Microsoft Black Tuesday Preview – August 2009

August 6, 2009

Microsoft has released their usual preview of security updates to be released next Tuesday, August 11.  This month, nine security bulletins and associated patches are scheduled to be released.  Eight of these affect Windows itself, although not all eight affect all versions of Windows.  The breakdown by Windows version and severity rating appears to be:

Windows Version        Critical   Important   Moderate
Windows 2000           4          2
Windows XP             3          3
Windows Vista          3          2           2
Windows Server 2003    4          3
Windows Server 2008    2          1           2

Note that this information may change when the patches are released.  Unfortunately, it appears that installation of almost all of these patches will require a reboot.

The ninth patch, also for a vulnerability rated Critical, affects Microsoft Office and several other Microsoft applications: Microsoft Visual Studio, Microsoft ISA Server, and Microsoft BizTalk Server.

As usual, I will post more information here once the updates are actually released.


What’s in Your Wallet?

August 6, 2009

Back in July, I wrote about some of the privacy and security issues raised by the inclusion of RFID chips in US passports.  Wired now has a report, from the DefCon 17 hackers’ conference in Las Vegas, that the RFID-equipped credentials of several attendees from the US Government were “sniffed”, and the holders photographed, by equipment on display:

But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.

The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

The scanning device, which had a detection range of 2-3 feet, was connected to a camera; when an RFID credential was detected, the scanner recorded the data, and the camera took a photograph of whoever was in the vicinity.  This was done as a security awareness exercise; needless to say, the credential holders did not know about it beforehand.

One reason this story is somewhat amusing, of course, is that many of the people attending this conference are supposed to be experts in this field:

The Meet-the-Fed panel, an annual event at DefCon, presented a target-rich environment for anyone who might have wanted to scan government RFID documents for nefarious purposes. The 22 panelists included top cybercops and officials from the FBI, Secret Service, National Security Agency, Department of Homeland Security, Defense Department, Treasury Department and U. S. Postal Inspection. And these were just the Feds who weren’t undercover.

(Incidentally, the data collected were deleted immediately afterwards, and the media destroyed.  The aim was to make a point, not to create a problem.)

Although many of the credentials (such as building passes) contained only a facility number and an employee number, that did not necessarily make them more secure.   Finding the facility number by inference would not be difficult; and, since employee numbers are often assigned sequentially, it might be possible to guess other valid combinations.   Also, many of the people involved may have more than one credential that is susceptible to being scanned, and the union of all the data contained may reveal a great deal of information.   (This is another example of a classic problem in securing data.  Just restricting individual pieces of data is not enough, in general, because you have to worry about how the data might be combined or correlated as well.)

The equipment required for the scanning is small and inexpensive, easily carried in a backpack, for example.  This means that data on RFID devices can be at risk just about anywhere:

For $30 to $50, the common, average person can put [a portable RFID-reading kit] together…. This is why we’re so adamant about making people aware this is very dangerous.

In fact, one company is planning to introduce a $50 kit this fall that will enable the purchaser to assemble a scanning kit that can read the most common type of RFID chip.

Many people don’t even realize that they are carrying RFID-enabled credentials right now.  Given the lack of concern for security that seems to be the norm, I expect we will see quite a few nasty exploits resulting from this.


Solving the Wrong Problem

August 6, 2009

Back on July 29, Brian Krebs of the Washington Post, in his “Security Fix” blog, posted a note about large amounts of confidential government data found on peer-to-peer [P2P] file sharing networks.  Although the original post was amended later that day to explain that some of the data was out-of-date, or otherwise not quite as sensitive as originally believed, it is still clear that a great deal of confidential information is leaked in this way.  The original report was prompted by testimony before the House Oversight and Government Reform Committee, chaired by Rep. Edolphus Towns (D-NY).

It’s now been reported, by the Post and in an article in Ars Technica, that Rep. Towns is planning to introduce legislation to forbid the use of P2P software on networks belonging to the US Government or to government contractors.  The reports go on to say that the Congressman’s patience, and that of his colleagues, has been exhausted waiting for the makers of P2P software to “fix” the security problem.

It strikes me that this is a case of solving the wrong problem, a not-uncommon phenomenon in large organizations.  The software, after all, is doing what it is designed to do: namely, to share files.  Why on earth is this software installed on networks that deal with sensitive information in the first place?  In some cases, it appears that the software was installed without authorization by some of the network users.  Why are these systems and networks configured to allow ordinary users to install software?  This is just lunacy.  I have been responsible for large trading-floor networks in the financial services industry, and I can assure you that we would never have dreamed of letting the users install their own software.  Is it really necessary to pass an Act of Congress to produce an act of sense by the administrators of these systems?


Twitter Problems

August 6, 2009

The Twitter social networking site is experiencing a denial-of-service attack, which took the site down for a while starting around 9 AM EDT this morning.  Further information is available at the Twitter status page.   Another social networking site, Facebook, seems to be having problems this morning also, although on a somewhat intermittent basis. Not much more information is available at present.

Update Thursday, August 6, 17:45

Apparently both Twitter and Facebook were the targets of DDoS attacks.  The “Epicenter” blog at Wired has a post with many of the details.


Apple Updates Mac OS X

August 6, 2009

Apple has released a new version, 10.5.8, of OS X for the Mac, which incorporates a number of security fixes.  The update applies to Mac OS X v10.4.11 and Mac OS X v10.5 through v10.5.7.  The update can be obtained via the Software Update mechanism, or from the Apple download page.
