OpEd
Opinion and editorial pieces about privacy, civil rights and more.

 



















 

 

  Tuesday, February 13, 2007


Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.  

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.


11:11:29 PM    

When Johns Hopkins officials announced this week that a courier had lost nine backup computer tapes containing personal data on 135,000 employees and patients, security specialists were critical, even though the information probably was destroyed without being compromised.

The reaction came not just because the tapes were lost, but because they weren't encrypted -- coded so that they could be read only with a computerized key.

"Have we not learned from history yet, that if you're going to give [data] to a third party that you either encrypt or password protect it?" said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.

Amid a spate of lost or stolen data, some organizations and industries have begun taking steps to better protect employee and customer information, yet far too many have not, privacy advocates say. Many still leave sensitive information uncoded or hand it off to sometimes-careless employees or third parties.

This year alone, Social Security numbers were posted on a public Web site at the University of Nebraska; personal information on 537 people was stolen from the New York Department of Labor; a hacker accessed Social Security numbers for more than 1,200 people at the University of Missouri; and a laptop was stolen that contained medical records for 1,100 patients at the Salina Regional Health Center in Kansas.

Some consultants say that costs keep organizations from updating their security practices -- encryption software and developing privacy procedures can be expensive. But the No. 1 reason is complacency, according to Lillie Coney, associate director of the Electronic Privacy Information Center, or EPIC, in Washington.

"They don't see themselves as being in a position where they're going to lose something," Coney said.

8:40:57 PM    

Wanted: Missing FBI Laptops.

If you lose your laptop, don't go crying on the shoulder of the Federal Bureau of Investigation. It has its own problems. The agency had at least 160 laptops lost or stolen over the past four years.

Ten of those laptops contained highly sensitive classified information and at least one included "personal identifying information on FBI personnel," according to a new report.

While the number may loom large, the agency actually has improved on keeping tabs on its wares. The report released today by the Justice Department's Office of Inspector General was a follow-up to a similar 2002 report. The charter report found that the FBI had reported some 317 employee laptops as either lost or stolen over the previous 28-month period. Seventeen of those laptops were reported stolen. In 2002, the FBI had roughly 11 laptops stolen or lost each month. The agency currently mismanages an average of four laptops monthly.

It's worth noting that as many as 51 of the laptops reported lost or stolen since 2002 may also have contained classified data, but the inspector general's office said the FBI could not be sure. At least seven of the laptops were assigned to the agency's counterintelligence or counterterrorism divisions, the report notes.

It is not clear from the report how many of those stolen or lost laptops used encryption technology to safeguard the data. Only one individual case cataloged in the report details that encryption technology was used to protect data stored on the computer's hard drive.

The report recommends that future laptop-loss reports include information on whether the computer in question had protected data. The FBI agreed with that recommendation, and said it would make such reporting mandatory.

Now, if they would just make the use of encryption technology mandatory on government laptops, I'm sure we would all sleep a little more soundly.

[Security Fix]
7:25:51 PM    

Schneier: Why Microsoft Sold Out Consumers in Vista.

Today, the PC industry needs Hollywood more than Hollywood needs the PC. Most consumers rely on traditional consumer electronics devices to view DVDs and TV content, but companies like Microsoft are betting on the converged digital home and desperately want a bigger piece of the media device market. Because of the DMCA, Microsoft has to get permission to build devices compatible with Hollywood's DRMed content. So when Hollywood demanded that Microsoft lard Vista with restrictions to access high-def DVD and digital cable content, the software giant was in a weak bargaining position.

But as Bruce Schneier explains in a recent editorial (via BoingBoing), Vista's DRM may also be a play to turn the tables and turn Microsoft's platform into a distribution channel on which Hollywood relies:

"[W]hile it may have started as a partnership, in the end Microsoft is going to end up locking the movie companies into selling content in its proprietary formats.

"We saw this trick before; Apple pulled it on the recording industry. First iTunes worked in partnership with the major record labels to distribute content, but soon Warner Music's CEO Edgar Bronfman Jr. found that he wasn't able to dictate a pricing model to Steve Jobs. The same thing will happen here; after Vista is firmly entrenched in the marketplace, Sony's Howard Stringer won't be able to dictate pricing or terms to Bill Gates. This is a war for 21st-century movie distribution and, when the dust settles, Hollywood won't know what hit them....

"Microsoft is reaching for a much bigger prize than Apple: not just Hollywood, but also peripheral hardware vendors. Vista's DRM will require driver developers to comply with all kinds of rules and be certified; otherwise, they won't work. And Microsoft talks about expanding this to independent software vendors as well. It's another war for control of the computer market."

Schneier overstates his case a bit when he says Microsoft could have simply refused Hollywood's demands for DRM and Hollywood would have released today's high-def video content for Vista anyway. But he's right that Microsoft would very much like to lock content vendors into a distribution channel that it controls, including for channels like IPTV and digital downloads. And the more Hollywood depends on Microsoft, the more Microsoft may be able to limit competition from other tech companies' platforms and devices.

[EFF: Deep Links]
7:19:17 PM    


© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 9:02:22 AM.
