Slashdot Mirror


SecurityFocus On MS Security "Hole"

friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

72 of 398 comments

  1. So what? by Anonymous Coward · · Score: 3, Interesting

    If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

    1. Re:So what? by El+Cubano · · Score: 3, Interesting

      If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

      There are as many people. Only with respect to Linux, they tend to be the developers themselves. Thus, the problems are usually fixed before the official kernel (or whatever other product) is released.

      Not only that, but if you fall victim to a security breach in an unstable or development version of a product, you were probably warned. I have yet to see an unstable or development release that did not include something to the effect of: "Don't use this if your data is particularly valuable to you."

      It's different with products from companies like Microsoft and Oracle, because we are almost always talking about "stable and complete" products.

    2. Re:So what? by Patrick13 · · Score: 4, Funny

      If they reported _every_ M$ bug on Slashdot all the good articles would get pushed off the front page.

      Gotta leave room for all the articles about toasters modified to run linux and whatnot.

      --
      ::.. check out some Cell Phone Reviews
  2. Best quote from the article by t0qer · · Score: 5, Funny

    I mean, if I wanted to hork data off of a system I had full physical access to, I'd just grab the drive, stick it in my pocket, and walk out whistling "Jimmy Crack Corn and I Don't Care."


    Now I can't get that song out of my head!

    1. Re:Best quote from the article by m4ximusprim3 · · Score: 2, Funny

      I'm more impressed with the use of the (!)verb

      "to hork"

      in a semi-serious technical article

  3. Holy shit! by Anonvmous+Coward · · Score: 5, Funny

    Anybody else stunned that Slashdot posted an article about MS that didn't involve an explanation as to how they're incompetant?

    1. Re:Holy shit! by Anonvmous+Coward · · Score: 2

      Re:Holy shit! (Score:0)
      by Anonymous Coward on Wednesday February 26, @04:41PM (#5389964)

      "Can anyone who can't spell competent be regarded as an authority on the subject?"

      Can anybody who isn't capable of registering with Slashdot be regarded as an authority on competency?

    2. Re:Holy shit! by mrmud · · Score: 4, Funny

      Anybody else stunned that Slashdot posted an article about MS that didn't involve an explanation as to how they're incompetant?

      Yeah, I think the pigs are none too pleased about flying around and smacking into buildings. And I heard there was a mistaken delivery of 10,000 colocation air conditioners to hell...

      --
      -- MrMud
  4. I hate to say it.. by grub · · Score: 5, Insightful


    .. but he is right about the physical security. Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password. I don't hear the masses screaming for Theo's head because this is possible.

    --
    Trolling is a art,
    1. Re:I hate to say it.. by burrows · · Score: 2, Insightful

      I'm not a fan of this "point", really. Security in light of physical access is a problem with many operating systems. Is it any less of a problem with XP, just because it is also a problem with OpenBSD?

      I believe that all vendors need to consider physical access issues. OpenBSD has made a start, in the sense that you can at least disable the vulnerability to which you refer. I would like to see Microsoft make some progress as well. I'm not going to run around screaming that the sky is falling, but I will take note of the vulnerability, and as a customer, I will let my vendor know that I would like a solution.

    2. Re:I hate to say it.. by aridhol · · Score: 4, Insightful

      If an attacker has access to your computer, then the OS's security won't help. They can take your hard drive and move it to another computer, then read your data. Unless you use encryption (assuming your attacker can't break it), the attacker is guaranteed to succeed with full physical access.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    3. Re:I hate to say it.. by burrows · · Score: 2

      I agree with the sentiment you are expressing, but I feel this is an incorrect assumption. There are a variety of physical access control solutions for ensuring that an attacker can not access your actual disk (not the least of which is an advanced case lock). The idea is to see an OS and physical measures work together to protect the data, as opposed to having physical measures to prevent the attacker from getting at the hard drive made useless by a recovery disk.

      In short, I do not believe that it is a safe assumption that access to the cdrom drive and keyboard equates to access to the hard drive. In fact, I sit not too far from a large number of devices that permit me to use a keyboard and cd-rom, yet would not permit me to physically access their drives without a cutting torch.

      The reason I don't like the logic is that it is never acceptable to me to address a vulnerability as insignificant, just because there is another vulnerability that may allow you to do the same thing. If so, then any vulnerability for which there is another vulnerability that achieves the same goals would be considered insignificant. Let's try this theory:

      "That root access telnet vulnerability is insignificant. If you can connect to a service running on the machine, then you could just use the root access Sendmail vulnerability. We shouldn't worry about the telnet vulnerability."

      Frankly, I don't like that philosophy. I'm surprised by how widespread it is.

    4. Re:I hate to say it.. by aridhol · · Score: 2
      The difference is that the recovery console is supposed to give you access. That's the point of a recovery system. If you can't access it, you can't recover it. Microsoft considered the options, and decided that administrators would be more upset if they couldn't access their machines when they fucked up than if someone else got access after coming on-site.

      In order to use the recovery console, you have to boot the machine, and make it read the CD-ROM or a floppy. The BIOS should prevent that.

      For the record, I don't believe that just because physical access guarantees software access, I shouldn't worry about physical access. I have a bootloader password, and a recovery password. My BIOS is passworded and will only boot from the hard drive. Yes, this will prevent casual attacks. It will slow down real attacks. But it won't completely eliminate them, and that is what administrators have to know.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    5. Re:I hate to say it.. by jc42 · · Score: 2, Interesting

      Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password.

      Somewhat longer ago, maybe 10 years back, I was part of a small team running a booth at a trade show. The booth next to us had a couple of guys who had puzzled looks on their faces, so two of us walked over and asked if there was a problem. They had a Sun workstation that they couldn't get to work because nobody knew any passwords. I reached over, rebooted it into single-user mode, changed the root password to something they knew, then did a full boot, and handed it back to them.

      The first thing one of their guys did was to change the root password again. And he didn't want us to watch the keyboard while he did it, so we couldn't see the password. We just looked at each other and walked off, trying not to laugh in their faces. "Uh, dudes; you just missed something important."

      A couple of years later, Sun added the ability to have a single-user password, so our neighborly helpfulness no longer works. I wonder what a Sun customer does now if the only person who knows a machine's password is squished by a semi? Junk the machine?

      There are some pretty silly "security" discussions going on.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    6. Re:I hate to say it.. by pmc · · Score: 2, Funny

      He's got long arms

  5. win2k console? by Telastyn · · Score: 4, Informative

    This appears to be a problem using the win2k recovery console on a winxp install, not the XP console.

    And all it allows you to do is copy files around. Whoopty do. Pop in a linux boot floppy with ntfs support and do the same thing, only easier (because the win2k recovery console doesn't support wildcarding; lame.)

  6. Too many idiots. by aridhol · · Score: 4, Insightful
    The problem is that the "bug" was posted once. From there, it spread a bit. Once enough people heard it, it was stated as fact, even though it was nothing.

    Once the general populace knows about a problem, the media has to say something, because how would it look if they didn't report on a new trend? Suddenly everybody "knows" about the problem, even though it does not exist.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  7. So... by NanoGator · · Score: 5, Funny

    ... who still thinks the Registry is a bad thing?

    (comment to be taken lightly. Should irritation persist, chill.)

    --
    "Derp de derp."
    1. Re:So... by CrazyDuke · · Score: 3, Interesting

      I do!

      (boot sequence)

      Windows has detected an error in the system registry and is now restoring a previous backup.

      Registry fixed. The computer will now reboot.

      (boot sequence)

      Windows has detected an error in the system registry and is now restoring a previous backup.

      Registry fixed. The computer will now reboot.

      (boot sequence)

      Windows has detected an error in the system registry and is now restoring a previous backup.

      Registry fixed. The computer will now reboot.
      ...ad infinitum...

      --
      Any sufficiently advanced influence is indistinguishable from control.
    2. Re:So... by Anonvmous+Coward · · Score: 2, Interesting

      "But couldn't one just boot off a CD-Linux distro and run regedit under wine? (does regedit work under wine?) Or is there perhaps a console version of regedit that would run under the win2k console?"

      No, I don't think so. I had the registry in Windows 2000 go corrupt once because I had a power failure while it was in the process of shutting down. Basically, the Registry was being edited and I guess the file didn't finish writing. I installed another instance of 2k in order to try to recover what I could, but I couldn't get Regedit to do anything but work on that installation's own Registry. What you're suggesting might work if somebody wrote their own Registry editing app.

      "Unless the registry is actually encrypted, I don't see any real advantage to having it in a non-human-readable format."

      It's in binary format, not in 'non-human readable' format. To be honest, I'm not sure why MS does it either. I would guess that there's an advantage of using a binary format over text format. Space maybe? If the registry is big, Windows is slow. Wish I could figure out how to compress the registry.

      Anyhoo, this is all beside the point. If you have physical access to my computer, all you need to do is install another instance of Windows 2k or XP and you have all you need to mess around with the files on it. You might even be able to recover passwords etc that way, not sure. It *would* be detectable though, unlike a CD boot.

      In any case, this doesn't seem like a huge security hole to me.

    3. Re:So... by tarquin_fim_bim · · Score: 2, Funny

      "Unless the registry is actually encrypted, I don't see any real advantage to having it in a non-human-readable format."

      It does stop users opening it up in notepad and falsifying their Minesweeper high scores.

    4. Re:So... by DrXym · · Score: 4, Interesting
      The registry is an awful thing for the simple reason it sticks all your eggs in one basket. Now I know technically there are various 'hives' but if the registry gets corrupted in any significant way you are completely screwed whether one hive is nobbled or another.


      Your choices after that boil down to - restoring from a backup registry and praying that it works, or reinstalling. The recovery console is a joke and a last ditch effort. The only times I've required it are when I foolishly marked my temp folder as encrypted and a service pack used it before peppering my system32 dir with encrypted files and during recent filesystem data corruption. On neither occasion was it particularly useful and I was sorely pushed each time to recover to a working system.


      At least Unix gives you a fighting chance since configuration files are all individually named and occupy different places on the disk. It is quite possible to identify the precise problem and fix it if necessary. Those files might be messier, but at least it's easy to back them up (since they're not 'live') and *much* easier to restore them. It is my opinion that the registry is quite possibly the most awful thing about Windows, even before considering the mess of registry keys it actually contains.

  8. WRONG! by chill · · Score: 3, Insightful

    [I posted this on SecurityFocus.]

    Actually, it is CRITICAL in one aspect.

    If Avaya's security consultant Ken Pfeil is correct when he said:

    "If the system is a member of a workgroup and not a domain, you can just change the user's password that the file was encrypted under," Pfeil said. "Then you can log on as that user having access to the encrypted file."

    Then EFS is useless in the standard configuration for protecting hard drives. Specifically, hard drives on LAPTOPS, which frequently get stolen.

    Most likely this is an IMPLEMENTATION issue, though, and NOT a "hole" in XP. It sounds like the certificate/key used for EFS is stored on the drive, and the password for it is tied to the Workgroup/Domain password. The certificate/key really needs to be stored on a USB key or other removable media, so it can be kept separate from the system.

    Encrypting files/folders/partitions on hard drives is supposed to guard against exposure EVEN WHEN CONTROL OF THE SYSTEM IS COMPROMISED!

    Case in point -- laptops. What is the point encrypting data on the drives if when stolen, the machine can be consoled and the password changed, opening all the files?

    I do not know if you can move the certificate/key off to removable media. If you can, like I suspect, then it is an implementation issue and not a "hole". If not...

    You are right in that it was overplayed as a major catastrophe, though. For almost all other cases, if you've lost control of the hardware, you're screwed.

    -Charles Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:WRONG! by jonsteph · · Score: 5, Informative

      Problem is, we're talking about Windows XP, so Mr. Pfeil is wrong.

      Assuming one can get Admin access to the installed OS (re-installing OS destroys access to EFS-protected files), resetting the password on WinXP in a Workgroup (as opposed to changing it) destroys access to DPAPI-protected keys, and hence access to EFS-protected files.

      Win2000 EFS is vulnerable to this sort of attack, but not WinXP.

      With WinXP, an attacker should endeavor to crack the user's password rather than change it to a known value. Even so, this attack can be mitigated by a) using strong passwords, and b) using SYSKEY to protect the SAM from offline attack.

      Other notes:

      1) EFS was principally designed to protect data when the hardware has been compromised, so the premise of this whole comment is wrong.

      2) EFS is one layer of defense-in-depth. It should be combined with strong passwords, SYSKEY, and proper recovery key management.

      3) Windows XP Key security is discussed here.

      4) EFS does not support keys on removable devices as of WinXP.
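
The distinction drawn in the comment above between changing and resetting a password, sketched as an added example that is not part of the original comment and is not DPAPI's actual algorithm or storage format. It assumes a simplified model in which the master key is wrapped under a key derived from the logon password; the `Account` class, its method names and the passphrases are hypothetical.

```python
"""Simplified model, constructed for illustration: a per-user master key is
stored wrapped under a key derived from the user's logon password. This is
not DPAPI's real algorithm or on-disk format."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: illustrative work factor


def _derive(password: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=length)


def wrap_master_key(master_key: bytes, password: str) -> dict:
    """Encrypt-then-MAC the 32-byte master key under a password-derived key."""
    salt = os.urandom(16)  # fresh salt per wrap, so the keystream is never reused
    material = _derive(password, salt, 64)
    enc_key, mac_key = material[:32], material[32:]
    ct = bytes(m ^ k for m, k in zip(master_key, enc_key))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_master_key(blob: dict, password: str) -> bytes:
    material = _derive(password, blob["salt"], 64)
    enc_key, mac_key = material[:32], material[32:]
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise PermissionError("master key cannot be unwrapped with this password")
    return bytes(c ^ k for c, k in zip(blob["ct"], enc_key))


class Account:
    """Hypothetical account: a logon verifier plus a separately wrapped master key."""

    def __init__(self, password: str):
        self._set_verifier(password)
        self.master_key_blob = wrap_master_key(os.urandom(32), password)

    def _set_verifier(self, password: str) -> None:
        self.verifier_salt = os.urandom(16)
        self.verifier = _derive(password, self.verifier_salt, 32)

    def logon(self, password: str) -> bool:
        candidate = _derive(password, self.verifier_salt, 32)
        return hmac.compare_digest(candidate, self.verifier)

    def change_password(self, old: str, new: str) -> None:
        # A change is made by someone who knows the old password, so the
        # master key can be unwrapped and re-wrapped under the new one.
        master_key = unwrap_master_key(self.master_key_blob, old)
        self._set_verifier(new)
        self.master_key_blob = wrap_master_key(master_key, new)

    def admin_reset(self, new: str) -> None:
        # A reset only overwrites the logon verifier. Without the old password
        # the stored blob cannot be re-wrapped and stays bound to it.
        self._set_verifier(new)

    def unlock_keys(self, password: str) -> bytes:
        if not self.logon(password):
            raise PermissionError("logon failed")
        return unwrap_master_key(self.master_key_blob, password)


def demo() -> dict:
    changed = Account("old-passphrase")
    original = changed.unlock_keys("old-passphrase")
    changed.change_password("old-passphrase", "new-passphrase")
    change_keeps_keys = changed.unlock_keys("new-passphrase") == original

    reset = Account("old-passphrase")
    reset.admin_reset("value-set-by-reset")
    reset_logon_works = reset.logon("value-set-by-reset")
    try:
        reset.unlock_keys("value-set-by-reset")
        reset_keys_recoverable = True
    except PermissionError:
        reset_keys_recoverable = False

    return {
        "change_keeps_keys": change_keeps_keys,
        "reset_logon_works": reset_logon_works,
        "reset_keys_recoverable": reset_keys_recoverable,
    }


if __name__ == "__main__":
    print(demo())
```

In this model the reset account still accepts a logon, but everything protected by the master key stays locked, which is why password strength matters as the remaining protection.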

    2. Re:WRONG! by quantum+bit · · Score: 4, Funny

      The idea was to use a Win2K disk on a WinXP box and the Win2K thinks it is a "corrupt" install.

      After seeing WinXP in action, I would tend to agree with the Win2k disk on its assessment...

  9. Are u kidding? by vivek7006 · · Score: 5, Funny
    What ever happened to journalistic integrity? It's like these people are making it up as they go along just to reel in the hits.

    Journalistic integrity? Man, which world do you live in?

    1. Re:Are u kidding? by ice+cream+koan · · Score: 2, Funny

      "Integrity. We've heard of it."

      -- From everyone's favorite news outlet, The Register :D

      --


      "When I was in school, I cheated on my metaphysics exam: I looked into the soul of the boy sitting next to me"
  10. Amen by SamMichaels · · Score: 4, Insightful

    I'm with the author on this one. I dislike MS as much as the next guy, but I'd WANT a recovery disc to dump me at a prompt if the data files were corrupt. If the files on the drive are THAT important, they should have been encrypted anyway...and if I was the admin of the box, they would already be encrypted.

    I have nothing to worry about.

  11. who doesn't want this? by garcia · · Score: 4, Insightful

    News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.

    No, recovery console does not mean to bypass the password set by the administrator. It means to recover data that has been lost due to reason "foo".

    While I don't see it as being that big of a deal, you could do it w/any OS's bootdisk I suppose (or even a LILO prompt on a Linux machine) I think it is an odd bit of information that should be known.

  12. Media exaggerates! Fear at Eleven! by Hubert+Q.+Gruntley · · Score: 5, Insightful

    Media organizations know they get eyeballs when their audience is afraid.

    Ignorant and afraid of terrorists? Watch Fox News.
    Ignorant and afraid of hackers? Read Wired, or WinInformant.

    Maybe we should be afraid of ignorance, instead.

    --
    Laugh at my Lisp and I keeell you.
  13. Re: by Bastian · · Score: 4, Informative

    This isn't a security flaw.

    This is desired administration behavior. The Win2k disc can't deal with the WinXP registry properly, so it goes straight to recovery mode. Recovery mode is pretty much useless to begin with, and you can't really do anything to a system in recovery mode.

    Besides, if you can physically walk up to the computer in question and boot it from a CD in your pocket, your security problem doesn't come from Windows - it either comes from a BIOS that doesn't support changing the boot order, or it comes from between your ears.

  14. Re:Tim Mullen by burrows · · Score: 3, Informative

    Here's a sample of Mr. Mullen's "unbiased" approach to Microsoft security:

    http://www.securityfocus.com/columnists/127

  15. Sounds like a really useful tool, by tarquin_fim_bim · · Score: 5, Funny

    does XP Recovery Console run on Linux?

  16. I found this part interesting by bigmouth_strikes · · Score: 2, Insightful

    "Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle's "unbreakable" applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post. "

    Although the last part about whipping arouses me in a peculiar way, I'd much rather see Larry Ellison's claims being dissected and put into context. Sure they are a marginal player in most markets, but in the enterprise application business they really advertise aggressively and not so truthfully.

    Seeing the tech press just relaying a story like this only confirms the notion that there are no journalists that understand tech, and no techies that understand journalism.

    --
    Oh, I can't help quoting you because everything that you said rings true
  17. Ubiquitousness doesn't explain MS vulnerabilities by Infonaut · · Score: 5, Interesting
    If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

    That's patently untrue. It's a well-known fact that Microsoft's security problems are not due to exposure alone.

    Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security. The corporate culture at Microsoft is and always has been more about gaining marketshare than about anything else.

    It seems that there are differences in security, above and beyond the monopoly domination Microsoft enjoys. How many ISPs use FreeBSD to run their servers? Hmm.. I wonder if there's more to it than just speed and the fact that FreeBSD is Open Source.

    I'm not alone in my assessment. There's this security guru named Bruce Schneier. Perhaps his name has crossed your desktop at some point. He's contemplating getting a Mac, because he is tired of hassling with security problems on his Windows machines.

    --
    Read the EFF's Fair Use FAQ
  18. Oracle Bug Double Standard? by iCharles · · Score: 5, Insightful
    I was intrigued by the note at the bottom: Oracle having a security flaw, taking six months to fix it, and charging for the patch. I did two or three quick searches of "Older Stuff," and couldn't find an allusion to it.


    In contrast, I know SQL Slammer was reported day-of. In this case, a free patch was available six months prior to the worm. And let's face it: if the patch is available but not applied, it's not Microsoft's, Oracle's, Linus's, or any other vendor's fault--only the SysAdmin in question.


    One major difference was that SQL Slammer took out several networks, where Oracle did not have such impact.


    To /.'s credit (and I'm going mostly off memory), the big critique was on the DB admins, not on Microsoft.

    1. Re:Oracle Bug Double Standard? by N3WBI3 · · Score: 2, Interesting
      But the whole problem is the history of MS patches, I feel perfectly comfortable patching a test *nix computer and going to prod within a few hours. With windows I will have to start at the dev level because 7/10 times it will break something else and the developers need to fix it, then to test and god willing to prod the next day.

      Not even MS keeps up with their patches so who are they to fault sysadmins for not doing the same..

      --
    2. Re:Oracle Bug Double Standard? by josh+crawley · · Score: 2, Interesting

      ---But the whole problem is the history of MS patches, I feel perfectly comfortable patching a test *nix computer and going to prod within a few hours. With windows I will have to start at the dev level because 7/10 times it will break something else and the developers need to fix it, then to test and god willing to prod the next day.

      Well, that all comes down to the basic tenets of unix.

      1: Use text files. Easier to manipulate and edit.

      2: Make every program simple minded so the next stupid program can take over.

      Chances are if something actually does break, you can easily regress because you know that programs don't squash each others' feet. You just back up the new configs, replace the old configs, and replace the old program. All in all, it isn't that hard at all.

      In the MS world, things bumble over each other, configs are kept in a hard to control place (registry), and regressing certain server software is darn near impossible, without backups. Things are almost guaranteed to break in patches cause they usually add stuff in patches. Then the new+old stuff breaks. MS software is made easy for a limited set of users. Any user who "doesn't want it that way" has to hunt on Microsoft.com or call them up (heh). And chances are, there's bugs to prevent "that way".

  19. Finally! by djkitsch · · Score: 4, Insightful

    I totally agree on this - I've been doing Win2k installs for a few years now, and I'd have had to totally scrap god knows how many systems if it weren't for the recovery console.

    And the fact that you can use the Win2k boot CD to log in without a password isn't a bug, or even a security hole, it's simply the fact that MS didn't require a password to use the Console in Win2k.

    What do the critics want MS to do? Recall and patch every single Win2k boot CD?

    --
    sig:- (wit >= sarcasm)
  20. Re:Tim Mullen by Cheeko · · Score: 4, Insightful

    Perhaps you missed the point he was trying to make. While the "its a feature, not a bug" argument is valid in many cases, this is not one of them. The whole argument can be ended with the simple fact that you need physical access for this "exploit". As mentioned in the article, and as anyone who follows computer security knows, once an attacker has physical access to a machine it's game over. With that as a given, administrators WANT tools that allow them access to a system like this, it's been included in systems back to the VMS days that I know of, and probably older.

    I believe the rational way to view these types of articles is to look at what they're saying and actually stop to think about it, rather than flying off on blind tangents about bias. While it may be true that the author often defends Microsoft for whatever reason, this particular article is based on solid points that make a very compelling point on this specific issue.

  21. Re:Surprise! by The+Bungi · · Score: 2, Informative
    Before posting your retard fanboy 1337 comments like you do every time, take a moment to RTFA. You'll see that (wonder of wonders), this is a clarification on the fact that a much-touted "hole" in XP was not a vulnerability or anything of the sort. Like so many other "holes" and "sploits" that are blown out of proportion.

    So what's the deal? You see an article with "Windows" or "Microsoft" and "hole" or "exploit" or "fundies" and you automatically hit reply and type in some snively childish remark to whore some karma? Or are you just plain bored?

  22. Re: by argmanah · · Score: 2, Insightful
    Besides, if you can physically walk up to the computer in question and boot it from a CD in your pocket, your security problem doesn't come from Windows - it either comes from a BIOS that doesn't support changing the boot order, or it comes from between your ears.
    Not that changing the boot order on the BIOS will do jack against me ripping the HD out and walking off with it. There is no substitute for actual physical security.
    --
    Overrated Moderation: This posts sucks... because.
  23. As opposed to... by djkitsch · · Score: 5, Funny

    If they reported _every_ M$ bug on Slashdot all the good articles would get pushed off the front page.

    As opposed to now, when all the good stories are getting pushed off the front page by reposts, you mean?

    --
    sig:- (wit >= sarcasm)
  24. No, the problem is Microsoft by burgburgburg · · Score: 2, Insightful

    Whether or not, in this particular case, the reported exploit is not the vulnerability described, there have been so many valid, exploitable, preventable, denied by Microsoft, bugs/cracks/flaws/exploits/holes that Microsoft is presumed guilty from the get go. And considering their programming and their behavior following, this is to be expected. They've created an atmosphere where the logical, understandable response is to mistrust them. That's their doing, and they're the ones to fix it (if at all possible).

  25. It all boils down to... by Anonymous Coward · · Score: 5, Insightful

    PHYSICAL SECURITY. This is the first tenet of network security. Prevent the box from being accessed by those who should have no access. This tenet, however well implemented, is absolutely useless if the baddies that mean your network harm are INSIDE the network, which in 75% of cases is true. It's a sad-assed day indeed when your own employees are the evil that is supposedly lurking outside the firewall.

    1. Re:It all boils down to... by kalislashdot · · Score: 2, Insightful

      Yep. My servers are in a server room with a locked door. We use these little black radio wave thingys that we wave in front of a panel to open the doors. Each one is coded to a person and to certain doors. Also it has an alarm that is set at night. Then the whole building is secure. Oh and the KVM has a password.

      So you need access to our building, access to my server room, know the pin to the alarm system and know a user and password on the kvm.

      If we wanted we could go farther and disable booting from floppy or CD and set a password on the bios and lock the rack door, but the first 4 layers seem to be enough.

      That article is totally correct.

    2. Re:It all boils down to... by Sylver+Dragon · · Score: 2, Funny

      As a fun anecdote along these lines. The company I work for produces computer based physical security systems. (i.e. those cards you carry at work to get through the doors, they are for more than the CEO to identify you by).
      We had a server come back to us for maintenance one time, and as I was picking through the registry, I came across the entries for Diablo 2. Now, it occurred to me that Diablo 2 generally runs in full screen mode, so how exactly was the guard monitoring the security system while playing?
      Moreover, why in the world did the guard have access to the CD-ROM drive? There is no need for him to have it, the box itself should have been locked up, with the cables for the keyboard, monitor, and mouse coming out.
      In the end, I sent the system administrator an email asking him to tell the guards to leave the game files on the system next time they send it in, so that I can play while I work. (They had deleted the files) Never did get a response, but I imagine that the SysAdmin wasn't happy.

      --
      Necessity is the mother of invention.
      Laziness is the father.
  26. No hole. by Big+Mark · · Score: 4, Informative

    If this is a hole then so is the fact I can mount your ex2fs /home partition from a boot floppy and ftp all the filez there to wherever I want them to reside. Actually the linux "hole" is worse, as it has infinitely more powerful command-line tools available to a bootflopper.

    People fear the Internet and what a hax0r could do to their PC, but (as this article proves) give me physical access to your machine and I could do more damage to you than 99.999% of crackers ever possibly could - and that's only because I'm not enough of a bastard to [root@localhost /]% rm /*/* on my way out. Know your enemy, he's probably a family member.

    -Mark

  27. Re:does this mean by johny_qst · · Score: 2, Interesting

    The answer is yes since you could transfer your program to the system where it would be run at system start... though this still doesn't make it much of an issue. The key to the article is physical security! Say it with me, physical security. If someone can walk right up to your machine then they can do pretty much whatever they want if they are technically sophisticated enough.

    --
    Fnord.sig
  28. Re:Tim Mullen by bmajik · · Score: 2, Insightful

    please explain where the threat is that's being downplayed ?

    If this were the worst "issue" with Windows security, nobody would use anything else. Nobody.

    In my opinion, this issue isn't on the panic scale at all - it's on the "everyone that's worried about it is a fuckwit" scale, weighing in right around 9.5.

    This article has nothing to do with being a windows apologist. This issue affects essentially ALL pc operating systems. Just last week i floppy-booted my openBSD machine because i forgot the root password, then changed it. Where is the media frenzy ? Where, as another poster pointed out, is the get-theo-lynchmob ?

    AFAIK it's easier to totally circumvent ANY pc unix machine with a bootfloppy (unless it's configured specially) than it is to use this recovery console trick to do anything of gain to a windows machine. what a fantastic showing by microsoft if this is worthy of harassment.. because the message is "you handle something marginally better than all other currently widely used OSes"

    Listen, this is slashdot. It's ok (expected, even!) to hate windows and microsoft. But to be really effective, you should pick something worth being angry about. And if you can't find anything better to get concerned with than this, you really don't have much justification for concern at all (and you don't have much of a justification to comment on the matter, either)

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  29. I've. Been. Deceived. by Yekrats · · Score: 2, Funny

    Listen up! I come to Slashdot for one thing only: Microsoft bashing. If I want to read pro-MS stuff I'll go to -- um, some site that people talk about how great Microsoft is.

    This is too much. Let's hope it's not the start of a trend. Thank God I didn't subscribe.

    --
    Ceci n'est pas une pipe.
  30. Re:Tim Mullen by TheRaven64 · · Score: 4, Insightful

    I've just found a huge bug in Linux security! If you boot from a Linux boot disk, then you can mount the hard disk and read files off it! Linux security all over the world is compromised! No server in the world will ever be safe again!

    Oh, and anyone who disagrees with this, or tries to use some kind of 'logic' or 'rational argument' to disagree is a Linux apologist.

    Actually, this 'hole' is worse than the one in Windows. Windows config data is stored in the registry, which is binary and so is much harder to manually edit than the plain-text files in /etc/ on a Linux box.

    --
    I am TheRaven on Soylent News
  31. Tarnished Brand by piobair · · Score: 3, Insightful

    Seems to me this whole issue is a direct result of MS's tarnished brand. Why bother doing research to find out if this week's security hole is bogus or not? Microsoft's brand is so coupled with "security compromise" you don't need to prove the case anymore to attain public credibility.

    --
    I have a second sig, I call it sig#2.
  32. Re:I certainly do. by zapfie · · Score: 3, Interesting

    You got the joke wrong.

    They get Halloween and Christmas confused, because 31 OCT is 25 DEC.

    (31 OCT would be 19 HEX)

    --
    slashdot!=valid HTML
  33. Re:Ubiquitousness doesn't explain MS vulnerabiliti by Aram+Fingal · · Score: 3, Insightful

    Indeed, if a particular system were more vulnerable than Windows then crackers would scan for that system and attack it. Opportunists go for the easy prey, not necessarily the most common thing. You can find non-MS nodes on the internet if you look - that's not a problem.

  34. No, You're Wrong! Learn Here Grasshopper! by Nintendork · · Score: 4, Informative
    EFS encrypts the file and adds a header for the owner and for the recovery agent(s) which contains the public key used for encryption. Only the owner or recovery agent(s) private key can decrypt the file.

    In a domain, the Administrator account for the forest root domain is the recovery agent. Additional recovery agents can be assigned through the domain group policy object. The certificates are self-signed if no CA (Certificate Authority) is configured. Any recovery agent should export the private key to removable media and lock it up in a secure place and keep another secured copy off site. Delete the copy from the forest root's first domain controller.

    On a stand alone server or workstation (Not a member of a domain), a self signed certificate is generated for use and the local Administrator account is the recovery agent. The private keys for the administrator and your own user account can be exported to a floppy or other removable media and deleted off the computer. Another copy should be kept in another secured location in case the first gets burned down, stolen, corrupt, etc. Make sure the floppy isn't in the laptop carrying case, otherwise, the thief will have your private key when he takes the whole bag.

    Another important thing to note is that the document is decrypted in memory and a clear text copy isn't put on the drive. A hacker going through your drive, looking for deleted temp files will be wasting time. If you want to be extra paranoid, configure windows to clear the page file at shutdown.

    For more reading:
    Click Here

    If you really want to learn this stuff, read this book. I found it to be extremely educational and was the only book to explain certificate server to me effectively.
    Click Here

    -Lucas
    Windows NT and 2000 MCSE
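
An audit of the key-handling advice in the EFS comment above, added here as an example (it is not part of the original thread): it lists EFS and recovery-agent certificates in a certificate store, flags recovery-agent private keys still held on the machine, and checks the page-file setting. The function names are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: audits the local machine against the EFS key-handling advice.
# Function names are hypothetical; requires Windows PowerShell 3.0 or later.

$EfsOid         = '1.3.6.1.4.1.311.10.3.4'    # EKU: Encrypting File System
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # EKU: File Recovery (recovery agent)

function Get-EfsCertificateStatus {
    # Run as the account whose keys are being checked (e.g. the recovery agent).
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the enhanced key usage OIDs carried by this certificate.
        $oids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        if ($oids -contains $EfsRecoveryOid) { $role = 'RecoveryAgent' }
        elseif ($oids -contains $EfsOid)     { $role = 'User' }
        else                                 { continue }   # not an EFS certificate

        [pscustomobject]@{
            Role            = $role
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            # True when a private key is still associated with this certificate here.
            PrivateKeyLocal = $cert.HasPrivateKey
        }
    }
}

function Test-PageFileClearedAtShutdown {
    # The "clear page file at shutdown" policy is stored as this DWORD value.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $prop = Get-ItemProperty -Path $key -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.ClearPageFileAtShutdown -eq 1)
}

$certs = @(Get-EfsCertificateStatus)
$certs | Format-Table Role, Subject, NotAfter, PrivateKeyLocal -AutoSize

# A recovery-agent key left on the machine travels with a stolen disk or laptop.
foreach ($c in $certs | Where-Object { $_.Role -eq 'RecoveryAgent' -and $_.PrivateKeyLocal }) {
    Write-Warning ("Recovery agent key {0} is still on this machine; export it to removable media and remove the local copy." -f $c.Thumbprint)
}

# User keys are needed for day-to-day decryption, so only remind about the backup.
foreach ($c in $certs | Where-Object { $_.Role -eq 'User' -and $_.PrivateKeyLocal }) {
    Write-Output ("User EFS key {0}: confirm an exported copy is stored away from this machine." -f $c.Thumbprint)
}

if (-not (Test-PageFileClearedAtShutdown)) {
    Write-Warning 'ClearPageFileAtShutdown is not enabled; page file contents survive shutdown.'
}
```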

  35. Re:What do I care? by Chester+K · · Score: 4, Insightful

    Yea a stupid error was made and several sites reported on it. I am supposed to feel bad to bill or do what Tim Mullen says and "Give Bill a Break"? No I won't be giving Bill G. a break. Maybe if more articles are written which say how bad MS software is MS might actually have to be accountable one day.

    So you're all for more articles making a big deal out of "security holes" that aren't "security holes" at all?

    Ever heard the fable about the boy who cried wolf? You should not support Microsoft-bashing for the sake of Microsoft-bashing when there's nothing behind it, it only lowers your own credibility. Focus on Microsoft's real problems.

    --

    NO CARRIER
  36. Re:Ubiquitousness doesn't explain MS vulnerabiliti by Mitreya · · Score: 4, Insightful
    Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security.

    Indeed. And not only featureset but usability and user-friendliness factor are also placed above security issues.
    As a result we have a dominant OS that's insecure and a secure OS that's mostly unusable by anyone who is not a third generation sysadmin. In all that rush no one had the time to write an OS that's BOTH secure and user-friendly. Flame away :)

  37. Open-source vs. Microsoft security? Apache vs. IIS by hkmwbz · · Score: 5, Interesting
    It is difficult to prove this one way or the other. First, the source code for Linux is available, and as such more people can study it, and they probably do. Windows might be more widespread, but how many Windows users are actually knowledgeable enough to even find a security hole?

    It doesn't matter how many users it has because the users won't be looking for security holes in the first place. So if you put 10 Windows users in a room, none of them would know much about these things. Putting 10 Linux users in a room, and you increase the chance that you'll find a real hacker. I'm a Windows user myself, so I'm not trying to sound like an elitist bastard. I haven't even uncovered any security holes in my life.

    But it is difficult to determine this case, as there are a lot of questions and too few answers.

    Let us instead look at a piece of software where the numbers are reversed - where Microsoft's product has only a small part of the market.

    I am talking about the open-source Apache HTTP server, vs. Microsoft's IIS.

    Apache has 60-70 per cent of the web server market. IIS has less than 30 at the moment. Yet, despite these figures, Apache has had far fewer known security issues than IIS. How does this fit with your question? Obviously, there are a lot more eyes on Apache due to its large market share?

    So how does IIS come out so crappy when it comes to security?

    I think we can come to the conclusion that your "it's not as frequently used so very few are looking for security holes"-like statement simply does not make sense. It is a myth. FUD?

    --
    Clever signature text goes here.
  38. Re:Tim Mullen by sheldon · · Score: 2, Interesting

    "Tim Mullen is probably the most notorious apologist for Microsoft in the security community."

    In other words...

    "Since his comments are not anti-Microsoft enough you shouldn't listen to him, because it's more important to blame Microsoft than be right."

    This is why I post to slashdot, to correct morons like this, and for that I am called an astro-turfer.

  39. Re:Ubiquitousness doesn't explain MS vulnerabiliti by harvardian · · Score: 2, Interesting
    The original poster said "If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well" and you countered with that article on mi2g.

    What does that article say? It says "Based on the number of vulnerabilities announced in 2002 that affect operating systems..."

    Now, either I'm an idiot or that article is basing its results on REPORTED VULNERABILITIES. Might the number of reported vulnerabilities have something to do with how hard people ARE LOOKING FOR VULNERABILITIES?

    The ONLY way to test the relative vulnerability of an OS is to do a thorough code review of each, or send experts on each into a room and ask them to find exploits (and both approaches won't even be that accurate).

  40. Re:It depends. . . by NullProg · · Score: 2, Informative

    If someone can boot from a configuration other than the default OS, they have free reign

    I've seen one PC based O/S do this correctly. OS/2. Don't laugh, but I learned the hard way one weekend at a financial services firm. It seems the OS/2 HPFS386 (comes with OS/2 server) driver uses a combination ACL+Hardware code to encrypt the drive. We were upgrading an old server to a new one and just moved the data drive over to the new box. Nada, zilch, nothing. The computer saw the drive but none of the contents. It didn't matter what we did, (rescue disk, etc.) we couldn't see the file system.

    To make a long story short (what was supposed to take two hours took eight), we had to put the drive back into the original box and run a special administrators tool (separate locked away disk) to remove the ACL's from the file system. Only then could we move the drive to the new server and re-apply the ACL's. Not a fun weekend.

    Enjoy,

    --
    It's just the normal noises in here.
  41. Re:Second best quote from the article by sharkey · · Score: 3, Funny
    When banner ad revenue for a media outlet [slashdot.org] becomes more important than accuracy,

    Since when has accuracy been a concern to the editors at Slashdot?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  42. Re:Ubiquitousness doesn't explain MS vulnerabiliti by mystran · · Score: 3, Interesting
    I agree here. I've been using Linux since 1995 almost exclusively at home, for security, stability and development reasons, but the older I grow, the more I think of this:

    It's great that we have security. Most people won't mind security. Even Joe Sixpack seems to understand that security is generally good. Now, people are starting to get that Open Source is secure, stable, blah blah blah..

    The thing with Linux (and probably BSD's though I don't have much experience there) is that most people that know what is a server, can set up a linux server. Even most of those people can keep their server relatively secure with security.debian.org and shutting down redundant stuff and such. But even many of those people are not willing to switch to Open Source on desktop.

    As I see it. Linux IS decent desktop OS too. If you pre-install Gnome or KDE or pretty much anything else for someone, they will be able to use it. My girl-friend has no trouble at all with my wmx-based desktop, after about 2 minutes of briefing. But the thing is, once things get nasty on Linux desktop they often need even MORE experience with the OS than when running a server.

    Once you have to touch the command-line, it can be a pain before you get used to it, but finding the relationships between the nice GUI and all the scripting and configs and stuff, is even more so.

    No flames though, this is getting better all the time, I think, but the fundamental nature of UNIX as opposed to Windows seems to make UNIX easier for someone who knows what he's doing (like sysadmin or developer) while Windows is still easier for my mother, which unfortunately might have to mess with the network settings to read her mail, even if somebody assisted her by phone.

    I'm currently doing a toy desktop OS with the idea of trying to combine the ease of use, even when going to system levels, with easy to develop with API, and strong security.. then again, don't hold your breath =)

    --
    Software should be free as in speech, but if we also get some free beer, all the better.
  43. Ashcroft and Ridge need to know by sacrilicious · · Score: 2, Funny
    I'd just grab the drive, stick it in my pocket, and walk out whistling "Jimmy Crack Corn and I Don't Care."

    Quick, make sure both Ashcroft and the Department Of Homeland Posturing know that anybody whistling Jimmy Crack Corn needs to be tackled at the knees!

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
  44. Linux found to have XP Security flaw! by chrome · · Score: 2, Funny

    In other news, Linux was found to have the same flaw as Windows XP this week, after Jimmy Costain, a four year old boy, hacked into his father's Linux machine with a RedHat recovery disk.

    "It was quite easy. I just booted the floppy, mounted the root filesystem, and zeroed the root password from the /etc/passwd file."

    Linus Torvalds was available for comment.

    "Well, of course, you idiot, if you have physical access, anything is open."

    Linus went on further to say that booting a floppy to wipe a password from the /etc/passwd file is an old Unix recovery technique, used since the dawn of time, and that he's happy to see Windows XP finally catching up on the feature list.

    "I wish people would stop trying to find lame security flaws which are not security flaws at all and actually concentrate on the serious ones" mused Linus.

  45. Straight from the horses ..... by IchBinEinPenguin · · Score: 4, Insightful

    well, I'll let you pick which end

    Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

    I wonder if we could /. that server.......

  46. Re:Open-source vs. Microsoft security? Apache vs. by t0ny · · Score: 2, Insightful
    1. I really hate this argument. Just because the source is available doesn't mean that a) it will be better, or b) it will be more secure, or even c) if it is unsecure someone will hack it.

    Why? Because SUCH a small percentage of people honestly work with the source. I'm sure that less than 1% of linux users know how to do anything more than run the code thru the compiler, and the majority can't even do that.

    As I constantly point out, every slashdot user is not helping write the kernel of Linux.

    The reason MS is getting probed is twofold. 1) Hackers have a bug up their ass about MS (no pun intended), and 2) Security firms are hunting for obscure exploits due to the notoriety they get in being credited with finding the bug/exploit. If you are a security firm and can tell your clients you found five exploits in the last year, that equates to money.

    And don't believe that Linux users are any more computer savvy than Mac users. That's like saying brown eyed people are smarter than blue eyed people. A lot of people learned Unix while they were in college. Those skills can easily transfer over to Linux. Thus, it's merely a comfort thing than a tech savvy thing.

    Also, the Apache vs. IIS thing. I would account for the market share and the security issues just by maturity of the product. How long was Apache web server out before IIS came out? Quite a while. Unless MS sawed down and copied Apache, it would be hard to make a product w/o making a few mistakes. NOTHING is perfect the first time. How secure was the first version of Linux?

    Also, I'm sorry, but Apache still gets hacked. I remember before IIS was out pages were getting hacked all over the place. Free Kevin, anyone?

    I'm not slamming what you are saying, really, because I don't get the feeling you are one way or the other on this. I am just expressing a point of view. But there is definitely a lot of anti-MS FUD expressed here, and strangely enough, MS got quite a bit of /. lovin today.

    Hopefully this will be the start of a trend. Not pro-MS, but pro-rational article.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

  47. Re:Open-source vs. Microsoft security? Apache vs. by jeffsix · · Score: 2

    > So how does IIS come out so crappy when it > comes to security? Simple. It's because IIS is a much larger product. It does so many more things than Apache it's not even funny. When you have more lines of code, you have more bugs. When you have more bugs, you have more security holes. IIS has tons more lines of code -> IIS has tons more security holes. If you'll look at all of the IIS exploits, you will find that most of them (and I mean > 90%) are in very seldom used extensions/code sections (known as ISAPIs in IIS-speak). Apache does not have these components. If the support for a particular feature is not present in Apache, there cannot be security holes in it. Since there are thousands of lines present in these IIS components, there are bound to be security bugs. Saying that IIS is more secure than Apache is not a fair comparison. It's really that simple.

  48. So what's your point? by Lurgen · · Score: 2, Insightful

    That every desktop user in the world should move over to FreeBSD, and learn a whole new environment? We'll ignore the fact that Linux (in any of its variations) is infinitely more difficult for the end-user.

    Why is it people like you always miss the point - it's not about brand names or vendors. It's about a bloody tool. A PC is just another tool, and if it can't be used by the people who need it, it's not good enough. Sure, security is important, but what good is a secure computer that only 10% of the population can figure out how to log into?

    I'll happily move over to a better OS if it comes along, provided it's actually going to help me do my job in a better way! Until then, forget Linux - it's 5 years behind MS, and probably 10 behind MacOS (and yes, I'm aware OSX is based on BSD, blah blah blah).

  49. Re:Open-source vs. Microsoft security? Apache vs. by Mr+Teddy+Bear · · Score: 3, Insightful

    Ok, being a sysadmin for both apache systems and IIS systems, I would love to know what you think IIS can do that apache cannot. ISAPIs in IIS can be loaded as modules in apache. So I am really interested to know if you have anything in mind or if you are just blowing smoke.

    I had mod points and was going to use them in this forum... but I just couldn't resist replying to your post because there just simply isn't any foundation to your claims.

    The only thing that Apache lacks (and it doesn't anymore) is a good GUI configuration tool. Personally though, I always liked the direct editing of the config file anyway. I still do that even though the GUI is a very nice addon. I am not saying that IIS sucks and I am not saying that Apache is the coolest thing since sliced bread... all I am asking is for you to back up claims like that with real facts.

    On another note. You might want to consider adding <br> tags to your posts when you want a new line. Makes it easier to read.

  50. Re:Ubiquitousness doesn't explain MS vulnerabiliti by tunah · · Score: 2, Interesting
    As a result we have a dominant OS that's insecure and a secure OS that's mostly unusable by anyone who is not a third generation sysadmin. In all that rush no one had the time to write an OS that's BOTH secure and user-friendly. Flame away :)

    I realise that the sysadmin comment was facetious, but you *did* say flame away ;)

    Yes, realistically, linux *IS* harder to learn than windows (learn, not necessarily use). However, if you will settle for *only* using a windows-like interface, mandrake and lycoris are pretty damn accessible. Windows (in the easy-peasy sense of the word) is a *user's* operating system. Sysadmining isn't just point-and-sneeze in windows either.

    --
    Free Java games for your phone: Tontie, Sokoban