Archive for January 2006

A security evaluation from a vendor perspective

Today I enjoyed a presentation by a company that has gone through the process of evaluating one of their products for conformance to ITSEC (similar to Common Criteria). The Swedish company Stoneridge develops a product that monitors and records the behavior of the driver, a system used in many heavy vehicles for increased road safety et cetera. This is, according to the presenters, required by law in the US, and will soon be so in the European Union and Sweden.

They described the process from their perspective, and I reacted to three issues:

(1) They described the problems with updating/patching the Security Target, for example when fixing a bug. If the bug were in one of the code segments classified as Security Enforcing or Security Related, a long and costly process would have to be gone through each time this is done. They gave a piece of code as an example:

If ( X > 60 ) then { … }
changed to
If ( X > 59 ) then { … }

It wasn't at all clear to them or the evaluators that this simple change wouldn't affect security, and it came close to a large part of the evaluation process having to be redone. In the end, they were allowed a less thorough evaluation of that specific update.

The problem with this, as I see it, is that if changes to the code become too expensive for the vendor, there is a chance that they might be even more reluctant to disclose vulnerabilities, and in the end even to produce patches. This might in the end produce a system that has more undisclosed vulnerabilities and unpatched flaws than an unevaluated competing product. If ITSEC and Common Criteria haven't got a painless solution for certifying updates/patches, perhaps in an incremental way, products will most likely be kept secretly vulnerable.

(2) After the presentation I asked one of the presenters, who was a software developer consultant at the company, how and if ITSEC had influenced her way of coding. She responded with a clearly pronounced Yes, and further stated that she is more thorough and aware of security issues. She also mentioned that the long and expensive process of doing updates to the Security Target made her act faster in terms of alerting other parties in the company and in the development process. These statements show that certifications like these are indeed positive from a security perspective.

(3) I also asked if they had calculated or evaluated the costs of transforming the product and development processes, as well as the entire organisation structure and physical defences. They responded that they had no such figures, but indicated that the costs were indeed huge. I plan to ask her if she can get that information from someone else at their company.

Microsoft's Security Vice President responds to Slashdot questions

Slashdot has posted an excellent interview with Microsoft's Security VP Mike Nash. This is the first time I have seen an honest attempt from Microsoft to respond to comments without sounding like pure politicians. Mike Nash has put a great deal of effort into answering the questions in a detailed manner. While I disagree with some of his points, I think this is a great step taken. Although the interview turned out fine, I can imagine the nerves of Microsoft's PR people having a hard time right now :)

I recommend reading the entire interview.

Open source security and commercial involvement

While picking up what I missed during the weekend, when I was snowboarding in the Swedish "alps" (well, more like snow-covered hills, actually), I came across Bruce Schneier's words on the US Department of Defense, DoD, and their plans to fund popular Open Source projects with approximately 1.3 million dollars spread over the three upcoming years.

According to an article in eWeek, the money will fund source code auditing of projects such as KDE (of which I'm a dedicated user), Apache, the Linux kernel and also FreeBSD and OpenBSD among others. The work will be performed by the company Coverity Inc, led and supervised by Stanford University. One aspect that I find interesting and impressive is Symantec's involvement, where they will provide advice in their area of expertise.

Commercial forces are necessary for open source projects to be taken seriously. Just look at Apache, MySQL, Snort, Nessus, Ethereal amongst others; they all offer commercial services related to the products. This is another example, where companies can be guaranteed, more or less, that someone with the necessary expertise actually is auditing the code for security-related vulnerabilities - something that otherwise can be questioned.

This discussion is related to several previous posts, like the WMF-related ones. I want vulnerabilities to be discovered, and when they are, published publicly so that other defensive mechanisms can be used in order to temporarily "patch" the problem. I find undiscovered bugs and unpublished vulnerabilities a bigger problem than the lack of patches itself.

The best of the best?

I recently found out about the security company Matasano. They consist of only five researchers, but WOW, what an impressive line-up.

jeremy rauch
For over 10 years Jeremy Rauch has been at the forefront of information security. An original member of the ISS X-Force and a co-founder of SecurityFocus, Jeremy is the discoverer of numerous security vulnerabilities in widely-deployed commercial products. Jeremy is also a former principal engineer for optical switching at Tellium.

thomas ptacek
Thomas Ptacek brings over 10 years of product development and security research experience to Matasano. Thomas has owned technical operations at Chicago's most popular ISP, authored Insertion, Evasion, and Denial of Service, a landmark paper which broke every shipping intrusion detection product on the market, and at Arbor Networks led the development of a security product deployed on the backbone of virtually every tier-1 ISP worldwide.

david goldsmith
Co-author of the first published i386 stack overflow, David Goldsmith is a respected consultant, trainer, and researcher with over eleven years of experience. David co-founded @stake, managed its critical NYC office, and led Symantec Security Academy. David invented firewalking, which reverse-engineers firewall rules from remote firewalls, and authored security tools for ISS and Network Associates.

window snyder
Co-author of Threat Modeling, Window played a pivotal role in Windows XP Service Pack 2, the most important Win32 security update since i386 protected mode. As a senior security strategist for Microsoft, Window's responsibilities also included Windows Server 2003 and Microsoft Exchange. Prior to Microsoft, Window was a founding team member at @stake.

dino dai zovi
Author of numerous papers and presentations on exploitation techniques, 802.11 wireless attacks, and OS kernel security, Dino comes to Matasano from the Attack and Exploitation Team at Bloomberg. Dino's career spans over 7 years and includes key roles at @stake, and the IDART Red Team at Sandia Labs. He has spoken at security conferences including IEEE, DEFCON, CanSecWest, and PACSEC.

An impressive list to say the least. You might remember that @stake was founded by the hacking group L0pht, most famous for L0phtCrack. Thomas Ptacek is one of my favourites in the security industry, with his groundbreaking ideas on intrusion detection. Other people that I look up to are Marcus Ranum, Dave Aitel and of course Metasploit author H.D. Moore. They have some neat wisdom and knowledge of security, and all participate openly in discussions. This is something I miss from all the self-proclaimed "experts" here in Sweden, or Europe in general.

How I keep FreeBSD up to date

I'm using a somewhat automated process to keep my FreeBSD 6.0 server free from obvious flaws and vulnerabilities. I use the unofficial (as in not supported by the FreeBSD security team) program freebsd-update to detect, fetch and install binary versions of patches when they are available.

FreeBSD Update is a system for automatically building, distributing, fetching, and applying binary security updates for FreeBSD. This makes it possible to easily track the FreeBSD security branches without the need for fetching the source tree and recompiling (except on the machine building the updates, of course). Updates are cryptographically signed; they are also distributed as binary diffs using my binary diff tool, which dramatically reduces the bandwidth used.

This system sends me an e-mail when patches are available. The binary nature of the system is especially nice, since my host is somewhat slow, and applying these patches takes only a moment compared to what a recompilation would take. The system can be compared to Debian's APT.

freebsd-update is not part of the base system, which means it has to be installed afterwards. Luckily, it is available as a package, and we use pkg_add with the -r switch to fetch the package from a remote source. (If you are running the C shell, csh, use rehash to make the command available after installation.)

onesome# pkg_add -r freebsd-update

Now copy the default configuration file into place:

onesome# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf

freebsd-update is now ready to be used; patches are checked for availability and fetched when it is run with the fetch switch:

onesome# freebsd-update fetch
Fetching updates signature...
Fetching hash list signature...
Examining local system...
Fetching updates...
/boot/kernel/ipfw.ko...
/usr/bin/cpio...
/usr/bin/edit...
/usr/bin/ee...
/usr/bin/ree...
/usr/bin/texindex...
/usr/share/man/man1/cpio.1.gz...
Updates fetched

In this case, 7 updates/patches were available. We use freebsd-update install to install them:

onesome# freebsd-update install
Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/edit...
Installing new /usr/bin/edit...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
Backing up /usr/bin/ree...
Recreating hard link from /usr/bin/edit to /usr/bin/ree...
Backing up /usr/bin/texindex...
Installing new /usr/bin/texindex...
Backing up /usr/share/man/man1/cpio.1.gz...
Installing new /usr/share/man/man1/cpio.1.gz...

The /boot/kernel/ipfw.ko update affects the kernel, which makes a reboot appropriate for the patch to be activated.

To find out about available patches, I run freebsd-update with the cron argument. The following row in /etc/crontab checks for patches every night at 5, and delivers an e-mail to root (which I have forwarded to an active mail account) if patches are found:

0 5 * * * root /usr/local/sbin/freebsd-update cron

The cron mode does the same thing and has the same output as freebsd-update fetch, with the mail as extra functionality. I recommend checking out the manpage for freebsd-update, as it has more functionality than what I've presented here (like rollbacks).
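As an added example (not from the original post, and not part of freebsd-update itself), here is a small Python script that reads fetch and install output of the shape shown above and answers the question raised for ipfw.ko: did the update touch anything under /boot, so that a reboot is needed before the patch is active? The sample output is constructed from the transcripts above rather than captured from a live run, and the "only /boot files need a reboot" rule is an assumption of the example.

```python
import re

# Constructed sample modelled on the post's "freebsd-update fetch" output;
# not captured from a real system.
FETCH_OUTPUT = """Fetching updates signature...
Fetching hash list signature...
Examining local system...
Fetching updates...
/boot/kernel/ipfw.ko...
/usr/bin/cpio...
/usr/bin/edit...
/usr/bin/ee...
/usr/bin/ree...
/usr/bin/texindex...
/usr/share/man/man1/cpio.1.gz...
Updates fetched
"""

# Constructed sample modelled on the post's "freebsd-update install" output.
INSTALL_OUTPUT = """Backing up /boot/kernel/ipfw.ko...
Installing new /boot/kernel/ipfw.ko...
Backing up /usr/bin/cpio...
Installing new /usr/bin/cpio...
Backing up /usr/bin/ee...
Recreating hard link from /usr/bin/edit to /usr/bin/ee...
"""

# A fetched file shows up as a bare path followed by "..."; progress lines
# ("Fetching updates...") never start with "/".
PATH_LINE = re.compile(r"^(/\S+)\.\.\.$")
# Install output names the affected file after "Installing new" or at the end
# of a "Recreating hard link from X to Y" line.
INSTALL_LINE = re.compile(r"^(?:Installing new|Recreating hard link from \S+ to) (/\S+)\.\.\.$")


def fetched_paths(output):
    """Paths listed by 'freebsd-update fetch'."""
    paths = []
    for line in output.splitlines():
        m = PATH_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def installed_paths(output):
    """Paths replaced or relinked by 'freebsd-update install'."""
    paths = []
    for line in output.splitlines():
        m = INSTALL_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def needs_reboot(paths):
    """Assumption of this example: kernel and module files live under /boot and
    only take effect after a reboot; everything else is live immediately."""
    return any(p.startswith("/boot/") for p in paths)


def summarize(paths):
    """One-line summary suitable for the nightly cron mail."""
    n = len(paths)
    if needs_reboot(paths):
        return f"{n} file(s) updated; kernel/module files touched, reboot required"
    return f"{n} file(s) updated; no reboot required"


if __name__ == "__main__":
    print(summarize(fetched_paths(FETCH_OUTPUT)))
    print(summarize(installed_paths(INSTALL_OUTPUT)))
```

Piping the real output through such a script from the cron job is one way to turn the plain file list into an explicit "reboot needed" flag in the mail, rather than having to scan the paths by eye every morning.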

I'm going back to the 80's by buying a Hub

I've ordered a network hub to place centrally in my local network. Until now I've been running a low-end switch which has done a great job shuffling packets to and from the computers on my network. However, I miss some functionality.

While testing applications and tools I feel the need to passively monitor all of the traffic on the network. The traditional way of doing this is either by having a switch with mirror functionality (often referred to as a SPAN port, available on high-end switches) or by using a network TAP, which basically is a small device similar to a hub but with very few ports.

Hubs (multiport bridges) as we all know have some issues due to traffic being duplicated on all ports, which causes huge amounts of collisions on a busy day. However, this is not really an issue for me, as I mainly run one or two computers at the same time, with none performing bandwidth-intensive tasks. A hub will give me the functionality I'm looking for, at a low price compared to the other alternatives.

I've ordered a Linksys ETHERFAST 5 PORT 10/100 DESKTOP, and I hope to get it later today.

The aftershocks of the WMF vulnerability

The WMF vulnerability was a necessary evil for the industry, I think. But still, it seems that many fail to take the lesson. Some argue that the vulnerability was drastically overrated and exaggerated - you know, "there were no major incidents" and "this vulnerability wasn't wormable due to the need for user intervention". They fail to see the whole picture.

Today I read a paper issue of the Swedish magazine Computer Sweden, where two chief security officers from two large companies commented on Microsoft's way of handling the issue. They give them an "OK", with the above "quotes" acting as some sort of evidence. What is it with people and automated attack code? Just because a "vulnerability" isn't wormable doesn't mean it can't do damage. This vulnerability was EXTREMELY easy to exploit in a directed, structured attack - which, if successful, would do loads more damage than a worm that mainly clogs our networks, or spyware that mostly installs software that slows down our computers. Worms, spyware and viruses are far from the worst-case scenario. I bet almost anyone would go for the bait of a carefully crafted mail (use your imagination) with a seemingly related image. Now imagine that you won't notice any difference between an exploited image and an ordinary one. No errors, no lag - nothing. This is more than possible.

People seem to have the idea of hackers being dumb, although the same people cannot for the world understand how the blackhat side of security works. How is encrypted data broken without access to the key? How do reverse engineering and heap-based exploits work? How did someone manage to take down our IIS server, or place an FTP warez distribution site in our DMZ? I wonder if people focus on automated attacks simply because they are simple to analyse, to understand, and to document - they are more or less static. A directed attack will have its own characteristics, simply because each network looks different, runs different services et cetera, and thus cannot be understood by passively observing some security-related mailing list or news site that happens to discuss the exploit.

I've also seen people saying "the antivirus software was successful in detecting attacks on the vulnerability". This also shows a lack of understanding of the relationship between vulnerability and exploit, and of how signature-based systems work. This WMF vulnerability was detected by antivirus software and most intrusion detection systems by signatures based on the exploits, not on the actual vulnerability. That's why a single signature didn't detect different exploits, and why new versions of the exploits avoided detection. Again, the antivirus software only detected the attacks that were clearly public, but a modification of one of the available exploits would probably get through without detection. Smart attackers won't publish their exploit code on some webpage, or send it in a mail to thousands of persons. They will use it in a directed attack, against a chosen victim.
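To make the exploit-signature versus vulnerability-signature distinction concrete, here is an added Python example (not from the post, and not any vendor's actual detection logic). It walks the WMF record stream and contrasts two detection rules: an "exploit signature" that is just the raw bytes of the Escape record lifted from one sample, and a "vulnerability condition" that flags any Escape record whose sub-function is SETABORTPROC, which is the public description of what the MS06-001 flaw concerned. The record layout and the META_ESCAPE and SETABORTPROC values are taken from the public WMF format, not from the post; the three files are constructed here, carry only zero bytes as escape data, and exist solely to show that a trivially resized variant slips past the byte signature while the structural rule still matches.

```python
import struct

# Record function numbers from the public WMF format (MS-WMF). Assumed from
# the specification, not taken from the post.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009    # Escape sub-function named in the public MS06-001 description


def build_wmf(records):
    """Assemble a minimal standard WMF: 18-byte header, records, META_EOF.
    Constructed test data only; the records carry no payload."""
    body = b""
    for func, params in records:
        size_words = (6 + len(params)) // 2          # RecordSize counts 16-bit words
        body += struct.pack("<IH", size_words, func) + params
    body += struct.pack("<IH", 3, META_EOF)
    # Type=1 (memory), HeaderSize=9 words, Version=0x300, file size in words,
    # NumberOfObjects, MaxRecord, NumberOfMembers.
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body


def wmf_records(data):
    """Walk the record stream, yielding (function, raw_record, params)."""
    offset = 18
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        size = size_words * 2
        if size < 6 or offset + size > len(data):
            break                                    # malformed size: stop, never loop
        yield func, data[offset:offset + size], data[offset + 6:offset + size]
        if func == META_EOF:
            break
        offset += size


def lift_escape_signature(sample):
    """What an exploit-based signature amounts to: the first ten raw bytes of the
    Escape record in one public sample (size, function, sub-function, byte count)."""
    for func, raw, _ in wmf_records(sample):
        if func == META_ESCAPE:
            return raw[:10]
    return None


def matches_signature(data, signature):
    """Exact byte-pattern match, the way a quickly published signature works."""
    return signature is not None and signature in data


def has_setabortproc_escape(data):
    """Vulnerability-condition rule: any Escape record whose sub-function is
    SETABORTPROC, whatever its size or the records around it."""
    for func, _, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def abort_escape(data_len):
    """Constructed Escape/SETABORTPROC parameters with data_len zero bytes."""
    return struct.pack("<HH", SETABORTPROC, data_len) + b"\x00" * data_len


# Constructed files: the "public" sample a signature would be written from,
# a variant with one benign record prepended and a different data length,
# and a benign file with no Escape record at all.
PUBLIC_SAMPLE = build_wmf([(META_ESCAPE, abort_escape(4))])
VARIANT = build_wmf([(META_SETMAPMODE, struct.pack("<H", 1)), (META_ESCAPE, abort_escape(6))])
BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 1))])

if __name__ == "__main__":
    sig = lift_escape_signature(PUBLIC_SAMPLE)
    for name, blob in (("public", PUBLIC_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, "signature:", matches_signature(blob, sig),
              "structural:", has_setabortproc_escape(blob))
```

The structural rule costs a real parser and a bounds check on every record size, which is why it takes longer to ship than a byte pattern; the byte pattern is what most products had in the first days, and the example shows exactly the gap the post describes.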

This whole issue reminds me of something I read before Christmas. Three people from security-related companies were interviewed for comments on 2005 as a year of security. The Security Officer from the antivirus company Trend Micro said something like "2005 was a good year for security, without the traditional summer worms". Talk about being narrow-sighted. We have never seen so many serious computer breaches as in 2005. How many times did you read "20 000 customers' credit card information stolen" during 2005? I can almost promise you that these were the effects of directed attacks, and not of worms, viruses or spyware.

Update
I just came across Wikipedia's coverage of the WMF vulnerability. This is the best one I've seen yet, and covers all aspects: the vulnerability, patches, history et cetera.

Update
The British parliament was hacked during the Christmas days. The attackers exploited the WMF flaw by sending carefully crafted e-mails to a number of persons. This is an example of a directed attack. And it was not even that sophisticated.

A Master's degree pays off according to SANS

Today SANS published The 2005 Information Security Salary and Career Advancement Survey. A short description of the survey:

Salaries are rising, but the survey also has data on
(1) which certifications matter for which security jobs, (2) what makes security people angry, and (3) what matters for career advancement in security

One interesting part of the survey is that high school graduates and people with Bachelor's degrees have pretty much the same wages, whereas people with Master's and Doctorate degrees have drastically higher wages.

Not that wages are everything... but I hope this means I made the right choice when I decided to study for a Master's degree (already having a Bachelor's). It doesn't necessarily mean that these facts apply to Europe too, but one can hope :)

Is Linux vulnerable to the WMF blunder too?

There has been a lot of noise about the "recent" WMF vulnerability, which affects all versions of Windows since 3.11. I've participated in discussions regarding Microsoft's way of handling this issue in various Swedish forums, such as the IDG.se comments. My comment there was followed by a private discussion by mail with the Chief Security Advisor at Microsoft here in Sweden. We have different opinions on the issue, so to speak :)

A side note: I installed Gimp today to convert a PNG file to a TIFF file, which is the image format that my publisher at IDG requests. I use the Linux distribution Kubuntu on my workstation, and thus the package system APT. Here's the output of that installation:

neewt@twosome:~$ sudo apt-get install gimp
Password:
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
gimp-data libgimp2.0 libwmf0.2-7
Suggested packages:
gimp-help-en gimp-help gimp-python libgimp-perl gimp-data-extras
Recommended packages:
gimp-svg
The following NEW packages will be installed:
gimp gimp-data libgimp2.0 libwmf0.2-7
0 upgraded, 4 newly installed, 0 to remove and 51 not upgraded.
Need to get 5441kB of archives.
After unpacking 30.4MB of additional disk space will be used.
Do you want to continue ? Y
Get:1 http://se.archive.ubuntu.com breezy/main gimp-data 2.2.8-2ubuntu6 <2079kB>
Get:2 http://se.archive.ubuntu.com breezy/main libgimp2.0 2.2.8-2ubuntu6 <404kB>
Get:3 http://se.archive.ubuntu.com breezy/main libwmf0.2-7 0.2.8.3-2 <153kB>
Get:4 http://se.archive.ubuntu.com breezy/main gimp 2.2.8-2ubuntu6 <2805kB>
Fetched 5441kB in 9s (559kB/s)

Preconfiguring packages …
Selecting previously deselected package gimp-data.
(Reading database … 112476 files and directories currently installed.)
Unpacking gimp-data (from …/gimp-data_2.2.8-2ubuntu6_all.deb) …
Selecting previously deselected package libgimp2.0.
Unpacking libgimp2.0 (from …/libgimp2.0_2.2.8-2ubuntu6_i386.deb) …
Selecting previously deselected package libwmf0.2-7.
Unpacking libwmf0.2-7 (from …/libwmf0.2-7_0.2.8.3-2_i386.deb) …
Selecting previously deselected package gimp.
Unpacking gimp (from …/gimp_2.2.8-2ubuntu6_i386.deb) …
Setting up gimp-data (2.2.8-2ubuntu6) …
Setting up libgimp2.0 (2.2.8-2ubuntu6) …

Setting up libwmf0.2-7 (0.2.8.3-2) …
Updating the gdk-pixbuf loaders list for GTK+-2.4.0…done.
Updating font configuration of libwmf0.2-7…
Cleaning up category type1..
Cleaning up category truetype..
Updating category truetype..
Updating category type1..

Setting up gimp (2.2.8-2ubuntu6) …

neewt@twosome:~$

Note the lines "Unpacking libwmf0.2-7 (from …/libwmf0.2-7_0.2.8.3-2_i386.deb)" and "Setting up libwmf0.2-7 (0.2.8.3-2)". Here's the description of that package:

Description: Windows metafile conversion library
Windows metafile (WMF) is a picture format used by many Windows
programs, e.g. Microsoft Word. libwmf is a library for interpreting
metafile images and either displaying them using X or converting them
to standard formats such as PNG, JPEG, PS, EPS and SVG(Z)...

I can't help wondering whether this open source library is vulnerable too - but I doubt it. I'm not even sure whether this specific library has the function and method that is vulnerable in Microsoft's case.