My dad is a man of few words. However, one of the things I remember him saying when I was in high school, which has stayed with me the rest of my life, happened when I was struggling to learn Calc from a teaching-challenged educator. In a completely uncharacteristic move, he (a statistician at the time) said "Son, whenever somebody needs Calculus to prove their argument they're trying to pull one over on you." Now whether or not you agree with this, you have to admit it's funny. I thought it was hilarious at the time (probably because it was so out of character for my dad) and I think it's equally hilarious now.
So where am I going with this, right? Well, I've noticed that there has been quite a bit of interest in the security community about how to use game theory to approach the topic of security. For example, I've noticed that folks are using game theory to understand terrorism, it's being used to understand network security, and so on. Now, when I first started hearing about folks doing this, I was excited and interested. But the more I've looked at what's coming out, the more disappointed and cynical I've become. In fact, I'm tempted to start applying my Dad's dismissive attitude toward Calculus to game theory (i.e. "whenever a security person starts quoting game theory, they're trying to pull one over on you.") Now, I haven't quite reached that level of cynicism just yet, but I'm close. I understand that given the popularity of using game theory in this context, it's possible that I could get flamed hardcore about this post; however, I feel like I need to say what I need to say. Here's why I think it's difficult to use game theory to understand security:
Security is non-zero-sum: Game theorists classify games as being either zero-sum or non-zero-sum. This is a fancy way of differentiating games where winning by one player comes at the total detriment of another player (zero-sum: the gain of one player comes at the loss of another player) vs. games where achievement by one player does not proportionately impact other players (non-zero-sum: it is possible for one player to gain without another player losing.) Despite what might seem intuitive on the surface, the typical security scenario is non-zero-sum. Really, it is. OK, ok - you're going to say that if someone is trying to defend a machine and somebody else hacks it, their victory means your defeat (hence it's zero-sum), right? Well, that's true. Or you might say that if someone is trying to steal your money and you're trying to keep it, that's zero-sum too. And you'd be right. But these are all discrete parts of a bigger game - these things are all individual competitive *strategies* that are part of a larger picture. Ask a typical security professional, for example, whether the goal of their job is to "defend all the servers at any expense" - the answer you'd get would be "no" - that's not the job; the job is, "help our business to understand their risk and operate accordingly," right? Meaning, an attacker could "win" (cause damage, steal money, etc.) at the same time that we're still doing our jobs (i.e. we win too - they get whatever it is they want - money, resources, data, etc. - and we get what we want - our business keeps operating despite the loss). See, non-zero-sum. So what does that mean for the game-theory approach? Well, based on what we know about non-zero-sum games, we know that "Non-zero-sum games differ from zero-sum games in that there is no universally accepted solution. That is, there is no single optimal strategy that is preferable to all others, nor is there a predictable outcome.
Non-zero-sum games are also non-strictly competitive, as opposed to the completely competitive zero-sum games, because such games generally have both competitive and cooperative elements. Players engaged in a non-zero sum conflict have some complementary interests and some interests that are completely opposed." Interesting; "no universal solution" and "no predictable outcome"? That certainly jibes with anecdotal experience. In short, non-zero-sum games are the most difficult to analyze.
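To make the zero-sum vs. non-zero-sum distinction concrete, here is an added example (not from the original post) that encodes two constructed payoff tables as Python dictionaries: the "one server, one attacker" sub-game, where every outcome's payoffs sum to zero, and the "risk-managed business" game the post describes, where attacker and defender can both come out ahead. The strategy names and payoff numbers are assumptions chosen for illustration; the functions check the zero-sum property and find the pure-strategy Nash equilibria so you can see the "both sides win" outcome fall out of the numbers.

```python
"""Zero-sum vs. non-zero-sum payoff tables for a defender/attacker scenario.

Each game is a dict keyed by (defender_strategy, attacker_strategy) whose
value is the pair (defender_payoff, attacker_payoff). All numbers below are
constructed sample values, not measurements.
"""

# Sub-game: one server, one attacker. Whatever the attacker gains, the
# defender loses, so every cell sums to zero (constructed values).
ZERO_SUM_CAPTURE = {
    ("harden", "attack"): (1, -1),    # hardened box repels the attack
    ("harden", "refrain"): (0, 0),
    ("neglect", "attack"): (-1, 1),   # neglected box is compromised
    ("neglect", "refrain"): (0, 0),
}

# Bigger game: the business manages risk rather than defending at any cost.
# The attacker can take something *and* the business keeps operating, so the
# payoffs no longer sum to a constant (constructed values).
BUSINESS_GAME = {
    ("manage_risk", "attack"): (6, 4),          # loss absorbed, business runs
    ("manage_risk", "refrain"): (8, 0),
    ("defend_at_any_cost", "attack"): (2, 1),   # budget burned on defence
    ("defend_at_any_cost", "refrain"): (3, 0),
}


def strategies(game):
    """Return the sorted defender (row) and attacker (column) strategy sets."""
    rows = sorted({r for r, _ in game})
    cols = sorted({c for _, c in game})
    return rows, cols


def is_zero_sum(game, tol=1e-9):
    """True when every outcome's payoffs sum to zero.

    A game whose cells all sum to the same non-zero constant is strategically
    equivalent to a zero-sum game; this check is deliberately the strict one.
    """
    return all(abs(d + a) < tol for d, a in game.values())


def pure_nash_equilibria(game):
    """Return every (defender, attacker) cell where neither side can gain by
    unilaterally switching strategy, i.e. the pure-strategy Nash equilibria."""
    rows, cols = strategies(game)
    equilibria = []
    for r in rows:
        for c in cols:
            d, a = game[(r, c)]
            defender_best = all(game[(r2, c)][0] <= d for r2 in rows)
            attacker_best = all(game[(r, c2)][1] <= a for c2 in cols)
            if defender_best and attacker_best:
                equilibria.append((r, c))
    return equilibria


def both_gain(game, cell):
    """True when both players' payoffs in `cell` are positive: the 'attacker
    wins and we still do our job' outcome the post describes."""
    d, a = game[cell]
    return d > 0 and a > 0


if __name__ == "__main__":
    for name, game in (("server capture", ZERO_SUM_CAPTURE),
                       ("risk-managed business", BUSINESS_GAME)):
        eq = pure_nash_equilibria(game)
        print(f"{name}: zero-sum={is_zero_sum(game)} equilibria={eq} "
              f"both_gain={[both_gain(game, e) for e in eq]}")
```

In the constructed zero-sum sub-game the only stable outcome is "harden / refrain": nobody gains and nobody loses. In the business game the equilibrium is "manage_risk / attack", and in that cell both payoffs are positive, which is exactly the non-zero-sum point: the attacker gets what they came for while the business still achieves its own goal.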
Security is asymmetric: meaning, there is a different strategy for each player. A game like chess is symmetric because the goal/strategy of black is identical to the goal of white - checkmate the king using the same rules for movement of pieces. A game like "Deal or No Deal," however, is asymmetric because the strategy of the banker is different from the strategy of the contestant. Now apply this to security; is the strategy of the hacker the same as the strategy of the firewall admin? Obviously not. So what does that mean to the broader question? It means that the goals and strategies of individual players have to be taken into account when formulating a strategy - which in turn means that approaches to using game theory for security will need to examine the different strategies used by "offense" and "defense" as well as consider their (as we stated above, not always contradictory) goals. Again, asymmetric games are the hardest to analyze.
Security is infinitely-long: when are you "done" defending your firm's assets? 2007? After 20 times hackers try to break in? How about never? The hardest games to understand are those that do not have a finite set of moves, as is the case in security. And guess what, infinitely-long games are the hardest to analyze.
Imperfect and Incomplete Information: no player knows the strategies and/or the moves of the other players; as you probably guessed, imperfect-information games are the hardest to analyze.
Security is a Simultaneous Game: all players can move at any time. Additionally, players are not required to move in response to other players. The simultaneous game is the hardest to analyze.
So, that's it. Now, I'm not saying that you can't ever use game theory to understand subsets of the security problem. However, I am saying that understanding the broad security picture is hard using game theory and that certain aspects of security make it harder to analyze than a more controlled situation like chess. Now, maybe we don't need to understand the whole picture in order for this technique to be useful; however, I would argue that it's important to keep in mind where game theory helps and where it doesn't the next time you come across somebody pitching it as a security tool.
Once an organization gets to a certain size, it becomes exceptionally important that it have a central message and that the central message be unified and focused. Otherwise, statements made by one area can dilute statements made by another area; it's actually worse than not publishing the messages at all if they contradict - "net zero" (no effect) would be if contradictory messages just cancelled each other out - but that's not what happens. Instead, disparate messages either leave readers scratching their heads wondering "WTF" (best case) or they can have other side effects like making the firm look hypocritical or self-serving. Here's what I mean.
The other day, SYMC VP David Sykes went on record indicating that it's "pointless to speculate about software that isn't released yet" in reference to the debate about Vista's new security features and potential threats to those features by EU regulators. Now, while I wholeheartedly agree with Mr. Sykes that it's not usually productive to speculate about software that's not released yet, this message dilutes the efficacy of work being done in other areas of the firm. Specifically, Symantec has recently published concentrated research dealing with the security and performance of Windows Vista; they published a report entitled Windows Vista: Network Attack Surface Analysis as well as made statements to the press indicating that Vista is likely to be less stable/secure than XP. They've also gone on record by highlighting potential attacks against the yet-to-be-released product.
So, while Symantec's pointed criticism to the press saying it's unwise to speculate about the security of unreleased products would be valid on its own, it appears disingenuous at best (or hypocritical at worst) when viewed in light of public comments made by other areas of the firm. Worse yet, it undercuts the investment made by Symantec in authoring and publishing their Vista research.
Totally unrelated to that, I found the little WTF guy in the picture on the internet a few months ago and thought it was absolutely hilarious; however, I can't find out who drew it to give it attribution.
Everybody's fired up about thumb-drives. ComputerWorld warns us about the dangers of thumb-drives in their article "Thumb-Sized Leaks in Corporate Security" and Hummingbird's recent study about how departing corporate executives steal data hand-over-fist has been getting all kinds of play in the Register and on VNUNet. According to some, it's quite a huge issue:
Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device... And often, the company won't even know the employee has done it. The result can be lawsuits and, if federal medical or financial privacy rules have been violated, multimillion-dollar fines.
Yowsa. Sounds serious. Clearly, all of these things could happen. But when you stop and think about it, the threat of the thumb-drive is not categorically different from what has been present in corporations since corporations have existed. Why do I say that? Because folks have always carried knowledge (and the media used to carry that knowledge) with them from job to job and from task to task. Look, what's the difference between putting proprietary data on a thumb-drive vs. putting confidential documents in your briefcase? Before the briefcase, the knapsack was the "data stealing" vector of choice. Isn't it the case that CEOs, directors, managers, and - yes - even humble flunkies could have walked out the door with proprietary information in the fifties, before the PC as we know it even existed? I think human nature is such that we can guarantee an unbroken chain of data theft spanning back to the before time of Solomon; ancient Greeks hiding stone tablets labelled "proprietary and confidential" under their togas and ancient Egyptians smuggling papyrus under their armbands.
OK, granted that you can fit a lot more information on a thumb-drive than you could fit in a briefcase, but doesn't that mean that folks using the "hardcopy data stealing method" have to select what they steal a little more carefully? In fact, although I haven't studied the matter carefully, I would bet that percentage-wise employees are pocketing about the same percentage of data as they always have - it's just that now there's more of it to steal.
So what's the answer? Clearly, employees are going to steal data. They want to steal it, so they'll find a way. They feel (as we all probably do) that what they do today can be useful to them tomorrow in the next endeavor they undertake; given that incentive, folks will go to fairly far lengths to get their hands on this stuff. Mark my words: take away thumb-drives (or implement some measure to make thumb drives hard to use) and employees will steal floppies - get rid of the floppies and they'll send information out via email - filter the email and they'll walk out with hardcopy - implement airport-style security to prevent walking off with documents and guess what - they'll take it home anyway (as much of it as they can) in their heads.
Look, I don't want to be a doomsayer, but it seems to me that this is the kind of battle that won't be solved with technology - it'll be solved by making employees not want to steal the data - either via legislation, litigation, or because your employees are so darned satisfied that they don't want to leave in the first place. But then again, I could be wrong.
The trouble with statistics is that they can sometimes be deceptive. For example, my RSS reader and inbox have been flooded for the past few days with news about the recent Mitre report citing cross-site scripting as the number one attack vector; everybody's writing about it. The short story around this is that the 2006 Mitre CVE statistics point to the fact that Cross-Site Scripting accounts for the largest share of reported vulnerabilities (21.5%) followed closely by SQL Injection (14%). Now, no doubt this is interesting. No doubt that Mitre's doing a service to the community by publishing these statistics. And no doubt this tells us something about the state of vulnerability research in 2006. But what it tells us is not exactly the same as what's being represented in the industry press.
Here's what I mean. Clearly, the data does tell us that more application vulnerabilities were located this year than in prior years. Based on those statistics, we can say without question that web vulnerabilities are a more popular target for research. However, the temptation is to draw broader conclusions from the numbers that aren't necessarily in scope. For example, Network World calls Cross-Site Scripting the "top security risk"; the Inquirer says that "hackers are looking to cross site scripting bugs as the best way to bring down a system." LinuxWorld tells us that Cross Site Scripting is "now the most preferred hacking techniques used by hackers since these vulnerabilities allow access to such data as credit card details." The implication is that XSS is in active use by blackhats to commit fraud and that it's being used as a vehicle to bring systems to a halt; not only can we not know that based on what was released, but these claims also go against things that we know to be true (such as, for example, that XSS can't bring a system down.) Moreover, the data from Mitre doesn't account for usage of vulnerabilities - it's just their appearance that gets tracked.
So "caveat lector." All we can say for sure based on the data is that researchers are finding more XSS vulnerabilities; there could be a number of reasons for this that have nothing to do with attackers using it more. Maybe cross-site scripting is easier to find (it is) or maybe web-based products that might be impacted by XSS are more popular now than three years ago (they are). I don't think we can draw conclusions about anything other than the fact that XSS is more popular with researchers - we can't/don't know anything about its popularity with attackers or the level of risk associated with an XSS vs. a buffer overflow.
As some of you may or may not know, I've been following with interest the progress of Lawrence Watt-Evans' Spriggan Experiment. For those of you who aren't familiar with LWE, he is a fantasy/sci-fi author whose canon includes a number of titles that I think are exemplary; his writing style is informal and fun, and he's the master of the super-interesting premise - "The Cyborg and the Sorcerers," for example, is a wildly creative idea and one that I think has been under-received by the sci-fi community.
So what does this have to do with information security? About a year ago, LWE decided to use Schneier's Street Performer Protocol for the distribution and authorship of a new book in one of his series. Because he's cool as shiz, he even answered some questions for us about the process and his use of the method. Well, apparently the experiment worked; so much so that he's decided to release another book that way; even more interesting is that he's put up a blog for reporting progress and (hopefully) where he'll post his thoughts about the process.
So, needless to say I'm excited. I'm wishing him the best on this project and hopefully it'll be economically successful enough that he'll keep going... and going... and going...
As a side note, the image above is cover-art from the last serial he put out (linked to the image on his site.) I highly encourage fans of sci-fi to check it out; after all, it's free to read.
In a pretty strange move, Microsoft may be required to remove some security features from Vista based on a warning from EU regulators. The thinking is that if Microsoft includes additional security features, other companies who sell security products may not be able to compete as effectively; check out the logic:
"...computer security depends on diversity and innovation in the field of security software, (and) such diversity and innovation could be at risk if Microsoft was allowed to foreclose the existing competition in the security software markets... [this] would ultimately harm consumers through reduced choice and higher security risks."
Their position is both true and alarming at the same time. It's true because, in some ways, they're right: Microsoft offering certain types of security software - like antivirus, personal firewalls, and/or spyware protection - could impede the ability of some of the niche players in that space to compete. Moreover, this isn't a point the EU folks have made only recently; it's a continuation of arguments EU regulators have made before about Microsoft's role in the security software space - it's been at issue ever since MSFT acquired GeCAD.
On the other hand, it's alarming as well. Alarming because while it makes sense for AV and (potentially) spyware, the extent to which they expect Microsoft to "leave security alone" in other areas is unclear. Would, for example, Microsoft be required to exclude technologies like stack layout randomization because it reduces the efficacy of HIPS solutions? Not to mention that there are some who would argue that the courts are preventing MSFT from cleaning up their own mess. For example, you've heard folks who think that the festival of malware is because of poor engineering on Microsoft's part, right? Many users say things like "[Microsoft] shares some blame here, especially for creating such a swiss-cheese virus delivery client" and "Microsoft is responsible for this mess and we all know it." So, if Microsoft is responsible for the problem, shouldn't they be allowed to fix it? I don't know the answer, but it's an interesting question.
I'll also admit that I don't think I buy the argument from EU regulators that Microsoft adding security features "would ultimately harm consumers through reduced choice and higher security risks." Or, at least, I think they should clearly specify which features they're talking about; for example, I'm not sure that features we've had around forever like auto-update, EFS, heap protection services, and Authenticode (which all arguably have security benefit) reduce choice or increase security risks. And after all, there are tons of products that compete with those features: CA Unicenter's SDO, for example, arguably competes with Autoupdate and PGP's Full-Disk Encryption arguably competes with EFS. It seems to me that an argument about competition issues could have been made about these features before they were released; but yet, at the end of the day, there was none.
OK, so remember when we were talking about behavioral screeners at airports? Well, apparently they've decided to expand that program; check it out:
But security officials here are so impressed with behavior pattern recognition techniques - which they say can distinguish a nervous traveler from a dangerous one - that they say they plan to expand their use more widely in Miami than at any other U.S. airport. If officials have their way, all 35,000 of the airport's workers - including janitors, skycaps, even Starbucks coffee servers - will be trained to watch travelers for suspicious movements.
Awesome, so in addition to serving up vanilla lattes, your local barista also has law enforcement in their scope of responsibility. Remember that when you get tempted not to tip them. So what are the suspicious activities? Apparently, they include:
...someone rifling through a trash can, an unattended bag, a young man sitting on the floor alone, or a seemingly unhappy face.
An unhappy face? Sitting on the floor alone? These are behavioral traits I exhibit on almost every business-trip I make: I'm unhappy because traveling sux and I sit on the floor alone quite a bit: usually with a laptop next to one of the jealously-guarded and carefully hidden power outlets.
This, like most of the other anti-terror measures at airports, is likely to be less than effective. But will it go away? I doubt it; people just feel too good about these measures - it gives them that warm and fuzzy illusion of safety. Check out the statistics:
Among the findings of the poll of U.S. adults, taken Aug. 18-20:
• 77% say they think airport security is effective.
• 70% say none of the security measures used in airports should be stopped.
• 71% say the 2001 attacks, and more recently uncovered terror plots, have permanently changed the rules for how Americans fly.
You want to be the politician running on the "airport security doesn't work and is burdensome" ticket when 70 percent of the population feels the opposite? I wouldn't want to be.
As you may or may not remember, last week I commented that I think we need to rethink whether open source is or is not de facto more secure; if I had but waited a few days to go there, I could have used this article as an example of the kind of thing I'm referring to. The article, originally from Infoworld, basically makes a case for why open source security tools are more popular than closed-source ones; however, I think that quite a few of the premises on which the argument is founded require further justification. To see what I mean, take a look at this quote:
Although no OS is truly secure, security tools offered on a Windows platform are immediately suspect, due to well-documented security issues of the underlying OS. Linux, FreeBSD, NetBSD, or OpenBSD-based products have a much better security track record (OpenBSD claims to have had only one remote hole in the default install in more than eight years).
OK, so Windows tools are immediately suspect. Why? The article says it's because of "well documented security issues" and that other OSes have a "better track record," but I'm not sure what he means. What metric is he using to quantify this better track record? Is it the number of vulnerabilities? CERT says that Windows has fewer. Is it because of some other features of Windows? If so, which ones specifically? The point is that the article doesn't say - the premise that other OSes have better security is implied. I don't buy it; at least, I won't buy it without further justification.
Now people are going to say that I'm pro-Microsoft, but really the opposite is true. I'm not pro-anybody; in fact, at the house I run a number of different OSes: OS X, Windows 2003 Server, Solaris on Sparc, and even Windows 98 (since it's the only thing around that'll still run Merchant Prince 2.) So I'm pretty much impartial - with the exception that I usually like to see the underdog win (so if anything I guess I lean toward supporting other platforms.) But I don't agree that "because it does" is acceptable supporting evidence for an argument outlining why Microsoft's security sucks. Maybe their security sucks and maybe it doesn't - but I don't think we can put a stake in the ground one way or the other until we decide on some evaluation criteria and actually do some analysis.
Look, I've used nessus and nmap professionally - on Linux if you're curious - but the reason for that has nothing to do with better security... It has to do with the fact that nessus is free, it provides about the same level of value as commercial scanners, and it doesn't run on Windows (until the 3.0.3 beta, that is.) If it ran on Windows, I'd use it on Windows. So at least in my case, the reason I use nessus has nothing to do with the (in)security of the OS - it has to do with what OS the tool supports (and please don't mention NeWT).
Did you know that for quite a long time, people believed that living creatures could just magically appear out of thin air? It's true. Up until the middle ages, folks believed that things like mold, maggots (ewww), and mice would just "pop" into existence from other substances like rotting meat and old bread. The theory was called Spontaneous Generation, and if you think about it, it makes sense: you put a piece of bread out on the table and watch it for a while. Magically, the bread "turns to mold". Amazing. Mystical, even. Nowadays we know that there is more going on behind the scenes that accounts for the mold, but they didn't know that then.
So where am I going with this? I was reading with interest Klocwork's analysis of Firefox over at their blog (always interesting reading, by the way.) The background story is that Klocwork ran their source-code analysis tool on Firefox and found a bunch of (potential) programming issues. Now, of course there was a bunch of static in the comments from individuals on both sides of the "are these really issues" side of the fence, and I don't really have an opinion on that one way or the other. However, it was one of the comments that really got me thinking. Here's the comment, from an individual going by "clover":
Actually I do find Firefox to be more secure than IE. Since it's open source it is easier to audit because you don't have to reverse engineer it. So far the Mozilla team has been good about fixing vulnerabilities as they arise, compared to Microsoft's speed in handling these issues...
So that's the traditional wisdom, right? Open source is easier to audit, ergo it is less likely to have vulnerabilities. But as we know, just because something is a widely held belief (like spontaneous generation) doesn't mean it's true; after all, if nobody re-evaluated the assumptions about where bread mold comes from, we'd still all think that it appeared by magic. So is this traditional wisdom true? For a long time, I thought it was. But now I'm starting to reconsider.
Why am I reconsidering this basic premise? Because I have yet to come across anybody except vendors like Klocwork (and, to be fair, Coverity and others) as well as the occasional researcher (HD Moore comes to mind) who actually do any auditing... No, it's true: I've worked in a broad cross-section of the industry and I can say from experience that I have yet to find anybody who's doing this seriously: the feds aren't doing it, industry isn't doing it, academia isn't doing it. Who is? Researchers? Researchers only audit code to the extent that it gets them props (trust me, I speak as an ex-researcher) - and the biggest props correspond to the most popular software. So researchers aren't necessarily auditing open source tools more. So where is all this auditing happening?
Look, if I use an open-source product like Firefox (which I happen to use by the way - because I like tabbed browsing, not for any security reason) instead of IE, does that mean I'm more secure? Maybe, maybe not. What about if I use an open-source browser that's less popular like Konqueror? Does the fact that it's open source de facto mean that more people have audited the code just because they have the ability to do so? I think if we think about it logically that we'd have to say "no". Now I'm not saying that Firefox isn't more secure than IE (or vice versa by the way), but I am saying that the statement that it's more secure because it's open source needs some more justification than a perceived increase in eyes on the code...