Archive for the ‘Security news’ Category

Temporary workaround for Windows SMBv2 zero-day

September 10th, 2009 George Ou 5 comments

The Windows SMBv2 zero-day vulnerability (a disclosed vulnerability with no software fix yet) appears to be more dangerous than initially thought. The vulnerability does not affect the Release to Manufacturing (RTM) version of Windows 7 or Windows Server 2008 R2, but it does affect Windows Vista and Windows Server 2008. The danger is no longer just a system crash or reboot; it can lead to a full system compromise.

In the absence of a patch, Microsoft released some instructions for disabling SMBv2. For your convenience, I’ve packaged two REG files that you can download to enable and disable SMBv2 in Windows Vista and Windows Server 2008. So until a software patch is available, you need to disable SMBv2 by double-clicking the disable-SMBv2.reg file and then rebooting. The workaround does not break your ability to serve files, but it does reduce your SMB file serving speeds to Windows XP and Windows Server 2003 levels, which results in a moderate decrease in performance. When the patch becomes available and you have applied it, just run the enable-SMBv2.reg file and reboot.

Voting machines hacked, votes stolen in POC attack

August 12th, 2009 Justin James 11 comments

Researchers at the University of California, San Diego, have used a new programming technique to hack a voting machine. What is really scary about this attack is that the researchers did not need the source code or other unlikely insider information to do it. All they needed was the information that someone would have by having possession of a voting machine. The electronic voting movement makes a lot of sense as a principle; it would hopefully eliminate a lot of waste, improve accuracy, speed up results, and reduce or eliminate controversy. Unfortunately, electronic votes represent one of the top, say, five juiciest targets for a hacker imaginable (right next to pwning a bank, a nuclear missile silo, a nuclear power plant, and the Hubble Space Telescope, I’m guessing). In my opinion, the world of computer science has not invented the hack-proof system (other than one that is powered off), so I believe that we are not ready for electronic voting.

J.Ja


Temporary fix for unauthorized WordPress password reset

August 11th, 2009 George Ou 4 comments

There is a serious exploit against WordPress out in the wild that allows an attacker to reset your password.  It works on every version of WordPress and there is no official patch yet which is pretty scary.  There is a temporary workaround and it appears that WordPress.com has already applied this workaround.  This workaround can be found here and I have already applied it to my site and you should too if you are running WordPress.

Basically, all you need to do is replace some text in your wp-login.php file.  Just go in there and change:

if ( empty( $key ) )

to

if ( empty( $key ) || is_array( $key ) )

Now if someone tries to reset your password using this exploit, they will get slapped down with the message “Sorry, that key does not appear to be valid.”  Now that’s music to my ears.

I have verified that this solution works by testing the exploit on my own site.  Without this modification, I can nuke my admin password.  My mail function was broken and the system wouldn’t even send me a new password via email, and I had to reset the password from my backup.  With this modification, the exploit doesn’t work.

Update 8/12/2009 – WordPress.org has released WordPress 2.8.4. I think that patch only adds the modification above, but it might include other patches too. I hate these full upgrades, because you have to back up first and hope nothing breaks or resets. I may skip this upgrade since I did the manual fix, which is easier.


90% of you run an insecure version of Flash

August 6th, 2009 George Ou 10 comments

Last Friday, a new version of Adobe Flash came out which patched the most recent critical flaws in Flash Player. Yet because the update process isn’t automatic, most of you have not updated the Flash Player in your web browser. The fact that Adobe makes the manual update process a pain to use, forces you to install yet another download manager, and tries to get you to install yet another browser toolbar doesn’t help. The end result is that most of your computers are vulnerable to websites that display malicious Flash content.

Read the rest at DigitalSociety.org


Mozilla patches SSL, Microsoft CryptoAPI still exposed

August 5th, 2009 George Ou 1 comment

Mozilla has patched a very critical flaw in Firefox that allows attackers to pose as a legitimate Firefox update server and implant harmful code on a victim’s computer. Firefox 3.0.13 and 3.5.2 are no longer vulnerable to this attack, and the update should run automatically. It would be prudent to check manually: open the Firefox “Help” menu and then the “About” window to confirm the version.

See the full story at DigitalSociety.org »

SSL exploit turns Firefox into malware distributor

July 30th, 2009 George Ou 4 comments

Security researcher Moxie Marlinspike gave one of the more interesting and terrifying presentations at BlackHat 2009 in Las Vegas yesterday. Marlinspike demonstrated how the X.509 digital certificates used by Secure Socket Layer (SSL) to secure online communications such as eCommerce and online banking were completely broken. This allowed Marlinspike to pose as the Mozilla update server for users on the same local area network, such as a hotspot, which let him distribute malware in the guise of a Mozilla Firefox update.

Read the rest at DigitalSociety.org.


ISPs have a duty to block malicious traffic

July 28th, 2009 George Ou 2 comments

Mass media and blogosphere hysteria ensued after several ISPs (including AT&T) responded to customer complaints and blocked an IP address that was transmitting massive amounts of Denial of Service (DoS) traffic. For something as routine and essential as blocking a malicious attack from a computer on the Internet, all hell broke loose late Sunday evening and early Monday morning because the IP address belonged to a popular image sharing site called 4chan, whose members are infamous for perpetrating porn flooding pranks on YouTube as well as organizing DoS attacks against other websites.

Read the rest at DigitalSociety.org

F-Secure is mistaken regarding Windows 7 RC security “fail”

May 6th, 2009 George Ou 18 comments

F-Secure is getting some news coverage because one of their bloggers claims to have identified a security failure in Windows 7 Release Candidate. Their blogger Mikko writes that Windows 7 still hides file extensions, which allows virus writers to easily trick users into launching executable files disguised as ordinary document files. Mikko showed some screenshots of how this supposed vulnerability would be exploited, but there is a mistake in Mikko’s analysis.

The mistake is that when you create an executable file on your own computer, it will just launch silently without any warning. But if you actually try to download such a file from a website or save/open it from an email attachment, the Windows Attachment Execution Service (introduced with Windows XP SP2) will warn you that it is an executable, which is actually more explicit and obvious than hoping the user understands which three-letter file extensions qualify as an executable.

To prove the point, I downloaded a file called test.txt.cmd from my own website. You can download the zipped version here and verify for yourself. I decompressed the file, launched it, and got the following warning. Had someone emailed me this file, I would have gotten the exact same warning. In light of this warning, there is no chance I would mistake this file for a plain old .TXT text file.

Windows Attachment Execution Service in action

Furthermore, if the executable had required system-level privileges, I would have gotten an additional UAC warning message in either Windows Vista or Windows 7.

Now I am not suggesting that hiding file extensions is a good thing.  In fact, I hate it and I always disable that feature on any Windows computer I use.  But I do not think it’s accurate to portray this as a security failure in Windows 7 or anything after Windows XP SP2.


Download Office 2007 SP2, don’t use Windows Update

April 29th, 2009 George Ou 3 comments

Update 4/30/2009 – Microsoft support helped me fix the problem using an internal script/utility called au_check_v78f.exe to clear out my update database which may have been corrupted.  Hopefully, they will make this tool public.

For anyone who has more than one computer running Office 2007 or if you may need to run the update on a future reinstall, I would suggest that you download the Office 2007 SP2 update here rather than use Windows Update.  That’s because the file is just shy of 300 MB and it’s a big hassle to have to download the file more than once.

Be aware that the update does require a reboot. Also note that it may take some time for Outlook 2007 to reprocess your email data file the first time you run it after the SP2 update. Once you’re all done, redo “check for updates” under Windows Update; hopefully it removes Office SP2 from the list of items that need to be downloaded and installed, and you will still see a bunch of other smaller Office updates. On my desktop system, for some reason, Windows Update insists that I need to download Office 2007 SP2 and install it even though it’s already installed. I didn’t see this problem on my laptop. I’ve reported the issue to Microsoft and hopefully they’ll have a remedy for this, because it would be very annoying for IT people.

Of course if you’re an IT shop, you should be using WSUS to distribute the updates centrally.  That works infinitely better than pulling updates “from the cloud” because you’re getting the updates from the local area network.

HTTPS web hijacking goes from theory to practice

February 20th, 2009 George Ou 8 comments

I’ve been privately talking about the theoretical dangers of HTTPS hacking with the developers of a major web browser since 2006 and earlier last month, I published my warnings about HTTPS web hacking along with a proposed solution.  A week later, Google partially implemented some of my recommendations in an early Alpha version of their Chrome 2.0 browser by implementing a client-side list of websites that should only operate in secure HTTPS mode regardless of any redirection trickery.  This week at the Black Hat security conference in Washington DC, Moxie Marlinspike released a tool called SSL Strip which exploits the weak manner in which SSL is implemented in HTTPS (PDF presentation from Black Hat) which means the vulnerability is no longer just theoretical.  Since this issue is fairly complex, I’ll try to summarize it in a nutshell in this article.

The problems with HTTPS

Web browsers always start off using HTTP, which has zero security. No one actually types in “HTTPS” or “HTTP” manually; they generally just type “gmail.com”, for example, and expect the web browser to magically re-route them to a secure sign-in. Unfortunately, that relies on a mechanism that redirects the user from an insecure HTTP page to a secure HTTPS page. Yet this redirect can easily be blocked by a hostile man-in-the-middle, which is exactly what SSL Strip does. This means the user never gets taken to the secure authentication page, leaving their username and password in the clear for the hijacker to see and take.

The user could in theory recognize that they were not redirected to a secure website and the web browser could even try to give the user positive feedback about a secure website with icons like a padlock or light up the address bar green or some other color, but nearly all end users ignore these signs.  That means in practice, relying on people to ensure their own security and safety will almost always result in failure.

It is time we think outside the box beyond ineffective positive or negative feedback systems and do this seamlessly and automatically for the end user.  When we think about all other implementations of SSL such as SSLVPN or Outlook email over SSL, we don’t expect end users to make security decisions on what a digital certificate should look like or whether there should be one at all.  To do this for the HTTPS web browser implementation of SSL is simply a way of shifting the IT responsibility to the end user which not only poses undue burden on the end user, but almost certainly ensures that the wrong security decision will be made.

How to make HTTPS secure

There needs to be an automated mechanism that ensures the end user’s security and requires zero knowledge or participation from the end user to work. We can create such a mechanism with minor changes to DNS and web browsers. First, we use DNS to publish, through custom DNS records, a list of websites that must operate in HTTPS. Second, the web browser automatically forces a connection to an HTTPS page if instructed to do so by DNS, and it maintains its own list of websites that are only to operate in secure HTTPS mode. We need this second part because we cannot always assume that DNS is trustworthy, especially in the case of wireless hotspots. The DNS mechanism would only be able to toggle HTTPS enforcement on for all future web browsing sessions; it would not be permitted to toggle it off unless the answer came from a trustworthy DNSSEC server. This means that once a user successfully visits a secure website for the first time, they will always remain secure for that website even if they cannot trust the DNS server they’re using on a public wireless hotspot.

However, this leaves open the possibility that a user in an untrusted network with a hostile DNS server might connect to a new website they’ve never connected to before in an insecure manner.  This is a relatively small vector of attack with a very small window of opportunity for success, but this too could be mitigated to a certain extent.  Web browsers could come with a pre-populated list of HTTPS-only websites, but maintaining a list of every website in the world would be difficult.  However, we could at least cover all the major sites like Gmail, Hotmail, and every online banking and shopping establishment.  We could also mitigate this problem with DNSSEC if the end user was hard coded to a trusted DNSSEC server, but this would be difficult to manage and the mechanism wouldn’t work if the malicious wireless hotspot blocked off all access to external DNS or DNSSEC servers.
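The policy described in the two paragraphs above, as an added Python model that is not part of the original post: the browser keeps an HTTPS-only set seeded from a constructed pre-populated list, any DNS answer may add a host to it, and only a DNSSEC-validated answer may remove one. The DnsAnswer record, the Browser class, the hypothetical “HTTPS-only” DNS record and the host names are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample of a browser-shipped pre-populated HTTPS-only list.
PRELOADED = frozenset({"gmail.com", "hotmail.com"})


@dataclass(frozen=True)
class DnsAnswer:
    host: str
    https_only: bool        # hypothetical custom record: "serve this host only over HTTPS"
    dnssec_validated: bool  # True only when the resolver validated the answer with DNSSEC


class Browser:
    def __init__(self, preloaded=PRELOADED):
        self.https_only = set(preloaded)

    def apply_dns(self, ans):
        if ans.https_only:
            self.https_only.add(ans.host)       # any answer may toggle enforcement ON
        elif ans.dnssec_validated:
            self.https_only.discard(ans.host)   # only a DNSSEC-validated answer may toggle it OFF
        # An unvalidated "not HTTPS-only" answer is ignored, so a hostile hotspot
        # resolver cannot downgrade a host the browser already enforces.

    def record_secure_visit(self, host):
        self.https_only.add(host)               # a successful HTTPS visit pins the host for good

    def navigate(self, host, ans=None):
        """Return the URL the browser would actually request for host."""
        if ans is not None:
            self.apply_dns(ans)
        return ("https://" if host in self.https_only else "http://") + host + "/"


def hotspot_scenario():
    """One user on a hostile hotspot, then a trusted network, then the hotspot again."""
    b = Browser()
    hostile = DnsAnswer("bank.example", https_only=False, dnssec_validated=False)
    steps = [
        b.navigate("gmail.com", DnsAnswer("gmail.com", False, False)),       # preloaded: https
        b.navigate("bank.example", hostile),                                 # never seen: http, the residual gap
        b.navigate("bank.example", DnsAnswer("bank.example", True, False)),  # trusted net: DNS toggles ON
    ]
    b.record_secure_visit("bank.example")
    steps.append(b.navigate("bank.example", hostile))                        # hotspot downgrade ignored
    steps.append(b.navigate("bank.example", DnsAnswer("bank.example", False, True)))  # DNSSEC may release
    return steps
```

The second step is the small window the text describes: a host never seen before, on a hostile network, is still fetched over plain HTTP unless it is on the pre-populated list.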

The bottom line is that if we can lock down 99% of the secure websites that people are likely to visit, we can minimize the danger of stolen user credentials and security breaches. Now that there is a real and tangible threat to HTTPS in the form of a tool like SSL Strip that hijacks any HTTPS website, the time to act on these recommendations for securing HTTPS is now. We need leadership from Microsoft, Mozilla, Apple, and Google today to secure the most important application on the Internet. Google has already made some strides with a partial implementation, but we need a full implementation of these recommendations and we need everyone to jump on board.
