So why are there so many bad, nonsecure and just plain broken security products on the market? Should we depend on the unseen hand of the free market to allow the better products to bubble up to the top? Bruce Schneier’s recent column in Wired magazine shows that better products don’t necessarily mean more secure products. Consumers would rather have an easy-to-use product instead of a secure product; in other words they want the dancing bears and chocolate. So products that have lots of blinking lights will win out in a free market over those that actually work. As Bruce mentions, what is needed is some sort of label to let consumers know just how secure a product or service is. Sorta like the SPF rating on sunscreen; that way people can pick the level of security they need for their environment. Bruce wrote about this before back in 2001, but the idea is much older than that. I first heard about such an organization that would rigorously test and rate the security of products from Tan at the L0pht. He wrote and published a white paper waaay back in January of 1999 calling for a Cyber UL to test and rate security products.
So here it is, over eight years later from that first call to action. Eight years. And we still have products like Secustick being released and used by the French intelligence agency. Obviously there is a need for such an organization, so where is it? Why hasn’t it been created yet?
So by now you have probably heard about the MacBook Pro that was compromised at CanSecWest last Friday. Here is a quick recap if you missed it. A MacBook Pro with all updates applied sat on a wireless network; if you could break in, you won the laptop. Well, after two days no one broke in, so the rules were relaxed a little and the MacBooks were allowed to surf to malicious webpages. You can read more details here, here, here, here, here, and probably a few dozen other places.
The hype on this is pretty amazing considering that this really isn’t that big of a hack. This sort of thing happens on Windows platforms on an almost daily basis. Yes, it’s zero day, but other than that, so what? Let’s take a look at the actual exploit, or at least as much as we can piece together from the various ‘news’ outlets. First you need to convince a user to visit your malicious web page with Safari (no mention if Firefox or other browsers are immune), which depending on who you are convincing may or may not be that hard. Then even after you get your code installed on the victim you’re only granted user-level access. You’re still not root. Granted, you’re a big step closer to getting root, but you are still mired in userland.
So yes, this is a valid hole that should be repaired as soon as possible, but it doesn’t warrant anywhere near as much press as it has been garnering.
Over and over people tell me that a product, service or other item is secure because someone else important uses it, and they are sooo important that they would never ever use or do anything insecure. So basically what they are saying is that “I trust them so I will do what they do.” The problem with this is they don’t really know how that other person uses a particular product. Perhaps they made a change to make it more secure or made a change and unknowingly made it even worse, or made no changes and it is just a crappy product to begin with!
Let’s take for example the millions of people that run their credit cards through POS systems all over the country. Those systems must all be secure, right? Banks wouldn’t let those swipe machines be easily hackable, would they? Well they would if they were the brand used by Stop & Shop Supermarkets. The POS systems you normally use were secretly replaced by (Folgers Crystals!) hacked POS systems that still validated your purchase but recorded the information for later retrieval. (Pretty cool hack if you ask me.)
But, but, but that’s a small company, I only trust big companies since they would never leave their data unsecured! They would if they were TJX, who had people rummaging through their network for over 17 months before the breach was discovered.
But those are brick and mortar shops, they always have problems. Reputable online companies don’t have those sorts of problems. Maybe not, unless you use products from Intuit, whose online TurboTax filing system temporarily exposed tax returns including social security numbers and bank account numbers to anyone who asked. While the time between discovery of the hole and its closure was pretty short, it is unknown if it was discovered and abused but not reported even earlier.
Hardware, I trust hardware. All that software stuff is easy to break, but give me some good strong hardware any day. You mean hardware like the Secustick, a USB flash drive that automatically encrypts its contents and supposedly self-destructs if tampered with? So secure that even the French government trusts it? That’s the kind of hardware you trust? Not so fast, it’s pretty trivial to break that as well.
So be careful who you trust, and don’t depend on others to make the decision for you. Treat your data and personal information as sacred. Trust no one.
The April 2007 print issue of CSO Magazine has a nice article on page 30 by Michael Fitzgerald entitled “L0pht In Transition.” Unfortunately they don’t have a version online or I would link to it. The article pretty much sums up what all of us are up to these days and asks the question of whether what we did made any difference. If anyone has a physical print copy I wouldn’t mind getting a hold of one.
I have been trying to beat people over the head about cell phone security issues for years. It’s amazing how much people trust those things. They look at it like a microwave or a refrigerator and not a small computer. They think it is a small impenetrable box that only they have access to. But, but, but, but the Government uses them! My FBI buddy uses his BlackBerry all the time! Why, they must be secure if they use them on Wall Street! Idiots.
I am glad to see I am not the only one who understands the risks involved. When you’re setting up party plans for the weekend and sending text messages back and forth, who cares? But when you start flinging business-critical PowerPoint presentations around, or worse yet new email passwords, things become a little more important.
I think every C-level officer in your company should be forced to read this: Ten dangerous claims about smart phone security. And then print it out and post it in the breakroom. No, they won’t believe you at first, but eventually, hopefully, after you beat them over the head with it enough times they may come to accept it.
Myths number 4, 8, and 9 are my favs. 4 is Encryption. People hear that word and think all is right with the world. Most smart phone encryption is like using an armoured car to transport a million dollars from a homeless guy on a park bench to another one living in a cardboard box. What’s the point? Myth 8 is about deleted data still being on the phone. Most people I work with know that when they delete stuff from the computer it is still there, so why can’t they understand that it is the same with their phones? And Myth 9, that spying on the phone is hard: wasn’t there a case recently where a Walmart employee (or was it Best Buy?) was caught eavesdropping on his boss’s text messages? I suspect that cell phone eavesdropping is a major tool of industrial espionage.
Personally I still use a seven-year-old Samsung SPH-N200. Black and white screen, no text messaging, no nothing, but it does what it is supposed to: make phone calls and record voicemails. And it still looks cool enough to get strange looks when I am using it. “Wow, that’s a cool old phone, retro even.” Hehehe.
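Myth 8 deserves a demonstration rather than just a nod. The toy below is an added example written for this post, not code from the article being discussed or from any phone vendor; it models a flash-style block store with a directory (assumed names: `ToyFlash`, `delete`, `secure_delete`, `raw_scan`, all made up here) and uses a constructed sample file. An ordinary delete only drops the directory entry and marks the blocks reusable, so a raw scan of the medium still finds the content; only an overwriting wipe actually removes it. Real phone filesystems are more complicated, but the principle the article makes is the same.

```python
"""Added example: why "deleted" data is usually still on the device.

ToyFlash is a deliberately simple block store (hypothetical, not a real
filesystem): fixed-size blocks, a name->blocks directory, a free list.
"""

BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyFlash:
    def __init__(self):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.directory = {}            # file name -> list of block indexes
        self.free = list(range(NUM_BLOCKS))

    def write(self, name, data):
        # Split the data into block-sized chunks and store each in a free block.
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("no space left on toy device")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(idx)
        self.directory[name] = used

    def read(self, name):
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def delete(self, name):
        # Ordinary delete: forget the name, return the blocks to the free list.
        # The bytes in those blocks are NOT touched until something reuses them.
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name):
        # Overwrite every block of the file before releasing it.
        for idx in self.directory[name]:
            self.blocks[idx] = bytes(BLOCK_SIZE)
        self.delete(name)

    def raw_scan(self, needle):
        # What a forensic tool does: ignore the directory, look at every block.
        return [i for i, block in enumerate(self.blocks) if needle in block]


def demo():
    """Return (blocks still holding the secret after delete,
               blocks still holding it after secure_delete)."""
    sample = b"new mail password: hunter2"   # constructed sample data

    fs = ToyFlash()
    fs.write("passwords.txt", sample)
    fs.delete("passwords.txt")
    after_delete = fs.raw_scan(b"hunter2")   # still recoverable: [1]

    fs2 = ToyFlash()
    fs2.write("passwords.txt", sample)
    fs2.secure_delete("passwords.txt")
    after_wipe = fs2.raw_scan(b"hunter2")    # gone: []

    return after_delete, after_wipe


if __name__ == "__main__":
    print(demo())
```

The lesson for the breakroom poster is the second half of the demo: the data goes away when it is overwritten, not when the file name disappears, which is why a device leaving your hands needs a real wipe and not a "delete all" from the menu.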
Hint: Click the Print me button at the bottom of the page so that you don’t have to click through five pages of ads.
Ok, this is just too funny not to write about. As a previous Blackhat attendee (and speaker) my name is on the mailing list of whoever owns the conference these days. Anyway, I get an email, appropriately routed to my spam folder, asking me to complete a survey for some magazine called ‘Dark Reading’, which looks like a TechWeb property that deals with security. Now normally I don’t waste time with such surveys, but I was bored at the time so I figured what the hell. Talk about entertainment! Check out this sample question…
11. What’s the first thing you typically do when you discover a vulnerability in an off-the-shelf hardware or software product?
– Report it to the vendor
– Post it/share it with other crackers/researchers
– Begin developing ways to exploit it for financial gain
– Begin developing proof-of-concept code to expose the vulnerability to a broad audience
– Find out who would be willing to pay the most for it
– Contact law enforcement
I cannot wait until the FUD-filled article they write based on this survey comes out. Of course I checked off “Find out who would be willing to pay the most for it.” Bwahahaha. Yes, I somehow get a weird sort of personal satisfaction from becoming an outlying value in a statistical survey. Hehehe… I especially like the questions with an ‘other’ option that allow me to enter my own answer. Like…
13. Many law enforcement agencies have developed computer crime units to investigate computer break-ins. Of these, which do you think has the best chance to catch you?
My answer? “None. I can not be caught!” Hahahaha
If anyone notices the article they write from this survey, let me know. It oughta be good for a few laughs.
I figured if I’m going to do this blogging thing I should get some real software instead of editing an HTML file by hand. Not that I mind writing raw HTML, but this is so much easier and has all these cool nifty features like comments and stuff. So I’ve just installed this today. I’ve moved over all the old posts and I will be moving over everything else as well, but it may take a few days or weeks, so things will be changing.
I am very very happy about this. <danceofjoy> I finally own hackernews.com again! </danceofjoy> Many, many thanks to Dave for keeping watch over the domain and not gouging me to transfer it over. (Dave, I owe you many beers!) Now just because I have the domain doesn’t mean I am going to resurrect HNN or anything; it is just good to have things back where they belong. For now hackernews.com will just point here.
Lopht.com Lives! Unfortunately with an Oh and not a zero, but we will take what we can get. Amazing what a spammer will pay for a half decent domain; looks like I am back to Mac&Cheese again for a while. Or I suppose you could say it is amazing (or stupid) what someone will pay to recapture the past. Either way, expensive. lopht.com is back online. Yeah!
Dildog threw his annual Christmas bash with all of the usual suspects and a few unusual ones. Tame by L0pht party standards, but hey, we’re all gettin’ old. The Vegetable of Death actually stopped looking for dead people long enough to grace us with his presence. The Fish of Tweet was still 5K miles away but still thought of. Mudge had his new girly girl and I don’t think I saw a drink in his hand all night. WOW!