Back From Black Hat

re: Back From Black Hat

Chris — Thu, 10 Aug 2006 06:35:31 GMT

Something stupid, but about the bluepill... while i agree their isn't a solid way to protect against everything especially with someone sitting down with admin priviledges... perhaps vista needs to be better at autohealing the kernel after a modification to its kernel takes place.

If Microsoft knows what the kernels supposed to look like shouldn't an automated roll back be possible based on the current vista versioning?

It's just a thought and i'm by far not a security guru but it just appears that if you can't block everything, perhaps just blocking isnt the only way to bite the bullet... Perhaps in this case a good offensive recovery of the kernel to heal itself would remove the damage that a change like a bluepill could create.

re: Back From Black Hat

Timothy — Fri, 11 Aug 2006 00:29:44 GMT

I really think it's silly when people get all excited about malware/exploits that require administrative privileges to execute. You can also format the hard drive as an admin without the OS complaining, what's your point?

That being said, I think it is good that the Windows team is analyzing these strategies, such as bluepill, to further protect admins from shooting themselves in the foot by running 100% of the time as admins. But I still have no sympathy for someone who is exploited while being an admin.

re: Back From Black Hat

Larry — Tue, 22 Aug 2006 12:54:54 GMT

Actually, the problem doesn't have anything to do with Vista per se, it is more of a hardware problem. Here is a link to the blog of the woman (Joanna Rutkowska) who developed the "Blue Bill":

http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

If you read her blog, the "Blue Pill" exploits a weakness in the AMD "Pacifica SVM technology." This technology is available in certain 64-bit versions of AMD processors and it has nothing to do with the operating system. Here is a quote from her blog:

"I would like to make it clear, that the Blue Pill
technology does not rely on any bug of the underlying
operating system. I have implemented a working
prototype for Vista x64, but I see no reasons why it
should not be possible to port it to other operating
systems, like Linux or BSD which can be run on x64
platform.

Her exploit works by creating an undetectable "Virtual Machine" in which "malware" could run. These kinds of undetectable programs are generally called "Root Kits" and they use various technologies to work.

Microsoft Research wrote an article about using Virtual Machine technology for creating a root kit several months ago, but it used commercial software to create the Virtual Machine:

http://www.eecs.umich.edu/~pmchen/papers/king06.pdf

Because this technique required a commercial virtual machine, it was not a very practical way to create malware.

Joanna's accomplishment was to exploit the new AMD SVM technology to inject the malware without rebooting the machine. She claims that it may be possible to do the same thing with Intel's Virtual Technology (VT), but she hasn't tried it.

On her blog, there is a lengthy discussion about ways that the exploit might be detected and whether it might be possible to prevent an infection. Some people feel that the Intel Virtual Technology is not as vulnerable and would allow for easier detection of the "Root Kit".

Bottom line is that her hack exploits a microprocessor weakness and there may be no way to prevent it, no matter what operating system you are using. I suspect that the ultimate solution will require changes to microprocessor architecture.

re: Back From Black Hat

Stephen — Tue, 22 Aug 2006 16:15:05 GMT

Just a quick comment on the Admin aspect of this post.

I work around many different OS's and you always hear arguments why people need 'Administrator/root' privledges for thier system. As far as I am concerned any no one should be on a system with Administrative/Super User privledges to begin with. Why do you think *NIX makes you create a 'USER' account during OS Installation.

Proper security practices need to be taught to all...create a normal user (No Privledges to destroy the system) and if you need to install something you can 'Run As...' or you can 'SU...' to get it on the system.

Just my 2 cents worth and hope that it is worth it.

re: Back From Black Hat

Gerk — Tue, 22 Aug 2006 22:49:11 GMT

Stephen,

You wrote "Proper security practices need to be taught to all..."

I think your failing to account for one simple fact in stating that users should run as a 'normal' user. A significant amount of Windows software simply does not function without admin privileges. Though this problem is slowly (ever-so-slowly) correcting itself, it still continues to drive the need.

Years ago I remember upgrading my wife's account to admin on our home box because she could not RUN Microsoft's "Picture It" photo editor without being an admin. More recently, my wife can't use her XP Home 'user' account on her Toshiba notebook computer because the battery power-level indicator fails to function without being an admin. This seems silly, but the notebook fails to initiate the screen dimming on low power or the safe shutdown prior to power outage.

So yes Stephen, in an ideal world no one gets admin rights. Unfortunately it will be a very long time before software allows this to become the norm.

MSDN Flash Ireland - International Resources - 1 Sept 06

Robert Burke's Weblog — Thu, 31 Aug 2006 11:32:15 GMT

Web Resources

&nbsp;

[SQL Server and Data Access] 2006 PASS Community Summit: Microsoft SQL...

re: Back From Black Hat

Paul Hudson — Fri, 08 Sep 2006 16:32:31 GMT

I can't see the problem here. If an admin trashes the server, they may find it difficult to find gainful employment in the future.

If the admin does something stupid, then they have to fix it. Hopefully, they are intelligent enough to know how to fix it.

re: Back From Black Hat

Chris G. — Wed, 13 Sep 2006 10:39:47 GMT

It has been quite evident and ever-so-publicly stated in recent history that many have it in for any OS with the Microsoft tag. That being the case I must say that I am rather pleased with the RTM Vista. Granted the "Blue Pill" scenario worked rather well but to be fair how often is someone going to get anonymous access to SU on a remote machine running Vista? We would do well to remember most Malware is injected into a system through user error. Granted the lsass ports are still open however I have yet to be able to infect my PC running Vista through a remote port eventhough they are open. i.e. The following exploits were tested and failed to root on my Vista machine. {DCom and Dcom2, NetDevil, lsass, All seven Optix mods, Upnp, netbios} Also the following modded viri failed to infect my host pc trying to root and remote execute RBot, Ago(all variations), RXBot(All Var's),NLX (new dcass modd),aIRC, all sassers, DNSX (New Aug 06 mod), phatbot and mods.
Now My point? 80% of Malware comes from the remote execution of scripts by malicious users. Malicious scripts have yet to be able to access the Vista kernel. The farthest I was able to get on my journey to infect my Test PC was the User Account control popping up alerting me of a script trying to run on a Optix Bot Variation. In order to achieve this feat I had to SU and install the remote execute script by hand.
I believe the moral of this story is, Unless you are planning on leaving your remote desktop turned on to accept all connections with admin access while leaving the User Account Control and windows firewall and defender turned off, RTM Vista provides a more stable, more secure core than most *nix platforms and OS X.

re: Back From Black Hat

Chris G. — Wed, 13 Sep 2006 10:40:36 GMT

Windows Vista Security : Back From Black Hat

Windows Vista Security : Back From Black Hat — Wed, 27 Sep 2006 00:22:53 GMT

PingBack from http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/07/691441.aspx

Back From Black Hat at Vistalogy

Back From Black Hat at Vistalogy — Sat, 06 Jan 2007 05:33:40 GMT

PingBack from http://www.vistalogy.com/2006/08/07/back-from-black-hat/

The Capslock Assassin » Blog Archive » Windows Vista @ Black Hat

The Capslock Assassin » Blog Archive » Windows Vista @ Black Hat — Tue, 30 Jan 2007 13:59:22 GMT

PingBack from http://capslockassassin.com/?p=6

re: Back From Black Hat

Dean — Mon, 12 Feb 2007 03:54:36 GMT

Baa, just an annoyance and just barely better security!

Vista is just overlapping guest privileges even when when the user is logged on as Admin..

Then, instead of blocking them, it asks.. COME ON! If you spent one day in my shoes where you see first hand that that people NEED admin rights to be able to use their computers and to ask them if they want to run something A CABILLION TIMES will only annoy them.

The MAC commercial sums it up very well.. Yes I hate to agree with a drugged out, burnt out, hippy, (the founders of MAC, a bunch of "blue box" making stoners).. But, that commercial is very accurate.

Is MAC the answer? NO.. MAC sucks, if you live in the real world with numbers, applications, and games.. There is a reason 90% of the computer world use Microsoft. That is why they make viruses for them.. Why would they make a virus for something no one is using?

ANYWAY..

Guest account=NO (can not do crap)

Admin all the time=N0 (to many holes)

Asking a cabillion questions=NO (then still allowing the teen, kid or average user to still allow it, WILL NOT WORK)

What is the answer?

Well, if I told you, I would not make a living... I have been doing my system from about 2000. Works good.

Am I for real?

http://www.cbs13.com/video/?id=15413@kovr.dayport.com

http://www.cbs13.com/video/?id=15410@kovr.dayport.com

re: Back From Black Hat

Dean — Mon, 12 Feb 2007 07:55:32 GMT

Ha, another crap feature of UAC, you have to reboot to turn it OFF or ON! Ha, with my CPULOCK, you just turn it on and off at will.

I have only spent about 10 min playing with Vista, but, I like the look and feal.