
Bolted-on security features aren't secure


Jaqui Greenlees, a software developer, consultant, and former highly active member of the TechRepublic community, has been known around these parts for making some provocative statements at times. He is critical of JavaScript as a security risk to a degree that makes me look like a JavaScript cheerleader (and I'm no friend of the way JavaScript is typically implemented in popular Web browsers) -- so much so that he stopped posting to TechRepublic at all when TR's interface started requiring JavaScript. He was also a vocal critic of all things Microsoft, for reasons of both heavyhanded business practices and security issues.

He's smart, opinionated, and bucks trends. He thinks about security a lot. Sometimes, he says something on the subject that catches me by surprise.

Now that you have the background, check out a weblog post of his, on his own website, titled Microsoft Breaking the law again?

Jaqui explains, briefly, how to verify for yourself, using Visual Studio, that Microsoft is harvesting information about MS Windows users and very intentionally suppressing some of Microsoft's own security features in the process. The following quote from Jaqui's weblog post summarizes the problem:

That one section of the file logs in as administrator, if you are not, turns off warnings, collects data from your computer, sends that data to Microsoft, then turns warnings back on and logs off as administrator.

This quote explains the suggestion that Microsoft may be breaking the law (again):

Then decide, is Microsoft committing the same criminal act they were penalised for by the US Courts with the Windows 98 Update issue of sending information to themselves when you ran windows update in windows 98?

Of course, WGA/MGA is specifically designed to send information to Microsoft for validation purposes, and there's nothing particularly hidden about that fact. As is often the case, I find myself not necessarily in agreement with Jaqui's take on a security matter (such as my somewhat milder views of the problems with JavaScript). WGA/MGA, complete with its explicit disclosure of the fact that it is intended to send system information to the Mothership, seems to me to essentially be a free pass for exactly what Jaqui discovered in the LegitCheckControl.DLL file.

From the Genuine Microsoft Software FAQ:

Q: What information is collected from my computer?

A: The genuine validation process will collect information about your system to determine if your Microsoft software is genuine. The validation tools do not collect your name, address, e-mail address, or any other information that Microsoft will use to identify you or contact you. The tools collect such information as:

  • Computer make and model
  • Version information for the operating system and software using Genuine Advantage
  • Region and language setting
  • A unique number assigned to your computer by the tools (Globally Unique Identifier or GUID)
  • Product ID and product key
  • BIOS name, revision number, and revision date
  • Volume serial number
  • Office product key (if validating Office)

In addition to the configuration information above, status information such as the following is also transferred:

  • Whether the installation was successful
  • The result of the validation check

As standard procedure, your Internet Protocol (IP) address is temporarily logged when your computer connects to a genuine validation website or server. These logs are routinely deleted.

On the other hand, the implementation of this WGA/MGA behavior leaves something to be desired:

  1. A tool that logs itself into an account with administrative access, then turns off the system's security warning system, constitutes a tremendous potential security threat -- even if the tool itself is not malicious. The potential for abuse is a touch disturbing to consider.
  2. It's also interesting to note that the behavior of WGA/MGA is something that MS Windows' own security features would consider a threat, necessitating this temporary deactivation of the warning system. This strikes me as an unintentional indictment of the entire process of validation in this manner, and digital rights management systems in general. They are, in effect, legitimized malware -- and here's a demonstration of the whys and wherefores.
  3. The fact that this sort of behavior is even possible -- not merely as an overlooked bug, but as an intended part of the design of Microsoft's security features -- constitutes a security risk of its own. It also starts one thinking about whether this approach to producing security alerts and "protecting" the user could even be designed to disallow such security risks at all. In other words, it's a strong piece of evidence of a principle of security by which I've lived for years: Bolted-on security is not even as strong as the bolts. Call it "Perrin's principle of integrated security" if you like.

A security feature differs from a characteristic of a secure architecture in that the former is bolted on, while the latter is part of the entire design philosophy of the system. Virus scanners, carefully crafted warning systems that maintain definitions of "risky" behavior, and similar security measures are security features in this sense. Meanwhile, default system behavior by which files are opened or executed based on specific instructions rather than as determined by a three-letter filename extension is a characteristic of a secure architecture.
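As an added example (not code from the original post, and not Microsoft's or anyone else's implementation), the following Python contrasts the two kinds of policy the paragraph above describes: a toy opener that decides "run or open" purely from the filename suffix, versus one that decides from an explicit, deliberately set property of the file. The owner execute bit stands in for "specific instructions" here, which is my reading of the paragraph. The dispatch functions, the suffix sets, the crude rendering of a right-to-left override, and the sample filenames are all constructed for illustration.

```python
# Added example for this page, not code from the original post. Two toy
# "open or execute?" policies, written to contrast suffix-driven dispatch
# with dispatch based on an explicit mark on the file. The suffix sets,
# function names and sample filenames are constructed for illustration.
import os
import stat
import tempfile

# Suffixes a suffix-driven opener treats as "run this" (illustrative subset).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr"}

# Suffixes a "hide known extensions" file view drops from the shown name.
HIDDEN_SUFFIXES = EXECUTABLE_SUFFIXES | {".jpg", ".pdf", ".txt"}

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE


def action_by_extension(filename: str) -> str:
    """Bolted-on policy: only the final suffix decides execute vs. open.

    Nothing about the file's content or provenance is consulted, so whoever
    chooses the name chooses the outcome.
    """
    _, ext = os.path.splitext(filename)
    return "execute" if ext.lower() in EXECUTABLE_SUFFIXES else "open"


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what a user sees in a file listing.

    1. A "hide known extensions" view drops a known final suffix.
    2. A bidi-aware renderer draws text after RIGHT-TO-LEFT OVERRIDE reversed.
    action_by_extension() never sees either transformation, which is exactly
    the gap between what the user sees and what the system does.
    """
    shown = filename
    if hide_known_extensions:
        root, ext = os.path.splitext(shown)
        if ext.lower() in HIDDEN_SUFFIXES:
            shown = root
    if RLO in shown:
        head, tail = shown.split(RLO, 1)
        shown = head + tail[::-1]
    return shown


def action_by_explicit_mark(path: str) -> str:
    """Architectural policy: run only what was deliberately marked runnable.

    The mark here is the owner execute bit, which a download or a rename
    does not set; the filename carries no authority at all.
    """
    mode = os.stat(path).st_mode
    return "execute" if mode & stat.S_IXUSR else "open"


def demo() -> dict:
    """Build two constructed files and evaluate both policies on each."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        # A freshly downloaded file with a disguising double extension.
        disguised = os.path.join(workdir, "photo.jpg.exe")
        with open(disguised, "w") as fh:
            fh.write("not a photo\n")
        os.chmod(disguised, 0o644)  # no execute bit: nobody marked it runnable
        results["disguised"] = {
            "user_sees": displayed_name(os.path.basename(disguised)),
            "by_extension": action_by_extension(disguised),
            "by_explicit_mark": action_by_explicit_mark(disguised),
        }
        # A file with no suffix at all that the owner explicitly marked runnable.
        marked = os.path.join(workdir, "tool")
        with open(marked, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        os.chmod(marked, 0o755)  # the explicit instruction: this one may run
        results["marked"] = {
            "user_sees": displayed_name(os.path.basename(marked)),
            "by_extension": action_by_extension(marked),
            "by_explicit_mark": action_by_explicit_mark(marked),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The point of the comparison is not that execute bits are unforgeable (a user can still be talked into `chmod +x`), but that the suffix policy is a string-matching layer sitting between the user's view and the system's action, and anything that manipulates the view (a hidden second extension, a bidi override) manipulates the decision. The explicit-mark policy keys off a property of the object that no naming trick can influence.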

Note that there is a difference between "bolted-on" and "modular". I leave understanding the distinction as an exercise for the reader, and only mention it here as a cautionary statement for those who understand programming well enough that they might wonder if I have a problem with modularity in software design. I don't: quite the opposite, I tend to think most complex software systems are not modular enough, for purposes of security as well as other reasons. In fact, my next article will touch briefly on a benefit of modularity in authentication systems.

Suffice it to say, for now, that all else being equal a bolted-on component can be circumvented more easily, and not necessarily by attacking it directly, than a modular component that becomes an integral part of the whole once attached. On the other hand, a system can operate without a modular component (though it may need a replacement), whereas a bolted-on component may not be removable without crippling the entire system -- or worse.

For many years, Microsoft Windows in all its evolving incarnations has edged closer to something it might call proper multiuser support. This is a good thing for MS Windows' overall security, and might one day provide real, effective privilege separation. It has taken a long time, though, in large part because MS Windows grew out of DOS -- an intrinsically single-user (and single-tasking) system -- and Microsoft has been loath to just throw out the entire system design to start over the way Apple did with MacOS X. There is surely little, if any, original DOS code still extant in MS Windows Vista, but the requirements of backward compatibility and the slow evolution of MS Windows over the years have ensured that, to some extent, user authentication is still a bolted-on security feature -- or welded-on, perhaps, after so many years of increased integration.

The fact that WGA/MGA can circumvent the standard authentication process to behave in a manner so reminiscent of malware is a pretty clear indicator of how far MS Windows authentication systems have to go before they become an integral part of the system architecture -- and, thus, something I might call "secure".

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

8 comments
visitorsx3

The javascript is also incredibly slow-loading. Adverts are bad enough, but other unrequired things in pages are just too much, and the web's become flooded with it. This page here should load real fast, because it's just text and a small image - instead it takes forever because of all the un-needed code extras. When folks are talking more about green computing, there should be more emphasis on the use of unnecessary code in pages - it takes more power to store them, cache them, display them, and retrieve them, and of course adds to congestion online. The web was much better before it got flooded with adverts, unwanted non-login cookies, and graphic / frame kipple.

visitorsx3

The internet isn't secure at all; you're better having something like a shell-terminal and usb port (no wireless-networking pen drives or hubs-etc being enabled) just for net access, and a separate LAN altogether for internal company needs. Remote access wants are going to complicate that of course. But two monitors make using the net as a resource easier, and the less need for security makes it faster. And if you use SPX/IPX for the LAN then it's all the easier to spot any net-based traffic trying to get in, plus it's faster too, and already uses unique NIC IDs. Surely everyone knows that Microsoft is a bit dodgy when it comes to security by now anyway; maybe I'm just naturally untrusting but even before I knew anything of networks it is kinda obvious that whoever manufactures anything will either keep tabs on it, and / or some folks that worked making it will be keeping tabs on it - and know exactly how to disable it or get around it. Holds true for anything. Similarly I would never trust 100% anything that does security, as whatever you can code in or make into a circuit can be reversed or in some way circumvented. If someone really really wants to get into a network, there's so many ways to go about that that aren't even directly related to networking subjects that are generally taught. The whole area of phone technology and telecomms lines tends to be out of the loop, there are all sorts of wireless ways to remotely monitor electronics (why fibre-optics is more secure), get a job as a cleaner in the facility etc.....there's RFIDs on everything now - you could be wearing them and they could be in every product you buy, and you don't even know about it. I don't see a problem in the sense that a vendor has a right to check and see if anyone is ripping off their software - you can always use Linux if you don't want to pay for an OS, or want to pay less.
Plus, home or business, why aren't more ISPs advertised as secure - what about monitoring the connections and requests. There were some stories here a while ago on plans to itemise people's internet bills to the content of the sites visited and how long they spent on them - nothing new in security terms, but it's amazing how many people didn't realise that information is easily gathered by their ISP. I used a proxy anonymiser a few times, in the full knowledge that sure it does mask my IP on a forum or from any site, but it's hardly private for real, since anyone dodgy at your ISP can still spy on you if they wanted to, plus what if someone that runs the proxy service only does so for ulterior motives. And they send their logs off of who uses it, to someone interested in who would want to use a proxy cover. At the end of the day, if you rely on checkboxes and GUI selections to do all your security for you then what do you expect. It's like anything else - they're wanting to introduce ID cards over here; of course it's just a new way for criminals to get info they can exploit in even easier ways than they do now with passports etc, and it was the same story with credit cards and chip-and-pin and any other readymades. I've had two serious account meddlings with my college account - one was someone unlocking my computer when I nipped out of the class, and another time two of my admin accounts for a server were disabled. Both were on Windows, and though it was obvious either someone say in the IT dept did it or another class member (it's not like it can just happen itself), no-one was interested in checking the logs and so on to see what happened. If it was my network I'd have wanted to know how it was compromised. Plus it being an ideal real-world opportunity for learning about security - also lost. People don't care, is the bottom line.
For every person doing something right there's another bunch that don't care - and when anything is collaborative then it brings down the quality to whatever the not-caring level is. I wrote way more than I meant to; but that's the end argument there as to why the internet just isn't secure.

ng_kai_choy

That's what made the AS/400 and I-Series so great: security was integrated into the operating system. It wasn't an application add-on.

grephead

I agree that AS/400 has lots of great security features. However, in my experience the staff running them are stuck in the pre-internet era. It is very rare to find an AS/400 employee who understands and applies common procedures we take for granted in distributed systems. Particularly in critical areas like encryption. Consider database info/backups, SSH/SCP, secure apache configuration, disabling telnet/ftp, etc. Internal controls like User Profile security are irrelevant if you can sniff the QSECOFR password over insecure connections.

Tony Hopkinson

All multi user systems where separation of privileges is fundamental to the architecture.

Jaqui

They ran a Unix OS, designed with secure multiuser operations in mind.

apotheon

While various flavors of Unix-like OS (notably AIX, some Linux distributions, and I think certain BSD Unix systems) will run on an AS/400, the "native" OS was called OS/400, and has since been renamed i5/OS. iSeries servers (what they're now calling the AS/400 architecture) is the only architecture on which OS/400 was meant to run.

Justin James

... I learned a TON about this very topic just a few days ago, out of curiosity. :) My understanding of the AS/400 situation matches yours. Indeed, I understand that it natively does virtualization and is capable of running many OS's, including Windows, in those VMs, not just i5/OS and *Nix. J.Ja