Thursday, November 12, 2009

Don't cry over spilled COFEE

This morning I was looking at my Information Technology daily news feed from Infragard, which is supposed to be sensitive information but only ever contains links to public web sites and a brief discussion of the link. Anyway, in this morning's edition there was some discussion about Microsoft's COFEE being leaked into the wild and a link to this article:http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600872. Generally there seems to be terror surrounding the release of this tool. Here are the two money quotes:
"the danger is that a detection tool will be written for COFEE so that the bad guys can cover their tracks."

and
"One researcher who got a copy of COFEE online says bad guys could abuse the tool by taking one of its Dynamic Link Libraries (DLL) and loading it into a compromised machine’s memory, where it then dumps stored clear-text passwords to a file."

I believe these feelings are being expressed by people who probably don't know much of the fundamentals of forensics or information security. I could see this being very disturbing news for a law enforcemet agent that doesn't know anything other than "insert this magic USB stick into a computer and magic happens and you get the stuff you need."

Sure, somebody could write a rootkit that watches for COFEE and starts trashing evidence, and it probably will happen before too long. So what? Many of us use DD to image the memory on a computer and the same threat has existed for us, and we're not freaking out about it. If malware writers started to do that, they would just end up on the same hamster wheel that anti-virus writers are on. Today your malware can detect COFEE so we pack the code differently. Now your malware has to detect two signatures for COFEE. And so on, and so on, and so on.
And so I find myself in agreement with Microsoft's Richard Boscovich, an attorney in the Internet Safety Enforcement Team.
"we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern..."
Unfortunately, that quote didn't make it into the Infragard summary of the article, which is too bad because I think that is the money quote. Here is the next best quote from the article:
"COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals -- its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field."

The second quote from above is what really steamed my broccoli; the one about dumping clear text passwords by loadingg a DLL into memory. Obviously there are the security problems about any program that is keeping passwords in clear text, and users should be purging themselves of such software. Mainly thought, I feel like that functionality is actually exploiting a vulnerability in Microsoft's code and should be patched. Seriously, if such functionality exists (and I'm not positive that it does) this should be considered a major security flaw. Unfortunately I can't give you an educated opinion on this because I'm not a law enforcement agent and so I can't see the secret program. Here is a decent write up of what it can do: http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/

Verdict: everybody chill out. No big deal. Nothing to see here. Move on.

No comments: