Archive for the 'Microsoft' Category

Dec 04 2013

Everyone’s moving to PFS

Last month I wrote about Perfect Forward Secrecy (PFS) for the Akamai corporate blog.  But if you’d asked me two months earlier what PFS was, you would have seen me madly scrambling for Google to find out more about it.  And I’m not alone; before this summer only a few deeply technical engineers had heard of PFS, almost everyone else had either never encountered it or dismissed it as an unnecessary burden on their servers.  Except the NSA managed to change that perception over the summer.

Now most companies are looking at PFS, or looking at it again.  In a nutshell, PFS is a method used with SSL that creates a temporary key to transmit the session keys for the browser session and then dumps key from memory afterward.  You can use words like ‘ephemeral elliptic curve cryptography’, but the important part of this is that PFS enables a method of encrypting SSL communications that don’t rely on the master key on the server to protect your traffic, it creates a new key every time.  This means that even if that master key is somehow compromised, it doesn’t allow access to all the traffic for that SSL certificate, the attacker must crack each and every session individually.   Which means you have to have a lot more computing power at your disposal to crack more than a few conversations.

PFS is a good idea we should have instantiated some time ago, but it’s got a downside in that it requires a lot of server overhead. But having to view our own governments as the enemy has given tech companies around the globe the impetus to make the change to PFS.  Google is moving towards encrypting all traffic by default, with PFS being part of this effort.  Facebook has moved in the same direction, with PFS also being a critical piece in the protection puzzle.  And Twitter.  And Microsoft.  And … you get the picture.  Companies are moving to use PFS across the board because it gives them a tool they can point to in order to tell users that they really care about securing end user communications.

I have to applaud these companies for taking this step, but even more, I have to hand it to Google, Yahoo, Facebook, and Microsoft for challenging the current status quo of National Security Letters and the secrecy they entail.  There are more questions than answers when it comes to how NSL’s are being used, if they’re necessary and if they are even something a country like the US should be allowing.  Technology is great and it’ll help with some of the problems we’re just starting to understand, but the only long term changes are going to come if we examine the current issues with the NSA and other agencies slurping up every available byte of data for later analysis.  Changes to the laws probably won’t stop anything immediately, but we have to have the conversation.

Using PFS is just a start in to what will be fundamental changes in the Internet.  Encryption everywhere has to become an integral part of the Internet, something privacy boffins have been saying for years.  It may be too late for this to be an effective measure, but we have to do something. PFS makes for a pretty good first step.

No responses yet

Dec 03 2013

Santa Claus is coming … to your tablet?

Published by under Humor,Microsoft

Okay, this is just something cute for Christmas:  a tablet based Santa Claus tracker.  It appears that the actual application is only for Windows phones and Windows 8 systems, but there’s a web based version everyone can use.  Now, my Spawn are too old to be fascinated by this, but I’m sure there are a few people who have kids young enough to find this interesting.  I wonder if it’s hackable?

No responses yet

Jun 19 2013

Microsoft Bounty Program: Katie Moussouris at FIRST

When Katie Moussouris is so excited about something she’s almost vibrating, you know it has to be big.  So when she came Chris John Riley and I earlier this week and said she had news from Microsoft, we had to make time to talk to her.  Katie’s been working on the Microsoft Bug Bounty program for over three years and it’s no wonder; getting a company like Microsoft to recognize the importance of working with the researcher community as early in the process as possible, and getting the funding to make it happen is no small feat.

The basics of the three programs are like this:  Researchers who develop novel, new exploitation techniques (not just bugs, but new techniques) can receive $100,000 for the technique.  If they also come up with a mitigation technique for the exploitation, they can receive another $50,000.  The third program is specific to IE 11 which gives researchers the opportunity to earn $11,000 per bug for the first month of the beta for IE 11.

It’ll be interesting to see how other companies respond to Microsoft’s move.  Rather than simply wait for the vulnerability pimps resellers to bring up exploitation techniques and vulnerabilities to Microsoft once the product has been released, this encourages them to do the same during the development lifecycle, and at a healthy rate.  Will other vendors be able to do the same, will they cast aspersions on Microsoft’s efforts, or will they simply pretend it never happened?  Only time will tell.

FIRST 2013 – Katie Moussouris of Microsoft on the Bug Bounty Program

No responses yet

Nov 04 2011

Open Tabs 11/04/11

It’s almost time to hop in the car and head for #BSidesDFW (I even think in hashtags some days) in about an hour.  I find it annoying that I have to leave the house about 3 hours before my flight to have any chance of making it, since it takes 90 minutes to get to the airport and about 45 minutes to get through the TSA checkpoint most of the time.  I was joking around on Twitter earlier this week and said I’d vote for the first Presidential candidate, Republican or Democrat, who promised to abolish the TSA; it turned out that Ron Paul had already made that promise, but we’ll see if he’s still slugging it out by the time the primaries roll around.  In any case, I need to get packed up and head out.  I’m going to try to get a few interviews at BSidesDFW for the podcast, since there are so many interesting people speaking tomorrow. 

Open Tabs 11/04/11:

No responses yet

Oct 04 2010

Network Security Podcast, Episode 216

Despite catching some kind of ConFlu at HacKid, Zach manages to join Martin for a sniffle-filled show. Rich is off in London, speaking at RSA Europe 2010 (or, well, sleeping).

Network Security Podcast, Episode 216, October 12, 2010
Time: 32:45

Show Notes:

No responses yet

Apr 06 2010

Network Security Podcast, Episode 192

Published by under Microsoft,Podcast

Martin, Rich, and Zach talk with special guest Katie Moussouris, Senior Security Strategist at the Microsoft Security Response Center. Katie has been doing some work on ISO work item 29147 (“Responsible Vulnerability Disclosure”) and shares with us her experiences in this process, as well as her thoughts on software security improvement. Oh, and Rich gawks about some new gadget which shan’t be named.  We went a little long tonight because Katie has so much experience in the real world, but we think it was worth it.

Network Security Podcast, Episode 192, April 6, 2010
Time:  40:25

Show Notes:

No responses yet

Nov 08 2009

Ethics of spilled COFEE

Last year Microsoft released a tool called COFEE (Computer Online Forensic Evidence Extractor) to law enforcement agencies around the nation and around the world a couple of years ago.  While COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers; you just plug a USB key with COFEE installed and if autorun is enabled on the computer, it will run a series of diagnostics, writes a report and generally gives a quick and dirty analysis of the computer.  It’s not an exhaustive tool and most of the commands and tools the COFEE uses are things that you already have on your computer and could run manually any time you want.  It’s a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.

In the last 48 hours, a user on the what.cd uploaded torrent of COFEE and made it available for any user to download.  Which, of course, means that it’s now available on any number of bittorrent sites.  The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild.  Even if many of the bittorent sites agree to pull the torrent, there’s enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.  The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.

It needs to be pointed out that is owned and jealously guarded by Microsoft.  I won’t be surprised if they start going after people to get this removed from the Internet.  Surprisingly the folks at What.cd say they took down the torrent on their own, with no prompting from either Microsoft or law enforcement.  It may be that they decided the amount of attention it could draw to a site like theirs was more than they were willing to itself.  Or it could be they did it for altruistic reasons, but I’m more willing to believe in the former than the latter.

Now that the COFEE has been spilled into the tubes of the Interweb thingy, what are our moral and ethical responsibilities as security professionals concerning the tool?  Should we ignore it and hope the police can pull it off the bittorrent sites before everyone and their brother have a copy?  Should we be reporting people who make it available?  Or should we be reviewing the tool ourselves and proposing ways to make it better?  This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference.  While this is interesting, it’s nothing top secret or even that revolutionary.  I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from the limits of COFEE and figuring ways to prevent it from collecting anything if they ever have their own computers compromised. 

Personally I think the tool’s been leaked and rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools.  There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it.  For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased. 

If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers.  If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use.  I don’t think that having COFEE leaked reduces it’s effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep it’s capabilities secret. 

 

8 responses so far

Jan 08 2009

Get your free Windows 7 Beta

Published by under Microsoft

This is a real offer, Microsoft is letting MSDN, TechBeta and TechNet customers download beta versions of Windows 7.  They say it’s less resource intensive than Vista, so maybe I’ll try it on my wife’s computer when we replace it.  Though I’m not sure she’d let me survive the experience if it made a new computer that’s less stable then the one she has now.  My other option is to create a virtual machine on my main system.  If my experience with Vista is any way to measure it though, Windows 7 will painfully slow and unusable.  This makes me glad I subscribed to TechNet.

No responses yet

Dec 18 2008

Investing in my career

I made two fairly major purchases this week, even though I had to use the credit card to make them, something I hate doing.  Both are aimed at promoting my long term health, one physical, the other career.  The first was to get a small amount of exercise equipment and order the DVD’s for the P90x system.  I’m sure anyone who’s following the security guys in Twitter has heard more than their fair share about P90x lately and Chris Hoff has gone so far as to create a new blog of his own to monitor his progress with the P90x system.  I probably won’t go as far as he has with the blog, but I think I will follow his example and take a ‘Week 0′ picture and occasional pictures after that.  I’m not starting the program until after Christmas myself, mostly because I’ll be heading out for the in-laws for a week and don’t want to start something this hard then stop for a week.

The second purchase I made was to get myself a membership in Microsoft’s Technet Plus.  I’ve had access to TN+ several times before through employers and I’d used it a lot to build and rebuild servers, test out new programs and generally learn aspects of Microsoft programs I wouldn’t normally have access to.  Unluckily the last time I had access to TN+ was just after XP came out and when Vista came out the only reason I got to try it at all was that I happened to recieve a copy of Vista Ultimate at an event I attended.  Not that I ever successful upgraded a system to Vista, but at least I got to try.

The truth is, TN+ is also a tax writeoff for me.  I haven’t earned much from Google Ads this year, but it’s more than the cost of the TN+ subscription and this will help me conteract what little tax burden there is.  But more importantly, this is an investment in my own continuing education for security and technology.  I work from home and while I get a chance to see different networks and OS’s with every new client, it’s not the same as getting your hands into the guts of a server and administering it yourself. 

So I’m viewing the purchase of TN+ as in investment in my technical skills for the future.  And that’s how I’m selling it to my wife as well.  I put a lot of time in to reading blogs, writing my own blog and creating the podcast, but the amount of money I’ve put into furthering my skills has been minimal the last few years.  My training comes through going to events like RSA, Black Hat and Defcon.  I don’t have a lot of time and energy to read security books, but several of the publishers occasionally send me those to read and review.  I often think about investing in a Masters Degree.  It’d be expensive and time consuming, but it’s a piece of paper that helps you go a lot further in life than a BS will.  But until my wife finishes her own college courses and gets a job, any further courses for me will have to wait.

What other venues should I be spending money on to further my career as
a security professional?  Is there something I’m neglecting that might
eventually catch up to me?  How are you investing in your career?  Are you investing in your career monetarily or are you making your investments in time and energy instead?  I know there are a lot of people out there who are beginning their careers who are curious about how to get into security, but I’m wondering how the people who’ve been in the field for years are continuing to improve their skills and preparing for that next step up or making themselves as ‘recession proof’ as possible.  I don’t think anyone in this field can afford to say they’re resting on their laurels.

7 responses so far

Apr 30 2008

Microsoft giving police tools they can get for themselves

Published by under Government,Microsoft

This was looking like it could have been a great story for the conspiracy theorists in all of us: Microsoft is helping law enforcement agencies by giving them USB keys with forensics tools to help with cybercrime investigations. It can ‘decrypt passwords and analyze a computer’s internet activity’, something every good law enforcement agent needs. The Computer Online Forensic Evidence Extractor (Cofee) offers up 150 commands (what do they mean by ‘command’? Is that 150 tools or one tool with 150 commands?) and makes it easier for beleaguered cops to perform an investigation.

A number of people, most notably Mike Masnick, have jumped to the conclusion that this offers some sort of back door to law enforcement. Ed Bott fires back calling this inflammatory and rants a bit against the echo chamber that is the blogosphere. I can see why Mike would jump to the conclusion he did, that Microsoft was offering up some special sauce for criminal investigators, but as Ed points out, the tools included on the USB drive are all available elsewhere, MS has just made easier by putting them on one USB key.

Ed also points out another thing: the bad guys have had USB keys that do most, if not all, of the same things for years. The USB Switchblade works wonders, is freely available and probably is more dangerous than any of the tools in the Cofee suite. I wouldn’t be surprised if some of the more savvy forensics investigators haven’t been carrying USB Switchblades around for a couple of years.

This is twice in a week that I know of computer crime stories got blown out of proportion. Is it a trend or just a blip in the statistics? All I know is it feels weird to not be on the side being called paranoid.

3 responses so far

Next »