web application security lab

Archive for the 'Random Security' Category

Effectiveness of User Training… and Security Products in General

Wednesday, March 17th, 2010

It’s not every day I come across real wisdom in research, but yesterday I saw a link to So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, a research paper written by one of the guys at Microsoft. There are some amazingly choice quotes in there, like:

as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever. Thus, to a good approximation, 100% of certificate errors are false positives.

Priceless… Mozilla - take a word of advice from the MS guys and make your invalid SSL cert flow 1000% less annoying please. Anyway, another one of the quotes I thought was even more interesting:

If phishing victimizes 0.37% of users per year and each victim wastes 10 hours sorting it out, to be beneficial the daily effort of following the advice should be less than 0.0037 x 0.5 x 10/365 hours or 0.18 seconds per day.

So… if 0.18 seconds per day is too much, let’s take a look at what our anti-phishing technologies are doing. Let’s say they take up 2 whole seconds a day downloading their lists and verifying that the sites you browse aren’t on them, while you are surfing and starting and shutting down browser processes, etc…. That is more than a 10x gap between what it costs and what it should cost. Further, let’s do the math on what would happen if anti-phishing went away. How many times worse would the phishing black market be if anti-phishing filters went away entirely and phishing was instead dealt with by the registrars, ISPs and the brand owners themselves? Three times? Five times? Would it go to ten times? Would it have to go to more than ten times to make the filters actually worthwhile from an economic perspective?
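To make the back-of-the-envelope comparison above concrete, here is an added example (mine, not the post’s or the paper’s code) that carries the quoted formula through and then solves it for the question just asked: how many times worse phishing would have to get, with no filters at all, before a filter costing the user a given number of seconds per day pays for itself. The 0.37% per year, 10 hours per victim and 0.5 factor are the paper’s figures as quoted; the 2 seconds a day is the post’s own hypothetical, and the one-million-user population is a constructed value for the aggregate figure.

```python
# Added example: the cost/benefit arithmetic from the quoted paper, carried through
# for a hypothetical anti-phishing feature. The rates (0.37%/year, 10 hours per
# victim, the 0.5 factor) are the paper's numbers as quoted in the post; the
# 2-second daily cost and the "k times worse" framing are the post's hypotheticals.

SECONDS_PER_HOUR = 3600
DAYS_PER_YEAR = 365


def daily_budget_seconds(victim_rate=0.0037, factor=0.5, hours_per_victim=10.0):
    """Maximum daily effort (seconds) a countermeasure may cost a user and still
    break even, using the quoted formula: rate x factor x hours / 365."""
    hours_per_day = victim_rate * factor * hours_per_victim / DAYS_PER_YEAR
    return hours_per_day * SECONDS_PER_HOUR


def break_even_multiplier(cost_seconds_per_day, victim_rate=0.0037,
                          hours_per_victim=10.0):
    """How many times worse phishing would have to become without the
    countermeasure for its daily cost to be justified.

    Daily benefit = (k - 1) * victim_rate * hours_per_victim / 365 hours, i.e.
    the time saved by the victimisations the countermeasure prevents. Setting
    benefit equal to cost and solving for k gives the break-even multiplier."""
    benefit_per_unit = victim_rate * hours_per_victim * SECONDS_PER_HOUR / DAYS_PER_YEAR
    return 1.0 + cost_seconds_per_day / benefit_per_unit


def annual_cost_hours(cost_seconds_per_day, users):
    """Aggregate hours a population spends per year on the countermeasure."""
    return cost_seconds_per_day * DAYS_PER_YEAR * users / SECONDS_PER_HOUR


if __name__ == "__main__":
    print(f"break-even daily budget per the quoted formula: {daily_budget_seconds():.2f} s")
    for cost in (2.0, 10.0):
        print(f"a filter costing {cost:4.1f} s/day needs phishing to be "
              f"{break_even_multiplier(cost):.1f}x worse without it to pay off")
    # constructed population of one million users, for the aggregate view
    print(f"1M users x 2 s/day = {annual_cost_hours(2.0, 1_000_000):,.0f} hours/year")
```

The multiplier function deliberately leaves out the 0.5 factor from the quoted formula, because the post’s question is about filters disappearing entirely rather than advice being partially followed; pass a smaller `victim_rate` if you want to model a filter that only catches part of the problem.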

How about UAC in Windows? How many seconds has that added to everyone’s day to stop the threat of malware? Does it add up, and does it actually stop enough malware infections to justify the additional time it incurs? What about anti-virus? Are we operating in a deficit, or do those security products actually prove themselves worthwhile for the entire public? I know this is really tricky math based on an insane number of variables, and it may very well turn out that some products are a no-brainer because they don’t add time or latency. But I do suspect there are a lot of things that we tend to think of as good ideas that actually end up being worse for the end user if you do the math. I know the article was really talking about user education being a bad idea economically (and I couldn’t agree more based on every study I’ve seen or been a part of). But it’s still interesting to think about how a similar formula could be applied elsewhere. Thought provoking research anyway.

RSA Conference Wrapup

Monday, March 8th, 2010

Well, another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and, worse yet, it popped out of kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume for a second that there is no way around that (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this kiosk intranet). So all I should need is some JavaScript malware to steal people’s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and, just like magic, I have a way to steal conference registrants’ information. And then there are the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how it’s incredibly complex to build a truly secure browser-based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Banks, Businesses, Viruses and the UCC

Wednesday, February 24th, 2010

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little-known code called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers, you are to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of just one person, you are still treated as a bank. As such, if your company has money wired out of its account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well, that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates precedent and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice, which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome for the bank than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

Wait, Google - I Thought You Were Evil!

Tuesday, January 12th, 2010

Thanks to Jeremiah for sending these over. News is fast hitting about Chinese hacks against Adobe and Google. Very interesting stuff. But beyond the hacks themselves - in Google’s case targeting Chinese political dissidents - is this interesting news:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

Wow! And I do mean wow! Google is no longer willing to take the political hit associated with their flippant stance towards China’s censorship and is actually stepping up to do the right thing! Absolutely amazing. This is the first really truly non-evil thing I have seen Google do in years. I read a really funny article the other day by Fake Steve Jobs where he called Google sociopaths - and until today I agreed with that statement. Now I think at least they know what the difference between right and wrong is, even if they’ve definitely chosen the wrong route a greater percentage of the time than not.

Of course there is all kinds of potential for spin in Google’s blog post. For instance never once did they explain how their cloud wasn’t secure and you shouldn’t upload sensitive information to something that’s not secure if you care about that kind of thing. But alas, I’d never expect that either. Convenience will win that war over security either way. But it’s exciting news, and I’m interested to hear what the fallout of this one is.

Happy 900 and RSnakes on a Plane!

Monday, October 19th, 2009

I realized after I posted the last post that ha.ckers.org has finally reached the 900 blog post mark. I honestly didn’t think we’d make it. After how many hornets’ nests we’ve stirred up over the last 5 years that this version of this site has been online, it’s kind of amazing that the site is still going strong. So I decided to do a bit of a fun post. If you are lacking a sense of humor, please move on now. We’ll forgive you. Now, in reference to a recent Twitter post about yours truly:

@shawnmoyer What no @rsnake’s on a plane joke?

Speaking of RSnakes on a plane - I was taking a trans-Atlantic flight and I was bored - as an RSnake will tend to be after 2 solid hours of a classic but bad Meg Ryan movie. I realized that they had some games on the in-flight entertainment. Ahh, something to play, this should be amusing. Well, if the games were good, maybe I would have been more interested, but Blackjack sounded good enough for kicks. So I started playing. You start off with $100. Well, after quickly losing a few hands, I decided that playing like a normal user was getting me nowhere. Let’s try some different tactics. How about betting $100 and then folding? Ah… I end up with a negative integer, somehow. Now what if I bet a huge negative number and fold again - like -200? Ah, I get an even bigger negative integer.

What happens if I keep doubling my bet? Hmmm… this negative integer thing is getting huge. Oops! Blackjack - huge positive payout: time and a half larger than my bet, even! Alas, somewhere around 1,000,000 is when the in-flight entertainment crashed on me - and it turns out that clicking the button thousands of times to change your betting increment from -50,000 to +50,000 in $5 steps is a really crappy way to make a flight go faster. But before all that, here’s the picture I took:

How many things were wrong here? Input validation errors, logic flaws, and negative integers used for currency… The worst part was I couldn’t even bet someone a free drink that I could get a higher score than them because they offered free drinks in-flight. Alas! Anyway, this story was in case, like Mortman, you were wondering what it’s like to fly with RSnakes on a plane… Moral of the story - stop showing old Meg Ryan movies on airplanes.
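The three things listed above (missing input validation, a logic flaw in how the stake is applied, and signed numbers used for currency) are easy to show side by side. The following is an added example written for this page, not the in-flight game’s code, whose actual logic is unknown: a toy bankroll that accepts any bet at face value next to one that enforces the invariants a cashier would, with the table limits and starting balance being constructed values.

```python
# Added example (not the game's code): a toy blackjack bankroll, first with the
# kind of missing checks the in-flight game story illustrates, then hardened.
# The real game's logic is unknown; this only reconstructs the class of flaw.

BLACKJACK_PAYOUT = 1.5   # blackjack pays 3:2 on the stake


class VulnerableTable:
    """Takes any bet at face value: no sign check, no bankroll check, float money."""

    def __init__(self, bankroll=100.0):
        self.bankroll = bankroll
        self.bet = 0.0

    def place_bet(self, amount):
        self.bet = amount
        self.bankroll -= amount          # a negative "bet" credits the account
        return self.bankroll

    def fold(self):
        self.bet = 0.0                   # stake was already deducted; nothing returns
        return self.bankroll

    def blackjack(self):
        self.bankroll += self.bet + self.bet * BLACKJACK_PAYOUT
        self.bet = 0.0
        return self.bankroll


class HardenedTable:
    """Money is integer cents; a bet must be a positive int within table limits
    and within the bankroll, and only one bet can be live at a time."""

    MIN_BET_CENTS = 500        # constructed $5 table minimum
    MAX_BET_CENTS = 50_000     # constructed $500 table maximum

    def __init__(self, bankroll_cents=10_000):
        if type(bankroll_cents) is not int or bankroll_cents < 0:
            raise ValueError("bankroll must be a non-negative integer")
        self.bankroll = bankroll_cents
        self.bet = 0

    def place_bet(self, amount_cents):
        if type(amount_cents) is not int:            # rejects floats and bools
            raise ValueError("bet must be an integer number of cents")
        if not self.MIN_BET_CENTS <= amount_cents <= self.MAX_BET_CENTS:
            raise ValueError("bet outside table limits")
        if amount_cents > self.bankroll:
            raise ValueError("bet exceeds bankroll")
        if self.bet:
            raise ValueError("a bet is already on the table")
        self.bet = amount_cents
        self.bankroll -= amount_cents
        return self.bankroll

    def fold(self):
        self.bet = 0
        return self.bankroll

    def blackjack(self):
        if not self.bet:
            raise ValueError("no bet on the table")
        # 3:2 in integer arithmetic; any odd half cent is rounded down
        self.bankroll += self.bet + (self.bet * 3) // 2
        self.bet = 0
        return self.bankroll


def demo():
    """Replays the two abuses against the vulnerable table and shows the hardened
    table rejecting the same inputs. Returns the values so they can be checked."""
    v = VulnerableTable()
    v.place_bet(200.0)                    # over-bet on a $100 bankroll ...
    v.fold()                              # ... and fold: balance is now -100.0
    after_overbet = v.bankroll
    v.place_bet(-200.0)                   # negative bet: balance goes UP ...
    v.fold()                              # ... to 100.0 after folding
    after_negative = v.bankroll

    h = HardenedTable()                   # $100, held as 10_000 cents
    rejected = []
    for bad in (-20_000, 0, 20_000, 2.5):  # negative, zero, over bankroll, non-int
        try:
            h.place_bet(bad)
        except ValueError as exc:
            rejected.append(str(exc))
    return after_overbet, after_negative, rejected


def hardened_round():
    """A legitimate $20 bet followed by a blackjack on the hardened table."""
    h = HardenedTable()
    after_bet = h.place_bet(2_000)        # 10_000 - 2_000
    after_win = h.blackjack()             # 8_000 + 2_000 stake + 3_000 payout
    return after_bet, after_win
```

The hardened version gets most of its safety from two decisions rather than from the individual `if` statements: money is an integer count of cents (so 3:2 is exact and there is no float drift), and a bet is validated against the bankroll before it changes any state, so the balance can never be driven negative by the player.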

DNSSEC + Certs As a Replacement For SSL’s Transport Security

Thursday, October 15th, 2009

I was talking with id last night, and then shopped this idea around to a couple of local OWASP guys, but now I think it’s baked enough to talk about publicly. I make no bones about the fact that I think SSL is almost entirely worthless against a determined attacker who has man in the middle access and is intent on doing harm, and not just passively listening. Passively listening is limited to people who can get access to a valid cert (through MD2/MD5 collisions, through being a CA or hacking a CA, etc… all of which have been proven possible). That’s bad enough, but add to that the fact that the visual cues tell you nothing about site authenticity (leaving EV certs out of this for the time being) and you’re left with a nearly completely broken security mechanism in the browser. You can debate this fact all you like, but what if I don’t care about site authenticity, I just want to do transport security?

An idea we began toying around with is using DNSSEC. Like DKIM, you can put public certs into DNS records that can be queried by any mechanism that wants to use that. By making a change to the way browsers work to look at the DNS record via DNSSEC a few things become possible. Firstly, you can be assured that you are talking to the correct IP address after the negotiation is complete. That is because the DNS record cannot be spoofed (thanks to DNSSEC) and the certificate can prove that the IP you are talking to is really in control because it can verify that it is the owner of the public key. But wait - there’s more!

SSL certs cost money - but that’s because the CA’s infrastructure needs to be supported. In this model, there is no additional weight on any central authority, outside of DNS itself. So you could theoretically kiss the need for expensive certificates goodbye (sorry CAs, your time may have come!). This obviously couldn’t replace SSL certs on day one, or maybe not even for many years, but for internal applications, or for when I want to allow all you readers to ensure you are talking to this server and not another one, that suddenly becomes possible. It also becomes possible for people in 3rd world countries who cannot afford costly certificates to gain transport security in the browser.

Now you’re probably saying - how is this different from a self-signed cert? Well, leaving out of it that the CAs are vulnerable, that there are dozens of them of foreign origin that can create certs to MITM you, and that they suffer from collisions… there’s still one major difference. The browser intentionally throws a warning with self-signed certs, and even if it didn’t I still can’t verify that it’s my self-signed cert and not someone else’s without a significant amount of burden placed on the user.

So now you’re probably saying, there are two single points of failure introduced here - the DNS server and the DNSSEC service itself. Why place additional security burdens on the end user? Well, I’d argue that if DNSSEC is broken, we have a much, much bigger problem on our hands than if even a CA gets broken into. If we can secure a CA we should be able to secure a DNSSEC service. I’m not worried about that one nearly as much as I am about the individual DNS servers themselves. However, remember that the company already relies on DNS. Let’s say they use GoDaddy and rely on them to be the primary NS. We’ve already been relying on them to provide lookup security for years. The only difference is that now they’re using DNSSEC and now we entrust them with the security of the transport.

The reason I like the idea is that it gives the domain the option to choose - pay for an SSL cert that can be MITM’d or get a free DNSSEC domain cert that can’t. I can’t stop someone from trying to make money off this idea and selling EV DNSSEC domain certs, but I see no reason we can’t make a non-extended version completely free to all. Consider this a preliminary RFC - flame away!
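Here is what the client side of the scheme sketched above looks like in code, as an added example that is not part of the post: the browser fetches a certificate-association record for the host, refuses to use it unless the resolver reports the answer as DNSSEC-authenticated (that is the property that makes the record unspoofable), and compares a digest of the key the server presented against the pinned value. The record syntax borrowed here is the TLSA presentation format later standardized in RFC 6698 (DANE), which is the closest real-world descendant of this idea; the key bytes, the zone contents and the resolver are constructed stand-ins, not real data, and the proof that the server actually holds the private key is left to the TLS handshake itself.

```python
# Added example: the client-side check for the DNSSEC-pinned certificate scheme
# described in the post (illustration, not code from the post). Record format
# follows RFC 6698 TLSA presentation syntax: "<usage> <selector> <matching> <hex>".
# All key material, zone data and the resolver below are constructed stand-ins.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    name: str
    records: list          # TLSA-style presentation strings
    authenticated: bool    # the validating resolver's AD (Authenticated Data) flag


# Constructed server key material, standing in for the SubjectPublicKeyInfo a
# real client would extract from the certificate the server presents in TLS.
SERVER_SPKI = b"constructed-spki-for-ha.ckers.org-example"
ROGUE_SPKI = b"constructed-spki-presented-by-a-man-in-the-middle"


def spki_digest(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()


# Constructed zone: usage 3 (end-entity match), selector 1 (SPKI), matching 1 (SHA-256)
ZONE = {
    "_443._tcp.ha.ckers.org.": ["3 1 1 " + spki_digest(SERVER_SPKI)],
}


def fake_dnssec_lookup(name: str, validated: bool = True) -> DnsAnswer:
    """Stand-in for a validating resolver; 'validated' simulates the AD flag a
    real resolver sets only when the DNSSEC chain checked out."""
    return DnsAnswer(name, ZONE.get(name, []), validated)


def parse_tlsa(record: str):
    usage, selector, matching, data = record.split(None, 3)
    return int(usage), int(selector), int(matching), data.lower()


def pinned_key_ok(answer: DnsAnswer, presented_spki: bytes) -> bool:
    """True only if the answer was DNSSEC-authenticated and at least one record
    pins the presented key. An unauthenticated answer is treated as no answer,
    so a spoofed or stripped response can never unlock the connection."""
    if not answer.authenticated:
        return False
    presented = spki_digest(presented_spki)
    for rec in answer.records:
        usage, selector, matching, data = parse_tlsa(rec)
        if (usage, selector, matching) != (3, 1, 1):
            continue   # only the end-entity SPKI / SHA-256 form is handled here
        if hmac.compare_digest(data, presented):
            return True
    return False


def check_host(name: str, presented_spki: bytes, resolver_validated: bool = True) -> bool:
    """What a browser would run after the TLS handshake, before trusting the key."""
    return pinned_key_ok(fake_dnssec_lookup(name, resolver_validated), presented_spki)


if __name__ == "__main__":
    host = "_443._tcp.ha.ckers.org."
    print("genuine key, validated DNS  ->", check_host(host, SERVER_SPKI))
    print("rogue key, validated DNS    ->", check_host(host, ROGUE_SPKI))
    print("genuine key, unvalidated DNS->", check_host(host, SERVER_SPKI, False))
```

Two details carry the security argument from the post. First, the check fails closed when the resolver cannot vouch for the answer, which is exactly the difference from a self-signed cert: the binding between name and key is attested by the signed zone, not by a browser prompt. Second, the comparison uses a constant-time equality so the pinned digest is not leaked through timing by a chatty client.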

What Star Trek Predicts About The Future of Information Security

Friday, September 18th, 2009

I had a funny thought while talking with some folks from Intel about what the future state of information security would look like and how that relates to what our favorite nerdy show, Star Trek, has to say on the topic. This is meant to be a funny post, but there may be some truth buried in here somewhere too. Without further ado:

Physical security will always be a problem: How many times have we seen people open up random access panels on the Enterprise and start pulling out chips when something goes awry, or just start swapping them out right and left? Crawling through tubes to get past obstacles and the like… all point to the fact that even the most sophisticated military war machine of the future won’t stop some teenaged acting ensign in engineering from taking over control of the whole ship in about 35 seconds.

Organizations will focus on secure transport and network security and will still ignore drive encryption and the insider threat: I don’t really recall any times where enemies were able to intercept any meaningful communications between the Enterprise and other federation ships. That must mean they are using TLS16/SSL34.0 in the future, which is good, but for some reason any schmuck diplomat from some third world (pun intended) alien race can get any information out of the computer he wants without ever even supplying a password!

PCI doesn’t stop hackers, now or ever: They don’t use money in the future. Probably because consumers are so sick of having their credit cards stolen, is my guess. I’m also guessing, based on how many holes still exist, that SQL injection is still around even hundreds of years in the future. So currency, and therefore the payment industry, had to go. Even Quark trades in gold-pressed latinum - you don’t see the Ferengi taking plastic.

Biba and Bell-LaPadula security models will always be a good idea, but will still never be properly implemented: Seriously, the Federation is pretty lax in their whole openness. I mean, should you really let people onto your ship, carrying weapons, with no or minimal escort, and allow them to use your computers, write to them, copy information off of them and so on? Balancing the Prime Directive against giving some industrial revolution era alien species access to a computer with the engine schematics to the warp core of the most advanced warship in the fleet sorta seems a little out of whack. Maybe that’s what they get for not having money in the future - no one’s worried about losing their job.

The singularity is a non-event and will end up being a wash for security: I mean, Data is pretty cool, but he is really more than an oddity in the show. Sure, he’s saved the Enterprise a number of times, but he’s also pretty darned hackable in the future too. He’s been compromised more than most of the other people on the show combined. This is not a good outlook. Why they didn’t bother to root-kit him, I’ll never know. But if Data is the tipping point of a potential Skynet, I’m not too worried - he plays violin and he owns a cat.

Individuals will almost completely give up on the idea of protecting their privacy: Everyone on the Enterprise is pretty happy with the idea of carrying around RFID chips on their badges all the time, even when they’re off duty and getting some R&R and T&A on Risa.

Organizations will always ignore single points of failure, even after it bites them in the ass: I can’t even tell you how many times the Enterprise has managed to damage the one and only dilithium crystal that they have on the whole ship. They know they can’t whip up a new one with the replicators, but they still don’t carry even one spare. Then they end up being stranded or having to use the sensor array to catch radiation from some exploding sun or some other retarded plan that always manages to work out exactly perfectly, but always necessitates near death experiences in the process. Why, for all that’s holy, wouldn’t you just bite the bullet and pay to have two on board? Yes, I’m talking to you, Jean-Luc, and you too, Mr. CISO.

The iterative development model will be proven bad for security and quality exactly 1,000,000 times but will still be used in production anyway: How many times have we seen engineering making changes to the warp core while they are 200 light years from any star base or any other craft for that matter? And how many times has that gone smoothly again? No, it’s a bad idea now, and it will always be a bad idea. But then again, maybe you shouldn’t worry so much about keeping your data and integrity intact… it always manages to get fixed in an hour or so anyway, right?

Biometrics will always be used as a backup to password authentication - but both still suck: Sure, voice print recognition has been used a few times, as have hand scanners and even an iris check a few times. But the vast majority of times someone has entered a password on the show (which incidentally is almost never - giving you an idea about how lax security will be in the future) it has been by saying it out loud. Hackers must be pretty uninventive in the future, because I’m guessing digital voice recorders are pretty easy to get your hands on.

Virtualization security is an oxymoron - even in the distant future: I mean, really, how many times has the whole damned ship been taken over by some overzealous holodeck character? Whoever wrote the holodeck hypervisor really needs to be put in a room with Worf for a few hours so he can explain with his batleth what the need for true physical and logical isolation is. Why some Sherlock Holmes character should have access to main memory, I’ll never know. Too bad we aren’t smart enough in the distant future to think about hardware isolation instead of relying exclusively on dangerously faulty software.

And with that, I’ll let you go back to your regular scheduled programming.

RFC1918 Blues

Monday, June 8th, 2009

Well, it’s been quite a week or so for me. 7 days of travel, to Las Vegas for SANS and Stockholm for the penetration testing summit. Man, I’m tired! But I promised tons of people I’d actually write out what I was talking about during my speeches, since it’s tough to cover everything in such a short presentation with all the other things I was talking about. Now that I’m finally recovered from my jet lag, I had a chance to sit down and write it all out. For those of you who have no idea what I’m talking about, don’t worry, you’re not behind the times. You can read the whole RFC1918 issue here. I tried to make it into a blog post, but it kept getting longer and longer, so I just turned it into a whitepaper instead because it’s easier.

Without re-explaining the paper, it turns out that in certain browsers, with certain VPNs and with the current architecture of most RFC1918 networks, there is a high tendency for bad things to inadvertently happen, like IP collisions. That’s annoying in the networking world (and a well known problem) but it’s dangerous in the security world (and far less understood). Anyway, I talked it over with HD Moore and Toby and some of the other guys at SANS and it turns out they had actually seen similar things happen in the past, so it’s been validated in the wild (again, inadvertently though).

Silver Bullet Metric

Friday, April 24th, 2009

No, I don’t believe there is a silver bullet. But I came up with an interesting thought exercise while I was at RSAcon that I like to call the silver bullet metric. I asked a number of notable security experts, vendors and analysts, and everyone had almost the same reaction, which is that this is worth thinking about, but a hugely complex task to complete. So I thought I’d throw it out there and let the community think about it too. Let’s take a theoretical situation where we look at any single security vendor out there and give them essentially as much money as they need to do a complete global deployment of one of their security products. So if it was an anti-virus vendor, you’d give them enough to put AV on every desktop. If it were a firewall, it would be at every endpoint, and so on. Now, the metric is a combination of two scores: a) how much is the total cost of ownership and b) what percentage of global online fraud has it decreased. Let’s take a few examples.

If you put anti-virus on every desktop in the world, would you stop viruses from existing? I think any reasonable person who understands how viruses work would say no. It will, however, make the bad guys work harder and iterate faster to get by the filters (boutique malware). So there is actually a diminishing return once you get above a certain level of deployment. On the other hand, at the very lowest end, if only a few people had anti-virus they would be pretty well protected, because the virus authors wouldn’t bother trying to figure out a way around it. Of course everyone else who doesn’t have the AV is screwed in that scenario. So the right percentage of deployment for anti-virus isn’t global; it’s somewhere in the middle in that simple example.

If we’re talking about firewalls doing proper egress filtering, that would stop some worms from propagating, but it probably wouldn’t solve enough of the problems compared to the other options out there. If we’re talking about whitelisting applications that can run on computers, that would probably solve a much bigger percentage of the problems compared to firewalls, but the total cost of ownership is through the roof - and who is going to monitor and create all those whitelists? Eesh!

But back to AV for a second - AV has the hidden benefit outside of security that theoretically increases longevity of computers. So AV increases the lifetime of the computer, although the decrease in usability of the computer because of the resources that are being used might offset that number. Anyway, all of that factors into the total cost of ownership. Once we go through that exercise (which is probably best left for the product managers of each product line to do) you come up with a few interesting metrics. The first is the silver bullet metric, and the second is exactly what the maximum level of deployment that product or service should get to before it stops being an effective tool for the money - because TCO might change depending on how widely it is deployed as well (economies of scale, diminishing returns, etc…).

I’m not at all saying I have the right answer, or that I do believe there is a single best product out there, but to be the devil’s advocate, what if we did find that one product or service had the best silver bullet metric - what then? Why would we back any other technologies at that point? Anyway, it’s a fun thing to think about. Perhaps it’s just another lens through which to look at the security industry. Of course this exercise has its evil twin too - which is the types of exploits that can be performed and their own associated cost benefit analysis.

RSACon

Thursday, April 23rd, 2009

This year’s RSAcon has been a lot of laughs. The parties were great, the people were fun, I actually learned some stuff, and took away a few new ideas for vulnerabilities. So all in all it was a great time. At one point I found myself staring face to face with a vacant Google booth. So I took it upon myself to seize the moment, especially since Google hasn’t figured out how to put computers into kiosk mode (they weren’t the only ones either, by the way - ask mubix). *sigh*


The really amusing part was when a rather dim-witted Google marketing person came over after a minute or so and asked if she could help us. Then she saw the ha.ckers.org logo, to which I said, “Don’t worry, we were just playing a practical joke on you.” To which she said, “Okay.” Okay indeed.

So you’ve seen ha.ckers.org on Google’s own machines at a security conference - where there’s so much irony it hurts. But what about you guys? Where can you get ha.ckers.org to show up in places it shouldn’t be? I’ll give out some sort of special prize for the winner - I just haven’t figured out what it is yet.