Anton RSS Feeds

This page summarizes a whole lot of security RSS feeds that I watch. Thanks to Chris Lee for a script that made this page possible!

Schneier on Security (07/03/09)

Friday Squid Blogging: Office Squid (07/03/2009)

Office squid.

The Pros and Cons of Password Masking (07/03/2009)

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don't get visual feedback from what they're typing, they're more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

The benefits of password masking are more obvious:

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I'm thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There's a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry's solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That's what I was reacting to when I said "I agree."

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords. I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.

The Insecurity of Secrecy (07/03/2009)

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that's "not toxic or anything?" It's not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn't take terrorists to make this happen.

Blocking the release of this information doesn't protect the citizens of the United States in any way. It's just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that "blurs" national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack -- the shoe bombers of the world -- above our right to know what's going on around us so that we can make informed decisions. The same secrecy that defends torturers.

Information Leakage from Keypads (07/02/2009)

Can anyone guess the entry codes for these door locks?

[Image: digital lock security keypad]

There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234.
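The keypad observation above, worked through as an added example (not part of the original post): given the digits that show wear, enumerate every code consistent with them and put the ones that read as plausible years first. The worn keys and the year range are assumptions for illustration; the example also covers the case the post does not mention, where fewer than four keys show wear because the code repeats a digit, which enlarges rather than shrinks the candidate list.

```python
from itertools import product


def candidate_codes(worn_keys, length=4):
    """Return every `length`-digit code that uses each worn key at least once.

    Wear marks reveal which digits the code contains but not their order, so
    the search space collapses from 10**length to the strings built only from
    the worn keys in which every worn key appears. Four distinct worn keys
    give 4! = 24 codes; three worn keys give 36 (one digit repeats); two give
    14; one gives a single code. More than `length` worn keys is impossible.
    """
    keys = sorted(set(worn_keys))
    if not keys or len(keys) > length:
        return []
    needed = set(keys)
    return ["".join(p) for p in product(keys, repeat=length) if needed.issubset(p)]


def rank_year_like(codes, low=1940, high=2009):
    """Order codes so that plausible birth/anniversary years come first.

    The year window is an assumption; people pick years far more often than
    random digit strings, which is why 1986 and 1968 lead for keys 1,6,8,9.
    """
    def key(code):
        n = int(code)
        return (0 if low <= n <= high else 1, code)
    return sorted(codes, key=key)


if __name__ == "__main__":
    worn = "1689"  # constructed: the worn keys on the first lock in the post
    codes = candidate_codes(worn)
    print(len(codes), "candidates; try first:", rank_year_like(codes)[:4])
```

The ranking only reorders the 24 candidates; it never adds to them, so the worst case is still 24 attempts, which is what makes a wear-revealed keypad so weak against a lockout-free lock.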

More Security Countermeasures from the Natural World (07/02/2009)

The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it.

She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten most of the leaves' nutrients.

Cabbage aphids arm themselves with chemical bombs:

Its body carries two reactive chemicals that only mix when a predator attacks it. The injured aphid dies. But in the process, the chemicals in its body react and trigger an explosion that delivers lethal amounts of poison to the predator, saving the rest of the colony.

The dark-footed ant spider mimics an ant so that it's not eaten by other spiders, and so it can eat spiders itself:

M.melanotarsa is a jumping spider that protects itself from predators (like other jumping spiders) by resembling an ant. Earlier this month, Ximena Nelson and Robert Jackson showed that they bolster this illusion by living in silken apartment complexes and travelling in groups, mimicking not just the bodies of ants but their social lives too.

Now Nelson and Robert are back with another side to the ant-spider's tale - it also uses its impersonation for attack as well as defence. It also feasts on the eggs and youngsters of the very same spiders that its ant-like form protects it from. It is, essentially, a spider that looks like an ant to avoid being eaten by spiders so that it itself can eat spiders.

My previous post about security stories from the insect world.





Honeyclient Development Project (07/02/07)

New Honeyclient Project Website (07/02/2007)

It's been a long time, but that doesn't mean we have not been busy. I'm going to go ahead and do what I should have done a while back, so here's where our up-to-date project website is now at. At...

Email Honeyclient Available for Download (01/06/2006)

Aidan Lynch and Daragh Murray from Dublin City University have written a cool new extension to the honeyclient which they call the email honeyclient. This extension allows you to use Outlook to grab email URLs and send them back to...

Recent World of Warcraft Account Compromises (10/08/2005)

Recently, a whole bunch of World of Warcraft (WoW) player accounts were compromised via a keylogger being installed on the users' machines. The infection epidemic was so bad that Blizzard Entertainment set up customer service lines for weekend support. This...

More Honeyclient News at ToorCon (09/22/2005)

Dan Hubbard of Websense also gave a talk on honeyclient technology at ToorCon 7. It's good to see this technology area talked about in the security community. We really need to move away from reactive intrusion detection technologies, given that...

Slides for Latest Honeyclient Talk Posted (09/21/2005)

I've just posted my slides from the latest honeyclient talk at ToorCon 7. The slides can be downloaded here. I had a great time at ToorCon, and will talk more in detail about that on my personal weblog soon....

Honeyclient Briefing at ToorCon 2005 (09/13/2005)

I will be speaking about honeyclients at the upcoming ToorCon 2005. If you are planning on attending ToorCon, or if you're in San Diego, please stop by and say 'hi'. There will be new information presented at ToorCon, and I...

Microsoft Releases Technical Paper on HoneyMonkeys (08/14/2005)

Microsoft released a technical paper, entitled Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. The paper can be downloaded here. I read the paper and thought it was very interesting. 'HoneyMonkeys' is Microsoft's term for...

New Version of Honeyclient Now Available for Download (07/05/2005)

Since RECON, I've been busy with my day job, and with travelling. Finally, over the long weekend, I was able to fix a bug in the previous honeyclient release. Namely, the MSIE browser caching mechanism was giving me some problems....

Honeyclient Talk Slides Available for Download (06/21/2005)

I just posted the slides that were used during yesterday's honeyclient talks at RECON. They are now downloadable off the main page. I am still in Montreal today, and will be returning home tomorrow. Today, I enjoyed sightseeing around the...

Honeyclient Talk Today (06/18/2005)

I gave a talk today at RECON on honeyclients. Also, the world's first open-sourced honeyclient has just been released during my talk. Download the latest tarball from the download section on the main page. Talking to the people at RECON...

Cerberus-like Attack for Botnet Formation (06/14/2005)

I thought that this article from eWeek highlighted only the beginning of what we will start to see with increasing frequency - multi-staged attacks. I just called this attack 'Cerberus-like' because it is a three step attack. Basically, the first...

A New Business Model? (06/14/2005)

How could it be that a company in Russia is building a business around infecting other people's machines? 'No way!', you say. Well, this article from Information Week has the details. This Russian company (which I will not link directly...

Microsoft's Honeyclient Project (06/14/2005)

According to this Slashdot post, Microsoft has their own version of a honeyclient, which they call 'honeymonkeys'. I have to say, that's a cute moniker. More importantly, though, this goes to show that it's becoming increasingly important to actively seek...

Oops, Did You Mean To Type 'google'? (06/14/2005)

Next time you try and access Google, be careful how you type. This article in eWeek points out that typing 'googkle' instead of 'google' lands you at a malicious site that then attempts to install beasties such as backdoors and...
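An added example, not from the post or from eWeek: generating the typo neighbourhood of a domain label (omission, transposition, doubling, substitution, insertion) so a defender can pre-register or monitor the lookalikes before someone else does; 'googkle' falls out of the insertion class. The alphabet and the five variant classes are assumptions, and the generator deliberately leaves out homoglyph, bitsquat and keyboard-adjacency variants.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"  # DNS label characters (assumed)


def typo_variants(label):
    """Return the single-edit typo neighbourhood of a DNS label."""
    label = label.lower()
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omission: gogle
        out.add(label[:i] + label[i] + label[i:])               # doubling: gooogle
        if i + 1 < len(label):                                  # transposition: googel
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for c in ALPHABET:                                      # substitution: goofle
            out.add(label[:i] + c + label[i + 1:])
    for i in range(len(label) + 1):                             # insertion: googkle
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])
    out.discard(label)
    # a label may not be empty or start/end with a hyphen
    return {v for v in out if v and v[0] != "-" and v[-1] != "-"}


def typosquat_domains(domain):
    """Expand the first label of `domain` into every typo variant with the same suffix."""
    label, _, suffix = domain.lower().partition(".")
    return {v + "." + suffix for v in typo_variants(label)}


def looks_like_typosquat(candidate, legitimate):
    """True when `candidate` is one edit away from `legitimate` in the first label."""
    return candidate.lower() in typosquat_domains(legitimate)


if __name__ == "__main__":
    lookalikes = typosquat_domains("google.com")
    print(len(lookalikes), "variants;", "googkle.com" in lookalikes)
```

A few hundred names per domain is small enough to feed into a daily WHOIS or passive-DNS check, which is the defensive counterpart of the attack the post describes.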

Why We Need Honeyclients (06/14/2005)

This article talks about how attackers are now using fake weblogs to entice users to click on certain links. Once those links are accessed, malware such as keyloggers and trojans are uploaded to the victim host from the malicious server....

SANS Internet Storm Center, InfoCON: green (07/03/09)

Infocon: green

BCP/DRP

BCP/DRP, (Fri, Jul 3rd) (07/03/2009)

Question, what do Bing.com and Authorize ...(more)...

Happy 4th of July!, (Fri, Jul 3rd) (07/03/2009)

Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, ...(more)...

FCKEditor advisory, (Fri, Jul 3rd) (07/03/2009)

FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnera ...(more)...

Authorize.net down, (Fri, Jul 3rd) (07/03/2009)

The credit card payment gateway authorize.net is currently down ...(more)...

Cold Fusion web sites getting compromised, (Thu, Jul 2nd) (07/03/2009)

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We receiv ...(more)...

Unpatched Bloatware on new PCs, (Thu, Jul 2nd) (07/02/2009)

I recently purchased a netbook, and while I like the highly portable on-the-go computing that it off ...(more)...

Getting the EXE out of the RTF, (Thu, Jul 2nd) (07/01/2009)

Recently, when the targeted attack with malicious RTF attachments was making the rounds, I wondered ...(more)...

Internet Storm Center Podcast Episode Number Fifteen, (Thu, Jul 2nd) (07/01/2009)

Hey everyone, sorry it has taken so long to get around to recording another podcast episode! T ...(more)...

SecuriTeam (07/03/09)

Motorola Timbuktu Pro Stack Based Buffer Overflow (06/26/2009)

Remote exploitation of a stack-based buffer overflow vulnerability in Motorola Inc.'s Timbuktu Pro could allow attackers to execute arbitrary code with SYSTEM privileges.

Unisys Business Information Server Stack Buffer Overflow (06/26/2009)

Remote exploitation of a stack based buffer overflow vulnerability in Unisys's Business Information Server could allow an attacker to execute arbitrary code with the privileges of the affected service.

Adobe Shockwave Player Director File Parsing Pointer Overwrite (06/26/2009)

This vulnerability allows remote attackers to execute code on vulnerable installations of Adobe's Shockwave Player. User interaction is required in that a user must visit a malicious web site.

Cisco Physical Access Gateway Denial of Service Vulnerability (06/25/2009)

A denial of service (DoS) vulnerability exists in the Cisco Physical Access Gateway. There are no workarounds available to mitigate the vulnerability. This vulnerability has been corrected in Cisco Physical Access Gateway software version 1.1.

Cisco ASA Web VPN Multiple Vulnerabilities (06/25/2009)

The ASA's DOM wrapper can be rewritten in a manner to allow Cross-Site Scripting (XSS) attacks.

Netifera - Modular Open Source Platform for Security Tools (04/12/2009)

WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems (03/09/2009)

Webshag - Web Server Audit Tool (02/23/2009)

Browser Fuzzer (01/20/2009)

FSpy - Linux Filesystem Activity Monitoring (12/31/2008)

Apple WebKit attr() Invalid Attribute Memory Corruption Vulnerability (06/25/2009)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple WebKit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

Pivot Cross Site Scripting and HTML Injection (06/24/2009)

Pivot has been found to contain vulnerabilities in the following functions: url, menu, sort, check[], edituser, edit, blog, cat.

IBM AIX ToolTalk Database Server Buffer Overflow Vulnerability (06/22/2009)

There exists a vulnerability within a function of the ToolTalk database server (rpc.ttdbserverd), which when properly exploited can lead to remote compromise of the vulnerable system.

Webmedia Explorer Cross Site Scripting Vulnerability (06/19/2009)

Webmedia Explorer's search, tag and bookmark parameters have been found to contain a security vulnerability that allows remote attackers to perform cross-site scripting attacks.

phpMyAdmin Code Injection (06/19/2009)

This vulnerability can only be exploited against environments where the administrator has chosen to install phpMyAdmin following the *wizard* method, rather than the manual method.

Microsoft Office Excel Malformed Records Stack Buffer Overflow (MS09-021) (06/25/2009)

A remotely exploitable vulnerability has been discovered in Microsoft Office Excel products. Specifically, the vulnerability is due to a design error encountered when parsing Excel files which contain malformed records. Remote attackers can exploit this vulnerability by enticing target users to open a malicious Excel file.

Microsoft Excel Record Parsing Array Indexing Vulnerability (MS09-021) (06/25/2009)

Microsoft Excel can be exploited through an array-indexing error when processing certain records. This can be exploited to corrupt memory via a specially crafted Excel file. Successful exploitation may allow execution of arbitrary code.

Microsoft Excel String Parsing Integer Overflow Vulnerability (MS09-021) (06/22/2009)

The vulnerability is caused due to an integer overflow error when processing the number of strings in a file and can be exploited to cause a heap-based buffer overflow via a specially crafted Excel file. Successful exploitation allows execution of arbitrary code.

libpurple MSN Protocol SLP Message Heap Overflow Vulnerability (06/19/2009)

This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of messaging applications that make use of the libpurple library. User interaction is not required to exploit this vulnerability.

CA ARCserve Backup Message Engine Denial of Service Vulnerabilities (06/17/2009)

CA ARCserve Backup contains multiple vulnerabilities in the message engine that can allow a remote attacker to cause a denial of service.

Sun Java System Identity Manager User Enumeration (04/13/2009)

The following exploit is a proof of concept for the user enumeration vulnerability in Sun Java System Access Manager and Identity Manager.

Microsoft Internet Explorer XML Buffer Overflow (Exploit) (12/28/2008)

The following exploit utilizes the XML vulnerability in Internet Explorer to execute arbitrary code under Vista.

Opera file:// Overflow (11/18/2008)

A vulnerability in Opera's browser allows attackers that can inject and open an HTML file to overflow an internal buffer used by the 'file://' URL interpreter and cause it to execute arbitrary code.

Stack-Based Buffer Overflow in the Network Manager of Castle Rock Computing (SNMPc) (11/12/2008)

Stack-based buffer overflow in the Network Manager in Castle Rock Computing SNMPc 7.1 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long community string in an SNMP TRAP packet.
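An added example, not from the advisory or from Castle Rock: a minimal BER reader that pulls the community string out of an SNMPv1 trap so a monitoring point can flag over-long values before they reach a manager with a fixed-size buffer. The trap builder, the packet contents and the 64-byte threshold are constructed for illustration; the advisory does not say what length triggers the SNMPc bug, so the limit is an assumption, not the product's.

```python
def _ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def build_v1_trap(community):
    """Constructed SNMPv1 trap message (RFC 1157 layout) carrying `community`."""
    pdu = (_tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x04, 0x01]))  # enterprise 1.3.6.1.4.1
           + _tlv(0x40, bytes([192, 168, 0, 1]))                # agent-addr (IpAddress)
           + _tlv(0x02, b"\x06")                                # generic-trap: enterpriseSpecific
           + _tlv(0x02, b"\x01")                                # specific-trap
           + _tlv(0x43, b"\x00")                                # time-stamp (TimeTicks)
           + _tlv(0x30, b""))                                   # empty variable-bindings
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community) + _tlv(0xA4, pdu))


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("length runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_community(packet):
    """Return (version, community) from an SNMPv1/v2c message without trusting lengths."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return int.from_bytes(version, "big"), community


def is_oversized_community(packet, limit=64):
    """True when the community string exceeds `limit` bytes (assumed threshold)."""
    _, community = parse_snmp_community(packet)
    return len(community) > limit


if __name__ == "__main__":
    print(is_oversized_community(build_v1_trap(b"public")))    # False
    print(is_oversized_community(build_v1_trap(b"A" * 300)))   # True
```

Every length is bounds-checked against the buffer before it is used, which is the discipline the vulnerable parser presumably lacked; a 300-byte community also exercises the long-form length branch that hand-written decoders often get wrong.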

PacketTrap TFTPD DoS (10/29/2008)

A vulnerability in PacketTrap's TFTPD allows remote attackers to cause the TFTP server to fail by sending it a pipe (|) character as the filename that is being uploaded.
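An added example, not PacketTrap's code or the advisory's: a parser for TFTP read/write requests that flags filenames carrying shell metacharacters, control characters or path traversal, run over a constructed request whose filename is a lone pipe. The metacharacter list and the length limit are assumptions; the advisory only says that a pipe crashes the server, not why.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}
SHELL_META = set("|;&<>`$*?\"'")   # assumed set worth rejecting in a TFTP path
MAX_NAME = 255                      # assumed sane filename length


def build_tftp_request(opcode, filename, mode="octet"):
    """RFC 1350 RRQ/WRQ: 2-byte opcode, NUL-terminated filename, NUL-terminated mode."""
    return struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00" + mode.encode() + b"\x00"


def parse_tftp_request(datagram):
    """Return (kind, filename, mode) for a RRQ/WRQ; raise ValueError otherwise."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        raise ValueError("not a read or write request")
    parts = datagram[2:].split(b"\x00")
    if len(parts) < 3:                       # filename, mode, and the empty tail after the last NUL
        raise ValueError("filename or mode not NUL-terminated")
    filename, mode = parts[0], parts[1]
    return OPCODES[opcode], filename.decode("latin-1"), mode.decode("latin-1").lower()


def suspicious_filename(name):
    """List the reasons a requested filename should be refused (empty list = looks fine)."""
    reasons = []
    if not name:
        reasons.append("empty filename")
    if any(c in SHELL_META for c in name):
        reasons.append("shell metacharacter")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control character")
    if ".." in name.split("/") or name.startswith("/") or "\\" in name:
        reasons.append("path traversal")
    if len(name) > MAX_NAME:
        reasons.append("over-long filename")
    return reasons


def check_datagram(datagram):
    """Parse a request and return (kind, filename, reasons) for logging or blocking."""
    kind, filename, _ = parse_tftp_request(datagram)
    return kind, filename, suspicious_filename(filename)


if __name__ == "__main__":
    print(check_datagram(build_tftp_request(2, "|")))            # ('WRQ', '|', ['shell metacharacter'])
    print(check_datagram(build_tftp_request(1, "firmware.bin")))  # ('RRQ', 'firmware.bin', [])
```

The split on NUL is deliberate: a request that lacks the terminators is rejected before anything looks at the name, so a malformed datagram cannot reach the filename logic at all.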

Why Silent Updates Boost Security (05/10/2009)

Thomas Duebendorfer (Google Switzerland GmbH) and Stefan Frei (Communication Systems Group, ETH Zurich, Switzerland) looked into the performance of Web browser update mechanisms. The analysis of anonymized Google Web server logs allowed them to compare and rank the update strategies deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera.

PDF Silent HTTP Form Repurposing Attacks (05/10/2009)

This paper sheds light on a modified approach to triggering web attacks through JavaScript protocol handler in the context of opening a PDF in a browser.

Frame Pointer Overwrite Demonstration (Linux) (12/03/2008)

This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.

Format String Exploitation Demonstration (Linux) (12/02/2008)

This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.

Hacking SOHO Routers (11/12/2008)

The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing: * Linksys WRT160N

SANS NewsBites (07/01/09)

SANS 2009

More than 35 courses, SANS top instructors, all in one great place! SANS 2009 is being held in Orlando, FL on March 2-9. Register today!

Britain Faces Cyber Threats From China and Russia (June 25,26 & 29, 2009)

British Security Minister Lord West says that Britain faces cyber threats from China, Russia and Al-Qaeda.......

General Alexander Outlines Plans for Cyber Command - and Cyber Education (June 26, 2009)

Lt.......

Max Ray Butler Pleads Guilty (June 29, 2009)

Known computer criminal Max Ray Butler, a.......

Admitted Swatter Draws 135 Month Prison Sentence (June 29, 2009)

Matthew Weigman has been sentenced to 135 months in prison for hacking phone systems and harassing a Verizon investigator.......

FTC Reaches Settlement with Man in Scareware Case (June 26, 2009)

James Reno and his company ByteHosting Internet Services have agreed to pay US $1.......

UK Ministry of Defence Blocks Access to Wikileaks (June 25 & 26, 2009)

The UK Ministry of Defence (MoD) is taking quick action to block access to the Wikileaks website from its computers.......

VIP's Clear May Sell Registered Traveler Data to Another Provider (June 26 & 27, 2009)

Verified Identity Pass's (VIP) defunct Registered Traveler program Clear said it could sell the personal information it collected from customers to another provider of expedited airport security services if the government approves of the arrangement.......

Software Company Under Targeted Attack (June 29, 2009)

The California software company that says some of its code was used in the Green Dam Internet filtering software without permission is under attack.......

Stolen FTP Login Information Found on Server (June 26 & 29, 2009)

Researchers have discovered a server hosted in China that contains more than 68,000 FTP passwords, including a number for well-known sites such as the BBC, Cisco, Amazon and Bank of America.......

Google Briefly Mistakes Spike in Michael Jackson Searches for Attack (June 28 & 29, 2009)

For a short time last Thursday afternoon, the spike in Internet searches about Michael Jackson following the news of his death caused Google to think that it was the target of a distributed denial-of-service (DDoS) attack.......

Former DHS Cyber Security Chief Beckstrom Chosen to Head ICANN (June 26, 2009)

Former US Department of Homeland Security (DHS) National Cybersecurity Center director Rod Beckstrom has been chosen to take over for Paul Twomey as CEO and president of the Internet Corporation for Assigned Names and Numbers (ICANN) when Twomey steps down at the end of the year.......


@RISK: The Consensus Security Alert (07/02/09)


(1) HIGH: Motorola Timbuktu Pro Buffer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

(2) HIGH: HP OpenView Network Node Manager Buffer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

(3) HIGH: Unisys Business Information Server Buffer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

(4) MODERATE: VLC Media Player Buffer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

(5) MODERATE: Baofeng Storm Buffer Overflow Vulnerability

Category: Widely Deployed Software

Affected:

09.27.5 NetBSD "hack(6)" Multiple Privilege Escalation Vulnerabilities

CVEs: CVE: Not Available

Platform: BSD

09.27.10 Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing

CVEs: CVE: CVE-2009-1203

Platform: Cross Platform

09.27.11 Cisco ASA Appliance WebVPN DOM Wrapper Cross-Site Scripting

CVEs: CVE: CVE-2009-1201

Platform: Cross Platform

09.27.12 Cisco Physical Access Gateway Malformed Packet Remote Denial of Service

CVEs: CVE: CVE-2009-1163

Platform: Cross Platform

09.27.13 Cisco Video Surveillance Stream Manager Firmware Denial of Service

CVEs: CVE: CVE-2009-2045

Platform: Cross Platform

09.27.14 Cisco ASA Appliance HTML Rewriting Security Bypass

CVEs: CVE: CVE-2009-1202

Platform: Cross Platform

09.27.15 Apple Safari "CFCharacterSetInitInlineBuffer()" Remote Denial Of Service

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.16 Apple Safari "file://" Protocol Handler Information Disclosure and Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.17 RT "ShowConfigTab" Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.18 Unisys Business Information Server Remote Stack Buffer Overflow

CVEs: CVE: CVE-2009-1628

Platform: Cross Platform

09.27.19 Motorola Timbuktu Pro "PlughNTCommand" Named Pipe Remote Stack Buffer Overflow

CVEs: CVE: CVE-2009-1394

Platform: Cross Platform

09.27.20 VLC Media Player "smb://" URI Handling Remote Buffer Overflow

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.21 Tor Denial of Service and DNS Spoofing Vulnerabilities

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.22 aMSN SSL Certificate Validation Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.23 Gizmo5 for Linux MSN Authentication SSL Certificate Validation Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.24 Trillian MSN Authentication SSL Certificate Validation Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.25 Multiple BSD Distributions "gdtoa/misc.c" Memory Corruption

CVEs: CVE: CVE-2009-0689

Platform: Cross Platform

09.27.26 BaoFeng Storm Playlist File Buffer Overflow

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.27 MySQL Connector/Net SSL Certificate Validation Security Bypass

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.28 Apple QuickTime Malformed ".mpg" File Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.29 Apple QuickTime Malformed ".mov" File Null Pointer Dereference Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.30 Apple QuickTime ".mov" File Denial of Service

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.31 Sun Java System Access Manager Cross-Domain Controller (CDC) Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.32 Pidgin OSCAR Protocol Web Message Denial of Service

CVEs: CVE: CVE-2009-1889

Platform: Cross Platform

09.27.33 TSEP Multiple Remote Vulnerabilities

CVEs: CVE: Not Available

Platform: Cross Platform

09.27.3 Palm webOS Prior to 1.0.4 Multiple Unspecified Vulnerabilities

CVEs: CVE: Not Available

Platform: Linux

09.27.4 Linux Kernel "kvm_arch_vcpu_ioctl_set_sregs()" Local Denial of Service

CVEs: CVE: Not Available

Platform: Linux

09.27.63 Cisco Video Surveillance 2500 Series IP Cameras Remote Information Disclosure

CVEs: CVE: CVE-2009-2046

Platform: Network Device

09.27.6 Sun Solaris "auditconfig(1M)" Command Local Privilege Escalation

CVEs: CVE: Not Available

Platform: Solaris

09.27.7 Sun Solaris Virtual Network Terminal Server Daemon Unauthorized Access

CVEs: CVE: Not Available

Platform: Solaris

09.27.8 Sun Solaris Kernel "udp(7p)" Remote Denial of Service

CVEs: CVE: Not Available

Platform: Solaris

09.27.9 Sun Solaris Network File System Version 4 (NFSv4) Unauthorized Network Access

CVEs: CVE: Not Available

Platform: Solaris

09.27.1 Green Dam Youth Escort "SurfGd.dll" URI Processing Remote Stack Buffer Overflow

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

09.27.2 Green Dam Youth Escort Filter File Processing Stack Buffer Overflow

CVEs: CVE: Not Available

Platform: Third Party Windows Apps

09.27.51 Glossword "index.php" Local File Include

CVEs: CVE: Not Available

Platform: Web Application

09.27.52 PinME! Joomla! Component Arbitrary File Upload

CVEs: CVE: Not Available

Platform: Web Application

09.27.53 PHPEcho CMS SQL Injection and HTML Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

09.27.54 IBM Rational ClearQuest CQWeb Server Cross-Site Scripting and Information Disclosure Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application

09.27.55 Net-SNMP GETBULK Divide By Zero Remote Denial of Service

CVEs: CVE: CVE-2009-1887

Platform: Web Application

09.27.56 2Bgal "admin/phpinfo.php" Information Disclosure

CVEs: CVE: Not Available

Platform: Web Application

09.27.57 LightOpenCMS "smarty.php" Local File Include

CVEs: CVE: Not Available

Platform: Web Application

09.27.58 cPanel "lastvisit.html" Arbitrary File Disclosure

CVEs: CVE: Not Available

Platform: Web Application

09.27.59 DM Albums "album.php" Remote File Include

CVEs: CVE: Not Available

Platform: Web Application

09.27.60 Mahara "Artefact" in Saved View Information Disclosure

CVEs: CVE: CVE-2009-2171

Platform: Web Application

09.27.61 BIGACE Web CMS "cmd" Parameter Local File Include

CVEs: CVE: Not Available

Platform: Web Application

09.27.62 phpMyAdmin SQL bookmark HTML Injection

CVEs: CVE: Not Available

Platform: Web Application

09.27.34 Tribiq CMS Multiple Local File Include and Cross-Site Scripting Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

09.27.35 MyBB Multiple Cross-Site Scripting Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

09.27.36 Sun Java Web Console Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

09.27.37 phpMyAdmin "db" Parameter Cross-Site Scripting

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

09.27.38 Mahara Multiple Unspecified Cross-Site Scripting Vulnerabilities

CVEs: CVE: CVE-2009-2170

Platform: Web Application - Cross Site Scripting

09.27.39 Joomla! Cross-Site Scripting and Information Disclosure Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - Cross Site Scripting

09.27.40 Joomla! "com_amocourse" Component "catid" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.41 Joomla! PinME Component "task" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.42 MDPro Survey Module "pollID" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.43 PHP-Address Book Multiple SQL Injection Vulnerabilities

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.44 Joomla! joomla-php Component "id" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.45 osTicket Staff Username SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.46 Joomla! K2 Component "category" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.47 Joomla! BookFlip Component "book_id" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.48 FireStats Unspecified SQL Injection

CVEs: CVE: CVE-2009-2144

Platform: Web Application - SQL Injection

09.27.49 Simple Machines Forum Member Awards "index.php" SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection

09.27.50 WordPress Related Sites Plugin "guid" Parameter SQL Injection

CVEs: CVE: Not Available

Platform: Web Application - SQL Injection


worm blog (07/03/09)

Facebook Worm? (03/28/2008)

Details are sketchy at this point, but is Facebook undergoing an XSS worm attack? I checked with my Aunt, and she thinks someone may have stolen her password and hijacked her account to send out those messages to all her...

Writing A Modular Universal XSS Worm (01/27/2008)

With the recent Orkut worm, and a few MySpace worms, web/XSS worms are a very interesting topic. Here's an attempt by someone on the Ph4nt0m group discussion site who is trying to create a sustainable, growable XSS worm. It seems that the...

VB2008 call for papers (01/25/2008)

The Virus Bulletin conference is coming up later this year, but the call for papers closing is only a month and a half away. VB is a nice, fun conference where a lot of top - and rising - AV...

LEET '08 Call for Papers (01/05/2008)

The First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08) has a CFP that closes soon. From the CFP: Overview As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive...

Diminutive XSS Worm Replication Contest (01/05/2008)

A friend pointed this out to me. Evidently the Sla.ckers.org website is hosting a "Diminutive XSS Worm Replication Contest". Their mission: to see who can write a new XSS worm (like the MySpace one, the recent Orkut one, etc). The...

The 5th ACM Workshop on Recurring Malcode (WORM 2007) (05/24/2007)

Morning, everyone. I know Wormblog has been very, very silent lately as I've been very busy with work. However, I'll wake it up and post a conference call for papers that applies here. I'm on the PC for WORM07, so...

Grey Goo hits Second Life (11/20/2006)

This isn't the first time a worm (self-replicating code) has hit a large online game, and it won't be the last. Via various news outlets (like this BBC story, Slashdot, and the official Second Life blog: [PST 2:44PM]...

Hacking the Malware? A reverse-engineer's analysis (11/08/2006)

A nice, thorough analysis of a Yahoo! instant messaging worm by Rahul Mohandas, showing how he decoded the exploit, reverse engineered it, and its effects. Very good example, and something you can learn from. This paper attempts to document an...

A spread model of flash worms (11/07/2006)

I can't let another week go by and not post a paper on worm modeling. This one looks at a more rigorous model of how a "Flash Worm" would work. Some decent math; it's worth the effort to make sure...

And you thought you were safe after SLAMMER, not so, Swarms not Zombies present the greatest risk to our national internet infrastructure (11/06/2006)

I had a great time at WORM06 in Fairfax last week, and in my scramble to get work done in preparation for a day out of the office Wormblog updates slipped. This paper comes from a conference on swarm intelligence...

Donna's SecurityFlash (07/03/09)

China Testing Mac Version of Green Dam Web Filter (07/03/2009)

China's Ministry of Industry and Information Technology says the Green Dam mandate has only been delayed. Publisher Jinhui Computer System Engineering is reportedly testing a version of Green Dam for Apple's Mac computers, which have been exempt. Tests found Green Dam to be vulnerable to malware and ineffective, even blocking images of Garfield.

http://www.newsfactor.com/news/Mac-Version-of-Green-Dam-Expected/story.xhtml?story_id=0030006966ZO&full_skip=1

SMS Remote Code Execution Vulnerability in iPhone (07/03/2009)

Charlie Miller, a well-known security researcher who specializes in Mac and iPhone security, yesterday revealed information about a new vulnerability in iPhone that allows remote code execution via SMS. Not a lot is known about the vulnerability, which was announced at the SyScan conference in Singapore, except that Charlie is working with Apple to get it fixed as soon as possible.

This is about as bad as it gets as the vulnerability seems to allow unsigned code to run which circumvents a core part of iPhone's security model. It's usually only able to run signed code, i.e. Apps that have been approved by Apple. No user-interaction is required which is unlike current mobile malware.

http://www.f-secure.com/weblog/archives/00001714.html

Comodo removed Ask/IAC SafeSurf Toolbar by replacing it with HopSurf/IAC/Ask Toolbar (07/03/2009)

So Comodo's promise to remove the SafeSurf Toolbar happened, but not to finish their agreement with A$k/IAC.  Instead, the new version of Comodo is now bundled with the HopSurf Toolbar, which is IAC/Ask.com too.  The installer became worse because there's no EULA presented, in addition to the known method of misleading people by offering an unnecessary third party service/component in a SECURITY software.  Note that it is security software that should offer a clean installer, no?

Screenshots at http://www.calendarofupdates.com/updates/index.php?s=&showtopic=19279&view=findpost&p=83848

Their announcement says:

What's New In 3.10.101801.529?
==============================
NEW! COMODO Secure DNS is introduced as a new free service
NEW! COMODO HopSurf Toolbar - COMODO SafeSurf Toolbar has been discontinued and superseded by COMODO HopSurf Toolbar
NEW! CIS now allows the users to change the URL for the program and virus updates
IMPROVED! CIS now has a better support for Windows Security Center integration in Windows Vista SP1 and later
IMPROVED! AV engine now supports more archives and has better detection capabilities
IMPROVED! Direct disk access false alerts have been reduced
FIXED! Some applications do not run when CIS is installed in Vista 64 bit
FIXED! Antivirus scans excluded folders
FIXED! Firewall does not show some connections under high load
FIXED! Firewall sometimes causes the PC to freeze in windows XP 32
FIXED! cfp.exe crashes when HIPS alerts timeout

http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/comodo_internet_security_310101801529_released-t41954.0.html

That NEW! COMODO Secure DNS is introduced as a new free service is from DNSadvantage.com/Neustar, Inc. and again, this NEW! COMODO HopSurf Toolbar - COMODO SafeSurf Toolbar has been discontinued and superseded by COMODO HopSurf Toolbar means you need to agree with the EULA (not included in the installer) in using the Ask Toolbar/IAC/Ask.com service.  See HopSurf EULA online: https://accounts.comodo.com/hp/management/eula or http://www.hopsurf.com/license.jsp

Sunbelt partners with StopBadware.org (07/01/2009)

New partner, new site reports
We're very pleased to announce that, as of today, Sunbelt Software has joined Google as a data partner, providing updated data about badware websites to our Clearinghouse. (See the press release.) Sunbelt's research director, Eric Howes, has helped us out for a long time as part of our working group, and it's great to have the company on board in a more formal way. The new data allow us to extend and deepen our analysis of, and insight into, the badware website landscape.

http://blog.stopbadware.org/2009/06/30/new-partner-new-site-reports
http://www.stopbadware.org/home/pr_06302009
http://www.sunbeltsoftware.com/Press/Releases/?id=291

Kaspersky vs Zango (07/01/2009)

Kaspersky Lab court ruling sets precedent for the anti-malware industry

Kaspersky Lab, a leading developer of secure content management systems, informs that the 9th U.S. Circuit Court of Appeals has ruled in Kaspersky Lab's favor in claims brought by Zango.

In a precedent-setting case for the Internet security industry, the 9th U.S. Circuit Court of Appeals ruled last week that Kaspersky Lab is entitled to immunity under the safe harbor provision of the Communications Decency Act from a suit claiming that its software interfered with the use of downloadable programs by customers of Zango.

The court ruled that Kaspersky Lab, which classified online media company Zango's software as malware and "protected" users from it accordingly, could not be held liable for any actions it took to manufacture and distribute the technical means to restrict Zango software's access to others, as Kaspersky Lab deemed it "objectionable material."

Zango sued Kaspersky Lab to force the company to reclassify Zango's programs as nonthreatening and to prevent Kaspersky Lab's security software from blocking Zango's potentially undesirable programs. In a landmark ruling for the anti-malware industry, the 9th U.S. Circuit Court of Appeals affirmed a lower court ruling that Kaspersky Lab is a provider of an "interactive computer service" as defined in the Communications Decency Act of 1996.

The court decision stated: "Kaspersky contends that Zango's software is adware, and possibly spyware. Spyware, which is often installed on a computer without the user's knowledge or consent, covertly monitors the user's activities and exposes the user to the risk that his or her passwords and confidential information may be stolen… As its software qualifies, Kaspersky is entitled to Good Samaritan immunity."

The ruling protects a consumer's choice to determine what information and software is allowed on their computing systems, and protects the ability of anti-malware vendors to identify and label software programs that may be potentially unwanted and harmful to computer users. Kaspersky Lab's software is designed to do just that. Users can adjust the settings to allow certain programs of their choice to come through at all times.

http://www.kaspersky.com/news?id=207575851

Congratulations for your MVP Award, Steven Burn (07/01/2009)

Our friend Steven Burn is now a Microsoft MVP.  He received the award today in the Consumer Security category of the Microsoft MVP Program.

My Congrats to you Steven!

http://www.calendarofupdates.com/updates/index.php?showtopic=21050

Dell published the Windows 7 upgrade program today (06/25/2009)

http://en.community.dell.com/blogs/direct2dell/archive/2009/06/25/dell-and-the-windows-7-upgrade-program.aspx

Windows Live Messenger 10th Anniversary - next month (06/25/2009)

Windows Live Messenger Team blogs the 10th anniversary of Windows Live Messenger -> July 22, 2009

The Countdown to the Windows Live Messenger 10th Anniversary begins

Windows Live Messenger blog

My wish:  Happy Advanced Anniversary!

My wishlist:  Please release a standalone installer of Windows Live Messenger without the need for people to get it one by one: http://messengergeek.spaces.live.com/blog/cns!E3785B1281BBDA1!1723.entry (Thanks to Microsoft MVP Jonathan Kay for the nice work!)

Pre-order Windows 7: 50% discount (06/25/2009)

Finally, as a way of saying thank you to our loyal Windows customers, we are excited to introduce a special time limited offer! We will offer people in select markets the opportunity to pre-order Windows 7 at a more than 50% discount. In the US, this will mean you can pre-order Windows 7 Home Premium for USD $49.99 or Windows 7 Professional for USD $99.99. You can take advantage of this special offer online via select retail partners such as Best Buy or Amazon, or the online Microsoft Store (in participating markets).

This program begins tomorrow in the U.S., Canada and Japan. The offer ends July 11th in the U.S. and Canada and on July 5th for Japan, or while supplies last. Customers in the UK, France and Germany can pre-order their copy of Windows 7 starting July 15th, and the offer will run until August 14th (or while supplies last) to ensure folks don't miss out on this. Act fast if you want to be the first in line to get Windows 7 at this screaming deal! Note: The special low pre-order price will vary per country.

I missed the above message. Thanks to CoU member, Weasel for noting it!

Software add-in with add-on (06/25/2009)

Many people are not happy to receive a new PC with many crapplications.  What they do is reformat the new hard drive and do a fresh install of the system, or they use PC Decrapifier to remove the crapplications.

Many of us are not happy to see installers of software that have add-ons.  Those add-ons are either third party or from the same vendor, and they are not always needed to run or operate the program that you want to install.  See the growing number of software with add-ons at Calendar of Updates.

Today, I decided to check for updates for Windows (I have it turned off since I check for updates all the time anyway).  What WU offered to me is an optional Office Live add-in with an add-on!

People have to deal with or watch for so many add-ons and add-ins already :(

Microsoft Security Beta 'Sells Out' Within 24 Hours (06/25/2009)

The beta version of Microsoft's security software is a hit. The software giant announced Wednesday on its Web site that it had reached the U.S. limit on downloads for Microsoft Security Essentials -- which was only made available Tuesday.

The general release of the free software is expected this fall.

"Alert!" said a posting on the Web page for the security software. "Thank you for your interest in joining the Microsoft Security Essentials Beta. We are not accepting additional participants at this time. Please check back at a later date for possible additional availability."

Limit Reached Within 24 Hours

The beta became available Tuesday morning and reached the limit for the U.S. and Israel within twenty-four hours. Microsoft had said it would allow 75,000 downloads for users in the U.S., Israel and Brazil.

According to news reports, the limit for the U.S. and Israel was reached at about 5 a.m. PDT Wednesday. The limit of 20,000 downloads for Brazilian users hadn't been reached, meaning 55,000 downloads were reserved for U.S. and Israel.

http://www.data-storage-today.com/news/PC-Security-Beta--Sells-Out--Quickly/story.xhtml?story_id=12100BSDE5OU

A dangerous mix: Twitter auto feeds combined with 140,000 followers (06/25/2009)

It's a dangerous combination: 140,000 followers and a Twitter account that generates its Tweets from other pages via auto feeds. Unknown attackers have exploited the Twitter account of venture capitalist and former Apple evangelist Guy Kawasaki to spread links to malware. The link in a Tweet allegedly led to sex videos involving American actress and singer-songwriter Leighton Meester: "Leighton Meester sex tape video free download!"

http://www.h-online.com/security/A-dangerous-mix-Twitter-auto-feeds-combined-with-140-000-followers--/news/113617

Leighton Meester sex tape lure spreads Mac and Windows malware to Twitter users
http://www.sophos.com/blogs/gc/g/2009/06/24/leighton

Microsoft Outlines Revenue Recognition for the Windows 7 Upgrade Option Program (06/25/2009)


Microsoft Corp. today announced the start of the Windows 7 Upgrade Option program enabling consumers and small businesses to receive Windows 7 when they purchase a qualifying Windows Vista personal computer starting June 26, 2009. Under the program, designated PCs pre-installed with premium versions of Windows Vista will qualify for licenses of the equivalent Windows 7 product.

For more details on Windows 7 pricing and offers please see the company's announcement at www.windowsteamblog.com

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/06-25-2009/0005050378&EDATE=

http://www.microsoft.com/Presspass/press/2009/jun09/06-25Windows7UpgradeOptionPR.mspx

http://windowsteamblog.com/blogs/windows7/archive/2009/06/25/announcing-the-windows-7-upgrade-option-program-amp-windows-7-pricing-bring-on-ga.aspx

Check out the New Windows 7 Packaging

Microsoft Hohm (06/25/2009)

Microsoft Corp. today announced Microsoft Hohm, a new online application that enables consumers to better understand their energy usage, get recommendations and start saving money. Microsoft Hohm uses advanced analytics licensed from the Lawrence Berkeley National Laboratory and the U.S. Department of Energy to provide consumers with personalized energy-saving recommendations. Microsoft Hohm is an easy-to-use tool that helps consumers lower their energy bill and reduce their impact on the environment. The beta application is available at no cost to anyone in the United States with an Internet connection and can be accessed directly by visiting http://www.microsoft-hohm.com

http://www.microsoft.com/presspass/press/2009/jun09/06-24EnergyUsagePR.mspx

Kaspersky released 2010 editions of KAV and KIS (06/24/2009)

The new version 2010 products incorporate the advantages of advanced Host-based Intrusion Prevention System (HIPS) technology in the Application Control module that assigns a security rating to previously unknown malware; unique Sandbox technology embodying virtualization technologies and providing a dedicated secure runtime environment; and the innovative Kaspersky Security Network that uses information from millions of users to dramatically reduce response times to new threats and replenish reputation databases with the most up-to-date information about clean and infected files.

The version 2009 products that were released last summer for personal use have won recognition from tens of millions of users all over the world, demonstrated their efficiency and reliability in hundreds of comparative tests, and established themselves as leaders in the global market. They are now succeeded by the new Kaspersky Lab products Kaspersky Internet Security 2010 and Kaspersky Anti-Virus 2010, based on the very latest developments in IT security.

An even more secure environment is provided in Kaspersky Internet Security 2010 as the product integrates the "Safe Run" functionality based on the new Sandbox technology - unique for the Internet Security Suites product range. "Safe Run" enables the user to run new software in an isolated environment that protects the operating system from all malicious changes. Statistically, it has been demonstrated that vulnerabilities in operating systems and trusted applications are often exploited by hackers to attack applications that make use of the Internet.

The "Safe Run" function makes surfing the Internet using various web browsers much safer and easier, as well as allowing any number of other applications to be run simultaneously. A green border around the application window also makes it easy for the user to see that it is protected.

http://www.kaspersky.com/news?id=207575849

I'm so interested in that Safe Run feature!

NOTE: Existing users of the 2009 and v7 editions are eligible for a free upgrade to the 2010 editions as long as the license/subscription is active.  http://www.kaspersky.com/support/kis2010/license?qid=208280369

BING-VS-GOOGLE (06/24/2009)

BING-VS-GOOGLE.COM (that's http://www.bing-vs-google.com/)

Search or compare the search results using two engines - the popular one vs the new decision 'search' engine.

Thanks to Tom Kelchner @ Sunbelt Blog

Office OCX WordViewer.OCX Word Viewer ActiveX Multiple Vulnerabilities (06/24/2009)

Vulnerable: 
Office OCX Word Viewer 3.2.0.5
Office OCX Word Viewer 3.2

Word Viewer ActiveX control is prone to multiple denial-of-service and code-execution vulnerabilities.
Exploiting these issues allows remote attackers to crash applications that employ the vulnerable controls (typically Microsoft Internet Explorer). Attackers may also execute arbitrary code in the context of an affected user.

Word Viewer ActiveX Control 3.2.0.5 is reported vulnerable; other versions may also be affected.

http://www.officeocx.com/Word_ActiveX.htm
http://blog.trendmicro.com/another-messy-mass-compromise-emerges/
http://moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html
http://www.securityfocus.com/bid/23784/discuss

Adobe Security Bulletin: APSB09-08 (06/24/2009)

A Security Bulletin has been posted for Shockwave Player. Adobe is not currently aware of any exploits in the wild for this issue.
http://blogs.adobe.com/psirt/2009/06/security_bulletin_adobe_shockw.html
http://www.adobe.com/support/security/bulletins/apsb09-08.html

Make sure you have the latest version of Adobe Shockwave Player.  The current version is 11.5.0.600.  You can get it from http://get.adobe.com/shockwave/

We have this update in the calendar of updates: http://www.calendarofupdates.com/updates/index.php?showtopic=20544

Twitter users offered security plug-in (SecureTwitter) (06/23/2009)

As Twitter becomes increasingly abused by hackers, Finjan Software has released a free browser add-on with a new feature that scans links and warns if they point to a page containing malware.

The SecureTwitter component is wrapped into SecureBrowsing, a plug-in for either the Firefox or Internet Explorer browsers, said Yuval Ben-Itzhak, Finjan's CTO.

SecureTwitter is designed to warn people about links that people post on the micro-blogging service. Because of Twitter's 140-character limit, most of the URLs posted have been shortened using services such as Bit.ly or TinyURL.

http://securebrowsing.finjan.com/
http://www.techworld.com/security/news/index.cfm?NewsID=117948

Microsoft Security Essentials Beta is now available (06/23/2009)

http://www.microsoft.com/security_essentials/
Download via Connect (survey is offered to you before you can download):  http://go.microsoft.com/fwlink/?LinkID=153446


MoMusings@Arachnid.homeip.net

This Blog Has Moved!

The server that this blog used to run on has suffered a hardware failure. Please use the alternative server here momusings.blogsome.com. Apologies for any issues this may cause.

Packet Storm Security Headlines (07/03/09)

Month Of Twitter Bugs Exposes Microblogging Flaws (07/03/2009)

Symantec's Ramzan On Solving The Antivirus Puzzle (07/03/2009)

Researchers Warn Of Critical iPhone Vulnerability (07/03/2009)

Hackers Crack ColdFusion (07/03/2009)

Bomb-Detection CEO Named New Darpa Boss (07/02/2009)

Boomerang Attack Against AES Better Than Blind Chance (07/02/2009)

Manchester City Council Pays $2.4m In Conficker Clean Up Costs (07/02/2009)

Apple Fixing iPhone SMS Security Hole (07/02/2009)

Hacker Robs Bullitt County Of $415,000 (07/02/2009)

Security Guard Charged With Hacking Hospital Systems (07/02/2009)

Spam Levels Bounce Back After Botnet Takedown (07/02/2009)


Owned By KAT


Sunbelt Blog (07/03/09)

Pornography, government and the Internet

Chinese government delays Green Dam requirement (maybe forever)

You have no privacy: What you buy may affect your credit

StopBadware.org and Sunbelt Partner to Fight Badware

Michael Jackson spam loads zbot - don't go there

Dangerous new spam run infects users through PDF exploit

ByteHosting rogue firm settles with FTC for $117K

Spear phishing attacks reported at U.S. company whose code was ripped off for China's Green Dam spyware

Useful Gmail security feature

Zango v. Kaspersky

Julie Amero case featured in new forensic book

Your summer reading: a Month of Twitter Bugs

Web 2.0 propaganda posters

Facebook's testimony to the House

Email logs can tell more than you might expect

Using live.sysinternals.com as an ad-hoc analysis toolset

Authoritarian states just aren't what they used to be

Why Shavlik went with Sunbelt

Hiding from Spambots: "Munging" Your Email Address

Bing Vs. Google

Beginner's Guide: Is that a real anti-malware product?

The spam crisis in China

50 ways to inject your SQL

Botnet owners Unite!

Green Dam = Spyware


Public Relations and Publicity Blog (06/12/09)

Protecting Your Brand Name Online

Where will you be at midnight tonight? May I suggest that you may want to consider being at your computer at that time? Why? Because Facebook has something going on at that time that is vital for you personally and your business that's far more important than sleeping ever will...

Twitterable? What To Twitter About

A great deal of your success on Twitter is based on what you choose to Twitter about. We covered this a bit in last week's article, but it's worth reconsidering and going deeper. The key is to recognize that every follower you have on Twitter is earned, and that every...

How To Annoy Your Customers

I sometimes wear ties. Mind you, I'm dragged kicking and screaming into the ancient and abominable art of male torture through neck binding, but I still occasionally put one on. And I get bored with them, so I'm always on the lookout for good looking ones. So when I saw...

Using Twitter To Gain Publicity

Are you actively using http://www.twitter.com to build your business? If you're not, you're probably making a huge mistake. Twitter, in case you're not aware, is a service where people post up to 140 character updates on topics of interest to them. Those updates go out to the people who have...

What is meant by the terms boilerplate language and Safe Harbor Statement in a media release?

Boilerplate language: Boilerplate language in a media release refers to what is traditionally the final paragraph of the release, which provides generic information about the company. It usually tells whether the company is publicly or privately traded, its stock ticker, where it's based, the brands it owns, what it does,...

How To Profit From Obama's Economic Stimulus Program

It seems you can't turn anywhere today without bumping into talk of economic stimulus. Whether you'll be entitled to some of that money or not, you can use it to build your business. How? Through using it to get more PR! Here are some story pitches that astute marketers like...

The power of bloggers to increase even further

"The power of bloggers to influence thought, to reach large numbers of people and even to eclipse the impact of traditional media is huge and will grow even larger in the near future," Blogging and Social Media expert Don Crowther announced today at the 2007 Blogword and New Media Expo...

Using online video to promote a launch

Using outrageous online video to promote your business When Andy Jenkins wanted to promote the product improvements in his online traffic and conversion training system called StomperNet, he decided to use a powerful new online tool - online video. As a marketing professional, you're probably already aware that: - Video...

Creating Advertising That Offends Your Customers: I Don't Get It

I was shocked this week to see an ad by Ford for their Mustang. It shows a father and son in a dark parking lot. The son's driving, he peels out, runs a bit, then stops. The father turns to him and says "That's what I'm talking about. This is...

Tips For Using People Photos That Get Results

Want to use a picture of a person in your marketing? Here's how to make your choice. Psychological and marketing studies tend to reveal similar results, which state that when you choose a picture for an advertising or publicity campaign look for: (Please don't consider this sexist or get offended,...

What's That Again? How To Have A Long Marriage...

Here's an announcement about a 40th wedding anniversary: "Mr. And Mrs. Ron Tennell of Flat Rock are celebrating their 40th wedding anniversary. She is taking a trip to Europe while he will be gambling on a riverboat in southern Indiana." Isn't it nice to see a close couple? :...

New Program Simplifies Online Advertising

Those of you who have been in contact with me for awhile know that I'm a huge fan of pay per click marketing. It's one of the greatest marketing tools currently available to generate huge numbers of targeted potential buyers to your webpage or online sales letter. One of the...

Removing Fear Through Effective Public Relations

I like my neighbor, with one small exception - he raises pit bulls. He's got 8 of them, with 3-4 rotating in to live right next door all the time. Justified or not, the entire neighborhood is scared of them, with parents being unwilling to let their kids play outside...

Our Favorite Online Press Release Distribution Services

One of the most frequently asked questions we receive is which press release distribution service we recommend. First, let me make a distinction. We have found that there are two types of press release distribution services. - Ones that get your release out to lots of different sites on the...

What's That Again - Please Drive Safely

A recent study designed to measure whether people perceived men or women to be safer drivers came up with an interesting answer: "As a passenger, I feel safer with: 35% a male driver 23% a female driver 42% other" What's an other? Apparently, whatever they are, they drive really safely!...

1 Raindrop (07/03/09)

Re-branding security "policy" (07/01/2009)

In my experience the concept of "policy" is a hard one for many developers to get their heads around; they don't immediately grok what "policy" is or what it's supposed to do, and it conjures up Eastern European Cold War regimes. Unfortunately policy is a central concept throughout information security. I have been thinking that we need another way to express the same concept to developers. What developers really interact with are Policy Enforcement Points, Policy Decision Points, and Policies....

Radical Transparency (07/01/2009)

Inspired by the new federal IT dashboard, here is a sample infosec dashboard that details where information security groups elect to invest their shareholders' money

Using Attack Surface in Threat Models (06/30/2009)

Last week, I blogged about using threat models to identify and locate countermeasures. Now, I would like to add a little more detail and context. Recall, the purpose of the threat model is to map threats to countermeasures, but the catalyst comes through some part(s) of the attack surface. There are several attack surface models out there; I use a simple one where the attack surface is the sum of the data + method + channel, that entail the ways...

MetriCon 4.0 Preliminary Agenda (06/30/2009)

MetriCon and the SecurityMetrics list have for several years been host to the most interesting discussions on Security Metrics. This year the MetriCon 4.0 Workshop will be held on Tuesday, August 11, 2009, in Montreal, Quebec, co-located with the USENIX Security Symposium. The formal Call for Participation is still available for your review. As with all MetriCon events, MetriCon 4.0 is by invitation; invitations for attendance-only remain available. If you wish to attend, communicate via email to the MetriCon 4.0...

Analytical Mindset (06/27/2009)

From Michael Santoli in Barrons IN TALKING TO MARKET PEOPLE OVER THE YEARS, it's clear that the sharper traders and more astute analysts share a couple of traits. The first is to inquire, "What are you hearing?" before they offer their view, and the second is to ask, "Where could I be wrong?" after they do. The article goes on to discuss "the spirit of challenging the assumptions of the comfortable consensus"; asking the "where could I be wrong?" question...

Richard Monson-Haefel on 9 Things Every Software Architect Should Know (06/26/2009)

Last night, I saw Richard Monson-Haefel talk on 9 things every software architect should know. The funniest line was on EJB: "I feel like I had a kid and he grew up and went on a crime spree". Richard's list of 9 things: 1. People are the platform (ui is often the weakest link) 2. "All solutions are legacy" (My old partner used to say nothing more permanent than a temporary solution) 3. Data is forever (everything changes - new...

Floors and Ceilings (06/24/2009)

Heartland update from WSJ: Heartland Gets Religion on Security Aside from the scale, the breach stood out from the hundreds of others reported each year because Heartland had recently passed a security audit. Carr says that one lesson he's learned from the breach is that the industry's security standard, called Payment Card Industry or PCI, doesn't go far enough. It's the "lowest common denominator," he says, adding that the audit didn't detect the vulnerability that led to the hack even...

Using Threat Models (06/22/2009)

Threat models are a very good way to turn implicit security threats and mechanisms into explicit threats and mechanisms, so that you can write requirements, build, and test that they do the job you intend. As a starting point, I like to use a modified version of STRIDE, which among other things cleanly maps threat to mechanism. This way, when starting a new project, for example with SOA Web services, you can identify where the standards will help you. Threat...

Twitter-enabled Information Disclosure in Sports (06/18/2009)

In one of my favorite Richard Thieme talks at Black Hat, he exhorted us to look to the edges to find where the new realities are forming. The consensus reality of today is one thing, but the new realities creep in from the edges outside of today's norms. Sports has been one area in American life where we can clearly see this happen. We had Jackie Robinson breaking the color barrier in baseball long before Martin Luther King Jr...

Still Waiting to Meet a Developer Who Wants to Write Insecure Code (06/12/2009)

A somewhat common refrain that you hear from security thought leaders is that secure coding is too hard and we shouldn't even bother trying. I have never understood this stance. Of the thousands of developers I have met, trained and worked with, I am still waiting to meet the first one who actually wants to write weak, insecure code. Sure, lots of systems are poorly designed, but just because we have always built our cities out of wood does...

Allen's Blog (06/09/08)

Too Much of a Good Thing......? (05/20/2007)

Historians (especially economic historians) widely believe that nations that discover a single huge natural resource (e.g., oil or gold) always rue the day. For several reasons (in addition to the crippling corruption that always occurs), the natural resource skews (screws...

Clothes (Online) Make the Man (05/18/2007)

The other day, there was a bunch of news coverage (here's the article in the Financial Times) of a recently-released report from Shop.org about how consumers (in the U.S.) spent more in 2006 on clothes and accessories (e.g., shoes) than...

Size Matters (05/15/2007)

Time is the entrepreneur's most precious commodity. For most entrepreneurs, the VC fundraising process is very time-consuming. Bad combination. In an attempt to help, I have previously offered tips to entrepreneurs on navigating the VC process -- The Ten Commandments...

"Unsubscribe" Dynamics (05/11/2007)

I'm looking for advice on prudent use of the Unsubscribe button on commercial spam. As does everyone these days, I get a lot of spam (and that, even though, here at Mayfield, we have deployed every anti-spam technology known to...

Ad Spend Cut in Half? (05/08/2007)

There is a well-known lament by advertisers: I know half of my advertising spend is wasted; I just don't know which half. This is usually attributed to one of three famous, early entrepreneurs of mass consumer product companies and retailers,...

Fidelity vs. Convenience (05/06/2007)

Recently, I've been considering investment opportunities in entertainment media (as part of some broader thinking about how brand advertising (as opposed to performance-based advertising) will move online). In connection with that, I've been also musing about whether there is a...

Keep the Faith (01/22/2006)

I spend a lot of time with internet consumer services startups. Currently, a meme circulating in this area is whether something fundamental has changed in the paths to liquidity open to startups in this space -- a fundamental change that...

The Problem of the Forgotten Founder (08/21/2005)

Some more thoughts on carefully choosing your co-founders. Startup teams form in many different ways. Often, the "core" founder does some homework and recruits the founding team. Sometimes, teams are, more or less, recruited by a VC who has a...

More on "Tough Questions" (08/14/2005)

In my last post, I advised entrepreneurs seeking VC funding to think carefully about choosing their co-founders. I claimed this decision is often gotten wrong and that, not infrequently, one or more co-founders leave the company with an amount of...

Some Tough Questions You Should Ask (07/05/2005)

If you want to raise money from VCs, here's a really tough, really important question you ought to ask yourself very early in the process: "How many co-founders should I have?" Having the wrong "answer" to this question can make...

Security Blog (12/13/05)

Cool tool - cutter (12/13/2005)

Came across a cool tool today for Linux firewall admins: cutter. Heard of it? It allows you to "cut" internet connections on a firewall. Something like:

# cutter 192.168.2.55 3400

That kills all network connections from 192.168.2.55 using port 3400. A simple tool, but something I could use several times a week. Link - via digg.

On an unrelated note, I hope to transition this feed over to the main site, under a specific article category. I recommend subscribing to the new feed now so you don't miss the switch.

Cell phone tracking (12/11/2005)

This report seems to be generating a lot of buzz, I'm not sure why. I guess most don't understand the cellular infrastructure enough to know this has been going on for years. Certainly real time tracking is possible, but I'd be more curious to see the log retention policies of the large wireless companies. Since most people leave their cells on 24/7 (thanks to extended batteries), it's quite possible that a company w/ a 6 or 12 month archive could create an amazingly accurate map of your life. I'll have to research the technical aspects of the 3rd generation wireless rollouts happening now (EVDO, EDGE, etc) - but my initial guess would be that these require more towers creating a denser coverage map. This increase certainly generates an even more accurate tracking model.

New site and podcast (12/08/2005)

Hey all - it's been a while. In case you didn't notice, we redesigned the main site. I'm not sure how this will affect the security blog just yet, I might move the feed over to the new site based on sections - we shall see. But I'll post any changes here. Please check it out. Also - starting a new feature: podcasts. The first episode of Taming Tech deals with content management systems, but security themed episodes are forthcoming. Check it out!

Sony rootkit thoughts (11/20/2005)

Bruce Schneier nails the Sony rootkit story. I didn't pay much attention to it, because I haven't purchased a CD in close to 2 years (thanks iTunes). But I skimmed the news stories coming out and each time my jaw dropped a little further: 500k machines infected including government boxes, cloaking software, Sony's CEO making silly statements... But the real story, as Bruce Schneier points out - why the hell didn't any Antivirus software (or IDS for that matter), detect this software sooner? We are collectively paying these companies billions of dollars for what?

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

Thanks Bruce, for shining a light on the overlooked aspect of the Sony story. It's really making me rethink our industry's so called defense mechanisms.

Hackers and Crime (11/17/2005)

An OK article that reiterates what I have feared for quite some time. We've moved past the nerdy age of hacking. They're becoming more sophisticated and zeroing in on profit...

Forget the outdated hacker image of a spotty anarchic teenager holed up in his bedroom defacing the Web sites of global organisations, today's hackers are not only older but more determined than ever to claim your cash and identity.

Internal database abuse (11/14/2005)

Scary article from the Post Dispatch on internal database abuse, this time by a police officer.

...ran a heroin distribution ring that was violent and tightly knit, making it difficult for informers to penetrate it, federal authorities say.

The gang also had a secret weapon: It cultivated a police officer to dig into a law enforcement database to figure out which of its customers might be undercover informers...


But I'm not sure I agree with the chief of police's comments:

"This case personifies exactly the effectiveness of the system," the chief said. "We had intelligence that somebody was running people's names involved in narcotics cases without a legitimate reason, and we ran those names and found out who it was, and took the appropriate action."

Mokwa said officers use REJIS on a daily basis, and tightening security would be burdensome. "You have to rely upon the integrity of officers to use the system properly," he said. "To change it, you would have to restrict their access."


To suggest that there's no room for improvement in security is silly. Sure - they found out that someone was running inappropriate queries - but how long did it take them? What kind of details were they able to reveal? How could the whole thing have been prevented? Such an attitude cannot be comforting to undercover officers in the field...

Lynn update (11/08/2005)

This made me smile. Glad to see he's back on his feet.

Michael Lynn, the hacker who hit the headlines in July for exposing a Cisco router flaw is now employed by arch-rival Juniper, according to the vendor. Juniper declined to reveal what role Lynn is occupying.

The security researcher was dramatically sued by Cisco earlier in the year after he discovered a Cisco router IOS flaw and defied the networking giant and then-employer ISS to publicise the flaw at a hacking convention in Las Vegas.

Lynn was widely regarded as a hero by many in the internet community in the wake of the scandal but many doubted if he could again find gainful employment as a security researcher.

For its part, Cisco was widely castigated for its heavy-handed tactics in stopping Lynn from further publicising his findings, with some commentators suggesting that the internet could be at threat if similar whistle-blowers are discouraged to come clean on flaws.

RedTeam (07/03/09)

BruCON Appetiser (07/03/2009)

We at RedTeam are really looking forward to BruCON, which is bound to happen in a little less than three months, so we eagerly follow the BruCON Blog. Maybe that’s why we were the first to solve the PDF reverse engineering challenge they posted a couple of days ago. Apart from the fun diversion [...]

Tidy up! Your web app looks like a hog house! (06/23/2009)

When you’re doing a lot of pentests, you have your standard procedures on how to approach a new test. There is of course always the creative approach, finding the unusual bugs and vulnerabilities, the whole “thinking outside the box” thing. But let’s be honest: A thorough pentest is not all fun and games. There’s also [...]

Advisory Release Policy (06/16/2009)

When RedTeam finds vulnerabilities in some generally available software, we go the usual way of writing advisories. These findings usually occur during pentests. We of course do not immediately release whatever we found to the public, but go through a process I want to describe in a little bit more detail here. I’m doing [...]

DEFCON 17 CTF Qualifiers (06/10/2009)

Last weekend, members of RedTeam, of the mwollect Alliance and a few other people from Aachen participated in the DEFCON 17 CTF Qualifiers. The team hosting the DEFCON CTF this year provided fun challenges of varying difficulty. Minor quirks were the Java-Applet based scoring system that was quite unresponsive at times, the fact that only [...]

“Who’s the JBoss now?” Whitepaper released (06/04/2009)

We finally released the Whitepaper for our JBoss Application Server talk (the one we held e.g. at the hack.lu 2008 and the 16th DFN-CERT). The paper gives you a more detailed overview about the JBoss AS internals we used in the attacks, as well as a complete description of the individual exploitation techniques. The only catch [...]

Talk at the IHK Aachen (06/02/2009)

On June 17th 2009, we will give the talk “Sicherheit und Industriespionage: Ein Realitätsabgleich” (in German) at the IHK Aachen. The event happens together with the Verfassungsschutz NRW (North Rhine-Westphalian office for the protection of the constitution) and the Landesinitiative secure-it.nrw. The talk focuses on examples from penetration tests and real cases of industrial espionage. [...]

Better be Safe (05/25/2009)

As seen on a hoster’s website explaining how to use PuTTY on Windows to connect to their serial console: I’m convinced greying out the server’s key fingerprint will make sure those pesky hackers won’t mess with the system…

New RedTeam Homepage Design (05/14/2009)

The new design for RedTeam Pentesting’s homepage is finally online. Took us a while, as normal office life is quite busy and we did the whole technical stuff ourselves (especially Lutz, who’s apparently not only very skilled in breaking websites, but also in building them ;). I guess we all owe him for making our [...]

Rent a Hacker (05/13/2009)

“Hi, my name is John Doe.” “Hi John.” “I work for company X. We are currently planning a penetration test for company Y and need some good pentesters for this. Are you interested?” “Well, sure. So you want RedTeam Pentesting to conduct a pentest for your client?” “No, we just need one of your pentesters. He’ll be working under [...]

4 new Advisories: Vulnerabilities in IceWarp eMail Server (05/05/2009)

RedTeam released 4 new advisories today, concerning vulnerabilities in the IceWarp eMail Server: RT-SA-2009-001: IceWarp WebMail Server: Cross Site Scripting in Email View RT-SA-2009-002: IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader RT-SA-2009-003: IceWarp WebMail Server: SQL Injection in Groupware Component RT-SA-2009-004: IceWarp WebMail Server: Client-Side Specification of “Forgot Password” eMail Content We found those during a [...]

JBoss Talk at the RWTH Aachen University (05/04/2009)

On May 19th 2009, we will give our JBoss talk (in German) at the Center for Computing and Communication of RWTH Aachen University (see their announcement). As we have more time than at the DFN CERT, we will be able to demonstrate all attacks live and generally go into a little bit more detail. You [...]

25 Years Technology Centre Aachen (05/04/2009)

The Technology Centre Aachen, where our offices are located, is celebrating its 25th anniversary on May 8th, 2009. RedTeam will support the event by joining the exhibition in the foyer with our booth. We’ll show how to eavesdrop on DECT phones, so feel free to come by. Bring your own DECT phone for added fun, so [...]

EiPSI 1st Anniversary (04/27/2009)

The Eindhoven Institute for the Protection of Systems and Information (EiPSI) celebrated its first anniversary last Friday. The opening in 2008 was already a very nice event, and I was looking forward to the announced talks for the anniversary. As expected, I wasn’t let down this time either. The first speaker was Andy Clark from [...]

Targeting New Audiences (04/16/2009)

Explaining to others what you do for a living is complicated enough as it is if you’re a pentester. Whoever invented the term “penetration tester” must never have thought about the consequences for all those poor girls and guys having to tell their job’s official name to other people. The reactions normally range from “you’re [...]

New Layout (04/09/2009)

As you may have noticed, I finally came around to at least change the ugly default theme to something more suitable. There were so many more important things to do here at RedTeam, I just didn’t have the time to set up the blog and pretty much left it in its default state. I still have [...]

RedTeam Reinforcements (04/08/2009)

We are happy to announce that as of April, a new member is reinforcing our pentesting team. Alexander Neumann[0] is the new man on board who will live the glorious life of a penetration tester: Working night shifts, not getting your exploits to work, abusive use of caffeine, finding the final vulnerability to root the [...]

Support done right (03/30/2009)

Generally, dealing with vendor support sucks. Either you have someone who doesn’t understand your problem or they tell you that it is not covered by the support contract. We were therefore pleasantly surprised that this is not always the case. Some weeks ago, we had a problem with the laser printer at RedTeam’s headquarters. It started [...]

CeBIT 2009 video (03/23/2009)

As mentioned here, the Linux Magazine streamed our talk at the CeBIT 2009 Open Source Forum. The video is now available in their archives.

16th DFN-CERT wrap-up (03/19/2009)

The 16th DFN-CERT Workshop is over and it was again a very nice event. The talk about JBoss Application Server insecurities we gave seemed to be well received, as we got a lot of positive feedback. The German slides are now online at our publications page, btw. The other talks were quite interesting, as always. Dr. [...]

16th DFN Workshop (03/12/2009)

On March the 17th, we’ll be delivering a talk at the 16th DFN Workshop “Sicherheit in vernetzten Systemen” (security in networked systems) in Hamburg for the third time in a row. This year, it’ll be the talk “Bridging the gap between the enterprise and you - or - Who’s the JBoss now” which was already [...]

Never trust your Printer (03/09/2009)

The last time our printer broke down (which happened for the first time, so this is not about bashing our printer manufacturer) it showed these messages in the display: Which reminded me why we always tell our clients to treat their printers like servers, security-wise. Additionally, never trust a machine with a LIBDecisionImpl.cxx. Who knows if [...]

Practical Security and Crypto (03/05/2009)

Yesterday, I gave a talk at the Eindhoven Institute for the Protection of Systems and Information (EiPSI) in the context of their seminar with the title “Practical Security and Crypto: Why Mallory Sometimes Doesn’t Care”. The EiPSI is a research institute at the Eindhoven University of Technology. The talk has real world examples of mistakes made [...]

Highspeed Internet at the Hotel (02/27/2009)

Seems like all those stories about people getting hacked because they’re using their hotel’s un- or WEP-encrypted wireless made some marketdroids think. One of our last hotel rooms provided the following service: The first three German lines roughly translate to fast - comfortable - secure [X] tap-proof [X] free of radiation Good ol’ Ethernet cable. Now they just need someone [...]

CeBIT 2009 (02/24/2009)

The German Linux Magazine kindly asked us to give a talk at the CeBIT this year, and we are of course happy to join in. The talk (in German) will be held at the Open Source forum on March 06, the security day, at 2:30 - 3:15pm, with the title “Überraschende Angriffsvektoren: Weit verbreitet, oft übersehen” [...]

Job Security (02/16/2009)

A new customer, about some experiences with other companies: “Well, sometimes they find five vulnerabilities and report only four, so they have something ready for the next time.” This is something that always bothers me, this attitude that a pentest is only successful if you can show new vulnerabilities. If we test a system for a second [...]

BruCON 2009 (02/09/2009)

There’s a new security conference coming up this year, located in Brussels. BruCON will have its debut from September 18-19 2009 and aims to become the best and most fun hacking (*) and security event in Belgium and W. Europe. The Call for Papers is open since January 25, so you still have time to submit. [...]

Flash and Parameter Passing (02/02/2009)

As I’ve stumbled across this phenomenon more than once in the last time during work, I’d like to write a little bit on Flash, how to pass parameters to it and why this is important from a security perspective. Flash applications (you know, those pesky little buggers ending in .swf that are always crashing your browser [...]

Discordian Pizza (01/26/2009)

Sometimes, when it gets late at RedTeam headquarters, it’s time for pizza: No, this wasn’t planned. All hail Eris!

DECT: Wiretapping the world (01/20/2009)

Holy sh*t, this really works. Thank you guys, well done! BTW, tests with our own DECT equipment (no, we don’t use DECT telephones for work. So don’t even think about it) showed that it suffices to press buttons like “internal call” or “dial” to make the telephone open the microphone and send to its base station.

Physical Security vs. Software Security (01/19/2009)

When travelling by train, you often have the problem that you occasionally want to leave your seat without taking all your luggage with you (coffee in the morning, a six-hour train ride, you know the drill). So you either need some travel companion keeping an eye on your valuable stuff, like your laptop, [...]

There was something in the air (11/12/2008)

Last Sunday, two of us went on a journey to Brussels, to attend an aircrack-ng workshop organised by its main author Thomas d’Otreppe. Driving through Brussels was quite an adventure, but we got rewarded with a nice parking lot nearby okno, where the workshop took place. Across our parking lot, we also found some [...]

RedTeam 2.0 (10/27/2008)

You have probably noticed that our blog farm moved to new software. Instead of antville, our blog is now based on wordpress thanks to Max. It’s true that the old blogging software did itch a little, but now with a PHP based solution, we fear worse to come. ;-) In case you wonder: Yes, [...]

four in a row (09/29/2008)

Now for the 2^2th time some of us are going to the hack.lu security conference, taking place from October 22nd to October 24th in Luxembourg, Luxembourg. We really enjoyed being there in the past and are looking forward to the CTF this year. This year, all of us will attend the conference, so maybe we [...]

RedTeam has moved… (09/26/2008)

The last weeks we have been busy moving to a bigger office. More details will be posted soon. Until then, here is a picture of our awesome new front door:

Warning: Coffee may be hot (08/14/2008)

When we went to New York for a meeting with one of our customers, we used the public transportation system there (as parking a car in NYC is suicide). If you’ve never been to the States and experienced their overuse of silly warning labels, you won’t believe what you’ll find on the MetroCard backside: Right, who’d [...]

ATM weirdness (08/05/2008)

These days, one of our pentesters wanted to get some money at an ATM. Being in this business for some time makes you notice things others would miss, though: Doing skimming at an ATM frequented by a pentester? Tough luck ;). Of course, he immediately notified the bank and the police. You’ll never guess what their comment [...]

The risk of being a Pentester II: Hardware Hacking (07/28/2008)

Recently, we had to test something for its physical security. Thus, we needed to produce a highly customised attack tool in our laboratory: But as this weapon of mass hacking awesomeness could not be used for everything, we also needed to do some good old hacking by hand. Literally. Unfortunately a major line of defense of [...]

The risk of being a Pentester (07/21/2008)

As you may know, we have been at the EiPSI grand opening. The egg we got as a giveaway 0wn3d my mobile phone: So, who says cryptographers only break theoretical constructs? ;-)

When a picture tells you more than words… (06/16/2008)

…today: House with power button

Impressions from Kiel (06/09/2008)

As we are usually not allowed to talk about where we are working, we cannot publish comments or photos about the cities we visit. But last time, we were invited for a shoot with the second German television channel (ZDF) in Kiel at the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), so we can publish some [...]

Frontal21 (06/02/2008)

One of the reasons we were so busy last week is that we were in Kiel at the Independent Centre for Privacy Protection Schleswig-Holstein. There, we had a shoot for the German TV show ZDF Frontal21 about the security of MFPs (Multi Function Peripherals). The show will air on June the 3rd, 9:00pm. Oh, and [...]

Rapid development (05/23/2008)

We are rather busy these days, but could not help sharing the fun: This morning, we wanted to rent a car, like many times before. So, we logged in with our corporate account: And now, have a look at the brand new source code of the login form: Sixt effectively removed the login for all of their business [...]

Doing it… the pentester’s way (05/01/2008)

The situation: We had a client application, binary only. With a lot of voodoo, one can trick it into displaying secret stuff (including passwords). But we could neither use copy and paste nor the printing button. The problem: We needed to get the complete list (and, as always in pentests, we did not have much time). You [...]

EiPSI Opening (04/24/2008)

What have Whitfield Diffie, Bruce Schneier and Dan Bernstein in common? They were all present at the opening of the new Eindhoven Institute for the Protection of Systems and Information, short EiPSI. A good friend of mine who is working there told me about the event and that it would definitely be worth to [...]

OMG BUNNIES!!1! (03/27/2008)

Here it is, the easter bunny greeting card (see the previous post). I didn’t want to withhold this one from you, as it only got such a short air time. Oh, and I dare you to click it! ;)

RedTeam Troja^WEaster Bunny at the WDR (03/25/2008)

Tomorrow (2008-03-26), the WDR will broadcast a report in its Servicezeit Familie program about the dangers of online banking. They asked us for an interview and a live demonstration of a real attack against online banking systems using the iTAN, which we kindly provided. The (Windows XP) box of the victim gets trojanised by us (via [...]

Sicherheit 2008 (03/19/2008)

In two weeks, we’ll be attending the Sicherheit 2008 security conference in Saarbrücken. We’ll be presenting in two tracks. The first presentation is a peer-reviewed paper about a graph-theoretic approach to estimating the costs of penetration tests and how to efficiently distribute the given time for the tests, which will run in the academic track. The [...]

(In-)Security Concepts (03/13/2008)

Another banking story: Day 1: Got my new account data. Day 2: Everything works as expected. Changed the initial password (5 digits) to a more secure one (more chars). Day 3: Everything works as expected (with new password). Day 4: Everything works as expected. Day 5: Can’t login. Account has been disabled. Called the bank. The answer: “Well you have [...]

Banks working 24/7 (03/03/2008)

Our bank is even working on February the 30th:

Intrusion Detection vs. Intrusion Prevention (02/05/2008)

After having noticed several intrusion attempts on their intrusion detection system (IDS), this city decided to upgrade to an intrusion prevention system (IPS):

Dealing with SQL Injections (01/31/2008)

A very innovative way to deal with SQL injections: *g* function validate_sql($input){ $searchstrings = array( 0 => "/drop/", 1 => "/--/" ); for($j=0; $j<count($searchstrings);$j++){ if( preg_match($searchstrings[$j], $input) == true){ return null; exit; [...]

Doing it the pentester’s way… (01/23/2008)

Some days ago, we had an on site pentest for one of our customers. The test was an internal pentest, meaning that we got an office inside the building to simulate an internal attacker. So every day, we went there, entered the building, went to "our" office and tried to hack their network from there [...]

What do computers and cars have in common? (01/15/2008)

There will always be people who leave the keys in the car door in a public parking lot: Funniest thing about it: “Nett” is the German word for “amiable/nice”.

Getting famous? (01/03/2008)

Once, last year, a member of our team went to a medium-sized company for an appointment. Some weeks later one of my friends told me the following: “(Smiling). Do you have an actual business connection with $medium_size_company?” - “You know, we generally do not talk about our customers. But why are you asking?” “Well, an employee [...]

Time for… (12/21/2007)

md5: e8008c4d123d24a70964a2390146df02 sha1: 71f88e8eef333f5d1a24e734dbde41597bb9c521 Good luck!

Standing on the shoulders of giants… (12/19/2007)

… I just hope they don’t want their hub back.

Caffeinated Christmas (12/13/2007)

Hacking like in the movies (11/27/2007)

“This felt like a James Bond movie. But a bad one…” (a customer after a total network 0wnage)

Cloning fingerprints - Level 2 (11/21/2007)

You may remember this story. These days, we had to upgrade a little bit… Chaos in the laboratory, or: what’s cooking? Harvesting fingerprints produced with wood glue and graphite. Mixing dental compound… …to produce a finger form. Heating up some gelatine for producing fake fingers. As I can assure you, the team had much fun not staring at their screens exploiting [...]

Time flies (11/16/2007)

About this time of the year in 2005, RedTeam Pentesting moved into the offices at the Technology Centre in Aachen. Browsing through my archives, I found several pictures that made me feel as if we had moved in just yesterday. Getting the internal cabling of the office and the internet uplink working: Buying furniture… …and assembling it. Well, time [...]

Bad news is good news (11/09/2007)

Now, you might think that companies ordering a pentest are really happy if the penetration testers are not able to hack their systems. Wrong! Recently, after a pentest, a CEO told us this: Tuesday morning the admin rushed in the CEO’s office. He even forgot to knock on the door. The admin spluttered: “They are in!” and [...]

SYSTEMS 2007 (10/29/2007)

This week we went to Munich for the SYSTEMS fair. Luckily we did not get caught in the strike that hit the German railway system shortly after. This year's visit was not only for meeting some of our customers and prospective customers. We were also thinking about having a booth at the fair in 2008. Unfortunately the [...]

Report from hack.lu 2007 (10/24/2007)

As announced in the blog, we were at hack.lu in Luxembourg last week. As every year, we made this a team event, booking a mini van for the ride and a room for five persons to stay. The atmosphere at hack.lu was great, like in the last years. It is a rather small conference with [...]

When a picture tells more than words… (10/15/2007)

Hack.lu, we are coming! (10/10/2007)

Next week, a(n) (in)famous security conference will take place in Luxembourg. Last year, HackLu2006 was a highlight and I was really happy that we had the chance to be there. Not only the conference itself, but a cool CTF and a lot of nice people let us have a really good time all three days. We [...]

E-Mails are like postcards (10/03/2007)

Recently I talked to a sysadmin of a rather big company on the phone. He offered to send a configuration file to us by e-mail. I remarked that this file might contain passwords and that it should at least be encrypted before sending it, because everyone knows “e-mails are the postcards of the internet”. He [...]

Stuff you can find in a rental car (09/25/2007)

As you might know from former entries in this blog, we often use rental cars for travelling. Sometimes, people forget things in the cars. The other day, I opened a small compartment for coins inside a car and found this: Yes, it’s a Maestro card. If you know the PIN, you can get money from ATMs. [...]

Owning the (telephone) box with ping (09/17/2007)

We’ve released a new advisory today: Alcatel-Lucent OmniPCX Remote Command Execution It’s the same old story: unfiltered user input gets passed to the ping command on the host system over the web interface. You’d think that this type of vulnerability became extinct after the 80’s. But who am I kidding. So, don’t skip testing for this because it [...]

Measuring IT-Security (08/29/2007)

Recently, RedTeam Pentesting was asked to answer a list of questions regarding ways to measure and manage IT security. The article (in German) can be found online at All About Security, an independent IT security portal. As a major part of the questions were related to pentesting we spent some time to answer them in [...]

On the perfection of job applications (08/09/2007)

On a quite regular basis we receive applications for jobs, diploma theses or internships. Seems like we are doing an interesting job. Most of these applications reach us via e-mail and have a CV and references attached. As pentesters we tend to examine these documents closely, so here are some examples of what you should avoid [...]

How to rate a security issue (07/25/2007)

It is always a very hard task to rate the risk of a security issue. When we started doing pentests some years ago, we used a rating from 1 to 5 (very low, low, medium, high, very high). It turned out fast that it is hard to tell whether a vulnerability has to be rated [...]

New Advisories (07/06/2007)

We published two new advisories about security vulnerabilities in Fujitsu-Siemens products found during a penetration test: rt-sa-2007-002: Fujitsu-Siemens ServerView Remote Command Execution rt-sa-2007-003: Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure Heise also runs a news item: German: Lücken in Server-Produkten von Fujitsu Siemens English: Holes in Fujitsu Siemens’ server products

May I talk to your security contact, pleeeeeeeease?. (05/07/2007)

Today we are trying to reach the security contact of a big IT company. First attempt: We called the main number and got connected to the network security guy. “… are you responsible for security issues?” -”No, but I can give you the direct number of our CEO” Woah, the CEO’s number? For security issues? Okay, called [...]

"Terrorists" at work? (04/18/2007)

Today: Cloning fingerprints…

Trust your instincts? (04/14/2007)

… are all pentesters terrorists? London Police has a new Anti-Terrorist Hotline on air. Now take a look at this poster and decide yourself: Are we all suspected of being terrorists now? - We are making pictures of security arrangements! - We need transport a lot! - We are traveling a lot and you can be sure, we are vague [...]

One step forward towards more bluetooth fun? (03/31/2007)

Max Moser has released a paper called Busting The Bluetooth Myth – Getting RAW Access. In this cool piece of paper, he explains how to transform a normal USB bluetooth device into a sniffer. Yeah, looks like you do not need these very expensive sniffers any longer! Now we just have to wait for some free [...]

RedTeam contributes to global warming (03/20/2007)

Security is always a compromise - usually between best possible protection and both required effort and usability of the resulting system (short: your laziness). If you do some password cracking it's not so much one's own effort, but the effort of the box doing it that counts. And with CPUs, effort comes with heat [...]

How (not) to react on vulnerabilities^W security bugs (03/14/2007)

Core published a security advisory about an icmp6 packet crashing OpenBSD. The timeline is interesting. heise-security has an article about the reaction of the OpenBSD team online: “Report states that OpenBSD developers played down critical vulnerability”.

Road Trip - YMMV (03/05/2007)

Customer Care(tm) with RedTeam Pentesting: Mileage after a two-day trip across Germany. Good thing that all kilometers were included in the contract of the rental car we had.

There is a snag in it! (03/03/2007)

A **** hotel somewhere in Belgium. Some rooms reserved for an industrial meeting. Hey, free wifi. What the hell is that: TCP port 995 (POP3 over SSL) and port 993 (IMAP over SSL) are dropped. 110 (POP3) and 143 (IMAP) are open for outgoing connections. Am I the only one thinking of espionage? Are there [...]

"IT-Security aus dem Nähkästchen" - Doing it again! (02/23/2007)

Next Monday, February 26th, we will repeat our talk “IT-Security aus dem Nähkästchen - oder - Das kann mir nicht passieren”. The presentation was first held at 14. Workshop "Sicherheit in vernetzten Systemen" in Hamburg (see here) and will be repeated next monday at the local Chaos Communication Club in Aachen. The talk will start [...]

capitals - the special characters of the day (02/15/2007)

We pay some money for search marketing and one of the providers (not google) we use, is not able to send us a correct bill (there was an increment of VAT in Germany), the hotline asked me to login and send them an e-mail through their web interface. That’s easy, I thought, and tried to [...]

14. Workshop "Sicherheit in vernetzten Systemen" coming up (02/01/2007)

Next week, on February, the 7th and 8th, DFN-Cert GmbH will host an IT-security conference called 14. Workshop "Sicherheit in vernetzten Systemen" in Hamburg. Although Joanna Rutkowska will hold the keynote, most of the talks will be in German. We will give an overview about usual but not that technical bugs, found in pentests in [...]

OSMB: Wrap up (01/26/2007)

I’m home, finally, and able to post this wrap up of days 2,3 and 4. I really wanted to blog all this after each day, but I just wasn’t able to do it, because I always fell asleep immediately after coming home. So excuse me for this entry to be so long, as it covers [...]

OSMB: Day 2 and 3 (01/25/2007)

So much for keeping up with blogging. The last two days were quite exhausting, having the normal congress from 8:30 am to about 6:30 pm and evening events from 7:30 pm on. I do have much I want to blog, but at the moment I'm just too tired. So forgive me if I have to [...]

Open Source meets Business: Day 1 (01/23/2007)

This week, while my fellow colleagues are working in the office, I took the chance to travel to Nuremberg for the Heise Open Source Meets Business Congress. After not getting much sleep because I arrived late last night, I went to the first day of the congress today. The keynotes and talks were quite interesting but [...]

Correlation Games (01/22/2007)

Having seen Dan Kaminsky's great talk about visual bindiffs we played a little with his tool named hardcorr and I wrote some little GTK-Perl to quickly navigate the binaries. It seems like you can visualize a lot of things with it nicely. Like for example the autocorrelation of Linux initial TCP sequence numbers, which are [...]

RedTeam goes Cult (01/22/2007)

Once upon a time, there was a really popular TV show called "WDR Computerclub" in Germany. It quickly became some kind of "cult show" in German TV. The show was cancelled in 2003, to the regret of many viewers, but the "two Wolfgangs" (as both moderators have the name Wolfgang) started the show again in [...]

Countdown is running? (12/24/2006)

T-0 for Christmas, T-3 for 23C3. Merry Christmas everybody! And maybe see you in Berlin!

Recycling calendars considered harmful (12/04/2006)

When you do business dealings with banks, you oftentimes get those little giveaways which are supposed to make you feel all welcome and stuff. So we didn’t think much of it when we received those nifty little calendars after our last visit: But you may imagine our surprise when we found out that those calendars weren’t all [...]

Kernel time - time for patches (11/20/2006)

Yesterday Linux 2.6.18.3 came out. A quick look into the changelog revealed: commit c721af6db5992d16fbd93855666eafa616512e00 Author: Adrian Bunk Date: Wed Nov 15 17:01:46 2006 +0100 [PATCH] security/seclvl.c: fix time wrap (CVE-2005-4352) initlvl=2 in seclvl gives the guarantee "Cannot decrement the system time". But [...]

Busy Days (10/26/2006)

They were busy days, those last ones. As soon as our guys returned from the Hack.lu (not all of us were there), we went off to the next fairs and conferences, namely the Systems 2006 in Munich and the "NRW Forschungstag IT-Sicherheit". Systems 2006 From October the 23.-27., the Systems has opened its doors for the interested [...]

hack.lu CTF (10/23/2006)

While the planned CTF at the hack.lu this year did not take place, HackerJoe had a nice surprise for everyone when he announced on Saturday that he spontaneously set up a CTF. Actually, it rather was a wargame consisting of 7 stages, with the one completing stage 7 first being the winner. We of course [...]

Hack.lu (10/18/2006)

Hack.Lu we are coming! See you there.

Security Essen 2006 (10/12/2006)

From October the 10th to 13th, the Security Essen 2006 has opened its doors for everything security related. Originally only an exhibition for physical surveill^W security technology, it has now added an extra hall just for IT related security. Being curious if it’s worth being an exhibitor in the future, we went there yesterday to [...]

Radio Interview, 2nd try (09/11/2006)

Okay, I know this is on short notice, but as I didn’t get any specific time I believe the interview will be on air at 11:45am (today), as it should have been the last time. A little text about the whole thing can be found on the Eins Live Homepage under the title “Hacken lernen in [...]

Radio Interview (09/07/2006)

The german radio station Eins Live visited us for an interview these days. Together with Lexi Pimenidis, postgraduate at the RWTH Aachen, we talked about teaching and researching IT security in university, pentesting as our daily work and the usual hacker clichés. The interview will be aired at 11.45am local time tomorrow (08.09.2006), listen in if you [...]

„Hacking for security - Penetrationtesting” at OpenChaos (09/01/2006)

We had a nice evening at the Chaos Computer Club Cologne yesterday, where one of us held a talk about Penetrationtesting. Everybody was very friendly and there were a lot of interesting discussions after the talk. It was pretty crowded, though. Some even watched from outside the building through the windows. Luckily it was not [...]

Finding creative solutions for given problems (08/28/2006)

Obviously penetration testers are not the only kind of people that excel at finding new and creative solutions to a given problem. The author of this manual for an LCD monitor came up with a solution to fingerprints on the screen that is truly more creative than simply cleaning the surface: "Leaving the screen white [...]

Pentesting @ C4 (08/22/2006)

The Chaos Computer Club Cologne invited us to give a talk about pentesting. The talk "Hacking for Security - Penetrationtesting" will be held on Thursday, August 31st, and starts at 8pm. The announcement is already online. So, if you are interested in network security and pentesting, like to meet some cool C4 people in Cologne and [...]



Windows Security Logging and Other Esoterica (06/19/09)

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+ (06/10/2009)

I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond.

In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.

The exceptions are the logon events.  The logon success events (540, 528) were collapsed into a single event 4624 (=528 + 4096).  The logon failure events (529-537, 539) were collapsed into a single event 4625 (=529+4096).

Other than that, there are cases where old events were deprecated (IPsec IIRC), and there are cases where new events were added (DS Change).  These are all new instrumentation and there is no "mapping" possible- e.g. the new DS Change audit events are complementary to the old DS Access events; they record something different than the old events so you can't say that the old event xxx = the new event yyy because they aren't equivalent.  The old event means one thing and the new event means another thing; they represent different points of instrumentation in the OS, not just formatting changes in the event representation in the log.

Of course I explained earlier why we renumbered the events, and (in the same place) why the difference is "+4096" instead of something more human-friendly like "+1000".  The bottom line is that the event schema is different, so by changing the event IDs (and not re-using any), we force existing automation to be updated rather than just misinterpreting events when the automation doesn't know the version of Windows that produced the event.  We realized it would be painful but it is nowhere near as painful as if every event consumer had to be aware of, and have special casing for, pre-Vista events and post-Vista events with the same IDs but different schema.

So if you happen to know the pre-Vista security events, then you can quickly translate your existing knowledge to Vista by adding 4000, adding 100, and subtracting 4.  You can do this in your head.

However if you're trying to implement some automation, you should avoid trying to make a chart with "<Vista" and ">=Vista" columns of event ID numbers, because this will likely result in mis-parsing one set of events, and because you'll find it frustrating that there is not a 1:1 mapping (and in some cases no mapping at all).
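To make the advice above concrete, here is a small translation routine, written for this page as an added example (it is not code from the post or from Microsoft). It encodes only the rules stated above: +4096 for the ordinary 5xx-6xx events, the two logon collapses, and "no mapping" for anything else. The set of deprecated old IDs is left empty as a placeholder, since the post does not enumerate them; the reverse-lookup helper exists to show why a two-column chart cannot be 1:1.

```python
"""Translate pre-Vista (WS03) security event IDs to Vista/WS08 IDs.

Added example; not from the original post. Encodes only the rules the post
states: +4096 for most events, the logon success/failure collapses, and
'no mapping' for everything else.
"""
from typing import Optional

OFFSET = 4096

# Logon success events 528 and 540 collapse into 4624; failure events
# 529-537 and 539 collapse into 4625 (as the post states).
LOGON_SUCCESS_OLD = {528, 540}
LOGON_FAILURE_OLD = set(range(529, 538)) | {539}

# Old events that were deprecated with no new equivalent are not listed by
# ID in the post; this placeholder set is an assumption to be filled in from
# the WS08 audit event reference.
DEPRECATED_OLD: set = set()


def map_event_id(old_id: int) -> Optional[int]:
    """Return the Vista+ event ID for a WS03 security event ID, or None when no mapping exists."""
    if old_id in LOGON_SUCCESS_OLD:
        return 4624
    if old_id in LOGON_FAILURE_OLD:
        return 4625
    if old_id in DEPRECATED_OLD:
        return None
    # The post covers the 5xx-6xx WS03 range; anything else is out of scope.
    if not 500 <= old_id <= 699:
        return None
    return old_id + OFFSET


def is_many_to_one(new_id: int) -> bool:
    """True when several old IDs collapse into this new ID, so a reverse mapping is ambiguous."""
    return new_id in (4624, 4625)


def reverse_candidates(new_id: int) -> list:
    """All WS03 IDs that could have produced the given Vista+ ID.

    Shows why a '<Vista' / '>=Vista' chart breaks: 4624 has two sources,
    4625 has nine, and a naive 'new - 4096' for e.g. 4636 yields 540,
    which actually maps to 4624, so 4636 has no source at all.
    """
    if new_id == 4624:
        return sorted(LOGON_SUCCESS_OLD)
    if new_id == 4625:
        return sorted(LOGON_FAILURE_OLD)
    old = new_id - OFFSET
    return [old] if map_event_id(old) == new_id else []


if __name__ == "__main__":
    for old in (512, 528, 533, 538, 540, 551):
        print(old, "->", map_event_id(old))
    print("sources of 4624:", reverse_candidates(4624))
    print("sources of 4636:", reverse_candidates(4636))
```

Automation that consumes both generations of events should branch on the provider name or the OS version of the source machine rather than on a translated number, since, as the post says, the schemas differ even where the IDs line up.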

Eric

Minimizing Directory Service Audit Event Noise (09/04/2008)

I've written before on noise reduction in the Windows security event log.  I've also written to describe how object access auditing works.  But, I still get questions on how to reduce noise from object access events.  The other day I got that question, specific to Directory Service objects, on an internal discussion list so I thought I'd clean up the answer a bit and share it with the world.  In general the same is true for any type of object, although there are a few more knobs to control for DS objects.

Object access audit is generated when the system access control list (SACL) on the object matches the access that was performed on ALL of the following conditions:

  1. Object - the object that was accessed must have either an explicit or inherited SACL.  The access performed is compared against the ACEs in that SACL.
  2. Success or failure of activity - every audit access control entry (ACE) in a SACL will be either of type AUDIT_SUCCESS or AUDIT_FAILURE.  The access performed must match the access type of the ACE for the rest of the ACE to be considered.
  3. User account - the accessing user's token is compared against each ACE matching the access type.  If the user, or a group the user belongs to, matches the SID in the ACE, then an audit might be generated.
  4. Access - the access being performed must match the audited accesses in the access mask in an otherwise matching ACE.

The specific auditing algorithm is discussed here.

So the way to reduce the number of audit events (566 on Windows Server 2003, 4662 on Windows Server 2008, or one of the new DS Change events on Windows Server 2008) is to cause one or more of those conditions to fail, except in the specific cases that you care about.

The SACL which will generate the most audit events is "Everyone:Success & Failure:All accesses" on the domain head with OI,CI (object inherit & container inherit flags) for all object types.  This SACL matches all of the above conditions in all cases.  (Incidentally I think that this is pretty close to the default SACL- with the exception of failures- for Windows 2000 Active Directory installations, and SACLs are not updated when DCs are upgraded from version to version.  Windows Server 2003 has much more conservative SACLs for new installations of AD.)

To reduce noise, I offer the following suggestions, addressing each of the above conditions:

  1. Audit only the objects that you care about.  User accounts and groups already are well-audited with "Account Management" auditing, so don't audit them with DS access.  Perhaps audit OUs, or other DS objects.  Use the Object Type and attribute type restrictions that you have in DS Access auditing.  Also, in Windows Server 2008, you can affect auditing on a per-object basis by adjusting the SearchFlags attribute in the AD schema for the object.  SACLs are more easily reversed so are probably a more acceptable method of controlling audit for most organizations.
  2. Audit successful accesses only.  Failed accesses are common and are NOT indicative of any security problem; in fact many failures are not even explicit requests by the user but are just normal requests made by the OS, and the OS will re-try with less access if the operation fails.  In my experience failure auditing is primarily useful for troubleshooting, not for security.
  3. Audit the "Everyone" group.  Although this matches any user, you will not accidentally miss any accesses that you care about due to failing to audit a user account who has access to the objects in question.  The only time that you would NOT audit "Everyone" is if you had an application or service account which was very noisy; in that case you'd need to create a group with all accounts EXCEPT the noisy accounts, and audit that group.
  4. Audit only the accesses that you care about.  Specifically, read accesses occur much more often (in my experience, a conservative estimate is about a 100:1 ratio) than write accesses.  If you restrict your auditing to "write" type accesses (including change, delete, change permissions, create, etc.) then you will end up generating far fewer events.  Auditing for read access is very noisy.  If you must audit for reads, consider auditing fewer objects, perhaps only auditing reads on the container object instead of the objects in the container, or on one "interesting" object in any given container as a "canary".
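The four matching conditions and the four tuning suggestions above can be modelled in a few dozen lines. The following is an added example written for this page, not Windows code or anything from the post: it evaluates a SACL against a constructed workload the way the four conditions describe, and counts how many events the noisiest SACL produces versus one tuned as suggested. The access-mask bits, SIDs, object names and the read:write ratio in the workload are constructed for the illustration and are not the real DS access-mask encoding.

```python
"""Model of the four conditions under which an object access audit is generated.

Added example, not from the original post or from Windows: a small SACL
evaluator following the four conditions listed in the post, used to compare
a noisy SACL with a tuned one over a constructed workload.
"""
from dataclasses import dataclass

# Constructed access bits (not the real DS access-mask encoding).
READ_PROP, WRITE_PROP, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8
ALL_ACCESS = READ_PROP | WRITE_PROP | DELETE | WRITE_DAC
WRITE_TYPE = WRITE_PROP | DELETE | WRITE_DAC

EVERYONE = "S-1-1-0"  # well-known SID for Everyone


@dataclass(frozen=True)
class AuditAce:
    sid: str            # trustee (user or group SID)
    success: bool       # AUDIT_SUCCESS if True, AUDIT_FAILURE if False
    access_mask: int    # accesses that are audited by this ACE


@dataclass(frozen=True)
class Access:
    obj: str
    token_sids: frozenset   # accessing user's SID plus group SIDs
    mask: int               # access actually performed
    succeeded: bool


def audit_generated(sacl: dict, acc: Access) -> bool:
    """True if the access matches some ACE on all four conditions from the post."""
    aces = sacl.get(acc.obj)               # condition 1: object must carry a SACL
    if not aces:
        return False
    for ace in aces:
        if ace.success != acc.succeeded:   # condition 2: success/failure type
            continue
        if ace.sid not in acc.token_sids:  # condition 3: user or group match
            continue
        if ace.access_mask & acc.mask:     # condition 4: audited access bits
            return True
    return False


def count_events(sacl: dict, accesses: list) -> int:
    return sum(audit_generated(sacl, a) for a in accesses)


# Constructed workload: 100 reads per object for every 1 write, plus a noisy
# service account whose polling fails a read every time.
OBJS = ["OU=Servers", "CN=dnsNode1", "CN=dnsNode2"]
USER = frozenset({"S-1-5-21-1-1-1-1001", EVERYONE})
SVC = frozenset({"S-1-5-21-1-1-1-2002", EVERYONE})

WORKLOAD = (
    [Access(o, USER, READ_PROP, True) for o in OBJS for _ in range(100)]
    + [Access("OU=Servers", USER, WRITE_PROP, True)]
    + [Access("CN=dnsNode1", SVC, READ_PROP, False) for _ in range(50)]
)

# Noisiest SACL: Everyone, success and failure, all accesses, inherited to every object.
NOISY_SACL = {o: [AuditAce(EVERYONE, True, ALL_ACCESS),
                  AuditAce(EVERYONE, False, ALL_ACCESS)] for o in OBJS}

# Tuned per the post's four suggestions: only the OU, success only, Everyone, write-type only.
TUNED_SACL = {"OU=Servers": [AuditAce(EVERYONE, True, WRITE_TYPE)]}

if __name__ == "__main__":
    print("noisy SACL events:", count_events(NOISY_SACL, WORKLOAD))
    print("tuned SACL events:", count_events(TUNED_SACL, WORKLOAD))
```

On the constructed workload the noisy SACL fires on every one of the 351 accesses while the tuned one fires once, on the write that matters; the point is that each of the four knobs is a separate filter, and reads and failures are where the volume lives.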

Tracking User Logon Activity Using Logon Events (08/20/2008)

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off.

As I have written about previously, this method of user activity tracking is unreliable.  It works in trivial cases (e.g. single machine where the user doesn't have physical access to the power switch or power cord), and it works most of the time in simple cases where there is good network connectivity and the user is not trying to evade detection.  If the user has physical access to the machine-- for example, can pull out the network or power cables or push the reset button-- and if the user is actively trying to evade time tracking, then the only reliable solution is to surreptitiously put a video camera (subject to local laws) in a place that can monitor the user's presence in front of the keyboard (yes I am aware of research done to track sound of keyboard clicks, etc.).

There is no way to instrument the OS to account for someone who just backs away from the keyboard and walks away.  The screen saver, if configured, will come on after a configurable delay since the last keypress or mouse movement.  Yes, if you know the SS delay then you could just work that into your calculations.  However the workstation does not lock until the screen saver is dismissed (some of you might have noticed that when you bump the mouse to dismiss the screensaver, sometimes you see your desktop for a fraction of a second- that's because your machine isn't locked while the screen saver is being displayed).  And the events don't tell you whether the workstation was locked or auto-locked so you don't really know whether to add in the screen saver delay factor.  Plus, prior to Windows Vista, there is no workstation lock event at all, only an unlock event, which is constructed in a way which makes it difficult to correlate with the original logon event.

So the bottom line is, I don't advocate or recommend this method for tracking the time a user spends at the keyboard.  If I were hypothetically called as an expert witness, I would testify that such a method is unreliable and trivially circumvented.  You have been warned, I've beaten that dead horse enough I guess.

Given that you are disregarding all my contrary advice, how are you going to accomplish this?

First, we need a general algorithm.

Use time (for a given logon session) = Logoff time - logon time

Now, what about the cases where the user powers off the machine, or it bluescreens, or a token leak prevents the logoff event from being generated, etc.?  We can use the BEGIN_LOGOFF event to handle token leak cases.  We can use the shutdown event in cases where the user does not log off.  And in case of crashes, the only event we can use is the startup event.  Note that each of these introduces increasing levels of uncertainty.

Logoff time = (logoff time | begin_logoff time | shutdown time | startup time)

This is good, but what about the time the workstation was locked?

Workstation lock time = unlock time - lock time
Total workstation lock time (for a given logon session) = SUM(workstation lock time)

How about remote desktop & terminal server sessions, and fast user switching?  You can connect and disconnect from logon sessions, during which time the user technically isn't using the computer.

Session idle time = session connect time - session disconnect time
Total session idle time (for a given logon session) = SUM(session idle time)

How about times when the machine was idle?  We can estimate that by looking at the time the screen saver was in place and adding the screen saver timeout.

Console idle time = (screen saver dismiss time - screen saver invoke time + screen saver delay)
Total console idle time = SUM(console idle time)

Putting all of this together and modifying our original formula, we get:

Use time (for a given logon session) =
   Logoff time - logon time
      - SUM(workstation lock time)
      - SUM(session idle time)
      - SUM(console idle time)

When we expand it, it is not quite so pretty: 

Use time (for a given logon session) =
   ( (logoff time | begin_logoff time | shutdown time | startup time) - logon time )
      - SUM(unlock time - lock time)
      - SUM(session connect time - session disconnect time)
      - SUM(screen saver dismiss time - screen saver invoke time + screen saver delay)

You have to be very careful that you only look at events that are properly contained chronologically between two other appropriate events, to avoid accidentally pairing the wrong logon and logoff events, or pairing a lock workstation event from one logon session with a different logon session.  The best correlation field is the Logon ID field, the next best are timestamp and user name.  At various times you need to examine all of these fields.

Now, which event IDs correspond to all of these real-world events?

They are all found in the Security event log.  The pre-Vista events (ID=5xx) all have event source=Security.  The Vista/WS08 events (ID=4xxx) all have event source=Microsoft-Windows-Security-Auditing.


512 / 4608  STARTUP
513 / 4609  SHUTDOWN
528 / 4624  LOGON
538 / 4634  LOGOFF
551 / 4647  BEGIN_LOGOFF
N/A / 4778  SESSION_RECONNECTED
N/A / 4779  SESSION_DISCONNECTED
N/A / 4800  WORKSTATION_LOCKED
* / 4801    WORKSTATION_UNLOCKED
N/A / 4802  SCREENSAVER_INVOKED
N/A / 4803  SCREENSAVER_DISMISSED

* prior to Windows Vista, there was no event for locking the workstation.  Unlocking the workstation generated a pair of events, a logon event and a logoff event (528/538) with logon type 7.  These events had the same user name as the "original" logon session and were completely enclosed chronologically by the logon/logoff events for the "real" logon session, but did not contain the Logon ID of the original logon session or other unambiguous correlator.  This makes correlation of these events difficult.
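The expanded formula above and the event ID table, carried through in code as an added example (this is not the post's own script, which the author says he never wrote): it walks a constructed list of Vista/WS08-style events, picks the session end in the post's order of certainty (logoff, begin_logoff, shutdown, startup), and subtracts the paired lock, disconnect and screen-saver gaps, correlating by Logon ID and timestamp as recommended. The event IDs are the ones in the table; the users, Logon IDs, timestamps and the ten-minute screen-saver delay are constructed sample data. Unpaired open/close events are ignored rather than guessed at.

```python
"""Compute per-session keyboard 'use time' from Windows logon/logoff events.

Added example (not from the original post): implements the expanded formula
in the post over a constructed list of Vista/WS08-style events. Event IDs
are from the post's table; the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STARTUP, SHUTDOWN, LOGON, LOGOFF, BEGIN_LOGOFF = 4608, 4609, 4624, 4634, 4647
SESSION_RECONNECTED, SESSION_DISCONNECTED = 4778, 4779
WORKSTATION_LOCKED, WORKSTATION_UNLOCKED = 4800, 4801
SCREENSAVER_INVOKED, SCREENSAVER_DISMISSED = 4802, 4803


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    user: str = ""
    logon_id: str = ""   # Logon ID from the event; empty for machine events


@dataclass
class UseTime:
    logon_id: str
    use: timedelta
    end_source: str      # logoff / begin_logoff / shutdown / startup, in decreasing certainty


def _paired_gaps(events, open_id, close_id, extra=timedelta(0)) -> timedelta:
    """Sum (close - open + extra) over chronologically paired open/close events."""
    total = timedelta(0)
    open_time: Optional[datetime] = None
    for e in events:
        if e.event_id == open_id and open_time is None:
            open_time = e.time
        elif e.event_id == close_id and open_time is not None:
            total += e.time - open_time + extra
            open_time = None
    return total


def session_use_time(events: list, logon_id: str, ss_delay: timedelta) -> Optional[UseTime]:
    events = sorted(events, key=lambda e: e.time)
    logon = next((e for e in events if e.event_id == LOGON and e.logon_id == logon_id), None)
    if logon is None:
        return None
    after = [e for e in events if e.time > logon.time]

    # Logoff time = (logoff | begin_logoff | shutdown | startup)
    end, source = None, ""
    for eid, name in ((LOGOFF, "logoff"), (BEGIN_LOGOFF, "begin_logoff")):
        end = next((e for e in after if e.event_id == eid and e.logon_id == logon_id), None)
        if end:
            source = name
            break
    if end is None:
        for eid, name in ((SHUTDOWN, "shutdown"), (STARTUP, "startup")):
            end = next((e for e in after if e.event_id == eid), None)
            if end:
                source = name
                break
    if end is None:
        return None

    # Only events enclosed by this session's window and carrying its Logon ID get paired.
    inside = [e for e in after if e.time <= end.time and e.logon_id == logon_id]
    use = end.time - logon.time
    use -= _paired_gaps(inside, WORKSTATION_LOCKED, WORKSTATION_UNLOCKED)
    use -= _paired_gaps(inside, SESSION_DISCONNECTED, SESSION_RECONNECTED)
    use -= _paired_gaps(inside, SCREENSAVER_INVOKED, SCREENSAVER_DISMISSED, extra=ss_delay)
    return UseTime(logon_id, use, source)


def _t(hhmm: str) -> datetime:
    return datetime(2008, 8, 20, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample: alice logs on at 09:00, locks 12:00-12:30, screen saver
# 15:00-15:20 (10 min delay before it came on), logs off at 17:00. bob never
# logs off; the machine shuts down at 18:00.
SAMPLE = [
    Event(_t("08:55"), STARTUP),
    Event(_t("09:00"), LOGON, "alice", "0x1a2b"),
    Event(_t("12:00"), WORKSTATION_LOCKED, "alice", "0x1a2b"),
    Event(_t("12:30"), WORKSTATION_UNLOCKED, "alice", "0x1a2b"),
    Event(_t("15:00"), SCREENSAVER_INVOKED, "alice", "0x1a2b"),
    Event(_t("15:20"), SCREENSAVER_DISMISSED, "alice", "0x1a2b"),
    Event(_t("17:00"), LOGOFF, "alice", "0x1a2b"),
    Event(_t("17:05"), LOGON, "bob", "0x3c4d"),
    Event(_t("18:00"), SHUTDOWN),
]

if __name__ == "__main__":
    for lid in ("0x1a2b", "0x3c4d"):
        r = session_use_time(SAMPLE, lid, timedelta(minutes=10))
        print(lid, r.use, "ended by", r.end_source)
```

For the sample, alice's 8-hour window minus 30 minutes locked and 30 minutes of console idle (20 minutes of screen saver plus the 10-minute delay) gives 7 hours; bob's session is closed by the shutdown event, which the end_source field flags so a report can show the lower confidence.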

All of these events are generated in the Logon/Logoff audit policy category, although on Windows Vista and Windows Server 2008 they are scattered among the various subcategories in this audit policy category.  The audit event spreadsheet that Ned wrote has all the policy subcategory mappings as well as the event descriptions.

Sorry that this is more of a do-it-yourself than a solution-in-a-box, but this is pretty difficult to script and so far I haven't worked on a project that required this.

Eric

ACS Event Retention Mechanism (07/17/2008)

I get a lot of questions about how ACS event retention works.  So here you go, I'm blogging it so I can just answer with a link :-)

There are two DWORD registry values which affect backlog transmission.  Both are on the collector machine under HKLM\System\CurrentControlSet\Services\AdtServer\Parameters.

EventRetentionPeriod, if present, is expressed in hours (I forget the default).  It takes precedence over MaximumEventAge, which is in days (default=1).  Both of these values control the backlog of events that will be sent from agents to the collector on agent connect, but as mentioned, EventRetentionPeriod wins any conflict.  MaximumEventAge used to control database retention in early beta builds but does not anymore, since the database moved to a partitioning mechanism.  You might encounter MaximumEventAge if you are migrating from ACS beta to Operations Manager 2007 ACS.

Grooming is now governed entirely by the grooming algorithm.  The grooming algorithm is simple: partitions will be deleted by the next grooming job as soon as they are eligible for deletion.

Eligible for deletion means:

Think of (partitionDuration * numPartitions) as the retention period before data is groomed from the database. 

Note that dtPartition[<partitionId>].LastCreationTime defaults to 12:00am 1/1/2000 (collector local time).  After successful execution of the close partition script, this field's value is set to max(dtEvent_<partitionId>.CreationTime) for the partition in question.  There is an implication here that if you update status to 2 without updating LastCreationTime, then the partition is immediately eligible for grooming assuming your clock is accurate.

The partition switch offset (time of day to switch partitions) value in dtConfig has no effect on grooming, other than that grooming will not occur during a partition switch.

Grooming runs at startup and immediately after checkpointing.  The default checkpoint interval is 198 seconds but this interval can be configured by the DWORD registry value CheckPointInterval on the collector, in the same location as the other registry values.  A successful checkpoint logs an event in the database, event ID 0 with a source of "_acs" (you might have seen these on an "idle" ACS and wondered how they got there?)

ACS' first bug from being too performant (07/16/2008)

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don't properly get looked up.

Some background: the event log in Windows prefers to log invariants such as message IDs, parameter message IDs, SIDs (security IDs which represent users and groups, etc.), and GUIDs (globally unique IDs which represent objects in Active Directory), rather than the actual names of the objects.  At view time the viewing application is expected to look up the name associated with the invariant and display it to the user.

The reasons that Windows does this are (1) that it enables localization, so that English speakers can see "Administrator" and French speakers can see "Administrateur", and (2) that it provides rename safety- many objects are rename-able, such as domain accounts and other AD objects.

Anyway in ACS we had to solve the problem of how to store mountains of log data in a database, make it queryable in meaningful ways, preserve original format, present to users in a recognizable/understandable format, etc.

The way we chose to solve our several problems was to take strings that contained an invariant and append the translated name or string.

For example:
%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}
would be translated to:
%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}="dnsNode"

and
%%7685
becomes:
%%7685="Write Property"

As I mentioned, though, we ran into a problem recently.  Some of our customers were monitoring AD objects with ACS and noticed that ACS was not translating the GUIDs for certain objects.  When they manually looked up the GUIDs they noticed that they were for AD-integrated DNS objects.

After investigation, we found that AD was logging certain audit events for the objects, before all the attributes of the objects had been populated- DNS was populating the objects in multiple operations per object and each operation causes a separate event.  So ACS, which operates as close to real-time as we could get, was actually noticing the first event and asking AD "what's this?" before DNS had finished updating AD with things like the object's name.  The difference in time was literally only milliseconds.

Anyway I didn't really feel it was an ACS bug and wanted to file a bug against Windows DNS Server.  However the Operations Manager team has prototyped a configurable behavior for the ACS agent that lets it wait a very short time (configurable number of ms) and retry, when it fails to look up an AD object because the object doesn't exist.  This might be released as a public patch and/or in a future Service Pack.
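The translation scheme and the wait-and-retry behaviour described above, as an added example written for this page (it is not ACS code): a regular expression finds the two invariant forms, each is looked up and annotated with "=name", and a lookup that fails because the object is not there yet is retried after a short, configurable delay. The GUID, parameter ID and names come from the post's own examples; the lookup table, the stand-in "directory" that only reveals a name after several calls, and the retry count and delay are constructed.

```python
"""Annotate event-log invariants with looked-up names, retrying briefly on a miss.

Added example, not ACS code: models the "%{guid}=name" / "%%id=name"
translation the post describes and the prototyped wait-and-retry when an
AD object cannot be resolved because it has not been fully populated yet.
"""
import re
import time
from typing import Callable, Optional

INVARIANT = re.compile(r"%\{[0-9a-fA-F-]{36}\}|%%\d+")

PARAM_MESSAGES = {"%%7685": "Write Property"}   # parameter message from the post's example


def translate(text: str, lookup: Callable[[str], Optional[str]],
              retries: int = 3, delay_ms: int = 5) -> str:
    """Replace each invariant with 'invariant="name"'; leave it untouched if still unknown."""
    def resolve(m: re.Match) -> str:
        inv = m.group(0)
        name = PARAM_MESSAGES.get(inv)
        attempt = 0
        while name is None and attempt <= retries:
            name = lookup(inv)                     # e.g. ask AD for the object's name
            if name is None and attempt < retries:
                time.sleep(delay_ms / 1000.0)      # configurable short wait before retrying
            attempt += 1
        return f'{inv}="{name}"' if name is not None else inv
    return INVARIANT.sub(resolve, text)


class LateDirectory:
    """Constructed stand-in for AD: an object's name becomes visible only on the
    N-th lookup, mimicking DNS populating the object in several operations."""
    def __init__(self, names: dict, visible_after: int):
        self.names, self.visible_after, self.calls = names, visible_after, {}

    def __call__(self, inv: str) -> Optional[str]:
        self.calls[inv] = self.calls.get(inv, 0) + 1
        return self.names.get(inv) if self.calls[inv] >= self.visible_after else None


GUID = "%{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}"
LINE = f"Object Type: {GUID} Accesses: %%7685"   # constructed event text


def demo(visible_after: int, retries: int) -> str:
    """Translate LINE against a directory that answers on the visible_after-th call."""
    directory = LateDirectory({GUID: "dnsNode"}, visible_after)
    return translate(LINE, directory, retries=retries, delay_ms=1)


if __name__ == "__main__":
    print(demo(visible_after=1, retries=0))   # name already there: translated at once
    print(demo(visible_after=3, retries=3))   # resolved on the third try
    print(demo(visible_after=3, retries=1))   # gives up; GUID left as-is, %%7685 still translated
```

Leaving an unresolved invariant untouched rather than dropping it is what keeps the original record intact, so a later query can still match on the raw GUID even when the name was never captured.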

I thought you might appreciate stories of the kinds of weirdness we run into.

If you're gonna herd bots, do it from New Zealand! (07/16/2008)

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man's future prospects.  See the story here.

Well duh.  The whole theory of crime and punishment is that if you do something bad, you get punished, and punishment is something that is unpleasant, so you try to avoid it, hopefully by not doing the crime.  See?  One would hope that a judge would understand this concept.

I could understand if the judge said "this is just a stupid kid, he doesn't deserve to do 20 years", and gave the kid probation, community service and a big fine.  I don't know if New Zealand has such options, or if the judge has latitude in sentencing.  There is probably more to the story than is being told.  But you don't take over a million computers that don't belong to you, personally making tens of thousands of dollars, and not realize that you're doing something wrong.  Unless you're a sociopath.  And in either case, you either need punishment (for doing something you know is wrong) or separation from society for the protection of society while you get treatment (if you are a sociopath).  So whatever the case, the judge got it wrong, and as a result is practically encouraging future behavior of the same sort.

WEvtUtil Scripting (07/16/2008)

If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out.  The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks around getting field delimiting correct.

The tool's command to query events from a log is "qe", and takes a log name as a parameter.

If you want to specify a query expression, then you can use XPath with the /q switch.  The easiest way to do this is to use Event Viewer to build a filter for just the events that you want, and then copy just the XPath expression out of the XML tab of the filter dialog in Event Viewer.  Be careful to copy only the filter expression and not the XML that surrounds it. 

Finally, the default output format of wevtutil is XML. However, it dumps each event as a separate XML fragment and does not include a root element; in other words the output is not well-formed XML by default. To get a root element you need to add the /e switch with a root element name (for example /e:Events).

I put this all together in a batch file, with an example XPath filter that just gathers interactive logon events (event ID=4624, logon type=2).  You can save this as a .cmd file and run it as an administrator on Vista or WS08 and it will pull up a list of your interactive logons in Internet Explorer (or your default XML handler application if you've changed the registration).  It has to run as admin because it accesses the security event log.

If you're really good (better than me, which is not hard) you could write an XSL style sheet and put this into a report format.

Good luck!

@echo off

REM (C) 2008 Microsoft Corporation
REM All Rights Reserved

REM Run from an elevated (administrator) prompt: reading the Security log requires it.

set "outputfile=%temp%\interactive-logon-events.xml"
if "%~1" NEQ "" set "outputfile=%~1"

REM The next command is all one line and has no carriage returns
REM The only spaces in the XPath are around the AND keywords
REM /e:Events wraps the events in a root element so the output is well-formed XML

wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > "%outputfile%"

REM The empty "" is the window-title argument START expects before a quoted path
start "" "%outputfile%"

set outputfile=


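The XML the batch file writes is easy to post-process once it has a root element. The script below is an added example in Python 3, not part of the original post and not Microsoft tooling: it loads a wevtutil dump, copes with the fragment-per-event output you get when /e is omitted by wrapping it in a synthetic root, and tabulates the interactive logons using the same EventID/LogonType selection the batch file's XPath makes (so it also works on an unfiltered "wevtutil qe Security /e:Events" dump). The three events embedded in it are constructed to match the shape of wevtutil's 4624 output; the user names, host name, addresses and timestamps are made up. Run it with the path of a real dump as the first argument, or with no arguments to use the built-in sample.

```python
import sys
import xml.etree.ElementTree as ET

# wevtutil emits events in the Windows event XML namespace.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _event(record_id, when, user, domain, logon_type, ip):
    """Build one constructed 4624 event in the shape wevtutil produces (sample data only)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        "<EventID>4624</EventID><Task>12544</Task>"
        "<TimeCreated SystemTime='%s'/><EventRecordID>%d</EventRecordID>"
        "<Channel>Security</Channel><Computer>WS08-01</Computer></System>"
        "<EventData><Data Name='TargetUserName'>%s</Data>"
        "<Data Name='TargetDomainName'>%s</Data>"
        "<Data Name='LogonType'>%d</Data><Data Name='IpAddress'>%s</Data>"
        "</EventData></Event>" % (when, record_id, user, domain, logon_type, ip)
    )


# Constructed sample dump: two interactive logons (type 2) and one network logon (type 3).
FRAGMENTS = "\n".join([
    _event(101, "2008-07-16T14:02:11.000Z", "alice", "WS08-01", 2, "-"),
    _event(102, "2008-07-16T14:05:40.000Z", "svc-backup", "CONTOSO", 3, "10.0.0.7"),
    _event(103, "2008-07-16T15:17:03.000Z", "bob", "WS08-01", 2, "-"),
])
WITH_ROOT = "<Events>" + FRAGMENTS + "</Events>"   # what /e:Events gives you
WITHOUT_ROOT = FRAGMENTS                           # what you get without /e


def parse_events(xml_text):
    """Return the <Event> elements in a wevtutil dump.

    With /e:Events the dump is one well-formed document.  Without it, wevtutil writes
    the events back to back with no root element and the parser rejects the text
    ("junk after document element"); in that case wrap it in a synthetic root and retry.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        root = ET.fromstring("<Events>" + xml_text + "</Events>")
    if root.tag == NS + "Event":          # a dump holding exactly one event
        return [root]
    return root.findall(NS + "Event")


def event_fields(event):
    """Flatten one logon event into the fields an analyst usually wants."""
    system = event.find(NS + "System")
    data = {d.get("Name"): (d.text or "") for d in event.iter(NS + "Data")}
    return {
        "time": system.find(NS + "TimeCreated").get("SystemTime"),
        "computer": system.findtext(NS + "Computer"),
        "event_id": int(system.findtext(NS + "EventID")),
        "user": data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
        "logon_type": int(data.get("LogonType") or -1),
        "source_ip": data.get("IpAddress", "-"),
    }


def interactive_logons(xml_text):
    """Same selection as the batch file's XPath (EventID 4624, LogonType 2),
    applied after parsing so it also works on an unfiltered dump."""
    return [f for f in map(event_fields, parse_events(xml_text))
            if f["event_id"] == 4624 and f["logon_type"] == 2]


def report(xml_text):
    """Plain-text table of interactive logons, one per line, header first."""
    fmt = "%-24s %-10s %-24s %s"
    lines = [fmt % ("time", "computer", "user", "source")]
    for f in interactive_logons(xml_text):
        lines.append(fmt % (f["time"], f["computer"], f["user"], f["source_ip"]))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A redirected wevtutil dump is written in the console code page; change the
        # encoding argument if non-ASCII names come out garbled.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(WITH_ROOT))
```

Because the selection is re-applied after parsing, the script gives the same answer whether the dump was pre-filtered with /q or not, and whether or not /e was used; the only thing /e changes is that the file parses on the first attempt.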
 

Ned on Auditing (04/19/2008)

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe).  Well, Ned has a blog and I thought I'd point you guys there.  His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.

 

Windows Server 2008 Security Events Posted (04/17/2008)

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.

Check it out in the Knowledge Base.

Even better, they documented all the events in spreadsheet format, and that's propagating to the Microsoft Download Center.  I'll publish the link when it's online.

2008-04-17 UPDATE:  Brian just sent me the link: here is the spreadsheet.

Shameless Self-Promotion (03/05/2008)

There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in Auditing in Windows Server 2008?"

Well, funny that you brought that up.  My friend Jesper Johansson just wrote a new book, the Windows Server 2008 Security Resource Kit, and he invited me to write a chapter about auditing for it, which I did.  So you, dear reader, are getting information straight from the horse's mouth, so to speak.

Anyway I think the book hits store shelves on March the 10th.  A number of distinguished individuals contributed to the book: Susan Bradley, Darren Canavor, Kurt Dillard, Roger Grimes, Brian Komar, Alun Jones and others.

I'd also like to send out special props to my auditing posse: Raghu (who was the primary developer for auditing for Vista & WS08) and Ned (who is the resident guru for auditing in Microsoft Customer Support Services), both of whom made significant contributions.  Raghu introduces the new "special group logon tracking" feature, and Ned contributed a spreadsheet mapping all the events (360-ish) to the policy category and subcategory and giving other key information about each event; this is included on the CD bundled with the book, along with an XML file defining the schema for all the events and event messages.  Ned's also working on getting a version of the spreadsheet available for download from the Microsoft download site.

In other news, the Windows Server 2008 Security Guide is also out, and yes, yours truly contributed in small part to the auditing guidance in there too, although I seem to have been overlooked in the credits (in all fairness my work delta from the Vista Security Guide was really small so maybe it did not meet their "credits bar").

Anyway, download the security guide and buy a copy of the book.  Buy more than one copy of the book, and give copies to your friends and loved ones.  Nothing says "Happy Anniversary, Honey" quite like a book or white paper about computer security.  OK, so maybe I should stick to computer security and stay away from relationship advice.  Flowers work well in my experience.

ACS Event Transformation Demystified (02/27/2008)

I've decided to start dumping my knowledge of ACS for posterity's sake.  My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS.

 

Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector.  Transformation instructions are all stored on the collector in a file called EventSchema.xml which is in the AdtServer directory (%windir%\system32\security\adtserver).  This file is pointed to in the collector's registry and is read during startup of the collector service; failure to successfully read and parse this file at startup is a fatal error for the collector (the debug log will complain about parsing).

 

The collector reads EventSchema.xml and builds in-memory binary tables of event transformation instructions and event string types by OS version/event log/event source.

 

The collector (as explained elsewhere) also reads AcsConfig.xml to get its persistent state and configuration for all known agents, to know what logs/sources to collect for each agent/agent group, etc.  This is all read into in-memory state for each agent.

 

At connect time, the agent sends version information- what the OS and agent version and service pack are, etc.  The collector first looks in its in-memory agent state to see what configuration applies to the agent.  Then it looks in its transformation tables and extracts the appropriate version-specific transformation instructions for the events that the collector is configured to collect from that agent.  Then it packages these instructions and sends them to the agent.

 

The agent starts reading events, transforming them according to its instructions from the collector, and sending the transformed events to the collector.  The collector finishes the transformation, services real-time subscriptions and loads the events into the database as appropriate.

 

If the agent encounters an event that it is configured to send (by log/source) but has no transformation instructions for, then it simply copies the event string for string and sends the copy to the collector as an "unschematized" event.  The collector will handle this event without problems but will not extract non-header user fields (no primary/client/target user fields) and will not add string type information.

 

I'll take Windows Server 2003 (build 3790), Event Log: Security, Event Source: Security, Event ID: 644 as an example.

 

Here's the WS03 schema for 644 (excerpt from %systemroot%\system32\security\adtserver\EventSchema.xml at the path Schema\Log[@Name='Security']\Source[@Name='Security']\Version[@MinBuild='3790']\Event[@SourceId='644']).

 

<Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
  <Call Name="AppendString" Param1="1" Param2="0" />
  <Call Name="AppendString" Param1="3" Param2="0" />
  <Call Name="AppendString" Param1="2" Param2="0" />
  <Call Name="AppendString" Param1="4" Param2="0" />
  <Call Name="AppendString" Param1="5" Param2="0" />
  <Call Name="AppendString" Param1="6" Param2="0" />
  <Call Name="AppendSidFromNames" Param1="4" Param2="5" />
  <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />
  <Param TypeName="typeUserDn" />
  <Param TypeName="typeComputerName" />
  <Param TypeName="typeTargetSid" />
  <Param TypeName="typeClientUser" />
  <Param TypeName="typeClientDomain" />
  <Param TypeName="typeClientLogonId" />
  <Param TypeName="typeClientSid" />
  <Param TypeName="typeTargetUser" />
  <Param TypeName="typeTargetDomain" />
</Event>

 

The instructions are all applied in order.  "Call" instructions are executed agent-side; "Param" instructions are executed server-side.

 

These instructions can be translated as:

 

· Take string 1 from the original event and make it string 1 in the new event.  It is of type typeUserDn.

· Take string 3 from the original event and make it string 2 in the new event.  It is of type typeComputerName.  Note that we are doing reordering here by appending original string #3 before original string #2.  Nifty, eh?

· Take string 2 from the original event and make it string 3 in the new event.  It is of type typeTargetSid.

· Take string 4 from the original event and make it string 4 in the new event.  It is of type typeClientUser.

· Take string 5 from the original event and make it string 5 in the new event.  It is of type typeClientDomain.

· Take string 6 from the original event and make it string 6 in the new event.  It is of type typeClientLogonId.

· Take string 4 from the original event and treat it as a user name, and take string 5 from the original event and treat it as a domain name; look up the associated SID and make it string 7 in the new event.  The new string is of type typeClientSid.

· Take string 3 from the new event, treat it as a SID, look up the user/domain name associated with it, and append the user name as string 8 to the new event and the domain name as string 9.  String 8 is of type typeTargetUser and string 9 is of type typeTargetDomain.

 

See the reordering?  Now here is an instance of the event with the original event data.  If you're not familiar with the XML, it's the XML output of Crimson, the new event log service introduced in Vista/WS08; this event came from a WS03 (pre-Crimson) machine, so we're looking at a saved event log (.evt) file.

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">644</EventID>
    <Level>0</Level>
    <Task>7</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2007-12-17T15:50:14.000Z" />
    <EventRecordID>28003981</EventRecordID>
    <Channel>C:\Users\ericf\AppData\Local\Temp\SERVER34_SecEvts.evt</Channel>
    <Computer>SERVER34</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>user09</Data>                                              // String 1: user name
    <Data>SERVER34</Data>                                            // String 2: looks like a machine name, confirmed by string 4
    <Data>%{S-1-5-21-5998314728-109421381-169156293-611111}</Data>  // String 3: definitely a SID
    <Data>SERVER34$</Data>                                           // String 4: definitely an account name (machine account)
    <Data>CONTOSO</Data>                                             // String 5: looks like a domain name
    <Data>(0x0,0x3E7)</Data>                                         // String 6: definitely a logon ID
    <Data>-</Data>                                                   // String 7: empty null string at the end of the event (ignored by ACS)
  </EventData>
</Event>

 

When the event arrives at the collector, type information is applied, and then the user fields (typePrimary*, typeClient*, typeTarget*) are extracted from the string data section and the strings that are left are re-numbered starting at 1 (no reordering occurs).

 

Here's a chart of what the event looks like at the various points in the system.

 

(- = empty cell)

Original event in event log      | Client-side transformation at agent  | Server-side normalization (WMI/SQL output)
Field      Content (implicit)    | Field            Content (implicit)  | Field            Content (explicit)
---------------------------------+--------------------------------------+-------------------------------------------
-          -                     | Client User      -                   | Client User      typeClientUser
-          -                     | Client Domain    -                   | Client Domain    typeClientDomain
-          -                     | Client Sid       -                   | Client Sid       typeClientSid
-          -                     | Client Login Id  -                   | Client Login Id  typeClientLogonId
-          -                     | Target User      -                   | Target User      typeTargetUser
-          -                     | Target Domain    -                   | Target Domain    typeTargetDomain
-          -                     | Target Sid       -                   | Target Sid       typeTargetSid
String01   typeUserDn            | String01         typeUserDn          | String01         typeUserDn
String02   typeTargetSid         | String02         typeComputerName    | String02         typeComputerName
String03   typeComputerName      | String03         typeTargetSid       | String03         -
String04   typeClientUser        | String04         typeClientUser      | String04         -
String05   typeClientDomain      | String05         typeClientDomain    | String05         -
String06   typeClientLogonId     | String06         typeClientLogonId   | String06         -
String07   -                     | String07         typeClientSid       | String07         -
String08   -                     | String08         typeTargetUser      | String08         -
String09   -                     | String09         typeTargetDomain    | String09         -

To finish off a description of transformation, there are 7 transformation functions, each of which can optionally take 2 integers as parameters.  Note that there is no "destination event" field specifier; all references are only to the original event.  That's because when constructing the destination event, any data added to the event is always appended- it is constructed from beginning to end- so the implicit destination field is "at the end of the event as it is now".

 

Function: AppendString
  Parameter 1: reference to a string parameter in the source event in the event log
  Parameter 2: unused
  Description: appends the referenced string to the event which will be sent to the collector

Function: AppendStringFromTable
  Parameter 1: reference to a constant string in the statically defined <Strings> table (1-based) in the relevant Source\Version element in EventSchema.xml
  Parameter 2: unused
  Description: appends the referenced constant string to the event which will be sent to the collector

Function: AppendProcessNameFromPid
  Parameter 1: reference to a string parameter in the source event in the event log (source string is expected to be a numeric process ID)
  Parameter 2: unused
  Description: looks up the process image path name for the referenced PID and appends it to the event which will be sent to the collector

Function: AppendTimeFromDatetime
  Parameter 1: unused
  Parameter 2: unused
  Description: not implemented / no action

Function: AppendSidFromNames
  Parameter 1: reference to a string parameter in the source event in the event log (source string is expected to be a user name)
  Parameter 2: reference to a string parameter in the source event in the event log (source string is expected to be a domain name)
  Description: looks up the SID for the account represented by the specified user and domain names, and appends the SID to the event which will be sent to the collector

Function: AppendNamesFromSid
  Parameter 1: reference to a string parameter in the source event in the event log (source string is expected to be a security ID)
  Parameter 2: unused
  Description: looks up the user name and domain name for the account represented by the specified SID, and appends the user name and the domain name as separate strings to the event which will be sent to the collector

Function: AppendNumber
  Parameter 1: unused
  Parameter 2: unused
  Description: not implemented / no action

 

Out-of-range params cause the transformation instruction to be ignored and skipped.  Non-integer params or other XML formatting/malformation problems (including non-UTF-8 encoding) cause an EventSchema.xml parsing error at collector startup, which in turn causes collector startup failure.

 

So that's ACS transformation in a nutshell.  I hope this helps you guys understand ACS functionality a little better.

 

Shortly I will finish my write-up on AcsConfig.xml but that is a simple file and not too hard to figure out if you are into experimentation.

 

Here are some cool things that you can try with the event schema file if you are adventurous:

 

1. Drop fields.  We have modified eventschema.xml successfully to cause it not to collect certain fields (e.g. logon GUIDs) of certain events:

    <Call Name="AppendString" Param1="1" Param2="0" />
    <Call Name="AppendString" Param1="2" Param2="0" />
    <Call Name="AppendString" Param1="3" Param2="0" />
    // try deleting a line here
    // or, to preserve ordering of subsequent strings,
    // try replacing "AppendString" with "AppendStringFromTable" (Param1="1")
    <Call Name="AppendString" Param1="4" Param2="0" />
    <Call Name="AppendString" Param1="5" Param2="0" />
    <Call Name="AppendString" Param1="6" Param2="0" />


2. Add an event source.  Some caveats are:

· You must have a unique, well-formed GUID for the new source

· You have to get events of the new source into the log (try AuthzReportSecurityEvent from MSDN)

· You have to modify AcsConfig.xml to tell the agent(s) to collect the new source

 

 

NB: I have used C/C++ comment syntax throughout this post, but note that ACS supports neither C/C++ nor XML-style comments in the XML config files it uses.

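To make the mechanics above concrete, here is a small re-implementation of the transformation rules as this post describes them, together with the drop-field trick from tip 1, written in Python 3 as an added example. It is not ACS code and does not run inside ACS. It parses the 644 schema excerpt quoted earlier, runs the Call instructions agent-side over the strings of the sample event, then applies the Param types and extracts the user fields collector-side, renumbering what is left. The SID/name directory is a constructed stand-in for the domain lookups the real agent performs: user09's SID is the one in the sample event, the SID for SERVER34$ is made up, and what ACS does with a lookup that does not resolve is not stated in the post, so the example skips such an instruction and says so in a comment. Every Call reference is taken as a 1-based index into the original event's strings, following the rule stated above. One thing to notice when you run it against the sample event as annotated (string 2 is the machine name, string 3 is the SID): the 3-before-2 reorder places the SID in new string 2, which the Param list types as typeComputerName; the example applies the instructions literally and does not try to reconcile that.

```python
import xml.etree.ElementTree as ET

# The WS03 schema for event 644 as quoted from EventSchema.xml above.
SCHEMA_644 = """<Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
  <Call Name="AppendString" Param1="1" Param2="0" />
  <Call Name="AppendString" Param1="3" Param2="0" />
  <Call Name="AppendString" Param1="2" Param2="0" />
  <Call Name="AppendString" Param1="4" Param2="0" />
  <Call Name="AppendString" Param1="5" Param2="0" />
  <Call Name="AppendString" Param1="6" Param2="0" />
  <Call Name="AppendSidFromNames" Param1="4" Param2="5" />
  <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />
  <Param TypeName="typeUserDn" /><Param TypeName="typeComputerName" />
  <Param TypeName="typeTargetSid" /><Param TypeName="typeClientUser" />
  <Param TypeName="typeClientDomain" /><Param TypeName="typeClientLogonId" />
  <Param TypeName="typeClientSid" /><Param TypeName="typeTargetUser" />
  <Param TypeName="typeTargetDomain" />
</Event>"""

# The seven strings of the sample 644 event above (the trailing "-" is never referenced).
SAMPLE_STRINGS = ["user09", "SERVER34",
                  "%{S-1-5-21-5998314728-109421381-169156293-611111}",
                  "SERVER34$", "CONTOSO", "(0x0,0x3E7)", "-"]

# Constructed stand-in for the domain lookups the agent performs.  user09's SID is the
# one in the sample event; the SID for SERVER34$ is made up for this example.
DIRECTORY = {
    "S-1-5-21-5998314728-109421381-169156293-611111": ("user09", "CONTOSO"),
    "S-1-5-21-5998314728-109421381-169156293-1105": ("SERVER34$", "CONTOSO"),
}
NAMES_TO_SID = {names: sid for sid, names in DIRECTORY.items()}
USER_FIELD_PREFIXES = ("typePrimary", "typeClient", "typeTarget")


def _sid(text):
    """Strip the %{...} wrapper that unresolved SIDs carry in a saved .evt file."""
    return text[2:-1] if text.startswith("%{") and text.endswith("}") else text


def agent_transform(schema_xml, strings, string_table=()):
    """Agent side: execute the Call instructions in order.  Param1/Param2 are 1-based
    references into the ORIGINAL event's strings; output is only ever appended.
    Returns (new_strings, types), where types is the schema's Param list."""
    event = ET.fromstring(schema_xml)
    out = []

    def src(i):
        if not 1 <= i <= len(strings):
            raise IndexError(i)          # out-of-range param: the instruction is skipped
        return strings[i - 1]

    for call in event.findall("Call"):
        name = call.get("Name")
        p1, p2 = int(call.get("Param1", 0)), int(call.get("Param2", 0))
        try:
            if name == "AppendString":
                out.append(src(p1))
            elif name == "AppendStringFromTable":   # constant from the <Strings> table (1-based)
                if not 1 <= p1 <= len(string_table):
                    raise IndexError(p1)
                out.append(string_table[p1 - 1])
            elif name == "AppendSidFromNames":      # (user name, domain name) -> SID
                out.append(NAMES_TO_SID[(src(p1), src(p2))])
            elif name == "AppendNamesFromSid":      # SID -> user name, then domain name
                out.extend(DIRECTORY[_sid(src(p1))])
            elif name == "AppendProcessNameFromPid":
                raise KeyError(name)                # needs the agent's live process table
            # AppendTimeFromDatetime and AppendNumber: not implemented, no action.
        except (IndexError, KeyError):
            continue   # assumption: an unresolvable lookup is skipped like a bad param
    return out, [p.get("TypeName") for p in event.findall("Param")]


def collector_normalize(new_strings, types):
    """Collector side: apply the Param types positionally, pull the user fields out
    into named columns, and renumber what is left from String01 (no reordering)."""
    user_fields, remaining = {}, []
    for i, s in enumerate(new_strings):
        t = types[i] if i < len(types) else None     # extra strings stay untyped
        if t and t.startswith(USER_FIELD_PREFIXES):
            user_fields[t] = s
        else:
            remaining.append((t, s))
    return user_fields, {"String%02d" % (n + 1): ts for n, ts in enumerate(remaining)}


def drop_field(schema_xml, original_index):
    """Tip 1 above: stop collecting one original string but keep later positions by
    turning its AppendString into AppendStringFromTable with Param1=1."""
    event = ET.fromstring(schema_xml)
    for call in event.findall("Call"):
        if call.get("Name") == "AppendString" and call.get("Param1") == str(original_index):
            call.set("Name", "AppendStringFromTable")
            call.set("Param1", "1")
    return ET.tostring(event, encoding="unicode")


if __name__ == "__main__":
    strings, types = agent_transform(SCHEMA_644, SAMPLE_STRINGS)
    for n, (s, t) in enumerate(zip(strings, types), 1):
        print("agent  String%02d %-18s %s" % (n, t, s))
    fields, rest = collector_normalize(strings, types)
    print("collector user fields:", fields)
    print("collector strings    :", rest)
    # Drop the logon ID (original string 6); table entry 1 is an empty placeholder.
    print("drop_field:", agent_transform(drop_field(SCHEMA_644, 6), SAMPLE_STRINGS, ("",))[0])
```

The drop_field call shows why the tip prefers AppendStringFromTable over deleting the line: the placeholder keeps string 7 (the client SID) and the two appended names at the positions the Param list expects, whereas deleting the AppendString would shift every later string and mis-type them at the collector. The constructed one-entry string table stands in for the Source\Version <Strings> table; the post does not say what its real first entry is.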
You learn something new every day- Logon Type 0 (02/26/2008)

Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong.

The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field called a Logon Type.  This is a code that is passed into the logon API that tells the authentication system in Windows which policy to check the logon against.  Windows has separate policy checks for network logons, interactive logons, etc., so that you can allow users to access a system in some ways but not in others.

The logon type code is, in C/C++ parlance, an enumerated value- it's an ordered list of numeric values, each with an associated name, and these are defined in a publicly available file in the source code (ntsecapi.h).  In the source code, the values are always referenced by name.

Today on one of the internal aliases someone actually found a logon event with a logon type of 0- I have never personally seen one of these before and 0 is not defined in the SECURITY_LOGON_TYPE enumeration, so I would have assumed that it was a bug- but it turns out that we are aware of this case and use it occasionally for system logons.

So there you are.

ACS Tidbits (02/01/2008)

Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of SystemCenter Operations Manager 2007).

Two more of our partners, Enterprise Certified and NetPro, have released compliance solutions on top of ACS.

Another of our partners with ACS-based compliance solutions, SecureVantage, has started a new blog where ACS is a frequent topic.

Anyway I'm pleased to see that ACS is becoming a successful platform and I'm happy to answer ACS questions!  To you ISV's out there, Joseph and I welcome your questions as well (if we aren't already talking to you).  Let us know who you are so we can stay in touch with you!

I always wondered who Björn was... (01/17/2008)

OK here's something I just remembered today.  I may be the last person who remembers this so it's important that I record this somewhere.

In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the auditing message file.  I'm guessing that it was one of our localization engineers, but I don't know- I was over in the support side of things at the time.  I stumbled across the message one day while looking at source code.

Here's Björn's momentous message:  "Björn grüßt den rest der welt".  Basically Björn says hi to everyone.  He's a friendly guy.

This is string resource zero in the message table resource- it's not a code resource, it's properly formed and it's not used by the code anywhere.  You would not know it exists unless you slog through source code (like me) or use a hex editor or string dumper to analyze binaries AND happen to be so bored that you pull out an NT 4.0 RTM German CD and examine msaudite.dll.  NT4 RTM CD's are pretty rare, btw, because we replaced them with slipstream SP1 CD's very shortly after release.

If I remember correctly somebody else came along in a later service pack and changed Björn's name to their own (maybe it was Ulli?  I can't remember and I'm too lazy to find the source- it requires a lot of effort to dig that far back).  I do remember that shortly thereafter there was a huge Easter Egg crackdown here at Microsoft probably brought to a head by the Excel 97 Flight Simulator.  Björn's message of goodwill to mankind was erased forever. 

I did a search using the Officially Sanctioned Search Engine and the other one too; evidently the internet has forgotten Björn's message.  But I still remember, Björn.

Anyway I thought you might like this bit of arcana.  If you are bored, have a hex editor and a German NT4 CD, knock yourself out...

Why does Windows XP generate so many logon failure events? (11/09/2007)

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined.

The short answer is, by design.  (Yes, bad design.)

The longer answer is that the shell team is working around the fact that there is no "tell me if this user account has a blank password" API.

When in a workgroup (not domain joined), Windows XP displays a welcome screen that has little pictures (called "tiles") for each user who is permitted to log on to the computer.

The shell team wanted the experience that when you click on a tile, that you will immediately be logged on if your password is blank (we have good data that a large percentage of home users have blank passwords).  They only want you to be prompted for a password if you actually have a password.  Fair enough, and it also helps with accessibility for people for whom typing is challenging.

The XP Welcome Screen, when it is initialized each time it is to be displayed, attempts to log on each user for which a tile will be displayed, using a blank password.  Users with non-blank passwords will cause failures in this case (other users will cause logon success events followed by logoff success events). [2007-11-21 correction]

The Welcome Screen uses the result of these logon attempts to decide whether to display a password box when you select a user's tile.  If the user has a blank password, they will be logged on instead of being prompted for a password.

Why are they logging on the account?  Well it turns out to be the easiest way to tell if your password is blank.  We don't have a "is your password blank" API- that would be a security disaster- and we would prefer that the shell team not go mucking about in the SAM, retrieving hashes and computing the blank password hash for each account so that it could compare them. 

I asked for this behavior to be changed prior to XP's release.  Specifically I asked that the blank password check be moved from Welcome screen initialization to tile selection- this would still cause logon failures but many fewer of them.  I was declined.  I asked for fixes to it in SP1 and SP2 and was declined.  At this point we will not be revisiting this "feature"; the Welcome Screen was redesigned to eliminate this problem.

The shell team who designed the Welcome Screen did not feel that auditing was a common scenario for workgroup machines, and I didn't (and still don't) have any business case to dispute that.


The Microsoft Security Response Center (MSRC) (06/30/09)

Security Bulletin Webcast Video, Questions and Answers - June 2009 (06/12/2009)

During the security bulletin webcast for June 2009, we answered a wide array of questions around the 10 bulletins we released. Of primary interest to customers, based on the number of questions we received on the topic, is the RPC issue addressed by MS09-026. As this issue affects third party products that utilize RPC in Windows, customers wanted to know if there is a way to tell if their third party product was vulnerable. First, we are not aware of any applications that are vulnerable to this issue at this time. Second, we recommend that you consult with your application developer as they are in the best position to analyze their code for this issue. To help with this, the Security Research & Defense team posted guidance to their blog on "How a developer can know if their RPC interface is affected".

The complete list of questions and answers from the webcast is now posted here:
http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-june-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

The video of this month's webcast is just over an hour long as we had 10 bulletins and a couple of advisories to cover. The Q&A portion starts at around 39 minutes in if you want to skip to that portion.


Every month in the webcast, we cover an aggregate severity and exploitability index ratings slide that we think is useful as a quick reference when doing a risk assessment. Here is that slide for your reference in case you were not able to attend the webcast or print the slides out during the webcast:

Finally, there are two additional items I want to mention that we covered in the webcast this month:

First, we put out a call for feedback on the Exploitability Index. The index provides customers with guidance on the likelihood of functioning exploit code being developed in the first 30 days for vulnerabilities addressed in our bulletins. This index has been available now for 9 months and we want to get your feedback on it positive or negative and how you use it in your risk assessments. To submit your feedback, simply email it to msrcteam@microsoft.com.

The second thing we covered that I wanted to mention here is that Office Update is retiring. Starting August 1, 2009, we will discontinue support for Office Update and the Office Update Inventory Tool. At that time, to continue receiving updates for Office products, you will need to use Microsoft Update. For more information see the FAQ (http://office.microsoft.com/en-us/downloads/FX010402221033.aspx).

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Please join us for our next live webcast on July 14, 2009 at 11:00 am PDT (UTC -7). Follow this link to pre-register:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032407482 

Hope to see you then!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

June 2009 Bulletin Release (06/09/2009)

Summary of Microsoft's monthly security bulletin release for June 2009.

Today we released 10 new security bulletins. 6 of those affect Windows with two rated as critical, three rated as important and one as moderate. The remaining four all have an aggregate rating of critical and affect Internet Explorer, Microsoft Office Word, Microsoft Office Excel and Microsoft Works Converters.

In addition to these new bulletins, we are releasing the remaining updates for MS09-017 which now includes updates for Microsoft Office for Mac (versions 2004 and 2008) and Microsoft Works 8.5 and 9.0. You may recall that we released this bulletin last month with updates only for versions of PowerPoint that run on Windows. Please refer to last month's bulletin blog post for more information.

This month we are also releasing two security advisories. The first advisory, 969898, is for a new set of ActiveX kill bits. The list of kill bits in this rollup includes an update for Microsoft Visual Basic 6.0 SP6, and ActiveX controls developed by Microgaming, eBay, and HP (click the company names to view their security release for these kill bits).

The second advisory, 971888, is providing a non-security update for DNS devolution. While this is a non-security update, it changes the security configuration of systems it is applied to and that is why we are releasing it with an advisory. This advisory is also related to the WPAD issue for which we originally released Security Advisory 945731 and subsequently Security Bulletin MS09-008. With the release of this new advisory, we are closing out Security Advisory 945731. Security Advisory 971888 and the associated KB article go into detail on DNS devolution and how the update changes the configuration. If you have any follow up questions, our live webcast tomorrow would be a great place to ask them.

Concerning open advisories going into this month, with the release of MS09-020, Security Advisory 971492, which discusses an issue with Internet Information Services, specifically in WebDAV, is now closed. And, as we noted in our Advance Notification (ANS) blog post last week, we do not yet have an update ready for the DirectShow vulnerability discussed in Security Advisory 971778. Our security teams are working hard on this issue but the update has to meet the right quality bar before we can release it. We continue to monitor the threat landscape through our Software Security Incident Response Process (SSIRP), and will provide updates to the advisory if needed. We continue to encourage customers to review the mitigations and workarounds in the advisory and check out the "Fix It For Me" solution in Knowledge Base article 971778. Additionally, please refer to these blog posts for more information on this issue:

On the Anti-Malware front, the Microsoft Malware Protection Center (MMPC) has added one new malware family: Win32/InternetAntivirus which is a fake online scanner that leads to a rogue downloader. For details, please refer to the MMPC Blog.

In the video below, Adrian Stone from the Microsoft Security Response Center (MSRC) and I go into a little more detail on issues customers should be thinking about when considering the deployment of this month's updates.


This month's release addresses 31 total vulnerabilities with 15 rated as "1" on our Exploitability Index, meaning there is a high likelihood that reliable exploit code may be developed in the next 30 days.

Some of these vulnerabilities are already publicly known. For example, CVE-2009-1532 addresses the first IE 8 vulnerability. This vulnerability in a pre-release version of IE 8 was first revealed in March 2009 at CanSecWest in the Pwn2Own contest. In the final release, a mitigation was put in place to protect against the ASLR+DEP .NET bypass used in the contest, so right now there is no known way to attack this issue in the default configuration of IE 8 on Windows Vista (see the write-up in our Security Research & Defense blog for details). Regardless, MS09-019 addresses the underlying vulnerability, which is rated as Critical on Windows XP and Windows Vista, but due to IE 8's built-in mitigations it only rates as a "3" for Windows Vista on the Exploitability Index while Windows XP is rated as "1".

The IE 8 vulnerability does not affect Windows 7 RC (build 7100) but does affect Windows 7 Beta. Updates for beta versions of Windows 7 will be available via KB969897.

Customers running Windows 2000 domains should pay particular attention to MS09-018, as CVE-2009-1138 affects Windows 2000 domain controllers and the LDAP server. This is a remote code execution vulnerability that is reachable over the network. While this vulnerability was privately disclosed, we give it a "1" on the Exploitability Index.

Finally, the three Office-related updates (Excel, Word and Works Converters) all have an aggregate severity rating of Critical due to the Office 2000 platform. All other affected platforms are rated as Important. If you are still on the Office 2000 platform, please note that it reaches the end of its product lifecycle on July 14, 2009. That is the last day we would release security updates for Office 2000, if there are any to release at that time.

As always, check the Security Research and Defense blog for additional technical information on these updates. If you have questions or would like more information about this month's release, please plan to attend our regularly scheduled security bulletin webcast tomorrow, Wednesday, June 10, 2009, at 11:00 a.m. PDT (UTC -7). Click HERE to register.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

May 10, 2009: Updated to correct third party ActiveX control company names.

June 2009 Advance Notification (06/04/2009)

Advance Notification for the June 2009 Security Bulletin Release

Today, we published our Advance Notification indicating that next Tuesday, June 9 at 10:00 a.m. PDT (UTC -8), we will be releasing a total of 10 security bulletins consisting of:

- Six updates affecting Windows: two Critical, three Important, and one Moderate.
- One Critical update affecting Internet Explorer.
- One Critical update affecting Word.
- One Critical update affecting Excel.
- One Critical update affecting Office.

You may have noticed that we are not announcing an update for the DirectShow vulnerability addressed in Security Advisory 971778. Our security teams are working hard on a security update that addresses this issue to protect customers, but we do not yet have an update that has reached the appropriate level of quality for broad distribution. We continue to monitor the situation closely and suggest customers follow the guidance provided in the advisory. This includes the "Fix It For Me" solution in the associated Knowledge Base article, which provides a quick and easy workaround to protect customers from possible attacks. If this doesn't work in your environment, please reference the KB article for several other possible workarounds.

In addition to the new bulletins, we will also release updates for the remaining affected products in security bulletin MS09-017. In May, we released this bulletin with updates for the Windows platform due to active attacks and available updates for the entire platform to protect customers immediately. Updates for affected versions of Office for Mac and Microsoft Works had not yet reached the quality bar for release but will be ready to go on Tuesday. For more information on this decision, please reference last month's MSRC and SRD blogs.

On release day, look for additional information on both this blog and the Security Research and Defense blog. If you have questions or would like more information about this month's release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, June 10, 2009, at 11:00 a.m. PDT (UTC -7). Click HERE to register.

As always, this preliminary information is subject to change.

Thanks!

Jerry Bryant


Microsoft Security Advisory 971778 Vulnerability in Microsoft DirectShow Released (05/28/2009)

We've just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we're working on a security update to address the issue.

Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.

The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try to exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn't a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we've verified that it is possible to direct calls to DirectShow specifically, even if Apple's QuickTime (which is not vulnerable) is installed.

Our investigation has found three workarounds that you can implement to protect yourself, and we've documented these in the security advisory. In addition, we've got more technical details on the workarounds and the issue over at the Security Research and Defense (SRD) blog.

Most importantly, we have found one workaround in particular that is simple and effective and protects against the vulnerability with limited impact. In fact, this particular workaround is simple enough that we've been able to give you a way to automatically implement the workaround with the click of a button. Our Customer Service and Support (CSS) group has a new capability called "Fix it" that can automatically apply simple solutions to your system. We've gone ahead and built a "Fix it" that implements the "Disable the parsing of QuickTime content in quartz.dll" registry change workaround. We have also built a "Fix it" that will undo the workaround automatically.

To automatically implement the workaround, go to the KB article for the advisory. In the KB article, there's a section titled "Fix it for me". Click on the "Fix this problem" button under "Enable Workaround" in that section. You will then be offered an installer package from the Microsoft website. After you've confirmed that you trust the source of this package, run it on your system. The package will automatically set the appropriate registry keys on your system to implement the workaround. When you want to undo the workaround, click on the "Fix this problem" button under "Disable Workaround" in the same section.

We're also sharing information about this vulnerability and the limited attacks that we've seen with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

As always, we'll continue monitoring the situation and providing more information through the security advisory and the MSRC weblog.

Thanks

Christopher

Microsoft Security Advisory 971492 (05/18/2009)

I wanted to let you know that we have just posted Microsoft Security Advisory (971492).
This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege. Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

At this time, we are not aware of any known attacks that attempt to use this vulnerability.
An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.
Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
To better help understand the issue, Microsoft security experts have provided additional technical details on the Microsoft Security Research & Defense blog.

We have activated our Software Security Incident Response Process (SSIRP) and we are continuing to investigate this issue. In addition, we are actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

Christopher Budd

Security Bulletin Webcast Video, Questions and Answers - May 2009 (05/15/2009)

In the May 2009 security bulletin webcast, we addressed several questions relating to MS09-017 in addition to questions about WSUS and MBSA. For those questions that came in after we concluded the webcast, we have provided answers in the published Q&A which you can find here:
http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-May-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

Here is the video of the session that includes our detailed look at the bulletin and the live questions and answers session:


As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Please join us for our next live webcast on June 10, 2009 at 11:00 am PDT (UTC -7). Follow this link to pre-register:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032395225

Hope to see you then!

Jerry Bryant


May 2009 Bulletin Release (05/12/2009)

Summary of Microsoft's monthly security bulletin release for May 2009.

Today we released one security bulletin, MS09-017, affecting our PowerPoint products. This update addresses several vulnerabilities including the issue described in Microsoft Security Advisory 969136. In that advisory, we noted that we were aware of limited, targeted attacks.

The security of our customers is important to us and due to these active attacks, we have released the updates for one product line (all versions of Microsoft Office for Windows) so that the majority of our customers can protect their systems. We are able to do this because the updates were ready within the predictable release cycle for the entire product line. Updates for the additional products (Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0) will be released when testing is complete and we can ensure high quality. When ready, we will revise the bulletin and notify customers.

Risk and Impact

To help with risk assessment and impact analysis, Microsoft provides detailed information in the vulnerability information section of the bulletin as well as the Exploitability Index. The aggregate severity of the bulletin is critical and we give it a 1 on the Exploitability Index which means consistent exploit code is likely (and indeed already in the wild for one vulnerability in this update). Of the 14 vulnerabilities being addressed, there are some things to note:

Mitigations and Workarounds

For mitigations and workarounds, I will simply reiterate the information previously stated in the Security Research & Defense blog:

There are a couple of workarounds you can apply in your environment to protect yourself from potential attacks. If your environment has mostly already migrated to using PPTX, you can temporarily disable the binary file format in your organization using the FileBlock registry configuration described in the MS09-017 security bulletin. Alternatively, you can temporarily force all legacy PowerPoint files to open in the Microsoft Isolated Conversion Environment (MOICE). The steps to enable MOICE are listed in the MS09-017 security bulletin.

More Information

In the following 8 minute video, I sit down with Adrian Stone from the MSRC to cover this release in a little more detail:


As always, our friends in the MSRC have provided further analysis in the Security Research and Defense blog, so have a look at that. If you have questions, please join us for our regular live webcast tomorrow (Wednesday, May 13, 2009) at 11:00 am PDT (UTC -7). Click HERE to register.

On the malware front, the Microsoft Malware Protection Center (MMPC) has added two new items to the Malicious Software Removal Tool (MSRT): Win32/Winwebsec and Win32/FakePowav.B. Customers can download the Malicious Software Removal Tool (MSRT) here. Additional details can also be found on the Microsoft Malware Protection Center blog.

Support

Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks,

Jerry Bryant


May 2009 Advance Notification (05/07/2009)

Summary of the May 2009 Advance Notification for the 5/12/2009 security bulletin release.

Today we are letting customers know that next week we will be releasing one security bulletin affecting Microsoft Office PowerPoint with an aggregate severity rating of critical. Customers should review the Advance Notification and prepare appropriately for deployment.

The update should not require a restart unless the updated files are in use at the time they are installed. Customers can also detect systems requiring the update using the Microsoft Baseline Security Analyzer. Note that since this is an Office related update, it will not be available via Windows Update but will be available through the Microsoft Update service.

We are also planning to release at least one high priority, non-security update and additional detections to the Microsoft Windows Malicious Software Removal Tool.

After the bulletin is released, look for additional information on both this blog and the Security Research and Defense blog. If you have questions or would like more information about this month's release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, May 13, 2009, at 11:00 am PDT (UTC -7). Click HERE to register.

As always, this preliminary information is subject to change.

Thanks!

Jerry Bryant


Changes in Windows to Meet Changes in Threat Landscape (04/28/2009)

Customers have heard us say over the years that the threat environment is an ever-evolving one. That means that one of our jobs in working to keep customers safe is to continually monitor the threat environment and make changes to adapt to it.
Today, we're announcing modifications in Windows that adapt to recent changes in the threat environment. Specifically, we're announcing changes to the behavior of AutoPlay so that it will no longer enable an AutoRun task for devices that are not removable optical media (CD/DVD). However, the AutoRun task will still be enabled for media like CD-ROM. There are more details on the change over at the Windows 7 blog as well as at the Security Research and Defense (SRD) blog.

The reason we're making this change is that we've seen an increase, since the start of 2009, in malicious software abusing the current default AutoRun settings to propagate through removable media like USB devices. The best known malicious software abusing AutoRun is Conficker, but it's not alone in that regard: there is other malicious software that abuses this feature. You can get more details on this change and others in the threat environment from the Microsoft Malware Protection Center's blog.

Because we've seen such a marked increase in malicious software abusing AutoRun to propagate, we've decided that it makes sense to adjust the balance between security and usability around removable media. We've tried to be very measured in this adjustment to maximize both customer convenience and protection. Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation (because they're not writable), we felt it made sense to keep the current behavior around AutoPlay for these devices and make this change only for generic mass storage class devices.

This change will be present in the Release Candidate build of Windows 7. In addition, we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.
Thanks.

Christopher


Security Bulletin Webcast Questions and Answers - April 2009 (04/20/2009)

Hi,
During this month's webcast we were able to address 15 questions in the time allotted, but have included the additional questions asked in this Q&A post. Most of the questions centered on MS09-013, the Windows HTTP bulletin; MS09-014, the Internet Explorer bulletin; and MS08-015, the Blended Threat bulletin. We also addressed additional questions regarding the other bulletins, as well as questions concerning the Product Support Lifecycle.

Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-April-2009.aspx
Also, here is the link to the Q&A index page in case you want to view previous months:

http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx
As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:
Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Thanks!
Al Brown

April 2009 Security Bulletin Webcast Video (04/16/2009)

Hello again,

This is Jerry Bryant letting you know that we have published the security bulletin webcast video. As you know, on Tuesday we published a quick overview of the 8 bulletins we released on that day. Yesterday we conducted a live, public webcast, where we went into more detail on each bulletin. The recording from that webcast is embedded below. Usually we include the questions and answers portion along with this, but this month we will point you to the transcript, which should be published here by tomorrow.


As always, we encourage you to register for and attend our monthly bulletin webcasts by going to http://www.microsoft.com/technet/security/current.aspx where you will find the registration links and other valuable security update information.

Thanks!

Jerry Bryant


April 2009 Monthly Bulletin Release (04/14/2009)

April is here and is turning out to be a typical, busy month, if one can call it that. In general, when we have a large release, the number of updates ranges from 7-12. With this in mind, we released eight security updates this month: five rated as Critical, two rated as Important, and one rated as Moderate.
MS09-009
This bulletin addresses two remote code execution vulnerabilities in Microsoft Excel. An attacker could exploit the vulnerability by sending a user a malformed Microsoft Excel file. Upon opening the file, code can run in the context of the logged-on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

A rating of Critical has only been assigned to Microsoft Office Excel 2000. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Microsoft Office Excel 2000, the user will first be prompted with a dialog box. This functionality is already built into newer versions of Microsoft Office.

MS09-010
This bulletin addresses four remote code execution vulnerabilities in Microsoft WordPad and Microsoft Office text converters. An attacker could exploit the vulnerability by sending a user a malformed file. Upon opening the file, code can run in the context of the logged-on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

A rating of Critical has only been assigned to Microsoft Office Word 2000 Service Pack 3. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Office Word 2000 Service Pack 3, the user will first be prompted with a dialog box. This functionality is built into newer versions of Microsoft Office. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates. One of the mitigations is blogged about in greater detail than in the bulletin. You can find this information on the Security Research & Defense blog.

The last thing I will mention is the fact that the Microsoft Security Intelligence Report Volume 6 provides insights into document file format vulnerabilities and common exploitation techniques.

MS09-011
This bulletin addresses a privately reported remote code execution vulnerability in Microsoft DirectX and is rated as Critical. An attacker could exploit this vulnerability by sending a malformed MJPEG file to a user of a system. If a user opened the file, code of the attacker's choice would run in the context of the logged-in user. Unregistering quartz.dll or disabling the decoding of MJPEG content in quartz.dll is a temporary measure that can be used while testing and deploying the update. Please see the bulletin to understand the impact of the workarounds, as they affect functionality.

MS09-012
This bulletin addresses several elevation of privilege vulnerabilities in Microsoft Windows and is rated as Important. The elevation of privilege vulnerabilities are commonly known as Token Kidnapping and were first described in Microsoft Security Advisory 951306. A supplemental blog will be posted here as well as a technical deep dive on the Security Research and Defense blog. It can be found here: http://blogs.technet.com/srd/

MS09-013
Microsoft Windows HTTP Services (WinHTTP) contains three vulnerabilities, two of which could allow for remote code execution running in the context of the logged on user. The bulletin is rated as Critical. WinHTTP is a technology within itself. As such, Internet Explorer does not use WinHTTP services.
MS09-014
Internet Explorer contains several remote code execution vulnerabilities and is rated as Critical. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. This security update also addresses a vulnerability first described in Microsoft Security Advisory 953818. As you will see, MS09-015 also addresses this Advisory. Details as to why can be found in both bulletins.
MS09-015
This bulletin addresses a vulnerability in SearchPath which could allow for an elevation of privilege and is rated as Moderate. It's worth mentioning here that this security update addresses the issue detailed in Advisory 953818: "Blended Threat from Combined Attack Using Apple's Safari on the Windows Platform". Among other information in the bulletin, I want to note that we added a new API as a defense-in-depth measure. It is called SetSearchPathMode. This new API allows for a per-process mode when using the SearchPath function to locate files. This allows applications to force the current directory to be searched after the application and system locations. This defense-in-depth measure is not enabled by default. Please see the bulletin for additional information.

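The per-process opt-in described above can be exercised from PowerShell through P/Invoke. The following is an added example (not code from the MSRC post or from Microsoft): it switches the running process into safe search mode with SetSearchPathMode and resolves a bare file name with SearchPath before and after, using a constructed, harmless decoy copy of win.ini in a scratch directory, so the decoy wins under the legacy order and the copy in the Windows directory wins once safe mode is on. It assumes a Windows system with MS09-015 applied (or Windows 7 or later), so that kernel32.dll exports SetSearchPathMode, and that safe search mode has not already been enabled system-wide.

```powershell
# Added example (not code from the MSRC post or from Microsoft): opt this process into the
# safe search mode that MS09-015 exposes through SetSearchPathMode, then compare where
# SearchPath resolves a bare file name before and after the switch.
# Assumes Windows with MS09-015 applied (or Windows 7 or later), so kernel32.dll exports
# SetSearchPathMode, and that safe search mode is not already enabled system-wide.
$signature = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class SafeSearch
{
    // Flag values as defined in the Win32 SDK (winbase.h).
    public const uint BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE  = 0x00000001;
    public const uint BASE_SEARCH_PATH_DISABLE_SAFE_SEARCHMODE = 0x00010000;
    public const uint BASE_SEARCH_PATH_PERMANENT               = 0x00008000;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetSearchPathMode(uint Flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint SearchPath(string lpPath, string lpFileName, string lpExtension,
                                         uint nBufferLength, StringBuilder lpBuffer, IntPtr lpFilePart);
}
'@
Add-Type -TypeDefinition $signature

function Resolve-WithSearchPath {
    # Resolve a bare file name with lpPath = $null so the process-wide search order applies.
    param([Parameter(Mandatory)][string]$FileName)
    $buffer = New-Object System.Text.StringBuilder 1024
    $length = [SafeSearch]::SearchPath($null, $FileName, $null, [uint32]($buffer.Capacity), $buffer, [IntPtr]::Zero)
    if ($length -eq 0) {
        throw "SearchPath could not resolve '$FileName' (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    return $buffer.ToString()
}

# Constructed scenario: a scratch directory holding a harmless decoy that shares its name
# with a file in the Windows directory (win.ini). SearchPath consults the *process* current
# directory, which is not the same as PowerShell's Get-Location, so set it explicitly.
$scratch = Join-Path $env:TEMP ('searchpath-demo-' + [Guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $scratch | Out-Null
Set-Content -Path (Join-Path $scratch 'win.ini') -Value '; decoy created by the demo'
$originalCwd = [Environment]::CurrentDirectory
[Environment]::CurrentDirectory = $scratch

try {
    # Legacy order: application dir, current dir, system dirs, Windows dir, then PATH.
    Write-Output ("Legacy order : " + (Resolve-WithSearchPath 'win.ini'))

    # Opt in for this process only. OR in BASE_SEARCH_PATH_PERMANENT to make the choice irrevocable.
    if (-not [SafeSearch]::SetSearchPathMode([SafeSearch]::BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE)) {
        throw "SetSearchPathMode failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }

    # Safe order: the current directory is consulted only after the system and Windows dirs.
    Write-Output ("Safe order   : " + (Resolve-WithSearchPath 'win.ini'))
}
finally {
    # Revert (possible only because the permanent flag was not set) and clean up the decoy.
    [SafeSearch]::SetSearchPathMode([SafeSearch]::BASE_SEARCH_PATH_DISABLE_SAFE_SEARCHMODE) | Out-Null
    [Environment]::CurrentDirectory = $originalCwd
    Remove-Item -Path $scratch -Recurse -Force
}
```

An application that ships with the permanent flag set cannot be talked back into the legacy order by any code loaded later in the process, which is the point of the defense-in-depth option the bulletin describes.
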
MS09-016
This bulletin addresses vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) and is rated as Important. These vulnerabilities could allow denial of service if an attacker sends specially crafted network packets to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

There are several mitigating factors noted in the bulletin; one of which I will note here regarding the cross-site scripting (XSS) vulnerability. ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).

My colleague Jonathan, in the MSRC, is providing guidance as it relates to suggestions for prioritization of the security updates. This information can be found at the Security Research & Defense blog site.
As a postscript to this posting I want to share some thoughts with you regarding the advisories.
Of the eight updates, five address vulnerabilities that Microsoft has issued security advisories for:
- Excel vulnerability: Security Advisory 968272 was released Feb. 24, 2009.
- WordPad: Security Advisory 960906 was released Dec. 9, 2008; more related information can be found at the Security Research & Defense blog.
- CarpetBombing: Security Advisory 953818 was released May 30, 2008; more related information can be found at the Security Research & Defense blog.
- Token Kidnapping: Security Advisory 951306 was released April 17, 2008; more related information can be found at the Security Research & Defense blog.
The question becomes, why does it take so long for Microsoft to release a security update?
When we here at Microsoft are asked this question, our answer is "we want to get this right." Or to put it another way, we are constantly asking ourselves during any given release cycle "are we doing the right thing for our customers?" If as a result of any given investigation we find a variant of a vulnerability we are fixing, do we dig deeper to make sure we cover all our bases, or do we just fix what we can see and ship the update because of external pressures? "Are we doing the right thing for our customers?"

If we find, at the 11th hour, an application compatibility issue that breaks third party software, do we ship anyway because we don't want to get bad press? "Are we doing the right thing for our customers?"

Do we spread out the release of open advisories so no one notices, but not ship them when ready? "Are we doing the right thing for our customer?"

I will say that we will do the right thing for our customers; we will dig deeper; we will hold a low quality update; and we will release an update when it is ready for broad distribution; no sooner or no later.

April 14: Updated to include hyperlinks for bulletins

Token Kidnapping (04/14/2009)

Hello everyone,
As you can see from the April 2009 release summary, we addressed the Token Kidnapping issue with bulletin MS09-012. This issue allowed an attacker to gain full control of a server if the attacker can first run malicious code on the server as a lesser privileged user.

This issue was originally presented by Cesar Cerrudo in March of 2008 at Hack in the Box (Dubai) 2008. In April of 2008, we released an advisory to inform customers of actions they could take to protect themselves. We also updated the advisory in October of 2008, alerting customers to the availability of proof-of-concept code that demonstrates how to attack systems using token kidnapping techniques. Today we've released an update that protects from these issues without having to deploy workarounds. This release has been a long time in the making, so I wanted to take a moment and provide some insight into what it took to resolve this issue for customers.

First, what is Token Kidnapping? This is an elevation of privilege vulnerability that could allow an attacker to go from authenticated user to LocalSystem privileges. An attacker can escalate their privileges on a system if they can control the SeImpersonatePrivilege token. An attacker would need to be executing code in the context of a Windows service to use this exploit. For a more detailed look at the issue, refer to the SRD blog found here.

This case presented some interesting challenges in preparing the update to address the issue. First, there are two updates included in this bulletin. The first update addresses service isolation, while the second addresses processes running as service accounts. In order to secure these items, we took the work we did in Windows Vista to provide additional service hardening and implemented it in older operating systems like Windows XP and Windows Server 2003. These changes are low-level and deeply engrained in the OS. When making these types of changes, many of the applications that have been written in the 5 to 10 years since the OS was released could be impacted, as we are changing infrastructure. Typically, we only change code to this degree in a service pack release to ensure it receives the proper level of testing.

However, given the security risk, and even though we provided workarounds, we wanted to secure customers automatically. So we made the changes, and then did extensive testing to ensure this update is high-quality and did not impact existing implementations. For this bulletin, we ran over 600,000 different test scenarios, with over 6,000 variations tested in one configuration alone. We also needed to ensure we were not breaking 3rd-party applications by introducing this change. As a result, 2,500 application compatibility tests were also run. In addition to this testing, we selected over 1,000 systems within Microsoft to test the update before we released, and some key customers signed NDAs to do even more testing in their lab environments to make sure we didn't break Line-of-Business application scenarios. One thing we did notice is that some 3rd-party applications may need to be updated to receive the same security benefits provided by this update. To facilitate this, the update also provides an infrastructure for 3rd parties to isolate and secure their services. In Windows XP and Windows Server 2003, all processes running under the context of a single account have full control over each other. This update provides 3rd parties the ability to isolate and secure their services that hold a SYSTEM token and run under the NetworkService or LocalService accounts. For more information on the usage of this registry key, see Microsoft Knowledge Base Article 956572.

While this update took some time to complete, our hope is that the majority of customers are protected either through the guidance we released a year ago or the update we released today.  It is never an easy process to bring infrastructure from a newer OS to an older OS, but we considered this an important enough issue to do so.  As you would expect, it wasn't always an easy road, so I would like to thank all of the folks internally and externally that helped bring this update to the worldwide community.  Specifically, I'd like to thank the following people who were key contributors in bringing this update to the world:

 

And special thanks go out to all of the many developers and testers who helped make this release possible.

 

Thanks,

Dustin

MSRC

 

Links to related articles:

Service isolation explanation, SRD blog entry, Jonathan Ness, October, 2008  

Token Kidnapping in Windows, Nazim's IIS Security Blog, Nazim Lala, October, 2008

 

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Security Bulletin Overview Video - April 2009 (04/14/2009)

Hi Everyone,

Jerry Bryant again. Here is the overview video for the April 2009 bulletins. Please join us tomorrow at 11:00 am PDT (UTC -7) for our bulletin webcast, where we will cover this month's updates in more detail and try to answer all of your bulletin-related questions.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Conficker.E (04/09/2009)

 

We've seen some activity in the Conficker space in the past two days and this has caused some questions from customers. Specifically, there have been reports of two possible new variants of Conficker. Our colleagues over at the Microsoft Malware Protection Center (MMPC) have done a thorough analysis of both of these and have determined that there's really only one new variant, which they're calling Conficker.E. Most importantly, the signatures that protect against Conficker.A are also effective at protecting against Conficker.E. The other possible new variant is only a slightly modified version of Conficker.D, and our Conficker.D signatures protect against it. Also, our virus encyclopedia entry for Conficker.D has been updated to include information about this slightly modified version.

 

There's more detailed information on Conficker.E on the MMPC blog and in the encyclopedia entry. But at a high level, it has similar propagation methods to Conficker.B (attempting to exploit MS08-067, attacking weak passwords on administrative shares, and spreading via removable media like USB drives).  However, it also carries instructions to delete itself on May 3, 2009.

 

The important thing is that our guidance for protecting yourself remains the same. If your systems and security software are fully updated, you don't need to be concerned about Conficker.

 

As always, we're continuing our work with the Conficker Working Group and will update you as we have new, important information.

 

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*





A VC (07/03/09)

HeyZap's Looking For A Strong Software Engineer In SF (07/03/2009)

Our newest portfolio company, HeyZap, is looking for the fourth member of their team. HeyZap is a platform for game developers to get wide viral distribution for their flash games and monetize them. They are looking for: a talented engineer...

Hacker News and the NoSQL Movement (07/02/2009)

I love Hacker News (aka news.ycombinator.com). I read it at least once a day and it sends this blog more traffic than anything other than Google and Twitter. This is the referrer log for AVC for the past month. But...

A Shorter Post Than I Planned (07/01/2009)

I just spent a half hour composing a longish thoughtful post on the art of saying no in the venture capital business. It was inspired by Brad Feld's post on the same topic a few days ago. However, when I...

What VCs Are Worrying About (06/30/2009)

A survey of VCs by Polachi Inc. has been making the rounds of the internet the past couple days. I was asked to participate in this survey but did not (not for any reason in particular). I looked over the...

Trendrr - The Freemium Web Charting Service (06/30/2009)

Let's say you want to track how something you are working on is doing. You can look at its web traffic on comScore, Compete, Quantcast, Alexa, etc. You can check out how it is doing on Google Trends. But if...

Feld Thoughts (07/03/09)

Watching People Come of Age (07/03/2009)

...

Gnip Is Hiring Software Developers (07/03/2009)

...

Trada is Hiring for a Test Engineer + Support (07/03/2009)

...

The Unbearable Stupidity of Some Patents (07/02/2009)

...

Make Me Happy - There's An App for That (07/01/2009)

...

TechStars TV: The Founders: Episode 5 (07/01/2009)

...

How To Be Skinnier (06/29/2009)

...

Kaguya Spacecraft Crashes into the Moon (06/29/2009)

...

Saying No In Less Than 60 Seconds (06/28/2009)

...

Sarychev Peak Volcano in Stereo (06/25/2009)

...

TechStars Episode 4: Skills & Persistence (06/24/2009)

...

Deep Calm (06/23/2009)

...

OpenPogo - Hacking Your Pogoplug (06/22/2009)

...

Don Coen - Prairie Rattler (06/21/2009)

...

Advice For Working With Mentors (06/20/2009)

...

The Security Skeptic (03/24/08)

Antivirus checking and *aggressive* positives

Antivirus programs vary in effectiveness, and "how good is my AV protection" has less to do with whether you are using free or commercial software and more to do with how frequently you update virus signatures and how aggressively you set the virus inspection. Certain antivirus products offer an advanced feature that allows you to specify the level of detection, and at higher levels you should expect some false positives, i.e., some files that are not viruses may look enough like a virus to be flagged as one, even if the file is perfectly benign. Let's consider an example...

The Privacy Toolbox

The Privacy Toolbox offers a list of 100 resources and guides to help users protect consumer and business identities and sensitive information. Toolbox is something of a misnomer. This is really a resources page - a good one, mind you - with links to guides that discuss all matters related to privacy,

Must read on "net neutrality"

Susan Crawford, a visiting associate professor at Yale Law School, was recently asked to give testimony to the U.S. House of Representatives' Committee on the Judiciary, Task Force on Competition Policy and Antitrust Laws. The subject of the hearing was, broadly, net neutrality and free speech on the Internet, or specifically, whether Internet access network providers should be allowed to discriminate based on the origin and content of traffic they transport. In her testimony, Susan speaks to three issues that form the bases of the net neutrality issue...

Hype-cycle management

Users have a longer "product" life cycle to manage than vendors, one that includes hype cycle management. The hype cycle begins before a product announcement. Hype that sparks the cycle takes many forms: new standards and regulations, demonstrations of prototypes at trade shows, trade pub and street talk. Soon, *THIS NEW THING* is widely heralded as the most disruptive technology since, well, the last most disruptive technology. Consider this tale of two C*Os and their experiences with the iPhone...

Interviewed by darkREADING

Senior editor Kelly Jackson Higgins interviews me, Rod Rasmussen (Internet Identity) and Joe Nazario (Arbor Networks) on the potential impact ICANN SSAC's Advisory, Fast Flux Hosting and DNS, could have in shaping future countermeasures to fast flux attacks.

The truth is out there...

WebProNews reporter Jason Lee Miller does an admirable job of characterizing the debate over the existence or non-existence of domain name front running in his article, Domain Frontrunning: A Ghost In The Machine. I like this guy...

Quad A resource records in the root: if you want the full nine yards...

In BlogID 671, I mention that a simple NS query on any root name server will confirm that IANA has included IPv6 addresses of 6 authoritative root name servers in the hints and root zone files. The simple "dig" example I gave will only return as many complete resource records as the root name server can fit into an RFC 1035 compliant, UDP-encapsulated DNS response. If you want to see all the resource records for all the root name servers...

IPv6 addresses for the root name servers

IANA has implemented the recommendations of ICANN's Security and Stability Advisory Committee (SAC 018) by adding AAAA records for six of the thirteen listed authorities for the root zone.

The IPv6 bandwagon: empty and unprotected

Who is Cary Duffy Marsan and why is she so interested in IPv6 when (apparently) few others are? Cary Duffy Marsan is Senior Editor, Enterprise Applications for Network World magazine. Why she is interested in IPv6 is a mystery, but she has done some "responsible journalism" by publishing a series of articles on IPv4 address exhaustion (February 2008) and transition (switching) to IPv6 (December 2007)...

Domain Name Front Running Report

ICANN's SSAC has published the results of its study and analysis of domain name front running. The report (SAC 024) reviews 120 claims submitted by Internet users following an Advisory SSAC issued in October 2007 where the committee defined domain name front running and identified the many ways one could (theoretically) obtain information about an Internet user's interest in a domain name and use that information to preemptively register the domain.

Fast flux hosting and DNS

My SSAC committee's Advisory on Fast Flux Hosting and DNS is now available. The SSAC Advisory describes variations of fast flux hosting, identifies current measures to detect and combat fast flux, and offers additional measures...

Internet outage in Egypt

Imagine my amazement when I received a call from a reporter asking for an interview regarding the Internet disruption in Egypt from the New Jersey Star Ledger. In addition to discussing how businesses should react to disruptions of this sort (calmly, they are rare and recoverable events, largely due to the fact that *survivability* was one of the most important, original design objectives for the Internet), I wandered off topic with staff writer Kelly Heyboer about the role her newspaper played in my high school days.

SANS Internet Storm Center, InfoCON: green (07/03/09)

Infocon: green

BCP/DRP

BCP/DRP, (Fri, Jul 3rd) (07/03/2009)

Question, what do Bing.com and Authorize ...(more)...

Happy 4th of July!, (Fri, Jul 3rd) (07/03/2009)

Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, ...(more)...

FCKEditor advisory, (Fri, Jul 3rd) (07/03/2009)

FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnera ...(more)...

Authorize.net down, (Fri, Jul 3rd) (07/03/2009)

The credit card payment gateway authorize.net is currently down ...(more)...

Cold Fusion web sites getting compromised, (Thu, Jul 2nd) (07/03/2009)

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We receiv ...(more)...

Unpatched Bloatware on new PCs, (Thu, Jul 2nd) (07/02/2009)

I recently purchased a netbook, and while I like the highly portable on-the-go computing that it off ...(more)...

Getting the EXE out of the RTF, (Thu, Jul 2nd) (07/01/2009)

Recently, when the targeted attack with malicious RTF attachments was making the rounds, I wondered ...(more)...

Internet Storm Center Podcast Episode Number Fifteen, (Thu, Jul 2nd) (07/01/2009)

Hey everyone, sorry it has taken so long to get around to recording another podcast episode! T ...(more)...








MSDN: U.S. Local Highlights (07/02/09)

Check out the MSDN Home Page's evil twin! (07/02/2009)

Want a peek at a couple things our designers and front edge team have been working on? These widgets were just short-term exercises that we hope will get you excited about the things to come. If you love it or hate it, let us know by hitting the feedback link at the bottom of the page!

Learn More About the Open Source SecurityTool: !exploitable Crash Analyzer (06/29/2009)

Learn about the makings of the !exploitable Crash Analyzer tool. It's the only tool of its kind that increases efficiency, reduces cost, and improves security by providing automated crash analysis and security risk assessment.

Tell Your Web Developer Friends About "Will Code for Green" (06/29/2009)

Develop a green application using the Bing API with any tech platform or language, win US$10,000 + be featured at Gnomedex!

Watch a "How Do I Video?" on Getting Started with .NET Services (06/29/2009)

.NET Services are a set of highly scalable building blocks for programming in the cloud. In this brief screencast, you'll learn about the registration process, the SDK and the built-in samples - everything you need to know in order to get started.

Windows 7 Release Candidate Now Available (06/25/2009)

The Windows 7 Release Candidate is now available. Download, install, and actively test the Windows 7 RC code to help get your software and hardware solutions ready.

Introducing Windows Server 2008 R2 On-Demand Series (06/25/2009)

Windows Server 2008 R2 release expands on existing technology and adds a host of new features. In this series of on-demand webcasts, you'll get to know Windows Server 2008 R2, learn about what's changed, and get a jump start on developing for this new platform.

Privacy Guidelines for Developing Software Products and Services (06/25/2009)

Download this document to help set data privacy guidelines for developing your software products and services, based on Microsoft's internal guidelines and experience with incorporating privacy into the development process.

Windows 7 Release Candidate Now Available (06/22/2009)

The Windows 7 release candidate is now available. Download, install, and actively test the Windows 7 RC code to help get your software and hardware solutions ready.

Check Out the Latest Videos and Webcasts on Windows Azure (06/22/2009)

Take advantage of this resource that includes a full listing of the latest webcasts and how-to videos covering the technologies included in the Azure Services Platform: Windows Azure, .NET Services, SQL Data Services, and Live Services.

Get a Windows 7 Graphics Architecture Overview (Video, Part 3) (06/22/2009)

In the last of a three-part series of videos on Windows 7 graphics architecture, David Blythe, Senior Architect in the Desktop and Graphics team, and Yochay Kiriaty, Technical Evangelist, discuss many new updates and improvements in the Windows 7 architecture and how they improve the user experience.

Windows 7 General Availability on October 22 (06/15/2009)

Windows 7 will be available in stores beginning October 22. An important milestone on the path to general availability (GA), the release to manufacturing (RTM) code for Windows 7 will be available to Microsoft partners at the end of July, as will the RTM code for Windows Server 2008 R2.

"How Do I?" Video: Learn More About Encryption (06/15/2009)

Learn more about the basics behind encryption algorithms and practices used to create cryptographic schemes, symmetric and asymmetric encryption algorithms, the SHA256 hash encryption algorithms, and how to implement them in a simple application.

Free Visual Studio E-Books Offer from Microsoft Press (06/15/2009)

Download chapters from three great books on Visual Studio 2008: Programming Microsoft LINQ, Introducing Microsoft Silverlight 2, Second Edition, and Programming Microsoft ASP.NET 3.5.

Bytes by MSDN (06/11/2009)

Listen or watch 16 influential community and Microsoft developers, interviewed at Tech·Ed, talk about their recommended must-have resources for the summer. Check back weekly for the next installment in the series or subscribe and take it with you.

New "How Do I?" Videos for Internet Explorer 8 (06/11/2009)

Find videos designed to help Web developers and designers of all skill levels experience the power of the Web using Internet Explorer 8. Check back often, as new videos are added regularly.

Get a Windows 7 Graphics Architecture Overview (Video, Part 2) (06/11/2009)

In the second of three overview videos, David Blythe, Senior Architect in the Desktop and Graphics team, and Yochay Kiriaty, Technical Evangelist, discuss what's new in Windows 7 graphics and how developers can tap into the new APIs.

Write Secure Code Using the Security Development Lifecycle Process Template for VSTS (06/08/2009)

The SDL Process Template for VSTS integrates the policy, process, and tools of the SDL v4 into Visual Studio Team Systems 2008, and eases adoption of the SDL, enables auditable security requirements and status, and demonstrates security return on investment.

Mark Your Calendar for July 1, 2009 - Windows 7 Beta Expiration (06/08/2009)

Heads up! The Windows 7 Beta will expire on August 1, 2009, so be prepared and plan to rebuild your PC with either the release candidate (RC) or another valid version of Windows before July 1, 2009. You will receive a warning two weeks prior to July 1; after this date, your PC will begin shutting down every two hours.

Read a New Customer Case Study on Windows Server Platform Strategy (06/08/2009)

In this case study, YOURasp had been hosting WAEC's sites on Linux, and decided to run the new PHP-based Web site on the Windows Server 2008 Datacenter operating system. In less than one week, the company deployed a virtual failover cluster that handled up to 10K service requests per minute during the election.

Mark Your Calendar: Windows 7 General Availability on October 22 (06/04/2009)

Windows 7 will be available in stores beginning October 22nd. An important milestone on the path to general availability (GA), the release to manufacturing (RTM) code for Windows 7 will be available to Microsoft partners at the end of July, as well as the RTM code for Windows Server 2008 R2.

Download the Azure Services Training Kit (06/04/2009)

The Azure Services Training Kit includes a comprehensive set of technical content including hands-on labs, presentations, and demos that are designed to help you learn how to use the Azure Services Platform.

Watch a Video: Windows 7 Graphics Architecture Overview, Part 1 (06/04/2009)

In the first of three overview videos, David Blythe, Senior Architect in the Desktop and Graphics team, and Yochay Kiriaty, Technical Evangelist, give you a quick tour of Windows 7 Graphics architecture, its different components, and how they affect and improve the user experience in Windows 7.

Watch a Video on How to Use Styles in WPF (06/01/2009)

This video will show you several ways to create and apply reusable styles in WPF (in the control, in a resource section elsewhere in the window markup, and in the app.xaml file) and how styles cascade and can be overridden.

Download the Internet Explorer 8 Readiness Toolkit (06/01/2009)

Check out the Windows Internet Explorer 8 Readiness Toolkit, the first place to look when you are ready to optimize Web sites and applications for Internet Explorer 8.

Two New Companies Join the Microsoft Security Development Lifecycle (SDL) Pro Network (06/01/2009)

SAIC, a security consulting company, and the SANS Institute, a security training company, have recently joined the Microsoft SDL Pro Network to support Microsoft's commitment to make the SDL more accessible to every developer. These companies will guide and support you in implementing the SDL into your environment to better protect your customers.

Learn More About Microsoft Live Services (05/28/2009)

Live Services is a set of building blocks within the Azure Services platform for handling user data and application resources. Click here to explore the Live Framework, and explore all the documentation, SDKs, libraries, code snippets, and much, much more.

Add Security to Applications by Digitally Signing XML Documents (05/28/2009)

In this lab, you will learn how to digitally sign XML documents by using the System.Security.Cryptography library and how to use TFS to track bugs.

MSDN Webcast: Windows XP Embedded Overview and Applications (Level 200) (05/28/2009)

Watch this webcast to get an overview of Windows XP Embedded and find out more about the development tools used to build custom operating system images.

Join MSDN Ramp Up and Summit Your Career! (05/25/2009)

Learn new development skills with free step-by-step training plans and premium technical content, and get valuable discounts on select certification exams and Microsoft Press training kits.

Writing Secure Code Just Got a Lot Easier with the SDL Process Template for VSTS (05/25/2009)

The SDL Process Template for VSTS integrates the policy, process, and tools of the SDL v4 into Visual Studio Team Systems 2008. It eases adoption of the SDL, enables auditable security requirements and status, and demonstrates security return on investment.

MSDN Webcast: Windows XP Embedded Overview and Applications (Level 200) (05/25/2009)

Watch this webcast to get an overview of Windows XP Embedded and find out more about the development tools used to build custom operating system images.

Visual Studio 2010 and .NET Framework 4 Beta 1 Are Here (05/21/2009)

Visual Studio 2010 and .NET Framework 4 mark the next generation of developer tools from Microsoft. Check it out!

Windows Internet Explorer 8: Build Robust Web Applications (05/21/2009)

Find out how Web development can be faster and easier with Windows Internet Explorer 8 Developer Tools, and learn more about developer tools to use in exposing how the browser interprets a Web page. In these webcasts, podcasts, and virtual labs, we explore the built-in Internet Explorer 8 features that can help developers build standards-based Web applications.

VS Debugger: Create a Breakpoint Using Conditions (05/21/2009)

Watch this video in which Todd Miranda explains how a breakpoint is triggered by default and demonstrates how to use advanced breakpoints to only trigger when certain hit count conditions are met.

ServerQuest II Has Arrived... Are You Geek Enough to Play? (05/18/2009)

Play this new game and experience a day in a geek's life. Only the server can save you!

Join MSDN Ramp Up and Summit Your Career! (05/18/2009)

Learn new development skills with free step-by-step training plans and premium technical content, and get valuable discounts on select certification exams and Microsoft Press training kits.

MSDN Webcast: Implement the Complete Model View Controller (MVC) Pattern for the Web with Visual WebGui (Level 300) (05/18/2009)

How does Visual WebGui solve the complexity of using the model view controller (MVC) pattern in Web development in a light, simple, and productive way? Watch this webcast to find out.

Free Visual Studio E-Books Offer from Microsoft Press (05/14/2009)

Download chapters from three great books on Visual Studio 2008: Programming Microsoft LINQ, Introducing Microsoft Silverlight 2, Second Edition, and Programming Microsoft ASP.NET 3.5.

Check Out the Latest Videos and Webcasts on Windows Azure (05/14/2009)

Take advantage of this resource that includes a full listing of the latest webcasts and how-to videos covering the technologies included in the Azure Services Platform: Windows Azure, .NET Services, SQL Data Services, and Live Services.

Don't Miss Tech·Ed Online This Week (05/14/2009)

View video interviews with industry experts, on-demand sessions and keynotes, and Tech·Ed blog posts from around the world.

Download the Security Development Lifecycle Optimization Model (05/11/2009)

Self-assess your current state of security in development and create a strategy and roadmap to progressively attain measurable security improvements with the Security Development Lifecycle Optimization Model.

Watch the Newest "How Do I?" Videos about Internet Explorer 8 (05/11/2009)

Find videos designed to help Web developers and designers of all skill levels experience the power of the Web using Internet Explorer 8. Check back often, as new videos are added regularly.

Don't Miss Tech·Ed Online This Week (05/11/2009)

View video interviews with industry experts, on-demand sessions and keynotes, and Tech·Ed blog posts from around the world.

Explore the Windows Azure SDK (05/07/2009)

Download the Windows Azure SDK that includes APIs, tools, documentation, and samples needed to develop Internet-scale applications to run on Windows Azure.

Download the Security Development Lifecycle Threat Modeling Tool (05/07/2009)

Reduce your cost of development by identifying and mitigating potential security vulnerabilities in the design phase of the SDL, when they are relatively easy and cost-effective to resolve.

ServerQuest II Has Arrived... Are You Geek Enough to Play? (05/07/2009)

Play this new game and experience a day in a geek's life. Only the server can save you!

Windows 7 Release Candidate Now Available (05/05/2009)

The Windows 7 release candidate is now available. Download, install, and actively test the Windows 7 RC code to help get your software and hardware solutions ready.

Video: How to Create a User Control in WPF (05/04/2009)

Learn how to create a timer User Control in WPF and see how to handle common problems in its development.

Download the Free !exploitable Crash Analyzer (05/04/2009)

!exploitable Crash Analyzer is a Windows debugger extension that provides automated crash analysis and security risk assessment in a tool that every developer and tester can use.

MSDN Webcast: Windows Embedded CE and Handheld Solutions (Level 100) (05/04/2009)

Dion Hutchings discusses Windows Embedded CE, the ideal handheld platform with hardware support and software components to satisfy the requirements of connected, service-oriented handheld devices.

Download the Security Development Lifecycle Optimization Model (04/30/2009)

Self-assess your current state of security development and create a strategy and roadmap to progressively attain measurable security improvements with the Security Development Lifecycle Optimization Model.

Mark Your Calendar for July 1, 2009 - Windows 7 Beta Expiration (04/30/2009)

Heads up! The Windows 7 Beta will expire on August 1, 2009, so be prepared and plan to rebuild your PC with either the Release Candidate (RC) or another valid version of Windows before July 1, 2009. You will receive a warning two weeks prior to July 1; after this date, your PC will begin shutting down every two hours.

Download the Microsoft SQL Data Services SDK (04/30/2009)

The SQL Data Services SDK provides APIs, tools, documentation, and code samples to help you quickly get started with SQL Data Services.

Tech·Ed North America 2009: Only a Few Days Left to Register (04/27/2009)

If you want to explore current and soon-to-be-released Microsoft technologies, including the Azure Services Platform, Visual C++, Visual Basic, Visual C#, Visual Studio 2008, and the upcoming Visual Studio 2010, visit our Web site and register today.

"How Do I" Video: Box-Sizing and Vertical Text in Internet Explorer 8 (04/27/2009)

Watch Matt Hester demonstrate how Internet Explorer 8 implements box-sizing and vertical text from the W3C's CSS3 working draft, including the two box-sizing properties of content-box and border-box and the writing-mode for vertical text.

Announcing MSDN Code Search Preview: Find Code Samples on MSDN (04/27/2009)

Use MSDN Code Search Preview to search for code samples across the MSDN Library, MSDN Code Gallery, and CodePlex. Take advantage of advanced filtering, filter by language, and more to help you find code samples.

Download the Microsoft .NET Services SDK (04/23/2009)

The Microsoft .NET Services SDK contains APIs, tools, documentation, and samples needed to develop applications that take advantage of the Access Control Service, Workflow Service, and the Service Bus.

Watch the Newest "How Do I?" Videos About Internet Explorer 8 (04/23/2009)

Find videos designed to help Web developers and designers of all skill levels experience the power of the Web using Internet Explorer 8. Check back often, as new videos are added regularly.

Let the Microsoft Security Development Lifecycle Pro Network Help You Get Started with the SDL (04/23/2009)

Implement the Microsoft Security Development Lifecycle (SDL), the industry-leading software security assurance process, in your organization with the help of the SDL Pro Network, a group of consultants and trainers specialized in application security.

Tech·Ed North America 2009: There's Still Time (04/20/2009)
