Archive for the 'Tech' Category


evil upgrade demoed via wi-fi

Sunday, August 2nd, 2009

This “evilgrade” is definitely not new:

Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.

But when the “hypothetical” becomes the easy and pragmatic, the threat is taken more seriously.

The solution is for software companies to digitally sign their updates:

Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it’s safe" from the attack, he says.
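The defence Kotler describes (a pinned publisher key and a signature on every binary) is what a client should check before it runs a fetched update. The following PowerShell is an added example, not code from the original post or from the evilgrade researchers; it assumes a download at `$UpdatePath` and a publisher certificate thumbprint `$ExpectedThumbprint`, both placeholders.

```powershell
# Added example, not from the original post. Before installing a downloaded
# update, verify its Authenticode signature and pin the signer to the publisher's
# own certificate. $UpdatePath and $ExpectedThumbprint are placeholders: the
# thumbprint is the SHA-1 of the publisher's code-signing certificate, recorded
# from a known-good installer rather than from the download being checked.

function Test-SignedUpdate {
    param(
        [Parameter(Mandatory = $true)][string]$UpdatePath,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )

    $verdict = [pscustomobject]@{ Path = $UpdatePath; Trusted = $false; Reason = '' }

    if (-not (Test-Path -LiteralPath $UpdatePath)) {
        $verdict.Reason = 'file not found'
        return $verdict
    }

    $sig = Get-AuthenticodeSignature -FilePath $UpdatePath

    # Status is Valid only when the signature matches the file's hash AND the
    # certificate chains to a trusted root. NotSigned, HashMismatch (the file
    # was altered after signing, which is what a swapped update looks like) and
    # NotTrusted are all grounds to refuse the update.
    if ($sig.Status -ne 'Valid') {
        $verdict.Reason = "signature status: $($sig.Status)"
        return $verdict
    }

    # A trusted chain alone is not enough: anyone can obtain a code-signing
    # certificate from a public CA. Require the publisher's own certificate.
    $signer = $sig.SignerCertificate
    if ($signer.Thumbprint -ne $ExpectedThumbprint) {
        $verdict.Reason = "signed by unexpected certificate $($signer.Thumbprint) ($($signer.Subject))"
        return $verdict
    }

    $verdict.Trusted = $true
    $verdict.Reason  = "signed by $($signer.Subject), expires $($signer.NotAfter)"
    return $verdict
}

# Placeholder values; substitute the real download path and pinned thumbprint.
$result = Test-SignedUpdate -UpdatePath 'C:\Downloads\app-update.exe' `
                            -ExpectedThumbprint 'PLACEHOLDER_PUBLISHER_THUMBPRINT'
$result | Format-List
if (-not $result.Trusted) { Write-Warning "Refusing to install: $($result.Reason)" }
```

A HashMismatch result on a file that was supposed to come from the vendor is exactly the symptom of an update swapped in transit.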

Blog plagiarism

Wednesday, July 8th, 2009

Very weird. Just noticed that a pseudo-blog site plagiarized a blog post I wrote some time ago. The copy-cat site is: freeofstate.org/new/?p=7590. Looks like a straight copy, word for word. May have been done by a bot rather than a person.

Is this the future of blogging: bots that copy other peoples’ blog entries in an effort to ride their virtual coat tails? It seems the answer is probably yes.

3 approaches to computer security

Thursday, June 18th, 2009

Straight from Joanna Rutkowska’s blog site:

1) Security by Correctness
2) Security by Isolation
3) Security by Obscurity

The first (correctness) sounds unattainable in its complete form, but newer frameworks are an improvement: memory corruption attacks, for example, are more difficult against .NET-compiled code than against native code. The third item, obscurity, refers to randomness, such as ASLR (randomized base addresses), or executables that are obfuscated randomly at runtime (huge downside: difficult to debug in the field… as someone who does that sort of thing, that one really resonates).

Item #2, isolation, looks intriguing. We do that to an extent (different low-priv usernames, JVM sandboxing), but virtualization gives us the capacity to do that to a much greater extent. So, one compromised VM won’t affect anything else (well, ideally).

As Bruce Schneier likes to say: “security is hard.” And he should know, being a security guru. There’s no silver bullet, but leveraging the three approaches above, taken together—and with a healthy dose of common sense on the part of the user—yields a more secure operating environment.

Linux … in the BIOS

Monday, May 18th, 2009

Phoenix Technologies is putting Linux not just on the desktop, but in the BIOS (basic input-output system). Most people only sporadically access the BIOS (to change the boot sequence, for example), and many people have undoubtedly never heard of it. Having a quick-boot version of Linux (called HyperSpace) at users’ fingertips would be a big paradigm shift.

From an economic/market standpoint, this is exciting.

But from a security standpoint, I’m concerned. I loathe the idea of the BIOS becoming a major attack vector for malware. I’d love to get details on what steps are in place to protect the BIOS from the sort of infection that would require the BIOS to be flashed to correct.

scada (infrastructure system security) totally inadequate … OMG!

Thursday, April 9th, 2009

A well-known security guru comments that SCADA is woefully insecure (definition of SCADA).

The WSJ claims that state-sponsored hackers have penetrated the US’s electrical grid (though Bruce Schneier, a security guru, seems to doubt the claim).

BIOS malware in our future

Sunday, March 29th, 2009

Researchers demo BIOS attack that survives hard-disk wipe.

Some people say I’m paranoid about computer security. To those people, I say: don’t use online banking.

At least not on their own spyware-ridden machines.

extracting cryptographic keys from memory

Monday, February 16th, 2009

Pretty good read on the subject, for paranoid types.

EDITED (2/18):

Here’s the abstract of the paper:

The increasing mobility of computing devices combined with frequent stories of privacy breaches and identity theft has thrust data encryption into the public eye. This heightened awareness of, and demand for, encryption has resulted in the development of a number of strong encryption solutions that emphasize usability. While encryption can help mitigate the threat of unintentional data exposure, it is equally capable of hiding evidence of criminal malfeasance. The increasing accessibility and usability of strong encryption solutions present new challenges for digital forensic investigators, whose traditional response methodologies leave them largely unprepared to deal with pervasive strong encryption.

In this paper we address the shortcomings of the traditional forensic response methodology with respect to encryption. We develop and discuss a variety of practical techniques for dealing with the use of encryption to conceal evidence. Our research highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from memory to facilitate the analysis of encrypted media in a forensically sound manner. We also present a proof of concept tool capable of automatically extracting key material from a volatile memory dump and using it to decrypt an encrypted disk image.

hating Windows Vista – groupthink in geekdom

Sunday, February 15th, 2009

The technical community has largely rejected Windows Vista. Later this year, Microsoft will release Windows 7, the next version of its flagship desktop OS. Unlike previous releases, this one will almost certainly be on time. The reason lies largely in the slow adoption of Vista by businesses. Consumers who purchase new PCs get Vista b/c that’s what OEMs offer, and most don’t question it. It’s geekdom that, for the most part, has rejected Vista.

Vista offers major enhancements over Windows XP (its predecessor). Ironically, most of these enhancements appeal directly to technical people, especially security-conscious people. So, what about Vista inspires irrational hate from bespectacled nerds? The following:

  1. “annoying popups” prompting confirmation for system-level changes
  2. higher hardware/resource requirements

That’s it, really. Those popups refer to UAC: user account control. It’s touted as a security feature to protect applications from making system-level changes without authorization. In reality, the goal is to push ISVs (independent software vendors, read: software companies other than Microsoft) to produce software that writes to user folders rather than “system” folders like the “program files” directory, the “c:\windows” directory, etc.

The higher resource requirements–even after disabling Aero, Vista’s cool new interface–is a valid complaint. The constant complaining about UAC (the “annoying popups”) is nonsense. Most users won’t face more than a handful of UAC prompts at all. They’ll occasionally upgrade their OEM software or sporadically install new applications. That’s it.

Geeks like to make system-level changes all the time. They’ll run into as many UAC prompts in a day as the average person does in a year. Good reason to hate UAC? No, because it can be trivially disabled and later re-enabled. And software geeks have no problem negotiating the enabling and disabling of security features.

The real reason geeks hate Vista

Because they’re supposed to. Because other Slashdot users loathe it. Because it’s Microsoft, and Microsoft is eeevil.

don’t use an admin account for daily use

Saturday, February 14th, 2009

It’s hard to stress this enough. Don’t use an administrative account unless you really need to. Regardless of the operating system you use–Windows, Mac, Linux, or whatever–you can create a standard/restricted user account and use that for most tasks. And you should definitely use a limited account for web surfing.

According to ZDNet, 92% of critical Microsoft vulnerabilities are mitigated by least-privilege accounts. In other words, malware that somehow manages to execute on a user’s machine either won’t work or will effectively be contained by using a limited account. Malware that attempts to terminate or evade anti-virus scanners will likely fail if the user is logged in as a limited user.

bruce schneier on security

Friday, January 23rd, 2009

Reason interviews security guru Bruce Schneier. Lots of practical, in-perspective advice.

Why the DMCA is a great thing for biz & consumer

Wednesday, November 12th, 2008

Blogs, search engines, e-commerce sites, video and social-networking portals are thriving today thanks in large part to the notice-and-takedown regime ushered in by the much-maligned copyright overhaul. A decade ago, when the DMCA was enacted, these innovations were unheard of, embryonic or not yet conceived. Now, Google has grown into one of the world’s largest companies, and its video-sharing site YouTube has left an enduring mark on public discourse. The Mountain View, California, company is one of many that openly acknowledges the DMCA’s role in its success, a view shared by public interest groups.

That’s from a blog-article on Wired magazine’s site. Tech geeks dogmatically hate the DMCA, but the article makes a compelling case that it’s a good thing overall.

Computer security – protecting your machine as your surf the web

Monday, July 28th, 2008

My last post on full disk encryption offered suggestions for protecting your machine from “offline” attack scenarios. I.e., if a tech-savvy thief steals your laptop and tries to read your personal/business data (bypassing the Windows login prompt is trivial), FDE protects the data on your machine from being compromised by a knowledgeable and determined thief.

But FDE does not protect you from “online” attack scenarios; i.e., where the operating system has booted. Online attacks may–or may not–refer to attacks that occur over the web. Increasingly though, network-facing services and applications provide entry points into client computer systems (web browsers, email clients, and such). I’ll list some simple (but often neglected) steps to avoid infection of your client system.

First, I’ll assume you’re using either Windows XP or Vista. If you’re using MacOS, these suggestions may also apply (conceptually if not pragmatically). If you’re using Linux, you almost certainly already know these suggestions.

  1. Log in as a regular, non-privileged user. Don’t use an administrative account (an account that is a member of the Administrators group) for day to day tasks. If malware somehow executes on your machine, it will typically run within the context of the logged-in user (exception: if malware exploits a system service).
  2. Apply DEP (Data Execution Prevention) on all programs/services. By default, DEP is not applied to all processes (for compatibility reasons). Do yourself a favor and enable it for all processes.
  3. Keep software and anti-virus up to date.
  4. Use common sense.

There you go. Just 4 steps (forget those silly “top 10” lists). Surprisingly, most of the top 10 lists out there say nothing about DEP, even though DEP (aka, NX/XD) offers hardware-assisted protection from a common software attack (buffer overflow exploits).

Logging in as a non-privileged user is also one of those items that’s excluded from most top 10 computer security lists. Log in as a standard user (not a power user). If you need to run a program that requires admin privs, do a “run as.” If you’re using Vista and the application is UAC-aware, you will automatically be prompted to run as a higher-privileged user.

Item 3, keeping software & anti-virus defs up to date actually is covered by the top 10 lists. It’s obvious, but I’ll say it anyway. Use anti-virus and keep it up to date. Keep your Windows updates up to date (by default, Windows will do this automatically and occasionally require you to reboot). Keep other non-Microsoft software up to date as well.

Use common sense. That’s tough given the rather convincing malware, utilizing both technical attacks and social engineering (like, emails that look legit that coax you into downloading and installing software). Don’t fall for it. Be suspicious of emails, and demand digital signatures for software that you download (and be careful where you download software). Be quasi-paranoid about trusting email attachments and “urgent notifications” from your bank. If it looks suspicious, it’s probably a scam.
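The first three steps can be checked from an ordinary user session. The script below is an added example, not part of the original post: it reports whether the session is administrative, what the system-wide DEP policy is, and whether Windows Update and a registered anti-virus are present, and it changes nothing. It assumes a Windows client with the CIM cmdlets (PowerShell 3 or later); the Security Center query is absent on server editions, so it is treated as optional.

```powershell
# Added example, not part of the original post: a read-only audit of steps 1 to 3
# above (limited account, DEP for all processes, updates and anti-virus). Run it
# from the user's own session; it reports and changes nothing.

function Get-ClientSecurityPosture {
    # Step 1: is the current session running with administrative rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Step 2: the system-wide DEP policy from Win32_OperatingSystem.
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only; the client
    # default), 3 = OptOut (every process except an explicit exception list).
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # Step 3: Windows Update service state and any anti-virus known to Security Center.
    $wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
                          -ErrorAction SilentlyContinue

    $findings = @()
    if ($isAdmin) {
        $findings += 'Step 1: this session is administrative; use a standard account for daily work.'
    }
    if ($depPolicy -ne 'AlwaysOn' -and $depPolicy -ne 'OptOut') {
        $findings += "Step 2: DEP policy is '$depPolicy'; OptOut or AlwaysOn covers all processes."
    }
    if (-not $os.DataExecutionPrevention_Available) {
        $findings += 'Step 2: hardware DEP (NX/XD) is not available on this machine.'
    }
    if (-not $wu -or $wu.StartMode -eq 'Disabled') {
        $findings += 'Step 3: the Windows Update service (wuauserv) is missing or disabled.'
    }
    if (-not $av) {
        $findings += 'Step 3: no anti-virus product is registered with Security Center.'
    }

    $wuText = if ($wu) { "$($wu.State) / start mode $($wu.StartMode)" } else { 'not found' }
    $avText = if ($av) { (@($av.displayName) -join ', ') } else { 'none registered' }

    [pscustomobject]@{
        User          = $identity.Name
        IsAdmin       = $isAdmin
        DepPolicy     = $depPolicy
        DepAvailable  = [bool]$os.DataExecutionPrevention_Available
        WindowsUpdate = $wuText
        AntiVirus     = $avText
        Findings      = $findings
    }
}

Get-ClientSecurityPosture | Format-List
```

An empty Findings list means the machine matches steps 1 to 3 of the post; step 4 has no cmdlet.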

Laptop security with FDE

Saturday, July 26th, 2008

I’m calling this blog “laptop security” but it applies to desktops as well. I focus more on laptops b/c they’re so much more mobile and, therefore, easily lost/stolen.

If you’re not already aware, FDE stands for full disk encryption, and it’s a technology that allows you to encrypt the entire disk. I’ll skip some techno-distinctions in this blog entry (like the difference between a volume and a drive) for simplicity. Windows Vista (Ultimate) includes a FDE feature called BitLocker Drive Encryption that can be used right out of the box if you have that edition of Vista.

Home users can also use TrueCrypt for FDE. The feature, called “system encryption” within TrueCrypt, allows you to encrypt your Windows system (all partitions) with a passphrase. BitLocker, by contrast, relies on a TPM micro-chip or, alternately, a USB stick for authentication.

Other FDE solutions have been around for quite a while. But with FDE available built-in in Vista and with the open-source TrueCrypt software now supporting FDE (previously, you could create encrypted partitions and container-based encrypted volumes), there are few excuses left for not adopting FDE on your home system to protect your financial documents and personal information.

Note that FDE does not replace good security practices. FDE protects against what is known as “offline attacks”; it does nothing if someone (or malware) tries to attack your system after having already booted. Additionally, FDE can be defeated under some circumstances, like a poorly chosen passphrase or a “cold boot” RAM attack (though there are mitigations for that scenario).

I’ll discuss common, everyday security from time to time on this blog for those who are interested on a continuing basis (in layman’s terms). Thoughts and suggestions are welcome.

ReadyBoost – quick, cheap way to speed up Vista

Saturday, July 5th, 2008

Finally occurred to me to try out a feature built into most versions of Windows Vista: ReadyBoost. Without going into a lot of detail, ReadyBoost potentially makes your computer faster and more responsive. Depending on your AutoPlay settings (and group policy), it’s probably as simple as putting a USB stick in an available slot in your machine and enabling ReadyBoost when prompted. Or, worst case: access the drive’s properties via Explorer and enable via the “ReadyBoost” tab.

The web is full of more info on ReadyBoost, so if you’ve never heard of it, do a Google search on it first. Here are some impressions:

* It seems to work. On my older desktop (1 GB of RAM; single AMD Athlon64 processor), it appears to be more responsive (though I didn’t actually benchmark it).

* Works with BitLocker (which requires me to insert a USB stick on startup to boot the OS), though I had to do a few things to get all that working smoothly.

* ReadyBoost supports using an SD memory card instead of a USB memory stick. That’s good for aesthetic reasons (since SD cards are smaller & more subtle), but my old desktop doesn’t have an SD slot (my laptop does, but I use that slot and it’d be a pain to swap out the ReadyBoost card for the other card every time I wanted to copy pics to my PC).

Some quick facts on ReadyBoost:

* Speeds up your PC (specifically, operations that involve reading memory that has been paged to disk); instead of reading from the pages on disk, it reads from the pages that have been written to the USB/SD memory device (which tend to provide substantially faster random access times). So, the info is replicated on the USB/SD device; it’s not an extension of virtual memory, but another copy of some of the paging file on disk. (Bottom line: if you remove it all of a sudden, Windows just reads your paging file on disk.)

* The paging info on the USB/SD device is encrypted using AES (128 bit). If the device is lost/stolen, the data is irretrievable by the thief.

* You can leave your ReadyBoost USB (or SD) card plugged in constantly. No need to take it out during reboots.

Hardware attack bypasses full disk encryption (FDE)

Thursday, February 21st, 2008

Very interesting paper on DRAM analysis to bypass full disk encryption programs like BitLocker, dm-crypt, TrueCrypt, and FileVault (many other FDE suites are presumably vulnerable as well). Here’s a more layman-readable version a la a blog post.

The gist is this: if you use software-based FDE (that includes software+hardware solutions like BitLocker with a TPM), this attack vector can still get to your data if: a) the computer is on, even in low-power “standby” mode, and even if a password is required to access the machine (as in, a screen saver or password prompt after bringing machine out of standby); b) FDE solution uses a “transparent operation mode,” like BitLocker+TPM in basic mode; c) some other instances.

Hibernation mode might be safe, depending on the FDE solution you use (seems to be safe when using BitLocker, provided that you’re not using transparent operation mode, of course).

How to stay safe? Several options exist.

  • Shut down your machine when you’re not using it for a while. Another option is to make use of hibernation mode instead of standby mode (evidently, that works with some FDE solutions but not others; the idea is that if you’re prompted for a password/PIN/token upon bringing the computer out of hibernation, you’re safe; otherwise, you’re probably not safe).
  • Use a hard drive that includes on-board full disk encryption such as the Seagate FDE.2 Momentus drive.
  • Physically secure machine.
  • Purchase RAM that degrades quickly when powered off or uses encryption to secure contents (does this option exist yet?)
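Two of the options above can be checked on a BitLocker machine: whether the OS volume is in the TPM-only “transparent operation mode” the paper defeats, and whether hibernation (rather than standby) is enabled. The script is an added example, not from the original post or the paper; it assumes the BitLocker PowerShell module (Windows 8 or later, so not the Vista systems the post was written on) and an elevated session, and it is read-only.

```powershell
# Added example, not from the original post: a read-only check of two of the
# mitigations above on a Windows machine using BitLocker. Needs the BitLocker
# PowerShell module (Windows 8 or later) and an elevated session.

function Test-ColdBootExposure {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # "Transparent operation mode" is a TPM-only protector: the TPM releases the
    # volume key at boot with no user secret, so the key is in RAM from power-on
    # and a password prompt at the lock screen does not help. TPM+PIN or
    # TPM+startup key withholds the key until the user supplies something.
    $preBootAuth = [bool](@('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey') |
                          Where-Object { $types -contains $_ })
    $tpmOnly = ($types -contains 'Tpm') -and -not $preBootAuth

    # Hibernation writes RAM to the (encrypted) disk and powers off, so memory
    # no longer holds the key; standby keeps RAM powered. HibernateEnabled is
    # the registry value behind "powercfg /hibernate on|off".
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -Name HibernateEnabled -ErrorAction SilentlyContinue
    $hibernateOn = [bool]$power.HibernateEnabled

    $findings = @()
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)."
    }
    if ($tpmOnly) {
        $findings += 'OS volume uses a TPM-only protector (transparent mode); add a PIN or startup key.'
    }
    if (-not $hibernateOn) {
        $findings += 'Hibernation is disabled, so the only safe idle state is a full shutdown.'
    }

    [pscustomobject]@{
        Volume           = $vol.MountPoint
        Protection       = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ', ')
        PreBootAuth      = $preBootAuth
        HibernateEnabled = $hibernateOn
        Findings         = $findings
    }
}

Test-ColdBootExposure | Format-List
```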