Research

Author’s Note: This was originally posted last year, but nothing ever changes: Backup Backup Backup Did I say backup yet? Backing up home computers used to be little more than a convenience to keep you from losing some old college papers. These days our entire family histories find life on our unreliable home computers. From digital photos of junior, to financial records in Quicken, to love letters in email, our computers store items in ephemeral 0s and 1s that used to be on paper in a box. Sure, paper isn’t perfect, but I suspect more of us have experienced hard drive crashes than house fires. Backup is really a pain, so I suggest prioritizing your efforts to focus on the most important stuff and to make it easy and seamless for your non-geek friends and family. In many cases your best bet is to get an external hard drive and some basic backup software (I use SuperDuper on my Mac, not sure what’s good these days on PCs, so recommendations in the comments appreciated). A bunch of the external drives now include basic software for free, and you can plug in the drive, install the software, and just check up on it every now and then. For digital photos I’ve started recommending the archive features of Photoshop Elements, Microsoft Digital Image Suite, and the like. The advantage here is they get a photo tool they can use for other purposes, while getting basic photo backup features. I just grabbed Photoshop Elements for my Father-in-Law and a bunch of blank CDs. My plan is, every few months, to burn an archive of his photos on CD and store them over at my place (we live 20 minutes away). No- backup isn’t fun or sexy, but today it’s very very necessary. I hear all too many stories of people losing valuable family photos due to a basic hard drive crash, virus, or whatever. Imagine losing ALL your baby pics, wedding pics, or Grandpa’s 80th birthday pics where he flashed back and called Grandma by the name of his long-forgotten French mistress from WWII inciting immediate, if lethargic, violence. Ah, Family. Good times. You really don’t want to let your family lose their memories, do you? It’s also a good idea to print really valuable photos. The rumors of paper’s demise are greatly exaggerated. Share:

I’m about to tread, yet again, on religious ground. John Gruber, attacking an eWeek article, incited a response by Tom Ptacek over at Matasano. I suggest you read those articles, especially the Matasano response, because they highlight very clearly some of the technical differences between OS X and Windows Vista. I’ve been spending a lot of time, we’re talking a year or two, trying to decide if OS X is inherently more secure. I’m not a vulnerability researcher or OS developer, so I can’t dig in like Ptacek, but as an analyst I’m pretty good at weeding through the BS and I’m geeky enough to know what I’m talking about. OS X is more secure than my XP PC, but Vista changes everything. This is not your usual Windows. Tom’s response to Gruber focuses on Windows Vista, but Tom could have explained that more clearly. Gruber probably hasn’t hammered on a recently-released, barely-production-deployed OS so his arguments are tailored towards Vista. I think all the pundits need to be clear about which OS versions they are talking about. To a very real degree they are debating around each other- Tom focusing on Vista, and John on XP. This was something I was planning to write about after I got my hands on a non-beta copy to play with, but Tom beat me to the punch. OS X is more secure than XP for a variety of reasons, including the user account model, lack of SYSTEM, quiet network profile, some core code signing, and so on. That said, OS X was not designed with a secure development lifecycle, and does not include the advanced security features shipping in Vista. Not that Vista is perfect, but there are clear indications that the game may have changed. (And yes, I’ve simplified a lot) The Secure Development Lifecycle is far more than some marketing campaign. MS hammers their code harder than anyone… ANYONE else in development today. Independent review, multiple security code scanning engines, mandatory training, and dropping beta versions to hackers like free candy. I talk with a lot of vendors; many have good processes, but I haven’t found any major vendor that makes such an effort. Ignore XP- it never went through this process, but look at SQL Server 2005, one of the first major applications to go through this process. No vulnerabilities to date- just one shared-code flaw (XML Core Services). Vista is the first consumer OS to go through this process. Bugs will still be found, but I suspect far fewer than XP. Memory randomization- key code hops around in memory. This makes it incredibly hard for an attacker to point to system code, since the code always moves. No hardcoding addresses. This may be the most significant change in the OS security. C#, which will probably be the most common application language used on the Windows platform, uses memory virtualization, just like Java. Again, nothing’s perfect, but this means C# apps are much less likely to suffer some of the common families of flaws that have crippled Windows so far. The user privilege model is stronger, but not perfect. MS cut back a little here to keep some enterprise customers happy, but the improvements are still very real. Old code demanding admin access runs off virtual registries rather than corrupting the main system registry. Browser isolation- most major malware today on XP comes in email or over the browser (and half the email stuff uses the browser). IE 7 itself is stronger, and the browser runs in a more isolated and less privileged mode. I’m just running off other’s evaluations, so take it or leave it, but the hard-core researchers I know all tell me Vista is not the MS software we’re used to. Everything from the browser, to the kernel, to the programming languages used to build applications is significantly improved. And I haven’t even mentioned all the new security features, like a real 2-way firewall, PatchGuard, and so on. Will it all work? I don’t know, but I do know those who have hacked away at Vista come away impressed. So is Vista more secure than OS X? I think so, but we’ll still see more malware for Windows for a long time to come. And Apple has plenty of time to take some of the same security steps. Heck, with less ties to legacy applications Apple could probably jump ahead if they put their minds to it. Vista might see life on my Mac, but replacing my XP virtual machine. But with Vista now released we all need to be clear about which operating systems we’re discussing. On paper Vista has more security built in at a more fundamental level than OS X. But Vista is brand new, and we’ll have to watch the world kick the tires for a while. Apple needs to respond with similar features, where needed, if they are to compete in the security game. If they want to. The truth is, security is still not a major factor in most people’s OS choice. I’m sitting here saying I think Vista is more secure, but I don’t plan on switching off my Mac. Security is about being “good enough”. As the major target for attacks, “good enough” for Windows is significantly higher than “good enough” for Macs. Until Apple sees the same kinds of exploits on the same scale there will be little motivation for them to invest so deeply in security. The game isn’t over, but it’s definitely a different game than just a few weeks ago. Share:

The Month of Kernel Bugs has released their latest vulnerability. There’s also a Metasploit exploit module. I’m not going to post every time one of these pops up, but hopefully this puts some of the wireless flaw debates to bed. Share:

My work day had a bit of an unplanned interruption today. I shut down my computer to head from the home office to a nice quiet coffee shop for a change of scenery and a little time off the Internet to get some research done. When I booted up in the coffee shop I noticed that all my personal settings were gone for some reason. All my data was there, but every single preference in every single application (including registration keys) were missing. I looked in my preferences folder in the Library (a Mac thing, way better than a registry) and everything seemed to be in place, but anytime I opened an app it would overwrite the old preferences with a new preference file. Oops. Repairing disk permissions (a Mac thing, not so cool) and some other routine fixes didn’t work, so I scooted home to my backups. I copied over my 2-day-old preference files from a backup and that seemed to do the trick for most apps and my desktop/startup items. A few things are still hinky, but most of it’s normal. The one bad problem was my blog software (Ecto). Ecto seemed to lose all settings even after the fix, including all my drafts for future posts. Big bummer. A half hour later I was able to dig up some of the other settings files, replace those from 2 days ago, and everything seems fine. Backups are good. Nightly backups are better, and I think I’ll be even more diligent from now on. That said, this incident raised some questions in my mind. Even assuming I had a complete backup from last night, or a current differential, I was still looking at an uncomfortable loss of data from just the morning. I’m realizing that on any average day I produce a fair volume of data throughout the day. From calendar entries to emails to blog posts. Losing that hourly data won’t kill me, but would still be seriously annoying. Also, it was a VERY manual process to restore my preferences. I’d like to see more continuous backup software; and not just backups of documents/photos, but of settings and other system information, all with a granular restore. Time Machine in the next OS X looks like a good step in this direction, and I hope Apple includes settings in the backup schemes. I’ve played with a few Windows system restore settings, and while those do a good job of restoring your system you tend to lose a lot of the hourly data. That might be motivation to keep data on a separate partition from system software and settings to better enable granular restores. All of which is a real pain for us laptop users. As it is I own AT LEAST one external hard drive for every PC/Mac, not counting my small NAS. That’s a lot of drives and a lot of manual backups, and I don’t backup on the road. Eventually I’d like to have all my home systems automagically backup on the network every night, but that has to wait I can move to gig Ethernet and get a bigger, faster NAS. This is well beyond the average home user’s capabilities. As our entire lives and family histories move to fairly unreliable PCs (and Macs; they lose hard drives too) we could be destroying our social records. Despite constant warnings I still can’t get ANY of my family members to reliably backup their digital photos. I look forward to the day where no PC or Mac ships without an extra drive just to backup data. To operating systems that scream and kick their feet until you agree to backup to magnetic or optical media. To the day where all of this is transparent to the average user. Maybe System Restore and Time Machine will solve the problem. But I doubt it. There has to be a better way to preserve our digital lives. (sorry for the less-than-insightful rant, but I’ve been on a backup kick lately. We really don’t pay enough attention to backups in the consumer world- even us hard core geek consumers) Share:

To follow up on metrics, Amrit pointed out in the comments that we can’t use totally imaginary numbers. There’s some myth out there that assumes risk models can track directly to ROI models. I’ll save the full rant for later, but here’s a little math. Back in science days we talk about significant digits. Basically, every number has a certain number of significant digits. 22.1 has 3, while 22.11 has 4 significant digits. When multiplying or whatever, you use the least number of significant digits in the result. Since one number has greater precision than the other, the result can’t be any more precise than the least precise number. (I’m a history major, work with me). We like to multiply in risk assessments a lot, but most of those numbers are guesses. So here are my two formulae for risk management: A number of no significant digits X another number of no significant digits = a number of no significants To put it another way: A guess X a guess = a wild-assed guess Amrit’s right- fake numbers are bad if you treat them as numbers. The math just don’t work. When I suggest you use structured qualitative metrics I don’t mean you should treat them like they are anything other than imaginary numbers. They’re still valuable, but you’d better not drop them into some BS ROI formula. Share:

Guidance Software sells one of the best computer forensics tools on the market. Their largest client base is law enforcement and other types who perform investigations. According to Security Fix, they were hacked and the FTC found them negligent. Something about not taking basic security precautions, and keeping data they shouldn’t have. I don’t know, I get lost in details. Customers should now feel confident, since Guidance has to undergo two years of mandatory security audits. Oops. Too bad, it’s a cool product. At least, once they detected the breach a few weeks after it happened, they had trained investigators and appropriate tools to realize they were screwed. Share:

Oh goodie- another religious security debate! We do love our religious arguments so. This time it’s Amrit taking on Rothman over security metrics. Amrit likes them, Rothman doesn’t. Both of them are funny looking (sorry, it’s not germane to this post, but I figure people should know). I’m with Amrit on this one- metrics are absolutely critical. But I also agree with Mike, the wrong metrics are worse than no metrics, and pretending everything can be measured is silly. Didn’t we get over that in college? Amrit and Mike are both right; and despite my attempt to jump the shark and make this sound controversial they both probably agree more than they disagree. Security metrics are a vital evolution of our industry. We’re not artists, as much as there is an art to our science. We can’t just sit around and tell management to trust us and “no… don’t worry… we’re doing a good job. No viruses this week, right?” By the same token we can’t pretend everything we do can devolve into some simple ROI model to tell the CFO how many people to hire and how many security widgets to buy. Metrics are a valuable tool to baseline activities and track results. Metrics should help us measure both our activities and the results. Results beyond the number of incidents. Metrics also bring maturity to a discipline by, among other things, allowing that profession to communicate to the outside world. As a paramedic I might have claimed that my only metric was dropping off live bodies (preferably at a hospital), but in reality we tracked dozens of metrics- from response times, to procedural successes, to long term patient outcomes (just keeping you alive to the front door doesn’t always mean you go home). We need security metrics to: Baseline activities and investments Track those over time for deviation Correlate activities and investments to results Optimize to maximize results and minimize waste Communicate all of this to external parties CISOs that can measure and demonstrate program efficiency can more easily obtain budget for necessary improvements. It’s a combination of building trust, and being able to justify new efforts. Metrics should also include qualitative measurements. No Virginia, we can’t measure everything with real numbers, that’s why amps go to 10 (or 11). But if we use consistent qualitative models, we can gain quantitative benefits by still tracking results over time. Saying, “give us money and you won’t get hacked” won’t help you get money, ensures you lose it when you get hacked (and you will), and doesn’t help you look like a professional. On the other hand we can’t make up fake ROI models just to keep the CFO happy (one of my biggest pet peeves). You don’t do yourself any favors in the long term if you send off imaginary numbers every time someone asks for the impossible. Use real metrics. Mix quantitative and structured qualitative. Track yourself over time, correlate results, and use them to optimize efficiency (ooh- I sound like one of those professional speaker types!). Give honest answers to honest questions, and when someone asks for the ROI of a firewall ask them for the ROI on their desk.   Share:

Thanks to an independent evaluation we now know that Firefox 2.0 is slightly better than IE 7 at detecting phishing sites. Firefox detected 243 sites missed by IE while IE “only” detected 117 sites missed by Firefox. I’m only a history major, but I think that puts it at 460 sites missed by one browser or the other. Which means neither one is really good enough. So while everyone else is getting their panties in a wad, you can go ahead and download the Netcraft toolbar, or any of the other toolbars with anti-phishing/anti-spyware built into them (as recommended in our Top 6 Tips). Because what it really comes down to is no single tool is perfect, and if you can use multiple tools that don’t cost more or hurt your ability to get things done there’s really no reason not to. Don’t get dragged into the “my browser/OS is better than your browser/OS” debate, which is the Internet equivalent of wearing all black and sitting in some dark coffee house while smoking cloves and debating useless narcissistic shit that no one cares about and won’t ever make you anything other than a selfish twit. Be the dude or chick that just gets the job done, has fun, kicks ass, and looks hot in the process. Nietzsche is dead. (Note: Securosis does not guarantee any level of hotness should you or should you not take our advice. Do not send Securosis photos to prove said hotness as we don’t care, unless you’re really hot, and then you’ll get me in trouble with my wife. Results not guaranteed. Your performance may vary.) Share:

After posting our Top Six Hints for Safe Online Holiday Shopping, Chris Pepper notified me that Firefox 2.0 is not an automatic upgrade, and Firefox 1.5 doesn’t prompt you at all to download the new version. So go here and download it now. As for security there’s one setting you should change right away. Under the security preferences, if you store passwords in Firefox you want to check the box to set a master password. Otherwise anyone on the system can go into the preferences and see all your passwords. Needless to say that’s what we call, “bad”. I do let FF keep my passwords, even though it’s a bit of a risk to store so many in a single place. I DO NOT STORE ANY BANKING PASSWORDS ANYWHERE!!! If someone cracks FF they’ll get my Amazon and other retail passwords, but I never store any financial institution passwords. None of my banks. No PayPal. No E*Trade. Share:

A while back I started to wonder if my phishing providers really cared about my business. They were getting seriously lazy- using generic “Your Online Bank” instead of a real bank name, no longer personalizing my emails, and using links practically entitled, “stealmyinfo.com”. Starting last week someone finally started working for my business. It’s nice to see that entrepreneurial spirit finally returning to the land of spam and opportunity. Here’s what I found in my Inbox (click to enlarge): Since not all of you regularly dissect phishing attacks, let’s have a little fun and pull this puppy apart. The above is a perfectly-formatted Ebay member-to-member email. Other than the whole “I don’t have an Ebay account on this address” thing, but at least it looks pretty. So my obvious first clue was the account bit. And the second was that I wasn’t running an auction. But here’s where it got interesting- by clicking on the item number it linked to a real auction! Not too shabby. Every other link, other than one (which we’ll get to) was real. Since I wondered if this was some hack on Ebay I decided to look at the message headers (View: Message: Long Headers in Apple Mail): Oh well. It’s really from kgonzalez@mail.ampsa.com.pa, not Ebay. Bummer, just when I was feeling special they barely even spoof their email. So much for professional pride. Viewing the raw source of the message reveals that nearly every link except one goes back to Ebay. That link? Somewhere in Japan that looks just like the Ebay login. Now I get it. The scam was to trick me into logging in to Ebay to respond and tell the “sender” that I wasn’t running an auction for ” cabachon sapphires in 14K yel gold,different, NR :O)”. (Which eventually went for $275). The site, which was at (spaces added to prevent accidental clicking, but it’s down now) http:// ns.postup02.net/~tanimua/ .cgi-bin/ws/ISAPIdllUPdate/ISAPIdllSignInpUserId=co_partnerId=siteid=0pageType=-1pa1=UsingSSL=1bshowgif=favoritenav=errmsg=8/index.html had a great looking login page I wish I took a screenshot of. I also wish I’d logged in with fake credentials, but I suspect the second part of the scam might have been to get me to enter my PayPal credentials. Either way, they could own my EBay account, or PayPal account (maybe). I’ve had a couple more similar messages since that one, but haven’t had the time to check them out. I (of course) used a “safe” browser not subject to any Javascript games. If I’d been really curious I would have accessed it from a vulnerable browser in a virtual machine, just to see what happens. Overall this isn’t the kind of thing that would fool anyone with some healthy skepticism, but I know plenty of innocents that would easily fall for it. Most users don’t know how to read an email header, or even where to find it in our nice GUI mail applications. Sometimes it’s fun to see where these phishing emails take you. Just make sure you wear protection and only try it from an isolated system. And it’s nice to know I’m worth a little effort again. I was starting to worry if it was me. Share: