Vista and Blue Pill: Debunking the Myth
Blue Pill is easier to swallow now that the trick has been more closely scrutinized. Plus, a look at what's on your hard drives that you thought you erased.
A security researcher named Joanna Rutkowska claimed to have been able
to bypass Windows Vista's default security to prevent unsigned code from
running. To do this, she used malware that she created and called "Blue
Pill." The malware takes advantage of a feature of newer AMD processors
to move the entire running OS into virtual memory. She did this by logging
on with administrative privileges, which is not the default configuration.
Reverting back to a lesser privileged user left her malware present, and
allowed her to run unsigned code. This, she claimed, would be undetectable.
In an interview
, one of the leading virtualization engineers
dismissed Rutkowska's claims. According to Anthony Liguori, "I don't
feel there is any new risk here at all."
There are a couple of issues that need to be addressed in this story.
First, Rutkowska claimed to have found a flaw in Vista or, more importantly,
been able to run malware on Vista. Not true. As an administrator, Rutkowska
should be able to run any code she chooses, signed or not; Vista doesn't
attempt to prevent administrators from such actions. Users, on the other
hand, should not be able to run code such as Blue Pill, and in fact Blue
Pill would not run if the user didn't have administrator privileges. So,
no flaw in Vista was discovered, although Microsoft has said that it's
investigating Blue Pill to see if there's something it should add to or
modify in Vista. Liguori suggests that Microsoft shouldn't bother wasting
any time on this.
Next is the issue of moving the OS into a VM, which is a feature of the
AMD processor and should be possible. Think of it as putting a laptop
into hibernation mode; nothing new there.
Finally there's the issue as to whether or not such actions are "detectable."
One of Rutkowska's biggest claims is that Blue Pill and malware like it
will be "completely undetectable." Liguori flat out disputes
whether that is even possible. It boils down to whether it's possible
to convince the OS, which has been placed in a VM, that it is not. The
complexity of the malware would have to be beyond that of fully developed
VM managers, such as XEN or VMware, as both are detectable using the methods
The bottom line: While Blue Pill may have been a darling at Black
Hat and Rutkowska has certainly had her 15 minutes of fame, the risk to
users of Vista, AMD Processors or PCs in general has not changed nor is
it likely to because of Blue Pill.
It should be pointed out, however, that Rutkowska has produced a number
of thought-provoking white papers on how to hide things, but none of which
have been realized in real-world scenarios.
Disk Drive Researchers Turn Up Disturbing Data
a study, researchers purchased and analyzed some 300 used hard disks
to see whether their former owners had adequately wiped them prior to
getting rid of them. Almost half -- 49 percent -- did not, and several
contained information, including kiddie porn, that could be used for blackmail.
On the down side, it's unfortunately no surprise. Far too many
people don't realize that the data on their drive could be accessed by
others, let alone know how to properly erase the drive to ensure it cannot
be accessed. On the up side, the study shows that the number of properly
wiped drives had doubled since a similar study last year.
If there's anything to be gleaned by administrators from such an effort,
it's that you should be very careful about to whom you contract out the erasure
of sensitive information from your hard drives. There may be no way
to verify that such a contract is being handled adequately, thus ensuring
that you won't find yourself in the news as a result of a data leak. Will
it really be enough to say, "Well, hey, it's not our fault, we hired
so and so to do that!"?
Centrelink: "Zero tolerance on privacy breaches"
The Australian government's welfare agency, known as Centrelink,
has demonstrated its "zero tolerance" policy. After discovering
more than 600 cases of inappropriate data access by employees, they dismissed
19 employees. Ninety-two others resigned and 300 were fined or received
salary reductions. The remaining 189 were reprimanded, demoted or warned.
Five of the cases involved data being altered and those have been turned
over to the Australian Federal Police.
It's excellent to see an employer using such a range of actions to deal
with a policy violation. Of course if you are Australian, you may be left
wondering why any of these employees are still employed. However, we've
said before that just as there are differing levels of violations, so
too should there be differing levels of action by employers.
Centrelink is using software to monitor employee access to its 6
million customer records while performing more than 80 million transactions
Departing Workers' Copying Not Criminal
ruling by the U.S. District Court for the Middle District of Florida
finds that an employee's intent cannot be used to convict them of exceeding
authorized access as it is defined under the Computer Fraud and Abuse
Act (CFAA). Previous rulings had found that employees were guilty of that
offense when, say, they copied all of their employer's customer records
just before leaving for a rival company.
The impact of this ruling may be that companies need to improve the wording
of their employee policies regarding the handling of such data. The judge
here ruled that the term cannot apply to someone who, at the time of the
data access, was authorized to access said data. Previously, that notion
was ignored when it could be shown that the employee was acting with the intent of using the data for unauthorized purposes,
such as with their next employer.
While examining your policies, consider being more granular with your
permissions. For example, an employee may need access to customer records.
Do you grant permission for them to access all customer records,
or only their customer records? The difference could be considerable,
especially in a case where the data has been copied and taken to a rival.
It is interesting to note that access control has become, over the past
10 years, less and less granular -- this, despite the fact that the tools
offering the granularity have offered more, not less. The Cybertrust RIT
believes it could be due to the fact that increased granularity requires
increased knowledge, time to implement and effort to audit. In other words,
as security tools have evolved to provide more choices in how and what
is secured, security may be dropping due to the complexity of implementing
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.