forkb0mb.org - Windows

TSA Withdraws Subpoenas Against Bloggers

nospam@example.com (TJE) — Fri, 01 Jan 2010 18:04:50 -0500

TSA Withdraws Subpoenas Against Bloggers

In the wake of public outcry against the Transportation Security Administration for serving civil subpoenas on two bloggers, the government agency has canceled the legal action and apologized for the strong-arm tactics agents used.

Travel writer and photographer Steven Frischling, who was served with a subpoena by two TSA agents on Tuesday, told Threat Level that he received a phone call Thursday evening from John Drennan, deputy chief counsel for enforcement at TSA, telling him the administration was withdrawing its subpoena.

/*
"Strong-arm tactics;" couldn't have said it better myself. I'm glad to hear that, given the publicity, they decided that they didn't want the negative PR and would do The Right Thing(tm). If only every case of over-reaching abuse of power could get this level of publicity. Sadly, people's privacy rights are trampled nearly every day, it just doesn't get the press that this case did.

In case you missed it, Slashdot linked to an article on the New York Times regarding the TSA subpoenas entitled "TSA Subpoenas Bloggers, Demands Names of Sources". You may want to read it first to familiarize yourself with the issue before reading the article about the TSA withdrawing the subpoenas.
*/

...

A second blogger who was also served a subpoena on Tuesday, Christopher Elliott, was also told his subpoena was being withdrawn. Elliott had refused to cooperate with the agent who served him the subpoena and had indicated to the TSA that he would be challenging the subpoena in federal court next week.

..

Frischling said the two agents who visited him arrived around 7 p.m. Tuesday, were armed and threatened him with a criminal search warrant if he didn’t provide the name of his source. They also indicated they could get him designated a security risk, which would make it difficult for him to travel and do his job.

"They came to the door and immediately were asking, 'Who gave you this document?, Why did you publish the document?' and 'I don’t think you know how much trouble you’re in.' It was very much a hardball tactic," he told Threat Level.

/*
So much for the First Amendment which includes freedom of the press. Granted, he was not obligated under any law to turn over the name(s) of his source(s), but they made it clear that if he did not cooperate, they would make his life unnecessarily difficult.
*/

The agents searched through Frischling’s BlackBerry and iPhone and questioned him about a number of phone numbers and messages in the devices.

The agents then tried to image his hard drive, but were unable to do so.

/*
There goes the Fourth Amendment, as well. The Fourth Amendment states, and I quote: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, ..."
*/

/*
I have the utmost respect for those who protect us from would-be attackers; I just feel that they go about it in the wrong way and overstep their boundaries. The TSA, CIA, NSA, FBI, and ATF have to be right every single time; while an attacker only needs to be right 1 time to be effective. That certainly makes the job of those who protect us very difficult.

"An ounce of prevention is worth a pound of cure" is most certainly true; but it also doesn't make sense to use a cannon to kill a mosquito.

If I were to be traveling, I would use the internet to transfer all files to before heading to the airport, and use strong encryption on my hard drive. That way, I am not entering the airport with any data on my computer, and anything left on the hard drive for the operating system and applications would be inaccessible due to the strong encryption. Unfortunately, if they cannot access the data easily, I believe the TSA has the ability (but I don't think the right) to confiscate your laptop indefinitely. If it takes them a thousand years to break your encryption and search your data - only to find nothing of use - you may never get your equipment back. Might I recommend GPG (for files) and the Linux cryptoloop driver (for file-systems - I recommend at least AES-256, if not AES-384, AES-512, or Twofish - all of which available in the Linux kernel)? It appears that FreeBSD also supports encrypted partitions. A Google search reveals several options for protecting your privacy on Windows; one appears to be a feature built into Windows XP, though I'm not sure I'd trust it to be free of back-doors. If you're looking for free, you might look into TrueCrypt. DISCLAIMER: I've never used TrueCrypt myself, so I cannot comment on it's features.
*/

Miscellaneous Microsoft Docs

nospam@example.com (TJE) — Wed, 18 Jun 2008 01:18:06 -0400

/*
Miscellaneous Microsoft Docs

Occasionally I come across some Microsoft articles that are of use to myself or those I know. I've gathered a list of Windows Server 2K3 and IIS 6.0 commands and tools that will help in automating processes.

How to Restart IIS
Additional Resources for the IIS 6.0 Metabase
Command-Line Tools Included in IIS
Using Command-Line Administration Scripts
Starting and Stopping Services (IIS 6.0)
*/

Wine 1.0 Released

nospam@example.com (TJE) — Wed, 18 Jun 2008 01:09:54 -0400

Wine 1.0 Released

It took them 15 years. During those years, the project grew from something that didn't work, to something that sometimes under special circumstances could maybe perhaps work, to something that sometimes just worked, all the way to something that works in a number of pre-defined cases. You won't believe it, but Wine 1.0 is here.

/*
I don't believe it! I haven't used Wine in quite some time (when I was unable to get PartyPoker to work through it!), I'm hoping this 1.0 release will stablize a lot of the bugs I'd seen previously. I mean, how hard is it to emulate a broken OS? Logic would dictate that you handle X this way, but no, it has to be Windows-compatible, so you take the wrong way. Their developers must be extreme masochists.

Check out the Application Compatibility List at AppDB.
*/

Microsoft Windows XP Dies June 30, as Planned

nospam@example.com (TJE) — Fri, 04 Apr 2008 01:38:21 -0400

Microsoft Windows XP Dies June 30, as Planned

Microsoft will shutter its Windows XP line June 30, as planned, ceasing sales of Windows XP Professional and Windows XP Home to retailers and direct OEMs, Microsoft confirmed to eWEEK April 3.

The statement from Redmond executives ends weeks of speculation that Microsoft would extend the life of the operating system as users turn up their nose at Vista, the operating system meant to supplant XP, and OEMs argue lighter versions of desktops and notebooks don't have the juice to run Vista.

/*
This is a perfect time for someone (Linux, Apple, etc)... anyone... to really start chipping away at their desktop monopoly. I don't care who it is; choose your own OS, but someone is facing a very lucrative opportunity to snatch up a good chunk of the desktop market.

eWeek is also carrying an opinion piece entitled "Windows is Caught Between Mac and Linux". Both articles are worth a read.
*/

EU Fines Microsoft Record $1.35 Billion

nospam@example.com (TJE) — Wed, 27 Feb 2008 20:30:55 -0500

EU Fines Microsoft Record $1.35 Billion

Microsoft was fined a record 899 million euros ($1.35 billion) by the European Commission on Wednesday for using high prices to discourage software competition in the latest sanction in their long-running battle.

The executive arm of the European Union said the U.S. software group defied a 2004 order from Brussels to provide the information on reasonable terms.

/*
Nobody actually expected them to provide useful documentation "on reasonable terms."
*/

"Microsoft was the first company in 50 years of EU competition policy that the Commission has had to fine for failure to comply with an antitrust decision," Competition Commissioner Neelie Kroes said in a statement.

...

Kroes took a wait-and-see attitude about Microsoft's announcement of last week, noting it had promised change on four other occasions without results.

"A press release, such as that issued by Microsoft last week on interoperability principles, does not necessarily equal a change in a business practice," she said.

/*
A few other choice quotes from this article. This kind of news always brings a smile to my face.
*/

Windows Server 2008 Features Address Linux Challenge

nospam@example.com (TJE) — Sun, 20 May 2007 15:17:48 -0400

Windows Server 2008 Features Address Linux Challenge

Some of the changes in the upcoming release of Windows Server 2008 are a response to features and performance advantages that have made Linux an attractive option to Microsoft customers.

...

"We also have server core, which doesn't have the GUI [graphical user interface], so I would say that is a response to the options people had with Linux that they didn't have with Windows," he said.

/*
Wow! Microsoft is finally catching on to the fact that wasting CPU cycles on a GUI is pretty lame. All of those cycles could be going to servicing requests.
*/

Microsoft’s Advisories Giving Clues to Hackers

nospam@example.com (TJE) — Mon, 16 Apr 2007 22:33:07 -0400

Microsoft’s Advisories Giving Clues to Hackers

The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the MSRC (Microsoft Security Response Center) about how much information should be included in the pre-patch advisory.

Using clues in the workarounds section of the advisory, Errata Security researcher David Maynor said he was able to pinpoint the source of the vulnerability without much trouble.

...

In the wake of Maynor's comments above, I asked the MSRC if there's a legitimate gripe that about the level of details included in its advisories and was told that it's a "delicate balancing act" to avoid giving too much clues while ensuring customers have adequate pre-patch protections.

/*
It really must be a delicate balance. Usually within 24 hours of a patch being posted, the fix has been reverse-engineered and at least an underground exploit floating around for it. How many admins do you know that patch all of their servers within 24 hours of a show-stopper like this? Not many.

This does bring up an interesting point, though. How much can you give customers to protect themselves without giving the blackhats enough to start circulating exploits?
*/

Notes On Vista Forensics, Part Two

nospam@example.com (TJE) — Sun, 15 Apr 2007 23:14:58 -0400

Notes On Vista Forensics, Part Two

User files and applications:

One of the first things to note about users' data files is that they're not where they used to be! Instead of the familiar "Documents and Settings" folder we must instead look to a new folder called "Users". Other folders which typically fall under the scope of an examination have also moved so examiners running scripts which expect certain files or folders to be in specific locations may need to do some editing.

/*
Nothing like a Windows 95-style shakeup. Move things around, hide things, all makes for an easy transition to the new version! :)
*/

One last point which involves RAM, application usage and a new feature in Vista. As most computer users will know, there often comes a time when our machines slow to a crawl due to too many applications making demands on available memory. The most straightforward solution to this problem (other than running fewer programs at the same time, of course) is to add extra RAM but this can still be a daunting task for those with little technical knowledge. Vista offers a solution to this problem in the shape of ReadyBoost, a new feature which allows attached flash memory devices to be used as extra memory. However, examiners should be aware of two important points. First, although strictly speaking ReadyBoost does provide extra memory the data held on the flash device is actually also present in the host machine's RAM - the intended benefit of the feature is that it provides faster access to this data for certain types of operations. Second, the data on the device is AES-128 encrypted.

/*
I thought I was the only one that thought it was a neat trick to use thumb drives as swap space! A $15 1 GB USB flash drive will give you 1 GB of swap space that's not nearly as fast as real RAM, but in my testing, has shown 5 times the throughput of a SATA drive. Here's to hoping Microsoft finally realizes that it is a lot faster to access your "anonymous pages", or swap, without going through the filesystem layer (i.e., the pagefile.sys paging file).

First, if it's being used as swap space, what is the use in having a copy in RAM as well? Flush it from the RAM and use the flash volume, otherwise, you're making 2 copies of transient data which is essentially worthless.

Second, if it's using 128-bit AES encryption, you're going to double or triple the amount of time it takes to swap in a page. Now, not only are you swapping, but you're chewing up a lot of CPU time to {de,en}crypt this data. Yet another classic example of a decent idea hampered by the implementation.
*/

Notes On Vista Forensics, Part One

nospam@example.com (TJE) — Sun, 15 Apr 2007 22:48:06 -0400

Notes On Vista Forensics, Part One

"While the fundamental principles of computer forensics remain largely unchallenged, the landscape upon which investigators operate is constantly changing. A combination of new technologies and changing habits of use means that forensic examiners must always strive to keep up to date with the latest developments. One of the most anticipated new product releases this year is the Microsoft operating system Windows Vista. Vista was under development for a long time with Microsoft promising a raft of new features together with major improvements to security."

...

Forensic professionals should note the following:

"BitLocker Drive Encryption" is available in the Enterprise and Ultimate editions.
"Encrypting File System (EFS)", "Shadow Copy" and "Complete PC Backup and Restore"
are available in the Business, Enterprise and Ultimate editions.
"Scheduled and Network Backup" is available in the Home Premium, Business, Enterprise and Ultimate editions.

/*
Encrypted filesystems are great if you can handle the overhead of on-the-fly {en,de}cryption. I imagine the home user chosing to ditch the encryption for a slightly faster computer; anyone remember DoubleSpace for DOS? The exact same trade-off this time but it's security instead of capacity.
*/

"What exactly is BitLocker, though? In a nutshell, BitLocker provides AES encryption of all data on a Windows Vista volume (note the term, "volume" rather than "disk," despite the name) combined with integrity checking of the boot process used to load the OS. The primary purpose of these features is to protect data even if an attacker manages to circumvent the operating system or remove the hardware storage device."

/*
Basically, this is saying that if you try to install another OS with a multiboot loader, such as Linux, the encryption used one the "volumes" will cause one of two things: (a) it won't allow you to install to the master boot record and your install of Linux will not boot, or (b) it will break the integrity of the entire volume and thus Windows will refuse to boot or access the data. Given Microsoft's anticompetitive practices, I'm going to say it's most likely the former.
*/

Microsoft Windows Help File Unspecified Heap Overflow Vulnerability

nospam@example.com (TJE) — Sat, 14 Apr 2007 12:47:43 -0400

Microsoft Windows Help File Unspecified Heap Overflow Vulnerability

"This vulnerability presents itself when the application handles a specially crafted Windows Help ('.hlp') file.

A successful attack may facilitate arbitrary code execution in the context of a vulnerable user who opens a malicious file. Failed exploit attempts will likely result in denial-of-service conditions."

/*
It looks like there's a proof-of-concept in the wild for this one, too. This is a specially crafted .hlp file. I advise against trying to open it until you know what it does.
*/

A Reality Check for Vista

nospam@example.com (TJE) — Fri, 08 Sep 2006 18:22:21 -0400

A Reality Check for Vista

Judging by the grief that Microsoft is getting over delays in the release of Windows Vista, and the buzz surrounding the price it plans to charge for the next generation operating system, you'd think we were all hankering to get our hands on this hot new piece of software.

Don't believe the hype: There won't be lines around the block at midnight when Vista hits store shelves early next year, analysts say.

/*
This is not an article from Linux.com or similar, this is coming from Business 2.0!

I'll cut to the chase...
*/

So here's a modest proposal: Boycott Vista. Keep your old Windows XP PC around. Don't buy a new one. That's the only way we have to let Microsoft know Vista is an overhyped, late, and pointless update to XP - a perfectly fine operating system.

/*
I don't know about "a perfectly fine operating system", but it's certainly better than Windows 98. I think Microsoft has reached the breaking point of their creative curve. What can Microsoft produce in Vista that's so revolutionary that everyone will want to upgrade? Nothing.
*/

With Exploits Out, MS Braces for Worm Attack

nospam@example.com (TJE) — Fri, 11 Aug 2006 19:50:41 -0400

With Exploits Out, MS Braces for Worm Attack

A network worm attack exploiting a critical Microsoft Windows vulnerability appears inevitable, security experts warned Aug. 10.

Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

Even before the release of Microsoft's patch, the US-CERT (Computer Emergency Readiness Team) warned that the flaw was being used in targeted attacks and that the appearance of public exploits is a sure sign that a worm attack is imminent.

/*
Looks like the next Worm du Jour. Go figure...
*/

Windows PatchGuard 'Hindering Security'

nospam@example.com (TJE) — Fri, 11 Aug 2006 19:14:51 -0400

Windows PatchGuard 'Hindering Security'

A protective feature in Windows is locking out the good guys, but letting in a lot of bad guys, according to security software makers.

Microsoft designed PatchGuard to safeguard core parts of Windows, including Vista, against malicious code attacks. But some security companies say that the feature makes it harder for them to protect Windows PCs, as it locks them out of the kernel, the core of the operating system.

...

Microsoft's push into the security market has put many defence providers on guard. Symantec, especially, looks wary; it has said it will compete with Microsoft as long as there is a level playing field. Now, for the first time, Symantec is saying that Microsoft is limiting the security choices of consumers — which could be interpreted as anticompetitive behaviour.

/*
Of course it's anticompetitive behavior. This is Microsoft. They're plain and simple trying to push Symantec and others out of the market.
*/

"PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista," said Yankee Group analyst Andrew Jaquith. "Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use 'black hat' techniques to bypass the restrictions."

/*
Let 'em use "black hat" techniques. It's about time someone uses them for something useful. Advertising companies have been using these "black hat techniques" to install spyware/adware via Internet Explorer for ages now.
*/

Homeland Security: Apply MS06-040 Patch

nospam@example.com (TJE) — Thu, 10 Aug 2006 19:43:05 -0400

Homeland Security: Apply MS06-040 Patch

Less than 24 hours after Microsoft shipped a dozen bulletins with security fixes for 23 serious software vulnerabilities, the U.S. government's Department of Homeland Security issued a firm notice to Windows users: immediately apply the patches in the MS06-040 bulletin.

In a somewhat unusual move, the DHS warned that the patches cover a remote code execution vulnerability that could be used in a network worm attack similar to Blaster, Slammer of Sasser.

"Windows users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch," the agency said in an public advisory.

/*
Why is it the same thing over and over again? If you're running Windows, you absolutely must enable automatic updates. There are just far too many patches to try to keep track of them manually.

What puzzles me is what interest the DHS has in protecting the end-user PCs of millions of average people. Sure, an advisory to all DHS and government employees would be routine, but a public advisory? They need to find better ways of spending their time. If they decide to start "reminding" everyone to update their Windows machines every time a new vulnerability is found, they'll not have the resources left to track the turrrists.
*/

Unpatched Powerpoint Flaw Exploited

nospam@example.com (TJE) — Sun, 16 Jul 2006 05:48:34 -0400

Unpatched Powerpoint Flaw Exploited

Online criminals are taking advantage of an unpatched security hole in Microsoft's Office products again. Security experts say they've spotted a flaw in the Powerpoint slide-presentation program being exploited in the wild.

/*
This has really been a bad month or so for Microsoft. First Word, then Excel, now PowerPoint? It just goes to show that you shouldn't open attachments from non-trusted sources. I recommend GnuPG for verifying authenticity.

This author of this article apparently doesn't know much about Microsoft's security track-record. It leads you to the conclusion that due to "some of the work Microsoft has done in hardening the security of the Windows operating system" that vulnerability researchers have been forced to "look for lower-hanging fruit in applications that run on top of Windows." Searching for bugs in Microsoft software has always been like shooting fish in a barrel. Nothing has changed, just a few researchers shooting into a different barrel lately.
*/

0-day Exploit for Microsoft PowerPoint

Three (!!!) PoCs for this vulnerability(ies) have just been publicly posted.
From what we can tell at the moment, they all just crash PowerPoint, but they show where the vulnerabilities are, so a full exploit can be written.
This is a first step to remote exploitation so we can unfortunately expect to see some malware using this very soon (and we though it will be another quiet weekend).

Again, stress out to users how important it is to be very careful when opening PowerPoint files (and if possible, don't open them at all until the patch is out). Otherwise you'll have to rely on your desktop anti-virus product to catch the dropped component, and we all know how (un)reliable this can be.

/*
This is an update from the Internet Storm Center's handler's diary. They also link to a FAQ. Thanks to PacketStormSecurity for linking to PoC's 1, 2, and 3.
*/