Google is obsessed with phishing, thankfully
Google has a significant stake in the Internet and whether it survives or not. Could that be why the search giant has declared all out war against the phishers of the world?
————————————————————————————
People associate phishing with identity theft. That’s bad enough, but there is something else to consider. If phishing continues to be successful, people will be afraid to do anything online, especially when it requires disclosing personal information.
Businesses, financial establishments, and companies who exist because of the Internet are keenly aware of this. It seems that Google, one such company, has decided to bring their vast arsenal of technology to bear on the problem of phishing.
There are two reasons why I am interested in Google’s approach to anti-phishing. First, their Anti-Phishing Team has been able to automate the black-listing process, no small feat. Second, they are finally talking about how they do it. Their method involves two parts: a client-server interface and a backend database. Let’s look at the client-side service first.
Client side
The client interface is Google’s Safe Browsing API. It has been working quietly in the background for several years, a fact many do not realize. Three of the four big-name Web browsers (Firefox, Safari, and Chrome; Internet Explorer is the exception) use it. Google defines the Safe Browsing service as:
“At a high level, the service works by checking each URL the client loads against a list of known phishing and malware sites. The list of known sites is represented as host-suffix / path-prefix expressions.
As the name suggests, these expressions can match arbitrary URLs as long as they have the required host suffix and path prefix. This approach helps protect against sites where the attacker uses many different URLs in order to try to evade blacklists.”
The following diagram (courtesy of Google) is a visual description of the look-up process:
The client-server handshake is the easy part. Keeping the black list current and complete while holding false positives to a minimum is where it gets tricky.
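The lookup itself, as an added example that is not Google’s code: the expression format is the one quoted above, and the candidate-generation rules (the exact host plus the suffixes made of its last five, four, three and two labels; the exact path with and without its query string, the root, and up to four directory prefixes) follow the rules Google documented for the Safe Browsing lookup. BLACKLIST is constructed sample data, and a real client compares hashes of these candidates against a local list of hash prefixes rather than the plain strings, but the matching logic is the same.

```python
"""Safe Browsing-style URL lookup against host-suffix / path-prefix expressions.

Added example, not Google's code. BLACKLIST is constructed sample data; a real
client checks hashes of the candidate expressions against a list of hash
prefixes, but the matching logic is the same.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed sample blacklist in host-suffix / path-prefix form.
BLACKLIST = {
    "evil.example/",               # whole domain: every subdomain, every path
    "login.bank.example/secure/",  # one host, one directory subtree
    "198.51.100.7/pay.php",        # IP-literal host, a single page
}


def canonicalize(url):
    """Return (host, path, query) with case, dots and dot-segments normalised."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".").lower()
    while ".." in host:
        host = host.replace("..", ".")
    raw_path = unquote(parts.path) or "/"
    segs = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):      # drop empty and "." segments
            continue
        if seg == "..":           # resolve ".." against what has been kept so far
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if segs and raw_path.endswith("/"):
        path += "/"
    return host, path, parts.query


def host_suffixes(host):
    """The exact host, then the suffixes made of its last 5, 4, 3 and 2 labels.
    An IP-literal host has no meaningful suffixes, so only the exact host."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    labels = host.split(".")
    out = [host]
    for n in range(min(5, len(labels) - 1), 1, -1):
        out.append(".".join(labels[-n:]))
    return out


def path_prefixes(path, query=""):
    """Exact path with query, exact path, the root, then up to 4 directory prefixes."""
    out = []
    if query:
        out.append(path + "?" + query)
    out.append(path)
    if path != "/":
        out.append("/")
    segs = [s for s in path.split("/") if s]
    dirs = segs if path.endswith("/") else segs[:-1]   # a trailing file is not a directory
    for i in range(1, min(len(dirs), 4) + 1):
        prefix = "/" + "/".join(dirs[:i]) + "/"
        if prefix not in out:
            out.append(prefix)
    return out


def candidates(url):
    """Every host-suffix / path-prefix expression this URL could match."""
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def lookup(url, blacklist=BLACKLIST):
    """Return the first blacklist expression the URL matches, or None."""
    for expr in candidates(url):
        if expr in blacklist:
            return expr
    return None


if __name__ == "__main__":
    for u in ("http://www.evil.example/anything?x=1",
              "http://a.b.c.d.e.f.evil.example/x/y/z",
              "https://login.bank.example/secure/index.html",
              "https://bank.example/secure/index.html",
              "http://198.51.100.7/pay.php"):
        print(u, "->", lookup(u))
```

The point of taking suffixes from the end of the hostname rather than the front is the evasion case the quote mentions: a phisher who prepends a dozen throw-away labels to a blacklisted domain still ends up with a candidate equal to the listed `evil.example/`, and the `bank.example` lookup shows that a legitimate parent domain is not caught by an entry for one of its hosts.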
Back end
Until recently, Google has kept mum about how their black list is populated. I first learned about it through a Google blog post, which pointed me to the paper Large-Scale Automatic Classification of Phishing Pages (pdf). The paper is now public, having been presented by Colin Whittaker, Brian Ryner, and Marria Nazif (all members of Google’s Anti-Phishing Team) at the 17th Annual Network and Distributed System Security Symposium.
Right away in the report, the team discusses what is needed for the black list to be effective:
- Comprehensive: A blacklist that is not comprehensive fails to protect a portion of its users.
- Error free: False positives subject users to unnecessary warnings. Eventually, the users will ignore the warnings.
- Timely: The black list must update in real time, since most phishing sites are up for less than a day.
The report goes on to explain that the automatic classifier (back-end algorithmic process) uses the following Web-page elements in the decision-making process:
- Page URL: Look for anything odd about the hostname. Is it unusually long, or does it contain an IP address instead of a domain name?
- Page content: The page is checked to see if it has a password and/or PIN field. Additionally, the page is checked for links that point at a known phishing domain.
- TF-IDF score: TF-IDF (term frequency-inverse document frequency) is a text-ranking method. A term is weighted by how often it appears on the page, scaled down by how common it is across pages in general, so terms like “password” or “PIN” that are rare on the Web at large but prominent on a login page are given more weight than filler words.
- Hosting information: What network hosts the Web site and where the Web servers are located geographically can be telling. For example, I’d be concerned if the Web server for an American bank is in a different country.
- PageRank: PageRank is used to determine the spam reputation of the page’s domain. Apparently, the Anti-Phishing Team has discovered a relationship between phishing pages and domains that send spam.
That’s quite a list of things to check, more than I would care to check each time I go to a new Web site.
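What those checks look like when automated, as an added example that is not the Anti-Phishing Team’s code: it pulls the URL, form-field, link and TF-IDF features named above out of a page using only the Python standard library. The reference corpus behind the TF-IDF document frequencies, the list of known phishing domains, the two sample pages and the weights inside phishing_score are all constructed for the demo; the paper’s classifier learns its weights from labelled training data, and the hosting and PageRank features are left out because they need data from outside the page.

```python
"""Feature extraction for a phishing-page classifier, in the spirit of the
five checks listed above. Added example, not the Anti-Phishing Team's code.
Only the standard library is used; every data table below is constructed.
"""
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN_PHISHING_DOMAINS = {"evil.example"}   # constructed

# Constructed document-frequency table for a reference corpus of 1000 pages:
# the number of those pages in which each term occurs. Filler words are in
# almost all of them; "pin" and "password" are in few.
REF_DOCS = 1000
REF_DF = {"the": 990, "and": 980, "to": 970, "your": 600, "help": 500,
          "enter": 300, "account": 120, "password": 80, "bank": 60,
          "verify": 40, "pin": 15}

LOGIN_TERMS = {"password", "pin", "verify", "account"}


class PageScanner(HTMLParser):
    """Collect input fields, link hosts and visible words from an HTML page."""

    def __init__(self):
        super().__init__()
        self.inputs, self.link_hosts, self.words = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            self.inputs.append((a.get("type", "text").lower(),
                                (a.get("name", "") + a.get("id", "")).lower()))
        elif tag == "a" and a.get("href"):
            self.link_hosts.append((urlsplit(a["href"]).hostname or "").lower())

    def handle_data(self, data):
        self.words.extend(re.findall(r"[a-z]+", data.lower()))


def on_known_phishing_domain(host):
    """True if host is a known phishing domain or a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in KNOWN_PHISHING_DOMAINS
               for i in range(len(labels) - 1))


def tfidf(words):
    """Weight of each term: frequency on the page * log(N / document frequency)."""
    tf = Counter(words)
    n = max(len(words), 1)
    return {w: (c / n) * math.log((REF_DOCS + 1) / (REF_DF.get(w, 0) + 1))
            for w, c in tf.items()}


def extract_features(url, html):
    scanner = PageScanner()
    scanner.feed(html)
    host = (urlsplit(url).hostname or "").lower()
    weights = tfidf(scanner.words)
    return {
        "host_len": len(host),
        "host_is_ip": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),
        "has_password_field": any(t == "password" for t, _ in scanner.inputs),
        "has_pin_field": any("pin" in name for _, name in scanner.inputs),
        "links_to_phishing_domain": any(on_known_phishing_domain(h)
                                        for h in scanner.link_hosts),
        "top_tfidf_terms": sorted(weights, key=weights.get, reverse=True)[:5],
    }


def phishing_score(f):
    """0.0 (benign) .. 1.0 (phishing). The weights are made up for illustration;
    the paper's classifier learns its weights from labelled training data."""
    z = (-4.0
         + 3.0 * f["host_is_ip"]
         + 0.05 * max(f["host_len"] - 20, 0)
         + 1.5 * f["has_password_field"]
         + 1.5 * f["has_pin_field"]
         + 3.0 * f["links_to_phishing_domain"]
         + 1.0 * sum(t in LOGIN_TERMS for t in f["top_tfidf_terms"]))
    return 1.0 / (1.0 + math.exp(-z))


# Constructed sample pages.
PHISH_URL = "http://198.51.100.7/secure-bank-login/verify.php"
PHISH_HTML = """<html><body><h1>Verify your account</h1>
<p>Enter your password and PIN to verify your bank account.</p>
<form><input name="user"><input type="password" name="pass">
<input type="text" name="atm_pin"></form>
<a href="http://www.evil.example/help">Help</a></body></html>"""

BENIGN_URL = "https://www.example.org/about/"
BENIGN_HTML = """<html><body><h1>About us</h1>
<p>We make widgets and sell them to the world.</p>
<a href="/contact">Contact</a></body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        f = extract_features(url, html)
        print(url, f, round(phishing_score(f), 3))
```

On the constructed phishing page the highest TF-IDF terms come out as “verify”, “account” and “pin”, not “your” or “and”, even though “your” occurs more often: that is the inverse-document-frequency factor doing the weighting the bullet above describes. The benign page trips none of the boolean features and scores near zero.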
Automated
Automating the search for the above elements is the first step the Anti-Phishing Team took, and probably the simplest. The classifier then takes the information and scores the URL, from 0.0 (not at all phishing) to 1.0 (definitely phishing). Finally, software called the Blacklist Aggregator prepares the list to be served to the clients.
What really makes this system effective is how the classifier is retrained every day to pick up new phishing trends. Google explains:
“As a training data set, we use a sample of roughly ten million URLs analyzed by the classification workflow over the past three months along with the features obtained at the time.”
The report goes on to explain how the training data set is manipulated to test the classifier and make sure it is providing the most accurate results possible. From what I understand, the training process is the heart of the classifier and what separates Google’s approach from others.
A different take
Another Google blog post I came across looks at phishing differently.
The post explains how Web-site designers can minimize the chance of having their work trigger anti-phishing scanners. After reading the post, I realized these points are something we should keep in mind as well:
- Beware of username and password requests that are not specifically for that Web site.
- Be leery of logos near login fields that are not related to the Web site.
- Links to other Web pages should be readily viewable and related to the site’s domain page.
The above bullet points are important, but easily missed. I was almost tricked by a password request that had nothing to do with the Web site I was viewing.
Report’s conclusions
A short while ago, I wrote a piece about users and rejecting security advice. One of the premises I wrote about is how difficult it is to keep track of all the anti-phishing rules, so we don’t. I am heartened by reports like this one from the Anti-Phishing Team. Their conclusions offer the following encouragement:
“In this paper, we describe our large-scale system for automatically classifying phishing pages which maintains a false positive rate below 0.1%. Our classification system examines millions of potential phishing pages daily in a fraction of the time of a manual review process. By automatically updating our blacklist with our classifier, we minimize the amount of time that phishing pages can remain active before we protect our users from them.
Even with a perfect classifier and a robust system, we recognize that our blacklist approach keeps us perpetually a step behind the phishers. We can only identify a phishing page after it has been published and visible to Internet users for some time. However, we believe that if we can provide a blacklist complete enough and quickly enough, we can force phishers to operate at a loss and abandon this type of Internet crime.”
Final thoughts
Automated filters aimed at reducing phishing attacks are vital to the existence of the Internet as we know it. There may be other answers, but until they are turned into working systems, this seems like our best bet.
I also feel the more informed we are about phishing, the safer we will be. Call it the belt and suspenders approach.
The future of security: Will our brains host botnets?
What does the future — not tomorrow or next year, but much farther into the future — hold in store for us? How does IT security fit into this picture of things to come?
I do not have a crystal ball, and I have not yet written a program that predicts future events. We all think about the future from time to time, though, and even speculate about what might yet arise in that future — especially those of us with an interest in technology.
When we think about the future, though, we usually keep our science-fictional speculations neatly divided from our career planning. Will we be able to send humans to other solar systems in fifty years? What about Mars? Maybe so, and it might be an exciting time for the human race, but it is not common for us to start looking into a career path that is intended to put us in the middle of planning a manned mission to Mars or to Alpha Centauri. Instead, when we think about our careers and skills development, we tend to think about things like attending the Black Hat conference or learning Python.
In the last few years, though, I have been thinking more and more about how my professional skills might be guided toward a future with flying cars and washing machines that communicate with me via brain implants. In fact, such speculations are not even strictly career-oriented in nature.
It occurs to me that, in at least one conception of a future that I think is very likely, secure software development might actually become a survival skill. Somewhere down the line, we are going to start seeing cybernetic implants on the market. The first such thing available for general use might be a direct interface between the brain and the computer. The way things are going in the cellphone world, the computer might even be the implant, with an always-on wireless Internet connection.
Considering the security landscape of today’s Internet, though, and the direction security on the Internet seems to be going, that could be a very scary thought to consider. What kind of damage can a computer virus do if it infects a cybernetic implant? Will denial of service attacks only affect our Internet connections, or might they find a way to affect the cerebral cortex as well? Will our brains become nodes in the world’s largest botnet?
What about the day that may come when we get implants that allow us to adjust our metabolisms, that can enhance or diminish sensory input on command, or that simply repair replication errors in our cells? What will a computer virus that infects the systems that can do such things actually do to us? Will we one day manage to solve all biological illness problems only to simultaneously open ourselves up to man-made digital infections that can be even more deadly?
As we approach the day when we may find ourselves incorporating computers into our very bodies, people will hopefully become more careful about what kind of software and hardware systems they buy. Today, those of us who worry about Chinese hardware and Microsoft software that could spy on our email are regarded by many as paranoid. In twenty years, it may be perfectly normal to worry about Chinese hardware and Microsoft software that could spy on our most private moments — perhaps even on our thoughts.
I, for one, hope that open source software is at the forefront of software development for cybernetic systems, for security reasons. I also want to be able to safely and securely tweak the code myself. I am beginning to think it is time to start learning languages like Ada, Go, and Io for secure, massively concurrent development, which may become incredibly important as nanotechnology starts giving us a view into the highly complex future of programmable selves.
How do we plan for the science-fictional future? As technological advancement accelerates with every passing year — perhaps every day soon — this question becomes more and more urgent. If things go anywhere near the way I expect, learning security skills may be the most important thing we can do to prepare for the future.
Is spam a dilemma, phenomenon, or both?
I do not know anyone that likes spam. Yet, nine out of every ten emails are spam-related. If it’s not cost-effective, wouldn’t spammers stop?
—————————————————————————
Why spam persists eludes me. First, how can anyone trust unsolicited email advertising questionable products (you know the kind)? Second, despite our disdain, spam must work; otherwise, advertisers would not be using it. In trying to figure this out, I came across the Messaging Anti-Abuse Working Group (MAAWG).
MAAWG is a consortium of Internet Service Providers (ISP), Email Service Providers (ESP), anti-spam technology vendors, and companies interested in fighting email abuse. Here’s their mission statement:
“The purpose of MAAWG is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks, and other messaging exploitations.
To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: Industry collaboration, technology, and public policy.”
Last year, MAAWG published a report about email abuse. The paper is packed full of useful information. The 2010 Email Security Awareness and Usage Report is this year’s equivalent. It’s impressive, providing what I would consider an in-depth look at how users view spam. Check out what MAAWG is trying to accomplish with this survey:
- Measure the levels of email users’ awareness of spam issues.
- Understand how email users distinguish legitimate email from spam.
- Measure the level of awareness of messaging threats and perceived vulnerability.
- Track changes in response patterns among U.S. respondents.
- Provide a benchmark for future research.
- Promote research results as basis for outreach and communication campaigns.
That’s quite a list. Now, let’s see what the participants had to say.
Who are the participants?
The survey is specific about participant requirements. MAAWG was looking for people who consider computers and the Internet a tool, not their profession. The following is how MAAWG classified the participants:
“Those surveyed were general consumers who indicated they did not have an IT professional managing their email address and were therefore generally responsible for their email experience. Since we were interested in consumers’ habits, we did not differentiate between ISPs and ESPs, but used these terms to refer to the service where consumers obtain their email.”
The interviews were held early January of 2010 and involved six countries. The following graph depicts participant distribution by country:
Amount of experience
One of the first questions requires participants to judge their level of experience: How would you describe yourself when it comes to your experience with security on the Internet; including firewalls, spam, junk mail, and computer viruses? Here is what the participants decided:
- 44 percent classified themselves as somewhat experienced.
- 36 percent considered themselves having little or no experience.
- 20 percent felt they were very experienced.
Importance of sender?
I thought this question was telling: In general, how important do you consider each of the following types of personal email sent to you? A spammer or phisher would love to know which kinds of email a recipient considers important, since the sender address can be spoofed to look like one of them. That said, email from family and friends topped the list as extremely important, with financial email a close second. The following chart gives the rundown:
What is spam?
Next, MAAWG asked: How do you personally define spam? The respondents were asked to pick all that apply. Topping the list at 69 percent was non-requested email. The following chart shows the break down by type of email and participating country:
Spam indicators
Appropriately, the survey asked: When going through your email and deciding what email is spam and what is legitimate, what indicators do you rely on to help you decide? The sender’s name or address garnered over 70 percent. Subject line came in second with 67 percent. The chart below lists all the indicators and how the participants ranked them:
By correlating the above results with other survey information, MAAWG was able to come up with the following statistics:
- Women are more likely to check the sender’s name or address (76 percent to 71 percent).
- Men base their decision on the email’s contents or spelling (56 percent to 49 percent).
- Email users that are 55 or older are more likely to use all of the indicators.
The indicators seem intuitive. Yet I never think to check the “time of day/night sent”. I should; it is one more way to help verify the sender.
When is spam email opened?
The results of the next two questions are where I start to see a crack in the spam-fighting armor. MAAWG first asks: When you receive email that you think is spam, what do you usually do? Here are the results:
Over 60 percent say, “Do not open it.” That’s as I would expect. Do you agree? The next question is: Have you ever done any of the following? The first chart breaks the answers into age groups:
The next chart correlates participant’s answer with their level of experience:
Almost half of the participants opened emails they suspected were spam. Does that surprise you? It did me, for the following two reasons:
- First, the 18 to 34 age group was determined to be the most experienced, yet a large percentage of them opened suspect email.
- Second, if you refer back to the question: When you receive email that you think is spam, what do you usually do? The chart points out 60 percent of all respondents do not open spam emails.
Does that mean users, even experienced ones are tempted to check out email they know is spam at least some of the time?
Survey conclusions
If spam is a concern, take the survey and see how your answers compare. Then see if you agree with one of the conclusions made in the report:
“Among various types of organizations, Internet/email service providers and anti-virus software companies are those most widely perceived as responsible for stopping the spread of viruses, fraudulent email and spam.
Less than half of users think that stopping the spread of viruses and spam is their own responsibility, but they tend to rate themselves better at doing it than all organizations, except for anti-virus software companies which get the highest marks.”
There is certainly some food for thought in that statement.
Is there a disconnect?
Let’s look at the conclusion in more detail. The survey participants feel that:
- ISPs, ESPs, and antivirus providers, not users, are responsible for stopping spam.
- Users are more capable of detecting and stopping spam than all organizations except antivirus providers.
I will let that sink in. In many ways this survey mirrors what I found when writing “Are users right in rejecting security advice” and “Is there hope for antivirus programs.”
Final thoughts
I am starting to think the problem is more than a technical issue. Could it be another case of how “we’re wired” is being used against us. What do you think?
I want to thank Linda Marcus of Astra Communications and MAAWG for publishing the 2010 Email Security Awareness and Usage Report, along with allowing me to repost the above MAAWG charts.
FTC emphasizes five key issues for your data security plan
Andy Moon summarizes the five key issues covered by the Federal Trade Commission’s guidelines for businesses that store sensitive customer data.
—————————————————————————————-
Financial giant HSBC recently amended its previous public statements and confessed that an IT employee walked out with data on approximately 15,000 current customers and 9,000 former customers. That is roughly 24,000 accounts, more than three orders of magnitude above the 10 records HSBC admitted to in December 2009. Though there is no evidence that suggests French authorities’ involvement, the data made it into the hands of French officials who were looking into suspected tax evaders.
The HSBC case and the recent hacking attack on Google clearly demonstrate that even huge companies with massive security budgets can end up with breaches. Many people without data security backgrounds may very well feel like Sisyphus as they try to keep their private data secure, but there are some resources for those of us who are not security gurus.
The FTC has a very good interactive tutorial and manual that lays down some good guidelines for businesses that store sensitive information like social security or credit card numbers (though if you store credit card numbers, I hope you are already following PCI data security standards). If your business has employees, then it is a virtual certainty that you have data to be concerned about.
The FTC tutorial talks about the five key issues that need to be addressed in a data security plan:
- Awareness: Make sure that you know what kind of data is being stored. If you know that the only personal data you are storing is social security numbers of employees, you will be able to use that information to help decide what to protect and how closely to guard it.
- Minimize: Keep only the data that is absolutely essential to your business. This is one of the key points in the PCI DSS as well. If you don’t have a business need to keep the data, then have a policy stating that such data should not be kept. Hackers can’t access information that you haven’t stored.
- Secure: Once you know what sensitive data exists in your environment, you can decide on appropriate protection mechanisms. There are dozens of options for encryption for both primary data storage as well as backup media and even some cloud vendors are highlighting security in their offerings.
- Trash it: After you have identified the data that you know you have to keep, proactively look for data that you can reasonably throw away. There are many products that could be used for this purpose, we recently started using one called Identity Finder that can search for Social Security numbers, credit card numbers, bank account numbers, and piles of other personal data.
- Make a plan: It is important to plan for the day when your data is compromised. Hopefully, through careful implementation of the preceding items, you will never need to execute your plan, but it is a good idea to have a plan in place so that you aren’t just making your response up after a breach. A good response plan can mean the difference between an embarrassing incident and a PR nightmare.
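An added example of the “Awareness” and “Trash it” steps in code (not the FTC’s guidance and not Identity Finder’s code): a scanner that reports Social Security numbers and payment card numbers found in text, with the SSN format rules and the Luhn check used to keep dates, phone numbers and order IDs out of the report. SAMPLE is constructed text; scan_tree is the same check run over a directory.

```python
"""Scan text for Social Security numbers and payment card numbers, as a first
step toward knowing what sensitive data you hold and what you can trash.
Added example, not the FTC's guidance or Identity Finder's code. The SSN
format rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial) and the
Luhn check are what keep dates, phone numbers and order IDs from being
reported. SAMPLE is constructed text.
"""
import os
import re

# Three-part SSN, with area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return findings as dicts; values are masked so the report itself is not a leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append({"line": lineno, "kind": "ssn",
                             "masked": "***-**-" + m.group()[-4:]})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "card",
                                 "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return findings


def scan_tree(root):
    """Walk a directory and scan every readable file as text."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


SAMPLE = """employee: Jane Doe, ssn 123-45-6789, start 2009-03-01
order 4421 card 4111 1111 1111 1111 exp 12/12
phone 555-0100, badge 666-12-3456 (not an SSN)
invoice total 4111111111111112 (fails Luhn, not a card)
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Run against SAMPLE it reports only the SSN on line 1 and the card on line 2: the badge number on line 3 has a 666 area number the SSA never issues, and the invoice total on line 4 has the right length but fails Luhn. Masking in the report matters because the scan output tends to get mailed around, which would otherwise turn the inventory itself into the next leak.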
The people who want to steal your data are out there and have a lot of motivation. Some want to use personal information for identity theft or other fraud, but the hacker could just as well be working at the behest or for the benefit of a government that isn’t concerned about privacy rights. You must also remember that there are probably regulatory agencies in your country that mandate an appropriate level of security, so ignoring the issue is a good way to get yourself into trouble. What kind of security issues are you dealing with these days?
Are self-signed certificates safer?
The conventional wisdom is that a Certifying Authority is necessary for a safe, encrypted connection to a Web site. The conventional wisdom might be wrong.
IT Security readers have already confronted the issue of whether the TLS/SSL Certifying Authority system is a scam. In theory, there is nothing to say that a CA, or Certifying Authority (or Certificate Authority, depending on who you ask) signing a given certificate really proves anything about the security of the connection. While certain types of phishing sites may be very unlikely to buy signed certificates, in the vast majority of cases a CA provides no practical guarantees of safety. With the advent of the Perspectives approach to certificate authentication, even the “protection” CAs supposedly provide against phishing sites is, in principle, obsolete. Thanks to broadly cross-platform compatibility, the Perspectives extension provides a strong argument that Firefox is the most secure browser for TLS/SSL encryption.
The fact of the matter is that relying on a Certifying Authority to tell you when a PKI certificate is “legitimate” just adds an additional entity to the chain of entities you must trust when establishing a secure connection to a Website. With a system such as OpenPGP’s public key cryptography protocol, the only entity you really have to trust is the entity with whom you are trying to communicate. Using traditional PKI, as in the case of SSL/TLS, a third entity in the form of the CA is added to the mix.
Things only get worse for the picture of the CA system from there. Wired reports that security researcher Chris Soghoian discovered an “Internet spying box” being sold to federal agencies by Packet Forensics. This device provides a “drop-in solution” for MITM attacks on TLS/SSL encrypted communications, allowing the feds to (for instance) eavesdrop on your communications with your bank on a supposedly secure connection.
This may just seem like a problem with TLS itself — a vulnerability in the protocol or the encryption technology — at first glance, something that can be fixed. Unfortunately, the situation is much more dire than that, at least as far as the CAs’ desire to engender trust in the public is concerned. To quote the Wired article:
The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
In short, a device now on the market that can be used to eavesdrop on supposedly secure online transactions implicitly relies on the complicity of supposedly trusted Certifying Authorities. Anyone with an even passing familiarity with the way markets tend to work in the real world should start wondering how many CAs are already offering such “forged” certificates to government agencies, to make this device marketable in the first place. As a side note, one might also wonder whether “forged” is the correct term, when the “mint” that produces the legitimate certificates is also producing the “forgeries.”
University of Pennsylvania computer security professor, and encryption expert, Matt Blaze suggests that governments may not be the only entities making use of the underlying vulnerability in the PKI model of certificate authentication:
If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this.
Regardless of your feelings about governments spying on their own citizens without “probable cause”, this development is an excellent demonstration of the problem of relying on a self-appointed “authority” as a validator of secure communications, holding the keys for your encrypted Internet connections. By contrast, a self-signed certificate — treated by most browsers as somehow intrinsically less secure than CA-signed certificates — requires no reliance on any additional parties’ trustworthiness. With Perspectives offering an alternative means of out-of-band verification that the certificate offered by the site is the certificate you should expect, there does not seem to be any reasonable argument left against using a self-signed certificate. Why place your trust in any more people than you absolutely must when trying to maintain your privacy?
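An added example of the trust model the post argues for (not Perspectives’ code): the client records the SHA-256 fingerprint of a site’s certificate the first time it connects and refuses later connections that present a different one, without consulting any CA. fetch_peer_cert, check_pin, PinMismatch and the ~/.tls-pins.json store are names chosen for this example, and the byte strings in the usage below stand in for real DER certificates.

```python
"""Trust-on-first-use pinning of a site's certificate, with no CA in the loop.
Added example, not Perspectives' code. The first connection records the
SHA-256 fingerprint of the certificate the site presents; every later
connection must present the same one. Function and file names are chosen for
this example.
"""
import hashlib
import json
import os
import socket
import ssl
import sys


class PinMismatch(Exception):
    """The certificate presented differs from the one recorded on first use."""


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as a hex string."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host, der_cert, store):
    """Record the fingerprint on first use, enforce it afterwards.
    Returns "recorded" or "verified"; raises PinMismatch if the pin changed."""
    fp = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "recorded"
    if known != fp:
        raise PinMismatch(f"{host}: pinned {known[:16]}..., presented {fp[:16]}...")
    return "verified"


def load_store(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_store(path, store):
    with open(path, "w") as fh:
        json.dump(store, fh, indent=2, sort_keys=True)


def fetch_peer_cert(host, port=443):
    """Return the leaf certificate the server presents, DER-encoded.
    CA validation is switched off deliberately: a self-signed certificate is
    fetched like any other, and trust is decided by check_pin instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: pin.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    path = os.path.expanduser("~/.tls-pins.json")
    pins = load_store(path)
    print(host, check_pin(host, fetch_peer_cert(host, port), pins))
    save_store(path, pins)
```

check_pin deliberately has no “this is a renewal” escape hatch: when a site legitimately changes its certificate the pin trips and the operator has to confirm the new fingerprint out of band, which is what Perspectives’ notaries automate. The weak spot is the first connection. An attacker already in the path when the pin is recorded gets pinned as the site, so a pin store is only as trustworthy as the network it was first populated on.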
Keep up with Google's privacy and security moves
Google is a big news-maker. Lately, it has been an especially interesting source of privacy and security news.
In recent months, we have seen some interesting security-related turns of events arise at Google. Because this should not be an all-Google, all-the-time gossip column, not all Google-related security and privacy news has been reported here, but that does not mean that interesting events have not been afoot. Among those reported here are:
- Google’s CEO, Eric Schmidt, disparaged the importance of privacy.
- Google came up with a free DNS service — which may be another way to track us.
- China invaded Google.
- Google demonstrated its disdain for privacy with Buzz defaults.
Since then, more events have come to pass that add some interesting spin to our evolving vision of the search giant:
- Eric Schmidt proved he is a hypocrite when it comes to privacy. While he offers advice that Google users simply shouldn’t do things they don’t want other people to know about, he uses the full force of his fortune and legal representation to bully his mistress into shutting down her Weblog when she makes oblique (and generally flattering) references to him.
- GMail added “suspicious activity” notifications. Depending on login locations and other information, you may receive a warning of suspicious activity on your GMail account when you log in. The Google Online Security Blog tells us how it works.
- Google offered skipfish to the world. Skipfish is an automated active Web application security reconnaissance tool that can be used to test the security of your Web development projects. It has been released under the terms of the Apache License, a copyfree open source license — exactly the sort of license security tools should use.
- Moxie Marlinspike offered a Google-specific proxy service. The point, of course, is to provide a way for people to use Google’s services without giving Google more information it can use to track you. The service is called GoogleSharing, and a Firefox extension that automatically provides proxy protection from Google is available to the public.
- Nobody targeted Google Chrome at this year’s Pwn2Own. Meanwhile, IE8 and Firefox on MS Windows 7, and Safari on the iPhone, were targeted and cracked wide open quite quickly.
- Google agreed to censor a racist site in Australia. In some respects, this policy decision seems to contradict Google’s new policies regarding censorship in China.
- Google fixed the most publicly lamented privacy problems with Buzz. Sadly, Google seems to have done so only because a bunch of people complained about the original policy, and not because its decision-makers agree there is a privacy issue at stake. Still, this puts Buzz solidly ahead of Facebook in the privacy arena.
- NSA teamed up with Google in a “cyberattack probe”. This proves, once again, that major corporations are more than willing to tackle difficult security issues (when their own security is at stake) and privacy violation stories can be big news (when buzzwords like “cyberattack” are in the headlines).
Present security advice as convenience advice
The key to getting people to take good security advice may be to couch it in terms of how to improve convenience.
Michael Kassner asked, Are users right in rejecting security advice? The question raises the issue of how people are advised to secure themselves, and why such advice is not heeded. In summary, the problem boils down to a quick cost-benefit analysis based on the most accessible data users have on the subject: the lessons of their own experience. When users are confronted with an ever-growing pile of advice that encourages them to undertake increasingly complex steps to defend themselves from the predations of security crackers, they naturally apply the filter of their own understanding of what will probably affect them directly before deciding whether to take any of the offered advice. Most users see no direct results of becoming the victims of failures in security other than an occasional bit of inconvenience in the form of cleaning up after a malware infection, while they see the task of learning from the constant stream of security advice and applying that advice to their daily lives as a similar annoyance that is constant rather than occasional.
Unfortunately, the answer to Michael’s question is not a simple “yes” or “no”. It is, in fact, both at the same time — depending on how you look at it:
- Yes. Given their perspective, it is natural and right that users should reject the avalanche of security advice that constantly pours into their lives. A simplified approach to security is desperately needed, and without themselves becoming security experts they must simplify by ignoring many of the suggestions that present themselves on the basis of the cost to their own convenience.
- No. There is a lot of good advice that, as part of a comprehensive approach to acquiring good security habits, can actually help them achieve a significant improvement in the safety of their activities when using computers without significantly decreasing the convenience of those activities.
Unfortunately, the process of selecting what advice to follow, and of figuring out how to incorporate it into one’s life effectively, requires a user to either learn enough about security principles to understand the consequences of one’s choices in depth or to very fortuitously choose the right single advice source to trust to make such decisions for the user. Because the former option will almost never be the choice a typical user makes, the latter — the option of selecting the right source of advice to trust — must be addressed if we ever hope to help the typical end user achieve greater security in how they choose to secure their computing activities.
Many who have an interest in understanding the complexities of security principles deride organizations such as Microsoft for their approach to security, and lament the tendency of end users to simply trust such organizations without question. The approach taken by these organizations tends to suffer from severe conflicts of interest that guarantee end users will be significantly less secure than they could otherwise be. On the other hand, these organizations are successful in garnering the trust of end users because of a part of their approach to security that is often overlooked by security experts: offering simplified approaches to addressing the complexities of security.
End users want to believe that there is a silver bullet for security. The evidence of this fact is everywhere around us. Looking a bit more closely, it becomes obvious that people with a more intensive interest in security also want to believe in such a silver bullet, but whereas the common end user might come to a decision about what constitutes the One True Answer to security based on simple convenience, the rest of us tend to make that decision based on a deeper technical understanding of some aspect of our computing lives. Unfortunately for all of us, there is no silver bullet.
That does not stop software vendors from trying to offer an apparent silver bullet to slay the security beast, either as a product that can be sold individually for substantial profits or as a component or characteristic of a product that can, of course, be sold for substantial profits. It is in offering a “silver bullet” approach to security that organizations such as Microsoft display that, while their inherent conflicts of interest in the realm of offering strong end user security prevent them from being truly trustworthy sources of security advice, they understand something about security advice that many security experts do not: the importance of the convenience factor.
To counteract the facile approach taken by many software vendors, which encourages end users to just pick something and stop thinking about it, security experts need to adopt some methodology for offering security advice that improves convenience rather than damaging it. A list of ten key factors in password security makes for an easy article to write, and it is good and accurate advice as far as it goes, but it does almost nothing to help the common computer user achieve greater security, because such a person is not interested in trying to maintain in their head a database of regularly changed complex passwords impervious to brute force attacks and rainbow tables, with a different password for each of a hundred different authentication contexts.
When considering a piece of technical advice to offer an end user, we must also consider the convenience cost. More to the point, we must consider how that technical advice can become part of a piece of advice on how to improve convenience. For example, telling people that they should use a different password for every Web site may be “good” advice in that it is accurate where security is concerned, but it is “bad” advice in that it is highly impractical when taken in a vacuum. If someone’s only choices are to memorize dozens of unique, strong passwords or to reuse one password across dozens of different authentication contexts, the latter option is the only real option.
On the other hand, the article, Five features of a good password manager, offers much more helpful advice that addresses both the importance of unique passwords and the needs of convenience, because it does not just suggest using unique passwords. Instead, it presents the need to use unique passwords for different authentication contexts as a reason to use a convenience enhancing tool.
A lot of the time, security experts forget to mention the convenience methods they know will work to make good security advice practicable. We know that password management systems work to improve both convenience and security at the same time, but when we see that a password database for some Web site has been compromised we only think, “I wonder how many of those people use the same password for everything.” What we should be thinking instead is, “I wonder how many of those people are aware of the benefits of a good password manager, and how to select a good password manager.”
To make a long story short (too late), advice should not be offered simply as key points for what makes for a secure system. Rather, it should be offered as key points for how to select a convenient system that offers improved security.
Is there hope for antivirus programs?
Antivirus software is getting a bad rap right now. Justified or not, we need to step back and figure out how to fix it.
—————————————————————————
To start, let’s define antivirus protection. Simply put, it’s software that prevents malware from infecting computers. If that’s agreeable to you, I then have to ask why computers protected by antivirus apps are still getting infected.
To explore this further, I enlisted the help of Rick Moy, president of NSS Labs, a company with the following charter:
“NSS Labs performs expert, independent security-product evaluations to assist end-user organizations in selecting the right security products for their environment.”
I initially learned about NSS Labs while doing research for a piece about browsers and their ability to fend off malware. Since that article, Rick and I have had several interesting conversations about the current malware versus antivirus software climate, something NSS Labs is very interested in. With that in mind, I asked Rick several questions about the seemingly epic battle:
TechRepublic: You mentioned there are two classes of malware threats, user attacks and machine attacks. Could you explain what you meant?
Moy: Taking a high view, malware can be defined by the way it executes:
- Attack on the User: Users are tricked into downloading and executing software containing malware such as fake AV, video codecs, and pirated software. In this case, the user is the vulnerable or weak link.
- Attack on the computer: Attackers exploit vulnerabilities in computer software without the user’s knowledge. For example, visiting a malicious Web site with a vulnerable browser usually leads to exploitation and the installation of malware. All without any user interaction.
The first threat is solved by a combination of user education and reputation systems (like those provided in Internet Explorer 8, Firefox, or Chrome) that warn people that the software they are about to download is infected. Some AV products have this as well.
The second is solved by Host Intrusion Prevention Systems (HIPS), not traditional AV. They do this by operating in memory and inspecting data as it streams onto a computer. HIPS also inspect processes before allowing them to run. This once-stand-alone technology is increasingly being integrated into endpoint security products.
TechRepublic: During our talks, you mentioned that antivirus software usually has three components, each focusing on a different aspect of malware. I found that interesting and would appreciate you elaborating on that.
Moy: Operation Aurora is a great example. It consists of all three stages: vulnerabilities, exploits, and malicious payloads. This distinction is often confused in discussions, but it is critical to understanding how to effectively block attacks.
- Vulnerability: A bug in software code that allows a product to be exploited, e.g., a buffer overflow.
- Exploit: A specially crafted code sequence that can leverage vulnerabilities within an application. Some examples would be heap sprays and buffer overflow attacks. An exploit can be hiding in an infected Web site (client-side attack), where it ambushes visiting computers, or be launched from another computer (remote attack).
- Payload: Malicious content that gets delivered once the vulnerable application has been exploited. Payloads are the actions performed on the compromised target computer, such as command execution, writing a downloader or Trojan to disk, or returning a reverse shell.
The following graph shows the relative volume of attack components at each stage.
Rather than chasing malware payloads, endpoint security products should focus more on vulnerability protection. That’s because the number of vulnerabilities is far less, therefore more manageable.
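The following is an added illustration of Moy’s point, not code from the interview or from NSS Labs: a defence anchored at the vulnerability (a bounds check on a hypothetical NAME_LEN buffer) rejects every over-long input, while a payload-chasing defence (an exact-match blocklist seeded with one constructed sample) misses a one-byte variant of the same input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical application buffer; the single vulnerability in this toy. */
#define NAME_LEN 16

/* Payload-chasing defence: a blocklist of exact byte strings seen before.
 * The entry below is a constructed sample (24 bytes), not a real indicator. */
static const char *const known_bad_samples[] = {
    "0123456789abcdefghijklmn",
    NULL
};

/* Returns true only when the input exactly matches a previously seen sample. */
bool signature_blocks(const char *input)
{
    for (size_t i = 0; known_bad_samples[i] != NULL; i++) {
        if (strcmp(input, known_bad_samples[i]) == 0)
            return true;
    }
    return false;
}

/* Stage 1, the bug: an unbounded copy into a NAME_LEN buffer. It is shown
 * for contrast and is never called here; would_overflow() reports whether a
 * given input would trigger it without actually running it. */
void set_name_unchecked(char name[NAME_LEN], const char *input)
{
    strcpy(name, input); /* the vulnerability: no length check */
}

/* True when input (plus its terminating NUL) does not fit in NAME_LEN. */
bool would_overflow(const char *input)
{
    return strlen(input) >= NAME_LEN;
}

/* Vulnerability-based defence (the fix): reject anything that does not fit,
 * whatever its content. Returns false and leaves dst untouched on reject. */
bool set_name_checked(char *dst, size_t dst_len, const char *input)
{
    size_t n = strlen(input);
    if (n >= dst_len)
        return false;
    memcpy(dst, input, n + 1);
    return true;
}

/* Compare both defences on one input:
 *   0 = both accept it (benign),
 *   1 = only the fix rejects it (the blocklist missed a variant),
 *   2 = both reject it (a known sample). */
int compare_defences(const char *input)
{
    char name[NAME_LEN];
    bool sig = signature_blocks(input);
    bool fix = !set_name_checked(name, sizeof name, input);
    if (!sig && !fix)
        return 0;
    if (fix && !sig)
        return 1;
    return 2;
}

int main(void)
{
    /* Constructed inputs: benign, the known sample, a one-byte variant. */
    const char *inputs[] = {
        "alice",
        "0123456789abcdefghijklmn",
        "0123456789abcdefghijklmN",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-26s blocklist:%d overflow:%d outcome:%d\n", inputs[i],
               signature_blocks(inputs[i]), would_overflow(inputs[i]),
               compare_defences(inputs[i]));
    }
    return 0;
}
```

Only the known sample is caught by the blocklist; the fix rejects the variant too, and everything else that would hit the bug, which is what makes "vulnerability protection" the more manageable target.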
TechRepublic: According to antivirus software companies, their products will protect against malware. You feel that users are being somewhat misled by those claims. Could you please explain?
Moy: At the end of 2009, we surveyed 500 visitors to our Web site and found that 46% expected their antimalware product to stop 100% of the threats. Major security vendors estimate 30+% of machines they scan have some form of malware. The statistics show that malware is far from under control.
TechRepublic: It only takes one time of having a protected computer become infected for people to realize something is not quite right. What do you think the problem is?
Moy: We are fighting an asymmetric battle right now; the bad guys have more power than the good guys. As defenders, we need to watch and guard ALL possible avenues of attack. As attackers, cybercriminals only need to find ONE to exploit our systems. They are motivated and disciplined, testing their malware creations until they get an effective strain, i.e., evade the most antivirus products and infect the most machines.
Going forward, software developers must write more secure code, in order to reduce the number of vulnerabilities. Users must educate themselves and patch frequently.
TechRepublic: I have been a strong advocate of: If you keep the operating system and application software up-to-date, there is no problem. You gave an example of why that’s not always true. Could you share it?
Moy: While it’s important to apply the latest software patches, this will not guarantee your safety. Patches are only written to address known issues. Cybercriminals are constantly developing and using new attacks that have yet to be discovered by the security community, so called zero-day attacks.
Zero-day exploits give attackers a window of opportunity. That is, until analysts can figure out what’s going on and push out a signature file and/or patch. It’s during that time frame that behavioral protection may help.
TechRepublic: You seem optimistic that antivirus applications can be improved to where they will be effective. What will it take?
Moy: There are clearly areas where antivirus products can improve. In our recent study of the Operation Aurora attack, we found six out of seven products were not stopping exploit variants. And, they had mixed results in detecting the malicious payloads.
Security products should evolve to provide more vulnerability-based protection. Reputation services are also key technologies for reducing end-user exposure, but not all vendors use them. Finally, security vendors should embrace more real-world testing and third-party services to drive innovation and quality.
TechRepublic: You mentioned that NSS Labs uses a different methodology when testing security products. Could you tell us about that and why you feel it is a better way?
Moy: Given the speed with which new threats arrive and spread through the Internet, legacy testing techniques are no longer a relevant measure of a product’s capabilities. Thus, NSS Labs has developed a unique “Live in-the-cloud” testing framework that emulates the experience of average users.
Client machines visit malicious Web sites using their Web browsers and attempt to download malware. Files not blocked are then executed dynamically. This new test methodology focuses on threats currently active on the Internet and is the best predictor of protection offered by a product.
Recurring testing introduces malware into the test harness within a few hours of discovery, as malicious URLs are visited every few hours. This enables us to measure how long it takes a vendor to add protection, since few sites are stopped on the first visit. These metrics help show the significant differences in effectiveness among products.
TechRepublic: With that unique approach do you feel that you can be of service to antivirus software developers?
Moy: Absolutely. Our engineers take a hacker’s approach to testing - with the gloves off. Without such an approach, testers merely validate what a product can do. It’s important to find what a product can NOT do, before the bad guys do. We have already helped many of the world’s best known security companies improve their products.
Final thoughts
Three comments by Rick really stood out:
- Defenders need to protect all possible avenues of attack; the bad guys only need one to exploit.
- Endpoint security products should focus more on vulnerability protection.
- Test security products in a way that emulates the experience of average users.
To me, these three simple statements clarify the problem and what needs to be done. What do you think?
I would like to thank Rick Moy of NSS Labs for sharing his insight about a subject near and dear to all of us.
Organizations, conflicts of interest, and the effect on security
Conflicts of interest can be a big problem for security, particularly when you trust an organization to have your own best interests in mind.
The reason why there’s no such thing as a trusted brand is:
Corporate leadership changes, as CEOs and board members come and go, as business divisions undergo reorganization, and as legal and financial circumstances lead to changes in corporate policy. The influences on corporate vendor behavior are probably no more numerous than those on individual behavior, but the entity of a corporation is far less resistant to changes in its trustworthiness than any individual.
A trust relationship with an individual is a perfectly normal and healthy thing, and is often a necessary part of life. Where an individual demonstrates a propensity for acting in a particular manner, and a personal relationship with that individual suggests that the reason for that propensity is a matter of integrity, what we perceive is the individual’s trustworthiness. Organizations — including nonprofits, profit-seeking corporations, and governments, among other examples — are not subject to the same rules of integrity, because their perceived integrity is entirely dependent upon the integrity and value systems of the people who make up the organization, both as decision makers and as agents of the decision makers.
This is not the whole story, however. To a certain extent, the behavior of an organization can be somewhat predictable, and beneficial decisions about how to deal with such organizations in the short term can be supported by an effective analysis of the factors that influence their behavior.
The simplest key to understanding such behavior is to consider what the organization’s “customers” think and say they want, whether those “customers” are advocates and patrons, voters, the press, or literal paying customers and potential customers. Principles of economics show us that such organizations are strongly influenced by what customers want and need, as expressed by their buying behavior.
One should not be fooled into thinking that what people say they want or need is necessarily identical to what they demonstrate they want or need. The most successful organizations will be those that serve what their customers demonstrated they want or need, rather than simplistically serving what their customers say they want or need.
Such criteria for the success of an organization give rise to what we call “conflicts of interest”, where the perceived responsibility of an organization to serve the demands of its customer base is in tension with its survival mandate, which requires it to serve the wants and needs demonstrated by its customer base. Even worse, a customer base is not always who we think it is, creating a conflict of interest between the perceived importance of serving what people who purchase widgets from Foo Corporation demand and serving what members of the board of directors demand. In the end, the most important “customers” for a corporation are its shareholders, after all.
Conflicts of interest encourage dishonesty. In order to give people what they demonstrate they really want and need, one must often give them the impression that one is giving them what they say they want and need, even if those two things are substantially different. This is because one of the things people tend to demonstrate they want and need is a belief that they really understand their own wants and needs, even when that belief is at odds with their own behavior. In the short term at least, the simplest way to do this is to give them what they demonstrate they want and need while lying to them about what they say they want and need.
The problem of organizational conflicts of interest is particularly dangerous in the realm of security. It is, in fact, the fundamental reason for “security theater”: giving people the impression that you are Doing Something about security when, in fact, the measures you take are egregiously lacking in actual security benefit. The following values of software vendors tend to conflict directly with the organizations’ responsibility to serve customers’ security needs:
1. Complexity
To a non-trivial degree, simplicity is security. Eliminating complexity eliminates opportunity for unexpected behavior that can compromise the security of the system.
Complexity, on the other hand, is the natural result of adding bells and whistles to a software system. Increased integration of functionality within a single piece of software helps to lock people into a particular product line over the long term, ensuring increased security of a vendor’s business model, but it also ensures greater opportunity for security vulnerabilities to arise as the result of unexpected interactions between different parts of the system. Both MS Windows and the X Window System could benefit from simplification, but the needs of the market strongly discourage such simplification.
2. Features
Improvement in the security of a system begins with the fundamental design of the system, if we ignore for the moment the question of whether the system should be created at all. When discussing software, that fundamental design is often referred to as the software’s “architecture.” Architectural security concerns involve those design decisions that incorporate security principles into the system’s architecture as such basic assumptions about how it operates that such security measures cannot be circumvented short of breaking or replacing the entire system.
Software systems that have been offered on the retail market for years tend to be very difficult to alter on an architectural level. Superficial changes are much easier, and less costly, to make. Because difficulty and cost are antithetical to the goals of a profit-seeking corporation, making significant architectural changes in a software product is generally deprecated in favor of adding features that present the appearance of improved security.
Because most software consumers are unaware of the difference between architectural and superficial security measures — between architectural security and security “features” — it is generally a winning strategy for a successful software vendor to add an authentication nag such as MS Windows Vista’s User Account Control rather than to implement architectural privilege separation. The key difference is that if UAC breaks or is “turned off” one can then do whatever one wishes with the system with full administrative access, while breaking or “turning off” the authentication mechanism for a system that offers architectural privilege separation just makes it impossible to accomplish any administrative tasks at all.
3. Information
For many purposes, privacy is security. Maintaining the security of your data is identical to maintaining its privacy, after all. Anything that compromises privacy offers an opportunity to compromise security.
Software vendors like to learn things about their customers, at least for purposes of better serving the needs of their customers, if not for purely cynical marketing strategies or even less wholesome reasons. Even if we assume for the moment that a software vendor’s attempts to harvest information about its customers are for entirely trustworthy reasons, and even if we assume that such information will never be misused, there is still a danger to such information harvesting: accidental disclosure.
The tendency of some operating systems and applications to “phone home” to the vendor with information about the user or the computer on which the software is running offers an opportunity for malicious security crackers to eavesdrop on the communication of such data across the Internet. Even if the information makes the journey safely without being compromised, storage on the vendor’s servers creates a one-stop shopping location for malicious security crackers to gain access to the data. Attempts to automate compliance with legal requirements for data disclosure can also offer opportunities for security crackers to gain unauthorized access, as demonstrated when China cracked Google security. Then, of course, once your information is in the hands of the government, it can always be stored on the hard drive of a laptop some bureaucrat loses at a coffee shop, on a CD that is lost in the mail, or on servers that give security crackers yet another one-stop shopping location for personal information.
4. Obscurity
Any security expert worth his salt can tell you that obscurity is not real security. As Auguste Kerckhoffs taught us in the 19th Century, the design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents. The only part of a security system that should require actual secrecy is the key, in part because it is much easier to ensure the secrecy of a single piece of data than it is to ensure the secrecy of the workings of an entire system — particularly when the system itself is widely distributed, as is the case with a piece of retail software.
The most successful software vendors have a vested interest in making it difficult for others to duplicate the functionality of their software too closely, because this allows less successful software vendors to start eating into their market share. As such, the myth that obscurity is an effective security measure is of great value to successful software vendors. The fact that obscurity can, in fact, hinder security in many cases is an inconvenient detail that must be swept under the rug to keep people from rejecting software products on the basis of their reliance on obscurity for security.
5. Reputation
It is of great value to software users to know all the security implications of using a given piece of software. Knowledge of vulnerabilities, for instance, can help users implement work-arounds for those vulnerabilities when needed. The lesson of How should we handle security notifications? is clear: we need to know when we are subject to security vulnerabilities to be able to account for them and mitigate the effects of those vulnerabilities. It seems only natural that a software vendor should serve our need for security by presenting us with as much information as possible about any vulnerabilities in the software the vendor brings to market.
Hopefully you are not so naive as to believe that is how actual corporate software vendors tend to behave, serving our security needs first and foremost. The truth of the matter is that it is of much more value to a software vendor to try to give its customers the impression that its software is never vulnerable to anything than to give its customers information about vulnerabilities. As a result, policies that involve hiding security vulnerabilities from view — such as “responsible disclosure” requirements for security notifications — arise as a means of pretending to serve security first and foremost while actually serving corporate reputation at the expense of security.
Think for yourself
Before taking anything an organization says at face value, consider the fact that the organization’s behavior is likely influenced by innumerable conflicts of interest. A brand, a corporation, a government — any organizational entity — simply cannot be trusted the same way one can trust an individual, and conflicts of interest such as those articulated here are collectively a big part of the reason for that untrustworthiness.
The solution is to think for yourself. Do not let marketing and convention replace your faculty for reason. Consider the potential conflicts of interest and double-check every “fact” presented by an organization.