Windows Server 2008 Security Guide

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Mar 7, 2008

Windows Server 2008 has shipped, and the Security Guide for this server is here. In the guide, Microsoft states:

Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:

  • Proven. Based on field experience.
  • Authoritative. Offers the best advice available.
  • Accurate. Technically validated and tested.
  • Actionable. Provides the steps to success.
  • Relevant. Addresses real-world security concerns.

Michael Howard, one of the main people at Microsoft behind the SDL (Security Development Lifecycle), says:

Windows Server 2008 is the first Windows Server to go through the full SDL process, making it the most secure version of Windows Server to date. We raised the security bar in Windows Vista, and we REALLY raised the bar in Windows Server 2008.

Windows Server 2008 is a prime product example of our ongoing commitment to Trustworthy Computing, and how the company is making good on its commitment to continue to build the most secure computing environment possible. After the Trustworthy Computing commitment was made a few years ago, we’ve made great strides in the right direction, and last week’s product launch (Windows Server 2008, SQL Server 2008, and Visual Studio 2008) clearly shows that security remains a top priority.

While I tend to focus on “Secure Features” Windows Server 2008 is full of “Security Features.” Someone asked me for my favorite security features. In no particular order, they are:

  • The various defenses we see in Windows Vista: stack defenses, heap defenses, ASLR, NX etc etc
  • Server Core (ok, technically not a security feature, but a critical way to dramatically reduce a server’s attack surface)
  • Network Access Protection (NAP)
  • Server and Domain Isolation
  • Read-Only Domain Controllers
  • Suite-B crypto support

Let’s wait and see how it works in real environments.

Poll Results - The Most Secure Operating Systems Family

Posted in Operating Systems and Application Security, Polls, Security by Dragan Pleskonjic @ Feb 1, 2008

The poll “The Most Secure Operating Systems Family is?” was closed on January 31st, 2008, after being open for voting for more than 3 months, as planned. You had the chance to vote for one of today’s popular (or less popular) operating systems.

The results of the poll are:

  • Linux (24.44%, 110 Votes)
  • BSD UNIX (23.11%, 104 Votes)
  • Solaris (19.33%, 87 Votes)
  • Mac OS X (17.11%, 77 Votes)
  • MS Windows (16.00%, 72 Votes)

Total Voters: 450

In graphic form it looks like this:

Poll results - the most secure OS

It is obvious that Linux fans were very eager to vote for their favorite. It is also obvious that the majority of voters in this poll share the belief that Unix-like operating systems are far more secure than Windows. Microsoft has a pretty low reputation among the people who took the opportunity to vote in this poll.

Do not miss the opportunity to vote in the poll about primary motives for hacking.

Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Jan 19, 2008

See the list of Validated FIPS 140-1 and 140-2 Cryptographic Modules. You’ll find there that the standard crypto providers such as DSSENH and RSAENH are now certified FIPS 140-2 on Windows Vista.

Linux Security Expert Joins Core Windows Security Team

Posted in Operating Systems and Application Security, Security by Dragan Pleskonjic @ Jan 18, 2008

It seems that Microsoft is going to attract Linux security experts to join and bring a different perspective to Windows security. Recently, Crispin Cowan, who is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor, joined the core Windows Security Team. Crispin will work on User Account Control (UAC) and integrity levels, an area he knows a great deal about. Microsoft expects he’ll bring a different perspective to the Windows team, based on his security knowledge, experience and skills. Crispin holds a Ph.D. from the University of Western Ontario, Canada.

You can visit Crispin’s web page to see more about his work.

Is Windows Live Messenger a Trojan?

ZoneAlarm by Check Point, a firewall, antivirus and antispyware tool, is one that I have used for quite some time on one of my computers. It offered an update to the new version 7.0.462.000 today. After installation and starting an antispyware scan, it detected Windows Live Messenger and classified it as a Trojan with medium risk. ZoneAlarm recommended that I should “delete this application immediately because it constitutes security and privacy risks, and has no known usefulness”.

Here is a screenshot (censored for privacy reasons):

Windows Live Messenger as Trojan

ZoneAlarm offered options to quarantine, delete or ignore it. After I selected delete, it actually deleted Windows Live Messenger!

I reinstalled Messenger, scanned again for spyware, and the same situation repeated. So we can now say that Check Point firmly considers Windows Live Messenger a Trojan. Some people will say: not too far from the truth, is it? :)

Hopefully Check Point and Microsoft will solve this in mutual talks and confirm Messenger as safe software.

Bad Design or Backdoor for NSA

A recent paper found a flaw in the Windows 2000 random-number generator. Another paper found flaws in the Linux random-number generator. Back in 1996, an early version of SSL was broken because of flaws in its random-number generator.

Bruce Schneier discussed this problem on his blog and said:

Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.

There is also a post “NSA Helps Microsoft and Apple for Better Security” on this blog, and it has a couple of links that confirm this possibility in some way.

Vista Service Pack 1 Focuses on Stability and Security

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Nov 19, 2007

In its article Hands-On with Windows Vista Service Pack 1, PC World says:

Microsoft’s first service pack for Windows Vista focuses on stability and security.

The first service pack for Microsoft’s Windows Vista operating system won’t arrive until early next year, but judging from our experience with a beta of SP1, the update will be more about stability and security fixes than noticeable performance gains.

It is obvious that Microsoft works hard on security and tries to overcome the bad public opinion about the Windows family of operating systems. The poll on this blog shows that, at the moment, opinion about Windows OS family security is still unsatisfactory despite Microsoft’s big effort to improve it. Look at the upper right corner and also at the Polls archive. You can vote for your favorite in this poll until the end of January 2008.

The Windows family is the most widely used OS, and it is to be expected that something in such common use will be more exposed to attacks and therefore the subject of increased analysis and criticism.

The Most Secure Operating Systems Family is?

Posted in Operating Systems and Application Security, Polls, Security by Dragan Pleskonjic @ Oct 30, 2007

OS Cube Design by MASSVision.

I found a cool plugin for WordPress that makes it possible to have polls in a blog. If you want this plugin for your blog, you can find it here. The plugin is very easy to use, and I put up my first question just as an experiment. The question is “The most secure operating systems family is:” and the possible answers are:

  • MS Windows
  • Mac OS X
  • Linux
  • Solaris
  • BSD UNIX

Hopefully you will like it and vote. After voting you can see the results of this poll. In the future I will think about some more interesting and intricate questions for polls. This is just an experiment. If you have good ideas for future polls, feel free to leave a comment.

What to Do When DEP Shuts Down Windows Explorer?

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Oct 28, 2007

Microsoft introduced Data Execution Prevention (DEP). DEP is a security feature that can help prevent damage to your computer from viruses and other security threats. DEP helps protect your computer by monitoring programs to make sure they use system memory safely. If a program tries to run (execute) code from memory in an incorrect way, for example from a region that is meant to hold data rather than code, DEP closes the program.

Sometimes DEP closes innocent programs, considering them dangerous or infected. On some occasions it closes regular Windows programs and services. I grabbed a screenshot of DEP closing Windows Explorer.

DEP Windows Explorer

On the next screen it offers to send an error report to Microsoft, or you can choose to debug.

Error report

After that you will be offered the possibility to see what will be sent to Microsoft and what the privacy policy is in this situation.

How do you know whether these system programs are infected, and what should you do?

First, if you are not an expert in operating systems and computers in general, it is a good idea to contact one. Second, I guess you probably had this problem and looked for some resource on the Internet. If you have nobody around to help you with the issue, you may try this path:

  • Have up-to-date antivirus software on your computer. Check that the software has updated definitions. Scan your computer. If you are not sure, you can also scan with various antivirus tools online. Remember that most companies that produce antivirus (antimalware) software offer online scanning but not cleaning. Still, this is a good way to be more certain that your computer is not infected.
  • Have up-to-date antispyware software. Check that this software also has updated definitions. Scan your computer in the same way as with the antivirus.
  • Have the Windows firewall enabled and properly configured, or buy separate firewall software. Check its logs from time to time.

The bad news is that, even when everything is properly set up, you are never absolutely secure. Hackers are very inventive people.

If you want to tell DEP that the program it keeps shutting down is one you trust, you should first see if a DEP-compatible version of the program is available by visiting the software publisher’s website. If the publisher has not released an updated, DEP-compatible version of the program, you can turn off DEP for the program that was closed. You will be able to use the program, but it might be vulnerable to an attack that could spread to your other programs and files.

If you choose to turn off DEP for a program, it’s a good idea to check frequently for an updated version of the program and, after you update it, to turn DEP on again. To turn off DEP for a program, see how to change Data Execution Prevention settings here.

Again, remember that this might make the program vulnerable to an attack.

Microsoft, in its DEP FAQ section, says:

What should I do if DEP is closing a program that’s part of Windows, such as svchost.exe or explorer.exe?

The svchost.exe and explorer.exe programs are parts of the Windows operating system. If DEP closes them or other Windows services, the cause could be smaller programs, such as extensions, that are created by other software publishers and that operate inside Windows. If you have recently installed a program and notice DEP closing Windows-based programs, check with the software publisher to see if there is an updated, DEP-compatible version available, or try uninstalling the program.

Ophcrack - Rainbow Tables Based Password Cracker

If you think your passwords are strong enough, think twice. They are probably not. Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a GTK+ graphical user interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux. The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.

See more here and here.

Thanks to Dejan for bringing this to my attention.
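To make clear why a rainbow-table cracker can be this fast, and what a defender can do about it, here is an added toy example in Python; it is not Ophcrack's code and not from the post. It builds a tiny rainbow table (hash, reduce, repeat; store only chain start and end) over an assumed keyspace of 3-letter lowercase passwords, using MD5 as a stand-in for an unsalted password hash (the real Windows LM/NT hashes are unsalted, which is what makes precomputed tables apply to them). The same table is then tried against a salted digest and finds nothing: the precomputation only pays off when every system hashes a given password to the same value. All parameters (keyspace, chain length, number of chains, the salt) are constructed for the demonstration.

```python
import hashlib
import string

# Toy parameters, constructed for this demonstration only (Ophcrack's real tables
# cover far larger keyspaces and target Windows LM/NT hashes, not MD5).
ALPHABET = string.ascii_lowercase
WORD_LEN = 3
KEYSPACE = len(ALPHABET) ** WORD_LEN   # 17,576 possible passwords
CHAIN_LEN = 50                          # hash/reduce steps per chain
NUM_CHAINS = 400                        # rows stored in the table


def unsalted_hash(word: str) -> str:
    """Stand-in for an unsalted password hash: same password, same digest, everywhere."""
    return hashlib.md5(word.encode()).hexdigest()


def salted_hash(word: str, salt: bytes) -> str:
    """Same primitive with a per-account salt mixed in; a shared table no longer applies."""
    return hashlib.md5(salt + word.encode()).hexdigest()


def index_to_word(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate password."""
    chars = []
    for _ in range(WORD_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_hash(hexdigest: str, step: int) -> str:
    """Reduction function R_step: maps a digest back into the password space.
    The column index is mixed in so that each column uses a different reduction,
    which is what distinguishes rainbow tables from plain hash chains."""
    return index_to_word((int(hexdigest, 16) + step) % KEYSPACE)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute the chains once; store only endpoint -> list of start words."""
    table = {}
    for c in range(num_chains):
        start = index_to_word((c * 7919) % KEYSPACE)   # spread the starting points out
        word = start
        for step in range(chain_len):
            word = reduce_hash(unsalted_hash(word), step)
        table.setdefault(word, []).append(start)
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Recover the password behind an unsalted digest, or None if no chain covers it."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: the password sits in column `col`. Reduce the target as if it
        # were that column's digest and walk the rest of the chain to the endpoint.
        word = reduce_hash(target, col)
        for step in range(col + 1, chain_len):
            word = reduce_hash(unsalted_hash(word), step)
        for start in table.get(word, []):
            # Possible hit (could also be a merged chain): regenerate and verify.
            cand = start
            for step in range(chain_len):
                if unsalted_hash(cand) == target:
                    return cand
                cand = reduce_hash(unsalted_hash(cand), step)
    return None


if __name__ == "__main__":
    table = build_table()
    pw = index_to_word(7919)   # the start word of one chain, so it is certainly covered
    print("unsalted digest ->", lookup(table, unsalted_hash(pw)))
    print("salted digest   ->", lookup(table, salted_hash(pw, b"s4lt")))
```

The table costs roughly NUM_CHAINS × CHAIN_LEN hash operations to build but only NUM_CHAINS entries to store, and a lookup costs on the order of CHAIN_LEN² hash operations instead of a full search of the keyspace; that time/memory trade-off is the whole trick. The defender's takeaway is that a per-account salt (plus a deliberately slow, iterated hash such as PBKDF2, available in Python as hashlib.pbkdf2_hmac) forces an attacker back to per-account brute force, because no shared precomputation survives the salt.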
