Information Security

Long time no see, lots of changes…

Ryan M. Hurst — Wed, 03 Mar 2010 23:53:52 GMT

It’s been a very long time since I posted to the blog, that’s because there have been a bunch of changes in my life.

As some of you may know I was divorced about a year ago, I essentially have sole custody of my son, I have lost 55 pounds, taken a new job where I do not work on Information Security and as a result of all of the above I spend very little time with things like Media Center and more time on things like cycling, hiking, skiing and so-on.

In any event, my hope is that this post clarifies why I “disappeared”.

As for the future of the blog, I have worked in Information Security almost my entire career and even though I no longer work in the area I still closely follow it and I expect to post here on these topics.

I do not expect, at least in the near future you will see much on Media, I do expect to see some posts come down the line about personal things and bits about my new job.

Thanks again,

Ryan

PB-TNC: A Posture Broker Protocol (PB) Compatible with TNC to be published tomorrow

Ryan M. Hurst — Wed, 03 Mar 2010 23:42:45 GMT

This week is RSA, the largest security conference in the world; this is the 1st year in a very long time I won’t be there but, this year Scott Charney included a focus on the Isolation of Infected Machines in his keynote.

The timing of this is excellent (for me) because a specification I worked on in the IETF around standardizing an evolution of one of the core protocols used in the Network Access Protection (NAP), the Microsoft uses in its product (and its own Networks) to isolate infected hosts on the network will be published tomorrow, in the meantime the final draft is here.

White Paper Published: Introduction to the Windows Biometric Framework

Ryan M. Hurst — Tue, 23 Dec 2008 18:39:41 GMT

We just recently published a new White Paper that provides a great Introduction to the Windows Biometric Framework.

Thinking outside-the-box, or loosing your privacy little by little

Ryan M. Hurst — Sun, 30 Nov 2008 07:31:04 GMT

I ran across a neat article on using Javascript and default CSS behaviors to infer what sites you frequent, this is not new, the earliest reference I could find of this was from 2006 but I bet this has been going on for much longer.

An example of analytics that can be applied to this data is that one follow is using your URL history to infer gender.

These are great examples of thinking outside the box and how privacy is an illusion (especially on the web).

Did you know you can disable the use of USB storage devices in Windows?

Ryan M. Hurst — Thu, 13 Nov 2008 10:28:17 GMT

Well to be honest the only way to really stop the use of external storage devices is to whip out your epoxy and fill all the external ports on a machine.

Any policy that is locally enforced is a policy that can be bypassed by an attacker with local administrative privileges or physical access.

Plus if the definition of an attacker also includes the authorized user of the machine there are vectors that do not involve physical media that can *and will* be used (email, IM, web, etc.) to get the data off the machine.

With that being said it is actually possible disable the use of USB storage devices in Windows, I know a few companies who actually do this when paired with Extrusion Prevention Systems and/or Information Rights Management (IRM) systems (Its important to note such systems are best effort also, I suppose information does want to be free??).

The mechanism I am speaking about is documented in KB823732, it is supported as of XP SP2 and once is set the devices function as read-only devices only.

People should think carefully before deploying such a policy, there are plenty of legitimate reasons to use USB drives and doing this and settings like this don't differentiate by use case.

How to tell if a volume is Bitlocker protected with TPM and PIN

Ryan M. Hurst — Wed, 12 Nov 2008 10:47:57 GMT

Today I was presented with a question, how can I tell if the OS volume is protected with Bitlocker a TPM and a PIN.

Since I could not sleep (its 2:30AM right now) I figured I would throw together a quick and dirty script that checks for that, it was pretty easy to do.

I started with the documentation for Win32_EncryptableVolume which I recall seeing previously in a unrelated mail at some point, from there I discovered the GetKeyProtectors method, I then did a search on Live for GetKeyProtectors and VBSCRIPT that was scoped to Microsoft.com domains.

This got me a handful of samples, I took one hacked it up and came up with this:

' --------------------------------------------------------------------------------
' Get configuration we will need
' --------------------------------------------------------------------------------
' Get the OS System Drive
set shell = WScript.CreateObject( "WScript.Shell" )
strDriveLetter = shell.ExpandEnvironmentStrings("%SystemDrive%")

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

' --------------------------------------------------------------------------------
' Get a list of volumes that could be bitlocker protected.
' --------------------------------------------------------------------------------

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now check if it was protected with a TPM and a PIN
' --------------------------------------------------------------------------------

nKeyProtectorTypeIn = 4 ' type associated with "TPM and Pin" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now return what we found.
' --------------------------------------------------------------------------------
On Error Resume Next 'handle unitialized array

If IsNull(aKeyProtectorIDs(0)) Then
    WScript.Echo "This volume is NOT TPM and PIN protected."
Else
    WScript.Echo "This volume IS TPM and PIN protected."
End If

From the time I decided to write the script, to the time I wrote it and tested it was about 15 to 20 minutes; the samples were great, the MSDN documentation was pretty decent too; all this without ever doing anything with Bitlocker before, WMI is great stuff.

I may never use this but if nothing else it was quick and fun to throw together, maybe it will help you.

What I have been up to for the last year...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:16 GMT

A year ago I announced I took a new job back in Windows Security, I have not had much chance to blog since I took the new job but even if I did have the time I could not talk about the stuff I had been working on.

But times are a bit different now, a week ago was the Professional Developers Conference and this week was WinHEC; these were really the 1st events where Windows 7 became a public thing so now its safe for me to talk about what I have been up to.

As I said in a previous post my groups mission is to build platform technologies and solutions that enable secure password-less authentication into Windows, networks and the applications built on our platform.

To that end over the last year we have defined and delivered a platform for Biometric Devices in Windows, the "Windows Biometric Framework", this has been one of the best projects I have worked on at Microsoft.

Its just amazing that a year ago we had a whiteboard drawing and now we have a full platform and solutions built on that platform with support from great partners like Upek and Authentec (there are others too but I can't name them yet).

The cool bits of this project are in the platform, not in the user interface but the part people get to see is always a good place to start, in the "Hardware and Sound" control panel you now see a Biometric Devices control panel applet:

It exposes a set of common tasks related to Biometric devices, these of course include "Use your fingerprint to log on to Windows".

The control panel applet itself includes a list of Biometric Units that are registered on the machine, this machine (my Lenovo X61) has a Upek based Biometric Unit, you can see it bellow:

From this location you can "Remove your fingerprint data" if you do not feel comfortable with this data being persisted on the machine, or you can manage/enroll fingers.

Currently the platform only supports fingerprint readers, but its designed to support other concepts like facial recognition, vein recognition, geometry, iris and more.

In future versions of Windows, as these technologies become more common I hope to see it expanded to include native support for them as well.

So far the feedback has been great, the solution is the fastest we have tested and it allows for these solutions to co-exist, so you can buy a laptop with a built in fingerprint sensor from one manufacturer and a mouse with a sensor from another and they can both work on the same machine, unfortunately today that's not normally the the case.

There is lots more in store for Strong Authentication in Windows 7 also, I will try to write more about this and other features in this area in the future.

Hah, this reminds me of some usability tests I have seen...

Ryan M. Hurst — Sun, 22 Jun 2008 06:06:03 GMT

Have you ever used Live? As a stock holder I hope so, when you register a Live ID or when you change your Live account password you are given a Password Quality Feedback Indicator, a couple friends of mine worked on this, feedback indicators are not new, but the Live one is the first one I had a chance to hear 1st hand about the design process used and how well such systems fair with users in usability tests.

In any event I ran across a blog post/cartoon on password validation that reminded me of this and made me chuckle, as such I decided it was worth sharing with you.

Cem has a interesting post on LifeLock

Ryan M. Hurst — Thu, 19 Jun 2008 05:58:21 GMT

My friend Cem over at Random Oracle has written a interesting post on LifeLock, I have written about these Identity Theft insurance companies before here.

I am personally signed up with Debix, I recently financed a car and it was awkward to get the financing setup because of the approval process compared to what it would be otherwise, that's really the point though, isn't it?

In any event, I can say at least in my case, I can see how the Debix brokering of the fraud alert provides a level of protection that I think is worth having, though in name of full disclosure I did not have to pay for the service and I have not gone through the personal evaluation process to determine what the cash value to me is as of yet.

I guess the real proof of value comes in when you have to claim the insurance and you see how awkward that process is.

In general though as you can see in my prior post on this topic I am a fan of such programs being underwritten by a company you know and trust, and LifeLock is self insured .

That being said there are many types of Identity Theft, and these services don't help protect you from all of them, though they do help in the case of financially oriented threats.

Check out Cem's post though, its worth a read.

Did you ever wonder who contributes to Internet standards?

Ryan M. Hurst — Thu, 19 Jun 2008 05:25:52 GMT

I stopped by the Malt and Vine tonight and picked up some interesting dark beers (I am a huge fan of stouts, porters and dark ales), and while sitting here enjoying a Dogfish Head World Wide Stout I figured I would look at IETF statistics (I am a wild one!).

Jari Arkko runs a great website that tracks this, its worth checking out some of the more interesting charts he has are the affiliation chart, the historical affiliation and of course there is me.

The author stats dont show contributions to specifications where a individual or company is not listed as a explicit author, and there are general (unpublished?) rules around how many authors can/should be listed so contributors often are relegated to a un-tracked acknowledgement sections or no reference at all (one can check news group archives to find many of these folks, they do matter).

So, like all statistics take these numbers with a grain of salt; don't get me wrong they do provide value, with that being said some things are so exaggerated you can't help but notice.

For example, look at the author distribution for CISCO relative to their closest peer (its 2.5 times!!); this is no surprise to anyone who has participated in the IETF, its pretty common to go into a hum (a consensus process in the IETF) and see a room with a bunch of CISCO people in it.

Another interesting thing to notice is the number of authors in a given company, Microsoft has 65 (making them/us #5) while CISCO has 255 (They are #1 in participation); that's not to say that more authors is better or worse, like all things the devil is in the details.

A couple statistics I think would be interesting, probably more interesting IMHO, would be a historical trend of standard velocity (how long standards take to get completed in the IETF over time) another would be some metric that showed specification vs. deployment on the internet.

Well back to my beer.