Monday, December 31, 2007

user education from a different angle

this is rather old but back in september, mike rothman posted an introduction to security mike's guide to internet security and while i was reading it a light bulb went off in my head...

i'm not sure a book (the guide is an ebook he sells, though there's a portal and a blog associated with it) can really start the kind of grassroots security movement mike is aiming for... i think there are inherent barriers in the scenario that would inhibit that, in fact... for one thing, the security knowledge that is supposed to be the currency of that grassroots movement is bound to an artifact (the ebook) and that artifact's distribution is controlled (more or less) by a commercial business model (mike put effort into that book and rightly wants to get paid)... the end result is that people have to want the knowledge in that book... they have to want it badly enough that they're willing to pay for and read the book, and that means that to some extent mike is probably going to wind up preaching to the choir...

what really piqued my interest, however, was the question that came to mind of whether or not those barriers could be removed... obviously the book could be made free, that would be one barrier down, but the knowledge contained within it would still be bound to it... in order to get the knowledge you'd need to get the book and in order to pass on the knowledge you'd have to pass on the book... passing the knowledge on from one person to the next is clearly a requirement for mike's grassroots security movement, and in the broader context that security movement sounds an awful lot like the "culture of security" i've often heard we need... but culture tied to a book just doesn't seem like it would be successful now... it certainly was in the past when books and culture were inextricably linked, but that time ended long (on the order of centuries) ago... what if the information could be passed from person to person without the book? perhaps not all as one big chunk but rather piece by piece... what would that look like?

then it struck me - that would look like a meme... a unit of cultural information that replicates from one mind to another by way of imitation... so then i set about trying to learn more about memes (did anyone miss me in october?) because i didn't (and still don't, really) know all that much about them... what i found was that virtually all culture can be regarded as being memetic in nature, whether it be religion or consumerism, politics or littering (you didn't think memes were the exclusive domain of lolcats, did you?)... in fact, once you have an idea of what you're looking for you start being able to see it in all sorts of things...

as an aside, even going to school and reading books and learning things the old fashioned way are memetic, so you might be wondering why a security ebook wouldn't be just as successful... the reason has to do with the hook for the meme... up to a certain age you have to go to school, it's not even a choice, but if you want to be even moderately successful in later life you need to get good grades and not flunk out - which means reading the books and learning the material... later on, if you want an even better life, you enroll in post-secondary education and read books and learn material so you can get your diploma, get a good job, and so on... what's in it for you as far as a security guide goes? do people generally want to learn about security? is it going to make a clear and obvious improvement in the quality of one's life? will there be frat parties along the way or hot guys/girls to chat up in class? no, a security guide doesn't have nearly as much going for it from a memetic hook point of view as academia does, and academia isn't exactly the most successful meme either (just look at how relatively few participate in it compared to religion or tv watching, for example)...

another thing that i've learned is that in order to use memes to disseminate security knowledge (or at least promote more secure behaviour) it's going to be necessary to engage in memetic engineering in order to construct suitable memes - though i'm still looking for better sources for what's involved in meme synthesis and/or meme splicing because so far my best attempts have turned out to just be meme hacks... now, if you're thinking that memetic engineering sounds a bit like social engineering, well, you'd be right and the irony of using such a technique for good instead of evil is not lost on me... i suppose you could call it a kind of white-hat social engineering...

the more interesting bit of irony (to my mind at least) is that using memes to help people make themselves more secure against malware and other security threats means using something with similar properties to the most well known form of malware - viruses... indeed, memes have even been referred to as viruses of the mind... it is this very viral quality that i think needs to be exploited in order to reach a wide enough group of people to "suffocate the bad guys" (as mike put it) and bring about the "culture of security"...

Friday, December 28, 2007

what average users need to know

i read a very interesting post about average users and how they only care about usability to the exclusion of security and it got me thinking...

i think one of the main reasons people focus so much on usability and so little on security is because the threat is too abstract... they've heard of viruses (and so probably use anti-virus software, though probably don't update it) but the current threat landscape (as opposed to the one from 20 years ago that they are more familiar with) is too disconnected from the average person's day to day reality for them to comprehend the need for the security measures we more security conscious folks keep advising...

this is a problem, especially for those who advocate safe hex, so how do we address it?

one avenue we should probably consider is describing what threat a particular safe hex practice is meant to counter - but that only connects the security measure with the threat, it doesn't actually make the threat itself seem any more real or any more like something the user actually needs to worry about...

i think users might benefit from knowing what they have that attackers would want as well as what lengths attackers are willing to go to in order to get those things... what attackers would want from average users isn't a difficult list to compile (it may not be complete, but it certainly gets the point across):
  • money
  • credit card numbers for getting money
  • personal identification information for getting new credit cards in your name so as to get money
  • user names and passwords for financial institutions like banks or paypal so as to get money
  • user names and passwords for any other site because you might be one of those people who uses the same user name and password everywhere and if so they can use that to get money
  • cpu cycles, storage space, and bandwidth for attacking others, usually to get money from them
  • fame and various other social rewards (though these are older goals that are much less relevant nowadays)
obviously the major goal is to get money and the more money the attackers get, the more they can invest on developing more effective and sophisticated attacks that reach even more people...

what attackers are willing to do to get what they want isn't too hard to list either:
  • trick you (via social engineering) or your computer (via exploits) into installing malware to steal your credit card number, passwords, or any other information they can use
  • trick you (phishing) or your computer (pharming) into believing a fake bank/paypal/whatever website is the real one so as to steal your account details or trick you into buying fictitious goods - ultimately to steal your money
  • trick you or your computer into installing malware to show unwanted advertisements (adware)
  • trick you or your computer into installing malware that makes your data inaccessible until you pay a ransom
  • trick you or your computer into installing malware to give the attacker enough access to your computer (generally making it part of a botnet) in order to use it to attack others (by trying to overload legitimate sites, hosting fake and/or exploit laden sites, sending junk mail, sending malware or links to malware sites, etc)
  • trick administrators or systems at legitimate (and in some cases very popular) sites to host exploits for tricking the computers of visitors to those sites
  • plant malware on or construct malware that can spread itself to removable media (floppy disks, cd's, dvd's, flash media, or basically anything with memory that you can plug into your computer)
and of course, the bad guys are willing to launch their attacks on average users on a wide scale so as to reach as many potential victims as possible... encounters with such attacks are not isolated incidents; there are very few computer users out there who haven't been a victim in some way at least once...

ultimately the average user needs to be made to understand that a computer is not an appliance that just does what they want it to (nor can it be), but rather it's a tool that can allow many people to do many things and not all people want to do good things... if they have stuff (money, personally identifiable information, data, etc) they want to keep safe then they need to care about security...

ethical conflict in the anti-'rootkit' domain - part 2.1

sometimes microsoft hires really good people like jimmy kuo and sometimes they really screw up and hire folks you maybe wouldn't want to meet in a dark alley... that seems to have happened with their acquisition of ep_xoff et al. behind rootkit unhooker... you may recall i posted about this individual once before in relation to an apparent ethical conflict (ep_xoff wrote and released a stealthkit, or 'rootkit' for those drinking the rootkitDOTcom koolaid, capable of bypassing all stealthkit detectors save possibly microsoft's own strider winpe ghostbuster technology)...

what i didn't post about before were his reactions to the concerns expressed by myself and cd-man (here)... while his criticisms of me were little more than childish, according to dmitry sokolov, ep_xoff veered more into the realm of criminal behaviour by attempting to incite a DDoS against or defacement of cd-man's blog...

normally i would say that hiring such a goon would reflect poorly on a company, but since microsoft's moral compass isn't really known for pointing to true north, i suppose i shouldn't have expected better from them...

Monday, December 17, 2007

when is a botnet not a botnet?

when the term botnet is misused... at least misuse seems to be the interpretation allysa myers made... although i'm not sure the headline "fbi: 'botnets' threaten online shopper security" can actually be attributed to the fbi (because the media is well known for twisting things to make a catchy headline) there certainly does seem to be a lot of ambiguity in the way the term botnet is being used...

that said, i really don't think the suggestion of coming up with a new term for what used to be called a botnet is the answer... i'm reminded of another term that got watered down in a similar way... that term was virus... it seems to me that we never tried to come up with an alternative for virus (or if we did it thankfully died a quick death), rather we came up with terms for what the label virus was being misapplied to...

come to think of it, it seems to me that not too long ago the same problem occurred with the term spyware... arguably rootkit as well...

i don't think playing musical chairs with terminology is the proper way to resolve the problem... if people are misusing a term and confusing the issue in the process, abandoning the term in favour of a brand new one isn't going to make the issue any less confusing... instead it will simply introduce a new term that they've never heard of before and are unfamiliar with and they'll wonder why it's being used where botnet was being used before... that seems likely to confuse people, if you ask me...

i think the first thing to consider is what the problem really is - to my mind the root problem (ignoring its consequences) is terminology misuse... changing terminology to run away from that misuse doesn't actually address the problem... to address the problem we need to know why it happens...

so why does terminology misuse happen? the simple answer is ignorance - people who misuse these terms do so because they don't know any better (or because the audience they're trying to reach doesn't know any better and they don't care to elevate their audience)... they don't know any better because malware is not a mainstream topic in our society... certain concepts bleed through into the mainstream and get assimilated by mainstream culture... those concepts then get used to try and explain things in the malware field, but with only a few concepts in their repertoire those explanations wind up being a distortion of reality rather than an accurate model...

in this case it seems that people are struggling with the idea of identity theft related malware and how botnets scale that problem up... they're struggling because the general public doesn't have the conceptual currency to properly express these ideas, while a select few (relatively speaking) do... some people are haves, but most are have-nots...

that imbalance is something i've certainly been trying to address for some time by trying to make information more available and accessible and hoping that the knowledge would trickle down (for lack of a better phrase)... obviously that is a rather slow process (and just as obviously, i seem to appeal more to technically minded folks) in part because only those who seek the information will find it... i think what we really need is a revolution in the way we disseminate knowledge, not just a set of new words...

Wednesday, December 05, 2007

why X is insecure - and probably always will be

about 2 weeks ago (old i know) you may have come across these two articles (by drazen drazic and lonervamp respectively) about why businesses are insecure (the 7 reasons why businesses are insecure and more reasons why businesses are insecure)...

i'm sure those are all very good business reasons for why businesses are insecure, but i'm also sure that a business that addressed all of these problems would still be insecure for reasons that have nothing to do with that business or businesses in general or business security in general...

the fact is there's a technical reason why virtually any non-trivial thing (a category anything computer related definitely falls under) we'd want to secure is almost certainly not secure and probably never will be... i'm not talking about the fact that there is no such thing as secure, rather i'm talking about the asymmetric relationship between attack and defense... if you're trying to defend something you have to try to defend it from all possible attacks, but if you're trying to attack something you only need to find one successful attack vector...

clearly defense takes a lot more work and that's a problem, but it's not clear that we can ever really change that... if we were going to try to change it, though, how would we go about it? the two obvious answers are: 1) make defense easier (presumably by reducing the number of possible attacks we need to defend against), or 2) make finding that one successful attack vector harder...

making defense easier sounds good but it's easier said than done... sun tzu talked about this very thing when he said that one should force the enemy to engage in an environment of one's own choosing and thus choose what one has to defend and what the enemy can attack (art of war, part 6: weak points and strong)... now you might be tempted to limit the scope of your analysis to an arbitrarily narrow frame of reference (as schneier does here when he refers to cryptography as the exception to the rule of asymmetry between attack and defense) but in reality that doesn't actually get us any closer to our goal of reducing the number of defenses we need... what we would really need to do is reduce the pool of potential attack vectors, to literally remove things from systems that could be used as an avenue of attack... that means fewer hosts on our networks, less diversity amongst the hosts on our networks (gasp! yes, i said it - diversity is great for minimizing the overall effect a successful attack has on a given population of hosts, but it increases the pool of potential attack vectors and so makes compromising assets on the network easier; in essence, what's good for availability may not be so good for confidentiality), fewer services running on those hosts, fewer system components exposed to incoming content (i.e. browsers, email clients and other network clients/servers that do less/have less functionality), less potentially sensitive data stored on those hosts, etc... unfortunately this is completely backwards when viewed through the lens of technological progress, and while minor efforts in this area are no doubt considered beneficial, it would take extreme measures (perhaps even beyond the realm of the realistic given the complexity of modern operating systems) to actually make a significant change in the asymmetry between attack and defense for a system...
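the "fewer services running on those hosts" item above is the one part of that list a defender can actually measure on a given box, so here's an added example (mine, not from the original post or from anyone it mentions) of the check i'd run: parse the listening sockets a linux host reports and separate the ones bound only to loopback (unreachable from the network) from the ones bound to a wildcard or interface address (each of which is an attack vector in the sense of this post)... the input is a constructed sample shaped like `ss -H -tlnp` output; the process names, pids and addresses in it are made up for the example...

```python
import re
from dataclasses import dataclass

# constructed sample in the shape of `ss -H -tlnp` output on linux (no header
# line); the hosts, processes and pids are invented for this example
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=1401,fd=5))
LISTEN 0 128 [::]:3306 [::]:* users:(("mysqld",pid=1577,fd=21))
LISTEN 0 100 192.168.1.10:25 0.0.0.0:* users:(("master",pid=1660,fd=13))
"""

# a socket bound to one of these is only reachable from the host itself
LOOPBACK_PREFIXES = ("127.", "[::1]")

# pulls the first process name and pid out of the `users:((...))` column
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int

    @property
    def network_exposed(self) -> bool:
        # wildcard (0.0.0.0 / [::]) and interface addresses are reachable from
        # the network; only loopback-bound sockets are not
        return not self.addr.startswith(LOOPBACK_PREFIXES)


def parse_ss_output(text: str) -> list:
    """parse LISTEN lines of `ss -H -tlnp` style output into Listener records"""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # local address is the 4th column; split on the last ':' so that
        # bracketed ipv6 addresses like [::1]:5432 come apart correctly
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(addr, int(port), process, pid))
    return listeners


def exposed_services(text: str) -> list:
    """(process, port) pairs that are reachable from the network, sorted"""
    return sorted({(l.process, l.port)
                   for l in parse_ss_output(text) if l.network_exposed})


if __name__ == "__main__":
    for l in parse_ss_output(SAMPLE_SS_OUTPUT):
        flag = "EXPOSED " if l.network_exposed else "loopback"
        print(f"{flag} {l.addr}:{l.port} {l.process} (pid {l.pid})")
```

on a real host you'd feed it the output of `ss -H -tlnp` (run as root so the process column is populated) and every line flagged EXPOSED is a service to either justify or remove; note that loopback-only services still count as attack surface for code already running on the box, they just aren't reachable from the network...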

making it harder to find that one successful attack vector isn't necessarily a piece of cake either... there's one fairly well known school of thought that posits that reducing the number of vulnerabilities will shrink the pool of potentially successful attack vectors... this school of thought may be right, in a theoretical sense, but in practice it's starting to look like the total number of vulnerabilities is high enough that patching vulnerabilities at the rate we're going right now isn't really having that big an impact on the difficulty of finding a successful attack vector... another well known approach is to devise a system where the attacker has to successfully defeat multiple defenses in order to be successful on the whole... this is, of course, defense in depth... naively one might think this could put attacker and defender on more or less equal footing because now not only does the defender have to defend against a large number of possible attacks, the attacker has to breach a large number of possible defenses... unfortunately, there are only so many defenses one can reasonably deploy and, even with all of them deployed, the amount of work an attacker has to do still won't compare to the amount of work required for defense - never mind the fact that all those defenses carry with them potential vulnerabilities which could themselves be used in an attack...

that said, it isn't necessarily true that we can't use the asymmetry to our benefit... we can, we just can't do it as a defender... richard bejtlich would i'm sure suggest what he likes to call threat-centric security but which, in the context of this post, i'll call offensive security - that is where we (who have things that need defending) go and 'attack' (as in track down, identify, charge, and imprison) those who would attack us... to quote sandi hardmeier:
Also - I have a special warning for the bad guys - you can hide from some of us, but you can't hide from all of us, and you most certainly cannot hide from your victims.
alas, this too is a kind of defense, and although we can turn the asymmetry around for individual cases, to actually protect our systems this way we'd need to go after all potential attackers (which is an unknowable set of people) whereas the attackers realistically only need to worry about the actual organizations/people they attacked (which is a much smaller and more knowable set of people)... ultimately, reducing the pool of attackers is much the same as reducing the pool of vulnerabilities - for each one you remove there's more where that came from...

so there really doesn't seem to be a good way to turn the asymmetry around and make defending easier than attacking... there are things that can improve the situation to some extent but it can be a real balancing act sometimes...