Tom Olzak

Posts Tagged ‘Vista’

Protecting core productivity apps with EMET

In Uncategorized on October 29, 2009 at 11:02

This week Microsoft released a toolkit designed to help IT professionals protect systems from common threats.  Named the Enhanced Mitigation Evaluation Toolkit (EMET), this little gem is easy to implement, once you install the very small executables on your workstations.

Before I walk you through setting up Firefox, I want to take a minute to tell you why you should care about this.

Why you should care

In its initial release, EMET protects against exploitation of four common attack vectors.  Once an application is “configured,” the behavior an exploit needs in order to compromise the system is blocked.  The following information is from readme.rtf, included in the downloadable EMET .zip file:

  1. SEHOP – Structured exception handling (SEH) chain validation breaks SEH overwrite exploitation techniques.
  2. Dynamic DEP – Certain portions of memory are marked as non-executable.  Using EMET, you can target specific applications instead of fighting with compatibility issues caused by setting DEP in the BIOS.
  3. Null page allocation – Attackers are blocked from taking advantage of NULL dereferences in user mode.
  4. Heap spray allocation – Heap spraying involves filling a process’ heap with specially crafted content to aid system exploitation.  EMET pre-allocates those memory addresses and blocks these attacks.

Although Microsoft hasn’t tested all possible applications, they have successfully tested the following:

  1. iexplore.exe (IE) – although there are apparently some problems getting IE to behave all the time.
  2. winword.exe (Word)
  3. excel.exe
  4. acrord32.exe (Acrobat Reader)
  5. firefox.exe
  6. outlook.exe
  7. powerpnt.exe

The developers of EMET warn it isn’t for everyone.  Since EMET turns off functionality some applications may need to work as expected, it should only be used by IT personnel willing and able to work through possible issues.

Using EMET

Using EMET starts with a quick download of a .zip file.  Extract the files into a folder that is not generally accessible; this helps keep unwanted visitors to the target system from tampering with them.

Once I extracted the files on my Windows 7 Ultimate desktop, I was in such a big hurry to start testing I forgot about my “new enhanced” security.  EMET is run from a command prompt and requires elevated privileges.  So my initial run was thwarted until I performed the following steps to bring up a command line window with the proper permissions:

  1. Click Start
  2. Type Command Prompt in the search field.
  3. Right click on Command Prompt at the top of the programs list to bring up the window shown below.

    [Figure 1: the Command Prompt right-click menu]

  4. Click Run as administrator

I then followed the simple example in the readme document to protect Firefox, as shown in Figure 2.

[Figure 2: the EMET command line]

Pressing Enter resulted in a successful run of EMET.  I confirmed this by listing all protected applications.  See Figure 3.

[Figure 3: the list of protected applications, showing Firefox]

That’s all there is to it.  EMET works with

  • 32-bit Windows XP, Server 2003, Server 2008, Vista and Windows 7
  • 64-bit Vista, Windows 7 and Windows 2008 R2
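As an added example (my own script, not part of the post or of the EMET toolkit), the following PowerShell checks the conditions the walk-through above depends on before EMET is run: that the prompt is actually elevated, what the system-wide DEP policy is (the setting EMET lets you leave alone while opting individual executables in), whether system-wide SEHOP is on, and that the executable you intend to protect exists. It reads the DEP values from the Win32_OperatingSystem WMI class and the SEHOP switch from the DisableExceptionChainValidation registry value; the Firefox install path is an assumption.

```powershell
# Added example, not from the post or the EMET readme.
# Checks the baseline that EMET's per-application mitigations sit on top of.

function Test-IsElevated {
    # EMET is run from an elevated prompt (Figure 1); confirm that first.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DepPolicy {
    # Win32_OperatingSystem reports the system-wide DEP policy that EMET
    # lets you leave alone while still opting individual executables in:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-SehopState {
    # System-wide SEHOP switch (Microsoft KB956607). When the value is absent
    # the OS default applies: on for Server 2008/R2, off for Vista/7 clients.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.DisableExceptionChainValidation) {
        return 'OS default (DisableExceptionChainValidation not set)'
    }
    if ($item.DisableExceptionChainValidation -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Test-ProtectTarget([string]$Path) {
    # EMET is given the executable's full path, so confirm the file exists
    # before adding it to the protected list.
    return (Test-Path -LiteralPath $Path -PathType Leaf)
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: reopen the prompt with "Run as administrator" before running EMET.'
}
Get-DepPolicy | Format-List
"System-wide SEHOP: $(Get-SehopState)"
# Assumed install path; on 64-bit Windows a 32-bit Firefox lives under Program Files (x86).
$firefox = Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe'
"Target present ($firefox): $(Test-ProtectTarget $firefox)"
```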

One-Time Passwords are Not Foolproof

In Access Controls, Cybercrime, Hacking, malware, Password Management on September 18, 2009 at 09:47
Credit: Technology Review

Many of us started using one-time password devices some time ago.  They typically take the form of “footballs” or smartcards and generate a random—or pseudorandom—string used only as a password for one session login.  This was considered to be “safe enough.”  But now we might have to rethink our approach.

In a recent article, Robert Lemos describes an actual theft carried out with a Trojan that rides one-time password sessions.

The theft happened despite Ferma’s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs–real-time Trojan horses–that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. “I think it’s a broken model,” Ferrari says.

Source: Real-Time Hackers Foil Two-Factor Security, Robert Lemos, Technology Review, 18 September 2009

The use of multiple factors of authentication is often viewed as a panacea for sensitive data access control challenges.  However, it was only a matter of time before attackers found a way to exploit these methods.  So what do we do?  How can we ensure our business and personal systems are protected when we perform online transactions, like banking or accessing strategic business data?  There are multiple answers to this question, which implemented together provide a layered approach.

  1. Continue to use multi-factor authentication.  This is still a good way to thwart the majority of attempts to get to your data, and it’s far better than using only a traditional password.
  2. Keep patching and updating your AV solutions.  Patching is still one of the best ways to keep bad stuff off your endpoint devices.  Combined with AV (anti-malware) software, patching can smack down bad stuff crawling over the wire.
  3. Remove local admin access—even for you.  No one should browse the Web while logged in with an account that allows installation of anything on the desktop.  This is much easier with Windows Vista and Windows 7, but the large number of Windows XP systems still in use at the office and at home require some special effort to make this happen.
  4. Consider using a sandbox or virtual machine.  The best way to prevent unwanted software from making a home on your PC is to browse the Web with a browser running in a sandbox.  Products like Sandboxie provide a free solution for isolating any Internet activity to a work area with read-only access to the hard drive, system files, etc.  When finished, kill the sandbox and everything picked up along the way simply goes away.  Another approach is using virtual machines.  For home or home office, Sun’s VirtualBox is an excellent choice.  For larger businesses, VMware is an option.  However, beware of using the same sandbox or VM both for casual browsing and for accessing your bank account.  Remember, anything that installs itself in your VM or in your sandbox will function there just as it would on your actual desktop.

Anti-Forensics: Challenges for the Forensics Investigator

In Forensics on March 13, 2009 at 19:24

A Paul Henry video from 2006 in which he discusses encryption, steganography, disk wiping, and other methods used to thwart forensic investigation.

(Video is a little rough, but the information is valuable.)

Vista SP2: Why bother?

In Windows 7 on March 5, 2009 at 12:15

I’m reserving judgement about Vista SP2, for which a release candidate was just announced.  I’m not sure why I care if Windows 7 is on its way.  I installed Win7 beta last weekend.  I am very impressed.  Since I upgraded my only instance of Vista, I guess I’ll just pass on any Vista updates and stick with a beta which seems a better OS than Vista production releases.
