Archive for the 'Products' Category



20 Mar

Microsoft OneCare half-baked

“OneCare is a new product–they shouldn’t have rolled it out when they did, but they’re fixing the problems now”

This statement, coming from Arno Edelmann, Microsoft’s European business security product manager, is something to take into account while shopping for anti-malware products.

Read the rest of the article at news.com.

09 Mar

Vista security and the Security Development Lifecycle

Michael Howard, from Microsoft, comments on Vista security from an insider's point of view. He predicts that Vista will have fewer security bugs than XP SP2 or Windows Server 2003, and he bases this prediction on his trust in the SDL (Security Development Lifecycle).

The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows.

Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux :-)

My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months; I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.

It is a reasonable prediction given previous SDL experience, for example with SQL Server 2005. Putting some numbers on it:

So here’s my prediction. We will see significantly fewer critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.

08 Mar

BackTrack 2.0 Stable released!

The latest release of everyone’s favorite security LiveCD distribution is out. After 5 months in beta, BackTrack 2.0 Stable is available to the public for download. New features include an updated kernel (2.6.18-rc5), updated tools, PXE network boot, John MPI Instant Cluster for parallel password cracking, and the possibility of saving changes back to the CD. It also includes support for more wireless cards. According to the authors themselves:

It’s taken us almost 5 months to pull ourselves out of the beta stage. Every time we thought we were done, a new idea or improvement would surface, and we just *had* to implement it. Many features were added, and many of the old (yet persistent) bugs were fixed. We honestly believe that BackTrack v 2.0 Final is the leanest, mind blowing and sexiest version to come out and hope that you enjoy using it as much as we did making it. Find more information on our wiki at http://backtrack.offensive-security.com

Download BackTrack v2.0 Stable

21 Feb

LiveCD distros I use for Security

I’m a big fan of Linux-based security distros. There are many of them and most have their use. Of course each one goes through a period of fame, glory and extreme usefulness, and then falls into oblivion when it becomes obsolete, stops being maintained (the curse of open-source projects), or a shiny new one is released.

While there are some general-purpose LiveCD distros which are very good, such as the venerable Knoppix, my choice for security-oriented toolkits is the following:

Backtrack 2
http://www.remote-exploit.org/backtrack.html

Backtrack 2 can be downloaded from here

Mainly for pentesting and wardriving (it happens to support my PCMCIA wireless cards out-of-the-box, kinda). It is Slackware-based and contains many useful tools. From the authors:

BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.
It evolved from the merge of the two widespread distributions Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack gained massive popularity and was voted #1 in the 2006 insecure.org survey. Security professionals as well as newcomers are using it as their favorite toolset all over the globe.

It contains more than 300 tools, and has some exciting features like the possibility of deploying password-cracking clusters using PXE boot (PDF link)

One bad point, at least for me, is the lack of Nessus 3 in the latest release of Backtrack. Apparently Tenable didn’t agree to it. However, it is possible to install Nessus 3 on Backtrack 2 without much trouble!


mPentoo 2006.1
http://www.pentoo.ch/-PENTOO-.html

mPentoo 2006.1 can be downloaded from here

Pentoo and mPentoo (the mini version) are two LiveCD distros based on Gentoo. The mini version (mPentoo) seems to be the more interesting one. It weighs in at a little more than 200 MB, so it fits on the small CDs you can carry in your wallet. From the authors:

Pentoo is a penetration testing LiveCD distribution based on Gentoo. It features a lot of tools for auditing and testing a network, from scanning and discovering to exploiting vulnerabilities.

It includes many tools, listed here. As you can see it lacks nothing. It even includes a copy of Nessus 2.2 and Metasploit Framework 2.6.


Helix 1.8
http://www.e-fense.com/helix/

Helix 1.8 can be downloaded from here

One of the best forensics toolkits available today. Well documented. Based on Knoppix. Many different forensics tools and toolsets are included, among them Sleuthkit/Autopsy and Steve Gibson’s Forensic Acquisition Utility.

Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.

Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.

It can be used by booting the offline system into Helix, or by running Helix on a live system (Unix, Linux or Windows). All the evidence acquisition tools have minimal footprint and impact on the examined system, and the relevant tools are “forensically sound”.


As I mentioned at the beginning, there are many more LiveCD distros that can be used. Do you know of a good one? Please feel free to make suggestions!

14 Feb

Trapping fast worms

According to an article at Dark Reading, a new startup called “Day Zero Systems” has developed a technology called PWC (Proactive Worm Containment) based on anomaly detection. The idea is to license this technology for inclusion in anti-malware and firewall products.

The Proactive Worm Containment (PWC) approach developed by the researchers is supposed to augment traditional signature-based worm and virus detection, as well as so-called rate-limiting technology. The researchers have applied for a provisional patent for PWC, which uses anomaly detection, not signatures. It looks at packet rate, frequency of connections, and the diversity of connections, and it can find and detain a worm within milliseconds of a cyber attack.

Peng Liu, associate professor of information sciences and technology at Penn State and the lead researcher on the PWC project, acknowledges that anomaly detection isn’t new. But the difference with PWC, he says, is it doesn’t generate false positives — it releases legitimate hosts that get temporarily quarantined. “The novelty of PWC is that it can unblock those mistakenly contained hosts very quickly,” he says. “Others cannot do this.”
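To make the behaviour described above concrete, here is an added example (not code from the article, Day Zero Systems or the PWC researchers) of a containment state machine built on the three signals the article names: connection rate, destination diversity, and a quick release path for hosts that were quarantined by mistake. The thresholds, window length, hysteresis and sample traffic are all constructed assumptions for illustration; the real PWC algorithm is not described on this page.

```python
"""Toy worm-containment logic in the spirit of the PWC description.

Per source host and per fixed time window we count outbound connection
attempts (rate) and distinct destinations (diversity). A host whose window
exceeds either threshold is quarantined immediately; a quarantined host is
released again once it has produced a few consecutive normal-looking windows,
so a legitimate host caught by a short burst is unblocked quickly while a
scanning worm, which never calms down, stays contained.
All thresholds and sample data below are constructed assumptions.
"""
from collections import defaultdict

WINDOW_SECONDS = 1.0
MAX_CONNECTIONS_PER_WINDOW = 20     # assumed "rate" threshold
MAX_DISTINCT_DESTS_PER_WINDOW = 15  # assumed "diversity" threshold
CLEAN_WINDOWS_TO_RELEASE = 2        # assumed hysteresis before unblocking


def window_stats(events, window_seconds=WINDOW_SECONDS):
    """Group (timestamp, src, dst) connection attempts into fixed windows.

    Returns {window_index: {src: {"connections": n, "destinations": set}}}.
    """
    stats = defaultdict(
        lambda: defaultdict(lambda: {"connections": 0, "destinations": set()})
    )
    for ts, src, dst in events:
        entry = stats[int(ts // window_seconds)][src]
        entry["connections"] += 1
        entry["destinations"].add(dst)
    return stats


def is_anomalous(entry):
    """A window is anomalous if rate or diversity exceeds its threshold."""
    return (entry["connections"] > MAX_CONNECTIONS_PER_WINDOW
            or len(entry["destinations"]) > MAX_DISTINCT_DESTS_PER_WINDOW)


def contain(events, window_seconds=WINDOW_SECONDS):
    """Run the containment state machine over a time-ordered event stream.

    Returns (decision_log, quarantined_hosts) where decision_log is a list of
    (window_index, host, "quarantine" | "release") in the order decided.
    """
    stats = window_stats(events, window_seconds)
    if not stats:
        return [], set()
    hosts = sorted({src for per_host in stats.values() for src in per_host})
    quarantined = set()
    clean_streak = defaultdict(int)
    log = []
    # Walk every window, including ones where a host sent nothing: silence
    # counts as normal behaviour and moves a quarantined host toward release.
    for w in range(min(stats), max(stats) + 1):
        per_host = stats.get(w, {})
        for host in hosts:
            entry = per_host.get(host, {"connections": 0, "destinations": set()})
            anomalous = is_anomalous(entry)
            if host not in quarantined:
                if anomalous:
                    quarantined.add(host)
                    clean_streak[host] = 0
                    log.append((w, host, "quarantine"))
            elif anomalous:
                clean_streak[host] = 0          # still misbehaving, stay contained
            else:
                clean_streak[host] += 1
                if clean_streak[host] >= CLEAN_WINDOWS_TO_RELEASE:
                    quarantined.discard(host)    # the quick "unblock" path
                    log.append((w, host, "release"))
    return log, quarantined


def constructed_sample():
    """Constructed traffic: one scanner, one bursty-but-legitimate host, one quiet host."""
    events = []
    # 10.0.0.5 behaves like a scanning worm: 40 attempts/s to 40 distinct hosts, 4 s long.
    for sec in range(4):
        for i in range(40):
            events.append((sec + i / 40.0, "10.0.0.5", f"10.0.{sec}.{i + 1}"))
    # 10.0.0.7 is legitimate: a 25-connection burst to 3 servers, then 2 connections/s.
    for i in range(25):
        events.append((i / 25.0, "10.0.0.7", f"192.0.2.{i % 3 + 1}"))
    for sec in (1, 2, 3):
        events.append((sec + 0.2, "10.0.0.7", "192.0.2.1"))
        events.append((sec + 0.6, "10.0.0.7", "192.0.2.2"))
    # 10.0.0.9 is quiet: 3 connections/s to 3 servers.
    for sec in range(4):
        for i in range(3):
            events.append((sec + i / 3.0, "10.0.0.9", f"198.51.100.{i + 1}"))
    events.sort()
    return events


if __name__ == "__main__":
    decisions, still_contained = contain(constructed_sample())
    for w, host, action in decisions:
        print(f"window {w}: {action:<10} {host}")
    print("still contained:", sorted(still_contained))
```

On the constructed sample, both 10.0.0.5 and 10.0.0.7 are quarantined in window 0, but the legitimate host is released in window 2 after two normal windows, while the scanner remains contained. The trade-off this exposes is the one the article glosses over: the hysteresis value decides how long a false positive costs a user versus how quickly a worm that throttles itself briefly gets back out, so it has to be tuned against real baseline traffic rather than fixed constants like these.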