Montreal blog on Internet Security Software

Setting privileges on a specific thread

Tue, 13 May 2008 16:33:49 GMT

If you've ever needed to set privileges to a specific thread Id only, and not an entire process, you may of visited quite a few MSDN web pages trying to figure out exactly how to achieve this.

Here is a function that does this, call it using a format such as:

AddThreadPriv(GetCurrentThreadId(), SE_BACKUP_NAME);

AddThreadPriv(const DWORD in_tid, const std::string& in_rstrPrivilegeName)
{
ImpersonateSelf(SECURITY_MAX_IMPERSONATION_LEVEL);

HANDLE h = OpenThread( TOKEN_ALL_ACCESS, FALSE, in_tid);

HANDLE hToken = NULL;

if(h)
OpenThreadToken(h, TOKEN_ALL_ACCESS, TRUE, &hToken);

if( hToken )
{
TOKEN_PRIVILEGES tpNew = { 1 };
tpNew.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  if( ::LookupPrivilegeValue( NULL, in_rstrPrivilegeName.c_str(), &tpNew.Privileges[0].Luid ) )
  {
   VERIFY( ::AdjustTokenPrivileges( hToken, FALSE, &tpNew, 0, NULL, NULL ) );

CLOSEHANDLE(h);
CLOSEHANDLE(hToken);

return (ERROR_SUCCESS == GetLastError());
}
}

CLOSEHANDLE(h);
return false;
}

Trying to locate the proper documentation shouldn't be this difficult, certainly not for a company that size.

IPv6 is good for business, and will flush out unmaintained crapware

Sat, 10 May 2008 15:17:11 GMT

Ipv4 will be out of addresses sooner than most people realize.

This will probably occur within 24 months, and will likely cement Vista as the desktop os replacement for Xp, since its stack has IPv6 out-of-the-box.

The good news is that this will weed out the smaller software products who do not have the man-power to upgrade their existing applications to this newer reality.

We may even see well established products lag behind because they may be dealing with too much legacy Ipv4 code.

Time will tell...

What Will Microsoft Do With Credentica?

Tue, 06 May 2008 18:29:51 GMT

Written by Bernard Lunn / May 3, 2008

http://www.readwriteweb.com/archives/what_will_microsoft_do_with_credentica.php

The Race to Zero

Mon, 05 May 2008 13:36:10 GMT

The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008.

The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

http://www.racetozero.net/index.html

Bjarne Stroustrup on the Evolution of Languages

Wed, 30 Apr 2008 17:49:35 GMT

http://msdn.microsoft.com/en-us/magazine/cc500572.aspx

twitter

Mon, 28 Apr 2008 14:44:23 GMT

follow 0utlaw at http://twitter.com

Encrypt Anything: 50 Ways to Secure ALL Your Data, Regardless of Medium

Wed, 23 Apr 2008 14:09:44 GMT

http://www.businesscreditcards.com/bootstrapper/encrypt-anything-50-ways-to-secure-all-your-data-regardless-of-medium/

Speed up that old system

Mon, 21 Apr 2008 13:12:22 GMT

Is your dev machine running slower due to the increased number of software pieces tacked on over the years?

Clean up your registry, remove duplicate files, and then defrag the drive for that new-car smell.

Here are three free utilities to do just that:

Eusing Free Registry Cleaner

http://www.pcworld.com/downloads/file/fid,64953-page,1-c,systemresourcestuneup/description.html

DoubleKiller

http://www.bigbangenterprises.de/en/doublekiller/

Defraggler

http://www.defraggler.com/

I actually hit an XP Home Limitation

Fri, 18 Apr 2008 14:41:00 GMT

I think this is a first for me. I do not think I've ever had to choose one flavor of an OS over an other because of a feature set.

I'm configuring some of my home LAN and set up remote desktop on the machines so I can log onto each one from my laptop.

Except for one.

You can't remote desktop to an XP Home edition.

So I installed something I haven't used in forever, vncviewer. It works OK, but IFF you lock the computer running the vnc server, you can't connect to it; something which is not a limitation using remote desktop.

Microsoft has released Microsoft Security Development Lifecycle, version 3.2

Tue, 15 Apr 2008 02:58:53 GMT

Microsoft has released Microsoft Security Development Lifecycle, version 3.2

Tons of great recommendations for your development team, to better your software product, such as

Code priority definitions are provided in the following list:

· Pri1 code is considered the most sensitive from a security standpoint. The following examples of Pri1 code are not necessarily a definitive list:

· All Internet- or network-facing code

· Code in the Trusted Computing Base (TCB) (for example, kernel or SYSTEM code)

· Code running as administrator or Local System

· Code running as an elevated user (including LocalService and NetworkService)

· Features with a history of vulnerability, regardless of version

· Any code that handles secret data, such as encryption keys and passwords

· Any unverifiable managed code (any code that the standard PEVerify.exe tool reports as not verified)

· All code supporting functionality exposed on the maximum attack surface

· Pri2 is optionally installed code that runs with user privilege, or code that is installed by default that does not meet the Pri1 criteria.

· Pri3 is rarely used code and setup code. (Setup code that handles secret data, such as encryption keys and passwords, is always considered Pri1 code.)

· Any code or component that has experienced large numbers of security bugs is considered Pri1 code, even if it would otherwise be considered Pri2 or Pri3. Although the definition of large numbers is subjective, it is important to scrutinize carefully the portions of code that contain the most security bugs.

Here's a table of recommended settings compiler/linker settings for unmanaged code.

Win32 Requirements: Unmanaged Code

Table G.1. Win32 Requirements: Unmanaged Code

Compiler/ tool	Minimum required version and switches/options	Optimal/ recommended version and switches/options	Comments
C/C++ Compiler	Microsoft® Visual Studio® .NET 2005
cl.exe	Version 14.0.50727.42 Use /GS	Use /GS
Link.exe	Version 8.0.50727.42 Use /SAFESEH Use /NXCOMPAT and don’t use /NXCOMPAT:NO. See "Appendix F: SDL Requirement: No Executable Pages" for more information.	Use /SAFESEH Use /functionpadmin:5 Use /DYNAMICBASE	Visual Studio 2005 SP1 is needed for /DYNAMICBASE
MIDL.exe	Version 6.0.366.1 Use /robust	Use /robust
Source code analysis	Visual Studio 2005 Code Analysis Options (“/analyze”) For Visual Studio 2005 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383	Visual Studio 2005 Code Analysis Options (“/analyze”). For Visual Studio 2005 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383 Standard Annotation Language (SAL): Code annotated with SAL should correct additional warnings in addition to those listed above. See “Appendix H: SDL Standard Annotation Language (SAL) Recommendations for Native Win32 Code” for more information. The warnings are summarized as follows: SAL Compliance Visual Studio 2005: 26020 - 26023 /analyze Visual Studio 2005: 6029; 6053; 6057; 6059; 6063; 6067; 6201-6202; 6248; 6260; 6276; 6277; 6305	Visual Studio 2005 Team Edition contains a publicly available version that is branded as “C/C++ Code Analysis”.
Protecting against Heap Corruption	n/a	All executable programs written using unmanaged code (.EXE) must call the HeapSetInformation interface. See “Appendix I: SDL Requirement: Heap Manager Fail Fast Setting” for more information.

Been a target of an attack?

Wed, 09 Apr 2008 19:13:09 GMT

What do you do if you receive a phishing email?

And what will you do if you find a site which is distributing malware?

I gathered a list of emails and forms which can be used for reporting phishing sites, phishing emails, and malware sites:

Report a site that you suspect contains malicious software.
http://www.google.com/safebrowsing/report_badware/
http://www.stopbadware.org/home/new

Report a Phishing Page
http://www.google.com/safebrowsing/report_phish/

Forward phishing emails to my company: fraudsubmission@radialpoint.com
To fraud watch international: scams@fraudwatchinternational.com
To APWG: reportphishing@antiphishing.org

If you have found a security vulnerability in any of Microsoft’s online services,
secure@microsoft.com

virus, worm, or trojan horse submission to
avsubmit@submit.microsoft.com

spyware or other malware submission to
windefend@submit.microsoft.com

Stroustrup Says C++ Education Needs To Improve

Tue, 08 Apr 2008 14:55:41 GMT

Although I rarely head over to slashdot anymore, (I prefer Digg), but once in a a while there's a great thread over there.

This thread http://developers.slashdot.org/article.pl?no_d2=1&sid=08/03/30/1155216 on C++ really shows how much developers either really love it, or hate it.

One thing is sure, C++ 'experts' are few and far between. With the upcoming TR1 adding yet more to the language, it's difficult just to keep up with everything.

I can't imagine a newbie trying to step through 8 boost pointer indirections and not getting discouraged, or trying to decipher template compiler errors.

For a TR1 overview, check out Pete Becker's book.

Et tu, Amazon?

Tue, 01 Apr 2008 14:07:09 GMT

Amazon has DRM free music. If you want to download songs, that's what you need to be using, not iTunes.

But, I tried purchasing the latest Moby CD MP3's, and because I'm a Canadian customer it won't let me.

This reminds me of that great pandora.com service which every coder here used, before it too shut down streaming to Canadian IPs.

OpenDNS rocks!

Tue, 25 Mar 2008 17:44:13 GMT

So far this year I am using two amazing products.

Jungledisk has rendered all my USB keys useless. I have it installed on all my machines, my sample code and all my tools are saved in the amazon cloud.

I don't even use its backup ability, just the storage space. Finally no more stumbling around my DVDs looking for some old piece of code which I now need!

And OpenDNS rocks. Is it faster? Maybe. Is it safer? Maybe? is it better? Absolutely. Here's what I like most, besides the fact its free:

I no longer need to run my parental control tool client-side? Why is this good?

- Less client-side code means your Cpu is free to do other things

- Less client-side code means less risk of it crashing

Now, my parental tool is good, I was one of the guys who wrote it. I even optimized the networking code of late. But it uses an OOB network call to validate Urls! It cannot possibly go faster than a DNS based solution.

Now, instead of validating pbdkids.org (while the browser sits there and waits), by sending the Url to another server which categorizes the Url, the categorization is done at the DNS request level. Here's a snapshot of the OpenDNS web site where you can configure your networks:

Anti-Malware field keeps getting more crowded

Fri, 14 Mar 2008 15:11:11 GMT

Another new Anti-Malware company is launched: http://blogs.zdnet.com/security/?p=366

I have installed their product on a couple of my machines, and I really like it so far. I've been a proponent of securing the HTTP pipe between clients and web sites; that can provide users MORE security than an up-to-date Av definition file...try it out, it's free http://hautesecure.com/index.aspx

They seem to use the google safe browsing API to use the google blacklists (phishing + malware), http://code.google.com/apis/safebrowsing/developers_guide.html in addition to other feeds. They send the URL to a backend (here's an actual trace for offensive-security.com):

- Http: Request, GET /v1.2/QueryUrl.aspx
- Request:
     Command: GET
   - URI: /v1.2/QueryUrl.aspx?Url=http:%2F%2Fwww.offensive-security.com%2F&HostId=6d0c1292-5589-4648-83c8-c68ed1a95adb&ClientVersion=1.2.1.1906&QueryThirdParty=1&QueryFrom=Client
    - Uri:
       Location: /v1.2/QueryUrl.aspx
       Url: http:%2F%2Fwww.offensive-security.com%2F
       HostId: 6d0c1292-5589-4648-83c8-c68ed1a95adb
       ClientVersion: 1.2.1.1906
       QueryThirdParty: 1
       QueryFrom: Client
     ProtocolVersion: HTTP/1.1
     UserAgent: HauteSecure 1.0
     Host: communitystats-cws.hautesecure.net
     HeaderEnd: CRLF

This is similar to the solution we use in our security product, which also validates URLs against a phishing blacklist (not a malware blacklist though).

"The four founders are Iain Mulholland, a former security strategist and manager of the MSRC (Microsoft Security Response Center); Frank Swiderski, a software architect who did stints at Microsoft and @Stake; Rob Vucic, who worked at Redmond on Microsoft’s Secure Windows Initiative Internet Crime Investigations team; and Steve Anderson, who worked on the Windows Server team at Microsoft....TechCrunch reports that the company launched with $500,000 in funding"

500K$ !? That's it? Ask my friend Austin, who's recently blogged about a couple of Montreal based shops being bought by US companies, will tell you that that's peanuts!

http://www.billionswithzeroknowledge.com/2008/03/07/congratulations-its-a-startup-canadian-fairchildren-unite/

Great vacation reading

Tue, 11 Mar 2008 17:48:47 GMT

I had the pleasure of reading The Web Application hacker's Handbook on my vacation.

It's terrific, check it out on amazon: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

Disk encryption may not be secure enough, new research finds

Mon, 25 Feb 2008 20:32:39 GMT

Yet more proof that in computer security, there is no silver bullets and no free lunches.

Read the article here.

"The Incredi" attack

Fri, 22 Feb 2008 22:15:40 GMT

I was probing a possible attack vector in a "security suite" type application, and found an interesting twist based on, The Incredibles of all things...

Recall the scene where Mr Incredible has trouble fighting off a robot, and ends up winning by having the robot attack itself? By using clever tricks, we can convince "security suites" to attack specific files, and remove them, simply by having the file trigger a hit (a positive virus detection).

How is this possible? Well, today's security vendors are constantly battling to achieve levels of certification by detecting as many malwares as possible, they want to add database entries!

I won't list real-world examples, but here's an example:

Just run [echo "removed for security purposes" > filetoberemoved] and presto!

Obviously here I can just remove the file my own self, but in fact I have the anti-malware level do so, which they often can do with elevated privileges!

Welcome to the jungle

Wed, 20 Feb 2008 17:49:24 GMT

I finally started using jungle disk, and after a little problem with it on Vista (which I managed to workaround) I really enjoy it! Not only is it dirt cheap, but you use your existing Amazon account to pay...I use picasa for pixs simply because it finds the pictures locally easily, but that seems to have an upper limit of 1 G only..

Windows Vista Media Center + Xbox 360

Mon, 18 Feb 2008 15:10:46 GMT

I set up a small home network (3PCs), with Vista Media Center on a laptop.

It detects the digital camera, imports the pictures, easily and seamlessly.

Then, one day, I had the Xbox 360 console on, and it detected this (they are not connected, but only share the same router) after which the Vista Media center asked me if I wanted to add it as an Extender.

Without any other configuration, I was browsing pictures (from the laptop) on my TV using the Xbox 360!!!

The only downside to my Vista+Xbox+HD Tv setup is the fact that I have an Xbox HD-DVD...something which will apparantly be replaced with Blu-Ray eventually. Perhaps Microsoft will put out a dual-reader.

Custom List: Other Security Bloggers, and articles on software

Tue, 06 May 2008 18:38:47 GMT

Other Security Bloggers, and articles on software

Stefan Brands
Postings on anything related to digital identity management.
Adam Shostack
Security Blog
The Six Dumbest Ideas in Computer Security
by Marcus Ranum
Top 50 Msdn security Articles
MSDN Magazine Security CD, 19,95$
Why Crunch Mode Doesn't Work
slashdot article, 2005
Peter Gutmann's Cryptlib
Better than OpenSSL?
VS2005 SP1 update for Vista
http://support.microsoft.com/default.aspx?scid=929470
AV Comparatives
Independent comparatives of Anti-Virus software
AV Test
project of the Business-Information-Workgroup at the Institute of Technical and Business Information Systems at the Otto-von-Guericke-University Magdeburg (Germany) in cooperation with AV-Test GmbH. In regular intervals we test anti-virus, anti-spyware...
STL/CLR
STL/CLR – Version of Standard Template Library for managed code 4/4/2007
STL.NET Primer
Stanley B. Lippman Architect, Microsoft Visual C++ team August 2004 Applies to: Microsoft Visual C++ 2005 Standard Template Library (STL) and STL.NET
got API
A great website for ANY developer!
Exploit Prevention Labs
Exploit and 0day prevention
Agile Alliance
We are uncovering better ways of developing software by doing it and helping others do it.
Should I check the parameters to my function?
Larry Osterman's blog - May 18 2004
RFC 3552
Guidelines for Writing RFC Text on Security Considerations
Uniform Resource Identifiers (URI): Generic Syntax
This document defines the generic syntax of URI, including both absolute and relative forms, and guidelines for their use; it revises and replaces the generic definitions in RFC 1738 and RFC 1808.
Windows Wireless Networking
Using WMI to verify WEP status - 2006 Article, Me
Susceptible Api's
Build Security In - Setting a Higher Standard for Software Assurance. This catalog provides a set of Coding Rules to assist software developers, whether manually or in conjunction with tools, to discover, explore, remove and eventually prevent security vul
Norman Sandbox
Upload malware for analysis
Virus Total Blog
Blog VirusTotal
StopBadware Blog
Stop Badware Blog
Virus Bulletin News
Latest news from the anti-virus industry
Anton Stiglic
A senior IT security advisor with a strong background in information theory and a keen interest in the business aspects involved around IT decisions. He has been involved in security in the IT industry since 1999, and in academia since 1996
Microsoft® Windows® Software Development Kit for Windows Vista™ and .NET Framework 3.0 Runtime Components
The Windows SDK includes documentation, samples, and tools designed to help you develop Windows applications and libraries using both Win32® and .NET Framework 3.0 technologies targeting Windows Vista.
McAfee Avert Labs Blog
Computer Security Research
Jeffrey's Exif Viewer
Great util for viewing more data on your image files than you care to know. Exchangeable Image File Format.
Draft Technical Report on C++ Library
ISO/IEC DTR 19768 Doc No: N1836=05-0096 Date: 2005-06-24 Reply to: Matt Austern austern@google.com
How long should my passphrase be?
To provide adequate protection against the most serious threats... keys used to protect data today should be at least 75 bits long. To protect information adequately for the next 20 years ... keys in newly-deployed systems should be at least 90 bits long
IDN Conversion tool
Putting [räksmörgås.josefßon.org] in IE7, gets puny coded to [http://xn--rksmrgs-5wao1o.josefsson.org/] use this tool to convert unicode characters to punycode as IE 7 does.
Google Sparsehash Package
The Google sparsehash package consists of two hashtable implementations: sparse, which is designed to be very space efficient, and dense, which is designed to be very time efficient. For each one, the package provides both a hash-map and a hash-set
Default Router Password Database
This is the internets most complete default router password database available.
Microsoft Password checker
Password Checker can help you to gauge the strength of your password. It is for personal reference only. Password Checker does not guarantee the security of the password itself.
Password Strength Checker
This application is designed to assess the strength of password strings. The instantaneous visual feedback provides the user a means to improve the strength of their passwords, with a hard focus on breaking the typical bad habits
All Your iFRAMEs Point to Us by Google's Niels Provos
February 4th, 2008 22 pages
The Ghost In The Browser - Analysis of Web-based Malware by Google's Niels Provos
2007 9 pages Other link to doc: http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf
Google Online Security Blog
The latest news and insights from Google on security and safety on the Internet
PaulDotCom Episode98
DLL Injection
Programatically setting Wininet/Internet Explorer's Proxy settings
From Windows Core Networking Blog