Monthly Archives: October 2008

FAQ on 2nd Auth

I’ve already received a number of questions about my secondary authentication tool, 2ndAuth. Here are a few answers:

  • You only show it working for Windows Server 2003 and Windows XP – does it work on other platforms?
    Currently, we only support using it for Windows Server 2003 and Windows XP, although it’s possible that it might work on Windows 2000 Server. The technique used certainly won’t work in Windows Vista or Windows Server 2008, but I have plans to make a different version of the same idea that will work there.
  • Is this a custom GINA? Does it work with other custom GINAs?
    This is definitely not a custom GINA, but it ties in to the WinLogon process that the GINA is required to call. As a result, on some custom GINAs, it’s possible that it might not work correctly, if the custom GINA does not call the WinLogon functions in the correct sequence or with the correct desktop visible. So, if you’re finding that it has issues with your custom GINA solution, try it without the GINA to see how it’s supposed to work.
  • Does the secondary authentication prompt occur on all logons?
    The prompt only occurs on interactive logons – these are logons that go through the GINA and WinLogon UI process. That means when you log on using Ctrl-Alt-Del at the desktop, or when you log on from a remote terminal session using Remote Desktop Protocol / Remote Desktop Connection. The prompt does not occur for service logons, batch logons, network logons, or any other non-interactive logons.
    This is a good thing, as it means that you can use 2ndAuth to provide auditing on service account accesses, such that all interactive logons using the service account can be audited – you will finally know who is using that service account to illicitly get domain admin privileges!
  • What are the plans for developing this in the future?
    As I mentioned earlier, a Windows Vista version is definitely on the way. I’m thinking also that we would do well to have a little bit of User Interface to configure the shared accounts, and maybe a help file.
    What do you want to see in the next version of this tool?
    Oh, and of course the other thing we’ll be adding is a fee for its use.
    One other feature I’m thinking of is to expand where the 2nd auth dialog pops up – perhaps there is reason to have it appear when unlocking a workstation.
  • Couldn’t an administrator just disable the 2ndAuth DLL?
    Absolutely. The whole point of this, however, is to keep people honest by making it easy for them to record who’s accessing a shared account. Your administrator could very easily abuse shared accounts with or without this tool, so it’s serving its purpose of making it less likely that a shared account will be used without some form of tracking.
    And there are other tools that will alert you if a critical system file is removed or altered – you can make those tools watch the configuration and DLL for 2ndAuth to make sure that they are not changed.

I was very pleased to see Larry Seltzer at the PC Magazine Security Watch Blogs pick the original posting up – thanks, Larry!

Windows 7 officially has a name

So, what’s the scoop?

It’s going to be called “Windows 7”, according to Mike Nash posting at the Windows Vista Blog.

[Image: Mike Nash. Is it just me, or does Mike Nash look a little like the chef who got into trouble for inflating his resume in the opening credits to “Dinner: Impossible”?]

How sneaky of Microsoft, to fool us into thinking that “Windows 7” was just the code name, when in fact it was also the release name!

Me, I think it’s because there was just no good way to include hints of the code-name in the final release name, like Microsoft have done in the past.

Think about it – “Cairo” spawned “Windows XP” – the Greek letters chi and rho are written: “ΧΡ” (lower-case is “χρ”) (if you don’t have the Greek font, that looks almost indistinguishable from “XP”). I’ll always think of it as “Windows No Parking”.

Windows 6 became Windows Vista – get it, six is “vi” in roman numerals?

So, Windows 7 should have been Windows Viista. Or maybe the name could have made obscure art-house movie references, and been called “A Vee and two ones”. Ah, but anything with VII in it might be perilously close to Intel’s VIIV product (currently residing in our “where are they now” file).

Perhaps this should make us think back to the last time a Windows client operating system was referred to by the word “Windows” followed by its version number – yes, “Windows 7” is designed to hearken back to “Windows 3.11”. Ah, yes, those were the days, indeed.

I can’t wait to see what’s coming in Windows 7, particularly things like Multi-touch support (though I have yet to purchase a system that has even single touch support).

Seven also marks Windows’ transition from an acid into a base.

HTML Help in MFC

I recently got around to converting an old MFC project from WinHelp format to HTML Help. Mostly this was to satisfy customers who are using Windows Vista or Windows Server 2008, but who don’t want to install WinHlp32 from Microsoft. (If you do want to install WinHlp32, you can find it for Windows Vista or Windows Server 2008 at Microsoft’s download site.)

Here’s a quick round trip of how I did it:

1. Convert the help file – yeah, this is the hard part, but there are plenty of tools, including Microsoft’s HTML Help Editor, that will do the job for you. Editing the help file in HTML format can be a little bit of a challenge, too, but many times your favourite HTML editor can be made to do the job for you.

2. Call EnableHtmlHelp() from the CWinApp-derived class’ constructor.

3. Remove the line ON_COMMAND(ID_HELP_USING, CWinApp::OnHelpUsing), if you have it – there is no HELP_HELPONHELP topic in HTML.

4. Add the following function:

#include <htmlhelp.h>   // HH_AKLINK and HH_KEYWORD_LOOKUP; link against htmlhelp.lib

void CWftpdApp::HelpKeyWord(LPCTSTR sKeyword)
{
    switch (GetHelpMode())
    {
    case afxHTMLHelp:
    {
        // Keep the message text in a local CString: assigning a temporary CString
        // straight to pszMsgText leaves a dangling pointer by the time HtmlHelp() runs.
        CString sMsg = CString(_T("Failed to find information in the help file on ")) + sKeyword;
        HH_AKLINK akLink = { 0 };     // zero the struct so pszUrl and friends are NULL
        akLink.cbStruct = sizeof(HH_AKLINK);
        akLink.fReserved = FALSE;
        akLink.fIndexOnFail = TRUE;   // fall back to the index if the keyword is missing
        akLink.pszKeywords = sKeyword;
        akLink.pszMsgText = sMsg;
        akLink.pszMsgTitle = _T("HTML Help Error");
        akLink.pszWindow = NULL;
        AfxGetApp()->HtmlHelp((DWORD_PTR)&akLink, HH_KEYWORD_LOOKUP);
        break;
    }
    case afxWinHelp:
        // WinHelp takes the keyword string through its DWORD_PTR argument.
        AfxGetApp()->WinHelp((DWORD_PTR)sKeyword, HELP_KEY);
        break;
    }
}

5. Change your keyword help calls to call this new function:

AfxGetApp()->WinHelp((long)(char *)"Registering", HELP_KEY);

Becomes:

((CWftpdApp *)AfxGetApp())->HelpKeyWord(_T("Registering"));

6. If you want to trace calls to the WinHelp function to watch what contexts are being created, trap WinHelpInternal:

// Declare the override in the class: virtual void WinHelpInternal(DWORD_PTR dwData, UINT nCmd);
void CWftpdApp::WinHelpInternal(DWORD_PTR dwData, UINT nCmd)
{
    // dwData is a numeric context ID (or a string pointer for HELP_KEY); cast it so
    // the format specifiers are right on both 32-bit and 64-bit builds.
    TRACE(_T("Executing WinHelp with Cmd=%u, dwData=%lu (0x%lx)\r\n"),
          nCmd, (unsigned long)dwData, (unsigned long)dwData);
    CWinApp::WinHelpInternal(dwData, nCmd);
}

This trace comes in really, really (and I mean REALLY) handy when you are trying to debug “Failed to load help” errors. It will tell you what numeric ID is being used, and you can compare that to your ALIAS file.

7. If your code gives a dialog box that reads:

—————————
HTML Help Author Message
—————————
HH_HELP_CONTEXT called without a [MAP] section.
—————————
OK  
—————————


What it means is that the HTML Help API could not find the [MAP] or the [ALIAS] section – even with a [MAP] section present, this message still appears if the [ALIAS] section is missing.

8. Don’t edit the ALIAS or MAP sections of your help file in HTML Help Editor – Microsoft has a long-standing bug here that makes it crash (losing much of your unsaved work, of course) unpredictably when editing these sections. Edit the HHP file by hand to work on these sections.

9. Most of your MAP section entries are automatically generated by the compiler, as .HM files, which hold macros appropriate for the specific control in the right dialog. Simply include the right HM file, and all you will need to do is create the right ALIAS mappings.

10. The MFC calls to HtmlHelp discard error returns from the function, so there’s really no good troubleshooting to go on when debugging access to help file entries.
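The check steps 6 to 9 describe doing by hand (take the numeric ID from the trace, look it up in MAP, then in ALIAS) can be done offline. This is an added example, not code from the original post: the function names are my own, and the [MAP] and [ALIAS] contents are constructed samples in the format makehm and the HHP file use.

```cpp
// Follow a numeric help context ID through the [MAP] section (#define lines, as
// an included .HM file supplies them) and the [ALIAS] section of the .HHP file.
// An empty result is the case that surfaces as "Failed to load help".
#include <cstdint>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>

// Constructed [MAP] section contents (what an included .HM file supplies).
static const char *kMapSection =
    "#define HIDD_ABOUTBOX   0x20064\n"
    "#define HIDC_REGISTER   0x80E10001\n"
    "#define HIDC_ORPHAN     1234\n";   // deliberately has no ALIAS entry

// Constructed [ALIAS] section contents: symbol=topic file.
static const char *kAliasSection =
    "HIDD_ABOUTBOX=about.htm\n"
    "HIDC_REGISTER=registering.htm\n"
    "HIDC_UNMAPPED=missing.htm\n";     // deliberately has no MAP entry

static std::string trim(const std::string &s) {
    size_t b = s.find_first_not_of(" \t\r");
    size_t e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// "#define NAME VALUE" lines; VALUE may be decimal or 0x-prefixed hex.
std::map<uint32_t, std::string> parseMap(const std::string &text) {
    std::map<uint32_t, std::string> ids;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string kw, name, value;
        if (!(ls >> kw >> name >> value) || kw != "#define") continue;
        ids[(uint32_t)std::strtoul(value.c_str(), nullptr, 0)] = name;
    }
    return ids;
}

// "NAME=topic.htm" lines.
std::map<std::string, std::string> parseAlias(const std::string &text) {
    std::map<std::string, std::string> topics;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        topics[trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return topics;
}

// Resolve an ID the way HH_HELP_CONTEXT must: MAP gives the symbol, ALIAS gives
// the topic. Returns "" when either link is missing.
std::string resolveContext(uint32_t id, const std::string &mapText,
                           const std::string &aliasText) {
    std::map<uint32_t, std::string> ids = parseMap(mapText);
    std::map<std::string, std::string> topics = parseAlias(aliasText);
    auto m = ids.find(id);
    if (m == ids.end()) return "";
    auto t = topics.find(m->second);
    return t == topics.end() ? "" : t->second;
}
```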

Let me know if any of these helpful hints prove to be of use to you, or if you need any further clarification.

Weak point against Vista

First rule of demonstrative writing – lead off with an undeniable example of the point you’re trying to make.

Case in point – Dan Lyons’ article in NewsWeek on “A Gloomy Vista for Microsoft”, meant to be a piece defining how bad Vista is.

“Last year I was meeting with the CEO of a PC company who offered to give me a demo of his company’s gorgeous new top-of-the-line notebook, a machine that cost several thousand dollars and came loaded with Windows Vista, the latest version of Microsoft‘s operating system. He flipped open the laptop, pressed the power button, and … nothing. We waited. And waited. It was excruciating. He tried control-alt-delete. He tried holding down the power button. Finally he removed the battery and snapped it back into place. The machine started up—slowly—while the CEO sat there fuming.”

Um, yeah, OK, that sounds bad and all, but seriously, if you’re pressing the power button on a turned-off machine and nothing’s happening, that’s hardware. And if you blame hardware faults on the operating system, well, that’s just a CEO trying to ignore the fact that his hardware system and its developers aren’t providing a totally balanced view of their work.

So, let’s carry on reading. What else is a problem with Vista?

“It was sluggish. It had trouble going to sleep and waking up. It wouldn’t work with some printers and accessories.”

I didn’t see “sluggish”, but then again, I bought a higher spec machine than my three-year-old laptop in order to run Vista, because it’s a significant update to the OS. Many of its major features expect there to be lots of memory and a fast 3D video card.

The “trouble going to sleep and waking up” part I definitely had some experience with – but then, I have those problems in XP, too: over 1MB in my machine, and XP decided it was going to turn my laptop bag into a pizza oven – to judge from the popularity of my blog post on the issue, I’m far from alone in this. Laptop manufacturers really haven’t had the best of luck in XP or Vista persuading individual devices – let alone the whole system – that it’s nighty-night time, or that it’s time to wake up when you punch the “wake-up” key. Recent updates from Lenovo made my life a little easier, but the machine will still sometimes go to sleep never to wake up again. Really irritating when I’m in the middle of working as the bus arrives at its destination and I have to press the sleep button, praying that the machine will make it through the nap. And I can guarantee to hang the system if I press the sleep button and then close the lid.

And, as for printers and accessories, it’s clear that any number of device drivers weren’t actually used for any significant length of time in the Vista environment, or they’d have shown their incompatible designs. My HP printer, for instance, pops up this ugly dialog whenever I print from Internet Explorer:

hpmup081.bin isn't signed

Now, I don’t know much about drivers, but I suspect that this could be fixed by signing the driver. My other HP printer continually offers up a new version of its drivers on Windows Update, and then the installation refuses to start, because the printer isn’t plugged in to my machine. Well, of course not, it’s a network printer.

As has been pointed out by numerous other writers, XP had this same sort of flack when it released (although I don’t remember it going on for quite this long), and then as now, most of the problems were to do with software and hardware developers who weren’t paying even limited attention to the statements Microsoft put out as to features that were deprecated (i.e. made obsolete, going away, or otherwise disappearing).

Of course, my wife hates Vista, and at some point I’ll be able to point you to her ideas on the topic, because she has some actually valid arguments as to why Vista sucks. And none of those arguments are represented in Dan Lyons’ Newsweek article.

New PCI DSS (Credit Card Security) Standard

I’ve been asked by a couple of people to put forth my views on the latest PCI DSS (Payment Card Industry Data Security Standard) version, released last week. Several of the changes have hit topics close to my heart, so I’m overall happier with PCI DSS 1.2 than I was with PCI DSS 1.1.

You can read the whole of the new PCI DSS 1.2 document at https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

The change document is interesting (https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf) – here are some changes I noted:

1.1.6 – Firewall rule reviews every six months instead of quarterly. In theory, firewall rules should be maintained adequately by good use of change management and configuration management processes and tools, in that new firewall rules are reviewed before going into place, old firewall rules are removed as applications are ‘sunset’, and temporary firewall rules are marked as such, and reviewed / removed as they expire. In reality, of course, unanticipated firewall rule changes get made, either through accident or as a deliberate undocumented change (not necessarily malicious, just “hey, that change didn’t work, we need another port open”), and applications drop into disuse without anyone reviewing the network changes that are made to accommodate them. As such, firewall reviews are well worthwhile, even if they are rather monotonous and difficult to interpret. Lesson learned: document your firewall rules well, so that reviews can be made quickly; confirm that your documentation matches your firewall, and remember to engage a project to ‘true-up’ the firewall rules when discrepancies are found.

1.3.8 – Requiring a NAT (Network Address Translation) device on internal-external network transitions, and RFC 1918 ‘non-routable’ addresses on internal networks. Still doesn’t apply to IPv6. [IP6 has _no_ NAT or equivalent, RFC 1918 doesn’t apply, but there are “link-local” and “site-local” address ranges that can be used] My opinion? A NAT offers no security advantages over a firewall whose default rule is to deny traffic. If you are supporting IPv6, don’t go looking for a NAT or PAT (Port / Address Translator) or NAPT (Network Address and Port Translator). The use of NAT has broken so many protocols, and required so many workarounds (each of which void any hiding of network address that you might have mistakenly thought was a security feature) that it’s more of a hardship than a feature. Remember that NATs (and RFC 1918 private addresses) were only intended as a short-term workaround for the inability of IPv4 address allocation to satisfy growing demand for IP addresses. It was never designed as a security feature.

2.1.1 – References to WEP have been removed – WPA or WPA2 appears to be the stuff, now. That’s as it should be – WEP can be easily and quickly broken with off-the-shelf hardware and freely-downloadable software. WPA and WPA2 are widely available, and kit that doesn’t support anything more than WEP should be considered ‘too old to be of use’ – particularly in an environment that handles credit card information.

2.1.1 – Disable SSID broadcasting is no longer seen as a security measure. Again, as it should be; the check mark for “disable SSID broadcasts” should really have been labeled “disable one quarter of the ways in which SSIDs are broadcast”. Clearly, you can still pick up SSIDs even with SSID broadcasts “disabled”. Hiding a network that runs across the public airwaves does nothing to secure it.

3.4.1 – Despite clarifications, the standard is still kind of flakey as to what it means by “encryption key tied to user accounts” – does it mean a PEM file with NTFS ACLs on it, or a Certificate Store encrypted with a key derived from the password? [The former will give up its secrets to anyone that has a token, the latter requires that you have the key, which requires that you had the password – somewhat stronger than ‘just’ having the user token.]

4.1a – The list of SSL tests doesn’t ask to test that where SSL certificates are accepted, they must be in their valid time range, and not revoked. Those two checks should be a part of all SSL transactions. Without those checks, some of SSL’s security is removed.

4.1.1 – WEP can’t be implemented in new wireless implementations after March 31, 2009, and must be removed from use in all PCI-related wireless implementations after June 30, 2010. Do yourselves a favour and remove it now.

5.1 – Removed the statement that “Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes”. Apparently UNIX doesn’t have anything technical, other than a lack of market penetration and a slightly better-educated user base (because you have to be), that prevents viruses.

5.1.1 – Antivirus measures should detect and address “all known types of malicious software”, not merely “other malicious software”. Presumably that means something – but the goal here, of course, is to remind you that there are many kinds of malicious software that you should prevent from infecting your systems, and particularly those systems involved in the processing of credit card data.

6.1 – Security patches no longer have to be installed in 30 days, you now have one month. What you gain in January, March, May, July, Octember and Decober, apparently you lose in February.

6.5b – A sampling of developers must be interviewed at testing time, to ensure that they are “knowledgeable in secure coding techniques”. This could be interesting – first you have to enumerate your developers, then you have to find them, then you have to randomly select some of them, then you have to hope that they can communicate.

6.5.1-10 – The OWASP top-ten are included specifically in the PCI DSS document, with a note that if the top-ten change, the new top-ten must be used in preference to 6.5.1-10. Always go and get the fresh OWASP top ten, because they’ll be out of date practically as soon as the ink is dry on the PCI DSS standard.

8.2 – “password” becomes “password or passphrase”; “token devices” and “biometrics” now are lumped under “two-factor authentication”. You should really be using passphrases in any kind of secure environment, and 2FA is well worth implementing in environments where risk is high.

8.5.5 – Inactive user accounts do not have to be removed – they can be disabled instead (yay! – now we have the ability to audit them!). When you delete an account, you do not delete all the references to it, so you can have any number of ACL entries, etc. that refer to this “unknown SID”.

8.5.13/14 – Account lockout for 30 minutes is still required (boo, hiss – if passwords are long and/or complex, account lockout is nothing more than a self-inflicted denial of service). Better is to log and trace attempts to brute-force password guessing, and to enforce strong passwords and/or 2FA on the high-value accounts.
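The “log and trace” alternative to lockout, as an added example that is not from the post or from the PCI DSS document: failed-logon records are scanned for a burst against one account inside a time window, and an alert is raised while the account stays usable. The log line format, the function name and the records are my own constructed assumptions.

```cpp
// Detect password guessing from a constructed log of the form
// "<epoch-seconds> <OK|FAIL> <account> <source>". A burst of `threshold`
// failures for one account within `windowSec` seconds raises an alert; nothing
// is disabled, so a guesser cannot turn the control into a denial of service.
#include <deque>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Alert {
    std::string account;
    long at;         // time of the failure that crossed the threshold
    int failures;    // failures seen inside the window at that point
};

// One alert per burst; after alerting, the window for that account restarts.
std::vector<Alert> detectGuessing(const std::string &log, int threshold,
                                  long windowSec) {
    std::map<std::string, std::deque<long> > recent;  // per-account failure times
    std::vector<Alert> alerts;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        long ts;
        std::string result, account, src;
        if (!(ls >> ts >> result >> account >> src) || result != "FAIL") continue;
        std::deque<long> &q = recent[account];
        q.push_back(ts);
        while (!q.empty() && ts - q.front() > windowSec) q.pop_front();  // slide
        if ((int)q.size() >= threshold) {
            Alert a = {account, ts, (int)q.size()};
            alerts.push_back(a);
            q.clear();
        }
    }
    return alerts;
}

// Constructed sample: a five-second burst against a shared service account,
// then occasional typos on a normal account spread over an hour.
static const char *kSampleLog =
    "1224500000 OK   alice      10.1.1.10\n"
    "1224500005 FAIL svc_backup 10.1.1.50\n"
    "1224500006 FAIL svc_backup 10.1.1.50\n"
    "1224500007 FAIL svc_backup 10.1.1.50\n"
    "1224500008 FAIL svc_backup 10.1.1.50\n"
    "1224500009 FAIL svc_backup 10.1.1.50\n"
    "1224500100 FAIL bob        10.1.1.11\n"
    "1224501000 FAIL bob        10.1.1.11\n"
    "1224502000 FAIL bob        10.1.1.11\n"
    "1224503000 FAIL bob        10.1.1.11\n"
    "1224504000 FAIL bob        10.1.1.11\n";
```

With a threshold of 5 failures in 300 seconds the burst against svc_backup alerts once and bob's scattered typos do not; widening the window to an hour and more makes bob's five failures alert too, which is the tuning trade-off lockout never lets you make.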

8.5.16 – SQL apparently isn’t the only database that needs authentication, so this requirement has been changed to refer to all databases now needing authentication for access. About time this standard was made a little less Microsoft-centric. I don’t trust my credit card information to be safe just because it’s been put on a system whose name ends in ‘X’.

9.1 – Systems requiring physical access control are now all those “in the cardholder data environment”, not just those “that store, process, or transmit cardholder data”. That way, you have to protect machines that can communicate directly with those machines that have credit card information in play.

11 – “Hackers” replaced by “malicious individuals”. Ho hum, that old sausage.

11.3 – added that penetration tests must be performed by qualified personnel (internal or external), and that these do not have to be QSAs or ASVs. This is just a clarification, but apparently some QSAs had been looking to drum up more business by saying that pen testing had to be done by other QSAs.

12.3.8,9,10 – Acknowledging that very few of us use modems any more, they are now “remote access technologies”, covering more than just old fashioned POTS dial-up.

12.8 – Instead of contracts with third parties, “policies and procedures” are required – contracts being only one way in which those can be enshrined.

As ever with PCI DSS, you have to remember that it’s not a specification for perfect security – in some ways, it’s not even a gold standard, it’s just the level that the credit card companies think they can reasonably expect almost all credit card processors to attain in the course of the next couple of years. As such, it’s like the qualifying heats at a track meet – you haven’t won anything or competed in the final race, you’ve merely demonstrated that you’re worthy enough to keep going.

Build your systems and networks securely, and you’ll naturally exceed compliance. Aim just to reach compliance, and you’ll likely fail to be secure.