Monthly Archives: June 2007

Wireless PC Lock – part 2

Over the last several days, I’ve been getting more and more requests for my updated Wireless PC Lock software that I described way back last year.


Possibly, it’s because of stories like this one:


At New York-based Big Four accounting firm Ernst & Young, the security department confiscates laptops if they are unlocked when not in use, say employees (who wish to remain anonymous). To reclaim the confiscated PCs, workers must explain why they forgot to lock their machines and then they get a quick refresher course in security. These employees say they dread that walk to IT, so many have gotten better at remembering to lock them.


Well, that’s a really amusing story, and I will confess that at my workplace, any workstation found unlocked tends to be used to invite the rest of the team out for lunch – you don’t forget to lock your workstation too often [whether that's because lunch for a whole team is expensive, or because you just don't want to have to spend an hour with your colleagues, is beyond me].


I work in a physically-secured building, where RFID cards have to be used to get in and out, but the problem of locked workstations is still an important one to us – the data that I can access is quite different from the data that can be accessed by the people across the hall, or by the people in other buildings. And if any inappropriate data access occurs from my workstation under my account, it’ll be my job that’s on the line – nobody’s going to try dusting for fingerprints to check that it wasn’t me.


So, I like to have an ‘insurance policy’ against forgetting that simple Windows-L keystroke. My insurance policy is the Wireless PC Lock, which detects when I get up and walk out of range, locking my computer if I haven’t already done so.


The crap software that comes with the Wireless PC Lock is a problem, though. It has to be installed, which I don’t want (because I’m a restricted user); it doesn’t really lock the workstation (it puts up a full-screen bitmap of dolphins); it unlocks the workstation when you get back in range (even when you’re on the other side of a wall); etc, etc.


So, I decided it would be handy to have some replacement software that could be installed / used on a per-user basis. For the first release, this is strictly personal software – there’s no install. You copy the EXE into place, and run it from startup.


Insert the USB stick into your system and away we go. Right-click the new icon in your system tray (it looks a little like the transmitter fob on my unit – yours may be different), and choose to register with your fob.


The program will ask you to turn the fob off and then on again, so that it knows whose fob to lock against; once you have this set, that may be all the configuration you need to do – but of course, I have added configuration for the timeouts.


And, if you go and visit your Windows sound schemes, you’ll find there are additional sounds for the Wireless PC Lock, allowing you to hear when you’re about to get locked out by an absence of wireless fob.


Obviously, this is a real lock of your workstation that’s going to happen, so you will, yes, have to type in your password every time you come back to your workstation – your fob carries a two-byte code, which is not nearly difficult enough to hack to make it a valid logon protector. Sorry.


If you lose your fob, or your fob loses batteries, don’t worry – you can use your password to unlock, as usual, and then once you’re unlocked, the Wireless PC Lock software won’t activate again until it registers the presence of your fob again. Just remember that the Wireless PC Lock is a convenience measure, and is a “backup” against you forgetting to press Windows-L to lock up your machine when you’re walking away from it.


I’ve attached a zip file containing the Wireless PC Lock application – please let me know what you think of it!
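The lock-and-recover behaviour described in this post, written out as an added example: it is not the Wireless PC Lock software itself, and none of it comes from the zip. The fob radio is simulated by `on_beacon()` calls carrying the fob's two-byte code, the lock is a callback (on Windows that would be `LockWorkStation()` via ctypes), and every code and timing below is constructed.

```python
"""Presence-lock state machine for a wireless fob (illustration, not the real software)."""
from enum import Enum, auto


class State(Enum):
    UNREGISTERED = auto()   # no fob learnt yet
    ARMED = auto()          # fob in range; lock after it falls silent
    WARNING = auto()        # fob silent for warn_timeout; "about to lock" sound played
    LOCKED = auto()         # we locked the workstation; only the password unlocks it
    SUSPENDED = auto()      # unlocked by password with no fob around; stay off until the fob is seen


class FobLock:
    def __init__(self, warn_timeout=10.0, lock_timeout=20.0, lock_fn=None, sound_fn=None):
        self.warn_timeout = warn_timeout
        self.lock_timeout = lock_timeout
        self.fob_id = None
        self.state = State.UNREGISTERED
        self.last_seen = None
        self.log = []                                     # what we would have done
        self._lock = lock_fn or (lambda: self.log.append("lock"))
        self._sound = sound_fn or (lambda name: self.log.append("sound:" + name))

    def register(self, before, during, after, now):
        """Registration: the user turns the fob off, then on.  The fob is the code seen
        before and after but not during the gap.  A two-byte code is only 65,536 values,
        so other fobs sharing the air have to be filtered out, not trusted."""
        candidates = (set(before) & set(after)) - set(during)
        if len(candidates) != 1:
            raise ValueError("fob not identified unambiguously: %r" % sorted(candidates))
        (self.fob_id,) = candidates
        self.state, self.last_seen = State.ARMED, now

    def on_beacon(self, code, now):
        if code != self.fob_id:
            return                                        # somebody else's fob, or noise
        self.last_seen = now
        if self.state in (State.ARMED, State.WARNING, State.SUSPENDED):
            self.state = State.ARMED
        # LOCKED stays LOCKED: coming back into range never unlocks, unlike the vendor software

    def tick(self, now):
        """Called on a timer; applies the two timeouts."""
        if self.state in (State.ARMED, State.WARNING):
            silent = now - self.last_seen
            if self.state is State.ARMED and silent >= self.warn_timeout:
                self.state = State.WARNING
                self._sound("about_to_lock")
            if self.state is State.WARNING and silent >= self.lock_timeout:
                self.state = State.LOCKED
                self._lock()
        return self.state

    def on_session_unlocked(self, now):
        """Windows told us the user typed their password.  Re-arm only if the fob is
        actually around; otherwise (lost fob, flat battery) stay out of the way."""
        if self.state is State.LOCKED:
            present = now - self.last_seen < self.warn_timeout
            self.state = State.ARMED if present else State.SUSPENDED
        return self.state


def walk_through():
    """Constructed scenario: register, walk away, get locked, come back with a flat
    battery, unlock with the password, replace the battery, walk away again."""
    lk = FobLock(warn_timeout=10.0, lock_timeout=20.0)
    lk.register(before={0x1A2B, 0x0042}, during={0x0042}, after={0x1A2B, 0x0042}, now=0.0)
    for t in (2.0, 4.0, 6.0, 8.0):
        lk.on_beacon(0x0042, t)          # the neighbour's fob: ignored
        lk.on_beacon(0x1A2B, t)          # ours: keeps us armed
        lk.tick(t)
    warned = lk.tick(18.0)               # silent 10 s: warning sound
    locked = lk.tick(28.0)               # silent 20 s: workstation locked
    lk.on_session_unlocked(100.0)        # password typed; fob battery flat, so no beacons
    suspended = lk.tick(200.0)           # no re-lock while suspended
    lk.on_beacon(0x1A2B, 300.0)          # fresh battery: fob seen again, re-armed
    relocked = lk.tick(330.0)            # and the lock works again
    return {"warned": warned, "locked": locked, "suspended": suspended,
            "relocked": relocked, "log": list(lk.log)}
```

The one rule worth noticing is in `on_beacon`: a beacon can move the machine from SUSPENDED or WARNING back to ARMED, but never out of LOCKED. The fob is a reason to lock, never a credential to unlock.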

Security Expert Chat – Thursday 6/21/2007, 4pm PDT

Technet’s brief description for a chat this Thursday (June 21st) at 4pm PDT:


Q&A with the Security MVP Experts
We invite you to attend a Q&A with the Microsoft Security MVPs. In this chat the MVP experts will answer your questions regarding online safety issues such as phishing, spyware, rootkits as well as server related topics. If you have questions on how to protect your PC, please bring them to this informative chat.


Here’s a link to the calendar invite for those of you running Outlook, and on the day, at the time, you can click here to enter the chat room.


Why am I linking to it? Because I’ve been invited along as one of the “Security MVP Experts” – bring along your questions and concerns, and we’ll try our very best to answer them.


For other Technet related chats, click here.

Context menus not working in Vista?

I spent a while the other day trying to figure this one out.

Under “Start”, I have a ‘pinned’ Command Prompt item.

I can’t get a context menu (aka “right-click menu”) to appear when I right-click on this Command Prompt.

I can right-click on the Command Prompt choices that appear if I search for Command, or navigate under Accessories, so I know that right-clicking is available in general.

The answer is a simple setting, as it so often is, and certain people should feel ashamed that they didn’t think of suggesting it.

Right-click the “Start Orb”, select “Properties”, and then on the “Start menu” tab, next to the “Start menu” radio button, click “Customize…”.

Under “Customize Start Menu”, if you scroll down a page, you’ll see the setting “Enable context menus and dragging and dropping”. If this is unchecked, then the pinned items will not work with a right-click.

[Screenshot: the Customize Start Menu dialog]

Which raises the question … why was I able to right-click (context menu) on the items in the start menu when this feature was unchecked? It really doesn’t seem a terribly useful feature if I can get around it by navigating through the “All Programs” option in order to get to the Command Prompt and load up the context menus that you’ve told me I can’t have.


Testing Live Writer Beta 2

Live Writer Beta 2 has new features, including:

Support for real tables

[But where are the cell borders I asked for?]

[Image: the ribbon for autism] Support for pictures in Community Server (without having to load the Community Server Gallery plugin)

Plus the expected support for multiple languages, more help, more options and a speling cheker.

This makes it substantially easier for me to write my blog entries offline – now all I need to do is find some time offline, as well as a few clip-art images to use.

[If you're wondering why I'm happy to be offline, consider that it gets really slow to preview your work when you have to go online just to insert a graphic, and that it's difficult to remain online if you're on a bus.]

I have only been using Live Writer Beta 2 for a few minutes, and I can already say it feels quick and light, perfect for the way I blog. Time will tell if it eventually gets weighed down with too many features, online requirements and so on to be of any use.

Can’t I trust the Postal Service? Part 3 – the service.

Finally, in this series on the USPS “Hold Mail” service, I’d like to address the service itself.

When you request to hold mail, you provide your name and the address of the mailbox whose mail you want to hold.

You read the text that says that you agree that you are authorised to hold mail for that address, and you press “Continue”.

If I were to submit that process as a technical standard for holding email, I would be refused inside of a minute.

Where’s the check?

The only check is that you’re not daring enough to submit the request on someone else’s mailbox. There’s some strength to this, because if you are found out, there’s the possibility of fines or jail time. But if it’s worth it to you to block mail to a recipient, you don’t need any level of sophistication to do so.

And if you’re the unfortunate recipient of this denial-of-service attack? You can remove the hold online or by phone – if you have the confirmation number that was given to you when you booked the hold. Ah, but you didn’t book the hold, so you don’t have the confirmation number; you have to visit your local post office with valid ID.

This is just great for an identity thief – if I steal your wallet, with all your identifying information, I can also stop you from receiving and verifying your credit card bill, at least until you can get some replacement identification. Aha – and how do you get replacement identification? You can visit the DMV for a new Driver’s Licence, but they will insist on mailing your identity to you. D’oh!

How can this be fixed?

Well, the hold mail service already requires 3 days of advance notice. Why not use those 3 days to send a little postcard to the address for which a hold is requested? Include a unique confirmation number on it, and ideally, don’t start holding mail until the recipient of that mail, the guy with the key to the mailbox, has positively responded, either online, by phone, or in person, that he does indeed want his mail held, by revealing the unique confirmation number.
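The as-is flow and the postcard-confirmation fix described above, side by side, as an added example; this is not USPS code. The mail stream, the addresses, the requester names and the confirmation codes are all constructed. The point it makes is where the only secret goes: to whoever clicked “Continue” in the current flow, to the mailbox itself in the fixed one.

```python
"""Hold-mail request flow: as described vs. with postcard confirmation (illustration only)."""
import secrets
from enum import Enum


class HoldState(Enum):
    PENDING = "pending"          # postcard mailed; nothing held yet
    ACTIVE = "active"            # mail is being held
    CANCELLED = "cancelled"


def deliver(mailboxes, address, item, is_held):
    """Stand-in for the mail stream: the item lands in the mailbox unless a hold is active."""
    if is_held(address):
        return False                            # kept at the post office
    mailboxes.setdefault(address, []).append(item)
    return True


class NaiveHoldMail:
    """As the post describes it: name, address, Continue.  The only secret is a confirmation
    number, and it is handed to whoever clicked, never to the mailbox holder."""
    def __init__(self):
        self.holds = {}                         # address -> confirmation number
    def request_hold(self, requester, address):
        self.holds[address] = secrets.token_hex(4).upper()
        return self.holds[address]              # mail is held from this moment on
    def is_held(self, address):
        return address in self.holds
    def cancel(self, address, number):
        if self.holds.get(address) != number:
            return False                        # otherwise: a trip to the post office with ID
        del self.holds[address]
        return True


class ConfirmedHoldMail:
    """The proposed fix: mail a unique code to the address during the 3-day notice period
    and start holding only when someone with the mailbox key quotes it back."""
    def __init__(self, mailboxes):
        self.mailboxes = mailboxes
        self.holds = {}                         # address -> [state, code]
    def request_hold(self, requester, address):
        code = secrets.token_hex(4).upper()     # 32 random bits, not a sequential number
        self.holds[address] = [HoldState.PENDING, code]
        deliver(self.mailboxes, address,
                "postcard: hold requested by %s, code %s" % (requester, code), self.is_held)
        return HoldState.PENDING                # nothing secret goes back to the requester
    def is_held(self, address):
        return address in self.holds and self.holds[address][0] is HoldState.ACTIVE
    def _code_ok(self, address, code):
        return (address in self.holds and isinstance(code, str)
                and secrets.compare_digest(self.holds[address][1], code))
    def confirm(self, address, code):
        if not self._code_ok(address, code) or self.holds[address][0] is not HoldState.PENDING:
            return False
        self.holds[address][0] = HoldState.ACTIVE
        return True
    def cancel(self, address, code):
        if not self._code_ok(address, code):
            return False
        self.holds[address][0] = HoldState.CANCELLED
        return True


def latest_postcard_code(mailboxes, address):
    """What the person with the mailbox key does: read the code off the newest postcard."""
    for item in reversed(mailboxes.get(address, [])):
        if item.startswith("postcard:"):
            return item.rsplit("code ", 1)[1]
    return None


def scenario():
    """Constructed walk-through: the holder of a stolen wallet requests a hold on the victim's address."""
    victim = "10 Example Street, Anytown"
    naive, naive_boxes = NaiveHoldMail(), {}
    naive.request_hold("wallet thief", victim)
    naive_bill_arrived = deliver(naive_boxes, victim, "credit card bill", naive.is_held)
    naive_victim_cancel = naive.cancel(victim, "0000")         # victim has no number to quote

    boxes = {}
    fixed = ConfirmedHoldMail(boxes)
    fixed.request_hold("wallet thief", victim)
    fixed_bill_arrived = deliver(boxes, victim, "credit card bill", fixed.is_held)
    thief_confirm = fixed.confirm(victim, "GUESS0000")        # the postcard went to the mailbox, not the thief
    victim_cancel = fixed.cancel(victim, latest_postcard_code(boxes, victim))   # victim reads it and says no
    fixed.request_hold("victim, going on holiday", victim)     # legitimate use still works
    legit_confirm = fixed.confirm(victim, latest_postcard_code(boxes, victim))
    return {"naive_held_at_once": not naive_bill_arrived,
            "naive_victim_can_cancel": naive_victim_cancel,
            "fixed_held_before_confirm": not fixed_bill_arrived,
            "thief_can_confirm": thief_confirm,
            "victim_can_cancel": victim_cancel,
            "legit_confirm": legit_confirm,
            "legit_held": fixed.is_held(victim)}
```

Two design details carry the fix: the code is random rather than sequential, so it cannot be derived from an earlier request, and cancellation takes the same code as confirmation, so the mailbox holder can stop a hold they never asked for without a trip to the post office.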

How can you get this changed?

Write to your congressman, and your local postmaster.

But do be prepared to wait a little for a response – someone may have already put a hold on their mail.

Can’t I trust the Postal Service? Part 2 – the certificate.

In part 1 of this mini-series, I talked about how the US Postal Service had deployed only part of the certificate that they had bought, and that this resulted in either an irritating dialog (in IE 6, and other browsers), or a page that warned you not to go farther (in IE 7).

I’d like to reiterate my advice that when you see a certificate problem, you should not continue to the web site. Again, the certificate problem warnings indicate that the site has failed to prove to you that they are who they claim to be. At that point, you say “I cannot trust the web site – I must use the brick-and-mortar store, or the phone”, and you don’t carry on into the web site.

[I asked the same question of an Internet Explorer presenter at Tech-Ed (Markellos Diorinos), and he gave the same answer - unless you are the owner of the web site, or a security researcher, don't try and debug certificate errors, just assume you cannot trust the site and walk away. Remember, it's not about trusting or not trusting the Postal Service, it's about how you deal with the site to which you've connected, which has claimed that it can identify itself as the Postal Service, and then singularly failed to do so.]

Now we go to the next step – looking at the certificate that is in use.

I was surprised to see the following item appear in the certificate’s details:

So, this isn’t a certificate for just the web site in question – this is a certificate for any web site in the usps.gov domain.

Okay, this is a technically valid certificate – but is it good security?

I’m not sure that I can go quite as far as to say “no”, but it’s certainly something I would shy away from.

Why?

  • Purchase cost
    It costs a lot more to get a wildcard certificate than it does to get a single host certificate.
    Not quite as much as to get a certificate authority certificate, but definitely significantly more, so that it only makes financial sense if there’s something that you absolutely cannot do without using a wildcard certificate.
  • Deployment cost
    When you use a wildcard certificate across several sites within your domain, you have to give that wildcard certificate to all site administrators, or install it for them on all sites within your domain. This means that the administrator of one of your secure sites is a huge step closer to being able to spoof any of your secure sites.
  • Increased attack surface
    Several of your sites are now sharing the same private key; if someone attacks one site successfully, they can now pretend to be any of your other sites.
  • Revocation cost
    Say the worst happens, and you discover that the private key has been exposed to unauthorised parties – not necessarily through an external attack, but possibly because the administrator of one of these sites has left your employment; you now want to revoke the key – so again, you have to re-deploy the new certificate to all of your web sites and administrators.
  • Third-party hosting
    Large companies like the Postal Service often outsource the development and hosting of web sites. When you give a third party a certificate for the site they are hosting, you really don’t want them to be able to spoof others of your sites. That’s part of the point of certificates.

There are doubtless some other good reasons why wild-card certificates might be bad. Why would you use them, then?

  • Purchase cost
    While a wildcard costs more than a single certificate, beyond some number of sites (depending on your CA) it is cheaper to buy one wildcard certificate than multiple individual certificates.
  • Small business
    If you’re a small business, where you are the sole administrator for a dozen websites under your domain, the cost of deployment is the same for a wildcard certificate as for a single certificate.
  • Server co-hosting
    Again, possibly more for small businesses, if you are running several web sites on the same IP address and port combination, you can only give out one certificate when people connect. This may require a wildcard certificate, although this is generally a suggestion that you either separate these sites out to their own IP addresses, or treat them as a single host with multiple applications. Wildcard certificates don’t help with cross-domain server co-hosting.
  • Certificate management
    It’s easier to maintain a backup copy of one key than a dozen.

Quite frankly, I don’t think any of these arguments really outweigh the risks. Maybe you will, or maybe there are some reasons that I haven’t given – what’s your take on wild-card certificates? Is there something I’ve missed, either for or against?
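An added example, not the Postal Service’s code or any browser’s, of what a wildcard name actually covers and of the key-sharing consequence from the lists above. The matching rule follows the convention browsers apply (RFC 6125 style): the “*” stands for exactly one left-most label. The site inventory and the administrator names are constructed; only the usps.gov domain comes from the post.

```python
"""Wildcard certificate name matching and the blast radius of one shared private key."""


def wildcard_matches(pattern, hostname):
    """True if a certificate name (exact, or a '*.' wildcard) covers hostname.

    Rules as browsers apply them:
      * the '*' may only be the whole left-most label;
      * it matches exactly one label, so '*.usps.gov' covers 'www.usps.gov'
        but neither 'usps.gov' nor 'a.b.usps.gov';
      * at least two labels must follow the wildcard ('*.gov' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".usps.gov"
    if suffix.count(".") < 2:                 # "*.gov" would cover a whole top-level domain
        return False
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def exposure(cert_names, inventory):
    """Which hosts one certificate (hence one private key) speaks for, and who therefore holds
    a key that can impersonate every one of them: every administrator of a covered site."""
    covered = sorted(h for h in inventory if any(wildcard_matches(n, h) for n in cert_names))
    return {"covered": covered, "key_holders": sorted({inventory[h] for h in covered})}


# Constructed inventory: host -> who administers it (the domain is the post's; the hosts are invented).
INVENTORY = {
    "www.usps.gov": "web team",
    "holdmail.usps.gov": "hosting contractor A",
    "careers.usps.gov": "hosting contractor B",
    "usps.gov": "web team",
    "dev.lab.usps.gov": "developers",
}

if __name__ == "__main__":
    print("wildcard:", exposure(["*.usps.gov"], INVENTORY))
    print("single  :", exposure(["www.usps.gov"], INVENTORY))
```

Run against the constructed inventory, the wildcard entry shows three hosts sharing one key and three separate parties holding it, while the single-host certificate shows one host and one key holder; that difference is the deployment and revocation cost from the list above, made countable. Note also that `usps.gov` itself and the two-level `dev.lab.usps.gov` fall outside `*.usps.gov`, so a wildcard does not even remove the need for further certificates.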

Did you guess the Tech-Ed theme yet?

When I first arrived, I thought it was “finger painting”, because of the logo.

But now, after spending a week here, I realise that it’s “Weight Management”.

Interesting sessions are frequently posted on one, then the other, side of the building, with no way to go but down the stairs (or escalators, when they’re working), across the length of the main hall and expo floor, then back up the next set of stairs.

Finally, today’s lunch (the last lunch at Tech-Ed is always pretty poor food) ran out. Completely expired, with hundreds of starving techies waiting to eat.

Not a pretty sight.

When food finally did come, it was “fried vegetables in a bun”.

Now, granted, some of us might need to lose the weight…

[Let the flood of diet pill spam comments commence.]

Steve Riley at TechEd

Okay, so everyone attends Steve Riley‘s sessions, and some of them cluster around him wherever he goes at TechEd (at the Spiderman ride at last night’s attendee party, I saw him enter the ride, and the “wait from this point” counter immediately ran up to 45 minutes).

But there’s a reason he’s popular – he speaks to his audience in a very enjoyable and informal manner, he rarely refers to notes or reads from his slides, and he has a lot of good stuff to say. Possibly he has this ability because he isn’t associated with a product group, and therefore doesn’t have to push the latest and greatest piece of software. Whatever the reason, he’s worth going to see.

I managed to catch one of Steve’s presentations, on “Making the Trade-Off: Be Secure or Get Work Done”. This was a great talk, although apparently a number of people have had issues with his discussion of “Security Theatre” at the airports, and in the war on terrorism (it always sounds like “war on tourism” when the President says it, and that does seem like a good description of airport security theatre).

If I had to pick on one complaint about Steve’s session, it would be that I wanted to see a little balance in the first section – while I take Steve’s point that we Security wonks need to talk to business types about the cost savings and/or benefits of implementing security, privacy, integrity and disaster recovery technologies, I think it’s important to re-state what may be obvious to some:

When you’re looking to hire security expertise, make sure that they don’t just want to save money, but they also want to save the world.

If you’re hiring as a security expert someone who only wants to save your company money, that person may be too interested in facilitating the business to consider the privacy of your customers’ data, or to spend an hour making a change that significantly increases security but would take far longer to quantify as a monetary saving. Even if you want to insist that every security change requires a financial report as to its benefits, a security guy who isn’t motivated much by security isn’t going to provide the valuable “devil’s advocate” point-of-view that allows you to truly assess the risk landscape in which you live.

Of course, as Steve’s point was originally supposed to underline, if your security guy cares only about saving the world, and nothing about saving money, you will constantly clash with him about issues where your data simply isn’t worth protecting – where the cost of an exploit or loss is less than the cost of protecting it.

[Is that a scary thought? Yes, it is, at first blush - that somewhere out there is your data, being held and protected by an organisation that says "this data is only worth this much to us, and because it would cost more to secure than to lose it, we don't care to protect it".

But don't panic - there are plenty of safeguards. First of all, your data is generally tied in to hundreds or thousands, maybe millions, of other people. So, the cost of losing your data is essentially the cost of losing the data of your cohorts all combined - lose one, and you've lost them all through the same method. Most loss of customer data is in the thousands to millions of dollars of worth to a company or organisation. Your data is generally safe.]

The bottom line is: when looking for, or training, security staff, try to find someone who wants to be a security superhero, but teach them how to enumerate the benefits of what they’re going to do. There’s always plenty of financially beneficial, security smart changes to be made, so asking him to not make security smart changes that are financially expensive is a matter of prioritisation, rather than one of stopping him from doing security.

Public, Home and Work networks

Here I am at TechEd, and I want to connect back home.

No problem – I can use a VPN, because I have one set up on my server back at home.

[Perhaps that's not normal, but I'm a geek]

Now I want to browse my home network, partly because I want to see what’s on my Media Centre back at home.

Here’s what I get:

So, I want to turn on Network Discovery and File Sharing, yes?

No.

Although all of the traffic I initiate to my home network, and all of the traffic it sends back to me, is encrypted, the key to remember about turning on Network Discovery is that it not only allows you to browse other servers at home, to discover them, but it also allows you to browse other servers on the local network, and does not give you a way to distinguish between them.

So, if I browse looking for servers at home, I may accidentally locate someone’s laptop down the hall from me, which happens to be running a server OS, or simply sharing out its files.

I think, though, that it would be handy to be able to turn on network discovery and file sharing over the VPN connection, rather than for all connections at the same time.

Interesting empty file behaviour in Windows Vista upgrades

Did you upgrade from Windows XP to Windows Vista? Do you turn off Explorer’s “Hide Known File Types” option?

If so, try this:

Right-click on your desktop, select “New” and then “Text File”.

Name your text file “test.cmd”. Approve the prompt that tells you changing the file type might cause your world to stop.

Now try and edit the test.cmd file – right-click it, select “Edit”.

Jesper and I both get the following message:

At the moment, I just can’t think of a good explanation – do you get the same behaviour?

We’ve already discovered that it doesn’t seem to happen if you had a fresh install of Windows Vista, only if you upgraded to Windows Vista from Windows XP.