Anyone see a game changer here?
Part of the discussion of recent attacks by targeted email to individuals crafted to deceive that particular individual based on intelligence gathered for this use by governments.

"The alleged attacks from China are troubling on many fronts. On Thursday, security firm McAfee released a report saying the program used to target U.S. firms involved a so-called "zero day" vulnerability -- one that was to this point unknown to the security community, and thus indefensible by anti-virus software. The flaw involved Microsoft's Internet Explorer, McAfee said. Microsoft says it is working quickly to provide a software patch. But the malicious software attacks other software flaws too, McAfee said, adding this ominous note: "There very well may be other attack vectors that are not known to us at this time."

"These highly customized attacks known as advanced persistent threats were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior," wrote McAfee's George Kurtz in a blog post today. "They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered - it is too late...All I can say is wow. The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property."

Mark Rasch, former head of the Department of Justice computer crime unit, called the attacks "cyberwarfare," and said it was clearly an escalation of a digital conflict between China and the U.S.

As if the old threat models weren't bad enough...

Bruce
On 1/15/10 4:07 PM, Bruce Williams wrote:
As if the old threat models weren't bad enough...
The old threat models were simply not up to date. Gadi.
Bruce
-- Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
On Jan 15, 2010, at 9:21 AM, Gadi Evron wrote:
On 1/15/10 4:07 PM, Bruce Williams wrote:
As if the old threat models weren't bad enough...
The old threat models were simply not up to date.
Precisely correct. This has been going on for quite some time; some people simply weren't paying attention.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Where are these quotes coming from?

Marshall

On Jan 15, 2010, at 9:07 AM, Bruce Williams wrote:
Part of the discussion of recent attacks by targeted email to individuals crafted to deceive that particular individual based on intelligence gathered for this use by governments.
"The alleged attacks from China are troubling on many fronts. On Thursday, security firm McAfee released a report saying the program used to target U.S. firms involved a so-called "zero day" vulnerability -- one that was to this point unknown to the security community, and thus indefensible by anti-virus software. The flaw involved Microsoft's Internet Explorer, McAfee said. Microsoft says it is working quickly to provide a software patch. But the malicious software attacks other software flaws too, McAfee said, adding this ominous note: "There very well may be other attack vectors that are not known to us at this time."
"These highly customized attacks known as advanced persistent threats were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior,” wrote McAfee's George Kurtz in a blog post today. “They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered - it is too late…All I can say is wow. The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property."
Mark Rasch, former head of the Department of Justice computer crime unit, called the attacks “cyberwarfare,” and said it was clearly an escalation of a digital conflict between China and the U.S.
As if the old threat models weren't bad enough...
Bruce
On Fri, Jan 15, 2010 at 10:20:33AM -0500, Marshall Eubanks wrote:
Where are these quotes coming from ?
That particular one: http://redtape.msnbc.com/2010/01/gregory-fayer-opened-an-e-mail-on-monday-ni...

Some more commentary: http://www.wired.com/threatlevel/2010/01/operation-aurora/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired27b+%28Blog+-+27B+Stroke+6+%28Threat+Level%29%29&utm_content=Google+Reader

Of course, you'll have to follow links in an email in order to read those, if you dare.

Marcus
On Fri, 15 Jan 2010, Bruce Williams wrote:
"The alleged attacks from China are troubling on many fronts. On Thursday, security firm McAfee released a report saying the program used to target U.S. firms involved a so-called "zero day" vulnerability -- one that was to this point unknown to the security community, and thus indefensible by anti-virus software. The flaw ... "These highly customized attacks known as advanced persistent threats were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior, wrote McAfee's George Kurtz in a
He makes it sound like nobody's ever discovered 0-day sploits in use in the wild / had 0-day sploits used against them. The term 0-day has been around for quite some time for a reason. I don't see anything new here other than the insinuation that the Chinese government might have been behind their use. Does anyone really believe that the use of targeted 0-day exploits to gain unauthorized access to information hasn't been at least considered if not used by spies working for other [than China] countries?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Jan 15, 2010, at 10:37 AM, Jon Lewis wrote:
Does anyone really believe that the use of targeted 0-day exploits to gain unauthorized access to information hasn't been at least considered if not used by spies working for other [than China] countries?
I think only those not paying attention would be left with that impression.

Spying has been done for years on every side of various issues. Build a more complex system, someone will eventually find the weak points.

Personally I was amused at people adding cement to USB ports to mitigate against the "removable media threat". The issue I see is people forget that floppies posed the same threat back in the day.

The reality is that the technology is complex and easily used in asymmetrical ways, either for DDoS or for other purposes.

The game is the same, it's just that some people are paying attention this week. It will soon go back to being harmless background radiation for most of us.

- Jared
On Jan 15, 2010, at 10:43 AM, Jared Mauch wrote:
On Jan 15, 2010, at 10:37 AM, Jon Lewis wrote:
Does anyone really believe that the use of targeted 0-day exploits to gain unauthorized access to information hasn't been at least considered if not used by spies working for other [than China] countries?
I think only those not paying attention would be left with that impression.
Spying has been done for years on every side of various issues. Build a more complex system, someone will eventually find the weak points.
Personally I was amused at people adding cement to USB ports to mitigate against the "removable media threat". The issue I see is people forget that floppies posed the same threat back in the day.
The reality is that the technology is complex and easily used in asymmetrical ways, either for DDoS or for other purposes.
The game is the same, it's just that some people are paying attention this week. It will soon go back to being harmless background radiation for most of us.
The "difference" this week is motive.

In the 1980s-1990s, we had joy-hacking.

In the 2000s, we had profit-motivated hacking by criminals.

We now have (and have had for a few years) what appears to be nation-state hacking. The differences are in targets and resources available to the attacker.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
We now have (and have had for a few years) what appears to be nation-state hacking. The differences are in targets and resources available to the attacker.
Agreed, and given that it is easier to aggregate bits of information from different sources to put together the puzzle, it makes more sense for a nation-state to do so when they are pursuing information about advanced technology.

Folks are concerned about the coming fall IETF meeting. Without drinking from the conspiracy theory fountain, I'm almost sure that -unless somebody does something really stupid- nobody will have any problems; the host country will be delighted to have so many "technologists" with juicy information and experience under their roof and "surveillance."

Regards
Jorge
On 1/15/10 5:52 PM, Steven Bellovin wrote:
On Jan 15, 2010, at 10:43 AM, Jared Mauch wrote:
On Jan 15, 2010, at 10:37 AM, Jon Lewis wrote:
Does anyone really believe that the use of targeted 0-day exploits to gain unauthorized access to information hasn't been at least considered if not used by spies working for other [than China] countries?
I think only those not paying attention would be left with that impression.
Spying has been done for years on every side of various issues. Build a more complex system, someone will eventually find the weak points.
Personally I was amused at people adding cement to USB ports to mitigate against the "removable media threat". The issue I see is people forget that floppies posed the same threat back in the day.
The reality is that the technology is complex and easily used in asymmetrical ways, either for DDoS or for other purposes.
The game is the same, it's just that some people are paying attention this week. It will soon go back to being harmless background radiation for most of us.
The "difference" this week is motive.
In the 1980s-1990s, we had joy-hacking.
In the 2000s, we had profit-motivated hacking by criminals.
We now have (and have had for a few years) what appears to be nation-state hacking. The differences are in targets and resources available to the attacker.
And indeed, what do we even know of this incident _for_sure_ so far? The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day. Both are likely vectors which have been seen used before.

Regardless of what really happened, which I hope we will know more on later, these things are clear:

1. Unlike GhostNet, which showed an interesting attack but jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement. Did Google ever say it's China rather than from China?

2. The 0day disclosed here shows a higher level of sophistication, as well as m.o. which has been shown to be used by China in the past (consider 0days patched by Microsoft and reported by the Taiwanese government).

3. If this was China, which some recent talk seems to make ambiguous, but still likely; they would have more than just one weapon in their arsenal. The attack would not have been against all these corporations, but rather multiple attacks, and possibly multiple tools.

4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.

As to "everyone does it", here is an example I wrote of the German experience (not my best writing, but good analysis): http://www.darkreading.com/blog/archives/2009/03/german_intellig.html

Gadi.

-- Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
On Jan 15, 2010, at 8:13 AM, Gadi Evron wrote:
1. Unlike GhostNet, which showed an interesting attack but jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement. Did Google ever say it's China rather than from China?
To my understanding they believe that people that live in China are relevant (which is why they brought it up in the context), but they are very carefully saying that they don't know the exact perpetrators. http://www.ipinc.net/IPv4.GIF
On 1/15/10 10:15 PM, Fred Baker wrote:
On Jan 15, 2010, at 8:13 AM, Gadi Evron wrote:
1. Unlike GhostNet, which showed an interesting attack but jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement. Did Google ever say it's China rather than from China?
To my understanding they believe that people that live in China are relevant (which is why they brought it up in the context), but they are very carefully saying that they don't know the exact perpetrators.
Absolutely, they pointed it out to me elsewhere (I copy-pasted). I made a mistake. I mention them as #1 before the current incident out of respect. This should have said "but many jumped to conclusions..." which is also what I said at the time, and supports my third point. Thanks for pointing this out. Gadi. -- Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
To my understanding they believe that people that live in China are relevant (which is why they brought it up in the context), but they are very carefully saying that they don't know the exact perpetrators.
Uh, Fred, the link is to an image that has nothing to do with the topic. Can you prove you are not Chinese and my computer is not hacked? Fred is your real name, isn't it? You are Fred, aren't you?

Seriously, it suddenly came to mind that this list is a "high value target" and many people click away on links from who knows who. I guess it's the classic shoemaker's kids have no shoes situation....

Bruce

-- "Discovering...discovering...we will never cease discovering... and the end of all our discovering will be to return to the place where we began and to know it for the first time." -T.S. Eliot
On Jan 16, 2010, at 12:15 AM, Fred Baker wrote:
On Jan 15, 2010, at 3:05 PM, Bruce Williams wrote:
Can you prove you are not Chinese and my computer is not hacked? Fred is your real name, isn't it? You are Fred, aren't you?
You. Says so on my business card...
<IMG_2226_2.jpg>
看的也不見! [Even looking, you cannot see it!]

TV
On Jan 15, 2010, at 4:34 PM, tvest@eyeconomics.com wrote:
On Jan 16, 2010, at 12:15 AM, Fred Baker wrote:
On Jan 15, 2010, at 3:05 PM, Bruce Williams wrote:
Can you prove you are not Chinese and my computer is not hacked? Fred is your real name, isn't it? You are Fred, aren't you?
You. Says so on my business card...
<IMG_2226_2.jpg>
看的也不見! [Even looking, you cannot see it!]
Google Translation tells me this means "see never see!". Let me guess, there's a better translation.
That's the translation the Chinese Government has inserted into the Google Translation service. ;)

-----Original Message-----
From: Fred Baker [mailto:fred@cisco.com]
Sent: Friday, January 15, 2010 4:28 PM
To: tvest@eyeconomics.com
Cc: NANOG
Subject: Re: Anyone see a game changer here?

On Jan 15, 2010, at 4:34 PM, tvest@eyeconomics.com wrote:
On Jan 16, 2010, at 12:15 AM, Fred Baker wrote:
On Jan 15, 2010, at 3:05 PM, Bruce Williams wrote:
Can you prove you are not Chinese and my computer is not hacked? Fred is your real name, isn't it? You are Fred, aren't you?
You. Says so on my business card...
<IMG_2226_2.jpg>
看的也不見! [Even looking, you cannot see it!]
Google Translation tells me this means "see never see!". Let me guess, there's a better translation.
On 1/15/10 5:52 PM, Steven Bellovin wrote:
The "difference" this week is motive.
In the 1980s-1990s, we had joy-hacking.
In the 2000s, we had profit-motivated hacking by criminals.
We now have (and have had for a few years) what appears to be nation-state hacking. The differences are in targets and resources available to the attacker.
Following up -- I just wrote a blog on the subject called "the fog of cyberwar": http://darkreading.com/blog/archives/2010/01/fog_of_cyberwar.html

In short: While we are all talking of Google's morals and US/China diplomacy, there are some questions that mostly remain unasked:

1. Did Google hack a Taiwanese server to investigate the breach? If so, good for them. Our ethics need to catch up to our morals, as we usually wake up to a new world others created for us, a few years too late. But, for now, it's still illegal so some details would be nice. As you know, I have been calling for more than "get slapped, write analysis" response to cyber crime for a long time, but we need to be careful not to start an offensive the Internet can't win (criminals willing to play scorched Earth--we're not, and our legal/ethical limitations).

2. Is Microsoft, while usually timely and responsible, completely irresponsible in wanting to patch this only in February? While they patched it sooner (which couldn't have been easy), their over-all policy is very disturbing and in my opinion calls for IE to not be used anymore.

3. Why are people treating targeted attacks as a new threat model? Their threat models are just old. This we discussed here.

Oh yeah, and this is espionage, not cyber war. Computers are just new tools/weapons for an old motive. Espionage unlike cyber crime and cyber war is well established in law and diplomacy both. Security experts should not spread fear, and they definitely shouldn't be the ones people look to for answers on this.

Thoughts?

Gadi.

-- Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
On 1/15/10 5:52 PM, Steven Bellovin wrote:
[...]
2. Is Microsoft, while usually timely and responsible, completely irresponsible in wanting to patch this only in February? While they patched it sooner (which couldn't have been easy), their over-all policy is very disturbing and in my opinion calls for IE to not be used anymore.

It is not as if there are a wealth of alternatives. There are still many cases where IE or MSHTML components are a pre-requisite to access a certain product that is important to the user. A canonical example would be:

Intranet apps, web-managed routers, switches, firewalls, or other network infrastructure that can only be administered using MSIE version 6 (ActiveX control, or old HTML relying on IE features) -- probably devices with old software. Mail readers such as Outlook with MSHTML components embedded.

[...]
3. Why are people treating targeted attacks as a new threat model? Their threat models are just old. This we discussed here.

It's an old model that could have fallen into some measure of disuse. Targeted attacks are possibly riskier to launch than randomly dispersed attacks, and require an insider or more determined attacker who can effect social engineering in the right place; the result is they are rarer.

Intuitively, hardly any user thinks they can personally be subject to a complex targeted attack penetrating multiple security layers and requiring obscure enterprise-specific info.... until it happens... because people assume complexity of the required attack, and 'security software' such as Antivirus lead to a high level of safety, without ever having a logical or statistically rigorous basis for arriving at the assumption.

Perhaps there were so many non-targeted attacks that the idea of "targeted attack" was drowned out of the security dialogue and forgotten by some.. or there was a mistaken belief that the targeted attacks automatically get stopped by the firewall and mod_security...

-- I believe 3 to 4 weeks is par for the course with most major software manufacturers, even for a patch to a critical security issue...

It is really impossible to make a reasonable assessment on Microsoft's response based on just one event (where in fact, they pulled through).

I don't perceive that Microsoft have any solid history of being more timely or more responsible than other vendors. In most cases, they have released patches soon after a serious advisory was made public, but the date the vulnerability was first discovered and reported to Microsoft is not disclosed in the advisory or patch too often, that I saw. As I understand: a vulnerability might have first been reported to MS months or years before they released a patch or even acknowledged there was an issue, in some cases. Sometimes they even advise, but say there will be no patch (e.g. Windows XP and MS09-048).

A "true" zero day like the recent one, where the exploit is in the wild and in use by blackhats prior to the vendor even being aware of a possible vulnerability, is a different animal than routine security patches (even ones listed as critical or high-priority).

Because (no doubt) it requires some strong measure of analysis first to determine what code is being exploited, in addition to the normal steps involved in fixing a hole.... e.g. determining what the actual possible bug(s) are, and how to fix, without probably introducing new ones, or missing some conditions.

-- -J
The problem with IE is the same problem as Windows: the basic design is fundamentally insecure and "timely updates" can't fix that.

Bruce

On Thu, Jan 21, 2010 at 9:19 PM, James Hess <mysidia@gmail.com> wrote:
On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
On 1/15/10 5:52 PM, Steven Bellovin wrote:
[...]
2. Is Microsoft, while usually timely and responsible, completely irresponsible in wanting to patch this only in February? While they patched it sooner (which couldn't have been easy), their over-all policy is very disturbing and in my opinion calls for IE to not be used anymore.
It is not as if there are a wealth of alternatives. There are still many cases, where IE or MSHTML components are a pre-requisite, to access a certain product that is important to the user. A canonical example, would be:
Intranet apps, web-managed routers, switches, firewalls, or other network infrastructure that can only be administered using MSIE version 6 (ActiveX control, or old HTML relying on IE features) -- probably devices with old software. Mail readers such as Outlook with MSHTML components embedded.
[...]
3. Why are people treating targeted attacks as a new threat model? Their threat models are just old. This we discussed here.

It's an old model that could have fallen into some measure of disuse. Targeted attacks are possibly riskier to launch than randomly dispersed attacks, and require an insider or more determined attacker who can effect social engineering in the right place; the result is they are rarer.

Intuitively, hardly any user thinks they can personally be subject to a complex targeted attack penetrating multiple security layers and requiring obscure enterprise-specific info.... until it happens... because people assume complexity of the required attack, and 'security software' such as Antivirus lead to a high level of safety, without ever having a logical or statistically rigorous basis for arriving at the assumption.

Perhaps there were so many non-targeted attacks that the idea of "targeted attack" was drowned out of the security dialogue and forgotten by some.. or there was a mistaken belief that the targeted attacks automatically get stopped by the firewall and mod_security...
-- I believe 3 to 4 weeks is par for the course, with most major software manufacturers, even for a patch to a critical security issue...
It is really impossible to make a reasonable assessment on Microsoft's response based on just one event (where in fact, they pulled through).
I don't perceive that Microsoft have any solid history of being more timely or more responsible, than other vendors. In most cases, they have released patches soon after a serious advisory was made public, but the date the vulnerability was first discovered and reported to Microsoft, is not disclosed in the advisory or patch too often, that I saw. As I understand: a vulnerability might have first been reported to MS months or years before they released a patch or even acknowledged there was an issue, in some cases. Sometimes they even advise, but say there will be no patch (e.g. Windows XP and MS09-048 ).
A "true" zero day like the recent one, where the exploit is in the wild and in use by blackhats prior to the vendor even being aware of a possible vulnerability, is a different animal, than routine security patches (even ones listed as critical or high-priority).
Because (no doubt) it requires some strong measure of analysis first to determine what code is being exploited, in addition to the normal steps involved in fixing a hole.... e.g. determining what the actual possible bug(s) are, and how to fix, without probably introducing new ones, or missing some conditions.
-- -J
-- “Discovering...discovering...we will never cease discovering... and the end of all our discovering will be to return to the place where we began and to know it for the first time.” -T.S. Eliot
On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
The problem with IE is the same problem as Windows: the basic design is fundamentally insecure and "timely updates" can't fix that.
You do realize, of course, that IE is recording less than half the security flaw rate of Firefox? (See http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vul...) --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
The problem with IE is the same problem as Windows: the basic design is fundamentally insecure and "timely updates" can't fix that.
You do realize, of course, that IE is recording less than half the security flaw rate of Firefox? (See http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vul...)
Consider for a moment that both Firefox and Safari are built on open-source code where the code can be audited. As a result, it is clear why Firefox and Safari are more "insecure" than IE, it is simply because the code is there to be audited. Frankly, they are all about the same security-wise. William
On 1/22/10 8:37 PM, William Pitcock wrote:
On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
The problem with IE is the same problem as Windows: the basic design is fundamentally insecure and "timely updates" can't fix that.
You do realize, of course, that IE is recording less than half the security flaw rate of Firefox? (See http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vul...)
Consider for a moment that both Firefox and Safari are built on open-source code where the code can be audited. As a result, it is clear why Firefox and Safari are more "insecure" than IE, it is simply because the code is there to be audited.
Frankly, they are all about the same security-wise.
William
I have a feeling that most of the 'security' problems with firefox are related to extensions/addons/plugins, rather than the firefox application itself. You can't fault the devs for unsupported addons/extensions/plugins that are made by a third party with questionable levels of programming skills.

M$ tried this same thing, comparing Linux to Windows vulns, neglecting to mention that the only reason why there were more Linux exploits was because they were including things other than the kernel and base system.

-- Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
On Jan 22, 2010, at 10:37 PM, William Pitcock wrote:
On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
The problem with IE is the same problem as Windows: the basic design is fundamentally insecure and "timely updates" can't fix that.
You do realize, of course, that IE is recording less than half the security flaw rate of Firefox? (See http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vul...)
Consider for a moment that both Firefox and Safari are built on open-source code where the code can be audited. As a result, it is clear why Firefox and Safari are more "insecure" than IE, it is simply because the code is there to be audited.
Frankly, they are all about the same security-wise.
I think that that's wishful thinking. IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this". They've also put a lot of effort into building and using security tools. (For earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)

I'm not a fan of Windows. I think it's ugly and bloated, and I don't like it as a user environment. I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD. If the world suddenly switched its OS of choice away from Windows, I wouldn't weep. But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
On 1/23/10 6:08 AM, Steven Bellovin wrote:
I think that that's wishful thinking. IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this". They've also put a lot of effort into building and using security tools. (For earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)
I'm not a fan of Windows. I think it's ugly and bloated, and I don't like it as a user environment. I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD. If the world suddenly switched its OS of choice away from Windows, I wouldn't weep. But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.
Microsoft has put a lot into securing its code, and is very good at doing so. My main argument here is about the policy of handling vulnerabilities for 6 months without patching (such as this one apparently was) and the policy of waiting a whole month before patching an in-the-wild 0day exploit.

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

Gadi.

-- Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
On Thu, 2010-01-21 at 23:19 -0600, James Hess wrote:
On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
It is not as if there are a wealth of alternatives. There are still many cases where IE or MSHTML components are a prerequisite to access a certain product that is important to the user. A canonical example would be:
Intranet apps, web-managed routers, switches, firewalls, or other network infrastructure that can only be administered using MSIE version 6 (ActiveX control, or old HTML relying on IE features) -- probably devices with old software. Mail readers such as Outlook with MSHTML components embedded.
Luckily, in the last 18 months especially, I've seen several different corporate requirements tenders specify __against__ these (huge) problems, at least in non-US contracts. The first-hand argument I've heard for this is that it can actually reduce the tendered proposal bottom line and TCO, quite the reverse of what you would assume (probably by more lateral thinking by the Tenders). Notably, ActiveX was proscribed, followed recently by Silverlight. Certainly, the first firm to do it about 3 years ago has now written it into EVERY request as standard text. Granted, these are only around half-to-1M US$ tenders, but it's a (small) start. Whether this actually improves the general market/quality/usability of devices is yet to be seen by me and my circle; maybe they are all just niche companies. They use lots of Sun/EMC/Brocade and similar. Yet, I have to say that the kit they end up installing is much easier to work with for Beasties and Tuxheads; far fewer VMs or Wine just to use IE or some obscure app (to us, that is), so a much faster/more familiar job-flow, and fewer gotchas/misconfigs. Still, no complaints from MS-trained/based engineers that I've heard of who get contracted in; this isn't super-uber-BOFH stuff. I was truly shocked the first time I read "Standards Compliant" and "BCPs/RFCs" in a corporate acquisition tender pack, for sure. YM<will>V. Gord
On Fri, 22 Jan 2010 05:52:11 +0200, Gadi Evron said:
1. Did Google hack a Taiwanese server to investigate the breach? If so, good for them.
No, *not* good. If *you* had a server that got compromised, and used to launch attacks on 500 sites, would you want to try to deal with 500 return strikes? Especially if the initial strike happens at 5:47PM on a Friday, and by the time you come in on Monday morning, you've been pwned by 197 different return strikes? Then the fun *really* starts when you call your national CERT and report you've been hit by an organized set of targeted attacks from 198 locations and hilarity ensues because your CERT can't contact 143 of them and verify it was a return strike. Definitely one of the sillier things I've heard Gadi say in a while...
On Thu, Jan 21, 2010 at 7:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
I just wrote a blog on the subject called "the fog of cyberwar": http://darkreading.com/blog/archives/2010/01/fog_of_cyberwar.html
In short: While we are all talking of Google's morals and US/China diplomacy, there are some questions that mostly remain unasked:
1. Did Google hack a Taiwanese server to investigate the breach? If so, good for them. Our ethics need to catch up to our morals, as we usually wake up to a new world others created for us, a few years too late. But, for now, it's still illegal so some details would be nice.
From your blog post: "While reporting is vague, Google has supposedly broken into a server in Taiwan (unless information of working through Taiwanese authorities, or that someone else has done this for Google, becomes available)."
So... you're taking incomplete information hyped up by "tech" reporters operating based on leaks from people tangential to an investigation as fact, and deciding that if Google doesn't tell you the details of an ongoing criminal investigation that you'll assume they broke the law. Damian -- Damian Menscher :: Security Reliability Engineer :: Google
On 1/24/10 6:37 AM, Damian Menscher wrote:
So... you're taking incomplete information hyped up by "tech" reporters operating based on leaks from people tangential to an investigation as fact, and deciding that if Google doesn't tell you the details of an ongoing criminal investigation that you'll assume they broke the law.
No. I write there's incomplete information, mention what possibly happened, what alternatives exist, and ask for more data. Yes, if Google did do it, I support the move. Do you have new information to kill speculation, or should these "tech" reporters keep at it? Gadi.
On Sat, Jan 23, 2010 at 9:20 PM, Gadi Evron <ge@linuxbox.org> wrote:
On 1/24/10 6:37 AM, Damian Menscher wrote:
So... you're taking incomplete information hyped up by "tech" reporters operating based on leaks from people tangential to an investigation as fact, and deciding that if Google doesn't tell you the details of an ongoing criminal investigation that you'll assume they broke the law.
No. I write there's incomplete information, mention what possibly happened, what alternatives exist, and ask for more data.
Yes, if Google did do it, I support the move.
Do you have new information to kill speculation, or should these "tech" reporters keep at it?
Nobody who knows anything is going to say anything, as this is an ongoing criminal investigation. I'm afraid I'll have to leave you to your speculation. Damian -- Damian Menscher :: Security Reliability Engineer :: Google
On 1/24/10 7:48 AM, Damian Menscher wrote:
On Sat, Jan 23, 2010 at 9:20 PM, Gadi Evron<ge@linuxbox.org> wrote:
On 1/24/10 6:37 AM, Damian Menscher wrote:
So... you're taking incomplete information hyped up by "tech" reporters operating based on leaks from people tangential to an investigation as fact, and deciding that if Google doesn't tell you the details of an ongoing criminal investigation that you'll assume they broke the law.
No. I write there's incomplete information, mention what possibly happened, what alternatives exist, and ask for more data.
Yes, if Google did do it, I support the move.
Do you have new information to kill speculation, or should these "tech" reporters keep at it?
Nobody who knows anything is going to say anything, as this is an ongoing criminal investigation. I'm afraid I'll have to leave you to your speculation.
Fair enough.
Damian
-- Gadi Evron, ge@linuxbox.org. Blog: http://gevron.livejournal.com/
On 1/24/10 7:20 AM, Gadi Evron wrote:
On 1/24/10 6:37 AM, Damian Menscher wrote:
So... you're taking incomplete information hyped up by "tech" reporters operating based on leaks from people tangential to an investigation as fact, and deciding that if Google doesn't tell you the details of an ongoing criminal investigation that you'll assume they broke the law.
No. I write there's incomplete information, mention what possibly happened, what alternatives exist, and ask for more data.
To illustrate, you quoted: "While reporting is vague, Google has supposedly broken into a server in Taiwan (unless information of working through Taiwanese authorities, or that someone else has done this for Google, becomes available)." The paragraph continues, with: "If this happened, ..." I hope this solves any misunderstanding. Gadi.
Personally I was amused at people adding cement to USB ports to mitigate against the "removable media threat". The issue I see is people forget that floppies posed the same threat back in the day.
Do you mean the "AutoRun" threat, since this sort of thing is usually done by people who (a) run M$ Winders and (b) do not know how to turn off the really annoying "helpful" features created by the clueless idiots in Redmond ... and those idiots keep on creating more and more security hole "features" that have to be disabled. Someone should tell the idiots who design APIs that APIs are designed to be used -- and they will be used to do what they were designed to do -- and if that design constitutes a security flaw, then it will be used as such, and the only solution is to stop designing stupid APIs. The most laughable example is the creation of API hooks into the kernel for use by AntiVirus vendors. Unfortunately, these APIs can, by their very definition, be used by anyone who wants for any purpose they desire. Personally, I would prefer a secure kernel that cannot be tampered with or compromised by anyone. Adding a deliberately designed security flaw to enable a third party to stay in business providing a partial plug for the deliberately designed hole is utter lunacy! Back to removable media: AutoRun is, and always has been, completely trivial to completely, utterly and irrevocably disable -- and I have been doing so since, well, since this idiotic mis-feature first appeared somewhere in the early '90s. The same applies to other crap-ware vectors such as Flash. Just because some people are slow or do not pay attention to what has been going on in the world for 20 years does not make these "new". It's like dogs -- they have been around for thousands of years. Some people just don't notice that they have teeth until they, through their own stupidity, get bitten by one. Now, back to your regularly scheduled programming ...
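As an added illustration of the "trivial to disable" point above (example code, not part of the thread or of any participant's message): the Explorer policy value NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed, and 0xFF covers every drive type. The script below writes that value under both the machine-wide (HKLM) and current-user (HKCU) policy keys and then reads both back, so a defender can confirm the setting actually took effect rather than assuming it did. The function names Set-AutoRunDisabled and Test-AutoRunDisabled are this example's own; run it from an elevated prompt so the HKLM write succeeds.

```powershell
# Added example: disable AutoRun for every drive type via the documented
# NoDriveTypeAutoRun policy value, then verify the setting was applied.
# 0xFF sets the bit for every drive type, so AutoRun is suppressed everywhere.
# HKLM applies to all users on the machine; HKCU covers the current user only.
# (Function names are this example's own, not a Windows API.)

$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Set-AutoRunDisabled {
    param([string[]]$KeyPaths)
    foreach ($key in $KeyPaths) {
        # The Policies\Explorer key may not exist on a fresh install.
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' `
            -PropertyType DWord -Value 0xFF -Force | Out-Null
    }
}

function Test-AutoRunDisabled {
    param([string[]]$KeyPaths)
    $ok = $true
    foreach ($key in $KeyPaths) {
        $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        # Anything other than 0xFF (255) means some drive type still autoruns.
        if ($value -ne 0xFF) {
            Write-Warning "$key : NoDriveTypeAutoRun is '$value', expected 255"
            $ok = $false
        }
    }
    return $ok
}

Set-AutoRunDisabled -KeyPaths $Paths
if (Test-AutoRunDisabled -KeyPaths $Paths) {
    'AutoRun disabled for all drive types'
}
```

In a domain the same value is pushed centrally through the "Turn off Autoplay" Group Policy setting (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies); the verification half of the script is still useful there, because a policy that never applied to a given host looks identical to one that was never configured.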
On Fri, Jan 15, 2010 at 2:07 PM, Bruce Williams <williams.bruce@gmail.com> wrote:
Mark Rasch, former head of the Department of Justice computer crime unit, called the attacks “cyberwarfare,” and said it was clearly an escalation of a digital conflict between China and the U.S.
As if the old threat models weren't bad enough...
Bruce
It appears this is just western propaganda because: One analyst said Friday that he is not sure the attacks point to the Chinese government. Rob Knake, a cybersecurity expert with the Council on Foreign Relations, said his analysis of results from a technology firm investigating the attacks suggests that they "were not state-sponsored or the work of an elite, sophisticated group such as the Chinese military." http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503... Andrew
On Fri, Jan 15, 2010 at 2:07 PM, Bruce Williams <williams.bruce@gmail.com> wrote:
Mark Rasch, former head of the Department of Justice computer crime unit, called the attacks cyberwarfare, and said it was clearly an escalation of a digital conflict between China and the U.S.
As if the old threat models weren't bad enough...
Bruce
It appears this is just western propaganda because:
One analyst said Friday that he is not sure the attacks point to the Chinese government. Rob Knake, a cybersecurity expert with the Council on Foreign Relations, said his analysis of results from a technology firm investigating the attacks suggests that they "were not state-sponsored or the work of an elite, sophisticated group such as the Chinese military."
http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503...
It's kind of a stretch to go calling it "western propaganda" just because one cybersecurity expert "is not sure". If another cybersecurity expert suggested that it seemed possible that little green men might be responsible for the attacks, would you suddenly believe in Martians? There is almost always someone who will take up an opposing point of view. It's certainly good to keep in mind that there's a margin for error in these sorts of things. However, it's also smart to keep in mind that a large number of people have looked at this issue, most certainly including a slew of experts from the government, who would have had to agree with the China assessment prior to the State Department decision to issue a formal protest. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
-----Original Message----- From: andrew.wallace
It appears this is just western propaganda because:
One analyst said Friday that he is not sure the attacks point to the Chinese government. Rob Knake, a cybersecurity expert with the Council on Foreign Relations, said his analysis of results from a technology firm investigating the attacks suggests that they "were not state-sponsored or the work of an elite, sophisticated group such as the Chinese military."
http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503321.html
Andrew
At some point, due to fundamental human nature, it doesn't matter if a government is doing it or not. Imagine if private citizens of one country were shooting at the citizens of another country across the border while the army stood by and simply watched. The country on the receiving end asks for it to stop, but the country where the shooting is originating from says "hey, we aren't doing it! It is originating from our country but it isn't the government doing it", whereas the receiving side says "I don't care who is doing it, please make them stop."

It can be damaging to a country's or network operator's reputation as a good neighbor if they allow such chaos to continue without doing anything about it. In many other countries where governments exert less control, the network operators themselves often police their users by disconnecting those who are seen to engage in such activities. A network operator who refuses to cooperate is often seen by their peers as somehow "rogue" and may be shunned by the community.

The point is that it doesn't matter who is at the keyboard or who is coding the malware. If they are enabled by their network operator or government looking the other way, then it is a natural tendency for people to instinctively hold them partially responsible for the conduct as being complicit in it. And that isn't anything unique to China in particular; the same thing goes for a network operator or government anywhere on the planet.

I think in this case, because China does exercise a lot of control over their network traffic, there is a natural tendency for people to become frustrated when they get the feeling that the government is doing nothing to stop this sort of traffic while other types of traffic are vigorously policed. So the next question would be, to what extent do the various network operators in China assist in disconnecting the sources of such traffic? I think I already know the answer.
participants (21)
- andrew.wallace
- Brielle Bruns
- Bruce Williams
- Damian Menscher
- Fred Baker
- Gadi Evron
- George Bonser
- gordon b slater
- James Hess
- Jared Mauch
- Joe Greco
- Jon Lewis
- Jorge Amodio
- Keith Medcalf
- Marcus Reid
- Marshall Eubanks
- Steven Bellovin
- tvest@eyeconomics.com
- Valdis.Kletnieks@vt.edu
- Warren Bailey
- William Pitcock