Living In an Unsecured World

GhostX9 writes "Charlie Miller, Accuvant Principal Research Consultant and keynote speaker at NATO's recent International Conference on Cyber Conflict, speaks with Alan Dang of Tom's Hardware about living in an unsecured world. He goes over his recent MacBook battery exploit and the challenges of computing security in the upcoming future. Quoting: '[W]hat we can do (and this is the approach the industry is sort of taking) is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers. ... The way we make it more difficult is to reduce the number of vulnerabilities and ensure users' software is up to date and "secure by default." Also, make the OS resilient to attack with things like stack canaries, ASLR, DEP, and sandbox applications so that multiple exploits are needed. We also need to better control the software loaded on our devices (i.e. Apple's App Store model). So, instead of having to write a single exploit, it takes three or four in order to perform an attack. This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out.'"

Unsecured world?

[Archangel+Michael]

When, if ever, has the world been secure?

Mankind is flawed, you cannot patch this flaw. You can only mitigate the flaws.

Re:Unsecured world?

[Archangel+Michael]

Targeting Humans (flawed) is the quickest and easiest way to exploit a system. This is Mitnick 101. It is why Nigerian scams and click loaded malware works, even to this day.

... like Apple's App Store model

[E+IS+mC(Square)]

No Thanks.

Re:Fundamental design flaw

[oztiks]

switch to openbsd :)

One word: Chromebook!

[kurt555gs]

I love mine and know it is secure by the simple reason that no one has sold enough to make it a worthwhile target.

Re:The sky is falling?

[Ironchew]

A vulnerability we should have to deal with no longer!

Sincerely,
The Year of Linux on the residential exterior

Very well.

[Microlith]

So long as said security doesn't inhibit my ability to use my machine entirely as I wish, and doesn't treat me as an enemy as well.

Re:The sky is falling?

[Baloroth]

A vulnerability we should have to deal with no longer!

Sincerely, The Year of Linux on the residential exterior

This is /. I'm guessing most people here already don't have windows. Basements rarely do.

Like The Old Joke

[SchMoops]

This reminds me of the old joke:

Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"

In that sense, all the security any given person needs is just not to be low-hanging fruit.

Re:Fundamental design flaw

[ozmanjusri]

Windows Computers weren't designed for security. They still aren't.

FTFY

This Is The Wrong Way, Period.

Yep with capitals on every word.

So you see every security researcher and their friend claim how good it is to have long, strong unremembered passwords for each of your 1000 services.
They also want to have a million software work-arounds to manage flaws in the current software and operating system design. Such as ASLR, canaries, what not - then make your believe your system is, I quote again, RESILIENT. Nothing less! Your OS fights back for you and has multiple layers of security! (which usually are all bypassed in one go.. sometimes 2 go.)

That's a lot of nice words. Slashdot readers should know by now that while all these features are integrated in all modern OS (yay Lion now has real ASLR...) it doesn't stop attacks at all, and barely makes the exploits code longer to figure out.

These people have had their mind programmed to think a certain way and they do think, since "security is a process" that it's the correct way to secure software in the future. Well, it looks pretty bad and full of holes doesn't it? Pretty crappy security if you ask me, even if that's way better than 10 years ago.
They've been programmed that way because many fear that their job and their precious antivirus software would be less relevant if the flaws were fixed. Oh I can't tell you how much hate posts such a statement generates. It's like saying 'Chrome sucks because there's Google behind it and they want your data' you know. The truth too many don't like to hear and will close their eyes as if nothing was going on

There is, and there are however true alternatives. It involves rewriting from scratch the current OSes to fix the design flaws.
Actual, real OS programmers know this very well. Even the people behind UNIX knew that and rewrote it, and called it Plan9 (which died for other reasons).
Even Microsoft knows that and wrote Singularity as well as Midori. Even Open source OS programmers know that and made their little spin offs.

Those OS are by design very secure (even if the 'nothing is 100% secure' still stand true). Every app is sandboxed in it's own memory space. Every driver too and kernel components too. The memory has automatic reference counting and garbage collection, and there is also no way to provoke overflows and any attack of that class. The core assembly is typed to avoid type errors leading to exploits in the core kernel. Its also kept very, very small as are all the critical sections.

All the message passing between the apps, the apps to the kernel, the driver to the kernel and so on go through a special, ultra fast messaging system and it is the sole and unique vector for communication and thus attacks. Every message is verified and must match a predetermined contract to pass through. The contract describe the kind of data with precision. No more injection of bad data. Not only that but the kernel overhead is actually lower than Windows, OSX or Linux and the apps actually run faster.

And there's a whole lot more. With today's computer speed we will be able to afford running those new OSes while running legacy apps in emulation mode.
Besides many applications being written into portable languages such as JS this will be less of an issue.

Re:This Is The Wrong Way, Period.

[SecurityTheatre]

Well, considering that remotely-exploitable network-stack-level overflow vulnerabilities are almost completely gone, either the programming techniques have improved, or these technologies are helping.

I would like to point out that the pervasive attitude at Sony seemed to be one of "well, nothing is perfect, so we don't need to spend too much money doing our best".

On the other hand, building a secure OS from the ground up IS the right approach, and I'm sure Mr Miller would agree, but, the simple fact is that IT WONT HAPPEN (yes, all caps). Functionality is the driver, not security. Security necessarily has to be an afterthought, simply for the business reality that many people approach the problem in the same vein as the recent post about iPads "consumerizing" IT. Business people still pay the bills.

So we take these approaches at making *Better* securityu out of commodity products, rather than deconstructing everything and coming up with a completely new model that is places security first.

Remember, too, that thus far, the high end pulls the low end along. So those people who need bleeding edge performace, be it database administrators, gamers, 3d modeling, etc... they tend to drag the desktop market around in terms of technology and software support, so you have to find a model to appease them and their needs in order to have your mythical "secure OS" project get off the ground.

Re:Fundamental design flaw

[ifiwereasculptor]

Computers weren't designed for security. They still aren't. We shouldn't feel bad though, 'god' didn't do much better.

A lot of Apple fans will disagree with that last part.

Re:He's mentioned everything except

[airfoobar]

Unfortunately, that's not how security works. If the users don't know what they're doing, their systems are insecure no matter how much security you build into them.

Re:Stop makeing us change passwords each month or

[SecurityTheatre]

Listen, I do computer security audits and penetration testing and we break into 90% of the companies we attempt to break into. The simple fact is that password complexity and password changes is probably the #3 biggest risk in the enterprise, aside from simple patching and configuration/hardening issues.

Through a combination of techniques, we are able to obtain password hashes of various values. Frequently these are cached values. If you've ever logged into a windows workstation on a domain, your password is stored in a cached hash format on the system and that's what we consider a high value find, because we can run those through crackers very quickly to determine the result. Frankly, the first password you supplied is reasonably strong and would take a few days to crack if your attacker/tester was relatively skilled, the second would be picked up in the first pass after only about 10 minutes of a decent cracking system.

Changing passwords is an important part of keeping these caches from persisting in the long term. I can often tell how often password changes are forced, by looking at the number of valid cached credentials we obtain on the first batch of penetrated systems. Shops that require frequent password changes mean that 60-80% of our cracked cached credentials are going to be invalid (but we will see if there is an obvious pattern, like incrementing the digits by 1). Often we only get one set of valid credentials per machine, and it's for the user of that machine, which is almost inconsequential, since we could impersonate him anyway with the domain security tokens. But in a place with no password changes, or those that happen less than every 3 months or so, the value of those cracked credentials increases greatly.

Since security is a game of layering protections, it seems a rational thing to do. I recommend 60 days, rather than 30 days, however, just simply for the convenience.

Several design issues with hardware and software.

[master_p]

The problem of seccurity starts with CPUs, goes through the operating system and programming languages, and ends up to the communication standards.

The problem with CPUs is their horrible security model: it is either user or kernel mode for an application, there is no other security mode. This means that once an app is compromised, and foreign code is executed, all sorts of nasty things can be done. A more finegrained CPU security model would offer much better security, allowing software components withihin the same process space to coexist without affecting each other.

The problem with operating systems is that their security model is based, again, on the guest/administrator model, i.e. it is actually the same security model as the one used by the CPUs. A better security model would allow software that communicates with the outside world to run with less privileges than the user, thus saving the user from being compromized when malicious code. Furthermore, operating systems resources are not virtualized for the user, requiring access to administrator rights for jobs that could not require such rights.

The problem with programming languages is that the most used programming languages for system programming are too open for abuse. I am talking about C/C++, of course. Take Windows, for example: hundreds of buffer overflows bugs, because C does not do bounds checking on arrays. If C was designed with safety first, performance second, and made checked array access the default, and unchecked array access explicit, less security issue would exist.

Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so. The encryption support cost would have been minimal by now, as with all technologies that start expensive and get cheap as they are massively produced.