May 2008 - Posts

This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld, on Security by Obscurity. It is another one of those point-counterpoint pieces like we did in the Vista Security book where Roger argues one side of the issue, and I explain why he is wrong; or, rather, argue the other.

Last night WSUS deployed XP Service Pack 3 to the sole remaining computer running XP that I have. This morning, I came down and was greeted with incessant reboots. The computer booted, apologized for not being able to boot properly, asked if I wanted to boot into safe mode, defaulted to normal boot, rebooted, and so on and so on.

It would boot into safe mode fine, so I did that. Not knowing what it was, I ran a disk check, which turned out to be a real mistake. Once I configured the computer to run a disk check at startup it would not even boot into safe mode.

Fortunately, I know Bill Castner, another Microsoft MVP, and he pointed me to a solution. It turns out that this computer is running an OEM OS image from HP. HP, apparently along with other OEMs, deploys the same image to Intel-based and AMD-based computers alike. That means they all have the intelppm.sys driver installed and running. That driver provides power management on Intel-based computers; on an AMD-based computer, amdk8.sys provides the same functionality.

Ordinarily, having intelppm.sys running appears to cause no problems. However, on the first reboot after a service pack installation, it causes a big problem. The computer either fails to boot, as in my case, or crashes with a STOP error code of 0x0000007e. It will still boot into safe mode because non-essential drivers are not loaded there.

To fix the problem, boot into safe mode, or boot to a WinPE disk, or into the recovery console, and disable the intelppm.sys driver. You do not need it on an AMD-based computer anyway. To disable it, take the following steps:

If you booted into the recovery console, from a command prompt, run "disable intelppm"

If you booted into safe mode you can run "sc config intelppm start= disabled"

If you booted into WinPE, you have to manually edit the registry. Do this:

  1. Run regedit
  2. Click on HKEY_LOCAL_MACHINE
  3. From the File menu, select "Load hive"
  4. Navigate to %systemdrive%\Windows\System32\Config on the dead system and select the file named System
  5. Name it something you can remember, such as "horked"
  6. Navigate to horked\ControlSet001\Services\IntelPPM
  7. Double click the Start value and set it to 4
  8. If you did what I did and completely destroyed things by running a disk check, navigate to horked\ControlSet001\Control\Session Manager. Open the BootExecute value and clear out the autochk entries
  9. Repeat steps 6-8 for the other control sets.
  10. Reboot

The computer should now reboot just fine.
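As an added example (not part of the original post), here is the WinPE branch of the procedure above scripted in PowerShell: it loads the offline SYSTEM hive as "horked", and for every ControlSetNNN sets the IntelPPM Start value to 4 and removes the scheduled autochk entry from BootExecute. It assumes the dead installation is mounted as D: and that the WinPE image has PowerShell (the 2008-era WinPE the post refers to did not); it also goes one step beyond the post by keeping XP's stock "autocheck autochk *" entry so normal dirty-volume checks still run.

```powershell
# Added example, not the post's own code: offline repair of an XP SYSTEM hive from WinPE.
$OfflineSystemHive = 'D:\Windows\System32\Config\SYSTEM'   # assumption: dead OS mounted as D:
$MountName         = 'horked'                                # temporary hive name, as in the post
$DefaultBootExec   = 'autocheck autochk *'                   # XP's stock BootExecute entry

# Load the offline hive under HKLM\horked (same as File > Load Hive in regedit).
& reg.exe load "HKLM\$MountName" $OfflineSystemHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $OfflineSystemHive" }

try {
    # Walk every ControlSetNNN, not just ControlSet001 (the post's step 9).
    Get-ChildItem "HKLM:\$MountName" |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object {
            $cs = "HKLM:\$MountName\$($_.PSChildName)"

            # Start = 4 (SERVICE_DISABLED) keeps intelppm.sys from loading on an AMD box.
            $svc = "$cs\Services\IntelPPM"
            if (Test-Path $svc) {
                $before = (Get-ItemProperty $svc).Start
                Set-ItemProperty -Path $svc -Name Start -Value 4 -Type DWord
                Write-Host "$($_.PSChildName): IntelPPM Start $before -> 4"
            }

            # Drop the scheduled disk check (e.g. 'autocheck autochk /r \??\C:') that
            # blocks safe-mode boot, but keep the stock entry so boot-time checks of a
            # dirty volume still work.
            $sm = "$cs\Control\Session Manager"
            if (Test-Path $sm) {
                $boot = [string[]](Get-ItemProperty $sm).BootExecute
                if ($null -ne $boot) {
                    $kept = @($boot | Where-Object { $_ -notmatch 'autochk' -or $_ -eq $DefaultBootExec })
                    if ($kept.Count -ne $boot.Count) {
                        Set-ItemProperty -Path $sm -Name BootExecute -Value $kept -Type MultiString
                        Write-Host "$($_.PSChildName): removed $($boot.Count - $kept.Count) autochk entries"
                    }
                }
            }
        }
}
finally {
    # Always unload so the changes are flushed to disk and the hive is not left locked.
    [GC]::Collect()   # release lingering registry handles that would make the unload fail
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```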

What's wrong with this picture?

If you answered "why would the IRS use a web server in Korea to ask for information about my tax refund" you are a winner!

This is a phishing site preying on people who do not know that all you need to do to get your tax rebate is to file a tax return this year. Apparently, this is the hot new phishing scam, and the IRS has instructions for how to handle it.

The e-mail came in at 21:07 PDT today. By 21:30 PDT the site was not recognized as a phishing site by either Internet Explorer or Firefox. By 21:35 Firefox had it marked. Impressive. By 21:40 IE still had not marked it, which I found interesting.

I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. ...went to run some tool. Hey, where did that tool go? It was there when I left home?!? Turns out the anti-malware software that the company shoved down on my laptop had removed the tools I needed to do my job because they were deemed to be malware. Today I had another reminder of why this is probably a good policy for me.

On a whim I decided to run the latest beta of the OneCare Live Safety Scanner on my primary laptop. I was very surprised when the scanner actually found some malware on my computer. This was the first time any anti-malware had found any malware on any of my computers since some free anti-virus for the Macintosh found a virus on a floppy disk I put in my Mac II Se, in 1991. After a 17-year hiatus, I finally managed to contract some malware!

After the scan was finished I had my explanation:

The infection was in my dev projects directory, in a directory called moztests. That's where I put the files I wrote when I was working on what Mozilla eventually patched as MFSA2007-27. OneCare just cleaned my research off my computer!

Do not misunderstand me. I am not saying that you should not use anti-malware software. I am not even saying that you should do as I say, not as I do, as many security "experts" tend to say. All I am saying is that you need to consider the consequences of all software you install. While it is true that I do not see much malware on any of the computers I manage, that is not a reason to not run anti-malware on them. You need to consider the risks of not doing so. I would never leave our kitchen computer, the closest thing to a kiosk that we have in my house, without anti-malware. Likewise, I find it wise to run it on the kids' computer. My laptop, on the other hand, is used for all kinds of work where the anti-malware would get in the way, so I refrain from it, accepting the risk that I may, inadvertently, one day click on something I shouldn't. To at least minimize that risk I run as a standard user in Windows Vista.

There is one additional thing you should consider. If we took the advice of some authorities and stopped running anti-malware software, would the status quo - the state where we really do not find much active malware - remain? Of course not. Right now the malware purveyors are mutating their software at extremely rapid rates, producing, literally, millions of new malware samples every year. At an event last week I heard a figure that we are on track to see 5 million unique pieces of malware again this year. Yet, most people I talk to say their anti-malware solution never finds any of it on their computers. More than likely that is due in large part to the fact that the vast majority are mutations of earlier versions, created to stay ahead of the anti-malware software. If we removed anti-malware software from the eco-system we would make it that much easier for the bad guys to control us. They could stop the mutation arms race and focus instead on getting fewer versions deployed to more computers, and we would have no hope of catching any of it. Therefore, the advice to not run anti-malware is unsound at best. It has simply become a cost of using a computer these days; a cost of keeping the eco-system as sound as is possible with a technology-only solution.

However, you may want to think twice about anti-malware on a computer you use for vulnerability research.