USB U3 – the device that lies.

U3 USB devices sound like a great idea – a device that will run particular software when you plug it into a computer.

How does it achieve this?

Wisely recognising that most companies disable autorun on USB storage devices, because of the security risks, the framers of the U3 standard chose to create a device format that comes as a USB storage device, but claims to be a CD-ROM or DVD-ROM drive, so that it can auto-execute the U3 Launchpad, which is what opens all the various U3 applications.

So, if you want to stop automatic execution of applications on USB storage devices such as thumb-drives, you’ll need to also disable autorun on CD/DVD drives as well.

Vulnerabilities and asset management

There’s a little buzz going around right now over Microsoft’s latest Security Advisory - “Vulnerability in Microsoft Word 2000 Could Allow Remote Code Execution”.

A few people are irritated simply that there’s an attack doing the rounds, and yet there’s no patch to download.

Sure there’s a patch – it’s called “Office 2003″. And in a couple of days, it’ll be called “Office 2007″.

Whenever a software developer produces new versions, they move features around, deleting old code and writing new code, and often in the process, removing bugs (as well, of course, as adding some!) As a result, some bugs from earlier versions don’t make it to newer versions.

Also, the architecture of portions of the software may change, including the interface presented to users. This results in software that simply can’t be exploited the same way (and, ideally, can be exploited in fewer ways than before).

So, even when developers aren’t consciously fixing known bugs, a security-aware development team is naturally going to remove security vulnerabilities almost “by accident”, as a natural consequence of the way they design, write and rewrite code.

It’s not a surprise, then, to find that Office 2000 is vulnerable, but Office 2003 is not.

But this vulnerability should serve to remind you of another issue – that of your software asset management. Office 2000 is past mainstream support. Sure, it’s on extended support until July of 2009, and that does mean that you’ll get security updates for free – but it means you will have to pay for all non-security support calls (even if you have some “free calls” left over), as well as all non-security updates.

The Daylight Savings Time changes for 2007, for instance, are an example of a non-security update. How much will that set you back for Windows 2000? About $4,000 – that’s right, four thousand dollars to turn your clocks forward an hour. Seems a high price to pay, yes? It’s the price to hire Microsoft staffers to continue supporting an operating system that they wrote last century.

How can you avoid paying such a high price? Simple – keep ahead of the game.

Your asset management team should be tasked with knowing when products are going to cross phases of support during their lifecycle – the page for Microsoft is easy to find at – and should kick-start projects to upgrade your systems before they head into the sunset. Remember that it may take up to a year or two for your business to test a new operating system for compatibility with existing applications, so that means your projects need to start a year or two before your existing software drops off support.

Then, you’ll never be faced with a security patch that you can’t apply yet, because you’re not on the base version the patch requires as a bare minimum.

Vanishing Point Game, Seattle [Event 4]

17:45 – A couple drives down unfamiliar streets, looking for a place that they only believe is the right venue, based on an ability to throw GPS co-ordinates at Google Maps. [Yes, Google Maps, because I couldn't figure out how to do that with Live Maps - irony.]

17:50 - Arrival at a sign that, in the near-dark, appears to read “Gasworks Park – Park Closed”. The closing times are in such small print that we don’t see them until leaving the car park.

17:55 – With no great “throng” to follow, because the park is actively in use by joggers, dog-walkers and various people taking their children out to play, we settle on heading for the light – the bright light, illuminating the gasworks.

18:00 – Settled into the crowd of what looked to be over a hundred geeks, you see me shiver with antici—pation. Or is that the cold? Out on the lake, there’s a couple of barges, and police cruisers scuttling around. The elemental theme is correct, then – Las Vegas was “water”, with the Bellaggio fountains; Miami, Sydney, Phoenix, LA were “air”, with the sky-writing; London, Berlin, Toronto, San Francisco, Singapore were “earth”, with images projected onto buildings; Seattle is to be “fire” – the only reason (other than dredging) that I can imagine having a couple of barges that size in the middle of the lake, with police cruisers warning everyone away, is fireworks.

18:05 (or thereabouts) – The screen crackles into life, and Loki appears on screen, giving her usual combination of waffle and puzzle clues. Finally, she points stage-left, and a rocket shoots from her fingertips. [On the video, it doesn't look like that, but in real life, man, that rocket came right out of her finger]. Then the fireworks begin.

You want to see the fireworks? Oh, my word, those fireworks made it so worth going! Okay, the fireworks can be found at – login, or register if you haven’t (and let them know that sent you!)

Then, after the fireworks end, a number of people waving flashlights direct us out to the car park, where a half-dozen buses are waiting. Apparently, there was a little over-estimating done of how many people would turn up! It wasn’t the weather’s fault – a beautiful day, followed by a cold, but dry, night should allow plenty to show up, but I guess the game is too geeky and not spread well enough through the wide world of blog. Even some of the geeks that I invited to come along didn’t think it was worth playing the game to show up.

Inside the buses, all is dark, all is warm, and all is geeky as three or four people have already opened their laptops – yes, there are people geeky enough to bring laptops to this event.

The windows on the bus are covered over with brown paper, so that we can’t see where we’re going – it turns out not to be too far, though. A couple a few rows behind us reveal that they have no idea what’s going on, they were just out walking in the park, and thought they’d come along – so much for the required invite!

The bus drops us off at our mystery location – which, the sign outside informs us, is the Fremont Studios (so much for the mystery). A strobe light welcomes us in, as we enter what looks vaguely like a hallowe’en party – black everywhere, iron gates, ribbons of black cloth draped over the doors as we walk through.

Inside the theme of deaths and disappearances continues - Elvis is here, in a Hawaiian shirt (and telling people to play checkers), and so is Amelia Earhart. There’s also a Dodge Aspen that crashed into a tree on Mulholland Drive, with a dark-haired woman in glasses and a hat standing outside the car telling everyone how awful it is that she has crashed. Apparently this is a reference to a movie I haven’t seen.

Over to the sides are ice sculptures, one of a Windows Vista logo, the other of AMD. Another ice sculpture serves as the bar, with the Vanishing Point title between two columns that support the counter. Ice sculptures … vanishing … yeah, I get the picture.

Aeroplane parts are strewn around the floor, along with a number of columns (how many? I’m not telling – maybe it’s part of the puzzle!), some distressed chandeliers and overturned candle holders.

Other items around the place – a number of hard-back books by Tom Clancy (did he die? Or is the message here that the book is dead?), some LP records (look it up on Wikipedia, kids!), cassette tapes of MC Hammer (which died first, the cassette tape or MC Hammer’s career?), reel-to-reel tapes, a Smith-Corona Coronet typewriter, a 15″ CRT monitor, a mouse (with balls – hence ‘dead’, but with USB cable, so not that dead) and a wired keyboard (again, a PS/2 connector – not that dead, they should have looked a little harder to find one with an AT connector!)

A number of laptops are set up (running Vista, of course) on one of the tables, clearly so that you can play the various puzzles that are now available. A number of people head straight for them.

I’m not sure that there’s any irony in associating a new version of Windows with plane and automobile crashes.

The weirdest thing is on the way to the rest-rooms, though. Some kind of tree-person – obviously a permanent fixture at the studio, and nothing to do with the competition – or is it?

If you think it’s part of the puzzle, maybe you’ll be interested to note that the troll has two orange frogs, one green frog, and a ladybird crawling on him. And a surfboard planted in the ground next to him.

It was a great evening, and the only thing I was hoping for that didn’t happen was some kind of presentation – even if it’s just a guy standing up at the front, telling us to enjoy the food, and that we’re here to celebrate the launch of Windows Vista. Especially if they could bring in Steve Ballmer, who my wife has been longing to meet for years. Maybe we didn’t stick around long enough, though.

So, have fun playing the game, and next time Microsoft invites you to a free event, try to make it there!

[I ran into people from as far afield as Indiana and Florida, so clearly there's no excuse!]

How to send a close_notify at the end of an SSL connection

One of the more confusing parts of writing code to correctly work an SSL connection is the final act – the closure.

Here’s how to do it in Windows’ SChannel:

    // phCtx is the pointer to the context handle you’ve already been using for SSL.
static DWORD dwshut=SCHANNEL_SHUTDOWN; SecBuffer sbshut={sizeof(dwshut), SECBUFFER_TOKEN, &dwshut}; SecBufferDesc sdshut={SECBUFFER_VERSION,1,&sbshut}; DWORD sec_ret; sec_ret=s_pSecFuns->ApplyControlToken(phCtx,&sdshut); ASSERT(secret==SEC_E_OK); // You’ll want to do better handling than just “assert”. DWORD dwSSPIFlags=ASC_REQ_SEQUENCE_DETECT | ASC_REQ_REPLAY_DETECT | ASC_REQ_CONFIDENTIALITY | ASC_REQ_EXTENDED_ERROR | ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_STREAM;
DWORD dwOutFlags=0; sbshut.BufferType=SECBUFFER_TOKEN; sbshut.cbBuffer=0; sbshut.pvBuffer=0; sdshut.cBuffers=1; sdshut.pBuffers=&sbshut; sec_ret=s_pSecFuns->AcceptSecurityContext(&tls_credhandle,phCtx, 0,dwSSPIFlags,SECURITY_NATIVE_DREP,0,&sdshut,&dwOutFlags,NULL);

At this point, you’ll need to send the contents of sbshut.pvBuffer (length is in sbshut.cbBuffer) in the stream (after anything else encrypted you’ve queued up), because it contains the close_notify message. You’ll likely have to read – and decrypt – more response back from your peer, checking for it to either close the stream, or send a matching close_notify.

[The documentation for DecryptMessage online at Microsoft's MSDN now correctly describes how to recognise and react to a peer's close_notify alert.]

After verifying that you’re receiving a close_notify from the other end, you’ll be in a loop with AcceptSecurityContext, responding to the peer, and sending what AcceptSecurityContext tells you to, until ASC (as we insiders call it) returns SEC_I_CONTEXT_EXPIRED or SEC_E_OK.

SSL development gotchas.

There are two behaviours in SSL that seem to catch out a number of people.

The first is the use of close_notify.

close_notify is an operation in SSL that terminates the SSL session, providing a definite end to the stream that is being protected. As it provides an HMAC summarising the entire communication so far, it’s a solid, reliable record that your stream has not been interrupted in its journey to you, and that you have received the entire stream.

Consider close_notify to be an essential part of the stream, when you’re writing a stream, but think carefully about the possibilities when reading the stream.

In many protocols, there is some other component of the stream that can already indicate an end, and the HMAC protecting that component (which SSL considers to be simply data) can be relied upon to indicate that you have not been interrupted by evil-doers. HTTP, for instance, sends either a byte count, or uses chunked-encoding, where each chunk is counted. As a result, the close_notify doesn’t tell you anything more than you already know about the stream - it has finished. So, a lack of close_notify in an HTTPS stream, while a sign of technically poor SSL development, is not a fault in the use of SSL.

FTPS, on the other hand, is a different beast – data transfers under FTPS, if they are protected by SSL, start at the beginning of the SSL session, and finish at the end of the SSL connection. SSL connections can terminate either with a close_notify, or with a TCP FIN – closing the underlying stream. SSL’s design assumes that the TCP FIN can be forged – and indeed, so it can, in many environments. So, for a protocol like FTPS, a close_notify should really be treated as essential – though the last time I looked, out of a dozen FTPS clients I tried, only one actually sent the close_notify at the end of the upload.

Here’s a link to “how to send a close_notify at the end of an SSL connection“.

The second ‘gotcha’ is how to correctly handle client certificates.

An SSL server always has a certificate that it uses to identify itself. A client might have one or several certificates. Client certificates are requested by the SSL server if the SSL server wants them; in some cases, an SSL server might be able to accept that the client has no certificate.

For instance, going back to FTPS again, a connection to the FTPS server might be authenticated by certificate exchange, or – after the SSL session has been initiated – by using a username and password. Remember, sending a user name and password over SSL means that they are protected from snooping by everyone except the FTPS server administrator. So, an FTPS server might very reasonably ask for a client certificate, but not mind if the client hasn’t got one.

If a server can accept a certificate from the client, the only way it can indicate this is to ask for mutual authentication. Some clients are coded with the idea that a request from the server for mutual auth is actually a requirement for mutual auth, and they will throw up an error if they don’t have a client certificate, or the user hasn’t selected a certificate to use.

This is incorrect behaviour – if the client has been asked for a certificate, but cannot provide any, it should simply respond with a list of certificates that is empty. This only becomes an error condition if the server requires at least one certificate from the client.

ScreenSaverGracePeriod – how fast can you cross a training room?

We’re faced with an issue where presenters are losing their train of thought mid presentation because their slides are covered up by the screensaver – this would not be a significant problem, except that by the time they get back to wiggle the mouse, the workstation has been locked, and they have to type in their password again.

Clearly, we can’t make presenters use a machine without workstation locking on the screensaver, or these machines would be accessible for hours under potentially “privileged” accounts. [Note that privilege includes social privilege here - if a VP is presenting, even if they're a restricted user in Windows, any email that comes from them is treated like the word of %deity.]

And I didn’t want them finding their own solution (like the “Brandenberg Concerto” solution, where you simply play the Beethoven clip in Windows Media Player, put it on loop, mute the Media Player, and then minimise it), that might simply disable or prevent the screensaver completely, thus avoiding any chance of lockout.

So we found a really creative solution – ScreenSaverGracePeriod.

This is a registry setting – under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon – that controls how long you have after a screen saver goes active, to wiggle the mouse and get back to your presentation without encountering the workstation lock. [You've probably noticed already that you can wiggle the mouse quickly and not have to re-enter your password.]

It’s only a little unfortunate that the documentation incorrectly describes this as a REG_DWORD setting – our own testing shows that it has to be a REG_SZ, even though the contents are a number, describing the number of seconds ‘grace’ you want. You can use decimal, or hexadecimal if preceded by “0x”.

[Aside - why do Microsoft's programmers do this? Surely it's more effort to extract the string and convert it to a number, than have it stored as a number in the first place!]

Note that setting the ScreenSaverGracePeriod to 0 does not disable the workstation lock, it forces it to happen at any point the screensaver goes active, no matter how fast you are. The maximum value is 2,147,483 – seemingly a random number, until you realise that if you express it in thousandths of a second, it’s the largest number that can be expressed in a four byte signed integer.

VanishingPoint VIP Party – am I invited?

So, I found some time this week to play the Vanishing Point Game that Microsoft has been using to promote Vista‘s launch.

If you like puzzles, it’s really worth playing this, although I will have to admit there were a couple of places where I cheated collaborated with other players, who have posted hints and even -gasp- answers on the Vanishing Point Wiki. [I'm not linking to the Wiki because, let's face it, if you can't find it, you aren't going to enjoy any of the puzzles or puzzle-themed events.]

I am smart enough to figure out on my own that there’s a local event this Saturday, and even to send a request for an invite to the “VIP Party” afterwards. But I didn’t get a response. I’ve seen a couple of blog comments that indicate the same, and noone has yet posted that they have received a response.

Maybe the “Vanishing Point” is the email account you send your request to? It certainly seems to have made my request vanish!

Never mind, I’ll be at the Vanishing Point event this Saturday in Seattle, and I hope I’ll be at the VIP party afterward.

[Please comment below if you have actually received a response from the VIP invite email address!]

Stupid crime does not pay.

A lovely little story from the BBC this week – here are a couple of choice phrases to give you the flavour:

Fourteen GPS tracking systems were stolen last week from a warehouse in Babylon, New York. They were to be used to help the city council track lorries.

Police remotely activated the systems after the theft which lead them to the home of one of the alleged culprits.

“The GPS device is quite beneficial when we are looking for something,” said Inspector Robert Casagne.

For their next daring raid, might I suggest that these Napoleons of crime should try breaking into a a police station (armed with a pepper mill and a rolled-up copy of the Beano, of course), and try to steal a police car instead? That has to be far smarter.

Trying to deploy an Outlook add-in

Even us grizzled security professionals occasionally have to give up when faced with a pile of security so incomprehensibly bizarre as to make life seem impossible.

Recently, a member of our Security Council asked the simple question “instead of having us manually forward email to the junk mail filters, can we have a button that automatically forwards our currently selected messages as false negatives?”

When I heard of this, my natural inclination was “sure, I’m not doing anything terribly interesting or important with my few minutes of spare time a day – how hard could it be?”

I should slap myself every time I say “how hard could it be?” – although this phrase has often brought me my best achievements (WFTPD came from “this piece of crap FTP server [WinQVT/Net] crashes every time a second user logs on – how hard could it be to write a working FTP server?”), it’s also brought on some of the hardest challenges. WFTPD took a solid six months before it was remotely usable, and a few years to get to its current state, including a three month period just trying to get SSL working.

In this case, of course, I said “how hard could it be – looks like it’ll be really easy in .NET”.

So, I spent two hours writing the add-in in C# .NET.

And the following three weeks trying to figure out how to deploy it.

There were pre-requisites and requirements, updates to install, KB article patches to fetch, and then I had to write or download an extra setup custom action to add my add-in to the Code Access Security using CASPOL.EXE.

Yuck. I mean, don’t get me wrong, CASPOL’s a wonderful idea – that you can list what behaviours a program is allowed to have, that’s really powerful. Unfortunately, it’s also difficult, and prone to making it so difficult that the whole project got canceled.

Fortunately, I’m not a one-trick pony. I canceled the .NET project, sure, but I got to looking at Microsoft’s Outlook Junk Mail button – Steve Riley pointed it out recently – and I noticed that it’s written as a straight COM component using C++.

So I do the same. It’s slightly longer to develop – perhaps six hours, because I’m really not familiar with COM, and I make a few beginner mistakes. But to deploy – it’s a simple case of copy the file, run regsvr32, and away we go – a perfectly operating (if possibly a little unsecure) Outlook add-in.

Can anyone tell me why I should have persevered with the .NET version?

Or better still, how I should have done it more easily?

Visual Studio 2005 SP1 recommends /what/?

Visual Studio 2005 SP1 recommends running as administrator

That’s a great way to ruin a message that several of us have been trying to push for several years – the suggestion here is that you should be an administrator because some of the things that you may want to do might require administrative privilege.

That’s like suggesting you should turn up for your job in overalls, in case you have to fix the plumbing – when it is not your job to be the janitor.

Yes, some tasks require that you are an administrator. SOME tasks.

Can you develop a .NET program without being an administrator? Yep.

Can you develop a Windows Service without being an administrator? Surprisingly enough, yes. Install and test it – no, but then again, you can test much of the functionality of a service-targeted program without running it as a service. [All of my services run as console-mode programs when I'm testing and debugging them, so that I can more easily interact with them]

I’m certainly not saying that you can do everything without being administrator – but if you’re developing a program whose primary usage is by non-administrators, you owe it to them to develop it as much as possible without being an administrator.

That way you won’t have to come out with a support document that tells people that they have to make their CFO into a network administrator, or that you have to be an administrator to look at the calendar. If nothing else, it saves you from embarrassment – and with a number of viruses and other malware working from the assumption that you are an administrator, it’s so much safer to be non-administrator as developer and as user.

Vista’s support of UAC and fast user switching makes it really easy to run as a restricted user, with only the occasional switch of context when you need to do something – or some things – administratively.

[Finally, with a nod to administrators, developers don't actually tend to understand how to properly administer a system, just as administrators don't actually tend to understand what's possible or easy to write an application to do.]

Come on, Microsoft – please let’s give the message that running as administrator is the exception, not the rule.