Forwarded From: Carl Nimbus <apok0lypat_private>

Cult of the Dead Cow responds to Microsoft
(lines prefaced by a '>' are Microsoft's)

> On July 21, a self-described hacker group known as the Cult of the
> Dead Cow released a tool called BackOrifice, and suggested that
> Windows users were at risk from unauthorized attacks. Microsoft takes
> security seriously, and has issued this bulletin to advise customers
> that Windows 95 and Windows 98 users following safe computing practices
> are not at risk and Windows NT users are not threatened in any way by
> this tool.
>
> The Claims About BackOrifice
>
> According to its creators, BackOrifice is "a self-contained,
> self-installing utility which allows the user to control and monitor
> computers running the Windows operating system over a network". The
> authors claim that the program can be used to remotely control a
> Windows computer, read everything that the user types at the keyboard,
> capture images that are displayed on the monitor, upload and download
> files remotely, and redirect information to a remote internet site.
>
> The Truth About BackOrifice
>
> BackOrifice does not expose or exploit any security issue with the
> Windows platform or the BackOffice suite of products.

Back Orifice does not do anything that the Windows 95/98 operating
system was not intended to do. It does not take advantage of any bugs
in the operating system or use any undocumented or internal APIs. It
uses documented calls built into Windows to do such things as:

. Display all cached passwords. This includes passwords for web sites,
  dialup connections, network drives and printers, and the passwords of
  any other application that sends users' passwords to Windows so the
  user won't be inconvenienced by having to remember his passwords
  every time he uses his computer.

. Create shares hidden to the user and list the passwords of existing
  shares.

. Make itself mostly invisible.
Back Orifice does not appear in the control-alt-delete list of running
programs, and can only be killed by a low-level process viewer which
Windows 95 does not ship with. To their credit, Windows 98 does ship
with a process viewer, but it is not installed by default.

Back Orifice has nothing to do, at all, with the Back Office suite. In
fact, the Back Office suite only runs on NT, which isn't even supported
by Back Orifice yet. Apples and oranges.

> BackOrifice does not compromise the security of a Windows network.

cDc would like to know where exactly Microsoft is getting its
definition of 'compromise the security'.

> Instead, it relies on the user to install it...

Back Orifice does not rely on the user to install it. To install it,
it simply needs to be run. Thanks to some actual exploits, there are
several ways a program could be run on a Windows computer, not only
without the user's approval, but without the user's knowledge.

> ...and, once installed, has only the rights and privileges that
> the user has on the computer.

This is correct: once installed, Back Orifice can only do what the
user sitting at the computer could do, if he has programs that do
everything that Back Orifice does. This includes connecting and
disconnecting the controlled machine to other network resources using
any username and password, seeing what's on the screen, seeing what's
typed into the keyboard, viewing and editing the registry, rebooting
the computer, viewing stored passwords, and running plugins or
programs which could use any number of actual exploits or attacks or
activities.

> For a BackOrifice attack to succeed, a chain of very specific events
> must happen:
>
> The user must deliberately install, or be tricked into installing the
> program

So, in other words, the user must intentionally or unintentionally run
the program (or have the program run some other way)...

> The attacker must know the user's IP address.

... or know where the user is likely to log in.
The Back Orifice client can sweep through lists of addresses and
network blocks searching for active servers.

> The attacker must be able to directly address the user's
> computer; e.g., there must not be a firewall between the attacker
> and the user.

... and packets have to be able to get to and from the server. For
good, reliable protection for Windows machines on the internet, the
cDc can recommend nothing better than a good, properly configured
firewall. However, since the client can send packets from any port, if
the firewall lets any UDP packets through at all, communication can be
achieved, and for transferring files, Back Orifice can initiate TCP
file transfers where the connection originates from _inside_ the
firewall.

However, this does not include the hundreds of thousands of Windows 95
and 98 boxes connected to the internet via a dialed connection through
their local or national ISP. For mass IP vendors like those, a
firewall simply isn't reasonable. Most of the internet simply wouldn't
be accessible anymore.

> What Does This Mean for Customers Running Windows 95 and Windows 98?
>
> BackOrifice is unlikely to pose a threat to the vast majority of
> Windows 95 or Windows 98 users, especially those who follow safe
> internet computing practices. Windows 95 and Windows 98 offer a set of
> security features that will in general allow users to safely use
> their computers at home or on the Internet. Like any other program,
> BackOrifice must be installed before it can run. Clearly, users
> should prevent this installation by following good practices like not
> downloading unsigned executables, and by insulating themselves from
> direct connection to the Internet with Proxy Servers and/or firewalls
> wherever possible.

cDc remembers a day when PC software was written by anyone who had a
creative idea for a cute, useful, interesting, or even just plain
silly program and was able to share that program with friends who
might also enjoy it.
It is unfortunate that the only software we're allowed to run now is
written by large companies. It's a good thing we can still trust them
not to do something unwanted to our computer!

> Generally, computers running Windows 95 and Windows 98 are not
> vulnerable if:
>
> The computer is not connected to the outside world

... unless someone on the inside world wants to control you.

> The computer is connected to the Internet through an Internet
> service provider that dynamically assigns IP addresses - as the vast
> majority of ISPs already do.

... unless the dynamic address assigned is always in the same subnet,
as the vast majority of ISPs do.

> The computer is on a network with a firewall or proxy server between
> it and the attacker.
>
> What Does This Mean For Customers Running Windows NT?
>
> There is no threat to Windows NT Workstation or Windows NT Server
> customers; the program does not run on the Windows NT platform.
> BackOrifice's authors don't claim that their product poses any threat
> to Windows NT. Windows NT Workstation and Server offer a
> comprehensive set of security features that make it the best choice for
> business users' mission-critical applications.

Hype hype hype. We will be releasing a Windows NT version as soon as
we get around to installing it.

> What Customers Should do
>
> Customers do not need to take any special precautions against this
> program. However, all of the normal precautions regarding safe
> computing apply:
>
> Customers should keep their software up to date and should never
> install or run software from unknown sources -- this applies to
> both software available on the Internet and sent via e-mail. Reputable
> software vendors digitally sign their software to verify its
> authenticity and safety. Companies should use the security
> features provided by Microsoft products, to prevent the introduction of
> this and other malicious software, and should monitor network
> usage to prevent insider attacks.
Rather than having to abstain from using non-big-company "Reputable
Vendor" software, how about providing some protection? How about the
ability to monitor and even prevent disk and registry access, so
people can run software with confidence, so that even if the author
has malicious intent, the software has become infected with an unknown
virus or trojan, or there is a bug or malfunction, there is no damage
it can do.

Incidentally, Microsoft is also falsely claiming that they tried to
contact us regarding BO. On the contrary, Microsoft has repeatedly
shown little interest when contacted about security holes in their
products in the past. In general, they have needed to have their noses
rubbed in it before acknowledging any problems. cDc issued a
preliminary press release about Back Orifice more than a month before
releasing the software. A wider-distribution Press Release was issued
on July 21st, more than a week before the demonstration at DefCon
VI... and again, nothing from Microsoft. Other than issuing silly
statements to the press, among other things calling us irresponsible
and comparing BO to Satan (again, apples and oranges), they have never
contacted us. For over 3 days at Defcon, no one from Microsoft
introduced or identified themselves to us. Immediately following our
presentation, we were swarmed by the media and the curious... but no
one from Microsoft. It wasn't until August 4 that Scott Culp, Security
Product Manager for Windows NT Server, contacted us in e-mail:

>>
Date: Tue, 4 Aug 1998 11:41:53 -0700
From: Scott Culp <scottcuat_private>
To: "'veggieat_private'" <veggieat_private>
Subject: BackOrifice

I recently received report of your BackOrifice tool, and would welcome
an opportunity to talk with you about the tool and the security
vulnerabilities you believe it exploits. Microsoft is interested in
making our products as secure as possible for our customers, and I'd
look forward to talking with you about this issue.
<<

We immediately called him back.
He was interested in learning about every vulnerability we knew of.
"The biggest one we know of is Windows 95/98 itself," to which he
agreed. Later that same day, Microsoft issued another statement --
this time mentioning that they had tried to contact us and had gotten
no response. The goliath doth protest too much, methinks.

The fact remains that Back Orifice is only as dangerous as Microsoft's
security is deficient. How about a for-instance? Win95/98 caches
frequently-used passwords in clear text, which BO has access to. This
often includes passwords users use for their ISPs. But if one is to
believe the missives which issue from the Microsoft Marketing
Department, ISPs have nothing to worry about. Either that, or ISPs
across the globe should encourage all their customers to upgrade to
NT?

Is Windows 95/98 the platform on which you perform 'secure'
transactions? Is a Windows 95/98 platform an endpoint of your
corporate VPN? If so, maybe you should be worried.

Back Orifice is a Rorschach for Microsoft credibility. Microsoft's own
official response to us was issued as a marketing bulletin! Does
anybody else besides cDc find it disturbing that the Marketing
Department is running the show over there?

Oh, never mind. Forget we ever mentioned it. Listen to Microsoft;
don't worry, be happy. Everything will be all right. Move along,
there's nothing to see here.

-----
-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
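The firewall passage in the cDc reply (a client that can choose its source port gets through any filter that lets some UDP in at all, and file transfers can be started from inside the firewall) is the one technical claim in the exchange that a small model makes concrete. What follows is an added example written for this page; it is not code from cDc, from Back Orifice or from Microsoft, and it speaks none of the tool's protocol. It runs three filter policies over a handful of constructed packets. The addresses, the listening port and the "allow inbound UDP that looks like a DNS reply" rule are assumptions made for the example. The result it shows: a stateless port rule admits the controller's datagram as long as the controller sends from port 53, connection tracking rejects it because no matching query ever left the host, and only an egress policy (outbound TCP through a proxy, as the Microsoft bulletin suggests) stops the server from dialing out for a file transfer.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool    # True when the packet arrives from the internet side


Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


def stateless_allows(pkt: Packet) -> bool:
    """Port-based filter with no connection tracking (assumed policy):
    outbound traffic is permitted; inbound UDP is permitted only when it
    looks like a DNS reply (source port 53); all other inbound is dropped.
    It cannot distinguish a controller that chose source port 53 from a
    genuine resolver."""
    if not pkt.inbound:
        return True
    return pkt.proto == "udp" and pkt.sport == 53


class StatefulFilter:
    """Same intent, but inbound UDP is admitted only if it answers a datagram
    this host sent earlier, i.e. the reversed 5-tuple was seen going out."""

    def __init__(self) -> None:
        self.outbound: Set[Flow] = set()

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.outbound.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.outbound


class StatefulEgressFilter(StatefulFilter):
    """Stateful filter that additionally forces all outbound TCP through a
    proxy host, so a server that dials out for a file transfer is dropped."""

    def __init__(self, proxy: str) -> None:
        super().__init__()
        self.proxy = proxy

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound and pkt.proto == "tcp" and pkt.dst != self.proxy:
            return False
        return super().allows(pkt)


def run(allows: Callable[[Packet], bool], packets: List[Packet]) -> List[bool]:
    """Apply one filter to a packet sequence in order; True means passed."""
    return [allows(p) for p in packets]


# Constructed traffic: every address and port below is made up for the example.
VICTIM, RESOLVER, PROXY, ATTACKER = "10.0.0.5", "10.0.0.1", "10.0.0.2", "198.51.100.7"
SERVER_PORT = 4000   # whatever port the remote-control server listens on (assumed)
TRAFFIC = [
    Packet("udp", VICTIM, 1025, RESOLVER, 53, inbound=False),        # genuine DNS query
    Packet("udp", RESOLVER, 53, VICTIM, 1025, inbound=True),         # its reply
    Packet("udp", ATTACKER, 53, VICTIM, SERVER_PORT, inbound=True),  # controller sends from port 53
    Packet("tcp", VICTIM, 1026, ATTACKER, 80, inbound=False),        # server dials out for a file transfer
]


def compare_policies() -> dict:
    """Per-packet verdict under each policy, in TRAFFIC order."""
    return {
        "stateless": run(stateless_allows, TRAFFIC),
        "stateful": run(StatefulFilter().allows, TRAFFIC),
        "stateful+egress": run(StatefulEgressFilter(PROXY).allows, TRAFFIC),
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:16s}", ["pass" if v else "drop" for v in verdicts])
```

The third packet is the one the reply is talking about: the stateless rule passes it, the stateful one drops it. The fourth packet is the inside-initiated transfer; both UDP-focused policies pass it, and only the egress restriction stops it, which is why a filter that merely blocks unsolicited inbound traffic is not the same as a filter that contains a host already running the server.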
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:49 PDT