Apple vs Microsoft as a Malware Target.. Stop Saying Market Share..

This guest post from Haroon debunks some of the FUD that loiters around the Mac vs PC security argument.

Seen any security vendors playing to this in their product positioning?  If so, email fudalert@fudsec.com...

By Haroon Meer of SensePost [published with permission]

I really enjoy listening to Mac Break Weekly.. Leo Laporte is an excellent host and I would tune in just to hear Andy Ihnatko's take on the industry and the (possible) motivations behind certain players' moves (he is sometimes wrong, but always worth listening to). The only time things ever get a little cringe-worthy is when talk switches to malware and security (although both Andy and Leo for the most part have pretty reasonable, balanced views on it).

Disclosure: I am a Mac user, and love the hardware.. the fan-boyism that surrounds it, not so much..

Most security-savvy Mac users don't push the Invulnerable-Mac argument too much.. But it does lead to the follow-up "Once Mac gets more market share, we will hit the malware tipping point".. I don't think that this is how it will go down.. Here's my $0.002c on it.

One of the talks we gave at the recent ITWeb Security Summit was titled "One bad Apple".. The aim of the talk was to examine the truth/lies/FUD behind the security claims on both the fan-boy and hater ends of the spectrum.. I don't want to cover the whole talk here, but do want to touch on just a few of the current annoying red herrings that normally pop up in this discussion:

Vulnerability counts as a useful Metric

This argument has been had by many people far brighter than me, so I won't rehash it here. I think it's safe to say that since there isn't really a standard on what gets reported, very few vuln count reports end up comparing apples with apples. What I did pick on during the talk was that some people don't even bother trying to dress up the stats in a cloak of reasonableness. The table below was taken from ByteSize magazine, showing that Apple indeed had more vulnerability disclosures than Microsoft:

Vendors with the Most Vulnerability Disclosures (ByteSize - 3rd Ed. 2009)

Instead of muddying the water by asking what a 3.2% disclosure means, or by comparing Apple with Microsoft, you have to ask yourself if the table is really comparing Microsoft, with its software, hardware, *, against WordPress with its 60 000 lines of PHP code?

My suggestion there is that if we're going to use tables and charts, we should at least stick to the reasonable ones:

Malware defense

Of course the next topic that refuses to die is how Mac architecture pixie-dust prevents it from getting worms and viruses.. A quick check should clarify this.. The ILOVEYOU virus, which took Windows computers all over the world (and according to Wikipedia cost about $5.5 billion in damage), was a snippet of VBS that read your address book and mailed itself to your contacts (where it did the same). You can hack this up in Automator in seconds.. Same functionality completely..

Memory Corruption Attacks

In recent times, Microsoft has made huge leaps in terms of generic memory corruption protection mechanisms to minimize the effect of buffer overflow/memory corruption attacks. While Apple claimed to do the same with Leopard, they still trail Microsoft in this regard. The 3 points we covered:

  1. Non-executable Stack.
  2. Non-executable Heap.
  3. Address Space Layout Randomization.

(We cover these in more detail at an upcoming conference in July - but again, it's fairly well understood that OS X in its current form is only randomizing libraries, and that to get the benefit of ASLR, you need to be randomizing everything)

So if we are saying that Apple is just as vulnerable to ILOVEYOU, and even more vulnerable today than Windows to a Nimda or a Code Red, then what explains the fact that we don't see Macs getting owned on the same level as Windows?

The almost global answer is "Market share!". The belief that once more people are running macs, the big bad malware writers will start aiming at them.

If you look at the Netcraft web server survey (2003) you should notice that at the time that Nimda and Code Red were running around the Internet, IIS didn't have the lion's share of the webserver market either. Their lower market share didn't keep them safe then; why does it keep Mac users safer now?

The real market share difference

One of my guesses here is that we are looking at the wrong data for market share. What Microsoft does have over Apple is a bigger market share of developers..

Microsoft went out of their way to make sure that anyone and their dog could write code for their platform, that any idiot in the world could write an app for them, and many did. I suspect that if you consider that any group will have a proportion of people with evil intentions, then in part what we're seeing is just the percentage of the bigger pool.

Different user profiles

The other thing (although it sounds strange) is the question of user culture, which is different. My wife's MacBook Air has very little software that didn't come with the machine. Apple's "batteries included" policy means that her machine remains pretty clean.. Her mother's Windows machine is a different story.

Which means what?

Today, pound for pound, OS X Leopard is indeed more vulnerable than a Vista machine, but the ecosystem around Mac is holding back the huge embarrassing attacks that shamed Microsoft into action. Apple has a small window during which time they can take action, refine their built-in mitigation strategies and come out on the other side acting like they were better all along..

(Recent hires like Ivan give hope for this happening)

If Snow Leopard is done right, it will hopefully be Apple's XP SP2, and us fanboys will be able to keep our securer-than-thou attitude.. If it doesn't, it's only a matter of time..
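The three mitigations Haroon lists (non-executable stack, non-executable heap, ASLR) are something you can check on your own machine rather than take on faith. The C program below is an added example from the editor, not code from the talk, from SensePost or from Apple. It copies a single `ret` instruction into a stack buffer and into a heap buffer and tries to call into each, catching the resulting fault with a signal handler, so a result of 0 means that region is non-executable; an explicitly RWX `mmap` serves as the control that proves the probe itself works. The `ret` encodings for x86-64 and AArch64, the 16-byte buffers and the page size are assumptions of this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Encoding of a bare `ret` (assumed for the two common architectures). The probe
   copies it into a buffer and calls the buffer: if the page is executable the
   call returns at once; if it is non-executable (NX / W^X) the CPU faults and
   the signal handler unwinds back into the probe. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_CODE[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_CODE[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "add the `ret` encoding for this architecture"
#endif

static sigjmp_buf probe_env;

static void probe_fault(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);      /* unwind out of the faulting call */
}

/* Returns 1 if control can be transferred into `buf`, 0 if the attempt faults.
   `buf` must hold at least sizeof RET_CODE bytes and be 4-byte aligned. */
int probe_exec(void *buf) {
    struct sigaction sa, old_segv, old_bus;
    volatile int executable = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* macOS reports the fault as SIGBUS */

    memcpy(buf, RET_CODE, sizeof RET_CODE);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof RET_CODE);

    if (sigsetjmp(probe_env, 1) == 0) {
        void (*volatile fn)(void) = (void (*)(void))(uintptr_t)buf;
        fn();                      /* faults here if the page is not executable */
        executable = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return executable;
}

/* The two regions from the list above: 1 = executable, 0 = NX. */
int stack_is_executable(void) {
    uint32_t buf[4];               /* 16 bytes on the stack, 4-byte aligned */
    return probe_exec(buf);
}

int heap_is_executable(void) {
    void *buf = malloc(16);
    int r = probe_exec(buf);
    free(buf);
    return r;
}

/* Control: a mapping explicitly requested as RWX must execute, which shows the
   probe works. Returns -1 if the kernel refuses the mapping (W^X enforcement). */
int rwx_mapping_is_executable(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int r = probe_exec(p);
    munmap(p, 4096);
    return r;
}

int main(void) {
    int stack_var;
    void *heap_var = malloc(1);

    printf("stack executable : %d\n", stack_is_executable());
    printf("heap executable  : %d\n", heap_is_executable());
    printf("RWX map executes : %d (control, expect 1)\n", rwx_mapping_is_executable());

    /* ASLR coverage: run the binary twice and diff these four lines. A region
       whose address does not change between runs is not being randomized. */
    printf("stack   %p\n", (void *)&stack_var);
    printf("heap    %p\n", heap_var);
    printf("libc    %p\n", (void *)(uintptr_t)printf);
    printf("binary  %p\n", (void *)(uintptr_t)stack_is_executable);
    free(heap_var);
    return 0;
}
```

Compile with the system compiler's defaults (`cc nx_probe.c -o nx_probe`) rather than with any `-z execstack` or similar flag, otherwise you are measuring your own build options instead of the platform. The address lines are the ASLR half of the check: on a system that only randomizes libraries, the `libc` line moves between runs while `stack`, `heap` and `binary` stay put.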

Might As Well Face It...

This weeks #fudsecfriday invited guest post is by shrdlu, an IT security manager who has held international positions in multiple institutions and is now US based.  The other clue to his identity is he amuses himself at the expense of his children ("otherwise what's the point in having them?").  I'm still not convinced that narrows it down ;-).  

My thanks to shrdlu for the Molotov cocktail of a post...

IT Security Manager

Now, many of you are probably too young to get a Pogo reference, so I'll just get to the point.

Hello, my name is shrdlu, and I'm a FUD addict.

And so are you.

Come now, do you really think that FUD is only produced by eeeevil vendors out to make a quick buck?  Or do you think it's only generated by clueless media?  No, folks, we're doing it to ourselves on a daily basis.

The very nature of security involves uncertainty.  We all know deep down that you can never have 100% security; that sooner or later, as Richard Bejtlich is so fond of saying, prevention eventually fails.  It's only a matter of time.  And so rather than sitting down and waiting for the threat to come to us, we go out looking for it.  Endlessly.

Emily Yoffe in Slate.com writes about ongoing research in what one scientist calls our "seeking" drive - our addictive behavior around finding nuggets of information:

We actually resemble nothing so much as those legendary lab rats that endlessly pressed a lever to give themselves a little electrical jolt to the brain. While we tap, tap away at our search engines, it appears we are stimulating the same system in our brains that scientists accidentally discovered more than 50 years ago when probing rat skulls.

A very simple example of this addictive seeking behavior can be found in the Facebook application called "Hatchlings."  The player collects eggs of different colors by looking for them in the profile pages of friends also playing the game, as well as other random pages on Facebook.  Once collected, the eggs hatch into various creatures matching their eggs, and can be deleted ("released into the wild") or retained by periodically feeding them -- you guessed it -- more harvested eggs.  It's stupid, it's mindless ... and so far I've found 5,545 of the damned things.  And as far as users go, I'm by no means the worst:  the top-ranked player in my city has over 48,000 of them and the number one player globally has more than 592,000.

So if Hatchling eggs are the gateway drug, it's but a small step from there to Easter eggs in other software.  And when the Easter eggs run dry, well, there are built-in Easter eggs that the developer didn't even know about, aren't there?  They're called "unintended functionality," or vulnerabilities.

Take a look at this year's Black Hat schedule and count the number of talks that are NOT based on finding a vulnerability or finding an attack.  Go ahead, I'll wait.  It's actually kind of like hunting for a needle in a haystack ... and I promise, you'll get a dopamine rush out of it, especially if you find it.

So when pretty much every talk at every conference is about newly discovered vulnerabilities and attacks; when we treat vulnerability researchers as rock stars; when defenders are only interesting when they've actually suffered a breach; is it any wonder that we're steeped in FUD?

If there's still any doubt in your mind, try to remember the last time you said or heard someone say, "You know, our security is probably just fine.  Don't worry about it."

Hyper Security

This week's invited guest post is from Brian Honan, an information security consultant based in Dublin, Ireland who founded and heads Ireland's national CSIRT team.  This post explores hype - the LSD of the infosec industry...  Thanks Brian!


Brian Honan

Independent Information Security Consultant

A discussion with an old friend recently strayed into the area of information security and the hype that she currently sees surrounding products that will make us more compliant, secure and hacker proof. She works as an IT manager in a relatively large company and confessed to feeling confused by the various products, their claims and indeed the hype over the threats these products promise to address.

This is a subject that I have spoken about a number of times and it is something that I feel as an industry we need to be careful about. Yes we need to make people aware of the problems but let's not become Chicken Licken proclaiming the sky is falling.

The plain truth is that all products are hyped up, be that a car, a plasma TV or an information security product. This is especially so in IT where we are constantly being told certain products will do things for us cheaper, faster, smaller, and quicker, making us all more productive with minimal effort. So there is an amount of hype that will come from selling products or services, including those in the information security field.

The other source of hype is from within the media, both industry and mainstream. Very often the security stories that make the news relate to major computer virus outbreaks or attacks on well known institutions. These stories only make the news because they are simply that, news!

As someone who is heavily involved in information security I am often frustrated by the lack of concern people display with regards to computer security. If anything there is not enough awareness of the threats people face once they go online. People understand the security risks we face in the real world. That's why we deploy burglar alarms on our homes or business premises, shred important documents, have a safe to store valuables and keep our money in banks. Based on our understanding of the risks we face we take appropriate steps to protect ourselves. For example, if I owned a company that is a small professional firm with no valuable stock to protect, I would deploy burglar alarms and ensure I had good locks on the doors. If my company keeps valuable or desirable stock on the premises then I would take additional steps to protect myself, such as install CCTV, employ a security guard and store the valuables in a safe.

Securing your business is all about risk management. You identify the threat to your business, be that burglars, theft from staff, fraud or fire. You then decide what you need to put in place to manage that risk. Once you deploy computers and/or connect to the Internet, there are very real threats to your business. Computer viruses, hackers and in-house threats exist and need to be managed.

So yes there are real threats and people need to be made more aware of these threats and how they can counter them. The problem is most people, including those working in IT, do not understand properly the threats and problems relating to IT security.

Yet everyone is looking for solutions without actually understanding the problem. Vendors and resellers will be only too happy to sell products, however if the underlying problem is not properly addressed then these solutions are not going to work as expected, resulting in the customer having a greater lack of confidence in information security.

With the recent economic downturn the information security industry is seen to be countering the trend seen elsewhere in the IT industry by having its budgets maintained or in some cases even increased. Vendors and resellers fully understand this and see information security as the area with the money and are unsurprisingly exploiting it as only they can. Having worked in the information security industry for many years where only a small number of companies provided expertise and services, I suddenly find every company now offers information security solutions. While it is good that more people are becoming aware that information security needs should be addressed, customers need to ensure that their vendor fully understands information security and is providing solutions based on impartial advice and not simply to sell a product.

It is time for us to stop listening to the hype, to look properly at the risks that need to be addressed and to call that sales person or consultant to task when they start to over hype a problem or solution. But it is also time for us to grow up and accept some responsibility for our own actions.

We need to fully understand what the problems are that we are trying to address so that we can identify the best solutions to those problems and be able to ignore the hype.

Showing The Oblomovs The Door

This week's invited guest post is from Nick Selby, a security convergence consultant and enterprise security thought leader who established and led The 451 Group's Enterprise Security Practice from 2005-2009.  [Ed: This post was provided shortly prior to Black Hat/Defcon]

Nick Selby
Founder, Cambridge Infosec Associates, Inc
 
A recent survey shows that half of information security professionals are unhappy in their jobs despite six-figure salaries.
Of course they're unsatisfied - we have well-trained, well-intentioned security professionals reduced through a series of relentless box-ticking to ensuring that their hopelessly dated signature-based technologies have the most recently-updated chance of not stopping anything. Why? Because as punishment for making everything so complicated, security professionals have been saddled with compliance management.
 
The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.
 
I stomped away from trying to influence security as an analyst because compliance (the adjective and the verb and the noun ... and whatever form is the word, 'Compliancy') has managed to suck every ounce of oxygen from the room that is the security industry. Okay, that's an exaggeration - I really quit because I find it more rewarding to once again do security than to talk about doing security.
 
We're in an Orwellian information technology universe, and we've let criminals become Big Brother because they often have better configuration management data than our own information security groups. We have a rapidly evolving threat landscape, advanced persistent threats, new generations of attacks and attackers and a wildly changed attack paradigm, and purveyors of “intrusion detection” and "anti virus" don't just exist, they're propped up as puppet regimes by the makers of rulesets designed to keep us “safe” and “smart.”
 
Josh Corman at IBM was spot-on when he called PCI, the, "Cyber-incarnation of 'No Child Left Behind.'" At this writing it's unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we've heard of, but the fact that they're out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard. Well-intentioned businesspeople at PCI, seeing their money walk out the door at an exponentially increasing rate, thought they'd "raise the bar" by setting forth some highly specific tasks. Unfortunately they were specific to a paradigm gone by, and those who don't comply get their credit card privileges popped. Thus have they managed not only to not raise the bar but in fact to substantially lower the ceiling - PCI is not the minimum standard, it's the maximum effort that many organizations make.
 
And why not? By doing PCI, one can claim to be doing, 'Best practices'. ('Best Practices' is a term for which toilet-dunks should be applied rigorously -  the term is, to borrow a phrase from Marcus Ranum, weapons-grade marketing bullshit.)  Meanwhile, Visa and MasterCard stay shtum on their card fraud numbers in one of the best shell games around as banks and card associations play the Three Wise Monkeys, passing the buck back and forth amongst their cabal while storm clouds of another off-balance-sheet Armageddon gather in the distance.
 
Is this just another "anti-compliance" rant? Sure, but it's also a "pro-risk rant". It's not just that our lives as security professionals are increasingly (and increasingly exclusively) about feeding the compliance beast. It's more about the fact that all this compliance stuff is preventing us from addressing risk and performing, you know, security. Compliance is big money (there are more than 100 sponsored links on Google for the phrase, “Security compliance”), so vendors and analysts push it, and departmental budgetary politics becomes all about securing compliance-related funding. This directly leads to stovepipes - those "Cylinders of Excellence" in which the slightest thought about anything not budgeted becomes, "out-of-scope".
 
Now hear this: Our enemies do not compartmentalize their attack resources. They don't have a budgetary or organizational constraint against standing in the smoking area and walking in to your building behind a smoker who's taped open the ram-bar latch; or phishing credentials from one of your employees by phone, fax or email; or popping through a poorly constructed web application; or if the stakes are really high, having someone sit in front of your Vice President of Whatever's house, looping trivially through his WEP-"protected" WiFi and surfing into your network on his VPN connection. Let's not even talk about his cell phone.  How many stovepipes within your organization have those utterly commonplace vectors just crossed?
 
To deal with these threats we don't need more stuff, we need to talk to one another, to use the resources we have in place already in smarter and better ways. Communication, cooperation and a top-down emphasis on understanding risk - these are things that can't come from the comet tail of crap being pushed by vendors and consultants today.  We face a 360-degree threat, every day, and bad guys are as innovative and resourceful as they need to be to stay one step ahead of you. The problem is we're not making them need to be very resourceful at all.
 
Compliance - the state of being - is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes by Oblomovs you've hired to "deal with" compliance. Security requires integrity, inter-departmental communication, articulation of goals and give-and-take between stakeholders so that everyone has more information to take into account when making business decisions. It requires coordination between physical and logical, between departments as seemingly disparate as HR and marketing and bizdev and sales, and the executives who make decisions about where they want their firm to go.
 
You want to be a CEO? Manage risk by demanding your people give you information supportive of cost-benefit analyses that are based on how you can create more value as opposed to how you can avoid being fined or having your name in the paper. You want your compliance department to manage risk for you? You'd better hope your firm is considered, “Too big to fail,” so the next round of government bailouts can save your sorry butt. Although, since you're allowing the government - through SOX and HIPAA - and other industries like the payment folks to set your agenda, maybe a bailout was what you had in mind from the start.

Arm Yourself With The Gobbledygook Manifesto

"He who is prepared, spots the FUD" - Anonymous Infosec Dude #2

Stumbled across this highly relevant manifesto for the FUDbuster.  Read and apply the "mind grep" test to future infosec marketing materials you receive.

If a vendor indulges you in buzzword bingo, consider emailing this manifesto with a simple subject line of "I saw this and thought of you".  Important note: Failure to reply to follow-up emails heightens effect.
