Thursday, January 27

Microsoft Attack Surface Analyzer - Review

As part of its involvement in the Black Hat security conference in Virginia, the Microsoft security team has released a new beta of a tool to help security analysts understand the security impact of installing software whose installation behaviour is not known in advance.

The Attack Surface Analyzer, or ASA for short, is based on a slightly dated but still very relevant Carnegie Mellon paper on measuring attack surfaces - link.  The beta implements a few of the methodologies discussed there: it records a baseline of system state before the target software is installed and a second snapshot afterwards, then analyzes the differences and reports on them against a predefined set of security properties (chosen by Microsoft).

The approach is not new, but Microsoft's tool makes the work of baselining, comparing and reporting extremely easy, producing an easy-to-read HTML report for the analyst.

I decided to try the tool on software I had not previously installed to see what kind of value it could bring to the average security analyst.  Google Cloud Connect for Microsoft Office is a new product that allows Google Apps collaboration from within the Microsoft Office suite.  Shouldn't be any security impact from this combination, right?


After installing ASA itself, I ran it from the icon it adds to the Windows 7 Start menu.  The interface prompts the analyst to run the initial baseline scan and save the results to a .cab file.


The tool shows its progress as it collects information about the system.  This covers the data you would expect for this kind of comparison (the filesystem and registry, plus the services, processes, ports, named pipes, COM registrations and ACLs that later appear in the report), and it takes a few minutes because the filesystem and registry scans are the bulk of the work.


With the baseline recorded, the same scan is run again after the product is installed, and a report is generated by comparing the baseline scan with the post-installation scan.  This is useful because you can create multiple scans with different installation options and compare them to each other and to the original baseline to determine exactly what changes each option makes.

The resulting HTML (and JavaScript) report has three tabs.  The first summarizes the conditions of the analysis and the housekeeping details: versions of the tool, the OS, and so on.


The second tab summarizes the security issues found, with helpful explanations of each issue for those not already familiar with them.  In Google Cloud Connect's case, three security issues were reported:
  • Directories With Weak ACLs - related to the use of NT SERVICE\TrustedInstaller (needs more investigation to see why this was reported)
  • Processes With NX Disabled - GoogleCrashHandler.exe, shipped with the software, does not run with DEP (NX) enabled (why not?)
  • Services Vulnerable To Tampering - the Google Update service that was installed is also flagged as tamperable by the NT SERVICE\TrustedInstaller account.
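To make concrete what those three findings actually test, here is an added Python example (mine, not part of the original post and not Microsoft's code) that reproduces the checks offline from data you can pull off the box: the NX_COMPAT bit in a PE header for the DEP finding, and the object's DACL in SDDL form for the weak-ACL and service-tampering findings.  The PE header bytes, SDDL strings and the "trusted" principal set are constructed samples; the TrustedInstaller SID is the well-known one.  Which principals count as trusted, and whether NT SERVICE\TrustedInstaller belongs in that set, is left as a parameter because that judgement is exactly what the report hands back to the analyst.  It goes slightly beyond the page by handling directory and service DACLs with the same parser.

```python
import re
import struct

# ---- "Processes With NX Disabled": does the image opt in to DEP? ----------
# ASA reports on the live process; the static proxy is the NX_COMPAT bit in the
# PE optional header, which the default OptIn DEP policy consults for 32-bit code.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def pe_has_nx_compat(image: bytes) -> bool:
    """True if the PE image sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Optional header follows signature(4) + COFF header(20); DllCharacteristics
    # sits at offset 70 of the optional header in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", image, pe_off + 24 + 70)[0]
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def constructed_pe_header(dll_characteristics: int) -> bytes:
    """A constructed, minimal PE32 header (not a runnable program) for testing."""
    hdr = bytearray(0x40 + 4 + 20 + 96)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<H", hdr, opt + 70, dll_characteristics)
    return bytes(hdr)


# ---- "Weak ACLs" / "Services Vulnerable To Tampering": inspect the SDDL ------
# Collect the strings with `sc.exe sdshow <service>` or `(Get-Acl <dir>).Sddl`.
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[0-9A-Za-z]*);;;(?P<sid>[^)]+)\)")
RIGHT_BITS = {  # SDDL two-letter rights -> access-mask bits
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    # object-specific bits: for a service DC is SERVICE_CHANGE_CONFIG, for a
    # file/directory it is FILE_WRITE_DATA / FILE_ADD_FILE
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FW": 0x120116, "FR": 0x120089, "FX": 0x1200A0,
}
# Bits that let a principal rewrite a service's config, DACL or owner.
SERVICE_TAMPER = 0x2 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# Bits that let a principal plant, replace or delete entries in a directory.
DIR_TAMPER = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
TRUSTED_INSTALLER = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"


def rights_mask(rights: str) -> int:
    """Turn an SDDL rights string ("CCDCLC...", "FA", or "0x1f01ff") into a mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS[rights[i:i + 2]]
    return mask


def tamperable_by(sddl: str, tamper_mask: int, trusted=frozenset({"SY", "BA"})):
    """Trustees of Access-Allowed ACEs in the DACL holding any tamper bit."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl)           # skip owner/group/SACL
    hits = []
    for ace in ACE_RE.finditer(dacl.group(1) if dacl else ""):
        if ace["type"] != "A":                            # deny/audit ACEs don't grant
            continue
        if rights_mask(ace["rights"]) & tamper_mask and ace["sid"] not in trusted:
            if ace["sid"] not in hits:
                hits.append(ace["sid"])
    return hits


# Constructed samples in the shape of real `sc.exe sdshow` / Get-Acl output.
SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{TRUSTED_INSTALLER})"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DIR_SDDL = "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICI;FA;;;AU)"

if __name__ == "__main__":
    print("NX_COMPAT set:", pe_has_nx_compat(constructed_pe_header(0x0140)))
    print("service tamperable by:", tamperable_by(SERVICE_SDDL, SERVICE_TAMPER))
    print("directory writable by:", tamperable_by(DIR_SDDL, DIR_TAMPER))
```

On a real system, feed `tamperable_by` the line `sc.exe sdshow <service>` prints (or the `Sddl` property from `Get-Acl` for a directory) and `pe_has_nx_compat` the bytes of the executable.  The header bit is only a proxy: ASA looks at the running process, a 32-bit process can still change its DEP state at runtime, and a 64-bit process always has DEP on regardless of the header.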




The Attack Surface tab describes each assessed area in which changes were introduced and the details of what changed.  This is the most valuable component to me, since it describes the specific changes to the operating environment that resulted from installing the software.

In our case, here is what the Google Cloud Connect software changed:
  • New Service - Google Update Service
  • New Running Processes - GoogleCrashHandler.exe and a .NET Framework utility
  • 113 New Registered COM Controls - mostly IE-related, plus controls used within the software
  • 3 New Internet Explorer Silent Elevation Entries / Preapproved Controls - the Google Update plugin.  This is interesting, as it looks like the plugin gets added to the list of controls approved to elevate out of Protected Mode; more investigation needed here.
  • 1 New TCP Port - an established outbound TCP connection using local port 49336.  This is likely the Google Update service checking for updates during the install, but I'm not sure; more investigation likely here as well.
  • 6 New Named Pipes


Overall, this tool is extremely helpful for understanding the changes that installing software makes to the Windows environment.  It will pick up things like new services, such as the Google Update service that you might not have realized was being installed.  I recommend using ASA to analyze software you intend to install, so that you know what you're installing and what effect the different installation options have.

Thursday, January 20

Business Browsing Insecurity

Just finished my talk on browser insecurity for the Calgary ISACA chapter.  Thank you to those who attended.  The intention of the topic isn't to scare people, but to inform those who otherwise hear only from vendors about the state of their controls.

Here are links to the presentation in both PDF (with speaking notes) and PPT formats.

PDF Presentation
PPT Presentation

If anyone wants to continue any of the discussions we had afterward please feel free to email or call me.

Wednesday, January 5

PCI-DSS Version 2.0 - Standard Effective

If you've stayed connected to the PCI-DSS world, you'll know that version 2.0 of the standard was released late last year.  As of January 1st, 2011, stage 2 of its lifecycle has begun, which means the standard is now effective.  Unfortunately that only means stakeholders (merchants, processors, etc.) should start using the new standard rather than the old one, not that the standard provides effective security (it would be nice if you could just announce that kind of thing).  Here is a link to the standard's lifecycle to make this clearer.

Keep in mind that you can still use the old standard for compliance reporting for 14 months, but now that the new standard is available, it's a good idea to get a handle on the changes and how they'll affect your compliance program.

Monday, January 3

Encryption Fails - Embedded SSL Keys - PS3 root keys

A couple of noteworthy failures in the implementations of encryption.

The littleblackbox project over at Google Code aims to collect all of the private keys that vendors embed in device firmware because they are too lazy to generate a unique key per device.  This includes consumer devices, some commercial devices, basically anything that ships a private key inside the common firmware image.  Once you have a device's private key you can impersonate it outright, and you can decrypt captured traffic to it (read: admin interface traffic, SSL VPN session negotiation, etc.) wherever the session was negotiated with plain RSA key exchange rather than an ephemeral, forward-secret one.

This affects lots of products and software, including many popular devices running DD-WRT.

Want to add to the list of recognized private keys?  Simply download the binwalk tool and feed it a firmware image from your device to locate what is embedded in it.
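The step after binwalk has located the filesystem is pulling out the PEM blocks and fingerprinting them so they can be compared against what is already catalogued.  Here is an added Python example of that step (mine, not littleblackbox's or binwalk's code).  It scans a raw blob for PEM-armoured certificates and keys, decodes them to DER, computes the colon-separated SHA-1 fingerprint that openssl prints, and looks each one up in a known-keys table.  The "firmware" bytes, the PEM payloads (placeholders, not real keys) and the known-keys table are all constructed; that littleblackbox keys its database on exactly this fingerprint form is an assumption.

```python
import base64
import hashlib
import re

# A PEM block: BEGIN line, base64 body, END line with the same label.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def extract_pem_blocks(blob: bytes):
    """Yield (label, der, offset) for each well-formed PEM block in a raw blob."""
    for m in PEM_RE.finditer(blob):
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            continue                      # looks like PEM, but the body is not base64
        yield m.group(1).decode("ascii"), der, m.start()


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1 fingerprint of the DER bytes, as openssl prints it."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit_firmware(blob: bytes, known: dict) -> list:
    """List every embedded cert/key with its fingerprint and any known-key match."""
    report = []
    for label, der, offset in extract_pem_blocks(blob):
        fp = fingerprint(der)
        report.append({"label": label, "offset": offset, "fingerprint": fp,
                       "known_as": known.get(fp)})
    return report


def pem(label: str, payload: bytes) -> bytes:
    """PEM-armour a payload the way openssl would write it (76-column lines)."""
    body = base64.encodebytes(payload)
    return b"-----BEGIN %b-----\n%b-----END %b-----\n" % (label.encode(), body, label.encode())


# Constructed "firmware": filler bytes around two placeholder PEM blocks plus a
# truncated block that must be ignored.  The payloads are NOT real keys.
KEY_DER = b"constructed placeholder RSA private key DER"
CERT_DER = b"constructed placeholder X.509 certificate DER"
FIRMWARE = (bytes(range(256)) * 8
            + pem("RSA PRIVATE KEY", KEY_DER)
            + b"\x7fELF" + bytes(range(256))
            + pem("CERTIFICATE", CERT_DER)
            + b"-----BEGIN CERTIFICATE-----\ntruncated"    # no END line
            + bytes(64))
KNOWN_KEYS = {fingerprint(KEY_DER): "ExampleVendor AP firmware 1.0 (constructed entry)"}

if __name__ == "__main__":
    for entry in audit_firmware(FIRMWARE, KNOWN_KEYS):
        print(f"{entry['offset']:#08x} {entry['label']:<16} {entry['fingerprint']}"
              f"  {entry['known_as'] or 'NEW - submit it'}")
```

This only sees keys stored in the clear; if the filesystem inside the image is compressed (squashfs and friends) nothing will match until binwalk has extracted it, and keys stored in DER rather than PEM need a different signature.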

It also appears that the root key for Sony's PS3 game console has been recovered and posted by Geohot on his site.  Here is a video of fail0verflow's explanation of the weaknesses in the PS3 security model; the headline failure is that Sony's ECDSA signing code used a fixed value for the per-signature random nonce, which lets anyone holding two signatures recover the private key.

Google's Michal Zalewski Releases a Contentious New Tool - cross_fuzz

lcamtuf, or Michal Zalewski, has released a tool to test browsers for security issues by walking the DOM, injecting values into a large number of objects, and triggering garbage collection by destroying the objects it created.  A more detailed explanation of the tool and how it works can be found here:

http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

The interesting part is that Microsoft had asked for the tool's release to be delayed because of an unpatched vulnerability it uncovered in Internet Explorer, exploitable on XP.  Zalewski declined, stating that he had reason to believe that possibly malicious parties were already aware of the bug and might be exploiting it in the wild.

Some commentary over at Slashdot here.

Interesting start to 2011!