The BFC Computing Weblog

I got a National Cyber Alert System alert today about the Microsoft Internet Explorer security vulnerability, now that Microsoft has a patch out. The trouble is, everybody has known about this since last week, and anybody finding out about it today is already hopelessly in trouble.

There's nothing wrong with a notification, "hey, you should ensure this patch is applied," but that's not the purported purpose of the Cyber Alert System.

Thank goodness for the ISC which is group of volunteers doing a much better job than the large government bureaucracy charged with the task.

There’s been much made of the revelation that Diebold voting machines run an install of McAfee Anti-Virus, and that it’s caused trouble with the voting software.

The arguments against it typically boil down to:

• Your voting machines shouldn’t be use for anything else
• Your voting machines should be secured against anybody installing software on it
• You can’t verify the operation of MAV so it could possibly tamper with votes
• You should be running an operating system which is not so easily infected

Those arguments all have merit, but skip the fundamentals - the software image on a voting machine should not be running on read/write media, that is hard drives. If that basic criteria isn’t met, AV software might actually be a good idea, but missing the fundamentals is no excuse for dirty hacks.

I build my first appliance computer that could run from a CD in a CD-ROM drive in 2002. It’s neither new nor a difficult concept. When you need things to be secure, in that case under HIPAA regs, in this case for votes, you mount your media device (hard drive, flash memory, etc) with the ‘noexec’ flag, and then no software installed on the read/write media can be run from that media. Since you can’t write to the CD, software can’t be run from there either. You provide a stripped down OS image to make doing any more than the minimum very difficult, certainly requiring physical access to the machine.

This isn’t to say your machine shouldn’t be kept secure - of course it should, and the BIOS needs to be correctly configured (many of you know the security problems with certain BIOS configurations) - but read-only media and a good Q/A process obviates the need for anti-virus software. Certainly some software selection choices can make this difficult, but any good architecture starts with the requirements and works towards software selection, not the other way around. Assuming good security is a requirement.

I’ve written before about the limited usefulness of plausible deniability, especially in relation to software like TrueCrypt, a hard drive encryption program.

The gist of plausible deniability with TrueCrypt is this: You have multiple encrypted hard drive partitions. When your enemy forces you to reveal your keys, you reveal the low-cost key, and the enemy sees some data that he doesn’t care about and sends you on your merry way. The ‘real’ stuff you want to hide is still hidden.

This works if two conditions are true:

• The enemy doesn’t know you employ a product with plausible deniability
• The enemy can merely detain you

If those conditions aren’t true, you’re in big trouble. Say a violent group gets you and your data. They know TrueCrypt has plausible deniability, and they really want your data. You’re going to be tortured until they get what they want, it’s that simple, and ugly.

Now, the worst possible scenario is that you can’t give up ‘your data’ because it doesn’t exist. But only you know that. The bad guys think you have it and they know you have plausible deniability. You’re completely screwed.

For this reason I’ve been against plausible deniability systems for defending against all threats (yes, TrueCrypt would still be fine from hiding that porn you have stashed away on your home PC).

This changed when Cal Harding introduced the concept of Complete Deniability. That is, you can prove that you have no more plausible deniability.

Here’s how it can work: With TrueCrypt, you could have a utility that, once inside a locked data set, could be given a set of keys and ensure that those keys account for all readable data and all blocks of the storage device. Because TrueCrypt is open source, the bad guys can trust this utility to verify that you’re no longer hiding anything. They can review the source and compile it themselves, if they wish.

But, good news for you, you get to go home. Because even bad guys don’t like to waste their time and you’re not otherwise terribly interesting. Odds are you’re not getting your laptop back once the bad guys find your porn bank, though.

Sure enough, Microsoft has come back and offered to buy only part of Yahoo! this time (the part it cares about, obviously). This doesn’t prove my conjecture that it only cares about Zimbra, but it sure doesn’t rule it out!

In the past I’ve covered security problems in various software packages I don’t use or recommend, and I haven’t been doing that for some time, but I don’t think I wrote a note to that effect. Going forward I’ll try not to replicate the work US-CERT is doing and avoid pointing out anything less than problems that are highly out of the ordinary, like the recent debian OpenSSL problem or where official channels are just simply too slow.

People are a tizzy about some ‘magical’ technology NBC got Microsoft to put into its Zune to prevent ‘unauthorized’ episodes from playing. Of course, a he-said, she-said spat ensued, and they’re probably both lying. Anyway, this magic isn’t, it’s just watermarking. It’s well-defined how to make this unnoticeable and non-trival to remove. NBC just adds watermarking to the shows before they air, the Zune detects the watermark, and refuses to play the file unless there’s also an authorization key.

The trick with this approach is that it’s 100% DRM; hardware player support is required, and any other player will not have a problem. Also of note, this does nothing to stop copying, it’s just a revenue-enforcement model and is anti Fair-Use.

Nah, neither GE nor Microsoft would do something like that… good on Apple for refusing to play Evil Ball.

Spin off Zimbra again.

Microsoft’s talk about gettting all Webby is just the party line.

Zimbra is the most significant competition to Exchange and Microsoft’s stranglehold on ‘The Enterprise’ and the real reason that Microsoft wants to own Yahoo!.

Of course this won’t happen - I think the Yahoo! guys are smart and bought Zimbra so that Microsoft would finally acquire them. And they know what the Exchange monopoly is worth to them, so they can hold out until Microsoft gives.

This group is looking to block the deal with government intervention on these grounds.

Here’s a Washington Post piece about the Storm worm, and it being traced to St. Petersburg, and the international relations around that.

This is largely posted to have for future reference for when I get the ‘conspiracy nut’ look when I explain that Windows security problems are largely Russian-mafia related.

I was reading about the latest* Windows vulnerability over at the ISC diary and they point out there the vector is a bunch of old vulnerabilities and that the folks involved are tied up in banking fraud.

So, why wouldn't they exploit the latest vulnerabilities to get a bigger victim base? Is it because they're too lazy or incompetent to program for them?

No, I think they know exactly what they're doing. By choosing to target unpatched machines they're purposely limiting their user base. They're limiting it to people who are clueless about security.

If you were a bank fraudster, whose account would you rather tackle, that of somebody who is fanatic about patching their Windows machine or someone who is security ignorant to the point of not having patched their machine in over a year? Why even bother with Mac or Linux users, if you have this perspective...

Notice, one of the exploits dates back to 2003. I wouldn't be surprised if they push victims who were exploited through this one to the top of the list.

* I had to pick between two critical flaws today for 'latest' - allow me the literary license.

I’ve been trying to lay off the ‘Windows bad news’ posts here, but this one is just too important to ignore.

There’s an article called “Windows is Spyware” over at ZDNet talking about a newly discovered (and confirmed) behavior whereby Microsoft patches Windows XP (and apparently Vista) machines without the knowledge or consent of the machine’s owner. I’m pretty sure this means you can’t use Windows in an environment where you’re governed by HIPAA, PCI, or federal security regs, at least without some serious egress filtering to the Microsoft sites at the firewall.

The most amusing point from the article is this:

They seem to think that they own Windows and you and I are just renting our copies. Maybe we should read the lease.
          

Duh. It says right in the EULA that’s exactly what you’re doing, and in fact the new EULA with Windows XP SP1 stated that Microsoft could do this kind of updating (though they weren’t at the time). Anybody who has requirements incompatible with these kinds of EULA’s needs to find a vendor for their OS that doesn’t impose such clauses. Even at that you’re at the mercy of the new vendor’s benevolence, so open source operating systems are the only real choice if real control and security are the criteria.

Does anybody have a source for accurate IP ranges of the Windows update servers?

[hat tip -> Glen]