Bringing Social To The Kernel

Imagine a world where you can log in to your computer once and have full access to all of the functionality in your computer, plus seamless access to all of the web sites you visit on a daily basis. No more logging into each site individually; your computer’s operating system takes care of that for you.

That world may be coming quicker than you realize. I was listening to a recent episode of the PaulDotCom security podcast today. In this episode, they interviewed Jason Fossen, a SANS Security Faculty Fellow and instructor for SEC 505: Securing Windows. During the conversation, Jason mentioned some of the changes coming to the next version of Microsoft’s flagship operating system, Windows 8. What he described was, in a word, horrifying…

Not much information is out there about these changes yet, but it’s possible to piece together some of it. Jason mentioned that Windows 8 will have a broker system for passwords. Basically, Windows will store all of the passwords necessary to access all of the various services you interact with. Think something along the lines of 1Password or LastPass. The main difference being, this happens in the background with minimal interaction with the user. In other words, you never have to explicitly login to anything beyond your local Windows workstation.

Initially, Microsoft won’t have support for all of the various login systems out there. They seem to be focusing on their own service, Windows Live, and possibly Facebook. But the API is open, allowing third-parties to provide the necessary hooks to their own systems.

I’ve spent some time searching for more information and what I’m finding seems to indicate that what Jason was talking about is, in fact, the plan moving forward. TechRadar has a story about the Windows 8 Credential Vault, where website passwords are stored. The credential vault appears to be a direct competitor to 1Password and LastPass. As with other technologies that Microsoft has integrated in the past, this may be the death knell for password managers.

ReadWriteWeb has a story about the Windows Azure Access Control Service that is being used for Windows 8. Interestingly, this article seems to indicate that passwords won’t be stored on the Windows 8 system itself, but in a centralized “cloud” system. A system called the Access Control Service, or ACS, will store all of the actual login information, and the Windows 8 Password Broker will obtain tokens that are used for logins. This allows users to access their data from different systems, including tablets and phones, and retain full access to all of their login information.

Microsoft is positioning Azure ACS as a complete claims-based identity system. In short, this allows ACS to become a one-stop shop for single sign-on. I log into Windows and immediately have access to all of my accounts across the Internet.

Sounds great, right? In one respect, it is. But if you think about it, you’re making things REALLY easy for attackers. Now they can, with a single login and password, access every system you have access to. It doesn’t matter that you’ve used different usernames and passwords for your bank accounts. It doesn’t matter that you’ve used longer, more secure passwords for those sensitive sites. Once an attacker gains a foothold on your machine, it’s game over.

Jason also mentioned another chilling detail. You’ll be able to log in to your local system using your Windows Live ID. So, apparently, if you forget the password for your local user, you just log in with your Windows Live ID. It’s all tied together. According to the TechRadar story, “if you forget your Windows password you can reset it from another PC using your Windows Live ID, so you don’t need to make a password restore USB stick any more.” They go on to say the following:

You’ll also have to prove your identity before you can ‘trust’ the PC you sync them to, by giving Windows Live a second email address or a mobile number it can text a security code to, so anyone who gets your Live ID password doesn’t get all your other passwords too – Windows 8 will make you set that up the first time you use your Live ID on a PC.

You can always sign in to your Windows account, even if you can’t get online – or if there’s a problem with your Live ID – because Windows 8 remembers the last password you signed in with successfully (again, that’s encrypted in the Password Vault).

With this additional tidbit of information, it would appear that an especially crafty attacker could even go as far as compromising your entire system, without actually touching your local machine. It may not be easy, but it looks like it’ll be significantly easier than it was before.

Federated identity is an interesting concept, and it definitely has its place. But I don’t think tying everything together in this manner is a good move for security. Sure, you can already use your Facebook ID (or Twitter, Google, OpenID, etc.) as a single login for many disparate sites. In fact, these companies are betting on you to do so. This ties all of your activity back to one central place where the data can be mined for useful and lucrative bits. Perhaps in the realm of a social network, that’s what you want. But I think there’s a limit to how wide a net you want to cast, and if what Jason says is true, Microsoft may be building the equivalent of the One Ring. ACS will store them all, ACS will verify them, ACS will authenticate them all, and to the ether supply them.

Digital Armageddon

April 1, 2009. The major media outlets are all over this one. Digital Armageddon. The end of computing as we know it. Again. But is it? Should we all just “Chill Out?”

So what happens April 1, 2009? Well, Conficker activates. Well, sort of. It activates the latest revision of its auto-update algorithm, switching the number of domains it generates each day to look for updates from 250 to 50,000. Conficker, in its current form, isn’t really malicious beyond the techniques it uses to prevent detection and removal. In order to become malicious, it will need to download an update to its base code.

There are two methods by which Conficker can update its base code. The first is to download the code from one of the 50,000 domains it generates each day. It does not contact all 50,000, though. Instead, it picks 500 of them at random and checks those for an update. If none is found, Conficker sleeps for 24 hours and starts over: it generates the next day’s 50,000 domains, picks another random 500, and contacts them. The result is that it becomes practically impossible for defenders to block (or pre-register) every generated domain, so an update placed on even one of them will eventually get through. On the flip side, this process makes the update spread slowly: if the author registers only one of the day’s domains, a given bot has roughly a 1% chance (500 out of 50,000) of checking it on any given day, so it can easily take days, weeks, or months for a single machine to finally stumble upon a live domain.
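The following Python snippet is an added worked example, not code from the original post or from any Conficker analysis. It puts numbers on the “days, weeks, or months” claim using the 50,000 and 500 figures quoted above; how many of the day’s domains the worm’s author actually registers is an assumption, varied for illustration.

```python
"""How often a Conficker-style domain sampler hits a live update domain.

Added example, not part of the original post. It models only the
behaviour described above: each day the worm derives `total` candidate
domain names and contacts a random `sampled` of them; an update is
fetched on any day the sample contains at least one domain the operator
actually registered. The operator-side counts used below are assumptions
for illustration, not measurements.
"""
from math import ceil, comb, log


def daily_hit_probability(total: int, registered: int, sampled: int) -> float:
    """P(a day's random sample contains at least one registered domain).

    Sampling is without replacement, so this is a hypergeometric tail:
    1 - C(total - registered, sampled) / C(total, sampled).
    """
    if not (0 <= registered <= total and 0 <= sampled <= total):
        raise ValueError("counts out of range")
    if registered == 0:
        return 0.0
    if sampled + registered > total:
        return 1.0  # the sample cannot avoid every registered name
    return 1.0 - comb(total - registered, sampled) / comb(total, sampled)


def expected_days_to_update(p: float) -> float:
    """Mean wait for a single bot: geometric with success probability p."""
    if not 0.0 < p <= 1.0:
        raise ValueError("p must be in (0, 1]")
    return 1.0 / p


def days_until_fraction_updated(p: float, fraction: float) -> int:
    """Days until `fraction` of independently sampling bots have the update."""
    if not 0.0 < p <= 1.0 or not 0.0 <= fraction < 1.0:
        raise ValueError("need p in (0, 1] and fraction in [0, 1)")
    if fraction == 0.0:
        return 0
    if p == 1.0:
        return 1
    return ceil(log(1.0 - fraction) / log(1.0 - p))


if __name__ == "__main__":
    TOTAL, SAMPLED = 50_000, 500  # figures from the post
    for registered in (1, 10, 100):  # assumed: names the operator pays for
        p = daily_hit_probability(TOTAL, registered, SAMPLED)
        print(f"{registered:>4} registered: p/day={p:.4f}"
              f"  mean wait={expected_days_to_update(p):7.1f} d"
              f"  half the bots after {days_until_fraction_updated(p, 0.5)} d"
              f"  90% after {days_until_fraction_updated(p, 0.9)} d")
    # Defender's view: sinkholing 49,000 of the 50,000 names changes nothing
    # above, because the one domain the operator registered is still in a
    # bot's sample on the same ~1% of days. Only covering all of them helps.
```

With one registered domain the hit rate is exactly 500/50,000 = 1% per bot per day, a mean wait of 100 days and about 69 days before half the infected population has the update; with ten registered domains it is still under 10% per day.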

The second method is to download the code via a peer-to-peer connection between infected hosts. As I understand it, the peer-to-peer mechanism has been active since revision C of Conficker appeared in the wild. This mechanism allows an update to spread from system to system very rapidly, and based on how it works, blocking it is difficult at best.

So what is the risk here? Seriously, is my computer destined to become a molten heap of slag, a spam factory, or possibly a zombie soldier in a botnet attack against foreign governments? Is all hope lost? Oh my, are we all going to die!

For the love of all things digital, pull it together! It’s not as bad as it looks! First of all, if you consistently update your machines and keep your anti-virus up to date, your chances of being infected are very low. If you don’t keep up to date, then perhaps you should start. At any rate, fire up a web browser and search for a Conficker scanner; most of the major anti-virus vendors have one. Make sure you’re familiar with the company you’re downloading the scanner from, though: a large number of scam sites have popped up since Conficker hit the mainstream media.

If you’re a network admin, you have a bigger job. First, make sure every Windows machine you are responsible for is patched, in particular against MS08-067, the Server service vulnerability Conficker exploits to spread. Yes, that includes those machines on that private network that is oh-so impossible to get to; Conficker also spreads via SMB shares (guessing weak passwords on admin shares) and USB keys, so an air gap is no guarantee. Next, try scanning your network for infections. There are a number of Conficker scanners out there now thanks to the Honeynet Project and Dan Kaminsky. I have personally used both the proof-of-concept Python scanner and the latest version of nmap.

If you’re using nmap, the following command line works quite well and is incredibly fast (replace the example range with your own; the -d flag adds debugging output, so drop it if you only want the report in the conficker_scan files). Newer Nmap releases have since split smb-check-vulns into one script per issue, with the Conficker check now in smb-vuln-conficker:

nmap -sC --script=smb-check-vulns --script-args=safe=1 -p139,445 \
-d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
-oA conficker_scan 192.168.1.0/24

Finally, as a network admin, you should probably have some sort of Intrusion Detection System (IDS) in place. Snort is an open source IDS that works quite well and has a large community following. IDS signatures exist to detect all known variants of Conficker.

So calm down, take a deep breath, and don’t worry. I find it extremely unlikely that April 1 will result in anything more than a blip in network activity. Instead, concentrate on detection and patching. Conficker isn’t Skynet…. Yet.


Windows 7… Take Two… Or Maybe Three?

Well, looks like the early information on Windows 7 might be wrong.  According to an interview with Steven Sinofsky, Senior Vice President of Windows and Windows Live Engineering at Microsoft, there are a few details you may have heard that may not be entirely true.  But then again, it seems that Mr Sinofsky did tap dance around a lot of the questions asked.

First and foremost, the new kernel.  There has been a lot of buzz about the new MinWin kernel, which many believe to be integral to the next release of Windows.  However, according to the interview, that may not be entirely true.  When asked about the MinWin kernel, Mr Sinofsky replied that they are building Windows 7 on top of the Windows Server 2008 and Windows Vista foundation.  There will be no new driver compatibility issues with the new release.  When asked specifically about the minimum kernel, he dodged the question, trying to focus on how Microsoft communicates, rather than new features of Windows.

So does this mean the MinWin kernel has been cut?  Well, not necessarily, but I do think it means that we won’t see the MinWin kernel in the form it has been talked about.  That is, very lightweight, and very efficient.  In order to provide 100% backwards compatibility with Vista, they likely had to add a lot more to the kernel, moving it from a lightweight, back into the heavyweight category.  This blog post by Chris Flores, a director at Microsoft, seems to confirm this as well.

The release date has also been pushed back to the 2010 date that was originally stated.  At a meeting before the Inter-American Development Bank, Bill Gates had stated that a new release of Windows would be ready sometime in the next year or so, but Mr Sinofsky stated firmly that Windows 7 would be released three years after Vista, putting it in the 2010 timeframe.

Yesterday evening, at the All Things Digital conference, a few more details leaked out.  It was stated again that Windows 7 would be released in late 2009.  Interestingly enough, it seems that Windows 7 has “inherited” a few features from its chief competitor, Mac OS X.  According to the All Things Digital site, there’s a Mac OS X-style dock, though I have not been able to find a screenshot showing it.  There are these “leaked” screenshots, though their authenticity (and possibly the information provided with them) is questionable at best.

The biggest feature change, at this point, appears to be the addition of multi-touch to the operating system.  According to Julie Larson-Green, Corporate Vice President of Windows Experience Program Management, multi-touch has been built throughout the OS.  So far it seems to support the basic feature-set that any iPhone or iPod Touch supports.  Touch is the future, according to Bill Gates.  He went on to say:

“We’re at an interesting junction.  In the next few years, the roles of speech, gesture, vision, ink, all of those will become huge. For the person at home and the person at work, that interaction will change dramatically.”

All in all, it looks like Windows 7 will just be more of the same.  With all of the problems they’ve encountered with Vista, I’ll be surprised if Windows 7 becomes the big seller they’re hoping for.  To be honest, I think they would have been better off re-designing everything from scratch with Vista, rather than trying to shovel in new features to an already bloated kernel.

Useful Windows Utilities? Really?

Every once in a while, I get an error that I can’t disconnect my USB drive because there’s a file handle opened by another program.  Unfortunately, Windows doesn’t help much beyond that, and it’s left up to the user to figure out which app and shut it down.  In some cases, the problem persists even after shutting down all of the open apps and you have to resort to looking through the process list in Task Manager.  Of course, you can always log off or restart the computer, but there has to be an easier way.

In Linux, there’s a nifty little utility called lsof.  The name, lsof, is short for List Open Files, and it does just that.  It displays a current list of open files, including details such as the name of the program using the file, its process ID, the user running the process, and more.  The output can be a bit daunting for an inexperienced user, but it’s a very useful tool.  Combined with the power of grep, a user can quickly identify what files a process has open, or what process has a particular file open.  Very handy for dealing with misbehaving programs, and exactly what you want when a mount point refuses to unmount because something still has a file open on it.
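Here is an added example that reimplements the part of lsof the post uses; it is not code from the post, from lsof or from Sysinternals. On Linux every open descriptor of a process is a symlink /proc/<pid>/fd/<n> whose target is the open file, and lsof reads exactly that; the script walks those links to answer “who is holding files under this mount point?”. It is Linux-only, and other users’ descriptors are readable only as root.

```python
"""List which processes have files open under a directory or mount point.

Added example, not code from the original post or from Sysinternals.
It reimplements the part of lsof the post uses: on Linux, every open
descriptor of a process is a symlink /proc/<pid>/fd/<n> whose target is
the open file, and lsof reads that same data. Descriptors of other
users' processes are only readable as root, so run it with sudo to see
everything; unreadable processes are skipped, not reported as errors.
"""
import os
import sys
from typing import Dict, List


def open_files_of(pid: int) -> List[str]:
    """Targets of every fd symlink of one process ([] if unreadable or gone)."""
    fd_dir = "/proc/%d/fd" % pid
    try:
        names = os.listdir(fd_dir)
    except OSError:  # permission denied, or the process has already exited
        return []
    targets = []
    for name in names:
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:  # descriptor closed between listdir and readlink
            continue
    return targets


def holders_of(path: str) -> Dict[int, List[str]]:
    """Map pid -> files it holds open at or below `path` (e.g. a USB mount point)."""
    root = os.path.realpath(path)
    prefix = root.rstrip(os.sep) + os.sep
    held: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():  # skip /proc/self, /proc/sys, ...
            continue
        pid = int(entry)
        files = [t for t in open_files_of(pid) if t == root or t.startswith(prefix)]
        if files:
            held[pid] = files
    return held


def process_name(pid: int) -> str:
    """Short command name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open("/proc/%d/comm" % pid) as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    # usage: python holders.py /media/usb   (the path is an assumed example)
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for pid, files in sorted(holders_of(target).items()):
        for f in files:
            print("%7d %-20s %s" % (pid, process_name(pid), f))
```

Deleted-but-still-open files show up with a “ (deleted)” suffix in the link target, which is a common reason a volume stays busy after the visible files are gone.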

Similar tools exist for Windows, but most of them are commercial tools, not available for free use.  There are free utilities out there, but I hadn’t found any that gave me the power I wanted.  That is, until today.

I stumbled across a nifty tool called Process Explorer.  Funnily enough, it’s actually a Microsoft tool now; Microsoft acquired it when it bought Sysinternals.  Regardless, it’s a very powerful utility, and it came in quite handy for solving this particular problem: its Find Handle or DLL search (Ctrl+F) takes a drive letter or path and lists every process holding a handle under it.


In short, I had opened a link in Firefox by clicking on it in Thunderbird.  After closing Thunderbird, I tried to un-mount my USB drive, where I have Portable Thunderbird installed, but I received an error that a file was still open.  Apparently Firefox was the culprit, and closing it released the handle.

The Sysinternals page on Microsoft’s TechNet site lists a whole host of utilities for debugging and monitoring Windows systems.  These can be fairly dangerous in the hands of the inexperienced, but for those of us who know what we’re doing, these tools can be invaluable.  I’m quite happy I stumbled across these.  The closed nature of Windows can be extremely frustrating at times as I cannot figure out what’s going on.  I’m definitely still a Linux user at heart, but these tools make using Windows a tad more bearable.

Vista… Take Two.

With Windows Vista shipping, Microsoft has turned its attention to the next version of Windows.  Currently known as Windows 7, there isn’t a lot of information about this latest iteration.  From the available information, however, it seems that Microsoft *might* be taking a slightly different direction with this version.

Most of the current talk about the next version of Windows has centered around a smaller, more compact kernel known as MinWin.  The kernel of any operating system is the lifeblood of the entire system.  The kernel is responsible for all of the communication between the software and the hardware.

The kernel is arguably the most important part of any operating system and, as such, has resulted in much research, as well as many arguments.  Today, there are two primary kernel types, the monolithic kernel, and the micro kernel.

With a monolithic kernel, all of the code to interface with the various hardware in the computer is built into the kernel.  It all runs in “kernel space,” a protected memory area designated solely to the kernel.  Properly built monolithic kernels can be extremely efficient.  However, bugs in any of the device drivers can cause the entire kernel to crash.  Linux is a good example of a very well built monolithic kernel.

A micro kernel, on the other hand, is a minimalist construct.  It includes only the essentials that must run in kernel mode: scheduling, basic memory management, and the message passing that lets everything else communicate.  All other software, device drivers included, runs in “user space,” that is, in separate, less privileged address spaces.  Drivers and other system software must ask the kernel to perform privileged operations on their behalf, so in theory a buggy device driver cannot take the whole system down with it.  There is a price, however: every interaction crosses the kernel boundary through a system call or message, so micro kernels are generally considered slower than monolithic kernels.  MINIX is a good example of an OS with a micro kernel architecture.

The Windows NT line of operating systems, which includes XP and Vista, uses what Microsoft likes to call a “hybrid kernel.”  In theory, a hybrid kernel combines the best of both monolithic and micro kernels.  It’s supposed to have the speed of a monolithic kernel with the stability of a micro kernel.  I think the jury is still out on this, but it does seem that XP, at least, is much more stable than the Windows 9x series of releases, which used a monolithic kernel.

So what does all of this mean?  Well, Microsoft is attempting to optimize the core of the operating system, making it smaller, faster, and more efficient.  Current reports from Microsoft indicate that MinWin is functional and has a very small footprint.  The current iteration of MinWin occupies approximately 25 MB of disk space and memory usage of about 40 MB.  This is a considerable reduction in both drive and memory usage.  Keep in mind, however, that MinWin is still being developed and is missing many of the features necessary for it to be comparable with the current shipping kernel.

It seems that Microsoft is hyping this new kernel quite a bit at the moment, but watch for other features to be added as well.  It’s a pretty sure bet that the general theme will change, new flashy gadgets and graphical capabilities, and other such “fluff” will be added.  I’m not sure the market would respond very nicely to a new version of Windows without more flash and shiny…  Windows 7 is supposedly going to ship in 2010, but other reports have it shipping sometime in 2009.  If Vista is any indication, however, I wouldn’t expect Windows 7 until 2011 or 2012.

Meanwhile, it seems that Windows XP is still more popular than Vista.  In fact, it has been reported that InfoWorld has collected over 75,000 signatures on its “Save Windows XP” petition.  This is probably nothing more than a marketing stunt, but it does highlight the fact that Vista isn’t being adopted as quickly as Microsoft would like.  So, perhaps Microsoft will fast track Windows 7.  Only time will tell.


It’s been a while since Microsoft released their newest OS, Vista, and yet the complaints just haven’t stopped.  I just ran across this humorous piece about “upgrading” to Windows XP and decided it was time to write a little bit about Vista.

I can’t say I’m an expert by any means as I’ve only had limited experience with Vista at this point.  What experience I did have, however, was quite annoying and really turned me away from the thought of installing it.  Overall, Vista has an interesting look.  It’s not that bad, in reality, though it does seem to be a bit of overkill in the eye candy department.  It feels like Microsoft tried to make everything shiny and attractive, but ended up with a shiny, gaudy look instead.

My first experience with Vista involved setting up a Vista machine for network access.  Since setting up networking involves changing system settings, I was logged in as an administrator.  I popped open the control panel to set up the network adapter and spent the next 15 minutes messing around with the settings, prompted time and again by User Account Control to allow the changes I was making.  It was a frustrating experience, to say the least.  Something that takes me less than a minute to accomplish on a Windows XP machine, or even on a Linux machine, takes significantly longer on a Vista machine.

I also noticed a number of pauses, quite noticeable, as I manipulated files.  This happened on more than one machine, making me think there’s something wrong with the file subsystem in Vista.  I’ve heard it explained as a DRM mechanism, checking for various DRM schemes in an attempt to enforce them.  Either way, it’s slow and takes forever to accomplish simple copy and paste tasks.

One of my more recent experiences was an attempt to get Vista to recognize a RAZR phone.  I never did get that working, even with Motorola’s Vista compatible software.  I tried installing, uninstalling, and re-installing the software several times, rebooting in between, enduring the stupid security dialogs all the while.  Vista seems to have recognized the phone, but would not allow the user to interact with it.

They say that first impressions are the most important and, up to this point, Vista has not made a good impression on me at all.  If and when I do move to Vista, it will be with me kicking and screaming the entire way…

Getting screwed again by DRM

I’m definitely no fan of Digital Rights Management (DRM) in its current form.  It’s intrusive, prevents me from taking advantage of something I purchased, and is generally an all around nuisance.

Take, for instance, DRM “enhanced” music.  Most DRM licenses only allow you to listen to the music on authorized devices, and limits the number of devices you can put the music on.  Some even go as far as to limit the number of times you can listen to a specific track.  For some users this is ok, but what about those of us who change music players on a regular basis?  Now we have to be concerned about the type of DRM being used and whether or not it’s compatible with our new player.  It’s truly a nightmare.

There are even more issues with DRM, though.  Let’s take a look at modern games.  For consoles, DRM isn’t much of an issue yet.  Every console is the same, so there are no compatibility problems if you have to get a new console, or if you want to take your game to a friend’s house to play.  Downloaded content is a little trickier as it is often tied to the console it was downloaded on.  Unfortunately, in many situations, if the console fails and you get a replacement, you must re-purchase the downloaded content.  This isn’t always the case, but it does happen.

For PCs, however, the landscape is a little different.  DRM is used to prevent piracy of games.  Unfortunately, with the wide number of PC configurations, this can cause incompatibility problems.  But even beyond the compatibility issues, there are sometimes worse problems.

Take, for instance, SafeDisc DRM by Macrovision.  SafeDisc has been around for years and is often the cause of incompatibility problems with games.  SafeDisc requires a special driver to be loaded into Windows that allows the operating system to validate the authenticity of games that use the SafeDisc DRM scheme.  Apparently, Microsoft thought it would be useful to bundle a copy of the SafeDisc driver with Windows and has done so since Windows XP shipped about 6 years ago.

Recently, Elia Florio of Symantec discovered a vulnerability in the SafeDisc driver (secdrv.sys).  It allows a local attacker, meaning anyone who can already run code on the machine as an ordinary user, to escalate their privileges and ultimately gain full control of the operating system.  Because Microsoft bundles this driver with Windows, even non-gamers are exposed.

This highlights a major problem with DRM.  Writing secure code is a tough, complex job, and the more complex the code, the harder it is to keep secure.  DRM code is deliberately convoluted to resist reverse engineering and tampering, which also makes it very difficult to verify that it is correct, and a kernel-mode driver is the worst possible place for such code, since any flaw there hands out the highest privilege level on the machine.  This is a perfect example of that problem.  Unfortunately, it will only grow into a larger problem as time goes on, unless we stamp out DRM.

Macrovision apparently has a fix for this problem on their website, and Microsoft is working on a solution as well, though Microsoft has refused to commit to a delivery date.  I would encourage you to update this driver as soon as possible, or, if you are a non-gamer, disable it completely: it runs as the secdrv service, so it can be stopped and set to disabled from the Services console or with sc.exe.

ISO Recorder Power Toy

I recently had the need to create an .ISO image of a CD. The CD burning software on my computer, however, only created proprietary images. Being my laptop for work, I didn’t want to purchase better software, so I googled around on the net a little bit.

I came across a little utility created by Alex Feinman called ISO Recorder. It runs on Windows XP, Windows Server 2003, and the dreaded Windows Vista. After installation, it adds two options to your right-click menu, “Create ISO Image File” and “Copy CD to CD”.

The Create ISO option appears whenever you right click a folder and allows you to create an image of everything in that folder. This includes folders on your hard drive, so creating an ISO is as simple as moving the relevant files into a single folder. Very convenient.

Alex also has a command-line CD burning utility called CreateCD. I have not had occasion to use this particular piece of software, but it does look interesting. Using this utility, you can automate the creation of ISO images, great for automated backups.

Both of these utilities are free for personal use. Alex does provide a PayPal link for donations, so if you find this software useful, send him a few bucks to show your appreciation!

Windows .ANI Vulnerability

Another day, another vulnerability… This time it’s animated cursors. You know, those crazy animated cursors Microsoft included in one of their Plus! packs back in the day?

Well, it seems there’s a stack-based buffer overflow in the way the OS loads .ANI files. In a nutshell, the loader copies a chunk of the file into a fixed-size buffer on the stack using the length field taken from the file itself, without checking that it fits. An oversized chunk overwrites whatever sits beyond the buffer, including the saved return address, which is how an attacker turns a cursor file into code execution.
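To make the missing check concrete, here is an added Python example; it is not Microsoft’s loader, ZERT’s patch or any exploit. An .ANI file is a RIFF container (form type ACON) whose anih chunk carries a fixed 36-byte ANIHEADER. The validator walks the RIFF chunks, reports how many bytes an unchecked copy of each anih chunk would write past a 36-byte structure, and refuses any anih chunk (not just the first) whose declared size is wrong. The sample files are constructed in the code.

```python
"""Validate the anih chunks of a .ANI (animated cursor) file.

Added example written for this post; it is not Microsoft's loader,
ZERT's patch, or any exploit. An .ANI file is a RIFF container with form
type 'ACON'. Its 'anih' chunk holds a fixed 36-byte ANIHEADER, and the
flaw described above is a copy into that fixed-size structure that
trusts the chunk's own length field. The check a safe loader needs is:
every anih chunk, not only the first, must declare exactly 36 bytes
before anything is copied. The sample files below are constructed here.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs
ANIH_FIELDS = ("cbSize", "nFrames", "nSteps", "iWidth", "iHeight",
               "iBitCount", "nPlanes", "iDispRate", "bfAttributes")


def riff_chunks(buf):
    """Yield (chunk_id, payload) for the chunks packed back to back in buf."""
    off = 0
    while off + 8 <= len(buf):
        cid, size = struct.unpack_from("<4sI", buf, off)
        body = off + 8
        if body + size > len(buf):
            raise ValueError("chunk %r at %d runs past its container" % (cid, off))
        yield cid, buf[body:body + size]
        off = body + size + (size & 1)  # RIFF pads odd-sized chunks to even


def anih_chunks(data):
    """Every anih payload in the file, in order, descending into LIST chunks."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON animated cursor")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    found = []

    def walk(buf):
        for cid, payload in riff_chunks(buf):
            if cid == b"anih":
                found.append(payload)
            elif cid == b"LIST" and len(payload) >= 4:
                walk(payload[4:])  # skip the 4-byte list type ('fram', 'INFO', ...)

    walk(data[12:8 + riff_size])
    return found


def unchecked_copy_overflow(data):
    """Per anih chunk: bytes an unchecked copy into a 36-byte ANIHEADER would
    write past the structure. All zeros means this file cannot overflow it."""
    return [max(0, len(p) - ANIH_SIZE) for p in anih_chunks(data)]


def parse_ani(data):
    """Return the ANIHEADER fields, refusing any anih chunk of the wrong size."""
    headers = anih_chunks(data)
    if not headers:
        raise ValueError("no anih chunk")
    for i, payload in enumerate(headers):
        if len(payload) != ANIH_SIZE:  # the length check the vulnerable path lacked
            raise ValueError("anih chunk %d declares %d bytes, expected %d"
                             % (i, len(payload), ANIH_SIZE))
    return dict(zip(ANIH_FIELDS, struct.unpack("<9I", headers[0])))


# --- constructed samples (not real files) ----------------------------------
def _chunk(cid, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return cid + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payloads):
    """Minimal RIFF/ACON file containing the given anih chunks (frames omitted)."""
    body = b"ACON" + b"".join(_chunk(b"anih", p) for p in anih_payloads)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = build_ani([GOOD_HEADER])
# A second anih chunk that claims 100 bytes: 64 would spill past the struct.
EVIL_ANI = build_ani([GOOD_HEADER, GOOD_HEADER + b"A" * 64])

if __name__ == "__main__":
    print("good:", parse_ani(GOOD_ANI), unchecked_copy_overflow(GOOD_ANI))
    print("evil overflow per anih chunk:", unchecked_copy_overflow(EVIL_ANI))
    try:
        parse_ani(EVIL_ANI)
    except ValueError as e:
        print("evil rejected:", e)
```

The point of checking every anih chunk is that a file can carry a perfectly valid first header and hide the oversized one later in the stream; a loader that validates only the first copy is still exploitable.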

The Zero-day Emergency Response Team has a pretty good writeup on their site about the exploit as well as a patch to resolve the problem. This is a pretty big security issue, so I recommend at least checking out the info on their site.

This vulnerability affects Windows 98, 2000, XP, Server 2003, and Vista. The Internet Storm Center also warns that other unsupported versions of Windows, probably Windows 95 and ME, are likely affected too, and neither ZERT nor Microsoft is likely to release a patch for those. The ISC additionally has a nice matrix of which mail clients are vulnerable, since a malicious cursor can be delivered inside an HTML message as well as from a web page.

Microsoft has released an out-of-cycle patch for this vulnerability. You can find the relevant files on their advisory page, bulletin MS07-017. Patches for Windows 2000, XP, Server 2003, and Vista are available. If you still use Windows 98, the ZERT patch is your only option.

Update: eEye had released a patch back on March 30th for this vulnerability. However, that patch only ensures that .ANI files are loaded from the SystemRoot and not from anywhere else. While this blocks most exploits, it does not fix the overflow itself, so if an attacker can somehow write to the SystemRoot, the system is still vulnerable.

Please take special note: this is being actively exploited in the wild. It is a serious remote code execution vulnerability that can lead to your computer being compromised simply by viewing a malicious web page or e-mail. Please make sure you have an anti-virus program installed and up to date. And remember, your first line of defense is you. Be responsible, know the risks, install the patches, and keep yourself safe.