L0pht in Transition 2

So I wrote about the article in CSO Magazine by Michael Fitzgerald earlier this month when the print version came out. Finally, it is now online for easy reading by all you non-subscribers. Previous Works sysop Jason Scott of Admin-D and Textfiles.com fame has written a rebuttal/commentary/analysis of the piece.
And finally, in a completely unrelated story, L0pht got a mention in the New York Times last Sunday.

Cyber UL

So why are there so many bad, nonsecure and just plain broken security products on the market? Should we depend on the unseen hand of the free market to allow the better products to bubble up to the top? Bruce Schneier’s recent column in Wired magazine shows that better products don’t necessarily mean more secure products. Consumers would rather have an easy-to-use product instead of a secure product; in other words, they want the dancing bears and chocolate. So products that have lots of blinking lights will win out in a free market over those that actually work. As Bruce mentions, what is needed is some sort of label to let consumers know just how secure a product or service is. Sorta like the SPF rating on sunscreen; this way people can pick the level of security they need for their environment. Bruce wrote about this before back in 2001, but the idea is much older than that. I first heard about such an organization that would rigorously test and rate the security of products from Tan at the L0pht. He wrote and published a white paper waaay back in January of 1999 calling for a Cyber UL to test and rate security products.
So here we are, over eight years after that first call to action. Eight years. And we still have products like Secustick being released and used by the French intelligence agency. Obviously there is a need for such an organization, so where is it? Why hasn’t it been created yet?

Mac Hack Hype

So by now you have probably heard about the MacBook Pro that was compromised at CanSecWest last Friday. Here is a quick recap if you missed it. A MacBook Pro with all updates applied was put on a wireless network; if you could break in, you won the laptop. Well, after two days no one broke in, so the rules were relaxed a little and the MacBooks were allowed to surf to malicious webpages. You can read more details here, here, here, here, here, and probably a few dozen other places.
The hype on this is pretty amazing considering that this really isn’t that big of a hack. This sort of thing happens on Windows platforms on an almost daily basis. Yes, it’s zero day, but other than that, so what? Let’s take a look at the actual exploit, or at least as much as we can piece together from the various ‘news’ outlets. First you need to convince a user to visit your malicious web page with Safari (no mention of whether Firefox or other browsers are immune), which, depending on who you are convincing, may or may not be that hard. Then, even after you get your code installed on the victim, you’re only granted user-level access. You’re still not root. Granted, you’re a big step closer to getting root, but you are still mired in userland.
So yes, this is a valid hole that should be repaired as soon as possible, but it doesn’t warrant anywhere near as much press as it has been garnering.

Who Do You Trust?

Over and over people tell me that a product, service or other item is secure because someone else important uses it, and they are sooo important that they would never ever use or do anything insecure. So basically what they are saying is that “I trust them so I will do what they do.” The problem with this is they don’t really know how that other person uses a particular product. Perhaps they made a change to make it more secure or made a change and unknowingly made it even worse, or made no changes and it is just a crappy product to begin with!

Let’s take for example the millions of people that run their credit cards through POS systems all over the country. Those systems must all be secure, right? Banks wouldn’t let those swipe machines be easily hackable, would they? Well, they would if they were the brand used by Stop & Shop Supermarkets. The POS systems you normally use were secretly replaced by (Folgers Crystals!) hacked POS systems that still validated your purchase but recorded the information for later retrieval. (Pretty cool hack if you ask me.)

But, but, but that’s a small company, I only trust big companies since they would never leave their data unsecured! They would if they were TJX, who had people rummaging through their network for over 17 months before the breach was discovered.

But those are brick and mortar shops, they always have problems. Reputable online companies don’t have those sorts of problems. Maybe not, unless you use products from Intuit, whose online TurboTax filing system temporarily exposed tax returns, including Social Security numbers and bank account numbers, to anyone who asked. While the time between discovery of the hole and its closure was pretty short, it is unknown whether it was discovered and abused, but not reported, even earlier.

Hardware, I trust hardware. All that software stuff is easy to break, but give me some good strong hardware any day. You mean hardware like the Secustick, a USB flash drive that automatically encrypts its contents and supposedly self-destructs if tampered with? So secure that even the French government trusts it? That’s the kind of hardware you trust? Not so fast, it’s pretty trivial to break that as well.

So be careful who you trust, and don’t depend on others to make the decision for you. Treat your data and personal information as sacred. Trust no one.

L0pht in Transition

The April 2007 print issue of CSO Magazine has a nice article on page 30 by Michael Fitzgerald entitled “L0pht In Transition.” Unfortunately they don’t have a version online or I would link to it. The article pretty much sums up what all of us are up to these days and asks the question of whether what we did made any difference. If anyone has a physical print copy, I wouldn’t mind getting a hold of one.