The Register had an article today, "As Emperor of Security, I hereby decree..." It caught my attention since it was so atypical in style. The author spends some time discussing the things that he would decree if made emperor of security. Neat concept, right? I thought so too.
The mandates were totalitarian and restrictive; purposefully so (that's sort of the point, right?). Some of them were good ideas (mandatory education for all new computer users), some were bad ideas (fines for insecure software), and some had both good points and bad points (mandatory anti-virus, anti-spyware, and firewall software). However, what really got me thinking was the discussion about "mandatory monocultures":
It's pretty well been proven that operating system monocultures are a bad thing. In a biological population, the introduction of a disease into a monoculture can spell doom for the entire group: since everyone is the same, everyone is vulnerable in similar ways. This is analogous to computing monocultures: if everyone is running Windows (or Mac OS X, or Linux, or whatever) and a serious compromise enters that population, then there is the danger that everyone in that group will suffer devastating losses.
This reference, of course, points back to the one and only Dan Geer "CyberInsecurity" paper that caught so much attention when it was published because of the ramifications of its release.
Now, I know better than to contradict Dan Geer. And I won't, because I believe his paper to be absolutely true. But there's a limit to how far the analogy holds; my laptop is not a Rhesus monkey, a lemur, or even a bacterium. While populations of machines can (and do) share a number of similarities with a population of organisms, that doesn't mean that everything that's true of organisms is true of laptops. For example, don't put a bunch of laptops in a box and expect them to start making little laptops. In other words, just because certain threats are more virulent in a monoculture, don't assume that all of them are. And why not? First, because nobody has to manage a population of organisms; and second, because there are more bad things than plague...
Consider two environments: one has a thousand machines, each with identical OS, architecture, patch level, etc. The other also has one thousand machines, but each one has a different operating system, architecture, and patch level. Say (for the sake of argument) that two full-time administrators manage each environment - a reasonable number, right? Dan's paper points out that the first environment is much more likely to be impacted by worms; and that's true. But which environment is more manageable? Which one is more likely to have automated security tasks like patch management, central monitoring, coordinated auditing, etc.? See what I mean?
Take the OS and application patches alone. Say that the operating systems in the second environment (the non-uniform one) each require an average of two vendor patches per week for all installed services and apps (a ridiculously low number.) Say each of those patches requires 5 minutes to download, prepare, and install (another ridiculously low number.) Guess what: two patches times 5 minutes times 1,000 machines is 10,000 minutes, so that patching process would take 166 full-time hours a week. If you had a more MANAGEABLE environment, you could have deployed something to automate that. You could start focusing on something more strategic than patch application with all the time you'd save.
Look - monoculture does increase the risk of population-level catastrophic events. However, diversity decreases the ability to manage the environment. Reduced manageability directly increases the risk of individual-level events like targeted attack. It's not a traditional curve where the optimal position is maximum diversity; instead, it's a bell curve: the optimal position is diversity - but manageable diversity.
This morning, I came across the excellently written post by Pete Lindstrom "Why Bugfinding is Irresponsible and Increases Risk". As always, Pete is succinct, considered, and lays out his argument in exceptional clarity. That's not to say that I agree with the entirety of what he says - just that I think he's studying the problem in a comprehensive way, and I think his (non-mainstream) approach is thought provoking.
Pete's position is that vulnerability research - more specifically, for-disclosure research ("bugfinding") - increases overall IT risk, and is therefore undesirable. I won't dispute whether it does or does not increase risk; I think we can only speculate as to what kind of relationship risk and research might or might not have. Sure, there's anecdotal evidence on both sides of the issue, but we don't have any empirical evidence - we don't have any way to test how research impacts risk - and we have a fairly equal number of smart people arguing for both sides. So, maybe it increases risk and maybe it doesn't.
However, I think debaters on both sides of this issue are somewhat guilty of security-centrism. In other words, although risk is very important as part of doing business, there are other factors to consider; security is a means, not an end. When considering the value of vulnerability research, shouldn't we also consider the broader ramifications that don't directly relate to risk? In fact, some of these broader issues are things that we can actually get some data about: for example, the economic impact on vendors and others, the impact on overall software quality, etc.
I guess my point is, why ignore all the other potential benefits of vulnerability research because of a potential (but not necessarily definite) increase in overall IT risk? Shouldn't the discussion be broader than that?
What is it exactly, do you suppose, that Ernst and Young sells its clients? If you said "auditing services" or "consulting", you're right, but I'm asking a more general question than that. To get to the heart of the matter, why would you listen to E&Y more so than you would listen to your neighbor, a cousin, or that dude on the street that talks to himself?
The answer is Trust. That's what they sell. At the core of the purchasing decision is the degree to which you do or don't trust E&Y to deliver the goods - and the confidence that you have that they will add value. They know it, too - take a look at their Overview: "...integrity and professional competence are the cornerstones of our global organization. We work hard to earn and maintain our clients’ trust and confidence..." Or take a look at their Code of Conduct:
We respect and protect confidential information obtained from, or relating to, our clients or third parties, as well as personal information about our people, in accordance with local law and professional standards.
So what kind of effect do you think it has when they lose that trust? Like when, for example, they fail to disclose the exposure of customers' personal information (in direct contradiction to the advice they give others.) Or all the laptops with client information. Or what about when something like that happens again and again?
You'd have to think that would impact the bottom line...
Once again, the DHS has brought home their cybersecurity report card, and for the third straight year they've flunked across the board. The government reform committee, in this year's FISMA report card once again deemed that DHS maintains a security posture that is "unacceptably low." Said chairman Tom Davis,
DHS must have its house in order and should become a security leader among agencies. What's holding them up?
Business Week has picked this up and ran with it in their "Department of Homeland Insecurity" coverage, saying:
Flaws in the government's systems come in spite of a big and growing IT budget. The federal government's IT budget rose to $62.2 billion in the year ended September, 2005, from $50.4 billion in 2002. Of that, $4.8 billion was for IT at the DHS, including $2.35 billion specifically for IT security, according to the OMB. The entire DHS IT budget was $1.8 billion in 2002, the year it was created.
62.2 billion dollars and they can't get it done... Perhaps some after-school activities (glee club?) might help them stay focused on their studies; or maybe we can refer the DHS to the SchoolMatters website hosted by the Department of Education... After all, the DoE scored a "C" this year (up from last year's "C-") - thereby proving that "no agency left behind" really is working.
OK, long story short - I just figured out that Illuminata (one of my two most favorite analyst firms) has a real bona-fide weblog called "Illuminata perspectives". I had been subscribing to the "new articles" feed over there, but the blog is way cooler. Anyway, courtesy of them, check out the nifty Easter-egg in OS X.
Today, I saw a press release from Green Armor hyping that Six Credit Unions Choose Green Armor Solutions' Identity Cues Two Factor for FFIEC and NCUA Compliant Two-Factor & Two-Way (Mutual) Authentication. Do I even need to say why this irritates me?
You probably already know that it infuriates me when vendors use FFIEC guidance to try to sell product. Green Armor is in that camp - they set the tone in the title ("Two Factor... for FFIEC... Compliant... Authentication") and progress from there:
Identity Cues Two Factor will allow the credit unions to improve authentication for online banking and to meet new FFIEC and NCUA guidelines without sacrificing user friendliness, and without having to endure a complicated and costly enrollment process... they provide strong two-factor authentication (exceeding FFIEC guidelines) as well as effective two-way (mutual) authentication that protects against phishing, pharming, and online fraud...
Clearly, in order for something to be "compliant", the implication is that there is a regulatory mandate to which it is responding. In this case, Green Armor is implying that there is a mandate in the FFIEC 2005 guidance that two-factor be used; more specifically, the claim is that the 2005 Authentication Guidance requires that FS institutions implement two-factor authentication and that Green Armor helps companies fulfill their required, mandatory activities. Far be it from me to point out that documents entitled "guidance" are rarely prescriptive. But, let's take a look at the document anyway, shall we:
"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
Look at that phrasing: "where indicated...", "or other controls." Decisive. Powerful. Prescriptive. What's that - not decisive or powerful at all? Maybe not. Let's compare that language with something that is a clear mandate; something that FS is unambiguous about. How about SEC Rule 33-8590 governing Edgar filings and reporting:
We are requiring that certain open-end management investment companies and insurance company separate accounts identify in their EDGAR submissions information relating to their series and classes (or contracts, in the case of separate accounts). In addition, we are adding two investment company filings to the list of those that must be filed electronically and making several minor and technical amendments to our rules governing the electronic submission of filings through EDGAR.
Now that seems more prescriptive to me: "We are requiring..." compared to "where indicated", and "that must be filed" compared to "should implement multifactor ... or other controls".
For humor value, substitute the same clausal structure into this Rule as is used in the 2005 Authentication Guidance. The rule now reads like this: "When necessary, investment companies should separate accounts identified in their EDGAR submissions information relating to their series and classes or identify separate accounts through other mechanisms." That's the same thing, right?
Have you seen the Onion's "Dolphins Not So Intelligent On Land" report? Is it just me or does this (obviously fictional) study remind anyone else of the hacking challenges going on in the OS X world the past few days:
After capturing the dolphins from the ocean, Lindell and his colleagues tagged them and placed them under the intense, high-wattage lights of a moisture-proof lab. The researchers then administered an extensive battery of tests designed to measure everything from the dolphins' self-awareness to their aptitude for writing and reading comprehension...
Funny, right? Well, I thought so... For some reason, though, the "hacking contests" (equally absurd) don't make me laugh quite as hard. Maybe I don't find it as funny because in the back of my mind, I know that there are people who think the OS X contests have merit. I mean, to say that the challenges were "skewed" is beyond understatement - the rm-my-mac competition allowed anybody from the Internet to connect to it and create a local account, and the challenge was to find a local exploit. OF COURSE somebody could. Then we had the University of Wisconsin challenge, which locked the machine down and had only HTTP and SSH open. So, somebody needed to find a 0day remote exploit. OF COURSE somebody couldn't.
Blah, what a waste of time.
I was reading through Security Focus "Triple Threat to Macs Largely Academic" article this morning, since it is a topic of interest to me. The article was interesting, and I found it worthwhile that the author addressed the PR aspects of the recent security issues. All in all, an interesting read. But, being a glutton for punishment, I decided to read the comments as well. I figured there were probably some Mac owners "baitin' for bear" that might have something to say about the security of OS X. There were. Some excerpts:
- ...I suspect that people have been focusing on OSX ever since version 10.1, just that it took some real skills to do it until now, keeping the task of popping an OSX box way out of script kiddie reach.
- due to the *nix-like internal structure of OSX. This alone will prevent anything near the ungodly flood of crap that the typical Windows XP user has to deal with on a daily basis.
- think that OSX has been targeted the whole time, just that it took this long for anyone to actually find anything useful to crack it with, thanks to the ease with which Windows could be cracked and the higher skillset required to actually pop an OSX box from the outside.
Of course. For those who read this blog on a (semi) regular basis, you may remember that time I did a comparison of when patches came out for a vulnerability in libRuby to see how Apple compared to other vendors (read: not so well). Well, just to further underscore my point, I did the same exercise again, this time using a larger sample set. This time I used four vulnerabilities common to most Unix-based OS vendors (CVE-2005-1689, CVE-2005-2969, CVE-2005-0710, CVE-2005-3185.) I then calculated the number of days that elapsed between the vulnerability announcement and when an OS patch was released (all this data is freely available with a bit of digging by following the reference links in the CVE entry.) Want to see what I found?

So, here's my question: if Mac is so much more secure than other systems, why is it that it takes Apple on average 100 percent longer to patch vulnerabilities than other vendors? Or isn't it just more likely that it isn't worth an attacker's time to go after it?
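The chart the post refers to is not reproduced in this copy, so here is an added example (not the post's own data or code) of the metric the post describes: days from public advisory to vendor patch, averaged per vendor, and each vendor's mean lag expressed as a percentage over the mean of its peers. The advisory and patch dates below are constructed placeholders keyed to the CVE ids named in the post; they are not the measurements the post reports, and the vendor names are hypothetical.

```python
from datetime import date

# Constructed sample data: these advisory and patch dates are placeholders,
# not the measurements the post reports. Vendor names are hypothetical.
ADVISORY_DATES = {
    "CVE-2005-1689": date(2005, 7, 12),
    "CVE-2005-2969": date(2005, 10, 11),
    "CVE-2005-0710": date(2005, 3, 8),
    "CVE-2005-3185": date(2005, 10, 13),
}

# Vendor patch release dates per CVE. A value of None means the vendor has
# not (yet) shipped a patch for that CVE; such entries are excluded from the
# mean rather than silently counted as zero.
PATCH_DATES = {
    "vendor_a": {
        "CVE-2005-1689": date(2005, 7, 15),
        "CVE-2005-2969": date(2005, 10, 18),
        "CVE-2005-0710": date(2005, 3, 13),
        "CVE-2005-3185": date(2005, 10, 22),
    },
    "vendor_b": {
        "CVE-2005-1689": date(2005, 7, 16),
        "CVE-2005-2969": date(2005, 10, 21),
        "CVE-2005-0710": date(2005, 3, 14),
        "CVE-2005-3185": date(2005, 10, 25),
    },
    "vendor_c": {
        "CVE-2005-1689": date(2005, 7, 26),
        "CVE-2005-2969": date(2005, 11, 8),
        "CVE-2005-0710": date(2005, 3, 18),
        "CVE-2005-3185": date(2005, 10, 17),
    },
}


def days_to_patch(advisory: date, patched: date) -> int:
    """Days between the public advisory and the vendor patch.

    A negative value means the vendor shipped a fix before the advisory
    went public (e.g. coordinated disclosure); it is kept as-is so the
    mean reflects it.
    """
    return (patched - advisory).days


def vendor_lags(vendor: str, patch_dates=PATCH_DATES, advisories=ADVISORY_DATES) -> dict:
    """Per-CVE lag in days for one vendor, skipping CVEs with no patch yet."""
    lags = {}
    for cve, patched in patch_dates[vendor].items():
        if patched is None or cve not in advisories:
            continue
        lags[cve] = days_to_patch(advisories[cve], patched)
    return lags


def mean_lag(vendor: str, patch_dates=PATCH_DATES, advisories=ADVISORY_DATES) -> float:
    """Mean advisory-to-patch lag in days for one vendor."""
    lags = list(vendor_lags(vendor, patch_dates, advisories).values())
    if not lags:
        raise ValueError(f"{vendor} has no patched CVEs to average")
    return sum(lags) / len(lags)


def percent_longer_than_peers(vendor: str, patch_dates=PATCH_DATES, advisories=ADVISORY_DATES) -> float:
    """How much longer (in percent) this vendor's mean lag is than the
    average of the other vendors' mean lags. 100.0 means twice as slow."""
    peers = [v for v in patch_dates if v != vendor]
    peer_means = [mean_lag(v, patch_dates, advisories) for v in peers]
    peer_mean = sum(peer_means) / len(peer_means)
    return (mean_lag(vendor, patch_dates, advisories) / peer_mean - 1.0) * 100.0


def report(patch_dates=PATCH_DATES, advisories=ADVISORY_DATES) -> list:
    """(vendor, mean lag, percent over peers) sorted slowest first."""
    rows = [
        (v, mean_lag(v, patch_dates, advisories), percent_longer_than_peers(v, patch_dates, advisories))
        for v in patch_dates
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for vendor, avg, pct in report():
        print(f"{vendor}: mean {avg:.1f} days to patch, {pct:+.0f}% vs. peers")
```

Running the script as-is prints vendor_c at 14 days, which is 100% longer than the 7-day average of the other two constructed vendors; swap in dates pulled from the reference links in each CVE entry to repeat the post's exercise on real data.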
Now that we've updated the version of Movable Type to the most recent version, the time has come to once again selectively experiment with the comment functionality on this, our humble blog. Provided that the signal-to-noise ratio stays relatively high, they'll stay on... Looking forward to the feedback (hopefully without the barrage of spam this time around.)
Let's try that again without the typos... :-)
So, there's been a bunch of hullabaloo today about how ethical (or unethical) it is to sell vulnerability research information before it's disclosed. Everybody's leaping into the fray - overall, though, I think I side with the capitalists: those who would give researchers the right to hawk their wares. I'm for "controlled capitalism" - in other words, we give researchers the right to sell vulnerabilities, but we control how it gets done.
In the past few days, we've had commentary from The Register, that seems to come down on both sides of the issue. As it relates to remunerating the researcher, they have this to say:
But should we then expect security researchers to audit commercial software, which is sold for profit, and to do so for free? If there are ethical issues in the sale of vulnerabilities, what's ethical about selling very insecure software in the first place? While it's impossible to write software without vulnerabilities, it's pretty obvious that some companies don't even try to create secure products - and thus, ethics don't seem to come into play...
Pete Lindstrom picks this up and gives it his unique spin in a response on his Spire Security Viewpoint. Dancho Danchev gives us empirical observations on the current vulnerability underground markets, while
No matter what side of the issue you're on, you can't escape the fact that there is money to be made in 0day vulnerabilities; if there weren't, programs like the 0day initiative would be long gone by now. People say, responding to the success of these programs, that it is unethical to sell 0days because criminals might buy them and use them for destructive purposes. I partially agree with this, although I think we're putting the blame on the wrong people. By analogy, the production and sale of firearms is, without question, a thriving business. Again, there's no question that firearms are dangerous in the wrong hands. In fact, it's hard to make a legitimate case that there is a source of any more potentially dangerous artifact than those legally produced and sold by the gun industry. Note that I'm not saying anything for or against gun control, by the way - all I'm saying is that guns can be dangerous in the wrong hands, and that there's a market for them.
However, very few people would say that gun makers are legally, morally, or ethically responsible for their products. In other words, most would agree that if a terrorist guns down a bus full of children, Smith and Wesson is not culpable. There are those who would argue otherwise, but our society has historically held that the one performing the actual criminal act is culpable, whereas those who make the weapon are not. It's probably simplest that way, since if the weapon-makers were culpable, it could lead to debates about the degree to which Louisville Slugger is culpable for battery, how much Ford is culpable for vehicular homicide, or how much Sony is culpable for Ashlee Simpson.
That's not to say you can sell a gun wherever you please and to whomever you please - there are laws about how guns can be sold, where they can be sold, and to whom they can be sold. Again, some would say that there's a difference between guns and vulnerabilities because sales of guns are currently rigorously controlled; but that's a different issue - just because we don't have controls today doesn't mean that we can't ever have them. Let's establish some controls for vulnerability sales so that the 0days cease to be as dangerous. There are others who would say that selling guns is also unethical; maybe that's true in a higher sense, but not according to our legal system.
To those people who argue that selling 0days is always unethical, I would ask the question: why would it be ethical to sell a gun (which can be used by untrustworthy parties to take a human life) but not ethical to sell a vulnerability? After all, a vulnerability is just an idea.
Following up on the rm-my-mac news, this topic was picked up on the Cult of Mac Weblog. Their take on what happened? Check it out:
In addition, the owner of the challenge site notes that the computer is "on a shitty wireless network." Shitty wireless networks typically have shitty encryption. This whole thing is about as far from a test of OS X's security as you can get.
So according to that theory, the hacker flew to Sweden, found this guy's house, sat outside it in a car to gather network traffic, cracked the WEP key, intercepted some cleartext communication (for example a telnet session) to gain access to the root password, and then rooted the box.
Sure. That's clearly more likely than Apple having a 0day...
Usually, I'm not a fan of "hacking challenges" for a few reasons: they don't prove anything about security, they're usually not fair, and whatever prize is being offered is usually not worth the time investment. However, there is one place where hacking challenges matter: public opinion. In other words, for good or for ill, people tend to take notice when somebody wins (or loses) a hacking challenge. So when the rm-my-mac challenge demonstrated that a fully patched OS X installation can be rooted in about 30 minutes using "one of dozens" of undisclosed (and unpatched) vulnerabilities, I'm thinking that might catch an eye or two. Or then again, maybe not; here is some reaction from the Mac population:
- "Still, it's 20 minutes longer than it took me to own XP" -Good Morning Silicon Valley
- I have heard from a reliable source that Microsoft set up this competition using a crippled version of MacOSX by installing Windows backdoors at certain memory locations. -Raymond Cubicle in the ZDnet Comments
- Both CNET and ZDNet are paid by Microsoft (e.g. for advertising, etc...) Every article they post about Apple is so biased. Check their past articles and decide for yourself. -John Doe3 in the ZDnet Comments
Check the ZDNet comments for more fun "it's a Microsoft setup" comments.
Citi acknowledged the rumors started by Boing Boing that ATM cards have been compromised, that there is a PIN-block in place preventing customers from using their cards in certain countries, and that new cards were being issued. Silly me, I would have thought that Citi would have made customers aware that their cards were being frozen prior to Boing Boing putting it up - apparently that's not the way it is.
I came across this really super-interesting story about how tons of Citi customers are SOL due to mismanaged fraud control via the Identity Woman Blog. It's just painful.
Citibank customer:
I'm stranded in a foreign country, I need cash, and I can't withdraw cash from my account.
Citibank drone:
d00d omfg we wuz 0wnz0red, it is teh suck!!!1!1 Go home and we'll re-issue a new card. Then be prepared to go through this all over again, and again, and again.
Citibank customer:
So even if I fly all the way back to the USA so you can issue me a new ATM card, you can't promise I won't be locked out the very next day?
Citibank drone:
yup! kthxbi!
Just when you thought there was nary a peep about Oracle in the industry press, along comes Information Week with a four-page take on Oracle's patching process. The piece highlights some of the criticism that Oracle's had from David Litchfield, Red-Database-Security, etc. The article's long, but well worth the read.
There's some great stuff here, and the fact that a major outlet like Information Week is covering this means that people are starting to take notice...
This week, Symantec launched their new "Internet Threat Meter" site; the "Internet Threat Meter" is basically a portal where Joe Average can go to see aggregated information about the "state of the Internet" - there are "traffic lights" (green/yellow/red lights) on the site that correspond to the overall "safety level" associated with PC usage at the current time. In case you haven't seen it, here's the link.
Just for the record, although they look similar, do not confuse the "Symantec Threat Meter" with the "Symantec Threat-Con" which is entirely different. Whereas the ThreatCon has four levels, the Threat-Meter has only three (probably to make it more accessible to the average user.) And while the colors for the Threat-Meter are green, yellow, and red, the Threat-Con colors are green, yellow, ORANGE, red (they've weeded out the overly-technical "orange" level.) Obviously, I'm being sarcastic.
What strikes me about this is not just the similarity (and competition) with the existing tool, but the similarity with Windows OneCare. From a user interface perspective, this new "Threat Meter" is very close to Microsoft Windows OneCare Live - both in terms of what's available on the interface and in the way that the controls/tools are categorized, made available, installed, etc. Of course, this raises the question: is Symantec feeling the pain from OneCare already? Is the beta cutting into their sales enough that they are responding ad hoc in a way that competes with rather than complements investments they've already made?
Here's my thinking... Symantec will never say this flat out, but they make their money from consumer AV. Judging by what we can infer (the way they break down the numbers is less than transparent), their reliance on consumer AV is anywhere from 50% to 80% of overall yearly revenue. How can we tell? Read between the lines - in Symantec's 2005 Annual Report for example, they tell us that the consumer segment is their strongest sector (the "star performer" they call it.) They also tell us that their top selling software category is "security solutions." Now, take the union of where "security software" intersects "consumer segment" - and compare that with what's in their product line. See what I mean? They're talking about consumer AV. You can actually line up the numbers in the report to make guesses about percentage of revenue (why I say between 50 and 80 percent - 80 is more of a historic number while the current report points to more like 50.)
Which means that Symantec is in for a world of hurt when those sales start to dry up - and dry up they will. Here's the deal - when Microsoft starts selling something, competitors tend to go away. If we look at it logically, Microsoft can own the consumer AV market whenever it wants: they can ship their AV or anti-spyware with Windows. They can make OneCare free. In fact, I'll bet you dollars to donuts that Microsoft giving away the free AV beta is already impacting Symantec's sales. I'm not sure how much we can read into what SYMC's up to, but I for one will be interested to see where this goes.
Remember that movie "Harold and Kumar Go to White Castle?" If you haven't seen it (and I recommend that you do), the movie is about two stoners who spend one very long night driving around New Jersey looking for "the perfect food" (which is none other than 30 sliders and a coke.) Basically, it's a movie about two dudes driving around in a drug-induced fog.
Well, Symantec has apparently taken a cue from H&K and has decided to drive around aimlessly looking for "what they crave" - in this case, wireless access points. While I'm not entirely sure how this relates to SYMC's business model, I'm glad somebody's putting out numbers about this kind of thing. So, if you see a bunch of dudes in yellow driving around with laptops... maybe it's Symantec on the drift.