January 27, 2007 | Comments: (0)
Users want OS X to remove elevation prompts
Users want Apple to remove OS X elevation prompt
Similar to a behavior in Windows Vista, Mac OS X has long required a secondary authorization to be completed when performing root tasks, even if logged in as the root account already. Although the Mac OS X mechanism works differently than Windows User Account Control (UAC), the effect is the same: tasks requiring elevated privileges cannot run unless the user has explicitly authorized them. Like Windows Vista, the simple elevation prompt attempts to stop "drive-by" downloads and malicious executions.
I'm a big fan of them. In Windows Vista, using Group Policy or a registry edit, you can turn UAC on or off, or exercise a little control over when it prompts a logged-in user. I'm assuming this is not the case in OS X, as at least 30 people have signed an online petition asking for it to be removed altogether.
Personally, I wouldn't want an elevation prompt to be removed. There is too much value. While visiting an unknown web site a few weeks ago in Windows Vista, a zero-day attack was launched against my system. The only way I knew it was happening was the unexpected UAC dialog box prompting me for permission to execute something with admin credentials. I returned to the web site in a Virtual PC session running Windows XP Pro SP2, and the malware silently installed itself. I'm a fan of UAC for life.
Yes, it's a little annoying, but after a few weeks of using it, you almost don't notice the elevation dialog box. If anything, the risk is that the average user will click to allow the elevation every time they are prompted, even when it is initiated by some malicious software program. Still, when I really needed UAC, it saved me.
I encourage all readers to resist the impulse to turn UAC (or the Mac OS X equivalent) off. There is a reason why the vendors felt it important enough to annoy their power user base.
Posted by Roger Grimes on January 27, 2007 03:40 AM
January 26, 2007 | Comments: (0)
Dilbert Meets The Computer Security Industry
My former boss at Foundstone, Mark Curphey, has moved on from Foundstone and into his holiday house in the South of France while he builds a prototype for a new start-up. Man, I want to move on like that.
--Caution: Links contain some words that may not be appropriate for some audiences.---
As the former leader of Foundstone and a serious crypto guy, Mark has some interesting observations. While his own new blog has some serious security stuff and will follow the ups and downs of a brand-new start-up, he has also started a blog poking fun at the security industry in general. Each week they publish a cartoon via RSS. In the future they will have online Bulls--t Bingo, which will drive a BullBoard Top 10.
The cartoons are an indicting, inside look at the computer security industry. You'll chuckle as you nod your head. Spot-on as my Brit friends would say. If you're a fan of Dilbert or Get Your War On, you'll love the dialog in these cartoons. My only regret is we don't get a daily dose.
Maybe some humor will clean up the industry? If not, at least it should make you chuckle.
Posted by Roger Grimes on January 26, 2007 05:06 AM
January 22, 2007 | Comments: (0)
Comment to my Two Internets column
Comment to my Two Internets column.
------
Hello,
I was just reading your article "A Tale of Two Internets" and I had to respond. While I agree there is an overwhelming need to change our current email system to provide authenticated identification of email sources, your solution of creating a "new internet" at a premium cost would be one of the worst social outcomes I can imagine. Those with little monetary resources would be relegated to a "ghetto" internet where they are more likely to become victims, while those who can afford the "Internet/S" (i.e., elite internet) would be protected and secure. Looking at your last few paragraphs... "Would I join?" I have to say that I might... email authentication is a good and necessary goal. But... would most of my students and many people I know be able to afford to join... no. Creating an economic class system would not be the best way to implement this solution. A system like this needs to be implemented in the emailing world in general. Truly universal "universal authentication and... loss of default anonymity" is what would truly discourage online attackers. Protecting a few and leaving the majority open to predators would still provide a vulnerable target and make it less likely that these internet criminals would even be pursued, since their victims would have less of a voice in society.
I applaud your call for authentication but I think the way it's implemented needs to protect everyone or it would lead to more problems for us as a society.
Posted by Roger Grimes on January 22, 2007 11:49 AM
January 19, 2007 | Comments: (0)
One reader's response to my Weighing the Cost of Compliance article
One reader's response to my Weighing the Cost of Compliance article:
Dear Roger:
A bit behind in my reading, I just came upon your piece “Weighing the Cost of Compliance” in the 8 Jan issue. You suggest “hold your nose as you overspend” on regulatory compliance.
There is another way, especially when dealing with overlapping regs. It’s Risk Management, and it is something I deal with every day in terms of surviving regulatory audits – and litigation eDiscovery requests as well.
Even if an organization could bring its risk of non-compliance down to zero, it might not be cost-effective. Given two overlapping regulations, the penalty for transgressing one might be an acceptable risk, the figurative slap on the hand. Conversely, the penalty for the other might be a massive fine or even executive imprisonment. Does it make sense to treat the two regulations equally?
I am not suggesting ignoring regulations. I am saying, “Manage the risks.”
And in self-interest, I must say that Records Management is one of the best, most cost-effective ways to manage the risks.
If you would like to discuss this further or, perhaps, write about it, please contact me.
Thanks for your work.
Posted by Roger Grimes on January 19, 2007 07:16 AM
January 18, 2007 | Comments: (0)
Phillip Oechslin responds to my Rainbow Table column
Rainbow Method and Table creator Phillip Oechslin emailed me regarding my recent column on Rainbow tables.
Here's his email.
Hello Roger,
I just saw your online article on CSO online in Australia.
I thought you might be interested to know that rainbow tables can also be used to crack Office documents. The default encryption scheme of Word and Excel has the same defect as Windows password hashes: it is predictable (there is no salt or randomness).
We have a product that cracks a Word or Excel document in minutes, whatever the password (any length or complexity), since what we crack is not the password but the resulting 40-bit key that is used to encrypt the document.
I could get you an evaluation version if you wanted to test (I would have to send you a DVD with the 4GB of tables). Alternatively, I could crack a few documents for you.
There is info on this on our product page:
http://www.objectif-securite.ch/en/products.php
Well, and you write: "Rainbow tables are closely related to a cracking technique pioneered by Philippe Oechslin".
Actually, rainbow tables were invented by Philippe Oechslin. I should know. I coined the name rainbow table in my research paper presented at Crypto 2003.
http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf
BTW, we have a large article in the February issue of Hakin9 (http://en.hakin9.org/) magazine about rainbow tables and how we optimize their implementation.
Regards,
Philippe
Posted by Roger Grimes on January 18, 2007 06:42 AM
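Philippe's mail above and the column it responds to discuss rainbow tables and why an unsalted scheme (Windows hashes, the Office 40-bit key) is exposed to them. The following is an added example, not code from this page, from Roger's column or from Objectif Sécurité's product: a toy rainbow table in Python over a constructed key space (four lowercase letters hashed with SHA-256; the chain length, chain count, start-point spacing and reduction function are all choices made here for illustration). It shows the column-dependent reduction that gives the table its name, the lookup with its false-alarm check, and the caveat a defender cares about: a per-user salt the table was not built for turns every lookup into a miss.

```python
import hashlib
import string

# Toy parameters, constructed for this example only.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN   # 456,976 candidate passwords
CHAIN_LEN = 200                      # hashes per chain (t in Oechslin's notation)
NUM_CHAINS = 1500                    # chains stored (m)


def H(pw, salt=b""):
    """The one-way function being attacked. The table is built with an empty salt."""
    return hashlib.sha256(salt + pw.encode()).digest()


def index_to_pw(n):
    """Map an integer in [0, KEYSPACE) onto a password string."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def R(digest, column):
    """Reduction function R_column: digest -> password.

    Mixing the column number into the reduction is what makes this a rainbow
    table rather than a classic Hellman table: two chains that collide in
    different columns do not merge, so far fewer chains are wasted.
    """
    return index_to_pw((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def chain_start(i):
    """Deterministic, spread-out start point for chain i (constructed choice)."""
    return index_to_pw((i * 7919) % KEYSPACE)


def chain_point(start, column):
    """Password x_column of the chain beginning at x_0 = start."""
    pw = start
    for c in range(column):
        pw = R(H(pw), c)
    return pw


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precomputation: keep only endpoint -> start points; intermediate points are discarded."""
    table = {}
    for i in range(num_chains):
        start = chain_start(i)
        table.setdefault(chain_point(start, chain_len), []).append(start)
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Return the password whose unsalted H() equals target, or None if the table misses."""
    # Guess the column the target sits in, latest column first (cheapest to finish).
    for col in range(chain_len - 1, -1, -1):
        pw = R(target, col)                       # x_{col+1} if the guess is right
        for c in range(col + 1, chain_len):
            pw = R(H(pw), c)                      # run the chain on to its endpoint
        for start in table.get(pw, ()):
            # An endpoint match may be a false alarm (a merged chain), so regenerate and verify.
            cand = chain_point(start, col)
            if H(cand) == target:
                return cand
    return None


def demo():
    """Recover a covered password, then show that an unknown salt defeats the same table."""
    table = build_table()
    covered = chain_point(chain_start(5), 37)      # known to lie in the table (column 37 of chain 5)
    recovered = lookup(table, H(covered))
    salted_attempt = lookup(table, H(covered, salt=b"per-user-salt"))
    return covered, recovered, salted_attempt


if __name__ == "__main__":
    covered, recovered, salted_attempt = demo()
    print("covered password:", covered)
    print("recovered from unsalted hash:", recovered)
    print("recovered from salted hash:", salted_attempt)
```

The trade-off the 4GB DVD above represents is visible in the parameters: precomputation costs m·t hashes, storage is m endpoints, and each lookup costs roughly t²/2 hashes. A salt or other per-document randomness that is not fixed in advance forces a separate table per salt value, which is why it defeats the approach rather than merely slowing it down.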
January 18, 2007 | Comments: (0)
Partial List of Sandbox Products
List of Sandbox Products from Bill Stout, GreenBorder employee:
(begin message)
For freeware you might want to consider Sandboxie (authored by Ronen Tzur in Israel). It prevents malware from writing to your system in most cases, it's recommended by SANS, and it's free.
Also you may consider the freeware BufferZone from Trustware in Israel.
Check their online forum for any questions you may have on compatibility and stability.
Be aware freeware has limitations; they may not prevent malware from reading sensitive data, or all keyloggers, or block access from the sandbox to local network services. First read their FAQs, forums, and comparison tables before installing.
You can also download eval versions of paid software for a limited amount of time. If you contact support they often issue additional licenses for longer usage periods.
You might also check out DefenseWall (by Ilya Rabinovich, somewhere in Russia) - $29.
GreenBorder has evaluation software available, but not freeware. We have a consumer version and a centrally configured 'Enterprise' version.
See http://www.greenborder.com for product and marketing info. We're going to launch a beta today of a vastly better Enterprise release, which would also work well for a small home network; later today I'll post to the beta announce list and to the beta forums. Beta access can also be requested through 'beta at GreenBorder.com'.
Bill Stout
I.T. and Security at GreenBorder, Inc.
(end of message)
Posted by Roger Grimes on January 18, 2007 01:28 AM
January 18, 2007 | Comments: (0)
Call for GreenBorder Beta Testers
GreenBorder is calling for Beta testers for their 3.0 product.
Bill Stout, GreenBorder employee and email friend recently wrote me about his company's call for beta testers. Here's his email:
(start of message)
Please also mention our call for beta testers to sign up for the GreenBorder Corporate 3.0 product. I've created a link here:
http://www.greenborder.com/registration/betasignup/infoworld.
The basic differences between the 2.7/2.8 product you reviewed previously and the 3.0 product are: IM is protected; only Outlook attachments are protected (users complained about protecting the message itself); the server is much more lightweight (runs on XP); and all the compatibility issues we learned in the Pro product have been applied, except it doesn't officially support Firefox (we use a BHO in IE to open in the proper environment; Firefox doesn't support BHOs). Naming may be confusing: the old corporate product was named 'GreenBorder Professional', the follow-on consumer product was named 'GreenBorder Pro', and the new corporate product is 'GreenBorder Corporate'.
Bill
(end of message)
I gave GreenBorder mixed reviews when I wrote about it a long time ago in InfoWorld. It was among the first "sandbox" products that I had covered to protect Internet Explorer traffic.
My overall opinion of sandbox products in general has not changed since then, but since my initial review, the sandbox vendor space has become a lot more crowded. Some people and companies swear by them.
My general feeling is that sandbox products can provide a lot of malware protection value in many environments, especially if your current anti-malware defenses aren't doing the trick against email worms and spyware. But all the sandbox products that I've reviewed in the past could be easily circumvented by existing malware.
Bill Stout tells me that it is more difficult than ever for malware to "escape", but I haven't tested that theory myself, yet.
GreenBorder's call for beta testers is probably as much marketing as it is a call for real beta testers, but if you're interested in a sandbox product for IE, Outlook, etc., GreenBorder is one of the top contenders to experiment with.
Posted by Roger Grimes on January 18, 2007 01:11 AM
January 18, 2007 | Comments: (0)
Intro Article on Full Disk Encryption
Nice intro article on Full Disk Encryption.
From Saqib Ali:
An article on how to use freely available Full Disk Encryption (FDE) products to protect the secrecy of the data on your laptops.
FDE solutions help to prevent data leaks in case the laptop is stolen or goes missing. The article includes a brief intro, benefits, drawbacks, some tips, and a complete list of FDE solutions on the market.
http://www.full-disk-encryption.net/intro.php
Posted by Roger Grimes on January 18, 2007 01:09 AM
January 18, 2007 | Comments: (0)
Excellent VM detection and breakout presentation
Breaking out of virtual machine software programs.
Since I wrote my column on Virtual Machine (VM) security vulnerabilities, I've received many emails asking how I can break out of VMware, Xen, or any of the other VM technologies.
Essentially, the majority of VMs "hook" interrupts and APIs on the host operating system. It's the way they work. Malware can walk the interrupt vector table or the VM interface subroutines, find the VM hooks, and insert itself one call above or replace a subroutine. So far, I haven't found a VM that protects against this, although various host OSs are doing more and more to prevent interrupt vector table manipulation on their own.
If you are an assembly language programmer (as I am), it is fairly easy to write a short demonstration program. I have written two, but I'm under NDA with the vendor that paid me to do the work. What I did wasn't rocket science, though, and with just a little digging you too can find the weaknesses (if you're a threat modeler).
Read this summary on other detection and break-out techniques:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
This excellent SANS presentation covers some other techniques and discusses some of the items that are relevant to break-out attacks.
Posted by Roger Grimes on January 18, 2007 12:56 AM
January 03, 2007 | Comments: (0)
PDF XSS exploit
Researchers have disclosed a medium-criticality exploit that allows a maliciously crafted web page or email to use a PDF document to mount a cross-site scripting attack.
It's been the hot topic of several forums today. You can read one of the announcements here.
Posted by Roger Grimes on January 3, 2007 02:36 PM
January 01, 2007 | Comments: (0)
Must have GPO utility for Windows administrators
Don Jones, in his Dec. 2006 Redmond Magazine column, discusses Special Operations Software's free Gpupdate tool. You can download it here.
Specops' Gpupdate tool allows you to force remote Windows domain computers to pull down the most up-to-date GPOs. It's very cool and useful. Normally, GPOs are pulled by the workstation every 45-90 minutes by default, depending on the GPO re-apply interval setting, or you have to go to each computer and execute gpupdate /force. Wouldn't it be nice to make a GPO change and then push it out to everyone immediately? Now you can.
Download and install Specops' Gpupdate tool. It can be installed on W2K3 or XP Pro SP2. It requires Microsoft's .NET Framework 2.0 and Active Directory Users and Computers. It doesn't work with the Group Policy Management Console (GPMC), but it's so cool that we can easily forgive this oversight. Also, after installing, you must run a one-time forest schema extension command (discussed in the accompanying documentation).
After that, simply right-click any OU, user, computer, etc. in Active Directory Users and Computers, and choose the Gpupdate option. It will query and look for all the active participating computers, and tell you which did and didn't take the push.
This latter feature is awesome. It lets you quickly identify computers that aren't working right with Group Policy for one reason or another (e.g. firewall, not joined to the domain, etc.). It displays a bar graph of success and failures, and individually identifies each computer. You can watch as a failure suddenly becomes a success in front of your eyes.
This reason alone is why you should have this utility.
It also lets you start (Wake-on-Lan stuff), restart, and shutdown computers.
Kudos to Specops and Don Jones for bringing this useful utility to my attention. I'll use it for all my clients.
Posted by Roger Grimes on January 1, 2007 05:33 AM
January 01, 2007 | Comments: (0)
Web sites for OpenBSD users.
Continuing my OpenBSD blog thread, many readers are sending me OpenBSD-oriented web sites. Here they are:
www.openbsd.org
OpenBSD Journal http://undeadly.org
OpenBSD101 www.openbsd101.com
I'll keep adding as I get them.
From Tim on 1/5/06:
http://www.unix-tutorials.com/tutorials.php?os=OpenBSD
http://www.openbsdsupport.org/
http://www.bsdguides.org/guides/openbsd/
http://www.onlamp.com/topics/bsd/OpenBSD
http://www.xs4all.nl/~hanb/documents/topic.html
http://www.nomoa.com/bsd/
http://www.harrysufehmi.com/phpwiki/index.php/OpenBSDFullyLoaded
http://www.pingwales.co.uk/tutorials/
The final site listed isn't OpenBSD-specific, but it does include some tutorials that focus on OpenBSD.
Posted by Roger Grimes on January 1, 2007 05:20 AM
January 01, 2007 | Comments: (0)
Here are some factual corrections to my OpenBSD column.
My recent OpenBSD column is generating lots of online press in some of the OpenBSD forums. As expected, I'm portrayed as an idiot who has never installed or used anything but Windows.
You can read one of the forum comments here.
Geez, I wonder why more people don't use OpenBSD? Could it be the overly friendly community?
[Actually, with that said, some of the comments were supportive. In any online community you get all kinds, helpful and not so helpful.]
With that said, I want to make sure that I correct anything I said incorrectly in the column. Here are some corrections/additions I agree with:
I said OpenBSD has only had one remote exploit in the kernel. That was incorrect. It has only had one remote exploit in the default install, which includes a lot more than the OpenBSD kernel (bsd). That's a big oversight and needs to be corrected.
\bin and \sbin should be /bin and /sbin, of course.
I said that OpenBSD is shipped with all non-essential services disabled by default. There are some services enabled by default (e.g. sendmail, cron, time, and sshd if you choose to accept the default), but again, these are essential or else the OpenBSD team would not turn them on.
I said that OpenBSD was harder to install and configure than most Linux distros. That's still true, but it isn't much harder, and there are many, many tools (pkg_add, ports, etc.) that make it a piece of cake compared to how tough it used to be years ago.
I said, "They worked hard to scrub every proprietary and non-open piece of source code out of the kernel." That should be applied to all of the default install.
I said FTP supports HTTPS. It should be clarified that OpenBSD's ftp command supports it, but not the FTP protocol. You should be using something else to transfer files anyway, like scp.
I'll print more clarifications in this space as I get them.
Notice that I didn't correct that I'm an idiot.
Posted by Roger Grimes on January 1, 2007 04:05 AM