Friday, January 22, 2010

IE 0day failures

I wanted to comment on three failures related to the recent IE 0day.

FAIL #1 - REPORTERS

The blogosphere started debating the merits of German and French recommendations that users dump Internet Explorer.

However, those governments made no such recommendations. Their Internet security agencies recommended that users switch browsers TEMPORARILY, until Microsoft fixed the bug. It is a reasonable thing to recommend: if hackers can easily break into a software application, it is reasonable to recommend that you stop using that application until the problem is fixed. Implicitly, they both recommended going back to IE once Microsoft fixed the problem.

I tracked back to find the source of these false claims. They appear to come from this story by Tony Bradley at PCWorld, where he misrepresents what Germany and France said. Yet he references two stories (here and here) that get their facts right.

For the record, the German bulletin from BSI says "Therefore BSI recommends that until Microsoft makes a patch available, to use an alternative browser". The French bulletin from Certa says "Pending a patch from the publisher, Certa recommends using an alternative browser". (I speak both French and German, these are the correct translations).

FAIL #2 - US-CERT

The equivalent of the German BSI and French Certa is the US-CERT. What did they say about the issue?

I went to their page at http://www.us-cert.gov/ and found nothing. Their National Cyber Alert System ignored the issue. They didn’t publish an advisory until AFTER Microsoft published a patch on January 21.

That's bad, really bad. This IE bug was big. IE6, the version most commonly exploited, has 20% market share, and all versions of IE combined have over 60% market share. US-CERT should have created a bulletin telling people that hackers were widely exploiting browsers with this bug.

The measure of an "emergency response team" is not how well it responds to "normal" events, but how well it responds to "emergencies". The US-CERT does a lot of good work for computer security, but they failed at responding to this emergency. This is a problem, one that the cyber czar should look into.

FAIL #3 - Microsoft?

The bug itself isn't a failure. Bugs happen. Nobody has figured out how to create bug free software. In fact, Microsoft is probably the best in the industry at ridding their code of such bugs, with things like the SDL and operating-system protections like DEP.

Yet, it took a full week to release a patch for this bug, and it appears that Microsoft knew of the bug months ago. That’s a big window for an 0day out in the wild.

Microsoft used to respond faster, but their response time for major vulnerabilities is getting worse every year. That is because they employ, directly or indirectly, half of the security industry, and influence the other half. If Microsoft drags its feet fixing a bug, and a researcher gets frustrated and publishes the bug, Microsoft will blackball them from the industry. Researchers keep quiet because they are afraid of Microsoft.

I know this because that's what Microsoft has threatened me with. We found a trivial Wifi vuln in Windows Mobile several years ago. It was never patched, largely because the mobile provider (Cingular, now AT&T) refused to patch it. Since we could not publish the bug until after the patch, this meant we could never publish the bug. We know of lots of researchers finding bugs in Windows Mobile that never get published for precisely the same reason.

It's a reasonable stance for Microsoft to take. There are lots of evil researchers who try to create havoc by making it difficult for vendors to fix the bugs they discover. Some bugs are difficult to fix, and indeed may take a year to fix, during which time the researcher shouldn't release details. Yet Microsoft has successfully driven this idea too far in the other direction, with the consequence that they are taking too long to patch bugs.

Another problem Microsoft has is "out-of-band patches". In theory, they patch precisely 12 times a year, on the second Tuesday of the month. Patching bugs at irregular times was expensive for them, and since each patch was a surprise to their customers, expensive for their customers. This schedule is cheaper and easier for everyone.

Yet, there are still surprises. I forget, but I think there were three out-of-band patches last year, and now one so far this year.

So, I asked Microsoft what they had budgeted for out-of-band patches. Microsoft’s response was nothing, because such out-of-band patches should never occur. I was surprised by the answer: emergencies will continue to occur, and Microsoft should plan for them. I would bet money that another IE 0day is going to occur in the next 12 months, Microsoft should plan for that as well.

Microsoft is still the best at eliminating bugs and responding to them, but I would call their response to this IE bug a failure. Moreover, Microsoft is getting worse every year at responding to bugs, not better.

UPDATE: The above text about Microsoft is pretty harsh, but I'd like to repeat that Microsoft is still the best at eliminating bugs and responding to them. Also, I like Microsoft, and I believe they are as an ethical and moral company with occasional lapses by individuals, as opposed to a company like Apple which is unethical from the top down. I'm afraid of Microsoft not because they are a lion that might eat me, but because they are an elephant that might step on me by accident.

Tuesday, January 12, 2010

Twiguard update week 3

Let's recap: the first week of our test we got 1250 hits, the second week netted 1741. The third week's total is 1427. At first this seems like the number is dipping, until you factor in sites being removed from the blocked list. Of the 1427, more than half are URLs that were not flagged last week: 784 URLs were flagged this week that were not flagged last week, while several URLs are no longer flagged as malicious. Next week is the last week for this exercise. After that we will start over with a set of URLs that are publicly available so anybody can duplicate my effort.

The point of the exercise is to judge how well a traditional "bad site list" can keep up with the way threats from social networks like Twitter can spread.

Wednesday, January 06, 2010

It's awesome how accurate TwiGUARD is at picking out spammers; here is an example. Below are the TwiGUARD stats we collected on this account:

ID | Username | First Seen Date | Last Seen Date | Folscore
174597 | BTLife7 | 2010-01-06 19:24:00 -0500 | 2010-01-06 19:24:00 -0500 | 100

Keep in mind a folscore of greater than 75 is considered bad.

Tuesday, January 05, 2010

Decrypting USB flash drives is easy

According to this Slashdot article, a company has successfully decrypted USB flash drives. In our experience, this is probably true. Several years ago, we put a USB sniffer on the bus and found that most USB flash drives can be trivially broken.

It's a familiar story. Hackers don't break encryption, they break how encryption is used. In this case, hackers didn't break AES; they exploited the fact that the vendors never actually tied the drive's encryption to the password.

This is why you should distrust marketing messages like "military grade encryption" or "FIPS certified encryption". Sure, the encryption is secure, but that doesn't mean the vendor hasn't done something boneheaded, like leaving the password in clear-text.

If you are concerned about your USB drive, the easiest way to check it is to use a USB sniffer. There are lots of freeware and open-source products, as well as expensive hardware sniffers. You can check what is being sent to the drive in order to decrypt it. We have seen all sorts of weird things, such as the software asking the drive for the password (which we then see being sent in the clear over the USB bus). In this case, it appears that the software asks the drive if the password is correct, but then unlocks the drive using a fixed string.
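The two things the paragraph above says to look for in a sniffer capture, written up as an added example (not code from the original post): it takes transfers already recorded with a USB sniffer, kept here as (direction, payload) tuples, and checks whether the password crosses the bus in the clear and whether the unlock command is the same fixed string regardless of which password was typed. The captures are constructed, and "the last host-to-device transfer is the unlock command" is an assumption about the sniffed protocol.

```python
"""Check whether a drive's unlock traffic really depends on the password.

Added example, not from the original post. It runs over transfers already
recorded with a USB sniffer, kept as (direction, payload) tuples, and encodes
the two observations the post describes: the password crossing the bus in
the clear, and the host unlocking with one fixed string whatever password
was typed. The captures are constructed, and "the last host-to-device
transfer is the unlock command" is an assumption about the sniffed protocol.
"""
import hashlib

HOST_TO_DEV = "host->dev"

def password_on_bus(capture, password):
    """True if the password bytes appear verbatim in host-to-device traffic."""
    pw = password.encode()
    return any(d == HOST_TO_DEV and pw in payload for d, payload in capture)

def unlock_payload(capture):
    """Assumption: the last host-to-device transfer is the unlock command."""
    return [p for d, p in capture if d == HOST_TO_DEV][-1]

def assess(capture_a, pw_a, capture_b, pw_b):
    """Compare two unlock captures of the same drive taken with different passwords."""
    findings = []
    if password_on_bus(capture_a, pw_a) or password_on_bus(capture_b, pw_b):
        findings.append("password sent in clear text")
    if unlock_payload(capture_a) == unlock_payload(capture_b):
        findings.append("unlock command identical for both passwords")
    return findings

def _capture(check, unlock):
    # Constructed exchange: host asks the drive to check a credential, drive
    # answers OK, host then sends the unlock command.
    return [(HOST_TO_DEV, b"CHECK:" + check), ("dev->host", b"OK"), (HOST_TO_DEV, b"UNLOCK:" + unlock)]

def _derived(password):
    # Stand-in for a real password-based key derivation; only its password dependence matters here.
    return hashlib.sha256(password.encode()).digest()

FIXED = b"\xde\xad\xbe\xef" * 4
WEAK_A = _capture(b"hunter2", FIXED)            # password in clear, fixed unlock
WEAK_B = _capture(b"correct horse", FIXED)
SANE_A = _capture(_derived("hunter2"), _derived("hunter2"))
SANE_B = _capture(_derived("correct horse"), _derived("correct horse"))

if __name__ == "__main__":
    print("weak drive:", assess(WEAK_A, "hunter2", WEAK_B, "correct horse"))
    print("sane drive:", assess(SANE_A, "hunter2", SANE_B, "correct horse"))
```

Unlocking the same drive twice with two different passwords is what makes the fixed-string case visible: a single capture cannot tell a derived value from a constant.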

There are only a few chipsets out there for USB drives. Regardless of the vendor name and the case on the outside, most drives are the same on the inside. This is why there is a chain of failure. A vendor like Kingston doesn't know the innards of the chip. They simply build a product around it, and ship it through their channels. They trust that the chipset vendor knows what they are doing. This is why you can never trust encrypted USB drives: there is nobody that stands behind them. I would suggest using a product like TrueCrypt or PGP Disk on top of the flash drive, because those guys do stand behind their encryption.

Twiguard update week 2

In a follow-up to last week's post on how quickly established blacklist systems can respond to social networking threats, I have rerun the same list of URLs through an updated Google Safe Browsing install. Last week this list produced 1250 hits; this week it produced 1741 hits. That is around a 39% increase in a week. This alone is not bad, but if you think about how quickly a scammer or phisher can set up a new site and lure in victims, even a few hours can make a big difference in curbing infections. I will rerun this test in a week and report the results; by then I should have enough data to start creating pretty charts!
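The week-over-week comparison used in this post and the week-3 recap (total hits, URLs newly flagged, URLs dropped from the list, percentage change) and the lag metric the exercise is really after (how many weekly reruns pass before a URL is first flagged), as an added example that is not code from the original posts. The URLs and runs below are constructed; the 1250-to-1741 figures are from the post.

```python
"""Measure how far a blacklist lags behind a fixed list of suspect URLs.

Added example, not code from the original post. It assumes the exercise
described above: the same URL list is rechecked weekly against a blacklist
and each run records the set of URLs that came back flagged.
"""
from collections import Counter


def weekly_churn(prev, curr):
    """Compare two weekly runs over the same URL list.

    Returns total hits, URLs newly flagged this week, URLs that were
    flagged last week but no longer are, and the percentage change.
    """
    newly = curr - prev
    dropped = prev - curr
    pct = (len(curr) - len(prev)) / len(prev) * 100 if prev else 0.0
    return {
        "hits": len(curr),
        "new": len(newly),
        "dropped": len(dropped),
        "pct_change": round(pct, 1),
    }


def detection_lag(runs, all_urls):
    """Count, for every URL in the list, how many weekly runs passed before
    it was first flagged: 0 means caught on the first run, None never."""
    lag = Counter()
    for url in all_urls:
        first = next((i for i, flagged in enumerate(runs) if url in flagged), None)
        lag[first] += 1
    return lag


# Constructed sample: four suspect URLs rechecked over three weekly runs.
ALL_URLS = {"http://a.example", "http://b.example", "http://c.example", "http://d.example"}
RUNS = [
    {"http://a.example"},                       # week 1: only a flagged
    {"http://a.example", "http://b.example"},   # week 2: b caught, a still listed
    {"http://b.example", "http://c.example"},   # week 3: c caught, a dropped
]

if __name__ == "__main__":
    for week in range(1, len(RUNS)):
        print(f"week {week + 1}:", weekly_churn(RUNS[week - 1], RUNS[week]))
    print("lag in weeks -> URL count:", dict(detection_lag(RUNS, ALL_URLS)))
```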

Twiguard does more than just collect bad URLs; it collects bad users as well. We have created a formula for evaluating a Twitter profile and its 20 most recent tweets and assigning it a score between 0 and 100. The closer to 100 the score is, the more likely the profile is a spammer, malware spreader, or somebody you don't want to talk to. We call this score the "follow score", or folscore in the programs. Below is a screenshot of our database where we have tracked unique users for 8 hours. We ended up with 61255 users, of which 5144 had a score of 75 or higher. Anything above 75 is our threshold for confidently marking a profile as dangerous. The average profile score is 9, with about 8% of all observed users falling into the over-75 range. We are constantly tweaking the algorithm when we find false positives or statistical outliers. At this time all the users that have been identified spreading banned URLs have a follow score of 90 or higher, so I am feeling confident about the accuracy.

As an example, my Twitter account is donicer and I have a score of 4, and I am almost positive I am not a spammer!
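A parser for the stats rows shown in the week-3 post, with the 75 cut-off from this post applied to produce the kind of summary quoted above (user count, how many are flagged, the flagged fraction, the average score). This is an added example, not TwiGUARD's own code; the BTLife7 row is from the post and the other rows are constructed.

```python
"""Parse TwiGUARD-style user stat rows and summarize folscores.

Added example, not TwiGUARD's own code. Row layout follows the week-3 post's
table; the BTLife7 row is from that post, the other rows are constructed,
and 75 is the cut-off the posts give for marking a profile dangerous.
"""
from dataclasses import dataclass
from datetime import datetime

FOLSCORE_THRESHOLD = 75
TIME_FMT = "%Y-%m-%d %H:%M:%S %z"

@dataclass
class UserStat:
    user_id: int
    username: str
    first_seen: datetime
    last_seen: datetime
    folscore: int

def parse_row(line):
    """Parse one '| id | name | first | last | score |' row, rejecting malformed ones."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    uid, name, first, last, score = fields
    folscore = int(score)
    if not 0 <= folscore <= 100:
        raise ValueError(f"folscore out of range 0..100: {folscore}")
    return UserStat(int(uid), name, datetime.strptime(first, TIME_FMT),
                    datetime.strptime(last, TIME_FMT), folscore)

def summarize(rows):
    """Count profiles at or above the threshold and the average score."""
    stats = [parse_row(r) for r in rows]
    flagged = sorted(s.username for s in stats if s.folscore >= FOLSCORE_THRESHOLD)
    return {"users": len(stats), "flagged": len(flagged),
            "flagged_pct": round(100 * len(flagged) / len(stats), 1),
            "avg_score": round(sum(s.folscore for s in stats) / len(stats), 1),
            "flagged_names": flagged}

SAMPLE_ROWS = [  # first row from the post, the rest constructed
    "| 174597 | BTLife7 | 2010-01-06 19:24:00 -0500 | 2010-01-06 19:24:00 -0500 | 100 |",
    "| 100001 | donicer | 2010-01-05 08:00:00 -0500 | 2010-01-05 16:00:00 -0500 | 4 |",
    "| 100002 | quiet_user | 2010-01-05 08:10:00 -0500 | 2010-01-05 15:30:00 -0500 | 9 |",
    "| 100003 | borderline | 2010-01-05 09:00:00 -0500 | 2010-01-05 09:05:00 -0500 | 75 |",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```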