May 2011

The MSRC – now and then

It’s amazing to compare how the Microsoft Security Response Center handles vulnerability disclosures versus how things were just 10 or 12 short years ago.

Here’s a typical disclosure process 10 years ago (based on a very true story):

Us: (sending an email to we’ve discovered a vulnerability in an office product. Here are the technical details. Can you confirm the issue and let us know when it’s patched?
Microsoft: Thanks for reporting, bla bla, we’ll get back to you soon

[about a week passes]

Us: Hi MSRC, any news about our office vulnerability?
[no reply]
[Sending a personal email to an MSRC friend to speed things up]
Microsoft: Oh, thanks for reminding us. We’ll check with the office team

[another few days pass]

Us: Hello? Anybody there?
Microsoft: Oh, yes. That vulnerability thing. Here’s what we decided: (a) It’s not a vulnerability. (b) It’s not a problem with the office product but with the world (or the RFC). (c) The office team can’t recreate it. (d) Even if the vulnerability were real, it wouldn’t be exploited in real-world scenarios.
Us: Are you kidding us? Did you actually look at the sample code we gave you?
[A few days pass. We are pondering whether to go full disclosure or give them time to digest.]

Microsoft: Ok, this time we actually read your advisory and yes, it seems to work. But it’s just a denial of service. Nobody will ever exploit it because of … [something that heap spraying/DEP bypass/code mutation made look ridiculous about a year later]
Us: [starting to get mad] Look guys. We sent you PoC code. You actually want us to write exploit code for you?
Microsoft: Yes, that would help convince our developers.

[Us, spending time writing code so that Microsoft is convinced to fix their own products based on free information while wasting our precious time]

Us: here it is
Microsoft: oh, wow, it really does run code. Ok, we’ll fix it in the next release cycle which should be right after the democratic primaries of 2012.

Us: Ok, forget it. We’re going full disclosure

Microsoft: no, wait wait wait. We found your name on the world wide web and now realize you’re legit. Ok, we’ll fix it. Happy now? We might even mention your name in our advisory if/when that happens.

If it sounds familiar, that means you were disclosing vulnerabilities to vendors in the early 2000’s or late 1990’s. If you think I’m exaggerating, it’s only because you didn’t.

But here’s the amazing thing. Just a few years later, some radical changes started to happen. The big dysfunctional dinosaur that was MSRC became efficient and friendly, and if I didn’t know better I would think it was a different company altogether. Here’s a real recent discussion:

Us: Hello MSRC, here’s information about an office vulnerability
Microsoft: Hi, thanks for reporting. I checked the information, went over the sample code and have some technical questions [some intelligent questions here, basically they are doubting the findings but being really careful to check all the angles first]

[technical discussion continues for a couple of days with questions and answers going back and forth]

Microsoft: Ok, we get the picture now. Thanks for reporting. Here’s the guy that is going to be responsible for your case.
[a few days pass]
Microsoft: Ok, we now know it’s a […] vulnerability and not a […] one. We’ll pass it to the relevant team, just wanted to keep you posted
[further proactive updates and niceties continue until disclosure time. Credits, the end.]

What could have possibly caused this radical change that made MSRC focus on the technical side instead of the PR, not to mention being so research-friendly? New team? New procedures? Full disclosure forced them to see the truth? Too many beers at defcon finally showed them the light? Whatever they are taking, I wish they could spread some around. Most of the other vendors could use that. Yes, I’m looking at you Google.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

CONfidence 2011 Wrapup

As always it was a pleasure to go to CONfidence, the atmosphere in this event is unique and has a very un-commercial feel to it.

It started off with a lock picking presentation by Deviant Ollam, which quite convincingly proved that your weakest point is physical security, and then gave everyone a run for their money by offering locks and lock picking tools to give people a feel for how easy (or in some cases not that difficult) it is to pick a lock – especially if it just looks tough but is actually a cheap knockoff.

The day then split into two distinct tracks. I picked the Stuxnet one and learned less about Stuxnet and more about cybercrime, cyberwarfare and how the United Nations Interregional Crime and Justice Research Institute is handling / looking at that. Bottom line: a lot to do, little being done now, and things are still shaky on the legal and control side of it – with many countries doing it and little threat of “political” issues for them.

After the lunch break I got to hear a lecture about Gadu-Gadu vulnerabilities. Unfortunately I did not catch the guy’s name so I cannot tell you what it is, but his lecture proved that XSS can be more than just a web site hack, with Gadu-Gadu having XSS issues that would allow the execution of code. According to him, the vulnerabilities have been reported but discarded by the vendor as a non-threat; well, no one in the audience felt that was a shocker.

Sitting in on Mario Heiderich’s lecture proved to me once again that XSS is an endless mine of goodies. With SVG now becoming more and more accepted, and having been built without much security in mind, SVG is the new XSS goldmine. So many issues, so little time to present them, should be Mario’s trademark 🙂

I didn’t have the time to sit in on any other lectures during that day, so I will skip to day 2.

Chris Valasek’s heap spraying and analysis talk proved once again that he should be dubbed the Heap Spray King, with a new method to turn an apparently unexploitable hole in the IIS FTP server into an exploitable one, using ground-breaking research into how to cause fragmentation and reassembly of heap blocks so that in the end EIP ends up under the attacker’s control – with the promise to release the exploit. More to come from this great guy.

Alexey Sintsov showed us that even the smallest and simplest “holes”, such as being allowed to resolve hostnames on a compromised host, can easily be turned into a full-fledged remote control mechanism. Though not new, the way it was presented showed that it is not just theoretical but actually quite easily put into practice.

Michele Orru presented his BeEF – Browser Exploitation Framework – and the ability to control a remote browser, once you have compromised a host by getting its user to visit your website, and get it to do what you want. In his demo he compromised a host that had access to a vulnerable JBoss server and, using the browser, got the JBoss server to open a reverse shell – effectively gaining him root access – nice!

Aleksandr Matrosov and Eugene Rodionov showed how x64 operating systems are getting compromised by TDL rootkits and how they have researched cleanup methods – and successfully done so. Apparently the method used by the TDL rootkit goes back to infecting your MBR – remember those methods? Feels like a time warp.

Michał Sajdak proved that lack of security can happen even to security-aware companies like Cisco, or to companies they bought, like Linksys: using simple command injection (such as ;/bin/ls) he was able to completely compromise a Cisco device. A simple web scan of that application would have discovered this vulnerability – I cannot say why that product came to market with such an obvious flaw.

At that point again, I had to leave the conference.

It was great, see you next year.

Things I saw that were weird and cool at the same time:
1) The CONfidence treasure hunt was wacky, with tasks such as bring a nude stripper to gain points or have a tattoo of a sailor on your arm for double points
2) Wii and PS3 stations proved once again to be packed with hackers showing their skills
3) Barbecue and beer idea was a hit
4) Giving speakers a free beer as a drink on stage was weird but a good idea on how to release pressure from the speaker

Aurasma: Graffiti meets YouTube

A company called Autonomy, which has been selling image search technology, has launched an apparently freely available (open?) project called Aurasma.  At the moment only available on iPhone 4, this allows you to “augment” the reality (that the mobile device sees) by adding video to overlay it.

In this article, a BBC reporter/commentator opines that this is a cute trick, but only that.  I’m going to go out on a limb and predict that this assessment is short-sighted (albeit only if the technology expands to other platforms).  Given that YouTube users are uploading 48 hours of video to the site every minute of the day, I suspect that the ability to create video graffiti, and “tag” it to any vista, location, or object, will be irresistible.

Apparently the company thinks this will be a platform that companies will use to create ads, to promote their products or shops at related locations.  They probably will.  However, myriad users will be creating other content, for the same images, and we will have SEO (Search Engine Optimization) battles that will make the malware and phishing sites we see now pale in comparison.  The Tokyo Chamber of Commerce or tourism board may wish to overlay video over certain landscapes or landmarks, but how will they stand up against thousands of geeks who’ve all seen Godzilla?

REVIEW: “The Black Swan”, Nassim Nicholas Taleb

BKBLKSWN.RVW   20110109

“The Black Swan”, Nassim Nicholas Taleb, 2007, 978-1-4000-6351-2,
%A   Nassim Nicholas Taleb
%C   One Toronto Street, Unit 300, Toronto, ON, Canada  M5C 2V6
%D   2007
%G   978-1-4000-6351-2 1-4000-6351-5
%I   Random House/Vintage/Pantheon/Knopf/Times/Crown
%O   U$26.95/C$34.95 800-733-3000
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   366 p.
%T   “The Black Swan: The Impact of the Highly Improbable”

I was irritated into reviewing this book.  I knew that the title referred to events which are rare, and therefore seen as unlikely or impossible, but which, once observed, are obviously true.  I had heard this book (and idea) discussed in terms of risk analysis, but the mere fact didn’t strike me as terribly useful.  To a certain extent we deal with such issues all the time in business continuity planning.  So, when, during yet another conversation on risk analysis, one participant insisted that we should all read this text, I responded that the earth might fall into the sun, soon, and therefore I couldn’t see risking what little time I had left reading Taleb’s work.

The participant insisted that we weren’t going to fall into the sun for a long while, and therefore I should read the book.  Having now read it, I can say that this person didn’t understand one of the author’s main points.

In the prologue, Taleb describes a Black Swan event as one which is rare, has an enormous impact on the world, and is explainable after the fact.  During the course of the work he presents a number of examples.  A great deal of the text, though, discusses, disparages, and even rants against efforts to predict future events or outcomes, particularly those which rely on models.  The author notes that many of these models fail to take certain factors into account.  This is quite true: a model, by its very nature, must be limited.  A map of Canada, the full size of Canada, would be accurate, but not very portable, and thus not useful.  In the same way, any model is a heuristic, giving a quick indication of operation on the basis of a very limited set of factors.  Taleb’s thesis about rare events seems to take second place to his assertion that you can go badly awry by relying on a model which fails to take all factors into account.

My “earth into the sun” example, therefore, fits well into the theme of the book.  As far as we understand, we have probably billions of years before we spiral into the sun.  On the other hand, some rare event may make this happen much sooner, and we’ll all be impacted (if you’ll pardon the expression).  And, if it does happen, you can bet that, in the few weeks or hours between the event and our incineration, there will be plenty of people who will be building models to explain why it did happen.

This statement is undoubtedly true.  But is it helpful?  Much of the author’s work is addressed at the issue of investment, and particularly “playing” the stock market.  He notes that an investor, by betting on black swan events, can make a large return (since black swan events have a large impact).  This declaration is also true, but you can’t bet on all possible events, so which ones do you choose?  For example, computer equipment retailers who “bet” on tablet computers last year would, this year, be in a very strong position.  Those who did the same thing twenty-three years ago would have been stuck supporting the Newton.

Taleb keeps repeating (and repeating, and repeating, and repeating: his few points are duplicated many times over through nineteen chapters) that just about everyone tries to avoid risk on the basis of what they have seen in the past.  In fact, not only many studies but also common observation show that this isn’t the case.  The general public loves to gamble.  Studies of “successful” people (business leaders, etc.) indicate that they are more prone to gambling and risk-taking than the general public, and, in fact, foolishly so.  (“Leaders” have a strong tendency to gamble even when it is quite clear that taking the small but sure return is the better deal.)

Is this, in fact, evidence that Taleb is correct, and that we all should be risk-takers, betting on black swans?  No.  As he, himself, points out in a different context, some risk-takers win, and become “successful,” while a lot of risk-takers lose, but disappear into the general population.  (Or just disappear.)

The central point about making predictions on the basis of insufficient knowledge is emphasized most repetitively in regard to investments and finance.  The author does suggest a method for ventures: keep 90% of your funds in the most conservative undertakings, and invest the 10% in wildly speculative “positive” black swans.  Of course, this doesn’t guarantee that any of your wild investments do pay off, but at least you will have your 90%.  Unless a “negative” black swan comes along and wipes them out.

The book is, actually, fairly fun to read, but annoying to review.  Taleb has good facility with language, and writes in an amusing, if scattered, manner.  As a means of passing the time, the text is fluid, entertaining, and even has some points worth thinking about.  However, in terms of this review series, I must consider whether the tome is useful or not, and I’m not certain that it is.  Taleb presents some salient warnings, but makes any number of statements (several of them outrageous) without going to the trouble of backing them up.  (This fact is rather ironic in view of his repeated denigration of academics and technical authors who cannot write clearly and “properly.”  He even admits, almost up front, that a friend “caught [him] red-handed” by challenging him to “justify the use of the precise metaphor of a Black Swan,” and he had to confess “this book is a story.”)

To take a page from the way Taleb writes, I could point out that his “Extremistan” bears a strong resemblance to the age of the dinosaurs.  They developed the largest land-dwelling creatures ever to walk on earth, lasted much longer than we humans have, and, some models show, were able, simply because of their immense numbers, to affect climate in ways that we have only recently been able to do by pumping their remains out of the earth and burning them.  They were also subject to a black swan event in the shape of an asteroid, which left, as their descendants, only Taleb’s much maligned turkeys.

There are certainly holes in this argument, but it is as entertaining, and as valid, as much of what Taleb writes in the book.

In the end, I have to agree with Taleb’s mother: there is some use in this book, but an enormous disparity between what the author thinks it is worth, and what it is actually worth.

(No ballet dancers were mentally harmed in the reviewing of this book.)

copyright, Robert M. Slade   2011     BKBLKSWN.RVW   20110109

Complexity is killing us

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those types of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.

Shaw’s idiot spam filter again

And, once again, Shaw has cut off my outbound email.  For no reason that I can determine.  This time tech support aren’t even answering messages.

Maybe I should make the point that if I can’t answer my email, I have more time to blog about their lousy service …

A recent flight …

Security wanted to open up my suitcase and look at the bag of chargers, USB sticks, etc, and was concerned about the laser pointers.  He decided they were pens, and I didn’t disabuse him of the notion.  Why disturb the tranquility of his ignorance?

Kindle Book Sharing

This post won’t be about security, but still something that is worth mentioning.

If you want to share your Kindle content with a colleague, you can either loan it to him (but then he has two weeks to finish the book!) or just swap Kindles (devices) after deregistering them both and re-registering them both. Remember to move everything out of your Collections first, or it will get “lost” in the swap.

I just tried it with a work colleague and it worked great!
