Wednesday, January 30, 2008
Shmoocon
I'll be at Shmoocon in Washington, DC on the weekend after Valentine's Day. If anybody wants to meet up or something, get in touch with me.
Wednesday, November 07, 2007
Mac OS X Trojan Horse - Wolf in Sheep's Clothing?
Recently, a Mac OS X Trojan Horse was spotted in the wild. Pretty much everyone reported on it. But the best analysis I've seen is at SecuriTeam.
This is not a new type of attack. There is no new vulnerability exploited. This is not a novel attack, such as a driver exploit. This does not use some new social engineering technique or distribution method. This is not the first instance of organized crime (presumably) attempting to make money from exploiting systems. So why is everybody making a big deal about the new malware? People are making a big deal about this one because of what it is not: a Microsoft attack.
This new Trojan Horse is the first one to take an established commercial malware framework to the Apple platform. For years, these fake codecs have troubled the Windows platform, making untold amounts of money for their creators. They hijack the user's Internet experience and target people inexperienced with computers. But until now, the relatively simple task of adapting these programs for the decade-old operating system has been left undone. I believe that there are two reasons for this shift.
The number of people using Apple computers (and therefore OS X) has exploded over the last year and a half. I am currently sitting at a coffee shop and an informal survey shows that there are 12 Macs and only 6 PCs (including, unfortunately, mine). While this is an atypical distribution of hardware, it underscores the point. I know that most of these have been purchased within the last year and a half because they are almost all running on the Intel platform.
As the proportion of Mac users increases, the community is bound to decrease in computer experience. For the last few years, Apple has had a loyal core of customers who are technologically savvy and educated about proper use and maintenance of their machines. However, the recent adopters are typically more casual computer users. This observation is based on anecdotal evidence, but it seems that most other observers have drawn the same conclusion.
These two trends, increased install base and decreased expertise, will continue upward as computer activities become increasingly platform-independent. As more and more services are moved to a Web-based format, the importance of a single operating system will diminish. However, malware will continue to exploit the underlying system resources because this is a viable source of income.
Criminal organizations' involvement in computer based crime has drastically risen in prevalence and sophistication over the last few years and there is no reason to believe that this will change. Just like with any money-making organization, these enterprises wish to maximize their revenue streams by exploiting new markets. In order to grow, new resources must be acquired. It appears that Apple computers have been firmly identified as a new resource for criminals.
And like any other emerging market, what is pioneered by one group will quickly be followed by other players. In other words, other criminal organizations will follow suit and develop their software for the OS X operating system to compete with this group's product offering. Eventually, this market segment will become more mature, with a high percentage of organized criminals developing for both the Windows and OS X platforms the way that other software makers do. What used to be a hobbyist market will be filled by mature product offerings.
If there is nothing new about a piece of malware, it should not be a big deal. But this one is a big deal that many people will only recognize too late. This Trojan Horse is something new precisely because it's just business as usual.
Sunday, November 04, 2007
Long Time, No Post
It's been quite a while since I posted last. Sorry, I've been busy. But I do keep my "Interesting Articles" section updated. That is over on the right side of your screen (assuming you're looking at my blog and not the RSS feed). That list is all of the articles that I have read in Google Reader and chosen to "share" via the button at the bottom of each story. I wish that there was a way that you could click to get all of the links, not just the last five or so. I'm sure that there is, I just don't know how to do it so if anybody does, drop me a line.
For the record, I am working on some other public stuff, but I'm going to keep that under wraps for now. Nothing groundbreaking or significant, just adding to the general InfoSec fluff out there. If I had as much time as I do ideas I'd live forever. Hopefully I can get better at figuring out which ones are worth pursuing so I don't spend my time starting things that I don't end up finishing.
Monday, September 03, 2007
Perfect Security Is Impossible
I saw this post on securosis.com and it seemed like a great launching point for a discussion here. I want to take one point that he makes, that people seem to ask "what can I do to fix problems after the fact?" The fact that people ask this question hides a couple of addressable assumptions they often make about computer security.
The first of these is that computer problems should be addressed reactively, rather than proactively. Some people take the stance that they will always be vigilant, but many realize that they don't always do what they should. For example, most people know that they should have their vehicles serviced regularly for a multitude of maintenance issues, such as oil changes, brake replacement, tire rotation, fluid checks, etc. But many of the drivers out there do not take these precautions as often as they should. Instead, they may take the attitude of "I'll fix it if it breaks." This may not necessarily be a conscious decision, either; it may be that the "out of sight, out of mind" rule takes over, or that the owner is too busy to attend to it at the moment.
The reactive attitude also assumes that everything can be fixed and put back perfectly in place as it was. This assumption runs a little bit deeper in most people, because they do not really know how computers operate. On a car, a bent frame is not perfectly repairable; in our bodies, a removed organ does not grow back; in the universe, time flows only in one direction. Yet even mechanics, doctors, and scientists may not really understand that a computer can be broken in a way that is irreparable.
Fortunately, with computers we can address problems proactively. Computer security deals with protecting Confidentiality, Integrity, and Availability (the so-called C.I.A. triad). These are the three aspects of the rest of our lives that most of us attempt to protect, as well. It follows, then, that we should view our responsibility for keeping our computers safe the same way we view our responsibility for keeping ourselves safe.
Using caution applies to technology as to anything else. Stay away from the seedier side of the Internet as you would stay away from the seedier side of the city you live in. If you need a hand deciding which are the well-lit streets and which are the back alleys, there are tools to help. McAfee Site Advisor is an excellent tool, and tends to err on the side of caution. K9 Web Protection will actually block many sites that you may wish to avoid, though it's not foolproof.
Be observant of your surroundings. If something seems not quite right, don't be afraid to be suspicious. If your computer is acting strangely or if the email from the IRS sounds fishy (phishy), then investigate the problem.
Be ready to take action. When you have determined that something strange is definitely going on, make sure you know what to do. If you don't know what to do, then know who you can speak with to find out. But more importantly, when you have figured out the proper action to take, don't delay! Many issues are exacerbated by doing nothing when you should be doing something (or vice-versa).
Finally, be prepared to fix or work around the problem. Something will happen someday that will compromise the C.I.A. of your computer. Whether that means you delete the wrong files, you get a virus, or your house burns down, something will happen to your digital life someday. No one, not even us geeks, is immune. Have backups, antivirus, etc. ready when you need them.
All of these lessons can, and should, be applied to the real world. Most of us understand this, even if we don't practice it every day. But too many people don't seem to realize that computers are not immune from the same physical realities of everything else. Either that or they are afraid to ask about these things. But Murphy's Law still applies, as does the principle that anyone can learn how to defend themselves against it.
Tuesday, August 14, 2007
More On What IT Wants To Tell You
Last Tuesday, I was contacted by Vauhini Vara, author of the now infamous WSJ article published last week that gave readers advice on how to circumvent the IT security controls their companies had put in place (FYI, if you haven't listened to the podcast related to the article, it's worth it). The email thanked me for my comments and asked for some help in writing a response to that article. I took a long time creating a response before realizing that I'd gotten way off topic from the request. So I have cleaned it up a bit and posted it below.
The follow up article was published today and is available to everyone for free, just as was the original article. While the latest does give a voice to some of the concerns many security professionals had, it seems to serve mainly to placate those with concerns. I don't believe this is something the author should be faulted for, but merely reflects everyone's interest in seeing the story be over. At the risk of seeming unappeasable, I think that the article lacks the intensity of the first and seems to demonstrate a lack of true understanding of the topic.
Again, I don't see this as Vauhini's fault; she has the near impossible task of taking something some people spend their entire lives doing and trying to boil it down to a couple of hundred words to fit into a column. Without an in-depth understanding of the subject and a gift for succinctness (which I don't have), this is incredibly difficult to do. I would imagine that the only way to get this right would be to collaborate with a subject matter expert, allowing editing and revisions. But this is not appropriate to the typical journalistic process.
I won't spend any more time talking about this subject because there will never be complete agreement between IT security people and the employees over where an acceptable boundary is between protecting the organization and ease and freedom of use. There isn't even total agreement between employees or between IT security folks. So this post will, thankfully, be my last on the subject.
More thoughts on the topic
As I mentioned in my earlier post, the IT department is involved in businesses to enable productivity and to contribute to the bottom line. The information security professionals are there to provide technical oversight in the way that the physical security people do. Several things are involved in this oversight, like being involved in the design process, putting in place administrative and technical controls, and auditing the organization's procedures.
The difference between physical security and information security is that physical security is something we are born and bred to recognize and respond to. Things like protecting valuable assets, restricting access to locations, and preventing attacks are well understood by people because they have had to deal with these issues all their lives. However, when computers are involved, these same principles seem alien. Computers and information networks are incredibly complicated systems, and understanding them is too large a task. Therefore it is difficult for people to have an intuitive sense of the balances being struck between security and usability.
In designing a good access control system, for example, it is widely acknowledged that access to a facility should be granted only to those people who have a need to be there. So systems have been put in place to make sure people walking into the building should be there, whether it is a security guard, an ID badge reader, etc. IT security is no different in practice. When we design, say, a wireless network, we also want to make sure that these precautions are taken. Having access to an organization's network can be just as damaging, more or less, as having physical access to the home office. While employees may recognize the potential danger in propping open a door to the outside, they may not realize that this is the same principle as bringing in a wireless access point from home.
One of the main interfaces, and problems, people have with IT security is web page filtering. They typically don't view it as anything but trying to keep them productive on the job. So they view circumventing this technology as a relatively benign thing to do, especially if they are taking a break. But productivity is almost certainly not the reason why the web blocker was brought into the network. Malicious content (whether hosted on reputable sites or on maliciously designed sites) and legal precautions (regulatory requirements, sexual discrimination law, etc.) top the list of reasons why IT security departments want to be able to block certain websites.
Along with filtering web content, monitoring Internet traffic is one of the important tasks that IT security personnel perform. In some industries, this is driven more by organizational needs than by regulatory requirements. Many companies and governmental institutions have a need to know what comes in and goes out of their network. Internet monitoring is one tool to help with this. In cases where secret, confidential, or regulated information is involved, knowing if it escapes the network is critical. This can be accidental, like a consultant emailing important documents to himself, or it can be malicious, like a key logging program transmitting credit card numbers a half a world away.
However, web filtering and monitoring devices have also been tasked with trying to decrease the amount of time employees spend not working while they are at work. And this is when most people come into conflict with the technology. A worker who wants to visit the New York Times webpage and finds it blocked may feel that these technical controls are unreasonable. This may, in turn, cause him or her to try to circumvent them in the process of doing normal business. For example, if an employee needs to send a log file to a vendor and it is too large to go out through the email system, using a web page to host the file might seem like an ideal way to get this done. However, if we pretend in this scenario that the log contains records of all patients admitted to the Emergency Department of a hospital, those records are exposed on the Internet for anyone to access.
With those things in mind, here are some tips to help people to work with, instead of against your IT security people. These positive suggestions will likely work better than their "don't do this" counterparts.
1. We're here to help you help the company make money. That's how we get fat bonuses and better toys! If you have a legitimate business need to do something that we're preventing, talk to us.
2. We love playing with new toys! We'd love to spend 50 grand on new wireless access points and have them around to play with. If you can help us build a business case to do that, we'll work with you.
3. Come to us with your problems and ask us to help. We may know an easier way of doing something through automation or simplification. Give us the opportunity and freedom to be flexible and creative when fixing your problem and we might amaze you!
4. We take our jobs seriously and have pride in our knowledge and skills. If you treat us with professional respect, we will do the same for you. If you are patient and friendly with us, we are more likely to want to help you. If you treat us well consistently, we don't forget it.
5. We enjoy being thanked and appreciated. Some things might take a lot of work or be especially challenging. Thanking us sincerely is the easiest way to show you recognize this. Baked goods and complimenting us to our boss is the best way to get us to work twice as hard for you next time!
Working in IT can give you quite a few good horror stories to share. IT security can produce some especially gruesome ones. Some of the stories are protected by confidentiality agreements or legal order, but many of these would not be safe to print anyway.
I won't give any specific stories about the type of pornography that I have seen in my job, but I have to say that I've seen more things than I could have imagined existed. While I haven't seen anything that would be illegal, I have certainly had my eyes opened to the variety of things that people find erotic.
My organization fought a network worm shortly after I became involved with information security. It wasn't a terribly destructive or widespread one, but we spent over 200 hours cleaning it up. After some investigation, it was determined that the worm exploited a new vulnerability and was probably brought in by someone using a personal laptop.
Several times a day, the Internet monitor alerts me to the fact that someone has sent their own (or sometimes a friend's or associate's) personal information out on the Internet. Whether it is their tax return being sent to their webmail address, their application for a car loan, a payday loan or a job, or a background check for a tenant, many people don't realize that the information they send out can be seen by many people they don't intend. Most of the time, we try to contact the person or company responsible for the information to make sure that they are aware of the issue.
Occasionally, we have had viruses or spyware infect computers embedded in products that we are prohibited from working on and to which we do not have access. In these cases, we attempt to contact the vendor and, depending on the severity of the attack, treat the device as if it were nonfunctional, remove it from the workflow, and power it off.
Lack of communication is one of the biggest problems that we have. From things as simple as a vendor needing Internet access to do a presentation, to departmental changes that will require hardware moves and substantial changes to organization software, sometimes people don't understand what is involved for us in doing that work. We can't always fix a problem immediately, even if we don't have a full schedule; these tasks take real time and effort.
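As an added example (not code from the post or from the monitoring product it refers to), here is the core of the kind of egress check the Internet monitor described above performs: it scans outbound message bodies for credit card numbers, accepting only digit runs that pass the Luhn checksum so that order numbers and phone numbers are not flagged, and for SSN-shaped strings, and it returns alerts with the matched value masked so the alert log does not become a second copy of the leak. The sample messages, the two patterns and the Alert structure are my assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Runs of 13-19 digits, optionally grouped with spaces or dashes (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape only (3-2-4 digits with dashes); this is a shape check, not validity.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Every second digit from the right is doubled (subtracting 9 when the
    result exceeds 9); the total must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the alert itself does not re-leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Alert:
    message_id: str   # which outbound message triggered the alert
    kind: str         # "credit_card" or "ssn"
    masked: str       # masked form of the matched value


def scan_message(message_id: str, body: str) -> list[Alert]:
    """Scan one outbound message body and return an Alert per confirmed hit."""
    alerts: list[Alert] = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):            # drop digit runs that are not card numbers
            alerts.append(Alert(message_id, "credit_card", mask(digits)))
    for m in SSN_RE.finditer(body):
        alerts.append(Alert(message_id, "ssn", mask(m.group())))
    return alerts


def scan_outbound(messages: dict[str, str]) -> list[Alert]:
    """Scan a batch of outbound messages (id -> body) and collect all alerts."""
    alerts: list[Alert] = []
    for message_id, body in messages.items():
        alerts.extend(scan_message(message_id, body))
    return alerts


# Constructed sample traffic; the card number is a well-known Luhn-valid test value,
# the SSN is a made-up shape match, and the ticket number fails the Luhn check.
SAMPLE_MESSAGES = {
    "msg-1": "Sending my tax stuff home. Card: 4111 1111 1111 1111, exp 09/09.",
    "msg-2": "Loan application attached. SSN: 123-45-6789. Call me back.",
    "msg-3": "Vendor, see ticket 1234 5678 9012 3456 for the log file details.",
    "msg-4": "Lunch at noon? The presentation room is booked.",
}

if __name__ == "__main__":
    for alert in scan_outbound(SAMPLE_MESSAGES):
        print(f"{alert.message_id}: {alert.kind} detected ({alert.masked})")
```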