Tuesday, August 22, 2006

Censorship and Common Sense in Security

Recently I posted a vulnerability to bugtraq@securityfocus.com, which is a public board for the open discussion of security issues. I reposted the message a week later and again a few days after that. Finally, several days later, I received an email saying that the moderator had not taken action on my post. I finally resolved to notify a moderator, only to find out that there are many and their information is not readily apparent even in the "you've been rejected" email. So I posted a message that was sure to get a reaction. The response came in less than 2 minutes. This is a far cry from the previous posts that took more than 24 hours to be included.

So now that I had their attention, the moderator began debating. He argued that confidentiality / privacy issues were not "security" related issues and didn't belong on the board. I was stunned. I reminded the moderator that the basic tenets of security are CIA (Confidentiality, Integrity, Availability). The moderator then responded with a two-page rant about why Firefox wasn't mandated to provide confidentiality or integrity.

I am concerned about the state of flaw disclosure in the computer security world. It appears that moderators favor some products and post the most inconsequential flaws for other programs. It seems a privileged few companies get off easy while others get hammered.

I'm all for the little guy and I love Firefox, which is why I hoped that publishing this vulnerability would help get it fixed more quickly. I hope that in the future, security discussion boards will post "equal opportunity" flaws. By so doing, Bugtraq can help improve all products rather than hide exploitable vulnerabilities for certain favored vendors.

David Cross

Wednesday, August 02, 2006

The 10 Immutable Laws of Security and Why There Should be 11 or maybe just 3

When talking to a Microsoft representative about a security vulnerability, they will immediately ignore what you are trying to tell them and point you to the 10 immutable laws of security. (This is so they have fewer items on their plate to fix, hoping that you will get tired of trying to talk to them and go away.) David Cross from Trust Security Consulting tried to talk to MS about an issue which would allow an attacker to disable all protective software (anti-virus, firewalls, anti-spyware) and basically open the door wide to create a communication channel back to the hacker's computer or to another computer on the net. The official answer from a security guru at Microsoft was to read the 10 immutable laws of security and not bother writing back.

Let me sum up the 10 immutable laws of security that Microsoft forwards to people who are trying to help them...
1) if someone puts a file on your computer then it's not your computer any more
2) if blah, blah blah, it's not your computer anymore
3) if blah blah blah, it's not your computer anymore
... (keep repeating the same stuff over and over)
10) technology is not a panacea

So in summary, all the blah-blahs basically say the same thing: if you put ANYTHING on your computer, it's not your computer any more. Let's not overcomplicate Microsoft's little world for a moment, breathe a breath of fresh air, and have a little Irish Spring Soap commercial moment where all the software on our computer is Microsoft software and we are blissfully happy with nary a care in the world.

Ok, now that we have achieved momentary ignorance, let's take a look at reality. (Sorry.) There are software developers other than Microsoft! "What!?" you say, as you are snapped back into a cruel reality where monopolies don't promise everlasting visions of waterfalls and lilting Irish accents. Then you take a quick look at your start menu. There are probably 40 or more pieces of software installed on your system that are not owned by our friend the billionaire philanthropist. Stranger still is that many of these were put on by the manufacturer. Wow! So according to Microsoft's 10 LAWS, they and we have already broken, what, 9 of them? Shame on us! If computers need 3rd party software to do what we want them to, then why should we allow that to mean our computers are already compromised?

So what's the big deal? Are we to accept that our computers are compromised at this point? Hmmm. That would be the assumption, but then again we are smart users and have installed Microsoft's, or heaven forbid, some other brand of anti-virus, anti-spyware and firewall software! We are forward thinkers after all and are concerned about the safety of our data. Now we are assured by each of these non-monopoly companies that their software stops hackers dead in their tracks. Now we bump into rule #10 in the immutable laws. Technology is not a cure-all. True enough; however, application-level firewalls are surprisingly robust now and incredibly effective if used properly. So we are safe!! Yay! Microsoft's little shield system tray monitor even tells us that our world is already looking rosy now that we have all the little shields showing green lights.

So why should we not expect our computer to be safe even though we have 3rd party software installed? Firewalls stop most of the common spy capabilities of even our most trusted software, like the Microsoft media player, which checks back with the mother ship to let them know what you are doing with it and if you are playing licensed movies. So now that our nifty firewall can stop that and stop all the other ad-ware based programs from downloading their ads and communicating back everything you are doing... shouldn't we feel safe now? Yes!

We should feel safe. After all, there are two types of hacking, one of which Microsoft totally ignores with its blanket "if someone puts a program on your computer then you're not safe" crap. Our computers have defenses against external threats trying to get in, and thankfully, contrary to Law 10, even defenses against internal threats trying to get out.

So there are more than just remotely exploitable vulnerabilities? There is such a thing as a locally exploitable vulnerability! Wow! To quote a popular Far Side comic where polar bears are preparing to attack an igloo and eat the contents, one polar bear says to the other, "these are hard and crunchy on the outside, soft and chewy on the inside". Hmm, that reminds me of Microsoft's assumptions in the 10 laws. Basically that's what the first 9 laws say. After all, when reporting a recent vulnerability that can shut down anti-virus AND firewall software AND anti-spyware software with one simple function call, I was immediately referred to the 10 Laws and told that they were not interested unless the exploit was a remote exploit.

So their solution is making the outside harder and crunchier but the inside still should be soft and chewy? Hmmm.

What if security were treated like it is at the Louvre, where it's incredibly hard to get in and once you steal a painting it's impossible to get out? Wouldn't that be cool? Isn't that how it's supposed to be?

So really, there should be a concept, even in Microsoft's vocabulary, of security from outside-in AND inside-out. The point at which bad software can't get in and bad software can't get out is when I'll be dreaming in Irish Spring style commercials, complete with the waterfalls, fresh clean scents, and maybe a cute girl with a Scottish accent instead of Irish.