November 30, 2006

OS X still virus and adware free (according to some)

On the Security Protocols blog I came across an interesting entry today; specifically, they pointed out a blog entry criticizing the recently-hyped "iAdware" (F-Secure's designation) detailed by F-Secure earlier in the week. To quote from the entry:

1. F-Secure bear the ultimate responsibility because through their staggering pompousness and ineptitude they totally misrepresented the issue.
2. F-Secure were playing 'stir the pot'. It's one thing for Kevin Finisterre to publish his POC; it's quite another for a security company to pick it up and run it - especially in the reprehensible way they did.
3. When it comes to Unix in general and OS X in particular, the boobs at Fucking Insecure don't know jack shit. And Mister Bill still has time to cancel his cheque.

This "iAdware" thing has received quite a reaction from the press at-large. Sophos via ZDNet has come down on the "it's not an issue" side of the equation and InMascatine has said that it doesn't count as malware. Once again, another OS X proof-of-concept has been received, cataloged, and passed on by the Mac community. Apparently, Apple's marketing is winning the day - according to consensus, there is no malware for the Mac.

Yes Mr. O'Brien, you are holding up five fingers...

Posted by Ed at 03:13 PM | Comments (0) | TrackBack

November 28, 2006

Litchfield plays Nathan to Oracle's David

The Greeks believed that the Oracle at Delphi was the center of the universe (the "navel of the world," they called it). People throughout the Hellenistic (Greek) world would travel to the Oracle to ask all sorts of questions, and the Oracle (specifically the priestess within the Oracle) would provide a (usually ambiguous) answer.

As in most ancient cultures, the role of the Oracle was not just to predict the future. There was that too, but the Oracle also had a social role. It's true - the Oracle was the one place where kings and queens, emperors and priests could hear the "damning truth" about their policies and actions. If you examine what we know about the Oracle at Delphi, or what we know about the Old Testament prophets, you find a surprising amount of social and political commentary within their pronouncements. From a social perspective, this makes sense. For example, consider the case of King David and Uriah the Hittite; who was right there to condemn David for his actions? Nathan the prophet, sure enough. He was right there to tell David where his actions fell short. And he could - the King would have been hard pressed politically if there were negative repercussions against a prophet (the prophets were seen as speaking with God's voice, so how could the King retaliate?)

So... where am I going with this? Well, recently I came across a report from David Litchfield about the "resiliency" (resistance to vulnerabilities) of Microsoft's SQL Server compared with that of Oracle's database. Interestingly, Microsoft came out on top. This is particularly interesting to me for two reasons - first, I find it ironic that David Litchfield is fulfilling the traditional "Oracular" role of pointing out where the emperor has no clothes, and second, I find it interesting for what it says about the efficacy of the secure coding measures in place at both firms. As you probably know, Oracle uses automated analysis of their code to attempt to reduce vulnerabilities, while Microsoft uses an "ingrained process" approach (the SDL). Over the short term, Oracle's approach of using a code-scanning tool is probably cheaper and less intrusive to the development process... but it is not self-reinforcing, so there are no efficiency gains over time - in other words, it requires continued investment: today it costs X to scan the code and tomorrow it costs the same (or more.) Contrast this with Microsoft's approach. While more expensive in the short term, the SDL has the advantage of reinforcing itself over time; in other words, the investment made today will continue to pay off, becoming cheaper and more effective over the long haul. An interesting strategy, and one that I think these results bear out...

Posted by Ed at 10:57 AM | Comments (0) | TrackBack

November 27, 2006

What color is your goo? I'm thinking green...

Hey, Happy Post-Thanksgiving Monday! Apologies to those of you who noticed the dearth of posts on this blog in the past week due to the holidays.

Anyway, in case you (like me) were out of commission for the past week (or hiding under a rock), there was an interesting malware event in the virtual community Second Life. In case you're not interested in following the link, the short story is this: Second Life (an online 3D virtual world) was recently bombarded by a large number of little gold rings (think "Sonic the Hedgehog") that had the property of self-replicating when users interacted with them. If you're interested in analysis and back-story, I personally think that the best take on this comes from Kurt Wismer over at the Anti-Virus Rants blog; he's been posting on it all along and capped it with an interesting follow-up.

Anyway, this thing has been getting quite a bit of attention. There are folks who are interested in this from the denial-of-service angle and others who are interested from the worm angle; now, sure enough, those things are interesting, but the thing I find really fascinating about this is not the fact that worms can hit a virtual community (after all, it's happened before) or the fact that a DoS is possible against these types of worlds (after all, most of us probably suspected this was the case.) And, interesting though it is to speculate about, I'm not really even all that interested in what this kind of event implies about the emergent properties of online communities... No, what I find really fascinating about this is the economic ramifications - particularly with Second Life.

You see, I think there's a richly textured world of fraud that we have yet to see latent within these online communities. Did you know, for example, that Second Life maintains a currency exchange? It's true - for a small fee (I think it's .30 cents per transaction), you can convert "real" money to Linden dollars (L$) - and for another small fee, you can go the other way (L$ to US Dollars, for example.) Or did you know that there are individuals on Second Life who are engaging in virtual prostitution as a way of earning actual legal tender? It's true. So, riddle me this... what is the profit potential of fraud within a virtual world? Is it worth a criminal's time? Well, currently the money supply within Second Life is 1,077,311,730; assuming October's exchange rate of 288/1, that means that the total money supply is just over $3,740,665 USD... and quickly growing. Not bad; a piece of that could be worth somebody's time. I wonder how long it will be before the bad guys figure out how to turn this to their advantage.

In the real world, "baddies" (thieves, extortionists, skull-breakers, muggers, etc.) are limited by the tangible nature of goods (meaning they can't produce stuff on the fly), they're limited by the relative inflexibility of institutions like banks and brokerages, and if they pull off a heist, they're governed by well-understood and agreed-upon laws. But in this new frontier... Who knows what's possible?

Posted by Ed at 01:18 PM | Comments (0) | TrackBack

November 15, 2006

Symantec to Apple: "You are not a beautiful or unique snowflake"

So, I just downloaded the Symantec DeepSight report on OS X security after I came across a headline about it on SecurityFocus (which, just for the record, is owned by Symantec), and I have to say that I have mixed feelings about it: mixed feelings because I usually don't expect much from Symantec, and also because the document is not exactly "chock full" of original content (much of the data/information is repackaging of publicly available material.)  However, at the end of the day I have to give this report a rating of "on the right track" because it does a good job of calling out some of the mythology surrounding OS X.

Of course, you have to take a minute to consider Symantec's goal in doing this - they're not the most unbiased party in the world.  It financially benefits them to establish OS X as an attack-prone platform.  So take the report with a grain of salt.  However, as one Mac owner (and fan of user choice) to another, I'm terrified by Apple's marketing: they keep banging the "Mac users don't need to care about security" drum - going so far as to advertise on national TV that Macs don't get malware or get hacked.  I've made the point again and again that the facts do not support this; Apple users need to pay attention to security just as much as other computer users.  Apple's encouraging their user base to ignore security is a disservice.  I would ask fellow Mac users this question: Apple advertises that Macs don't freeze or crash; if you use a Mac, compare that with your own experience. Do you think the "Macs don't need security" message is any different? 

But, those things aside, here's some highlights from the report:

OS X is not BSD:  So, we've all heard about how Apple is more secure because it's based on BSD, right?  From a marketing standpoint, it's pretty much "front and center" in Apple's OS X claims. You know, like when Apple says, "Beneath the surface of Mac OS X lies an industrial-strength UNIX foundation ... Time-tested security protocols in Mac OS X keep your Mac out of harm's way."  And it's effective marketing, too; users have picked it up and run with it - occasionally saying things like "Simply put, Mac OS X is based on BSD, BSD == The most secure OS in the world hands down. You complete the equation."  Anyway, Symantec scrutinizes this claim in detail in the section "System Design Weaknesses: Mixing Mach and BSD." Basically, the conclusion they reach is that BSD and OS X are different, and because they're different you can't necessarily equate the two without taking the Apple-specific code into account.  This makes sense to me. For example, if someone were to hypothetically use BSD code in the development of a new component, I don't think it would necessarily follow that that component (or the OS in general) is more secure because of it...

All Platforms Get Malware (i.e. "You are not special. You are not a beautiful or unique snowflake"):  Apple has made a concerted marketing push to get folks to buy in to the "Macs don't get malware" belief.  Now some of us have tried to make the point that this is irresponsible on the part of Apple because it lulls users into decreased vigilance (and therefore makes them more likely to be impacted in the event they encounter a virus, rootkit, spyware, worm or trojan.) Now, don't get me wrong - Symantec is biased...  They have an OS X product.  Clearly, it benefits them to establish that the Mac does get malware.  However, they do a pretty good job of outlining documented incidents of malware for the Apple platform. 

Hackers Target OS X:  Lastly, Symantec goes through how hackers are making use of the OS X platform; they describe rootkits that exist in the wild, the exploit development process, 0-day threats that have been documented, and why the OS X platform does not offer any extra protection in the way of defense against exploitation over and above an operating system like (for example) Linux or even Windows.  In fact, at one point they make the assertion that the lack of a randomized address space makes the platform more susceptible to exploitation than some others (cf. Vista.) 
Posted by Ed at 10:56 AM | Comments (0) | TrackBack

November 14, 2006

Webroot - Emerging vendor? Or something else?

Because I'm into that kind of thing, I usually start off the day by reading the press releases from security (and other IT) vendors. Usually, this stuff isn't very exciting (there's a lot of bluster and hot air on the wire), but today I found an interesting one - or at least one that made me think. This morning, Webroot announced their addition to CRN magazine's 2006 Emerging Technology vendor list. All right, that in and of itself is not that interesting - but what *is* interesting is reading between the lines to speculate how Webroot is faring overall based on this announcement.  As you know, Webroot is privately held, so we don't get the same kind of insight into their economics as we do with their publicly held competitors.  So any clue that we can get is a good one.

Now, before getting into this, I want to go on record as saying this is entirely speculation and I am not doing down Webroot; I actually happen to like Webroot.  In addition, I reserve the right to be totally wrong, so this could all just be hot-air.  However, if you'll indulge me in a bit of speculation, this announcement does not appear to me as if it bodes well for Webroot's long-term health. What? It's true - it looks good on the surface, but even though the announcement sounds positive, I don't think it is. Let's break it down, and I think you'll start to see why I say that:

Non-dominant market share: If you take a look at the criteria for how CRN chooses emerging vendors, you'll notice that market share is the number one most important criterion - but not in the way you'd probably expect; to make this list, you have to not be the market leader in your space. More specifically, according to CRN, "1. In established markets/product categories, the vendor could not be a dominant market-share player." Last year, Webroot was dominant in the spyware space; as a result, they would have been ineligible for inclusion in this particular directory. So last year they had the market and now they don't? Whoa, Nelly, that's not a good sign... particularly in an industry that tends to favor the market leader.

Direct vs. Channel Sales:
The fourth criterion for inclusion in the list is, "4. The company had to demonstrate that its direct-sales mix was trending down, as evidenced by the company's revenue history." Now, we know that Webroot's long-term goal is to be 100% channel by 2007, so in and of itself, this is not a warning sign. Where I think the warning sign is, however, is why they want to be 100% channel; more specifically, what does the 100% channel model imply about the makeup of the Webroot customer base? We know that channel sales are a very effective SMB sales tool, but we also know that they're not as effective a tool for the large enterprise. Reading between the lines, I interpret Webroot's strategy as moving toward concentration in the SMB while moving away from larger enterprises. Now, that's not to do down SMB - there's a market there to service for sure - but I had thought the Webroot direction was toward the larger enterprise. The growth curve usually encompasses SMB first and then branches out to larger and larger firms - the reverse, moving from larger to smaller, is usually a sign of decline in the marketplace.  Additionally, I'm wondering about the investment they've already made.  The large enterprise play is certainly marketed by them and discussed by analysts - clearly they've invested heavily.  If so, why are they backing off?

Comparison with other vendors:
The complete list of other emerging security vendors at CRN is as follows: 8e6 Technologies, Application Security, Array Networks, BioPassword, Bit9, Bradford Networks, ConSentry Networks, FireEye, Lightspeed Systems, MX Logic, Network Management Group, Palisade Systems, Passlogix, Port Authority Technologies, Red Condor, Senforce Technologies, Solutionary, TrustELI. Now, trust me, I am *not* about to do down these other vendors... There are some great players in that list and a number of firms that I watch closely and strongly support. However, what I would point out is the discrepancy between the funding received by Webroot (for example, the 108 million dollar influx of last year) and the funding received by the other vendors on the list.  For example, Senforce and MX Logic (their peers according to CRN) received 12 million dollars and 26 million respectively...  not the same ballpark. Recall Webroot's competition: Symantec, CA, McAfee, Trend, and Microsoft... If it were me, I'd be pretty scared if two of the top five largest software companies in the world were my competitors, and more scared still to be peered with firms with 1/10th my backing. 

Now, I reserve the right to be totally wrong, and I certainly mean no disrespect to folks over at Webroot.  But I'm not sure this is good press for them; I question why they would concentrate their marketing dollars here.  Yesterday, I probably would have speculated that Webroot's in good health.  Today, I'm not so sure. 
Posted by Ed at 07:34 AM | Comments (0) | TrackBack

November 13, 2006

Turns out Allchin's OK. Can we pig-pile on Oracle instead?

Have you seen the ads for the "Truth in Software Commission" hearings over at BigFix?  If you haven't seen them, I highly recommend checking them out.  Their satirical content is absolutely hilarious and it's very much worth the trip (trust me, it's long on laughs and short on the hard sell for their products.)  Not to wax verbose on this, but even their logo is laugh-out-loud funny (provided they don't move it anytime soon, you can see it on the right of this entry.)  The tagline, "Duc Ergo Sum", could be roughly translated to "You build [it] therefore I am".  Classics humor... not something you see in infosec very often.

All very interesting, and I found it somewhat ironic that the article I saw it on (the article on which I saw the advertisement) was one of the original "post-retraction" articles where Microsoft president Jim Allchin was paraphrased as saying that Windows Vista is so secure it won't require AV.  Now, before you get all worked up like I did when I first heard that, take a moment and look at his response to all the hubbub...  it turns out that he said something a bit more reasonable than how it was originally portrayed - what he really said was hubris-free, unlike how it was originally spun.  And as of now, we're pretty much back to where we started - except with a bunch of retractions, clarifications, and general backtrackery in the industry press. 

So all in all, we're net-zero after the "Allchin Incident".  Now you might be wondering - if we're net-zero, why am I bringing it up?  Because of an interesting lesson in all this...  Now, on the surface, there's the obvious lesson of "don't believe everything you read", but that's not the lesson I'm talking about... misquotes and misinterpretations of statements happen, so I don't think we should expect that they won't (or shouldn't).  Instead, the lesson I'm talking about is the willingness on the part of the public and the part of the journalist community to expect hubris on the part of Microsoft and damn them for it when it happens.  Now, that's OK, but what I think is unfair is piling on the big M while simultaneously ignoring (or encouraging) the same type of hubris from other firms.  Here's what I mean...  This thing with Allchin was a pig-pile, right?  I mean, it was the same kind of journalistic feeding frenzy you see in post-midterm White House press briefings... brutal.  But compare that frenzy with the reaction of the press to the comments made by Oracle VP Hasan Rizvi earlier this year:
In an IT environment there are lots of complexities and if you look at the Oracle software, people have to apply the patches... Our customers are so used to high security that when there is a vulnerability they don't apply the fix because they are not used to it, which is an interesting position to be in.
Now, I blogged about this because the hubris of that statement (not to mention its inaccuracy) seriously got under my skin, but there was pretty much no response from the mainstream industry press... other, that is, than the sound of crickets all around.  Or remember when Larry Ellison went on record saying that Oracle hasn't had a security problem in twenty years? Where was the pig-pile then?  Ellison's statement was inaccurate, misleading, and dangerous.  But still the crickets won the day.

Or take Apple... who has unrelentingly pushed the "no malware" message in the absence of proof and contrary to empirical evidence.  I've griped about that plenty in the past, so I won't go through it again. But guess what?  When Apple makes a statement like this - not only does it not hit the press (at least as something negative), but humble bloggers who dare to criticize it get their email boxes filled with hostility.  So here's my question: clearly, we're more eager to tear Microsoft down for doing this than other firms. Why is that?  Shouldn't we hold other firms to the same standard?  Isn't it just as offensive when Oracle makes a statement like this (and really means it)?  Shouldn't it be?  I'm not going to say we should tolerate hubris from Microsoft.  Clearly, we should react in the way that we did and call them on it.  But why do we continue to tolerate this from everybody else?
Posted by Ed at 11:29 AM | Comments (1) | TrackBack

November 09, 2006

Microsoft SDL: Serve the community, brilliant marketing

If you follow the same blogs that I do, you're probably already aware of the fact that Microsoft is hosting a series of discussions with their OEM partners about the SDL (Security Development Lifecycle.)  First of all, let me say that I'm seriously jealous of these OEM people, since it would be awesome to participate in this training.  However, references to the green beast aside, I think it's an interesting exercise to stop for a moment to consider where Microsoft is going with this whole SDL thing.  Why are they doing this, what are they doing, and what does it mean to security as a whole?

So, for some background...  If you're a developer, you're probably somewhat familiar with the "software development lifecycle" (SDLC.)  For the sake of folks who haven't spent much time in development shops, there are a variety of approaches and techniques for how software development gets done.  All software development shops operate within a spectrum of what CMM calls "maturity", what some might call "formality", and what I call "discipline."  In other words, the processes that developers adhere to vary from "undisciplined" shops (usually startups) that try to rush to market without any kind of structure whatsoever, to, at the other end of the spectrum, shops that use a formalized process that defines how requirements are developed, that ensures that users are invested, and that assigns accountability.  Of course, there are all sorts of processes along the spectrum: RUP (Rational Unified Process), XP (Extreme Programming), SPICE, and so on.  Microsoft even developed their own called the "Microsoft Solutions Framework" (MSF).  I'm not going to go into a bunch of detail here on why it's a good idea to be disciplined - the most I'll say is that (though most developers feel too much process is a pain in the ass) the process really is there to make the developer's life easier.  Although I don't have direct evidence for this, I've informally noticed that the "getting woken up in the middle of the night for some issue" factor is inversely proportional to the maturity of the development shop.  Really, it's true. 

Anyway, the overall goal of maturity (read: "discipline") is to increase the quality and reliability of development.  And it works.  In point of fact, I find that the dynamics are such that there is additional up-front investment in development time for a disciplined approach, but that the long-term gains are quality, alacrity, and reliability.  Now, Microsoft has picked up on something else that I've argued as well - which is that a disciplined approach (if designed intelligently) can also lead to increases in security; check out this text from the MSFT overview of SDL:

...there are three facets to building more secure software: repeatable process, engineer education, and metrics and accountability.... If Microsoft's experience is a guide, adoption of the SDL by other organizations should not add unreasonable costs to software development. In Microsoft's experience, the benefits of providing more secure software (e.g., fewer patches, more satisfied customers) outweigh the costs. The SDL involves modifying a software development organization's processes by integrating measures that lead to improved software security.

Now, for anyone who hasn't familiarized themselves with the SDL, I highly recommend that they do so.  It's a great read.  Unlike some folks, I haven't swallowed all the KoolAid...  The Microsoft approach is heavy on the documentation (documentation of attack surface, documentation of threats, etc.) and heavy on the education of developers.  I disagree that this is the most effective approach over the long term; the point I've made in the past is that some activities (such as developer education) require continued investment over time; by contrast, standardization of the development process through the use of a framework is self-enforcing and therefore costs less over time.  To make it really simple, you can educate developers about why they shouldn't do this:

#include <string.h>

// Deliberately unsafe (this is the "don't do this" case): strcpy() has no bounds check,
// so any input longer than four characters runs past the end of a[5].
void doNothing(char * somefoolishness) {
    char a[5];
    strcpy (a, somefoolishness);
}

or you can do this once and make everybody use it:

#include <stdlib.h>
#include <string.h>
class SafeString {
public:
    SafeString(const char * somefoolishness) {
        myVal = (char*)malloc(strlen(somefoolishness) + 1); // +1 for the NUL terminator
        strcpy(myVal, somefoolishness);                     // copy into a buffer sized to fit
    }
    ~SafeString() { free(myVal); }
    const char * getValue() const {
        return myVal;
    }
private:
    char * myVal;
//and blah blah blah
};

or whatever.  (Please don't try to compile that and complain about it, bust my nads about the strlen(), complain about the malloc, or the lack of error checking...  this is a blog for Chris'sakes so cut me some slack and just let me make the point.)  Now, one could argue (and they'd be right) that most of the "secure framework" concepts that I'm talking about are implemented in the .NET System classes (aha!).  If you ask me, MSFT has some master plan over there that accounts for both .NET and SDL.  Or maybe not...  
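Here is the SafeString idea carried far enough to actually compile and hold up, as an added example that is not the blog's own code and not anything from Microsoft's SDL: the class owns its buffer, always allocates room for the terminator, and the only way to get its contents into a caller's fixed-size array is a bounds-checked copy, so the strcpy-into-char[5] mistake from doNothing() cannot be written against this API. The names copyTo and doNothingSafely are my own assumptions.

```cpp
// Added example, not the blog's code: the SafeString idea done so it compiles and
// is safe to use. The class owns its buffer (RAII), always allocates room for the
// terminator, and the only way to get its contents into a caller's fixed-size
// buffer is a bounds-checked copy, so a caller cannot repeat doNothing()'s overflow.
#include <cstddef>
#include <cstring>
#include <utility>

class SafeString {
public:
    // Copies the input; a null pointer becomes the empty string instead of a crash.
    explicit SafeString(const char *src) {
        const char *s = src ? src : "";
        len_ = std::strlen(s);
        buf_ = new char[len_ + 1];      // +1: room for the NUL that malloc(strlen()) forgets
        std::memcpy(buf_, s, len_ + 1);
    }
    // Deep copy, so two SafeStrings never share (and double-free) one buffer.
    SafeString(const SafeString &o) : len_(o.len_), buf_(new char[o.len_ + 1]) {
        std::memcpy(buf_, o.buf_, len_ + 1);
    }
    // Copy-and-swap assignment: exception safe and self-assignment safe.
    SafeString &operator=(SafeString o) {
        std::swap(buf_, o.buf_);
        std::swap(len_, o.len_);
        return *this;
    }
    ~SafeString() { delete[] buf_; }

    const char *getValue() const { return buf_; }
    std::size_t size() const { return len_; }

    // Bounds-checked copy into a caller's buffer of dstSize bytes. Returns false when
    // the destination is missing, or (after writing an empty string to it) when the
    // contents plus terminator do not fit. Nothing is ever written past dstSize.
    bool copyTo(char *dst, std::size_t dstSize) const {
        if (dst == nullptr || dstSize == 0) return false;
        if (len_ + 1 > dstSize) { dst[0] = '\0'; return false; }
        std::memcpy(dst, buf_, len_ + 1);
        return true;
    }

private:
    std::size_t len_;
    char *buf_;
};

// The blog's doNothing() rewritten against the framework (the name is an assumption):
// the input still lands in a char[5], but an oversized input is reported rather
// than written past the end of the array.
bool doNothingSafely(const char *somefoolishness) {
    char a[5];
    SafeString s(somefoolishness);
    return s.copyTo(a, sizeof a);   // "abcd" fits (4 chars + NUL); "abcde" does not
}
```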

But anyway, small differences in philosophy aside, I think the fact that MSFT is even going here is impressive.  After all, application security is a topic that most of mainstream security (unfortunately) doesn't care about all that much.  They should, mind you, since I think it's where the majority of the issues are - but the fact that they don't is clear.  Example: do a search for "+application +security +sdlc" in your search engine of choice and compare the results with a search for "+mobile +malware +phone" - notice how the phone-malware stuff eclipses application security by an order of magnitude?  That's my point. 

So why is MSFT going there?  All told, I think it's twofold - internally to them, I think it's motivated by reducing their long-term security-related costs - which it probably will.  So, they're probably investing in their internal processes to realize some efficiency and maintainability gains (and therefore lower costs.)  Smart move.  Externally, though, is where I think the strategy gets brilliant.  Brilliant?  For sure.  Think about the marketing potential here...  can you think of a better way to displace their (unearned in my opinion) reputation for being insecure?  How much marketing would it take to give them an image as a "secure" solution?  Millions?  More, probably.  Not to mention that people would be loath to take that marketing seriously.  But by becoming the de facto thought leader in application security - a space that is directly applicable to their product and that is underrepresented in the field?  That's the path right there. And the cost?  A few whitepapers, a book or two, a few pro bono education sessions with partners.  I'll make a pilgrimage to bow at the feet of whoever's idea that was. 

Posted by Ed at 01:06 PM | Comments (0) | TrackBack

November 08, 2006

Voting Security: Back to the Greeks

Yesterday was election day in the US, as you probably know if you live in the States and probably couldn't care less about if you don't. And if you're in the infosec world, you also know that everyone's been cranking up for the big day due in no small part to the increasing use of electronic voting machines and the increased scrutiny that this technology has come under in the past few months - in academia, in public forums and through less traditional means. Needless to say, it's been something to watch - high entertainment indeed for the connoisseur of human folly (to borrow a phrase from Jane Austen).

Now, I'll fess up - I'm a bit of a Luddite. For example, I use fountain pens (even travel with them) despite the constant ink stains, I won't upgrade to anything after Visual Studio 6 because I don't want to learn the new interface, and I prefer driving a stick. Now, being the Luddite that I am - I think electronic voting is dumb. I revel in the fact that the small town of Amherst, NH hasn't caught wind of the hideous inefficiencies associated with the "write it down on a piece of paper" style of voting.

Now, that being said, here comes a bit of heresy: I think our election woes have very little to do with electronic voting machines or the fact that security is not built in to the electronic voting process. Sure, the process is flawed, the equipment is prone to theft, and there are bugs galore. But at the end of the day - are we worse off? I'm not sure that we are.

To illustrate what I mean, consider the case of Themistokles. Themistokles (or Themistocles if you prefer the Latin spelling) was a famous Greek naval commander who was ostracized for being too arrogant (well, or for taking bribes or for being a bad leader, depending on who you ask.) Anyway, ostracism was basically democratic banishment - individuals could be kicked out of Greek society for a period of ten years if enough people voted that they should be. Voters would write the name of the individual on a piece of clay called an ostraka (a voting token - one is pictured above) and put it in a jar. If enough votes were in the jar, the person in question had to go. In the case of Themistocles, he had enough votes to get booted out - and he was. Now, what's really interesting about the Themistocles case is that years later, archaeologists found hundreds of ostraka at the bottom of a well; they were written out by fourteen different individuals and had been hidden. In other words, somebody (quite obviously) rigged the election. Of course, voting fraud is nothing new. As long as there have been elections, there has been fraud. Ballot stuffing (like what happened to Themistokles), scare tactics, fraudulent reporting, voter intimidation - all of these things were there in Athens 2500 years ago and they're with us now. With apologies to Solomon, there's nothing new under the sun.

So here's the question I'd ask: how robust does a voting system have to be before it's "robust enough" for the purpose? Is it possible for someone to smuggle malware onto a Diebold machine? Sure. Is it possible for someone to file down the punch mechanism in a lever-based system? Yes. Is it possible for someone to walk in to the voting place and say that they're me? Uh-huh. Look - here's my point: fraud can happen in electronic systems just like it can happen with clay jars. Maybe the security is worse with electronic voting machines or maybe it's better - either way, we shouldn't expect more from electronic voting just because it's electronic. Instead, I think we should be asking another question: how invested are citizens in the voting process? Aristotle said - and I agree with him - that the more people vote, the more reliable the vote will be (this doesn't necessarily imply better decision making, by the way - just a more representative count.) It makes sense, doesn't it? In Attica, where there were only 6000 people voting, stuffing the ballot only required a few extra votes - in the US, where upwards of 150 million people vote (on average), stuffing the ballot takes a lot more extra votes and is therefore harder to pull off.

Posted by Ed at 10:40 AM | Comments (1) | TrackBack

November 06, 2006

Hot or Not Part Deux

In case you've been following along, I promised last month to keep on top of SC's "Hot or Not" feature. Well, I'm a bit late to the party (seeing as how it's November and the column came out in late October), but at least I didn't miss it entirely. Anyway, this month eEye founder Marc Maiffret posits that wireless card attacks are not hot, saying instead that they are just hype - nothing sums up his take better than this selection:

Do we all really believe that the next major wave of identity theft attacks is going to happen by Eastern European hackers flying to the United States to sit at your local Starbucks and hope that someone with the correct vulnerable wireless card driver is going to fall victim to their scheme?

Now, in my opinion, Marc's half right - or how about "right from a certain point of view." Here's what I mean: everything Marc says about the attack is 100 percent true: it's not particularly likely to occur, it's the least of your worries at the local Starbucks, and it's not any more technically interesting than other kernel-level issues already documented in other products. All true. So, judged solely on the merit of the bug, I would tend to agree with Marc; the panic associated with this issue is way out of line for the threat. But there is one area where I think we do need to move beyond the merit of the bug to determine "hot vs. not" status - namely, the Mac community's response to it.

Now I've learned the lesson that saying something negative about Mac security signs you on for the flame email barrage, but just for the record, let's not forget the following:
- MacWorld denied the existence of this flaw
- Public claims were made that the BlackHat demo was entirely fabricated
- Public assertions appeared in the press that the demo was rigged
- Apple still hasn't given full credit to the researchers

So, while I agree with Marc that this isn't the worst thing in the world from a security perspective, I think it makes for interesting fodder for discussion nevertheless.

Posted by Ed at 05:35 PM | Comments (2) | TrackBack

Aycock Malware Round-Up

I came across a great post by Kurt Wismer this morning over at his Anti-Virus Rants blog: it's a timely and interesting response to all the brouhaha surrounding academic malware. Now, he and I don't entirely agree on this topic (I won't go through it all again since we did over a thousand words on it last week), but Kurt argues the other side of this issue extremely well; I highly recommend it as a must-read counterbalance for folks wishing to understand the issue. Anyway, definitely worth checking out.

Other resources I'd recommend for folks wishing to understand the issue in depth are Tony Sampson's take on M/C Journal as well as John Aycock's publications that are relevant (though tangential) to the topic - for example, his views on creating a "safe" AV testing facility...

Posted by Ed at 09:44 AM | Comments (0) | TrackBack

November 03, 2006

Strange Things are Afoot with Breach Disclosure

(Today's topic has been brought to you by Dave N.) So, strange things are afoot at the Circle K - provided that by "Circle K" you mean "Breach Disclosure" and by "strange things" you mean "corporate irresponsibility". Specifically, have you seen the recent statistics for how often laptops are lost? Now, while I haven't seen an "authoritative" source for this statistic, I see 1600 per day cited fairly often as is 2000 per day. Now, whether it's 1600 or 2000 is irrelevant... the point is that it's a lot.

File that number (1600 per day) away for a minute. Now consider the number of breach disclosures reported this year. According to the ID Theft Center, the number was 138 as of the end of August. Using our figure from before (1600 laptops stolen per day), let's solve for how many laptops have been stolen in the same timeframe (we can assume 30 days per month here - no need to be a stickler). We get: 1600*(30*8) or 384,000 laptops stolen as of the end of August. See any kind of disparity there? Even if we assume that every breach disclosure stemmed from a stolen laptop (not the case, by the way), the percentage of stolen laptops leading to a breach disclosure is: (138/384000)*100... or .036 percent.

Now, how could it be that this number is so low? Could it be that firms aren't disclosing when they should? Is it possible that the corporate custodians of our data are running afoul of the law - either intentionally or unintentionally? Maybe so, maybe not. First of all, not every state has a breach disclosure law - so, we wouldn't expect that every case of exposed data would lead to notification, right? Last count I saw, it was only 23 states that had a law - just about half. So, adjusting for half of the states not having breach disclosure laws, we would expect that if everybody's reporting when they should, .07 percent of laptops contain unencrypted personally identifiable data, right? Now, I don't have any numbers on what the actual number of laptops containing personally identifiable data is, but 7 in 10000 seems small to me - it just doesn't jibe with personal experience.

So, without having an estimate of how many laptops contain PII, we can't really point an accusatory finger - other than to just say that the numbers seem "fishy". Going by personal experience, I would think that maybe one in five or one in 10 would be more realistic... If that's the case - if one in 10 laptops contain PII - we would expect to see 38,000 breach-disclosure incidents. Too high for you? How about 1 in 100? If only one laptop in a hundred has PII on it, we would expect 3,800 reports - meaning that over 95 percent of breaches still go unreported. But maybe I'm just being cynical...

Posted by Ed at 02:31 PM | Comments (0) | TrackBack

November 02, 2006

AV Vendors need to crank it down about a million degrees

I came across an article today about John Aycock and his new spyware class at the University of Calgary. Dr. Aycock is of the opinion that students learn better how to protect against spyware by first understanding how spyware works - and what better way for students to understand how spyware works than by actually learning how to build some? Now this isn't the first time this particular professor has espoused these particular beliefs (to great controversy) - specifically, this is the same professor that was criticized (mostly by the AV community) for offering a class that teaches students how to write viruses.

Now, put aside for the moment whether you think he's right or wrong - we'll get to that in a minute. For the time being, concentrate on the vendor response (consisting mostly of outrage and hyperbole). McAfee likens the Calgary curriculum to torturing people ("It's like saying that in order to be a better doctor you have to learn how to torture people"). Sophos (always willing to give the benefit of the doubt) says it's more like carjacking rather than the Mengele-esque pain frenzy described by McAfee ("Should we teach kids how to break into cars if they're interested in becoming a policeman one day?"). Anyway, the upshot is that AV firms have gone on record saying they will never, ever, hire students who have completed these classes: "Representatives from McAfee and Sophos Internet security companies have vowed never to hire his students." One wonders if they'll hire students that have failed the class or if you have to actually pass it to get blackballed...

Clearly the response of these AV firms is unfair to at least one group of people; namely, the students. Is it the responsibility of a high-school senior to vet the politics of their potential professors before applying to a University? Should it be? If a student changes majors, is it their responsibility to change schools if a professor's politics in their new program happens not to align with executives in industry? Where does a student go to consult the registry of professors whose classes make them unemployable in industry? Look - for the moment, put yourself in the shoes of one of these students: you're bright and you completed your degree in computer science with honors. Now, it doesn't really matter what your reason for choosing Calgary was - maybe you chose it for the excellent business school or maybe you got a scholarship (do Canadians need scholarships for school?) Anyway, no matter what the reason, Calgary was your pick. During your term, Dr. A's classes made you so interested in AV that you decide to pursue a career in it after graduation. But then comes the sticky part: you apply to AV vendor after AV vendor. Inexplicably, you're turned down at every firm. What's going on? You research it, and find out that you're blackballed; tough break... you can't untake the class so you can't get a job. Stick a fork in you.

So, the vendor response was hyperbolic and it was unfair to students. But these things would probably be acceptable if they were at least justified. So, are they? It seems to me that the crux of the AV vendors' argument is twofold: objection #1: these students are a threat, and objection #2: the professor's lab might be unsafe. So are these things true? Let's break them down:

Objection #1: Calgary's AV training makes students too good and too dangerous (like Benicio Del Toro in "The Hunted"). Now, maybe I'm overly skeptical, but let me ask you to compare two scenarios to illustrate why I think Calgary's program is better than the alternative:

Scenario #1: a prospective AV employee goes to class with Dr. A and learns about malware ethics, malware countermeasures, and how malware works.
Scenario #2: a prospective AV employee spends their teen years reading electronic texts from underground groups such as the Ready Rangers Liberation Front or the Purgatory Virus Team. Maybe they reverse engineer a few viruses, maybe write a rootkit or two, maybe write a virus toolkit or publish information on malware authorship.

Which option seems safer to you? Now, which one is more likely to get you blackballed by the industry? Apparently, the first one is unacceptable and the second one is accepted practice. How many of us in security got our start by reading less-than-reputable information sources on BBS systems or USENET (depending on your age, I suppose)? Now call me cynical, but it seems to me like the Calgary program is more controlled, more conducive to learning, and probably safer because students get taught ethics while they're learning about malware.

Objection #2: The Calgary lab is potentially unsafe - some virus a student writes could leak out and spread across the Internet like something out of "The Stand." Bull. Now, I've beaten this drum in the past, but I don't think AV vendors are the last stop when it comes to dictating laboratory conditions to research teams. For example, I raised this point when AV vendors criticized Consumer Reports for doing their thing to test AV protection. Why is Sophos sufficiently versed in how to create a robust laboratory environment for malware research purposes but the University of Calgary isn't? Has Sophos studied the protection mechanisms that Dr. A has in place and published specific details on where they are lacking? No. Have they visited the lab to review the safety procedures? I doubt it. So why should it be accepted as a matter of course that they maintain a research lab, but somehow the University of Calgary doesn't have sufficient capability to do so? This argument is spurious. I've said it before, and I'll say it again: until somebody publishes some standards delineating acceptable practices for labs, nobody has the right to criticize. I don't buy it that vendors like Sophos, McAfee or Symantec are better equipped to maintain a lab than universities; in other words, selling software does not give you a claim to special dispensation when it comes to doing research...

Posted by Ed at 10:46 AM | Comments (3) | TrackBack