mb

A CAPTCHA Nightmare

What distinguishes an effective CAPTCHA from a poor CAPTCHA is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAs I see out there fail on one of those two counts.

But while I thought I had seen the worst CAPTCHAs ever, I stumbled across RapidShare’s new CAPTCHA. Now in the past I have actually praised their CAPTCHA because it was so user-friendly. It wasn’t case-sensitive and when there were ambiguous characters (number 0 vs letter o), it always seemed to work.

Obviously the CAPTCHA was flawed and a number of people wrote some bots and other tools to bypass it. RapidShare felt a need to tighten things up a bit so they came up with the Cat CAPTCHA:

Cat CAPTCHA

Now it is important to note that if you are not a RapidShare member you often have to wait to be able to download a file. In this case I had to wait three minutes before I even got to the point where I could enter the CAPTCHA. Already thinking this was an annoying CAPTCHA, I also grabbed a screenshot.

Now if you look closely, it says to enter all letters having the image of a cat. Looking at the image, I saw both numbers and letters so, while it made me pause and think more than most CAPTCHAs would, I figured the answer was NTPS. The caption says there are four letters, the text box limits your input to four characters, everything was all caps, and so I figured I was all set.

It turned out that NTPS wasn’t the correct answer and it put me back into the queue to wait another three minutes. After the timer finished counting down, RapidShare presented me with another CAPTCHA to solve:

RapidShare CAPTCHA

This CAPTCHA was all letters and they all had little cats on them so this seemed easier, but as I started typing I remembered that the text input box only allowed four characters. So which four are the answer? I tried the first four but that didn’t work.

Thinking it might be a browser issue, I tried different browsers, but quickly discovered that after three failures it locks you out. And it doesn’t do this based on a cookie; it’s based on your IP address! Being behind a NAT’d connection, I guess I just locked out my entire ISP from using RapidShare.

At this point I did some searching and found out that I am just one of hundreds of people blogging about this.

It turns out that I wasn’t being too careful because what RapidShare doesn’t tell you is that some of those images on the letters are actually dogs, not cats. I must be a bot.

Looking (very) closely, I finally determined that the correct answer to the CAPTCHA above would have been NERW. Geez, they could at least start showing the CAPTCHA during the countdown so you can get started working on it.

This CAPTCHA fails in so many ways it is amazing:

  1. They rely too much on their description, which pretty much eliminates anyone who doesn’t speak that language.
  2. They lock you out by IP address.
  3. If you have to squint or enlarge the picture to figure out the CAPTCHA then something is probably wrong. Try entering this thing on your iPhone outside in the sun.
  4. If someone needs to post on Yahoo! Answers to figure out your CAPTCHA then something is probably wrong.
  5. If a Yahoo! search for “rapidshare captcha” returns 79,500 results, then something is probably wrong.
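To make the second failure above concrete, here is an added example (not RapidShare’s code, and not from the original post) that simulates two users behind one NAT address. One gate counts failures per IP, as the post describes, so three wrong answers from one user lock everyone sharing that address; the other counts failures per challenge token and only throttles an IP after a much larger budget in a time window. The limits, the documentation IP address, and the challenge ids are constructed; the answers are borrowed from the post.

```python
import time
from collections import defaultdict

MAX_PER_CHALLENGE = 3     # wrong answers before this challenge is voided
MAX_PER_IP_WINDOW = 100   # constructed: failures per IP before throttling
WINDOW_SECONDS = 600      # constructed sliding window for the IP budget


class CaptchaGate:
    """Failures are counted per challenge token; the IP is only throttled
    after MAX_PER_IP_WINDOW failures inside the window (abuse, not a typo)."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(int)     # challenge_id -> failed tries
        self.ip_events = defaultdict(list)   # ip -> timestamps of failures

    def ip_throttled(self, ip):
        cutoff = self.now() - WINDOW_SECONDS
        self.ip_events[ip] = [t for t in self.ip_events[ip] if t > cutoff]
        return len(self.ip_events[ip]) >= MAX_PER_IP_WINDOW

    def attempt(self, ip, challenge_id, answer, expected):
        if self.ip_throttled(ip):
            return "throttled"
        if self.failures[challenge_id] >= MAX_PER_CHALLENGE:
            return "challenge_locked"
        if answer.strip().upper() == expected:   # case-insensitive, as the old one
            self.failures.pop(challenge_id, None)
            return "ok"
        self.failures[challenge_id] += 1
        self.ip_events[ip].append(self.now())
        return "wrong"


class IpKeyedGate:
    """The behaviour the post describes: three failures from one IP lock
    every client behind that address, NAT or not."""

    def __init__(self):
        self.failures = defaultdict(int)   # ip -> failed tries

    def attempt(self, ip, challenge_id, answer, expected):
        if self.failures[ip] >= 3:
            return "ip_locked"
        if answer.strip().upper() == expected:
            return "ok"
        self.failures[ip] += 1
        return "wrong"


def simulate(gate):
    """User A fails three times from a shared NAT address, then user B
    answers correctly from the same address. Returns B's result."""
    nat_ip = "203.0.113.5"   # constructed documentation address
    for _ in range(3):
        gate.attempt(nat_ip, "chal-A", "NTPS", "NERW")
    return gate.attempt(nat_ip, "chal-B", "nerw", "NERW")
```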

RapidShare’s response to the issue is this:

“As every free user should have noticed, we are experimenting once again with the CAPTCHA system. The reason is that RapidShare is popular enough for people to create tools to download from RapidShare as a free user as if they were a premium user. This has a negative impact for our paying premium users, since they expect a fast download.”

In the meantime they are probably losing a lot of visitors and completely destroying the already fragile user experience with CAPTCHAs.

So many Windows to break

I just finished writing patch reports for Windows systems I must support for my clients or for my own business. After you put together all the Vistas, XP’s, 2000’s, 2003’s, SP’s, R2’s, x64’s, and IE6 and 7’s, the list of patches that need testing is quite long. And confusing.
Fortunately I don’t have to support any Itanium systems. Nor do I have to deal with XP Media Center, XP Tablet, Small Business Server, Home-editions, or non-English versions. So there are people much worse off than me. I do, however, have to deal with patching Office XP, 2003 and 2007.

And it seems that very soon we will have to address Windows 7, which could come as soon as next year, and Microsoft has extended the availability of XP Home for ultra-low-cost PCs up to June 2010, so those XP patches could still be around for quite some time.

Nevertheless, I imagine that my headache is nothing compared to what Microsoft has to deal with getting ready for Patch Tuesday. While Microsoft has made tremendous progress in patch management over the last five years, this obviously is an area with lots of room for improvement.

10 Ways to add to my paranoia

A couple of years ago I wrote an article at SecurityFocus.com about my security paranoia, which ended up in a lot of people thinking I went way too far and perhaps needed some mental help. In the article I wrote that instead of the word paranoia, I prefer meticulous precaution.

With astronomical growth in spyware and an increase in search engine poisoning, how is my meticulous precaution doing? Well, it’s just plain paranoia now.

So in addition to all the well-known best practices and the stuff I mentioned a couple years ago, here are some additional precautions I feel compelled to take:

1. I have an isolated virtual machine always open that I use just for e-mail and instant messaging. This machine is a member of my domain because I need to move stuff in and out of there so often, but firewall rules and other precautions limit its exposure. Plus I never browse the web from this machine.

2. I have another virtual machine always open for general web browsing and downloading. In this VM I have IE7, Firefox, Netscape, Opera, and Safari installed, as well as all the file downloaders, proxies, filters, and anything else cool I find. The browser security settings themselves are moderately secure, but relaxed enough for good web compatibility. This is where I do all my web 2.0 stuff.

3. I have another extremely isolated and extremely hardened virtual machine for more adventurous web browsing and other risky internet stuff. Just IE7 and Firefox here but lots of scanners, blockers, filters, and just about every security-related add-in I can find. I usually keep scripts, active content, and even images turned off in the browsers. Oh yeah and this vm isn’t even on my physical machine here, it’s at my data center and I connect to it via Terminal Services.

4. And of course I have a separate virtual machine on standby (suspended) for all my financial stuff. There are also a few other VMs I keep on standby for other dedicated and potentially sensitive tasks. All these virtual machines mean I need 4GB RAM and 3 monitors to get any work done.

5. Speaking of financial stuff, whenever I create a new financial account, I set up a new e-mail alias just for that account. In the case of PayPal, I created the account under that unique e-mail address but I added several other e-mail aliases that I can give out to people when they pay me so I never have to reveal my secret login address. When I get an e-mail from PayPal to any address but the secret one my Outlook rules will automatically discard it. And speaking of PayPal, I highly recommend spending five bucks to get a security key for your account.

6. I also use secret e-mail addresses for handling sensitive information. The fact that GMail keeps every e-mail forever is kind of scary, especially since it is a web-based app that could so easily fall prey to cross-site scripting or similar attacks. This is especially a problem because so many web sites insist on sending you a plaintext e-mail with the account information you just set.

So I have an incoming mail filter on my GMail account that looks for words like “password” and “login information,” automatically forwards them on to another non-public e-mail address, and then deletes GMail’s archive copy. If you use Gmail, do a search for “password” and see what it comes up with. In case you were wondering, yes I do need a spreadsheet to keep track of all my e-mail accounts.

7. I frequently exit out of then re-open my web browsers, which are set to clear cache, history, and cookies upon exiting. I don’t want some cross-site scripting attack stealing any session cookies. And I never log out from a sensitive web site, I always exit the browser.

8. Occasionally I use the snapshots feature of VMWare to roll back the OS partition of my most sensitive machines. It’s my version of a Crazy Ivan.

9. And most importantly I back up frequently so I have no problem wiping a machine and starting from scratch if I suspect a malware infection or security breach.

10. Ok, well I’m withholding number 10 because I’m just too paranoid to tell you about it.

Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind me but it never did. Great, I was driving down the freeway with a box stuck to my car.

Why I miss hacking

I have a problem with my two-year-old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, patting us on our heads.

It’s not like we haven’t tried containing him. It started when he wouldn’t go down for naps. As a quick fix I just hooked a bungee cord from his door to the closet door in the hall, which really didn’t work and was probably kind of dangerous.

Mandatory Integrity Control

I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model.

This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of bed, I grabbed the remote control and started up the DVR recording of the Super Bowl. As my eyes were still trying to focus, I sped forward to the first commercial break then hit play.

For those of you who have been waiting for SP1 before you move to Vista, that time has come:

http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx

Some of you who know me know I have four kids—all boys. Now when you have four brothers growing up together under the same roof there is a lot of competition. In some families this competition would be with sports or academic achievement. In my house the competition is who has the best password.

I thought I would share a tool I had developed a while back as part of my Windows lockdown procedure. Deleting files that are in use and particularly WFP-protected files can be a pain and the methods vary with each version of Windows.

X-Out is a simple utility that makes the process more consistent by deleting files using a native application that runs very early in the Windows boot process (the same place where autochk runs). At this point there are no file permissions or applications to get in the way. Even Windows won’t stop you from deleting the files you want.

When Windows starts, it will see that those files are not there and therefore will not configure WFP to monitor those files.

You can download X-Out here.

In case you haven’t noticed, in the last few years Microsoft has released a number of different client protection tools. First it was Windows Defender, then OneCare, and now we are seeing a big push on the Forefront product line. In fact, there are a number of tools that provide overlapping client protection.

In my last post I vented some Vista complaints I had. One of those was how Microsoft changes the Start Menu with every version of Windows. In fact, after writing that I did a personal protest and changed the properties of the Start Menu to use the Classic Start Menu, which is the same one we had with Windows 2000. I was very pleased with what I had done.

Vista has had some pretty bad press this year, some people blame Microsoft for initially overhyping but eventually poorly marketing the OS, some blame the “I’m a Mac” commercials, and some blame the security features. As for me, I just find it to be too rough around the edges.

Fun with open proxies

I was recently playing around with web proxies at my data center lab and got an idea to open up a couple of anonymous proxies to see how long it would take for someone to start exploiting them. I fired up two anonymous proxies, using 3APA3A’s very cool and very tiny 3proxy tool, on adjacent IP addresses, each listening on port 8080.

Today I was looking at a post at cryptome.org that shows all the IP addresses controlled by or somehow affiliated with the NSA. I had seen previous versions of this post and at first glance it seemed like someone did a lot of work to gather all of that detailed info. So today I was browsing through the latest update of this list and started to get suspicious of the content.

Seeing the sheer number of addresses and that there was no apparent basis for selecting which IP addresses made the list, I set out to prove that this guy was either just some conspiracy nut or this whole list was nothing more than a hoax. I extracted all the IP address ranges from the document, sorted them, and compared them to the list of IANA’s IPv4 assignments. It turns out that the NSA list includes most of the allocated IPv4 address space with the exception of 15 or so class A and a few dozen class B networks.
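As an added example (not the post’s own code), here is the comparison the paragraph describes in Python: pull IPv4 ranges out of free text, sort and merge them, and check how much of each allocated /8 (class A) block they cover. The input text is constructed, and a short constructed list of /8s stands in for the IANA IPv4 assignment registry.

```python
import ipaddress
import re

# Constructed sample in the style of a list quoted in free text; these are
# not values from the cryptome post.
SAMPLE_TEXT = """
Alleged ranges: 10.0.0.0 - 10.255.255.255, then 172.16.0.0/12,
also 192.168.0.0 - 192.168.255.255 and 8.0.0.0/8 plus 9.0.0.0/8
(8.8.8.0/24 is listed again inside a bigger block)
"""

# Constructed stand-in for IANA's registry: a handful of "allocated" /8s.
ALLOCATED = [ipaddress.IPv4Network(b) for b in (
    "8.0.0.0/8", "9.0.0.0/8", "10.0.0.0/8", "11.0.0.0/8",
    "44.0.0.0/8", "172.0.0.0/8", "192.0.0.0/8")]

OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
DASH_RANGE = re.compile(rf"({OCTETS})\s*-\s*({OCTETS})")
CIDR = re.compile(rf"({OCTETS}/\d{{1,2}})")


def extract_networks(text):
    """Find 'a - b' ranges and CIDR blocks, return them sorted and merged
    (overlaps and adjacent blocks collapsed, e.g. 8/8 + 9/8 -> 8/7)."""
    nets = []
    for lo, hi in DASH_RANGE.findall(text):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    for cidr in CIDR.findall(text):
        nets.append(ipaddress.IPv4Network(cidr, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def covered_addresses(nets, block):
    """Addresses of `block` that fall inside the merged ranges. CIDR blocks
    either nest or are disjoint, so only the two nesting cases matter."""
    total = 0
    for n in nets:
        if n.subnet_of(block):
            total += n.num_addresses
        elif block.subnet_of(n):
            total += block.num_addresses
    return total


def coverage_by_block(nets, allocated):
    """Fraction of each allocated block covered by the extracted ranges."""
    return {str(b): covered_addresses(nets, b) / b.num_addresses for b in allocated}


def uncovered_blocks(nets, allocated):
    """Allocated blocks the list does not touch at all (the post's '15 or so')."""
    return [str(b) for b in allocated if covered_addresses(nets, b) == 0]
```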
