Noticed over at Securabit some information on how Microsoft virtualization of Windows XP may re-introduce some previously-thought mitigated vulnerabilities. This includes XP Mode in Windows 7. Historically, some vulnerabilities in XP have been reduced in importance due to other protections such as DEP, SafeSEH, and ASLR. But during some virtualization scenarios, memory outside the normal protected boundaries could still be attacked. In essence, this means in certain situations, an attacker could leverage vulnerabilities and bypass those protections. I’m grossly simplifying this description, so follow the link trail from Securabit to get the details.

Is this a Big Deal? I don’t think so, but it certainly is worth the press/time and is very interesting in concept.

The bottomline for Windows 7 XP Mode is it shouldn’t be relied upon or used terribly extensively. If you need it so an app will work, use it only for that app. Also, this does not mean you can break into the host by popping the guest XP system; this is still just an XP guest issue.

Over a year ago, a paper flew out across Full-Disclosure from Erez Metula talking about .NET rootkits. I promptly lost my notes on it, but after finding and reading up on it, I have to say this is pretty exciting stuff (check the whitepaper, skim the pdf if you want, but it is less detailed). Two take-aways I got from a quick skimming:

1. You can replace .NET .dll files that Microsoft trusts just by deploying to the proper “folder” (bypassing the GAC process). Sure, this requires admin rights, but what then? This isn’t a penetration or priv escalation technique so much as it is a persistance technique.

2. You can do lots of cool shit inside a .dll file, whether you’re subverting the framework or some app that uses ASP.NET on top of the framework.

This brings up a few ideas on how to protect systems that run such code.

a. File integrity monitoring on framework files or files inside the general assembly.

b. Egress monitoring on network perimeters (not necessarily external!) to detect if something is being shipped out (such as with SendToURL or ReverseShell). To an extreme, this could be also done on the server itself so it is only talking to systems it should be talking to, not just network-prohibiting.

c. Do you know what code your developers are writing and executing on your servers? Code reviews and lifecycle integrity… I don’t know enough to speak about what privilege level .NET code is executed under, but I would be willing to bet an interested developer can do whatever he wants on a server that executes his code. This holds true for anyone that has access to the server to install something or run code or get administrative rights.

d. Um, don’t run as an administrator. This applies more to users, as they may visit a web page and allow code to run, which then rootkits their framework. Then again, this isn’t the only reason to stop running as admin while browsing the web.

e. If you can spare the energy, tracking regularly accumulating files/folders may help as well. If an attacker is gathering credentials on the server, they either need to ship them out or store-and-retrieve them. This point helps detect the “store” part.

I’ve recently finished reading Freedom, the sequel to Daemon by Daniel Suarez. I made a longer post which I have yet to clean up and release, but wanted to throw out this idea. (I highly recommend the books!)

I just read a post on isc.sans.org about an SEO poisoning attack. This reminds me of all the efforts to legitimize malicious accounts, sites, and activities. For instance, want to avoid the malware-radars on Twitter? Make a ton of accounts, follow each other, and get a few dozen or hundred randomly posted tweets. You’ll blend right in!

(Tiny, TINY spoiler here for Daemon, but not for Freedom. I’m really not giving anything away that will spoil the plot.)

In Daemon/Freedom, the daemon creates this new system which is based in part on reputation. As users in the daemon’s system, you can vote up or vote down other users based on your interactions with them.

This still suffers from problems of gaming the system, just like we see malware attempting to do today. You get enough “people” going, and you can inflate your scores. Likewise, this breaks down when you don’t have people voting based only on rational reasons and instead vote on popularity or for irrational reasons. Ashton Kutcher was the first person to 1 million followers on Twitter. Would it be appropriate for him to be the most powerful user in any legitimate system that has real world ramifications? Probably not.

Ever wonder what Microsoft stores in their services about you, or how that might be used to aid criminal investigation? Seems an internal document has been floating around that discusses Microsoft’s lobal Criminal Compliance Handbook. Some thoughts…

First, if you live in the US (or China, and others) don’t be naive and think businesses can keep what you do secret, even in the face of a subpoena or government influence. Many of these services and tools (like Skype, AIM, GMail, your cell phone provider, landline phones, ISP, etc) wouldn’t be allowed if there were not ways to intercept or request stored information from them to track down criminals. Simply because of that, you know they have to have some method of easy records requesting or eavesdropping capabilities (like the guy in that secret closet at AT&T!). Don’t get me wrong, I’m not necessarily saying this is a bad thing; I actually do favor having that capability to use for authorized purposes. It’s just really difficult to maintain that ethical level of “authorized.” Lots of people were shocked to hear that Google has a web site to request subpeona materials. I wasn’t shocked they have that capability, although I was a bit shocked that it was just a web portal that was apparently poorly protected.

Second, even if it’s not true in practice, it’s nice to read that Microsoft internally does not want to do things like record IM conversations or store your email after you’ve opted to delete it (or at least they don’t want to provide such to authorities, but I bet that lines up with what THEY want as well). Honestly, I really wouldn’t expect Google to be quite as satisfactory in this regard. It is my impression that they want to record, keep, index, and correlate as much as possible, even things you’ve marked or thought were deleted or not recorded.

Third, transparency should not be scary. Is this doc scary to read? Actually, no it is not. The only thing this leaves is whether all of this really is done in practice, but seeing the doc does nothing to challenge that, in and of itself. A doc that says all this, but in practice they do the opposite and save much of this information in personally-identifiable/correlatable form would be a bad thing. But otherwise, I think everything in this doc is actually somewhat reasonable.

Fourth, just to reiterate, I’d be shocked if Google could even begin to do this same thing.

Picked up from the infosecnews mailing list.

Bless his heart, I’m glad Rothman is back and blogging! I really enjoy his opinions and, quite honestly, I think we align up pretty well in our feelings and editorials. It’s like having a security soulmate!

Rothman recently posted a nice opine about product reviews. Honestly, I put most of my value in products based on just 2 things. My own experiences hands-on. And experiences of others who are hands-on and not either hand-picked from the vendor or have any stake whatsoever in pimping one product (vendor “partners”) or not pimping another. Basically, if I know you work as a net admin and you use product A, I’ll ask how you like it and what’s good/bad. And hopefully I get decent answers because if I pick up that I should hate McAfee products, can I tell my boss (and his boss) that it’s because CN hates on them on Exotic Liability’s podcast? I’d like I need to have some real responses, and that often only comes through hands-on with products, either myself or others I can trust.

I would love a venue for real reviews, kinda like HardOCP is to me for computer hardware. However, Mike’s right, I’m not sure there is money in it. I mean, I’m certainly not going to pay for the review results, and I’m not sure these industries have enough players to be properly compared to computer hardware review sites or video game reviews in gaming mags. Most IT product reviews I read in mags and sites are met immediately with skepticism. Are these two in bed with each other? Is that a paid-for ad on page 76 for the same product you’re “objectively” reviewing? Do they mention anything negative at all, or criticisms, or their competition? Hell, I even dismiss articles in Insecure when the author is the CTO…

Then again, half the beauty with HardOCP runs in line with what I value in researching a product: being able to ask questions on a forum to people who have real-world experience with said products. So maybe the real problem is finding a security-specialized community-building forum for discussing products, offtopic junk, and attacks. Yeah, I like the Security Catalyst community, but I really feel like I should be wearing a tie in there and refrain from community-building offtopic posts like, Best Super Bowl commercial. Or things you can bullshit about in IM or IRC. What if Infragard had an online forum that was protected but allowed anything you wanted to talk about without being too confusing and splintered into subforums? Then again, all it takes is a copy-and-paste and “sensitive” information is leaked. Pooh.

I’m stopping before I ramble some more… I think it’s time to start idling in IRC more and participating in some nice forums…digital social networking, if you will.

Check out this sobering reminder of just how powerful your Blackberry (or any mobile device) can be these days in a post at Veracode titled, Is Your BlackBerry App Spying On You (includes a video).

This is just me organizing some notes on building a new gaming rig. The last one I built 2 years ago still works great, but I want to transition it over to be my day-to-day Ubuntu desktop, and use this new one as an excuse to dive into Windows 7. So far, I have purchased nothing, and may not even pull the trigger, but at least I know what I want for now. I already have plenty of boxes and not enough uses for them!

Budget: In the past I’ve been budget-conscious and always planned to upgrade parts as the years go by. I’ve learned that I really just don’t upgrade much beyond peripherals or a few non-core pieces. Likewise, I’ve never really splurged on a system for myself. So this year, I’m planning on splurging with parts and pieces that should last quite some time. I’m not shying away from spending $3,000 on the system, and the parts listed below do approach that figure. Ten years ago I would scoff at such a budget, but I guess this is what happens when you get older and more fiscally responsible!

Use: First, gaming. Second, I also use this system for media ripping and burning and some pmp management (not with iTunes!!). I have no plans to rip and/or burn blu-ray media, but I think it is worth having that capability since I already want the blu-ray player option. Third, I pay bills and do banking on it. I don’t install software beyond gaming, and I don’t run strange media files or other files on it. Basically, I treat this system like a trusted box that I intend to do my sensitive stuff on. Since this isn’t my Windows “bitch box” that gets crap loaded on it, I can both trust it more and keep games running smoothly. This is not my day-to-day desktop where I check email and ESPN and blogs. I use Ubuntu for that. I also have other systems running Windows that I can do more experimental things on including a VMWare server. Hell, this box is big enough to leverage VirtualPC and run something in it to play with…

Notes not represented in the below parts: I already have decent 2.1 speakers, headset, keyboard, mouse, a 24″ monitor (2 if I wanted to use it on this system) and I KVM the input devices with my day-to-day Ubuntu box. I will also run a second liquid cooling loop that will hit, at a minimum, the graphics card.

Motherboard: ASUS P6X58D Premium LGA 1366 Intel X58 SATA 6Gb/s USB 3.0 ATX Intel Motherboard – 309.99

or
Motherboard: GIGABYTE GA-X58A-UD7 LGA 1366 Intel X58 SATA 6Gb/s USB 3.0 ATX Intel Motherboard – 349.99

or
Motherboard: ASUS P6T Deluxe V2 LGA 1366 Intel X58 ATX Intel Motherboard – 289.99


CPU: Intel Core i7-920 Bloomfield 2.66GHz 4 x 256KB L2 Cache 8MB L3 Cache LGA 1366 130W Quad-Core Processor – 288.99


Motherboard: GIGABYTE GA-P55A-UD3 LGA 1156 Intel P55 SATA 6Gb/s USB 3.0 ATX Intel Motherboard – 134.99
CPU: Intel Core i7-860 Lynnfield 2.8GHz 8MB L3 Cache LGA 1156 95W Quad-Core Processor – 279.99
CPU cooling: CORSAIR Cooling Hydro Series CWCH50-1 120mm High Performance CPU Cooler – 77.89
Case: Corsair Obsidian Series 800D CC800DW Black Aluminum / Steel ATX Full Tower Computer Case – 269.99
or
Case: COOLER MASTER CM690 II Advanced Black Steel body / Plastic + Mesh bezel ATX Mid Tower – 99.99
PSU: CORSAIR CMPSU-850HX 850W ATX12V 2.3 / EPS12V 2.91 80 PLUS SILVER Certified Modular Active PFC Power Supply – 169.99
Memory: G.SKILL Ripjaws Series 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800) – 169.99

Memory: G.SKILL 4GB (2 x 2GB) 240-Pin DDR3 SDRAM DDR3 1333 (PC3 10666) Dual Channel Kit Desktop Memory – 106.99
Graphics: SAPPHIRE 100281SR Radeon HD 5870 (Cypress XT) 1GB 256-bit GDDR5 PCI Express 2.0 x16 – 409.99
CD-RW: LITE-ON Black 24X DVD+R 8X DVD+RW 8X DVD+R DL 22X DVD-R 6X DVD-RW SATA CD/DVD Burner – 26.99
Blu-ray: Pioneer Black 12X BD-R 2X BD-RE 16X DVD+R 5X DVD-RAM 8X BD-ROM 4MB Cache SATA Internal Blu-ray Burner – 199.99
Blu-ray: LG Black 8X BD-ROM 16X DVD-ROM 40X CD-ROM SATA Internal Combo LG Blu-ray Reader & 16X LightScribe DVD±R DVD Burner – 89.99
Soundcard: ASUS Xonar DX 7.1 Channels PCI Express x1 Interface Sound Card – 89.99

Windows OS: Windows 7 Ultimate 64-bit – 179.99

HD: OCZ Vertex Series OCZSSD2-1VTX120G 2.5″ 120GB SATA II MLC Internal Solid State Drive (SSD) – 429.00

or
HD: Intel X25-M Mainstream SSDSA2M160G2R5 2.5″ 160GB SATA II MLC Internal Solid State Drive (SSD) – 499.00

HDx2: Western Digital Caviar Blue WD5000AAKS 500GB 7200 RPM 16MB Cache SATA 3.0Gb – 55.99×2

HDx2: Western Digital Caviar Blue WD6400AAKS 640GB 7200 RPM 16MB Cache SATA 3.0Gb/s 3.5″ Internal Hard Drive – 69.99×2
or
HDx2: SAMSUNG Spinpoint F3 HD103SJ 1TB 7200 RPM 32MB Cache SATA 3.0Gb/s 3.5″ Internal Hard Drive – 89.99×2

All main parts from Newegg. Other watercooling and misc parts from FrozenCPU.

If you didn’t read Krebs when he wrote for the Washington Post for whatever reason ( I myself was a spotty reader), and you’re into security, you should give him a fully new try at his new personal blog, because it’s good. Consider it part of your A-list. A recent article made me sigh sadly: a bank sues a customer who was a victim of a cyber heist. None of the issues here are new, but collectively they illustrate the frustrations we face in securing a digital world while also dealing with real world culture. The comments after the article are as important as the article itself.