Crackers are changing.  Don’t think geeky kid at the end of the street, think organized crime, well financed with large teams of talented programmers.   Don’t think “senders of SPAM”, think takers of your money.  I’ve started to think this way and I find myself rather paranoid.  Maybe they really are out to get me?

I’m pondering the quickly improving capabilities of my adversary and have concluded that protecting data means more than keeping outsiders “out”.  The access to user data must be limited to permit access only from very specific programs, this in addition to the OS provided restriction of data access only for the current user.

With Citrix XenVault, we separate “corporate data” from all other data and restrict access to the corporate spaces to only “corporate applications”.  This protects the corporate data from the assumed evil non-corporate applications and this is good, but more is needed.  What if one of the corporate applications is actually evil?  What if we want to protect user data in addition to corporate?  What if everyone is evil and all apps are evil?

Things that have me troubled

Here is a link to an article on a modern attack that has LinkedIn messages at its roots, along with sucking out bank account data and then using that information to withdraw money from victims’ accounts.  There is just too much good information in that article to paraphrase, so go read it and come back.

Welcome back – you could be infected.  That link could have been to an evil site, and you could then have been forwarded to the right place, leaving you unaware of the sleight of hand.  Before you got there, software was run in your browser, which scanned your hard drive for banking information and sent it off to the large room of well-organized evil programmers.  I really am paranoid!  Yes, invasive firewalls start to seem like a good idea.

Hey bank!  Can I get an RSA fob please!

General theme

Consider that attacks do not require ROOT access to be dangerous.  Merely having the ability to run in the context of the user is bad.  If the evil programmer can run as you, they can scan the computer for tasty tidbits of information that you can access, because you are the right user, and harvest that out to outside sources.  Given a zero-day exploit it can be even worse: anti-virus or not, the evil software is “in”.  NOTHING here requires root access to the machine!  The fact that these attacks have not been more prevalent is surprising, and I suppose outfits like McAfee and Symantec have made a good living blocking this kind of thing.

Let’s start talking about solutions.

UAC dialogs are awesome

I have previously written that I am a big fan of Vista UAC dialogs.  This remains true – they are great and have done valuable things to keep machines from getting infected.  Specifically, they prevent privilege elevation and, for the most part, keep users doing “user things”.

Problem: UAC dialogs do not protect against program access to data that the user IS permitted to see.

As the next step, Microsoft has implemented new awesome things in Vista called Integrity Levels.  Internet Explorer utilizes integrity levels to restrict program access to data for websites visited in areas of low trust.  If you are low trust, you can’t see user data, pretty much period!  This is so awesome that I might have to actually move from Firefox to IE as a preferred browser.  Let’s table that thought for a moment, because IE remains a large attack vector.

Cost vs. value

With security, we always consider the cost of the attack vs. the value of the bounty that can be achieved.  If the “cost” is higher than the value of the theft, we’re pretty sure that the attacker will look for easier targets.  In the case of a bot-net SPAM-generated invite, using CPU time on the victim’s computer to do the work, the “costs” are near zero and the value is the full value of things that could be achieved, such as bank account numbers for an “unlimited” number of people, providing at least short-term access to “unlimited” sums of money.  All you need is an unlimited number of saps on the street willing to withdraw the cash, and it’s a sincere problem.

Okay Chicken Little, now what?

I checked with people way more paranoid than me.  They first told me that I’m right to be paranoid.  Yeah, that helps a lot.  Second, they told me that the solution is simple: you need a separate computer for doing secure stuff, separate from everything else.  The computer that does online banking does JUST online banking.

Other people have told me that the computer that does Quicken does “only quicken” and here’s the good part, isn’t connected to any network!  This actually WORKS, but is rather 1980s retro, so I’ll ignore it for this post and instead suggest a small measure of security added to a vanilla Windows machine.

Practical answers

I have recently converted the homestead to have Quicken run on its own user account and have moved the data into a space that only a newly defined “Quicken” user can see.  Be sure to block inheritance (Advanced tab).

The Quicken user isn’t one where people will log on; it will be used to run the Quicken application locally as a separate program by a separate user, and Windows happily draws the Quicken program onto the same screen as the desktop for the primary logon.  This means that the primary logon accounts can be used to browse the internet, download iTunes and otherwise do all kinds of things that subject one to attack, but the Quicken data will be hidden behind a layer of Windows DACL protection.

We usually use “runas” to run as the administrator, but we can also use runas to run as another lowly user, and this can be beneficial to hide data from ourselves.

The steps

  1. Create a new user “quicken”.  Give it a password.  Why we can still create admin accounts without passwords remains a troubling thought.  Maybe this is better in Win 7.
  2. Mark the password to never expire and after step 9, throw the password away.
  3. Move the quicken data to a new directory (e.g. c:\quicken).
  4. Adjust security to “not inherit” (Advanced tab), and
  5. give the new user Full access to the directory; everyone else has nothing – rights removed.
  6. Test it – make sure normal accounts cannot see (access denied) and new account can see.
  7. Create a bat file (contents below) to launch Quicken on the new user’s credentials.
  8. Replace the Quicken shortcut on desktop and start menu with a shortcut to the batch file.
  9. Fix the icon on the shortcut so it looks like the normal quicken icon (qw.ico) and done.

Here’s the batch file…

runas /noprofile /savecred /user:quicken "\"C:\Program Files (x86)\Quicken\qw.exe\""

Concerns: In the bat file above, I’m assuming that the saved credential (/savecred) is protected with DPAPI or similar and is “secure” according to the cost/benefit of defending an attack.  The /savecred switch could be removed to make this more secure, but that would require entering the password for the Quicken user every time the program is launched.
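The steps above, scripted, as an added example that is not part of the original post. It assumes Windows 10 or later (for the Get-LocalUser/New-LocalUser cmdlets), the account name, data directory and Quicken path from the post, and a launcher written to the Public folder so the primary account can read it; run it from an elevated PowerShell prompt as the primary user.

```powershell
# Added example (not from the original post): automates steps 1 to 7 above.
# Assumed values: account "quicken", data folder C:\quicken, Quicken installed
# at the path the post's batch file uses, launcher written to the Public folder.
$Account    = 'quicken'
$DataDir    = 'C:\quicken'
$QuickenExe = 'C:\Program Files (x86)\Quicken\qw.exe'
$BatPath    = Join-Path $env:PUBLIC 'Quicken.bat'   # readable by every account

# Steps 1-2: a local account whose password never expires; nobody logs on as it.
$secret = Read-Host -AsSecureString "Password for local user '$Account'"
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Account -Password $secret -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Runs Quicken only' | Out-Null
}

# Step 3: the data directory (move the Quicken data files into it afterwards).
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null

# Steps 4-5: protect the DACL (no inheritance), drop every existing ACE, then
# grant Full Control to the quicken user alone. Administrators get no ACE
# either, matching the post; an admin can still take ownership, so this hides
# the data from the day-to-day logon, not from a determined administrator.
$acl = Get-Acl -Path $DataDir
$acl.SetAccessRuleProtection($true, $false)          # $false: do not copy inherited ACEs
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $DataDir -AclObject $acl

# Step 6: test from the primary account. The only ACE left should name the
# quicken user, and a directory listing from this account should be denied.
(Get-Acl -Path $DataDir).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
try {
    Get-ChildItem -Path $DataDir -ErrorAction Stop | Out-Null
    Write-Warning "FAIL: $env:USERNAME can still list $DataDir"
} catch {
    Write-Output "OK: $env:USERNAME is denied access to $DataDir ($($_.Exception.GetType().Name))"
}

# Step 7: the launcher from the post, written verbatim so the shortcut can point at it.
# As the post notes, /savecred caches the quicken credential for the primary user;
# remove it to be prompted for the password on every launch.
$launcher = 'runas /noprofile /savecred /user:{0} "\"{1}\""' -f $Account, $QuickenExe
Set-Content -Path $BatPath -Value $launcher -Encoding Ascii
Write-Output "Launcher written to $BatPath"
```

The first run of the launcher prompts once for the quicken password; steps 8 and 9 (the desktop shortcut and its icon) are still done by hand.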

Happier results

The children can browse Toontown, Facebook and iTunes all they want, and there is no “easy” access to the Quicken data.  This is a step in the right direction.

Next steps

In a follow up post, I’ll discuss my in-progress activity to use XenClient to implement “one app”, “one OS”.  Run them all and then merge the display back to a single surface. This will work, but suffers a need for large computers.  This might be a good counter to paranoia.

I have a big box of tools; I should be able to stay a step ahead.

Joe Nord

Product Architect – App Streaming, Profile Manager, XenVault

Citrix Systems XenApp Product Group