Is security failing?

According to Noam Eppel, in an article earlier this year entitled "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security", it is. He's promised to suggest solutions in a later article but in the meantime wanted to prompt awareness and discussion of the state of security. He succeeded: the discussion has been vigorous but unusually thoughtful.

Anyone would instantly ask "What do you mean, 'failing', and what would you think of as success? There's no nontrivial part of the physical world that's free of crime".

Noam Eppel tries for common sense rather than rigor and sees the failure in two forms. First, he argues, we've lost control of our networks. Spam oozes through multiple layers of filtering and wastes staggering amounts of server resources before the filtering. DDoS attacks are routine and have put companies out of business or forced them to pay protection money.

He also looks at it from the viewpoint of the end user who is willing to take reasonable precautions against crime but expects to be able to do normal things with low or manageable risk. Eppel argues that we're not there if every device needs expert hardening after it comes out of the box and before it can be used. He sees the desktop as a failure because the user needs to buy a second box to serve as a firewall just to keep the system safe long enough to download all the security patches, which themselves are evidence of failure. After all, what other product needs to be recalled every second Tuesday? For that matter, what does it say if the advice to users is to stop using the default web browser that's integrated all through the system?

I've got problems with some of his supporting statistics, for example the one on spyware prevalence, based on a survey that counted tracking cookies. But then, doesn't it illustrate his point that the security profession doesn't have solid facts to work from?

Some of the comments were true but missed the point:

    most people fail to adequately secure their environment because they have no plan to manage it long term, no technical security architecture, and no real concept of what constitutes a security program.

when the point was that things are out of control if you need a "technical security architecture" just to go about your business. Others accidentally illustrated the difficulties:

    I think that security professionals know EXACTLY how to secure a system - turn the computer off.

is funny because it doesn't work: just get a Wake-on-LAN packet into the same LAN segment and the computer may turn itself back on. If you need that amount of knowledge to keep things secure then very few things will be secure.
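The Wake-on-LAN point above is exactly the kind of thing a defender wants to be able to see rather than guess at. The following is an added example, not code from the post or from any of its commenters: it recognises the Wake-on-LAN "magic packet" pattern in UDP payloads and reports which source tried to wake which machine. The datagrams and addresses in it are constructed sample data.

```python
# Added example (not from the post or its comments): detect Wake-on-LAN
# "magic packets" in UDP payloads so a defender can see who is trying to
# wake machines that are supposed to be powered off. SAMPLE_DATAGRAMS is
# constructed, not captured traffic.

SYNC = b"\xff" * 6  # magic packet = 6 x 0xFF, then the target MAC 16 times


def magic_packet_target(payload: bytes):
    """Return the target MAC as colon-hex if payload holds a magic packet.

    The sync stream can sit at any offset (some senders pad the front), and a
    4- or 6-byte SecureOn password may trail the 16 MAC copies, so we scan
    for the sync bytes and only check the 96 bytes that follow each hit.
    """
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6:idx + 6 + 96]
        mac = body[:6]
        # A target of ff:ff:ff:ff:ff:ff is just more sync bytes, not a host.
        if len(body) == 96 and mac != SYNC and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        idx = payload.find(SYNC, idx + 1)
    return None


def find_wol_senders(datagrams):
    """Map each target MAC to the set of source IPs that sent it a magic packet.

    The port is deliberately ignored: 7 and 9 are conventional, but a NIC
    accepts the pattern on any UDP port (or in a raw Ethernet frame).
    """
    hits = {}
    for d in datagrams:
        mac = magic_packet_target(d["payload"])
        if mac is not None:
            hits.setdefault(mac, set()).add(d["src"])
    return hits


# Constructed sample: a classic magic packet on port 9, an unrelated payload,
# and a front-padded magic packet with a SecureOn password on a high port.
SAMPLE_DATAGRAMS = [
    {"src": "192.0.2.10", "dport": 9,
     "payload": SYNC + bytes.fromhex("001122334455") * 16},
    {"src": "192.0.2.11", "dport": 53,
     "payload": b"\x12\x34\x01\x00" + b"\x00" * 8},
    {"src": "192.0.2.12", "dport": 40000,
     "payload": b"\xff" + SYNC + bytes.fromhex("0a0b0c0d0e0f") * 16 + b"\x00" * 6},
]

if __name__ == "__main__":
    for mac, sources in find_wol_senders(SAMPLE_DATAGRAMS).items():
        print(f"WoL magic packet for {mac} from {sorted(sources)}")
```

Feed it the UDP payloads from a capture on the segment in question; any hit for a MAC that is supposed to stay down is worth an alert.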
One argued that the problem is an unalterable problem of human nature:

    Sorry to say but the whole technical aspect here is irrelevant, the level of corruption in most societies right now in the 21st century is too high to be able to stop all this crime from happening. There are too many holes in society itself and these are not solvable with tech.

which leaves out the problem of scale: a meatspace conman can attack a few marks at a time, a phisher can strike millions.

What's my take on it? I think there have been a lot of successes, which are hard to remember because attackers can just change their tactics and refocus attention on new areas. When's the last time you lost a system to a Ping of Death or a SYN flood? Worms have gotten harder to field as we've gradually hardened applications: there are even people using sendmail, of all things, successfully. Attackers have been forced up the stack to higher-level attacks such as SQL injection or direct to the highest-level attack, injecting bad data into humans.
For most people on the internet, wouldn't running from a live CD just about eliminate most concerns? Maybe the industry needs to rethink dedicated appliances for dedicated tasks, something like the webTV but actually functional, has a mouse, etc. If you have nothing to write to, you can't get owned too easily.
I know that wouldn't come close to solving all the problems, but I think it could help 90% of the folks out there with what they use a net connected computer for.
There are three major "mental" issues with users that have proven almost impossible to shake.
1. It won't happen to me, I'm a nobody out in nowhere.
2. But the e-mail was sent to me by someone I know! They wouldn't send me a virus!
3. Cool! Shiny!
On the industry side, there are two big issues.
1. Backwards compatibility.
2. The computer as the Swiss Army Knife.
Most "average" users don't understand that when it comes to cyberspace, East Jesus, Nebraska is just as close to the mean streets of Shanghai as it is to the local Piggly Wiggly. There is no such thing as "nowhere" on the Internet. If you're connected, you better consider yourself as walking down back alleys in Harlem, at night wearing "I hate black people, am unarmed and have lots of cash on me" sign, as far as safety is concerned.
It will happen to you, if you don't take precautions. And in the case of the Internet, "reasonable" is the equivalent of living in the worst neighborhood -- you have as many locks and protective measures as you can afford. Welcome to the Internet.
* * *
Repeat after me (or to your clueless friends): Spam comes from strangers, viruses come from friends and co-workers. Computer viruses are called that because they behave like biological viruses. You have to have contact with someone infected to get a virus and it works the same way for your computer.
Just because you get a neat attachment from a "friend" doesn't mean it is safe. Save that sucker off and manually scan it with your AV program before clicking it.
Junk mail just shows up, uninvited, in your postal box. Spam just shows up, uninvited, in your e-mail box. In most cases you have no idea who is sending it to you, but there it is. Get some anti-spam filters and just deal with it. I spend less time on spam than I do on junk mail.
* * *
People are so easily distracted and amused. I've lost count of the number of virus infections I've fixed where people told me "all I do is read my e-mail, browse CNN and E-Bay". Right. That is why their cache and history are full of porn, flash games, warez sites, dozens of different forums, funny video/audio links, electronic greeting cards, etc.
You want to stop getting viruses? Stop opening electronic greeting cards and every "joke" link that your buddies send to you. If you go to a website and it requires you to install ANYTHING, tell it NO. Need to update Flash? Too bad.
General rule: If it pops up a dialog box asking about yes/no, you need to pick no and immediately scan your computer for spyware and viruses. I don't care if it promises photos of Brittney flashing her goodies in Paris, JUST SAY NO.
* * *
For the industry, there is too much "but to fix that we'll break all this other stuff". No, it is already broken, you just don't know it, yet.
Here's the simple solution: provide the legacy stuff in a VM, but start over from scratch with the rest. Resist the temptation to add any more features, just go over what there is and fix it. If that breaks something that has worked for the last 10 years, so be it.
There have also been decades of "the computer can do ANYTHING, just add more software" advertising. This has convinced people that the computer can do anything WELL, which isn't the case. A Jack of all trades is master of none, and this also applies to computers.
* * *
Zogger's mention of using a LiveCD is great, except the industry is focused on selling more and more software. You can't install anything with the LiveCD (now), and people are always "oh, I need to install X and Y and Z and A thru Q while I'm at it. And I need this, too and something else tomorrow."
Personally, I think this is the way it is going to go. A "core" system boots securely to the Internet and most of your "software" is ASP-provided. This would actually work if the ASP-stuff was only one or two hops away from you, like at your ISP.
It could be cached on your local machine for "offline" use. Check out Slax's webconfig, ROX and ZeroInstall for excellent ideas.
Enterprise environments are moving in that direction, except it's the "standard image" instead of a live CD and they reimage when something goes wrong instead of having the system be read-only to begin with.
I really like the idea but we need faster CD drives, and a painless way to keep a persistent /home (mounted noexec) on a USB nerdstick.
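A persistent /home on a stick is only as safe as the mount options it actually ends up with, and "mounted noexec" is easy to assert and easy to get wrong. The following is an added example, not code from the post or from any of its commenters: it parses /proc/mounts-style lines and reports which hardening options a given mountpoint is missing, and whether the root filesystem is read-only as a LiveCD root should be. SAMPLE_MOUNTS is constructed sample data.

```python
# Added example (not from the post or its comments): check that a persistent
# /home on a USB stick really is mounted noexec (plus nosuid/nodev) by parsing
# /proc/mounts-style lines. SAMPLE_MOUNTS is constructed, not a real system.

REQUIRED = ("noexec", "nosuid", "nodev")

SAMPLE_MOUNTS = """\
/dev/sr0 / iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
/dev/sdc1 /media/my\\040stick vfat rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: {"device", "fstype", "options"}} from mounts(5) lines."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = parts[:4]
        # The kernel escapes spaces in paths as \040 so the line stays splittable.
        mnt = mnt.replace("\\040", " ")
        mounts[mnt] = {"device": dev, "fstype": fstype,
                       "options": set(opts.split(","))}
    return mounts


def missing_hardening(text, mountpoint, required=REQUIRED):
    """Options from `required` absent on `mountpoint`; None if it is not mounted."""
    mounts = parse_mounts(text)
    if mountpoint not in mounts:
        return None
    return [opt for opt in required if opt not in mounts[mountpoint]["options"]]


def read_only_root(text):
    """True when / is mounted read-only, as a LiveCD root should be."""
    return "ro" in parse_mounts(text).get("/", {}).get("options", set())


if __name__ == "__main__":
    for mnt in ("/", "/tmp", "/home", "/media/my stick"):
        print(mnt, "missing:", missing_hardening(SAMPLE_MOUNTS, mnt))
    print("root read-only:", read_only_root(SAMPLE_MOUNTS))
```

On a live system, pass the contents of /proc/mounts in place of SAMPLE_MOUNTS; an empty list for /home is the result the commenter is asking for.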
Once upon a time I, too, thought that LiveCDs and bootable USB thumbdrives were going to solve the security problem that is a compromised system or an over-clickhappy end user.
Then I realised I was wrong.
Assuming a perfect world, where the end user will be happy to reboot their system to visit their bank's site, where the Internet cafe is going to let somebody reboot their systems at random, with their own random bootable system, the big problem is that LiveCDs are fixed (USB thumbdrives less so) - what is installed at the time of creation is fixed in time - no security updates or improvements allowed.
When I was looking into the various reasons why a plan to get users to use LiveCDs to access their banking sites (but using their fat client for everything else) wasn't going to work, I brought up the difficulty of getting users to reboot just for going online (make security hard and people will work around it), but something more interesting came to light.
On the surface, the plan of using LiveCDs sounds fine - there is no chance of overwriting boot media and a simple reboot kills whatever crazy process manages to get running. Sure, a memory-only rootkit can run, but it will only affect that particular boot cycle (and these rootkits exist). Thankfully, that issue is a fairly low risk.
What was a bigger risk for the particular LiveCD plan was that the Firefox version being promoted with the LiveCD was vulnerable to a remote memory disclosure security hole (disclosed a week or so after the announcement of the LiveCD). This meant that any site that you visited could happily read through the system memory allocated to Firefox - which meant accessing passwords, authentication details, visited sites, basically anything that you have previously seen since you started that Firefox session.
Now, consider a phishing attack that directs the victim to the real banking site, but asks you to visit another site (www.nearly-realbank.com) to fill out a customer satisfaction survey about your online banking experience. Without asking for your authentication details, the site owner can happily suck that data out of the allocated Firefox memory and use it for whatever purpose they want.
Now for the million dollar question. How are you going to convince the bank (or even most security 'experts') that your bank account was broken into even though you were using a read-only LiveCD from a clean boot, visited the bank site first from a clean link, and did not supply your details to any other site?
Simple rule of thumb - It's broken. All of it.
Security is hard work. It sucks that you need to become an expert across multiple domains in order to even comprehend how emerging blended attacks work, let alone how the vulnerabilities being discovered even exist. What is needed is a fresh approach to Information Security, but that is an argument for another day (you could always contact me if you want the rest of the argument).
Security is a state of mind. It's like being secure in a high crime neighborhood. You do what you can to mitigate the risk. And you're prepared to write off what you lose. Those circumstances are exactly the same on the internet. If someone really has a grudge and knows the arts of hacking, it's awfully hard to prevent damage. This is exactly the sort of thing we experience every day on the highways.
The amazing thing is that there are so few incidents of road rage. And it is similarly amazing that the Internet is no worse than it is.
Keep in mind, any country discovered allowing their Red Teams loose on another country's assets is risking some severe sanctions. E-mail has been blocked from ISPs who do not exercise reasonable spam controls. I expect that pretty soon we'll see trusted logging software which is designed to provide a traceable account of what happened. This won't prevent attacks. But it will allow investigators to figure out where the attacks came from. If people think they'll get discovered, I believe they'll behave far better than what we have seen thus far.
It's the wild west right now, however. And in those days it was often hard to tell who was more corrupt: the enforcers, or the perpetrators. Just as a neighborhood watch can help mitigate crime in certain rough neighborhoods, a few country to country logging alliances might make a big difference here.