
Monday, July 26, 2010

sandboxes, sandboxes everywhere

lysa myers drew my attention to some interesting developments in the sandboxing arena last week. at first i thought she might be referring to security companies adding sandboxing to their arsenal (which i'd really like to see more security vendors do), but that's not it at all. it's actually sandboxing being added to individual applications. not only will adobe reader now come with its own sandbox, but dell is coming up with a sandboxed version of firefox too.

i have mixed feelings about this sort of development. on the one hand it's nice to see sandboxing getting more attention and use, and these efforts will surely bring the technique to the masses. but on the other hand i worry about the effects of baking sandboxing into applications - especially applications that might call each other.

if something is running inside a sandbox and it executes an external program, that program should also run inside the same sandbox (otherwise the sandbox is rather simple to escape from). what happens, then, when the dell kace secure browser (which runs in its own sandbox) launches adobe reader (as it would generally be expected to do when you click on a pdf link)? would we have adobe's sandbox nested within the browser's sandbox? how would that work - specifically, how well (or poorly) would it work? you may recall that google's chrome had its own sandboxing right from day 1 but that there were problems coexisting with other sandboxing technology (that i discussed here). the conflict between chrome and sandboxie seems to have been resolved but, as more and more applications come with sandboxing baked in, further inter-sandbox incompatibilities seem like a pretty likely outcome.

not only is cross-compatibility between sandboxes a problem, but the question of implementation efficacy is an issue too. chrome's baked-in sandbox was easy to escape because chrome's sandbox wasn't complete. it was only able to sandbox a narrowly defined set of processes specific to the browser itself - it couldn't even sandbox the plugins that it ran in order to render rich content like flash. it stands to reason that any baked-in sandboxing technology is only going to be good enough to sandbox the application it's baked into. if the sandboxing technology were good enough to handle all the secondary processes that an application might launch, then the technology might as well be made into a general purpose sandboxing product instead of being baked into an application. some will be better than others, and people may be lulled into a false sense of security by thinking that the sandbox baked into application X is as good at protecting them as the sandbox baked into application Y.
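the property the two paragraphs above ask for (a confined program's children stay confined) is what a kernel-enforced restriction gives for free, while an application-only sandbox does not; as an added example that is not from the post, a per-file size limit (RLIMIT_FSIZE) stands in for a sandbox, a constructed "app" launches a constructed "helper" the way a browser launches a pdf reader, and the helper hits the limit only when the app itself was started under it. it assumes a posix system with python 3; the script contents, the cap and the file name are constructed for the demo.

```python
"""Added example: a kernel-enforced limit, standing in for a sandbox, follows
the confined program into any program it launches (fork/exec inherits it)."""
import os
import resource
import subprocess
import sys
import tempfile

CAP = 4096  # bytes the confined app may write to any one file (constructed value)

# constructed stand-in for a helper such as a pdf reader: launched by the
# confined app, it tries to write twice the cap to a file
HELPER = """
import sys
with open(sys.argv[1], "wb") as f:
    f.write(b"A" * int(sys.argv[2]))
"""

# constructed stand-in for the confined app: it launches the helper and
# prints the helper's exit status
APP = """
import subprocess, sys
r = subprocess.run([sys.executable] + sys.argv[1:])
print(r.returncode)
"""

def launch(confined, cap=CAP):
    """Run APP, with or without the RLIMIT_FSIZE cap applied before exec,
    and return (helper exit status, bytes the helper managed to write)."""
    def confine():  # runs in the child just before exec, as a sandbox would
        resource.setrlimit(resource.RLIMIT_FSIZE, (cap, cap))
    with tempfile.TemporaryDirectory() as d:
        app, helper = os.path.join(d, "app.py"), os.path.join(d, "helper.py")
        out = os.path.join(d, "out.bin")
        with open(app, "w") as f:
            f.write(APP)
        with open(helper, "w") as f:
            f.write(HELPER)
        r = subprocess.run([sys.executable, app, helper, out, str(2 * cap)],
                           preexec_fn=confine if confined else None,
                           capture_output=True, text=True, check=True)
        written = os.path.getsize(out) if os.path.exists(out) else 0
        return int(r.stdout.strip()), written

if __name__ == "__main__":
    print("unconfined app -> helper:", launch(False))  # helper succeeds, writes 8192
    print("confined app   -> helper:", launch(True))   # helper fails, at most 4096
```

the helper never asked to be confined and knows nothing about the limit; it inherits it purely because the restriction lives in the kernel rather than in the app's own code.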

i'm a big proponent of sandboxing, but i don't think sandbox sprawl is a good thing. it would eventually replace a few discrete sandboxes with known properties and known shortcomings with a ridiculous number of sandboxes with unknowable properties and shortcomings and cross-compatibility issues. i'd prefer to see users using one or two general purpose sandboxes than dozens of custom sandboxes.

Monday, June 21, 2010

mobile model won't stop malware

thanks to lysa myers for drawing my attention to this slate article about the security advantages of modern mobile device OSes like iOS (the OS for iphones, ipads, etc), android (google's mobile phone OS), and chromeOS (google's netbook OS).

i agree with lysa that it is a fairly well balanced article, in spite of the somewhat sensationalistic headline (and to the credit of a publication whose focus is not strictly computer security). however, i also find it a bit short-sighted.

i say this because the writing is already on the wall with respect to the future of malware, and that future is not encumbered by the modern mobile OS' attempts to be locked down.

i'm surprised that i haven't written about this concept earlier (i thought i had), but when it comes to chromeOS specifically, the reason such an OS has any chance at all is because more and more applications are moving onto the web, into the cloud. an operating system that only gives you access to the web browser wouldn't have been very useful with the world wide web of 10 years ago, but now there is a wide variety of web apps that allow you to be productive with nothing more than the lowly web browser.

and where legitimate applications go, malware is sure to follow. we're already seeing malicious facebook apps, and malicious javascript that changes your router's DNS settings is not unheard of either. worms that spread on social networking sites instead of the user's computer are old news by now, and web-based spyware is out there. a locked down endpoint device is a non-issue to malware that operates in the cloud or finds other ways around actually changing the endpoint device itself.

mass adoption of these more stringently locked down platforms won't be the end of malware, it won't even mark a turning point in the evolution of malware since the development is already in progress. if such adoption takes place it would probably be most appropriate to think of it as punctuation in the evolution of malware.

Friday, March 21, 2008

if not mortgages then maybe car payments or psp's

one of the things that has interested me in the past but has generally seen little or no attention by the mainstream is the social dimension of malware... ultimately malware comes from people, and contrary to the traditional stereotype the people involved have generally not been anti-social - anything but in fact...

one of the few concepts from this domain to catch mainstream attention (too much so, in fact, like a song that gets played on the radio too often) is the idea that malware has become financially motivated, or more simply that malware creators are now interested in money rather than fame...

this is a description that gene hodges fleshes out a bit, going so far as to suggest that the malware writers have grown up and are paying their mortgages using monies gained from malware related activities...

allysa myers looks at recent arrests and sees something that doesn't fit in with this model, however... many of the arrests are still kids - paying a mortgage doesn't seem like the sort of thing kids would be doing...

to my mind, they're both right and they're both wrong... we like to model the world because it helps us put things in perspective and make sense of things, but models often lack sufficient complexity to accurately represent reality... the malware writer population is more complex than either is giving credit...

when financially motivated cybercrime crossed the chasm in the computer underground, it did not completely supplant existing motivations (indeed, monetary rewards do not replace the need for social rewards - you can buy status symbols but you can't buy acceptance or camaraderie), rather it broadened the spectrum of rewards that one could acquire through nefarious online means and in so doing it has allowed the population to expand and diversify... so now there are amateur kids and professionals and everything in between...

proper viruses aren't really in vogue anymore, of course, so the role models that newbies learn from and emulate are no longer a clique of experienced virus writers like you'd have found in the vx - the newbies are going to be learning the tricks of the trade from (or in some cases be made into patsies by) the more advanced cyber criminals who will quite possibly be paying their mortgages with their ill-gotten gains or (perhaps more likely if they're advanced enough to have developed 'assets' to do their bidding for them) they may never have to worry about mortgages again...

the kids are the most likely to be arrested because they're the least risk-averse and least experienced in criminal enterprise and therefore represent the low-hanging fruit to law enforcement... they brag, they make splashy purchases that attract attention, they fail to adequately hide money that kids have no business having... those that are lucky enough not to get caught will probably eventually turn pro... now that one can make a living at it, malware writing is no longer something that people will largely be growing out of... the more complete its set of rewards becomes, the less those involved in it will need to go outside of it in order to get the rewards they need...

Monday, December 17, 2007

when is a botnet not a botnet?

when the term botnet is misused... at least misuse seems to be the interpretation allysa myers made... although i'm not sure the headline "fbi: 'botnets' threaten online shopper security" can actually be attributed to the fbi (because the media is well known for twisting things to make a catchy headline) there certainly does seem to be a lot of ambiguity in the way the term botnet is being used...

that said, i really don't think the suggestion of coming up with a new term for what used to be called a botnet is the answer... i'm reminded of another term that got watered down in a similar way... that term was virus... it seems to me that we never tried to come up with an alternative for virus (or if we did it thankfully died a quick death), rather we came up with terms for what the label virus was being misapplied to...

come to think of it, it seems to me that not too long ago the same problem occurred with the term spyware... arguably rootkit as well...

i don't think playing musical chairs with terminology is the proper way to resolve the problem... if people are misusing a term and confusing the issue in the process, abandoning the term in favour of a brand new one isn't going to make the issue any less confusing... instead it will simply introduce a new term that they've never heard of before and are unfamiliar with and they'll wonder why it's being used where botnet was being used before... that seems likely to confuse people, if you ask me...

i think the first thing to consider is what the problem really is - to my mind the root problem (ignoring its consequences) is terminology misuse... changing terminology to run away from that misuse doesn't actually address the problem... to address the problem we need to know why it happens...

so why does terminology misuse happen? the simple answer is ignorance - people who misuse these terms do so because they don't know any better (or because the audience they're trying to reach don't know any better and they don't care to elevate their audience)... they don't know any better because malware is not a mainstream topic in our society... certain concepts bleed through into the mainstream and get assimilated by mainstream culture... those concepts then get used to try and explain things in the malware field, but with only a few concepts in their repertoire those explanations wind up being a distortion of reality rather than an accurate model...

in this case it seems that people are struggling with the idea of identity theft related malware and how botnets scale that problem up... they're struggling because the general public doesn't have the conceptual currency to properly express these ideas, while a select few (relatively speaking) do... some people are haves, but most are have-nots...

that imbalance is something i've certainly been trying to address for some time by trying to make information more available and accessible and hoping that the knowledge would trickle down (for lack of a better phrase)... obviously that is a rather slow process (and just as obviously, i seem to appeal more to technically minded folks) in part because only those who seek the information will find it... i think what we really need is a revolution in the way we disseminate knowledge, not just a set of new words...

Monday, May 21, 2007

mcafee's allysa myers on the wildlist

ok, not literally listed on the wildlist (though, as a wildlist reporter i suppose technically she is), but rather discussing the wildlist and making a good point that i haven't seen made before...

i've mentioned the wildlist before, and once i even mentioned some of its limitations (such as not focusing on non-viral malware, or the under-reporting of malware that is trivially removed by anti-virus software)... the limitations i mentioned before were pretty damning on their own, and should have been enough to make one question the relevance of the wildlist, but the point allysa myers made last week takes the cake...

the long and the short of it is that in the world of commercial malware the distinction between in-the-wild and zoo malware has been pretty much lost... unlike viruses back in the day, commercial malware doesn't get shelved once it's completed... it doesn't just get held up and studied like some intellectual novelty, or worn like a badge of honour amongst virus writers, commercial malware almost invariably gets deployed... that means people are going to encounter it in-the-wild (even if it never becomes widespread enough to make it to the wildlist)...

additionally, while myself and many others engaged in a protracted campaign to influence the vx community away from virus spreading and other behaviours that tended to lead to viruses finding their way into the wild, there is no real opening to do the same with the malware profiteers of today as there is no way (no work-around, no compromise that makes everyone happy) for them to achieve their goals without releasing the malware... so not only do they almost always release the malware now, they will continue to do so in the future...

so the question then becomes: if almost all malware is now going into the wild, what's the point of having a list of the malware in the wild? why bother continuing to make the distinction for such a subset if its complement is so insignificant? maybe commercial malware hasn't completely overwhelmed the non-commercial variety (yet) but when it does (and i believe it must) i suspect the wildlist will have finally outlived its usefulness...