I’ve spent the week at the RSA Conference. It is a great place to meet colleagues, customers and friends. I had been a Conference Chair for the last 5 years, helping pick speakers and build panels. That was lots of fun, but this year I chose to sit out and let some other lucky soul have a chance. I did participate in the program, however. My friend Caroline Wong put on a panel on security metrics, and asked me to be one of the four panelist. The panel was a blast, and is worth a blog post in its own right.

But the subject of today’s post isn’t my panel, or metrics, but about a key part of the show. It’s about a time-honored ritual at RSA: the industry keynote delivered by Microsoft’s Corporate Vice President of Trustworthy Computing, Scott Charney. In a speech that was covered by multiple media outlets, including IDG News Service, CIO, and Computer Reseller News, Charney made three significant announcements. He:

• Admitted that last year’s suggestion, to require ISPs to cut off serially infected machines, was not realistic because it imposed undue costs on ISPs. Charney argued instead that end-users must take more responsibility for the safety and security of their own machines. To that end, he…
• Proposed a system of “public health certificates” that customer client machines would present to relying parties like banks and on-line websites that needed extra assurance that their customers’ machines were clean. Charney calls this “Collective Defense.” In addition, Charney…
• Argued that the Internet must attribute activities to people wherever we can. Charney argues that with threats, there is always a Who, a What and a Why. Figuring out who the Who is would go a long way to helping national governments fight the various cyber-wars, cyber-skirmishes and cyber-hair-pulling matches that have been documented so well in the press over the last few years.

It seems to me that Scott, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft’s preeminent position as the world’s leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. Moreover, the RSA Conference, as the preeminent industry conference devoted to information security, gives Microsoft (and Charney) the perfect platform for presenting their big, fast and provocative thinking. But let’s be honest, there’s a fine line between provocative and pollyanna. This year, Charney donned blue-tinged gossamer winds and fluttered off into the magical land of wishful thinking.

Let’s start with Microsoft’s ideas about Collective Defense and “public health certificates.” If I understand the idea correctly, relying parties (such as banks) would elect to trust — or selectively trust, or not trust — devices that presented digitally-signed attestations about their health. Rather than call this Collective Defense, let’s call it NAC’s Nephew. Practically, here is what that would mean: if McAfee or Symantec AV tells your bank that you have a clean bill of health, then your bank ought to let you transfer your money to Liberia. But if you don’t, they might think twice or ask for secondary authentication.

If you are technologist, especially one who drinks the Better Living Through Cryptography Kool-Aid or believes that “non-repudiation” actually refers to a real legal concept, digitally-signed health certificates sure sounds like a great idea. But upon closer scrutiny, nagging questions about practicality, implementation complexity and the so-what factor make it less attractive. Dan Geer has noted that technologists need to beware whenever they catch themselves saying “…and then a miracle happened.” That’s what we have here. I could raise a dozen objections, including (1) the decreasing efficacy of endpoint anti-malware software, (2) the high likelihood of certificate forgery, (3) the lack of likely implementations for platforms that aren’t Windows, and (4) the serious doubt that banks are asking for this stuff anyway (Trusteer isn’t exactly setting the world on fire, is it?).

But these are just the obvious objections. Slightly more worrying is Charney’s admission that ISPs aren’t part of the solution for keeping PCs safe. By that I assume he meant: Comcast, Time Warner, Charter, Cox had a few objections to cutting off infected customers. I can imagine a conversation between the two Steve Bs (Ballmer and Burke) that went something like this:

Burke (Comcast): So, Steve, I understand that you’d like to have me start cutting off Internet subscribers when we figure out that that their machines are infected.

Ballmer (Microsoft): You better believe it. We’re all-in on making our customers safer. ALL-IN!

Burke: I’ve got 80 million high-speed customers. My customer support team tells me I’ll lose 5m of them within the first year of running this program. That’s 7 billion dollars of lost revenue in the first year.

(pause)

Burke: Are you trying to get me to throw a chair at you?

(pause)

Burke: Excuse me Steve, but you’ll understand if I pass. I’ve got to run anyway. It’s time for me to start working on my 2011 Christmas cards.

That conversation never happened, and the numbers I presented are fictitious. But you can understand why putting the onus on ISPs to “keep their pipes clean” isn’t good for business. That Microsoft realizes this now is merely an admission of reality, and most welcome.

But while Microsoft’s new position reflects a more realistic appreciation of the limits of securing customer computers, Charney doesn’t push his thinking as far as he could. For example, consider his analogy comparing infected PCs to infected people. These are both health risks, and in both cases it behooves authorities to be aware of infections as early as possible. To the extent you can compare people to PCs, It also makes sense to educate customers about basic practices they can take to reduce the risk of infection (although I suspect Symantec might object to the implied comparison of installing their software to hand-washing.)

That said, computers aren’t like people at all. Computing can be improved in ways that the most audacious recombinant DNA theorist can only dream of. Because unlike humans, machines’ “DNA” — the operating systems and software that they are made of — can be replaced wholesale. From the security perspective, operating systems like SELinux, Qubes OS, BlackBerry OS, Apple’s iOS, Google’s Android or even Microsoft’s own Singularity or Windows Phone 7 OSes are fundamentally superior to Windows, because they have built-in protections like code-signing, verified roots-of-trust — often burned into hardware — and mandatory access control. From the security perspective, replacing Windows PCs with trusted Post-PC OSes such as Singularity or iOS isn’t merely a minor improvement like washing your hands. It’s more like replacing humans with a carbon-based life-form that’s immune to influenza.

Now, these other Post-PC OSes and their associated App Stores have other problems that I will be writing about in future posts, such as chatty, privacy-invading apps. But infections that compromise machine integrity isn’t one of their most pressing problems. And yes, I know I’m going to catch a lot of flak from the app security absolutists for saying this (“NOTHING is 100% secure…”). Please. Captain Obvious already paid me a visit today. Given enough time and money, anything is breakable. But acting as if mandatory code-signing, sandboxing and hardware-based trust anchors don’t decrease risk significantly is tantamount to dismissing 30 years of research by people much smarter than you and I. And that, in turn, means that we are ignoring lessons about how software should be built. In other words: we should not let loose talk about “ecosystems” distract from the critical need to re-examine the core software we run on the systems we use in our daily work.

Charney gets close — so very close — to this key point. When he calls for public health certificates that rely on hardware roots-of-trust to vouch for the integrity of devices, he should, instead, ask himself why they are needed in the first place. When he admits that ISPs can’t filter out infected PCs because of the expense, he should be asking whether he ought to, instead, design an operating system that fundamentally resists infection.

And finally, when he suggests that customers should share responsibility for educating themselves about keeping their PCs clean, he should ask himself why they should care, and whether the hassle of “education” and “taking responsibility” is worth it from the customer’s standpoint.

Now that’s a visionary speech I wish he’d made.

Microsoft said “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” this includes worms and a host of other malware that can automatically exploit this code through a variety of methods.

This is worse than most vulnerabilities we see.  Most vulnerabilities allow the system to be compromised in a specific way that may allow limited access or flexibility to the hacker.  This vulnerability makes it very easy for the cyber criminal to install any software they want as if they are the system administrator.

The solution?

• There is no automated fix from Microsoft at this time. However, there is a manual ”work around.”

The manual “work around” involves editing the Registry.  Note – only experienced system administrators should manually edit the registry.  One wrong move can cause major stability and bootup problems.  The details for the registry edit can be found in the Microsoft Security Advisory (2219475).
Beware that Microsoft says that this may break links that you are trying to use in the Help and Support Center.  Microsoft has also posted a knowledge base article with a “fixit” here.

• Stay tuned for more details from Microsoft

Microsoft is working on a patch. The Google researcher who discovered the flaw has released a fix; however, Microsoft says that this fix is easily bypassed and that users should not rely on the Google fix to resolve the problem.

While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing.  Read more on this here. This will go a long way to protect systems from this exploit as well as many others we have seen in the past and will likely see in the future.

Contact us today at 800.234.2175 to talk with a security expert if you have further questions.

Tags: Windows XP exploit, Server 2003 exploit, vulnerability assessment tools, IT security, application penetration testing, managed service providers, intrusion detection system, security penetration testing

Lawsuits, as a result of data breaches, were out of control.  Sure, if a company has a breach that results in fraud or identity theft, I can understand why someone would want to sue the company.  I believe that if a breach occurs, and it is at all possible that identity theft or fraud might occur as a result, that the company should offer credit monitoring services for people.  But what I have never agreed with are those suits filed by individuals or groups where no identity theft has occurred, no fraud occurred, and there is little or no chance of having that happen and still, they get sued.  The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his social security number, was exposed has no legal standing to seek damages BECAUSE HE DID NOT SUFFER MATERIALLY AS A RESULT OF THE BREACH.  This is how it should be.  I remember the class-action lawsuit against the Veterans Affairs where they had to pay $20 million and no identity theft or fraud had occurred.  There were 26.5 million records exposed, so was everyone going to get $0.50 after the attorneys were paid.  These lawsuits have been ambulance-chasing lawyer’s dreams for some time.  I am glad it is moving in another direction…

I was asked to answer some specific questions for a reporter of Processor Magazine. They usually take bits and pieces of what I send combined with others in the industry to write their articles. So I thought I would list the questions here and my full answers. At some point we will see what they use of these…
—————————

What does it take to keep the enterprise secure?
A lot more than people think. The idea that a firewall and anti-virus software are enough can only be described as reckless these days. Even intrusion detection and prevention systems can be easily bypassed by cyber criminals. Every organization is different and therefore there isn’t one answer that will keep all enterprises secure; but in general a layered security approach that includes information security defenses at the edge, in the core of the network, and on the endpoints is what is needed.

More importantly than the technologies or solutions employed is the way in which the enterprise will get the most out of those solutions. Centralized reporting and administration is key. Central repositories for compliance documents and audit documentation is critical. Policies, procedures and controls are paramount. The best thing an enterprise can do is work with a security expert that has their best interest in mind and help them design and roll out a comprehensive security program that fits their requirements and budget.

Why should some applications (or classes of apps) NOT be used in the enterprise?
The term “applications” is so broad it is tough to answer this. In general, there are lots of applications that shouldn’t be used in an enterprise or closely managed and monitored if they are used. Some for productivity reasons. Others for security reasons. In my mind, what is more important than broadly banning applications (although there are times you should do that) is ensuring that systems only have the applications they need to perform their various functions. Any application can have vulnerabilities that can be exploited. Look at Adobe Acrobat for example. It is on more systems than any other application on the planet and has one of the highest rates of known, critical vulnerabilities. I don’t know of many enterprises that are going to ban Adobe Acrobat. So the more important thing is a process whereby you can patch the systems and keep them up to date to reduce the chance of compromise.

If you are referring to “applications” in the context of security solutions then I would answer differently. Simply stated, every organization is unique and information security must be implemented and somewhat customized for that particular organization to offer real value.

Why should others be used? Do you have any examples?
Again, if we are talking about security applications, one that I feel is really necessary these days but often not known or used is Host Based Intrusion Detection & Prevention (HIPS). This is software that goes right on the endpoints you want to protect. It does a great job with securing individual assets you want to protect at a higher level such as mission critical systems, customer databases, active directory services, or Internet accessible devices like an email server or web server. Web Content Filtering is another one that is absolutely necessary to help keep malware out of your organization. From a security standpoint, there are so many solutions an enterprise really needs to work with an expert to see what they need.

Why isn’t it the best idea to give end-users administrator rights?
There are lots of reasons for this 1) the user may install software that could compromise the system and subsequently the entire network. 2) Hackers that compromise the system may use these rights for other nefarious purposes.

How is mobility affecting the typical company’s security planning?
USB thumb drives, smart phones, iPods/iPhones, and other devices are causing major problems for enterprises. Malicious insiders can use these devices to steal massive amounts of information and walk out with it on their keychain or in their pocket. Careless and untrained insiders often spread malware, viruses, Trojans, worms and other things that can compromise or destroy systems and data. Mobile users such as telecommuters and travelers often have laptops stolen which have sensitive data on them. 45 of the 50 states have data breach disclosure laws that require an enterprise to publicly announce these incidents which can have a huge impact on revenue, customer retention, and stock prices, not to mention the fees and class action lawsuits that usually follow.

Is there such thing as too much or too little security?
Of course there is such a thing as too little security. I also believe that there can be too much security. If you have so many security solutions and technology that you aren’t able to keep up with the 24×7 management and monitoring, you aren’t getting what you need out of those solutions. You are wasting money. In the hands of properly qualified information security experts, it would be better. But there are so many solutions that people have deployed and they simply aren’t getting much value from them. Maybe they were at one time, but people keep adding solution after solution and technology after technology rather than doing a risk and gap analysis and finding out what they really need and then simply using those things. They will find they spend less in the end and get much better risk mitigation.

The Chinese police have arrested 3 in conjunction with a hacker site called Black Hawk.  This site had been (among other things) selling membership fees totaling more than $1 million US.  This group has been known to threaten businesses such as Internet cafés telling them they would be shut down with a DDOS attack if they didn’t pay them.  Ultimately the Chinese authorities found them by tracking the phone number given to these businesses to pay Black Hawk.

What is really happening here is that the Chinese government feels the pressure as a result of the Google hacks and wants to appear like they are really cracking down on cybercrime.  The truth is, these bozos at Black Hawk aren’t anywhere near the level of sophistication as the Google hacks (which many believe were in face Chinese state sponsored).  So this really is nothing more than perception management by the Chinese, which likely means they are feeling a bit of pressure but ultimately have no intention of changing their behavior at the government level.

While many elements of security is moving towards the desktop, things like DDOS attacks can only be stopped at the service provider level, or by large sophisticated enterprises.  Service providers are beginning to prepare themselves better for these types of attacks that most security experts expect to increase dramatically in the future.

Government sponsored DDOS attacks… in other words government sponsored cyber terrorism seems to becoming more common as well.  There have been a few examples in the past.  One of the more recent is the attacks against Estonia by (what is believe by most to be) the Russian government.  Cyber terrorism will be a powerful weapon of the future.

Article

In my opinion, this isn’t about economic and revenue losses, but rather a security issue.  Most pirated versions of software cannot receive updates and patches.  This leaves a lot of vulnerable systems to be attacked, exploited, and then used for nefarious purposes.

Vint Cerf estimated that one in four computers worldwide has command and control software that makes it part of a botnet.   Of course no one knows the real figure.  Most other security professionals estimate it somewhere between one percent and 10 percent.  Either way, it is a big number.  Having that many systems under the control of others can have devastating consequences.  This is why we have the volume of SPAM we have today.  This is how countries can (and have) been taken offline through DDOS attacks.  The problem with pirated software is that those systems become a plague to all the legitimate systems out there.  This will grow to be an enormous problem in the near future.

http://www.msnbc.msn.com/id/30699735/