[ISN] cDc responds to MS

From: mea culpa (jerichoat_private)
Date: Mon Aug 10 1998 - 14:27:00 PDT


    Forwarded From: Carl Nimbus <apok0lypat_private>
    Cult of the Dead Cow responds to Microsoft
    (lines prefaced by a '>' are Microsoft's)
    >   On July 21, a self-described hacker group known as the Cult of the
    > Dead Cow released a tool called BackOrifice, and suggested that
    > Windows users were at risk from unauthorized attacks.  Microsoft takes
    > security seriously, and has issued  this bulletin to advise customers
    > that Windows 95 and Windows 98 users following safe computing practices
    > are not at risk and Windows NT users are not threatened in any way by
    > this tool.
    >
    > The Claims About BackOrifice
    >
    >   According to its creators, BackOrifice is "a self-contained,
    > self-installing utility which allows the user to control and monitor 
    > computers running the Windows operating system over a network". The
    > authors claim that the program can be used to  remotely control a
    > Windows computer, read everything that the user types at the keyboard,
    > capture images that are  displayed on the monitor, upload and download
    > files remotely, and redirect information to a remote internet site.
    >
    > The Truth About BackOrifice
    >
    >   BackOrifice does not expose or exploit any security issue with the
    > Windows platform or the BackOffice suite of products.
    Back Orifice does not do anything that the Windows 95/98 operating
    system was not intended to do.  It does not take advantage of any bugs
    in the operating system or use any undocumented or internal APIs.  It
    uses documented calls built into windows to do such things as:
    . Display all cached passwords.  This includes passwords for web
    sites, dialup connections, network drives and printers, and the
    passwords of any other application that sends users passwords to
    Windows so the user won't be inconvenienced by having to remember his
    passwords every time he uses his computer.
    . Create shares hidden to the user and list the passwords of existing shares.
    . Make itself mostly invisible.  Back Orifice does not appear in the
    control-alt-delete list of running programs, and can only be killed by
    a low level process viewer which Windows95 does not ship with.  To
    their credit, Windows98 does ship with a process viewer, but it is not
    installed by default.
    Back Orifice has nothing to do, at all, with the Back Office suite.  In
    fact, the Back Office suite only runs on NT, which isn't even supported
    by Back Orifice yet.  Apples and Oranges.
    > BackOrifice does not compromise the security of a Windows network. 
    cDc would like to know where exactly Microsoft is getting its definition
    of 'compromise the security'.
    > Instead, it relies on the user to install it... 
    Back Orifice does not rely on the user to install it.  To install it,
    it simply needs to be run.  Thanks to some actual exploits, there are
    several ways a program could be run on a windows computer, not only
    without the user's approval, but without the user's knowledge.  
    >  ...and, once installed, has only the rights and privileges that 
    > the user has on the computer.
    This is correct: once installed, Back Orifice can only do what the user
    sitting at the computer could do, if he has programs that do everything
    that Back Orifice does.  This includes connecting and disconnecting
    the controlled machine to other network resources using any username
    and password, seeing what's on the screen, seeing what's typed into the
    keyboard, viewing and editing the registry, rebooting the computer,
    viewing stored passwords, and running plugins or programs which could
    use any number of actual exploits or attacks or activities.
    >   For a BackOrifice attack to succeed, a chain of very specific events
    > must happen:     
    >    The user must deliberately install, or be tricked into installing the 
    >    program
    So, in other words the user must intentionally or unintentionally run the
    program (or have the program run some other way)...
    >    The attacker must know the user's IP address. 
    ... or know where the user is likely to log in.  The Back Orifice
    client can sweep through lists of addresses and network blocks
    searching for active servers.
    >    The attacker must be able to directly address the user's
    > computer; e.g., there must not be a firewall between the attacker
    > and the user.
    ... and packets have to be able to get to and from the server.  For
    good, reliable protection for Windows machines on the internet, the cDc
    can recommend nothing better than a good, properly configured
    firewall.  However, since the client can send packets from any port, if
    the firewall lets any udp packets through at all, communication can be
    achieved, and for transferring files, Back Orifice can initiate tcp file
    transfers where the connection originates from _inside_ the firewall.
    However, this does not include the hundreds of thousands of Windows 95
    and 98 boxes connected to the internet via a dialed connection through
    their local or national isp.  For mass ip vendors like those, a
    firewall simply isn't reasonable.  Most of the internet simply wouldn't
    be accessible anymore.
    > What Does This Mean for Customers Running Windows 95 and Windows 98?
    >   BackOrifice is unlikely to pose a threat to the vast majority of
    > Windows 95 or Windows 98 users, especially those who  follow safe
    > internet computing practices. Windows 95 and Windows 98 offer a set of
    > security features that will in general  allow users to safely use
    > their computers at home or on the Internet. Like any other program,
    > BackOrifice must be installed  before it can run. Clearly, users
    > should prevent this installation by following good practices like not
    > downloading unsigned executables, and by insulating themselves from
    > direct connection to the Internet with Proxy Servers and/or firewalls 
    > wherever possible.
    cDc remembers a day when PC Software was written by anyone who had a
    creative idea for a cute, useful, interesting, or even just plain
    silly program and being able to share that program with friends who
    might also enjoy the program.  It is unfortunate that the only software
    we're allowed to run now is written by large companies.  It's a good
    thing we can still trust them not to do something unwanted to our computer!
    >   Generally, computers running Windows 95 and Windows 98 are not
    > vulnerable if:
    >
    >    The computer is not connected to the outside world
    ... unless someone on the inside world wants to control you.  
    >    The computer is connected to the Internet through an Internet
    > service provider that dynamically assigns IP addresses - as the vast
    > majority of ISPs already do.
    ... unless the dynamic address assigned is always in the same subnet, as
    the vast majority of ISPs do.
    >   The computer is on a network with a firewall or proxy server between
    > it and the attacker. 
    > What Does This Mean For Customers Running Windows NT?
    >
    >    There is no threat to Windows NT Workstation or Windows NT Server
    > customers; the program does not run on the  Windows NT platform.
    > BackOrifice's authors don't claim that their product poses any threat
    > to Windows NT.  Windows NT  Workstation and Server offer a
    > comprehensive set of security features that make it the best choice for
    > business users'  mission-critical applications.
    Hype hype hype.  We will be releasing a Windows NT version as soon as we
    get around to installing it.
    > What Customers Should do
    >
    >    Customers do not need to take any special precautions against this
    > program.  However, all of the normal precautions  regarding safe
    > computing apply:
    >
    >    Customers should keep their software up to date and should never
    > install or run software from unknown sources -- this applies to
    > both software available on the Internet and sent via e-mail. Reputable
    > software vendors digitally sign their software to verify its
    > authenticity and safety.   Companies should use the security
    > features provided by Microsoft products, to prevent the introduction of
    > this and  other malicious software, and should monitor network
    > usage to prevent insider attacks.
    Rather than having to abstain from using non-big company "Reputable
    Vendor" software, how about providing some protection?
    How about the ability to monitor and even prevent disk and registry
    access so people can run software with confidence, so that even if the 
    author has malicious intent, the software has become infected with an unknown 
    virus or trojan, or there is a bug or malfunction, there is no damage it
    can do.
    Incidentally, Microsoft is also falsely claiming that they
    tried to contact us regarding BO.  On the contrary, Microsoft
    has repeatedly shown little interest when contacted about security
    holes in their products in the past.  In general, they have needed
    to have their noses rubbed in it before acknowledging any problems.
    cDc issued a preliminary press release about Back Orifice more than a 
    month before releasing the software.  A wider-distribution Press
    Release was issued on July 21st, more than a week before the
    demonstration at DefCon VI... and again, nothing from Microsoft.
    Other than issuing silly statements to the press, among other things calling 
    us irresponsible and comparing BO to Satan (again, apples and oranges), 
    they have never contacted us.  For over 3 days at Defcon, no one from
    Microsoft introduced or identified themselves to us.  Immediately
    following our presentation, we were swarmed by the media and the curious...
    but no one from Microsoft.
    It wasn't until August 4 that Scott Culp, Security Product Manager
    for Windows NT Server contacted us in e-mail:>>
    Date: Tue, 4 Aug 1998 11:41:53 -0700
    From: Scott Culp <scottcuat_private>
    To: "'veggieat_private'" <veggieat_private>
    Subject: BackOrifice
    I recently received report of your BackOrifice tool, and would welcome an
    opportunity to talk with you about the tool and the security
    vulnerabilities you believe it exploits.  Microsoft is interested in
    making our products as secure as possible for our customers, and I'd look
    forward to talking with you about this issue.<<
    We immediately called him back.  He was interested in learning about
    every vulnerability we knew of.  "The biggest one we know of is
    Windows 95/98 itself," to which he agreed.
    Later that same day, Microsoft issued another statement -- this
    time mentioning that they had tried to contact us and had gotten no response.
    The goliath doth protest too much, methinks.
    The fact remains that Back Orifice is only as dangerous as Microsoft's 
    security is deficient.  How about a for-instance?
    Win95/98 caches frequently-used passwords in clear-text, which BO
    has access to.  This often includes passwords users use for their ISPs.
    But if one is to believe the missives which issue from the Microsoft
    Marketing Department, ISPs have nothing to worry about.  Either that
    or ISPs across the globe should encourage all their customers to upgrade to NT?
    Is Windows95/98 the platform on which you perform 'secure' transactions?
    Is a Windows95/98 platform an endpoint of your corporate VPN?  If so,
    maybe you should be worried.
    Back Orifice is a Rorschach for Microsoft credibility. Microsoft's own 
    official response to us was issued as a marketing bulletin!  Does anybody
    else besides cDc find it disturbing that the Marketing Department is 
    running the show over there? 
    Oh, never mind.  Forget we ever mentioned it.  Listen to
    Microsoft; don't worry, be happy.  Everything will be all right.
    Move along, there's nothing to see here.