<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><title type="html">From Source to Secure</title><subtitle type="html">Secure development: The way software has to be done.  </subtitle><id>http://blogs.msdn.com/rockyh/atom.xml</id><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/default.aspx" /><link rel="self" type="application/atom+xml" href="http://blogs.msdn.com/rockyh/atom.xml" /><generator uri="http://communityserver.org" version="2.1.61025.2">Community Server</generator><updated>2008-08-31T22:37:48Z</updated><entry><title>Windows 7 and Windows Server 2008 R2 RTM is Official</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/07/23/windows-7-and-windows-server-2008-r2-rtm-is-official.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/07/23/windows-7-and-windows-server-2008-r2-rtm-is-official.aspx</id><published>2009-07-23T03:51:06Z</published><updated>2009-07-23T03:51:06Z</updated><content type="html">&lt;p&gt;Well the moment we’ve been waiting for is here. Windows 7 / Server 2008 R2 has officially been released to manufacturing. That means we’re now just waiting for the packaging machines. &lt;/p&gt;  &lt;p&gt;Brandon LeBlanc posted a video about the RTM and sign-off process in &lt;a href="http://windowsteamblog.com/blogs/windows7/archive/2009/07/22/more-on-windows-7-s-rtm-milestone.aspx" target="_blank"&gt;this blog post&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;One of the best things about this release is its predictability. We locked the feature set down early, so our OEM and hardware partners had lots of time to work on drivers, and customised installs. &lt;/p&gt;  &lt;p&gt;One of my favourite things about Win 7 is its performance. It’s the first time in any operating system’s history that the minimum machine specs went down rather than up. 
&lt;/p&gt;  &lt;p&gt;The feedback from everyone on improvements, annoyances, bugs, and religious debates has been almost overwhelming. So we did as much as we could to get it incorporated into the product. &lt;/p&gt;  &lt;p&gt;The Server side is loaded with great benefits that will allow companies to have more powerful servers, that cost less to run, and save them money. Their announcement is listed &lt;a href="http://blogs.technet.com/windowsserver/archive/2009/07/22/windows-server-2008-r2-rtm.aspx" target="_blank"&gt;in this post&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;If you are interested in when you will be able to get the real RTM build, rather than the tweaked and leaked ones, read &lt;a href="http://windowsteamblog.com/blogs/windows7/archive/2009/07/21/when-will-you-get-windows-7-rtm.aspx" target="_blank"&gt;Brandon’s post on it&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;(and as some friendly advice, it’s best not to post complaints about things in the build you just installed because if you got it before today or Aug 6th most likely, it’s been pirated and probably trojaned.) &lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author></entry><entry><title>Tech Ed Security Track News</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/07/22/tech-ed-security-track-news.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/07/22/tech-ed-security-track-news.aspx</id><published>2009-07-21T16:55:29Z</published><updated>2009-07-21T16:55:29Z</updated><content type="html">&lt;p&gt;Hi Gang,&lt;/p&gt;  &lt;p&gt;Well things are lining up nicely for Tech Ed AU/NZ 09. I was finally able to finalise the security track. 
This year one of our highlight speakers is &lt;a href="http://blogs.msdn.com/michael_howard/" target="_blank"&gt;Michael Howard&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Michael will be running two sessions on the SDL for us and a special 1/2 day SDL workshop. So watch Commnet and sign up as seats will be limited.&lt;/p&gt;  &lt;p&gt;Corneliu is back discussing .NET 4.0 security, and Orin Thomas of Microsoft Press fame will be doing some interesting sessions on mobile security and how to stop rogue administrators. &lt;/p&gt;  &lt;p&gt;Jamie Sharp will be discussing Stirling and the new bits of Threat Management Gateway.&lt;/p&gt;  &lt;p&gt;We’ll have plenty more great sessions. Stay tuned!&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Security Track" scheme="http://blogs.msdn.com/rockyh/archive/tags/Security+Track/default.aspx" /><category term="Tech Ed" scheme="http://blogs.msdn.com/rockyh/archive/tags/Tech+Ed/default.aspx" /><category term="TechEd Australia" scheme="http://blogs.msdn.com/rockyh/archive/tags/TechEd+Australia/default.aspx" /></entry><entry><title>Security Features vs Security Bugs</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/07/22/security-features-vs-security-bugs.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/07/22/security-features-vs-security-bugs.aspx</id><published>2009-07-21T16:04:04Z</published><updated>2009-07-21T16:04:04Z</updated><content type="html">&lt;p&gt;Several times when I've been talking with customers about implementing an SDL, or what they should be doing to secure their in-house developed applications, I get asked a similar branch of questions.&lt;/p&gt;  &lt;p&gt;· Why do we need to review the design if we review the code?&lt;/p&gt;  &lt;p&gt;· Why do we need to scan the code, if we are going to penetration 
test?&lt;/p&gt;  &lt;p&gt;· But we are using an authentication library, and we are using PKI, so why do we need to do a security review? &lt;/p&gt;  &lt;p&gt;A lot of this comes down to the difference between security features, and security bugs. This is an important distinction and hopefully this article will lend some clarity to why we do all the things we do in an SDL. &lt;/p&gt;  &lt;h4&gt;Security Features&lt;/h4&gt;  &lt;p&gt;Security Features are normally driven by regulation, policy, or best practice. Security Features are components you build into your system to handle certain aspects in order to control access to the system. An example of a security feature is an authentication / authorisation system. You may be using Active Directory, OpenLDAP, or some other kind of system to prove a user's identity, and verify that they are allowed to access the things they are requesting access to. Implementing certificate based digital signatures, or using a centralised input validation system are other examples of security features. &lt;/p&gt;  &lt;p&gt;Some of the things that identify security features for your application are architecture and design decisions, your choice of libraries or third party components to use, and taking advantage of platform features to provide secure access to your system. &lt;/p&gt;  &lt;p&gt;Security features are normally tested by a test team during user acceptance testing. They determine if indeed access to certain assets is restricted to only authorised users, and inversely, that authorised users can get to everything they need to. &lt;/p&gt;  &lt;p&gt;Some of the tools used to test security features are your regular testing suites and automated test tools. Test Director comes to mind as one of these. Or even the performance, or load tests built into Visual Studio Team Test. 
&lt;/p&gt;  &lt;p&gt;Most people think that these things are what we mean by creating secure software and in fact this is a large part of it, but there is more to it. Consider this: did you implement your security features securely? &lt;/p&gt;  &lt;h4&gt;Security Bugs&lt;/h4&gt;  &lt;p&gt;Security bugs come from implementing things incorrectly. They are most commonly thought of as vulnerabilities. They can be created in any component of the system and will be there regardless of the security components you build into your system. In actual fact, the security components you build can have security bugs. These are the things that attackers take advantage of to exploit systems. &lt;/p&gt;  &lt;p&gt;Some of the things that identify a security bug are validation failures, cross site scripting vulnerabilities, unexpected input that allows your authorisation components to be bypassed. They are normally created by mistakes during development. They are, in a word, bugs. &lt;/p&gt;  &lt;p&gt;You test for security bugs with fuzz testing, penetration testing, and automated vulnerability scanners. This is where you are not testing for the presence of an authentication mechanism, but how can you break or bypass it. Attackers look for these kinds of problems. &lt;/p&gt;  &lt;p&gt;The kinds of tools you use to look for these problems are static code analysis tools such as FxCop, CAT.NET, and other commercially available tools such as Fortify 360. These are the kinds of problems that penetration testers look for and exploit with other tools like Nessus, Metasploit, and CANVAS. &lt;/p&gt;  &lt;p&gt;Now a combination of the two, say failure to implement an input validation system, can compromise your perfectly implemented authentication / authorisation system. These implementation level bugs are more insidious because they are harder to detect, and easy to overlook, especially if project timeframes are short. 
&lt;/p&gt;  &lt;p&gt;Don't confuse security features such as secure firewalled networks, AD integration, and Enterprise Library input validation, with security bugs which can occur in any of these. It is this distinction that drives the multi-level security review and testing approach. &lt;/p&gt;  &lt;p&gt;Here is a table that will help define things:   &lt;table border="1" cellspacing="0" cellpadding="0"&gt;&lt;tbody&gt;       &lt;tr&gt;         &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;Security Feature&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;Security Bug&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;Example&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;AD Integration, Enterprise Library Validation Block, Enterprise Library Logging, Input validation components, Firewalls, IPSec&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Buffer Overflows&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;Identified During&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Architecture Review, Design Review, Threat Modeling, &lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Code Review, Code Scanning, Penetration Testing&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;How to test for&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          
&lt;td valign="top" width="213"&gt;           &lt;p&gt;User testing, Unit Testing&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Pen Testing, Fuzz Testing&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;Category&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Component, Sub System, Dependencies, Library, API&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Vulnerability, Mistake, Bug, Accident&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;        &lt;tr&gt;         &lt;td valign="top" width="213"&gt;           &lt;p&gt;&lt;b&gt;Problem Prevention&lt;/b&gt;&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Best Practice, Standards, Policies&lt;/p&gt;         &lt;/td&gt;          &lt;td valign="top" width="213"&gt;           &lt;p&gt;Training, paying attention to detail&lt;/p&gt;         &lt;/td&gt;       &lt;/tr&gt;     &lt;/tbody&gt;&lt;/table&gt; &lt;/p&gt;  &lt;p&gt;The next time a security guy asks you if you have put your developers through secure app dev training, or if you are using an SDL, and code scanning, he’s not referring to you using AD integration and if you have good data access control. He’s asking if you implemented them correctly. &lt;/p&gt;  &lt;p&gt;So remember, &lt;i&gt;make sure you do the right thing, and do the thing right&lt;/i&gt;. 
&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Security" scheme="http://blogs.msdn.com/rockyh/archive/tags/Security/default.aspx" /><category term="SDL" scheme="http://blogs.msdn.com/rockyh/archive/tags/SDL/default.aspx" /></entry><entry><title>Finally, answers on the Web – Bing</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/06/11/finally-answers-on-the-web-bing.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/06/11/finally-answers-on-the-web-bing.aspx</id><published>2009-06-11T11:17:28Z</published><updated>2009-06-11T11:17:28Z</updated><content type="html">&lt;p&gt;Bing and the world Bing’s with you, Search and you Google alone…&lt;/p&gt;  &lt;p&gt;I must admit I wasn’t a real huge fan of the search results that I got with Live. But I think someone was listening. &lt;/p&gt;  &lt;p&gt;We introduced Bing to the world and I have to tell ya, it’s all it’s cracked up to be and more.&amp;#160; I love the instant answers part of it. Not just for search but for things like flight schedules and even math equations if you are so inclined. &lt;/p&gt;  &lt;p&gt;Bing is so much more than a search engine. It’s an Answer Engine. For example here is some of the stuff you can do with the Instant Answers features:&lt;/p&gt;  &lt;h6&gt;Find instant answers&lt;/h6&gt;  &lt;p&gt;Need a quick answer instead of a hundred links to websites that might contain your answer? 
Use our Instant Answers to get what you need fast.&lt;/p&gt;  &lt;p&gt;Instant answers are available in the following categories:&lt;/p&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Conversions&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Convert units of measurements for distance, weight, time, volume, and temperature. You can also include mathematical expressions in some conversion questions to get a calculated, converted answer.&lt;/p&gt;  &lt;p&gt;To see the conversion answer in action, try some of these examples:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;How many seconds in a day&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;What is 50 degrees F in Celsius&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;How many kilometers in a light year&lt;/strong&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Flight Deals&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Get quick access to flight deals and cheap tickets.&lt;/p&gt;  &lt;p&gt;To see the flight deals answer in action, try some of these examples:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Deals on specific routes: &lt;strong&gt;flights from Seattle to Boston&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;Deals from a specific city: &lt;strong&gt;flights from San Diego&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;Deals to a specific city: &lt;strong&gt;flights to Boston&lt;/strong&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" 
src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Flight Status&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Make sure you're not late to the airport using the flight status answer.&lt;/p&gt;  &lt;p&gt;To see the flight status answer in action, try some of these examples:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;flight status for United&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;flight status&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;ua820&lt;/strong&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Hotels&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Find a great place to stay wherever you're going with the hotels answer.&lt;/p&gt;  &lt;p&gt;To see the hotels answer in action, try some of these examples:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;Vegas hotels&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;hotels in Orlando&lt;/strong&gt;&lt;/li&gt;    &lt;li&gt;&lt;strong&gt;San Francisco hotels&lt;/strong&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Math &lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Find basic mathematical operators, exponents, roots, factorials, modulo, percentages, logarithms, trigonometry functions, and mathematical 
constants. In the search box, type the equation that you want to solve or the constant that you want to find the value of. &lt;/p&gt;  &lt;p&gt;The following examples show some of the calculations and conversions that you can type in the search box.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;     &lt;p&gt;&lt;strong&gt;Calculations&lt;/strong&gt;: Get answers to arithmetic problems. For example:&lt;/p&gt;      &lt;ul&gt;       &lt;li&gt;&lt;strong&gt;5+3/1-(6*2)&lt;/strong&gt;&lt;/li&gt;        &lt;li&gt;&lt;strong&gt;sqrt 9&lt;/strong&gt;&lt;/li&gt;        &lt;li&gt;&lt;strong&gt;sin 100 * 50&lt;/strong&gt;&lt;/li&gt;        &lt;li&gt;&lt;strong&gt;32% of 54&lt;/strong&gt;&lt;/li&gt;     &lt;/ul&gt;   &lt;/li&gt;    &lt;li&gt;     &lt;p&gt;&lt;strong&gt;Equation solver&lt;/strong&gt;: Solve simple algebraic equations. For example:&lt;/p&gt;      &lt;ul&gt;       &lt;li&gt;&lt;strong&gt;4x=19&lt;/strong&gt;&lt;/li&gt;        &lt;li&gt;&lt;strong&gt;2y^2 + 5y + 10 = 40&lt;/strong&gt;&lt;/li&gt;        &lt;li&gt;&lt;strong&gt;Solve 2x + 7 = 4&lt;/strong&gt;&lt;/li&gt;     &lt;/ul&gt;   &lt;/li&gt; &lt;/ul&gt;  &lt;h6&gt;Note&lt;/h6&gt;  &lt;p&gt;For more mathematical symbols that you can use in expressions and equations, see &lt;a href="http://help.live.com/Help.aspx?market=en-AU&amp;amp;project=WL_Searchv1&amp;amp;querytype=topic&amp;amp;query=WL_SEARCH_REF_MathNotations.htm"&gt;Mathematical notations for use with Math Answers&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Financial quotes&lt;/a&gt;&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Go to &lt;a href="http://g.live.com/0HE_TRACKSTAR_ENAU9/76013"&gt;http://www.bing.com/&lt;/a&gt;. 
&lt;/li&gt;    &lt;li&gt;In the search box, type &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;ticker symbols&lt;/a&gt; (Letters and numbers that are used to represent companies in stock markets.) for up to nine companies, funds, or indexes, followed by &lt;strong&gt;stock&lt;/strong&gt; or &lt;strong&gt;quote&lt;/strong&gt;. &lt;/li&gt;    &lt;li&gt;Click the search button &lt;img alt="Search" align="absMiddle" src="http://help.live.com/resources/targeted/en-AU/WL_Searchv1/content/search.gif" /&gt; or press ENTER.&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;&lt;img border="0" align="absBottom" src="http://help.live.com/resources/neutral/glyph_collapse_rest.gif" width="11" height="11" /&gt; &lt;a href="http://help.live.com/help.aspx?project=wl_searchv1&amp;amp;market=en-AU&amp;amp;querytype=keyword&amp;amp;query=hcraesbew&amp;amp;tmt=&amp;amp;domain=www.bing.com:80#"&gt;Statistical information&lt;/a&gt;&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Go to &lt;a href="http://g.live.com/0HE_TRACKSTAR_ENAU9/76013"&gt;http://www.bing.com/&lt;/a&gt;. &lt;/li&gt;    &lt;li&gt;In the search box, type what you want to find. For example, &lt;em&gt;population of China&lt;/em&gt;, or &lt;em&gt;cars in US&lt;/em&gt;. &lt;/li&gt;    &lt;li&gt;Click the search button &lt;img alt="Search" align="absMiddle" src="http://help.live.com/resources/targeted/en-AU/WL_Searchv1/content/search.gif" /&gt; or press ENTER.&lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;So of course now I’m off to investigate just how much information can be found out on a person or company through this very powerful Answer Engine. Stay Tuned. 
&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Security" scheme="http://blogs.msdn.com/rockyh/archive/tags/Security/default.aspx" /><category term="Privacy" scheme="http://blogs.msdn.com/rockyh/archive/tags/Privacy/default.aspx" /><category term="Bing" scheme="http://blogs.msdn.com/rockyh/archive/tags/Bing/default.aspx" /></entry><entry><title>Security Camp Oz on Again!</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/06/11/security-camp-oz-on-again.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/06/11/security-camp-oz-on-again.aspx</id><published>2009-06-11T10:31:29Z</published><updated>2009-06-11T10:31:29Z</updated><content type="html">&lt;p&gt;Hello everyone! Well Security Camp Oz is on once again this year. After a bit of a break due to well, chaos, we’re all ready to go again. &lt;/p&gt;  &lt;p&gt;If you’d like to attend, check out the new web site at &lt;a href="http://www.securitycampoz.com"&gt;http://www.securitycampoz.com&lt;/a&gt; and submit your registration in the &lt;a href="http://securitycampoz.com/forums/10.aspx" target="_blank"&gt;SCO Forums&lt;/a&gt;.&amp;#160; &lt;/p&gt;  &lt;p&gt;While you’re there let us know who you’d like to see as a speaker this year. 
We have also opened up the &lt;a href="http://securitycampoz.com/blogs/sample_weblog/archive/2009/06/11/sco-2009-call-for-papers.aspx" target="_blank"&gt;Call For Papers&lt;/a&gt; if you would like to submit one yourself.&amp;#160; &lt;/p&gt;  &lt;p&gt;We hope to see you there!&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author></entry><entry><title>Tech Ed AU/NZ Call for content – Security Track</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/05/13/tech-ed-au-nz-call-for-content-security-track.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/05/13/tech-ed-au-nz-call-for-content-security-track.aspx</id><published>2009-05-13T02:31:32Z</published><updated>2009-05-13T02:31:32Z</updated><content type="html">&lt;p&gt;&lt;a href="http://www.microsoft.com/australia/teched"&gt;&lt;img title="Tech.Ed Australia" border="0" alt="Tech.Ed Australia" align="left" src="http://blogs.msdn.com/blogfiles/acoat/WindowsLiveWriter/Tec.EdAustraliaandNewZealandCallforConte_BFFD/image_3.png" width="240" height="205" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;The Tech•Ed 2009 season kicks off next week in LA, and the show comes to &lt;a href="http://www.microsoft.com.au/teched/default.aspx"&gt;Australia&lt;/a&gt; and New Zealand in mid-September. We’ve just opened the Call for Content tool so now’s the time to submit that great idea for a session. 
Details about how to submit are at the bottom of this post.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.msteched.com/public/cftrules_pop.aspx"&gt;Here are the rules&lt;/a&gt; for submitting content and what we’ll cover/not cover if the track owners select your session(s).&lt;/p&gt;  &lt;p&gt;All the way through the process you’ll be able to review your submission and track its status. This is the first time we’ve opened up the Call for Content publicly like this and we’re likely to receive many more proposals than we’ve got slots to fill, so please don’t be disappointed if your submission isn’t selected.&lt;/p&gt;  &lt;h3&gt;Tips for Successful Submissions &lt;/h3&gt;  &lt;ul&gt;   &lt;li&gt;Write a descriptive, fun and enticing title &lt;/li&gt;    &lt;li&gt;Target 300-400 level technical content; 200 level content is in low demand &lt;/li&gt;    &lt;li&gt;Describe content that is new, unique or significantly refreshed from a previous presentation. &lt;/li&gt;    &lt;li&gt;Take a solution oriented approach &lt;/li&gt;    &lt;li&gt;Align your topic to the technologies listed for the track &lt;/li&gt;    &lt;li&gt;Ensure there is no marketing in your content &lt;/li&gt;    &lt;li&gt;Showcase your speaking experience &lt;/li&gt;    &lt;li&gt;Focus on currently released technologies, technologies in beta or technologies that will be released within 12 months of Tech·Ed &lt;/li&gt;    &lt;li&gt;Include one or more live demos. Historically, sessions with strong demos receive higher audience scores &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;By the way, Tech•Ed veteran &lt;a href="http://sqlblog.com/blogs/greg_low/default.aspx"&gt;Greg Low&lt;/a&gt;’s done a wonderful &lt;a href="http://sqlblog.com/blogs/greg_low/archive/2008/09/30/presenting-at-large-events-lessons-learned.aspx"&gt;screencast series on presenting at large events&lt;/a&gt;. 
Well worth a look if you’re considering submitting content for any event.&lt;/p&gt;  &lt;h3&gt;Tracks and Technologies&lt;/h3&gt;  &lt;p&gt;There are 13 tracks at Tech•Ed this year and each one is owned by one or more local Microsoft folk. Here are the tracks, a quick abstract of what they will cover and the owner of each track. You may want to use this to guide your submission.&lt;/p&gt;  &lt;h4&gt;Windows Client and Server&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owners&lt;/strong&gt;: &lt;a href="http://blogs.technet.com/jeffa36"&gt;Jeff Alexander&lt;/a&gt;, Philip Duff, &lt;a href="http://blogs.technet.com/adhall"&gt;Adam Hall&lt;/a&gt; and Deannah Templeton.&lt;/p&gt;  &lt;p&gt;The basis of any strong data centre now and for the future starts with the core operating system. The Windows Server® family of products provides you with the best solution to build your IT infrastructure for any size organization. From the Essential Server Solutions to Windows Server 2008 R2, this track shows you the solutions and set of technologies to ensure success.    &lt;br /&gt;In addition, this track covers the comprehensive set of management products and solutions enabled by the Microsoft® System Center product suite as well as various Windows Management Technologies to help you gain back control of your environment. The sessions presented provide you with in-depth guidance and technical background in &amp;quot;Managing the Data centre&amp;quot; and &amp;quot;Managing the Desktop&amp;quot; while also covering the management of heterogeneous IT environments.     &lt;br /&gt;Finally, the Windows Client and Server track has everything you need to know about adoption, deployment, management, and virtualization of the Windows® Desktop Environment, including a technical introduction into Windows 7 and Microsoft® Internet Explorer® 8. 
Come learn best practices and hear about the advancements in the Windows Client technologies which will help you manage and accelerate your desktop deployment efforts. Get real-world guidance from our industry experts via sessions that span client-side development, readying applications for your OS roll-out, deployment tools and technologies, virtualization, and much more.&lt;/p&gt;  &lt;h4&gt;Office System&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owners&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/alspeirs/default.aspx"&gt;Alistair Speirs&lt;/a&gt;, &lt;a href="http://blogs.msdn.com/ianpal"&gt;Ian Palangio&lt;/a&gt; and Paul Quirk&lt;/p&gt;  &lt;p&gt;The Office and SharePoint® track provides IT professionals and developers with a deep technical arsenal for the 2007 Microsoft® Office system. Come and learn from industry experts the best practices and advice on how to architect, design, deploy, and implement world-class solutions built on the Office and SharePoint platform technologies. Be prepared to learn more about the next wave of innovations while also going deep into 2007 Office system products and technologies such as SharePoint Server 2007, Office Enterprise, Open XML File Formats, InfoPath® 2007, SharePoint Designer, Project Server 2007, and SharePoint Online. As an IT professional, learn about Office server and client applications with sessions covering security, deployment, management, customization, and administration. 
As a developer, learn how to take your ASP.NET expertise to the fast-growing SharePoint ecosystem, how to craft the next generation of &amp;quot;Office Business Applications&amp;quot; and about the latest techniques for creating applications involving Microsoft Office, composition, collaboration, software-plus-services, VOIP, Open XML, Silverlight™, and more!&lt;/p&gt;  &lt;h4&gt;Unified Communications&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owners&lt;/strong&gt;: &lt;a href="http://blogs.technet.com/jkruse/"&gt;Johann Kruse&lt;/a&gt; and Paul Dolley&lt;/p&gt;  &lt;p&gt;Microsoft unified communications technologies use the power of software to deliver complete communications (messaging, voice, and video) across the applications and devices that people use every day. The Unified Communications track strengthens your knowledge of Microsoft Unified Communications platform and technologies, including Microsoft Exchange Server, Microsoft® Office Communications Server 2007 R2, Microsoft Office LiveMeeting and Microsoft® Exchange Online. Explore how you can streamline your organization's communications, build presence aware applications, roll out an on-premise, hosted messaging and collaboration system, and much more!&lt;/p&gt;  &lt;h4&gt;Web&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/mkordahi"&gt;Michael Kordahi&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The Web and User Experience track brings you all the latest information on cutting-edge Web technologies and provides you with the latest in developing great user experiences from the Windows® desktop to mobile devices to cross-browser and cross-platform on the Web. Get the latest information on Windows Presentation Foundation, XAML, Microsoft® Expression® Studio, and Microsoft® Silverlight™, as well as all the in-depth coverage of Microsoft® Internet Information Services (IIS), ASP.NET, ASP.NET AJAX, Microsoft® Internet Explorer®, Windows Live™ Platform, and Commerce Server. 
Whether you are interested in taking your ASP.NET development to the next level, or finding out how you can use your .NET development skills to build rich experiences that run in the Safari browser on the Mac, the Web and User Experience track is for you.&lt;/p&gt;  &lt;h4&gt;Developer Tools and Practices&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/dglover/"&gt;Dave Glover&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Your knowledge of development languages and proficiency with the tools you use to create software are the core of your skill set. The Developer Tools, Languages, and Frameworks track is packed with deep technical training that covers the best of Microsoft® Visual Studio® 2008, and the upcoming Visual Studio® 2010. Get in-depth information on building mission-critical software using Microsoft® Visual Basic® and Visual C#®. Amplify your application development impact with Application Lifecycle Management (ALM) best practices using the Visual Studio Team System. Acquire the skills that you need to make an immediate impact in your organization while preparing for future versions of Visual Studio.&lt;/p&gt;  &lt;h4&gt;Architecture&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/nigelwat/"&gt;Nigel Watson&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The Architecture track offers sessions focused on Architecture of technology and Architecture as a practice. 
Elements include the architectural process of translating business vision, intent, and strategy into effective technological change in the Enterprise; addressing the skills of creating, communicating, and improving the key tenets, principles, and models that describe the Enterprise's future state and enable its transformation, evolution, or migration.&lt;/p&gt;  &lt;h4&gt;SQL and BI&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: Ron Dunn&lt;/p&gt;  &lt;p&gt;The Microsoft® SQL Server® data platform helps your organization manage any data, any place, any time with the security, reliability and scalability that your mission-critical applications require. The SQL and BI track offers the knowledge you need to maximize your Microsoft SQL Server investments and gain the skills needed to seamlessly run a mission-critical environment. Gain insights into future SQL Server technology investments so you can rest assured knowing the bets you make today will continue to pay off in the future.    &lt;br /&gt;Now more than ever, your business needs a quick means of getting the right information to the right people so that they can make smarter, more informed decisions. Microsoft's Business Intelligence solutions enable you to do just this. The SQL and BI track also offers sessions covering how to integrate, analyse, and report on all of your corporate data easily using the Microsoft Business Intelligence platform, end-user tools, and analytics applications. 
Learn how to build custom, robust Business Intelligence solutions using Microsoft® SQL® Server 2005 and 2008 (Integration Services, Analysis Services and Reporting Services) and the 2007 Office system (Microsoft® Office Excel®, Excel Services and Microsoft® Office SharePoint® Server technologies) and how to easily manage them.&lt;/p&gt;  &lt;h4&gt;Security&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/rockyh/default.aspx"&gt;Rocky Heckman&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Security continues to be a major concern for almost every company in business today, and technology professionals are always looking for ways to improve and bolster their security strategies and tactics. Microsoft brings unique capabilities together to deliver comprehensive, integrated solutions across IT security, identity, access, and management. The Security, Identity, and Access track provides guidance and technical detail on Microsoft® Forefront™ products, identity-based access technologies, Windows® security technologies, and more!&lt;/p&gt;  &lt;h4&gt;SOA and Business Process&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/graham_elliott"&gt;Graham Elliott&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Organizations of all sizes use technology to automate, manage, and improve business processes, and many are using SOA to create a more flexible set of IT assets. Designing, building, deploying, and managing these distributed applications can be difficult and complex. There are a range of capabilities, products, and technologies that you will need to understand in order to do your job effectively. The SOA and Business Processes track helps to explain these choices, give you concrete approaches to designing distributed applications particularly around loosely coupled service oriented architectures, and to show you the Microsoft products and technologies that you will use to develop and manage these systems. 
See products such as Microsoft® BizTalk® Server 2009, .NET LOB Adapters and the Microsoft® .NET Framework 3.5, in addition to some major new technologies that are in development and soon to be released.    &lt;br /&gt;With a multitude of new tools and technologies in the middle tier, Microsoft's broad platform offering has created tremendous opportunities for you as a developer. Our experts show you products and technologies that provide successful strategies to take advantage of the platform and development tools.&lt;/p&gt;  &lt;h4&gt;Dynamics&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/ceibner/"&gt;Catherine Eibner&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The Microsoft Dynamics suite of products provides a comprehensive platform for developing and deploying applications and services for retailers, manufacturers, wholesale distributors, and service companies, doing business domestically or in multiple countries. With these tools in hand, people in every key position in your organization can contribute to the success of your company. Microsoft Dynamics enhances all lines of business in your organization and delivers exceptional benefits. Come and hear how to deploy, enhance and leverage the base Dynamics products and integrate them with Line of Business Applications through the extensive services interfaces provided.&lt;/p&gt;  &lt;h4&gt;Mobility&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: Rick Anderson&lt;/p&gt;  &lt;p&gt;With the increasingly mobile nature of computing today, the Windows Mobile® track gives you the background that you need for selecting, developing for, and securely managing Windows Mobile phones. Did you know you can build for Windows Mobile with Microsoft® Visual Studio® skills you already have? Did you know that you can securely manage your mobile devices with Microsoft® System Center Mobile Device Manager? 
Find out this and much more in the Windows Mobile track.&lt;/p&gt;  &lt;h4&gt;Azure Services Platform&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.msdn.com/gwillis/"&gt;Greg Willis&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;With the new Azure Services Platform, developers can take advantage of an Internet-scale cloud services platform hosted in Microsoft data centres to build new applications in the cloud or extend existing applications quickly and easily, using a flexible and interoperable platform. The Azure Services Platform track explores Azure's cloud operating system and set of developer services, including Windows Azure, SQL Services, .NET Services, and Live Services. Sessions provide an overview of services currently in Community Technology Preview (CTP) and beta release, in addition to discussions on the future of the Azure Services Platform and the possibilities it provides for your business to reduce costs and accelerate innovation.&lt;/p&gt;  &lt;h4&gt;Virtualisation&lt;/h4&gt;  &lt;p&gt;&lt;strong&gt;Owner&lt;/strong&gt;: &lt;a href="http://blogs.technet.com/apawar/"&gt;Amit Pawar&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;With today's IT budget constraints, virtualization enables you to maximize your current hardware investments and provide increased services. The Virtualization track covers all of Virtualization from the desktop to the data centre. Learn about Microsoft's virtualization strategy, as well as our current solutions: Windows Server® Hyper-V, Microsoft® Hyper-V™ Server, App-V, MED-V, System Center Virtual Machine Manager, and Terminal Services (Remote Desktop Services). Sessions include real-world lessons from both Microsoft and industry experts. Come learn all about the present and future of Virtualization at Microsoft.&lt;/p&gt;  &lt;h3&gt;Submitting a topic&lt;/h3&gt;  &lt;p&gt;So how do you go about submitting a session? 
Go to the &lt;a href="http://www.msteched.com/Australia/cft/default.aspx"&gt;Call for Content tool&lt;/a&gt; and register with your email address and the RSVP code &lt;strong&gt;TechEdANZ&lt;/strong&gt;. Fill in all the details and hit submit. You can come back to the site at any time to update or review the progress of your submission.&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Security Track" scheme="http://blogs.msdn.com/rockyh/archive/tags/Security+Track/default.aspx" /><category term="Tech Ed" scheme="http://blogs.msdn.com/rockyh/archive/tags/Tech+Ed/default.aspx" /><category term="security events" scheme="http://blogs.msdn.com/rockyh/archive/tags/security+events/default.aspx" /><category term="TechEd Australia" scheme="http://blogs.msdn.com/rockyh/archive/tags/TechEd+Australia/default.aspx" /></entry><entry><title>Stop Looking At Me You’re Invading My Privacy!</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/03/13/stop-looking-at-me-you-re-invading-my-privacy.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/03/13/stop-looking-at-me-you-re-invading-my-privacy.aspx</id><published>2009-03-13T07:28:45Z</published><updated>2009-03-13T07:28:45Z</updated><content type="html">&lt;p&gt;&lt;strong&gt;NOTE: The views and opinions expressed herein in no way reflect those of my employer or colleagues. They are all my own and I take responsibility for them.&lt;/strong&gt; &lt;/p&gt;  &lt;p&gt;I read a little article recently about a guy named Rob Spence in Canada who plans to install a camera in his fake eye. 
(similar articles are at &lt;a title="http://deadlinescotland.wordpress.com/2008/12/10/robs-all-seeing-eye-set-for-tv-screens-396/" href="http://deadlinescotland.wordpress.com/2008/12/10/robs-all-seeing-eye-set-for-tv-screens-396/"&gt;http://deadlinescotland.wordpress.com/2008/12/10/robs-all-seeing-eye-set-for-tv-screens-396/&lt;/a&gt; and here &lt;a title="http://blog.wired.com/gadgets/2008/12/eye-spy-filmmak.html" href="http://blog.wired.com/gadgets/2008/12/eye-spy-filmmak.html"&gt;http://blog.wired.com/gadgets/2008/12/eye-spy-filmmak.html&lt;/a&gt; )&lt;/p&gt;  &lt;p&gt;He wants to record things he sees. He has even been colloquially dubbed a ‘life caster’ along with a couple others who are doing this such as Justin Kan &lt;a title="http://www.justin.tv/justin" href="http://www.justin.tv/justin"&gt;http://www.justin.tv/justin&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;They say that they aren’t going to record things like gyms, private events, etc. According to Rob &lt;/p&gt;  &lt;p&gt;&lt;em&gt;“Spence is willing to turn off his camera in spaces such as gyms, theaters or private events. But he will be making many of those decisions on the spur, every day” &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;So then again, he might decide to record you in the gym, even the locker room. &lt;/p&gt;  &lt;p&gt;But this guy is an amateur film maker. He wants to record his life experience with this project. &lt;/p&gt;  &lt;p&gt;This means recording people on the street, without their knowledge. He may even get famous from his little films and you would be the star…voluntarily, and unbeknownst to you of course. &lt;/p&gt;  &lt;p&gt;We live in a world where privacy is becoming a big concern. These guys claim to be doing this to heighten people’s awareness of privacy but it’s just their word on it. &lt;/p&gt;  &lt;p&gt;Now I'm not a big fan of over reacting or freaking out and going overboard with being politically correct, but this even freaks me out. 
&lt;/p&gt;  &lt;p&gt;Yeah sure the government has been able to secretly record you for many decades but I have nothing to hide from them. This guy, or other ‘life casters’ are just people, with no legal jurisdiction to record me, my life, or anything about me. &lt;/p&gt;  &lt;p&gt;That bugs me, especially if they plan to turn it into a film and make money off of it. They don’t have to have a warrant, your permission or anything else other than line of sight. &lt;/p&gt;  &lt;p&gt;So what does this say about privacy? In some EU countries where there is a right to privacy on the books, will this kind of thing be banned? In the US where there “is a reasonable expectation of privacy” you may be on the short end of the stick.&lt;/p&gt;  &lt;p&gt;Yes I realise we are on surveillance video all of the time, but that is controlled and there are legal precedents around how it can be used.&amp;#160; &lt;/p&gt;  &lt;p&gt;What would you do if you saw a person recording you with a hand-held video camera? Not just a tourist recording the scenery that you happen to be walking through, but following your actions with his camera. It normally freaks people out. &lt;/p&gt;  &lt;p&gt;In fact if you do it at a Sydney beach, you will get arrested. But this guy will be able to do that, for personal (ewww) use, or even profit with no restrictions on how he can use the video. &lt;/p&gt;  &lt;p&gt;Where do we draw the line? At least with a hand-held camera you can see it and have a reasonable understanding if you are being filmed by a private person or not and choose to leave the area. With eye cameras, you won’t be able to protect yourself because you won’t know you’re being filmed and more importantly you won’t know what will be done with the video. &lt;/p&gt;  &lt;p&gt;Hey I’m not a supporter of an Orwellian government, but this is going too far in my opinion. 
&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Privacy" scheme="http://blogs.msdn.com/rockyh/archive/tags/Privacy/default.aspx" /></entry><entry><title>Bitlocker To go</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/03/01/bitlocker-to-go.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/03/01/bitlocker-to-go.aspx</id><published>2009-03-01T13:57:00Z</published><updated>2009-03-01T13:57:00Z</updated><content type="html">&lt;P&gt;Well with &lt;A href="http://www.microsoft.com/windows/windows-7/default.aspx" target=_blank mce_href="http://www.microsoft.com/windows/windows-7/default.aspx"&gt;Windows 7&lt;/A&gt; coming up, there’s been a bit of talk around &lt;A href="http://technet.microsoft.com/en-us/library/cc725719.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/library/cc725719.aspx"&gt;Bitlocker&lt;/A&gt; To Go (BTG). BTG is essentially &lt;A href="http://technet.microsoft.com/en-us/library/cc725719.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/library/cc725719.aspx"&gt;Bitlocker&lt;/A&gt; for external drives. It’s full volume encryption for all your USB drives. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/jeffa36/" target=_blank mce_href="http://blogs.technet.com/jeffa36/"&gt;Jeffa&lt;/A&gt; and I have been talking about it quite a bit recently and there seems to be a lack of understanding on how it works.&amp;nbsp; So I thought I would post this information. &lt;/P&gt;
&lt;P&gt;Technically, you could have bitlockered a USB drive in &lt;A href="http://www.microsoft.com/windows/windows-vista/default.aspx" target=_blank mce_href="http://www.microsoft.com/windows/windows-vista/default.aspx"&gt;Vista&lt;/A&gt;, but it was NOT a supported scenario. In &lt;A href="http://www.microsoft.com/windows/windows-7/default.aspx" target=_blank mce_href="http://www.microsoft.com/windows/windows-7/default.aspx"&gt;Windows 7&lt;/A&gt;, not only is it supported, but encouraged. &lt;/P&gt;
&lt;P&gt;There are even supporting GPO entries that you can set that will require all external drives to be encrypted. More on these in another post. &lt;/P&gt;
&lt;P&gt;So back to BTG. &lt;/P&gt;
&lt;P&gt;BTG is very similar to &lt;A href="http://technet.microsoft.com/en-us/library/cc725719.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/library/cc725719.aspx"&gt;Bitlocker&lt;/A&gt; on the host. It still uses a 3 key system to protect the drive. So what you end up with is this:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The volume is encrypted with AES 128 with a Diffuser as&amp;nbsp;the default (although you can use&amp;nbsp; 256 bit AES)&amp;nbsp;based on a Full Volume Encryption Key (FVEK) &lt;BR&gt;{NOTE for the real geeks: The full key size is always 512 bits. The AES-CBC Component and the Sector Key component are&amp;nbsp;both always provided with 256 bits of key material so the full key is 512 bits.&amp;nbsp;&amp;nbsp;You can use smaller key sizes and the system will pad them out.&amp;nbsp;This allows the system to accommodate larger key sizes without changing the key management system.}&lt;/LI&gt;
&lt;LI&gt;The FVEK is then encrypted with 256bit AES based on the Volume Master Key (VMK)&lt;/LI&gt;
&lt;LI&gt;The VMK is encrypted and protected with a Key Protector that is based on a user defined password. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;For more detail see the &lt;A href="http://technet.microsoft.com/en-us/library/cc732774.aspx" target=_blank mce_href="http://technet.microsoft.com/en-us/library/cc732774.aspx"&gt;Bitlocker Architecture article&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Using BTG on a USB drive is really easy. Once you’ve inserted the drive and it’s been recognized by the system, just go to the Bitlocker Drive Encryption in Control Panel. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_4.png" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_4.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_1.png" width=290 height=174 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_1.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Just select Turn On Bitlocker next to the external drive you want to encrypt. &lt;/P&gt;
&lt;P&gt;When you first set it up, you are presented with a choice on how you want to unlock the drive. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_2.png" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_2.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb.png" width=286 height=326 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;If you are using a Smart Card as your login, you can choose to save the key on there. If you do this, you’ll need your Smart Card every time you want to access the external drive. &lt;/P&gt;
&lt;P&gt;In this case I selected ‘Use a password to unlock the drive’&lt;/P&gt;
&lt;P&gt;You are presented with the traditional Bitlocker selection on where to save your recovery key. &lt;/P&gt;
&lt;P&gt;Don’t worry, it’s smart enough not to let you save the recovery key on the drive you are trying to encrypt. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_6.png" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_6.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_2.png" width=271 height=139 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_2.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Once you’ve found a suitable location, you can start the encryption process. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_8.png" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_8.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_3.png" width=272 height=310 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_3.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Once you’ve started the encryption process, you can remove the drive before it is complete. However the system does tell you to pause the encryption before removing the drive.&amp;nbsp; If you don’t…well, let’s just say you’ve been warned. &lt;/P&gt;
&lt;P&gt;Once encryption is complete, and you remove, then reinsert the drive you are presented with the password dialog to access the drive. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_10.png" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_10.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_4.png" width=290 height=241 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_4.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;If you choose to ‘Automatically unlock on this computer from now on’ the system will store your password (the Key Protector password) in an encrypted section of the registry. So the next time the drive is inserted, if you are the person logged on and have access to that registry key, the Key Protector password will be automatically entered for you and the drive will be accessible. &lt;/P&gt;
&lt;P&gt;I would strongly suggest actually using the Context menu on the drive and selecting Eject when you want to remove the drive from the machine.&amp;nbsp; Technically you should be doing this with all your USB drives, but with a Bitlockered one, you really need to get into the habit “just in case”. &lt;/P&gt;
&lt;P&gt;But what if you choose not to unlock the drive?&lt;/P&gt;
&lt;P&gt;When you try to access it you will get an access denied error. If you try to do a ‘dir’ from an Admin command prompt you’ll see that the volume isn’t even bound to the system.&amp;nbsp; (go ahead, try it). &lt;/P&gt;
&lt;P&gt;Now if you were to set the System Files Visibility on your machine and look at a USB drive protected by BTG, you’ll notice some files on there. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_12.png" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_12.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=image border=0 alt=image src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_5.png" width=286 height=134 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/image_thumb_5.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;These files are indeed the keys to the drive. It’s the FVEK, and the VMK. You may also notice that they are stored in the unprotected section of the drive.&amp;nbsp; I’m sure some sensationalists out there are freaking out just waiting to break a story on how you can use these keys to decrypt the drive so BTG is broken.&amp;nbsp; Well, get a grip, that’s not the case. &lt;/P&gt;
&lt;P&gt;As I said earlier, the FVEK is encrypted with the VMK, and the VMK is encrypted with the Key Protector which is hopefully locked safely away in the noggin of the user.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;There’s not much point in trying to brute force the keys to get to the data on the drive. They are encrypted with the same strength stuff that’s used on the drive data anyway.&amp;nbsp; If you are that determined to brute force something you may as well just target the drive data. &lt;/P&gt;
&lt;P&gt;Good luck with that. With today’s computing power, and presuming that you have to go through an average of 52% of the keyspace before you find the right key, it’s going to take you about 20,000,000,000,000,000,000 years to do it. I plan on being dead by then, so if you get to my data in 20 Quadrillion years, you just have the time of your life. &lt;/P&gt;
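&lt;P&gt;The three-key layering described above, as an added Python sketch (not code from this post or from BitLocker): the blobs kept in the unprotected area are the VMK sealed under a password-derived key and the FVEK sealed under the VMK, so copying them off the drive yields nothing without the password. An HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES layers so the sketch runs on the standard library alone; the function names, the PBKDF2 work factor and the 256-bit random recovery key are assumptions made for the example.&lt;/P&gt;

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed work factor for this sketch
KEY_LEN = 32             # 256-bit keys at every layer


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one layer key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def seal(key, plaintext):
    """Stand-in for an AES layer: returns nonce + ciphertext + tag."""
    nonce = os.urandom(16)
    pad = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Reverse seal(); raises ValueError on a wrong key or altered blob."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    pad = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, pad))


def password_key(password, salt):
    # The Key Protector: a key stretched from the user's password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_volume(password, sectors):
    """Return (volume, recovery_key); all of `volume` is readable on the drive."""
    fvek = os.urandom(KEY_LEN)          # encrypts the data
    vmk = os.urandom(KEY_LEN)           # encrypts the FVEK
    recovery_key = os.urandom(KEY_LEN)  # second protector, kept off the drive
    salt = os.urandom(16)
    volume = {
        "sectors": [seal(fvek, s) for s in sectors],
        "sealed_fvek": seal(vmk, fvek),
        "protectors": {
            "password": {"salt": salt,
                         "sealed_vmk": seal(password_key(password, salt), vmk)},
            "recovery": {"sealed_vmk": seal(recovery_key, vmk)},
        },
    }
    return volume, recovery_key


def _read(volume, vmk):
    fvek = unseal(vmk, volume["sealed_fvek"])
    return [unseal(fvek, s) for s in volume["sectors"]]


def unlock_with_password(volume, password):
    prot = volume["protectors"]["password"]
    vmk = unseal(password_key(password, prot["salt"]), prot["sealed_vmk"])
    return _read(volume, vmk)


def unlock_with_recovery_key(volume, recovery_key):
    vmk = unseal(recovery_key, volume["protectors"]["recovery"]["sealed_vmk"])
    return _read(volume, vmk)


def change_password(volume, old_password, new_password):
    """Re-seal only the VMK; the FVEK blob and the sectors are left untouched."""
    prot = volume["protectors"]["password"]
    vmk = unseal(password_key(old_password, prot["salt"]), prot["sealed_vmk"])
    salt = os.urandom(16)
    volume["protectors"]["password"] = {
        "salt": salt,
        "sealed_vmk": seal(password_key(new_password, salt), vmk),
    }


if __name__ == "__main__":
    vol, rk = create_volume("correct horse", [b"constructed sample sector"])
    print(unlock_with_password(vol, "correct horse"))
```

&lt;P&gt;Because change_password re-seals only the VMK, a password change never re-encrypts the data; it also means a copy of the old sealed VMK taken before the change still opens with the old password.&lt;/P&gt;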
&lt;P&gt;BTG is a great way to protect all of those external drives you have.&amp;nbsp; You can protect a USB drive for each client, or account, or just keep your kids’ pictures safe from prying eyes if you happen to drop your USB key in the parking lot. &lt;/P&gt;
&lt;P&gt;No, you probably can’t open it up on the local Wal-mart photo Kiosk.&amp;nbsp; But you should be able to open it up on any bitlocker capable machine, such as &lt;A href="http://www.microsoft.com/windows/windows-vista/default.aspx" target=_blank mce_href="http://www.microsoft.com/windows/windows-vista/default.aspx"&gt;Windows Vista&lt;/A&gt; or &lt;A href="http://www.microsoft.com/windowsserver2008/en/us/default.aspx" target=_blank mce_href="http://www.microsoft.com/windowsserver2008/en/us/default.aspx"&gt;Windows Server 2008&lt;/A&gt;, providing you remember the password.&lt;/P&gt;
&lt;P&gt;In fact, BTG includes a Bitlocker Reader application on the USB drive. When you open the drive on a Vista machine it looks something like this:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGVista_2.jpg" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGVista_2.jpg"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=BTGVista border=0 alt=BTGVista src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGVista_thumb.jpg" width=244 height=170 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGVista_thumb.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;You’ll notice that the drive has the Bitlocker icon on it. If you open it, you see the following:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGOpenDrive_2.jpg" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGOpenDrive_2.jpg"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=BTGOpenDrive border=0 alt=BTGOpenDrive src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGOpenDrive_thumb.jpg" width=291 height=210 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGOpenDrive_thumb.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You can see the BitlockerToGo exe there ready to serve you:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGRunBTG_2.jpg" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGRunBTG_2.jpg"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=BTGRunBTG border=0 alt=BTGRunBTG src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGRunBTG_thumb.jpg" width=301 height=131 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGRunBTG_thumb.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Once you run it you are asked for the password for the drive. If you enter it correctly the BTG Reader starts and presents you with the following dialog. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGReader_2.jpg" mce_href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGReader_2.jpg"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title=BTGReader border=0 alt=BTGReader src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGReader_thumb.jpg" width=244 height=214 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/BitlockerTogo_1280B/BTGReader_thumb.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Now you are ready to access your files. But you have to drag them to the local computer to use them.&amp;nbsp; This will allow the on-access decryption to decrypt the file as it copies it to your system, all ready to use. &lt;/P&gt;
&lt;P&gt;So give it a try. I personally use it on my external drives. Especially those that contain my laptop backups, and any client data that I’m working on. I don't tend to lose drives, but if I ever did, I know that the data on them would be very safe. &lt;/P&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Windows 7" scheme="http://blogs.msdn.com/rockyh/archive/tags/Windows+7/default.aspx" /><category term="Bitlocker" scheme="http://blogs.msdn.com/rockyh/archive/tags/Bitlocker/default.aspx" /><category term="Bitlocker To Go" scheme="http://blogs.msdn.com/rockyh/archive/tags/Bitlocker+To+Go/default.aspx" /></entry><entry><title>Toolbar with Trojan sauce</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/02/11/toolbar-with-trojan-sauce.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/02/11/toolbar-with-trojan-sauce.aspx</id><published>2009-02-11T15:02:48Z</published><updated>2009-02-11T15:02:48Z</updated><content type="html">&lt;p&gt;Recently I’ve been giving presentations at the Canberra Security Interchange Group meetings about hacking, Web 2.0 and other security things.&amp;#160; The last one was an introduction on rootkits. I’m pleased to say that the interest was high so I’ll be doing a ‘rootkits in depth’ presentation in April. &lt;/p&gt;  &lt;p&gt;Anyway, Derek Knight posted this to a mailing list that I read. &lt;a href="http://www.avertlabs.com/research/blog/index.php/2009/02/10/trojan-bundles-legit-social-network-toolbar-with-backdoor/"&gt;http://www.avertlabs.com/research/blog/index.php/2009/02/10/trojan-bundles-legit-social-network-toolbar-with-backdoor/&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;It’s all about a Trojan that masquerades as a toolbar for a German social networking site. 
&lt;/p&gt;  &lt;p&gt;I think the part that struck me a bit ironically is that I was having a chat earlier tonight on &lt;a href="http://www.facebook.com" target="_blank"&gt;Facebook&lt;/a&gt; with someone. I had even said that I don't like &lt;a href="http://www.facebook.com" target="_blank"&gt;Facebook&lt;/a&gt; applications because they are basically tools for spammers and phishers to pharm email addresses and personal information about people. &lt;/p&gt;  &lt;p&gt;Here’s an example of someone taking advantage of the proliferation of Web 2.0 personal data sprawl.&amp;#160; &lt;/p&gt;  &lt;p&gt;I think we’re becoming way too cavalier with our personal data, and how blindly we allow things to access our personal data on these kinds of sites. &lt;a href="http://www.facebook.com" target="_blank"&gt;Facebook&lt;/a&gt; itself isn’t too bad if you use it correctly.&amp;#160; But if you put all of your personal information on there, and leave it open to the public, anyone can read it and I promise, not everyone that sends you a friend request out of the blue has good intentions. &lt;/p&gt;  &lt;p&gt;Now even if you don’t make the information publicly available, if you add an application to Facebook, and accept its little agreements, it can still access all your data and harvest it or do whatever it wants to with it. So be careful about how you use these social networking sites. A little healthy internet paranoia is a good thing these days. 
&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9412587" width="1" height="1"&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author></entry><entry><title>The Storm is Rising</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/02/03/the-storm-is-rising.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/02/03/the-storm-is-rising.aspx</id><published>2009-02-03T04:58:00Z</published><updated>2009-02-03T04:58:00Z</updated><content type="html">&lt;P&gt;Catchy title huh? But what do I mean by that. Hackers take advantage of this kind of chaos, are you ready? &lt;/P&gt;
&lt;P&gt;You know when your grandma told you to save your pennies for a rainy day, well the rain is here…a lot of it. In case you hadn’t noticed, a large portion of the civilised world is in the deepest recession in 60 years.&amp;nbsp; This kind of mass economic meltdown is serious business for anyone in the IT Industry. Especially if you are responsible for security.&amp;nbsp; There are three big and common issues that will sneak up on you during times like this. &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Data Loss&lt;/LI&gt;
&lt;LI&gt;Poor merging of access control systems&lt;/LI&gt;
&lt;LI&gt;Malicious insiders&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Data Loss&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Here is why this is such an issue right now. First, one of the things that happens a lot in these kinds of situations is that companies vanish, especially small to medium ones. They are either shut down over night, or they are subsumed by a larger company that was smart enough to save money for a rainy day.&lt;/P&gt;
&lt;P&gt;In the first instance, those companies have lots of proprietary data that has to go somewhere. So let’s give them the benefit of the doubt and say that they didn’t owe anyone anything so they aren’t being liquidated. What happens to the drives their data is on?&amp;nbsp; The most common ones I’ve seen are: &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The hardware is auctioned off&lt;/LI&gt;
&lt;LI&gt;It’s given to employees as parting gifts&lt;/LI&gt;
&lt;LI&gt;Or it’s destroyed&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So what if they are lower on the &lt;A href="http://en.wikipedia.org/wiki/Capability_Maturity_Model" target=_blank&gt;capability maturity model&lt;/A&gt; scale and don’t have well-established IT policies regarding data destruction?&amp;nbsp; What happens to your data that was stored on those drives? I have seen countless accounts of people buying laptops off of &lt;A href="http://www.ebay.com/" target=_blank&gt;eBay&lt;/A&gt;, or at liquidation auctions. When the buyer got them home, they booted up their shiny new toy and it was just like the last guy left it, complete with corporate data. &lt;/P&gt;
&lt;P&gt;Do you think the buyer is going to report that to authorities so that all the affected people can be notified? NO. His new toy would get confiscated. &lt;/P&gt;
&lt;P&gt;Maybe you should start protecting that sensitive data now…just in case. Use &lt;A href="http://technet.microsoft.com/en-us/windows/aa905065.aspx" target=_blank&gt;Bitlocker&lt;/A&gt;. It’s easy, fairly painless and fixes this problem.&amp;nbsp; Maybe you shouldn’t carry around so much old email and old client data on your laptop. If you don’t need it for your current work, keep it on your share at the office. If you really don't need it, delete it!&lt;/P&gt;
&lt;P&gt;Maintain good data retention policies, and keep that stuff from falling into the wrong hands because you didn’t have time to wipe the drive before the company folded. Sad thought, but very realistic given the current situation. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Poor Merging of Access Control Systems&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;So what about the other case? The case where instead of just closing, a company is purchased by a larger one? This situation faces a different set of problems. &lt;/P&gt;
&lt;P&gt;When you merge two companies, well when one eats the other, you have to combine networks, user authentication systems, and line of business systems. All of these things have to be mashed together to get to one stable system that everyone uses. This can be pure chaos. &lt;/P&gt;
&lt;P&gt;Think of all the little things that complicate this as well. Not everyone gets to keep their jobs during these things. So who is responsible for restricting the accounts of people that didn’t make the move? The old company, the new company? During all the chaos of merging, did anyone remember to not include their accounts in the import? Did their data shares get deleted, imported, or abandoned? &lt;/P&gt;
&lt;P&gt;How about all of the various CRM systems? Which customer base do we start with? Can we do a smooth import, if we can do one at all? Did we get all of the customers and if we did, are we sure we didn’t overwrite good current information with outdated information? &lt;/P&gt;
&lt;P&gt;This kind of chaotic environment provides a ripe hunting ground for hackers. They know that authentication and authorisation systems are being merged and will likely be fairly loose with lots of spare Admin rights floating around until things settle down. &lt;/P&gt;
&lt;P&gt;They know that line of business applications are being merged, loaded, deployed, dropped and security reviews are the last thing on the IT Department's mind when everyone is struggling to maintain a plausible bottom line. &lt;/P&gt;
&lt;P&gt;What normally happens is that the LOB applications from the child company get dropped onto existing hardware from the new parent company. This causes things to break so configuration on the box is changed until the thing starts working. ‘Just until we sort it out’ of course. &lt;/P&gt;
&lt;P&gt;This weakens the security of the existing applications as well as the new temporary squatter applications. So here we open another hole for bad guys to start poking things into. &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Malicious Insiders&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Then there is my favourite bad issue. The Malicious Insider. I’m sure by now we all know someone who got laid off. I would imagine we all also know someone who probably wasn’t happy about it. What kind of damage do you think they can do before they make it out the door? How many employees had too many privileges? Like the ones that never got revoked after they took on a new position, or when they were given Admin rights for the duration of a long dead project so they could get things done…that were never revoked?&lt;/P&gt;
&lt;P&gt;Hey, I know for a fact that the badge I had as a contractor for a place I worked at about 5 years ago, still works and I can still get into the buildings with the door pass. And it’s not a trivial organisation either. &lt;/P&gt;
&lt;P&gt;With all of the chaos in these times, the criminal, and malicious elements will flourish. They will take advantage of chaotic merged authentication / authorisation environments. They may even be able to do it with a laptop they picked up on eBay that still had the VPN intact. Or perhaps they used to work for the company and after a layoff they want revenge. &lt;/P&gt;
&lt;P&gt;All of the line of business applications that got squashed onto existing hardware are fighting for resources, and have recently changed host configurations. They are ripe for the picking. &lt;/P&gt;
&lt;P&gt;In times like these, when you think that you can least afford to think about security, with all the other crap hitting the fan, is the time when you need to think about it the most. Sun Tzu instructed us to take advantage of chaos in your enemy’s camp, and you can bet the bad guys are doing just that.&amp;nbsp; Don’t get caught out because you were distracted. Keep someone on watch in the security space!&lt;/P&gt;
&lt;P&gt;IT Departments are flooded with work trying to keep things going while they are losing staff left and right to budget cuts. They are busy, life is chaotic, and they have too much to do for any of it to be done well. Not to mention the pressure of looking for a new job in case this one vanishes on them. &lt;/P&gt;
&lt;P&gt;For the management out there, don't be too hasty to cut back on IT by dropping contractors and staff from your IT budget. If you must, make sure they have a proper hand-over of everything they know or you may find yourself in an untenable situation. &lt;/P&gt;
&lt;P&gt;For those of you protecting LOB applications, keep your defences up. If new apps come in that require too many config changes, raise the alarm. Make sure you aren’t leaving yourself wide open because you had to do a bunch of rush deployments. If you do, keep track of all the things you have to go back and shore up in big red letters on the calendar. &lt;/P&gt;
&lt;P&gt;Make sure that all of the corporate and legal data handling policies are adhered to. Don’t get sloppy when trying to auction equipment or give stuff to those loyal employees. Remember that the law won’t care if you were having a bad day. &lt;/P&gt;
&lt;P&gt;Make sure that when the unenviable situation occurs where people are escorted to the door that their accounts are properly restricted and their badges, VPN, and other access is cancelled. Don’t create an enemy with the keys to your network. &lt;/P&gt;
&lt;P&gt;If we all pay attention, we can get through this without too many headlines. &lt;/P&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Security" scheme="http://blogs.msdn.com/rockyh/archive/tags/Security/default.aspx" /></entry><entry><title>Get Well Steve J.</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/01/15/get-well-steve-j.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/01/15/get-well-steve-j.aspx</id><published>2009-01-15T04:36:03Z</published><updated>2009-01-15T04:36:03Z</updated><content type="html">&lt;p&gt;All kidding and competition aside, Steve Jobs is a pioneer in the industry. Finding a niche that created a strong fan-base among Apple consumers. Get Well Soon.&lt;/p&gt;  &lt;p&gt;&lt;a title="http://money.cnn.com/2009/01/14/technology/apple_jobs/index.htm" href="http://money.cnn.com/2009/01/14/technology/apple_jobs/index.htm"&gt;http://money.cnn.com/2009/01/14/technology/apple_jobs/index.htm&lt;/a&gt;&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author></entry><entry><title>Conficker Removal with MSRT</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/01/14/conficker-removal-with-msrt.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/01/14/conficker-removal-with-msrt.aspx</id><published>2009-01-14T03:07:00Z</published><updated>2009-01-14T03:07:00Z</updated><content type="html">&lt;P&gt;1. Symptoms to help you determine if you are infected &lt;/P&gt;
&lt;P&gt;· Account lockout policies are being tripped &lt;/P&gt;
&lt;P&gt;· Domain Controllers are being hammered&lt;/P&gt;
&lt;P&gt;· Network congestion &lt;/P&gt;
&lt;P&gt;· Sluggish Client Behavior&lt;/P&gt;
&lt;P&gt;2. Steps to help you recover&lt;/P&gt;
&lt;P&gt;Patch and clean – apply MS08-067 and review this info on weak passwords&lt;/P&gt;
&lt;P&gt;· Weak Password and Lockout policy info&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;What you should know about strong passwords: &lt;A href="http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc"&gt;http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx"&gt;http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch00.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp"&gt;http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx"&gt;http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp"&gt;http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Password Best Practices:&lt;BR&gt;&lt;A href="http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp"&gt;http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Accounts Passwords and Lockout Policies:&lt;BR&gt;&lt;A href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx"&gt;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Account Lockout and Management Tools:&lt;BR&gt;&lt;A href="http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&amp;amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&amp;amp;displaylang=en&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;· Passgen is a tool that allows you to reset local passwords on large blocks of systems: &lt;BR&gt;&lt;A href="http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx"&gt;http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx&lt;/A&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;A href="http://www.rockyh.net/files/Passgen.zip" target=_blank mce_href="http://www.rockyh.net/files/Passgen.zip"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" title=clip_image004 border=0 alt=clip_image004 src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ConfickerRemovalwithMSRT_98E1/clip_image004_3.gif" width=96 height=81 mce_src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ConfickerRemovalwithMSRT_98E1/clip_image004_3.gif"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;3. Malware Removal&lt;/P&gt;
&lt;P&gt;1. MSRT - The updated MSRT will be live Tuesday 13 January; however, you must remember that Conficker breaks automatic updates, so we will need to also reference these KBs for &lt;B&gt;manual download&lt;/B&gt; information and alternate &lt;B&gt;enterprise deployment&lt;/B&gt; steps:&lt;/P&gt;
&lt;P&gt;KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000&lt;/P&gt;
&lt;P&gt;&lt;A href="http://support.microsoft.com/kb/890830" mce_href="http://support.microsoft.com/kb/890830"&gt;http://support.microsoft.com/kb/890830&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment&lt;/P&gt;
&lt;P&gt;&lt;A href="http://support.microsoft.com/kb/891716" mce_href="http://support.microsoft.com/kb/891716"&gt;http://support.microsoft.com/kb/891716&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;2. FCS/ OneCare&lt;/P&gt;
&lt;P&gt;3. Competitive AV&lt;/P&gt;
&lt;P&gt;4. &lt;STRONG&gt;&lt;A href="http://blogs.msdn.com/rockyh/archive/2009/01/14/manual-removal-of-conficker.aspx" target=_blank mce_href="http://blogs.msdn.com/rockyh/archive/2009/01/14/manual-removal-of-conficker.aspx"&gt;Manual Cleanup&lt;/A&gt;&lt;/STRONG&gt; - This template supplies the manual cleanup steps and a script. (in a &lt;A href="http://blogs.msdn.com/rockyh/archive/2009/01/14/manual-removal-of-conficker.aspx" target=_blank mce_href="http://blogs.msdn.com/rockyh/archive/2009/01/14/manual-removal-of-conficker.aspx"&gt;separate post&lt;/A&gt;)&lt;/P&gt;
&lt;P&gt;See these blog posts for additional resources &lt;BR&gt;&lt;A href="http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B" mce_href="http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B"&gt;http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fConficker.B&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx" mce_href="http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx"&gt;http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx"&gt;http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx&lt;/A&gt;&lt;/P&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Conficker Removal" scheme="http://blogs.msdn.com/rockyh/archive/tags/Conficker+Removal/default.aspx" /><category term="Anti Virus" scheme="http://blogs.msdn.com/rockyh/archive/tags/Anti+Virus/default.aspx" /></entry><entry><title>Manual removal of Conficker</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/01/14/manual-removal-of-conficker.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/01/14/manual-removal-of-conficker.aspx</id><published>2009-01-14T03:02:45Z</published><updated>2009-01-14T03:02:45Z</updated><content type="html">&lt;p&gt;&lt;b&gt;Conficker Clean batch file including MSRT&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;================================&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;Microsoft support has created a simple batch file, &lt;b&gt;ConfickerClean.txt&lt;/b&gt;, that can be used to help remove the malware on workstations and remediate some of the collateral damage that was done by the malware. The batch file is attached, but a Microsoft Security Support engineer will need to provide the supporting files via another method as they are executables. 
The batch file has details about what changes and files are needed.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.rockyh.net/files/ConfickClean-v10.zip" target="_blank"&gt;ConfickClean-v10.zip&lt;/a&gt;&amp;#160; &lt;a href="http://www.rockyh.net/files/msrtrun-v2.txt" target="_blank"&gt;msrtrun-v2.txt&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Manual Steps&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;===========&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;The following are detailed steps that will help us manually remove the malware from a system if your current Anti-Virus software is not able to or the automated methods provided are not used.&lt;/p&gt;  &lt;p&gt;1. Do &lt;b&gt;&lt;u&gt;NOT&lt;/u&gt;&lt;/b&gt; log onto the system with a Domain account, if at all possible. Especially &lt;b&gt;&lt;u&gt;NOT&lt;/u&gt;&lt;/b&gt; a Domain Admin account. Log on as a local user account. The malware appears to impersonate the logged-on user and access network resources under that user’s credentials so it can spread.&lt;/p&gt;  &lt;p&gt;2. Stop the Server service and Task Scheduler service. This removes the Admin shares from the system so the malware cannot spread via this method and disables the scheduled task that gets added to the system by the malware. Please note that the Server service should only be disabled temporarily, especially on production servers, as this will impact network resource availability.&lt;/p&gt;  &lt;p&gt;a) You may not be able to disable the Task Scheduler service via the UI in Vista and WS2008. To disable it, do the following:&lt;/p&gt;  &lt;p&gt;1. Open Regedit&lt;/p&gt;  &lt;p&gt;2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule&lt;/p&gt;  &lt;p&gt;3. Open the value called Start&lt;/p&gt;  &lt;p&gt;4. Change the setting from 0x2 to 0x4&lt;/p&gt;  &lt;p&gt;5. After the reboot, the service will be disabled&lt;/p&gt;  &lt;p&gt;3. 
Download and manually install MS08-067 - &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;4. Reset any local admin and domain admin passwords to a complex password using guidance located here - &lt;a href="http://technet.microsoft.com/en-us/library/cc875814.aspx"&gt;http://technet.microsoft.com/en-us/library/cc875814.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;5. Run Regedit and drill down to the following key&lt;/p&gt;  &lt;p&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost&lt;/p&gt;  &lt;p&gt;On the right-hand pane, open &lt;b&gt;netsvcs&lt;/b&gt; (highlighted below) to see all the service names listed.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image001_2.png"&gt;&lt;img title="clip_image001" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="110" alt="clip_image001" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image001_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;6. 
In the &lt;b&gt;netsvcs&lt;/b&gt; listing, scroll down to the last couple entries in the list… if the machine is infected you will see a random looking name like the one below&lt;/p&gt;  &lt;p&gt;In the example below, &lt;b&gt;gzqmiijz&lt;/b&gt; is the name of the malware service…&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image002_2.png"&gt;&lt;img title="clip_image002" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="217" alt="clip_image002" hspace="12" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image002_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;7. Delete the malware entry (make sure you have a blank line feed under the last legitimate entry as below)&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image003_2.png"&gt;&lt;img title="clip_image003" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="215" alt="clip_image003" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image003_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;8. Now ACL down the SVCHOST registry key so it cannot be written to again&lt;/p&gt;  &lt;p&gt;9. 
Right Click on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and choose Permissions&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image004_2.png"&gt;&lt;img title="clip_image004" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="206" alt="clip_image004" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image004_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;10. On Permissions Click on the Advanced button&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image005_2.png"&gt;&lt;img title="clip_image005" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="244" alt="clip_image005" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image005_thumb.png" width="203" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;11. On the Advanced, click on the Add button&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image006_2.png"&gt;&lt;img title="clip_image006" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="208" alt="clip_image006" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image006_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;12. 
In the Select User, Computer or Group selection box, enter Everyone and click Check Names and click Okay after it resolves the Everyone group&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image007_2.png"&gt;&lt;img title="clip_image007" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="132" alt="clip_image007" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image007_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;13. On the Permissions Entry window, change “Apply onto” setting to “This key only” and check the Deny column for Set Value&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image008_2.png"&gt;&lt;img title="clip_image008" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="244" alt="clip_image008" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image008_thumb.png" width="192" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;14. Click OK, Click OK again&lt;/p&gt;  &lt;p&gt;15. Click Yes on the prompt&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image009_2.png"&gt;&lt;img title="clip_image009" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="34" alt="clip_image009" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image009_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;16. Click OK.&lt;/p&gt;  &lt;p&gt;17. 
Now that you know the name of the malware service, go to the following registry key&lt;/p&gt;  &lt;p&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;b&gt;%BadServiceName%&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;In our example: &lt;/p&gt;  &lt;p&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;b&gt; gzqmiijz&lt;/b&gt;&lt;/p&gt;  &lt;p&gt;18. Right click on the above malware service key and choose &lt;b&gt;Permissions &lt;/b&gt;(&lt;b&gt;note on Win2k you must use Regedt32 to set permissions&lt;/b&gt;):&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image010_2.png"&gt;&lt;img title="clip_image010" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="190" alt="clip_image010" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image010_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;19. Click “Advanced”&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image011_2.png"&gt;&lt;img title="clip_image011" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="244" alt="clip_image011" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image011_thumb.png" width="203" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;20. 
Place a check on the following two items and click OK&lt;/p&gt;  &lt;p&gt;- Inherit from parent entries that apply to child objects..&lt;/p&gt;  &lt;p&gt;- Replace permission entries on all child objects…&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image012_2.png"&gt;&lt;img title="clip_image012" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="207" alt="clip_image012" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image012_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;21. After refreshing regedit (by hitting the F5 key) you will be able to see and edit the malware dll loading as a ServiceDll&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image013_2.png"&gt;&lt;img title="clip_image013" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="71" alt="clip_image013" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image013_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;22. At this point you can edit the above key so that the malware dll does not load…&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image014_2.png"&gt;&lt;img title="clip_image014" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="67" alt="clip_image014" src="http://blogs.msdn.com/blogfiles/rockyh/WindowsLiveWriter/ManualremovalofConficker_9B11/clip_image014_thumb.png" width="244" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;23. 
There may be an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that launches the malware and needs to be removed.&lt;/p&gt;  &lt;p&gt;24. Check for Autorun.inf on any drives on the system, open it with Notepad and verify whether it is really an Autorun.inf. A normal autorun.inf looks like the following and is 1-2kb in size:&lt;/p&gt;  &lt;p&gt;[autorun]&lt;/p&gt;  &lt;p&gt;shellexecute=Servers\splash.hta *DVD*&lt;/p&gt;  &lt;p&gt;icon=Servers\autorun.ico&lt;/p&gt;  &lt;p&gt;25. Remove the Autorun.inf if not valid.&lt;/p&gt;  &lt;p&gt;26. Reboot the system.&lt;/p&gt;  &lt;p&gt;27. Go to the path of the malware listed above&lt;/p&gt;  &lt;p&gt;28. Edit the permissions on the file to include Full Control for Everyone&lt;/p&gt;  &lt;p&gt;29. Then remove the file, in this example - %systemroot%\system32\emzlqqd.dll&lt;/p&gt;  &lt;p&gt;30. Enable the BITS and Automatic Updates services via Services.msc.&lt;/p&gt;  &lt;p&gt;31. Remove all AT created scheduled tasks. Do this by running “AT /Delete /Yes”&lt;/p&gt;  &lt;p&gt;32. Turn on the viewing of hidden files with the following command:&lt;/p&gt;  &lt;p&gt;reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f&lt;/p&gt;  &lt;p&gt;33. Turn off Autorun to help mitigate any reinfection:&lt;/p&gt;  &lt;p&gt;a) First download and install update &lt;a href="http://support.microsoft.com/kb/953252"&gt;http://support.microsoft.com/kb/953252&lt;/a&gt;; for Vista and WS2008, apply &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;b) The reference to MS08-038 for Vista and WS2008 has nothing to do with the malware exploiting this vulnerability. 
The security update contains the same fix as listed in KB953252, which is needed for the following registry key to function properly.&lt;/p&gt;  &lt;p&gt;c) Then run the following command -&lt;/p&gt;  &lt;p&gt;reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f&lt;/p&gt;  &lt;p&gt;34. If the machine appears to be reinfected, then it is likely that one of the auto start locations did not get removed, such as the AT job or the Autorun.inf.&lt;/p&gt;  &lt;p&gt;35. If possible, update the machine with all other missing Security Updates using Windows Update, WSUS, SMS, SCCM or your 3&lt;sup&gt;rd&lt;/sup&gt; party patch management product. If you use SMS or SCCM, you will need to re-enable the Server service, otherwise it may not be able to update the system.&lt;/p&gt;  &lt;p&gt;36. There are other collateral damage items that this malware has caused. Please review the write up listed above for Conficker.b.&lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author></entry><entry><title>Against the Clueless</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2009/01/08/against-the-clueless.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2009/01/08/against-the-clueless.aspx</id><published>2009-01-07T23:04:49Z</published><updated>2009-01-07T23:04:49Z</updated><content type="html">&lt;p&gt;A while ago I went with a work colleague of mine when he presented at a user group meeting.&amp;#160; &lt;/p&gt;  &lt;p&gt;To cut to the chase, there was a Mac bigot there. Of course, as all Mac fanboys, he felt he had to attack us because we work for Microsoft.&amp;#160; Now I'm not sure what it is about the Apple Zombies, but they are more blindly fanatical about their precious little niche than any group I tend to encounter. 
Even the Linux guys can speak intelligently and are open to conversations and other points of view. But Mindless Mac Masses tend to be completely blinded to the realities of real computing. &lt;/p&gt;  &lt;p&gt;Yes, I have concrete examples. Here's one of them. &lt;/p&gt;  &lt;p&gt;During the presentation, here are some of the comments the individual in question had: (MFB = Mac FanBoy)&lt;/p&gt;  &lt;p&gt;Presenter discussing the &lt;a href="http://technet.microsoft.com/en-us/library/cc779522.aspx"&gt;Subsystem for Unix Applications&lt;/a&gt; in Vista Svr 2008&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;So why is Microsoft doing this, are they trying to stay relevant!?&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Are you kidding me? Windows has from &lt;a href="http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=8&amp;amp;qpmr=100&amp;amp;qpdt=1&amp;amp;qpct=3&amp;amp;qptimeframe=Y"&gt;90%&lt;/a&gt; to &lt;a href="http://www.xitimonitor.com/en-us/internet-users-equipment/operating-systems-august-2007/index-1-2-7-107.html"&gt;95%&lt;/a&gt; of the desktop market share according to non-Microsoft sources. &lt;/p&gt;  &lt;p&gt;Mac by contrast has from 8% to 3% according to those same sources respectively.&amp;#160; In the server market Windows is growing &lt;a href="http://news.cnet.com/2100-1016_3-6041804.html"&gt;including surpassing Unix&lt;/a&gt;, as its competition &lt;a href="http://www.eweek.com/c/a/Linux-and-Open-Source/Linux-Losing-Market-Share-to-Windows-Server/"&gt;loses market share&lt;/a&gt;. Apple servers are nowhere to be seen in major implementations, and Mac desktops will struggle for years to get out of single digit market share if they ever do. Trust me, in the desktop/server/online world it's Apple/Mac that needs to be worried about remaining relevant. Hey if you want a proprietary music player that will hold your music hostage and is more important as a fashion statement then Apple is quite relevant to you. 
&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;Spam is all Microsoft's fault.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot;Excuse me, what was that?&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;Yeah if they didn't have such an insecure OS there wouldn't be any spam. It's all because of Microsoft bot networks.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;First of all, Microsoft does not run Bot networks. Even though this guy seemed to think we did.&amp;#160; He's convinced that we have secret bits in the OS that allow us to control any computer running Windows.&amp;#160; I will admit there is more Windows targeted malware to support bot networks out there than there is for other OSes. But that stands to reason, no one writes software for less than 4% of a market. Just try to buy games for a Mac. Well, that weren't written by Apple. But at least we're doing something about Botnets. Microsoft has a massive investment in researching and shutting down botnets.&amp;#160; MFB's have enjoyed a protective little bubble that they do their computing in. But I suppose that's why other than desktop publishing outfits, and some labs, everyone uses Windows or Linux as a desktop too.&amp;#160; But in no way is SPAM Microsoft's fault. Saying that is like saying DRMed Music is iTunes fault.... Then again, when you are locked into a proprietary system like the Apple ecosphere you wouldn't know that you should be able to play your music on something other than your iPod. &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot;And with the security improvements in Vista, we're doing even more to prevent bad guys from being able to establish botnets.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;Oh yeah the popups stuff. 
Vista is so insecure that everyone just turns off that popup thing.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot;You mean the UAC dialogs?&amp;#160; They've been toned down in SP1.&amp;#160; But there's a lot more to UAC than that.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;Yeah but it sucks. Mac is a lot more secure.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot;So have you ever tried it? Have you seen a lot of these dialogs?&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;No. I run a MAC. I don't have to worry about security.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot;What about the popups on your Mac when you aren't running as Admin?&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;I don't get them because I always run as Admin. With a Mac I can do that because it's more secure.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot; Ok, so tell me how it's more secure?&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;Well, it's just better. There aren't as many viruses for the Mac.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Me: &amp;quot;True, but lack of attackers does not make something more secure. It just makes it less likely to be attacked because there's fewer targets and less of value on them usually. How is the Mac more secure than Vista?&amp;quot; &lt;/strong&gt;(yes I know I was getting flippant.)&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;MFB: &amp;quot;Well, it just is.&amp;quot;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;I think that exchange speaks for itself. Why don't any of these MFBs ever complain about stuff they've actually experienced. They always just spout off hearsay, conjecture, and blindly attack Windows. Get a grip. If you have a legitimate complaint great, tell us, we'll listen. 
This reminds me of an experience &lt;a href="http://blogs.technet.com/security/default.aspx"&gt;Jeff Jones&lt;/a&gt; had at &lt;a href="http://www.blackhat.com/"&gt;BlackHat&lt;/a&gt;. &lt;a href="http://blogs.technet.com/security/archive/2008/08/07/black-hat-got2-luv-the-h8ers.aspx"&gt;He tells about it here&lt;/a&gt;. So it's not just me!&amp;#160; &lt;/p&gt;  &lt;p&gt;With my restraint thinning out, I quipped, &amp;quot;Well the best thing you can do for your Mac is run Vista on it.&amp;quot; At that point he got truly violent and literally threatened bodily harm.&amp;#160; MFB: &amp;quot;Wow, you want to get your face punched in?&amp;quot; I see when pressed for facts they resort to their baser instincts. Perhaps Mac Addicts just aren't as evolved as the rest of the computing community. &lt;/p&gt;  &lt;p&gt;Now me and my friend had been sitting there taking this and other forms of abuse stoically and as professionally as we could.&amp;#160; But we decided that there are just some people you can't reason with.&amp;#160; So I decided to let the Mac community live in its little bubble. After all, the needs of the many (over 90% of the computing population) outweigh the needs of the few. &lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author></entry><entry><title>Guest appearance of...ME</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/rockyh/archive/2008/08/31/guest-appearance-of-me.aspx" /><id>http://blogs.msdn.com/rockyh/archive/2008/08/31/guest-appearance-of-me.aspx</id><published>2008-08-31T14:37:48Z</published><updated>2008-08-31T14:37:48Z</updated><content type="html">&lt;p&gt;For some of our Tech Ed Promotion, &lt;a href="http://blogs.technet.com/jeffa36"&gt;Jeff Alexander&lt;/a&gt; has recorded some Vodcasts/VideoBlogs/Etc.&amp;#160; He did save the best for last of course. 
Which means that he posted his interview with Me at: &lt;a title="http://blogs.technet.com/jeffa36/archive/2008/08/31/teched-vodcast-interview-with-rocky-heckman.aspx" href="http://blogs.technet.com/jeffa36/archive/2008/08/31/teched-vodcast-interview-with-rocky-heckman.aspx"&gt;http://blogs.technet.com/jeffa36/archive/2008/08/31/teched-vodcast-interview-with-rocky-heckman.aspx&lt;/a&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;This is probably his best post to date. &lt;/p&gt;</content><author><name>RockyH</name><uri>http://blogs.msdn.com/members/RockyH.aspx</uri></author><category term="Tech Ed" scheme="http://blogs.msdn.com/rockyh/archive/tags/Tech+Ed/default.aspx" /></entry></feed>