Sergey Simakov blog

CISSP exam and new home for blog

Sergey Simakov — Mon, 18 Dec 2006 07:08:00 GMT

Sorry for lack of posts last month. I was really busy at work with different projects (PKI, SC, security reviews) and tried to learn new CBK domains at home, so I basically didn't have a time to blog at all. Again, sorry.

Today I had an CISSP exam (you know - 6 hours is hard ;-) after week of CBK review seminars (by Dennis Griffin) with some of Microsoft EMEA guys and other attendees at Rotenburg a.d. Fulda (and you know - it was a good choice after all, because this hotel is so far away from town and there're even no any people at reception or on my floor right now, so I could concentrate on learning). I hope that I passed it - because sometimes it looked like a very complicated exam in English language ;-)

Well, it seems that Vista is ready now and will be available to customers in near feature, so it's time to check Windows Vista Security Guide and other Vista's security features. I'm living with it for 5 months now and it's really good (especially from security point of view - ASLR, BitLocker, etc)

Some news on blog changes - in near feature (begining next year) I'm going to post at http://blogs.technet.com/ssimakov - mostly in Russian and for russian ITSec community. But I'll keep this blog as personal and continue to cross-post here in English.

And now it's time to prepare for flight back to Moscow and following vacations in Phan Thiet,Vietnam.

Merry Christmas and Happy New Year!

Great blog on smartcards deployment

Sergey Simakov — Tue, 21 Nov 2006 04:13:00 GMT

I just found that I've missed a great blog by Steve Patrick (from Critical Problem Resolution team) with invaluable information on SmartCard deployment, so begin with this post - So, you want to use smart cards?. Thanks for sharing this information, Steve! [subscribed]

Consolidation of Managed Security Services market

Sergey Simakov — Thu, 26 Oct 2006 03:09:00 GMT

Well, it didn't take long time after SecureWorks/LURHQ and IBM/ISS deals: British Telecom acquires Counterpane.

Active Directory Certificate Server Enhancements in Windows Server Longhorn RTW

Sergey Simakov — Wed, 25 Oct 2006 04:24:00 GMT

Active Directory Certificate Server Enhancements (aka Windows PKI) in Windows Server "Longhorn" guide by Carsten Kinder with help of PKI PMs was finally released to web. This comprehensive document contains information about new PKI features in Windows Server "Longhorn" such as:

Cryptography API: Next Generation (aka CNG) support in CAs to provide crypto agility
Unattended and integrated interactive setup options (without need to disable AIA in root CA cert)
Certificate templates v3
Restricted Enrollment Agent and Restricted Certificate Managers support (very needed in enterprise scenarios)
many other new features and OCSP standard support

So it's very recommended to study.

BitLocker cryptographic algorithm

Sergey Simakov — Mon, 18 Sep 2006 12:59:00 GMT

FYI - Niels Ferguson posted a link to a document with details about cryptographic algorithm that is used in BitLocker (AES-CBC with a specialized diffuser that improves the security against manipulation attacks) at System Integrity team blog.

Attack on RSA signature implementation

Sergey Simakov — Sat, 09 Sep 2006 02:03:00 GMT

Good description of Daniel Bleichenbacher's attack on RSA signature implementations that may, under some common circumstances, break SSL/TLS in Matasano blog.

Joint architecture for NAP/NAC interoperability announcement

Sergey Simakov — Thu, 07 Sep 2006 10:18:00 GMT

Joint architecture for Microsoft Network Access Protection (NAP) and Cisco Network Admission Control (NAC) interoperability is officially announced at Security Standard conference in Boston. More information is available in Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture whitepaper and NAP team blog.

Social engineering threats

Sergey Simakov — Thu, 24 Aug 2006 21:19:00 GMT

It's a known fact that one of the weakest links in current security systems are people, and last week very interesting paper was released as part of Midsize Business Security Guidance - How to Protect Insiders from Social Engineering Threats

Interesting blog

Sergey Simakov — Fri, 18 Aug 2006 00:22:00 GMT

I've missed the fact that Kevin Lam from ACE (Application Consulting & Engineering) Team (author of very interesting Accessing Network Security book about penetration testing) is now blogging - subscribed.

Microsoft acquires Sysinternals and Wininternals

Sergey Simakov — Tue, 18 Jul 2006 22:44:00 GMT

According to Mark's blog post - Microsoft has acquired Wininternals and Sysinternals: developers of great troubleshooting and management tools such as Recovery Manager, Protection Manager and ERD Commander (part of Administrator Pack), free Autoruns/Process Explorer/Rootkit Revealer, and many others that are included in my must-have utilities list.

Congratulations to Mark and Bruce!

Crypto classes

Sergey Simakov — Tue, 23 May 2006 23:41:00 GMT

Michael Howard posted a link to the lecture materials from University of Washington's cryptography class.

And you should pay attention to the lecturers list:

Brian LaMacchia (ex-security architect for the .NET Framework and Common Language Runtime)
Josh Benaloh (senior cryptographer in Microsoft Research)
John Manferdelli (Distinguished Engineer, worked on the TPM stuff at Microsoft.)

BTW, does anyone mentions that v1.1 of KMDF was released? It supports Windows 2000 now, so driver developers position helped =)

Red pill

Sergey Simakov — Mon, 27 Mar 2006 02:16:00 GMT

Well, it's time to announce some changes in my professional life:

Ch-ch-Changes
Just gonna have to be a different man
Time may change me
But I can't trace time [by David Bowie]

So, I've taken a red pill (it's just our way of saying "we've taken a job at Microsoft." ;-) and now I'm working with great people in Microsoft Consulting Services Russia team and I'm very excited about new opportunities.

Identity management seminar in Moscow

Sergey Simakov — Mon, 27 Mar 2006 01:29:00 GMT

Last month Rafal Lukawiecki (Project Botticelli Ltd) made a very good presentation about 'Identification and access management in heterogeneous enterprise networks' in Moscow Microsoft office (program in russian is available here).

Overview and comparison of Microsoft identity management technologies (MIIS, ADFS) was the most interesting part of this presentation (especially assuming that InfoCard and other plans for future developments in this area from Microsoft was announced at RSA conference at the same day).

Unfortunately presentation is not available for download right now, but I think it'll be available for download from TechNet IT's Showtime section.

Two approaches to check functions parameters

Sergey Simakov — Wed, 19 May 2004 11:56:00 GMT

Larry Osterman posted interesting discussion about checking parameters in components - Should I check the parameters to my function?. Currently I'm using school one approach (always check incoming data with IsBadXXXPtr), but:

The way you check for bad pointers on Win32 is by calling the IsBadReadPtr and IsBadWritePtr API. Michael Howard calls these APIs “CrashMyApplication” and “CorruptMemoryAndCrashMySystem” respectively. The problem with IsBadReadPtr/IsBadWritePtr is that they do exactly what they’re advertised as doing: They read and/or write to the memory location specified, with an exception handler wrapped around the read/write. If an exception is thrown, they fail, if not, they succeed.

There are two problems with this. The only thing that IsBadReadPtr/IsBadWritePtr verifies is that at the instant that the API is called, there was valid memory at that location. There’s nothing to prevent another thread in the application from unmapping the virtual address passed into IsBadReadPtr immediately after the call is made. Which means that any error checks you made based on the results of this API aren’t valid (this is called out in the documentation for IsBadWritePtr/IsBadReadPtr).

The other one is worse. What happens if the memory address passed into IsBadReadPtr is a stack guard page (a guard page is a page kept at the bottom of the stack – when the system top level exception handler sees a fault on a guard page, it will grow the threads stack (up to the threads stack limit))? Well, the IsBadReadPtr will catch the guard page exception and will handle it (because IsBadReadPtr handles all exceptions). So the system exception handler doesn’t see the exception. Which means that when that thread later runs, its stack won’t grow past the current limit. By calling IsBadReadPtr in your API, you’ve turned an easily identifiable application bug into a really subtle stack overflow bug that may not be encountered for many minutes (or hours) later. [via Larry Osterman]

Hmm, it seems that I need to move IsBadXXXPtr only to debug asserts in my projects.

New Year in Sri Lanka

Sergey Simakov — Wed, 01 Mar 2006 02:37:00 GMT

Better late than never.

I spent this New Year and russian Orhodox Christmas at beautiful Sri Lanka (Ceylon) island. Some photos from this travel are posted on my Flickr account. Weather was really great (but unsually rainy for this time of year on the south-west side of island) - especially if you compare it with Moscow weather in January (60 degrees difference ;-).

This time we visit nearly every part of this wonderful country - from Nuware Eliya to ex-capital Kandy, to Dambula, to the 8th wonder of the World in Sigiriya (btw the famous The Bridge on The River Kwai that Anton Antich visited this year is actually was filmed at this place ;-).

But the real motive for this post is the difference that free education and medical help have for ordinary people. May be you didn't know, but Sri Lanka is Democratic Socialist Republic and for this matter they have free of charge education (inc. and medical help for all people. And it works - I'm comparing impressions with our travel to Goa (the richest state in India after all) and from my point of view ordinary people are much happier, there're no such obvious diversity and economic growth is visible. And even after terrible tsunami that happened last year (down this railroad) they didn't give up and are building their small businesses - and I wish them good luck.

SmartCard Base CSP and Windows PKI resources

Sergey Simakov — Thu, 15 Dec 2005 04:22:00 GMT

Yeap, I knew that I forget someting -

David Cross announced on public.security.crypto newsgroup release of the Smart Card Base Cryptographic Service Provider as free download (also available via Windows Update):

Writing a Smart Card CSP has not been trivial. This has been addressed by splitting the CSP architecture to a Base CSP and Card Module architecture. The Base CSP is provided by Microsoft as a part of the platform (with this
Base CSP release).

Card Module is a interface supported by Microsoft for card vendors to write their implementations for the same to their card. This is analogous to writing a printer driver for a printer.
It is this new Card Module architecture that will also be available as a part of Windows Vista. With this release, one of the goals that we want to accomplish is that the same card module works on older platforms and also Vista.

More information available in Shivaram Mysore blog (he is active participant of XML Encryption and XKMS and ex-Sun software architect).

There are also great collection of Windows PKI and cryptography references and links [subscribed].

news for last three months

Sergey Simakov — Thu, 15 Dec 2005 04:03:00 GMT

Well, period of silence on this blog ended. Unfortunately I couldn't post for last three months for many reasons and I'm sorry for it :((

In this post I'll try to summarize what interesting things happened in security from my point of view (actually Valery already mentioned most of them in his blog):

Peter Gutmann updated his “Godzilla crypto and security“ tutorial with excellent quote on current state of laws in Russia: “The severity of Russian law is compensated for by it’s non-mandatoryness.”

NSA announced Suite B Cryptography at RSA 2005 consisting of AES, Elliptic Curve Digital Signature and Key Exchange and SHA-256/384.

For this reason I try to describe unofficial Russian “Suite B“:

GOST 28147-89 for encryption
GOST R 34.10-2001 (Elliptic Curve Digital Signature) for DS and Key Exchange (it supersedes GOST R 34.10-94 that should be withdrawn before 1.01.2008)
GOST R 34.11-94 for hash function

More information about using these algorithms with X.509 certificate and CRL profile is currently available as draft (and will be accepted as informational RFC in the nearest time). Basic implementation for OpenSSL 0.9.8 could be downloaded at CryptoCom open-source site.

Bruce Schneier posted his impressions from Cryptographic Hash Workshop hosted by NIST: 1, 2, 3.

This autumn was a bad time for many IPSec ISAKMP/IKE implementations: Protos test suite from Oulu University Secure Programming Group found multiple vendor implementation vulnerabilities. And this is an exact sample of using fuzzing technique to find security flaws.

Sun Microsystem released Solaris 10 source code as OpenSolaris including Kernel Crypto Framework/Drivers, User Crypto Framework (PKCS#11) and Crypto Algorithms (more information is available at Darren J. Moffat blog)

BTW, it is interesting to compare design of future Microsoft CryptoAPI NG from previous post and The (Open)Solaris Cryptographic Framework. They are build of the same cryptoproviders separation as distinct digest, signature, etc providers and both moving to support kernel (right now it's impossible to use CryptoAPI in ipsec driver for example).

And developer part of news: two most successful Microsoft Shared Source projects released as WiX 2.0 and WTL 7.5 - and MSFT could be really proud of them (we use them extensively in our projects).

Windows kernel developers also received new development framework - Kernel Mode Driver Framework 1.0 (unfortunately it didn't support Windows 2000 in version 1.0, but I hope it will due to feedback from developers community) and updated Driver Install Framework Tools 2.01. And best of all - WDF contains Windows Server 2003 SP1 DDK with Static Driver Verifier for free ;-) If you're interested in Windows Kernel development - watch for OSR NTDEV and Steve Dispensa blog.

Well, it's enough for today - thank you for reading =)

Security slide decks at PDC2005

Sergey Simakov — Fri, 16 Sep 2005 01:23:00 GMT

For poor souls like me (who could not attent PDC this year ;-) - at least we can check PDC2005 slide decks [via Sam Gentile].

I'm interested in “Scrubbing Source Code for Common Coding Mistakes (FxCop and PreFast)“, “Building IPv6, Firewall, and IPsec Aware Applications“ and especially “Understanding, Enhancing, and Extending Security End-to-End“ (because it mentions CryptoAPI NG)

[Updated 2005/12/07 to include direct links to presentations and btw CNG is _must read_ for any CSP developer!]

Humans

Sergey Simakov — Fri, 12 Aug 2005 17:14:00 GMT

Valery shared that wonderful quote from Network Security: Private Communication in a Public World last week:

Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)

And today this comic by Scott Adams =):

New security books from Microsoft security team

Sergey Simakov — Wed, 13 Apr 2005 16:03:00 GMT

As I posted recently Protect Your Windows Network book by Steve Riley and Jesper M. Johansson is available for pre-ordering. Both Michael Howard and Steve Riley posted updated information about preorder (with promo code ;-)

Also yesterday I accidentially found new book by Michael, David LeBlank AND John Viega - 19 Deadly Sins of Software Security due to August 2005. It should be interesting book from authors of Writing of Secure Code and Secure Programming Cookbook.

[Update] This monday Michael Howard officially announced this book on his blog.