Thursday, May 24, 2007

protecting data in use?

although lonervamp's blog entry on protecting data in use is not my first exposure to this concept, it does seem to be turning into a nucleation point for a discussion on the topic as both mike rothman and anton chuvakin have posted reactions to it...

for context's sake, usually when we're talking about protecting data we talk about protecting data at rest (which is when the data is residing in a data store/data repository/database) and protecting data in motion (which is when the data is traveling between the data store and an agent that consumes the data, be it a client application or a user of that client application, or potentially data traveling between 2 data stores)... when we're talking about protecting data in use then, we must necessarily be talking about data that has already reached the data consumer...

also, when we're talking about protecting data, we are at the very least talking about maintaining those properties of the data that are described in the CIA triad... but what specifically do we mean in the case of data in use? are we concerned about the data's availability to the data consumer once it's reached the data consumer? i would say no; in fact i would say that the data's availability at that point is not just a certainty, it's a tautology...

how about integrity then? surely we're interested in maintaining the integrity of the data once it's reached the data consumer? again i would say no... it is expected that the data consumer will transform the data in arbitrary ways (making integrity impossible to enforce) as part of the synthesis of new knowledge... we're interested in preventing the data consumer from writing corrupted data back into the data store, of course, but that isn't protecting the integrity of data in use, it's protecting the integrity of data at rest...

that leaves confidentiality... how many of you reading this think you can safeguard the confidentiality of data once it gets into someone else's hands?... we usually say that the genie is out of the bottle at that point, with the understanding that you can't put the genie back into the bottle... the technical preventative paradigm for protecting the confidentiality of data is access restriction, however you cannot restrict access to data in use as it is data to which access has already been granted... the notion that you can strictly control how the data is used by exclusively tying it to proprietary software and/or hardware is the very conceit at the root of DRM...

technical preventative controls that protect the confidentiality of data in use are impossible, but let me soften that a bit... i've heard it said that you shouldn't say "no", rather you should say "yes, but . . . ", and by being specific about technical preventative controls i have left myself room for a "yes, but . . ."... it is possible to protect the confidentiality of data in use by way of technical detective controls (i.e. audit logging or perhaps some clever user-specific watermarking) and/or administrative preventative controls (i.e. confidentiality clauses, termination policies, non-disclosure agreements, etc.)...

people are generally not satisfied with this, of course, because they naively expect technology to be able to solve their problems completely (despite the fact that technology is notorious for only ever providing parts of solutions)... it's also unsatisfying because detection takes work and administrative controls have less of an air of perfection about them (not that any control is perfect, of course)... regardless of their satisfaction, however, data in use is fundamentally and irrevocably data that can be misused because it is data that is in someone else's hands...
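to make the two technical detective controls named above concrete, here is an added example (not code from the original post) that issues each recipient a distinct, invisibly watermarked copy of a document, keeps a distribution log of who got what, and later attributes a leaked copy to its recipient... the server key, the document text and the recipient names are all constructed for the demo; zero-width characters are used as the carrier purely because they are easy to read in a short script, and the "scrubbed" case in demo() shows why that choice is fragile...

```python
"""Per-recipient watermarking plus a distribution log: a detective control for
data that has already reached the consumer. Added example, not from the post."""
import hashlib
import hmac

# Constructed demo key; a real deployment would pull this from a key store.
SERVER_KEY = b"constructed-demo-key"

# Invisible carrier characters appended to words: bit 0 / bit 1.
ZERO, ONE = "\u200c", "\u200b"   # ZERO WIDTH NON-JOINER / ZERO WIDTH SPACE
MARK_BITS = 32                   # bits of the recipient tag embedded per copy
MIN_READABLE = 24                # refuse to attribute if fewer bits survived

# Constructed sample document (must be at least MARK_BITS words long).
DOCUMENT = ("quarterly forecast draft: revenue is expected to grow in the second "
            "half as the new product line ships to regional partners, while "
            "operating costs stay flat and headcount remains unchanged; this "
            "draft is shared with named reviewers only and must not leave the "
            "company before the board has seen the final numbers")


def recipient_tag(recipient: str, key: bytes = SERVER_KEY) -> str:
    """Recipient-specific bit string derived with HMAC, so a recipient cannot
    compute (and plant) another recipient's mark without the server key."""
    digest = hmac.new(key, recipient.encode(), hashlib.sha256).digest()
    return "".join(f"{b:08b}" for b in digest)[:MARK_BITS]


def embed(text: str, recipient: str, key: bytes = SERVER_KEY) -> str:
    """Return a copy of text carrying the recipient's tag after its first words."""
    words = text.split(" ")
    tag = recipient_tag(recipient, key)
    if len(words) < len(tag):
        raise ValueError("document too short to carry the watermark")
    for i, bit in enumerate(tag):
        words[i] += ONE if bit == "1" else ZERO
    return " ".join(words)


def extract(text: str) -> str:
    """Read the carried bits back; a word whose carrier was stripped or edited
    away yields '?' rather than a guessed bit."""
    bits = []
    for word in text.split(" ")[:MARK_BITS]:
        bits.append("1" if word.endswith(ONE) else "0" if word.endswith(ZERO) else "?")
    return "".join(bits).ljust(MARK_BITS, "?")


def identify(leaked: str, candidates, key: bytes = SERVER_KEY, max_mismatch: int = 4):
    """Attribute a leaked copy to the candidate whose tag best matches the
    surviving bits; None if too few bits survived or nobody matches closely."""
    observed = extract(leaked)
    if MARK_BITS - observed.count("?") < MIN_READABLE:
        return None
    best = None
    for name in candidates:
        expected = recipient_tag(name, key)
        mismatches = sum(o != e for o, e in zip(observed, expected) if o != "?")
        if mismatches <= max_mismatch and (best is None or mismatches < best[1]):
            best = (name, mismatches)
    return best[0] if best else None


class DistributionLog:
    """Audit record of who received which document (the other detective control
    the post names). Attribution only searches recipients the log knows about."""

    def __init__(self):
        self.entries = []

    def issue(self, doc_id: str, text: str, recipient: str) -> str:
        self.entries.append((doc_id, recipient))
        return embed(text, recipient)

    def trace(self, doc_id: str, leaked: str):
        candidates = [r for d, r in self.entries if d == doc_id]
        return identify(leaked, candidates)


def demo() -> dict:
    log = DistributionLog()
    copies = {r: log.issue("forecast-q3", DOCUMENT, r) for r in ("alice", "bob", "carol")}
    # Leak 1: carol's copy after an editor dropped three of the carriers.
    damaged = copies["carol"].replace(ONE, "", 3)
    # Leak 2: bob's copy with every zero-width character normalised away.
    scrubbed = copies["bob"].replace(ONE, "").replace(ZERO, "")
    return {"intact": log.trace("forecast-q3", copies["alice"]),
            "damaged": log.trace("forecast-q3", damaged),
            "scrubbed": log.trace("forecast-q3", scrubbed)}


if __name__ == "__main__":
    print(demo())
```

the intact and lightly damaged copies are attributed to their recipients, while the scrubbed copy is not attributed at all; that last case is the whole point of the post: once the data is in the consumer's hands the control can only tell you after the fact who had it, and a consumer who normalises the text before passing it on defeats this particular carrier entirely, which is why the post files watermarking under detective rather than preventative controls...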

Monday, May 21, 2007

economics of 2 factor man-in-the-middle phishing

by now i would hope that most people reading this blog are aware that 2 factor authentication doesn't protect against phishing...

over on the symantec security response weblog, zulfikar ramzan concedes very much the same thing, that man-in-the-middle phishing can compromise even 2 factor authentication schemes, but puts it into a broader context and states that the 2 factor authentication still changes the economics of the attack and effectively makes it less profitable...

you see, the world of cybercrime is one where information is frequently bought and sold and the one-time passcodes generated by security tokens used in 2 factor authentication schemes are supposed to prevent your credentials from being traded like a black-market commodity... as such, the theory goes that the phishers, rather than having a salable good that they can pawn off on someone prepared to actually use the information, are only able to access the compromised account login sessions directly and so have to be prepared to get their money from the victims directly... this is a riskier proposition and therefore seemingly less valuable to the phishers...

although it may seem like the credentials the phisher captures are useless for resale, i'm not entirely convinced they are - credential re-use being what it is and with the heightened sense of security that the tokens offer, i'm sure those usernames and passwords will often be useful on sites other than the ones using the 2 factor authentication systems... moreover, i'm not convinced that the economics of the attack are changed as much as one might think, or that there isn't a comparable salable good to be offered here... if pornographers can monetize live video feeds of young women in various states of undress then i don't see why phishers can't sell real-time access to the login sessions they've compromised, perhaps even by setting up their customers as mirrors for the phishing page(s) and using load balancing to direct the appropriate proportion of phishing page requests to those customers' mirrors depending on how much the customer paid (and those customers could in turn resell the sessions in exactly the same way their provider sells them)...

2 factor authentication certainly changes the phishing landscape, but to say that it will reduce profitability assumes the bad guys can't innovate (which is a pretty bad assumption to make)... one simply has to imagine new ways to do things, and criminals are already familiar with imagining new ways to make money...

mcafee's allysa myers on the wildlist

ok, not literally listed on the wildlist (though, as a wildlist reporter i suppose technically she is), but rather discussing the wildlist and making a good point that i haven't seen made before...

i've mentioned the wildlist before, and once i even mentioned some of its limitations (such as not focusing on non-viral malware or the under-reporting of malware that is trivially removed by anti-virus software)... the limitations i mentioned before were pretty damning on their own, and should have been enough to make one question the relevance of the wildlist, but the point allysa myers made last week takes the cake...

the long and the short of it is that in the world of commercial malware the distinction between in-the-wild and zoo malware has been pretty much lost... unlike viruses back in the day, commercial malware doesn't get shelved once it's completed... it doesn't just get held up and studied like some intellectual novelty, or worn like a badge of honour amongst virus writers, commercial malware almost invariably gets deployed... that means people are going to encounter it in-the-wild (even if it never becomes widespread enough to make it to the wildlist)...

additionally, while myself and many others engaged in a protracted campaign to influence the vx community away from virus spreading and other behaviours that tended to lead to viruses finding their way into the wild, there is no real opening to do the same with the malware profiteers of today as there is no way (no work-around, no compromise that makes everyone happy) for them to achieve their goals without releasing the malware... so not only do they almost always release the malware now, they will continue to do so in the future...

so the question then becomes: if almost all malware is now going into the wild, what's the point of having a list of the malware in the wild? why bother continuing to make the distinction for such a subset if its complement is so insignificant? maybe commercial malware hasn't completely overwhelmed the non-commercial variety (yet) but when it does (and i believe it must) i suspect the wildlist will have finally outlived its usefulness...

Thursday, May 17, 2007

understanding the malware threat of pirated software

recently both symantec and sophos have come out with statements to the effect that pirated software represents a security risk to users' computers and/or identities...

i haven't seen anyone crying FUD about sophos' claims (at least not this time, maybe next time) but mitchell ashley had some choice words about symantec's claims and, while i think i've expressed myself well enough in the comments to that post, the existence of that post and that sentiment makes me think some explanations need to be made more pronounced than they would otherwise be as simple comments...

the basic premise is that pirated software might damage users' machines or steal their identities... the way this would happen would be that the pirated copy of the software would have some malware-type functionality added to it or perhaps even be completely replaced with malware...

the question is, is that a credible threat and is there a good reason to mention it? if the answer to either of those is no then claims like those made by symantec really would qualify as FUD...

one of the oldest safe-hex tips was to only get software from trusted/official sources... this was to counter the major malware vectors of the day, which were warez (pirated software), bulletin board systems, and floppy disks... i personally have encountered a number of people over the years who ran into problems with malware precisely because they didn't follow this safe-hex principle and while floppy disks and bbses are all but extinct now, the warez scene is still around (otherwise we wouldn't be talking about software piracy) and so is still a viable malware vector... it's not an accidental malware vector either, as numerous virus writers and virus spreaders have in the past demonstrated how rich with computer-using risk takers the warez scene is by targeting them and successfully spreading their malware... malware profiteers in today's commercial malware world would have to be short-sighted indeed to pass up such fertile and proven ground...

of course, in the specific case being referred to by symantec, the users weren't getting their software from some warez site (at least not to their knowledge)... they weren't engaging in obviously risky behaviour, but rather they were purchasing the software from commercial pirates fraudulently posing as authorized resellers...

now you may think that the fact that they're commercial pirates that are in it for the money obviates the conventional warez-associated risks but let's look at that more closely... just because they're in it for the money doesn't mean they don't have other motives... in fact, if you were a malware profiteer trying to deploy bots (for example), why not devise a social engineering ploy that involved bundling the bots with seemingly legitimate software and enjoy the added bonus that you'd need to charge your victims money in order to make the legitimacy of the software believable?... additionally some of the employees of the commercial pirate organization may be disgruntled enough to tamper with the software or it may get contaminated accidentally - it's not like commercial pirates care about their falsified reputation enough to enable strict quality controls, if something goes wrong they can just blame the actual vendor... speaking of which, the software the commercial pirate is selling may not have come directly from that actual vendor but instead from a warez site with all the associated risks but none of the transparency about those risks that would allow the customer to gauge their risk exposure accurately...

so the threat seems plenty credible to me but still you might wonder whether it's worth it to mention the risk if there haven't been any actual reports of anything bad in the pirated software... if you're thinking like this then i can only tell you that you're thinking like a victim... in my experience victims usually think things are safe unless something specifically says they aren't... if you don't want to be a victim you need to turn that around and (as i'm sure robin bloor, marcus ranum, and many other anti-virus detractors/whitelist enthusiasts would suggest) start considering all software to be inherently untrustworthy by default unless given good reason to think otherwise...

Saturday, May 12, 2007

how can you know who to trust?

there are a lot of conflicting messages out there concerning malware issues and so naturally one is faced with the question of who do you trust to give you the right information?... i'd like to say that this is an easy question to answer, particularly because i don't have a big problem separating the wheat from the chaff... however, the fact is that i've spent years honing that particular skill and, with numerous examples of everyone from ordinary users to security experts choosing either to listen to, or to be, people suffering from false authority syndrome, the evidence suggests that it's really not as easy as it ought to be...

with that in mind i thought i'd share my own mental processes on this subject in hopes that it might raise the bar, even if only a little bit... now i'm not going to just tell you to listen to the experts; for one thing that just shifts the onus on to how to figure out who's actually an expert or not, but also because that can be a little more exclusionary than it needs to be (for example, it excludes me, and if you shouldn't be listening to me then you should stop reading this)... here's what i am going to tell you, though - what to avoid and what to look for...

here's what you should probably avoid:
  • famous people / big names - being famous on its own doesn't make one smarter, it doesn't make one more accurate, more capable, or more in tune with the truth... fame is pretty much orthogonal to the truth...
  • the media - their power to elevate the audience is matched only by their failure to do so... their job, ultimately, is to make their content look better/more important/more interesting than it is in order to sell advertising and thus make money... there is no motivation for them to present the unmodified / unhyped truth...
  • vendors, or at least the marketing departments thereof - one need only search this blog for references to the term snake oil to see examples of why their words need to be taken with a grain of salt... marketing's interests are aligned with the company's interests rather than the public's interests...
  • experts in some other field - though many experts seem to not be aware of this fact, expertise is non-transferable... you could be a genius when it comes to networking but that doesn't mean you know the first thing about malware...
  • crowds - the wisdom of crowds is not universal, especially not where malware is concerned... in malware it usually turns into the wisdom of mobs, or digital maoism (to borrow a term from jaron lanier)...


all that being said, here are some of the things you should be looking for:
  • relevant (malware-related) credentials - this means some kind of significant experience that's relevant to the field; maybe it's professional experience, maybe academic, maybe something else, but relevant credentials are the first and probably most important thing you should be looking for when trying to decide whether someone knows what they're talking about in this field...
  • consensus with those who have credentials - just because someone doesn't appear to have credentials themselves, that doesn't mean they can't know a thing or two about the field... if what they say agrees with what those who do have credentials say then perhaps they do know something... this can be particularly significant when combined with past performance...
  • past performance - if someone is right (or appears to have been right) most of the time about the subject then there's a good chance they'll be right in the future too...
  • impartiality - all the credentials in the world won't matter much if someone has a vested interest that isn't aligned with the public's interests... the extent to which this matters depends a lot on the message; the easier it is to objectively and independently verify the information the person is giving, the less impact a vested interest can have...
  • does it make sense - there comes a point where you'll have gained enough knowledge of the field that the idea being presented will just click and you'll be able to judge the message itself rather than having to worry about whether the person sending it knows what they're talking about and is impartial...


nothing is foolproof of course, even being an expert yourself won't guarantee that you are only trusting the right people...

(and now that i've written this, i suspect that it can apply to fields other than malware as well)

Monday, May 07, 2007

do we really need bruce schneier?

there's a sacred cow in security, a living sacred cow by the name of bruce schneier... a cryptography expert, a squid enthusiast, and a self-proclaimed media whore, bruce schneier is one of the biggest names in security and he's asked if we really need the security industry...

according to bruce:
The primary reason the IT security industry exists is because IT products and services aren't naturally secure.
naturally secure? my reaction to those words is much like peter lindstrom's reaction, it seems to mean perfectly secure without 3rd party assistance (i.e. inherently invulnerable) but that's just absurd... i know perfect security is impossible, you know perfect security is impossible, and bruce better darn well know that it's impossible otherwise what good is he as a security expert?

his very next sentence reads:
If computers were already secure against viruses, there wouldn't be any need for antivirus products.
now here it's quite clear he's talking about perfect security against viruses... there's just one problem, viral susceptibility is inherent to general purpose computers - so long as you can share data and the device can do more than a handful of narrowly defined things it can support viruses... this has been known for over 2 decades, i've said it here many times in the past, i've even said it in the comments on bruce's own blog so it's not as if he's never been exposed to the idea...

a really telling quote is the following:
The whole IT security industry is an accident -- an artifact of how the computer industry developed.
this suggests that security is only needed because of accidents/mistakes that happen when designing and implementing systems... this is a fundamental assumption that few people in security these days seem to question... a vulnerability is often described as a flaw, mistake, or error in the code - but this is one of the most common misconceptions i see about the nature of vulnerability as it ignores the prospect of inherent vulnerability... everyone always says that things should be made secure from the beginning instead of bolting security on after the fact, but the only way to avoid needing to add security after the fact is if it was perfectly secure from the beginning and once again, that's just not possible, not just because it's so hard to avoid all possible mistakes but because some forms of vulnerability aren't the result of a mistake... take a website, for example - there can only ever be a finite amount of bandwidth available for hosting that website so it will always be possible for an attacker (or group of attackers) to use up all of that bandwidth irrespective of any mistakes in the website or webhost or network or browser or operating system or any other component even remotely associated with such an attack...

bruce wants to believe that eventually security will be folded right into the products (like the OS) and services (like the network connection) so that 3rd party security products become redundant... this is, at its heart, the logical conclusion to where the best-of-breed detractors see things going - after all, if security functionality is going to converge into single integrated products, it might as well converge right into the products that security is supposed to be protecting in the first place, right? unfortunately there will always be new and as yet unheard of attacks (and even existing attacks are not completely obviated by even the best security) so products and services can never be naturally secure and it will always be necessary to bolt on additional security after the fact...

so the question is, has bruce jumped the shark and do we need him badly enough that we'll follow...

Wednesday, May 02, 2007

the effectiveness of user education

amrit williams has a post up about how ineffective user education is... if you've read this blog for a while you probably know how i feel about user education already but i guess there's more to say than to just point to anecdotal evidence of it working in real life (amrit does that himself with the example of his mother)...

so which is it? technological 'solutions' or user education, nature or nurture, particle or wave, fate or chance - to paraphrase forrest gump, it's a bit of both...

amrit is right that user education isn't going to make things secure, but let's look at that again - nothing is going to make things secure, not user education, not technological controls, not even a combination of the two... security isn't a boolean property, it's a gradient, talking about making things 'secure' is pure sophistry as we should be talking about making things more secure than they are right now... don't let the great be the enemy of the good; since perfection is impossible anyways one must settle for simply making things better...

in that vein user education has a rather well defined place... security requires intelligent, context-sensitive decision making that just can't be hard-coded into the system... i understand and appreciate that people are hard to control and generally unreliable... i understand why security folks would want to ignore the user problem since they're trying to build reliable security... unfortunately, whether we like it or not, users are a part of the system and they're always going to be a part of the system - technology cannot be an island unto itself, technological controls are just tools and users need to know how to use those tools properly or the tools themselves will be ineffective (just as knowledge without good tools is also ineffective)...

neither user education nor technological controls can reach their full potential on their own, they need each other if we're to get the most out of our attempts to make things more secure - and unreliable though that might be, it's better than relying on either individually...