Windows 95 Turns 10 - 29 August 2005

Ten years ago, last week, saw the introduction of one of the most influential software applications of the modern computing era (August 24, 1995). Microsoft released their Windows 95 Operating System to eager PC users, the first 32-bit Operating System for personal computer users running IBM-PC compatible systems. IBM and Apple looked on in interest, as Microsoft was finally releasing their much-hyped next generation Operating System, which would bring to the mass market many features which OS/2 (IBM), and System 7.5 (Apple) had provided to their respective users. Although not a true Operating System at that stage - it was a graphical application which rested on top of a modified MS-DOS, it was a resounding initial success.

For many years, IBM-PC compatible users had dismissed the mouse and the graphical user interface (the GUI), as merely toys, something that 'real' computer users could do without. The release of Windows 95 changed that approach, and allowed Microsoft to aggressively pursue their goals of increasing the size of the Personal Computer industry. This was spectacularly achieved with Windows 95, and the following consumer version of Windows 98. Unfortunately, a large number of the new computer owners (and users) had no in-depth knowledge of how their systems worked, preferring to remain in the position of knowing how to achieve the tasks that they needed to, ant not much more.

Even with this success, it may have laid the seeds for the persistent security problems facing Microsoft Windows users, even now. While the security of the competing consumer, and business, Operating Systems was not all that advanced, Microsoft's mass market appeal made it more susceptible to future abuses, as it fostered the introduction of a large, semi computer-literate userbase. The slow recognition of the emerging importance of the Internet was an extremely costly mistake for Microsoft. The addition of an Internet browser (Internet Explorer) was such a late inclusion that it was not present on retail copies of Microsoft Windows 95, but was on the OEM versions.

The power of the new Operating Systems gave software developers a very useful development environment, and the low level of security knowledge at the time meant that developers were not too concerned with possible abuses of their applications such as buffer overflows. In the gold rush to release software, security took a back seat, along with multi-user management (especially difficult in a single user Operating System), and the after-effects are still being felt now, as the descendants of this coding approach are being exploited in the modern networked computing environment.

Some of the sharper historical wits have highlighted a unique coincidence with the release date of Windows 95. August 24, AD 79, was the date that Mt. Vesuvius erupted, burying the cities of Pompeii and Herculaneum. Perhaps a parallel can be drawn with the effects of Windows 95 on modern computing.

In some more positive news for users of Microsoft's Internet Explorer, it has been suggested that the anti-phishing component of Internet Explorer 7 will be provided to users of Internet Explorer 6, via a plugin to the MSN Toolbar. In addition to needing Internet Explorer 6, Windows XP with Service Pack 2 installed will be needed as the underlying system. There is no news as to whether other versions of Internet Explorer, or Microsoft Windows, will have the protection made available.

The recent Zotob worm release, covered in last week's column, has already seen a number of arrests over the creation and released of it. Because of the relation to the earlier Mytob worm, authorities are confident that they have arrested the originators of that worm as well. Given the willingness of companies that have been hit with damaging worms to call for severe punishment (to hide their inability to protect their systems), and the history of the German teenager (Sven Jachsen) who released a Sasser variant, it is likely that the people currently in custody are to face some significant jail time. The arrests were carried out in Morocco and Turkey, and it is not known whether there will be any attempts to extradite the suspects to other countries to face different legal systems - although the FBI are currently indicating that they will not be seeking extradition. From the reporting surrounding the case, it appears that the teenage Moroccan was the author of the Zotob and Mytob worms, writing them for the Turk, who paid for their creation.

The FBI was involved with tracking down the suspects, and utilised technical assistance from Microsoft in finding the source of the worms. The Moroccan teenager was known online as Diabl0, an identity which was already known as the originator of the worm. Various security mailing lists were fully aware of the identity Diabl0, but not the real person behind it. It was suggested that the slipup was the result of the Turkish hacker attempting to move funds from users whose systems had been compromised, but the case is still under investigation. The tracking and identification of the suspects was achieved through electronic means only, separating it from Sven Jachsen's case, where he was identified by associates.

The popular open-source media player, mplayer, has recently been found to be vulnerable to a memory overflow attack which can result in the execution of code of choice by remote attackers any time that a specially crafted audio or video file is opened. The existence of mplayer has been a boon for a lot of Linux users, who have otherwise been at a loss for being able to replay audio and video without booting into another OS. All versions prior to 1.0pre7try2 are vulnerable, and the recommendation is to upgrade to this version. While it is not known whether it is being actively exploited, it could become the basis for a worm that would spread through Linux based systems (one of few possible chances).

With similar news circulating for a while now, another set of weaknesses has been found in the various in-room electronic services provided in many hotels around the world. While most of the vulnerabilities that have been disclosed to date are the result of an incorrect installation and setup, the most concerning reports suggest that the core services are vulnerable to various active and passive attacks, including capture of all traffic crossing the network (i.e. view other hotel clients' mail and websurfing), and insertion of content of choice (i.e. reprogram all television channels to show the adult PPV movie, which has also had payment restrictions bypassed). When traveling and staying in a hotel which offers these sort of facilities, it is important to apply the same sort of caution to your online activities, as you would in an Internet cafe. Essentially, any network connection made from such an environment should not be considered a trusted connection, and you should apply your own internal checks and balances to ensure against compromise.

The Coming Storm - 15 August 2005

A broad range of vulnerabilities have been disclosed and patched by Microsoft with their monthly patch release. The impact of the vulnerabilities range from local user privilege escalation (e.g. normal -> admin), through remote Denial of Service, to potentially total compromise of a vulnerable system. Exploits for a number of the issues are already in active circulation, and have been for some time. For detailed description, reference should be made to the applicable security updates from Microsoft. It is strongly recommended that all Windows users update to the latest security patches.

The vulnerabilities are being actively exploited on a wide scale. Although exploits were circulating prior to the patch releases, there has been an explosion in the number of attacks, with the start of the working week in the US expected to be a critical turning point. The Universal Plug and Play vulnerability is expected to become a major exploitation route, with multiple examples of exploits currently circulating.

A number of months ago, Microsoft announced the existence of their Honeymonkey network. Similar to a Honeypot, which is a fake server which is designed to lure malicious attackers to demonstrate their skills, a Honeymonkey is a system which is designed to actively surf a network and monitor for any automated style attacks. According to SecurityFocus, the Microsoft project has already identified nearly 300 sites which launch automated attacks against standard Windows XP systems, including one claimed 'zero-day' exploit. A 'zero-day' exploit is an exploit which has been released without the target software vendor being aware of the vulnerability being exploited. The exploit in question uses the JView vulnerability which was mentioned last month in this column. The JView vulnerability is just one symptom of the underlying COM Object instantiation problem, and the early news notification was suggesting that exploits were in the wild at the time (so it appears that Microsoft missed the boat on this one, again). The vulnerability exploited by the so-called 'zero-day' exploit was fixed in the recent 'Black Tuesday' updates from Microsoft.

News surfaced a little more than a week ago about moves by the US Government, through the FCC, to expand the Communications Assistance to Law Enforcement Act (CALEA). This is apparently being done to ensure that law enforcement agencies will still be able to conduct wiretaps even if alternative communications technology such as VoIP is being used. The practical implementation of the expansion is requiring networking hardware vendors to include a 'backdoor' in all their products, which can allow for access by law enforcement agencies as required. There are significant privacy and security concerns which arise from this expansion of the CALEA. From a security standing, it creates a known weakness in all networking hardware, a weakness which will not remain secret forever. Privacy activists are worried, because the access being granted allows for all the traffic flowing through the hardware to be grabbed (even if the CALEA provisions don't allow it).

Some observers have suggested that it is a slippery slope trying to maintain an effective balance between privacy and oversight. Although it has been said multiple times, the Internet is not a medium for storing or transmitting information that should not be seen by everybody. It is not a suitable place to store confidential information, and users should not expect to maintain confidentiality. Wireless technologies and the rise in broadband connections only makes it more difficult to ensure that adequate trust exists. Assuming that the Internet is anything other than that is a dangerous and naive stance to take, and is what leads to people getting themselves into trouble unintentionally.

One industry which has introduced strict rules in an attempt to enforce a reasonable level of information security is the Medical sector. Laws such as HIPAA are designed to ensure that adequate steps are taken in order to protect client privacy and medical results. Efforts to digitise medical records are fraught with greater risk of information disclosure, although it can expedite the net care delivery, which is the desired outcome. Various Governments in different countries have attempted to implement electronic medical records management, with varying levels of success, such as the OACIS system in South Australia, and the NHS Medical Record System in Britain. The NHS project has been a spectacular failure in terms of money spent, and lack of deliverable results. The Times came out with an article which claims that a large number of end users are becoming demoralised with the system, and that the £6 billion GBP system might be better off being written off. The project is already the most expensive Information Technology project in Britain, and the article claims that there are fears that the total cost of the project could explode to £30 billion GBP over the next 10 years. In a spectacular example of shooting the messenger, the report which prompted the article blamed the disaffected users for the delays in implementing the project.

Another company which has recently been shooting messengers publicly, is Oracle (of course Cisco has done it, too). As a part of their series on Information Security specialists, ZDNet Australia interviewed the Chief Security Officer at Oracle. The resulting article was more of a PR piece than a detailed look at the security practices at Oracle, which makes it like the other articles in the series by lacking real depth of technical information. What did make the article, however, was clear indication that Oracle (amongst other companies) prefers to shoot messengers who are bearing information that they don't want to know about, or admit to. One of the responses by the Oracle CSO appeared to be establishing an 'us and them' approach to security vulnerabilities, denigrating the input from independent security researchers.

When a short lead time is given between vulnerability notification and public release (such as a matter of days), it places software vendors in a bind as they are unable to produce results, even if they throw resources at fixing issues. When the software vendors have had several hundred days to fix reported vulnerabilities, however, their complaints about unethical treatment from the independent researchers wear a little thin, especially if the vulnerabilities remain unfixed.

In the defence of the software vendors, it does become difficult to implement security fixes without breaking other functionality that the application has. This is especially true with any large scale application or product line, where the codebase is immense. As a result, being able to respond in a timely manner with a fix is sometimes near to impossible.

Snake oil is still being sold by the marketers, as the 'unbreakable' databases from Oracle aren't as secure as they are made out to be, and the 'self defending' network hardware from Cisco can't prevent against itself being attacked. If your security is not at a suitable level, then people will tell you about it.

In shorter news, Japanese online music purchasers have recently gained access to a localised iTunes Music Store, and have celebrated the access by purchasing a million tracks within the first four days. Australian online music buyers are still unable to utilise the popular online music store, with rumours suggesting that the holdup has been as a result of music companies holding out for a better deal.

Multiple news agencies were reporting mid last week on the settlement between Microsoft and notorious Spammer, Scott Richter. The settlement is conditional on the lifting of bankruptcy claims by Scott Richter, and his company OptInRealBig.com, along with compliance with extant anti-spam laws, and acceptance of three years oversight of his operations. Notorious as a former 'Spam King', as one of the top 3 global spammers, Richter has since cleaned up his act significantly, recently being removed from a list of Known Spam Operators. The $7 million USD settlement also includes a statement of contrition by Richter.

Grab a Coffee and Sit Back - 01 August 2005

The increased paranoia since the London attacks on July 7 is seeing a number of efforts to implement higher levels of monitoring and privacy data access by various Government agencies. One of the programs being implemented is a graphical overlay of security incidents over satellite imagery. The admission that the information might be up to 50 layers deep could prove more hindrance than benefit in the long run, by contributing to the information overload. Recently, the US TSA (Transportation Security Administration) were caught out overstepping their information collection provisions, and then caught out lying about it. The program in question is the successor to the CAPPS system, now known as Secure Flight. While the first two incidents are not related directly to the London attacks, the increased interest in CCTV proliferation and physical searching of travellers is a more direct response.

A new claim, by the same firm that claimed that $200 billion USD in productivity was lost by websurfing at work, is that free web space services are being used to a greater extent to carry spyware, malware and other inappropriate content. While the news from Websense is being widely reported, it does not come as a surprise to security professionals. Any time that a resource is available for free, people will come along and abuse it. At the same time, others who can not afford their own space will use it to distribute their own valid content. Seasoned Internet users will understand how simple it is to obtain free Internet space without requiring any form of identity validation, and they will understand that it is this capability which attracts the seamier side of the Internet.

This highlights a unique property of URLs. As a namespace, they are also a brand space, which allows site visitors to quickly identify the trustworthiness of a site based on the name in the address bar. Unfortunately, this is also open to exploitation, as seen by URL obfuscation attacks and phishing exploits, which appear in the browser as a legitimate URL, with a lot of gibberish attached to the end, but in reality are actually obscured addresses of other sites.

Arising in a discussion which followed the above news was an anecdote which suggests that the lack of trust with these sort of services nearly brought an individual's undoing. While they were applying for a job, they were contacted by someone claiming to be from the recruitment agency and to expedite their application, they could fill out a set of electronic forms. The forms covered some fairly personal details, and the email address did not match up with the recruiting firm. The end result was that the forms were legitimate, but it is an excellent example of a social engineering attack (i.e a con) which would be more likely to succeed than most.

An early controversy from the current DefCon conference in Las Vegas involves rumoured attempts at censorship by Cisco. The researcher in question has resigned their position with a commercial security research company (ISS), in order to present the information about Cisco router vulnerabilities. The content of his presentation, meant to be included in the conference notes, had been physically ripped out of each copy of the notes, and the suspicion is that Cisco applied pressure to ISS and DefCon to prevent the presentation which would publicly damage them. Cisco and ISS went so far as to file a restraining order against the researcher, and DefCon. DefCon is one of the best known hacker conventions held each year, and public announcement of security vulnerabilities in the forum is guaranteed to attract interest from both sides of the Information Security spectrum.

The researcher in question ignored these actions in order to present on how vulnerable Cisco networking equipment was to compromise. But, in order to do this, he submitted his resignation from ISS in order to present as an independent. The vulnerability used to demonstrate the attack had been patched in April, but it was stressed that the attack would succeed against any memory overflow vulnerabilities.

Because Cisco hardware supports a significant percentage of the Internet's infrastructure, the vulnerabilities disclosed at DefCon could have significant, wide ranging effects. Historical weaknesses have largely been only Denial of Service style attacks. The recently announced vulnerabilities are much more serious, allowing the attacker to run code of their choice on the equipment (essentially a total compromise of the hardware). The difference with attacks targeted at network hardware is that attacks directed at computers allow for control of a computer, but attacks directed at network hardware allow for control of the complete network.

The recommendation for operators of Cisco equipment is to continually ensure that they keep their hardware up to date with the latest patches and updates.

The fallout from the announcement of the vulnerabilities has caused deep division in the security community, lining those who believe in Full Disclosure up against everyone else. The release of the information is a perfect example of information wanting to be free. The attempt to suppress the release only made it more desirable for people to get possession of it. It guaranteed that far more attention will now be directed at Cisco products where, before, the content of the presentation might have been lost in the background noise at DefCon.

According to at least one analyst, the information released at DefCon was the result of information previously published on a Chinese site. The advisory released by Cisco supposedly protects against the actual vulnerability that was being investigated at the time (but does not prevent the theory being described from working against other flaws), and is in relation to the IPv6 implementation on their hardware. If router owners have applied the update from April, they will be protected for this one instance of the flaw. IPv6 is the next generation of Internet addressing, and is designed to provide enough address space for all possible devices that could connect to a network / the Internet. The current Internet addressing model, IPv4, is rapidly running out of space for new devices, and it has resulted in the creation of NAT addressing, which allows one public IP, even though numerous other devices are accessing the network from behind it.

Some people are annoyed that Cisco did not announce the fix, instead they 'streamlined' it with the April update. It looks like the spin being applied by Cisco and ISS PR representatives is contradictory. If the techniques described are not critical, as these companies are trying to elaborate, then why are they entering crisis mode in trying to suppress the availability of the information released? Cisco representatives even posted to security mailing lists telling everybody to ignore the document that most had in their possession, and to forget what they had read. This technique doesn't work, as various companies have found, such as Microsoft losing part of their Windows source code (via a third party breach), Cisco having their IOS source code stolen, Valve having the source code to Half-Life 2 stolen, and many other cases. Paranoid people have already suggested that this flaw has long been used for Intelligence agencies and other bodies to surreptitiously tap into traffic of interest, without alerting network managers that anything is out of place.

Microsoft has released to MSDN members the first beta release of their upcoming Windows release. Originally known as Microsoft Longhorn, the renamed version is Microsoft Vista, and also includes the first beta released of Internet Explorer version 7. For web developers and standards advocates, it appears that the rendering engine for Internet Explorer 7 has not been modified from the previous versions. Enhancements that it introduces include tabbed browsing, and a phishing detector.

The early reviews of the releases do little to instill faith in the upcoming products. It appears that IE 7 maintains most of the flaws that bugged web developers from IE 6, and earlier. The tabbed browsing enhancement brings it into line with most current browsers, but the User Interface modification that allows the tabs has caused some confusion and consternation amongst reviewers. The menus (File, Edit, etc) have been removed from the top of the active window to the line just above the rendered page. This places them below the tabs, and below the address bar. Unfortunately, this gives the impression that the menus are specific to those tabs, when they are application-wide. This is a major problem from a UI perspective, and will only cause confusion from less-experienced users. At least it is only the first beta, so there is some hope that these issues will be resolved prior to the final release.

The phishing filter is also a concern for security minded reviewers. The filter works by reporting the website address being viewed back to Microsoft, which then compares it against a list of known bad sites, before reporting whether it is a phishing site. The downside is that there needs to be a certain number of users who succumb to the phish before the Microsoft solution will be able to identify the site to others. This requires an extra set of connections for each website being visited, slowing down the user experience, and has the ability for Microsoft to identify an IP address and browsing habits even closer than any Internet marketing firm or spyware. The other concern from this is that phishers rarely establish dedicated domains for their efforts, preferring to use hacked sites, compromised cable or business systems, or elements of their bot networks. The blacklist established by Microsoft will have the same potential for abuse which spam blacklists have, and it will be more effective at trapping legitimate sites than phishing sites.

In an effort to slow down the spate of illegal network connections via unsecured wireless hotspots, people are beginning to be charged for accessing them without the express permission of the network owners. While using network bandwidth and resources without permission may be morally reprehensible, and laws exist which dictate penalties for such access, the rapidly changing nature of small scale networks, and laptop Internet connection technology is a threat to these laws. The rapid increase in people connecting to networks, in particular the Internet, who are not particularly Information Technology savvy has created a strange void where a user may be unknowingly connecting to a wireless access point that another person has unknowingly left unsecured.

For people who actively seek out unsecured networks, increasing the size of their receiving antenna helps them to pick up weak signals, such as might arrive in a carpark after being attenuated by the walls of a building, or it allows them to access networks at a range much longer than normal. One of the most common, and cheapest techniques for increasing the size of an antenna is to use a "Pringles" can. The obvious advantages of this approach is that they are commonly available, cheap, and people carrying them do not draw too much attention, at least until now. A representative of the Sacramento Sheriff's Departmen Sacramento Valley Hi-Tech Crimes Task Force stated that "They're[Pringle can antennas] unsophisticated but reliable, and it's illegal to possess them" (later reporting suggests that this is a mis-quote and the officer was not inferring that it was illegal to own or use them, but they should be - by treating them like burgling tools which are illegal to possess). While this statement appears counter-intuitive, it actually relates back to use of the electromagnetic spectrum for transmission of data.

With most wireless Internet access operating on the 2.4 GHz band (the same as your microwave), there are strict rules and compliance required to operate a transmission station. Modification to an approved device will render the device non-approved (as per section 15 of the FCC rules), and it should then cease to be used for transmission purposes. The other aspect is illegal network usage and resource consumption, as covered by a number of anti-hacking and computer misuse laws. However, given that most antenna modifications are homebuilt, another section of the FCC rules (15.23) appears to allow the use of them, provided that basic restrictions are followed.

TippingPoint, a subsidiary of 3Com, has announced that they will be buying vulnerabilities from security researchers, in an effort to stop them from publicly releasing security vulnerabilities which can be turned into active exploits by hackers. Various security lists have debated the ethics and morals behind such an idea, and how it can introduce unwanted liability for the purchasing party. With payment for vulnerabilities, it forces researchers, who want to get paid, to lose their anonymity. Quite a number of independent researchers have had poor working relations with the major software vendors, and are likely to balk at the suggestion that they hand over their hard work for someone else to work with, knowing that the software vendors will know who they are. Because of the perceived bad treatment, quite a number of security researchers have developed a strong desire to be a thorn in the side of some software vendors, either out of spite, or as an attempt to force them to acknowledge their software flaws, and improve upon them. Anecdotal evidence suggests that this is not the first time that 3Com has taken to paying for vulnerability reports. A number of other companies also offer bounties to internal teams for discovering bugs in flagship products.

The oft-repeated reason for implementing a plan like this is that if someone is capable of breaking in to your systems, then you would be better off paying them to keep your systems safe from other hackers (and themselves). The drawback to this approach is that it is essentially a willing form of 'protection money', or legalised extortion, and only lasts until the next hacker with a chip on their shoulder comes along and breaks in. Historically, this was known as 'Danegeld' in the British Isles - the protection money payed to the Vikings to get them to stay away.

The idea of paying researchers for newly discovered vulnerabilities has opened a proverbial can of worms amongst security minded individuals, with a fair mix of individuals arguing vehemently for both sides of the argument - that such actions are, and aren't, ethically and morally permissible.

Some have come out to say that the vast majority of security fixes amount to a single character in a single line of code being changed. They then go on to argue that the delay in creating and distributing these fixes causes problems as ethically bound security researchers run out of patience for an official move from the vendor.

The intentions of the company that is going to pay for the vulnerabilities has been called into question. Their main commercial product is an IPS, an Intrusion Protection System. The company would stand to gain significantly from suppressing announcement of vulnerabilities reported to them. By sharing this privileged information with their customers, protecting them against the exploits for that particular vulnerability, it gains them more value for the longer periods that they can extend the time before public announcement.

Finally, in Russia it appears that some people have finally had it with Spam in their email . The Russian spammer responsible for the most Russian spam, Vardan Kushnir, was found beaten to death in his Moscow apartment at the start of last week. Vardan was responsible for spamming almost every Russian email address with spam for his English learning centres, 'The Centre for American English', 'The New York English Centre', and 'The Centre for Spoken English'. It is estimated that more than 200 million emails were sent out for these centres. A number of observers have opined that it is impossible to annoy so many people and not expect some sort of retribution once you get discovered, even if that retribution was, itself, illegal.

Rumours are surfacing that the spammer's death was the responsibility of the Russian Mafia, and that, due to his profile in the spamming business, he was killed because of some indiscretion. The Russian Mafia appears to be the leading organised crime body which is utilising modern technology as a part of their crime activities. Distributed Denial of Service attacks are threatened against online casinos or other high cashflow online entities, spam is sent for profit, worms and viruses are created and distributed to obtain machines for zombie networks, and to leak personal financial data, phishing takes place to gain access to banking accounts online, and an ability to drain them at will.