The state of Security III (Application Development)

Businesses that develop applications and the consumers who use them have fundamentally different goals. A business is, at its core, there to make money. To do that it needs a product that generates revenue, and application development costs money. Before an application is released there is no real way for the business to know whether it will bring in enough money to justify the development in the first place. Because of this, many applications are developed with security as an afterthought. There are few places where this is more evident than in the Internet of Things (IoT): thermostats, trash cans, refrigerators, light bulbs, and other everyday objects that never had a need to be connected to the internet before. Their creators have focused on giving these objects new interconnected functionality that allows for creative and automated uses of things that were once one-trick ponies. IoT devices are appearing faster than they can be secured, and the companies that produce them are in such a rush to get to market that they do not take the time to properly lock them down.

Somewhere out there in the world a Distributed Denial of Service (DDoS) attack is taking place, and the botnet doing the attacking is not made up of home computers, laptops, or even smartphones. It is made up of light bulbs that were already vulnerable on the day they were installed in someone's home. Will that vulnerability ever be closed? What would you think if someone told you to update the firmware on all the light bulbs in your house?

A commonly repeated rule of thumb puts it at roughly one exploitable flaw per hundred lines of code. Estimates vary widely, and only a fraction of the bugs in any code base turn out to be exploitable, but the arithmetic comes out the same at any rate you pick: if Windows 8 has on the order of 50 million lines of code, we can expect to keep finding vulnerabilities in it well after Microsoft has stopped supporting the product.

How do attackers find vulnerabilities in applications? When you write or read code, you tend to reconstruct what the programmer was thinking when the code was written. That is a very human flaw when looking for vulnerabilities, because you see what the coder intended rather than what the code actually allows. For that reason fuzzers are one of the best ways to discover new vulnerabilities in a system. A fuzzer rapidly feeds random or mutated data into a program in many different ways and watches for it to crash, hang, or otherwise misbehave. Once that happens it is up to a security researcher to step through what went wrong and see whether the failure can be turned into something more, such as a privilege escalation attack.
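To make the difference between "what the coder intended" and "what the code allows" concrete, here is a small mutation fuzzer. It is an added example written for this post, not code from the original; the wire format, the parser and the MalformedRecord class are all constructed for it. The parser's author only ever tested well-formed records. The fuzzer takes one valid record, mutates it a couple of thousand times and keeps the first input that produced each kind of unintended exception. The parser's own deliberate rejection (MalformedRecord) does not count as a finding; everything else is the code doing something nobody designed.

```python
import random
import struct


class MalformedRecord(Exception):
    """The parser's *intended* rejection: raising this is correct behaviour."""


# Toy wire format, constructed for this example:
#   byte 0      version, must be 1
#   byte 1      number of fields
#   per field   1-byte length, then that many payload bytes; the payload is a
#               big-endian uint16 value followed by an ASCII field name
def parse_record(data: bytes) -> dict:
    if data[0] != 1:
        raise MalformedRecord("unsupported version")
    count = data[1]
    pos = 2
    fields = {}
    for _ in range(count):
        length = data[pos]          # IndexError once the declared count outruns the data
        pos += 1
        payload = data[pos:pos + length]
        pos += length
        (value,) = struct.unpack(">H", payload[:2])   # struct.error if payload is shorter than 2 bytes
        fields[payload[2:].decode("ascii")] = value    # UnicodeDecodeError on a non-ASCII name
    return fields


# A valid record the author of parse_record would have tested with: "abc"=42 and "xy"=256.
SEED = bytes([1, 2, 5]) + b"\x00\x2aabc" + bytes([4]) + b"\x01\x00xy"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the input: bit flip, boundary value, truncation or insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(buf)


def fuzz(seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Return {exception class name: first input that triggered it}.

    MalformedRecord is the parser saying "no" on purpose and is not a finding;
    any other exception is the parser doing something its author never intended.
    """
    rng = random.Random(seed)       # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parse_record(case)
        except MalformedRecord:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, case in fuzz(SEED).items():
        print(f"{name:20s} triggered by {case.hex()}")
```

Every crash class the fuzzer reports corresponds to a missing check in parse_record (no length validation, no minimum payload size, no character-set validation on the name). A real fuzzer such as AFL or libFuzzer adds coverage feedback so that inputs which reach new code are kept as new seeds, but the loop is the same: mutate, run, record anything the program did not mean to do.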

Consider the source. Closed-source software has one advantage: it is harder to work out all the ins and outs of how a program was built in order to find workable exploits. That does not mean the software has fewer exploitable paths, or that it is any more secure than anything else out there, but it does mean that someone has to work a bit harder to find them. This is a form of security through obscurity. One of its drawbacks is the limited number of eyes that ever see the original source; mistakes are easier to leave in when fewer people have the opportunity to analyze the code. Open-source code is available for anyone to read and understand what the original coder was trying to do (more or less, depending on the coder's ability, organization, and comments), so there is the possibility that many more people will look at it and discover vulnerabilities that might otherwise never be found. The problem with open source is the assumption that all open-source software actually gets that level of scrutiny. Open-source software is just as likely to be vulnerable as closed-source software; last year's Heartbleed (OpenSSL) and Shellshock (bash) vulnerabilities demonstrated that. Just because anyone can read and evaluate the source code for flaws does not mean that anyone has.

Security is hard; there are too many factors to consider all at once. The only ways to truly raise the cost of a given attack are either to make applications so small that every possible outcome can be dissected, or to spend considerable time and money on hardening strategies so that applications resist exploitation from the beginning. In the first case you end up with an application of little or no use; at the other end of the spectrum you end up with an application that costs significantly more than the profit it can bring in.

The State of Security II (User Space)

In my last posting, I may have covered a few topics too quickly without detailing the points required to shift from one topic to the next. Today I would like to focus on just the last part and talk about user security and the things you can do at home, or at your mom's house, to raise the cost associated with an attack.

Keep everything up to date: We are far from having a perfect system, but what we have now is a community of security researchers who look for attacks currently in use. They dissect both public and private programs looking for vulnerabilities in much the same way that attackers do. The main difference is that they report them to the responsible organization so it can fix them. Some companies, like Google and Facebook, pay a finder's fee (a bug bounty) to those who successfully circumvent their security and responsibly report it, but most of the time there is nothing to gain. Companies will hopefully take responsible action, fix the holes in their code, and send updates out to their customer base.

0-day exploits are too prevalent for the signature definitions used by most anti-virus software to realistically defend against current attacks. One of the best ways to keep your systems from being vulnerable is to keep your computer, and all its software, up to date. Sometimes that is as easy as turning your computer on, sometimes you need to look for an update button, and sometimes it is as tricky as downloading updated firmware from somewhere and installing it manually. Dell, for example, has a website for driver and firmware updates for your computer, and those updates are often never installed unless you specifically go looking for them. Although the example here is Dell, the larger issue is your home router. For several years routers shipped with Wi-Fi Protected Setup (WPS) enabled by default to help end users set up encryption at home. When it was later discovered that the protocol's PIN method is wildly vulnerable to brute force (the router confirms each half of the eight-digit PIN separately, so an attacker needs at most about 11,000 guesses instead of 100 million), vendors turned it off or at least modified it to block that particular attack. But that still leaves hundreds of thousands of people with vulnerable routers at home. This is an issue that could be fixed by changing a single setting or, in the case of many Linksys devices, by updating the firmware.
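As an illustration of why the WPS flaw was so bad, here is the arithmetic in code. This is an added example, not from the original post or from any router vendor. The checksum routine is the one from the WPS specification (hostapd implements the same algorithm); SimulatedRegistrar, crack_wps_pin and the message labels are a simulation of the behaviour Stefan Viehböck described in 2011, in which the access point answers the first half of the PIN (after message M4) separately from the second half (after M6), so the two halves can be guessed independently.

```python
def wps_pin_checksum(first_seven_digits: int) -> int:
    """Eighth digit of a WPS PIN: a weighted sum over the first seven digits."""
    accum = 0
    pin = first_seven_digits
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(int(pin[:7]))


class SimulatedRegistrar:
    """Stand-in for an access point running the WPS PIN method (simulation only).

    The real protocol answers with an EAP-NACK after message M4 when the first
    four digits are wrong, and after M6 when the last four are wrong.  That
    leak is the design flaw: the attacker learns which half was wrong.
    """

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin)
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK after M4"
        if pin[4:] != self._pin[4:]:
            return "NACK after M6"
        return "M7"          # success: the AP hands over the Wi-Fi credentials


def crack_wps_pin(registrar: SimulatedRegistrar):
    """Recover the PIN half by half. Worst case 10^4 + 10^3 = 11,000 attempts."""
    first_half = None
    for h in range(10_000):                       # first half: 4 free digits
        if registrar.try_pin(f"{h:04d}0000") != "NACK after M4":
            first_half = h
            break
    if first_half is None:
        return None, registrar.attempts
    for s in range(1_000):                        # second half: 3 free digits, the 4th is the checksum
        seven = first_half * 1000 + s
        candidate = f"{seven:07d}{wps_pin_checksum(seven)}"
        if registrar.try_pin(candidate) == "M7":
            return candidate, registrar.attempts
    return None, registrar.attempts


NAIVE_KEYSPACE = 10 ** 8              # if the whole PIN were checked at once
SPLIT_KEYSPACE = 10 ** 4 + 10 ** 3    # what the WPS exchange actually gives away

if __name__ == "__main__":
    ap = SimulatedRegistrar("12345670")
    pin, tries = crack_wps_pin(ap)
    print(f"recovered {pin} after {tries} attempts "
          f"(worst case {SPLIT_KEYSPACE}, naive {NAIVE_KEYSPACE})")
```

Against a real access point each attempt is a full WPS exchange, which is why the practical attack takes hours rather than seconds, but 11,000 exchanges is still a single evening. Turning the PIN method off (or disabling WPS entirely) removes the oracle; rate limiting only slows it down.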

Don't click on links in e-mail: E-mail is easily the number one attack vector at any scale. If you get an e-mail from your bank, or eBay, or anyone else telling you something is wrong, something needs updating, or you just won a trip for two to Mars, don't click on it. Go to that website directly, or contact the organization directly, to find out what is going on. The only time it is acceptable to click a link in an e-mail is when you are expecting that e-mail. Say you sign up for a new account somewhere and at the end of registration it tells you to check your e-mail to verify the account. You know that e-mail will be in your inbox soon, you know why it is there, and you know who sent it; it is most likely a legitimate request. If you get an e-mail from your aunt Susan wanting you to click a link to see funny pictures of cats, don't do it, at least until you can verify that she actually sent it. Many e-mail-borne viruses spread by using the victim's address book to send copies of themselves to everyone the victim knows, so a familiar sender name proves nothing.
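A mechanical version of the "go to the website directly" advice, as an added example that is not part of the original post: it pulls every link out of an HTML message and flags the ones that do not look like they come from the organisation the message claims to be from. The usual tells are a bare IP address as the link target, an internationalised (punycode) host name that can imitate a familiar one, and visible link text that names one site while the href points at another. SAMPLE_EMAIL, bank.example.com and the function names are constructed for this example; 192.0.2.10 is a documentation address.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _belongs_to(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html: str, expected_domains):
    """Return [(href, [reasons])] for every link that does not look like it came from expected_domains."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _hostname(href)
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("link target is a bare IP address")
        except ValueError:
            pass                                   # not an IP literal, which is the normal case
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalised (punycode) host name")
        if text.startswith(("http://", "https://", "www.")) and _hostname(text) != host:
            reasons.append(f"visible text says {_hostname(text)} but the link goes to {host}")
        if not _belongs_to(host, expected_domains):
            reasons.append(f"{host} is not one of {sorted(expected_domains)}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message; bank.example.com is a placeholder, not a real institution.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Please confirm your details at
<a href="http://192.0.2.10/login">https://www.bank.example.com/login</a> within 24 hours.</p>
<p>Questions? Visit our <a href="https://www.bank.example.com/help">help centre</a>.</p>
<p><a href="https://xn--bnk-example-com.example.net/">bank.example.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, {"bank.example.com"}):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The check is deliberately conservative: the genuine help-centre link passes because its host sits under the expected domain, while the two phishing-style links are each reported with every reason that applies. Nothing here follows the link, so it is safe to run over mail you have not decided to trust.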

Use unique passwords: Let's talk about passwords for a while. A password is the secret you use to authenticate yourself to an organization, to let it know that it is really you. Some organizations have a greater interest in protecting your information than others. Say you have password X for your bank account. Your bank has authenticated itself to you with an EV certificate; the TLS handshake uses an RSA signature to prove the server's identity and ECDHE to agree on a session key, and the traffic is then encrypted with AES-256. Your password is not stored directly on the bank's servers but run through a slow key derivation function such as scrypt, or PBKDF2 with over 100,000 iterations, with a per-user salt and a server-wide secret (a pepper) mixed in for good measure. Now say you use that same password to buy something at some small online shop that saves your password in plain text on its servers. As a user you have just circumvented every security measure the bank built to protect your money: whoever steals that shop's database has your bank password. Creating unique random passwords for every website you visit is critical. If there are two things humans are bad at, they are creating random information and remembering it. Thankfully there are password managers such as LastPass and KeePass. Password management software introduces a new layer of complexity, and therefore a new place to be vulnerable, but the benefit you get from it significantly outweighs the risk. LastPass does a few things to mitigate that risk further: it encrypts your database and derives the key locally with PBKDF2 (10,000 iterations by default, and the user can raise the number), then runs PBKDF2 again with 100,000 iterations on the server side before storing the result, so the master password itself is never stored.
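The storage schemes contrasted above, as an added example (not the original post's code, and not LastPass's or any bank's implementation): one careful site stores a salted, peppered PBKDF2 hash, the careless shop stores plain text, and the same reused password opens both. client_side_auth_key sketches the password-manager pattern the paragraph describes, stretching the master password locally before anything is sent to a server. All function names, the pepper and the iteration counts are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """A unique random password per site from the OS CSPRNG (what a manager does for you)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, pepper: bytes, iterations: int = 100_000) -> str:
    """What a careful site stores: PBKDF2-HMAC-SHA256 over the password and a
    fresh per-user salt, then an HMAC under a server-wide secret (the pepper)
    that lives outside the database, so a dumped table alone is not enough."""
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    tag = hmac.new(pepper, stretched, "sha256").digest()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    algo, iterations, salt_hex, tag_hex = stored.split("$")
    assert algo == "pbkdf2_sha256"
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    tag = hmac.new(pepper, stretched, "sha256").digest()
    return hmac.compare_digest(tag, bytes.fromhex(tag_hex))     # constant-time comparison


def client_side_auth_key(master_password: str, username: str, iterations: int = 10_000) -> str:
    """Password-manager pattern: the client stretches the master password locally
    (salted with the account name) and sends only the result; the server then
    runs hash_password() on *that*, so the master password never leaves the machine."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), iterations).hex()


def reuse_demo() -> dict:
    """Constructed scenario: the shop stores plain text, the bank stores a hash,
    and the user used the same password at both."""
    pepper = os.urandom(32)
    password = generate_password()
    bank_record = hash_password(password, pepper)
    shop_record = password                      # plain text in the shop's database
    stolen = shop_record                        # attacker dumps the shop's table ...
    return {
        "bank_accepts_stolen_password": verify_password(stolen, bank_record, pepper),   # ... and it opens the bank
        "bank_accepts_guess": verify_password("hunter2", bank_record, pepper),
    }


if __name__ == "__main__":
    print("generated:", generate_password())
    print(reuse_demo())
```

Note what the bank's hashing does and does not buy: it stops an attacker who steals the bank's own table from recovering passwords cheaply, but it cannot help when the plain-text password arrives from somewhere else. Only a password that exists nowhere but at the bank protects the bank account.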

Be mindful of scripting: Browsers are smarter and faster than ever, and capable of doing significant damage to your operating environment. This topic is slightly more complicated because there are a few ways to approach it. The first is to use browser extensions designed to protect your surfing habits. Things like Adblock Plus and NoScript can help prevent malicious code from ever running on your computer, but both have drawbacks. Many companies earn their revenue from the ads they display; if you visit a site that provides free content and intentionally bypass its source of revenue, what is the difference between that and stealing? The flip side of that argument is that ads are served from external sources and have repeatedly been found to carry malicious code themselves (malvertising). Then there is the wide variety of scripting languages and plugins your browser understands, each with its own vulnerabilities that can escape the browser environment to compromise your system. Extensions like NoScript can completely prevent scripts from running on your machine, but configuring them is cumbersome and severely reduces the functionality of any interactive website you may wish to visit.

Another way to solve this problem is sandboxing. This could be a bootable OS on a thumb drive that you use only for browsing the internet (Ubuntu works well for this), or another OS running as a virtual machine. These methods are the most secure, but not always the most practical for simple day-to-day use. There is also software such as Deep Freeze or Microsoft's Windows SteadyState that lets you change anything on your computer and then, when you reboot, restores everything as if you were never on it. At the lightest end of this spectrum is software such as Sandboxie. Sandboxie is similar to Deep Freeze and SteadyState, except that it works on an application-by-application basis. You can run just Internet Explorer or Chrome in a sandbox, and when you close that sandbox it is as if it was never opened. The same goes for any other software you run that might be vulnerable. You can even install software inside a sandbox and run it that way, so when you close the sandbox all the adware and other junk that comes bundled with most software is gone as if it had never been there.

Conclusion: I am getting a bit long-winded at this point, so I will summarize the bullets.

· Keep everything up to date.

· Don't click on links in e-mail.

· Use unique passwords.

· Be mindful of scripting.