[tags]viruses,OpenOffice,Word,Microsoft,Office,Powerpoint,Excel[/tags]
In my last post, I ranted about a government site making documents available only in Word. A few people have said to me “Get over it—use OpenOffice instead of the Microsoft products.” The problem is that those are potentially dangerous too—there is too much functionality (some of it may be undocumented, too) in Word (and Office) documents.
Now, we have a virus specific to OpenOffice. We’ve had viruses that run in emulators, too. Trying to be compatible with something fundamentally flawed is not a security solution. That’s also my objection to virtualization as a “solution” to malware.
I don’t mean to be unduly pejorative, but as the saying goes, even if you put lipstick on a pig, it is still a pig.
Word and the other Office components are useful programs, but if MS really cared about security, they would include a transport encoding that didn’t include macros and potentially executable attachments—and encourage its use! RTF is probably that encoding for text documents, but it is not obvious to the average user that it should be used instead of .doc format for exchanging files. And what is there for Excel, Powerpoint, etc?
[tags]DHS,MS Word,threats[/tags]
Earlier, I wrote about the security risks of using Microsoft Word documents as a presentation and encoding format for sending files via email (see posts here and here). Files in “.doc” format contain macros, among other things, that could be executable. They also have metadata fields that might give away sensitive information, and a lot of undocumented cruft that may be used in the process of exploiting security. It is no wonder that exotic exploits are showing up for Word documents. And only today it was revealed that the latest version of Office 2007 may not have even gotten the most recent patch set.
Want to find some vulnerabilities in Word? Then take a look at the list of US-CERT alerts on that software; my search returns almost 400 hits. Some of these are not yet patched, and there are likely many as-yet unpatched flaws still in there.
Clearly, the use of Word as a document exchange medium is Bad (that’s with a definite capital B). People who understand good security practices do not exchange Word files unless they are doing collaborative editing, and even then it is better to use RTF (if one continues to be beholden to Microsoft formats). Good security hygiene means warning others, and setting a good example.
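The point made here and in the earlier post about macro-free transport encodings can be turned into a gateway-side triage check. The following is an added example, not code from the original post: it identifies an attachment's container by its magic bytes and flags the active content the posts warn about (VBA storage in legacy OLE .doc/.xls/.ppt files, a VBA project part in OOXML packages, and embedded OLE objects in RTF, which has no macro language but can still carry objects). The OLE check is a heuristic scan for UTF-16LE directory-entry names rather than a full compound-file parser; all sample inputs are constructed inline.

```python
"""Added example (not the post's own code): triage an attachment by container
type and flag the active content the post warns about. The OLE check is a
heuristic scan for UTF-16LE directory-entry names, not a full CFB parser."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML packages are ZIP files
RTF_MAGIC = b"{\\rtf"
# Storage names present only when an OLE document carries VBA code (UTF-16LE, as stored).
OLE_MACRO_NAMES = [s.encode("utf-16-le") for s in ("VBA", "_VBA_PROJECT")]
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_document(data: bytes) -> dict:
    """Return the container kind and whether active content was found."""
    if data.startswith(OLE_MAGIC):
        return {"kind": "ole", "active_content": any(n in data for n in OLE_MACRO_NAMES)}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return {"kind": "zip-corrupt", "active_content": True}  # fail closed
        return {"kind": "ooxml", "active_content": any(p in names for p in OOXML_MACRO_PARTS)}
    if data.startswith(RTF_MAGIC):
        # RTF has no macro language, but \object / \objdata embed OLE payloads.
        return {"kind": "rtf", "active_content": re.search(rb"\\obj(?:ect|data)\b", data) is not None}
    return {"kind": "unknown", "active_content": True}  # fail closed


def acceptable_transport(data: bytes) -> bool:
    """The post's recommendation as policy: exchange only RTF without embedded objects."""
    result = classify_document(data)
    return result["kind"] == "rtf" and not result["active_content"]


# Constructed samples (not real documents): an OLE header padded to one 512-byte
# sector plus a fake directory-entry name, two RTF files, and a tiny OOXML package.
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le")
SAMPLE_RTF_CLEAN = b"{\\rtf1\\ansi Hello, world.}"
SAMPLE_RTF_OBJECT = b"{\\rtf1\\ansi {\\object\\objemb {\\*\\objdata 0105}}}"


def build_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()  # in-memory Word-style package, optionally with a VBA project part
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```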
Now, consider that DHS has released BAA07-09 to solicit research and prototypes to get fixes for current cyber infrastructure vulnerabilities. I could rant about how they claim it is for R&D but is really a BAA for further product development for fundamentally flawed software that cannot be fixed. But that isn’t the worst part. No, the BAA is only available as Word documents!
Can you say “irony”? This is the agency charged with helping guide us to a more secure infrastructure? If so, electronically KYAG.
Update: A response from Dr. Douglas Maughn at DHS points out that the site I indicated for the BAA is actually FedBizOps rather than DHS. The DHS posting site actually has it in PDF…although the FedBizOps link is the one I’ve seen in several articles (and in a posting in SANS NewsBites).
Of course, it would be great if DHS could get the folks at FedBizOps to clean up their act, but at least in this case, DHS—or rather, DHSARPA—got it right. I stand corrected.
[tags]biometrics,USB,encryption,hacking[/tags]
One of our students who works in biometrics passed along two interesting article links. This article describes how a password-protected, supposedly very secure USB memory stick was almost trivially hacked. This second article by the same author describes how a USB stick protected by a biometric was also trivially hacked. I’m not in a position to recreate the procedure described on those pages, so I can’t say for certain that the reality is as presented. (NB: simply because something is on the WWW doesn’t mean it is true, accurate, or complete. The rumor earlier this week about a delay in the iPhone release is a good example.) However, the details certainly ring true.
We have a lot of people who are “security experts” or who are marketing security-related products who really don’t understand what security is all about. Security is about reducing risk of untoward events in a given system. To make this work, one needs to actually understand all the risks, the likelihood of them occurring, and the resultant losses. Securing one component against obvious attacks is not sufficient. Furthermore, failing to think about relatively trivial physical attacks is a huge loophole—theft, loss or damage of devices is simple, and the skills to disassemble something to get at the components inside are certainly not a restricted “black art.” Consider the rash of losses and thefts of disks (and enclosing laptops) we have seen over the last year or two, with this one being one of the most recent.
Good security takes into account people, events, environment, and the physical world. Poor security is usually easy to circumvent by attacking one of those avenues. Despite publicity to the contrary, not all security problems are caused by weak encryption and buffer overflows!
[tags]Google, spam, 419[/tags]
I recently blogged about some unsolicited email I received from a recruiter at Google. Much to my surprise, I was shortly thereafter contacted by two senior executives at Google (both of whom I know). Each apologized for the contact I had received; one assured me he would put in a positive recommendation if I wanted that sys admin position.
I have been assured that there will be some re-examination made of how these contacts are made. So, score one for my blog changing the world! Or something like it.
[tags]Google, spam[/tags]
Today I received email from a google.com address. The sender said he had found me by doing a search on the WWW. He indicated he hoped I wasn’t offended by his sending unsolicited email. However, he had a great offer for me, one that I was uniquely qualified for, and then offered a couple of URLs.
Does that sound familiar?
My first thought was that it was a 419 scam (the usual “I am the son of the crown prince of Nigeria…” letters). However, after checking out the mail headers and the enclosed URLs, it appears to be a (semi) legit letter from a Google recruiter. He was asking if I was open to considering a new, exciting position with Google.
And what exciting new position does the Google recruiter think I’m ideally suited for? Starting system administrator…..
And by the way, sending email to “abuse@google.com” gets an automated response that states, in no uncertain terms, that Google never sends spam and that I should take my complaints elsewhere.
Gee, think this is a new career possibility for me?