Categories: In The News, Internet, Politics

NSA… Can you hear me now?

Of course when the Federal Government uses the legal equivalent to the Atomic Bomb, you know (despite their insistence) that all of the alleged activity is true… otherwise they would defend it. They even went as far as stating:

The fact that the United States will assert the state secrets privilege should not be construed as a confirmation or denial of any of plaintiffs’ allegations, either about AT&T or the alleged surveillance activities.

Yea sure. You don’t invoke something like this when you have nothing to hide. It’s like how all those companies “settle” but don’t admit guilt or wrongdoing. You don’t pay for something you didn’t do.

By the way, if you traceroute to this website and see “att.com” anywhere in there, you can rest assured they know you’re reading this ;-).

Categories: Internet, Mozilla, Security

SiteAdvisor Spyware Quiz

Site Advisor is running a quiz to see if users can correctly identify sites that ship spyware with their products. A few things crossed my mind while taking the quiz:

The age old method of knowing if an establishment is legitimate is to ask someone who knows, or rely on reviews. In my case I use Google queries, and got 7/8 (simply because I guessed on the P2P programs presented in the end, because I got lazy and it’s getting late). That proved pretty accurate. Just the site name and “spyware” turned up good results each time. Granted that’s more technical than most. I know many who limit their downloads to those offered by more trusted sources (recommended by tech mags for example, or included on CD with them). This test doesn’t really reflect those habits accurately, making more people seem vulnerable.

Why do they have an old version of Firefox for the screenshots (I see the update icon)? Don’t they know running the latest version has more security fixes, and will protect them from known and fixed exploits? I’d expect more from them on that one.

Oh yea, after you’re done taking the test you can see the analysis of the results, but don’t view that if you plan to take the test or you’ll ruin it. But I know you’re all honest and wouldn’t cheat ;-).

Categories: Mozilla, Security

Symantec on Firefox vs IE

Many remember a few months ago Symantec came under fire for suggesting that IE was more secure than Firefox, because it had fewer security issues. Immediately many pointed out that Symantec’s methodology in the research was flawed, since they focused on vendor-acknowledged security issues. That essentially lets the development teams decide how many security issues they want to have.

Symantec has now revised their research to include how many non-vendor-confirmed security issues were reported. This makes for a somewhat more level playing field. Naturally you’d expect Firefox to have more confirmed flaws, because development is transparent. The IE team has the ability to selectively choose what’s “critical”. That’s a big advantage in the old comparison. They don’t seem to declare a “winner”; they just lay out the data.

Moral of the story? Data is only accurate if the research is well done. Symantec realized their research was flawed, and corrected it in a way that seems pretty fair, considering Firefox and IE have totally different development situations.

Categories: Security, Software

Backdoor? “Over My Dead Body”

Niels Ferguson of the Security Integrity Team had this to say about the idea of a backdoor being implemented in Windows Vista’s new BitLocker security system:

Over my dead body.

Well, maybe not literally—I’m not ready to be a martyr quite yet—but certainly not in any product I work on. And I’m not alone in that sentiment. The official line from high up is that we do not create back doors. And in the unlikely situation that we are forced to by law we’ll either announce it publicly or withdraw the entire feature. Back doors are simply not acceptable. Besides, they wouldn’t find anybody on this team willing to implement and test the back door.

Very good to hear. If there is anything of the sort in Vista, it’s only a matter of hours before someone (a bad cop, someone on the Vista team) leaks enough info for hackers to figure stuff out. That changes the product from a “security” product to an “obscurity” product.

Security is important in computing. “Backdoor” is just a public relations spin on “security hole”. Nothing less.

Categories: Google, Internet

True Hackers

I’ve been saying for quite a while that true hackers aren’t the stereotyped computer nerds. They are just observant people who know what to look for. That article is a little disturbing, but nothing strange. I remember a year or two ago when someone had a “Google Hack” to find those Axis cameras, many not even password protected.

Very interesting read.

Categories: Mozilla, Open Source, Security

DHS helping to secure open-source software

CNet News is reporting that Homeland Security is sponsoring an effort to secure open source software. According to the article:

In the effort, which the government agency calls the “Vulnerability Discovery and Remediation, Open Source Hardening Project,” Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects. The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said.

And yes, Firefox is listed as one of the projects to be scanned. Thunderbird unfortunately isn’t listed, which personally I think would be a good candidate for this project considering mail clients have been used quite a bit as a point of entry. Since it shares common code with Firefox it still gets some benefit. It says the “resulting database” will be accessible, but I don’t know if that means they will file in Bugzilla, or host their own database which developers need to visit and harvest from.

Personally I think this is great. Getting open source projects an audit like this will enhance security online, so end users will benefit. Hopefully things work out well, and they expand to cover more projects over time.

A criticism of the project is that this only funds finding bugs, rather than fixing them. This isn’t likely to be as large a problem for Firefox as there are paid staff working on the project. Perhaps bounties will be put out by third parties? Who knows. Hopefully in the end, these products become better.

Categories: Funny, Politics, Security, Software

Google Earth A Threat

If some of this silliness keeps going on, we’re going to end up having airplanes without windows, because it could threaten security if you look outside.

Perhaps it’s time for some countries to consider building roofs over classified equipment, or perhaps putting a tarp over it. What ever happened to underground bunkers and camouflage?

Categories: Software

Kerio Personal Firewall Saved

Sunbelt Software bought Kerio Personal Firewall, saving it from being killed by Kerio (who is discontinuing the product at the end of the year). I’ve been using it for a few months, after using Sygate Personal Firewall for ages (which is also discontinued now that it’s owned by Symantec). I must say Kerio is much better, if only for performance; Sygate was much more resource intensive from what I can see.

On their blog (one of the few good corporate blogs, I might add), they discuss their plans ever so briefly; of note:

  • Upon the close of the deal, Sunbelt will also announce new reduced pricing for the full version of the product and a variety of special offers for both Kerio and Sunbelt customers.
  • Additionally, Sunbelt will continue Kerio’s tradition of providing a basic free version for home users.

Also really great to hear. Hopefully they will improve the basic version as well. Lowering the price is a good move considering it’s a rather high $45.

It’s good to see there are some alternative firewalls out there. Having a laptop (and not always the benefit of being behind a real hardware based firewall) the extra protection is welcome.

[Hat tip: dslreports.com]

Categories: Mozilla, Software

Pavlovian Vulnerability

It seems like Ivan Pavlov’s theory of Classical Conditioning is demonstrated every time I install an extension. You follow the same mindless task of whitelisting the domain so that you can install, then wait for the delay, and install. Restart your browser, and you’re done. It rather quickly gets to the point where you don’t even think about it. Is that a good thing? Is this a bug?

I hope at some point we get to the point where there’s a secure repository of extensions, ones that have been tested and known to be “evil free” (spyware, adware, virus, etc.). A source of safe and effective extensions that you can use without worry. It would likely be hard to review them all, but some could be reviewed, so that they can be installed easily and the user can know that they are safe.

My objection to the current system is that it does little but block “drive-by downloads”. It requires a few clicks, so you don’t install something by accident. But other than that, what have you prevented? The extension can still be literally anything in the world.

How many end users really understand the risk? How many actually understand the dialog presented by those prompts that we bypass without even thinking about it? I’m guessing most people just view these as annoyances, and still open and install stuff indiscriminately.

The problem with security is eventually people get used to it, and life goes back to normal. It’s something faced by national security experts, as well as programmers. Special security measures are only special when used in a limited way. Otherwise they become the norm. Right now the US threat level is “elevated”. How many people are doing something special as a result of that? Yea, most are just living their normal lives. Does this “elevated” level serve a purpose (other than PR)?

The big question is how do you clearly distinguish between safe, and unsafe to end users? I’d love to hear some comments on how to prevent these current security measures from becoming a Pavlovian Vulnerability.

Definition

Pavlovian Vulnerability – the susceptibility to a security risk due to a learned response almost automatic in nature in reaction to a monotonous situation or predictable chain of events.

Note: this is different from carelessness or negligence because Pavlovian requires it be learned, either by training, repetition or some other means.

Note: Yes, I’m discussing extensions here, but it also applies to how IE handles ActiveX, Safari and Dashboard Widgets, or how all browsers handle downloads. No browser that I am aware of is exempt from this issue.

Edit (10/15/05 9:13 PM EST): Added definition for clarity in regards to the title of this post.

Categories: Mozilla, Software

Firefox and Security

ZDNet’s George Ou recently blogged about Firefox security, which raised a few questions in my mind (that he didn’t mention). I’d like to go over them briefly:

Is it possible to write a secure program (other than a “Hello World”)?

I’ll go on the record saying there is no such thing as a secure web browser, or any large program. It’s just not possible, at least right now (who knows what great secure programs we’ll have when the apes take over and enslave us). If you look hard enough you’ll find some vulnerabilities even in OpenBSD. Why? Studies have shown programmers make quite a few mistakes (isn’t that obvious?). In most cases these bugs are obscure “outlier” cases that 99% of users never see. Of those, a small percentage are security vulnerabilities. As with anything there are degrees of severity (hence security vulnerabilities are rated). Many may never be experienced. But a few are found by accident, and a few by malice.

What is security, and how is it graded?

My big question is how do you grade a product’s security? It’s clear the industry as a whole doesn’t have a clue how to do so. Right now software security is an informal process of yelling “I found one” and posting a message showing the exploit. I personally believe a few things come into play when discussing whether a product “is secure”:

  1. Response time for patching – does the creator issue a patch quickly, or do they take forever to acknowledge and fix the vulnerability?
  2. Box Install Security – how secure is the product “out of the box”? For example, OpenBSD is very secure out of the box, but I can still install a whole bunch of vulnerable software on it. Then who is at fault? Does that make OpenBSD less secure as a platform?
  3. Vulnerability vs. Exploit – just because there is a potential weakness (vulnerability), doesn’t mean there is a will or capacity to use it, or someone already taking advantage of it (exploit). I’d much rather have software on my computer with 10,000 vulnerabilities than 1 exploit. I think most users would make the same choice should they be given it. We’d prefer 0 and 0, but we’ll take vulnerabilities over exploits.

How does Mozilla Firefox/Thunderbird rate on the above?

Well, let’s go through each metric and discuss it briefly:

  1. Response time is rather quick typically (at least from what I’ve seen). It will get faster with Firefox 1.5, since patches can be deployed to Firefox users quicker. The quicker the user base updates, the less attractive an exploit is. Right now it’s not as easy to keep people up to date. They technically re-download the entire browser, which is somewhat slow, and turns people off. That’s not good. But the new update system is good.
  2. Box Install Security – this is a somewhat more complex issue. I’d say Firefox is rather secure out of the box, at least relative to IE, since it doesn’t have ActiveX. It does have a platform for extensions, but any extension available from the installer (limited to DOM Inspector and [my child] Reporter) is clean. After that, it becomes the user’s responsibility to download from reputable developers (just like you would for any other download). IE technically does have an extension system (we see that with browser add-ons such as Google Toolbar), and is subject to the same principle.
  3. Exploits – I’ll leave it to you to check how they compare to their competition.

So is the honeymoon over?

I don’t think there ever was a real “honeymoon”. Since the beginning the purpose of mozilla.org was essentially (copied from the Developers page):

Developers can help Mozilla by fixing bugs, adding new features, making Mozilla smaller and faster, and making Mozilla development easier for others.

The emphasis is mine. It’s appreciated when people find bugs and vulnerabilities. To the degree of a $500 bounty on security vulnerabilities. So finding vulnerabilities means the honeymoon has finally arrived (if you want to look at it that way). The good thing about vulnerabilities is once they are patched, they won’t become exploits (unless the patch is ineffective for some reason). Similar to law enforcement getting tipped off about a robbery and acting on it. That’s not bad, it’s good, assuming your information is timely and accurate, and law enforcement is effective.

Again, it’s important to note the difference between a ‘vulnerability’ and an ‘exploit’. Technically every computer ships with a vulnerability: your keyboard and monitor. People can spy on you, and alter your data. Yes, it is a vulnerability. It’s #1. Is it feasible to fix? Likely not (though you can limit the effects by not working on sensitive info with people around, and locking your computer screen when you’re not in front of the keyboard). Exploits are what I’m personally afraid of. Thankfully none have really hit Firefox just yet. With the release of Firefox 1.5, and the new update system, it will be much easier to limit any damage an exploit could cause, since easier updating shrinks the pool of vulnerable systems.

Is there a lesson of the day?

I’d say there is a lesson. Keep your software up to date. No code is perfect, nor will it be anytime soon. If you’re up to date, you have the best defense out there. Choosing a product which has the best security model design, and keeping it updated, is the first step to a secure computer. Obviously a virus scanner is good too. Personally I believe Firefox has a more secure design by not being so “friendly” with the OS, and not supporting ActiveX, but regardless of your choice, keep it up to date. I’m sure the IE team will agree that’s the single most important thing you can do to stay safe. Run the latest release version.

I’m personally surprised that in 2005 Apple and Microsoft still don’t have a method for software developers to register their products to be used with the default updating mechanism in the OS. It would be ideal if the OS could track updates for me and keep my system up to date. They only work for software from the OS maker. There are third-party services for this (VersionTracker), but none in the OS itself. Instead we have a patchwork of updating mechanisms for products. Each works differently, and it’s a confusing mess. But that’s a topic for another day.