Living In an Unsecured World
GhostX9 writes "Charlie Miller, Accuvant Principal Research Consultant and keynote speaker at NATO's recent International Conference on Cyber Conflict, speaks with Alan Dang of Tom's Hardware about living in an unsecured world. He goes over his recent MacBook battery exploit and the challenges of computing security in the upcoming future. Quoting: '[W]hat we can do (and this is the approach the industry is sort of taking) is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers. ... The way we make it more difficult is to reduce the number of vulnerabilities and ensure users' software is up to date and "secure by default." Also, make the OS resilient to attack with things like stack canaries, ASLR, DEP, and sandbox applications so that multiple exploits are needed. We also need to better control the software loaded on our devices (i.e. Apple's App Store model). So, instead of having to write a single exploit, it takes three or four in order to perform an attack. This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out.'"
When, if ever, has the world been secure?
Mankind is flawed; you cannot patch this flaw. You can only mitigate the flaws.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I wonder if he has windows in his home. That's a terrible vulnerability that we have endured for centuries and somehow civilization survives.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Three or four exploits is one exploit. Unless your solution scales exponentially, it's bullshit.
No Thanks.
This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out
So the theory is that making systems harder to hack will dissuade hackers, thus making all computers secure forever. It's too bad this is such a novel theory and no one's ever tried to harden existing systems against hacking; otherwise we might have some empirical evidence to support his plan.
Oh what's that? The entire history of hacking is one of ever more elaborate and clever security precautions being overcome by ever more elaborate and clever hackers? One side cannot ever declare victory and rest on its laurels? It's an arms race, you say?
How very exciting!
It breaks my pluginses, my precious!
switch to openbsd :)
I love mine and know it is secure by the simple reason that no one has sold enough to make it a worthwhile target.
* Carthago Delenda Est *
Not necessarily. It means actually spending money to do QA, uniting developer teams, using fuzzing to explore hacking your own code, and low-hanging-fruit examinations of your code. For a long time, certain OS versions just didn't do any of that.
Operating systems were designed for geeks, not civilians. Civilians have money; so the scammers wrote exploit code for profit. Child's play script kiddy junk. Real coders got involved and went for bigger money. Now it's out of control, and Anonymous and LulzSec make fools out of people that were sitting fat and pretty because they bought the "cure" after a golf game. Now they're twitching.
Windows has vulnerabilities, but a huge war chest. If they'd spent part of that war chest on real design and security, it would be a smaller war chest. The same goes for Apple (let the fanbois begin) as the latest APNC exploit was just fixed for iOS. The problem is: it's not expensive, it's process control and design and testing, grunt work that no one wants to do, because they too want: profits. When love of the art is involved, and Darwinian results are in the mix, you get a Linux or BSD or Solaris, all three of which are vastly more solid than the competition. That's what it takes, the ethics of doing it right.
---- Teach Peace. It's Cheaper Than War.
So long as said security doesn't inhibit my ability to use my machine entirely as I wish, and doesn't treat me as an enemy as well.
This reminds me of the old joke:
Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"
In that sense, all the security any given person needs is just not to be low-hanging fruit.
Linux does not have the market share either.
The other reason is you hardly ever load software onto it. The other problem with your theory though is chrome (browser) has a massive (relative to Linux) market share, I wonder how long it will be before a persistently open tab could become an "attack vector".
FTFY
"I've got more toys than Teruhisa Kitahara."
Yep with capitals on every word.
So you see every security researcher and their friend claim how good it is to have long, strong unremembered passwords for each of your 1000 services.
They also want to have a million software work-arounds to manage flaws in the current software and operating system design. Such as ASLR, canaries, whatnot - then make you believe your system is, I quote again, RESILIENT. Nothing less! Your OS fights back for you and has multiple layers of security! (which usually are all bypassed in one go.. sometimes 2 go.)
That's a lot of nice words. Slashdot readers should know by now that while all these features are integrated in all modern OSes (yay Lion now has real ASLR...) it doesn't stop attacks at all, and barely makes the exploit code longer to figure out.
These people have had their minds programmed to think a certain way and they do think, since "security is a process", that it's the correct way to secure software in the future. Well, it looks pretty bad and full of holes, doesn't it? Pretty crappy security if you ask me, even if that's way better than 10 years ago.
They've been programmed that way because many fear that their job and their precious antivirus software would be less relevant if the flaws were fixed. Oh, I can't tell you how many hate posts such a statement generates. It's like saying 'Chrome sucks because there's Google behind it and they want your data', you know. The truth too many don't like to hear, and they will close their eyes as if nothing was going on.
There are, however, true alternatives. It involves rewriting the current OSes from scratch to fix the design flaws.
Actual, real OS programmers know this very well. Even the people behind UNIX knew that and rewrote it, and called it Plan9 (which died for other reasons).
Even Microsoft knows that and wrote Singularity as well as Midori. Even Open source OS programmers know that and made their little spin offs.
Those OSes are by design very secure (even if the 'nothing is 100% secure' still stands true). Every app is sandboxed in its own memory space. Every driver and kernel component too. The memory has automatic reference counting and garbage collection, and there is also no way to provoke overflows or any attack of that class. The core assembly is typed to avoid type errors leading to exploits in the core kernel. It's also kept very, very small, as are all the critical sections.
All the message passing between the apps, the apps to the kernel, the driver to the kernel and so on goes through a special, ultra-fast messaging system, and it is the sole and unique vector for communication and thus attacks. Every message is verified and must match a predetermined contract to pass through. The contract describes the kind of data with precision. No more injection of bad data. Not only that, but the kernel overhead is actually lower than Windows, OSX or Linux, and the apps actually run faster.
And there's a whole lot more. With today's computer speed we will be able to afford running those new OSes while running legacy apps in emulation mode.
Besides, with many applications being written in portable languages such as JS, this will be less of an issue.
Start by taking the time to do a non-rush job and do a lot more QA / testing. Usability testing needs to be done as well.
Auto testing can help, but it does not cover all things / leads to coding to pass the test, missing the stuff that the test does not cover.
I am a firm believer that when we came up with the concept of zero tolerance we were in trouble. Life is shades of grey; some more white, some more black, never just black or white. If we lose the ability to take care of ourselves, we lose our ability of self-determination, a.k.a. freedom. We are in trouble...
Stop making us change passwords each month or less and cut back on the password rules. Ti5@j0ke is way to pass without needing to use a Post-it, and next month it's P@ssw0rd2!
educating the fucking users, which is the most glaring and most fundamental security hole there is. Make sure the users know they need to keep the PCs and anti-viruses updated, make sure they know how, make sure users know not to run untrusted programs, make sure they know what counts as a program (screensavers, plugins, installers... we know but they often don't), make sure they don't insert a USB stick they found in the street, if their PC has an instant-on OS option make sure they use that to do their banking instead of their main OS, if there are grandmas out there using Windows for no good reason try and get them to switch to another OS, teach users to recognise suspicious behaviour and ask for help... need I go on?
Computers weren't designed for security. They still aren't. We shouldn't feel bad though, 'god' didn't do much better.
A lot of Apple fans will disagree with that last part.
As much as I like BSD and use Linux, it's not inherently any more secure in that respect. Somebody does still need to go through the code and audit it. And not just one somebody, really a whole team of somebodies doing it regularly.
In practice though, I've never worried about software that I install in that respect because I have means of securing the system beyond just trusting my sources.
Computers weren't designed for security. They still aren't. We shouldn't feel bad though, 'god' didn't do much better.
Modern ones maybe not. Many older ones, back when a big buyer was the military, and some smaller ones still designed for such areas, are. What we have now is an upgraded micro-controller architecture with security bolted on the back. The problem isn't that we don't know how to do security much better. The problem is that nobody who's building the systems cares enough.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
There's also the issue that security is annoying. Whether it's changing your password monthly or something non-IT related like checking badges at the lobby, security is a pain in the ass, and a lot of people would rather install the security infrastructure and then bypass it. Hell Feynman used to tell the story of the general at Los Alamos who ordered a zillion dollar uber-safe to store the secrets of the bomb in, and then never bothered to change the factory combination.
One reason UAC and the other recent ideas don't work is because they bug the shit out of the end user. Windows is especially annoying because when it decides it needs admin approval to do something, it pops up a dialog, and *locks the rest of the system from doing anything until you handle the question.* That's asinine. Lock the program in question from doing anything, but don't stop the video I have going in the second monitor. Stupid little irritants like that make me want to turn that crap off, and I know better. Most users wouldn't hesitate to make their system stop pissing them off on a daily basis.
"I disagree with you" does not equal "flamebait."
The efforts to improve Internet security are simply being outpaced by the rate of new technology implementations. The Internet has been one gigantic Rube Goldberg construct since the beginning. Trying to provide security while maintaining backwards compatibility is creating security nightmares. Any large-scale and meaningful security improvements would require a wholesale abandonment of past security methodologies, and replacing that security infrastructure would be extremely expensive and would cause incompatibilities that would almost render the Internet useless. Just look at the amount of work required for implementing IPv6. This is only one aspect of the Internet core requirements. Everyone from ISPs, OS developers, and application developers across all platforms will be affected. We certainly know how to create very secure systems, but unless we are willing to start over from scratch and abandon any backwards compatibility, the chances of creating a more secure Internet are doubtful in the extreme.
Is that how it goes?
Listen, I do computer security audits and penetration testing and we break into 90% of the companies we attempt to break into. The simple fact is that password complexity and password changes are probably the #3 biggest risk in the enterprise, aside from simple patching and configuration/hardening issues.
Through a combination of techniques, we are able to obtain password hashes of various values. Frequently these are cached values. If you've ever logged into a Windows workstation on a domain, your password is stored in a cached hash format on the system, and that's what we consider a high-value find, because we can run those through crackers very quickly to determine the result. Frankly, the first password you supplied is reasonably strong and would take a few days to crack if your attacker/tester was relatively skilled; the second would be picked up in the first pass after only about 10 minutes of a decent cracking system.
Changing passwords is an important part of keeping these caches from persisting in the long term. I can often tell how often password changes are forced, by looking at the number of valid cached credentials we obtain on the first batch of penetrated systems. Shops that require frequent password changes mean that 60-80% of our cracked cached credentials are going to be invalid (but we will see if there is an obvious pattern, like incrementing the digits by 1). Often we only get one set of valid credentials per machine, and it's for the user of that machine, which is almost inconsequential, since we could impersonate him anyway with the domain security tokens. But in a place with no password changes, or those that happen less than every 3 months or so, the value of those cracked credentials increases greatly.
Since security is a game of layering protections, it seems a rational thing to do. I recommend 60 days, rather than 30 days, however, just simply for the convenience.
Of course, it makes sense that a security consultant would want to centralize security even more. He would profit from such centralization, but he wouldn't profit from ensuring that we get better security.
In my opinion, computer security should be approached just like a public health issue. We should teach people good computer hygiene, just like we teach people about proper personal hygiene. Granted, this approach is not going to solve every problem, and this educational effort would have to be never ending, but I don't think there is any way around that.
We need to start teaching good computer hygiene courses in schools. And for the generations that are already out of school, we need to create ways to get them to catch up to the kids we educate on this subject. For this to really work, everyone needs to learn about proper computer hygiene. Not just the office worker, or IT personnel, but the janitor, the big-shot CEO, the stay-at-home wife, the unemployed, and even grandpa/grandma. The burden of good computer hygiene simply cannot be pawned off onto someone else anymore.
And this goes for the people that are going to teach our kids (or teach us) about good computer hygiene, we can't let security firms, manufacturers, ISPs, software vendors, or even content providers, teach our kids about proper security. We need to start taking responsibility for this ourselves. The industry does not teach, it obfuscates. That's a big part of how it makes money. And letting them teach our kids about good computer hygiene would only lead to too many conflicts of interests. That's why we need to do this ourselves.
And I say "computer hygiene", but we should probably call it something else. The term "computer" is not enough these days to convey every type of security problems we should be teaching our kids (or ourselves) about. There is social engineering, which can be very low tech. And there are many more types of powerful computing devices, that can still have problems, but that we do not specifically call computers anymore.
UAC is not a security feature. Improving its interface and security simultaneously would be simple by just automatically answering all questions with "no". Doing that "securely" would mean giving the user / administrator a set of instructions for which privileges need to be given to the application at the beginning, which is precisely what is too complicated.
One curious part of the interview is when Alan Dang writes: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
This is incorrect: many banks sell "virtual" credit card services: these CC numbers work only for one purchase, so users can protect themselves.
But the sad part in this case is that it's the security-conscious users who pay the cost of the protection against hackers, not Sony and the other stupid companies storing credit card numbers on unsecured servers.
The problem of security starts with CPUs, goes through the operating system and programming languages, and ends up at the communication standards.
The problem with CPUs is their horrible security model: it is either user or kernel mode for an application, there is no other security mode. This means that once an app is compromised, and foreign code is executed, all sorts of nasty things can be done. A more fine-grained CPU security model would offer much better security, allowing software components within the same process space to coexist without affecting each other.
The problem with operating systems is that their security model is based, again, on the guest/administrator model, i.e. it is actually the same security model as the one used by the CPUs. A better security model would allow software that communicates with the outside world to run with fewer privileges than the user, thus saving the user from being compromised when malicious code is run. Furthermore, operating system resources are not virtualized for the user, requiring access to administrator rights for jobs that could not require such rights.
The problem with programming languages is that the most used programming languages for system programming are too open for abuse. I am talking about C/C++, of course. Take Windows, for example: hundreds of buffer overflow bugs, because C does not do bounds checking on arrays. If C was designed with safety first, performance second, and made checked array access the default, and unchecked array access explicit, fewer security issues would exist.
Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so. The encryption support cost would have been minimal by now, as with all technologies that start expensive and get cheap as they are massively produced.
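An added illustration, written for this page in C and not taken from the comment above or from any real library, of the "checked by default, unchecked explicit" array access the poster argues for. The bounded_buf type and its buf_* functions are hypothetical names; the 16-byte input and sentinel values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer type: the length travels with the pointer, so every access can be checked.
 * The plain-C pattern it replaces is  char dst[8]; strcpy(dst, input);  which writes past dst
 * whenever input is longer than 7 characters. */
typedef struct {
    uint8_t *data;
    size_t len;
} bounded_buf;

/* Checked store: the default form. Refuses instead of touching memory outside [0, len). */
bool buf_set(bounded_buf *b, size_t idx, uint8_t value) {
    if (b == NULL || b->data == NULL || idx >= b->len) {
        return false;
    }
    b->data[idx] = value;
    return true;
}

/* Checked load: same contract; the value goes through out so a failure cannot be mistaken for data. */
bool buf_get(const bounded_buf *b, size_t idx, uint8_t *out) {
    if (b == NULL || b->data == NULL || out == NULL || idx >= b->len) {
        return false;
    }
    *out = b->data[idx];
    return true;
}

/* Checked string copy: stores at most len-1 bytes, always NUL-terminates, reports truncation.
 * *copied receives the number of payload bytes written (excluding the NUL). */
bool buf_copy_str(bounded_buf *b, const char *src, size_t *copied) {
    if (b == NULL || b->data == NULL || src == NULL || b->len == 0) {
        if (copied != NULL) *copied = 0;
        return false;
    }
    size_t room = b->len - 1;
    size_t n = strlen(src);
    size_t take = n < room ? n : room;
    memcpy(b->data, src, take);
    b->data[take] = '\0';
    if (copied != NULL) *copied = take;
    return take == n;
}

/* Unchecked load: the explicit opt-in. The name makes it stand out in review, and the caller
 * takes responsibility for idx < len. */
static inline uint8_t buf_get_unchecked(const bounded_buf *b, size_t idx) {
    return b->data[idx];
}

/* Demo: a constructed 16-byte input against an 8-byte buffer. Returns the payload bytes actually
 * stored (7) when truncation was reported, or -1 if the copy wrongly claimed success. */
int demo_truncated_copy(void) {
    uint8_t storage[8];
    bounded_buf b = { storage, sizeof storage };
    const char *input = "AAAAAAAAAAAAAAAA";
    size_t n = 0;
    bool fit = buf_copy_str(&b, input, &n);
    return fit ? -1 : (int)n;
}

/* Demo: an off-by-one store at index len is refused and the neighbouring byte stays intact.
 * Returns 1 on the expected outcome, 0 otherwise. */
int demo_oob_store_refused(void) {
    uint8_t storage[9] = {0};         /* storage[8] plays the adjacent variable */
    bounded_buf b = { storage, 8 };   /* the buffer only owns the first 8 bytes */
    storage[8] = 0x5A;                /* sentinel in the "neighbour" */
    bool stored = buf_set(&b, 8, 0x41);
    return (!stored && storage[8] == 0x5A) ? 1 : 0;
}

int main(void) {
    printf("truncated copy stored %d bytes\n", demo_truncated_copy());
    printf("out-of-bounds store refused: %s\n", demo_oob_store_refused() ? "yes" : "no");
    uint8_t storage[4] = {1, 2, 3, 4};
    bounded_buf b = { storage, sizeof storage };
    printf("explicit unchecked read of index 2: %u\n", buf_get_unchecked(&b, 2));
    return 0;
}
```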
it's not inherently anymore secure in that respect
It isn't and it even introduces a single point of maximum vulnerability (1. crack the repo, 2. ???, 3. profit!). However, compared to having to hunt for programs on-line it is inherently more secure. You might take your programs from download.cnet but all they do is run a virus scanner. A recent article about 'open source' software being bundled with malware makes me glad I can do apt-get install with less worry.
"I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
If the app store is the best model they can think of, then time to hand in the fricken geek badge.
They could have proposed an even more restrictive model, namely that of video game consoles. One can't even get started developing for a console unless affiliated with an established company with "industry experience" (that is, having already published a commercial game on another platform).
No, more like the Linux RPM/Deb model that's only been around for... what? a couple of decades? And which offers far better prices, control and access to the market.
If by "far better prices" you mean zero as the only available choice, then how are people supposed to cover the cost of developing high-quality video games or tax preparation software?
Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so.
In the system you propose, how would each party know the other's key?
In a world without MSWindows, who needs MSWalls?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Almost all major distros have audit processes of some sort. That's the only reason we have not already seen rogue engineers introducing trojans directly into the kernel and/or tools.
They could be better, but we need more guys like Theo DeRaadt to lead the audit teams, which presents a sort of dilemma.
There's also the issue that security is annoying. Whether it's changing your password monthly or...
I've never understood why "change your password monthly" has become the poster child for security advice most often mandated by IT departments. On the list of things to make security stronger, this wouldn't even be in the top one hundred, and in fact, I suspect frequent password changes make security weaker.
("Never use the same password on two different systems" would have been my number one choice for advice.)
http://www.geoffreylandis.com
Actually, paraphrasing the great line from Soylent green, "Chrome OS is made of SUSE"!
So, it is Linux. It just has anything not needed removed and all the ports not needed locked up. It's prolly very secure in its own right.
I had a Samsung Galaxy Tab 7", and replaced it with the Chromebook. It is great as an internet appliance with a real keyboard.
I've always thought it was a butt-covering method. "Yeah, we had a data breach but we're taking proper security measures. We make them change their password every month!"
You're right - it makes it less secure. Everyone at my office writes their pw down and stores it somewhere around their desk.
Actually, believe it or not it is based on Gentoo - at least the package management aspects are. The end-user experience is pretty appliance-ish.
One thing going for Chrome is the fact that it uses secure boot, so that greatly limits attack vectors, and if you do manage to get temporary control the next OS upgrade is going to fix that, unless you manage to somehow block those (and that will be even harder to do without tripping the signature checks). And, it is pretty trivial to re-image in the absolute worst case (push a button and insert a USB drive - re-provisioning takes 2 minutes and your settings/apps get completely restored on first login). There is an app you can download to make the rescue drive, and Google is looking to make it possible to create it from chrome.
On the other hand if you can root a phone chances are you'll be able to root chrome - nothing is perfect. However, compared to the typical general-purpose OS it is fairly secure.
And doesn't everyone just increment their monthly password? Basepassword!1, Basepassword!2, Basepassword!3, etc.
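An added example (not from any commenter in this thread) of a check a password-change handler could run to refuse exactly the increment pattern described above, while it still has the old and new values in hand. The function names are assumptions and the history list is constructed sample data reusing the values quoted in the thread.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the password once the trailing "counter" is stripped: digits and the punctuation
 * people bolt on to satisfy complexity rules. "Basepassword!2" stems to "Basepassword". */
static size_t stem_length(const char *pw) {
    size_t n = strlen(pw);
    while (n > 0) {
        unsigned char c = (unsigned char)pw[n - 1];
        if (!isdigit(c) && strchr("!@#$%^&*.-_", c) == NULL) {
            break;
        }
        n--;
    }
    return n;
}

/* True when new_pw is old_pw with only that trailing counter changed (or not changed at all),
 * compared case-insensitively so "summer1"/"Summer2" is caught too. */
bool is_trivial_rotation(const char *old_pw, const char *new_pw) {
    size_t a = stem_length(old_pw);
    size_t b = stem_length(new_pw);
    if (a != b) {
        return false;
    }
    for (size_t i = 0; i < a; i++) {
        if (tolower((unsigned char)old_pw[i]) != tolower((unsigned char)new_pw[i])) {
            return false;
        }
    }
    return true;
}

/* Replays a sequence of monthly changes and counts how many were only counter bumps. */
int count_trivial_rotations(const char *const *history, size_t n) {
    int flagged = 0;
    for (size_t i = 1; i < n; i++) {
        if (is_trivial_rotation(history[i - 1], history[i])) {
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample history built from the values quoted in the thread. */
const char *const SAMPLE_HISTORY[] = {
    "Basepassword!1", "Basepassword!2", "Basepassword!3", "Ti5@j0ke", "P@ssw0rd2!"
};
enum { SAMPLE_HISTORY_LEN = 5 };

int main(void) {
    for (size_t i = 1; i < SAMPLE_HISTORY_LEN; i++) {
        printf("%-16s -> %-16s %s\n", SAMPLE_HISTORY[i - 1], SAMPLE_HISTORY[i],
               is_trivial_rotation(SAMPLE_HISTORY[i - 1], SAMPLE_HISTORY[i]) ? "REJECT" : "ok");
    }
    printf("%d of %d changes were counter bumps\n",
           count_trivial_rotations(SAMPLE_HISTORY, SAMPLE_HISTORY_LEN), SAMPLE_HISTORY_LEN - 1);
    return 0;
}
```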
In order to avoid man-in-the-middle attacks, a solution like verifying the other party's public key by a different route could be used.
I can think of three sorts of "different routes", none without drawbacks:
The problem with CPUs is their horrible security model: it is either user or kernel mode for an application, there is no other security mode.
Wrong. The x86 architecture alone has numerous rings. Five I think? No mainstream kernels use more than two of those rings.
The problem with programming languages is that the most used programming languages for system programming are too open for abuse. I am talking about C/C++, of course. Take Windows, for example: hundreds of buffer overflow bugs, because C does not do bounds checking on arrays. If C was designed with safety first, performance second, and made checked array access the default, and unchecked array access explicit, fewer security issues would exist.
C is just a tool. How a tool is used is a methodology. The tool is not at fault, the methodology is. Even with a good methodology, you just cannot have morons at the console writing the code. I know, business owners dream of a world where they can have low-cost interchangeable morons writing code. That is not going to ever happen (reliably).
Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so. The encryption support cost would have been minimal by now, as with all technologies that start expensive and get cheap as they are massively produced.
I think Phil Zimmermann is the name of a guy you should talk to. Working with encryption has been an extremely dangerous pastime in a not-too-distant history. ITAR is the acronym you should specifically be looking for. One example: Windows 2000 shipped capable of doing 56-bit encryption (useless) due to ITAR. Once you proved you were in America, you could upgrade to 128-bit encryption.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
Thanks for revealing my password, you insensitive clod!
Active Directory cached credentials are salted. I've never seen RT files for anything other than the "administrator" account. It's a non-trivial hash.
But your point is valid.