David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry.
David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.
The views and opinions expressed are those of the author and do not reflect the official policy, position, or recommendations of the author's affiliations, partners, employers, or clients.
I will be speaking on The Morning Show with radio hosts Dorothy and Brian on KUSA-AM.
Date: August 1, 2008
Time: 8:10am Pacific
Channel: 980AM, KUSA
Location: Yakima, WA
ListenLive: http://www.talk980kusa.com
Posted on July 31, 2008
IBM X-Force just released a report about who is better at discovering software vulnerabilities. It hammers independent researchers.
IBM X-Force report slams independent security researchers
To quote:
The report was critical of independent security researchers, drawing attention to statistics that showed independent researchers are almost twice as likely to have exploit code published on the same day as their vulnerability disclosure as vendor-driven research organizations. Over the past year and a half, independent researchers discovered 70% of all vulnerabilities that were not anonymously disclosed, but vendor research organizations found 80% of critical vulnerabilities, meaning those with a Common Vulnerability Scoring System (CVSS) base score of 10.
"You have to ask yourself whether you're providing more responsive patching and protection techniques, or are you doing it for self driven egocentric reasons," said Kris Lamb, director of IBM's X-Force research.
No. This is the wrong question. You have to ask yourself why security researchers are doing for free what software manufacturers should be doing themselves more comprehensively before releasing their products.
Whether it is independent researchers or vendor research organizations does not matter. Both are subsidizing substandard manufacturing practices for one of the most lucrative and profitable industries on earth. Researchers of all stripes are providing a free service to software manufacturers by discovering vulnerabilities software manufacturers should have detected - or better yet, avoided - in the first place.
In short, the argument over who is better or more responsible at discovering vulnerabilities is childish, vain, and incomprehensibly short-sighted. It is a stopgap practice that has become the status quo. It perpetuates bad software, subsidizes mediocrity, and shields manufacturers from bearing the burden they should rightly bear.
"But if we don't do it, people will be at risk," might be the ardent reply. And the answer would be, "You're right."
This is a prime example of market failure, where the players cannot self-correct. We cannot stop discovering vulnerabilities because we would be worse off if we did...but we also perpetuate the problem by doing so.
Security researchers are doing far less good than they believe and should avoid squabbling over who is better at doing the job software manufacturers have abdicated to victims.
Posted on July 30, 2008
I was happy to meet Drazen Drazic at AusCERT 2008. Drazen is CEO of Securus Global and runs his popular IT security blog, Beast or Buddha. Recently, we exchanged a great set of interview questions. My answers are posted on Beast or Buddha. Please visit!
Thanks again for the opportunity to share some more thoughts on insecure software, Drazen!
Posted on July 30, 2008
A top aide to Gordon Brown is the suspected victim of a “honeytrap” operation by Chinese intelligence agents, as covered by TimesOnline.
Gordon Brown aide a victim of honeytrap operation by Chinese agents
To quote:
The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.
The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning...
A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence. The incident will raise fresh questions about the security of sensitive official information. It follows a spate of high-profile cases where data from government departments have been lost...
The incident highlights the growing threat of Chinese intelligence to Britain and the West. Last December Jonathan Evans, the director-general of MI5, warned that China was carrying out state-sponsored espionage against vital parts of Britain’s economy, including the computer systems of big banks and financial services firms...
Joel Brenner, the US government’s top counter-intelligence official, warned: “So many people are going to the Olympics and are going to get electronically undressed.”
Looks like the Downing Street gentleman got undressed in more ways than one.
Posted on July 24, 2008
I do not claim to bring any (more) sanity to the open source debate regarding how much or to what extent "openness" makes software more secure. I, in fact, do not believe open source makes software intrinsically more secure. Open source software deserves at least as much suspicion as closed-source software.
In short, that open source software can be more secure than closed-source software (which is possible) does not mean it will be more secure (and in reality it is not). Apple is learning this in spades, as are many others, even within the heart of the open source movement itself.
More importantly, however (and more carefully, to sidestep the inevitable haranguing I will get for my last sentence), open source and closed-source software are equivalent to me from a legal perspective. Open source software comes with the same highly insular contract disclaimers and lack of warranty assurances as does closed-source proprietary software from the likes of Microsoft, Cisco, and Oracle. Neither type of software maker meaningfully stands behind its product, nor does either type of software maker bear the social consequences when its statements about how "secure" it might actually be are shown to be false. In short, you can make any claim or assertion you want when you bear no legal or financial accountability to consumers for being wrong.
As a case in point, consider the latest brouhaha in the open source world. Recently, Slashdot covered, well, an Open Source cover-up:
Linux’s Security Through Obscurity
Roughly put, members within the Open Source community are aghast that Linus Torvalds, the father of the open-source flagship GNU/Linux operating system, would advocate against fully disclosing vulnerabilities found within the Linux operating system itself (the kernel). In the open source community, this is anathema.
Linus’ argument is actually quite rational:
“If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it.”
In other words, unless a vulnerability has already been publicly disclosed, Linus argues that discovering the equivalent of zero-day vulnerabilities in the kernel should not be as simple as searching through the change logs to find, as Brad Spengler put it, “the myriad silently fixed vulnerabilities in Linux.” [my emphasis]
Brad goes on to state:
They [Linux kernel developers] seem to have the impression that people who find and exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security…this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they're helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.
In the back-and-forth of this debate, Linus et al. feel that some level of obscurity in reporting vulnerabilities helps protect people. This seems like a reasonable position. No sense in making it easier for attackers to find weak spots in the operating system.
On the other hand, others argue no; only full disclosure of vulnerabilities truly protects people and that obscurity actually hurts the very people Linus is trying to protect. This also seems like a reasonable position. How can you protect yourself if you don’t know what weak points need fixing?
This is a difficult debate. Which one is more correct?
As it turns out, neither. They are both wrong.
The "wool over the eyes" in this scenario actually has little to do with the degree of “openness” and everything to do with the lack of software assurance and accountability. In other words, at best openness is a distraction...a technologists’ argument to and for other technologists. At worst, it is a sales pitch...a feature, if you will, that is as easy to implement as sharing the source code itself.
In fact, neither open- nor closed-source software manufacturers produce code that can withstand highly foreseeable malicious acts “out of the box” and neither is held accountable legally or financially for this deficiency. That is the point to focus upon.
We, as consumers, are crash test dummies for all types of software manufacturers. We, as consumers, are somehow supposed to console ourselves that one type of software manufacturer might produce patches faster than the other type of software manufacturer. But consumers should not have to patch systems nearly as much as they do in the first place. Hackers and security researchers are simply discovering what software manufacturers failed to detect themselves. The open source folks can work themselves into a froth all they want about what degree and detail vulnerabilities should be reported, but frankly, transparency without accountability is vacuous.
The assertion of the open source community is that openness will make software more secure...but only after the software is released, used, and employed by an untold number of people in an untold number of systems in an untold number of circumstances, and hopefully, hopefully, under the many-eyes theory, vulnerabilities will be discovered and fixed before anything “bad” happens. If this sounds suspicious to you, it is. It is completely reactionary.
Consider this: A recent study on open source software by Fortify Software highlights the lack of security in open source projects.
Open source projects fall short on security
To quote:
Enterprises often rely on open source software to save development time and money, but they shouldn't rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices…the study found that open source developers need to pay more serious attention to security, and enterprises should treat open source with healthy skepticism as they integrate it into their businesses.
No doubt this report will create a flurry of explanations, counterclaims, clarifications, and outright attempts at debunking. Let me short circuit the whole process by saying this: In the end, openness may indeed make open source "more secure" than closed-source. I will concede this point even in light of evidence against it. So by all means, be as open as you like. But openness by itself does not promote avoidance of vulnerabilities or proactive protection of consumers. Accountability does.
Nothing quite motivates a manufacturer to do what they should before releasing a product as when the manufacturer must fairly bear the burdens once unfairly expected of the consumer.
One final note. Lest I appear biased against Open Source, let me be clear: I am. I am equally biased against closed-source manufacturers, however. In fact, I am biased against all types of manufacturers whose products potentially impact the health, welfare, and safety of hundreds of millions of people and who fail to recognize such responsibility legally and financially.
Brad's final thought in his post is this:
If you remain complacent about the state of affairs, you're only enabling them to continue their current misguided foolishness.
Indeed. So let's report vulnerabilities in all the hairy detail we like, but make manufacturers of all stripes accountable. Stop the foolishness of the software market.
Posted on July 23, 2008
I will be speaking with radio host Bill Meyer on Total Information AM, News Talk Radio, Medford, Oregon.
Date: July 22, 2008
Time: 8:10am Pacific
Channel: 1440AM, KMED-AM
Link: www.kmed.com
Posted on July 21, 2008
Sometimes, users get tricked into visiting a malicious website. Upon visiting, vulnerabilities within the user's browser or operating system are exploited. But you don't always have to be tricked. You don't even have to be stupid. You just have to be unlucky.
Major sites fall victim to Web hijack; check yours
To quote:
Security company Finjan Wednesday reported it has found more than 1,000 sites infected by an attack tool kit called Asprox, which exploits discovered flaws in a vulnerable site's programming to add hidden attack code. The attack code in turn searches for flaws on a browser's PC, and if any such holes are found, it will download malware onto the computer...
Finjan writes that this attack kit goes after flaws in QuickTime and the AOL SuperBuddy, as well as Windows.
For instance, if you had a hankering for Snapple and visited Snapple's website, you're done. Game over. Your machine is owned, hijacked by an attacker to do with as he/she pleases. If you visited any of the other 1,000 or so "government and top business websites" that had been hacked and infected, you would also be done. You don't have to be stupid, gullible, or unaware to be exploited. You just have to use the Internet.
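As an added example (not code from the article or from Finjan), here is the kind of check a site owner could run against their own pages for the hidden or foreign script and iframe inclusions the passage describes; the trusted-host list and the sample HTML below are constructed, and the hostname used for the injected elements is a placeholder.

```python
"""Flag script/iframe inclusions on a page that point at hosts the site owner
does not trust, or that are sized/styled so a visitor never sees them.
Added example; not part of the article. Sample input is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_STYLES = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """True when an element is styled or sized so that it is invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDING_STYLES):
        return True
    return attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")


class InclusionScanner(HTMLParser):
    """Collects (tag, src, reason) for suspicious <script src> / <iframe src>."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src")
        if not src:
            return  # inline script bodies are out of scope for this check
        # Relative and same-site URLs have no hostname and are left alone.
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in self.trusted:
            reasons.append("foreign host %s" % host)
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, "; ".join(reasons)))


def find_injected_inclusions(html, trusted_hosts):
    """Return the list of suspicious inclusions found in `html`."""
    scanner = InclusionScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed page: one local script, one trusted CDN script, then two
# injected elements pointing at a placeholder host.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<p>Welcome</p>
<iframe src="http://injected-host.invalid/x.php" width="0" height="0"></iframe>
<script src="http://injected-host.invalid/js.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_inclusions(SAMPLE_PAGE, ["cdn.example.com"]):
        print(finding)
```

Run it against the HTML your server actually sends (not the template on disk), since the injected code lives in the served output or the database that feeds it.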
Recommendation from the article?
"...for your own computer's safety, it's critical to keep all your software -- not just the browsers and the OS -- up to date with patches."
And that has worked really well so far (excuse my sarcasm). And what of the toolkits that use exploits we don't have patches for?
Better recommendation:
Hold software manufacturers to account. Software manufacturers do not pay the social costs for defects in their software which they fail to detect. You do. You must adjust your behavior; software manufacturers do not. Stop the madness. Does it really make sense to suggest that tens of millions of websites and users are better suited to fix what software manufacturers shouldn't have made defective in the first place?
Posted on July 18, 2008
To beat the apocalypse theme to death: Kris Kaspersky will show off proof-of-concept code in October 2008 and demonstrate how JavaScript code or TCP/IP packet storms can be used against Intel-based machines. In other words, because Intel has 80% of the market, everyone should take pause.
To quote from Researcher set to demo attack on Intel chips:
Kaspersky also charged that such CPU bugs [he discovered] actually have damaged hard drives without users' knowledge.
"Although CPU bugs are not something new in the security industry, nobody has come out with any proof-of-concept exploits," wrote Kaspersky. "It is just a matter of time before we start seeing these sort of attacks used in more devastating ways over the Internet. Intel has provided work-arounds to major BIOS vendors for some of these bugs, but who knows which vendor actually uses them? End-users are in the dark as to how to check if they are secure or not. Intel doesn't provide any test program for this, and the worst thing is [that] some bugs are still not fixed. In other words, Intel has no work-around for it."
End-users are in the dark, indeed.
Posted on July 18, 2008
I will be speaking with top-rated radio host Troy Neff on the Troy Neff Show, WCWA AM1230, Toledo, OH.
About Troy: http://troyneff.com/
Date: July 21, 2008.
Time: 6:15am Pacific (9:15am Eastern)
Station: AM1230, WCWA (Fox Sports Radio), Toledo, OH.
ListenLive: http://www.wcwa.com
Posted on July 18, 2008
Just so owners of the iPhone don't feel left out, the Blackberry crowd (myself included) can enjoy the growing attention of attackers also...
BlackBerry server faced with critical zero-day
To quote:
A critical zero-day flaw in BlackBerry Enterprise Server could be exploited by attackers to gain access to sensitive data, according to an advisory issued by the French Security Incident Response Team (FrSIRT).
The flaw is a PDF attachment handling error in the BlackBerry Attachment Service, FrSIRT said. An attacker could exploit the flaw by tricking a user to open a malicious PDF file attachment.
The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0. FrSIRT has rated it "critical."
BlackBerry maker Research in Motion has confirmed the flaw and issued a warning to customers. A patch has not been released for Enterprise Server. As a workaround, companies can prevent the server from processing PDF files.
"This issue has been escalated internally to our development team," RIM said in its advisory. "No resolution time frame is currently available."
Well, see, there you go, the issue has been escalated. Whew. I will twiddle my thumbs and not read any PDFs on my BlackBerry until a resolution time frame has been worked out...and then wait for the patch. I mean really, how many business people read PDFs anyway?!?
Posted on July 17, 2008