Category: Security

Security IS a Serious Concern for Microsoft

Lorin Olsen

Disclaimer: For a number of years, I have been very critical of Microsoft’s relatively poor security posture. Nevertheless, I have applauded Microsoft when it took positive steps (like XP SP2). But since that time, I have joined Microsoft. That doesn’t mean that you should discount my commentary. Rather, you should accept it with a modicum of skepticism.
I have been with Microsoft for over two weeks. That’s insufficent time to render a judgement on the company’s actions. However, it is sufficent time to assess what I’ve seen.
1. Microsoft is taking code security very seriously. I spent almost ten hours in conference sessions devoted to the security aspects of our new product line. I have walked away with the knowledge that code will not be shipped if it does not meet minimum code standards.
2. Microsoft is engaging a much wider pre-availability audience. This includes public betas and wide technology previews. Some of this is to tantalize our customers with the new features of our products. But most of this effort is designed to leverage the “many eyes” concept to promote higher code quality.
3. Microsoft is dedicated to securing resources within the company. When I arrived on site, I was issued a smart card that is used to encrypt objects and data streams on my laptop. That doesn’t sound like much. But let me tell you that some corporations will not take these steps simply because they require an incrmental investment. And Microsoft is willing to make that investment rather than risk corporate assets. BTW, I have used a number of VPN and encryption products in the past. But the Microsoft deployment is incredibly simple.
4. During the TechReady conference, I spoke with members of the Vista development team. They highlighted the importance of the Trusted Platform Module (TPM) infrastructure. And Vista will take full advantage of the TPM 1.2 infrastructure. In the meantime, I’ve determined that my new tablet supports TPM 1.1. So I’ve enabled the TPM infrastructure on my system. And I’ve set aside a USB thumb drive for the storage of my H/W certificate. At the same time, I’ve installed the Toshiba TPM software so I can test the current (Windows XP) support. So far, I’m impressed with what Microsoft and the hardware vendors have come up with. I can encrypt columes and/or directories using hardware encryption. More importantly, the TPM sub system keeps trakc of the H/W and S/W platform. And the system will not boot if any tampering is detected. In short, the anti-theft measures are impressive. I can’t way to see how this is integrated into the core OS.
-CyclingRoo-

Tags: ,

Sony Sells Spyware

Lorin Olsen

It’s been an extraordinarily busy couple of days in the malware detection business. Sony has been all over the news – and the news isn’t so good for them. [Sony BMG Kills Daft DRM CD Rootkit Scheme, Sony Learns a Hard Lesson, Microsoft will identify the XCP software as malware, Sony halts production of CD’s] In an effort to protect the intellectual property of Sony BMG musicians, Sony has embedded some pretty nasty software on the computer systems of their consumers – including me.
If you want to know the grim details, you should read the recent posts over at Sysinternals (Mark Russinovich’s blog). But here are the highlights. Sony has contracted with a DRM technology vendor to “protect” its music from computer piracy. The DRM scheme they have chosen does not allow the customer to use customary PC tools to listen to the music. Instead, the software requires the consumer to install a special player. And along with that player comes a whole bunch of other stuff – including rootkit technology that can be exploited by others for even more nefarious purposes.
My viewpoint is simple. I bought an album from a band I truly love. And in the process, I have been exposed to some very nasty exploits. But it is not the fault of the artists. In fact, the bassist for Switchfoot even went so far as to describe how to defeat this DRM scheme. He didn’t do this to anger his label. Rather, he did this so that his fans could put their music on their iPods. The band and I have both been used. If a vendor places hidden technology in a product, and that technology monitors customer behavior w/o first informing the customer of the monitoring, then that technology should be classified as spyware.
Fortunately, I have removed the spyware from my system – at least, I think I have. I went through Sony BMG’s multi-step process to remove the software. I gave them my name, my email address and I gave them system identifying data – just so I could get their spyware off my system. It took almost three days to get everything off, but I think it’s gone. But I now have so little trust for Sony BMG that I will use any scanning tools at my disposal to ensure that this thing is gone. I’ve used RootKitRevealer. And I will use the Microsoft Windows Anti-Spyware tools when they become available. And I’ll use whatever else I can find to ensure that this stuff is gone.
Why? It’s simple. Sony lied to me. They invaded my system because they felt they couldn’t trust me. Worse still, they eventually relented and “offerred” a means to fix the problem. But they only offered half-steps. They wanted me to install a “service pack” for their spyware – so that it couldn’t be exploited. But I chose to decline that offer and requested complete removal instead. In the final analysis, they forced me to jump through a Cheerio to solve the problems they caused when they invaded my system.
There is nothing that I have done to warrant this treatment. Indeed, I’m one of the good guys. I bought the CD. The funny thing is that I thought about getting it from iTunes first. But I wanted to send a message that people still buy CD’s from stores. Well, I got punished for sending that message. And now, I no longer trust the record labels. I still love Switchfoot. But Sony BMG just lost future business from a good customer.
P.S. If you want to learn more about rootkits, I recommend Greg Hoglund’s book at Amazon.com.
-CyclingRoo-

Tags: , ,

Morning Grind #6

Lorin Olsen

I am looking forward to a great week. God has shown me His grace and mercy by allowing me to spend yet another day within His glorious creation. And there are a lot of wonderful (and challenging) things happening today.

  • The Sacramento Bee (via BroadbandReports) has a piece on the hysteria surrounding WiFi piracy. As expected, the MSM piece is light on substance and heavy on fear. But the basic point (that you should increase the security of your WiFi infrastructure) is absolutely correct.
  • ABCNews.com has a piece on Internet security today. Everytime I read stuff in the MSM, I am reminded that I must stay at least one step ahead of the malcontents. Hence, I am staying with my current firmware until WPA2 is available on alternative firmware builds.
  • The past few days have been a challenge. Last week, my debit card was suspended. Apparently, someone in Poland had gained access to my card number and was starting to charge against my account. I am glad that Bank of America suspended the account. But I am amazed at how inconvenient check-writing has become. I now understand just how dependent I have become on my plastic debit card. It’s odd. I didn’t think I used it much, until I didn’t have it.
  • After any number of pre-finals, Brainslayer has released DD-WRT v22. This is an exceptional firmware build and I have used it for many months. But I will tell you that I will not be using this release. I have decided that I truly want/need WPA2 support. So I am using Rupan’s test build of HyperWRT 2.1b1. But Brainslayer has noted that v23 of DD-WRT will incorporate WPA2. So whenever the new bits arrive, I will be back on DD-WRT.
  • CyclingNews has a good interview with Alexandre Vinokourov. Vino spoiled all the fun for the TdF sprinters (includuing Robbie McEwen). But Vino’s outlook is quite refreshing. “What counts for me is attacking all the time, that is an ability that I have.” And he sure demonstrated it yesterday. Anyone want to bet on where Vino lands? We’ll find out RSN.

I’m looking forward to a great day.
-CyclingRoo-

Tags:

Success Through Layers

Lorin Olsen

Do you remember when Mom told you that the best way to stay warm on a cold day is to use many layers of clothing? And do you remember the best cake you’ve ever had? For me, it was the layered wedding cake I ate over twenty-one years ago! And most of us remember that the best way to describe/categorize any given technology is to discuss it in the context of the seven layers of the OSI model.
In that vein, I would note that the best way to stay secure is to utilize a multi-layered defense. Part of any multi-layered defense must be the ability to re-direct access requests away from known threat sources. If you can bypass known trouble spots, you can avoid many problems.
With that sage advice in mind, I’ve decided to update my local “hosts” file to re-direct “known bad” destinations to my local (“good”) IP address. Specifically, I have implemented the hpHosts file as a means to maintain a comprehensive list of “known bad” destinations. The previous link describes the how-to’s necessary to implement a new hosts file using the hpHosts file. It’s fairly simple. Just make sure you shut down the DNS Client first, if you’re running Windows XP. Otherwise, you’ll run into some performance penalties.
-CyclingRoo-

Tags:

When Is WiFi Use Theft?

Lorin Olsen

By now, everyone has probably read the news of the man who was arrested for “stealing” an unsecured WiFi signal. As I have read the news stories, several thoughts have come to mind:

  • How can someone be guilty of theft when he was not on the land of the property owner? Indeed, the signal was being broadcast onto public property.
  • On the other hand, mail messages move through public space. The mere transit of public property does not vacate the right to have security of transit for paper-based mail. And what about phone lines? They sit on public property. [Actually the phone companies have been granted easements by public landholders – i.e., the government.] So standing on public property shouldn’t “permit” you to exploit a wireless signal.
  • How can someone be gulty of theft when the signal was not encrypted and the router was completely unsecured?
  • On the other hand, if I leave my unlocked briefcase in an airport restroom, this does not give anyone the right to open the unsecured briefcase. Of course, shame on me for not locking my briefcase. And shame on me for leaving my valuable documents in an unsecured container on public property. But the fact that a lock has not been enabled does not give someone the right to open the briefcase.
  • How can anyone own a wireless router and not take even the most basic of precautions? People don’t seem to realize that sensitve data is being broadcast beyond their property line.
  • In the past, I’ve done some “war walking” to demonstrate (in)security. Should I turn myself in?

But let’s put aside the ethical discussion for a moment. What should we do?
As individuals, we should secure the wireless infrastructure that we have installed. Here are a few basic steps you should follow:

  1. Locate the Router or Access Point Appropriately
  2. Change Default Administrator Passwords
  3. Change the Default SSID
  4. Disable SSID Broadcast
  5. Turn on Encryption
  6. Enable MAC Address Filtering
  7. Assign Static IP Addresses to Devices

In addition to these simple steps, you should also check out good security sources on the Internet. Tony Bradley has an excellent series of tips on the About.com network. Tony also has some great links to books and other articles.
Once you’ve secured your own systems, start thinking about those around you. As wireless consumers, we should urge the many wireless device manufacturers to simplify the process of enabling security. Linksys (a wireless hardware manufacturer) and Broadcom have created the SecureEasySetup program. Buffalo has endorsed the AOSS program. These two technologies were recently compared over at Tom’s Networking. I won’t recommend one program over another. But both programs do one simple thing: they make the process of enabling secuirty far simpler.
If you aren’t secured, what are you waiting for? Highly publicized arrests ought to alert you to the fact that some folks will use your wireless infrastructure – if you let them. After all, you have locks on your front door, don’t you?
-CyclingRoo-
*Update 7/8/05* – Declan McCullagh has a pretty good article about this subject at C|Net’s News.Com site.

Tags: