Archive for the ‘General Ramblings’ Category

4
Mar

Hijack Windows Password with Firewire

   Posted by: Joshbw

There is currently a fluff-piece article on hijacking Windows via Firewire floating around.  Essentially the attack lets someone connect over Firewire, read and write the machine’s memory directly, and futz with the Windows password logic, effectively bypassing it.  To this I say, well, duh!  I’ve maintained for quite a while that Firewire is inherently insecure.  By design it gives attached devices direct memory access, which in this case I think is a very bad idea.  Internally, a myriad of components use DMA to reduce the load on the processor: your network card really doesn’t want to pester the CPU every time a packet arrives, nor does your SCSI controller want to bother the CPU every time a sector is read.  DMA is a necessity within the computer case, but you inherently need to trust the contents of your case to do their job.

The difference with Firewire is that the component that has DMA is now external to the system.  Unlike Ethernet, where the Ethernet card has DMA but whatever sits on the far end of the cable does not, Firewire is designed so that the external devices have DMA, and such a device could even be another computer.  At the time of Firewire’s initial adoption Apple shipped it on all of their PowerBooks, so feasibly, carrying just a laptop, you could sneak into a corporate VIP’s office and exploit Firewire’s DMA to access their desktop’s memory.  Now there are tiny little x86 systems with an Ethernet port, on-board flash for storage, Firewire and USB ports, and everything else you would need for an attack inside a pocket instead of inside a backpack.  Either way, a company insider could feasibly exploit it.
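To make the mechanics concrete, here is an added simulation (not code from the original post, and not the tool the article describes) of exactly the attack outlined above: the attacker never runs code on the victim, it only has raw physical-memory read and write, which is what a Firewire peer gets. It scans RAM one page at a time for the password-check routine and overwrites the “wrong password” branch. The bytecode, the routine’s signature and the SHA-256 stand-in for the real hash comparison are all constructed for the example; real tools pattern-match real x86 bytes, and the amount of RAM to scan would have to be probed rather than assumed known.

```python
# Added example, not code from the original post or from the tool it discusses.
# It simulates the attack described above: an external Firewire device has raw
# read/write access to the host's physical memory, so it scans RAM for the
# password-check routine and patches out the "wrong password" branch.
# Everything below (the bytecode, the signature, the hash) is constructed.
from __future__ import annotations

import hashlib
from typing import Optional, Tuple

PAGE = 4096  # size of each DMA read window

# Toy bytecode standing in for the real (x86) password-check routine.
OP_NOP, OP_CMP_HASH, OP_JNZ, OP_RET = 0x00, 0x01, 0x02, 0x03

# CMP_HASH ; JNZ +2 (skip to "RET 0") ; RET 1 ; RET 0
CHECK_ROUTINE = bytes([OP_CMP_HASH, OP_JNZ, 0x02, OP_RET, 0x01, OP_RET, 0x00])


class PhysicalMemory:
    """The host's RAM. The attacker only ever touches it through dma_read and
    dma_write, which model IEEE 1394 physical read/write requests: the host's
    controller services them without the CPU or the OS being consulted."""

    def __init__(self, size: int) -> None:
        self.mem = bytearray(size)

    def dma_read(self, addr: int, length: int) -> bytes:
        return bytes(self.mem[addr:addr + length])

    def dma_write(self, addr: int, data: bytes) -> None:
        self.mem[addr:addr + len(data)] = data


def run_check(ram: PhysicalMemory, entry: int, candidate: str, stored_hash: bytes) -> bool:
    """Victim side: execute the routine at `entry` against a login attempt.
    SHA-256 stands in for whatever hash comparison the real routine performs."""
    pc, zero = entry, False
    while True:
        op = ram.mem[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_CMP_HASH:
            zero = hashlib.sha256(candidate.encode()).digest() == stored_hash
            pc += 1
        elif op == OP_JNZ:
            rel = ram.mem[pc + 1]
            pc += 2
            if not zero:
                pc += rel
        elif op == OP_RET:
            return ram.mem[pc + 1] == 1
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc:#x}")


def dma_find(ram: PhysicalMemory, sig: bytes, total: int, window: int = PAGE) -> Optional[int]:
    """Attacker side: locate `sig` by reading RAM one window at a time.
    Each read overlaps the next window by len(sig)-1 bytes so a routine that
    straddles a page boundary is not missed. `total` (the amount of RAM to scan)
    is assumed known here; a real tool would have to probe for it."""
    overlap = len(sig) - 1
    addr = 0
    while addr < total:
        chunk = ram.dma_read(addr, window + overlap)
        hit = chunk.find(sig)
        if hit != -1:
            return addr + hit
        addr += window
    return None


def patch_password_check(ram: PhysicalMemory, total: int) -> Optional[int]:
    """Find the routine and overwrite its JNZ with two NOPs so the failure
    branch is never taken; returns the patched address, or None if not found."""
    loc = dma_find(ram, CHECK_ROUTINE, total)
    if loc is None:
        return None
    ram.dma_write(loc + 1, bytes([OP_NOP, OP_NOP]))
    return loc


def demo(straddle: bool = True) -> Tuple[bool, bool]:
    """Log in with a wrong password before and after the DMA patch.
    With straddle=True the routine is placed across a page boundary."""
    ram = PhysicalMemory(8 * PAGE)
    entry = 3 * PAGE - 3 if straddle else 2 * PAGE + 0x40
    ram.mem[entry:entry + len(CHECK_ROUTINE)] = CHECK_ROUTINE
    stored = hashlib.sha256(b"correct horse battery").digest()
    before = run_check(ram, entry, "wrong", stored)
    if patch_password_check(ram, len(ram.mem)) != entry:
        raise RuntimeError("routine not found")
    after = run_check(ram, entry, "wrong", stored)
    return before, after


if __name__ == "__main__":
    print(demo())  # (False, True): rejected before the patch, accepted after
```

Two things worth noticing: nothing the victim OS does at the software level is involved, because the controller answers the reads and writes on its own, and the overlapping windows in `dma_find` are there because a routine that happens to span two pages is the ordinary case, not an edge case, when you are scanning a few gigabytes blind.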

I can see the logic of the design at the time: CPUs were slow, so you couldn’t afford the hit of interrupting them for every transfer; eSATA wasn’t an option for removable disks; USB 1.0 was slow (and also hit the CPU); and so on.  The arguments for allowing DMA were plentiful, and security doesn’t seem to have been a concern during the specification process in those days.  (Bluetooth 1.0 or 1.1, anyone?  Heck, even the Bluetooth 2.0 working spec treats security as an afterthought, and 802.11 shipped with nothing better than WEP.)

What bothers me about this article is the level of irresponsible disclosure on the part of Adam Boileau.  He claims to have notified Microsoft two years ago and is releasing his tool now because MS didn’t act.  If this were a critical vulnerability in SQL Server or IE, I wouldn’t have a huge problem with it (I don’t think full disclosure is a great thing, but at the same time, if a company sits on a critical bug for two years, that is also less than ideal), but the problem is that this is essentially a critical vulnerability in a specification.  Asking one vendor to completely break the spec in its implementation (especially a vendor that gets hammered as often as they do for not supporting certain standards and specifications) is naive (how many devices would break if the host didn’t allow DMA?).  MS can champion changes to Firewire (best of luck, since Apple rules that roost), but they don’t control it, and any change is necessarily going to be long and arduous.  Boileau should have approached a multitude of vendors with his proof of concept, from OS manufacturers (MS and Apple) to PC manufacturers (Dell leaving Firewire out of its entire business lineup unless specifically added, with a note about security concerns, would catch the IEEE’s attention), instead of dropping a note to MS and expecting the problem to take care of itself.

Apple probably wouldn’t have listened; they don’t really have a presence in corporate America, where this attack would be most damaging, nor do they exude much concern over security.  PC manufacturers likely would be a bit more receptive (hey, we get to cut out a component and claim it is to make our customers more secure in the same breath).  Hitting MS alone and expecting them to muscle the rest of the industry into changing is essentially asking them to take an action that in the past has gotten them in a lot of trouble.  Even if all parties concerned were committed to change, though, it would take time to update the specification with all of the politics involved, and they can’t just drop support for all of the existing Firewire devices on the market now.  At best you could change certain default behaviors.

I guess the lesson here is that if you subscribe to the notion that full disclosure is morally justified so long as you have given the company proper notice, make sure the company actually has the power to fix the issue you are complaining about.  Otherwise you are just sort of an ass, taunting them with a vulnerability they don’t control.

~Joshbw

19
Feb

The Blog is Live, sort of

   Posted by: Joshbw

It looks like everything is up and running now, more or less.  I am still tweaking the theme a bit and working on some lingering browser compatibility issues.  I’m kicking myself for starting by modifying an existing theme rather than beginning entirely from scratch, as at least a couple of the issues were the result of style problems I missed when editing the original theme.  I’ve decided that I really don’t like the fact that I can’t override user-defined functions in PHP, as that would have made things much easier.  Now I have to compulsively look at the change lists during each update to see if I have to merge changes, which is a pain in the butt.

So obviously I have decided to roll my own blog rather than use a blogging host such as Blogger or Spaces.  I saw benefits going both routes.  With a blog host, security becomes their problem rather than mine, and considering the frequent patches pushed out for all of the existing blogging software (WordPress, Movable Type, etc.) this is a major consideration.  Hopefully I have locked things down enough that even if a zero day that grants admin functionality is released, other preventative measures will still protect the admin controls (that whole defense-in-depth concept).  Granted, that will be little consolation when some new XSS is found in the blogging software and a billion comment spam bots post attack messages with just commenter permissions.

The other major benefit of a blog host comes from the fact that while they may have millions of users of their software, they have very few users on the actual physical machines.  With my shared-server cheapo LAMP host I can’t say the same for this site, as dozens of other random net users have shell accounts on the box and are hosting their questionable code.  I like Dreamhost, as they tend to offer pretty good service with gobs of storage and bandwidth at very cutthroat prices, plus they have a pyramid scheme where you make money off of people you refer (hence the presence of the "Hosted by Dreamhost" links… just hoping to milk some folk looking for a cheap but relatively good LAMP host), but even if they are great as a shared-server host it doesn’t change the fact that they are ultimately a shared-server host.  I don’t exactly keep anything I value sitting on their hard drives because of that, so I was a little leery of investing time in a blog hosted on servers I don’t have a great sense of security concerning.
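The post doesn’t say which measures sit in front of the admin controls, so as an added illustration (not the author’s actual configuration) here is the kind of second gate meant by defense in depth: an Apache `.htaccess` in the admin directory that demands HTTP Basic authentication and a source-IP allowlist before the blogging software’s own login page is ever reached. An admin-granting bug in the application then only helps an attacker who has already passed both checks. The directory, the `.htpasswd` path and the IP range are assumptions; the syntax is Apache 2.4 (`mod_auth_basic`, `mod_authn_file`, `mod_authz_core`).

```apache
# Added illustration, not the author's configuration.
# Drop this .htaccess into the admin directory (assumed: /admin under the docroot).
# Apache 2.4 syntax. Keep the password file outside the web root.
AuthType Basic
AuthName "Blog admin"
# Assumed path; create with: htpasswd -c /home/example/.htpasswd adminuser
AuthUserFile /home/example/.htpasswd

# Both conditions must hold: a valid Basic-auth user AND an allowed source IP.
# 203.0.113.0/24 is a documentation prefix standing in for a real home/office range.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>

# Belt and braces: never let the admin directory be listed.
Options -Indexes
```

The allowlist is the part that survives a credential leak; the Basic-auth layer is the part that survives a trip to a coffee shop. Dropping either one turns this back into a single gate.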

That said, hosted blogs have several drawbacks.  Many are designed around the idea of a social experience, e.g. MySpace, Facebook, etc., and I think the focus on social components in those cases detracts from them as blogs specifically.  Then you have your dedicated blog hosts that skip much of the social stuff: WordPress.com, Typepad, Blogspot, etc.  In the case of WordPress.com and Typepad it seemed that I would be just as much at the mercy of the respective WordPress and Movable Type flaws as if I hosted my own blog, but without the benefit of being able to take my own measures to lock things down.  Blogspot is such a pit of malware that Google de-lists it regularly, which given that Google freaking owns it isn’t a stellar endorsement.

Finally, with any of the hosted solutions I don’t have much control over things.  The level of customization is limited and usually requires people to jump through hoops (in the case of MySpace it seems that every user must embed some music, make copious use of blink tags and scrolling text, and have an animated background, which I sort of got over in 1994 back when all of those things were the rage).  When it comes down to it I find it easier just to fire up TextPad and edit the layout directly in the source rather than muck around with some style editor or play with layout templates and modules.  I like that I am the only one who gets a say over whether my site has ads (none at the moment, but when I am a super Internet star that may change), where those ads are, how big they are, etc.  In the end, being able to control everything about my site trumped being responsible for its maintenance.  And here I thought it would be nice to leave that sort of thing for my real paying job.

So watch out: I have complete control of the layout and am free to completely abuse rounded corners and segregated content panels.  I also have my resolution set to 1920×1200, so the site may not be sympathetic to you folks rocking 1024×768 (come on guys, my 12" tablet PC has a better resolution than that).  Tweaks are likely to trickle in throughout the month as I decide to add or remove stuff, or finally decide to install Safari in a VM and see how badly the browser mangles it (Apple security is so abysmal these days that I won’t run their stuff on my host OS).

Anyway, any early wayward readers who have stumbled upon the site, feel free to use the comment thread to leave feedback on its design.  I haven’t spent a great deal of time testing its layout.

~ Joshbw
