MSFT Security and UAC: Huge Client US State Dept Hacked

Chad Harris

What you won't find at MSFT Press Pass or in a Waggener Edstrom Press Release
for MSFT:

*(The New York Times is a Small Newspaper from a Small Rural Town Outside
Seattle called New York City)*

How UAC and MSFT Security Works on the Ground:
http://www.nytimes.com/2006/07/12/w...357efafd741931&ex=1154577600&pagewanted=print

From the Company who brought you 30 Security Blogs on MSDN and Technet and
who brings you UAC.

UAC Team Blog--Read posts from the archives--they are screenshot in detail;
Scroll Down; Click on the Archives and previous recent dates.
http://blogs.msdn.com/uac/

I have seen no blogging on MSFT's huge client the US Government's State
Department being hacked on any of the many security blogs I check out on MSDN and
Technet's sites.



July 12, 2006
Computer Hackers Attack State Dept.
By THE ASSOCIATED PRESS
WASHINGTON, July 11 — The State Department is recovering from large-scale
computer break-ins worldwide over the past several weeks that appeared to be
directed at its headquarters and at offices dealing with Asia.

Investigators believe hackers stole sensitive information and passwords, and
implanted “back doors” in unclassified computers to allow them to return,
said officials familiar with the hacking. They spoke on condition of
anonymity because of the delicacy of the intrusions and the resulting
investigation.

The break-ins and the department’s response severely limited Internet access
at many locations, including some headquarters offices in Washington, the
officials said. Nearly all Internet connections have been restored since the
break-ins were recognized in mid-June.

Asked what information was stolen, a department spokesman, Kurtis Cooper,
said, “Because the investigation is continuing, I don’t think we even know.”

Employees said the hackers appeared to hit computers especially hard at the
Bureau of East Asian and Pacific Affairs.

Kerry Brown

It's interesting but hardly on topic for a Vista newsgroup. It is more
suited to microsoft.public.security.

Dongle

What's the connection between that article and UAC in Windows Vista Home
Edition? Surely the State Department isn't built around computers using
Windows Vista Home Edition. In fact, the article doesn't mention any
platform.

Chad Harris

Ordinarily I'd agree, but I also have been reading about 20 MSFT Security
blogs per week on MSDN and Technet blog sites, Kerry, and they are nearly
totally focused on security in VaVaVista from Vistasoft and they are
blogging on, you guessed it, UAC.

And given that MSFT opened a 58 million dollar facility right after 911 in
the D.C. area to take advantage of the post 911 so-called need for security
(yet 5 years later there is no significant congressional oversight for
security, border control, or substantive measures that would make the US a
bit more secure, and clients like the top agencies in the government have
MSFT personnel there nearly all the literal time), I hold MSFT in part
responsible for any huge security breach.

I see enough security presentations at TS2, MSDN, and Technet to know that
it's being showcased by the Softies.

Combined with the reality of major government agencies that are huge if not
the largest MSFT clients being hacked continually, and MSFT's blogging out
of one month that they are going to be totally transparent with you and
meeting secretly behind closed doors with the U.S. DOJ about turning over
customer information and searches after withholding that they turned over
partial info for 9 months last year, I thought it was relevant, but no one is
forced to read a newsgroup. Most of my friends or even well dressed
successful appearing people on the street have no idea what I'm talking
about when I say "newsgroup", "registry", "UAC", RC1, volume shadow service,
and on and on.

I have also read the literature in the mailings MSFT makes to governments
and the claims for enhanced security. Not enhanced enough.

CH

Kerry Brown

Again, I agree it's interesting stuff but it would be more appropriate in a
newsgroup about security. There are some good discussions about this
kind of stuff in microsoft.public.security.

Chad Harris

Actually, whatever any government agency uses is built around much of what
is in Vista in a home. And from what I'm seeing this year, a lot of homes I
know do a better job of security than a panoply of agencies that have been
ridiculously breached by bozo head moves on the part of their personnel and
policies not stringently in place from their big vendor MSFT.

I don't know that Vista Home Basic or Premium edition will be the edition
of choice in homes any more than most people in homes use Windows XP Home,
particularly since many companies I know who do extensive business with MSFT
and advise in deploying MSFT have full time telecommuting, Accenture being
one.

I also think it's relevant to be concerned about the contrast between MSFT's
marketing and blogging promotion of BitLocker and enhanced security in UAC
and their cooperation with the government in turning over your personal
information and searches. I think it's relevant to be concerned about WGA,
which is quintessential spyware, from a company who is showcasing and
marketing an app called Windows Defender which ships in Vista, and is also
necessary to make the cutesy little Windows OneCare Live icon "green" should
you use that software--and I strongly recommend WOC.

I think you will see advertising that stresses features in any Vista that
are the same in any agency or business. I would suspect that government
agencies have many many types of servers with substantial "security."

I also remember the Mark Minasi talk on how one day one of the highest
officials at an Ohio Nuclear facility took his laptop home one weekend to
play games with his grandson, and took it out of a security perimeter with
no protection--and was hacked promptly within a half hour after he breached
security. Fortunately, the nuclear reactors were off line while this was
discovered and corrected.

I also can count more breaches of massive data including the most important
items of personal ID by numerous US agencies with regards to the Armed
Forces in the last 6 months than I have fingers on two hands.

I could easily list them but some of them involve over a million individuals
with raw data placed on media--CDs or DVDs, since I don't see the government
as an early adopter of more advanced media (holograms, perpendicular
technology, etc.)

The article doesn't mention any platform because the newspaper has been
threatened daily by the US Government who is outraged it reports their
illegal wiretapping behavior that outrages many of us. Most articles in
this vein are ridiculously vague.

I can show you documents from MSFT though, that boast clients that are among
the largest US government agencies as well as enterprises that are
intimately involved in government security.

Psst--almost all of them are using predominantly Windows boxes and servers,
although Linux may be soon making inroads.

I'm willing to bet ole CALEA is implemented on Windoz boxes and soon by
Vista boxes. The softies have a slide that says 400 million Windoz (OEM
preinstalled) boxes in 24 months. The "Vista opportunity."

http://www.calea.org/

http://www.askcalea.net/

CALEA is the friendly agency that wants to tap your phone and your computer.
And they want MSFT and other companies to help them.

http://www.nytimes.com/2006/06/10/t...adc6aafd625349&ei=5088&partner=rssnyt&emc=rss

June 10, 2006
Ruling Backs Internet-Phone Wiretapping
By BLOOMBERG NEWS
WASHINGTON, June 9 (Bloomberg News) — Comcast, Vonage and other companies
that provide telecommunications services over the Internet must allow
wiretapping of phone calls by law enforcement officials, a federal appeals
court ruled Friday.

In a 2-to-1 decision, the Court of Appeals for the District of Columbia
Circuit upheld a Federal Communications Commission directive treating such
companies the same as conventional phone companies for law enforcement
purposes. Comcast and other cable companies offer Internet service over
their networks, and Vonage is the biggest provider of Web-based phone
service.

Under the Communications Assistance for Law Enforcement Act, known as Calea,
phone companies must ensure that their networks are accessible to
authorities for wiretapping.

The American Council on Education, an association of 1,800 universities and
degree-granting institutions, challenged the commission's decision,
contending that providers of Web information services should be excluded
from the act. But the court ruled that the F.C.C. was correct in extending
the act to the Internet.

CH

Dongle

Interesting. So why doesn't Microsoft just follow Open Source's lead and do
security like Linux does? Do you think it's because MS can't find any
competent people for that sort of thing?

Dongle

Too bad we can't have a betting pool as to the number of days between
product release and the first security breach. You know every blackhat and
script kiddie out there has had this beta since day 1 and is fighting to get
the first zero-day exploit.

Mark D. VandenBerg

Who says we can't?

Dongle said:
Too bad we can't have a betting pool as to the number of days between
product release and the first security breach. You know every blackhat and
script kiddie out there has had this beta since day 1 and is fighting to
get the first zero-day exploit.

Guest

And this is why you shouldn't turn off UAC... (yes, I know this article has
absolutely nothing to do with Vista or UAC)

However, I would find it really funny if they told us that it was Linux that
was installed on the computers that were hacked.

display name

Hah! Someone needs to put it on a Web site so it doesn't get lost in all
these posts.

Chad, the subject line of your post (and the post in general) is a little
perplexing. Wouldn't those hackers need to get through a whole lot of security
that has nothing to do with Microsoft or UAC in order to achieve that
breach? A DMZ, hardware firewalls, intrusion detection and such? You're
saying all these agencies just hang their servers right on the Internet and
rely wholly on some former version of Microsoft UAC for security? Hard to
swallow that one.

How do you know they didn't intrude through Unix or Linux? It wouldn't be
the first time. Why do people who love Linux and hate Microsoft so much hang
out in newsgroups like this? To enlighten us poor clueless dopes?

Chad Harris

I think that most of us almost to a person would find if you spent time at
MSFT that they have one of the most abundant supplies of competent bright
imaginative people in a company of that size on the planet. They are full
of over the top talent. It's reflected in their blogs.

But I also believe that they are consummately arrogant as a rule, and regard
most of their customers as the penultimate quintessential dumbass.

This is reflected in the way they handle information, transparency, and
treat people in regards to feedback.

CH

Colin Barnhorst

Chad, thanks for keeping us up to date on this stuff. There is nothing sexy
about security and your effort is appreciated.

Chad Harris

I find security often difficult and not sexy either, but important. I
don't mind admitting that I have had to read Ed Bott's excellent chapters
and one in particular in his XP Inside Out on the security tab, and I can
use these permissions to the extent to control folders, and have had to read
and reread some of the KBs (some of them are easy enough like the special
permissions KB) but **parent, child, objects is very tough terminology for
me** and I can read a lot of highly science as a reflex--but this stuff
takes some shifting gears--for me.

I can understand how the security teams/enthusiasts/evangelists get into
this deeply--I think for them it's like building a very dynamic fortress,
but it's hard reading sometimes and not the most interesting part of the OS
for me.

Good Security Blog from MSFT Steve Riley's
http://blogs.technet.com/steriley/

I've spent a lot of time playing with the security tabs and running around
in circles some of the time and in Vista trying to run UAC without
modifying it, or running with much reduced privileges, and I feel the
same way at times I felt when we used to go into the Hall of Mirrors at some
carnival. I was trying to drag some of the music from my XP boot to my
Vista boot when it wouldn't import to the Vista library (maybe now that I
have WMP11 on XP it will be easier) and it was comical the way I had to go
to security tab layer after layer after security tab to get one lousy cut
onto Vista. I have not been able to overcome reading XP "My Documents" from
Vista no matter what I do, and I have seen some very elegant probably
correct explanations as to why I never will be able to do this.

I look forward to Bott's Vista book--the longer Vista takes to RTM, the more
time Ed has to make it better.

Ed Bott's Blog (Fun and Informative on the Road to Vista RTM).

http://www.edbott.com/weblog/

The links to articles on wiretapping, etc. etc. are to an extent off topic,
and some people may feel some political agenda, but I see them as necessary
to understand today because I do believe they impact privacy and security
and I see privacy and security on a computer as overlapping with no bright
yellow line between them.

What bothers me the most is the more I understand how the governmental
intrusions are playing out, the more egregious they are, and the less there
seems to be anything you can do about them. This government is about
intimidation, and totalitarian dictatorship more than ever before and you
better believe it trumps any security MSFT is going to try to sell.

C-Span is full of some of the best and brightest lawyers in the US giving
seminars on privacy and computer security and its nexus.

Lawrence Lessig--then at Harvard--and now a law professor at Stanford
http://cyber.law.harvard.edu/lessigbio.html

has done a lot of work in this area. Lessig was instrumental in getting the
Supreme Court's computer system modernized when he clerked for Scalia. He
was also appointed Special Master in the MSFT Anti-trust case, which angered
MSFT and caused them to demand his withdrawal, which did not happen until
they won in the DC Circuit appeal and he was removed from the case. MSFT
later prevailed in that case in the appeal to the DC Circuit and its
sweetheart deal from the Bush administration's version of 'DOJ.'

CH

Chad Harris

A lot of them will come as in XP via IE. I think UAC is very much aimed at
people trying to use Trojans and blended threats to gain access to areas in
your system, and walling them off much like a bank or some place that stores
critical intelligence.

CH

Chad Harris

I think it's possible to find out more detail about what platforms they were
using, and Linux is probably being used to an extent along with MSFT servers
because, as is often the case, a lot of the Sys Admins are Linux enthusiasts
and Windows enthusiasts.

CH

Chad Harris

No --I didn't mean to leave that impression, and I have no idea that they
have Vista deployed and probably they have some machines but not the
majority. I have no idea how TAP works with the government and this
administration is so secretive and runs with a completely do nothing about
oversight Congress that the only time you get any real information out of
them is when the American Idol finalists visit the West Wing or Bush
supervises T Ball while the Middle East is blowing up. And people whose
time is divided between the nationally important saga of Mel Gibson's DUI
and playing Where's Waldo with Castro's GI bleed.

I meant that when a government agency installs their systems, MSFT has a
huge presence, and a major hack to that extent shouldn't have taken place, and
MSFT has to bear some responsibility because their server systems tout
security in a major way.

CH

Kerry Brown

I feel the same way at times I felt when we used to go into the Hall
of Mirrors at some carnival. I was trying to drag some of the music
from my XP boot to my Vista boot when it wouldn't import to the Vista
library (maybe now that I have WMP11 on XP it will be easier) and it

I found the best way to work with the music library is to tell it to monitor
the folder on my XP machine where the music resides. When I tried to import
the music I had problems. I store all my music in one folder on my XP
machine. All my other machines are set to monitor that folder. It works now
for all of them with a mix of WMP10 and 11 on various machines. I have had
problems importing a large library on all versions of WMP.

Colin Barnhorst

You have to be an OS enthusiast to even want to be a Systems Administrator.