Posts tagged ‘hack’

Hackers STILL Continue To Hack Microsoft … This Time It’s SQL

Yep.  That’s right.  I’d only just done a blog entry on Microsoft being a popular target to hack, maybe because of the large market share or maybe because they just don’t fix bugs as well or as quickly, when what do you know … Microsoft’s SQL database (SQL Server 2000/2005) has been targeted as well with another vulnerability.  This time the shout out comes from SEC Consult in the form of Security Advisory 20081209-0.

It allows arbitrary code execution, already proven in a lab.  Nasty nasty.  Check out the link for more information.  But the basics are that by calling the extended stored procedure “sp_replwritetovarbin” and giving it uninitialized variables as parameters, you can trigger a memory write to a controlled location.  So, of course, the workaround is basically just removing the “sp_replwritetovarbin” extended stored procedure.  (Sure hope that you don’t use it.)  You can do that by running “execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'” as an administrator.  Microsoft’s own documentation on this is “Removing an Extended Stored Procedure from SQL Server.”

It’s not easy being Microsoft.  But it’s also no picnic using them…

Hackers Continue To Hack Microsoft … Go Figure. But Maybe You Should Protect Yourself.

The weather outside is frightful.  And so is security on an old Microsoft PC.  I know, that’s old news really.  Unpatched Microsoft PCs are honeypots.  Still, if one message could be gotten across to computer owners, it’s to patch their PCs!

So let’s start with what should be fairly obvious news.  Microsoft isn’t patching Internet Explorer 6 anymore.  They want you to use IE7 instead.  They support IE7.  (Even if IE6 was so much better in so many ways.)  So if you’re for some odd reason still using IE6, then you’re really wearing a big target that says, “Hack me!” See, you really are…

Okay, so that was the obvious.

Now let’s look at, say, Microsoft’s latest Patch Tuesday.  Specifically, let’s look at what it didn’t contain: A patch to fix a zero day vulnerability in IE7.  And this vulnerability is in the latest Windows Vista SP1 and Windows XP SP3.  It’s a security hole just waiting to be exploited.  …If you use IE.  If you use, say, Firefox, or Opera, then you’re safe from it.  But that pretty much goes without saying anyway.

Here’s one you might not expect though, and, again, it goes to show that keeping yourself updated means a lot.  WordPad is a security risk.  Yes, that’s right.  WordPad has an unpatched hole in its Word 97 document text converter which can be used to hack you silly.  Okay, so it requires you opening up an infected Word 97 file.  In WordPad.  (Does anyone even still use WordPad when OpenOffice is free?)  The thing is, if you have Windows XP Service Pack 3 or Windows Vista (or Windows Server 2008) then you’re safe.  It’s only older service packs (or lack thereof) of Windows XP or Windows 2000 that are at risk.  Have an up-to-date PC and you’re safe.  But still … WordPad.  WordPad!  Why the heck doesn’t Microsoft fix that little gem?

So, you see, security doesn’t just happen.  To be secure you have to do your own part.  You have to make sure that you’re getting your updates.  And with Windows Update set to automatic, I don’t think it’s ever been easier.  Staying up to date saves you from a lot of malicious evil nasty do-badders out there.  But even then, it doesn’t protect you from everything, just most things.  Surf safe.  Surf smart.  And keep up to date.

And, though I hate to say it, keep as much away from Microsoft as you can manage.

Mythbusters - Busted! No RFID For You!

Mythbusters will not air any more RFID myth shows.

The question is why?

Adam Savage first explained that when a meeting was set up with Texas Instruments to explore the hackability and reliability of RFID, TI included in the conference legal pitbulls from practically every major credit card company.  Who quickly chomped down on their asterisk.  It was said originally that it was Discovery networks that chose not to ever air another RFID episode again.

But now a slightly different version is floating around, which even Adam Savage supports now.  (Under what duress, however, cannot be determined.)  This version is that TI only invited one credit card representative to the conference call, because they could better explain how credit companies use the technology.  Technical questions were asked and answered as planned.  And supposedly there was no pressure whatsoever on Mythbusters to cancel their RFID show.

The story has changed further still: now it was Beyond Productions (the production company for Mythbusters) who pulled the plug on the RFID episode, and not Discovery.  And indeed, no RFID Mythbusters show will ever air again.

Uh huh.

Yeah.

I’m almost buying that.

(Sarcasm, by the way.  Just in case you couldn’t tell.)

Now I’m not saying that the truth doesn’t lie somewhere in the middle.  None of us outside know all of the facts.  But if there were no pressure from any lawyers, then why would anyone even consider cancelling the show?  Obviously there was support for the show originally, or else Mythbusters wouldn’t have tried to make it.  Something changed along the way.  If it wasn’t during the call with TI, then when was it?  If it wasn’t legal teams from major credit card companies, then who was it?

Hackers have already proven how easy it is to clone RFID chips, how easy it is to hack systems to glean information, and so forth.  These are not myths.  These have been done.  It’s bad enough when the RFID chips are in your little credit-keychain devices and cards that you just wave at a machine and don’t have to sign or type a thing.  Cloning those could cause serious annoyance.  (Only prevented from being more than an annoyance by limits on how much can be purchased in such a manner.)

But it’s much worse when you consider the new passports using RFID.  Doh!

It’s a serious issue.  And one that, apparently, big business is doing its best to make go away, when even myth heroes Adam Savage and Jamie Hyneman are stopped from telling you the truth.

PS. By the way, I seriously stress that if you feel a need to use any of these devices with RFID built in, that you at least keep them in an RF-shielded container when they are not being used.  These devices are designed to broadcast their information to any device which asks.  The security is atrocious as anyone, anywhere, can ping these devices as they sit in your wallet or purse.  Protect yourself.  Be secure.

And whenever possible, say no to RFID until these basic security issues are resolved.

Wired Claims Border Gateway Protocol Is “The Internet’s Biggest Security Hole”

Border Gateway Protocol (BGP) is not about showing your passport when you come from Mexico into the United States.  It’s about the internet.  It’s about the very core of the internet and how billions of randomly placed computers can somehow all communicate together.

When your typical every day web surfer types in the name of the website they want to go to (like InsanIT.net) what happens is that a Domain Name System (DNS) server looks up the name of the website that you want to go to, and returns back to you the actual IP address for that website.  Because the internet doesn’t connect to other computers by names.  It connects to other computers by specific IP address numbers.  But people don’t want to type in 127.000.000.001 to go to a website.  They want to type in InsanIT.net.  So a DNS server is just a big lookup table that automatically tells your computer that InsanIT.net is actually address 127.0.0.1.  (For those who aren’t aware of this, 127.0.0.1 is not actually InsanIT.net’s IP address.)

How does that relate to BGP?  I’m getting there.

The shortest distance between two points is a straight line.  But the fastest route between two points takes a complicated look-up procedure.  Because you don’t want the loading of the webpage data to have to go from here to Shanghai and back just to get to you, you want the fastest possible route between your network and the computer that holds the web page you want.  So what happens is that when your request for the address 127.0.0.1 (to continue the above example) comes to your Internet Service Provider (ISP) to hit the great wide internet, the ISP typically has a router that consults a BGP table for the fastest route from you to the webpage that you want.

Now that BGP table is like any train station or bus route table in that it shows the best way for you to get from Point A to Point B.  But how is that table made?  It’s “easy”.  The table is made from “advertisements” of Autonomous Systems (AS).  Say I’m a big internet pipeline layer.  I have a BGP router.  I tell my BGP router to advertise to ISPs that my great wide internet pipe can deliver to Address A through Address C at a blazing speed.  ISPs pick up my announcements (in a completely automated way) and build their tables.

Now, here’s the kicker.  Here is where Wired has an interesting if not scary point.  Who says that I’m telling the truth?  Who says that my BGP router really can deliver the fastest route?  Well?  No one does.  It’s just assumed that all BGP routers are honest.  That’s how the BGP is flawed.  By design it figures that every BGP router tells the truth.

Why is this so important?  What is the worst that could happen then if my BGP router is intentionally lying?  So it just takes a little longer for my web page to load?

No.

What Pakistan semi-accidentally proved is that such a simple trick can be used not just to slow down the flow of information on the internet, but to completely block a website from being accessed by potentially anyone.

That’s bad enough.

But at the recent DEFCON 16, “Tony” Kapela (data center and network director at 5Nines Data) and Alex Pilosov (CEO of Pilosoft) showed us that it’s much, much worse than that.

It turns out that you don’t have to break the internet when you do something like this.  You can actually engineer it to make the web page request go through, to keep the data truckin’ on.  But you still get to read all of that data as it passes on by.  You can snoop to your little heart’s content, with no one the wiser.  This isn’t just web pages we’re talking about.  It’s “secure” internet shopping and all of your credit card data.  It’s every last email.  It’s corporate espionage.  For any unencrypted data it’s a complete breakdown of all security.  The only potentially safe data is encrypted data.  And even that’s not 100% guaranteed as encryptions can be broken.

But, in fact, it can be even more malicious than that.  You can theoretically alter the data as it passes through.  You could, say, change what loads on a webpage.  Or what comes through in an email.  You could literally control what people see, and all without anyone’s knowing.

THAT is what has Wired (and so many security-conscious people) in an uproar.  The Border Gateway Protocol is inherently unsafe.  It takes a little more knowledge than usual to perform this kind of hack, and requires you to buy a BGP router and put yourself into the system, but it isn’t beyond the realm of possibility.  And once you’re in, you’re golden, because there are no errors.  Everything looks completely legit.  All because the BGP architecture is completely based on trust.
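The missing check described above (does anyone vouch for who may announce a prefix, and how specifically?) can be written down in a few lines.  This is an added example, not code from the post or the Wired article: it mimics the idea of a published route-origin authorization, and every prefix, AS number and authorization in it is constructed sample data, not a real route.

```python
# Added example, not from the Wired article or this post: the origin check that
# plain BGP never performs. Each received announcement is compared against a list
# of who is authorized to originate a prefix and how specific they may be.
# Every prefix, AS number and authorization below is constructed sample data.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Authorization:
    prefix: ipaddress.IPv4Network  # address block the holder may announce
    max_length: int                # most specific prefix length permitted
    origin_as: int                 # the only AS allowed to originate it

def validate(announced: str, origin_as: int, auths: list) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'unknown'.
    'unknown': nothing on file covers this space (how every route looks to a
    trusting BGP speaker). 'invalid': something covers it, but the origin AS is
    wrong or the prefix is more specific than the holder permitted.
    """
    net = ipaddress.ip_network(announced, strict=True)
    covering = [a for a in auths
                if a.prefix.version == net.version and net.subnet_of(a.prefix)]
    if not covering:
        return "unknown"
    if any(a.origin_as == origin_as and net.prefixlen <= a.max_length
           for a in covering):
        return "valid"
    return "invalid"

def audit(announcements, auths):
    """Map every (prefix, origin AS) pair to its classification."""
    return {(p, asn): validate(p, asn, auths) for p, asn in announcements}

# Constructed: AS 64500 holds 198.51.100.0/24 and may not split it further;
# AS 64501 holds 203.0.113.0/24 and may announce pieces down to /25.
AUTHS = [
    Authorization(ipaddress.ip_network("198.51.100.0/24"), 24, 64500),
    Authorization(ipaddress.ip_network("203.0.113.0/24"), 25, 64501),
]

# Constructed announcements as a router might receive them: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),    # the rightful holder
    ("198.51.100.0/25", 64500),    # the holder, but more specific than allowed
    ("198.51.100.0/24", 64499),    # a stranger claiming the whole block
    ("198.51.100.128/25", 64499),  # a stranger's more-specific: longest match wins
    ("203.0.113.0/25", 64501),     # fine: the holder permits down to /25
    ("192.0.2.0/24", 64502),       # nobody has registered this block at all
]
```

Run `audit(ANNOUNCEMENTS, AUTHS)` and the two stranger announcements come back “invalid” while the unregistered block is merely “unknown”, which is the distinction a plain BGP speaker cannot make.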

Stephen Kent (chief scientist for information security at BBN Technologies) has been working on solutions to fix this very issue for years.  He has even privately demonstrated a similar BGP interception for the Departments of Defense and Homeland Security.

So rest assured that this issue is not being ignored.  There are several possible solutions.  One day the BGP system will be based less on trust and more on security.

But until then, don’t ever assume that the internet is safe.  Your best approach is still the most simple approach: encrypt your important data.  Security doesn’t just happen.  You have to make it happen.

Bad Apple - iPhone Passwords Practically Useless!

You bought yourself an iPhone from Apple.  You decided to password protect your phone in case evil insurgents try to use it for nefarious means.  And you slept better at night, knowing You Did The Right Thing.

Until you read this.

Bad Apple - Easy Password Bypass On The iPhone!

As reported on the MacRumors Forums, breaking into a password-protected iPhone is as easy as 1-2-3.

1) Tap “Emergency Call” keypad from passcode entry screen.

2) Double-tap home button.

3) Tap blue arrow next to contact’s name.

“You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, ‘full’ Phone access, and Mail by accessing various entries on the Favorites page, i.e. tapping their home page brings up a full, unrestricted Safari,” says greenmymac.

Can anyone say “Oops!” over at Apple?  I sure know that we can say it here.

A workaround to prevent this horrendous security snafu is to disable the home button double-tap.  (Settings > General > Home Button > Checkmark Home)  In the meantime though, Apple sure better be working on fixing this security blunder, because never has a hack been so easy as this.  It makes Microsoft look secure!