Hey Microsoft! Do Better.

The title might seem a little over the top, but let me explain. This afternoon, I had one thing I wanted to do. I wanted to sit in my racing sim and practice. A seemingly simple thing, right? The thing is, I hadn’t sat down at my sim in about a month (life has been a bit busy lately). As I expected, I had some AV updates that needed to be applied… no problem. The batteries on my wireless mouse were giving out… annoying, but again, no problem. The system seemed super sluggish after doing the AV updates, so I took a look and… oh, yep… a bunch of updates from Microsoft. No problem, I’ll let these install and then I’ll play, I thought. Oh, how naive of me.

I should have known something was up earlier, but I let my trust in the update process get the better of me. You see, earlier I’d loaded up a piece of software that controls the haptic feedback on my seat and it had a problem because it couldn’t find the output device. The output device is a small USB audio interface that sends analog signals to an amplifier that drives a transducer, which in turn makes the seat vibrate. This sudden change was a result of driver updates, something that I’d specifically disabled (for reasons that will soon become apparent). That seemed weird, but the device was still there and I just had to re-select it.

The second thing that should’ve tipped me off was an Nvidia driver update coming through Windows Update. Strange, I thought… I’m sure I disabled that. (I had previously.) Still, I thought… what’s the harm? It probably needs it anyway. What I didn’t see was that one of the other update packages contained a driver update for the onboard audio. This had already completed, but the worst part was that in the process of updating, it removed the user interface that allows you to configure things like surround sound. I checked the properties for Sonic Studio 3 and found that the application was missing, but there was a handy menu to install it. Awesome! (It wasn’t awesome.)

Clicking this menu brought me immediately to the listing for this application on the Microsoft Store, but when I clicked it the download immediately failed and told me to log in. I tried to do that and was met with a progress wheel that timed out and failed. This happens when you use a local account with Windows and don’t log in to Microsoft’s services. Ok, annoying, but I’ll just go to the Asus ROG driver page and download them, I thought. What I got from the manufacturer support site was a driver-only download. Cue a bunch of searching through forums until I found a link to a slightly older version of the same driver package with the entire suite (also hosted on the manufacturer site).

What happened became apparent at this point. Asus has moved current & future versions of this application/driver package onto the Microsoft store and removed it from their own support page. This has the effect of tying continuing support of their products to Microsoft’s services. It also revealed that Microsoft is continuing to reset certain settings on your computer to their factory defaults without notice or warning in what are supposed to be security & quality updates. Microsoft, if you’re listening… this is how you erode user trust.

While I’d managed to turn off driver & application updates via Windows Update (again) and had fixed the sound issues… I was done. This whole debacle cost me over an hour of my time, by which point I was so disgusted I didn’t even want to do the one thing I’d sat down to do in the first place.

Apple & Security; the Java debacle

While I have become more of a fan of Apple’s products in recent years, I have never been a fan of their security disclosure policy.  Apple has traditionally been very secretive, sometimes out of necessity.  Back when Steve Jobs retook the company, Apple was near death.  The company had run into a brick wall with its legacy operating system.  The latest version, OS 8, had been so long in development that it was now technologically far behind its competitors.  When Jobs shook things up with OS X (10) he had a reason to be secretive.  Apple had been successful with their new products, but was still fragile.  If any of their competitors could peek inside what was going on, they might be able to stop Apple’s progress before the company could become healthy again.

Today, Jobs’ legacy is an Apple with a $98B war chest made largely on the success of the iPod, iPhone and iPad.  These are all beneficiaries of the technology Jobs brought over from NeXT that helped to form what we now know as OS X.  The problem is that with all that success, Apple’s share of the desktop PC market has grown.  Apple is now big enough that it’s clearly visible on the radar of a lot of people, including potential attackers.

To Apple’s credit, OS X was designed with security in mind from day one.  Most of the vulnerabilities that have affected the OS over the years have required a social engineering element to get users to unwittingly install malware.  For a long time, Apple’s policy (of withholding details about security flaws until a patch is available) worked for them.  However, a recent vulnerability in Java managed to scratch a large, unsightly gash in that previously pristine, brushed aluminum finish.

The component that most recently exposed this weakness in Apple’s approach is, ironically, a third party product: Oracle’s Java platform.  It’s a little more complicated in Apple’s case because the company repackages and builds their own custom version of Java.  Because of this, it always takes longer to get Java on Macs, because the software has to be separately modified, tested and blessed by Apple.  The people behind the Flashback trojan saw this opportunity and modified their malware to take advantage of the Java vulnerability.  In the 2 months it took for Apple to produce their version and publicly acknowledge the flaw, over 600,000 Apple computers were infected.  The fact that most Apple customers think they’re immune to viruses didn’t help the problem either.

This should be a wake-up call to Tim Cook and the OS X security team.  Apple may not agree with full disclosure, but they can’t continue to put their collective heads in the sand and think nothing will happen.  Had even limited disclosure been made to Apple customers earlier, it would have been possible to mitigate much of the threat posed by this vulnerability.  Instead, Apple customers were exposed to this vulnerability for 2 months.

Computer security and the human factor

One of the most important things to remember about security is that it is a process, not a product.  All too often, people think of security as a specific problem with a specific solution.  Unfortunately for us, security (in almost any context) is a moving target.  What was a strong password yesterday is weak today.  There are good reasons to require users to change their passwords, but it’s only part of the solution.  Forcing users to change their password too often invariably results in weaker passwords that are easier to remember.

To understand why this is a problem we first need to define what a strong password is and what makes one weak.  Numeric passwords are the worst, as there are only 10^N possibilities where N is the number of characters.  Using letters is a little better, as that’s 26^N for English.  Using both upper and lower case gives you 52^N, while a full alphanumeric set gives you 62^N.  Use of a full alphanumeric character set on passwords of 8 characters and higher was considered strong enough until recently.  After all, 218 trillion possibilities seems pretty large, doesn’t it?  Considering some of today’s high-end graphics cards can perform over 2 trillion floating point operations per second, breaking even a completely random 8-character alphanumeric password is trivial.  Adding the full set of special characters on most English keyboards yields an additional 30 characters, for 92^N or 5 quadrillion possibilities for an 8-character password.

You’re probably noticing a problem; we’re out of usable characters.  From this point on, the only way to increase password security is to make them longer and longer.  Obviously we can only keep up with this for so long before technology overtakes our ability to remember a secure password.  Clearly simple password-based security is insufficient for protecting anything of real value.  What’s needed is a multifactor system that uses 2 or more separate components to authenticate a user’s credentials.
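To make the keyspace argument in the two paragraphs above concrete, here is a small calculator I added for this post (it is not the author’s code). It takes the alphabet sizes named above (10, 26, 52, 62 and 92) and the post’s 2 trillion operations per second figure, and, under the simplifying assumption that one operation equals one password guess, shows how long a full search of each 8-character keyspace takes and how many characters each alphabet needs before an exhaustive search would outlast a chosen time budget. The 100-year budget and the one-guess-per-operation rate are my assumptions, not something the post states.

```python
import math

# Alphabet sizes from the post: digits, lowercase letters, mixed-case letters,
# full alphanumeric, and alphanumeric plus roughly 30 keyboard symbols.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "alphanumeric": 62,
    "alphanumeric_symbols": 92,
}

# The post's figure for a high-end graphics card. Assumption for this example:
# one floating point operation == one password guess (a generous upper bound
# for the attacker; real hash cracking rates depend heavily on the hash).
GUESSES_PER_SECOND = 2_000_000_000_000

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def min_length_for(alphabet_size: int, target_seconds: float,
                   rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds` to exhaust.

    This is the post's point in numbers: once the alphabet cannot grow, the
    only remaining lever is length.
    """
    length = 1
    while seconds_to_exhaust(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    budget = 100 * SECONDS_PER_YEAR  # assumed target: 100 years of search
    print(f"{'alphabet':22} {'8-char keyspace':>22} {'bits':>6} "
          f"{'exhaust (s)':>14} {'len for 100y':>13}")
    for name, size in ALPHABETS.items():
        print(f"{name:22} {keyspace(size, 8):>22,} "
              f"{entropy_bits(size, 8):>6.1f} "
              f"{seconds_to_exhaust(size, 8):>14.1f} "
              f"{min_length_for(size, budget):>13}")
```

Under these assumptions the 8-character alphanumeric keyspace the post calls "218 trillion" is exhausted in under two minutes, and even the 92-symbol alphabet only buys about 43 minutes; reaching a 100-year search budget takes 13 alphanumeric characters or 12 with symbols, which is the "longer and longer" trajectory described above.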

A multifactor authentication system could be as simple as the combination of a password and a physical token such as a smartcard.  To authenticate, the user must insert the smartcard and type his or her password.  Either factor by itself will be rejected.  The beauty of this system is that any data protected in this way is inaccessible without each piece of the authentication puzzle.
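The password-plus-smartcard scheme described above can be shown end to end in code. The following is an added example written for this post, not the author’s design or any real smartcard library: the password factor is checked against a salted PBKDF2 hash, the possession factor is a challenge-response in which a hypothetical `Token` class stands in for the card and answers a fresh random challenge with an HMAC over a key shared at enrollment, and the verifier only accepts when both factors check out. Every challenge is single use, so a captured response cannot be replayed, and both checks run unconditionally so the outcome does not reveal which factor failed. All user data and keys are constructed inside the example.

```python
import hashlib
import hmac
import os
import secrets

# Kept modest so the example runs quickly; production deployments use higher counts.
PBKDF2_ITERATIONS = 200_000


def enroll_password(password: str) -> dict:
    """Store only a salted PBKDF2-HMAC-SHA256 digest of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def enroll_token() -> bytes:
    """Key provisioned to the card at issuance and registered with the verifier."""
    return secrets.token_bytes(32)


class Token:
    """Hypothetical stand-in for the smartcard: holds the key, answers challenges."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, "sha256").digest()


class Verifier:
    """Server side: requires the password AND a valid response from the token."""

    def __init__(self, password_record: dict, token_key: bytes):
        self._record = password_record
        self._token_key = token_key
        self._issued = set()  # challenges handed out but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self._issued.add(challenge)
        return challenge

    def _password_ok(self, password: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     self._record["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest, self._record["digest"])

    def _token_ok(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._token_key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)

    def authenticate(self, password: str, challenge: bytes, response: bytes) -> bool:
        # Consume the challenge whether or not the attempt succeeds (no replay).
        fresh = challenge in self._issued
        self._issued.discard(challenge)
        # Evaluate both factors unconditionally; only the conjunction is returned.
        password_ok = self._password_ok(password)
        token_ok = self._token_ok(challenge, response) and fresh
        return password_ok and token_ok


def demo() -> tuple:
    """Constructed scenario: correct pair, wrong password, wrong card, replayed challenge."""
    record = enroll_password("correct horse battery")  # constructed sample password
    key = enroll_token()
    card = Token(key)
    stray_card = Token(secrets.token_bytes(32))  # a card the verifier never registered
    verifier = Verifier(record, key)

    c1 = verifier.new_challenge()
    both_factors = verifier.authenticate("correct horse battery", c1, card.respond(c1))

    c2 = verifier.new_challenge()
    wrong_password = verifier.authenticate("wrong", c2, card.respond(c2))

    c3 = verifier.new_challenge()
    wrong_card = verifier.authenticate("correct horse battery", c3, stray_card.respond(c3))

    # Replaying the first (already consumed) challenge with its valid response.
    replayed = verifier.authenticate("correct horse battery", c1, card.respond(c1))

    return both_factors, wrong_password, wrong_card, replayed


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

Only the first attempt succeeds: knowing the password without the registered card, holding the card without the password, or replaying an earlier valid response all fail, which is the "either factor by itself will be rejected" property the paragraph above describes.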

A system is only as secure as its weakest link.  In many cases we humans are unfortunately that link.  We have limited memory and are vulnerable to social engineering attacks that get us to reveal sensitive information to complete strangers.  A strong password is useless if a user gives that password away or writes it down.  Adding a unique physical component to the equation raises the level of difficulty for an attacker significantly.