Archive for March, 2007

Introducing the Amazing, Wonderful and Completely Magnificent Microsoft the Magician…

March 14th, 2007 No comments

... and for his first trick, Ladies and Gentlemen, he will make Windows Server 2003 SP2 appear magically in front of you... as though out of thin air.

Ryan has already blogged about this over at numerophobe.com, but I think there's information worth mentioning again and other information that's worth bringing up. This was definitely a quiet little release... not nearly as loud as previous service pack releases from Microsoft have been, and the regression issue that Ryan talks about is quite interesting...

I thought I'd provide a couple of links that are worth reading:

Now the Security Bulletins list is interesting... Microsoft provides a list of these bulletins, however on the SP2 main page they refer to the list as "List of Security Updates in SP2". Here's my problem with that... ISC has released a list of CVEs that are supposedly fixed in SP2, and several are listed without related MS Advisory numbers... yet according to Microsoft every one of their security updates in SP2 was covered, at some point, by an MS Advisory. This is contradictory information. Microsoft actually provided an explanation for one of these issues back when it was first reported... they didn't feel it was important enough to warrant its own patch. Yet they still don't consider it a security update in this service pack, even though they apparently fixed it.

And now.... The second trick.

Perhaps Microsoft feels that by limiting the assigned MS Advisory Numbers, they can limit the number of vulnerabilities that affect their platforms. If that's the case we have an explanation for the Windows XP patch that was released quietly on Patch Tuesday... sans MS Advisory Number and therefore not a patch. The patch is related to a race condition in the memory manager. Now perhaps a race condition isn't all that serious, perhaps it causes a DoS when it occurs, but that's still a vulnerability and in this case it's a vulnerability that causes a blue screen. In the old days ("ping of death") a blue screen was a serious issue... now it seems that Microsoft is ignoring them as vulnerabilities. Perhaps Microsoft and OpenBSD got together and discussed what is and is not a vulnerability. I guess Microsoft has made it clear via their conversations with ISC (relayed via the 'Missing Microsoft Patches' list) that they don't consider a Denial of Service worth patching these days. Is this a cost cutting measure on their part or just pure laziness? In either case I wonder how long until privilege escalation is no longer worth covering and then... maybe we won't even need to cover remote code execution. Regardless, failure to provide patches for public issues is irresponsible and disgust with this process should be expressed by the public.

Perhaps an interesting concept would be IT Watchdogs... more organized than anything currently out there. There are plenty of government watchdogs. So why not legislation that creates an IT Watchdog... Computers are an integral part of life and we can no longer afford these magic acts. We need real action... not deceptions and "misnaming to save from diluting the meaning of the word". A government legislated watchdog... or perhaps a private watchdog (but then who's to give them any power or control) would be great.... paid for by taxpayers' dollars (I know... that'd never fly). The watchdog would be comprised of IT/IS professionals and be tasked with keeping track of all vulnerabilities (including those that vendors feel dilute the meaning) that are reported to a vendor or published publicly. The watchdog would also be tasked with ensuring that certain timelines are maintained... no more of this 150 days to patch garbage. A consortium of vendors and professionals could decide on the requirements (patches within 30 days, 60 days or 120 days for example)... or varying timelines... 30 days for remote code execution, 120 days for DoS. They would also as a group determine fines or levies that a vendor would pay should they not meet the required deadlines... $10,000/missed patch for example... perhaps a sliding scale here dependent on the revenue of the vendor and the levy rate... per day accruals or per month accruals for example...

It's time we stop dealing with magic and leave that to children's birthday parties with black hats and white rabbits. We need to deal with the truth.

Categories: IT, Security Tags:

Vista Sticky Keys Backdoor

March 13th, 2007 6 comments

I know... I'd laugh at the title as well... So let me clarify a few things. I'm not calling this a backdoor... I'm quoting the original post over at McAfee Avert Labs. I also don't agree with the issue here... to put it into a single sentence, it basically says, "If I have physical administrative access to your computer, then I can get system access." I did some testing of this on both XP and Vista (since it's apparently a legacy "backdoor" back as far as 2000) and I'd like to shed some light on it. If this isn't clear yet, I agree with Bill on this subject.

Let's start by declaring what exactly we're looking at. A common accessibility feature in Windows is known as "Sticky Keys" (those of you with your minds in the gutter can take a short break for the toilet humour). This feature is activated by tapping the Shift Key 5 times. The concept with the "backdoor" is that if you replace the Sticky Keys executable (sethc.exe) with another application (perhaps cmd.exe), the new application will be executed when you press Shift 5 times.

So XP first, since this is a legacy backdoor. If I rename sethc.exe to sethc.bak and then copy over cmd.exe, by the time I go to rename it Windows File Protection has restored sethc.exe. OK, so that's easy enough to bypass... now I've got sethc.exe which is actually just cmd.exe. I press Shift 5 times and sure enough a command prompt opens. Now Vinoo, the author of the McAfee article, claims that you will have system privileges. To test this I used whoami from the Windows Resource Toolkit. Surprise, surprise... I'm still my user... not System.

Now let's go on to Vista, and I'll admit, I didn't spend very long on my testing... but here's what I found out. Sticky Keys still runs if you press the Shift key 5 times. So let's see if we can "backdoor" it like we did with XP... Sure enough, we can't... We don't have permission to rename it... UAC kicks in but even with that, because of TrustedInstaller, we can't rename it. So Vinoo has provided a method of taking ownership of the file. In the end, I encountered a minimum of 3 UAC prompts and I had to launch an Administrative command prompt. I had to change who I assigned ownership to, since copying the files while in a GUI required my user to have access, not Administrator, but that's a minor point. The interesting thing is that if you are logged in you get a standard user command prompt... this was misleading in Vinoo's write-up; the only time you get a system account is if you make use of this from the login screen.

So that sounds like a backdoor and probably a pretty good one... It leaves you a way to come back to the computer later... and as Vinoo says we're talking about insider threats here. If that's the case, one has to question the security of these companies in the first place, allowing their users administrator access to the systems. Essentially that's what it comes down to, an Administrator can backdoor the computer... not an end user, but an Administrator... I'm sure that a malicious insider could find easier ways to get into the system... All this proves is what is already known:

  1. System access is a hop, skip and a jump from Administrator Access
  2. Users shouldn't be trusted with Administrator Access

This has been hyped up quite a bit more than it should have been...
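For the defenders reading along, here is an added PowerShell check (not from the McAfee post or from my testing above) that an administrator could run to tell whether sethc.exe has been swapped for another binary in the way described. It assumes the default %SystemRoot%\System32 location; the dllcache comparison only applies on XP, and the TrustedInstaller ownership check only on Vista.

```powershell
# Added example: verify the Sticky Keys binary is still the genuine sethc.exe.
# Assumes the default install path (constructed for this check, not part of the post).
$system32 = Join-Path $env:SystemRoot 'System32'
$sethc    = Join-Path $system32 'sethc.exe'
$file     = Get-Item $sethc

# 1. The version resource names the binary it was built as. A copy of cmd.exe
#    renamed to sethc.exe still reports "Cmd.Exe" as its OriginalFilename.
$original = $file.VersionInfo.OriginalFilename
if ($original -and $original -ine 'sethc.exe') {
    Write-Warning "sethc.exe version resource says OriginalFilename='$original'"
}

# 2. XP only: Windows File Protection restores from dllcache, so the live file
#    should be byte-identical to the cached copy. A mismatch means it was replaced
#    and WFP was defeated (the trick the post describes).
$cache = Join-Path $system32 'dllcache\sethc.exe'
if (Test-Path $cache) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    function Get-Sha256Hex([string]$path) {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    }
    if ((Get-Sha256Hex $sethc) -ne (Get-Sha256Hex $cache)) {
        Write-Warning "sethc.exe differs from the dllcache copy"
    }
}

# 3. Vista only: the file is owned by TrustedInstaller, which is why the post
#    needed a take-ownership step. Any other owner is evidence that step ran.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $owner = (Get-Acl $sethc).Owner
    if ($owner -notmatch 'TrustedInstaller') {
        Write-Warning "sethc.exe owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
    }
}

# 4. A renamed original (sethc.bak or similar) left beside the replaced file.
Get-ChildItem $system32 -Filter 'sethc.*' |
    Where-Object { $_.Name -ine 'sethc.exe' } |
    ForEach-Object { Write-Warning "unexpected file beside sethc.exe: $($_.Name)" }
```

Run it from an elevated prompt; a clean system produces no warnings.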

Categories: IT, Security Tags:

Rogers Communications Phish

March 13th, 2007 1 comment

This is just a quick heads up since it actually concerns me as well (being a Rogers customer)... Websense has published an alert on a new phishing attempt targeting Rogers customers.

The text of the email is:

Rogers is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access suspended?

Your account access has been suspended for the following reason(s):
March 12, 2007: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Rogers account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is RR-257-057-154.)
To remove the limitation click on the following link:

Regards,
Rogers Security Departament

At this point, I can't say how widespread this is. I've checked 3 Rogers accounts that we have as well as a couple of "spam" accounts I maintain and I haven't seen anything yet... However it is a concern. Currently, Rogers highlights email specifically from Rogers Internet in blue if you use the web-based Yahoo! solution. It would be nice if Rogers (and other ISPs offering web-based mail) were to provide that same service everywhere... If you've sent the email, highlight it so users know it's legit; that little bit of extra warning helps.

So all you Rogers customers... take care when clicking email... If you are concerned about the validity of an email... contact Rogers @ 1-888-ROGERS-1

Categories: Phishing / Scams Tags:

No Explosions, but a Couple of Pellet Guns were Fired.

March 11th, 2007 2 comments

I'd heard people say that the DST change was going to be the next Y2K.. They were right.... it was Y2K... Absolutely nothing happened. Nothing major anyways.... no explosions... There have been a few small problems though.

So far, the Internet Storm Center is reporting the following:

If anyone has heard of other problems feel free to leave them in the comments or fire me an email and I'll be sure to add them to the list.

Categories: IT Tags:

Another Windows “0-day” DoS

March 11th, 2007 No comments

A proof-of-concept memory corruption exploit has been released on milw0rm. This is coming from the author of the Internet Connection Sharing DoS. I'm wondering if we'll see an excess of MS exploits this month given their decision not to patch any of the existing flaws.

Categories: IT, Security Tags:

When is your privacy more important?

March 9th, 2007 5 comments

As I've mentioned, we've been in the process of a move, and now that we're in the new place and getting settled, there's the issue of mail. Everyone knows what a pain it can be when your mail goes to your old address... so we've done the standard, contact companies and apply for a 6 month address change with the post office. However that still missed a few days immediately after the move (essentially this week) so the fiance was checking the mail at the old place each day on her own. She received an interesting letter a few days ago...

It was a letter from her bank, stating that she had recently used her card at a business suspected of copying debit cards and PINs. As a result they had lowered her daily maximum limits and were monitoring her account. This is impressive, since she and I use our debit cards interchangeably and anywhere she's used her debit card, I've most likely used mine... yet I haven't received any such letter from my bank. This is where her bank's courtesy stopped though.

Yesterday she went in to pick up her new bank card and set it up... She also had to change her address since we had *JUST* moved... the process took her about 30 minutes (not bad all things considered). During the 30 minutes she asked which business she'd used her debit card at that was suspected of card copying. The bank refused to tell her because the company was under investigation. Now I can see two reasons for them doing this:

  1. They value the privacy of the company more than they do the privacy of my fiance.
  2. They don't want to ruin the investigation.

Now #2 would require that the criminals have some intelligence (copying your own bank card would be a great way to see who was on to you) and that seems unlikely since they're in the process of being investigated before having a chance to use the card. The first reason seems more likely, I'm guessing they don't want to tarnish the company's name in case they end up being innocent.

This is what bothers me... We tend to be creatures of habit... we regularly frequent the same stores and restaurants. In the last couple months, I can't think of anywhere we've used the debit card that would be out of the ordinary for us... So there's a good chance we'll revisit the place and use the bank card again, and if we do that, my fiance will have to undergo this process again and once again risk losing money.

I realize this could be damaging to the business but as far as I'm concerned the customer is the number one priority and in this case they should be made aware of the business that is under investigation. Now you don't need to go out with press releases and news conferences regarding the name of the business but you should, at the very least, inform the people that have been affected by this. When you don't you are saying you value the privacy of the business above the privacy of the individual and that's just wrong.

Categories: Personal Tags:

VERT Challenge #1 Posted on the nCircle blog

March 7th, 2007 No comments

Hey Hey,

Just a quick post to direct you towards the nCircle blog. I've posted a challenge over there... (with prizes) involving remote application detection of the WinNY P2P File Sharing Application.

Feel free to jump over and take a look at the requirements, prizes and rules and take a shot at it.

Good Luck,
HT

Categories: IT Tags:

Virtual Machined Thumb Drives

March 6th, 2007 2 comments

There's an article over on Ars Technica that talks about the new beta of VMWare ACE 2. This software, which allows you to build pre-configured and locked down VMs for distribution, has gone to the next level with a very nice addition. You can now load the VMs onto thumb drives and distribute the drives; when the drive is plugged in, a version of VMWare Workstation will install and load the VM. I can see this as being the next means of mass marketing. Some companies (Microsoft for example) are already providing trial versions of their new software via the Virtual Appliance Marketplace. Now they can get company branded thumb drives, load them with their demo software and mail them to prospective customers... and VMWare stands to make money in the process... It's win-win for everyone.

Also, the VMWare Fusion Beta (VMWare for OS X) is available.

Categories: IT Tags:

“$9.95 Plug and Play Wireless Router… What a STEAL!”

March 5th, 2007 4 comments

Wireless technology is becoming more and more popular... especially in homes with multiple computers in different rooms, when you don't want to drill holes in the wall... For this reason, apartment buildings seem to be ripe for the picking... I recently moved (yesterday and today) and apart from a $580 bill from the movers, things went relatively well... except the box containing my "networking components" is buried... That's fine... Tomorrow is dedicated to packing but my computers were disconnected on Friday and for a geek that's a long time to go with next to no internet access.... ok... maybe not so much geek and a little more addict... but whatever.

So we needed the movie listings.... (We saw Wild Hogs today) and realized we had a problem.... well two problems..

  1. The box with the "networking components" was buried
  2. The phone book was at the bottom of a box somewhere

Solution? Open the laptop and check out what's around... nothing fancy (no looking for hidden SSIDs or anything like that) just a simple connect dialog.. The result... 8 APs... 4 WEP, 1 WPA and 3 Unsecured.... Sure enough, I had my movie listings in under 5 minutes.

Now, I was borrowing the internet and had no malicious intentions...  but what if I did... or what if I'd forgotten torrents open and left my laptop on while I went to the movie.... and let's say I did that... What if you had a 2GB cap because you paid less for it since you were just checking your email occasionally... At $1 / 100 MB for overage fees... that could cost the person.. With a truly malicious individual you're entering a whole new ball game.

It amazes me that this happens... The technology is cheap and people want plug and play... It should "just work".... Those famous, or perhaps infamous, words... "I don't care as long as it works"... "Do what you need to, I just want it to work". The home user doesn't care about security and doesn't want to be hindered... And with parents getting their kids the DS Lite or the PSP (which both support wifi) it's getting worse... My older Linksys wireless router requires, and Nintendo tells me to do this, that I disable WEP in order to connect the DS.

So what do we do about wireless security?

  • Solution: Hide (don't broadcast) the SSID
  • Problem: A tool like Kismet is going to find the "hidden" SSID in less time than it took you to check the "Don't broadcast my SSID" checkbox.
  • Solution: Enable MAC Address Filtering
  • Problem: It's relatively simple to watch the traffic for a valid MAC Address and then change your MAC. Hell, all it takes in Linux is ifconfig hw ether
  • Solution: Enable WEP
  • Problem: It can be easily cracked.
  • Solution: Enable WPA
  • Problem: You may need to buy a new router (this is enough of a deterrent for many people) and in many cases the password is trivial to crack (short passwords / dictionary words)
  • Solution: Enable WPA2
  • Problem: You may need to buy a new router
  • Solution: Disable DHCP
  • Problem: A smart attacker will figure this out and start testing standard "router-assigned" addresses... or even watch traffic for valid IPs..

Really... there isn't a great solution for people that "just want it to work" and to keep out the malicious people... My personal preference however is 802.11x (which most people don't have at home) or a captive portal... This isn't for the non-geek usually though... Ideally I'd like to see something better... but in the meantime, people, do what you can to protect yourself....

A car alarm doesn't always stop a car from being stolen but thieves will most likely go for the running car with the unlocked doors sitting next to it. Wireless is really the same way...

Categories: IT, Security Tags: