Q&A with the Security MVP Experts (June 21, 2007)

Chat Topic: Q&A with the Security MVP Experts
Date: Friday, June 21, 2007

Please note: Portions of this transcript have been edited for clarity

Melissa Travers MSFT (Moderator):
Hello everyone. I am the MVP Lead for the Windows Security MVPs in the US and would like to officially welcome you to today’s chat. For those of you who may not know, MVP stands for Most Valuable Professional. MVPs voluntarily share their time and expertise helping others in the technical community…such as participating in this chat today. To learn more about our program go to http://www.microsoft.com/mvp

Our topic today is limited to security related issues. As security maps to a concept and not a product, we have MVPs participating today with various areas of expertise. To ask one of our Experts a question be sure to check the Ask the Experts box after you type your question to submit. Hope you enjoy today’s chat. I am going to turn things over to our MVPs now and ask them to introduce themselves to you.

Introductions

Alun Jones MVP (Expert):
Hi, I'm Alun Jones, three-time Windows-Security MVP. I've been involved in security from a Developer and IT Pro perspective for the last several years, and I write the Tales from The Crypto blog at http://msmvps.com/blogs/alunj/

Gary Warner MVP (Expert):
I’m Gary Warner . . . a security volunteer in Birmingham, Alabama. I’ve been doing malware and network security for about 19 years, and very active with the FBI InfraGard program for the past six years. I currently serve as President of the Birmingham InfraGard chapter ( http://www.birmingham-infragard.org) and a member of the Birmingham FBI’s CyberCrime Task Force. With regards to phishing, I’m a member of the FBI’s (& Microsoft) Digital Phish Net, a co-chair of the Anti-Phishing Working Group’s “Working With Law Enforcement” Committee, but mostly working with the CastleCops PIRT Squad (Phishing Incident Reporting & Termination) ( http://www.castlecops.com/pirt), where we not only “report” phishing, but work on contacting all the right folks to shut the site down and report any details to law enforcement.

Roger Abell (Expert):
Hi. I am Roger Abell. I have a real life, working with Windows production systems in a large US university, which might clue you that I get to see some of pretty much everything, including some of the worst exposures to threats.

Kat Armstrong MVP (Expert):
Hello. My name is Kathie (Kat) Armstrong, and I am a second year MVP in the area of General Windows Security. I am an Administrator for GeeksToGo.com, and welcome some of my malware removal trainees tonight.

Jane Edwards [MVP] (Expert):
I'm Jane Edwards, a Microsoft MVP in Windows Security, specializing in removing malware.

Dana Epp MVP (Expert):
Hi I'm Dana Epp ( http://silverstr.ufies.org/blog) and my expertise is in the convergence of information security principles and practices with software engineering. My latest work has been on strong authentication and identity management, and I spent a lot of my community time having fun integrating Srv08 technology like Cardspace, Rights Management Server and NAP with small business solutions.

Nancy Altholz MVP (Expert):
Nancy Altholz MVP - Author, Rootkits for Dummies

Start of Chat

Gary Warner MVP (Expert):
Q:
Since the release of Windows Vista, how have you guys seen a change in exploits moving from XP to Vista? How do you plan on tackling these?
A: Windows Vista is quite a bit more secure "out of the box" by default. The reality is that there are so many millions of "vulnerable" boxes still running older versions of Windows, there has not been a NEED to attack Vista. (Though we can talk about some new Vista exploits that *DO* work on both shortly.)

Dana Epp MVP (Expert):
Q:
How does the antivirus/antispyware agent used by Forefront Client Security compare to other vendors, such as Symantec and McAfee?
A: One of the benefits of FCS in comparison to many other vendors is that there is an inclusion of multiple AV engines. So you benefit from more than a single signature base.

Kat Armstrong MVP (Expert):
Q:
Since the release of Windows Vista, how have you guys seen a change in exploits moving from XP to Vista? How do you plan on tackling these?
A: To answer the last part of your question, many Security Experts were involved in Beta testing Vista. At that time, the creators of the tools that fight malware began testing and re-coding their removal tools. This is a constant process, and they will continue to update if/when new exploits are found.

Alun Jones MVP (Expert):
Q:
Since Firewalls can't see inside encrypted SSL tunnels for outbound access to the Internet, would it be a good idea to block SSL connections outbound for all sites except for a few highly trusted Web sites?
A: Definitely a good idea, Tom - there's a reason port 443 is known as the "secure firewall tunneling protocol". Encryption is a two-edged sword - you can encrypt bad traffic as well as good.

Roger Abell (Expert):
Q:
Will Microsoft bring back Microsoft AntiSpyware (Beta 1) many people liked it, and like it better than Windows Defender?
A: I obviously cannot answer for MS but my understanding is, your answer is no. The product has evolved and moved on. The version you mention was a quick rebranding of the product as initially purchased before MS had added in much of its time/expertise.

Gary Warner MVP (Expert):
Q:
People are making a big deal out of the new Vista Firewall because it blocks outbound connections too. Is there a real security advantage to doing this on the client side? Aren't we mostly concerned from inbound attacks?
A: In security we refer to "Ingress" filtering and "Egress" filtering. The point of "outbound" or "Egress" filtering is that when the Bad Guys place malware on your computer, its probably going to need to make an "Outbound" connection to accomplish most anything. Some examples would be: Keylogging that sends your data out via a custom program, spamming programs that include their own mail engine, or various port-scanners and attack tools that use your infected computer as their attack base. Many "totally owned" computers would still be safe if the hacker’s connection back to himself were only blocked by a well-behaved Egress Filtering Firewall.

Kat Armstrong MVP (Expert):
Q:
Does anyone know if Microsoft are going to hurry up with releasing Windows XP SP3? It does take ages to get 70+ updates from ms after a reinstall with SP2?
A: According to http://www.microsoft.com/windows/lifecycle/servicepacks.mspx they are hoping to release this Service Pack in early 2008.

Deb Shinder [MVP] (Expert):
Q:
I've never had spyware on my computer, and the only "virus" I ever had was Blaster. I hear that so many people have problems with spyware and viruses but I can't seem to get them. Am I doing something wrong?
A: More likely, you're doing something right. If you only go to a few carefully selected web sites, never get any email, etc., you're less likely to get malware. In other words, if you aren't very popular, you're probably safer, just like in real life. :) But just because it hasn't happened yet doesn't mean it won't. You should still use antivirus protection and anti-spyware software.

Dana Epp MVP (Expert):
Q:
When is a release date set for Windows Live Onecare v2.0?
A: I don't believe there is public guidance on this release as of yet. Stay tuned.

Alun Jones MVP (Expert):
Q:
The thing I don’t understand about rootkits is why the kernel doesn’t put up serious defenses. Memory hashing, virtual protects etc. Maybe even PKE on the hash
A: There are some more serious defenses already being put up in Windows Vista. The 64-bit version includes PatchGuard technology, preventing patching of the kernel, and requiring drivers to be signed. With BitLocker enabled on a Vista system with a TPM (Trusted Platform Module) chip, the operating system's boot code is compared to previous 'known good' versions before a boot is allowed.

Dana Epp MVP (Expert):
Q:
How do you see Forefront working with MOSS2007? We are hoping to use this because to the best of my knowledge Symantec is not ready.
A: Can you clarify your question? Are you asking if Forefront supports it? Or how it might work in comparison to a Symantec solution?

Alun Jones MVP (Expert):
Q:
The thing I don’t understand about rootkits is why the kernel doesn’t put up serious defenses. Memory hashing, virtual protects etc. Maybe even PKE on the hash
A: ... ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) also add to this protection, but some of the more aggressive defenses you're discussing would cause performance degradation that many users would find intolerable. Maybe when processors get faster :)

Gary Warner MVP (Expert):
Q:
Re: outbound filtering. Wouldn’t having malware on the computer imply that the firewall could be blown off the face of the process list, putting up no defense anyway?
A: Not really. The malware attacks these days are normally "phased attacks". A tiny nearly powerless piece of malware, often called a "dropper" or a "downloader", is the initial infection. These infections are quite reliable, because usually they are launched by the user downloading a piece of JavaScript, or by actually clicking on an executable in their email. Often it is the "second phase" of the malware that has the assignment to terminate all of the anti-virus and firewall protection of the computer. If the dropper is prevented from making its Outbound connection, Phase Two never happens.

Nancy Altholz MVP (Expert):
Q:
With PatchGuard in Vista 64 bit, how do AV companies protect your computer?
A: Patchguard requires driver signing and all AV drivers will be signed. The AV companies also are using a subset of APIs which do not require patching of the kernel.

Dana Epp MVP (Expert):
Q:
Microsoft indicates that 64bit is the way we all need to go, then why is it expensive for developers to develop for the 64bit platform. I hear from several sources that the installer is expensive as well as the signing code. Can this be easier?
A: From Microsoft's side, their tools already support development of 64bit out of the box. However, it is up to the 3rd party ISVs (such as the installer companies) to provide that piece. Here is where supply and demand comes into play. 64bit may be the way of the future, but it isn't yet mass deployed. Costs will come down as more people are running it and software vendors can update their products to suit. As a developer, nothing prevents you from targeting and deploying 64bit now with Visual Studio tools.

Alun Jones MVP (Expert):
Q:
What are the best practices for securing wireless broadband cards while on the domain in both XP and eventually Vista? These seem to leave a big hole in the corporate network...
A: This sounds like a sequel to the Steve Riley talk on The Death of The DMZ. With mobile devices (laptops, PDAs, SmartPhones, etc) and networks that penetrate into your secured facility, there are so many ways into your network that you can no longer realistically talk about "the perimeter". Everywhere is _a_ perimeter now, which is why it's more important to investigate tools such as host-based firewalls and Network Access Protection (NAP) to perform policy compliance checking before allowing roaming devices back onto your network.

Kat Armstrong MVP (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: My mother is a first time computer user at age 54. I have had to 'secretly' install security programs on her computer. She doesn't believe that there really are such things as viruses and spyware.

Deb Shinder [MVP] (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: I would uninstall all peer to peer file sharing software on my child's PC. Unfortunately, my "child" is 23 now and doesn't live at home...

Dana Epp MVP (Expert):
Q:
One of the common goals of malware is to simply disable the firewall so it wouldn't matter whether it blocked outbound traffic or not - is the process of turning Windows Firewall off any harder in Vista for malware?
A: Yes it is harder, depending on how it is deployed. When used in combination with group policy and the upcoming NAP piece in Windows Server 2008, malware has a harder time turning such things off. With NAP, when it's turned off it can be configured to be FORCED back on, but the fact remains.... if you can execute code in an administrative context the game is over. As an example, if a user gives permission to run hostile code, it could easily kill the Security Center, and all notifications without your control. The weakest link in security is the human factor, and the OS cannot defend against poor judgment in what you CHOOSE to run.

Roger Abell (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: For a "typical" parent setting them up with One Care can save much time in keeping their systems aligned to baseline preventions.

Alun Jones MVP (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: I would reduce the number of users on it :) My kid's 11 years old now, so I'm concerned with his use of social networking sites growing; so the computer is in a shared physical space at all times. As for my parents, I'd like them to stop acting on email that's out of character for the alleged sender.

Gary Warner MVP (Expert):
Number One Suggestion for Child's computer: DO NOT ALLOW A CHILD TO USE A COMPUTER YOU USE FOR FINANCES!!! I have two teenagers and pretty much assume that the computer they use is "unsafe".

Dana Epp MVP (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: Personally, I would ensure they run as Standard User. In XP or Vista. By using least privilege you can significantly reduce not only the attack surface of the OS, but the limited scope and damage hostile code can cause if it is indeed run.

Jane Edwards [MVP] (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: Give them all limited accounts!

Nancy Altholz MVP (Expert):
Q:
If you had one thing to change on your Parent or child's PC...what one thing would each of the experts recommend to do?
A: I would recommend having the child use the PC in a room where they are supervised by an adult. I do not advocate any use of monitoring software but I would regularly inspect the child's computer for untoward activity and the presence of P2P networking programs that invite infection. I would run scans frequently and install a blocking hostfile such as the MVPS host file and a program like SpywareBlaster to passively prevent threat installation.

Dana Epp MVP (Expert):
Q:
In the latest Steve Riley security management column he argues that we spend too much time securing the network and not the data itself with rights management/encryption etc. Thoughts? http://www.microsoft.com/technet/community/columns/secmgmt/ (link)
A: He's right. At the end of the day we shouldn't care so much about the computer or the software. It's the data – the information. We need to protect that information by first understanding WHAT it is, and how it is important to us. This is why an "asset catalog" is CRITICAL to any home or business. By first knowing WHAT is important, and what value we place on it, we can then decide how best to safeguard it.

Roger Abell (Expert):
Q:
Why should I use IPSec AH only and not with ESP? Isn't it the encryption that counts?
A: It really depends on what your objective is. AH will allow you to know the involved endpoints, which itself can be highly important. If what flows between the endpoints is of value/sensitivity then packet content encryption is called for also.

Gary Warner MVP (Expert):
Q:
I understand how malware typically operates in stages, with the smaller dropper being deliberately small for fastest propagation, but the box must be owned for the dropper to call home. Killing the firewall, antivirus etc would be of little effort, no?
A: The key is to have some form of "checking" so that when the firewall or AV is killed, the machine user REALIZES IT. This can be done fairly easily with Group Policies, or even by just observing whether the tools are properly updating. If your AV stops giving updates, the primary reason is that you are already owned...

Alun Jones MVP (Expert):
Q:
Wouldn't it be a good idea to add IDS/IPS to the Windows Firewall?
A: Maybe yes, maybe no. Anything you add to the firewall increases its complexity, making it more likely to have its own exploitable faults. Fortunately, Microsoft made the Vista firewall with a relatively simple extensibility API (for those of you who view driver writing as "relatively simple"), so if you think it's worth the complexity risk to get an IDS / IPS benefit, you should be able to find a third-party developer with a solution geared just to you.

Dana Epp MVP (Expert):
Q:
@Dana....since we all know malware will persist no matter what do you not think it would be beneficial to make the windows firewall more secure to disable e.g. password protect it....like many AVs do for their settings
A: Interesting question. From a threat perspective how complex do we wish to make the safeguards? We can password protect the config, but what prevents a rogue administrator (or the admin owner of the machine) from turning that off? UAC as an example raises the bar, but doesn't prevent you from making such a change. If it is critical that the firewall be protected and you don't like the way Microsoft deploys their firewall service, you are FREE to install something else. A combination of group policy and Forefront Client Security can go a LONG way to reduce the risks exposed by such attack vectors, and give us greater assurance levels that we can keep such protections on.

Deb Shinder [MVP] (Expert):
Q:
With Linux's rising popularity amongst home users, would you expect malware developers to develop malware for Linux?
A: They are already doing it. In fact, in a report from Kaspersky Labs way back in 2006, the number of Linux-based viruses, Trojans and other exploits had doubled over the last year. The more popular any software becomes, the bigger a target it becomes for malware writers. Just as Firefox is experiencing increased incidence of exploits, so will Linux continue to do so as/if it continues to gain in popularity.

Kat Armstrong MVP (Expert):
Q:
Do you think with all the new popularity and all the buzz about the exploits will Apple be targeted even more now by hackers?
A: Unfortunately, I'm sure they will. 'Hackers' aren't only interested in Microsoft. Much of the time, they create their malware just to prove they can. Yes, many do it to gain access to your information...but you would be surprised how many of the "script kiddies" just want the thrill.

Alun Jones MVP (Expert):
Q:
@Dana....since we all know malware will persist no matter what do you not think it would be beneficial to make the windows firewall more secure to disable e.g. password protect it....like many AVs do for their settings
A: The obvious counter to any firewall asking for user interaction is that the malware will travel along with something the user wants to do anyway, so that the user will happily open up the door.

Deb Shinder [MVP] (Expert):
Q:
Why is UAC so hated? As I don't see it much at all.
A: I think the reason so many people hate it is that their first exposure to it is when they get a new Vista computer or install Vista in a clean installation for the first time, and they are then installing lots of programs one after another so they keep encountering the UAC dialog over and over and over and think it's going to be that way all the time as they're using the computer. In actuality, you don't see it that much when you're not installing programs.

Alun Jones MVP (Expert):
Q:
There are plenty of ways of elevating privileges, why isn’t there a 1 call API dedicated to lowering rights? For example say I'm concerned my software might be exploited, in winmain why can’t I just call say... SetProcessPrivileges(SOD_ALL);
A: You generally would have to remove privileges from the token and then create a less-privileged process with that token - Michael Howard's "Writing Secure Code for Windows Vista" has some excellent advice on how to achieve this.

Gary Warner MVP (Expert):
Q:
Where can I go to get end to end guidance for MS security? Data Protection (and I don't just mean backing up), Host Security, Network Security and Physical Security?
A: I hear there are some bright MVPs that hang out in the Microsoft News Groups . . . .

Kat Armstrong MVP (Expert):
Q:
Why is UAC so hated? As I don't see it much at all.
A: I have to agree with Deb. I think that for most people, it's a simple matter of annoyance. In reality, the UAC will help prevent things like Rogue anti-spyware applications from installing themselves on a computer. However on the flip side, the UAC will come up for every legitimate install from the user, as well. In today's world, people want things to be done "NOW!!", and having to click through makes them feel as though their time is being wasted.

Dana Epp MVP (Expert):
Q:
What do you guys think of the recent hacking of the new Harry Potter book, and how could it have been prevented?
A: A breach in security is a breach. No matter if it’s the ending of a Harry Potter book, the recipe to Coca Cola or the credit card database at a major online retailer. It’s never very good. It’s hard to answer "how" it can be prevented, as we don't yet know how the system was compromised. We do know this... this isn't a technology problem. This is a business one. Corporate security policies should dictate how information should be accessed and by whom, and then we can find ways to reduce risks to acceptable levels with technical safeguards. Without knowing the root cause, examples of safeguards that might have helped here include strong access control with ACLs and Rights Management Server. But it’s too difficult to just say "doing X would have solved Y" without knowing the business workflow behind the scenes.

Dana Epp MVP (Expert):
Q:
Do you think a comprehensive, Microsoft-built Security System, integrated into Windows, is a good idea?
A: Integrated? No. On top of the core OS. Absolutely.

Roger Abell (Expert):
Q:
Do you think a comprehensive, Microsoft-built Security System, integrated into Windows, is a good idea?
A: Look, anything helps, right? I believe in layers, that no one (or few) layer will be complete and remain complete. On the other hand I also strongly believe there is value in the independent view. While the OS provider might be able to better safeguard their product, they might also be blinded to aspects that they have managed to never notice. Windows is slowly pulling itself out of a failing that there is no separate place where config/control is stated, that can be compared to the run-state config/control defs. If you follow me, there is a bit of a fox guarding the chicken coop scenario when everything is loaded in one.

Nancy Altholz MVP (Expert):
Q:
There is a 'run process as administrator' option in an exe's properties. Why isn’t there a 'run as limited user'?
A: Though XP doesn't offer that function per se, you can run as a limited user by using Process Explorer which is a MS product.

Dana Epp MVP (Expert):
Q:
There is a 'run process as administrator' option in an exe's properties. Why isn’t there a 'run as limited user'?
A: It's much harder to create a restricted token based on another user's context than the other way around. However, Aaron Margosis (MS Employee) has an interesting take on it. You can check out the post at: http://blogs.msdn.com/aaron_margosis/archive/2004/09/10/227727.aspx

Gary Warner MVP (Expert):
Q:
There is a 'run process as administrator' option in an exe's properties. Why isn’t there a 'run as limited user'?
A: Run as "limited user" is actually the default behavior ... the concept is "Least Privilege". Only give additional privileges to the process as desired. It is highly recommended that we do *NOT* run as the Administrator user account, but if you are, you can run any process as another userid with "Run As . . . " in "User Account Control"

Kat Armstrong MVP (Expert):
Q:
Can someone please explain to me about a Master boot virus. A buddy of mine had one, and had to do a complete reformat.
A: The Master boot record is a small program that runs when the computer starts, and begins the boot process. A Master boot virus is a common type of virus that will replace the Master Boot record with its own code. Since the Master boot record executes every time the computer is started, the master boot virus is dangerous.

Dana Epp MVP (Expert):
Q:
How does Kerberos Constrained Delegation work? Sounds like magic to me.
A: Excellent question. A good introduction can be found on TechNet at: http://technet2.microsoft.com/windowsserver/en/library/c312ba01-318f-46ca-990e-a597f3c294eb1033.mspx?mfr=true

Gary Warner MVP (Expert):
Q:
Any word on whether there will be a Microsoft certified architect (MCA) program built around security? Alternatively, a wider question might be, what Microsoft training offerings are best for honing one's security skills?
A: Some Microsoft Security learning resources are available here: http://www.microsoft.com/learning/centers/security.mspx

Kat Armstrong MVP (Expert):
Q:
Is the new OneCare Beta open to everyone/anyone that takes the survey?
A: Not necessarily. The selection process will be based largely around the type of platform you run on your computer. Also, please be aware that you can submit multiple applications, once for each of the computers you personally work with at your home or workplace. *Make sure you have permission to do any type of beta testing from your boss BEFORE you agree to do so.

Melissa Travers MSFT (Moderator):
We are going to wrap things up now. We had some great questions today! Thank you all for joining us today and a special thank you to our MVPs for sharing their expertise with us. The transcript from this chat will be posted in a couple of weeks to the TechNet community site.

For info on upcoming TechNet chats go to http://www.microsoft.com/technet/community/chats/default.mspx

Have a great evening everyone!