[SecurityRatty] tag: urge

MS08-067 and the SDL

Wed, 22 Oct 2008 21:09:00 +0000

Hi, Michael here.

No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL).

Before I get into some of the details, it's important to understand that the SDL is designed as a multi-pronged security process to help systemically reduce security vulnerabilities. In theory, if one facet of the SDL process fails to prevent or catch a bug, then some other facet should prevent or catch the bug. The SDL also mandates the use of security defenses, because we know full well that the SDL process will never catch all security bugs. As we have said many times, the goal of the SDL is to "Reduce vulnerabilities, and reduce the severity of what's missed."

In this post, I want to focus on the SDL-required code analysis, code review, fuzzing and compiler and operating system defenses and how they fared.

Code Analysis and Review

I want to start by analyzing the code to understand why we did not find this bug through manual code review nor through the use of our static analysis tools. First, the code in question is reasonably complex code to canonicalize path names; for example, strip out ‘..' characters and such to arrive at the simplest possible directory name. The bug is a stack-based buffer overflow inside a loop; finding buffer overruns in loops, especially complex loops, is difficult to detect with a high degree of probability without producing many false positives. At a later date I will publish more of the source code for the function.

The loop inside the function walks along an incoming string to determine if a character in the path might be a dot, dot-dot, slash or backslash and if it is then applies canonicalization algorithms.

The irony of the bug is it occurs while calling a bounded function call:

_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);

This function is a macro that expands to wcscpy_s(dest, len, source); technically, the bug is not in the call to wcscpy_s, but it's in the way the arguments are calculated. As I alluded to, all three arguments are highly dynamic and constantly updated within the while() loop. There is a great deal of pointer arithmetic in this loop. Without going into all the gory attack details, given a specific path, and after the while() loop has been passed through a few times, the pointer, previousLastSlash, gets clobbered.

In my opinion, hand reviewing this code and successfully finding this bug would require a great deal of skill and luck. So what about tools? It's very difficult to design an algorithm which can analyze C or C++ code for these sorts of errors. The possible variable states grows very, very quickly. It's even more difficult to take such algorithms and scale them to non-trivial code bases. This is made more complex as the function accepts a highly variable argument, it's not like the argument is the value 1, 2 or 3! Our present toolset does not catch this bug.

Ok, now I'm really going out on a limb with this next section.

Over the last year or so I've noticed that the security vulnerabilities across Microsoft, but most noticeably in Windows have become bugs of a class I call "onesey - twosies" in other words, one-off bugs. There is a good side and a bad side to this. First the good news; I think perhaps we have removed a good number of the low-hanging security vulnerabilities from many of our products, especially the newer code. The bad news is, we'll continue to have vulnerabilities because you cannot train a developer to hunt for unique bugs, and creating tools to find such bugs is also hard to do without incurring an incredible volume of false positives. With all that said, I will add detail about one-off bugs to our internal education; I think it's important to make people aware that even with great tools and great security-savvy engineers, there are still bugs that are very hard to find.

Fuzz Testing

I'll be blunt; our fuzz tests did not catch this and they should have. So we are going back to our fuzzing algorithms and libraries to update them accordingly. For what it's worth, we constantly update our fuzz testing heuristics and rules, so this bug is not unique.

Defenses

If you want the full details of the defenses, and how they come into play on Windows Vista and Windows Server 2008, I urge you to read teh SVRD team's in-depth analysis once it is posted.

A big focus of the SDL is to define and require defenses because we have no allusions about finding or preventing all security vulnerabilities by attempting to get the code right all the time, because no-one can do that. No one. See my comment above about one-off bugs!

Let's look at each SDL mandated requirement and how they fared in light of this vulnerability.

-GS

The -GS story is not so simple. A lot of code is executed before a cookie check is made and the attacker can control the overflow because the overflow starts at an offset before the stack buffer, rather than at the stack buffer itself. So the attacker can overwrite other frames on the call stack, corresponding to functions that return before a cookie check is made. That's a long way of saying that -GS was not meant to prevent this type of scenarios.

ASLR and NX

The code fully complies with the SDL, and is linked with /DYNAMICBASE and /NXCOMPAT on Windows Vista and Windows Server 2008. There are great defenses when used together, and reduce the chance of a successful attack substantially. Also, the stack offset is randomized too, making a deterministic attack even more unlikely.

Service Restart Policy

By default the affected service is marked to restart only twice after a crash on Windows Vista and Windows Server 2008, which means the attacker has only two attempts to get the attack right. Prior to Windows Vista, the attacker has unlimited attempts because the service restarts indefinitely.

Authentication

Thanks to mandatory integrity control (MIC) settings (which comes courtesy of UAC) the networking endpoint that leads to the vulnerable code requires authentication on Windows Vista and Windows Server 2008 by default. Prior to Windows Vista, the end point is always anonymous, so anyone can attack it, so long as the attacker can traverse the firewall. This is a great example of SDL's focus on attack surface reduction; requiring authentication means the number of attackers that can access the entry point is dramatically reduced.

Firewall

We enabled the firewall by default in Windows XP SP2 and later, this was a direct learning from the Blaster worm. By default, ports 139 and 445 are not opened to the Internet on Windows XP SP2, Windows Vista and Windows Server 2008.

Summary

The $64,000 question we ask ourselves when we issue any bulletin is "did SDL fail?" and the answer in this case is categorically "No!" No because as I said earlier the goal of the SDL is "Reduce vulnerabilities, and reduce the severity of what you miss." Windows Vista and Windows Server 2008 customers are protected by the defenses in the operating system that have been crafted in part by the SDL. The development team who built the affected component compiled and linked with the appropriate settings as described in "Windows Vista ISV Security" and Writing Secure Code for Windows Vista so that their service is protected by the operating system.

The team did not poke holes through the firewall unnecessarily, in accordance with the SDL.

The team reduced their attack surface, in accordance with the SDL, by requiring authenticated connections rather than anonymous connections by default.

We know that the SDL-mandated -GS has very strict heuristics so some functions are not protected by a stack cookie, but in this case, there is no buffer on the stack, so there will be no cookie. We know this. There are no plans to remedy this in the short term.

Fuzzing missed the bug, so we will update our fuzz testing heuristics, but we continually update our fuzzing heuristics anyway.

In short, based on what we know right now, Windows Vista and Windows Server 2008 customers are protected because of the SDL-mandated defenses in the operating system, and because the development team adhered to the letter of the SDL to take advantage of those defenses.

Chalk one up for Windows Vista and later and the SDL!

As usual, questions and comments are very welcome.

African officials urge use of IT for disaster management

Sun, 20 Jul 2008 20:00:00 +0000

African countries need to make better use of ICT in order to do a better job of managing both natural and man-made disasters, according to a cross section of political and technology officials speaking at an International Telecommunications Union forum in Lusaka last week.

Apple does about-face, fixes Safari's 'carpet bomb' bug

Thu, 19 Jun 2008 09:00:00 +0000

Apple has updated the Windows version of Safari, patching four flaws including one that prompted rival Microsoft to urge users to stop using Apple's browser.

Researchers urge ransomware victims to try file-recovery app

Mon, 16 Jun 2008 09:00:00 +0000

Moscow-based Kaspersky Lab is telling ransomeware victims of Gpcode.ak how to recover data thought lost to the extortionists.

Hurricane season officially begins in 24 hours and many are doing nothing about it.

Fri, 30 May 2008 23:50:00 +0000

I was watching the weather channel yesterday to see what the weekend would be like and was surprised to learn that the price of oil is being blamed for people's lack of preparation leading up to hurricane season.

According to the broadcaster, 50% of people living in areas that are most likely to be hit by hurricanes have not conducted any disaster planning whatsoever. Of people surveyed, 30% admitted that they will wait until they hear warnings on the television before they do anything. The report said that this is the first time since Huricanes Katrina and Rita struck, that people were so poorly prepared.

One very interesting fact that 95% of people do not realize is that garages are the most vulnerable area of a dwelling to be hit by a Hurricane. The Hurricane will tear off the roof of the house right after gaining access to the property through the garage. We would urge all of our readers living in areas susceptible to hurricanes to make sure that their garages are well secured. Times may be tight and the cost of fuel is becoming more and more burdensome but there is no point losing your house when you just may have been able to prevent it.

If you didn't realize this fact about your garage, check it out today. Time may be running out.

Parents can't afford to let their guard down when it comes to their children's safety

Fri, 23 May 2008 00:35:00 +0000

I was very fortunate last night to have been able to attend a presentation in Richmond by the well known Criminal and Behavioral Profiler, Dr. Clinton Van Zandt.
Dr. Van Zandt adressed a dinner which was organized by the Private Investigators Association of Virgina. Attendees were kept spell bound by inside sories involving the Jon Bennet Ramsey murder, The Unibomber, The Beltway Snipers and more.

Last month I was also fortunate to have been able to hear Col. Dave Grossman speak eloquently and passionately about the tragic school shootings in which he has been called in to assist educators and parents understand. One thing is clear from listening to both men, parents need to be ever mindful of the fact that they are their children's protectors. They are the sheepdogs, ever on the lookout for marauding wolves.

If you are a parent, or an educator or a security professional, I strongly urge you to read up on the teachings of these learned men and jump at the opportunity to hear them live if at all possible. I personally guarantee you that you will not be disappointed.

Spring ISD mobile devices stolen along with personal student information

Sun, 18 May 2008 19:01:44 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Spring Independent School District ("Spring ISD")

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
~8,000

Types of Data:
"personal information, including name, social security number or state-assigned identification number, gender, name of school, grade and birthday"

Breach Description:
"Spring ISD has been informing the parents of about 8,000 students of an incident that occurred in the evening on Wednesday, May 14 that involves the students’ personal information. The Spring ISD testing coordinator’s car was broken into while she was making a stop at a business on her way home from work that evening and a Spring ISD laptop computer and an external flash drive were stolen."

Reference URL:
Spring ISD News
Houston Chronicle
ABC Channel 13 News

Report Credit:
Spring ISD

Response:
From the online sources cited above:

Spring ISD has been informing the parents of about 8,000 students of an incident that occurred in the evening on Wednesday, May 14 that involves the students’ personal information.

The Spring ISD testing coordinator’s car was broken into while she was making a stop at a business on her way home from work that evening and a Spring ISD laptop computer and an external flash drive were stolen.
[Evan] The fact that the district allows personal student information to be stored on mobile devices is very troubling. There is no mention of encryption, so I will assume that there was none. This is very careless.

The coordinator's computer bag was stolen from her vehicle between 5:30 and 7 p.m. Wednesday when she stopped to run an errand near Mason Road and Beltway 8, on her way home from work

The coordinator had the laptop, Curry said, because the job responsibilities often require her to work nights and weekends.
[Evan] Fine. This is the reason why many organizations use laptops. The problem is the lack of control and security. If an organization decides to employ laptops, then the organization MUST ensure that they are adequately protected.

The flash drive contains the Texas Assessment of Knowledge and Skills (TAKS) results of third and fifth graders who have taken the first round of reading and math tests, eighth graders who have taken the first round of math tests and 11th and 12th graders who have taken the exit level retest.

In addition, the drive contains the students’ personal information, including name, social security number or state-assigned identification number, gender, name of school, grade and birthday.
[Evan] Why in the *&^$ does a testing coordinator have Social Security numbers on a laptop and/or flash drive?! A Social Security number should have no correlation to testing scores.

This also applies to students who are in those testing groups but were absent when the testing took place.

Personal phone calls were made to the parents of these students on Thursday, letters were sent home with students and the letters are being mailed to homes also in an effort to help parents quickly take steps to protect their children from identity theft.

"The district immediately contacted federal agencies to make them aware of the theft, and we are checking to see whether there is any thing else we can do on behalf of the individual students. In the meantime, we urge parents to use the information we have provided," said Regina Curry, assistant superintendent for communications and community relations.

The theft is being investigated by the Harris County Sheriff’s Department and every effort is being made to recover the equipment.

The district has reported the incident to the Texas Education Agency Test Security Task Force and will comply with whatever action they require.

"This incident is highly regrettable and the district is looking at potential security precautions to protect the students’ personal information in the future," Curry said.
[Evan] I'm sure that the district regrets the incident, but careless acts have consequences and this should have been known beforehand.

Anyone with information about the theft is urged to call the Harris County Sheriff's Office Burglary and Theft Division at 713-967-5770 or the Spring ISD Police Department at 832-764-4911.

Commentary:
I try to be politically correct in many of my comments although sometimes I push the boundaries. I can't think of a word right now that adequately expresses my thoughts. Where was common sense? It could be argued that many breaches we read about entail a certain amount of dumbness, but this one definitely strikes a chord.

Who in their right mind would allow highly-confidential personal information to be carried around on mobile devices? Without encryption? When it isn't necessary? It puzzles me.

I feel like I should say more, but my high blood pressure has gone high enough for the day. I should rest.

Past Breaches:
Unknown

A coward exposes personal information on 40% of Chileans

Fri, 16 May 2008 09:56:50 +0000

Technorati Tag: Security Breach

Date Reported:
5/10/08

Organization:
Chilean Government

Contractor/Consultant/Branch:
None

Victims:
Chilean residents

Number Affected:
~6,000,000

Types of Data:
"names, addresses, telephone numbers and taxpayer identification numbers"

Breach Description:
"An anonymous hacker has posted personal data about 6 million Chilean residents on the Internet, highlighting wider privacy problems in the country. The data was posted early Saturday morning on Fayerwayer.com, a popular Chilean technology blog."

Reference URL:
Fayerwayer.com Alert
ABC News
The Tech Herald
International Herald Tribune
vnunet.com

Report Credit:
JI Stark, Fayerwayer.com

Response:
From the online sources cited above:

ORIGINAL POST TEXT GOOGLE TRANSLATED
Something really horrible has just come to our comments. Moments after writing about the purchase of Inquisitor by Yahoo, an anonymous comment left three links to download two files that contain databases in CSV of public and private institutions where there is sensitive information of millions of Chileans, like RUN - Role purely national identification number Chilean -, socio-economic data, electoral, educational, addresses, and telephone numbers individuals, among others.

We urge that these files if they see us please not download or disseminated by any electronic means.

It is extremely dangerous what can happen - and what can happen to you, as the only disseminate is an offence punishable by law - in the case that such senstive data failling to the hands unscrupulous. It seriously.

Update 02:46 AM (GMT -4): The team of FireWire is doing everything in its power at this time to cooperate and ensure that this situation is resolved as soon as possible.

Update 03:25 AM (GMT -4): The topics in our forums with links to the files were deleted. The FireWire forums require registration, so that data - although most likely false, including IP's mask - will be put in the hands of the authorities.

Update 04:45 PM (GMT -4): The Cybercrime Brigade of the Investigative Police of Chile already contacted us, told us about the progress of the investigation that is already under way and we extend all cooperation that is within our grasp.

END OF ORIGINAL POST TEXT

A hacker has obtained the personal details of around six million Chileans from government and military servers and posted them on a technology blog.
[Evan] "Anonymous Coward" posted the information in the comments of the purchase of Inquisitor by Yahoo posting on www.fayerwayer.com. href="http://www.fayerwayer.com.%3C/span%3E%3Cbr%3E%3Cbr%3EThe">

The hacker, who calls himself "Anonymous Coward," posted three compressed files of data that included names, addresses, telephone numbers and taxpayer identification numbers for Chilean residents, said Leo Prieto, Fayerwayer.com's director.

The data was taken early Friday from servers at the Education Ministry, the electoral service and the military

it was first reported to police early Saturday by Leo Prieto, the administrator of a local technology-oriented Internet site who discovered links to the information online.

Among the data was a list of students who receive preferential public transportation rates, including one of President Michelle Bachelet's two daughters

Despite the information's prompt removal from the Internet, some people may have downloaded it "and it may still be around on the Internet,"

over the following days the files started popping up on other sites including Google's Blogger
[Evan] You can't un-disclose confidential information. Once the confidentiality of information has been compromised, it is always going to be compromised.

Reports claim that the hacker performed the stunt to highlight poor levels of data protection in Chile.
[Evan] What idiot would pull such a stunt and claim such a ridiculous justification?

In a note accompanying the files, Anonymous Coward said he posted the databases to draw attention to the poor data protection measures in the country
[Evan] This is the worst way to draw attention to poor data protection. What "Anonymous Coward" did was create 6,000,000+ enemies and put his/her very well being at risk. He/she caused an extraordinary amount of harm to almost 40% of Chile's population and made a complete ass out of him/herself.

El Mercurio reported that it had access to some of the data, including a file in which the hacker said he intended "to demonstrate how poorly protected the data in Chile is, and how nobody works to protect it."

The files include tips on what to do with the data and how best to access it.

"Chile may be on the other side of the world, but the scale of this data breach should not be ignored," said Graham Cluley, senior technology consultant at security firm Sophos.

"No matter how moral or ethical the motive, this prank was irresponsible and has left almost 40 per cent of Chile's population at risk of identity theft."

Cluley added that all organisations around the world should see this as a wake-up call and ensure that all personal and sensitive information is stored securely.
[Evan] You would think that the 94,000,000 credit card numbers stolen from TJX, or the 26,500,000 Social Security numbers on the stolen Veterans Affairs laptop, or the 25,000,000 personal records lost on CDs from HM Customs and Revenue would wake organizations up. There is still this illogical thought in organizations that "this will never happen to us". It DOES and IT WILL. I'm not even going to get into information security personnel that lack skill and have business leaders fooled into thinking that they are doing the right thing(s).

"Whether or not the loss results in a fine is almost irrelevant; the consequences of falling victim to such an attack can mean irreversible damage to reputation and customer confidence."
[Evan] I couldn't agree with Mr. Cluley any more. This is a guy that "gets it".

Commentary:
Unbelievable. The evil in some people. So let's say that "Anonymous Coward" is caught (I think chances are better that 50/50). Now what? How do you punish someone whose actions put 6,000,000 people at risk of losing their identities. These people will live with some level of fear for a very long time. Punishment will be severe, but how severe is enough? This will be an interesting story to follow.

Let's not lose sight of another issue with this breach. What is the Chilean government doing to protect confidential information and what does it intend to do in response to this breach? Obviously the government needs to secure information better, but how will they respond to 40% of their residents being exposed to fraud and all that comes with it? I don't know what can be done short of re-assigning government issued identifiers to Chilean residents. This breach (or series of breaches) could be very costly to residents, the Chilean economy and the government.

Past Breaches:
Unknown

Cornerstone Fitness for Women information found in discarded file cabinet

Mon, 05 May 2008 10:01:48 +0000

Technorati Tag: Security Breach

Date Reported:
4/30/08

Organization:
Cornerstone Fitness for Women

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names, addresses, phone numbers and in many instances Social Security numbers copies of checks and credit card information

Breach Description:
"EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin."

Reference URL:
KRGV-TV Newschannel 5
The Monitor
The Brownsville Herald

Report Credit:
KRGV-TV Newschannel 5

Response:
From the online sources cited above:

EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin.

This story came to our attention after NEWSCHANNEL 5's Lisa Cortez received a phone call from a complete stranger on her cell phone.

He had Lisa's contract from Cornerstone Fitness.

He knew not only her phone number, but also her address, employer, and a copy of a check used to pay her account.

He also had about 30 other contracts.

It has everything you would want to know about them. I think those people deserve to know about it, " said Zumwalt. (Sammy Zumwalt, the person that called Ms. Cortez)

All contracts list names, addresses and phone numbers. Some of them list social security numbers and have copies of checks and credit cards.

Zumwalt says his friend found a filing cabinet in a dumpster behind the former Cornerstone Fitness Center for Women in Edinburg.

The center shut down several months ago.
[Evan] This isn't the first time that we have read about an organization vacating a location and leaving sensitive information behind (unsecured). Just in the past few months there was Affordable Realty in March, and Union Mortgage and First Magnus in February.

The paperwork was in Zumwalt's room for several weeks.

Recently, he decided to go through the stack of papers and came across the sensitive information.

Zumwalt turned the contracts over to NEWSCHANNEL 5.
[Evan] Why NEWSCHANNEL 5 and not the police or the Texas Attorney General? Do you think somebody wanted their 15 minutes of fame?

"At this point, we don't know what happened. This is not our usual practice. We are investigating it. We've been in the business for 10 years and this is the first time we hear of something like this. " (Joseph De la garza, one of the fitness club's owners)

NEWSCHANNEL 5 sorted through the contracts and contacted several members from the pile.

Cornerstone tells NEWSCHANNEL 5 they carefully guard all sensitive client information.

State Sen. Juan "Chuy" Hinojosa, D-McAllen, urged Texas Attorney General Greg Abbott to investigate, according to Jerry Strickland, a spokesman for the attorney general's office.
[Evan] I guess this is one good thing about reporting it to the media instead of the authorities. Mr. Hinojosa sees it on TV and pushes for an investigation.

"A lot of businesses are being very careless in the way they handle personal information," Hinojosa said. "Businesses (are required) to shred all information they no longer need."
[Evan] Oh yes, very true.

Victim Reaction:
"I mean, I don't even know how to explain how I feel, because I am so in shock," said one woman after we read her social security number.

Denise Grant told NEWSCHANNEL 5, "You never realize how important this information is until you have to try to prove that you are who you say you are." (a woman who claims to have been an victim of identity theft before)

Commentary:
Well, we all know (or should know) that this type of breach is nothing new, but I am keyed in on what Mr. Hinojosa stated, "A lot of businesses are being very careless in the way they handle personal information".

What will urge businesses to be more careful and secure personal information better? More laws? More costly fines? More laws mean more compliance. More compliance means more cost to companies. More cost to companies means more expensive goods and services. Seems that the same argument holds true for fines.

Maybe we should stop using a single identifier for all things personal (i.e. Social Security numbers). Do you think that the credit bureaus and the rest of the financial industry would go for such a radical idea? Do you know how the credit bureaus make money (I won't go into this now)? This would be a tough battle to fight.

An easy to implement solution does not exist. We have walked so far down this road that I think we may have gotten a little lost.

I have ranted long enough. On to the next breach, right?

Past Breaches:
Unknown

Woule the Do not Track registry work like the Do not call registry?

Wed, 16 Apr 2008 10:21:05 +0000

Im not sure how good an idea this is. Im on every do not call list I can find and I still get calls.
I do believe if you use my data to make a profit, you should reimburse me a lil.

clipped from news.yahoo.com

Consumer groups urge “do not track” registry

WASHINGTON (Reuters) -
Two consumer groups asked the
Federal Trade Commission on Tuesday to create a “do not track
list” that would allow computer users to bar advertisers from
collecting information about them.