Archive for the ‘Security’ Category

Gpg4Win and Enigmail

22 Jun 2007 17:40 by Rick

There is currently a problem in which Enigmail, the OpenPGP extension for Thunderbird, doesn’t work with Gpg4Win. The latter is the Windows distribution of GnuPG that bundles the command-line program with GUI front ends. The versions tested were Enigmail 0.95.1 and Gpg4Win 1.1.0, but I understand other versions are affected.

There seems to be some dispute as to which program is at fault, and the most common recommendation is to uninstall Gpg4Win and install the plain command-line version of GnuPG. Although there is some overlap (both provide a key management GUI, for instance), this would lose some of the useful disk management functions of Gpg4Win.

I have discovered that there is a much easier fix. In Thunderbird, go to the OpenPGP ==> Preferences menu item and in the “Files and Directories” window, tick Override and enter C:\Program Files\GNU\GnuPG\gpg.exe. Now stop and restart Thunderbird and everything works just fine.

Computer error nearly costs SNP election

21 Jun 2007 18:52 by Rick

Gerv Markham reports that MS Excel was used to count the votes in the “Highlands and Islands” constituency and that, due to a coding error, it did not count any votes for the SNP at all. Had an alert agent not spotted this, the SNP would have ended up two seats down rather than one up overall in the Scottish Parliament. See the full report for the details.

Virus Scare

16 Jun 2007 13:39 by Rick

I had a bit of a fright this morning; AVG (free) kept saying that it had found an infected object but it wouldn’t put it in the Virus Vault where it should go. I was bothered because I don’t do viruses, I consider myself too smart for that (look out, the sky is falling in). I see a few go past in email and I used to have trouble when my anti-spam system kept a copy of recent emails in plain text (it now keeps them in a database, so that is resolved). I have just installed a trial of Prevx so wondered if that may have triggered something, but I don’t think so.

Some analysis and a few blunders later, I discovered:

  • The infected file was in C:\System Volume Information\_restore{DF9 …a lot of hex… F08}\RP108\A0024948.exe. If I remember rightly this is the System Restore area. I don’t recognise the file name, perhaps System Restore mangles them?
  • This accounts for why my working (LUA) account could not vault it, because I don’t have access.
  • It is reported as I-Worm/Stration.DJC. This is normally distributed by ICQ (which I don’t use) but has been seen recently in spam email—I am unlikely to have executed any attachments.

The blunder was that (in a panic) I deleted the system restore area before scanning the system; I seem to drop out of Security Analyst mode when I come home. Anyway I did a full system scan and a run of the Kaspersky Online Scanner for good measure. Nothing else was found.

What I don’t understand is

  • How it got there. I thought System Restore was backing up things that changed during an install so that you could back them out later. If that is the case, it should have been live on my system before whatever install replaced it and there should be some other traces left.
  • Why AVG should have been looking there in Resident Shield mode anyway. I thought it only checked files that you accessed, and that is not likely to be one of them.

It will, no doubt, remain a mystery.

Executable White-listing

12 Jun 2007 16:07 by Rick

It is one of the fundamental rules that, if you want a really secure system, you start by switching everything off and then enable only what you need (“default deny”). This goes for firewalls, and accounts for why many that come pre-configured in routers are not very good: they have to let so much through so that every potential customer’s applications will work. It is also why ZoneAlarm (the basic version only) is so good: it asks you before allowing anything.

Measured against this rule, the principle behind all antivirus software is flawed from the start. It works the other way round, default allow: it tries to detect what is bad, by various means, and then block it. You can never win at this game; you are always trying to catch up with the perpetrators, which is why we now have to accept daily updates, and I have seen some offering them hourly. It is also why the vendors can justify a subscription pricing model rather than a one-off cost.

But you can go some way towards this goal very easily: just don’t run your day-to-day activities from an administrator account. Administrator accounts should be for administration, that is installing software, taking backups and doing system updates. What you need to do is create another account and, using the facility provided in Windows XP, mark it as a “Limited” account (a limited user account, or LUA). 95% of software works perfectly well in this mode. If you have to run some very old programs you may have problems, but they can usually be circumvented. However, I will (and you should) complain like mad if a new program does not work when run this way; it is just negligent of the author.

The big advantage of the limited user account is that when you are browsing or reading mail and something nasty does get in, it no longer has access to the heart of the machine and the damage it can do is limited. Most bad-ware tries to install itself in the system folders and the machine-wide part of the registry, and a limited account simply cannot write there. Think of it as running a power tool with the guards in place. You do need to lift the guards sometimes, but not with the power on, and only to change the blade.

This article by Marcus Ranum (beware, some strong language) takes this concept a stage further. In it he describes how he fought to get the complete control he wanted, so that only the programs he specified would run. First he tried to use Windows Execution Control. I don’t know the facility, nor whether this is a fair evaluation of the mechanism, but it failed miserably for him. Subsequently he tried a product called PrevX. The main problem there was that they annoyed him with their marketing techniques, but it also looked doubtful that it was really doing what it said it did. [I could ask here how someone apparently so experienced in security matters could possibly get infected so often, but I suppose that, during research, he may be deliberately working at the margins of safety.]

Finally (so far) he found a freeware product called Exe Lockdown from Horizon DataSys. I tried for quite a while to locate the download, as it doesn’t seem to be linked anywhere, but eventually found it here. If it does what it says on the box then it should work in a very similar way to ZoneAlarm, i.e. maintain a table of programs permitted to execute and, if you try to run one not in the list, put up an “Allow or Deny” prompt. It adds one extra detail which may be of use to those controlling systems used, for example, by children: it asks for the Administrator password before permitting the change. Otherwise it all looks very straightforward.

It works because viruses and other bad-ware need to execute to do anything to your system. If they are not known they will have to ask, and there is a reasonable chance that you will notice at this point and deny them. It is not foolproof though. Anything that runs inside a program already on the list is invisible to it: macro viruses embedded in documents run inside the word processor, and script code such as JavaScript in web pages runs inside the browser, so the list never gets asked. It also matters how the table identifies a program: a list keyed on the file’s path alone still trusts a file that has been replaced under the same name, whereas one keyed on a hash of the file’s contents does not. Even so it will stop many, so it is very valuable, and the others are partially controlled by your LUA.
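The allow-or-deny table described above, as an added example that is not part of the original post and is not Exe Lockdown’s code: a minimal execution allow list as a shell function, keyed on the SHA-256 of each permitted program rather than its path, so that a file replaced under the same name is no longer trusted. The function names, the sample programs and the temporary directory are assumptions made for this illustration; sha256sum and mktemp from GNU coreutils are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the original post or from Exe Lockdown: an execution
# allow list keyed on file hashes.  Names and sample files are assumptions.

# allowlist_add TABLE FILE: record FILE's current hash in TABLE ("hash  path" per line)
allowlist_add() {
  sha256sum "$2" >> "$1"
}

# allowlist_check TABLE FILE: return 0 if FILE's current hash is in TABLE, else 1
allowlist_check() {
  h=$(sha256sum "$2" | cut -d' ' -f1)
  grep -q "^$h " "$1"
}

# run_allowed TABLE FILE [ARGS...]: the "Allow or Deny" decision without the prompt.
# Executes FILE only if its hash is on the list; otherwise refuses with status 126.
run_allowed() {
  tbl=$1; prog=$2; shift 2
  if allowlist_check "$tbl" "$prog"; then
    "$prog" "$@"
  else
    printf 'denied: %s is not on the allow list (or has changed since it was added)\n' "$prog" >&2
    return 126
  fi
}

# --- constructed demonstration ---------------------------------------------
work=$(mktemp -d)
table="$work/allowed.sha256"
printf '#!/bin/sh\necho "hello from the approved program"\n' > "$work/good"
chmod +x "$work/good"
allowlist_add "$table" "$work/good"

run_allowed "$table" "$work/good"        # on the list: runs

# Bad-ware overwrites the approved program in place: same path, new contents.
printf '#!/bin/sh\necho "exploited!"\n' > "$work/good"
run_allowed "$table" "$work/good" || echo "blocked, exit status $?"

# The caveat from the post, in code: an interpreter on the list runs whatever it
# is fed, so macro and script content passes straight through a per-program list.
allowlist_add "$table" /bin/sh
printf 'echo "exploited via the interpreter"\n' > "$work/macro.sh"
run_allowed "$table" /bin/sh "$work/macro.sh"   # allowed: /bin/sh is on the list
```

A real product also has to intercept every process creation, not just calls that go through a wrapper function; the point here is only the decision, and that a hash-keyed table catches an in-place replacement while a path-keyed one would not.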

[Update: Well it was a good idea. First the version I found was only a limited function demo. The link to buy the real thing went nowhere and I couldn’t get it to work anyway. If anyone knows of a program with a similar function then I would be very glad to hear of it.]

Red faces at Symantec

30 May 2007 15:43 by Rick

Symantec Security Response researcher Ron Bowes has written an article which claims that a Unix-based system that uses sudo can be compromised by manipulating the search path.

When you cut all the waffle about spelling mistakes, “.” in the path and scripts executed in error, what he is saying comes down to this (using the Bourne shell) …

$ printf '#!/bin/sh\necho exploited!; whoami\n' > /tmp/mount   # the #! line lets the file be exec’d directly
$ chmod +x /tmp/mount
$ PATH=/tmp:$PATH
$ export PATH
$ sudo mount /dev/cdrom
Password:
exploited!
root
$

However, the writers of sudo(8) were not as dumb as all that. If it were that easy it would have been blown years ago and, in fact, sudo would not have been worth creating at all. I don’t know if he actually tested the code that he wrote, but if he did, and it worked, then he had a seriously broken sudo implementation.

The “main” protection offered by sudo, to pick up on a point made by Mr. Bowes, is that it first resolves the bare command name to a full path (searching PATH, or the secure_path from the sudoers file if one is configured) and then checks that full path against the commands permitted in the sudoers table. /tmp/mount does not match /sbin/mount, so it is not granted root authority: sudo refuses with a “not allowed to execute” message and logs the attempt, rather than running either copy. The caveat is that this only holds where the sudoers entry names the command. Where the entry is ALL (the common “may run anything” configuration) there is no path to compare against, and sudo will run whatever /tmp/mount turns out to be; setting secure_path closes that hole, because the caller’s PATH is then ignored altogether when the command is looked up.
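The lookup-then-compare behaviour described above, as an added example that is not part of the original post and is not sudo’s own code: a small shell model of how sudo decides whether a command name is permitted. It resolves the name against a search path exactly as the text describes, then matches the result against a sudoers-style entry, and it shows the three cases that matter for the PATH trick: an entry naming the full path, an entry of ALL, and ALL with secure_path set. The function names and the temporary /sbin and /tmp stand-ins are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: a shell model of how sudo(8) decides what to run.  It is not
# sudo's code and not part of the original post.  Function names and the sample
# directory layout are assumptions made for this illustration.
#
# sudo resolves the bare command name to a full path by walking PATH (or the
# secure_path from sudoers, when one is configured) and only then compares that
# full path with the paths listed in sudoers.  A "deny" is a refusal: sudo does
# not fall back to the real binary.

# resolve_cmd NAME SEARCHPATH: print the first executable NAME found in SEARCHPATH
resolve_cmd() {
  cmd=$1; searchpath=$2
  oldifs=$IFS; IFS=:
  for dir in $searchpath; do
    if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
      IFS=$oldifs
      printf '%s\n' "$dir/$cmd"
      return 0
    fi
  done
  IFS=$oldifs
  return 1
}

# sudo_decide NAME USERPATH SECUREPATH ALLOWED: print "allow <path>" or "deny <path>"
#   SECUREPATH empty -> no secure_path option, so the caller's PATH is searched
#   ALLOWED          -> colon-separated full paths from sudoers, or ALL
sudo_decide() {
  cmd=$1; userpath=$2; securepath=$3; allowed=$4
  searchpath=${securepath:-$userpath}
  full=$(resolve_cmd "$cmd" "$searchpath") || { printf 'deny %s (not found)\n' "$cmd"; return 1; }
  if [ "$allowed" = ALL ]; then
    printf 'allow %s\n' "$full"      # nothing to compare against
    return 0
  fi
  oldifs=$IFS; IFS=:
  for p in $allowed; do
    if [ "$p" = "$full" ]; then
      IFS=$oldifs
      printf 'allow %s\n' "$full"
      return 0
    fi
  done
  IFS=$oldifs
  printf 'deny %s\n' "$full"
  return 1
}

# Constructed layout standing in for /sbin and /tmp: a real mount and a planted one.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/sbin" "$demo_root/tmp"
printf '#!/bin/sh\necho real mount\n' > "$demo_root/sbin/mount"
printf '#!/bin/sh\necho exploited!\n' > "$demo_root/tmp/mount"
chmod +x "$demo_root/sbin/mount" "$demo_root/tmp/mount"
hijacked_path="$demo_root/tmp:$demo_root/sbin"   # the post's PATH=/tmp:$PATH

# 1. sudoers names the full path: the planted copy resolves first and is refused
sudo_decide mount "$hijacked_path" "" "$demo_root/sbin/mount"
# 2. sudoers says ALL: no path to compare, so the planted copy would run as root
sudo_decide mount "$hijacked_path" "" ALL
# 3. secure_path is set: the caller's PATH is ignored and the real binary is found
sudo_decide mount "$hijacked_path" "$demo_root/sbin" ALL
```

Case 1 is the post’s point: the refusal, not a silent substitution of the real binary. Cases 2 and 3 are the practical lesson for anyone administering sudo: give users explicit command paths rather than ALL where you can, and set secure_path regardless.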

Software Subscriptions Scam

17 May 2007 15:19 by Rick

Those of you who have signed up for an annual software subscription, such as an anti-virus product, need to read the article at Windows Secrets this week. It seems that you may have signed up for an automatic debit from your credit card every year, and it can be very difficult to get out of. The companies involved aren’t backstreet operators either, but big names like Microsoft (the OneCare scheme), McAfee, Check Point (ZoneAlarm) and Symantec (Norton).

What some have done is bury the information in those impenetrable EULA documents that no one reads. The best of them had the information clearly up-front, but the box was still ticked by default. Although it is only a couple of clicks to sign up to these services, and they are convenient, it can be much harder to cancel, sometimes requiring a phone call to the USA. Sometimes the cancellation doesn’t work even then, so you have to try to contact a live (and intelligent) body to get a refund.

eVoting

3 May 2007 11:05 by Rick

I haven’t been able to find any decent report of the electronic voting trials taking place today in the local council elections; the best is probably Jason Kitcat’s. I have these comments to make about the principle:

It is not presently (nor in the foreseeable future) possible to construct a secure, Internet-based system for remote electronic voting.

Dr. Rebecca Mercuri, Bryn Mawr College, 2002

The main reason is that there are many conflicting and contradictory requirements. You need to ensure:

  • that the mechanism to vote is actually available;
  • the entitlement of the person to vote;
  • that they vote only once;
  • that privacy is maintained;
  • that no coercion has taken place;
  • that the voter gets positive feedback that their vote has been cast as they directed; and
  • that the candidates and other observers get an unambiguous assurance that the counting mechanism is accurate and unbiased.

Note that some of these are not the same requirements as for commercial transactions, where the interaction is deliberately not anonymous (else nothing would be delivered or charged), nor are the requirements for all elections the same.

No voting system is going to meet all these requirements, but the added factor in remote electronic systems is the possibility of automation generating enough false votes to influence the outcome. Compare the paper process: identity is not proved at the ballot box, but the attendants will notice gross abuse; privacy is weakened by numbered ballot slips, but tracing a vote back requires a manual, obvious and laborious cross-reference, unlike electronic systems where the identity and the vote cast can easily sit in the same or linked databases; no one can twist your arm while you mark your cross; you put the slip in the locked box yourself; and representatives of all interested parties can watch the count, with the actual voting slips laid out on the table, and oversee any queries that arise.

Introducing the internet into this shrouds the whole process in a dense fog. You cannot rely on the security of the entry device (the home PC) or of the transport mechanism (ISP to global internet). No amount of encryption can compensate for the huge number of home systems that are vulnerable and exposed: encryption protects the vote in transit, not the machine that produced it. It is analogous to leaving ballot boxes unsupervised on street corners for a few days, as you have no way to tell how the voting slips arrived. To continue the analogy, how does the voter recognise a genuine ballot box? Read “spoofed voting web sites”. Finally, if you do get your vote to the correct system, the opportunities for that server, connected to the world, to be attacked are not insignificant. In a recent case, personal details of applicants for NHS positions were exposed alongside their names, despite the system requirement to strip off those details before recording the data at all.

There are arguments in favour of electronic polling stations, but the systems used must be independently audited (not proprietary black-box systems) and must provide a printed confirmation of the vote cast, which can be deposited in a ballot box in case a manual count is needed, e.g. after system failure, compromise or dispute.

Dr. Mercuri goes on to say

To say that “it is probably impossible to make any system perfect” and then use this as an excuse to impose a horribly imperfect and flawed process on the voting public, is sorely misguided.

Due care and attention

28 Apr 2007 10:43 by Rick

[Photo: envelope returning Driving Licence]
This is how at least one of our public bodies looks after our valuable identity documents. And they tell us to take care!?

For those who may not know: every Briton over about 25 would recognise this as a Driving Licence.

Identity credentials

29 Mar 2007 12:42 by Rick

There are three well-known factors that can be used to establish a personal identity (the word is used here in a relative, not an absolute, sense, i.e. who you are with respect to the service you wish to obtain).

  • Something you Know—such as a password or anything else not easily guessed.
  • Something you Have—such as a swipe card or warrant.
  • Something you Are—such as a fingerprint or other metric that is an integral part of the body.

Using all three of these is “three-factor authentication”, the holy grail of identity management.

The caveat of “relative identity” is important because people hold a number of separate identities at different times and places. For example at one moment you may be “mummy” and at another, “teacher.” In the shop you would be “customer” and at work “employee.” It is important to note that these are truly independent and don’t need to relate to each other in any way nor require the same degree of authentication.

In many cases reputation plays a key role. If you are behind the counter and the sign over the shop says “Jones—Butcher” then it matters not at all if your name is really Jones, but if you serve good meat then customers will come back with confidence. If someone else takes your place they will be less sure. Similarly if next day you are in the Bakery, then you will need to establish your reputation again before they will trust your bread.

Each of the first two factors has serious weaknesses when used on its own. Passwords can be forgotten, disclosed or compromised, requiring an elaborate secondary mechanism for resetting them; cards can be lost, stolen or forged. Used together they are quite effective and form the mechanism of many well-known authentication systems: ATMs, chip and PIN, SecurID tokens and the better door-entry swipe cards, for example.

In theory the third, the “Are”, has the potential to be both absolute (unique in the population) and sufficient (for the same reason), but in practice obtaining and validating such a metric is often beyond the capability of the systems available. Thumb prints have been used for logging in to a laptop or starting a car, for instance, but the experiments with facial recognition have been a disaster. A biometric also cannot be changed once it has been copied, which makes it a better identifier than a secret: it can say who is claiming the identity, but something else should prove it.

The factors are only valid if they are kept completely independent of each other. It becomes meaningless if you tattoo your password on your hand or store your fingerprint on your passport, but exceptions are made: e.g. a photograph (a weak “Are” factor) on an employee ID card ties the card to the person before it is used to gain entry. This guards against loss or theft (to some extent) but not forgery; for that you need to ensure the uniqueness of the document. At validation this means comparing a master copy with the one presented, a relatively simple account lookup. For issuing new documents it means cross-checking against all others issued, not just against the person standing in front of you; this is a much harder one-to-many search.

Let us consider some traditional and modern examples. I have selected a few to illustrate both the wide variety of situations where we evaluate identity and the different means and rigour by which we do it.

Let’s look at correspondence.

  • A telephone call: the recipient may be partially identifiable in respect of having answered the call, but the caller is anonymous (disregarding caller-id) unless they give you a name. Voice, an “Are” factor, is not reliable even for people we know well, which explains the lengths a credit card company will go to before discussing account details.
  • Face-to-face conversation is little better: you have only substituted another unreliable “Are” factor, the face, unless you can identify the person from another source.
  • A chat room or forum is worse still. The law may now require proof of age (somehow) for obtaining an account, but little else; your tag (name) is your own choice and there are no secondary means of identification.
  • Email: even with ISP or domain addresses, the only requirement is that the user pays the bill. The service provider will know rather more but will only reveal it when legally obliged, and disposable email addresses are available that are tied to nothing at all.
  • A letter: a name is now tied to a house address (an unusual “Have” factor), which needs to be valid because without it you won’t get a reply. There may be a signature, but there is often nothing to validate it against.

BUT, the question to ask is: does it matter? No, not always! If you get an email of thanks for a helpful web page, does it really matter who sent it? Would they have sent it if they had to positively and absolutely identify themselves?

Other examples are financial transactions.

  • An account number: depending on how secret it is kept, this can be anything from a “Know” factor to virtually useless. The Americans have hit this problem with their Social Security Numbers. It can be used to establish that the account owner is entitled to the service, but not that the person giving the number is that owner, so it requires additional verification.
  • A cheque: the signature is a very weak “Are” factor which, in theory, is validated against a master copy held by your bank, or used in association with the “Have” factors, the guarantee card and the pre-printed cheques.
  • A credit card: in person you “Have” the card and you “Know” the PIN (or, on old systems, you use your signature, which is, in theory, verified against the card). If you are not present, by phone or on a web site for instance, you still “Have” the card but have to prove it by giving the secondary security number, which is only weak proof of possession since it is printed on the card for anyone who has handled it to read.
  • Cash: the best known of the “Have” tokens. It doesn’t matter at all who you are, only that your authority, the ready cash, is valid; extraordinary measures have been taken to make it hard to forge.
  • At the extreme is the contract, which requires identifiable witnesses present who know you and are prepared to vouch for your identity. They may also be required to be recognisable members of a community, such as professionals.

Now you could argue that a simple National Identity Card would solve all of our problems, but that would be to disregard my earlier point that the absolute and incontrovertible identity this would attempt to give is not always necessary or desirable; and at what cost? After all, it is only a single-factor “Have” token which attempts, by some magic, to connect itself to your “Are” existence by means of biometrics. None but the blinkered are convinced that this is even possible beyond the photo-id and signature we already have.

Safe login

23 Mar 2007 12:06 by Rick

Now you have a good password and have kept it somewhere safe, you need to consider how you log in with it. When you go to the login page, is there a little padlock at the bottom of the screen? Is it closed? If not then the page is not secure; it has not been encrypted. These days most of the important ones are done properly, but sometimes you find one that is not; one of my web-mail pages was like this. This is important because without it your account name and password are transmitted over the internet in clear plain text. Generally the risk is low, but if you use a wireless connection, especially a public one, then anyone nearby can read what you are sending. Two caveats: what actually protects the password is that the page it is sent to uses HTTPS, and a form on an unencrypted page gives you no way to see where it posts, so insist on the padlock on the login page itself; and a padlock alongside a browser warning that the certificate is not valid is no assurance at all, because you then cannot tell who is at the other end.

One thing that is worth a try is to change the http: at the front of the web address to https:. This means “secured” and sometimes it works, giving you an encrypted connection. What has happened here is that your supplier has set the system up but has been too lazy to tell you about it or to switch it on automatically. If you find this is the case, change your bookmark (favourite) so that it always goes to this version of the address, and check that the site does not quietly drop you back to http: once you are logged in; if it stays encrypted you will be safe in future.

If even this doesn’t work then complain to your supplier: if it is worth a password login, then it is worth securing! If it matters to you, change supplier if you get no satisfaction.
