June 17, 2006

Microsoft - will they bungle the security game?

I suspect Microsoft are going to blow the security game. Here's the evidence:

A recent Microsoft update to Windows XP, which modifies the tool that verifies the "validity" of XP installations to ensure that they are not illicit, may itself be considered to be spyware under commonly accepted definitions.

The new version of the "Microsoft Genuine Advantage" tool reportedly will repeatedly nag users of systems it declares to be invalid, and will then apparently deny such users various "non-critical" updates. Apparently various parties have already found ways to bypass this tool, though the effects of this on later updating capabilities remain to be seen.

However, I've noted a much more serious issue on local XP systems, all of which are legit and pass the MS validity tests with flying colors. It appears that even on such systems, the MS tool will now attempt to contact Microsoft over the Internet *every time you boot*. At least, I'm seeing these contacts on every boot after the tool update so far, and I've allowed them to proceed to completion each time. Perhaps it stops after some number of boots, but there's no indication of such a limit so far. The connections occur even if you do not have Windows "automatic update" enabled. ...

That's about XP, their older product. Here's what they are trying to address:

Microsoft (Nasdaq: MSFT) on Monday revealed the results of a 15-month test of its Malicious Software Removal Tool. The utility that seeks out and destroys malware reported malicious programs, or bots, on six out of 10 Windows computers it examined.

And here's the problem. Microsoft are responsible for the old mess, and to their credit, they are in some sense or other recognising the size of the problem by reporting on it, above. (They can't go too far, otherwise they'll be dealing with the MOACAS - mother of all class action suits.)

So they are doing what others -- Symantec, Kaspersky, etc -- have developed over decades to fix the product: putting in anti-virus tools and pretending that these are the latest must-have fashion accessories.

Can you say conflict of interest? On the superficial level, we have these problems:

  1. they are making money off the problems they delivered last time. Well, sometimes that is good, but not always, not when everyone knows it.
  2. any problem they fix is subject to approval and re-interpretation by the publicity arms. That is, you can't fix a problem if you have to reveal it, and the PR people say it's too dangerous to reveal.
  3. their efforts to fix these problems are subject to capture by the sales arm. So this is why you are seeing efforts like the above. It's not that the sales arm says "you must make the product sell more Vista..." No, it is more subtle than that. It is as if a thousand helping hands turn up to help if the solution helps Vista sales, and those same thousand hands hold little razors that take little nicks out of you if your solution slows down sales of Vista.

But even deeper than that, we have the dangers of feedback loops generating perverse solutions. The anti-virus companies had at least the market to keep them honest. They were symbiotes, feeding off the host, like those little fish that follow sharks. The rewards and punishments were fairly clear.

Microsoft will not have the market to keep itself honest: it is the market for the OS, it is the owner of the user's computer, it owns the mess, and it is now the fixer of the mess. That's not to say that they won't get it right, but that there is no negative feedback force in this "I'm my own symbiote" market to stop perverse solutions and kill them before they do too much damage. And there are positive feedback forces, as listed above.

Not to mention brittle. These complicated systems could result in quite serious DoS attacks. Seen on Risks / slashdot:

An anonymous Slashdot user gives virus writers a worrying idea: "A virus could use one of the 'Product-Key Changer' scripts ... to install a pirated product key on every infected computer (wiping all traces of the original key). This would render millions of genuine installations indistinguishable from pirated installations. What a mess for Microsoft! They would have to immediately 'kill forever' the WGA helper, and maybe even remove the WGA check on Windows Update. Such a virus would be a hard lesson to learn for the writers of all kinds of automated 'genuine' checks."

What about Vista? Well, the signs are that Vista is constructed along the same lines. Same thinking, same techniques. So at the same time as Microsoft are swallowing the little cleaner fish in the old XP market, they are bringing out a new shark with no cleaning fish.

If I was responsible for a doze network, I'd be terrified of being the first penguin. I'd really want some other penguin over on the other side of town to play with the shark for a year or so.

Mike Nash, who was security czar over at Microsoft for the period of the Vista development, now steps aside, and here's what incoming Ben Fathi says when probed on the future (which is post Vista):

Q: Is there anything that you can tell us about what's on the horizon when it comes to security at Microsoft?

We are concentrating on what Bill Gates talked about in February at the RSA Conference. There are four areas to our security vision: a trust ecosystem; engineering for security; simplicity; and fundamentally secure platforms. We have made a lot of investments in all of those areas, and I'm going to continue those investments.

Look at, for example, the trust ecosystem, the first step in that was delivering Active Directory Federation Services in Windows Server 2003 R2. The next step, and we've done some of this in Vista, is adding things like certificate lifecycle management, so enterprises can manage digital certificates. InfoCard is also an example.

In terms of engineering for security, that's all about the Security Development Lifecycle. It applies to all of our products, not just Windows, obviously. But what we're finding is that we need to make the SDL (Security Development Lifecycle) more agile with things like MSN and Windows Live having very short development cycles and needing quick updating.

Well, at least Microsoft has a Security Czar - many organisations do not. And, he's been brave (foolhardy?) enough to state what he's aiming for:

Finally, a fundamentally secured platform, that's the part I feel I will be reviewed on. It is about taking a lot of our investments in the platform itself and Windows and improving them.

I think I predicted a while back that Microsoft would have to adopt another OS in order to save their security situation. Like Apple did. Microsoft are also betting big on CardSpace (was InfoCard) saving their security bacon. I wrote long and probably scathingly about that a few months back. Here's some more skepticism:

Microsoft is emphasizing the ease of adoption for CardSpace, which is a nice way of saying that they're begging developers to get involved. For a proof of concept project, says Turner, all it takes to use the technology is to embed a bit of XML in your Web site, and to update the sign-in page. A three-line code change is all that's necessary to change from self-issued to managed infocards.

And, they stress, all this can be done with non-Microsoft technologies, including Java and Linux. "The only Microsoft bit here is Infocard," said Turner.

CardSafe will be built into Windows Vista, and will be available for Windows XP and Windows Server 2003, the company says. (Betas and CTPs are available here.) According to Turner, Microsoft is pushing for a CardSafe RTM (Release to Manufacturing) "in just a few months."

For CardSafe to succeed, it will need buy-in from more than site developers. The company is exhorting financial firms and other such organizations — pleading might be a better word — to participate in the managed card program as Identity Providers.

It's probably fair to guess that companies are not going to sign up with gay abandon like they did with the last lot. It's also a no-brainer that anyone who suggests that it only takes a three-line code change in a website is someone who's never actually done it. And allowing Microsoft to manage the Identity that closely is not something that financial providers are going to be comfortable with.

Unfortunately, the bottom line is that it doesn't actually solve the problem we are currently looking at. The emerging threat is one of authorisation, not authentication -- Identity is the wrong problem. So unless CardSpace can address authorisation in some compelling way, it's back to the old game of rolling out those SecurID tokens and discovering that the attacker bypasses them as well. That's not out of the question, but given the complexity of understanding what all that means, I don't have high hopes.

So my call for the moment - CardSpace is version 3 of this story, and the only benefit will be if it takes Microsoft closer to version 4.

But given the number of cards they have stacked up in their hands at the moment, CardSpace could be overwhelmed even if it does work out. Unfortunately for Microsoft, others are waiting, this time, and they've had their 3 years of re-write opportunity.

Posted by iang at June 17, 2006 12:47 PM

"And, they stress, all this can be done with non-Microsoft technologies, including Java and Linux. "The only Microsoft bit here is Infocard," said Turner."

"CardSafe will be built into Windows Vista, and will be available for Windows XP and Windows Server 2003, the company says."

Aren't these two statements contradictory? Sure, you can code your web site on any platform. But, if you actually want to access your web site, you MUST be using Windows XP or Vista. Windows 98 through 2000, Linux, and Mac need not apply.

Posted by: Scott at June 17, 2006 03:42 PM

a little cross-over from the naked transactions and chip&pin fraud series ....
http://www.garlic.com/~lynn/aadsm24.htm#7 Naked Payments IV

Ten reasons Chip 'n' Pin cards are bad
The weakness in combo chip/mag stripe cards
Chip and pin 'makes fraud even easier'
Fears over Chip and Pin
Eight arrested in chip and pin fraud racket
Hundreds of drivers caught out by GBP1m chip-and-PIN sting
Fraud, Phishing and Financial Misdeeds: Chip and PIN, Another Chapter in the Attack on Debit Cards

can you say "yes card"? ...

some chip & pin trials in the UK as early as 1997 and the current chip&pin "yes card" vulnerability was well documented by at least 2002

by 1998, work on aads chip strawman was to have higher security than any DDA technology at a lower cost than any SDA technology (and be able to meet transit contactless requirements)

part of this was based on detailed vulnerability study part of x9.59 standards work started in the mid-90s

the same aads chip strawman designed for both POS and internet financial transactions also did duty as authentication in RADIUS as well as Kerberos (the major authentication infrastructures deployed in the world today) ... i.e. not just the same technology ... but the objective was that a users same, exact card (with no changes) ...

AADS Radius implementation was demonstrated spring of 1999 at PC WORLD in NYC by one of the participants of the AADS conference co-sponsored by Atalla and Tandem/Compaq held in Jan99 (radius is typically the authentication infrastructure used by ISPs world-wide)

and the company that m'soft had subcontracted the original windows Kerberos implementation to (basis for the current/existing windows authentication infrastructure) demonstrated a number of different AADS chip strawman applications at the world-wide retail banking (BAI) show Dec99 in Miami

and NACHA was gearing up to do the AADS internet trials about the same time

Posted by: Lynn Wheeler at June 17, 2006 11:19 PM

Steve Summit wrote a concurring opinion over at http://www.securityabsurdity.com/archives/11#comment-44 (crossposted by Iang):
May 10th, 2006 at 9:02 pm

If you’re going to be a heretic and point out the truth about the Emperor’s new clothes :-), you might as well go whole-hog and pin the blame for all these problems where 90% of it belongs: Microsoft.

A lot of people will claim that’s not fair, that it’s too facile, that it’s not Microsoft’s fault (it’s the *bad guys’* fault!), that security is a *really hard* problem that Microsoft couldn’t be expected to get right, that Microsoft’s only problem is its popularity, that if the other, allegedly more secure platforms (Linux, Mac OS X) were as popular as Windows is, the bad guys would be targeting them and showing up just as many problems with them, too.

But as anyone who truly understands security will tell you, all those claims are bogus.

It *is* possible to do a better job, a much better job, on computer security. We’ve known how to for 20 or 30 years. We’ve known, for example, how to compartmentalize code, so that only critical OS code runs with full permissions, and that the majority of less-critical code runs in a restricted environment where it can’t do as much damage.

But Microsoft never really cared about any of that, and they very successfully implicitly trained a whole and much larger generation of computer users that security and other problems are mostly inevitable and have to be lived with, like bad weather or something.

As a wise man once said, “Other computer companies have spent years working on fault-tolerant computers. Microsoft has spent its time more fruitfully, working on fault-tolerant *users*.”

Now that people are finally starting to demand some real security, it is in many ways too late: too many of the fundamental design decisions which underlie the insecurity are now utterly entrenched, and (apparently) can’t realistically be changed.

The most obvious example of the utter culpability of Microsoft software when it comes to security problems is: e-mail viruses. Where is it written that an executable attachment should be executed when you “open” it? Why is it the *user’s* responsibility to decide which attachments are safe (plain data) and which are dangerous (executable code)? The computer knows this, it can’t get confused by tricks to hide the filename, so why doesn’t it just refuse to execute the executable attachments? But somehow this straightforward solution is never adopted, evidently because there are one or two people who need to be able to click and run programs that they receive as email attachments but which aren’t viruses. Instead we run around deploying reactive “antivirus” tools that, as you’ve correctly pointed out, can never be perfectly reliable.

Posted by: Steve Summit at June 20, 2006 06:56 AM
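The check the comment above argues for, as an added example that is not part of the post or of any Microsoft product: decide whether an attachment is code by looking at its bytes, so that filename tricks such as padded double extensions cannot change the answer. The format signatures are the standard ones; the policy actions, the extension list and the sample attachments are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Standard leading bytes of common executable formats. The comment's point:
# the computer can tell code from data by content, and a filename cannot fool it.
EXECUTABLE_MAGIC = [
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary or Java class"),
    (b"#!", "script with interpreter line"),
]

# Extensions a mail client of the era would hand straight to the shell (illustrative list).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def looks_executable(data: bytes) -> Optional[str]:
    """Return a description if the attachment CONTENT is executable, else None."""
    for magic, description in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return description
    return None


def claimed_extension(filename: str) -> str:
    """Last extension after removing padding spaces, e.g. 'photo.jpg      .exe' -> 'exe'."""
    name = re.sub(r"\s+", "", filename).lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def attachment_policy(filename: str, data: bytes) -> Tuple[str, str]:
    """Decide what to do with an attachment; returns (action, reason).

    Content is checked first and the filename second, so a renamed executable is
    refused whatever it is called, and a real image named '.exe' is only quarantined.
    """
    kind = looks_executable(data)
    if kind is not None:
        return "refuse", "content is " + kind
    if claimed_extension(filename) in EXECUTABLE_EXTENSIONS:
        return "quarantine", "executable extension but content is not recognised code"
    return "allow", "data attachment"


# Constructed sample attachments (not real mail): PE bytes under a PDF name, a real
# JPEG header behind a padded double extension, a script named as text, plain text.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg                       .exe": b"\xff\xd8\xff\xe0JFIF",
    "readme.txt": b"#!/bin/sh\necho hello\n",
    "notes.txt": b"Meeting at 10am\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(repr(name), "->", attachment_policy(name, body))
```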