Security Bytes:

August, 2008

Aug 27 2008   3:58PM GMT

Security-stuffed Internet Explorer 8 beta 2 now available



Posted by: Dennis Fisher
Microsoft Security, Application Security

Microsoft has just released Internet Explorer 8 beta 2 this afternoon. As I wrote earlier this week, this release of IE is filled to the gills with new privacy and security features, so much so that it looks to me to be as significant an upgrade as Service Pack 2 was for Windows XP. I haven’t had a chance to put it to work yet, but plan to do so this weekend. Like a lot of other people, I essentially stopped using IE altogether several years ago when Firefox 1.0 was released, and I haven’t really looked back since. At the time, Firefox represented a serious leap forward in security and reliability from where IE was. Microsoft has been steadily pushing that security rock back up the hill since then, and it looks like they’ve made some really good progress. And being the paranoid that I am, the privacy feature set in IE 8 looks mighty enticing, so it’s going to get a good tryout. We shall see. If you decide to check it out, let me know what you think.

Aug 26 2008   10:10AM GMT

Microsoft makes privacy a priority in IE 8



Posted by: Dennis Fisher
Microsoft Security, Application Security

Microsoft is planning to add a significant number of privacy enhancements in Internet Explorer 8, including a new private browsing mode called InPrivate. The list of new features addressing privacy concerns is impressive and reflects the growing concern in the industry and the user community at large about the amount of private information that websites routinely collect from visitors, much of it without their knowledge. The most significant addition is the InPrivate browsing mode, which enables users to control whether IE saves a record of their online movements. In this mode, IE 8 will not save cookies, passwords, browsing history or any other record of the user’s browsing session.

As Microsoft’s Andy Zeigler explains:

While InPrivate Browsing is active, the following takes place:

  • New cookies are not stored
    • All new cookies become “session” cookies
    • Existing cookies can still be read
    • The new DOM storage feature behaves the same way
  • New history entries will not be recorded
  • New temporary Internet files will be deleted after the Private Browsing window is closed
  • Form data is not stored
  • Passwords are not stored
  • Addresses typed into the address bar are not stored
  • Queries entered into the search box are not stored
  • Visited links will not be stored

I love this. Love it. There are ways to accomplish virtually all of these things manually in the current version of IE, but it takes quite a bit of doing and let’s face it, most users are not going to take the time to go in and make all of the necessary adjustments. They’re just not. So giving them all of these features wrapped up in a neat little package is a nice move. The next beta version of IE 8, which is due for release by the end of August, also will include a feature called InPrivate Blocking that tells users when they’re visiting a site that may have some visibility into their browsing habits.

Also coming in IE 8 is a feature called InPrivate Subscriptions, which consumes special RSS feeds from Web sites that specify which content from those sites IE will block. Obviously it remains to be seen how these features work in practice, but it certainly looks like Microsoft has taken Web privacy to a much higher plane in IE 8.
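To make the cookie rules in Zeigler's list concrete, here is a small added model of an InPrivate-style cookie jar. It is example code written for this page, not IE code; the class name `InPrivateCookieJar`, its methods and the sample cookies are all constructed. It implements three of the bullets above: new cookies are demoted to session cookies, cookies that already existed stay readable, and closing the window leaves the persistent store untouched.

```python
from http.cookies import SimpleCookie


class InPrivateCookieJar:
    """Toy model of the InPrivate cookie rules (added example, not IE's code).

    `persistent` stands for cookies that were already on disk before the
    InPrivate window opened; `session` holds cookies set during the window.
    """

    def __init__(self, persistent, in_private=True):
        self.persistent = dict(persistent)
        self.session = {}
        self.in_private = in_private

    def store(self, set_cookie_header):
        """Apply one Set-Cookie header under the current mode."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            wants_persistence = bool(morsel["expires"] or morsel["max-age"])
            if self.in_private or not wants_persistence:
                # InPrivate: every new cookie becomes a session cookie,
                # whatever Expires / Max-Age the site asked for.
                self.session[name] = morsel.value
            else:
                self.persistent[name] = morsel.value

    def cookie_header(self):
        """Cookies the browser would send back to the site."""
        # Existing cookies remain readable, so a site that tagged this user
        # before the InPrivate window opened still sees that tag.
        merged = {**self.persistent, **self.session}
        return "; ".join(f"{k}={v}" for k, v in sorted(merged.items()))

    def close_window(self):
        """Closing the window discards session cookies; returns what survives."""
        self.session.clear()
        return dict(self.persistent)


def demo():
    # Constructed sample: a tracking cookie set on an earlier, non-private visit.
    jar = InPrivateCookieJar({"tracker": "u42"})
    jar.store("sid=abc; Max-Age=86400; Path=/")   # site asks for a day-long cookie
    sent = jar.cookie_header()                      # "sid=abc; tracker=u42"
    left = jar.close_window()                       # {"tracker": "u42"}
    return sent, left


if __name__ == "__main__":
    print(demo())
```

The caveat the model makes visible: InPrivate stops new records from being written, but because existing cookies are still sent, it does not hide a user from a site that has already set an identifier on that profile.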


Aug 22 2008   11:12AM GMT

Intrusions hit Fedora, Red Hat Enterprise Linux servers; some OpenSSH packages compromised



Posted by: Dennis Fisher
Platform Security

The maker of Red Hat Enterprise Linux and Fedora said that hackers have gained access to key servers in what appear to be two separate incidents. Red Hat Inc. found last week that someone had compromised several Fedora servers, including one that is used to sign Fedora packages. The company said that although the server was accessed illegally, they don’t believe that the passphrase used to get to the key used to actually sign the packages was compromised.

Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In the Red Hat Enterprise Linux incident, the attacker was able not only to compromise some servers, but also to use the RHEL key to sign some OpenSSH packages. The compromised packages were for RHEL 4 and 5, and Red Hat has published a blacklist of the affected packages. Red Hat also has released updated versions of the compromised packages.
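The RHEL incident illustrates why a blacklist matters once a signing key has been misused: the tampered OpenSSH packages carry a valid signature from the real key, so signature checking alone cannot tell them apart from good builds. The following added example (written for this page, not Red Hat's tooling) audits an installed-package inventory the way an administrator would: match package checksums against the vendor's blacklist, and separately flag anything still signed with the retired key so it can be replaced after the key rotation. The inventory text, blacklist, checksums, key IDs and package versions are constructed placeholders, not the real affected packages.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what `rpm -qa` with a custom --queryformat could emit
# once a checksum and the signing key ID are added per line. The NEVRAs,
# checksums and key IDs below are placeholders, not Red Hat's published data.
INSTALLED = """\
openssh-1.0-1.el5.x86_64          deadbeef00000001 OLDKEY00
openssh-server-1.0-1.el5.x86_64   deadbeef00000002 OLDKEY00
openssh-clients-1.0-1.el5.x86_64  deadbeef00000003 OLDKEY00
bash-1.0-1.el5.x86_64             deadbeef00000004 OLDKEY00
openssh-1.0-2.el5.x86_64          deadbeef00000005 NEWKEY01
"""

# Constructed blacklist in the form "<checksum> <nevra>", comments allowed.
BLACKLIST = """\
# placeholder list of tampered package builds (not the real Red Hat list)
deadbeef00000001 openssh-1.0-1.el5.x86_64
deadbeef00000002 openssh-server-1.0-1.el5.x86_64
"""

# Key ID retired after the incident (placeholder).
RETIRED_KEYS = {"OLDKEY00"}


@dataclass
class Package:
    nevra: str
    checksum: str
    key_id: str


def parse_inventory(text):
    """One package per line: NEVRA, checksum of the package file, signing key ID."""
    packages = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        nevra, checksum, key_id = line.split()
        packages.append(Package(nevra, checksum.lower(), key_id))
    return packages


def parse_blacklist(text):
    """Map checksum -> NEVRA for every known-tampered build."""
    bad = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        checksum, nevra = line.split()
        bad[checksum.lower()] = nevra
    return bad


def audit(packages, blacklist, retired_keys):
    """Classify each installed package.

    COMPROMISED: checksum matches a known tampered build; replace immediately.
    RESIGN:      signature is valid but made with the retired key; the package
                 is not known-bad, yet it should be replaced by a build signed
                 with the new key, since the old key can no longer be trusted.
    OK:          signed with a current key and not blacklisted.
    """
    findings = {}
    for pkg in packages:
        if pkg.checksum in blacklist:
            findings[pkg.nevra] = "COMPROMISED"
        elif pkg.key_id in retired_keys:
            findings[pkg.nevra] = "RESIGN"
        else:
            findings[pkg.nevra] = "OK"
    return findings


def summarize(findings):
    """Counts per status, handy for a one-line report across many hosts."""
    return dict(Counter(findings.values()))


if __name__ == "__main__":
    result = audit(parse_inventory(INSTALLED), parse_blacklist(BLACKLIST), RETIRED_KEYS)
    for nevra, status in sorted(result.items()):
        print(f"{status:12} {nevra}")
    print(summarize(result))
```

Matching on the checksum rather than on the package name and version is deliberate: a tampered build can carry the same NEVRA as a legitimate one, so only the content hash distinguishes them. The RESIGN bucket is the long tail of a key compromise; those packages are not known to be bad, but every package the old key ever signed needs a fresh build or re-signature before the old key can be dropped from the trusted set.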



Aug 21 2008   4:11PM GMT

Pwnie Awards video is online



Posted by: Dennis Fisher
Application Security

The guys behind the Pwnie Awards at Black Hat have posted a video of this year’s ceremony, which was full of hilarious moments. The highlight is Dan Kaminsky’s reaction to winning the Pwnie for most overhyped bug for his DNS discovery. Let’s just say he was less than happy about it. The Pwnie video may not be completely safe for viewing at work, at least without headphones. But it’s worth an hour of your time.


Aug 21 2008   2:38PM GMT

Is vulnerability research still necessary?



Posted by: Dennis Fisher
Information Security Threats

The recent publicity surrounding the DNS cache-poisoning vulnerability and other high-profile bugs has had the unfortunate effect of dragging the battered, bloated corpse of the full-disclosure debate back above ground. Like a lot of other people in the industry, I’ve completely lost my taste for that discussion. The really interesting question is not whether disclosure of vulnerabilities and release of exploit code is necessary or ethical, but whether exploit development itself has any real value anymore. In one sense, it is now far more valuable than it has ever been, as some security companies and a few select government agencies are willing to pay quite a nice price for new vulnerability and exploit information. I’ve heard from a number of researchers that remotely exploitable server-side bugs in applications like Windows Server 2008 or Oracle databases can be worth well north of $50,000 if you know the right buyer. And that’s on the legitimate market.

But in the broader sense, the question is much more nuanced and the answers far from certain. For the researchers themselves, the intellectual satisfaction and pride of finding a new bug is a significant draw. In a recent podcast I did with Dino Dai Zovi, he described the feeling of creating a new, working exploit as “awesome” and said that once you’ve done it, you keep going back to the well. Most of the researchers I know got into the game as a result of intellectual curiosity, a desire to see how things work as well as how they fail. Few, if any, of them went in thinking that they’d make a living on their research, but many of them have been able to do just that.

The question remains, however: Does this research benefit anyone other than the researchers themselves? I believe it does. We know that no software maker is turning out perfect products. Microsoft, Oracle Corp. and others have implemented very strong security development programs, but they will never find every problem or think of every possible attack vector. The memory-protection attacks outlined at Black Hat by Mark Dowd and Alexander Sotirov are a perfect example. Microsoft’s threat modeling program identified many of the threats and the company implemented a number of new protections, such as DEP, ASLR and SafeSEH, but the researchers still found ways around them through the browser. Microsoft will respond and address those attacks, but without Dowd and Sotirov’s work, who knows whether those issues would have been found. Indeed, Sotirov told me in an interview yesterday that Microsoft officials were happy they brought the attacks to light so the company could address them in a future release.

It appears that many of the software vendors agree, as they have been hiring researchers at a pretty good clip for a few years now. What a researcher does with his findings is another story altogether, but at least for now, I think there’s still quite a bit of value to be derived from the work.


Aug 19 2008   4:00PM GMT

Judge tosses gag order against MIT students



Posted by: Dennis Fisher
Laws, Investigations and Ethics

Every once in a while things work the way they should. Not often, but sometimes. Tuesday was one of those times, when a federal judge in Boston threw out the gag order that had prevented three MIT students from talking about research they’d done on security vulnerabilities in the Boston subway system. The order, which was imposed nearly two weeks ago, was the result of a lawsuit by the MBTA, which feared publication of the students’ work at Defcon would result in a spike in rider fraud on the system. The agency contended that even allowing the students to talk about their presentation was a violation of the Computer Fraud and Abuse Act, but Judge George O’Toole disagreed. From a blog post by the Electronic Frontier Foundation, which is representing the students:

The Court found that the MBTA was not likely to prevail on the merits of its claim under the federal Computer Fraud and Abuse Act. MBTA had argued that the CFAA, which prohibits the transmission of a program that causes damage to a computer, also covers “verbal transmission,” such as talking to people at conferences. Judge O’Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people.

This is a nice victory for the students, but there never should have been a restraining order, let alone a lawsuit, to begin with, especially considering that all of the material that the students were planning to present is already online. So, the lawsuit is still hanging over their heads, but this move by Judge O’Toole is a step in the right direction and may be an indicator of things to come in the suit, as well.


Aug 18 2008   2:56PM GMT

Researcher Matt Miller joins the Microsoft security team



Posted by: Dennis Fisher
Microsoft Security

Several years ago, the idea of hiring security researchers to work at large software companies was something of a novelty. Vendors such as Microsoft, Oracle Corp., IBM and others took a dim view of this, reasoning that there was no way to know whether someone who was prone to breaking their applications could be trusted in a corporate environment. This was a big topic of conversation in the industry, especially among the researchers, and there was a lot of back-and-forth on mailing lists and at conferences about who was selling out and who was staying true.

Of course, that was all before security research became a mainstream profession, one at which guys like Dave Aitel, HD Moore, David Litchfield and others could make a legitimate living. And now, it seems that there are more researchers inside the belly of the beast than outside. Microsoft has been especially active in hiring researchers, and they’ve just struck again with the news that Matt Miller is joining the Microsoft Security Science team. Miller, also known as Skape, has been doing serious research on Windows exploitation for years and is a major contributor to Moore’s Metasploit Project, as well. Miller is also the author of WehnTrust, a host IPS.

Michael Howard, Microsoft’s resident security development lifecycle chief, announced Miller’s hiring in a blog post: “It’s wonderful to see us hiring more talent like Matt.” And I think he’s right on. I never understood the argument that hackers/researchers needed to stay independent (read: unemployed) in order to do good work. What better place to get a chance to attack the guts of Windows than Redmond? If you look around right now, some of the most innovative research is being done by researchers with corporate backing: Mark Dowd and Alex Sotirov’s Windows memory protection attacks, Billy Hoffman’s AJAX ninjitsu, Billy Rios and Nitesh Dhanjani’s phish poisoning, and Jose Nazario’s continued mastery of the botnet scene.

The idea is to hire the smartest people and let them tackle the hardest problems, right? With Miller’s hiring, you can put one more in the Redmond column.


Aug 14 2008   4:20PM GMT

Hackers take over Discovery Channel on Prototype This!



Posted by: Dennis Fisher
Security

You have to hand it to Joe Grand. He’s clearly got this whole work thing figured out. Grand’s day job as the head of Grand Idea Studio Inc. is essentially to sit around and come up with clever ideas for new products and then help build them. His company helped in the design and build process for the Chumby, a brilliant Internet-delivery system, and he’s also designed the Defcon badges for the last three conferences.

In his spare time, Grand, who was known as Kingpin during his days in the L0pht, has been working on a TV show for the Discovery Channel called Prototype This, which is sort of a do-it-yourselfer’s fantasy. In the show, which debuts Oct. 15, Grand and his three co-hosts work to build innovative projects under tight deadlines and with little in the way of money to work with. Grand’s role on the show is as the electronics and hardware guy, a role he knows well. Some of the projects on the slate include a personal airbag system and a huge water slide simulator.

I had a chance to talk to Grand a few months ago when I was working on a story about @stake and its influence on the security industry. He’s a really smart and funny guy, so I’m guessing that the show will be well worth checking out. I’m hoping to get Joe on my new Nameless Security Podcast sometime in the next few weeks. Stay tuned.


Aug 13 2008   11:26AM GMT

Russian cyberwar! Yes, no, maybe so?



Posted by: Dennis Fisher
Information Security Threats

The specter of cyber-warfare has been looming over the Internet since its earliest days. Once people figured out that they could send malicious traffic to remote computers, it was only a matter of time before discussions turned to how this could be useful in the context of military operations. Given that the Internet’s predecessor was developed on a contract for the Department of Defense, this was a logical school of thought. But despite all of the theories, speculation and postulating, the number of confirmed incidents of one country launching government-sponsored attacks against another country’s networks is essentially zero. Everyone thinks it’s happening and lots of people have suggested that China, Israel, the U.S. and a couple of other countries have been using directed attacks in this way, but there’s no way to know for sure.

So when the shooting war between Russia and Georgia began last week, security experts and non-experts alike were quick to point to the fact that there had been some recent DDoS attacks against Georgian government sites. It’s cyberwar, I tell you! The Russians had it all set up weeks ahead of time! And they’re getting help from the Russian Business Network (RBN) too. It certainly fits together nicely, doesn’t it? RBN is notorious for hosting malware sites and all manner of other garbage, and has been implicated in some attacks as well. So why wouldn’t they join the party and DoS their neighbors?

Well, as it turns out, that string of pearls doesn’t add up to a necklace. The guys at the Shadowserver Foundation, who first noticed the Georgian DDoS attacks and follow botnet and online crime activity closely, posted a terrific analysis of the ongoing attacks against Georgian government sites and came to a logical conclusion: The Russian government isn’t DoSing anyone. Or at least not these targets.

What I can say, without a doubt, is that only the perpetrators know for sure who is behind it. At this point, everyone is speculating on who is behind the denial of service attacks. With that in mind, I’ll offer a few more facts of what we do know, and offer my own personal opinions.

First, as Steven mentioned, we have seen at least six different C&C servers involved in the latest round of attacks. We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we’ve tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn’t seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don’t strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:

  • Adult video websites
  • Prostitution websites
  • White supremacy websites
  • Carder websites (sites that trade in stolen credit card numbers)
  • Online gambling websites
  • Virtual currency websites (think PayPal, but not nearly that legitimate)
  • Russian news websites
  • Random Russian websites
  • Many other websites

I just do not see why a government entity would attack those types of websites. Now, what does seem to be the case is that some number of these botnets are either “DDoS for hire” or “DDoS for extortion” services. The pattern of the sites that attack is reasonably regular, and it’s rare to see them go after a non-commercial site of some sort.

So there you have it. As tantalizing as the prospect of an all-out cyberwar is to headline writers and military talking heads everywhere, it’s probably not the case here. But what about the RBN, you say? Glad you asked.

The other speculation is that this is somehow related to RBN. Again, nobody has any proof of that, including me. I’m in the camp that thinks RBN was nothing more than a hosting provider who provided “bullet-proof” hosting. I don’t think they, themselves, were posting malicious websites or posting child pornography. They hosted it, for sure, but that’s all they did. So, I also don’t think RBN (or whatever they became after being shut down) is actively attempting to deny service to anyone.

Who’s behind the Georgian DDoSes? It’s impossible to be sure, but it really just looks like a bunch of “patriotic” operators inside Russia. It’s not Russia itself and it’s not RBN.

Done and done. I guess we’ll just have to wait until the next Cricket World Cup to see the West Indies DoS England out of contention.

Update: Jose Nazario at Arbor Networks Inc., who knows from botnets and DoS attacks, also has an excellent analysis of the Russia-Georgia situation. His conclusion is the same: no evidence to point to state-sponsored attacks.



Aug 12 2008   2:28PM GMT

Software security is all grown up (or at least walking on its own)



Posted by: Dennis Fisher
Application Security

The software security sector has become one of the more crowded and diverse markets in recent years as vendors with application scanners, static-analysis tools, pen testing teams and hordes of consultants have raced to address the need for better, more secure software. This task once was the province of the big consulting firms and the highly specialized shops like Foundstone Inc., @stake (now Symantec Corp.) and Cigital Inc. But a growing emphasis in both the private sector and the government market on producing better quality code from the start has created a major growth spurt.

How big has it gotten? Somewhere in the neighborhood of $275 million to $300 million in 2007, according to numbers gathered by Cigital CTO Gary McGraw. That number isn’t going to scare the firewall market anytime soon, but it’s nothing to sneeze at either. More than half of that revenue number came from the various software security tools vendors, including HP’s SPI Dynamics unit, IBM’s Watchfire group and smaller players like Cenzic Inc. and WhiteHat Inc. But a big chunk also came from the companies selling so-called white-box analysis tools, such as Fortify Software Inc. and Ounce Labs Inc.

As McGraw points out:

This is a telling development. The source code analysis space is now larger than the black box testing tools space, showing that enterprises are spending money wisely and looking to fix problems, not just identify them from the operations side. Step one in solving software security problems (even when we’re only talking bugs) is knowing exactly where in the code the problem exists. White box analysis is superior to black box analysis in that respect. Plus, the move to encompass source code of any sort is a very nice expansion of software security outside of the “strictly the Web” (port 80) thinking that somewhat hampered the first generation of tools.

This is all for the good. Writing good, reliable software is a notoriously difficult task that even the largest and most well-funded development organizations in the industry still struggle with. Putting more resources into security testing and analysis of code before it goes into production won’t find or fix every problem, but it should help eliminate a lot of the common security and reliability bugs that crop up.