Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Excellent NAP + FCS demo

February 24, 2008

Check out this demo by Jeff Sigman of the Microsoft Network Access Protection product group, showing off the new integration of that product with the Forefront Client Security (anti-virus, etc.) product. Cool technology.

Be sure to watch the video all the way to the end, where he included some outtakes. Funny guy!

Permalink | Comments (1)

Am I the only one who had never heard of Windows Home Server until yesterday? Maybe I just wasn’t the target audience, but the product certainly isn’t being marketed aggressively, despite the fact that it’s actually kind of cool (although based on old technology - Server 2003 - which is probably why it’s being kept quiet).

http://www.microsoft.com/windows/products/winfamily/windowshomeserver/default.mspx

There’s also a reasonably funny guerrilla marketing effort. The children’s book is good for a laugh.

Permalink | Comments (0)

http://code.google.com/p/creddump/

From its author:

“creddump is a python tool to extract various credentials and secrets from Windows registry hives. It currently extracts:

    * LM and NT hashes (SYSKEY protected)
    * Cached domain passwords
    * LSA secrets

It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way.

It is also the first tool that does all of these things in an offline way (actually, Cain & Abel does, but is not open source and is only available on Windows).”

Permalink | Comments (1)

Conversations at ShmooCon this past weekend gave me the idea that having trusted devices attached to a VoIP network would mitigate some attacks (and would also be really cool!). For one thing, requiring trusted hardware would, in theory, make PC-based attacks on the voice network much harder to launch, since the voice traffic handling hardware wouldn’t talk to the untrusted PC (or another untrusted handset, for that matter).

A scalable solution would require a TPM certificate hierarchy, though, which would in turn require cooperation between the OEMs and their customers in order to provision and manage keys. I’m not claiming that would be a trivial task. But in order to realize the true benefits of unified communications, it may be a necessary step.

Here’s another recent article about VoIP security. I note that, in general, the threats discussed therein would not be mitigated by trusted hardware (and encryption can be implemented without it).

Permalink | Comments (0)

Some very reputable researchers at Princeton have published a paper showing that modern DRAM retains its contents for seconds to minutes after power is removed, long enough for an attacker with physical access to pull encryption keys out of a machine that was running (or merely sleeping) moments before.

http://citp.princeton.edu/memory/

Permalink | Comments (0)

ShmooCon 2008 - Day 3 recap

February 19, 2008

Wrapping up my reporting on ShmooCon 2008 (http://www.shmoocon.org/), Day 3 (Sunday) held a special place in my heart, since I finally gave my talk on “Hacking Vista Security” and could then stop stressing out about it! The Shmoo people say they’ll be posting slides and videos by the end of the week. Additional resources for folks who want to play around with the security tools I discussed:

http://www.jwsecure.com/dan/2007/06/06/more-information-about-the-ipsecping-sample-code/
http://www.jwsecure.com/dan/2007/10/23/new-vista-security-demo-videos-uploaded/

The final highlight of the con: the talk entitled “PEAP: Pwned Extensible Authentication Protocol” by Josh Wright and Brad Antoniewicz. Based on their earlier work (see http://asleap.sourceforge.net/), they showed some interesting wireless password cracks against PEAP and TTLS. A couple of interesting notes about the latter: few network administrators lock down, on the client, the list of trusted root CAs that may issue the WiFi authentication server’s certificate, and fewer still specify the expected server name(s). The result is that anyone holding a valid certificate from a public CA such as VeriSign can pose as the wireless authentication server for that network, terminate the TLS tunnel, and capture the inner password exchange (typically MS-CHAPv2), which can then be brute-forced offline. Both settings exist on the client; they simply aren’t being used.
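To make the two missing settings concrete, here is the server-validation fragment of a Windows wireless profile, weak configuration beside hardened one. This is an added example of mine, not something from the talk or from this blog; the elements are those of the PEAP section (MsPeapConnectionPropertiesV1) of a WLAN profile XML, while the server names and the root-CA thumbprint are placeholders I made up.

```xml
<!-- Weak: the client will accept ANY certificate that chains to ANY root in
     its trusted store, and it has no idea which server name to expect.
     Anyone with a certificate from a public CA can stand up a rogue
     RADIUS server and the supplicant will happily build a tunnel to it. -->
<ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
</ServerValidation>

<!-- Hardened: pin the issuing root CA (SHA-1 thumbprint, hex bytes separated by
     spaces; placeholder value) and the name(s) in the RADIUS server's
     certificate, and refuse to let the user click through a mismatch. -->
<ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>radius1.corp.example;radius2.corp.example</ServerNames>
  <TrustedRootCA>01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67</TrustedRootCA>
</ServerValidation>
```

To check what a machine is currently using, `netsh wlan export profile` writes each saved profile to XML so you can inspect its ServerValidation block; `netsh wlan add profile filename=...` loads a corrected one. The same two controls (restrict the CA, name the servers) are what make the inner password authentication safe: the TLS tunnel only protects MS-CHAPv2 if it is guaranteed to end at your server rather than at whoever shows up with a public-CA certificate.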

Permalink | Comments (1)

Well, I’m back in Seattle, having spent a fantastic weekend in Washington, D.C. for ShmooCon 2008 (http://www.shmoocon.org/). Continuing from my previous post about Day 1:

Day 2 had more great talks. First, John Kindervag and Jason Ostrom talked about “VoIP Penetration Testing: Lessons Learned”. Check out their VoIP Hopper tool at http://voiphopper.sourceforge.net/. They did some cool demos showing how a PC can make itself look like a VoIP phone, join the voice VLAN that the switch reserves for phones, and from there reach the internal data network. That’s particularly scary when you consider that VoIP phones are being installed in lobbies, conference rooms, and other semi-public areas. Anybody who has access to such an area can launch this attack. The moral of the story is that VLANs are not a security feature!

Then Shanit Gupta did a talk called “Got Citrix? Hack It!” Pretty cool, although he was relying on the availability of the conference WiFi network for many of his demos, and that network happened to be down at the time. Well, probably shouldn’t rely on the wireless network at a hacker conference, right? Anyway, he was able to show some portions of his demo. The general theme was how to escape the application sandbox restrictions that are supposed to be enforced within a Citrix window. For example, if you can get a File Open dialog, then right-click on an application binary within it, you can probably run that app on the server. Ditto for navigation and printing tricks from within the browser.

Finally, there was a secret unannounced talk by Mati Aharoni (I think), one of the guys behind Backtrack (http://www.remote-exploit.org/backtrack.html). He showed two live demos. The first was how to modify a tool such as netcat in such a way that it’s no longer flagged as dangerous by anti-virus. This is done by creating a modified version of the tool that decodes itself at runtime. Pretty cool to see him put that all together live! Still, that hack requires that the tool have a writable .text section, or else allocate writable, executable memory at runtime and decode into that. I guess in response I’d want my AV to block all PEs with that characteristic, except for perhaps a white list. Plus, if certain encoded versions of a given tool proliferate, it’s just a matter of time before they end up getting flagged as well.
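To make the proposed AV check concrete, here is an added example of mine (not code from the talk or from this blog) that reads a PE file’s section table and reports any section marked both writable and executable, which is what a code section that decodes itself in place has to be. The `build_pe` helper and the two layouts below are constructed, headers-only test fixtures, not real binaries. Two caveats: a stub that decodes into memory it allocates at runtime keeps a read-only .text and slips past this check, and legitimate packers produce the same section flags, which is exactly why a white list would be needed.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def find_wx_sections(image):
    """Return the names of sections that are both writable and executable.

    A tool that rewrites its own code at runtime (the simplest self-decoding
    variant) needs its code section to be writable as well as executable.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4  # IMAGE_FILE_HEADER immediately follows the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    first_section = coff + 20 + size_of_optional

    flagged = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, image,
                                    first_section + i * SECTION_HEADER_SIZE)
        name, characteristics = fields[0], fields[-1]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        writable = bool(characteristics & IMAGE_SCN_MEM_WRITE)
        executable = bool(characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        if writable and executable:
            flagged.append(name)
    return flagged


def build_pe(sections):
    """Build a constructed, headers-only PE image for testing (not loadable).

    `sections` is a list of (name_bytes, characteristics). The optional header
    is omitted (SizeOfOptionalHeader = 0), which the parser above tolerates.
    """
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    file_header = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    section_headers = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                    0, 0, 0, 0, characteristics)
        for i, (name, characteristics) in enumerate(sections))
    return bytes(dos_header) + b"PE\0\0" + file_header + section_headers


# Constructed samples: a conventional layout versus a self-modifying one.
NORMAL_LAYOUT = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
SELF_DECODING_LAYOUT = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # scan a real file if one is given on the command line
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], find_wx_sections(f.read()))
    else:
        print("normal:", find_wx_sections(build_pe(NORMAL_LAYOUT)))
        print("self-decoding:", find_wx_sections(build_pe(SELF_DECODING_LAYOUT)))
```

Run it against a directory of real executables and you will see why the white list matters: the flag is cheap to evaluate, but it is a heuristic, not a verdict.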

Permalink | Comments (1)

ShmooCon 2008 - Day 1 recap

February 16, 2008

I’m in Washington D.C. this weekend for ShmooCon 2008. The first day (US-EST) has officially passed, and what a day it has been! Registration started at 1pm with a long line of seemingly all 1200 attendees at once. Okay, probably not. In fact, we got through the line in just a few minutes - that’s efficiency for you!

The first talk of the con was h1kari, who reported on a project consisting of an open-source, brute-force attack on A5/1, the cipher that encrypts GSM calls over the air. See http://wiki.thc.org/. In other words, if you use a GSM phone (for example, anything from AT&T or T-Mobile in the US), your conversations can be captured and decrypted in a matter of seconds by commercial hardware costing under US $1 million. Of course, governments could already do that via various means, but it’s different when a wide variety of private sector entities have that kind of power.

Later this evening I did an interview with Hak5. Man, those guys have the love, lugging that video equipment around and giving people like me a chance to talk about our work. Thanks a lot, Hak5 folks!

Looking forward to tomorrow (today, EST) …

Permalink | Comments (1)

Check out this poor guy -

http://www.shahine.com/omar/WhatWillYouDoWhenItHappensToYou.aspx.


Some tips for avoiding his fate:

  • Don’t use WiFi. In fact, if you really care about your data, don’t use WiFi ever, anywhere, including in your home. Relax that recommendation if you know what you’re doing and have configured WPA2 with a strong key (not WEP, which is broken) and changed the admin password on your wireless router. And note: corporate certificate-based wireless access, such as what Microsoft campus uses, is secure, provided the client actually validates the authentication server’s certificate.

  • Don’t use the same password for multiple sites. If one site is compromised, then your accounts at all of the other sites that share that same password are compromised as well.

  • Ditto for password recovery questions. Those are generally bad news anyway, because the answers tend to be easy to guess, especially for an attacker who has already obtained other information about you.

  • Always use SSL. For example, you can access Gmail via https://www.gmail.com. Too bad encryption isn’t the default on the free email systems.

  • Check your machine for spyware. A browser that crashes regularly is one sign of it; a habit of installing lots of software off the internet is another; and if someone has hacked one of your accounts, spyware is a likely way they got your password. Go to a reputable security vendor, download their latest spyware cleaner, and run it.


Stay safe. We’re all in this together …

Permalink | Comments (0)

I finally tracked down a link to the mother lode of best-practice deployment information made available by Microsoft’s internal IT team (MSIT).

I’ve worked with the MSIT folks - particularly in corporate security - for many years and can tell you that they are in a unique position: they deploy and support nearly every major technology that Microsoft creates, and they do it before those products are even stable enough to sell to the public. At Microsoft this practice is called “eating your own dogfood”.

Thus, while managing and debugging those internal deployments, MSIT develops tremendous expertise which is of great value to Microsoft’s customers. That expertise is shared in the form of whitepapers, solutions, and best practices. These are available via IT Showcase.

To hop directly to the security-specific stuff, click here.

Permalink | Comments (0)