Windows Vista puts testers' security at risk

Problems with beta version, warns expert
Tom Sanders in California, vnunet.com 16 Aug 2005
http://www.pcw.co.uk/articles/print/2141188

Users of Windows Vista Beta 1 unknowingly activate a feature of the
operating system that could put their security at risk, vnunet.com has
learnt.

The hazard concerns a peer-to-peer networking technology called Peer Name
Resolution Protocol (PNRP), which is scheduled to ship as part of Windows
Vista. The technology is included in Windows Vista Beta 1, which was released
last month.

Senior security expert George Bakos, from the Institute for Security
Technology Studies at Dartmouth College, first reported the risks associated
with the technology on the website of the SANS Internet Storm Center.

"I'm not aware of any formal review of the security of Microsoft's new PNRP
implementation. There may be some security concerns. I'd like to see that
review take place," Bakos said to vnunet.com.

Bakos has had contact with Microsoft about the technology.

The PNRP technology first shipped in the Advanced Networking Pack, an add-on
for Windows XP SP1. Software developers can use the technology in their
applications through a dedicated software development kit.

One of the possible applications of PNRP is online gaming. The technology
allows players to directly connect to each other's computers, eliminating
the need for a central server. It is designed to allow for faster, more
scalable online gaming communities.

Currently a server is needed to match up the players and coordinate between
their systems. The PNRP technology offers the same functionality by creating
an online cloud.

The PNRP feature in Windows Vista Beta 1 is turned on by default, causing
the operating system to register with this peer-to-peer cloud automatically
the moment it detects a network connection. This associates the machine's
PNRP identifier, or user name, with the user's IP address.

After the service registers with a so-called seed server, this information
is distributed to the other systems that are part of the P2P network. Even
after a user disables the service, his information remains in the cloud
until it expires from the other nodes' caches.

"This could be used to identify an individual user and IP address. It may
aid an attacker in gathering information about an individual. And if you are
a privacy advocate and you don't want information about your system to be
available to others, you may frown upon this," said Bakos.

Once subscribed to the network, systems continuously communicate to spread
information throughout the cloud about which users and services are
available. These communications trigger alerts from anomaly-based intrusion
detection systems, such as the personal firewalls from Zone Labs or
Symantec. Such products look for traffic that tries to reach applications
the user has not approved and warn the user.

The alerts are no more than a nuisance, but they did cause Bakos to advise
users who do not wish to participate in the test of the networking service
to disable the feature before ever going online.
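The following PowerShell script is an added example, not code from the
vnunet.com article or from Microsoft; it shows one way to follow this advice
on a release build of Windows. It assumes, since the article names none of
these, the service names PNRPsvc, PNRPAutoReg, p2psvc and p2pimsvc used by
Vista and later (Beta 1 may differ), the 'netsh p2p' context, and PNRP's
registered port, UDP 3540.

```powershell
# Added example (not from the article or from Microsoft): disable PNRP and the
# peer-networking services it depends on, then block PNRP traffic, so that a
# beta machine cannot register with the global cloud when it first sees a
# network. Assumptions not stated in the article: the service names below are
# those of release builds of Windows Vista and later (Beta 1 may differ), and
# PNRP's registered port is UDP 3540. Run from an elevated PowerShell
# (3.0 or later, for Get-CimInstance) before the machine goes online.

$pnrpServices = @(
    'PNRPsvc',      # Peer Name Resolution Protocol
    'PNRPAutoReg',  # PNRP Machine Name Publication Service
    'p2psvc',       # Peer Networking Grouping
    'p2pimsvc'      # Peer Networking Identity Manager; the others depend on it
)

# Record which clouds the machine already knows about (assumed 'netsh p2p'
# context, present on Vista and later). This query needs the PNRP service
# running, so it is done before the service is stopped; an empty list means
# no registration has happened yet.
netsh p2p pnrp cloud show list

foreach ($name in $pnrpServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "${name}: not present on this build, skipping"
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops any service that depends on this one
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "${name}: stopped and disabled"
}

# Defence in depth: block the PNRP port at the host firewall so that a
# re-enabled service still cannot reach a seed server. 'netsh advfirewall'
# is present on Vista and later; rule names are kept free of spaces so the
# arguments pass through PowerShell to netsh unchanged.
netsh advfirewall firewall add rule name=BlockPNRPOut dir=out action=block protocol=UDP remoteport=3540 | Out-Null
netsh advfirewall firewall add rule name=BlockPNRPIn  dir=in  action=block protocol=UDP localport=3540  | Out-Null

# Verify: each service that exists should now report Stopped / Disabled.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $pnrpServices -contains $_.Name } |
    Select-Object Name, State, StartMode |
    Format-Table -AutoSize
```

Disabling p2pimsvc alone would stop the dependent services too, but setting
each one to Disabled is what keeps them from being restarted later by a game
or other application that uses the SDK. Note that the firewall rules only
cover the native PNRP port; if the cloud is reached over a tunnelled IPv6
transport the tunnel itself would have to be blocked as well.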

In addition to the annoying alerts, Bakos pointed out that the default
activation also violates the 'principle of least privilege', under which a
system should run only the services, and hold only the permissions, that it
actually needs. Unused and unneeded services pose a security risk because
every listening service is a potential entry point that could be exploited by
attackers.

"Unused default services are a violation of the principle of least privilege
and may introduce unforeseen security risks," said Bakos.

He added that Microsoft didn't adequately inform beta testers that the
service is turned on. "Had they been aware of it, many users would prefer to
have it turned off."

Microsoft has a security initiative similar to the principle of least
privilege under the banner 'secure by design, secure by default, secure in
deployment and communications'. It has resulted in the bundling of a
firewall with the Windows operating system that has been turned on by default
since Windows XP SP2, and in a reduction in the number of networking services
that are active by default.

Microsoft is sending mixed messages about the settings of PNRP in future
versions of Windows. In an email to vnunet.com, programme manager for the
Windows client Noah Horton said that the company has not yet decided whether
PNRP will be turned on or off by default in the final version of Windows Vista.

Earlier he wrote on a Microsoft blog that the default activation will be
disabled in Release Candidate 1, a future test version, and that in the beta
it is turned on only to test the service in a massive deployment.

In addition to testing, the beta is also meant "so that intrusion detection
system vendors and systems - which are currently not used to seeing this
type of packet activity and may flag it as unusual - can make adjustments
before the final version of Windows Vista ships," he wrote.

He welcomed Bakos' report. "This is exactly the kind of data we are looking
for when we test features like PNRP."

In the final version of Vista that is scheduled to ship late 2006, the
service will be turned on when users play online games or use other software
that relies on the technology.

Microsoft could, however, mitigate the risk by requiring the user to register
for a specific service rather than creating a single general-purpose service.
This would improve user awareness, Bakos suggested.

The software vendor could also limit access to the information in the cloud
to people who are actively using that specific application.

"One global cloud by default is going to provide one global opportunity for
information gathering," said Bakos.



You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.