Month: July 2008

One week to Pwnie Awards

Move over Antoinette Perry. There is a new award in town and it will take place at the Black Hat briefings next week in Las Vegas. Pwnie awards will honor (shame?) moments of brilliance and ineptitude in the security research community. Highlights from this year’s crop of nominations include:

  • Kernel-mode remote code execution that works on XP, W2K3 and Vista. This after MSFT speculated that the bug would be very difficult to exploit in the real world.
  • Adobe Flash null pointer dereference. What appeared to be an innocuous crash that became a cross-platform, cross-browser remote code execution vulnerability after ISS’s Mark Dowd decided to take a closer look. Once again complements of Flash, continuing to undo any improvements in Internet Explorer security by introducing its own mediocre platform on top of an already fragile HTML/Javascript alliance that years of vulnerability research was finally starting to stabilize. All flash, no subtance but millions of users can’t be wrong: the dancing hamsters are clearly worth the risk of getting 0wned.
  • QuickTime– no vulnerability required, the nomination committee decided the entire application is one colossal mistake, mired in the 1990s quality control standards (“compiles without errors when most warnings are disabled”) and providing another example of insecure context switching.
  • DNS rebinding attacks. Using the web browser to VPN into the internal network behind a firewall. Considering that Kaminsky presented on the topic at last year’s Black Hat, this one has outlived its shelf life.
  • Safari carpet bombing. Note to Apple: forcing software on user machines is not a good strategy when you are awfully slow to fix publicly reported vulnerabilities.
  • Debian/OpenSSL not-very-random number generator debacle; also nominated for most epic failure.
  • Linus Torvalds for controversial views on vulnerability research and handling security bugs.
  • Overhyped bugs: DNS poisoning and unauthenticated UPnP control over network devices.

cemp

Angle brackets are aero-dynamic: protocol buffers, ASN1, XML

Google has recently open sourced  protocol buffers, one of the building blocks used for building large-scale systems. This is a good time to recap the controversies over data formats. In this debate, opinion has been sacred and facts largely open to interpretation.

Most recent iteration from May: XML: the angle bracket tax takes issue with the inefficiency and developer-unfriendliness of XML as data format. First point is hard to dispute: all of those tags and attributes decorating the data add weight. (On the other hand, all of that redundancy means XML documents compress very well but that adds another step.) Compared to the YAML equivalent on the page, the XML variant looks manifestly verbose. In all fairness the example picked here (SOAP) is probably one of the worst case scenarios for bloat, short of even more tchotckied-up format such as WS-Trust/WS-Security/WS-anything. The jury is out on the second point. XML is not necesarily intended for direct presentation to users– that is why there is XSL as stylesheet language to add presentation. For example Internet Explorer’s default tree view for XML files with collapsible nodes is actually generated by applying a default built-in stylesheet.  Manually tweaking XML files is never intended for end users. As for developers and tinkerers stuck with that problem, there is help in the form of XML editors that allow for directly working with the high-level structure instead of low-level syntax. But even with plain-text editing, consider that XHTML is a formulation of HTML as well-formed XML and not particularly more challenging than vanilla HTML/4.0 to work with.

Skepticism against XML runs deep, including entire websites devoted to cataloging its deficiencies. But strong opinions run both ways. Inflammatory arguments bashing other formats as unnecessary reinventions of XML are also abundant; here is one comparing JSON vs XML.

In to this mess Google throws a curve-ball with protocol buffers which define a binary serialization format. The overview includes the expected comparison against XML as a data point:

Protocol buffers have many advantages over XML for serializing structured data. Protocol buffers:

  • are simpler
  • are 3 to 10 times smaller
  • are 20 to 100 times faster
  • are less ambiguous
  • generate data access classes that are easier to use programmatically

If efficiency were the primary constraint, a binary format is the way to go. The challenge then is making that format extensible. This is the catch: if a data format were known to be immutable forever, everything would be hand-coded to use up the fewest number of bits. Reality is that systems evolve, protocols change. Version #2 of the application introduces extensions and yet must remain backwards compatible in a way that it can still communicate with version #1. (Sometimes even in the opposite direction) Building this level of flexibility without rewriting code for each version is the challenge.

Strangely there is already a widely used binary serialization format: ASN1. Virtually any large scale web site is likely using it because the X509 certificates required for the SSL/TLS security protocol are encoded this way. It is more complex, slightly more powerful than protocol buffers but boasts the same level of extensibility since new optional fields can be added in such a way that the structure remains a superset of its previous version. But greatest challenge for ASN1 is ease of use. There are ASN1 compilers but the interface is nowhere as polished as the cross-language programming model for protocol buffers. Parsing ASN1 is so complex that integer overflows in the parser used on Windows featured in a remote-code execution vulnerability back in 2004.

One of the more interesting properties of ASN1 is that the abstract structure of data and its encoding are clearly separated. The same logical structure can be expressed in different ways on the wire and while the most common variant “basic encoding rules” or BER is binary, a different version called XER allows outputting directly to XML. Small step for reconciliation in the format wars.

cemp

Vintage code, common hardware and value of backwards compatibility

A data point on the value of backwards compatibility. This is an area where MSFT is frequently slammed, for its insistence on favoring compatibility with past mistakes instead of throwing everything overboard to start over again– the way Apple has done with OS-X and later switching to Intel x86 chips.

Imagine having to demonstrate an application running on Windows Mobile to a crowded room full of security professionals. This code will not run on the emulator— and even if it did, emulation hardly makes for a compelling demo. “Code always wins” as the old MSFT adage goes and working code on an actual device is the golden standard. This is the predicament confronting the blogger next week. Slide decks are not a problem; they can run off a locally installed PowerPoint or OpenOffice instance (the import process still loses some details if the latest eye-candy from Office 2007 is used) or better yet run from the cloud-hosted Google Presently. Showing UI from the device is a different challenge.

Most phones can not project the view of their own display to an external monitor using a standard VGA, DVI or HDMI output. (Oddly enough a few can project other video over Bluetooth to specialized devices and there is nascent efforst to give phones projectors of their own.) Having a dedicated, fixed camera pointing at the phone was not an option in this setting. And since it is not possible for dozens of people to cluster around a single handset trying to get a peek at the tiny screen, one option is to capture static screenshots at relevant points and project these as part of the slide-deck.

Even that is non-trivial: there is no “print screen” functionality on Windows Mobile out of the box. One quick Google search finds several third-party substitutes, including a freeware version from Ilium software. Luckily the search results also unearthed a better solution. An entry on the Windows Embedded Blog dated November 2004 references a Remote Display application included as part of the Windows Mobile Power Toys. This is good news; power toys are officially unsupported applications typically written by MSFT developers on the side. According to the description Remote Display shows real-time view of the phone display mirrored on the desktop.  Much better than static screen-shots and the audience can now follow along with the exact flow.

One problem: the Power Toys are dated December 2003. Supported operating systems on the download page include W2K SP3– long defunct– as well as “Windows Mobile 2002 based smart-phones.” In other words, this code is archaic. The MSI installed without a problem on Vista, even bearing a proper Authenticode signature to keep the inane UAC prompt happy about reporting the author. But the first attempt to run it with an HTC Diamond failed with an error message about unknown CPU type on the device. Not surprisingly 5 years after the code was written, the architecture of mobile devices, as well as the operating system MSFT is shipping to run on these devices had become unrecognizable under the assumptions the original author had made. Vista does not even have a separate Active Sync component, instead Mobile Device Center handles synchronization with phones.

But the README file provided plan B: the instructions described what to do for that particular error. The recommended fix was to manually find the correct binary over for the mobile device and copy it over. There were not exactly many choices either: Windows CE 3.0, CE 4.0 and smartphones based on CE 4.0. Each OS SKU had a corresponding array of architecture choices, including x86, MIPS and ARM4. As for the device? It is running Windows Mobile 6 on ARMv5i.

So it was a surprise that copying the ARM4 binary built for CE4 worked: Vista could mirror the device screen in real time. Even more impressively, Remote Display works both ways: clicking on the phone UI from the desktop PC actually sends the mouse clicks to the phone, allowing the phone to be driven by the full-size mouse and keyboard combination.

This is one of the rare cases where the insistence on backwards compatibility paid dividends. Not only did the ARM processor have to remain backwards compatible and run binaries compiled for an earlier version, but Windows Mobile itself had to evolve such that code written for earlier CE variants could run without any changes.

cemp

Nebuad: dubious past, nebulous future

From relative obscurity, Nebuad has emerged as the star witness in the Senate hearings last Wednesday that also included representatives from Microsoft and Google.

WSJ points out that many current Nebuad executives previously worked for Gator, which almost single-handedly defined the “spyware” category earlier in this decade. Gator was one of the first examples of software bundling useful functionality appreciated by users with with intrusive, privacy invading and unwanted “features” designed to monetize that user for the benefit of advertising networks. On the surface Gator was a form-fill assistant; it helped users with the repetitive task of completing forms on websites. Web browser including Internet Explorer had an autocomplete / intelliforms feature for some time, but it was fairly primitive compared to what Gator could do. IE remembered that the user typed in some string on a particular field on a particular form on one web page; it had no concept of recognizing that as an address or recognizing other forms on other websites also asking for the address. So far so good– even Microsoft Passport was taking out full-page advertisements in the New York Times about its ability to save time by avoiding forms, because the profile data would be included in the authentication process.

But Gator had also had a dark side and it was hidden in plain sight, buried in the terms-of-use / click-wrap agreement that users seldom read. It collected information about the user’s navigation history and called home with the information. The resulting profile was used for taking targeted advertising to new levels: Gator replaced existing banner ads on websites with ads of its own choosing, disrupting the business model for many ad-funded free websites. This over-zealous tinkering with other people’s advertising brought Gator a lawsuit from several publishers including the New York Times and Washington Post.

Worse there was no meaningful opt-out possibility: no way to retain the useful functionality and opting out of the invasive tracking, other than uninstalling the app completely. And that is exactly what users decided soon after it was branded spyware (or “adware” as the preferred expression in polite company) in the public perception. On balance the inconvenience of taking two additional to provide your address one more time to another website did not outweight the potential privacy invasion from the tracking. Making matters worse, while it was possible to verify what Gator collected, users had no way to verify how the data was used once it is uploaded to the service in the cloud.

Seeing the writing on the wall, Gator soon found a more appealing application to latch on to: P2P. The popular file sharing program Kazaa was bundled with Gator (and soon several other variants of spyware) P2P created a dilemma for users who wanted to tap into the global jukebox but avoid the dubious spyware that often came bundled with the free software. Volunteer programmers responded by creating Kazaa Lite and other derivative “unauthorized” versions stripping out the dubious functionality. As for Gator, when the backlash became widespread, to the point that today Symantec has anti-spyware application that will remove Gator, the company reacted in typical fashion: by changing its name to “Claria” and hoping that will white-wash any previous associations.

Nebuad is an unmistakable here-we-go-again moment for the privacy advocacy community:

  1. Company decides to push the boundaries of accepted data collection and user tracking with new “creative scheme,” crossing the line from dubious into nefarious
  2. Technology press gets wind of the idea, at first as a curiousity, later with growing skepticism and apprehension, feeding the blogosphere.
  3. Mainstream media picks up on the story
  4. A public relations crisis results, indignant pundits demand that the company change its ways, high-level executive begin complicated song and dance for damage control.

At this point, the story normally continues with the dust settling down, contrite executives offering token changes to appease the privacy wonks and all concerned individuals move on to the next crisis-of-the-day. This time it is different. Charter canceled plans to pilot Nebuad, other ISPs are backing out and the Senate has taken an interest in the problem. Quiet possibly Nebuad picked the worst possible timing: with concerns about monitoring Internet traffic and ongoing FISA discussion around retroactive immunity for carriers, the technology community has been collectively primed to watch for the slightest incursion into the privacy of electronic communications. CDT released an interesting report suggesting that an ISP contracting with Nebuad would be violating a provision of the Wiretapping Act around unauthorized disclosure of private communications, a possibility hinted at earlier by Peter Wu.

Predictions? Keeping in mind Yogi Berra’s warning here, it is a reasonable bet that high burden of opt-in proof (as opposed to the current opt-out structure or simple click-through agreement) will be required if Nebuad-type systems are to be operational in the US. These barriers will make it unlikely that many subscribers will in fact participate voluntarily, unless the ISP offers heavy discounts on the Internet service, which is going to defeat the purpose of collecting additional revenue from Nebuad. Even if the economics worked out, the participation incentives will skew the data towards customers that were willing to make that trade-off and it is unlikely that this demographic will be very interesting for many advertisers. Bottom line is that Nebuad and its ilk are currently sailing into terra incognita with an extremely shaky business model.

cemp

Fuel pumps and the “Y2K8 crisis”: security feature gone awry

Crude oil at $100/barrel may have been the first psychological barrier for traders. Now long crossed and $150 looming on the horizon, it turns out there is an equivalent one for drivers: the $100 refueling at the friendly local gas station. New York Times reports in the article titled When a tank of gast costs $100 several large trucks and SUVs have enough capacity for hitting the three digits during a refueling stop.

But they often do not quite get there for two reasons. First one is the unwillingness to see the register ringing up that amount. The article cites owners who prefer to refuel long before they are running on fumes, to avoid seeing the full price– and possible wasting more fuel with more frequent visits to the gas station, as well as slightly higher  weight of the car on average from carrying more fuel.

The second one is a “security feature:” many pumps that accept credit cards will shut off at $75 to prevent overcharges as well as stolen cards from being used. It seems strange that a criminal in possession of someone else’s credit card would be going on a shopping spree for fuel. Electronics, jewelry and other high value goods that can pawned off appear as more likely candidates. (Never mind the cartoon strips— these measures have been in place since the times when fuel was relatively inexpensive.)

That’s not the worst limitation: in an echo of the Y2K crisis, it turns out that many older pumps are not capable of registering three digits at all. (No word on whether they simply roll back to $0.00 and start counting from there or getting stuck at $99.99.)

cemp

GMail starts enforcing DomainKeys for eBay and PayPal

In a sign that Domain Keys Identified Mail deployments have become reliable enough to depend on, Google has started to enforce DKIM signatures on eBay and PayPal.

Quick recap: DKIM is an anti-spam scheme intended to block forged of email messages and verify the sender by using digital signatures. The  short version is every large email service provider signs messages originating from their site and the recipients verify them. Strictly speaking this is purely an authentication technology, defined by an open IETF standard— nothing prevents spammers from also signing their message but there is an implicit assumption that somewhere a reputation system will spring into existence to allow vetting the verified identities and blacklisting the miscreants. Microsoft has backed a competing solution called SenderID.

Major challenge with deploying these solutions is dealing with the “gray area.” If a message is properly signed by eBay, it is clearly coming from eBay. (Leaving aside the fact that eBay may have been handing out email accounts to its own sellers and one or more of them are spammers.) That email can be safely accepted. If the message is signed but the signature does not validate, it can be rejected– although even then there are edge cases where innocuous message modifications can cause the signature to invalidate. By design cryptographic signatures are designed to be very brittle; any change to the message invalides them. Domain Keys had to work around this.  But what about unsigned messages? It could mean that eBay does not implement the DKIM standard at all. Or perhaps they have not gotten around to deploying DKIM on all the servers. A large service may have hundreds of server dedicated to handling outbound email and the conservative approach is doing a small-scale pilot project first. The final possibility is the message did not originate with eBay and is indeed a forgery, an attempt at phishing for example. It’s important to distinguish these cases because the accept/reject decision for the message will be different.

Strictly enforcing DK would mean that unsigned messages are rejected but that can not be done until there is good reason to believe that the service provider has committed to signing 100% of outbound traffic. In October 2007 eBay (and PayPal, which is owned by eBay) announced plans for adopting DKIM. But until both services could commit to signing all traffic, strict enforcement could mean legitimate messages getting dropped or sent to the junk folder and unhappy users.

cemp

Customer lock-in and US mobile market

Dated story from The Unofficial Apple Weblog hints at the sad state of competition in the US wireless market. As the release date for the second-generation iPhone draws near, news stories pointed out that AT&T and Apple are trying harder to lock down the phones. The widespread use of jailbreaking on first generation phones caused AT&T to miss out on significant revenue as customers bought the devices  without any intention of signing up for the corresponding wireless service. This time around buyers are forced encouraged to surrender the money upfront: phones are pre-bricked according to CNet and must be activated in the store, along with minimum 2 year commitment to a wireless contract. (AT&T to Apple customers: “submit to our authority!”) Expect delays as the purchase itself got complicated by doing credit checks and all the other ceremonies that go with signing up for service plans.

It is still possible to purchase the device itself, but at steep premium. This is standard in the US market where phones are subsidized by the wireless service contract, and sold below cost. There are early-termination fees in case the user decides to part ways with the carrier before they generated enough revenue to offset the cost of the subsidy.  But there is still a gap in the logic as the TUAW points out in the article Doing the wacky AT&T math: it is still more economical to sign up for the contract and then break it after one month instead of purchasing the unlocked device.

On that note, Jonathan Zittrain was at Google NYC yesterday to talk about his recently published book “The Future of the Internet and how to stop it.” One of the highlights from the presentation involved a picture of Steve Jobs on stage discussing the application approval process for iPhone, describing the criteria used to decide when code is unworthy of running on the sacred device. Alongside the usual suspects “malicious” and “bandwidth hog” were one that captured Apple’s attitude towards open platforms: “unforeseen.”

cemp