Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Informative paper on CSRF

October 31, 2008

This is an excellent concise introduction to Cross-Site Request Forgeries, including some scary examples of real sites that until recently had such vulnerabilities, and recommended mitigations.
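The synchronizer-token check is one standard CSRF mitigation: a forged cross-site request carries the victim's session cookie automatically, but it cannot carry a per-session secret that only the legitimate page has been handed. The following is an added Go example written for this post, not code from the paper or from the blog; the cookie name "session", the "X-CSRF-Token" header, the in-memory token store and the session id are all assumptions made to keep it self-contained.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// tokenStore maps a session id to its CSRF token. A real application keeps
// this in its session backend; an in-memory map is enough here (assumption).
type tokenStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newTokenStore() *tokenStore { return &tokenStore{tokens: map[string]string{}} }

// Issue mints a fresh random token for the session and remembers it. The page
// that renders a state-changing form embeds this token in the form or header.
func (s *tokenStore) Issue(sessionID string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	s.tokens[sessionID] = tok
	s.mu.Unlock()
	return tok
}

// Valid reports whether the presented token matches the session's token.
// Digests are compared in constant time so that neither length nor content
// of the expected token leaks through timing.
func (s *tokenStore) Valid(sessionID, presented string) bool {
	s.mu.Lock()
	expected, ok := s.tokens[sessionID]
	s.mu.Unlock()
	if !ok || presented == "" {
		return false
	}
	a := sha256.Sum256([]byte(expected))
	b := sha256.Sum256([]byte(presented))
	return hmac.Equal(a[:], b[:])
}

// CSRFProtect wraps a handler: safe methods pass through untouched, while
// state-changing methods must present the session's token in X-CSRF-Token.
func CSRFProtect(store *tokenStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		sess, err := r.Cookie("session") // sent by the browser on every request
		if err != nil || !store.Valid(sess.Value, r.Header.Get("X-CSRF-Token")) {
			http.Error(w, "forbidden: missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// transfer stands in for a protected state-changing endpoint (constructed).
func transfer(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("transfer accepted"))
}

// Simulate POSTs to the protected endpoint with the given session cookie and
// token and returns the HTTP status, so the cross-site case (cookie only)
// can be compared with the legitimate case (cookie plus token).
func Simulate(store *tokenStore, sessionID, token string) int {
	h := CSRFProtect(store, http.HandlerFunc(transfer))
	req := httptest.NewRequest(http.MethodPost, "/transfer", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := newTokenStore()
	tok := store.Issue("sess-123") // constructed session id
	fmt.Println("forged request (cookie only):      ", Simulate(store, "sess-123", ""))
	fmt.Println("legitimate request (cookie + token):", Simulate(store, "sess-123", tok))
}
```

The essential property is that the token is never sent automatically by the browser: it lives in the page (or a header set by the page's script), so a request triggered from another origin arrives with the cookie but without the token and is refused before it reaches the handler.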

Permalink | Comments (0)

Link here. I have to agree with the commentary that’s been written elsewhere on this: you can’t replace human insight, intuition, and training when it comes to physical security. Delegating that responsibility to a technology, such as RFID in this case, is risky.

The same is true of national intelligence gathering, by the way.

Permalink | Comments (0)

It never occurred to me that this was possible.

Here is a portable GPS simulator, for example. Pretty rugged looking!

Permalink | Comments (0)

I’m a big fan of using virtualization to reduce the cost of software development, primarily when it comes to the lab environment for testing. So far, VMware Server has been my favorite product for that, overall.

Thus, I was quite curious when a colleague told me this week that VMware Server 2.0 had been released. I decided to download it and give it a shot.

First reaction: the new VMware server console is web-based, which is disappointing. I tend to interact heavily with the virtualization console, modifying configurations and switching between VMs. In my experience, very few web UIs are as usable as a typical, professionally-done “thick” client UI. Without consistent window focus behavior, keyboard shortcuts, and tabbing behavior, the interaction is always slower for a power user.

As a result of the migration to the web UI, after completing a default installation on Windows Server 2003, clicking on the VMware Console shortcut now brings up the default browser, which is IE7 in my case. The console pages are served by Tomcat 6, which is installed with the virtualization services and everything else. Two more complaints: why install another web server when IIS is already present and listening - is it really that hard to support IIS too? Second, I now realize why the 2.0 download is about four times larger than the 1.x ones were - there’s a lot more bloat with the web server and everything else.

A server certificate is created during installation, presumably in order to support TLS from the VM admin client. However, the cert uses only a 1024-bit key, has no usage restrictions, and is valid for 19 years. A zero-config default is sometimes a good thing, but this gives the impression that TLS support is just a marketing checkbox and not an actual security consideration.

Also, since that self-signed cert isn’t trusted by default, the user gets a nasty warning page in IE7 each time it’s opened. It would have been better to provide stronger defaults for the cert with the option to change and/or trust it during initial setup.
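To make the complaint concrete, here is an added Go example (it is not VMware's code, and the thresholds are this example's own policy, not anything VMware documents). It mints a self-signed certificate with the three properties described above, a 1024-bit key, no usage restrictions and a 19-year validity, mints a hardened counterpart, and audits both with the same checks an admin client could apply before trusting the server. The hostname is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certSpec holds the knobs that make the difference between the weak
// install-time default and a reasonable one.
type certSpec struct {
	keyBits  int
	validFor time.Duration
	keyUsage x509.KeyUsage
	extUsage []x509.ExtKeyUsage
}

// mintSelfSigned creates a self-signed certificate from spec and parses the
// DER back, so the audit sees exactly what a client would see on the wire.
func mintSelfSigned(spec certSpec) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, spec.keyBits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vmhost.example.test"}, // constructed
		DNSNames:     []string{"vmhost.example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(spec.validFor),
		KeyUsage:     spec.keyUsage,
		ExtKeyUsage:  spec.extUsage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeWeakServerCert reproduces the install-time default described in the
// post: 1024-bit RSA, no KeyUsage/ExtKeyUsage, valid for 19 years.
func MakeWeakServerCert() (*x509.Certificate, error) {
	return mintSelfSigned(certSpec{keyBits: 1024, validFor: 19 * 365 * 24 * time.Hour})
}

// MakeHardenedServerCert is the contrast: 2048-bit RSA, usage limited to TLS
// server authentication, one-year validity. It is still self-signed.
func MakeHardenedServerCert() (*x509.Certificate, error) {
	return mintSelfSigned(certSpec{
		keyBits:  2048,
		validFor: 365 * 24 * time.Hour,
		keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		extUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
}

// AuditServerCert returns one finding per weak property. The 2048-bit and
// two-year limits are this example's policy (assumption).
func AuditServerCert(cert *x509.Certificate) []string {
	const minRSABits = 2048
	const maxValidity = 2 * 365 * 24 * time.Hour
	var findings []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits (< %d)", pub.N.BitLen(), minRSABits))
	}
	if cert.KeyUsage == 0 && len(cert.ExtKeyUsage) == 0 {
		findings = append(findings, "no KeyUsage or ExtendedKeyUsage restrictions")
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > maxValidity {
		findings = append(findings, fmt.Sprintf("validity period is %.0f days (> %.0f)", v.Hours()/24, maxValidity.Hours()/24))
	}
	// Verifying the signature with the certificate's own key detects a
	// self-signed cert, which no client trusts until it is explicitly imported.
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed: not trusted until explicitly imported")
	}
	return findings
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){MakeWeakServerCert, MakeHardenedServerCert} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s (%d-bit): %v\n", cert.Subject.CommonName,
			cert.PublicKey.(*rsa.PublicKey).N.BitLen(), AuditServerCert(cert))
	}
}
```

The weak certificate trips all four checks; the hardened one trips only the self-signed check, which is exactly the residual problem the post describes: even a well-formed default certificate still needs a trust decision at setup time.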

One more complaint - the admin web page prompts me for my Active Directory credentials each time I bring it up, even though I’ve already used them to login to Windows. Moving the VMware site to the Local Intranet security group in IE doesn’t fix the problem, even though my “automatically provide credentials” option is enabled. Is that another drawback for not using IIS?

On the plus side, the new workflow for creating a VM is really good (aside from not being able to use a keyboard) - simple and intuitive, although it might be challenging for someone who hasn’t configured a VM before.

Fortunately, the new VM viewer client uses the same old keyboard shortcuts. So once you’re connected to the client, things are smooth again. This is an area where VMware has a definite edge over Windows Hyper-V. Since I typically access the VM host over RDP, I rely on having a different set of keyboard shortcuts for the VM host versus the remote session host. With VMware, those keys are different. With Hyper-V, they’re not.

I decided to test VMware Server 2.0 using the PDC build of Windows 7 x64, just to see if I could try to get things to break. I told VMware I was creating a Windows Server 2008 x64 VM, since that seemed to be the closest option. The really excellent news here is that there were no problems getting the product installed and logged in for the first time.

Minor complaint about the Win7 OOBE (Out of Box Experience) dialogs - the Password Hint for the first user is now required. Wasn’t it optional in Vista? Password hints should be optional; most people, myself included, are just going to type random crap in there, and it would be better if we didn’t have to type anything.

Aside from that, first impressions of Win7? Seems pretty solid for a pre-release version of Windows. It looks a lot like Vista, but historically Microsoft doesn’t update the look & feel until just before RTM in order to avoid leaks.

The first notification you see after the default user auto-logon is a warning that there’s no anti-virus installed, which is probably a good reminder to have. Clicking on the warning brings up IE8, and the first thing it does is ask you if you want to enable the Suggested Sites feature, which apparently tries to guess additional websites you’d be interested in based on your browser history. Not stated is the implicit question as to whether you want Microsoft to know every website you visit (assuming they don’t already).

The second thing I noticed was that the shutdown icon, visible from the Start menu, had changed to indicate that an update was available. Bringing up the Windows Update control panel, I was reminded about the out-of-band Windows Server Service patch from two weeks ago, which also applies to Windows 7. It’s pretty rough that the product had an ‘important’ security patch before it was even in people’s hands. That’s life when you’re dealing with complex software, I guess.

Anyway, those are my initial impressions of VMware Server 2.0 and Windows 7. I’ll follow up as I discover more.

Permalink | Comments (7)

IronRuby

October 28, 2008

Saw a cool PDC talk yesterday on the IronRuby project. It was a great introduction to using Ruby in the context of rapid development for .NET.

Unfortunately, the project is still code-only: you have to connect to Subversion and build it yourself. But they’re close to having full support for RubyGems, at which point they’ll post Beta binaries.

Permalink | Comments (0)

Just saw a good PDC talk, delivered by Rick Molloy of Microsoft, on the new Parallel Pattern Library for C++. More info on their blog and on the MSDN concurrency page.

Permalink | Comments (0)

Here’s an interesting service I just learned about in the PDC 2008 expo: Microsoft offers a separate tier of services and support to ISVs. By separate, I mean in addition to what you get as a Gold Partner, but not as expensive or long-term as a Microsoft Consulting Services engagement.

Here’s a link.

Permalink | Comments (0)

Check out Bluehoo, a Bluetooth-based social engineering site based on the just-announced Microsoft cloud computing platform, branded Windows Azure.

(Not sure if Bluehoo will be available today, though. “Highly scalable computing” notwithstanding, I’m sure it’s getting slammed right now …)

Permalink | Comments (0)

I’m at the Los Angeles convention center, waiting for the PDC keynote. The room is giant; there’s apparently seating for 7000 people!

Keynotes are usually a mixed bag, in my experience. Sometimes they’re pretty boring. But, as a buddy of mine observed, we’ve come all this way (and paid all this money). Might as well try to take it all in.

One cool feature - the huge screens at the front of the keynote room are displaying a continuous Twitter feed. Just mark your tweets with “PDC2008” and they’ll show up. Nice touch on the part of the organizers.

Another comment: PDC attendees are being given a hard drive this year with all of the samples and stuff. Unfortunately, they aren’t handing out the drives until after the last keynote, so we don’t get them until tomorrow afternoon. Bummer. Can’t wait to see what’s on it.

Permalink | Comments (0)

I was surprised to find an email from one of our outsourced service providers in my inbox two days ago, saying that they had to do emergency maintenance on their servers. Specifically, to take them offline and install the patch for MS08-067, a wormable RPC vulnerability in the Windows Server service.

The patch was deemed by Microsoft to be worthy of out-of-band release. Based on what I’ve read about it, I applaud that decision. It’s a severe bug. Waiting until November to publicly release the patch would have been a bad idea.

A certain amount of chaos ensues when such a patch is released. For example, the service I mentioned above was down with relatively short notice - and I’m paying for it regardless. But that outage was handled professionally.

As another example of chaos, this eWeek article includes a suggestion by a security professional that organizations bypass their internal testing process and just deploy the patch immediately to all affected servers. That’s bad advice. After all, the notes accompanying the patch explain how the threat can also be mitigated via a firewall. And if the patch were to cause a compatibility problem, what good is a broken server?

Another example: do a web search on MS08-067 and take a look at some of the copies of the original bulletin that appear. Not all of them are complete, and most of them lack links to additional authoritative information. Incomplete, or even inaccurate, information moves like wildfire on the internet.

The chaos, as well as the replication of incomplete information, is happening for a reason: lots of companies, and millions of users, are dependent upon Windows in some way. Service providers and news organizations are trying to keep up.

Millions of dollars in commerce, and probably much more than that, is dependent upon Windows. Whether it’s direct access to critical line-of-business applications, something indirect like hoping that your bank’s network doesn’t crash before you cash your paycheck, or even something mundane like checking internet email from home (or blogging; that probably falls into the mundane category as well), most people in industrialized countries are affected by Windows, good or bad.

This is a tremendous amount of responsibility. I used to work at Microsoft and I know what that feels like.

Thus, I think it’s fair to ask what’s being done to prevent problems like MS08-067 from happening in the first place. Frankly, the question didn’t even occur to me until I read this blog post from Michael Howard. It’s an informative post, and I especially recommend reading it if you have a development background.

However, in light of the responsibility, mentioned above, which must be borne by Microsoft, as well as the cost paid by the industry in testing and deploying each new patch, the response laid out in Michael’s blog post is inadequate. Microsoft is not doing enough to prevent this problem from recurring.

I’ll summarize a few points made in that post: first, that it’s difficult to design automated tools that can catch the kind of buffer overflow bug that led to this bulletin. It’s not stated whether such tools exist elsewhere, but it is stated that Microsoft’s tools can’t do it. I accept this claim at face value, but there’s more to be said. I’ll come back to this.

Second, the observation is made that security features in Windows Vista and Server 2008 mitigate, although don’t eliminate, the threat. My observation: the patch still needs to be installed on those systems. Plus, the deployed base is predominantly Windows XP SP2 and earlier on the client, and Windows Server 2003 and earlier on the server. So I don’t find the comments to be relevant. While the new security features point to a positive trend from a technology perspective, the blog post doesn’t explain what’s being done to reduce the impact of these bugs, as well as of the patches themselves, on Microsoft’s customers. How is TCO being reduced in this area?

Third, the claim is made that Windows Vista, as well as Microsoft’s Security Development Lifecycle process, came out as winners (I’m paraphrasing). That’s true from a certain perspective. After all, the catastrophe scenario of another widespread internet worm was probably averted. But in light of the observations above, this claim strikes me as insensitive to customer perception.

Finally, the one action item, so to speak, accepted by the blog post on Microsoft’s behalf is to do a better job of fuzz testing (aka fuzzing). Here’s my concern, though: fuzzing is a non-deterministic technique. Is that really the best Microsoft can do?

This brings me back to the first point regarding automation tools. The timing of this patch, coinciding with Microsoft’s earnings announcement, is … awkward. The company netted well over $4 billion this quarter. Think about that, then consider, again, the impact of each security bug and each out-of-band patch on the bottom line of each of Microsoft’s millions of customers, due to downtime, servicing, and testing.

Microsoft must do a better job of reducing TCO. Making a significant, new investment in proactively and deterministically finding and eliminating security bugs should be a key pillar in their strategy for doing so. I can’t and don’t accept that a company with that kind of profits can’t do better than updating their fuzz testing heuristics.

Permalink | Comments (0)