I came across an article this morning over on skynews talking about the results of a wireless security study that went on in the UK.  Some folks over there did an ethical hacking experiment where they checked to see what percentage of WiFi networks were secured vs. which were vulnerable.  For those of you with two eyes and a brain, the answer is probably not a shocker: it’s about 50/50.  Security of WiFi stinks – period.

But that’s not why I’m bringing it up.  I’m bringing it up because of their conclusion and call to action.  Frankly, it irritates me that the conclusion of this is telling the users to “be more vigilant” – or, as they relate in the skynet article:

“We urge all wi-fi users to remember that any information they volunteer through public networks can easily be visible to hackers.  It’s vital they remain vigilant, ensure their networks are secure and regularly monitor their credit reports and bank statements for unsolicited activity.”

No.  This continuing blaming of the victim is unacceptable.  One percent of networks configured improperly?  OK, maybe that might be a “fluke” – attributable to user error.  But when you start talking about half – there’s something else going on.  And telling people to “strap it up” isn’t going to help – it’s just patronizing.

Here’s what I mean.  Put aside user misuse for a minute, and look at a situation where the consumer has no control over usage (we’ll get to usage in a minute.)  In that case, it’s crystal clear where responsibility for lack of safety lies.  Say, for example, I tested potatoes and found that 50% of potatoes were laced with arsenic. Would my conclusion be – “be more vigilant about potatoes you buy; bring test kits with you to check your foods; and remember to test for kidneys for damage regularly?”  Clearly  not, right?  We’d ask instead questions like, “why is that potato poisonous?   how did the arsenic get there?”  No blaming the victim.

Now the case of WiFi is a little bit different – because the consumer has some control over usage; in other words, they can configure it correctly or incorrectly and they have some control over that.  But people forget: engineering dictates usage.  What’s that mean?  Specifically, the way something is engineered governs the way that it is likely to be used. In other words, if you design a car with a big red button on the dash that says “PUSH ME”, you should expect consumers to push it – even if pushing it means the car blows up.  When they push it, and it blows up the car - you, the engineer, are responsible. No matter how strongly worded the manual is about not pushing the button because it’ll blow up the car, your design was poor because the button was there in the first place.

Make it easiest for the user to use it in an unsafe way?  Guess what – the unsafe use is going to be how many people use it.  So the well engineered apparatus – be it a car or a wireless access point or whatever – will make it easier for the user to configure it in a safe way and harder for them to configure it in an unsafe way.  To make unsafe usage the default scenario and then to complain when users do it?  That’s just bogus….

So, Comodo (not the dragon, but still a cool name anyway) recently dusted it up over the certificate signing request page at Verisign and whether or not it should be public.

Comodo started by kicking the dirt at Verisign:

“When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem… With millions of customer’s financial transactions at stake, we wasted no time to help correct the problem even though it wasn’t ours to begin with.“

And then Verisign responded that it’s a non-issue:

“I understand where an outsider might look at this and think that they’re looking at something where they can really do powerful things to certificates, but at the end of the day, those powerful things are done by somebody else,” he said. “That control is only accessible by somebody who has a special what we call administrator certificate that is actually on the computer from which they’re accessing it.”

Yawn.  Oh sorry, I dozed off a little bit at the end there.  Anyway, in my opinion, they’re both wrong.

It’s not a big-deal security-wise, Verisign is right about that.  I’ve used their infrastructure enough to know that you have to have the admin cert to actually do anything with that page (like gen a CSR).  So nobody’s going to be issuing any certs off of that page.  So Comodo’s claim that it was an ethical imperative to disclose it? I’m not sure I agree.

That being said, neither it is a good practice on Verisign’s part to disclose who their customers are to the world at large. Disclosing *any* information (even that a particular firm is a customer) without their permission seems like a bad practice in my opinion.  Shouldn’t someone have to opt-in to that?  According to Verisign’s privacy statement:

You should be assured that we do not provide or sell personal information about our customers or site visitors to vendors that are not involved in the provision of VeriSign’s public certification and other services.

Well, for this purpose they apparently do.

So net-net, not a security issue but not good form by the big V either.  So now the whole industry is going to get spun up and chase its tail about this thing.  Verisign has some egg on their face… maybe.  Comodo gets seen as petty for reporting it publicly… maybe.   And we all collectively… lose.  In future, maybe some better communication between the coopitition can save everyone the hassle and save themselves the marketing fallout this is sure to have.

Cyberman with an electric guitar… So incredibly random…  so nerdy…  but yet, I cannot look away.

Of course, I had an entirely opposite to the  “World’s No. 1 Hacker” crap that’s been making the rounds.  The Register says the security community is “rocked” because of the allegations of plagiarism, racism, and general chicanery contained in the ebook.  I, at least, remain totally, completely, verifiably… unrocked.

Full disclosure: I only read about 10 pages at random from the ebook, so maybe I’m not the best judge.  But the few pages I skimmed seemed…  well, like a security book (maybe because it’s plagiarized from other security books.)   The only thing different about it seem to me to be the wall of text in the beginning about the awesomeness of Greg Evans:

“Innovator,” “leader,” “visionary”—just a few of the terms that describe Gregory D. Evans, andthe extraordinary range of talents and expertise that distinguish this multi-faceted author and cyber-security expert.

Sigh.  Really?  Anyway, I really didn’t want to spend too much cycles on this other than to ask who is reading this?  If you are a security practitioner, wouldn’t you read one of the (innumerable) other books out there?  If you are legitimately a youth trying to learn how to be a reet haxor or whatever, why would you read this rather than the ocean of data available on the internet that isn’t chock-full of self-aggrandizement?  I mean, is it just me?  Why, for example, would someone choose to read this book over something with a similar dearth of hacker cred – say for example Carolyn Meinel’s, “Überhacker II“?

Anyway… generally speaking, I’ve found that this kind of stuff tends to go away if we all just ignore it. But in the meantime, I would ask what market we in the mainstream security community aren’t serving that a book like this is able to gain any traction at all.

Edit:  As Diana mentioned yesterday, don’t forget to check out this awesome writeup by Ben Rothke about the plagiarism angle.

OK, so I saw in the industry press that CIS had put out configuration guidance for the iPhone. This seemed interesting to me, since I’m now an Android user (love it, by the way) – I think the Google phone is the best thing since sliced bread. Not that the iPhone and Android are the same thing – just because I feel a kinship with the iPhone users for some reason.

Anyway, I surfed over to the benchmark to check it out. Not surprisingly, there’s about as much complexity associated with hardening an iPhone as you’d probably expect. For example, they outline that “Airplane Mode” is pretty good from a security perspective, that it’s probably a good idea to turn the password protection feature on, and that you really ought to upgrade the firmware occasionally.

But believe it or not, I didn’t bring it up to make fun of the specific recommendations in the benchmark. It it what it is… No matter how obvious the recommendations might seem to us as security folks, explicitly pointing stuff out in a no-nonsense way can never be bad.

No, actually the reason I’m bringing this up comes about because of the “wall of text” in the legalese of the Benchmark’s Terms of Use. Check this out and see if anything about this strikes you as unusual:

CIS makes no representations… as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware…

Wait… wut? OK, so I’m not a lawyer. And maybe lawyers have a different meaning for the word “representation” (if so, I couldn’t find it). But doesn’t this (from the CIS Benchmark FAQ) sound like a representation “as to the positive effect” on security:

CIS Benchmarks enumerate security configuration settings and actions that “harden” your systems. They are unique, not because the settings and actions are unknown to any security specialist, but because consensus among hundreds of security professionals worldwide has defined these particular configurations.

What bothers me about this is that CIS clearly asserts that using the benchmarks will help secure your systems. What else could “harden your systems” mean? What would be the point of pointing out that “hundreds of experts agree” if the end state was not to make the security profile better?

It’s clearly the case. In fact, it’s sort of the whole point.

CIS leading with this seems to me kind of like Honda pasting a big yellow sticker on the Civic’s steering wheel that says “Automobile not intended for transportation.” … What the frick else would it be intended for? Outdoor paperweight? Portable cell-phone charger?

Is it really the case that we’re so far down the word-weasel road that the only way not to get sued is to entirely disavow what our products actually do? Can it really be that bad? Or is CIS just over the fence?

I was reading through Security Focus “Triple Threat to Macs Largely Academic” article this morning, since it is a topic of interest to me. The article was interesting, and I found it worthwhile that the author addressed the PR aspects of the recent security issues. All in all, an interesting read. But, being a glutton for punishment, I decided to read the comments as well. I figured there were probably some Mac owners “baitin’ for bear” that might have something to say about the security of OS X. There were. Some excerpts:

- …I suspect that people have been focusing on OSX ever since version 10.1, just that it took some real skills to do it until now, keeping the task of popping an OSX box way out of script kiddie reach.

- think that OSX has been targeted the whole time, just that it took this long for anyone to actually find anything useful to crack it with, thanks to the ease with which Windows could be cracked and the higher skillset required to actually pop an OSX box from the outside.

Of course. For those who read this blog on a (semi) regular basis, you may remember that time that I did a comparison of when patches came out for a vulnerability in libRuby to see how Apple compared to other vendors (read: not so well). Well, just to further underscore my point, I did the same exercise again, this time using a larger sample set. This time I used four vulnerabilities common to most Unix-based OS vendors (CVE-2005-1689, CVE-2005-2969, CVE-2005-0710, CVE-2005-3185.) I then calculated the number of days that elapsed between the vulnerability announcement and when an OS patch was released (all this data is freely available with a bit of digging by following the reference links in the CVE entry.) Want to see what I found?

So, here’s my question: if Mac is so much more secure than other systems, why is it that it takes Apple on average 100 percent longer to patch vulnerabilities than other vendors? Or isn’t it just more likely that it isn’t worth an attacker’s time to go after it?