[Moderator: hehe, this was a good reply, but this thread will die now.
I think we all know MS is behind on security despite what they say.
We know this is a viable security risk because most 'net users are
not clued in on security concerns. That said, enjoy this post :)]
Reply From: Synthe Omicron <synthe@ronin.net>
> From: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
> Microsoft Security Bulletin (MS98-010)
> Information on the BackOrifice Program
Actually, it's Back Orifice, not 'BackOrifice', dweebs. Just because
all you at Redmond feel the need to be StudlyCaps compliant with
BackOffice and the like doesn't mean we all do. We grew out of our
warez days...
> Last Revision: August 04, 1998
> Summary
> =======
> On July 21, a self-described hacker group known as the Cult of the Dead Cow
> released a tool called BackOrifice, and suggested that Windows users were
> at risk from unauthorized attacks. Microsoft takes security seriously, and
> has issued this bulletin to advise customers that Windows 95(r) and Windows
> 98(r) users following safe computing practices are not at risk and Windows
> NT(r) users are not threatened in any way by this tool.
I don't know, I've heard other people describe cDc as a hacker group
also. But maybe I'm looney.
Suggest eh? My _Webster's Unabridged Encyclopedic Dictionary of English
Language_ lists 'imply' as a synonym to 'suggest'. I contend that they
weren't suggesting anything, they were _telling_ you. Again, a minor
point, perhaps. We wouldn't want to actually admit to anything, not
after such a glorious track record.
BTW, users of any system are at risk of unauthorized attacks. When I
walk down the street, I'm at risk of being hit by a bus. Suggesting
one's at risk is like saying 'you might die'. Duh. Everything is a
risk, I don't care what OS it is. Windows especially.
'Microsoft takes security seriously'
------------------------------------
Methinks it's time for a review, eh? (in no particular order)
=============================================================
+ Schneier and Mudge break the *MS implementation* of PPTP.
+ Mudge and Weld Pond (along with help from others, including Hobbit)
break LANMAN hashes and the general password/key management
structure in *Windows NT and Windows 95*.
+ Peter Gutmann breaks Windows 3.1 and Windows 95 password file
encryption.
+ Peter Gutmann writes a trojan horse that will mail Windows passwords
to an arbitrary machine on the Internet without having to break the
encryption
+ Peter Gutmann extends an attack on some of Netscape's software to
break the security of the *MS implementation* of PCKS #12 in (among a
number of products), Microsoft Internet Explorer, Internet Information
Server, and Outlook Express.
+ L0pht releases an Advisory about *MSIE* in which a buffer overflow
could allow the execution of arbitrary code.
+ Peter Gutmann discovers a security hole in *Microsoft's CryptoAPI*
which allows the private keys to be obtained by anyone without
breaking the encryption.
[These are just the one's I remember off the top of my head. I've been
visiting L0pht's site a lot lately and I was recent at Peter's (one I
usually check) about cryptlib. Please, feel free to add more that I've
forgotten...]
> The Claims About BackOrifice
Better title: The Spin We Created About Back Orifice
> ============================
> According to its creators, BackOrifice is "a self-contained,
> self-installing utility which allows the user to control and monitor
> computers running the Windows operating system over a network". The
> authors claim that the program can be used to remotely control a Windows
> computer, read everything that the user types at the keyboard, capture
> images that are displayed on the monitor, upload and download files
> remotely, and redirect information to a remote internet site.
Creator. This may or not be true, but as I look at the press release
from cDc, Sir Dystic is the only mention as far as programmers go.
"* BO contains extensive multimedia control, allowing images to be captured
from the server machine's screen, or from any video input device attached
to the machine."
I don't see 'read everything the user types' there. This says 'images
to be captured from the server machine's screen [...]' Are you saying
this is the same thing?
'upload and download files remotely' Hrm. This is bad? I realize that
the FUD is supposed to say (in our heads) 'uploading and downloading
files remotely is bad' but that's not true. I don't know why this
characteristic is singled out. Sure, this may be a security concern,
and that's what you *seem* to be getting at, but then again, a hammer
is a hammer, wether I bludgeon somebody with it or use it to pound
nails is incidental.
> The Truth About BackOrifice
> ===========================
> BackOrifice does not expose or exploit any security issue with the Windows
> platform or the BackOffice(r) suite of products.
True, but only because there are is no security with which one might
have issues with, on the Windows platform or the BackOffice(r) suite
of products.
> BackOrifice does not compromise the security of a Windows network.
> Instead, it relies on the user to install it and, once installed, has only
> the rights and privileges that that the user has on the computer.
Again, true, but only because there is no security to compromise on a
Windows network.
Of course, if the user is the Administrator...
Why two instances of 'that', BTW
> For a BackOrifice attack to succeed, a chain of very specific events must
> happen:
> - The user must deliberately install, or be tricked into
> installing the program
> - The attacker must know the user's IP address
> - The attacker must be able to directly address the user's
> computer; e.g., there must not be a firewall between the
> attacker and the user.
What has a firewall got to do with it? There can be a firewall between
the server and client. All that matters here is if the firewall
restricts access between the two (arguably, it wouldn't be a firewall
if it didn't, but, since we're talking about MS here...).
> What Does This Mean for Customers Running Windows 95 and Windows 98?
> ====================================================================
> BackOrifice is unlikely to pose a threat to the vast majority of Windows
> 95 or Windows 98 users, especially those who follow safe internet computing
> practices. Windows 95 and Windows 98 offer a set of security features that
> will in general allow users to safely use their computers at home or on the
> Internet. Like any other program, BackOrifice must be installed before it
> can run. Clearly, users should prevent this installation by following good
> practices like not downloading unsigned executables, and by insulating
> themselves from direct connection to the Internet with Proxy Servers and/or
> firewalls wherever possible.
I've rewritten this part, your customers will find it much more helpful.
========================================================================
Back Orifice poses a threat to the vast majority of Windows 95 or
Windows 98 users because there are no discernable safe Internet
computing practices with regards to these platforms, with the possible
exception on running a competently configured firewall, using a
correctly and adeptly configured Unix variant, like OpenBSD, or using
the given machine as a standalone (and even then, it's a gamble). Like
any other program, Back Orifice must be installed before it can be
run. Clearly, users should prevent installation by following their
common sense and researching, or at least trying to determine the
integrity based on value judgements, the software they download.
Interestingly enough, a lot of the software available for download
from Microsoft's various sites is unsigned... not that it would
matter, for I am sure that while they may be using MD5, they have
probably mangled the correct implementation of it into something
totally insecure yet proprietary to make money.
> What Does This Mean For Customers Running Windows NT?
> =====================================================
> There is no threat to Windows NT Workstation or Windows NT Server
> customers; the program does not run on the Windows NT platform.
> BackOrifice's authors don't claim that their product poses any threat to
> Windows NT.
> What Customers Should do
> ========================
> Customers do not need to take any special precautions against this program.
> However customers should ensure that they follow all of the normal
> precautions regarding safe computing:
> - Customers should not install or run software from
> unknown sources -- this applies to both software available
> on the Internet and sent via e-mail. Reputable software
> vendors digitally sign their software to verify its authenticity
> and safety.
> - Corporate administrators can block software that is not digitally
> signed by a reputable or authorized software company at their proxy
> server and/or firewall.
> - Customers should keep their software up to date to ensure that
> hackers cannot take advantage of known issues.
> - Companies should use actively use auditing and monitor their
> network usage to deter and prevent insider attacks.
Too funny. I can't comment, I'm about to need a new spleen.
> More Information
> ================
> Please see the following references for more information related to this
> issue.
> - Microsoft Security Bulletin 98-010, Information on the
> BackOrifice Program (the Web posted version of this
> bulletin),
> http://www.microsoft.com/security/bulletins/ms98-010.htm
http://www.cultdeadcow.com/ might also be a worthwhile stop too.
> Revisions
> =========
> August 04, 1998: Bulletin Created
> For additional security-related information about Microsoft
> products, please visit http://www.microsoft.com/security
> ----------------------------------------------------------------------- --
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
> IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
> EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
> FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION
> OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
> INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
> DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
> OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
Hrm. The fine print at last. Typical.
> (c) 1998 Microsoft and/or its suppliers. All rights reserved.
> For Terms of Use see
> http://support.microsoft.com/support/misc/cpyright.asp.
> =====================================================
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
> The subject line and message body are not used in processing the request,
> and can be anything you like.
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/security/bulletin.htm. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
--
Synthe Omicron <synthe_at_ronin.net> [http://www.ronin.net/~synthe]
Hacker Advanced Research Projects Agency [http://harpa.ronin.net/]
RSA: 0xE5DD7B9D/57B6 06E1 EF62 228A 3676 3D64 0580 6201
DSS: 0x7B216BA8/A710 B524 DBCC 2B96 9E32 246C 1F98 F044 7B21 6BA8
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Thu Aug 6 09:35:46 1998