Windows Vista Security Inherently Indeterminate?

on 02.10.2006 16:14:46 by BC

Symantec and McAfee are complaining about being
locked out of certain kernel processes in the new
upcoming version of Windows, Vista:
http://technology.guardian.co.uk/weekly/story/0,,1882019,00.html
http://macdailynews.com/index.php/weblog/comments/11096

What I'm wondering about is that if Microsoft is going
to keep such key info about Vista to itself, and if
Symantec and McAfee are correct in that this at the
least limits their security products, then how will it be
possible to determine how secure a Vista workstation
will be in a sensitive environment? Just take Microsoft's
word on it? Hope that your firewall product will detect
anomalous network behavior, and....but then how would
you determine if a certain PC was causing it if you can't
scan it thoroughly with tried and true products?

Hmmm....

-BC

Re: Windows Vista Security Inherently Indeterminate?

on 02.10.2006 17:50:22 by unknown

Post removed (X-No-Archive: yes)

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 01:56:52 by BC

Sebastian Gottschalk wrote:
> BC wrote:
>
> > Symantec and McAfee are complaining about being
> > locked out of certain kernel processes in the new
> > upcoming version of Windows, Vista:
> > http://technology.guardian.co.uk/weekly/story/0,,1882019,00.html
> > http://macdailynews.com/index.php/weblog/comments/11096
> >
> > What I'm wondering about is that if Microsoft is going
> > to keep such key info about Vista to itself, and if
> > Symantec and McAfee are correct in that this at the
> > least limits their security products, then how will it be
> > possible to determine how secure a Vista workstation
> > will be in a sensitive environment?
>
> Not at all. Trivial steps for an evil guy:
>
> 1. call VeriSign via anonymous telephone
> 2. claim that you're a big company and that you need a cert signed
> 3. send it in via anonymous email, get the signature mailed back via
> anonymous email
> 4. sign your malware
> 5. infect some Vista boxes by catching idiots who're using IE on the
> internet
> 6. install the malware, load the rootkit
> 7. Congratulations, you got a botnet.
> 8. ...
> 9. PROFIT!!!
>
> > Hope that your firewall product will detect anomalous network behavior
>
> Hope that yours doesn't.
>
> > but then how would
> > you determine if a certain PC was causing it if you can't
> > scan it thoroughly with tried and true products?
>
> Wait, you were talking about McAfee and Symantec first...
>
>
> Strange enough, this is total nonsense. Those big companies can easily
> afford a VeriSign certificate, sign their malware^W"security products" and
> then could load it into kernel mode however they like.
>
> The real problem is that this nonsense locks out relevant FOSS software
> like WinPCap and TrueCrypt, as well as relevant patches to kernel-mode
> drivers (anyone said tcpip.sys?) - and doesn't lock out malicious guys as
> promised.

I'm not exactly a big fan of suckware like McAfee and
Symantec, but those two, despite their obvious self-
serving interests, get some credit for making a fuss and
drawing attention to this. I am so uncomfortable with the
idea of a PC attached to the network with essentially a
black box at its core doing all sorts of stuff I would not
be sure about being legitimate or not. I'm sure there will
be some clever reverse engineering to get some trusty
utility apps working again, but then clever hackers and
virus writers will probably be able to do likewise. And
then what? Wait 'til Tuesday?

Ughh....

-BC

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 04:32:45 by Volker Birk

BC wrote:
> I am so uncomfortable with the
> idea of a PC attached to the network with essentially a
> black box at its core doing all sorts of stuff I would not
> be sure about being legitimate or not.

So just use Free Software. There are enough operating systems out there,
where you can see the complete source code.

Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 07:30:13 by Imhotep

Volker Birk wrote:

> BC wrote:
>> I am so uncomfortable with the
>> idea of a PC attached to the network with essentially a
>> black box at its core doing all sorts of stuff I would not
>> be sure about being legitimate or not.
>
> So just use Free Software. There are enough operating systems out there,
> where you can see the complete source code.
>
> Yours,
> VB.


...not to mention those operating systems run quite well...


Imhotep

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 08:21:12 by unknown

Post removed (X-No-Archive: yes)

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 12:41:05 by david20

In article <4oeds5Fe7io6U1@news.dfncis.de>, Sebastian Gottschalk writes:
>BC wrote:
>
>> I'm sure there will be some clever reverse engineering to get some trusty
>> utility apps working again, but then clever hackers and virus writers
>> will probably be able to do likewise.
>
>As I already mentioned, the evil guys can simply acquire a certificate from
>VeriSign. Thank you, Microsoft, for choosing the most incompetent CA.


Come on, this was over 5 years ago now.

http://www.verisign.com/support/advisories/authenticodefraud.html



David Webb
Security team leader
CCSS
Middlesex University

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 12:47:44 by unknown

Post removed (X-No-Archive: yes)

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 13:20:57 by david20

In article <4oetg1Fea96iU1@news.dfncis.de>, Sebastian Gottschalk writes:
>david20@alpha2.mdx.ac.uk wrote:
>
>> In article <4oeds5Fe7io6U1@news.dfncis.de>, Sebastian Gottschalk writes:
>>>BC wrote:
>>>
>>>> I'm sure there will be some clever reverse engineering to get some trusty
>>>> utility apps working again, but then clever hackers and virus writers
>>>> will probably be able to do likewise.
>>>
>>>As I already mentioned, the evil guys can simply acquire a certificate from
>>>VeriSign. Thank you, Microsoft, for choosing the most incompetent CA.
>>
>> Come on, this was over 5 years ago now.
>>
>> http://www.verisign.com/support/advisories/authenticodefraud.html
>
>It was 5 years ago since the still ongoing series of such incidents
>started.

Please post details of subsequent incidents where Verisign has signed
certificates for someone falsely claiming to be Microsoft.

I can't say I particularly like any of the CAs, and Verisign has abused its
power in the past - such as with its wildcarded A records for the .com and
.net top level domains. But still attacking them for this incident with the
"Microsoft certificates" after five years seems excessive.


David Webb
Security team leader
CCSS
Middlesex University

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 14:05:05 by BC

david20@alpha2.mdx.ac.uk wrote:
> In article <4oetg1Fea96iU1@news.dfncis.de>, Sebastian Gottschalk writes:
> >david20@alpha2.mdx.ac.uk wrote:
> >
> >> In article <4oeds5Fe7io6U1@news.dfncis.de>, Sebastian Gottschalk writes:
> >>>BC wrote:
> >>>
> >>>> I'm sure there will be some clever reverse engineering to get some trusty
> >>>> utility apps working again, but then clever hackers and virus writers
> >>>> will probably be able to do likewise.
> >>>
> >>>As I already mentioned, the evil guys can simply acquire a certificate from
> >>>VeriSign. Thank you, Microsoft, for choosing the most incompetent CA.
> >>
> >> Come on, this was over 5 years ago now.
> >>
> >> http://www.verisign.com/support/advisories/authenticodefraud.html
> >
> >It was 5 years ago since the still ongoing series of such incidents
> >started.
>
> Please post details of subsequent incidents where Verisign has signed
> certificates for someone falsely claiming to be Microsoft.
>

Well, maybe not Microsoft, but there was this from
the latter part of 2002, and it doesn't exactly comfort:
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73996,00.html

-BC

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 16:31:28 by david20

In article <1159877105.844452.260690@i42g2000cwa.googlegroups.com>, "BC" writes:
>
>david20@alpha2.mdx.ac.uk wrote:
>> In article <4oetg1Fea96iU1@news.dfncis.de>, Sebastian Gottschalk writes:
>> >david20@alpha2.mdx.ac.uk wrote:
>> >
>> >> In article <4oeds5Fe7io6U1@news.dfncis.de>, Sebastian Gottschalk writes:
>> >>>BC wrote:
>> >>>
>> >>>> I'm sure there will be some clever reverse engineering to get some trusty
>> >>>> utility apps working again, but then clever hackers and virus writers
>> >>>> will probably be able to do likewise.
>> >>>
>> >>>As I already mentioned, the evil guys can simply acquire a certificate from
>> >>>VeriSign. Thank you, Microsoft, for choosing the most incompetent CA.
>> >>
>> >> Come on, this was over 5 years ago now.
>> >>
>> >> http://www.verisign.com/support/advisories/authenticodefraud.html
>> >
>> >It was 5 years ago since the still ongoing series of such incidents
>> >started.
>>
>> Please post details of subsequent incidents where Verisign has signed
>> certificates for someone falsely claiming to be Microsoft.
>>
>
>Well, maybe not Microsoft, but there was this from
>the latter part of 2002, and it doesn't exactly comfort:
>http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73996,00.html
>

Rather a different issue. Microsoft's software had a rather big flaw.
But in essence it isn't that much different to the recently reported openssl
flaw

http://www.openssl.org/news/secadv_20060905.txt

which amongst other things affects lots of open source browsers

http://www.cdc.informatik.tu-darmstadt.de/securebrowser/

For once IE isn't affected.


David Webb
Security team leader
CCSS
Middlesex University


>-BC
>

Re: Windows Vista Security Inherently Indeterminate?

on 03.10.2006 18:14:39 by BC

david20@alpha2.mdx.ac.uk wrote:
> In article <1159877105.844452.260690@i42g2000cwa.googlegroups.com>, "BC" writes:
> >
> >david20@alpha2.mdx.ac.uk wrote:
> >> In article <4oetg1Fea96iU1@news.dfncis.de>, Sebastian Gottschalk writes:
> >> >david20@alpha2.mdx.ac.uk wrote:
> >> >
> >> >> In article <4oeds5Fe7io6U1@news.dfncis.de>, Sebastian Gottschalk writes:
> >> >>>BC wrote:
> >> >>>
> >> >>>> I'm sure there will be some clever reverse engineering to get some trusty
> >> >>>> utility apps working again, but then clever hackers and virus writers
> >> >>>> will probably be able to do likewise.
> >> >>>
> >> >>>As I already mentioned, the evil guys can simply acquire a certificate from
> >> >>>VeriSign. Thank you, Microsoft, for choosing the most incompetent CA.
> >> >>
> >> >> Come on, this was over 5 years ago now.
> >> >>
> >> >> http://www.verisign.com/support/advisories/authenticodefraud.html
> >> >
> >> >It was 5 years ago since the still ongoing series of such incidents
> >> >started.
> >>
> >> Please post details of subsequent incidents where Verisign has signed
> >> certificates for someone falsely claiming to be Microsoft.
> >>
> >
> >Well, maybe not Microsoft, but there was this from
> >the latter part of 2002, and it doesn't exactly comfort:
> >http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73996,00.html
> >
>
> Rather a different issue. Microsoft's software had a rather big flaw.
> But in essence it isn't that much different to the recently reported openssl
> flaw
>
> http://www.openssl.org/news/secadv_20060905.txt
>
> which amongst other things affects lots of open source browsers
>
> http://www.cdc.informatik.tu-darmstadt.de/securebrowser/
>
> For once IE isn't affected.
>

But wasn't that 2002 problem more germane to the
risks of Vista having a kernel that'll be off-limits to
3rd party monitoring and security scans?

-BC