Tuesday, February 27, 2007

are we winning, or losing, or have we already lost

a popular refrain from security folks these days is that we, the good guys, are losing or are fighting a losing battle... occasionally someone will say that we're actually winning, and others might even say that we've already lost...

all of these are wrong and here's why...

for starters let's look at what it means to win... what end results in security would indicate that we have won? naively, if we no longer had to think about security, if we could just set our security mechanisms and then forget about them and remain secure from there on out then we'd have won conclusively... that's not very realistic, however... how about instead if we continue to work tirelessly to keep things secure and in so doing are able to foil every attempt at breaching the security we've set up, every attempt at compromising the information we're protecting or exploiting the resources of our endpoints? that too sounds like a pretty conclusive win, however if we were able to take the possibility of mistakes and bad security decisions out of the equation like that then it's quite likely that the security decision making process could be replaced with an algorithm, which brings us back to the set and forget security mechanisms...

how about losing - what would it mean to lose? again naively, if our security failures become so bad that we are forced to just throw up our hands in defeat and stop using the technological resources we've been trying to secure then that would be a clear indication that we've lost... alternatively, if we continue to work tirelessly to keep things secure but fail most if not all of the time then that too would be a pretty obvious case of having lost... of course if we fail all the time, or most of the time, or even just enough that the value of our technological resources is no longer greater than the cost of our failures then, barring blind faith, it stands to reason we'd just throw up our hands in defeat and stop using those resources - so again it collapses to a single indicator...

neither of these sets of outcomes seem very likely... we're always going to have successes and we're always going to have failures... we're always going to have to keep working at security - and, because it's going to continue indefinitely, the very notion of winning or losing in the larger context of security as a whole is as meaningless as winning or losing at life... individual successes or failures cannot translate into winning or losing on the whole anymore than having a good or bad day translates into winning or losing at life... security isn't a game and it's not a war, both of those things eventually end and security doesn't... whether you win or lose an individual battle (or many of them), the constant struggle that is security (like life) goes on...

and for those who decry the perpetual cat-and-mouse game we seem to be in and hold that up as proof that we're losing (or have already lost), consider this: if there is no perfect security (something many take to be axiomatically true) then we can conclude that for every measure there exists a counter-measure... since counter-measures are themselves measures we can conclude that for every counter-measure there exists a counter-counter-measure, and so on and so forth... given that (somewhat inductive sounding) conclusion, the cat-and-mouse game is the only feasible outcome - one or both sides would have to be either too stupid or too lazy to find/use the counter-measures available to them for it to have turned out any other way...

Thursday, February 22, 2007

snake oil from agnitum

how do i put this succinctly without seeming overly personal? folks, stop and think about how you're using the P word... which word is that? well, take a look at this agnitum blog post and see if you can figure it out:
First of all, why did we decide to add total malware protection to our core firewall product?
hmmmm, was it product? no it was protection, specifically total malware protection... i've said it before - the unqualified use of the word 'protection' is bad enough but to qualify it with a word like 'total' implies something about a product that just is not (and cannot be) true...

don't get me wrong, i know what the intended meaning of total malware protection is (it's supposed to mean that it offers a degree of protection from all types of malware, not all instances of it) but anyone who sits down and thinks about how the average person (with no knowledge of the malware field) will interpret that phrase should realize that average people will not understand or even conceive of that intended meaning... you know what they might understand though? that it's comprehensive, that it has full/total/complete coverage, or simply that it handles all types of malware... if you're going to write marketing material make sure you thoroughly consider how the average person thinks...

now at this point you might be thinking there goes kurt picking on the smallest little slip-up again, but there's more... snake oil isn't just about making outrageous claims, another hallmark of snake oil is the unthinking use of jargon... consider the following:
Using award-winning VB100 technology licensed from a leading malware expert
now i ask you, what is VB100 technology and what awards has it really won? actually knowing what you're talking about is a good first step towards not sounding like a snake oil peddler and that means knowing that VB100 isn't the technology but rather the award... maybe it's a grammatical slip-up by someone for whom english isn't their native tongue, but if so it stands in stark contrast with what is otherwise excellent english prose...

and yet there's still more... i understand they're licensing anti-malware technology from a vendor who's won the VB100 award but who is the vendor? wouldn't that be a good thing to tell people? wouldn't it be nice to be able to verify that that vendor actually won the VB100 award rather than taking agnitum's word for it? wouldn't it be nice to be able to look at the VB100 history to see how often the vendor won the award (since that is where the real significance of the VB100 award lies)? i mean really, if the vendor's engine is so great then the name should engender consumer trust, so why be obscure by basically referring to it as an unnamed award winning technology? what is there to hide?

you know what's really sad though? from the description it actually sounds like it's a pretty good engine (detection of all malware types integrated into a single light-weight client process) that really deserves a higher standard of promotion...

Wednesday, February 21, 2007

google search malware warning update

i wrote before about google's efforts to warn users of their search engine when visiting known bad sites and i had a number of concerns about how it had been implemented...

it appears that somewhere along the line ALL of those concerns were addressed... as you can see below, not only was a backlink added so that users could back out of going to the bad site but the mal-link itself has become non-clickable (a user would have to copy-n-paste the url into a browser window in order to continue to the bad site)... as such they've now made the safest option the easiest option...


but wait, that's not all... they've also gone and marked up the results page itself so you know right from the results page if a particular link is bad or not...


did my previous post on this have anything to do with getting these changes made? probably not, but that's not what's important... what's important is that the changes were made and the feature is a lot safer (and more convenient) because of it...

Tuesday, February 20, 2007

security catalyst's first q&a podcast

now i want to start off by saying that i don't often listen to podcasts... i don't multi-task all that well and need to just sit there and listen to a podcast in order to really absorb the content, so they're really not very helpful to me per se... there are also usability issues with podcasts - you can't quickly scan through a podcast to save yourself time, you can't easily stop it and go back hours later without starting over (in part because you can't scan over the part you've already heard to reacquaint yourself with the context), and you can't easily quote/refer to/respond to a podcast...

that said, the security catalyst's first security podcast q&a caught my eye because the supporting summary information (which is a great thing to include with podcasts, by the way, and i wish more people did that) indicated that there was anti-virus material being covered and so it would probably be of interest to me... i also noticed some odd inclusions and omissions in the recommended links, but i'll get into that later...

the first thing that struck me about the anti-virus portion of the podcast (which starts about 25 minutes in, by the way) was that michael santarcangelo and adam dodge got the overall answer right - as far as detection rates, heuristics, etc. go there really isn't a lot of differentiation between the major anti-virus players out there so using any of them should be fine... when i've brought this concept up it's generally been in response to the old what's the best anti-virus question and my response is that the detection rates of most of the mainstream products are so close to each other that their relative rankings can easily change from one month to the next... trying to decide on an anti-virus on that basis is pointless, you need to look at other broad factors like usability and quality of support - basically, you have to find the one that fits your particular circumstances best... for the consumer this is pretty easy as there are free trials available for many of the products...

the second thing that struck me was that they got the overall message so right while getting many of the underlying details so wrong...
  1. they say that you want a product that has both real-time and on-access scanning -- real-time and on-access scanning are synonymous, the only real-time scanning any product does is the scanning it does when something is accessed (on-access)... perhaps they meant on-demand and on-access scanning as those are definitely both things you want...
  2. they say heuristics look at how programs behave -- heuristics look for familiar/suspicious routines, not bad behaviour... behaviour blockers look for bad behaviour...
  3. they say almost all major players have heuristics -- show me one that doesn't have heuristics and i'll show you one that isn't really a major player...
  4. they say you should look for instant messaging protection because you can share potentially hazardous files over IM -- this is completely redundant, however, since as soon as you try to do anything with the file you just downloaded your on-access scanner will scan it...
  5. they say you should look for webmail protection presumably to protect you from email borne malware you receive in your webmail -- this is redundant as well since, once again, once you download the malware to your local machine and try to execute it (even if you don't know that what you were doing was going to execute it) your on-access scanner will scan it before it executes... perhaps they mean more general web protection to block drive-by-downloads and various other browser exploits that can sometimes launch malware outside the scope of your on-access scanner...
  6. they say you should look for conventional email protection if you're instead using email clients like outlook or thunderbird in order to prevent things like melissa or lovebug -- once again this is redundant, on-access scanners catch these when you try to access them... if you're a corporation or some other organization and running an email server then you may want to look into email scanning at the gateway (not to mention content filtering that blocks a variety of attachment types) however...
  7. they say email protection is just as important as system protection -- well this is sort of right but for the wrong reasons; email protection is part of system protection... email is just one of many ways into the system...
  8. they suggest looking at places like pcmag or cnet for reviews -- the reviews done by such non-expert organizations are notoriously bad (even consumer reports can't seem to do an adequate job of testing anti-virus products)... don't get me wrong, i'm sure they're adequately skilled to perform comparisons of extra (gee-whiz) features, but if you find such a review trying to compare detection rates then run away (unless they outsourced the review to a respected independent testing organization, but in that case why not get the review straight from the horse's mouth?)...
  9. they suggest looking at the ICSA anti-virus certifications -- i honestly have not seen much good said about ICSA's certifications but i have seen some not-so-good things said... long story short the certifications are paid for by the vendors (ie. they're bought), the criteria aren't as strict as some others, and the vendors get do-overs...
  10. they omit av-comparatives.org and virus bulletin which are much more widely recognized and respected in the anti-virus community...
  11. they say that companies won't send you viruses because (essentially) they're worried you'll do something dumb with them -- in actuality the bigger concern is that you'll do something irresponsible or even malicious with them... they have no way to know you won't so they err on the side of caution...
despite all this, i'm still happy with the message that was sent... i just wish it hadn't been followed by material that made me go no, no, no, no...

Thursday, February 15, 2007

limited security benefits of limited users

the idea of running as a limited user is getting a lot of attention these days... it's not a new idea, the principle of least privilege has been around for a very long time, but there are some out there who (incorrectly) view it as the solution to the malware problem...

the principle of least privilege states that you should give the least amount of privileges necessary for an entity to do his/her/its task and no more... the idea is to keep people and/or things away from that which they have no need to access... you might well be thinking that this sounds like it really should solve the malware problem, after all if we can prevent the malware from being able to access things it needs to access in order to do its job then it won't work anymore... indeed, many people think that this practice should be able to prevent viruses and all sorts of other malware... they think that by running as a limited user any malware they happen to come across will be unable to access the system files and/or resources that are key to the malware's ability to do bad things...

the implicit assumption here is that you need administrative privileges to be able to do bad things... when you make it explicit, however, it should become obvious that this is false... as a limited user you can still delete or modify your own files, can't you? you can still connect to the internet and send data to 3rd parties and receive data back, right? you can still run programs that can display text and/or images, too... those things are more than enough to implement malware that operates in a limited user context... if you can delete or modify your own files then so could a (malicious or otherwise) program you run - opening you up to viruses and a variety of different types of trojans... if you can send and receive data over the internet then so can a (malicious or otherwise) program you run - opening you up to worms and remote control programs like RATs and bots, not to mention all sorts of spyware... and let's not forget that if a program you run can display text and/or graphics it can display annoying ads (ie. adware)...

as you can see, there are all sorts of malware that can theoretically run in a limited user environment... what running as a limited user will do is stop a great deal of the current malware from operating because that malware was designed with the assumption that it would run in an administrative user context... it was a safe assumption to make because most people did and still do run as administrator, and with all the extra power available in such a scenario why wouldn't a malware creator try and take advantage of it... the power they are generally most interested in, the one that is most advantageous to a malware writer, is the ability to install the malware - to modify the system in such a way as to ensure that the malware gets run as soon as the computer starts up... but not being able to do that doesn't mean that a virus can't infect or a worm can't spread or a trojan can't trash your files or give remote control to a 3rd party as soon as you run it, it just means that it can't hook itself into the system-wide startup process... and even that is only half a consolation: the per-user startup locations (your own startup folder and run key on windows, your shell's startup files on unix) are writable by a limited user, so malware that is content to come back at your next logon rather than at boot doesn't need administrative privileges for that either...

and this isn't just theoretical, either... 20+ years ago while performing some of the first academic research into computer viruses, fred cohen was able to get a virus to spread successfully on a professionally administered unix system without having root (administrator) access and without needing the root user to run the virus...
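to make that privilege boundary concrete, here's a small probe script (an added example, not part of the original post and not anyone's malware) that reports which autostart locations the current user could write to... the list of locations is my assumption about the common per-user and system-wide startup directories on windows and unix-like systems; it deliberately leaves the windows registry alone (the per-user Run key is another spot a limited user can write)... run it once as a limited user and once as an administrator and compare the two reports:

```python
import os
import sys
import tempfile
from pathlib import Path


def can_write(directory):
    """Return True if the current user could create a file in `directory`.

    A directory that does not exist yet is judged by its nearest existing
    ancestor, since whoever can write there can also create it. Any OSError
    (permission denied, not a directory, read-only filesystem) counts as
    'cannot write', which is all a would-be persistence mechanism cares about.
    """
    path = Path(directory)
    while not path.exists() and path != path.parent:
        path = path.parent
    try:
        fd, name = tempfile.mkstemp(prefix=".probe-", dir=path)
    except OSError:
        return False
    os.close(fd)
    os.unlink(name)  # leave no trace of the probe
    return True


def persistence_locations():
    """Common autostart locations, split into system-wide and per-user.

    Assumption for this example (not from the original post): these paths are
    the usual suspects; adjust for your own environment.
    """
    home = Path.home()
    if sys.platform.startswith("win"):
        programdata = Path(os.environ.get("PROGRAMDATA", r"C:\ProgramData"))
        systemroot = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return {
            "system: All Users Startup folder": programdata / "Microsoft/Windows/Start Menu/Programs/StartUp",
            "system: System32": systemroot / "System32",
            "per-user: Startup folder": appdata / "Microsoft/Windows/Start Menu/Programs/Startup",
            "per-user: home directory": home,
        }
    return {
        "system: /etc/cron.d": Path("/etc/cron.d"),
        "system: /usr/local/bin": Path("/usr/local/bin"),
        "per-user: ~/.config/autostart": home / ".config" / "autostart",
        "per-user: home directory (shell startup files)": home,
    }


def probe(locations):
    """Map each location label to whether the current user could write there."""
    return {label: can_write(path) for label, path in locations.items()}


if __name__ == "__main__":
    for label, writable in probe(persistence_locations()).items():
        print(f"{'WRITABLE' if writable else 'denied  '}  {label}")
```

as a limited user the "system:" lines should all come back denied and the "per-user:" lines writable, which is exactly the split the post describes: no system-wide install, but everything that lives in your own profile (including your own autostart hooks) is fair game...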

Wednesday, February 14, 2007

what's wrong with identity management

this is something that's been nagging at me for a while and i think the cross site request forgery vulnerability in gmail from late last year/earlier this year underlines the problem... a single account for everything gives too much power to whoever or whatever compromises that account (whether by gathering the credentials or hijacking the session)... this isn't just a problem with google accounts, though, there was microsoft's passport, and of course the much talked about (these days) openid...

let's start with the reason for identity management, the motivating factor that led to its creation... there's some problem condition out there that pushed people to come up with the idea, supposedly as a solution (though perhaps not a good one)... that problem condition is that with so many sites out there requiring users to log on it's difficult if not impossible for users to remember all the username/password pairs for each of those sites... users, being cunning when it comes to finding lazy solutions, came up with the adaptation of using the same username and password for most/all of the sites they log into... the security problems with this are two-fold: first it creates a situation where instead of having different secrets (passwords) protecting different assets you have one login to rule them all, and second that single set of credentials is placed in many different databases (a different one for each site) which raises the probability that those credentials will get exposed by someone cracking into one of those databases...

identity management generally aims to move user authentication out of the hands of every tom, dick, and harry site out there and into the hands of a trusted few sites which then vouch for the user's authenticity to any other site that asks... this has the immediate benefit of storing user credentials at and conducting the authentication transaction through fewer sites (generally just one) so that the risk of exposure due to database cracking is reduced... unfortunately it still leads to a one login rules them all situation, and frankly database cracking is not the low-hanging fruit in identity theft - if you can do it you can certainly get a lot of credentials in one go, but it's far easier to compromise a user's credentials through the user him/herself by way of phishing or key loggers or a password stealer...

the problem that identity management solves is the same one that users solved by using the same username and password everywhere - it solves the convenience problem associated with many sites requiring authentication... it solves it a little bit better in that one particular type of attack surface (the remote databases) is reduced, but since it collapses multiple accounts down into one it leaves open (and actually promotes) the problem where the compromise of a single set of credentials exposes all your information and assets - and isn't that what the real problem with using the same username and password everywhere is?

the only real way to mitigate the risk of such catastrophic exposure is to use multiple accounts with different credentials - which may be possible with identity management but is definitely not the usage pattern it was designed for... the whole problem arises because using multiple accounts with different credentials isn't easy - everyone seems to want to solve that difficulty by simply not doing it, by finding a way around it, but there isn't one... client-side password managers actually do a pretty good job of solving that difficulty without simply avoiding it, but depending on the implementation those can have problems of their own...
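as one illustration of what "different credentials for every site" can look like on the client side, here's a minimal per-site password derivation (an added example, not from the original post, and not how any particular password manager works): the master password is stretched with scrypt and each site then gets its own unrelated secret via an HMAC, so a database cracked at one site yields nothing usable at another... the scrypt parameters, the output alphabet and the rotation counter are my choices for the example; a real manager would more typically store random per-site passwords in an encrypted vault, and either way a compromised master password still exposes everything, which is exactly the post's point...

```python
import hashlib
import hmac

# printable characters that most sites accept; an assumption for this example
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@"


def derive_master_key(master_password, username, *, work=2 ** 14):
    """Stretch the master password with scrypt, using the username as salt.

    n=2**14, r=8 is the largest cost that fits hashlib.scrypt's default memory
    limit; the parameters are an assumption for this example, not a recommendation.
    """
    return hashlib.scrypt(master_password.encode("utf-8"),
                          salt=username.strip().lower().encode("utf-8"),
                          n=work, r=8, p=1, dklen=32)


def site_password(master_key, site, counter=1, length=20):
    """Derive a per-site password from the master key.

    The site name and a rotation counter feed an HMAC, so every site gets an
    unrelated secret and bumping the counter produces a fresh password for
    that one site without touching any other. Bytes are turned into
    characters by rejection sampling to avoid modulo bias.
    """
    limit = 256 - 256 % len(ALPHABET)  # bytes at or above this are discarded
    chars = []
    block = 0
    while len(chars) < length:
        msg = f"{site.strip().lower()}\x00{counter}\x00{block}".encode("utf-8")
        for b in hmac.new(master_key, msg, hashlib.sha256).digest():
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


if __name__ == "__main__":
    key = derive_master_key("correct horse battery staple", "alice@example.com")
    for site in ("bank.example", "shop.example", "forum.example"):
        print(site, site_password(key, site))
```

the counter is what lets you change one site's password without disturbing the rest, but it has to be remembered somewhere - which is the bit of state that deterministic schemes quietly reintroduce, and one of the "problems of their own" that any implementation has to deal with...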

Friday, February 09, 2007

recognizing social engineering - part 1

randy has a timely post over on eset's threatblog about the likely event that anna nicole smith's death will be used by the black hats in a social engineering ploy... it's really a very classic example of how significant media events can be used to fool people into installing malware... as such i thought i'd take the opportunity to generalize a way of detecting some kinds of social engineering - not all kinds, mind you, this won't include HP's pretexting or anything like that, just a classic broad category that randy's hypothetical example falls into...

the sorts of emails that randy describes are those that would appeal to our idle curiosity - we don't care enough to go and look for the info or pictures but if those things come to us then our curiosity can be satisfied... at a fundamental level this boils down to the principle that if something seems too good to be true then it probably is... this is not to say that the death was a good thing, but having answers to questions you never asked (such as what are the details of a now dead celebrity) magically appear in your inbox without any effort on your part is just too good to be true...

emails promising racy pictures of anna kournikova are similarly too good to be true... then there are emails promising information about the recent storms in europe, also too good to be true... emails from microsoft with a critical security patch attached? too good to be true.... emails with the subject line i love you? well the romantic in me doesn't want to admit it but with no evidence to the contrary it's probably too good to be true too... all of these are examples that have been used to spread malware...

good things don't just turn up in your inbox without you asking for them or searching for them or otherwise putting in some kind of effort to get them... the world doesn't hand us our every whim on a silver platter - that's basically what would be going on if things we were even mildly curious about just (supposedly) showed up in our inboxes for no good reason... so next time you're looking through your unread messages (or anything else, for that matter) and you get that "hmmm - that looks interesting" feeling come over you, think about the too good to be true principle and ask yourself if the object of your interest qualifies... ("if the bait looks obvious, don't take it")

Thursday, February 08, 2007

why 'safe site' indicators fail

there's been some interest lately in a study on the efficacy of various 'safe site' indicators such as HTTPS and website authentication images... these are indicators that are supposed to help the user determine that it's safe for them to enter their credentials, that it isn't a phishing site, but according to the study those indicators don't work (or rather their absence isn't enough to tell people that a site isn't safe)...

let's look at why... website authentication images (where you select an image to be shown on future visits to prove that the site is the same one you initially visited - essentially a visual shared secret authentication protocol) are a pretty new development, their use (and their significance) has probably not yet reached the mainstream among users... as such slip ups might be forgiven (if you could attribute a near 100% failure rate to mere slip ups)... maybe websites are just too unreliable when it comes to displaying images - perhaps we've come to expect images to be absent on occasion...

HTTPS indicators (which indicate that you're visiting a secure site, that your session is encrypted with SSL or TLS) on the other hand have been around for quite some time... they've become about as mainstream in the public's awareness as they're going to get so their complete failure can't be blamed on their novelty - perhaps they're just too unobtrusive?

the only one that had a significant impact was actually an unsafe site indicator (a warning that came up when visiting a site that wasn't safe)... now, aside from the interesting implications all this may have for why humans seem to more naturally lean towards blacklists, the relative success of these 2 types of indicators (safe or unsafe) brought to mind a little tidbit about human perception i heard some time ago... it seems that we're much better at noticing when something that shouldn't be there is there than we are at noticing when something that should be there isn't...

put another way:
The opposite to this effect is a situation where the brain perceives something that is not actually there. On being presented with an incomplete object, the brain automatically fills in the missing pieces according to our previous memory and experience. There are many examples available of common optical illusions to illustrate this.
this more than adequately explains why the absence of safe site indicators would be ignored by people, and in so doing shows why such human-interpreted safe site indicators aren't (and won't be) effective at warning people away from phishing sites...

(and yes, i realize the implications this has for my manual phishing email detection method - i can only hope that our tendency to pay attention to who sends the emails we receive makes shared secret authentication as a way to weed out phish more workable in an email context than it is on the web...)

Monday, February 05, 2007

snake oil from eEye digital security

found this eEye digital security press release thanks to the infosec sellout blog... i agree with a lot of what the infosec sellout says about this press release but there's one thing s/he doesn't say, one phrase s/he doesn't use that i think really needs to be said... in the press release in question, eEye is peddling snake oil...

take a look at this quote:
eEye is combining its own anti-virus dynamic heuristics technology with ‘sandboxing’ technology from leading anti-virus vendor Norman Data Defense to complete Blink Professional 3.0 as a single, small-footprint agent, incorporating multi-layered security methods to protect against both known and unknown vulnerabilities in real-time, thus making it the last security product enterprises and SMBs will need to purchase to stop 100 percent of malware attacks, regardless of signatures or patch updates.
do you see what i see? there's a fairly blatant implication that their technology will stop 100% of malware...

long time readers will probably recall past articles on snake oil and realize that snake oil is something i feel pretty strongly about and that this is a punch i will not pull... least of all in this instance with an example of one of the oldest and best known forms of snake oil in the malware domain...

detecting and/or stopping 100% of viruses (which is a subset of malware) is basically the archetype for anti-malware snake oil... it was the epitome of intellectual dishonesty among the less reputable vendors of the past and a cornerstone of most if not all the anti-malware snake oil to follow... there's no good reason why something like this should have been allowed to slip through the cracks unless eEye doesn't care about the quality of the message it sends out to people - and if that's the case, i would strongly suggest voting with your wallets...

words that mislead: protection

i've written about how there's no total, full, or complete protection before and i even touched on how the word protection on its own was a little misleading, but now i think that that deserves to be more than just a footnote somewhere...

i think we're all intuitively aware of the implied boolean nature of the word protect and its derivatives - you're either protected or you aren't... if you qualify it properly, then (and only then) the concept of partial protection gets acknowledged (ex. if you go into a sword fight with only part of a suit of armour, are you protected? no, not really... are you partially protected? sure)...

partial protection is all that anyone can ever offer, and usually partial protection is enough, so long as you're also aware of the fact that it's only partial and so have the opportunity to avoid situations where that protection might fall short... unfortunately security vendors rarely qualify their use of the word protect and its derivatives (protection, protected, etc.) so ordinary folks get entirely the wrong message from the vendors and are lulled into a false sense of security, sometimes simply due to a sloppy choice of words (though as witnessed before, it's often a downright intellectually dishonest choice of words)...

so to help people make more accurate interpretations of the messages they get from vendors, whenever you see the word protect, protected, or protection, whether qualified or not, adjust its qualification to mean partial protection and try and make yourself aware of the situations where that protection might fail...

Friday, February 02, 2007

on the application of legal pressure in the fight against malware

thanks to a reader i was pointed towards an article about kaspersky's efforts to make the law a more effective tactical device for use in the battle against malware...

using the law this way is not a new or unusual idea - there are many sides to the malware problem, it has many different dimensions, and some of those involve people rather than technology... from a strategic point of view it makes sense to try and address the problem on all fronts and one of those deals with the people responsible for the malware, be they malware creators or just purveyors... the only way to force them to stop being part of the problem (well, the only legal way to force them) is by using the law to catch and prosecute them...

doing so is not a mark of desperation, it's not something you do simply because you are being overwhelmed by the number of malware being created, it is something you do if you're smart... it is a strategy designed to subject the blackhats to the forces of attrition and thereby control (to some degree) the number of people creating/using malware and by extension the amount of malware being spread around and the amount of malware out there at any given time that qualifies as new...

it's controlling the amount of malware that qualifies as new at any given moment that is the most interesting/tempting benefit here... whether an anti-virus company can keep up with the rate of malware creation or not, as that rate goes up the number of pieces of malware that can't yet be handled by known-malware scanning at a particular moment in time also goes up (roughly, it's the creation rate multiplied by the time it takes to get a detection out) and therefore so does the user's chance of encountering such undetectable malware... now at 200 a day, most of which have very low distribution, and hourly updates available, those odds aren't necessarily cause for alarm but you wouldn't want them to keep growing unchecked...

of course if you are being overwhelmed by sheer numbers, it can help there too, but being overwhelmed (as opposed to having already been overwhelmed) is just another way of saying you're currently operating at peak capacity with your current resources - it doesn't make too much sense to keep people around if you aren't making use of them after all... you can either acquire more/better resources (which costs money) or you can try to get law enforcement to reduce the demand for those resources (guess which one is better for the bottom line)...

an important thing to note, however, is that the law isn't likely to be any more effective at addressing the problem of cyber crime than it is at addressing the problem of regular crime... as such, hinting around about solving the malware problem (which is part of the cyber crime problem), as the article does, is misleading... the law alone isn't going to do it, the law in combination with other tactics isn't going to do it, the law is just an additional measure to help mitigate the problem...

words that mislead: solution

when is a solution not a solution? when it solves the wrong problem...

how many times have you seen an anti-malware product called a solution? i know i've seen it a lot and it's one of those things that really bugs me because they aren't solutions to the problem you're expecting... when people think of an anti-malware solution they naturally think of something that will solve the malware problem...

but there is no solution to the malware problem and there can never be such a solution... a solution to the malware problem implies that it wouldn't be a problem anymore - that you and i wouldn't have to worry about it, think about it, or deal with it anymore... it implies that the problem would just go away - that will never happen... there can never be perfect security so there will always be things that can be taken advantage of, and so long as there is darkness in men's hearts someone will be taking advantage of those things...

what anti-malware solutions solve are not malware problems or even security problems, but rather they solve business problems... say you're given the task of finding a security product with some arbitrary set of properties and deploying it in your organization... the problem you face is finding the product that is the best fit, that has the most requirements from your checklist with the fewest undesirable trade-offs - that is the type of problem that anti-malware solutions solve...

unfortunately, most consumers of anti-malware products are not thinking about business problems, they're thinking about keeping malware away from their computers... most of them are people, not IT departments with a new demand from management - and those who work in IT departments are people first and IT workers second, they're people when they go home at night, they're people when they're with their families on the weekend...

as much money as anti-malware companies make off of corporate customers, framing their message for the narrowly defined business context sends entirely the wrong message to everyone else... it suggests the product can make the malware problem go away instead of more accurately suggesting that it's simply a tool that can help the customer to better protect their systems...