Category Archives: Security

Palm OS Treo “find” feature ignores system password

Wow, this is kind of a big hole: Palm OS Treo Find Feature Information Disclosure Vulnerability. Basically, if you set a password on your Treo, the Find function still works even when the device is locked. (See the details here.) In defense of Palm, the exploit requires physical access, so if your phone is always with you the risk is fairly low. However, according to Symantec, Palm was notified of the exploit and has decided not to fix it. -1 for them.


Filed under Security

Multiple subjectAltNames in certificates: now from Entrust

Back in September I wrote a pair of columns about how Exchange 2007 uses certificates. In it I pointed out the utility of having multiple subject alternative names, or subjectAltNames, in a single certificate; doing so allows you to have a single cert that works with autodiscover.yourdomain.com, mail.yourdomain.com, and the real underlying FQDN, all in one cert. Unfortunately, as far as I can tell no commercial CAs will actually issue such a certificate.

However, I got mail today from Andrew Codrington at Entrust. They’ve just introduced a new “unified communications certificate” as part of their partnership with Microsoft. The UC cert includes 10 subjectAltNames, with the option of adding 3 more for an additional $99. Good deal? Maybe; the 1-year cert price is a whopping $599. Still, that’s certainly cheaper than buying 3 standard Entrust certs @ $159 each when you factor in the time and labor required to obtain and install them. More on this later…
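To make the subjectAltName point concrete, here is an added example (not code from the original post or from Entrust) that checks which hostnames a single certificate's SAN list covers. It assumes the SAN entries have already been parsed out of the certificate into strings; the sample list is constructed from the names in the post, and the internal FQDN "ex01.corp.yourdomain.com" is an assumed placeholder. It also handles the wildcard case the post does not discuss, matching only a whole leftmost label as RFC 6125 recommends.

```python
"""Check which hostnames one certificate's subjectAltName (SAN) list covers.

Added example, not from the original post. A minimal RFC 6125-style matcher
for DNS-ID entries; assumes the SAN list is already parsed into strings.
"""
from typing import Iterable, List, Tuple

# Constructed SAN list for a hypothetical Exchange deployment. The first two
# names follow the post; "ex01.corp.yourdomain.com" is an assumed internal FQDN.
SAMPLE_SAN = [
    "autodiscover.yourdomain.com",
    "mail.yourdomain.com",
    "ex01.corp.yourdomain.com",
]


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS-ID against a hostname, case-insensitively.

    A wildcard is honoured only as the entire leftmost label ("*.example.com"),
    it matches exactly one label, and it never matches a bare or top-level
    name. Partial wildcards such as "w*.example.com" are treated as literal.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.example.com" needs at least two labels after the wildcard, and the
    # host must have exactly as many labels as the pattern.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_san(hostname: str, san_names: Iterable[str]) -> bool:
    """True if any SAN entry covers the hostname a client connects with."""
    return any(_match_one(p, hostname) for p in san_names)


def coverage(hostnames: Iterable[str], san_names: Iterable[str]) -> List[Tuple[str, bool]]:
    """For each name clients might use, report whether the cert covers it."""
    san = list(san_names)
    return [(h, hostname_matches_san(h, san)) for h in hostnames]


if __name__ == "__main__":
    for name, ok in coverage(
        ["autodiscover.yourdomain.com", "mail.yourdomain.com", "owa.yourdomain.com"],
        SAMPLE_SAN,
    ):
        print(f"{name:32s} {'covered' if ok else 'NOT covered'}")
```

The "NOT covered" case is the one that matters operationally: a name that clients use but that is missing from the SAN list produces a certificate warning, which is exactly what the multi-SAN cert is meant to avoid.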



Filed under Security, UC&C

View BitLocker recovery passwords stored in Active Directory

So, you can probably tell I’m working on a BitLocker-related project by now…

One drawback to storing BitLocker recovery passwords in Active Directory is that there’s no good way to retrieve the recovery password when you need it, or so I thought. I suggested to the BitLocker team that they consider writing an extension to AD Users & Computers to make it easy for authorized admins to get a recovery password for a given computer– turns out they’d already done it and were deep into the signoff process!

The tool is officially documented in KB 928202. It’s an AD U&C extension that makes the BitLocker recovery information visible; you need to get it from PSS, but it’s a free call, so why not?


Filed under General Tech Stuff, Security

First part of the Data Encryption Toolkit for Mobile PCs released

Great news– Security Analysis, the first part of the Data Encryption Toolkit for Mobile PCs, just went live. The overall Data Encryption Toolkit is a set of tools and guidance to help people secure the data on their laptops using Windows Vista with BitLocker and the Encrypting File System (EFS) in Windows XP and Windows Vista. Look for more pieces of the DET coming soon, as soon as we finish writing them 🙂


Filed under Security

Where to keep your BitLocker recovery password

BitLocker allows you to store your recovery password in a file, in Active Directory, or on paper. However, Microsoft’s Troy Larsen has another, extremely valuable, suggestion:

You might also consider saving a copy of the recovery password to your cell phone—then you will have it when you are a 1000 miles from home and discover that your two year old took your dongle off the desk when you were packing. Not that that sort of thing ever happens.


Filed under General Tech Stuff, Security

Storing BitLocker recovery information in Active Directory

Windows Vista’s new BitLocker encryption technology is a two-edged sword. On the one hand, it offers excellent protection because it encrypts the entire OS volume with AES-256. On the other hand, if you lose the volume master key (VMK), you’re screwed– there’s no way for you to unlock and recover data from the volume.

To make this less of a danger, Microsoft allows you to create a recovery password that you can use to decrypt the disk. More precisely, the technical overview says:

In BitLocker, recovery consists of decrypting a copy of the volume master key blob that has been encrypted with a recovery key stored on a pluggable USB flash drive or with a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is possible if the TPM fails boot component validation, malfunctions, or disappears.

However, you still have to be very, very careful not to lose the recovery password! Vista includes the ability to back up the recovery password to Active Directory, but Microsoft hasn’t released the public details of exactly how to do this… until today, that is. The new BitLocker AD Guide describes how to enable AD backup of BitLocker recovery information (including the TPM owner password and the BitLocker recovery password for each protected volume).

You’ll need to extend your AD schema to enable this recovery mode. Don’t use the schema extension files on the Vista product DVD to do this. They don’t contain the correct schema properties. Instead, use the schema extension included with the AD Guide itself.


Filed under Security

How’d we pick the products for the anti-phishing test?

I’ve gotten several inquiries about how we selected the products we tested in the anti-phishing technology evaluation. That’s a fair question; some companies are unhappy that they were included, and some that they weren’t.

When we defined the parameters for the testing, we selected the vendors that had either browser-based toolbar add-ons or built-in anti-phishing technology in the browser as of May 2006 and that (in our opinion or by market data) had a significant usage presence. There are dozens of products that meet the first test, but not that many that meet the second. We picked the top 8 based on our understanding of actual usage and deployment. I didn’t want to include payware products because the original objective was for us to help Microsoft understand how well IE 7 worked compared to its biggest competitors– and in this market segment, payware products are at a disadvantage.

Would we have preferred to test all the products? Sure. The team at Carnegie Mellon that did a similar study (with a smaller list of products and a smaller set of URLs) said the same thing. However, we had to draw the line somewhere. When we redo the tests, we’ll probably change the product mix around; I’d expect to see Firefox 2.0 included, and maybe some of the commercial products.

To address Symantec’s complaint, I’d make two points. First, Norton Confidential wasn’t announced until June, so how could we have included it? You’re making the Firefox argument. We only tested products that were publicly available at the start of our time period; we excluded Norton Internet Security 2006 because it was commercial (and I suspect that if we’d tested the 2006 version, we’d be hearing that we should’ve tested the 2007 version instead. Sic transit gloria annual releases…)

Second, it’s pretty worthless to have a blog but not allow comments or trackbacks. That’s not a blog, it’s a monologue. Whatever you think of the quality of Microsoft’s products (including IE), you have to admit that they have aggressively embraced blogging as a way to communicate directly with customers– something I’d like to see more security companies emulate.

Update: fixed the link to McAfee’s SiteAdvisor blog.



Filed under Security

McAfee SiteAdvisor sure looks like an anti-phishing tool

Oh, bother.

I got a testy e-mail from Shane Keats of McAfee asking us to remove SiteAdvisor from the study, based on his claim that SiteAdvisor isn’t an anti-phishing toolbar. I wrote a detailed response, in private e-mail, and was prepared to leave it at that.

However, Mr. Keats cried “foul” to InfoWorld and on the IE blog, saying that including SiteAdvisor is “silly and wrong. We don’t claim, anywhere, to offer phishing protection. In fact, we’re pretty explicit that we don’t.”

I’ll admit to sometimes being silly, and I’ve certainly been wrong before, but I think in this case it’s fair to include SiteAdvisor. Here’s why:

  • The SiteAdvisor.com home page contains this text: “McAfee SiteAdvisor also complements and enhances your existing security software by detecting threats which traditional security products often miss, including spyware attacks, online scams, and sites that spam you”. I think a reasonable person would likely interpret the reference to “online scams” as including phish.
  • Question 2 of the SiteAdvisor FAQ page says “SiteAdvisor is a consumer software company dedicated to protecting Internet users from all kinds of Web-based security threats and annoyances including spyware, adware, unwanted software, spam, phishing, pop-ups, online fraud, and identity theft.” This definitely seems to represent SiteAdvisor as an anti-phishing tool.
  • Mr. Keats included a partial quote from this support article: “SiteAdvisor’s software does not currently provide automated or real-time phishing detection”. However, the full text of this article explicitly says that user reports of phish sites are reported by SiteAdvisor. In our report, we didn’t distinguish between tools that use automated reporting and those, like SiteAdvisor, that can incorporate user-generated reports.
  • On August 3rd, I spoke via phone with both Craig Kenwec of McAfee and Scott Van Sickle of Global Fluency, a PR agency that handles client-security PR for McAfee. Both of them told me that SiteAdvisor incorporates anti-phishing functionality.



Filed under General Stuff, Security, UC&C

Phishing data sources and transparency

Microsoft pointed to our study from the IE blog, where there are already several comments, including this one from “Sheep and Duck”:

3Sharp was founded in 2002 by three friends: Paul Robichaux, Peter Kelly, and John Peltonen, all experts in their respective fields. Their goal was to establish a company that could demonstrate the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies. By working closely with Microsoft’s Information Worker Group, 3Sharp has always been able to stay on the cutting-edge of the Office System technologies.
http://www.3sharp.com/about_us.htm
Somehow I don’t trust this “study”.

To which I say:

Sheep and Duck, I understand why you’re skeptical. No matter who commissioned the study, *someone* would distrust the results on that basis alone. However, I think if you read the report, you’ll see that we have been transparent about our test methods and the data we used for the test. If you read the report and still have questions, feel free to contact me via e-mail (paulr@3sharp.com) or my blog (www.robichaux.net/blog) and I’ll do my best to address them.

The report even says that the actual scores of which product blocked or warned on which URLs is available from us on request. It’s hard to be much more transparent than that!

The folks over at mozilla links also asked a good question that I should have addressed in the FAQ: because some of the URLs came from a feed generated by opt-in Hotmail users, does IE have an unfair advantage? The answer is “no”, because the feed we used wasn’t incorporated in the data feeds that Microsoft uses for the Phishing Filter.



Filed under Security, UC&C

09-28-06: 3Sharp releases “Gone Phishing”: study of anti-phishing technologies

Big day for 3Sharp— we just released “Gone Phishing”, the first public study to compare the effectiveness of anti-phishing technologies for Windows. I alluded to it in an earlier post. The study is the topic of today’s podcast installment. As a bonus, this episode features music and even embedded URLs (at least for the iPod-compatible AAC version).

MP3 version | AAC version


Filed under Security

Frequently asked questions about 3Sharp’s anti-phishing report

When we started working on “Gone Phishing”, I anticipated that I’d get some questions, so I’ve been keeping a running list of things that I expect to be FAQs.

Q: What’s unique about your study?

A: As far as we know, no one’s done a public study that directly compares multiple products against a meaningful number of URLs. Most of the evaluations that have been put out there are anecdotal and only used a few URLs.

Q: What did you test?

A: We took 8 anti-phishing products (including the Netcraft toolbar, IE 7’s Phishing Filter, Google’s Safe Browsing for Firefox, Netscape 8.1, GeoTrust TrustWatch, McAfee SiteAdvisor, the eBay toolbar, and EarthLink’s ScamBlocker) and ran two sets of tests: one to determine how good each technology was at catching known phish, and one to see how many mistakes each made on known-good URLs.

Q: Who won?

A: IE 7 came out best overall, with a score of 172 of a possible 200. Netcraft was a very close second, scoring 168/200. For the rest of the scoring, see the report.

Q: Microsoft commissioned the study. Isn’t it biased?

A: No. 3Sharp, not Microsoft, designed the methodology, picked the URLs, and ran the tests. The report includes a complete discussion of how we did this, and even lists of the URLs we tested. We believe our methodology is sound and we’re being 100% transparent about how we got the results we did so that others can duplicate the results if they like.

Q: How’d you decide who won?

A: We calculated a composite accuracy score for each technology. This score combined the product’s performance at blocking or warning phish with its accuracy in not blocking or warning on legitimate URLs. Each technology earned points for correct blocks/warns and lost points for bogus blocks/warns. (See p10 of the report for the full scoring formula). A product that blocked all 100 phish and none of the 500 good URLs would score a perfect 200; a product that didn’t block anything (e.g. IE 6, Safari, Firefox 1.5, Opera, etc.) would score 0.

Q: 200? I thought there were only 100 phish.

A: We used 100 live phish and 500 known good URLs for the test. However, our scoring formula counts 2 points for a block and 1 point for a warning– so if product X blocked all 100 phish, it would score 200.

Q: Why’d you decide that a block should score twice as much as a warn?

A: Users have increasingly become conditioned to ignoring security warnings. In our view, stopping someone from going to a potentially dangerous site is better than suggesting that they not do it.
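The scoring rules in the three answers above can be written down as a small function. This is an added example, not the report's own code: the points for phish (block = 2, warn = 1, so 100 blocked phish = 200) come from the FAQ, but the FAQ only says that bogus blocks and warns on good URLs cost points and leaves the exact formula to p10 of the report, so the penalty weights FALSE_BLOCK_PENALTY and FALSE_WARN_PENALTY below are an assumption. The per-product verdict lists are constructed.

```python
"""Composite accuracy score for an anti-phishing product, per the FAQ above.

Added example, not the report's own scoring code. Phish points follow the
post; the penalties for false positives are an assumption (the report's
actual formula is on p10 and is not reproduced on this page).
"""
from collections import Counter
from typing import Dict, Iterable, List

BLOCK_POINTS = 2          # from the post: a block is worth 2
WARN_POINTS = 1           # from the post: a warning is worth 1
FALSE_BLOCK_PENALTY = 2   # assumed weight for blocking a good URL
FALSE_WARN_PENALTY = 1    # assumed weight for warning on a good URL

VERDICTS = {"block", "warn", "pass"}


def composite_score(phish_verdicts: Iterable[str], good_verdicts: Iterable[str]) -> Dict[str, int]:
    """Score one product from its verdicts on known phish and known-good URLs.

    Each verdict is "block", "warn" or "pass". Returns the score, the maximum
    attainable score (every phish blocked, no false positives), the number of
    phish let through, and the number of false positives.
    """
    phish = Counter(phish_verdicts)
    good = Counter(good_verdicts)
    unknown = (set(phish) | set(good)) - VERDICTS
    if unknown:
        raise ValueError(f"unknown verdict(s): {sorted(unknown)}")
    n_phish = sum(phish.values())
    earned = BLOCK_POINTS * phish["block"] + WARN_POINTS * phish["warn"]
    lost = FALSE_BLOCK_PENALTY * good["block"] + FALSE_WARN_PENALTY * good["warn"]
    return {
        "score": earned - lost,
        "max_score": BLOCK_POINTS * n_phish,
        "phish_missed": phish["pass"],
        "false_positives": good["block"] + good["warn"],
    }


def verdicts(block: int, warn: int, pass_: int) -> List[str]:
    """Build a constructed verdict list with the given counts."""
    return ["block"] * block + ["warn"] * warn + ["pass"] * pass_


if __name__ == "__main__":
    # Constructed products: one blocks everything, one does nothing, one is mixed.
    print("perfect :", composite_score(verdicts(100, 0, 0), verdicts(0, 0, 500)))
    print("nothing :", composite_score(verdicts(0, 0, 100), verdicts(0, 0, 500)))
    print("mixed   :", composite_score(verdicts(60, 30, 10), verdicts(0, 5, 495)))
```

The "mixed" product shows why the composite matters: it catches 90 of 100 phish but still finishes well below the maximum because warns earn half credit and every false positive on the 500 good URLs is subtracted.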

Q: What URLs did you use?

A: We gathered 100 phish for the tests; we did this by using several data feeds, scanning them using regular expressions, and then manually culling out the real phish. We tested each phish by hand to make sure that it was still live before running our tests, then we manually tested each phish in each technology and scored the results. Each phish was tested within 48 hours of its arrival to make sure it was fresh (or is that “phresh”?). See appendices A and B of the report for a complete list. For the known-good URLs, we took a set of 500 randomly selected URLs from our data feeds, then manually checked them to make sure they weren’t 404.

Q: Why didn’t you test <my favorite product>?

A: We had to take a snapshot of available products at a point in time. We couldn’t test all of the products, and we couldn’t go back and re-do the tests every time one of the technologies got updated. For example, EarthLink released an update to ScamBlocker during our test period, Mozilla released Firefox 2.0 (which includes anti-phishing features) recently, and Microsoft has updated IE 7 twice since the tests. Because phish have such a short lifetime, we couldn’t go back and re-run the tests.



Filed under Security, UC&C

Timely story on phishing impact

Reuters has an interesting story today on how phishers are cranking up their attempts to steal your money– and your identity. Symantec released a study today claiming an 81% increase in the number of unique phishing messages sent out in the first half of 2006 vs the second half of 2005– not a huge surprise to anyone who has an e-mail account. The story is particularly timely, though, given that 3Sharp will be making a phishing-related announcement later this week; I’ll have more to say later in the week.


Filed under Security

CISSP: worth pursuing, or not?

Kerry Thompson just posted a solid article exploring the pros and cons of getting a CISSP (Certified Information Systems Security Professional) certification. The CISSP curriculum is demanding, that’s for sure; Thompson presents some good arguments both pro and con. (His final take: if you want more money, get an MCSE or CCNA :))



Filed under Security

Restricting camera access on mobile devices

All sorts of folks are calling for restrictions on camera phones. Some propose legislative remedies, while others just want the phones banned from their facilities.



Filed under Security

Security update numbers, apples to apples

Ed posted comparing IBM and Microsoft’s security update records. He missed a few important details, though that’s understandable given that he’s not a security dude. Just to set the record straight, though, I wanted to point out something that security folks learn pretty quickly: simplistic comparisons that claim that “vendor X has better security than vendor Y based on patches” are worthless. Any time you see one, there are some hard questions you should be asking.

First, what products are included? We don’t know what criteria McAfee used to make their pretty graphs. Did they include Office updates? Updates for Windows 2000 before it went EOL? Windows Media Player? Who knows? Reputable researchers and vendors will always include their source data; if you don’t see it, you should be wary.

Second, what basis of comparison is being used? Most broad-based comparisons of vendors are flawed because they mix dissimilar items, usually applications and OSes. You can say “Microsoft had to issue more patches than IBM”, but that’s meaningless unless you’re talking about specific products. A more interesting question would be to ask something like “Who had more patches to install: an Exchange 2003 admin on Windows 2003, or a Lotus Domino 6.5 admin on RHEL?” Well, according to Secunia, the numbers break down like this:

All of a sudden the comparison doesn’t favor IBM quite so much! A more proper comparison might leave the operating system out of it (after all, there are more Notes seats on Windows than on Linux), but even then there’s still room for argument: Secunia doesn’t break down Domino R6 vs 6.5, so the vuln count of 22 may include some items that aren’t relevant.

Third, counting patches alone leaves out some important dimensions. It’s like counting the money in your wallet by counting bills and ignoring denominations– would you rather have 10 $1 bills or 1 $100? Other factors to evaluate include the severity of the vulnerability and how long it takes from its emergence (or disclosure) until the vendor gets a patch out– the so-called “days of risk” model.

Fourth, not all vendors tell the truth. More kindly, not all vendors tell the whole truth and nothing but. For example, IBM doesn’t include severity ratings on its security page, so you can’t judge the severity of a reported vuln unless you’re already pretty knowledgeable. Oracle is flat-out dishonest in some of its security patch release notes. When you’re comparing vendor security, you should include the nature, frequency, and accuracy of their security-related disclosures and communications.
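The second and third points above (compare like with like, and weight by severity and days of risk rather than counting patches) are easy to demonstrate on a small data set. The following is an added example, not taken from the post, Secunia, or any vendor: the advisories, vendor and product names are constructed, the severity weights are an assumption, and the "days of risk" for an unpatched advisory is counted up to a reporting date you supply.

```python
"""Compare two vendors' security records by count, severity, and days of risk.

Added example with constructed data; not real advisories and not the post's
own figures. Severity weights are an assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed weights: one critical counts as much as eight lows.
SEVERITY_WEIGHT = {"low": 1, "moderate": 2, "high": 4, "critical": 8}


@dataclass(frozen=True)
class Advisory:
    vendor: str
    product: str
    severity: str
    disclosed: date
    patched: Optional[date]   # None means still unpatched on the reporting date


# Constructed sample: VendorA ships more patches, VendorB leaves issues open longer.
SAMPLE: List[Advisory] = [
    Advisory("VendorA", "MailServer", "critical", date(2006, 1, 10), date(2006, 1, 17)),
    Advisory("VendorA", "MailServer", "low", date(2006, 2, 1), date(2006, 2, 3)),
    Advisory("VendorA", "MailServer", "moderate", date(2006, 3, 5), date(2006, 3, 20)),
    Advisory("VendorA", "MailServer", "low", date(2006, 4, 1), date(2006, 4, 2)),
    Advisory("VendorB", "GroupwareServer", "critical", date(2006, 1, 20), date(2006, 4, 10)),
    Advisory("VendorB", "GroupwareServer", "high", date(2006, 2, 14), None),
]


def days_of_risk(a: Advisory, today: date) -> int:
    """Days between disclosure and the fix; unpatched issues accrue until `today`."""
    end = a.patched if a.patched is not None else today
    return (end - a.disclosed).days


def summarize(advisories: List[Advisory], today: date, product: Optional[str] = None) -> Dict[str, dict]:
    """Per-vendor totals. Pass `product` to compare only one product line
    (the post's "compare Exchange to Domino, not Microsoft to IBM" point)."""
    out: Dict[str, dict] = {}
    for a in advisories:
        if product is not None and a.product != product:
            continue
        s = out.setdefault(a.vendor, {"advisories": 0, "weighted": 0, "days_of_risk": 0, "unpatched": 0})
        s["advisories"] += 1
        s["weighted"] += SEVERITY_WEIGHT[a.severity]
        s["days_of_risk"] += days_of_risk(a, today)
        if a.patched is None:
            s["unpatched"] += 1
    return out


def rank_by(summary: Dict[str, dict], metric: str) -> List[str]:
    """Vendors ordered from best (lowest) to worst on one metric."""
    return sorted(summary, key=lambda v: summary[v][metric])


if __name__ == "__main__":
    report_date = date(2006, 5, 1)   # constructed reporting date
    s = summarize(SAMPLE, report_date)
    for vendor, totals in s.items():
        print(vendor, totals)
    print("fewest advisories :", rank_by(s, "advisories"))
    print("fewest days of risk:", rank_by(s, "days_of_risk"))
```

On this data the raw patch count favours VendorB (2 advisories versus 4), while days of risk and the open critical/high issues favour VendorA, which is the post's point: the ranking flips depending on which dimension you count.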


Filed under Security