Archive for February, 2007

Opera Canadian Download Site Down?

I was attempting to add the list of applications Corrine suggested to the "ComputerDefense.org Outbound Rules List" and when I reached Opera, I ran into a problem. http://www.opera.com takes you to a page where you can click to begin a download. The next page is a redirect with a "Click here if your download doesn't start" button. Both the redirect and the link take you to http://www.microrpm.ca/pub/opera/win/910/en/Opera_9.10_Eng_Setup.exe and this site is currently unavailable to me... Interestingly enough, Opera doesn't let you access a mirror list to select a different mirror should the one you're sent to be unavailable.

Categories: IT

ComputerDefense.org Outbound Rules List

[LATEST UPDATE] 2/17/2007 - Added 4 New Applications.

I've decided to compile a list of "standard" applications and create outbound rules bound to the applications and their default install locations that users can import into the Windows Vista Firewall (should they want to enable outbound filtering but not want to sit and configure each of their programs individually)...

I'm more than willing to create additions to the list (assuming I know the software to be "safe"). So please provide comments with applications you'd like to see included.

I'm also considering writing an application that will create a list based on your installed applications and let you choose which ones to allow access for... This will generate a file you can then import into the firewall.

In the meantime this list is small but it will grow as suggestions come in... Any vendors that would like to be added to this list are more than welcome to provide me with their software and I'll add it.

Current List:

  • Internet Explorer
  • Mozilla Firefox
  • AIM6
  • MSN Messenger
  • FileZilla
  • PuTTY
  • X-Chat 2
  • FoxIt Reader (Requested by Corrine)
  • Mozilla Thunderbird (Requested by Corrine)
  • Opera (Requested by Corrine)
  • Trillian (Requested by Corrine)

As I said leave comments for additional software you'd like to see (preferably with links to the products homepage).

Download: Outbound Rules.txt

Categories: IT, Security

Microsoft Firewall Bashing… Didn’t Agnitum Already Try This?

This time the culprit is Preston Gralla, writing for ComputerWorld... in his article entitled "New Vista firewall fails on outbound security". I thought we were supposed to capitalize significant words in titles... Some of you may recognize Preston's name... he was the journalist who proclaimed "Justice Prevails" when an innocent school teacher was found guilty after porn accidentally appeared on a school computer screen due to spyware. This time, instead of attacking an innocent school teacher, this so-called "computer expert" decides to take on the Vista firewall.

Preston makes some interesting claims... I'm going to attempt to cover some of the more "controversial" comments here:

Normally, to configure the Windows Vista Firewall, you choose Control Panel, then Security, then Turn Windows Firewall on or off. You'll see the screen shown in the figure below.

You can actually go Control Panel --> Windows Firewall, but since Gralla is attacking Microsoft here he needs to make it seem like it takes longer.

To work with outbound filtering, you instead have to use the Microsoft Management Console, specifically the Windows Firewall with Advanced Security Group Policy applet, by typing wf.msc at the Search box or command prompt and pressing Enter.

Most people that I know who want to look at their running services are going to type services.msc in the Run Dialog (available via 'Windows Key' + R in Vista) or in the search box (a Run Dialog replacement), so why not make the firewall available via the same means? That being said, you can actually go Control Panel --> Administrative Tools --> Windows Firewall with Advanced Security. Yes... you can navigate to it with a GUI and in the same number of clicks it takes Preston to access the basic features of the Windows firewall.

So, why does the Windows Firewall have basic and advanced features? Well, most personal firewall products do, so why shouldn't this one? It's also fairly simple to navigate to and in the expected place... in fact I had no idea where I'd find it, I just knew there would be a GUI... It was in the first place I looked. One might call it intuitive placement.

Every rule in the Windows Firewall allows outbound connections, though. Click the Outbound Rules icon on the left side of the screen, and you'll see all the outbound rules. As you can see from the figure below, every outbound rule allows outbound connections. None block connection.

This was one of my favourite comments. The Outbound Rules list is populated with a collection of Allow statements for core Windows functions. Oh No!!! We're allowing core functionality. I'm not really sure what Gralla was thinking here but common sense tells me that these should be here. The idea is that the list is pre-populated with rules that will allow Windows to function unhindered should you decide to enable Outbound Connection Blocking. Let's think of this like Cisco IOS... when ACLs are enabled there is an implicit 'deny any any' at the end of the ACL list. Now think of the Windows Firewall as two ACLs... an Inbound ACL and an Outbound ACL. Each of these lists has an implicit 'deny any any' at the end, which means you would only put allow rules in them. Any CCNA can confirm this for you.

Making matters worse, there is no way for an individual or IT staffer on his own to create an all-purpose rule that will block malware from making outbound connections. You can only create a rule to block a specific piece of malware. That is an extremely difficult task, requiring that you know quite a bit of information about that piece of malware, including its location on your PC, the port it uses to make outbound connections and so on.

To stop all malware from making outbound connections, you'd have to know all those details of all the thousands of pieces of malware in existence, and create rules for each one individually. But even that wouldn't work, because you wouldn't know about malware that has not yet been detected.

In short, as a practical matter, it's an impossible task.

This is a long statement, but it makes me laugh yet again. I would suggest that Mr. Gralla look to gain at least a basic understanding of how firewalls work. What he describes in his first sentence is a mythical rule that doesn't exist. I bet that every Sys Admin on the planet would pay a pretty penny for an "all-purpose rule that will block malware from making outbound connections." This rule doesn't exist; in fact, it couldn't exist. Let's say my malware communicates with a parent server by submitting information via an HTTP POST to port 80 or, better yet, over SSL to port 443. This will look like regular traffic, and a rule that blocks outbound access to ports 80 and 443 would block your browser from functioning as well. Mr. Gralla doesn't seem to get that this is why you have an implicit 'deny any any'... because that blocks all malware by blocking all outbound traffic. You then allow specific programs, protocols or ports. Strangely enough, what would be considered the norm for any network security setup is exactly how the Windows Firewall works in Vista.

As a side note, a nice feature of Vista is that it allows multiple networks... They are classified as Domain, Public and Private... and seem to correlate to the Work, Public and Home settings that Vista presents to the user every time a new network is discovered. Each of these networks can have their own inbound and outbound settings (for default block and allow).

Competing firewalls often use built-in intelligence to allow certain programs to make outbound connections, and then issue alerts when other programs make connections. You're told the program name and executable and given a recommendation as to whether the program should be allowed. You can then block or allow the program to make a connection on a one-time or permanent basis.

First, I'd like to look at the first sentence here... then I'd like to point out to Mr. Gralla that these are the Outbound Allow rules that he was complaining about only paragraphs before. Then he mentions the fact that Vista lacks a user friendly "Allow this program to access the internet" pop-up box. I covered this previously in my Agnitum post but I'll address it again. You see, software that provides these pop-ups makes it very easy to fool the user... it also allows the user to become complacent. What Microsoft has done is similar to iptables in Linux and ACLs in Cisco routers. You need to predefine programs that are allowed to access the internet. Let's take my HTTP/HTTPS malware above and let's name it firefox.exe. Next, let's install it to C:\Program Files\M0zilla Firefox\. Most users are going to see that pop-up and quickly allow it if the functionality exists (such as the functionality in Norton Security Suite or ZoneAlarm Firewall)... Why? Users like to "click-through"... they think that having the firewall is enough. I commend Microsoft for not including the user-friendly pop-up boxes... This is actually a great improvement to the security provided by firewalls. We all know that a balance must be found between security and user friendliness... This option sure beats providing enough user friendliness that you allow the users to make the firewall useless. Users will allow firefox.exe at its real install path when they configure their Windows Firewall... then the malware at C:\Program Files\M0zilla Firefox\firefox.exe will be silently blocked because no allow rule is bound to that path.

Another side note, when blocking outbound connections, certain software, such as Microsoft Internet Explorer, will allow you to diagnose connection issues (if you haven't already allowed it in your outbound rules) and it will notify you that an outbound policy is in place on the firewall.

In the end, I think that the subtitle really says it all, "Preston Gralla discovers it's impossible to practically configure outbound filtering." Nobody else will have a problem, but Mr. Gralla will. Another nice feature of the Windows Firewall is that it allows you to export and import rules and configurations... I'm quite tempted to build a standard setup and provide the exported setup to Mr. Gralla. In the meantime this should be evidence enough that Preston Gralla is not an infosec (or even IT) expert and that there is no point in reading any future articles he writes.
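To make the ACL analogy from this post and the "Outbound Rules List" post concrete, here is a small Python model of how an outbound decision is made under default-deny: explicit allow rules bound to a program's install path, block rules that take precedence over allows, and an implicit per-profile default (Domain/Private/Public). This is an added example, not code from the blog or from Microsoft. The rule list, install paths and scenarios are constructed for illustration; the to_netsh() renderer uses the real "netsh advfirewall firewall add rule" syntax as one assumed way to load such a list (the post's actual import file format is not shown here).

```python
# Added example: model of Windows Firewall with Advanced Security outbound
# evaluation under default-deny. Rules, paths and scenarios are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

PROFILES = ("domain", "private", "public")


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Rule:
    name: str
    action: Action
    program: Optional[str] = None              # absolute path; None means any program
    profiles: frozenset = frozenset(PROFILES)  # network profiles the rule applies to
    remote_ports: Optional[frozenset] = None   # TCP ports; None means any port


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.replace("/", "\\").rstrip("\\").lower()


def matches(rule: Rule, profile: str, program: str, remote_port: int) -> bool:
    if profile not in rule.profiles:
        return False
    if rule.program is not None and normalize(rule.program) != normalize(program):
        return False
    if rule.remote_ports is not None and remote_port not in rule.remote_ports:
        return False
    return True


def evaluate_outbound(rules, default_outbound, profile, program, remote_port):
    """Return (Action, reason). Block rules win over allow rules; when nothing
    matches, the profile's default applies (the 'implicit deny any any' once
    outbound blocking is enabled)."""
    matched = [r for r in rules if matches(r, profile, program, remote_port)]
    for r in matched:
        if r.action is Action.BLOCK:
            return Action.BLOCK, f"block rule '{r.name}'"
    for r in matched:
        if r.action is Action.ALLOW:
            return Action.ALLOW, f"allow rule '{r.name}'"
    return default_outbound[profile], "implicit default for profile"


def to_netsh(rule: Rule) -> str:
    """Render a rule as a netsh advfirewall command (Vista and later syntax)."""
    parts = [
        "netsh advfirewall firewall add rule",
        f'name="{rule.name}"', "dir=out", f"action={rule.action.value}",
        "profile=" + ",".join(p for p in PROFILES if p in rule.profiles),
    ]
    if rule.program is not None:
        parts.append(f'program="{rule.program}"')
    if rule.remote_ports is not None:
        parts.append("protocol=tcp")
        parts.append("remoteport=" + ",".join(str(p) for p in sorted(rule.remote_ports)))
    parts.append("enable=yes")
    return " ".join(parts)


# Constructed rule list in the spirit of the post's "Outbound Rules List":
# every entry is an allow bound to the product's default install path.
OUTBOUND_RULES = [
    Rule("Mozilla Firefox", Action.ALLOW, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Rule("Internet Explorer", Action.ALLOW, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Rule("PuTTY (home only)", Action.ALLOW, r"C:\Program Files\PuTTY\putty.exe",
         profiles=frozenset({"private"})),
]

# Outbound blocking enabled on every profile: the implicit 'deny any any'.
DEFAULT_OUTBOUND = {p: Action.BLOCK for p in PROFILES}


def decide(program, remote_port, profile="private", rules=OUTBOUND_RULES):
    return evaluate_outbound(rules, DEFAULT_OUTBOUND, profile, program, remote_port)


if __name__ == "__main__":
    scenarios = [  # constructed: (program path, remote port, active profile)
        (r"C:\Program Files\Mozilla Firefox\firefox.exe", 443, "private"),
        (r"C:\Program Files\M0zilla Firefox\firefox.exe", 443, "private"),  # look-alike path
        (r"C:\Users\alice\AppData\Local\Temp\dropper.exe", 80, "private"),
        (r"C:\Program Files\PuTTY\putty.exe", 22, "public"),
    ]
    for program, port, profile in scenarios:
        action, why = decide(program, port, profile)
        print(f"{profile:8} {program} -> {action.value} ({why})")
    print("\n".join(to_netsh(r) for r in OUTBOUND_RULES))
```

The look-alike "M0zilla Firefox" path and the unknown dropper both fall through to the profile default, which is exactly the implicit deny the post describes. Appending a rule that blocks ports 80 and 443 for any program illustrates the other point: block rules win, so the real browser stops working too.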

Categories: IT, Security

Bashing other people’s products to sell your own…

You know... I've written about this a lot... to recap:

This time the culprit is Bill of BillP Studios and WinPatrol. WinPatrol is free anti-malware software, but a paid version is also offered. With the introduction of Vista, which includes Windows Defender, WinPatrol is looking to become a tool of the past. I suppose I should add a disclaimer of sorts here that I regularly read Bill's blog and quite often agree with what he says... today just isn't one of those times.

So, in a recent post Bill addresses the dozen patches that Microsoft released this month... and he picks one in particular to target... MS07-010. Bill actually goes so far as to call it "one of the most important updates I’ve seen and one of the most embarrassing for Microsoft." This is beyond far fetched... He even compares it to the issue that Kryptonite had, where a pen could open their bike locks. This made me laugh since the flaw, while being most publicized against Kryptonite because of their popularity, affected several brands of bike locks... so by his own analogy the flaw patched by MS07-010 affects many anti-malware products.

Bill also claims that users who have not yet patched are at immediate risk... I guess my definition of immediate risk varies from his. This was a privately reported vulnerability and there's nothing to indicate that it's in the wild... to me that implies lower risk than many things, including past Microsoft vulnerabilities. Now that the patch is out, I suppose malicious individuals could reverse the patch and determine how to take advantage of this vulnerability but the risk is still not "immediate" in my eyes.

Also, to put this out as being such an emergency, which is how I read it as being portrayed when I look at Bill's post, is incorrect... Flaws are discovered all the time in AV and Anti-Malware software... Does that make each of them more important, more embarrassing and a bigger emergency than the last?

Let's take a look at this:

I could go on, but this points out that every major AV vendor has had a processing problem in the past two years. Should the vendors get it right the first time? I'd hope so, but you have to allow for problems... it's something you have to accept if you're in IT. Processing a file type that isn't native to you or your product presents a learning curve and unless your company has experts on the file format they aren't necessarily going to get everything right the first time... or it could be a simple coding mistake, and programmers are human, so you have to expect them...

To attack Microsoft over something that every vendor in the industry has had a problem with is juvenile... it also shows a lack of understanding that vulnerabilities can and will exist... Nobody is perfect.

Categories: IT, Security

Like data on the wire, so are the days of our infosec lives…

Sometimes being in Infosec is a lot like being in a Soap Opera... which makes it fun to sit and watch from an outside point of view... You get attacks, name calling, insults, flame wars... When a blog moves to another site, it's like they've died and come back to life... It's a world filled with drama, suspense and occasionally the unrealistic...

A great example of the drama that is infosec has been created as a result of a press release from Acunetix, stating that "70% of websites are at immediate risk of being hacked". Of course, these numbers *NEED* to be challenged... otherwise, we wouldn't have drama. The result... a post on Network World with an "expert" calling the survey a crock. The response from Acunetix is posted on Network World with a response from their "expert".

Now Thomas Ptacek and Jeremiah Grossman have both commented on the issue and provided feedback... both saying that if anything Acunetix's numbers were actually low.

Then, to add the humorous portion of our soap, Ptacek provides a humorous follow-up on Network World "expert" Joel Snyder's response... While it was a response to draw a laugh, it does provide a realistic read-between-the-lines type feel.

Stay tuned for a summary of tomorrow's edition of "Days of our InfoSec Lives"

Categories: IT, Security

Things that go BUMP in the night!

In the past I've heard mention of "bump keys" or "lock bumping". I never really looked into this and often thought to myself, "Big Deal... I've got three different locks to get into my apartment... not all three will be vulnerable to it." I also doubted that it was as big a deal as it is, I'd heard of the young girl who'd done it at DEFCON (read about it here, with video and background information on "lock bumping") but I still wasn't convinced of the risk.

I had since forgotten about this issue, until a link to an article in the Columbus Dispatch popped up today. I did some looking around and found this video on YouTube which shows how to make a bump key and then demonstrates its operation. The video actually created some controversial discussion on whether or not demoing the process to create a bump key was a good idea. I think people need to realize that the information is out there for the malicious people to find if they really want to... Putting the information somewhere like YouTube just makes it easier for the masses to get to. The Engadget article, linked above, has a picture of a bump key and the theory behind it... that's more than enough to create the key off of. There are plenty of other places as well.

Anyways, this concept had me quite intrigued, so of course, being the kind of person I am, I had to try it out... I grabbed an old key that was lying around and an extra deadbolt that I have for playing around. It took me about 15-20 minutes to file down the 5 valleys on the key (and I was using a bulky old file)... The deadbolt being assembled but not mounted made it interesting... I had to apply pressure to the key, hold the deadbolt and "bump" it with a screwdriver all at once... In the end I managed to do it three times in a row in a period of about three minutes. Since I don't know the legality of such items in Canada, I figured my best bet after testing it for myself was to destroy the key... you'd be amazed at how fast a file cuts right through one. If anyone has any further information on the legality of such "tools/toys" in Canada, please let me know... I may actually contact a lawyer to investigate this further.
This is rather scary and has me seriously considering keypad locks.

Categories: Personal

One more reason not to run telnet or Solaris 0-day == Trouble

We've all heard it before... Don't run telnet because it's a plain text protocol, it's an inherent security risk... Which is true, SSH just makes more sense and plenty of people are using SSH these days. This doesn't mean that everyone is though, so... *ATTENTION SOLARIS ADMINS* If you're still running telnet on Solaris 10 or 11 (SunOS 5.10 or 5.11)... Turn it off. An email was released on Full Disclosure earlier with a new 0-day for Solaris 10/11 that's so easy it makes my skin crawl. This pdf was linked in the email, which gives details and a small shell script to perform the exploit. It seemed surprising that this existed and had not been previously found, so of course I had to try it out.

C:\Documents and Settings\treguly>telnet -l "-fbin" X.X.X.X

Last login: Sun Feb 11 00:24:44 from XXXX
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ id
uid=2(bin) gid=2(bin)
$

The result is more than a little frightening...

A Hat Tip for this goes to Maynor and the Errata Security Blog for informing me of this issue.

[UPDATE] While it was initially rumoured that this didn't affect the root account, this is not the case... root logins are possible... it is dependent on configuration. More info on the nCircle Blog.

Categories: IT, Security

Apple issues cease and desist over “iPod Mondays” event

This is actually pretty interesting... Considering that the event organizer contacted Apple before ever starting the event, has been praised by the local Apple store, has been mentioned on the Apple website and has Apple employees attend his events...

I was clued into this via an Engadget story, which was inspired by a BoingBoing post.

You can read the email conversations between Clint (organizer of iPod Mondays) and Apple on iPodMonday.com.

You can also read an article on this issue in the Des Moines Register.

Categories: News

Security Risk in Parallels (via Washington Post’s Security Fix)

I was reading through the latest blog postings and there was an interesting article on Security Fix, regarding Brian Krebs' installation and use of Parallels, popular virtual machine technology available for OS X, Windows and Linux. Apparently, the default for the software is to allow the VM full access (read, write and delete) to the host file system. This introduces an interesting security risk. Other VM products that offer this feature provide it in a "default off" state... allowing the user to knowingly turn it on and create the risk on their own. The fact that this is "default on" is dangerous to users that don't know about it.

Some Mac users claim they use a Mac because it is, let's not say immune but, unlikely to get a virus... Others have also implied that they use Parallels because they visit some websites that just don't function properly outside of IE... These users, perhaps unknowingly, are now susceptible to additional threats... threats that wouldn't otherwise be prevalent on their systems. Now it can, and will, be argued that many Windows viruses aren't going to be threats to Mac users... This is true... but viruses are quite often malicious and nothing else... Viruses that scavenge email addresses from text files will now parse the entire OS X file system, and since anything present in /Volumes can, apparently (I don't run Parallels myself), be accessed, this means that office file shares could also be at risk, home file shares at risk. How about viruses designed to corrupt Word or Excel documents...

It sounds like it's time for Parallels to listen to its already vocal users and change this feature to "default off". If the feature is left "default on", hopefully users will continue to comment to Parallels staff. Additionally, let's hope they include a nice *BIG* warning about this; we don't want people to think they're getting a completely secure sandbox environment when they aren't.
Now I'm off to address some errors in some of the comments in that article... just wanted to point this issue out to non-readers of Security Fix.

Categories: IT, Security

New Blog in the Blogosphere

I just wanted to throw up a quick 2-minute post to direct all my readers to a new blog... Ryan, a colleague of mine at nCircle, has launched his own blog. Take a few minutes, wander on over and check it out. He'll definitely have some interesting stuff to say in the future.

Categories: IT