Maximum Security
 
Security: freedom from danger; safety; protection; freedom from doubt or anxiety; something that makes one secure; freedom from want or poverty; the securing of buildings, valuables, government secrets, and the like from intrusion or theft.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+serving to make secure+


   
Microsoft Addresses the Security Issue

Microsoft's crucial new hire

Bill Gates' recent company-wide memo outlining Microsoft's vision for Trustworthy Computing has generated lots of attention, both good and bad.

To some, it is more Microsoft rhetoric wrapped inside a public relations campaign designed to postpone accountability for producing secure products until they can get .NET out the door. Others see it as a long-awaited public asseveration that Microsoft has finally put security above all else, and that they are embracing the responsibility of securing today's (and tomorrow's) Internet.

It should come as no surprise to you that I number myself among the latter group.

I can't help but notice that when Bill Gates makes a decree that speaks directly to securing his products, people consider it nothing but PR. But when Larry Ellison embarks on a blatant PR campaign of misinformation, people say he is raising the bar for security. Go figure.

Regardless, the memo comes at a good time. As the sun sets on Howard Schmidt's days as Microsoft's chief security officer, and he prepares for his new role as the number two man at the United States' Critical Infrastructure Protection Board, Microsoft CTO Craig Mundie is already looping in key Microsoft employees in his search for a replacement. Word on the street is that Mundie may even create additional positions in order for Microsoft to fully leverage the opportunity they have at this pivotal time in the company's history.

Schmidt's egress is fortuitous. Though he was instrumental in the formation of Microsoft's "trustworthy computing initiative," and the accompanying powerhouse team of security experts -- including people like Eric Schultze, David LeBlanc, and Jesper Johansson -- he was not exactly a Braveheart when it came to firing up the troops for battle.

And that is just what Microsoft needs.

I have long said that in order for Microsoft to truly change the way its products are produced, it would take a mandate from the top. Individual groups and departments, no matter how separately committed they are, can't impact the direction of the company if the corporate executives are not doing the steering.

This is the perfect occasion for Microsoft to illustrate their commitment to security and to solidify their new priorities of security before functionality. Gates flat-out said that the entire company must put security first, and there is no way for him to back out of it now.

Microsoft has spoken much of security lately, and has rolled out programs like the CTI and the Strategic Technology Protection Program. Brian Valentine has also promised a complete code-level review as the basis for Win2k's Service Pack 3. Now they need to get someone in as chief security officer who can act as a catalyst to bring the fragments of the company together into a unified force to finally take security as seriously as they need to.

Of course, even with management reforms, Microsoft still has a challenge ahead in putting the "Trustworthy" into "Trustworthy Computing."

Even if every programmer on staff were to build security directly into the development model and the company were to produce a robust and secure platform in .NET, Microsoft's new chief security officer would still have the job of earning the world's trust and getting the public to buy into the concept. Frankly, I don't know which job will be harder.

I was thinking about making some predictions on who they might seek out in order to fill this crucial position, but I'm having a hard time coming up with any viable candidates. This person is going to be in the capacity of literally changing the face of global security, and will have a massive responsibility on their shoulders.

It can't really be someone from the inside, as logic would dictate that it was the current management that got them into trouble in the first place. It's got to be someone who has the intelligence to see what the right thing to do is, and who has the confidence to get it done.

In some bizarre world in a parallel universe, I actually see someone like Bruce Schneier in that position. Someone in his capacity could make a world of difference -- someone who would fight for security instead of playing the cover-your-rear game all day. You know, someone who would stand up for what they thought was right and not be intimidated by Bill.

I don't know who it will end up being; I just hope that Bill and Steve, along with Craig and the rest of the big-wigs at Microsoft, see this as the critical decision that it is. We are all watching, and this will tell us exactly how serious Microsoft is about our security. I hope they get it right.


Security hole in IE reveals data in cookies


A newly reported vulnerability in Microsoft Corp.'s Internet Explorer allows hackers to steal or corrupt "cookie" information on a user's desktop through a malformed address at a Web site or in an HTML e-mail.

The vulnerability means a user's personal information, such as a credit card number or home address, could be stolen by a malicious site, if other sites have stored that data on the user's hard drive. The flaw involved Microsoft's Internet Explorer 5.5 and 6.0 browsers.

Microsoft rated the hole as a high security risk, but it hasn't yet come out with a patch. For now, the software manufacturer urges users to do a work-around by disabling active scripts. A full explanation and instructions for the work-around are on Microsoft's TechNet site.

Microsoft spokesman Christopher Budd said the company faces a challenge in making consumers aware of the problem. "We are working with the press. We view the press as instrumental in getting out to the consumer base. As far as getting the word out, we are going high and low... because clearly we have an interest in getting the word out."

He said Microsoft is taking measures such as creating easy downloads at consumer-oriented security sites to get patches.

"They don't have to worry or dig into the technical [side]. We put a lot of effort into our bulletins," Budd said. "We've taken great pains to describe this in as plain English as possible. There's not going to be a single easy answer to this."

The vulnerability raises more questions over Microsoft's ability to securely manage personal data through its .Net and Passport services.

"I don't have faith in Passport anyway. It's like Swiss cheese. It's just another hole in the Swiss cheese called Passport," said Michele Rubenstein, a security expert in Washington and president of the EMA, a user forum within The Open Group, an IT user advocacy group.

To be fair, however, Rubenstein said, Web sites that don't store data securely or that store sensitive information on cookies also must share the blame. "A well-designed Web page should not store vital or critical information in a cookie stored on a hard disk," she said.

The magnitude of the hole also presents a daunting task for Microsoft in alerting consumers who may not pay attention to security bulletins and don't know how to apply work-arounds.

"People like my mom, who are on the Internet, aren't aware of these things," Rubenstein said. "How is she going to learn about that, unless someone is checking on security issues for her?"

In the statement posted yesterday, Microsoft said, "A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information. In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail ... The vulnerability results because of an unsafe handling of cookies across [Internet Explorer] zones."

That is, instead of restricting a Web site to access only those cookies it stored on the user's hard drive, Internet Explorer allows Web sites to grab cookies from other sites.
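The per-site restriction described above, as an added example that is not from the article or from Microsoft: a minimal cookie jar that applies RFC 6265 domain matching when cookies are stored and read. The `CookieJar` class, the host names and the cookie values are constructed for illustration.

```javascript
// Added illustration of per-site cookie scoping (RFC 6265 domain matching).
// Host names and cookie values are constructed samples.

const normalize = (name) => name.toLowerCase().replace(/^\./, '').replace(/\.$/, '');
const isIpLiteral = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// True when a page on `host` falls inside the cookie scope `cookieDomain`.
function domainMatch(host, cookieDomain) {
  const h = normalize(host);
  const d = normalize(cookieDomain);
  if (h === d) return true;
  if (isIpLiteral(h)) return false;   // IP addresses only ever match exactly
  return h.endsWith('.' + d);         // suffix must begin at a label boundary
}

class CookieJar {
  constructor() { this.cookies = []; }

  // A site may scope a cookie to itself or to a parent domain, never to a
  // foreign one. Public-suffix checks (rejecting Domain=com) are omitted.
  set(settingHost, name, value, domainAttr) {
    const domain = normalize(domainAttr || settingHost);
    if (!domainMatch(settingHost, domain)) return false;
    this.cookies = this.cookies.filter((c) => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly: !domainAttr });
    return true;
  }

  // Names of the cookies a page on `host` is allowed to read.
  visibleTo(host) {
    const h = normalize(host);
    return this.cookies
      .filter((c) => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
      .map((c) => c.name)
      .sort();
  }
}

function sampleJar() {
  const jar = new CookieJar();
  jar.set('www.shop.example', 'cart', 'c-1001');                   // host-only cookie
  jar.set('www.shop.example', 'session', 's-42', 'shop.example');  // shared with subdomains
  jar.set('evil.example', 'steal', 'x', 'shop.example');           // rejected: foreign scope
  jar.set('192.0.2.10', 'admin', 'a-7');                           // IP host, exact match only
  return jar;
}

const jar = sampleJar();
console.log(jar.visibleTo('www.shop.example')); // own host-only cookie plus the shared one
console.log(jar.visibleTo('pay.shop.example')); // only the cookie scoped to shop.example
console.log(jar.visibleTo('notshop.example'));  // nothing: not a label-boundary suffix
console.log(jar.visibleTo('evil.example'));     // nothing: unrelated site
```

Rubenstein's point still applies with correct scoping in place: a cookie that holds only an opaque session reference gives away far less than one holding the data itself if the scoping ever fails.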

Microsoft was notified of the vulnerability Nov. 1 by a Finnish security firm, Online Solution Ltd., another Microsoft spokesman said. At first, the firm agreed to work with Microsoft, he said, but then decided it would be a good marketing opportunity to publicize the vulnerability.

Microsoft said in its advisory that the person who discovered this vulnerability has irresponsibly and deliberately made this issue public only a few days after reporting it to Microsoft.

Microsoft released this statement that it said it received from Online Solution's CEO: "Finding and reporting of this kind of vulnerability is a great marketing opportunity for us ... we are willing to postpone the publication if we can find any way to work together so that our company would otherwise benefit from this. Otherwise, we don't see any reason to not report this bug and use it for our marketing purposes."

Online Solution responded by saying it believed a week was sufficient time for Microsoft to come up with a patch, and that Internet Explorer users were entitled to know of the vulnerability.


Windows Media Player must be patched to fix IE

A trivial scrap of malicious JavaScript can defeat entirely the Platform for Privacy Preferences (P3P) 'protections' Microsoft has integrated into Internet Explorer 6, all because of a dodgy 'feature' in Windows Media Player (WMP).

According to a post by privacy advocate Richard M. Smith to the BugTraq mailing list Tuesday, WMP generates by default a serial number which can be grabbed by a Web site using the simple exploit. The number can be used as a 'super cookie', as Smith calls it, enabling a nosey third party to track a victim's on-line comings and goings regardless of their cookie handling rules.

Even if all cookies are deleted and privacy policy set to reject them, the WMP number can be used to track users because it's stored in the Windows Registry. It can be read with a simple ClientID request, as Smith illustrates with a demo Web page. The hole affects both IE6 and older versions of Netscape, Smith says.

The coding here is embarrassingly simple:



ID=WMP WIDTH=1 HEIGHT=1>





"Once the ID number is available to a JavaScript program, it can be sent back to a Web site either by appending it to the URL of a Web bug or storing it in a regular Web browser cookie," Smith explains.

The only fix is for users of older versions of WMP to patch their systems, and then to select the option in WMP which disables the wonderful 'feature' allowing their players to be uniquely identified. (Why anyone in his right mind would desire such a thing is quite beyond me; but the feature, incredibly, is enabled by default.)

Once a user turns off the option, a unique WMP number will be generated for each IE session, so long-term tracking is impossible.

"However, asking the average user to solve an Internet Explorer privacy leak by manually changing settings in a different program seems a bit much to me. Especially considering that there are many people who have never run Windows Media Player, yet they are still vulnerable to the problem," Smith notes.

And indeed, the idea that a media application might be causing a Web browser to leak data in spite of its own security settings would be counter-intuitive to the casual user or computing newbie.

It's only after we've become familiar with Microsoft's habits in security engineering that such a thing begins to make perfect sense.

What Billg's new security effort will cost

If Chairman Gates actually meant what he said in his recent memo calling for dramatically improved security in all MS products, then there are going to be some immense changes going on in Redmond. Changes in how software is created; changes in how features are integrated into them; changes in product development schedules; changes in disclosure practices. Indeed, we can determine just how serious Microsoft is by tracking the metamorphosis which a real shift towards security will necessitate.

We spoke recently with Counterpane Internet Security CTO Bruce Schneier, who has a pretty clear idea what a security-serious Microsoft would look like.

Schneier is cautiously optimistic, and for now would give MS the benefit of the doubt. Microsoft can do this, he says. But it will be difficult, and it will require an extraordinary shift in the Redmond culture.

For one thing, Schneier says, MS is simply going to have to open its protocols to evaluation and peer review. They simply won't succeed otherwise.

"I'm not talking about making it open source, but rather public source," he told us. "There is no way to achieve trustworthiness other than publication."

Next, the EULA (End User License Agreement), which absolves the company of all liability, "will simply have to go." Schneier reckons that a lot of what motivated Gates to take on security is the looming threat of liability litigation.

Now, Billg himself has said that product features will have to take a back seat to security for the company to earn the trust of consumers. But this will be exceptionally painful to MS software designers accustomed to working into their projects every slick bell and whistle they can think of.

"Putting security ahead of features is not easy," Schneier says. "Microsoft is going to have to say things like, 'We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out.' They're going to have to stop all development on operating system features while they go through their existing code, line by line, fixing vulnerabilities, eliminating insecure functionality, and adding security features."

Another mark of MS' commitment to security will be visible when the company ceases to treat vulnerabilities as a public relations problem, and deals with them openly and honestly.

Microsoft's most recent inclination has been to discourage vulnerability disclosure, and persuade customers to make use of auto-update, which patches the system behind their backs. The user never knows what was wrong, or whether the fix being applied is effective. This is obviously not a way to cultivate trust, and it will have to be abandoned if MS really wants a shiny new reputation suggestive of good security.

"When Netscape was serious about public scrutiny, they paid $1,000 for each security bug reported to them. Microsoft can no longer threaten, insult, or belittle independent researchers who find vulnerabilities in their products," Schneier observed.

This all sounds like a radically different Microsoft from the one we know and love, and that's just the point. The company quite simply cannot achieve the goals set forth in the Billg security declaration and remain unchanged.

It's undeniable that MS has the resources, both human and financial, to accomplish what it sets out to do. It's also undeniable that the company has an almost neo-Confucian tendency to substitute form for substance.

But as Schneier points out, there will be signs that can't be faked, and which will indicate just how serious the Beast is with its Trusted Computing initiative. The question remains, is this a PR stunt, or is it news?


Windows XP still under scrutiny

Differences of opinion continue to swirl over a potentially problematic Universal Plug and Play service in Microsoft Corp.'s Windows XP operating system.

The FBI's National Infrastructure Protection Center last week revised a recent security bulletin, removing a recommendation that systems administrators consider disabling the UPnP service in Windows XP.

After "careful review" of technical materials, the FBI agency stated that it is "satisfied" that a patch corrects a vulnerability that could lead to system compromise and "affords substantial and adequate protection" against the critical vulnerability that could lead to denial-of-service attacks.

But some security experts continue to recommend that, in addition to installing the patch, users disable the UPnP service, which lets PCs discover and use newly added network-based devices, such as printers, that advertise themselves as being available.

Marc Maiffret, chief hacking officer at Aliso Viejo, Calif.-based eEye Digital Security, the security firm that notified Microsoft about the UPnP vulnerabilities shortly after Windows XP was launched, charged that the UPnP protocol is "half-assed" and needs to be scrutinized more closely with security in mind. "Until they actually redo it, it's not something people should be using," Maiffret said.

"It just allows for a lot of ways that you can manipulate systems or services to basically use UPnP to either hide attacks or use UPnP as a jump point for other attacks," Maiffret said. Microsoft's patch fixes the problem "as far as what we know now," but since people aren't using UPnP, the service should be disabled, he said.

Russ Cooper, an analyst at TruSecure Corp. in Herndon, Va., and moderator of the Windows NTBugTraq mailing list, said UPnP "offers many more opportunities for problems," and Microsoft shouldn't have released the UPnP capability until the protocol was well thought out.

"Microsoft had to modify the UPnP protocol as defined by the UPnP Forum in order to patch against vulnerabilities demonstrated by eEye," Cooper said. "If the only way to protect against the vulnerabilities is to modify the protocol, the protocol is flawed."

The first version of the UPnP architecture was ratified in June 2000 by the UPnP Forum, a nonprofit group of more than 400 vendors from the consumer electronics, computing, home security, home appliance, computer networking and related industries. The forum defined and published UPnP device and service descriptions to help devices connect to each other and simplify home networking.

Mark Lee, chairman of the UPnP Forum and a lead Windows product manager at Microsoft, said the forum has a security working committee that proactively looks to make sure that UPnP is a secure technology and checks out various scenarios in which UPnP technology is going to be used. He said the UPnP Forum is open to input from industry participants. "If there are ways to make the technology better, we're ready and able to listen," Lee said.

A Microsoft spokesman said the company remains committed to UPnP technology and doesn't believe that "enabling UPnP in and of itself poses a security risk."

"There is great customer interest in UPnP, especially as more UPnP-capable devices are becoming available," said Scott Culp, manager of Microsoft's Security Response Center. "Folks who don't want UPnP can certainly turn off the service, but just applying the patch is sufficient to return it to safe operation."

Roger Gariepy, chief information technologist at Air Products and Chemicals Inc. in Allentown, Pa., said he's not sure he would "turn on a system that allows non-directly-attached devices to automatically plug into the PC." He added, "I don't think we're going to have a lot of UPnP-capable devices in the corporation."

The UPnP service is enabled by default in Microsoft's Windows XP operating system, which was launched Oct. 25. It can be activated in Windows ME and installed in Windows 98 and 98SE via the Internet Connection Sharing client that ships with XP.

Maiffret said eEye Digital Security notified Microsoft about the denial-of-service vulnerability in the UPnP service on Oct. 26. He said the firm told Microsoft about two more vulnerabilities, distributed denial of service and buffer overflow, in November.

Microsoft announced the vulnerabilities on Dec. 20, upon releasing its patches. A company spokesman defended the time lag, noting that the company had to develop patches for four operating systems with more than 20 language versions for each.

"All told, we developed well over 100 different versions of the patch," the spokesman said. He also noted that the testing requirements were significant. "Our testers worked around the clock to complete the testing in time to release the patch prior to Christmas week."

Gariepy noted that security vulnerabilities aren't unique to Microsoft. "All operating system vendors need to address this far more seriously than they have in the past," he said.





prE tehk shEn por faVor PABlo Bley aka Paul Alan Bley 1:10 AM


 