Archive for the 'Security' Category


zero-tolerance rules make zero sense

Saturday, November 7th, 2009

Security expert Bruce Schneier has a great editorial on zero-tolerance rules. So what are zero-tolerance policies?

These so-called zero-tolerance policies are actually zero-discretion policies. They’re policies that must be followed, no situational discretion allowed. We encounter them whenever we go through airport security: no liquids, gels or aerosols.

Why are they annoying?

These policies enrage us because they are blind to circumstance. Editorial after editorial denounced the suspensions of elementary school children for offenses that anyone with any common sense would agree were accidental and harmless. The Internet is filled with essays demonstrating how the TSA’s rules are nonsensical and sometimes don’t even improve security. I’ve written some of them. What we want is for those involved in the situations to have discretion.

And finally, Schneier’s recommended solution to them! (emphasis added at the end)

The solution is to combine the two, rules and discretion, with procedures to make sure they’re not abused. Provide rules, but don’t make them so rigid that there’s no room for interpretation. Give the people in the situation — the teachers, the airport security agents, the policemen, the judges — discretion to apply the rules to the situation. But — and this is the important part — allow people to appeal the results if they feel they were treated unfairly. And regularly audit the results to ensure there is no discrimination or favoritism. It’s the combination of the four that work: rules plus discretion plus appeal plus audit.

intuitive risk assessment

Sunday, August 9th, 2009

Brilliant blog article on risk assessment by Bruce Schneier.

First para:

People have a natural intuition about risk, and in many ways it’s very good. It fails at times due to a variety of cognitive biases, but for normal risks that people regularly encounter, it works surprisingly well: often better than we give it credit for.

That first para reminds me of Malcolm Gladwell’s Blink. In Blink, Gladwell delineates the important role of the adaptive unconscious (intuition) in making instant judgment calls. He also points to situations where such intuitive judgment calls were superior to judgment calls made after weeks of research! Somewhat tangentially, I’ve noticed that it’s become almost politically incorrect to say that one is using intuition, or that one “just has a feeling” about someone, as that person will likely be deemed “prejudiced” or perhaps simply thoughtless for using his “gut” rather than his “reason.” Gladwell, however, points to examples where using one’s intuition led to rueful consequences, and expounds on why one approach is sometimes superior to the other.

Anyway, Schneier goes on to describe attending a security conference, where the speaker bemoaned the fact that employees at his company were not taking security seriously enough (emphasis in second paragraph added by me):

It seems to me that his co-workers understand the risks better than he [the speaker at the conference] does. They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.

Given this accurate risk analysis, any rational employee will regularly circumvent security to get his or her job done. That’s what the company rewards, and that’s what the company actually wants.

So, that’s why employees don’t follow security procedures. Solution: fire them, and do so publicly. If following procedure is truly critical, then making an example out of someone is the most efficient way of changing the company culture (thought: make an example out of the guy who wasn’t doing a very good job anyway, just to minimize the impact to the company).

evil upgrade demoed via wi-fi

Sunday, August 2nd, 2009

This “evilgrade” is definitely not new:

Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.

But when the “hypothetical” becomes the easy and pragmatic, the threat is taken more seriously.

The solution is for software companies to digitally sign their updates:

Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it’s safe" from the attack, he says.
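One way a client can apply that advice on Windows, as an added example (not code from the article or from the evilgrade researchers): verify the Authenticode signature on a downloaded update and pin the expected publisher before running it. $UpdatePath and $ExpectedThumbprint are assumed inputs; the thumbprint is the SHA-1 fingerprint of the vendor's code-signing certificate, which you would obtain out of band (not from the same download channel).

```powershell
# Added example, not from the original post. Refuse to run a downloaded update
# unless it carries a valid Authenticode signature from a pinned publisher.
param(
    [Parameter(Mandatory = $true)][string]$UpdatePath,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint   # assumed: vendor cert thumbprint, obtained out of band
)

function Test-UpdateSignature {
    param([string]$Path, [string]$Thumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is NotSigned for an unsigned file, HashMismatch when the bytes were
    # altered after signing (the evilgrade case), NotTrusted/UnknownError for a
    # bad chain. Only Valid means the file is exactly what the signer signed.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting $Path : signature status is $($sig.Status)"
        return $false
    }

    # A valid signature from *some* trusted CA is not enough: anyone can buy a
    # code-signing certificate. Pin the specific publisher you expect.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        Write-Warning "Rejecting $Path : signed by '$($sig.SignerCertificate.Subject)', not the pinned publisher"
        return $false
    }
    return $true
}

if (Test-UpdateSignature -Path $UpdatePath -Thumbprint $ExpectedThumbprint) {
    Write-Host "Signature OK, launching $UpdatePath"
    Start-Process -FilePath $UpdatePath -Wait
} else {
    exit 1
}
```

A signature check only helps if the public key (here, the pinned thumbprint) did not arrive over the same hijackable channel as the update itself.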

3 approaches to computer security

Thursday, June 18th, 2009

Straight from Joanna Rutkowska’s blog site

1) Security by Correctness
2) Security by Isolation
3) Security by Obscurity

The first (correctness) sounds unattainable in its complete form, but new frameworks are an improvement. E.g., memory-corruption attacks are harder to pull off against .NET-compiled (managed) code than against native code. The third item, obscurity, refers to randomness, such as ASLR (randomized base addresses), or executables that are obfuscated randomly at runtime (huge downside: difficult to debug in the field… as someone who does that sort of thing, that one really resonates).

Item #2, isolation, looks intriguing. We do that to an extent (different low-priv usernames, JVM sandboxing), but virtualization gives us the capacity to do that to a much greater extent. So, one compromised VM won’t affect anything else (well, ideally).

As Bruce Schneier likes to say: “security is hard.” And he should know, being a security guru. There’s no silver bullet, but leveraging the three approaches above, taken together—and with a healthy dose of common sense on the part of the user—yields a more secure operating environment.

assessing the risk of global nuclear annihilation

Monday, May 25th, 2009

Dr Martin Hellman (the “Hellman” in Diffie-Hellman… in other words, a prominent cryptographer) writes about our relative risk of nuclear annihilation. Bottom line is that if we’re 99% safe from nuclear annihilation, we’re in grave danger. Check it out.

Linux … in the BIOS

Monday, May 18th, 2009

Phoenix Technologies is putting Linux not just on the desktop, but in the BIOS (basic input-output system). Most people only sporadically access the BIOS (to change the boot sequence, for example), and many people have undoubtedly never heard of it. Having a quick-boot version of Linux (called HyperSpace) at users’ fingertips would be a big paradigm shift.

From an economic/market standpoint, this is exciting.

But from a security standpoint, I’m concerned. I loathe the idea of the BIOS becoming a major attack vector for malware. I’d love to get details on what steps are in place to protect the BIOS from the sort of infection that would require the BIOS to be flashed to correct.

politics, piracy, and corruption

Tuesday, April 14th, 2009

Enjoyable read from tdaxp.com.

On pirates, he writes:


Currently, insurance companies reward pirates, and punish crews that want to protect themselves from pirates.

Insurance companies reward pirates by paying ransom. When a pirate receives ransom, he and all his friends know a way to get more money: take more ships hostage.

Insurance companies punish crews who try to defend themselves. Premiums go up if ships are armed….

On politics:

Under Geithner, the only way a politically powerful company loses money is by not having enough friends in Washington. Likewise, the best way for a politically powerful company to make money is by having friends in Washington. [He goes on to cite Lehman Brothers, Citi, and Goldman Sachs.]

And now the tie-in (of Geithner and piracy):


As long as Geithner is Treasury Secretary, insurance companies would be foolish for looking at the actual profit-and-loss actions of their consequences. Far more important, under Geithner’s watch, is doing the politically popular thing.

Tim Geithner is so bad at his job, that he is a national security threat… when it comes to pirates, at least.

It’s a stretch, methinks. But still an enjoyable read.

FYI – per the FP blog site:

Most interesting of all, though, is Feingold’s reference to the last time that piracy was notably halted in Somalia — under the Islamic Courts Union in 2006. That regime, later ousted by Ethiopian troops (with U.S. support…) brought the only calm to the seas that the country has seen in recent years.

In other words, the chaotic state of Somalia is the primary reason for the piracy we’re seeing lately. Secondarily, Dan’s (of tdaxp.com) point regarding the perversion of economic incentives might explain the inscrutable lack of interest in self-protection on the high seas. Where one stops and the other begins is open for debate.

scada (infrastructure system security) totally inadequate … OMG!

Thursday, April 9th, 2009

A well-known security guru comments that SCADA is woefully insecure (definition of SCADA).

The WSJ claims that state-sponsored hackers have penetrated the US’s electrical grid (though Bruce Schneier, a security guru, seems to doubt the claim).

BIOS malware in our future

Sunday, March 29th, 2009

Researchers demo BIOS attack that survives hard-disk wipe.

Some people say I’m paranoid about computer security. To those people, I say: don’t use online banking.

At least not on their own spyware-ridden machines.

extracting cryptographic keys from memory

Monday, February 16th, 2009

Pretty good read on the subject, for paranoid types.

EDITED (2/18):

Here’s the abstract of the paper:

The increasing mobility of computing devices combined with frequent stories of privacy breaches and identity theft has thrust data encryption into the public eye. This heightened awareness of, and demand for, encryption has resulted in the development of a number of strong encryption solutions that emphasize usability. While encryption can help mitigate the threat of unintentional data exposure, it is equally capable of hiding evidence of criminal malfeasance. The increasing accessibility and usability of strong encryption solutions present new challenges for digital forensic investigators, whose traditional response methodologies leave them largely unprepared to deal with pervasive strong encryption.

In this paper we address the shortcomings of the traditional forensic response methodology with respect to encryption. We develop and discuss a variety of practical techniques for dealing with the use of encryption to conceal evidence. Our research highlights the virtues of volatile memory analysis by demonstrating how key material and passphrases can be extracted from memory to facilitate the analysis of encrypted media in a forensically sound manner. We also present a proof of concept tool capable of automatically extracting key material from a volatile memory dump and using it to decrypt an encrypted disk image.

don’t use an admin account for daily use

Saturday, February 14th, 2009

It’s hard to stress this enough. Don’t use an administrative account unless you really need to. Regardless of the operating system you use–Windows, Mac, Linux, or whatever–you can create a standard/restricted user account and use that for most tasks. And you should definitely use a limited account for web surfing.

According to ZDNet, 92% of critical Microsoft vulnerabilities are mitigated by least-privilege accounts. In other words, malware that somehow manages to execute on a user’s machine either won’t work or will effectively be contained if the user is running under a limited account. Malware that attempts to terminate or evade anti-virus scanners will likely fail if the user is logged in as a limited user.

bruce schneier on security

Friday, January 23rd, 2009

Reason interviews security guru Bruce Schneier. Lots of practical, in-perspective advice.

Market forces will curtail Russian aggressiveness

Friday, September 5th, 2008

Kiplinger’s forecasts that an exodus of foreign investment from Russia by the US/Europe will curtail Russian expansionism and aggression abroad. Excerpt:

Capital flight may prove the most effective check on Russian aggression in Georgia, as well as a means to prevent similar moves by Russia elsewhere in the “near abroad” of former Soviet republics. Moscow will ignore diplomatic efforts by the U.S. and Europe to persuade it to back off and give its neighbors room. But it’ll be harder for the Kremlin to ignore the more immediate and harsh discipline of the market.

I’m sometimes told (by people who don’t understand economics) that I put too much stock in economics and the role of the market in shaping world events. This is but one example of the efficient global market in action–for good.

A world without the Hyperpower

Saturday, August 9th, 2008

On September 12, 2001, Jean-Marie Colombani, the editor of Le Monde, famously wrote, “Today we are all Americans.” Three years on, it seems that we are all anti-Americans. Hostility to the United States is deeper and broader than at any point in the last 50 years. The Western Europeans, it is often argued, oppose U.S. foreign policy because peace and prosperity have made them soft. But the United States faces almost identical levels of anti-Americanism in Turkey, India, and Pakistan, none of which are rich, postmodern, or pacifist. With the exception of Israel and Britain, no country today has a durable pro-American majority.

Good editorial by Fareed Zakaria. Indeed, anti-Americanism is disturbingly high due in no small part to the arrogance and bad behavior of the Bush administration. But would the world be better off without the Hyperpower?

[...] Someone has to be concerned about terrorism and nuclear and biological proliferation. Other countries might bristle at certain U.S. policies, but would someone else really be willing to bully, threaten, cajole, and bribe countries such as Libya to renounce terror and dismantle their WMD programs? On terror, trade, AIDs, nuclear proliferation, U.N. reform, and foreign aid, U.S. leadership is indispensable.

The temptation to go its own way will be greatest for Europe, the only other player with the resources and tradition to play a global role. But if Europe defines its role as being different from the United States–kinder, gentler, whatever–will that really produce a more stable world? U.S. and European goals on most issues are quite similar. Both want a peaceful world free from terror, with open trade, growing freedom, and civilized codes of conduct. A Europe that charts its own course just to mark its differences from the United States threatens to fracture global efforts–whether on trade, proliferation, or the Middle East. Europe is too disunited to achieve its goals without the United States; it can only ensure that America’s plans don’t succeed. The result will be a world that muddles along, with the constant danger that unattended problems will flare up disastrously. Instead of win-win, it will be lose-lose–for Europe, for the United States, and for the world.

Computer security – protecting your machine as you surf the web

Monday, July 28th, 2008

My last post on full disk encryption offered suggestions for protecting your machine from “offline” attack scenarios. I.e., if a tech-savvy thief steals your laptop and tries to read your personal/business data (bypassing the Windows login prompt is trivial), FDE protects the data on your machine from being compromised by a knowledgeable and determined thief.

But FDE does not protect you from “online” attack scenarios; i.e., where the operating system has booted. Online attacks may–or may not–refer to attacks that occur over the web. Increasingly though, network-facing services and applications provide entry points into client computer systems (web browsers, email clients, and such). I’ll list some simple (but often neglected) steps to avoid infection of your client system.

First, I’ll assume you’re using either Windows XP or Vista. If you’re using MacOS, these suggestions may also apply (conceptually if not pragmatically). If you’re using Linux, you almost certainly already know these suggestions.

  1. Log in as a regular, non-privileged user. Don’t use an administrative account (an account that is a member of the Administrators group) for day to day tasks. If malware somehow executes on your machine, it will typically run within the context of the logged-in user (exception: if malware exploits a system service).
  2. Apply DEP (Data Execution Prevention) on all programs/services. By default, DEP is not applied to all processes (for compatibility reasons). Do yourself a favor and enable it for all processes.
  3. Keep software and anti-virus up to date.
  4. Use common sense.
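A read-only audit of steps 1 and 2 above (and of the earlier post on not using an admin account for daily use), as an added example that is not part of the original post. It reads the DEP policy from WMI and checks whether the current session holds an administrative token; it changes nothing.

```powershell
# Added example, not from the original post. Reports DEP policy and whether
# this session is administrative; both checks are read-only.

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy (XP SP2 and later):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs and services only,
    # the XP/Vista default), 3 = OptOut (every process except an exception list).
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        Code         = $policy
        Name         = $names[$policy]
        AllProcesses = ($policy -eq 1 -or $policy -eq 3)
    }
}

function Test-AdminToken {
    # On Vista with UAC, an unelevated prompt run by an administrator gets a
    # filtered token, so this returns $false there and $true only when elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    New-Object PSObject -Property @{
        User    = $identity.Name
        IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

$dep = Get-DepPolicy
Write-Host ("DEP policy: {0} ({1})" -f $dep.Code, $dep.Name)
if (-not $dep.AllProcesses) {
    Write-Warning 'DEP is not applied to all processes. Switch to OptOut (System Properties > Advanced > Performance > Data Execution Prevention) or, on Vista, run "bcdedit /set nx AlwaysOn" from an elevated prompt.'
}

$token = Test-AdminToken
Write-Host ("Current user: {0}; administrative token: {1}" -f $token.User, $token.IsAdmin)
if ($token.IsAdmin) {
    Write-Warning 'This session is administrative. Browse and read mail as a standard user and use "Run as" only for tasks that need admin rights.'
}
```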

There you go. Just 4 steps (forget those silly “top 10” lists). Surprisingly, most of the top 10 lists out there say nothing about DEP, even though DEP (aka NX/XD) offers hardware-assisted protection from a common software attack (buffer overflow exploits).

Logging in as a non-privileged user is also one of those items that’s excluded from most top 10 computer security lists. Log in as a standard user (not a power user). If you need to run a program that requires admin privs, do a “run as.” If you’re using Vista and the application is UAC-aware, you will automatically be prompted to run as a higher-privileged user.

Item 3, keeping software & anti-virus defs up to date actually is covered by the top 10 lists. It’s obvious, but I’ll say it anyway. Use anti-virus and keep it up to date. Keep your Windows updates up to date (by default, Windows will do this automatically and occasionally require you to reboot). Keep other non-Microsoft software up to date as well.

Use common sense. That’s tough given today’s rather sophisticated malware, which utilizes both technical attacks and social engineering (e.g., emails that look legit and coax you into downloading and installing software). Don’t fall for it. Be suspicious of emails, and demand digital signatures for software that you download (and be careful where you download software). Be quasi-paranoid about trusting email attachments and “urgent notifications” from your bank. If it looks suspicious, it’s probably a scam.