Archive for the Security Category
Firewire and DRM
March 6, 2008 1:29 am by Markus.
An old security vulnerability in the Windows Firewire implementation has resurfaced. I wonder how long it takes until Microsoft figures out that if one can read/write arbitrary memory (including kernel-memory), then one can probably find encryption keys to “secured media content” …
Posted in Security | No Comments »
License Key Copy Protection
February 2, 2008 5:59 pm by Markus.
I had written, long before I had a blog, about doing copy protection the right way (read: so that it requires some effort to remove it). With the more recent programming frameworks a couple of things have changed. For one, all the new programming frameworks (.NET, Java) have cryptography support, which means it is far simpler to incorporate a license key scheme based on digital signatures. Personally I like using 512-bit DSA (Digital Signature Algorithm) for these purposes, because the key is long enough to stop amateurs from computing the secret key and short enough that a signature encoded as BASE32 could be typed in by someone. In the software you obviously only include your public key for verifying the signature of your license.
One issue with byte-code languages is that they are fairly trivial to disassemble (and produce very human-readable code). Microsoft even included an MSIL Disassembler with .NET. Therefore the code needs to be obfuscated. One thing to try (not all obfuscator programs support this) is to make the names as human-unfriendly as possible. Renaming classes to “A” and “B” is nice, but renaming them to “XfGkoAlPPqzz” and “XfGkoBlPPqzz” makes it even harder to read.
With a signature-based license key the hackers have only a few options left, since they can’t write a key-generator. For one, they could patch a different key into the software for which they know the private key and generate signatures for this new key. It’s therefore important to use a hash of the real private key in some other way in the program. For example, one could hash the private-key string with SHA/MD5 and use the result as a key for decrypting some data with a symmetric cipher such as AES. Another idea is to put the hash (or a checksum using the hash of some data and the public key) in some saved user data in order to prevent data-exchange between the cracked and legitimate versions of the software.
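The signed license key and the key-binding idea from the two paragraphs above, as an added example that is not code from the post or from any product. Ed25519 from Go's standard library stands in for the author's 512-bit DSA (Go has no 512-bit DSA), the signature is Base32-encoded so it can be typed in, and saved user data carries a hash tied to the embedded public key, the only key the shipped program holds; the "NAME-SIGNATURE" layout, the function names and the sample data are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"fmt"
	"strings"
)

// Unpadded Base32 keeps the key a customer has to type in as short as possible.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// IssueKey runs on the vendor side only: it signs the licensee name with the
// private key. The "NAME-SIGNATURE" layout is a constructed choice.
func IssueKey(priv ed25519.PrivateKey, name string) string {
	return name + "-" + b32.EncodeToString(ed25519.Sign(priv, []byte(name)))
}

// VerifyKey ships inside the product, which embeds only the public key, so no
// key generator can be written without the vendor's private key.
func VerifyKey(pub ed25519.PublicKey, key string) bool {
	i := strings.LastIndex(key, "-")
	if i < 0 {
		return false
	}
	sig, err := b32.DecodeString(key[i+1:])
	return err == nil && ed25519.Verify(pub, []byte(key[:i]), sig)
}

// TagSaveData ties saved user data to the embedded public key via SHA-256(pub || data):
// a build with a patched-in public key rejects files of the legitimate build and vice versa.
func TagSaveData(pub ed25519.PublicKey, data []byte) []byte {
	h := sha256.New()
	h.Write(pub)
	h.Write(data)
	return h.Sum(nil)
}

func CheckSaveData(pub ed25519.PublicKey, data, tag []byte) bool {
	return subtle.ConstantTimeCompare(TagSaveData(pub, data), tag) == 1 // constant-time compare
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair, demo only
	key := IssueKey(priv, "Alice Example")
	fmt.Println(key, VerifyKey(pub, key))
}
```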
The second option is to find where the accept/reject decision is made in the program and to patch this comparison. Note that API-calls to the framework are fairly easy to find, even in obfuscated code. You should therefore have the API-call (for the crypto-functions as well as for displaying any kind of error-message like “invalid license key”) far away from the comparison-operation so the hackers have to dig through more code. Also, I found that using a command-pattern makes for fairly unintelligible byte-code. Consider creating a class that encapsulates commands and has some Execute() method that can also return which command to execute next. Now, if you have a couple of commands in a List that are executed in a loop by invoking all the respective Execute() methods, then that is a bit harder to follow. Consider writing commands that can change entries in some global hash-table of strings, an If-Command, a Goto-Command, a MessageBox-Command, a Verify-Signature-Command etc. With all those implemented, you can encode a little program by putting all those commands in a list. The important thing now is to encode the accept/reject decision (and one or two important parts of your software unrelated to the license-key) using the Command-Pattern, i.e. to write little programs in your “command-pattern programming language”. The If-Command being used for the accept/reject decision will then be the same spot where every other condition in your code is tested and can therefore not be patched without destroying other parts of the program. This forces the hackers to understand your command-pattern and to figure out what bytes they have to change to make this an unconditional jump. I found this fairly easy, clean and straightforward to program (and debug) in a high-level language, yet fairly hard to understand in obfuscated byte-code.
Posted in Coding / Programming, Cryptography, Security | No Comments »
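The command-pattern interpreter described above, as an added example that is not code from the post (Go rather than .NET). The VM, the command names and the sample program are constructed; the injected Check function stands in for the signature verification of the license key. The sample program routes both the license decision and an unrelated language switch through the same If command, which is the point the post makes.

```go
package main

// Command is one instruction of the tiny interpreter. Execute returns the index
// of the next command; an index outside the program ends the run.
type Command interface{ Execute(vm *VM, pc int) int }

// VM holds the global string table all commands work on. Check is the license
// signature verifier, injected so the interpreter itself stays generic.
type VM struct {
	Vars  map[string]string
	Shown []string // texts the MessageBox command would display
	Check func(key string) bool
}

func (vm *VM) Run(prog []Command) {
	for pc := 0; pc >= 0 && pc < len(prog); {
		pc = prog[pc].Execute(vm, pc)
	}
}

type Set struct{ Name, Value string }          // Vars[Name] = Value
type Verify struct{ KeyVar, ResultVar string } // Vars[ResultVar] = "1" if the key is valid
type If struct{ Var, Want string; Then int }   // jump to Then when Vars[Var] == Want
type Goto struct{ To int }
type MessageBox struct{ Text string }

func (c Set) Execute(vm *VM, pc int) int { vm.Vars[c.Name] = c.Value; return pc + 1 }
func (c Verify) Execute(vm *VM, pc int) int {
	vm.Vars[c.ResultVar] = "0"
	if vm.Check(vm.Vars[c.KeyVar]) {
		vm.Vars[c.ResultVar] = "1"
	}
	return pc + 1
}
func (c If) Execute(vm *VM, pc int) int {
	if vm.Vars[c.Var] == c.Want {
		return c.Then
	}
	return pc + 1
}
func (c Goto) Execute(vm *VM, pc int) int       { return c.To }
func (c MessageBox) Execute(vm *VM, pc int) int { vm.Shown = append(vm.Shown, c.Text); return pc + 1 }

// Startup is the "little program": the license decision and the unrelated language
// switch share the one If command, so turning it into an unconditional jump breaks both.
func Startup(check func(string) bool, key, lang string) *VM {
	vm := &VM{Vars: map[string]string{"key": key, "lang": lang}, Check: check}
	vm.Run([]Command{
		Verify{"key", "ok"}, If{"ok", "1", 4}, MessageBox{"invalid license key"}, Goto{-1}, // 0-3
		Set{"mode", "full"}, If{"lang", "de", 8}, MessageBox{"Welcome"}, Goto{-1}, // 4-7
		MessageBox{"Willkommen"}, // 8
	})
	return vm
}
```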
Registering Domains with Network Solutions
January 8, 2008 8:34 pm by Markus.
After reading this article on Slashdot about NSI immediately registering every free domain that is searched for on their site, I went ahead and tried it myself. Indeed, seconds after searching for two random domain-names they were immediately registered (or locked). They even put a domain-parking page on it. Since this is all fully automated I can’t help but wonder what would happen if somebody were to search for all sorts of trademarked names, especially from companies that are fairly aggressive in suing for trademark infringements. I wonder if they thought about that …
Posted in Security, Ramblings | No Comments »
GMail Logout Strangeness
November 24, 2007 1:03 am by Markus.
I’m using many of the services Google has to offer, GMail being one of the many. I’ve noticed a couple of times now that when I log out from Google’s single-sign-on, but then go back to GMail (type in the URL, not the back-button), I’m still logged in, which is not the case for the Google main page or any of the other services. I can even access all sorts of old email, so it’s not some strange cache-issue. I can’t quite reliably reproduce it, but it happens somewhat frequently.
I’m wondering whether Firefox does something strange in the way it clears cookies, or whether Google uses an extra authentication-cookie for GMail that is not always deleted.
Posted in Security | No Comments »
Safe Strings in PHP (2)
July 1, 2007 4:38 pm by Markus.
I wrote about the problems with PHP strings here and the possible solution I liked: using a class encapsulating strings in PHP. I have now worked out some details to make every string function in PHP work with the new “SafeString”-class. You can find the details and source here. This is still more of a proof-of-concept and for all practical purposes would require the re-writing of a couple of things like database abstraction layers and such to return SafeStrings as well.
Posted in Coding / Programming, Security | 1 Comment »
Interesting Experimental Captchas
June 11, 2007 3:11 pm by Markus.
Captchas are these little word-puzzles in images that web-sites use to keep spammers and bots out. They are everywhere and even the New York Times had an article about Captchas recently. It turns out it’s a nice exercise in applying some machine learning to break these things (with lots of image manipulation to clean up the images). Since spam-bots are becoming smarter, people are switching to new kinds of Captchas. My favorites (using images) so far are Kittenauth and a 3D-rendered word-captcha.
Posted in spam, Machine Learning, Artificial Intelligence (AI), Security | No Comments »
Safe Strings in PHP
May 7, 2007 5:01 pm by Markus.
A while ago I read about an idea to make it easier to avoid common programming mistakes in PHP regarding the handling of strings. There are dozens of attacks that one must pay attention to when using strings: you have to escape your string one way when you embed it in an SQL statement, escape it in a different way when outputting it as part of a web-page (XSS attacks), and escape it in a third way when you output it as part of an HTTP header. It’s not surprising that eventually somewhere something will not be escaped in the right way.
Wells suggests a SafeString class to encapsulate all strings in a class with different access methods that automatically escape your string the right way. So if you were to output the string back to the user, you’d call a toHTML() method that properly escapes any HTML-tags and special characters embedded in the string. A method to access the raw string would be called “UnsafeRawString” to remind the programmer that the string contains “tainted” user-input. While it is still possible to do something wrong, these parts stick out in the code (for example, one might use String->toHTML() when using it in an SQL statement - obviously wrong, but much easier to find). See “Making Wrong Code look Wrong” for the underlying philosophy.
I really like the idea, but I see a couple of practical problems with it:
- All strings, including Server variables and Super-Globals, should be automatically converted to the new String class. Otherwise the programmer has to constantly figure out if he/she is dealing with an encapsulated string or not.
- You’d need a database abstraction layer that will return these kind of strings as results of queries.
- All the existing PHP string operations (from strcmp to soundex) must be usable. This can be tricky, but interestingly PHP5 offers a way with __call to overload the object with arbitrarily named functions (see the overload() function in PHP4). With some eval-magic this could be doable. Technically you wouldn’t want anybody ever to work with the UnsafeRawString…
Posted in Coding / Programming, Security | 1 Comment »
Computer Security and Psychology
February 2, 2007 2:30 am by Markus.
Bruce Schneier gave a speech about how human psychology affects computer security. Very true, as security software is often too cumbersome to use. Email encryption is still not commonplace, while SSL as an end-to-end encryption is. It’s easy to use and people have been trained to look for that little golden padlock in the corner before entering their credit-card. Yet I feel that there are a couple of things that could be done to encourage people to pay more attention when it comes to computer security related things. In my opinion this isn’t happening because:
- Most people are good and assume that other people are good too. They hold the door open for the guy that left his badge in the car, they click on the “cool link”, they open email that looks like it might be from someone important.
- Most people see security problems as something that happens to someone else. Most breaches are never publicized, and some publicized breaches are so huge (millions of credit card numbers copied - yet nothing happens to them or anybody they know) that this enhances the belief in the low likelihood of problems. We feel safe in a crowd.
- Most people believe they know what they are doing. Some other people are pretty learning-resistant when it comes to computers. I’ve heard some stories from companies in which the IT-staff is supposed to do user-training as well in addition to the external training the people received in the beginning (try to get accounting to explain to you over and over again how to file reimbursement claims). Maybe we really need a computer-drivers-test, but then again drunk driving can kill people while drunk computing can not.
- People get bored. Cry wolf too often, ask a person to be careful too many times in the face of a relatively low-probability event, and they become trained to click “Yes, I’m sure.” (This will be interesting with Windows Vista.) We are constantly bombarded with awareness-programs, which makes IT-security awareness compete with many other awareness-programs.
- There is no incentive. Most people (employees) don’t face consequences when their PC is infected or the company database gets stolen. People have the neighbor’s kid come over to remove all the spyware from the machine and so on. Avoidable security problems like spyware turn into a “car maintenance problem”.
I think on the incentive side there is a lot that can be done. In industry a lot of experience has been gained with safety incentive programs to reduce accidents. I found a study cited on a website which states that reinforcing safe acts “removes the unwanted side effects with discipline and the use of penalties; it increases the employees’ job satisfaction; it enhances the relationship between the supervisor and employees” (McAfee and Winn 1989). Properly designed incentives have the approval of the people to whom they are addressed, and are often preferred to other forms of safety motivation such as laws and policing. Probably some incentives could be created to educate the users and teach them safer computer practices. For example, to make people think more carefully about following links in email (phishing!) one could send fake phishing emails; if the user clicks on a link he lands on a page that informs him that this could have been a trap and to always enter the URL directly into the browser address bar. It’s possible to track who clicked and who didn’t with specially crafted URLs in the emails. Similar things could be done with harmless executable attachments. I think this is a direction that should be pursued.
Posted in Security, Psychology | No Comments »
Nasty McAfee bug
January 20, 2007 2:11 am by Markus.
Both Tim and Michelle (XP SP2) have the McAfee firewall and virus-scanner installed on their machines. Both their machines came up with a little dialog-box upon boot-up today requesting to please connect the machine to the Internet right now to verify the subscription. Clicking cancel will result in an “are you sure” question, and upon confirmation (i.e.: “yes, verify the subscription some other time”) it disabled the firewall and the virus-scanner (the little M-icon in the tray turns black). I didn’t notice it at first. You have got to be kidding me! Just because the software can’t check for newer virus-signatures it shouldn’t be disabling the virus-scanner or the firewall. Especially not the firewall, as that probably won’t have to be kept up to date. You can re-enable both by clicking your way through the security center, but I wonder how many machines on the Internet right now are left without protection…
Posted in Security | No Comments »
Making the Cisco VPN Client work (Error 51)
November 22, 2006 1:34 pm by Markus.
I just helped Michelle get her Cisco VPN Client to work after she got an “Error 51” asking her to ensure that she had at least one network adapter enabled (which was the case). The client software wouldn’t even start up to let us configure anything. After a couple of calls to tech-support, finding out that the error isn’t explained in the manual, and a re-installation, we found the following to work: disable the Firewall and Virus-software (McAfee in that case; make sure your machine is still behind another firewall, e.g. your router’s firewall), go to Control Panel > Administrative Tools > Services. Then stop and restart the “Cisco Systems, Inc. VPN Service”. The startup setting should be set to automatic, BTW.
I still don’t quite understand why this works (Shouldn’t the client communicate with the service using named pipes? Shouldn’t the firewall be irrelevant for the startup of the client?), but hey…
Please leave a comment if that worked for you; or whatever workaround you found. Thanks.
Posted in Fixing Stuff, Security | 2 Comments »