Research

I have a love-hate relationship with Vegas. As someone who’s not the biggest fan of crowds (after way too many years of events security) this isn’t exactly the most relaxing environment. As someone who hates to lose… well, if you think you can win here you’re fooling yourself. On the other hand I met my wife here (at a Jimmy Buffett concert); and as a security professional this is probably the most fascinating city on the planet (followed closely by Joha esburg). Vegas is a double whammy of security- on one side there’s all the casino security. Cameras everywhere, multiple layers of guards and law enforcement, and the built-in security systems of the games. It’s a great place to challenge yourself and try and find the holes (or catch something before the casino does). On the other hand this is an entire city dedicated to nothing more than manipulating every man, woman, child, and sentient alien on the face of the planet. From the casino design, to the advertisements, to the very structure of the city there’s no better place to come learn social engineering. Amazing. An entire city devoted to leaching every possible dollar out of your pocket through manipulation of every base instinct in your genetic code. It’s just fascinating- from the single deck blackjack tables that make you believe you’re a card counter, to TV shows like Las Vegas that make casinos out to be some altruistic corporation run by locals who care. My favorite on this trip is the “ultra-lounge” here at the Rio (it’s a regular hotel lobby bar with the occasional model posing on a platform). I didn’t bother to check the drink prices. I was once comped a bottle of vodka at one of the lounges. We thought we’d order a second bottle, but I didn’t think $300 for something you could get for $40 in the liquor store down the street was the best deal on the planet, no matter how many “actress/models” serve it. You gotta love Vegas. (Someday I’d love to check out the behind the scenes security- just in case any of you readers have connections.) Share:

I’m heading out to Vegas tomorrow morning to speak at the Data Center conference. If any readers are there and want to meet up, just email… Share:

For some reason I think I often end up the middle on some of these vulnerability issues; trying to bring reasonable advice to both technical and less-technical users on hyped security issues. Here’s another one. The Month of Kernel Bugs project released a new flaw affecting Macs- it’s a flaw in disk image files that crashes the system. Right now we don’t know for sure if it could allow someone to take over your computer, but I promise you that this class of attacks will, if not now, eventually let someone else take over your system. There is also an unconfirmed report this may be in the wild. DMG files are, to be blunt, the single most likely vector for a rapidly spreading Mac virus. We talked a little about this in our first post on kernel bugs. Because of how OS X manages disk image files, if you mount a malicious disk image (even if you don’t run anything inside of it) an attacker could take over your system. This is a kernel flaw- so you don’t need to be running as root or with administrator privileges. The attacker will totally own your system, and can use it, just as Windows systems are commonly used, to attack your friends and associates. A really nasty attacker might even do some nasty things like try and identify other Mac users based on their address book settings or by trolling your inbox for Mac-formatted emails. Yep- I’m using hyperbole, because I want you to take this seriously. Matasano has a great write up on this. I disagree that disk images are always a bad idea since I’ve found them really useful, but do agree they are a royal pain in the rear to secure. I also think Gruber is taking this more seriously than they give him credit for, yet considering his influence on the Mac community I hope he takes it even more seriously. Because of how disk images work they are far more likely to allow someone to take over your computer than other file types on a Mac. Here’s my advice for other Mac users: As many recommend, turn off Safari’s “Open safe files after downloading” preference. Don’t download any DMG file from an untrusted source. Never open a DMG file emailed or IMd to you from someone you know unless you were expecting it. That’s how a mass exploit will work. Apple should require admin privileges to open a disk image in future versions of the OS, or design some other mechanism to prevent kernel panics (e.g. virtualization or something similar). Yes, this is an inconvenience, but since we’re talking about a file format that will be nearly impossible to secure, yet is valuable to us as users, additional steps should be taken. There’s no need to panic, but we do need to take this very seriously. This won’t be the last we hear about this kind of problem. Share:

Jim at DCS has this post on scanning SCADA networks. Here’s the thing. If you’re so scared you’ll break your stuff by running a simple Nessus scan with safe settings, you have a serious problem. Just imagine how screwed you’ll be the first time an attacker decides to scan your systems for you. Unless you’re totally sure that network and those systems are totally isolated, you better have a darn good recovery plan. Including a job recovery plan, if you know what I mean. Yes- you can mess up and perform more intrusive scans that break things, but I’d be seriously worried if even this is the case. If stuff dies with typical safe scan settings it falls in the whole “bad” category. Share:

There’s a new bug, which can reveal your password to any other page on the same domain. Even if you have a master password set, you should clear out all your Firefox stored passwords until this is fixed. There are a lot of ways to take advantage of this, especially on Web 2.14.168.42 sites. Yep- I use it, and will miss it. I hope they fix this soon. Share:

Today is the last day some of you will be in front of your computers before the horror of Black Friday. Thus, we are reposting our safe holiday shopping advice. Hey. Let’s be careful out there. Yes folks, Black Friday is less than two weeks away and the silly season is upon us. As someone born and bred in good old North Jersey (until I could legally escape), land of honey and shopping malls, this is a time so deeply ingrained into my subconscious that I’ve occasionally found myself sleepwalking around the nearest parking lot, looking for our old wood-paneled station wagon. These days, thanks to the wonder of the Internet, anyone can experience the hustle and bustle of the Paramus malls from the comfort of their own home. And to help keep your shopping experience authentic, there’s no shortage of cheats and thieves ready to yank your painstakingly chosen gifts right out of the virtual trunk of your web browser. Of course they might take your house with it, which, even in Jersey (despite the legends) is somewhat rare. In the spirit of safe and happy holidays, Securosis presents our top 6 tips for safe online shopping, simply presented for the technical or non-technical consumer. Some of these tips also apply to the real world for those of you who just can’t restrain the draw to the mall. Spread the fun, and feel free to post your own tips in the comments. Use a dedicated credit card (or PayPal account) for holiday shopping. Our first tip is also useful for the physical world- still the origin of most credit card fraud. Take your card with the lowest limit and use it exclusively for holiday shopping. Use one you can monitor online, and check the activity daily through the holidays (weekly at a minimum). Make sure it isn’t a debit card, and turn off any automatic payments (so you can dispute any charges before making payments). Keep tracking activity at least weekly for 12 months after the holidays are over, or cancel the card. DON”T USE A DEBIT CARD!!! These don’t have the same protections as credit cards, and you’re responsible for fraudulent charges. As for PayPal, read on to our second tip. Only use credit cards at major online retailers; use a PayPal debit account for smaller shops . Sure, you might get a better deal from Billy-Bobs-Bait-Shop-And-Diamond-Wholesaler.com, but many smaller retailers don’t follow appropriate security practices. Those hosted with a major service are often okay, but few consumers really want to check the pedigree for specialty shops. Instead, create a dedicated PayPal account that’s not linked to any of your bank accounts or credit cards. Credit it with as much cash as you think you need and use it for those riskier online payments. Worst case, you only lose what’s in that account, and you can easily cancel it anytime. Never, ever, ever ,ever click on ANYTHING in email. It doesn’t matter if your best friend sent you a really good deal in email. It doesn’t matter if it’s your favorite retailer and you’ve always gotten email offers from them. Repeat after me, “I will never click on anything in email.” No special offers. No Ebay member to member emails. No “fraud alerts” to check your account. No nothing. Ever. Nada. Attackers are getting more and more refined in their attacks, some of which are very hard to distinguish from legitimate emails. Spam waves over the holidays are expected to break records this year. When you see an interesting offer in email, and it’s a business you want to deal with, just open your web browser, type in the address manually, and browse to the item, offer, or account area. Email is the single biggest source of online fraud; never click on anything in email! Update your browser- use Firefox 2.0, IE 7, Safari, or Opera. Turn on the highest security settings. Over the past month or so we’ve seen major updates of Firefox and Internet Explorer, both with significant security enhancements. Safari (installed on every Mac) and Opera are also good options. Firefox 2.0 and IE 7 include features to help detect fraudulent sites- if you see a warning, shut down the browser and don’t go back to that site. All of these browsers will ask you before installing any software when you visit a site; when shopping, never allow the site to install anything. Either it’s a fraud or they don’t deserve your business. Most browsers now install with security enabled by default, so we won’t be providing detailed instructions here. Just download them. Now. Then come back and read the rest of this list. We’ll wait. Download and install the Netcraft toolbar if you’re on Windows. This is a free toolbar for Firefox and IE that helps identify phishing sites. Although both browsers include their own anti-phishing technologies (as do many other toolbars), it never hurts to double up during the holiday season. Think of it as the deadbolt lock to enhance the regular lock on your front door. If you don’t want it bothering you all the time, at least use it during your holiday shopping and turn it off later. Keep your antivirus, firewall, antispam, and anti-spyware up to date. I don’t really care which product you use (and truth be told, we don’t really like most of the commercial ones) but as bad as some of these perform they really are essential on a PC. Before the holidays we plan on putting together a list of free, non-geek security tools, but for you non-technical type any of the shrink wrapped major vendors offers at least a modicum of protection. For Windows users, Windows Defender is a good, free additional tool to limit spyware. Right now there’s no known spyware for Macs. These six simple steps won’t stop all fraud, but will significantly reduce both the chances you’ll be a victim, and the damage if you are. Feel free to email them to

Author’s Note: This was originally posted last year, but nothing ever changes: Backup Backup Backup Did I say backup yet? Backing up home computers used to be little more than a convenience to keep you from losing some old college papers. These days our entire family histories find life on our unreliable home computers. From digital photos of junior, to financial records in Quicken, to love letters in email, our computers store items in ephemeral 0s and 1s that used to be on paper in a box. Sure, paper isn’t perfect, but I suspect more of us have experienced hard drive crashes than house fires. Backup is really a pain, so I suggest prioritizing your efforts to focus on the most important stuff and to make it easy and seamless for your non-geek friends and family. In many cases your best bet is to get an external hard drive and some basic backup software (I use SuperDuper on my Mac, not sure what’s good these days on PCs, so recommendations in the comments appreciated). A bunch of the external drives now include basic software for free, and you can plug in the drive, install the software, and just check up on it every now and then. For digital photos I’ve started recommending the archive features of Photoshop Elements, Microsoft Digital Image Suite, and the like. The advantage here is they get a photo tool they can use for other purposes, while getting basic photo backup features. I just grabbed Photoshop Elements for my Father-in-Law and a bunch of blank CDs. My plan is, every few months, to burn an archive of his photos on CD and store them over at my place (we live 20 minutes away). No- backup isn’t fun or sexy, but today it’s very very necessary. I hear all too many stories of people losing valuable family photos due to a basic hard drive crash, virus, or whatever. Imagine losing ALL your baby pics, wedding pics, or Grandpa’s 80th birthday pics where he flashed back and called Grandma by the name of his long-forgotten French mistress from WWII inciting immediate, if lethargic, violence. Ah, Family. Good times. You really don’t want to let your family lose their memories, do you? It’s also a good idea to print really valuable photos. The rumors of paper’s demise are greatly exaggerated. Share:

I’m about to tread, yet again, on religious ground. John Gruber, attacking an eWeek article, incited a response by Tom Ptacek over at Matasano. I suggest you read those articles, especially the Matasano response, because they highlight very clearly some of the technical differences between OS X and Windows Vista. I’ve been spending a lot of time, we’re talking a year or two, trying to decide if OS X is inherently more secure. I’m not a vulnerability researcher or OS developer, so I can’t dig in like Ptacek, but as an analyst I’m pretty good at weeding through the BS and I’m geeky enough to know what I’m talking about. OS X is more secure than my XP PC, but Vista changes everything. This is not your usual Windows. Tom’s response to Gruber focuses on Windows Vista, but Tom could have explained that more clearly. Gruber probably hasn’t hammered on a recently-released, barely-production-deployed OS so his arguments are tailored towards Vista. I think all the pundits need to be clear about which OS versions they are talking about. To a very real degree they are debating around each other- Tom focusing on Vista, and John on XP. This was something I was planning to write about after I got my hands on a non-beta copy to play with, but Tom beat me to the punch. OS X is more secure than XP for a variety of reasons, including the user account model, lack of SYSTEM, quiet network profile, some core code signing, and so on. That said, OS X was not designed with a secure development lifecycle, and does not include the advanced security features shipping in Vista. Not that Vista is perfect, but there are clear indications that the game may have changed. (And yes, I’ve simplified a lot) The Secure Development Lifecycle is far more than some marketing campaign. MS hammers their code harder than anyone… ANYONE else in development today. Independent review, multiple security code scanning engines, mandatory training, and dropping beta versions to hackers like free candy. I talk with a lot of vendors; many have good processes, but I haven’t found any major vendor that makes such an effort. Ignore XP- it never went through this process, but look at SQL Server 2005, one of the first major applications to go through this process. No vulnerabilities to date- just one shared-code flaw (XML Core Services). Vista is the first consumer OS to go through this process. Bugs will still be found, but I suspect far fewer than XP. Memory randomization- key code hops around in memory. This makes it incredibly hard for an attacker to point to system code, since the code always moves. No hardcoding addresses. This may be the most significant change in the OS security. C#, which will probably be the most common application language used on the Windows platform, uses memory virtualization, just like Java. Again, nothing’s perfect, but this means C# apps are much less likely to suffer some of the common families of flaws that have crippled Windows so far. The user privilege model is stronger, but not perfect. MS cut back a little here to keep some enterprise customers happy, but the improvements are still very real. Old code demanding admin access runs off virtual registries rather than corrupting the main system registry. Browser isolation- most major malware today on XP comes in email or over the browser (and half the email stuff uses the browser). IE 7 itself is stronger, and the browser runs in a more isolated and less privileged mode. I’m just running off other’s evaluations, so take it or leave it, but the hard-core researchers I know all tell me Vista is not the MS software we’re used to. Everything from the browser, to the kernel, to the programming languages used to build applications is significantly improved. And I haven’t even mentioned all the new security features, like a real 2-way firewall, PatchGuard, and so on. Will it all work? I don’t know, but I do know those who have hacked away at Vista come away impressed. So is Vista more secure than OS X? I think so, but we’ll still see more malware for Windows for a long time to come. And Apple has plenty of time to take some of the same security steps. Heck, with less ties to legacy applications Apple could probably jump ahead if they put their minds to it. Vista might see life on my Mac, but replacing my XP virtual machine. But with Vista now released we all need to be clear about which operating systems we’re discussing. On paper Vista has more security built in at a more fundamental level than OS X. But Vista is brand new, and we’ll have to watch the world kick the tires for a while. Apple needs to respond with similar features, where needed, if they are to compete in the security game. If they want to. The truth is, security is still not a major factor in most people’s OS choice. I’m sitting here saying I think Vista is more secure, but I don’t plan on switching off my Mac. Security is about being “good enough”. As the major target for attacks, “good enough” for Windows is significantly higher than “good enough” for Macs. Until Apple sees the same kinds of exploits on the same scale there will be little motivation for them to invest so deeply in security. The game isn’t over, but it’s definitely a different game than just a few weeks ago. Share:

The Month of Kernel Bugs has released their latest vulnerability. There’s also a Metasploit exploit module. I’m not going to post every time one of these pops up, but hopefully this puts some of the wireless flaw debates to bed. Share:

My work day had a bit of an unplanned interruption today. I shut down my computer to head from the home office to a nice quiet coffee shop for a change of scenery and a little time off the Internet to get some research done. When I booted up in the coffee shop I noticed that all my personal settings were gone for some reason. All my data was there, but every single preference in every single application (including registration keys) were missing. I looked in my preferences folder in the Library (a Mac thing, way better than a registry) and everything seemed to be in place, but anytime I opened an app it would overwrite the old preferences with a new preference file. Oops. Repairing disk permissions (a Mac thing, not so cool) and some other routine fixes didn’t work, so I scooted home to my backups. I copied over my 2-day-old preference files from a backup and that seemed to do the trick for most apps and my desktop/startup items. A few things are still hinky, but most of it’s normal. The one bad problem was my blog software (Ecto). Ecto seemed to lose all settings even after the fix, including all my drafts for future posts. Big bummer. A half hour later I was able to dig up some of the other settings files, replace those from 2 days ago, and everything seems fine. Backups are good. Nightly backups are better, and I think I’ll be even more diligent from now on. That said, this incident raised some questions in my mind. Even assuming I had a complete backup from last night, or a current differential, I was still looking at an uncomfortable loss of data from just the morning. I’m realizing that on any average day I produce a fair volume of data throughout the day. From calendar entries to emails to blog posts. Losing that hourly data won’t kill me, but would still be seriously annoying. Also, it was a VERY manual process to restore my preferences. I’d like to see more continuous backup software; and not just backups of documents/photos, but of settings and other system information, all with a granular restore. Time Machine in the next OS X looks like a good step in this direction, and I hope Apple includes settings in the backup schemes. I’ve played with a few Windows system restore settings, and while those do a good job of restoring your system you tend to lose a lot of the hourly data. That might be motivation to keep data on a separate partition from system software and settings to better enable granular restores. All of which is a real pain for us laptop users. As it is I own AT LEAST one external hard drive for every PC/Mac, not counting my small NAS. That’s a lot of drives and a lot of manual backups, and I don’t backup on the road. Eventually I’d like to have all my home systems automagically backup on the network every night, but that has to wait I can move to gig Ethernet and get a bigger, faster NAS. This is well beyond the average home user’s capabilities. As our entire lives and family histories move to fairly unreliable PCs (and Macs; they lose hard drives too) we could be destroying our social records. Despite constant warnings I still can’t get ANY of my family members to reliably backup their digital photos. I look forward to the day where no PC or Mac ships without an extra drive just to backup data. To operating systems that scream and kick their feet until you agree to backup to magnetic or optical media. To the day where all of this is transparent to the average user. Maybe System Restore and Time Machine will solve the problem. But I doubt it. There has to be a better way to preserve our digital lives. (sorry for the less-than-insightful rant, but I’ve been on a backup kick lately. We really don’t pay enough attention to backups in the consumer world- even us hard core geek consumers) Share: