Category Archives: Security

Microsoft Ditches VBA for Security?

For some time I’ve been noting Dan Geer’s point that Microsoft faces a dilemma: stick to backward compatibility including many security vulnerabilities, or fix the holes and lose backwards compatibility. Looks like they’ve done the latter with Office:
Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is welcome change because Office never should have had Visual Basic. VBA is what enabled the Macro Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.

However, not shipping VBA in Office 2008 means that people who want to have cross-platorm documents that are pseudo-applications have to deal with it in 2008, not 2009. That’s worth complaining about.

Microsoft Has Trouble Programming the Intel Architecture, by mordaxus, Emergent Chaos, 16 Jan 2008

The poster immediately goes on to sneer at OpenOffice for allegedly not being able to do things Office can do (without ever mentioning specifics) and at Keynote because everybody uses PowerPoint (while acknowledging that “Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize”).

When Microsoft can manage to annoy even slavish users like that by breaking backwards compatibility, MSFT has a problem. No doubt no VBA in Office isn’t the last straw, but it isn’t the first, either.

-jsq

Google to be Dragooned Into U.S. Wiretapping?

68EEC-dragoon.gif I’d wondered when the feds would think of this:

"Google has records that could help in a cyber-investigation, he said," Wright adds. "Giorgio warned me, ‘We have a saying in this business: `Privacy and security are a zero-sum game.’"

A New Internet Wiretapping Plan? Steve Bellovin, SMBlog, 15 January 2008

Their saying is wrong, as Bellovin points out:

The risks are quite similar to those posed by CALEA: this is an intentional vulnerability which can be exploited by the wrong people. (That’s what happeed to the Greek cellphone network.)

But some people believe the saying anyway, and will act on it, unless they are stopped.

-jsq

Mastery and Secure Coding

Brooks extended:

Each thing we are trying to push for in secure coding these days requires mastery, Cardspace, static analysis, threat modeling, web service security, and friends are very deep individual domains, and when applied to an enterprise they get wide as well. Let me underline that – to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.

So what I have seen work well is using a decentralized, specialist team approach with a very specific agenda and goals. Note the team can be very small, 2 or 3 people even if they are empowered.

Go Wide and Deep, Incrementally, Gunnar Peterson, 1 Raindrop, 10 JJan 2008

Not only can’t you make a late project on time by throwing people at it, you can’t really make a project secure by throwing people at it.

-jsq

Traffic Control Viewed as ISP Risk

pirates.jpg Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what’s happening in China:
Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to “purify” the Internet — an apparently urgent task. “Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state,” President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country’s stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

The Great Firewall: China’s Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don’t know how, that article provides tips. Continue reading

Sony Rootkitting: How It Happened

sonyrootkit.gif Here’s a paper about Sony and the Rootkit:

While Sony BMG’s customers first became aware of the dangers posed by the rootkit through media reports following Russinovich’s October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier.12 Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit.13 Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

THE MAGNIFICENCE OF THE DISASTER: RECONSTRUCTING THE SONY BMG ROOTKIT INCIDENT, By Deirdre K. Mulligan & Aaron K. Perzanowski

Yet Sony apparently thought that they could still sneak a rootkit onto CDs its customers paid for. The customers knew better, because Amazon reviews told them, and sales CDs plumetted as soon as rootkit-infested versions were issued.

This maybe illustrates three points:

Continue reading

Better Products Bootstrap

Gunnnar notes the formation of a software vendor security best practices consortium and asks:
Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I’m a bit jaded on “best practices” due to reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would including having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvemment.

-jsq

Linus on Schedulers vs. Security as Numbers vs. Opinions

linus_torvalds.jpg Thus Spake Linus:

Schedulers can be objectively tested. There’s this thing called "performance", that can generally be quantified on a load basis.

Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.

So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel, by Linus Torvalds, kerneltrap.org, Monday, October 1, 2007 – 7:04 am

Linus Torvalds, inventor of Linux and thus originator of its associated industry, continues:

Continue reading

What It Will Take to Win

gp.jpg IT and Internet security people and companies act mostly as an aftermarket. Meanwhile, the black hats are a well-integrated economy of coders, bot herders, and entrepeneurs. This is what it will take for the white hats to win:
It can seem overwhelming for security people who are typically housed in a separate organization, to begin to engage with software developers and architects to implement secure coding practices in an enterprise. While the security team may know that there are security vulnerabilities in the systems, they have to be able to articulate the specific issues and communicate some ideas on resolutions. This can be a daunting task especially if the security team does not have a prior workign relationship with the development staff, and understand their environment.

The task seems daunting also because there are so many developers compared to security people. I am here to tell you though that you don’t have to win over every last developer to make some major improvements. In my experience a small percentage of developers write the majority of code that actually goes live. The lead developers (who may be buried deep in the org charts) are the ones you need to engage, in many cases they really don’t want to write insecure code, they just lack the knowledge of how to build better. Once you have a relationship (i.e. that you are not just there to audit and report on them, but are there to help *build* more secure code) it is surprisingly easy to get security improvements into a system, especially if the design is well thought and clearly articulated. You don’t have get the proverbial stardotstar, each and every developer on board to make positive improvements, it can be incremental. See some more specific ideas on phasing security in the SD! LC here. In meantime, with security budgets increasing 20% a year, use some of that money to take your top developers out to lunch.

Secure Coding – Getting Buy In, Gunnar Peterson, 1Raindrop, 17 Sep 2007

The start of what it will take.

-jsq

Online Crime Pays

dollarsign.jpg Why Internet security professionals are losing:

Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you’ve ever bought anything online, buying from them may be disconcertingly familiar. If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase.

You might even be able to buy technical support or get a money back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you. As in many other industries, money has given rise to professionalism.

Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market. "We’re in a world where these guys might as well just incorporate," says David Parry, Trend Micro’s Global Director of Security Education. "There’s certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we’re talking about hundreds of billions of dollars."

Computer crime is slicker than you think, By David Raikow, CRN, 16 August 2007 08:04AM

Makes you wonder how long until traditional security companies get bought out by newly-IPOed offshore malware corps.

-jsq