Microsoft patching

This is just to give everyone an idea of the escalation that happens in the information security field. . . .

Most of us know about Microsoft’s “Patch Tuesday”.  In case you don’t, this is the day every month that Microsoft releases new patches (it’s the 2nd Tuesday).  It allows IT departments to better plan patch deployments and avoids the issue of having a constant stream of patches to install.

Malware authors adapted to this schedule. On Patch Tuesday, they would race antivirus and antimalware companies trying to generate protections. Every month, as the Microsoft patches became available, malware authors would download the patches and analyze the code changes to figure out what Microsoft fixed. With the knowledge gained from reverse-engineering patches, the malware authors would create new malware to take advantage of unpatched systems. At the same time, antivirus and antimalware companies would attempt to generate antimalware protections for unpatched machines.

Microsoft created the Microsoft Active Protections Program (MAPP) in 2008 in response to the problem of reverse-engineered patches. The MAPP program was meant to give antimalware companies a chance to generate protection signatures or heuristics before the patch was released. This gave antimalware companies a big advantage in creating protection.

(By the way, Microsoft even keeps track of companies that generate protections within 96 hours of notification. Please note: based on what I see from the information provided by Microsoft, very few companies consistently provide protection within the 96-hour window.)

Big win, right?

Not so fast.

In March 2012, exploit code for a just-patched RDP vulnerability was discovered on a Chinese website. There was text in the file that seemed to reference an internal Microsoft case number, “MSRC11678”: strong evidence that there was a leak in the MAPP program. While the website with the code was discovered after the patch was released, it was likely that malware authors had access to the exploit earlier. Confirmation of the leak came on May 3rd, when Microsoft excommunicated Hangzhou DPTech Technologies Co., Ltd. from the MAPP program for breaching Microsoft’s NDA.

Now I know what you must be thinking: how far in advance does Microsoft notify MAPP participants?

While it is tempting to stop there and spread FUD, the answer can be found on the MAPP blog site. In a post dated May 2, 2012, the MSRC senior program manager, Maarten Van Horenbeeck, said this:

We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners’ ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.

We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.

In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.

So, what is the point of all this?  Two points:

1) In trying to give advance notice to antimalware vendors, Microsoft has also given early access to malware authors. At a minimum you can bet that foreign intelligence agencies like China’s MSS (APT, anyone?) and Russia’s FSB have this advance information. Currently, Microsoft has over 70 companies from all over the world participating in the MAPP program. That’s a lot of people who have access to this information.

2) Microsoft attempts to balance early dissemination with the threat of premature disclosure to malicious actors. The ability of antimalware companies to act on this information to create protection seems to be highly variable. At the same time, the delay from vulnerability notification to patch is measured in months; in this case the patch took six months.

Your iPhone and 3G iPad are keeping track of everywhere you go

It appears that iPhones and 3G iPads are keeping a running log of GPS locations in a hidden file on the phone. The log contains every location the phone has been to; it’s essentially a running GPS log of everywhere you go. When the phone synchronizes to the computer (and is backed up), the hidden file is copied to your computer.

Alasdair Allan and Pete Warden have created an application that will decode and plot these locations on a map, if you are using OS X. More on this can be found on their iPhone Tracker site.

I’ll wait for the Windows version :)

Business continuity and disaster recovery statistics: lies, damn lies and. . . stuff people just make up.

I’ve been quoting all these statistics in class about the percentage of businesses that fail after experiencing a fire, data loss, etc. I’ve gotten the figures off of various sites over the years, but recently I’ve wanted to be able to find a firm attribution as to who actually produced some of these statistics – you know, a little academic objectivity to show that those little tidbits aren’t all BS.

So I started searching. The first quote is that 70% or 80% of businesses that experience a disaster / fire / data loss fail within a few years. It took little searching to find several sites that make this claim. Several authors reference “Home Office Computing Magazine” and some others refer to a 2004 DTI report or Chubb Insurance. Even big organizations like HP and the US Congress quote these figures (see the Back to Business Act of 2007, Section 2, and Impact on U.S. Small Business of Natural and Man-Made Disasters, produced with help from HP). As it turns out, this statistic has been around for years; however, no one seems to know where the original statistic came from, or no one bothers checking their source. I read the oft-quoted 31-page 2004 DTI report (pages 32-36 are marketing fluff) looking for that 70% statistic or anything analogous – it wasn’t there.

To be thorough, I followed the oft-quoted 2004 DTI report’s own reference to a two-page Backups and recovery “fact sheet”, identified as URN 04/610. The most relevant statistic found in that document: “61% of companies took more than a day to recover from their worst systems failure. These delays inflicted major disruption to business operations in roughly half the cases. Some reported disruptions that lasted a month”. Nothing about businesses failing, though. . .

This leads me to conclude that the oft-cited “80% of businesses affected by a major incident close within 18 months” is a myth used to sell business continuity services and backup tape libraries.

A search for more business continuity statistics yields similar results. It seems that people are simply quoting other people’s statistics as marketing fluff.

Oh, and I’m aware that a variation of this statistic even appeared in a congressional bill: “(1) 43 percent of businesses that close following a natural disaster never reopen; (2) an additional 29 percent of businesses close down permanently within 2 years of a natural disaster” (Back to Business Act of 2007, Section 2). No attribution is made. Having statistics appear in the congressional record doesn’t make the claims correct.

One would think that the BBB or some insurance companies could come up with a valid statistic, but so far I haven’t found one. I’m now going to have to tell students the story of the 80% myth and that, “BCP is very important. . .” And if they ask, “how important?” I’ll tell them, “. . . well, it’s on your next test!”

For further reading see:

http://www.continuitycentral.com/feature0660.html

http://www.continuitycentral.com/feature0440.htm

Tips for preventing Identity theft

Protecting yourself from identity theft

Before I go too far into things, I want to differentiate between two primary kinds of identity theft.
The first kind of identity theft is when someone fraudulently uses your credit card. It may seem scary, but trust me, it’s not much of a problem. With this form of identity theft you call the credit card company and report the fraudulent charge(s) as soon as you find them; you don’t lose any money or have lasting problems. This form of identity theft happens a lot, and compared to other forms of identity theft, this isn’t a big deal. The credit card company simply removes the charge from your account and sends you a new credit card.
The second kind of identity theft, called new account fraud, is when a criminal starts opening up new credit accounts or accessing other credit accounts in your name. This is a huge deal, is extremely hard to fix, and can make your life suck for quite some time.
There are other kinds of identity theft (like medical identity theft), which I may discuss at a later time.  This article deals primarily with financial identity theft.
Identity theft is lucrative for the criminal, takes time to discover, and causes lasting damage to a person’s credit.  The victim spends massive amounts of time disputing accounts, making phone calls, writing letters, etc.  It’s hugely stressful and makes future access to credit difficult and potentially more expensive.

What do criminals need to steal my identity?

In reality, a determined criminal only needs your name. There is a case where a guy was able to obtain all the information necessary for committing identity theft with only a name. He was able to get Social Security numbers, addresses, and dates of birth, call up the credit card companies and get details on recent charges, and more. Oh, did I mention he did this while in jail?
Yes – he did this on a pay phone in jail.  Do a search on “James Rinaldo Jackson” if you want to know more about him.  While Mr. Jackson now works for the other side, there are many, many people out there with the skills to gather bits of personal information and bundle those bits into something that can be used against you.
Paranoid yet?
My point is this: this article has good hints and tricks, but you’re somewhat screwed if a knowledgeable criminal specifically targets you. In that case, you’re going to need more help than I can give. If you are in that situation you need to hire a professional who specializes in handling those situations, or consider changing your identity and moving to New Zealand – YMMV. Oh, and don’t bother with generic identity protection companies like LifeLock either. Companies like LifeLock are mostly useless and offer a false sense of security – but I’ll get to that later.
Most of us don’t have to worry about being specifically targeted because that much effort is just not that lucrative. Generally speaking, you get specifically targeted for being famous, seriously pissing off the wrong person, or getting cocky in articles about being some kind of minor deity when it comes to protecting people from identity theft (like Todd Davis, the CEO of a credit protection company, did).
If you are not one of the above, let’s talk. . . .
Grab a rum and coke or a glass of wine (your choice) – this is going to take a little time and I want you to be relaxed as we go through this.
. . . don’t worry, I’ll wait.
Ready?
Ok – first off, the companies that deal with credit and your personal information don’t give a shit about you. Seriously – they could not care less. What they care about is making money, lobbying Congress to keep the status quo, and avoiding bad press – in that order. The government isn’t doing much either, mostly because of priority two (lobbying Congress to keep the status quo). While there are a few new laws, most of the effective provisions have been delayed, watered down, or both at the behest of lobbying by the credit cartel.
Second off – the people who commonly steal your identity are people you know.  A neighbor’s kid, an uncle with money problems, that sort of thing.  Yes, there is always that faceless Internet theft ring based in Russia/China/Dundalk the TV blabs about; but I’m here to say what no one else is saying and what you may not want to hear: Your identity is just as likely to be stolen by an acquaintance.
In short, it’s up to you to protect yourself.  . . .Oh, and go buy a safe for your important papers.

Identity Kung Fu

Protecting yourself entails making it painful for others to access or use your credit. If it’s more time consuming to steal your identity than someone else’s, you will be left alone. Think of it a little like the angel of death during Passover: all you need is to perform a little sacrifice.
In this case, it’s a $5 – $10 sacrifice to each of the three evil credit reporting agencies.  You know. . . to placate them.
No, seriously.  This works even if you aren’t an Israelite trapped in ancient Egypt.
But before we do that, you want to get a current copy of your credit reports; again, from the three evil credit agencies. This can be done for free, but they do make it a mildly painful procedure.
(By the way – I’ll stop calling the credit reporting agencies evil when they stop being evil)
The procedure is to go to http://www.annualcreditreport.com.  Follow the steps to get one credit report from each of the three evil agencies.  Be careful not to fall for their other offers or ‘deals’.  Come back here when you’re done.

Ok – now that you have copies of your credit reports, we’re going to turn access to them off. . disable them. . . throw the switch.  This is where that $5-$10 sacrifice per evil agency comes in.  Before anything else, I need to lay down the rules:
1) Once you lock your credit files, you have to pay to unlock your credit files (even if you only want to for a short period of time).  If you try to get credit to buy a house, a car, obtain store credit, or buy a new cell phone, you will need to unfreeze your credit at each evil agency in order to be able to read your file.  This is the whole point of a credit lock – it keeps people out.
2) Companies already on your credit report will still be able to look at your credit report.  There is not much you can do about this; however, the credit lock will still prevent someone from obtaining credit in your name.
3) You need to lock your credit at ALL THREE credit agencies.  In Nov 2007 I was able to buy a car with two out of three credit reports locked.  If I can do it, someone pretending to be you can do it.  Don’t skimp – either do them all or don’t bother.
4) You should not need to unfreeze your credit report to get your annual credit report.
5) Don’t lose your PIN or passwords like I did.  It took me months to straighten things out.  I had to prove who I was, pay them to lift the credit freeze (via snail mail) then pay them to put it back on again.  Theoretically you only have to pay them to generate a new PIN, but Equifax is run by mentally deficient chipmunks who simply removed the freeze then denied I asked to have a new PIN generated. . but I digress.

Now, the rules for creating a credit lock (also called a credit freeze) depend on the state you live in. In most states you can now do this on the web. My suggestion is to try the web first. If that doesn’t work, you’re going to have to go all previous-millennium and use something your parents called a ‘Post Office’. (It’s how people communicated in ancient times.) Either way, the fees vary by state – usually $5-$10 per evil credit reporting agency.

The sites:
• Mentally deficient chipmunks Equifax – https://www.freeze.equifax.com
• TransUnion – https://annualcreditreport.transunion.com/fa/securityFreeze/landing
• Experian – http://www.experian.com/freeze
When on these sites – pay attention!  They may try to sell you identity theft protection or credit monitoring.  Don’t fall for their spin.  You want a credit freeze and only a credit freeze.  Anything else is simply lining their pockets.
If you get denied on these sites you may have to go the postal route.  For directions on creating credit locks using mail, go to the consumers union web site at: http://www.consumersunion.org/campaigns/learn_more/003484indiv.html#MD.  By the way – this is a great consumer advocacy site.

What if I lose my PIN / password / file number?

Well, you’re about to get acquainted with the post office if you lose your PIN.  Here are the directions from one evil credit reporting agency (Equifax):
https://help.equifax.com/app/answers/detail/a_id/240/noIntercept/1

If you lose the PIN that was issued to you when you added the Security Freeze to your credit file, you may request a new one in writing.
Please provide proof of identification, such as a copy of your driver’s license, passport, birth certificate or other proper identification forms.
A fee may be required for residents of some states for a replacement PIN.   Please review the Security Freeze Fees that provides the various fees.   Please submit your request in writing to:

Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348

The other agencies have similar methods, although I was able to get TransUnion to reset a PIN over the phone. . . And while convenient, I believe that is also a problem. Remember that story of James Rinaldo Jackson?
With identity protection nothing is perfect, but a credit freeze raises the bar significantly for committing identity theft. Does a freeze make identity theft impossible? Heck no, but it makes stealing your identity harder than stealing most other people’s, and that’s usually enough to protect you from new account fraud.

UPDATE:

There is a great article on Consumer Reports about the likelihood of being a victim of identity theft. If you remove credit card fraud and focus only on “new account fraud” (true identity theft), the odds are less than 1%. That said, I have personally experienced credit card fraud around 5 times now. I mostly blame DefCon.

http://blogs.consumerreports.org/money/2010/12/identity-theft-exaggerations-department-of-justice-study-credit-card-banking-accounts.html
-Cary

Secure your garage door

You won’t believe how easy it is to open a garage door from the outside unless you take precautions. Check out this video from Lifehacker: How to unlock your garage from the outside and how to prevent it.

The vulnerability lies in the quick release on the garage door opener itself (the thing that pulls the door up and down).  If you immobilize the quick release the exploit won’t work.  You could also lock the garage door itself, but that would prevent the garage door opener from working at all.
