been posted to Jesper's Blog: Hey, Mozilla: Quotes Are Not Legal in a URL by Google Images:
images.google-us.info/index.html Google Images

This looked suspicious enough so I started investigating a bit. What I found just hit the net on The Register. I thought it made an interesting tale of how the bad guys are trying to monetize their handiwork. Sandi has also written about this on her blog here, and here, and here...

On a very much related note, I will actually do a live walkthrough of this type of attack at TechEd EMEA ITPro in Barcelona this coming November. Yes, that's right, I'm going back to TechEd. Hope to see you there!

Security is About Passwords and Credit Cards, Part 3

The final installment in my series called "Security is About Passwords and Credit Cards" is now up on TechNet Magazine. This part of the series discusses updating technologies, including how not to abuse them, messaging about security, and the checkbox syndrome. It ends with the final comments about what we, as an industry, need to do better on to improve our users' ability to protect themselves.
