With every innovation comes a setback, sometimes vitriolic in nature. Virtual machine (VM) technology is a good case in point.
VMs are growing in popularity by leaps and bounds. We'll see more and more VM technology, to the point that it becomes commonplace, probably even on everyday users' desktops. The benefits of VMs are manifold and the drawbacks are few, the most significant of which is undoubtedly the cost of acquiring hardware to leverage VM power.
Intel introduced its VT-x technology for x86 processors, which extends the processor architecture to facilitate better VM behavior. Of course, potential intruders won't stand idly by while VMs take over servers and eventually desktops. They need their inroads, or so they think anyway. Be assured that there is active, ongoing progress in developing ways to usurp VM technology for insidious purposes. So security professionals need to keep pace with, or preferably outpace, the inroads made by "the bad guys."
One set of researchers has managed to develop a rootkit, appropriately named Vitriol, that demonstrates how it's possible to co-opt Intel's VT-x. In effect, Vitriol takes over as the host OS and moves the original host OS into the role of guest OS, transparently and without the computer user's knowledge. The team presented Vitriol at the recent Black Hat conference in Las Vegas. At least some of the team are slated to attend Microsoft's invitation-only Blue Hat conference, which is taking place this week, to present their work in more detail.
Writing on Matasano's blog, Dino Dai Zovi gives an introduction to the presentation:
Hardware-supported CPU virtualization extensions such as Intel’s VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel(r) Core Solo and Duo processors found in laptops released in early 2006 with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a “rootkit hypervisor” that transparently runs the original operating system in a VM. This presentation will describe how VT-x can be used by rootkit authors and demonstrate a rootkit based on these techniques that migrates the running operating system into a hardware virtual machine on the fly and installs itself as a rootkit hypervisor. Hypervisors of this sort can also be used to bypass PatchGuard on 64-bit systems. The presentation will conclude with a demonstration of Vitriol, a VT-x based rootkit.
Dai Zovi later clarified the statements in that introduction:
There has been some confusion around how or whether hypervisors can "bypass" PatchGuard. This is not an attack against or weakness in PatchGuard itself, it is more a demonstration of how a hypervisor controls the entire universe in which an operating system runs and can mislead or lie to any operating system running inside it, thus defeating security defenses running on the guest VM.
Vitriol has got to be unnerving to Intel, and Microsoft too for that matter. I think this is just the beginning of what we'll see relating to hypervisor exploitation. Stay tuned.
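One thing a rootkit hypervisor cannot easily lie about is the hardware cost of being virtualized: under VT-x the CPUID instruction always traps to the hypervisor, so timing it against the TSC is a crude but loggable detection signal. The following is an added example for illustration, not code from the post or from the Vitriol authors; the 1000-cycle threshold is an assumption that needs calibrating on known-clean hardware, and a hypervisor that adjusts TSC offsets can blunt it.

```c
/* Added example, not code from the post or the Vitriol authors. Under Intel
 * VT-x, CPUID always causes a VM exit, so even a hypervisor that lies to the
 * guest about software state pays a hardware cost it cannot fully hide; timing
 * CPUID with the TSC is a rough, loggable signal. The 1000-cycle threshold is
 * an assumption for illustration; calibrate on known-clean hardware first. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__)
static inline uint64_t rdtsc_now(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi)); /* serialise */
    return ((uint64_t)hi << 32) | lo;
}
static inline void cpuid_probe(void) {
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
}
#endif
/* Insertion-sort v[0..n-1] in place and return its median. */
uint64_t median_u64(uint64_t *v, int n) {
    for (int i = 1; i < n; i++) {
        uint64_t x = v[i]; int j = i - 1;
        while (j >= 0 && v[j] > x) { v[j + 1] = v[j]; j--; }
        v[j + 1] = x;
    }
    return v[n / 2];
}
/* Median TSC cycles per CPUID over `samples` runs (1..256); 0 if not x86-64. */
uint64_t cpuid_cycles(int samples) {
#if defined(__x86_64__)
    uint64_t t[256];
    samples = samples < 1 ? 1 : samples > 256 ? 256 : samples;
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = rdtsc_now();
        cpuid_probe();
        t[i] = rdtsc_now() - t0;
    }
    return median_u64(t, samples);
#else
    (void)samples; return 0;
#endif
}
/* Assumed threshold: native CPUID is a few hundred cycles; a VM exit is >1000. */
int likely_hypervisor(uint64_t median_cycles) { return median_cycles > 1000; }
int main(void) {
    uint64_t c = cpuid_cycles(64);
    printf("median CPUID: %llu cycles -> %s\n", (unsigned long long)c,
           likely_hypervisor(c) ? "possible hypervisor" : "looks native");
    return 0;
}
```

Treat the result as one signal among several: a legitimate VM (or a busy host) will also trip the threshold, so the value is in comparing against a baseline recorded when the machine was known to be running on bare metal.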
- posted by
Mark Joseph Edwards
Is there no end to the goodies that can be dug up using Google? I recently came across Google Code Search, a tool that lets you look through source code that has been indexed.
This is really helpful if you're looking for examples of how to code something, or looking for code bases that might be using your own code, etc. Another use for it is to find security bugs and other risky problems, like backdoors! Try this query, where you'll find that plenty of coders include the word "backdoor" in their code comments or as variable names. - posted by
Mark Joseph Edwards
Don't know yet if you're going to TechX World? Maybe these two short YouTube videos will help you decide!
First view this amusing couple of minutes that promotes the TechX World interoperability conference (produced by Windows IT Pro), which is coming soon to a city near you.
And if you think you don't need to go to such conferences, then check out this 57-second clip, where David Letterman might remind you of why you probably do need to go (or at least he might remind you of why you have a heterogeneous environment).
LOL! It's all in good fun :-)
- posted by
Mark Joseph Edwards
Back in late January I blogged about a new way to authenticate users by using a graphical interface. In the blog article, "Graphical Passwords - What A Concept!," I explained how icons are used instead of text or token devices.
Today I learned about another way of authenticating users by using tactile passwords, which basically means via the sense of touch, similar to braille.
Over at New Scientist magazine there is an article that discusses how some folks at Queen's University in the UK use a mouse designed for visually impaired people. The mouse has two tiny arrays of 16 pins each that replace the left and right mouse buttons. In order to authenticate for access purposes the mouse pointer is moved around on the screen and the pin patterns change depending on the mouse pointer location. The correct authentication pattern is discovered when the right pin patterns are sensed by the fingers, at which point the user clicks to authenticate. Pretty slick, eh?
Read the article, "Tactile passwords could stop ATM 'shoulder-surfing'," for more information and a link to a video that shows how it works.
- posted by
Mark Joseph Edwards
Make some time in your schedule. Microsoft will release 11 security updates next week, some rated critical. Let's hope they patch the hole in the Windows Shell.
Here's what the company has to say about the updates. There will be:
* Six Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.
* Four Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
* One Microsoft Security Bulletin affecting Microsoft .NET Framework. The highest Maximum Severity rating for this is Moderate. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.
* Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS). - posted by
Mark Joseph Edwards
Some of the biggest challenges for IT pros these days include identity management, single sign-on, and Windows and Linux interoperability. A heterogeneous network presents a lot of challenges, but few are insurmountable, especially if you get some good advice. Remember the adage, "Smart people learn from their own mistakes, geniuses learn from the mistakes of others"? That certainly applies to the realm of IT administration.
Check out the TechX World roadshow - you'll undoubtedly gain some valuable insight. There will be tracks covering the challenges I mentioned, plus there will be tracks on virtualization. You should check those out along with the others particularly since virtualization can be a big help in both keeping systems secure and recovering from all sorts of problems quickly.
TechX World takes place in Washington DC on October 24, Chicago on October 26, Dallas on October 31, and San Francisco on November 2. Check it out! - posted by
Mark Joseph Edwards
The number of malicious Web sites is on the rise, and with toolkits available to create them it's really no wonder. According to Websense, the number of malicious sites increased by 100% during the first half of 2006. Of the malicious sites detected by Websense, 15% were created using ready-made toolkits, which can be had for anywhere from $30 to $3000. That cost is a drop in the bucket compared to the money raked in by the ilk who establish such sites.
Besides making it easy to establish malicious sites, the toolkits make it possible for marginally knowledgeable people to become criminals. So in other words people who normally wouldn't do such things jump right into the fray, probably without much hesitation.
Another interesting figure revealed by Websense is that of all the malicious sites designed to steal user credentials (including banking info, etc) 40% were hosted on compromised systems!
I'll post some more about this later this week. - posted by
Mark Joseph Edwards
On September 27, 2006, the Mozilla Foundation announced the availability of Firefox 2.0 Release Candidate 1 (RC1). Paul Kim, Director of Product Marketing for Mozilla Corporation, said "Web application developers, our testing community, and users who want to get a sneak peek at the next version of Firefox should download and install this release candidate."
Kim points out that since Firefox 2.0 is still in development some of your extensions, plugins and themes from previous versions of Firefox might not work properly. Nevertheless here's a list of some of the improvements you can expect to see in the new version:
* A new theme that updates Firefox's familiar interface
* Built-in Phishing Protection
* Enhanced search engine management and search suggestions for Google, Yahoo! and Answers.com
* Improvements to tabbed browsing, including the ability to re-open recently closed tabs
* Firefox will resume from where you left off after a system crash or browser restart
* Better support for previewing and subscribing to Web feeds
* Inline spell checking in Web forms
* The ability to create bookmarks with "Live Titles" for Web sites that offer microsummaries
* New Add-ons manager that simplifies management of extensions and themes
* Support for JavaScript 1.7
* Extended search plugin format
* Updates to the extension system to provide enhanced security and to allow for easier localization of extensions
* Support for client-side session and persistent storage
* Support for SVG text using svg:textPath
* New Windows installer based on Nullsoft Scriptable Install System
WindowsZones is a new tool that claims to be able to protect Internet applications against 0-day exploits and to move those applications between security zones on-the-fly. The literature on the site says it protects browsers, email clients, instant messaging applications, peer-to-peer download clients, and more.
The tool is currently in beta and is planned for commercial release sometime in October. You can download a copy to test at the WindowsZones Web site. - posted by
Mark Joseph Edwards
Yet another 0-day vulnerability is being actively exploited. This one, discovered only a few days after the previous one, lets intruders install shell code and from there a whole slew of bad things can happen. Be sure you're protected!
Read our related news story, "IE Vulnerable to Remote Code Execution," and Microsoft's associated Security Advisory (linked in the news story) and take defensive measures. If you missed the previous report, issued on September 15, then be sure to read that one too.
- posted by
Mark Joseph Edwards