Sergey Simakov blog

Information security world

Monday, December 18, 2006

CISSP exam and new home for blog

Sorry for the lack of posts last month. I was really busy at work with different projects (PKI, SC, security reviews) and tried to learn new CBK domains at home, so I basically didn't have time to blog at all. Again, sorry.

Today I had a CISSP exam (you know - 6 hours is hard ;-) after a week of CBK review seminars (by Dennis Griffin) with some of the Microsoft EMEA guys and other attendees at Rotenburg a.d. Fulda (and you know - it was a good choice after all, because this hotel is so far away from town and there aren't even any people at reception or on my floor right now, so I could concentrate on learning). I hope that I passed it - because sometimes it looked like a very complicated exam in the English language ;-)

Well, it seems that Vista is ready now and will be available to customers in the near future, so it's time to check the Windows Vista Security Guide and other Vista security features. I've been living with it for 5 months now and it's really good (especially from a security point of view - ASLR, BitLocker, etc.)

Some news on blog changes - in the near future (beginning next year) I'm going to post at http://blogs.technet.com/ssimakov - mostly in Russian and for the Russian ITSec community. But I'll keep this blog as personal and continue to cross-post here in English.

And now it's time to prepare for the flight back to Moscow and the following vacation in Phan Thiet, Vietnam.

Merry Christmas and Happy New Year!

posted @ Monday, December 18, 2006 1:08 AM | Feedback (1) | Filed Under [ Personal ]

Monday, November 20, 2006

Great blog on smartcards deployment

I just found that I've missed a great blog by Steve Patrick (from the Critical Problem Resolution team) with invaluable information on smart card deployment, so begin with this post - So, you want to use smart cards?. Thanks for sharing this information, Steve! [subscribed]

posted @ Monday, November 20, 2006 10:13 PM | Feedback (0) |

Wednesday, October 25, 2006

Consolidation of Managed Security Services market

Well, it didn't take long after the SecureWorks/LURHQ and IBM/ISS deals: British Telecom acquires Counterpane.

posted @ Wednesday, October 25, 2006 10:09 PM | Feedback (1) |

Tuesday, October 24, 2006

Active Directory Certificate Server Enhancements in Windows Server Longhorn RTW

The Active Directory Certificate Server Enhancements (aka Windows PKI) in Windows Server "Longhorn" guide by Carsten Kinder, written with the help of the PKI PMs, was finally released to the web. This comprehensive document contains information about new PKI features in Windows Server "Longhorn" such as:

  • Cryptography API: Next Generation (aka CNG) support in CAs to provide crypto agility
  • Unattended and integrated interactive setup options (without the need to disable AIA in the root CA cert)
  • Certificate templates v3
  • Restricted Enrollment Agent and Restricted Certificate Managers support (much needed in enterprise scenarios)
  • many other new features and OCSP standard support

So it's highly recommended reading.

posted @ Tuesday, October 24, 2006 11:24 PM | Feedback (0) |

Monday, September 18, 2006

BitLocker cryptographic algorithm

FYI - Niels Ferguson posted a link on the System Integrity team blog to a document with details about the cryptographic algorithm that is used in BitLocker (AES-CBC with a specialized diffuser that improves the security against manipulation attacks).

posted @ Monday, September 18, 2006 7:59 AM | Feedback (0) |

Friday, September 08, 2006

Attack on RSA signature implementation

A good description of Daniel Bleichenbacher's attack on RSA signature implementations, which may, under some common circumstances, break SSL/TLS, is on the Matasano blog.

posted @ Friday, September 08, 2006 9:03 PM | Feedback (0) |

Thursday, September 07, 2006

Joint architecture for NAP/NAC interoperability announcement

A joint architecture for Microsoft Network Access Protection (NAP) and Cisco Network Admission Control (NAC) interoperability was officially announced at the Security Standard conference in Boston. More information is available in the Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture whitepaper and on the NAP team blog.

posted @ Thursday, September 07, 2006 5:18 AM | Feedback (0) |

Thursday, August 24, 2006

Social engineering threats

It's a known fact that one of the weakest links in current security systems is people, and last week a very interesting paper was released as part of the Midsize Business Security Guidance - How to Protect Insiders from Social Engineering Threats

posted @ Thursday, August 24, 2006 4:19 PM | Feedback (0) |

Thursday, August 17, 2006

Interesting blog

I've missed the fact that Kevin Lam from the ACE (Application Consulting & Engineering) Team (author of the very interesting Assessing Network Security book about penetration testing) is now blogging - subscribed.

posted @ Thursday, August 17, 2006 7:22 PM | Feedback (0) |

Tuesday, July 18, 2006

Microsoft acquires Sysinternals and Wininternals

According to Mark's blog post, Microsoft has acquired Wininternals and Sysinternals: developers of great troubleshooting and management tools such as Recovery Manager, Protection Manager and ERD Commander (part of Administrator Pack), the free Autoruns/Process Explorer/Rootkit Revealer, and many others that are included in my must-have utilities list.

Congratulations to Mark and Bruce!

posted @ Tuesday, July 18, 2006 5:44 PM | Feedback (0) |

Tuesday, May 23, 2006

Crypto classes

Michael Howard posted a link to the lecture materials from University of Washington's cryptography class.

And you should pay attention to the lecturers list:

  • Brian LaMacchia (ex-security architect for the .NET Framework and Common Language Runtime)
  • Josh Benaloh (senior cryptographer in Microsoft Research) 
  • John Manferdelli (Distinguished Engineer, worked on the TPM stuff at Microsoft.)

BTW, did anyone mention that v1.1 of KMDF was released? It supports Windows 2000 now, so the driver developers' position helped =)

posted @ Tuesday, May 23, 2006 6:41 PM | Feedback (0) |

Sunday, March 26, 2006

Red pill

Well, it's time to announce some changes in my professional life:

Ch-ch-Changes
Just gonna have to be a different man
Time may change me
But I can't trace time [by David Bowie]

So, I've taken a red pill (it's just our way of saying "we've taken a job at Microsoft." ;-) and now I'm working with great people in Microsoft Consulting Services Russia team and I'm very excited about new opportunities.

posted @ Sunday, March 26, 2006 9:16 PM | Feedback (2) |

Identity management seminar in Moscow

Last month Rafal Lukawiecki (Project Botticelli Ltd) gave a very good presentation about 'Identification and access management in heterogeneous enterprise networks' in the Moscow Microsoft office (the program in Russian is available here).

The overview and comparison of Microsoft identity management technologies (MIIS, ADFS) was the most interesting part of this presentation (especially given that InfoCard and other plans for future developments in this area from Microsoft were announced at the RSA conference on the same day).

Unfortunately the presentation is not available for download right now, but I think it'll be available for download from the TechNet IT's Showtime section.

posted @ Sunday, March 26, 2006 8:29 PM | Feedback (0) |

Wednesday, May 19, 2004

Two approaches to check functions parameters

Larry Osterman posted an interesting discussion about checking parameters in components - Should I check the parameters to my function?. Currently I'm using the school one approach (always check incoming data with IsBadXXXPtr), but:

The way you check for bad pointers on Win32 is by calling the IsBadReadPtr and IsBadWritePtr API.  Michael Howard calls these APIs “CrashMyApplication” and “CorruptMemoryAndCrashMySystem” respectively.  The problem with IsBadReadPtr/IsBadWritePtr is that they do exactly what they’re advertised as doing:  They read and/or write to the memory location specified, with an exception handler wrapped around the read/write.  If an exception is thrown, they fail, if not, they succeed.

There are two problems with this.  The only thing that IsBadReadPtr/IsBadWritePtr verifies is that at the instant that the API is called, there was valid memory at that location.  There’s nothing to prevent another thread in the application from unmapping the virtual address passed into IsBadReadPtr immediately after the call is made.  Which means that any error checks you made based on the results of this API aren’t valid (this is called out in the documentation for IsBadWritePtr/IsBadReadPtr).

The other one is worse.  What happens if the memory address passed into IsBadReadPtr is a stack guard page (a guard page is a page kept at the bottom of the stack – when the system top level exception handler sees a fault on a guard page, it will grow the threads stack (up to the threads stack limit))?  Well, the IsBadReadPtr will catch the guard page exception and will handle it (because IsBadReadPtr handles all exceptions).  So the system exception handler doesn’t see the exception.  Which means that when that thread later runs, its stack won’t grow past the current limit.  By calling IsBadReadPtr in your API, you’ve turned an easily identifiable application bug into a really subtle stack overflow bug that may not be encountered for many minutes (or hours) later. [via Larry Osterman]

Hmm, it seems that I need to move IsBadXXXPtr only to debug asserts in my projects.

posted @ Wednesday, May 19, 2004 6:56 AM | Feedback (2) |
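
One way to apply the conclusion of the post above, as an added example that is not code from the original post or from Larry Osterman's article: always-on checks that never touch the caller's memory, with the IsBadXXXPtr probes kept only as debug-build asserts on Windows. The names copy_blob, copy_status, DBG_READABLE and DBG_WRITABLE are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* IsBadXxxPtr survives only as a debug-build assert on Windows; release
 * builds (NDEBUG) and other platforms compile the probe away entirely. */
#if defined(_WIN32) && !defined(NDEBUG)
#define DBG_READABLE(p, n) assert(!IsBadReadPtr((p), (n)))
#define DBG_WRITABLE(p, n) assert(!IsBadWritePtr((p), (n)))
#else
#define DBG_READABLE(p, n) ((void)0)
#define DBG_WRITABLE(p, n) ((void)0)
#endif

/* Hypothetical status codes for this example. */
enum copy_status { COPY_OK = 0, COPY_BAD_ARG, COPY_TOO_SMALL, COPY_OVERLAP };

/* Hypothetical component entry point: copy src_len bytes from src to dst. */
enum copy_status copy_blob(void *dst, size_t dst_cap,
                           const void *src, size_t src_len)
{
    /* Always-on checks compare values only; they never touch the memory
     * behind dst/src, so they cannot swallow a guard-page exception. */
    if (dst == NULL || src == NULL)
        return COPY_BAD_ARG;
    if (src_len > dst_cap)
        return COPY_TOO_SMALL;
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (d < s + src_len && s < d + src_len)
        return COPY_OVERLAP;           /* memcpy needs disjoint ranges */

    DBG_READABLE(src, src_len);        /* debug aid, not a security check */
    DBG_WRITABLE(dst, src_len);

    /* A wild non-NULL pointer faults here, at the first real use, where a
     * debugger or crash dump points straight at the offending caller. */
    memcpy(dst, src, src_len);
    return COPY_OK;
}

int main(void)
{
    char src[8] = "abcdefg", dst[8] = {0}, small[4];
    assert(copy_blob(dst, sizeof dst, src, sizeof src) == COPY_OK);
    assert(copy_blob(small, sizeof small, src, sizeof src) == COPY_TOO_SMALL);
    assert(copy_blob(NULL, 8, src, sizeof src) == COPY_BAD_ARG);
    return 0;
}
```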

Tuesday, February 28, 2006

New Year in Sri Lanka

Better late than never.

I spent this New Year and Russian Orthodox Christmas on the beautiful island of Sri Lanka (Ceylon). Some photos from this trip are posted on my Flickr account. The weather was really great (but unusually rainy for this time of year on the south-west side of the island) - especially if you compare it with Moscow weather in January (60 degrees difference ;-).

This time we visited nearly every part of this wonderful country - from Nuwara Eliya to the ex-capital Kandy, to Dambulla, to the 8th wonder of the World in Sigiriya (btw the famous The Bridge on The River Kwai that Anton Antich visited this year was actually filmed at this place ;-).

But the real motive for this post is the difference that free education and medical help make for ordinary people. Maybe you didn't know, but Sri Lanka is a Democratic Socialist Republic and for this reason they have free of charge education (inc.  and medical help for all people. And it works - I'm comparing impressions with our trip to Goa (the richest state in India after all) and from my point of view ordinary people are much happier, there's no such obvious diversity and economic growth is visible. And even after the terrible tsunami that happened last year (down this railroad) they didn't give up and are building their small businesses - and I wish them good luck.

 

posted @ Tuesday, February 28, 2006 8:37 PM | Feedback (1) |

Wednesday, December 14, 2005

SmartCard Base CSP and Windows PKI resources

Yep, I knew that I forgot something -

David Cross announced on the public.security.crypto newsgroup the release of the Smart Card Base Cryptographic Service Provider as a free download (also available via Windows Update):

Writing a Smart Card CSP has not been trivial.  This has been addressed by splitting the CSP architecture to a Base CSP and Card Module architecture. The Base CSP is provided by Microsoft as a part of the platform (with this Base CSP release).

Card Module is an interface supported by Microsoft for card vendors to write their implementations for the same to their card. This is analogous to writing a printer driver for a printer.
It is this new Card Module architecture that will also be available as a part of Windows Vista.  With this release, one of the goals that we want to accomplish is that the same card module works on older platforms and also Vista.

More information is available in Shivaram Mysore's blog (he is an active participant of XML Encryption and XKMS and an ex-Sun software architect).

There is also a great collection of Windows PKI and cryptography references and links [subscribed].

posted @ Wednesday, December 14, 2005 10:22 PM | Feedback (0) |

news for last three months

Well, the period of silence on this blog has ended. Unfortunately I couldn't post for the last three months for many reasons and I'm sorry for it :((

In this post I'll try to summarize what interesting things happened in security from my point of view (actually Valery already mentioned most of them in his blog):

Peter Gutmann updated his “Godzilla crypto and security” tutorial with an excellent quote on the current state of laws in Russia: “The severity of Russian law is compensated for by its non-mandatoryness.”

NSA announced Suite B Cryptography at RSA 2005 consisting of AES, Elliptic Curve Digital Signature and Key Exchange and SHA-256/384.


For this reason I'll try to describe an unofficial Russian “Suite B”:

  • GOST 28147-89 for encryption
  • GOST R 34.10-2001 (Elliptic Curve Digital Signature) for DS and Key Exchange (it supersedes GOST R 34.10-94 that should be withdrawn before 1.01.2008)
  • GOST R 34.11-94 for hash function

More information about using these algorithms with the X.509 certificate and CRL profile is currently available as a draft (and will be accepted as an informational RFC in the near future). A basic implementation for OpenSSL 0.9.8 can be downloaded at the CryptoCom open-source site.


Bruce Schneier posted his impressions from the Cryptographic Hash Workshop hosted by NIST: 1, 2, 3.

This autumn was a bad time for many IPSec ISAKMP/IKE implementations: the Protos test suite from the Oulu University Secure Programming Group found vulnerabilities in multiple vendors' implementations. And this is a precise example of using the fuzzing technique to find security flaws.

Sun Microsystems released the Solaris 10 source code as OpenSolaris, including the Kernel Crypto Framework/Drivers, User Crypto Framework (PKCS#11) and Crypto Algorithms (more information is available at Darren J. Moffat's blog)


BTW, it is interesting to compare the design of the future Microsoft CryptoAPI NG from the previous post and The (Open)Solaris Cryptographic Framework. They are built on the same separation of crypto providers into distinct digest, signature, etc. providers, and both are moving to support the kernel (right now it's impossible to use CryptoAPI in an ipsec driver, for example).


And the developer part of the news: the two most successful Microsoft Shared Source projects were released as WiX 2.0 and WTL 7.5 - and MSFT could be really proud of them (we use them extensively in our projects).

Windows kernel developers also received a new development framework - Kernel Mode Driver Framework 1.0 (unfortunately it didn't support Windows 2000 in version 1.0, but I hope it will due to feedback from the developer community) and updated Driver Install Framework Tools 2.01. And best of all - WDF contains the Windows Server 2003 SP1 DDK with Static Driver Verifier for free ;-) If you're interested in Windows kernel development - watch OSR NTDEV and Steve Dispensa's blog.

Well, it's enough for today - thank you for reading =)

posted @ Wednesday, December 14, 2005 10:03 PM | Feedback (0) |

Thursday, September 15, 2005

Security slide decks at PDC2005

For poor souls like me (who could not attend PDC this year ;-) - at least we can check the PDC2005 slide decks [via Sam Gentile].

I'm interested in “Scrubbing Source Code for Common Coding Mistakes (FxCop and PreFast)”, “Building IPv6, Firewall, and IPsec Aware Applications” and especially “Understanding, Enhancing, and Extending Security End-to-End” (because it mentions CryptoAPI NG)

[Updated 2005/12/07 to include direct links to presentations and btw CNG is a _must read_ for any CSP developer!]

posted @ Thursday, September 15, 2005 8:23 PM | Feedback (0) |

Friday, August 12, 2005

Humans

Valery shared this wonderful quote from Network Security: Private Communication in a Public World last week:

Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)

And today this comic by Scott Adams =):

posted @ Friday, August 12, 2005 12:14 PM | Feedback (0) |

Wednesday, April 13, 2005

New security books from Microsoft security team

As I posted recently, the Protect Your Windows Network book by Steve Riley and Jesper M. Johansson is available for pre-ordering. Both Michael Howard and Steve Riley posted updated information about the preorder (with promo code ;-)

Also yesterday I accidentally found a new book by Michael, David LeBlanc AND John Viega - 19 Deadly Sins of Software Security, due in August 2005. It should be an interesting book from the authors of Writing Secure Code and Secure Programming Cookbook.

[Update] This Monday Michael Howard officially announced this book on his blog.

posted @ Wednesday, April 13, 2005 11:03 AM | Feedback (0) |
