What do you think, should I do it?

I get a fair bit of blog spam – comments advertising everything from sexual enhancers to fake anti-malware. This one just came in this morning:



Sweet! I can turn off all the blog spam just by e-mailing the criminals? Or, could it possibly be that this is a clever ruse to find out what my e-mail address is so they can send their junk there too? Hmm. I think I'll just forward this to abuse@gmail.com.

Fun Experiences at Airport Security

For a while I've been thinking about writing something about interesting times I've had at various airport security checkpoints; security theater, as they have come to be known. There are the obvious shoe-removal arguments and the ill-defined rules on electronics (my camera is larger and has more electronics than most laptops, but that can stay in the bag, laptops can't), but there have been more interesting stories. Got any of your own? Share them!


Around November 2001 a colleague of mine and I flew to New York on business. On the way back we went through Kennedy airport. I was wearing a pair of boots, which the TSA (was it even TSA then?) required me to remove, even though shoes were not normally removed at the time as airport security hadn't yet figured out that you could bomb a plane with them. The lady scanned them for explosives and then handed them back saying "these are OK." I was so relieved because I had explicitly asked for the non-exploding boots when I bought them.


Not TSA related, but still: the same year I was traveling through Boston with my competition shotgun. It was broken down into three pieces and stuffed into a very solid, and quite short, aluminum case. When I went to check in I told the check-in agent that it needed special screening. She asked me to open it and then asked what it was. I responded that it was a shotgun. She took two steps back from the counter, threw her hands up in the air, and exclaimed "Is it unloaded?" I felt like answering "What? It has to be unloaded? But what if I want to use it during the flight?" Fortunately for me, I didn't.


Several years later I was flying from Seattle, this time with a rifle. Firearms require special screening, so after checking in they called a skycap to carry it for me over to the TSA because I am no longer allowed to touch it at that point at Seattle Tacoma International Airport. Note that at other airports I am perfectly well allowed to touch it as they usually make me hand carry it to the checkpoint. Once I got there the Transportation Security Officer (TSO) asked me for the keys and then struggled with the case for a while before opening it. I offered to help, but he refused as I was not allowed to touch it. He poked around the foam in the case for a while, but all the while refused to lift the rifle. I informed him that the foam is removable and he was welcome to do so as it would make it far less likely I would try to sneak a bomb on the plane. He ignored me. When he was done with that I asked if he was finished and he said "not quite," which turned out to be nearly the only two words this friendly gentleman said to me the entire time. He then turned around, grabbed the explosives swab – and proceeded to swab my rifle down for explosives! I tried asking him how he thought the bullets come out of it! Unfortunately, the airline agent that was with me was laughing so hard I couldn't make myself heard. We both stopped laughing when the TSO explained that he did not find any explosives. It turns out that the Explosives Trace Detection (ETD) units used for explosives swabbing can evidently only detect ammonia-based explosives. Lesson: I wonder when the TSA will realize the giant hole in failing to detect smokeless gun powder?


This year, again with a rifle, I asked why the TSO was so careful not to touch the rifle. Apparently, they are not trained in handling firearms and are afraid they will explode if they touch them. Silly me, I thought they were federal law enforcement officers. Now I realize they are not. They're mostly just people like you and me, except they save lives; and I work in real security.


Shoes again: apparently kid shoes are no threat. I travelled with my three-year-old a few years ago. As we went through the checkpoint they made me remove my shoes for screening, but she could keep hers on. I'm not sure if they were too small to pose a threat (presumably if they were actually bombs there may not have been enough explosives in them to blow a hole in the plane?) or whether they just figured I would be willing to blow myself up but not to sacrifice her. I asked them what size shoes must be to pose a threat, but they refused to answer, citing national security concerns.


A year or so after September 11, I went through Minneapolis airport. Going through the security checkpoint I asked the TSO if he wanted me to put my clothes and underwear in a separate bin or whether I could put them in the same bin. He went beet red and disappeared. The replacement officer told me to take this very seriously and make sure I remove even the smallest piece of metal, like my neck chain, because the scanner was so sensitive this time. I went through without incident. When I got comfortably ensconced in seat 47 E I stuck my hand in my pocket and discovered the three-inch pocket knife I had forgotten to remove. I contemplated briefly calling the TSA and asking if the machine was actually plugged in but decided that would just cause them to empty the whole airport and then arrest me so I figured I'd better let sleeping dogs lie. Amazingly, even with this incredible breach of security, I got home safely.


There are probably more stories. What's your most outrageous one? I've heard of many, like the federal marshal who was permitted to fly with a loaded handgun but had his nail clippers confiscated, and the TSO that held a Leatherman knife and failed to recognize it. If you just want to read some others, read Jeffrey Goldberg's article in the Atlantic Monthly.

XP Antivirus in the News

Several helpful people just pointed me to some articles on XP Antivirus and its various variants. In case you do not remember, XP Antivirus was the subject of an article I wrote for The Register a few months back.


It turns out that the scammers got hacked, and the hacker posted some internal accounting details on the web. As suspected, this is a sophisticated business making millions of dollars. It even appears to have an affiliate program.


In case you have not seen the articles yet, here are a few:


http://www.iht.com/articles/2008/10/30/technology/virus.php
http://www.smh.com.au/news/technology/security/russian-scammers-cash-in-on-popup-menace/2008/11/04/1225560814202.html
http://www.scmagazineuk.com/Hacker-reveals-Russian-software-company-behind-anti-virus-scam/article/120152/


Thanks to Marc Michault, Phillippe Jan, and Jason Grubè for all pointing me to articles on this topic.

Is MS08-067 Wormable?

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067. Looking at the type of vulnerability and the fact that the issue was already being exploited in the wild at the time, this was a good decision. If you have not already installed this security update, you should stop reading this right now and return after you have installed the update.


The problem fixed in MS08-067 is eerily reminiscent of the vulnerabilities that resulted in the Blaster and Sasser worms. Therefore, for obvious reasons, the question arises whether MS08-067 is wormable or not. Microsoft claimed in various outlets that it was wormable "on older systems." Michael Howard backs that up with some interesting analysis on the SDL blog. The Secure Windows Initiative (SWI) blog also discusses the issue and points to a number of mitigations designed to reduce the "wormability" on newer operating systems. By "older systems" Microsoft really means "not Vista and Server 2008." This leads to the question of why the vulnerability cannot be used to create a worm on Windows Vista and Server 2008, and whether the claim is correct or not.


The claim that MS08-067 cannot be used to create a worm on Vista and Server 2008 is based largely on two defenses used on those operating systems. The first is that the vulnerable endpoint is not anonymously accessible on those operating systems. That's a pretty good defense out on the general Internet. However, on a corporate network it provides little defense. Anyone with user-level credentials on a host can exploit the vulnerability. Thus, if a single computer gets infected and then is brought inside the corporate network, it can infect any other computers on the corporate network by authenticating to them. It would take a little more coding to write an exploit that does that, but it is certainly not an impossibility.


The second defense is Address Space Layout Randomization (ASLR). ASLR causes the addresses used for code in memory to change from execution to execution. Each time you execute a program it will be loaded into a portion of memory; but, under ASLR, that memory is offset at one of 256 possible memory locations. Many exploits rely on knowing where in memory certain structures are. Prior to ASLR those locations were deterministic within an operating system, service pack, and patch level combination. However, under ASLR, they are, as I mentioned, no longer deterministic. This makes exploitation much more difficult.


However, do these defenses, and specifically, ASLR, really make a vulnerability "not wormable?" I would argue that the answer is "we do not know" but that it is tending toward "no." The problem is that we really do not understand the spreading patterns of worms well enough to make a claim one way or the other. Let us take a neutral scientific approach to understanding this claim.


Worms rely on spreading from computer to computer. Each computer that is infected with the worm can infect countless additional computers. The only thing that moderates it is time. The spread, however, is exponential. The more infected computers there are, the more computers there are that can spread the infection. Eventually, some form of critical mass is reached at which point the spread turns uncontrollable. Unfortunately, we do not know where that inflection point is.


To see how this works, let us take a hypothetical worm, and let us assume that ASLR is not used. Let's say the infection takes 1/8th of a second per computer. In other words, if computer A is infected and targets the worm at computer B, 1/8th of a second later, computer B is ready to start infecting computer C. In one second, a single computer, computer A, can spread the infection, directly or indirectly, to 64 other computers. The total impact of the worm is (t/r)^2, where t is the time and r is the rate of spread measured in the time it takes to infect an additional computer. Using that formula, we can see that after 1 second 64 computers could be infected. After 2 seconds, 256 computers can be infected, and so on.


Now let's apply ASLR to this. Using ASLR, the memory address space is allocated over 256 possible addresses. In other words, under a very tight assumption the infection will fail in all but 1/256 cases. The assumption is that we cannot predict where the locations are, and that the randomization will actually cause the infection to succeed in only one case of 256. Let us just say this assumption holds because it lets us analyze a worst-case scenario for the worm. Under ASLR then, we can consider the rate of spread to be 1/256th that of the non-ASLR worm. In other words, rather than infecting the next computer in 1/8th of a second, computer A can only infect one new computer in 32 seconds. This, obviously, slows down the spread of the worm, but is it enough? The spread is still exponential. It just takes longer to spread. Consider this chart:



This chart maps the number of infected computers over a 24-minute period, assuming there is an infinite number of computers to infect, and ASLR is in use on all of them. It is clear from this graph that the spread is exponential. After 24 minutes, 2,025 computers are infected. By contrast, without ASLR, it would take less than 6 seconds to infect that many computers. The point, however, is that ASLR would not stop a worm, it would only slow it down. What we do not know is whether slowing down a worm is effectively enough to stop it. My inclination would be to say that it is probably not enough unless we can slow it down by many orders of magnitude.
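The spread model from the paragraphs above, reduced to code so the arithmetic can be checked. This is an added example, not code from the post: the formula (t/r)^2, the 1/8-second infection period and the 256 load-address slots are the post's figures, while the function names and the geometric-trial treatment of the 1-in-256 success rate are my own. One caveat worth seeing in numbers: (t/r)^2 grows quadratically rather than exponentially, so the block also includes a true doubling model, and in both the ASLR assumption only rescales time by a constant factor of 256, which is exactly the post's point.

```python
from fractions import Fraction
from math import isqrt

# Added example, not from the post. r is the time one infected host needs
# to infect one more host. The post treats Vista's 256 possible load
# addresses as a 1-in-256 exploit success rate, which stretches r by 256.

NO_ASLR_PERIOD = Fraction(1, 8)  # seconds per infection, the post's figure
ASLR_SLOTS = 256                  # load-address slots the post assumes


def effective_period(r, success_prob=1):
    """Expected seconds per successful infection when each attempt succeeds
    with probability success_prob (mean of a geometric distribution)."""
    return Fraction(r) / Fraction(success_prob)


def infected_after(t, r):
    """The post's model: hosts infected after t seconds is (t/r)^2."""
    steps = Fraction(t) / Fraction(r)
    return int(steps * steps)


def time_to_infect(n, r):
    """Invert the post's model: seconds until at least n hosts are infected."""
    steps = isqrt(n)
    if steps * steps < n:
        steps += 1
    return Fraction(r) * steps


def doubling_time_to_infect(n, r):
    """Same question for a true exponential model, where the infected
    population doubles every r seconds: seconds until 2^k >= n."""
    generations = (n - 1).bit_length() if n > 1 else 0  # ceil(log2 n)
    return Fraction(r) * generations


def slowdown_factor(n, model=time_to_infect):
    """How much longer ASLR makes reaching n infections under a given model."""
    aslr_period = effective_period(NO_ASLR_PERIOD, Fraction(1, ASLR_SLOTS))
    return model(n, aslr_period) / model(n, NO_ASLR_PERIOD)


if __name__ == "__main__":
    aslr_period = effective_period(NO_ASLR_PERIOD, Fraction(1, ASLR_SLOTS))
    print("no ASLR, 1 s:", infected_after(1, NO_ASLR_PERIOD))
    print("no ASLR, 2 s:", infected_after(2, NO_ASLR_PERIOD))
    print("ASLR period (s):", aslr_period)
    print("ASLR, 24 min:", infected_after(24 * 60, aslr_period))
    print("seconds to 2025 hosts, no ASLR:", float(time_to_infect(2025, NO_ASLR_PERIOD)))
    print("seconds to 2025 hosts, ASLR:", float(time_to_infect(2025, aslr_period)))
    print("slowdown, post's model:", slowdown_factor(2025))
    print("slowdown, doubling model:", slowdown_factor(2025, doubling_time_to_infect))
```

Running it reproduces the post's 64, 256 and 2,025 figures, gives 5.625 seconds versus 1,440 seconds (24 minutes) to reach 2,025 hosts, and shows the same 256x slowdown in both models; the shape of the curve is unchanged by ASLR, only its time axis.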


In addition to ASLR, the affected service on Windows Vista and Server 2008 would only restart twice before staying down indefinitely. This is important because unsuccessful exploitation would almost certainly cause the service to crash. However, I do not consider that a defense against worms, because more than likely the user would at that point restart either the computer or just the service. Given that, the restart behavior would only serve to further slow the spreading rate. It would not change the exponential nature of the spread. Again, we arrive at the same conclusion: none of the defenses make a vulnerability non-wormable. They merely slow the spread down.


This is important because there is a risk that people will avoid patching because a vulnerability is not wormable. Make no mistake, remotely exploitable vulnerabilities are still wormable, and within an hour, you could easily have your entire corporate network infected. As if that weren't bad enough, using a remotely exploitable vulnerability, someone with far worse intentions could take over your computers and use them as an entry point into your network. For that the criminal needs only one computer, not a whole network of them. Wormability, or lack thereof, is irrelevant against a targeted attack, which means that ASLR is essentially irrelevant against a targeted attack. In most cases the attacker needs a computer, not a particular computer. Being able to gain a foothold on only one computer in 256 is likely to be enough because after the initial entry, the vulnerability plays no further part in the compromise of your network. In other words, do not consider ASLR to be a reason not to patch some particular vulnerability.


Now, do I think we will see a worm for MS08-067? No. Not in the traditional sense of Blaster. The time of worms, like Blaster, that are inherently non-destructive, has passed. At this point, criminals are not interested in simply writing worms that self-replicate. They are interested in one of the three big things: money, ideology, or national supremacy. While we may still see massive worms, they will be fundamentally different from the ones of old, and they will probably take a bit longer to write. The new breed will be more targeted, more silent, more deliberate, and more dangerous. Once the objectives change, so do the attack patterns.


In short, please do not use wormability, or lack thereof, as a decision factor in deciding whether to patch a vulnerability or not. Wormability is an irrelevant and potentially dangerously misleading metric.