Living In an Unsecured World

GhostX9 writes "Charlie Miller, Accuvant Principal Research Consultant and keynote speaker at NATO's recent International Conference on Cyber Conflict, speaks with Alan Dang of Tom's Hardware about living in an unsecured world. He goes over his recent MacBook battery exploit and the challenges of computing security in the upcoming future. Quoting: '[W]hat we can do (and this is the approach the industry is sort of taking) is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers. ... The way we make it more difficult is to reduce the number of vulnerabilities and ensure users' software is up to date and "secure by default." Also, make the OS resilient to attack with things like stack canaries, ASLR, DEP, and sandbox applications so that multiple exploits are needed. We also need to better control the software loaded on our devices (i.e. Apple's App Store model). So, instead of having to write a single exploit, it takes three or four in order to perform an attack. This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out.'"
  • Unsecured world? (Score:5, Interesting)

    by Archangel Michael ( 180766 ) on Tuesday August 02, 2011 @09:14PM (#36967758) Journal

    When, if ever, has the world been secure?

    Mankind is flawed, you cannot patch this flaw. You can only mitigate the flaws.

    • "It only takes one."

      Doesn't matter how much time you spend hardening your system. If there is a single exploit in your system every piece of malware will use it.

      I always raise an eyebrow to "The less vulnerabilities we have, the more secure we are." It's not like you need to double root a system. One rootkit is enough.

      • Yes, but the more vulnerabilities there are the quicker it is that an attacker is going to find it and the more kits that can root the system. Sure one vulnerability is enough, but the fewer there are the more they're going to need to want that particular machine to actually finish up.

        • Targeting Humans (flawed) is the quickest and easiest way to exploit a system. This is Mitnick 101. It is why Nigerian scams and click-loaded malware work, even to this day.

      • by TheLink ( 130905 )

        Doesn't matter how much time you spend hardening your system. If there is a single exploit in your system every piece of malware will use it.

        Not true. Like the joke goes, I don't need to outrun the "bear", I only need to outrun the majority...

    • When, if ever, has mankind not attempted to secure his surroundings?
      • moving into caves
      • building shelters
      • inventing "doors"
      • inventing "latches"
      • inventing "locks"
      • inventing weapons to defend property
      • inventing language and numbers, to identify and quantify property, and communicate ownership
      • inventing laws so that society can help protect his property

      We may have never achieved security, but we have always sought to increase it.

  • I wonder if he has windows in his home. That's a terrible vulnerability that we have endured for centuries and somehow civilization survives.
    • Would you feel so secure with your windows if anyone from anywhere in the world could break them? If they could break yours and thousands of others automatically with the same amount of effort? If it would take a team of experts months of effort to track down a single perpetrator - assuming he screwed up along the way?

      Or would you accept that there's an inherent danger when an attacker has physical access to your windows, but try to make remote/anonymous window-breaking as difficult as possible?

      My analogy

      • As someone who designs structures, I have to tell you: That's a feature, not a bug.
    • A vulnerability we should have to deal with no longer!

      Sincerely,
      The Year of Linux on the residential exterior

      • A vulnerability we should have to deal with no longer!

        Sincerely, The Year of Linux on the residential exterior

        This is /. I'm guessing most people here already don't have windows. Basements rarely do.

        • Windows 7 on my desktop, laptop, and netbook. Despite the historic opinion of Windows around here, 7 provides a very solid, stable, and importantly, a usable desktop environment.

      • by Nursie ( 632944 )

        I make do with live emperor penguins embedded into the walls!

        Sure, they're angry, they smell bad and they don't let in any light, but it makes attackers think twice!

    • In a world without MSWindows, who needs MSWalls?

  • Three or four exploits is one exploit. Unless your solution scales exponentially, it's bullshit.
    • by lpp ( 115405 )

      I think he's implying something more along the lines of exploit vectors.

      For example, if a successful exploit requires that the user simultaneously download and run a malware app while an already installed app is opening an external connection while at the same time an inbound connection attempt is made, your chances of being infected drop quite a bit and the work needed to pull it off as a malware author goes up, possibly to the point where it's no longer worth it in most cases. It also perhaps increases th

  • by E IS mC(Square) ( 721736 ) on Tuesday August 02, 2011 @09:25PM (#36967838) Journal

    No Thanks.

    • Indeed, it disconnects sellers from their market, losing feedback and communication. I've had better luck security-wise with the bazaar than any store.
    • by grcumb ( 781340 )

      indeed. When I saw this quote:

      We also need to better control the software loaded on our devices (i.e. Apple's App Store model)

      ... all I could think was, 'No, more like the Linux RPM/Deb model that's only been around for... what? a couple of decades? And which offers far better prices, control and access to the market. So much so that, for all its popularity, Apple's Store is -at best- a pale approximation of a viable software management model.'

      • by Anonymous Coward

        When I saw the quote, I was reminded of those politicians who want us to give up our freedom ‘to make us secure’. I think he can stick his app store where the backlight don't shine.

      • He seems to be focused on Apple products as user/cracker/hacker. In his world a 'repository' just isn't called a "repository" even if that's what he means most likely.
      • 'No, more like the Linux RPM/Deb model that's only been around for... what? a couple of decades? And which offer far better prices, control and access to the market.

        If by "far better prices" you mean zero as the only available choice, then how are people supposed to cover the cost of developing high-quality video games or tax preparation software [pineight.com]?

        • by grcumb ( 781340 )

          If by "far better prices" you mean zero as the only available choice, then how are people supposed to cover the cost of developing high-quality video games or tax preparation software [pineight.com]?

          By running their own repo/PPA, or paying someone else to broker that service, and only allowing access to paying customers.

          To be perfectly clear: I'm not saying you have to use only your distro's repositories. I'm saying that the Debian/RedHat repo model is a way, way better example of secure software delivery than the Apple App Store.

  • This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out

    So the theory is that making systems harder to hack will dissuade hackers, thus making all computers secure forever. It's too bad this is such a novel theory and no one's ever tried to harden existing systems against hacking otherwise we might have some empirical evidence to support his plan.

    Oh what's that? The entire history of hacking is one of ever more elaborate and clever security precautions being overcome by ever more elaborate and clever hackers? One side cannot ever declare victory and rest on i

    • The summary seemed to imply "security through obscurity" to me.
    • by 0123456 ( 636235 )

      Oh what's that? The entire history of hacking is one of ever more elaborate and clever security precautions being overcome by ever more elaborate and clever hackers?

      You forgot the part where they just wrap their malware in a 'Free B00b1es' screensaver and people download and install it for them.

      • by tepples ( 727027 )

        You forgot the part where they just wrap their malware in a 'Free B00b1es' screensaver and people download and install it for them.

        I think that's what the reference to Apple's App Store was intended to fight. One has to social engineer not only the user being attacked but also Apple.

    • It does work, the problem is that you have to really secure the applications not kinda sorta secure them. And in practice folks rarely manage to secure them enough to remove the profit motive from breaking in.

    • by rtb61 ( 674572 )

      Of course there are two types of black hat hackers. One group, the private enterprise, distribute their attacks so that they can hide their criminal activities behind the activities of script kiddies. The other type, the government professionally paranoid black hat hackers, tend to keep their attacks secret until they use them; of course, corruption in those organisations means attack methods can leak out.

      I wonder how many out in the wild attacks had their origins in the offices of the professionally paranoi

  • by kurt555gs ( 309278 ) <kurt555gs@nOsPaM.ovi.com> on Tuesday August 02, 2011 @09:45PM (#36967956) Homepage

    I love mine and know it is secure by the simple reason that no one has sold enough to make it a worthwhile target.

    • Linux does not have the market share either.

      The other reason is you hardly ever load software onto it. The other problem with your theory though is chrome (browser) has a massive (relative to Linux) market share, I wonder how long it will be before a persistently open tab could become an "attack vector".

      • Actually, paraphrasing the great line from Soylent green, "Chrome OS is made of SUSE"!

        So, it is Linux. It just has anything not needed removed and all the ports not needed locked up. It's *prolly very secure in its own right.

        I had a Samsung Galaxy Tab 7", and replaced it with the Chromebook. It is great as an internet appliance with a real keyboard.

        • by Rich0 ( 548339 )

          Actually, believe it or not it is based on Gentoo - at least the package management aspects are. The end-user experience is pretty appliance-ish.

          One thing going for Chrome is the fact that it uses secure boot, so that greatly limits attack vectors, and if you do manage to get temporary control the next OS upgrade is going to fix that, unless you manage to somehow block those (and that will be even harder to do without tripping the signature checks). And, it is pretty trivial to re-image in the absolute wo

    • by Cwix ( 1671282 )

      So you're saying they are not only useless to users, but useless to virus writers also?

      • by gl4ss ( 559668 )

        it's a pretty good target for js malware. but the sales and use numbers are so low, you might as well target beos.

  • Very well. (Score:5, Insightful)

    by Microlith ( 54737 ) on Tuesday August 02, 2011 @09:59PM (#36968038)

    So long as said security doesn't inhibit my ability to use my machine entirely as I wish, and doesn't treat me as an enemy as well.

  • Like The Old Joke (Score:3, Insightful)

    by SchMoops ( 2019810 ) on Tuesday August 02, 2011 @10:29PM (#36968186) Homepage

    This reminds me of the old joke:

    Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"

    In that sense, all the security any given person needs is just not to be low-hanging fruit.

    • by evanbd ( 210358 )
      You also need to not be a particularly tempting fruit. See spear phishing, advanced persistent threats, Stuxnet, etc.
    • This reminds me of the old joke:

      Alice and Bob are camping when they get attacked by a hungry lion. Running away at top speed, Alice begins to overtake Bob. "We'll never be able to outrun it!" says Bob. Alice replies, "I don't need to outrun the lion - I only need to outrun YOU!"

      In that sense, all the security any given person needs is just not to be low-hanging fruit.

      That joke is only about encryption if the bear's name is Carol.

    • Two guys are out camping in the woods, and the discussion turns to bears. One of them has a monstrous cannon of a pistol he lugs around all day, but it gets heavy by the end of the day. The other guy shows him a tiny .22 pistol,
      A: "This is what I carry. All I need for bear."
      B: "Are you kidding? You won't even slow down the bear a little bit with that thing."
      A: "I wasn't going to shoot the bear.

      Moral of the story: Increase your own security a little bit, and encourage everyone else to be less secure,

      • by Rich0 ( 548339 )

        Yup, if you want to survive WWIII your bomb shelter is only going to be as useful as its defensibility.

  • by Anonymous Coward

    Yep with capitals on every word.

    So you see every security researcher and their friend claim how good it is to have long, strong unremembered passwords for each of your 1000 services.
    They also want to have a million software work-arounds to manage flaws in the current software and operating system design. Such as ASLR, canaries, what not - then make you believe your system is, I quote again, RESILIENT. Nothing less! Your OS fights back for you and has multiple layers of security! (which usually are all bypa

    • Well, considering that remotely-exploitable network-stack-level overflow vulnerabilities are almost completely gone, either the programming techniques have improved, or these technologies are helping.

      I would like to point out that the pervasive attitude at Sony seemed to be one of "well, nothing is perfect, so we don't need to spend too much money doing our best".

      On the other hand, building a secure OS from the ground up IS the right approach, and I'm sure Mr Miller would agree, but, the simple fact is that

  • Start by taking the time to do a non-rush job and do a lot more QA / testing. Also usability testing needs to be done as well.

    auto testing can help but it does not cover all things / leads to coding to pass the test missing the stuff that the test does not cover.

  • I am a firm believer that when we came up with the concept of zero tolerance we were in trouble. Life is shades of grey; some more white, some more black never just black nor white. If we lose the ability to take care of ourselves, we lose our ability of self determination a.k.a freedom. We are in trouble...
  • Stop making us change passwords each month or less and cut back on the password rules. Ti5@j0ke is way to pass without needing to use a post-it and next month it's P@ssw0rd2!

    • Listen, I do computer security audits and penetration testing and we break into 90% of the companies we attempt to break into. The simple fact is that password complexity and password changes is probably the #3 biggest risk in the enterprise, aside from simple patching and configuration/hardening issues.

      Through a combination of techniques, we are able to obtain password hashes of various values. Frequently these are cached values. If you've ever logged into a windows workstation on a domain, your password

  • educating the fucking users, which is the most glaring and most fundamental security hole there is. Make sure the users know they need to keep the PCs and anti-viruses updated, make sure they know how, make sure users know not to run untrusted programs, make sure they know what counts as a program (screensavers, plugins, installers... we know but they often don't), make sure they don't insert a USB stick they found in the street, if their PC has an instant-on OS option make sure they use that to do their ba
    • by Kargan ( 250092 )

      I don't disagree with what you are saying at all, but I am curious:

      Who is going to do the educating, exactly, and how? It's not like you can force people to learn things they don't want to learn. You don't need a license to use a computer or the Internet.

      Make no mistake, there are actively, willfully ignorant users all over the place. They know what they need to do to learn more - use the computer more. But they don't want to, because using the system is not an enjoyable, rewarding experience. It's mor

      • Who is going to do the educating, exactly, and how?

        At the moment, the only ones trying to teach people about security are frustrated IT workers. Every little bit helps, so if the gov't put some effort into it, quit doing campaigns for the RIAA and started doing something for their citizens, they could improve the situation quite a bit.

        There are a lot of possibilities. From introducing security essentials into school curricula (who needs to be taught Powerpoint?), to encouraging companies to take action to safeguard their own data (the recent hacks should be

    • by Anonymous Coward

      Umm, no. The user should not have to worry about security. It should be secure by default. The burden of security should be placed on the thousands of software engineers instead of the millions of end users.

      • Unfortunately, that's not how security works. If the users don't know what they're doing, their systems are insecure no matter how much security you build into them.
    • You can't educate willful indifference.

      Users KNOW they should have strong passwords, but consistently, in my security audits of big companies without technical controls in place to prevent it, 30% or more of passwords are crap like "master" and "cookie" and "god".

      I'm not kidding. People DON'T see value. Even if they do, they think... "well, everyone needs to do that, but I am special". It's human nature.

      Security is about fixing human nature, which is why it's so damn hard, and sometimes appears irrational

      • You can't educate willful indifference.

        Users KNOW they should have strong passwords, but consistently, in my security audits of big companies without technical controls in place to prevent it, 30% or more of passwords are crap like "master" and "cookie" and "god".

        I'm not kidding. People DON'T see value. Even if they do, they think... "well, everyone needs to do that, but I am special". It's human nature.

        Actually, you can to an extent.

        The way I've educated my mom about secure passwords was to teach her how easy it was to crack her own passwords. And when I say teach, I don't mean to say that I broke her passwords for her. No, I showed her the script, explained it a little, and then I made sure she filled out some of the paths and that she ran the script herself.

        That was half of the education process. The other half was to teach her how to make a password out of a long sentence of her choice.

        Just explaining

  • The efforts to improve Internet security are simply being outpaced by the rate of new technology implementations. The Internet has been one gigantic Rube Goldberg construct since the beginning. Trying to provide security while maintaining backwards compatibility is creating security nightmares. Any large scale and meaningful security improvements would require a wholesale abandonment of past security methodologies and replacing that security infrastructure would be extremely expensive and would cause incom
  • Is that how it goes?

  • Of course, it makes sense that a security consultant would want to centralize security even more. He would profit from such centralization, but he wouldn't profit from ensuring that we get better security.

    In my opinion, computer security should be approached just like a public health issue. We should teach people good computer hygiene, just like we teach people about proper personal hygiene. Granted, this approach is not going to solve every problem, and this educational effort would have to be never ending

  • One curious part of the interview is when Alan Dang writes: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
    This is incorrect: many banks sell "virtual" credit card services: these CC numbers work only for one purchase, so users can protect themselves.
    But the sad part in this case is that it's the security consci

  • by master_p ( 608214 ) on Wednesday August 03, 2011 @05:18AM (#36970102)

    The problem of security starts with CPUs, goes through the operating system and programming languages, and ends up to the communication standards.

    The problem with CPUs is their horrible security model: it is either user or kernel mode for an application, there is no other security mode. This means that once an app is compromised, and foreign code is executed, all sorts of nasty things can be done. A more fine-grained CPU security model would offer much better security, allowing software components within the same process space to coexist without affecting each other.

    The problem with operating systems is that their security model is based, again, on the guest/administrator model, i.e. it is actually the same security model as the one used by the CPUs. A better security model would allow software that communicates with the outside world to run with less privileges than the user, thus saving the user from being compromised when malicious code. Furthermore, operating systems resources are not virtualized for the user, requiring access to administrator rights for jobs that could not require such rights.

    The problem with programming languages is that the most used programming languages for system programming are too open for abuse. I am talking about C/C++, of course. Take Windows, for example: hundreds of buffer overflow bugs, because C does not do bounds checking on arrays. If C was designed with safety first, performance second, and made checked array access the default, and unchecked array access explicit, fewer security issues would exist.

    Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so. The encryption support cost would have been minimal by now, as with all technologies that start expensive and get cheap as they are massively produced.
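
The checked-by-default, unchecked-only-when-explicit array access proposed in the comment above, sketched in C as an added example (not part of the original thread or any poster's code). `span_t`, its accessors and the one-byte length-prefixed record format are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An array that carries its own length, so every access can be checked. */
typedef struct {
    uint8_t *data;
    size_t   len;
} span_t;

/* Default read: checked. A bad index fails instead of reading adjacent memory. */
static bool span_get(span_t s, size_t i, uint8_t *out)
{
    if (s.data == NULL || out == NULL || i >= s.len)
        return false;
    *out = s.data[i];
    return true;
}

/* Default write: checked. A bad index fails instead of corrupting a neighbour. */
static bool span_set(span_t s, size_t i, uint8_t v)
{
    if (s.data == NULL || i >= s.len)
        return false;
    s.data[i] = v;
    return true;
}

/* Explicit opt-out: the name makes the missing check visible in code review.
 * The caller must already have proven i < s.len. */
static uint8_t span_get_unchecked(span_t s, size_t i)
{
    return s.data[i];
}

/* Hot loop: one bounds check hoisted out, then unchecked reads inside. */
static uint32_t span_sum(span_t s, size_t n)
{
    uint32_t total = 0;
    if (n > s.len)
        n = s.len;
    for (size_t i = 0; i < n; i++)
        total += span_get_unchecked(s, i);
    return total;
}

typedef enum { REC_OK = 0, REC_TRUNCATED, REC_TOO_LARGE } rec_status;

/* Constructed record format: byte 0 is the sender's claimed payload length,
 * followed by the payload. Both the source and destination bounds are
 * validated before any byte is copied. */
static rec_status parse_record(const uint8_t *msg, size_t msg_len,
                               span_t out, size_t *copied)
{
    *copied = 0;
    if (msg == NULL || msg_len < 1)
        return REC_TRUNCATED;
    size_t claimed = msg[0];
    if (claimed > msg_len - 1)      /* length field lies: would over-read msg */
        return REC_TRUNCATED;
    if (claimed > out.len)          /* would overflow the destination buffer */
        return REC_TOO_LARGE;
    memcpy(out.data, msg + 1, claimed);
    *copied = claimed;
    return REC_OK;
}

int main(void)
{
    uint8_t buf[4] = {0};
    span_t dst = { buf, sizeof buf };
    const uint8_t oversized[] = { 5, 'A', 'B', 'C', 'D', 'E' }; /* constructed input */
    size_t n;
    uint8_t v = 0;

    printf("oversized record -> status %d\n",
           (int)parse_record(oversized, sizeof oversized, dst, &n));
    printf("write at index 4 of 4 -> %s\n", span_set(dst, 4, 1) ? "ok" : "rejected");
    printf("read at index 0 -> %s, sum=%u\n",
           span_get(dst, 0, &v) ? "ok" : "rejected", (unsigned)span_sum(dst, 4));
    return 0;
}
```
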

    • Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so.

      In the system you propose, how would each party know the other's key?

      • Each part would know the other's public key by exchanging public keys on communication initialisation.

        In order to avoid man-in-the-middle attacks, a solution like verifying the other part's public key by a different route could be used.

        • In order to avoid man-in-the-middle attacks, a solution like verifying the other part's public key by a different route could be used.

          I can think of three sorts of "different routes", none without drawbacks:

          • Using a CA that offers X.509 style hierarchical PKI can be expensive.
          • Using a web of trust can be expensive if you aren't already a frequent flyer. Without attending key signing parties far from home, your key will be connected primarily to other keys in the same city, meaning the number of keys reachable from your key isn't going to grow very large. Or what am I missing?
          • Perhaps by "routes" you meant diverse routes through the Interne [perspectives-project.org]
          • How about verifying the public key by uploading it to an email account, like Mozilla's single sign on system?

    • The problem with CPUs is their horrible security model: it is either user or kernel mode for an application, there is no other security mode.

      Wrong. The x86 architecture alone has numerous rings. Five I think? No mainstream kernels use more than two of those rings.

      The problem with programming languages is that the most used programming languages for system programming are too open for abuse. I am talking about C/C++, of course. Take Windows, for example: hundreds of buffer overflow bugs, because C does not do bounds checking on arrays. If C was designed with safety first, performance second, and made checked array access the default, and unchecked array access explicit, fewer security issues would exist.

      C is just a tool. How a tool is used is a methodology. The tool is not at fault, the methodology is. Even with a good methodology, you just can not have morons at the console writing the code. I know, business owners dream of a world where they can have low-cost interchangeable morons writing code. That is not going to ever happen (reliably).

      Finally, communications over networks should have been encrypted by default, and only revert to unencrypted when it did not hurt to do so. The encryption support cost would have been minimal by now, as with all technologies that start expensive and get cheap as they are massively produced.

      I think Phil Zimmerman is the name of a guy y
