[Snip good collection of security setting suggestions. Does anybody have others or a URL?]
I could never quite understand how anyone could get "phished" by e-mail since I have never ever seen a "phishing" or other malicious message that was not obviously so, even when I don't have me spectacles on!
Your imagination needs serious recalibration. You are a geek, not a naive, dumb, or unfortunately, typical user. Windows security sucks. Most users will pick convenience over security. What fraction of users (customers) would be happy with your suggested settings? Phishers are smart. They are willing to work for high value targets. Google for >spear phishing<. After you have read a few of those, google for > spear phishing RSA<.
From the comments section of an Arstechnica article on the RSA event:
So why do any workplace computers in sensitive environments have Flash in the first place? Because the training materials are no doubt flash based.
:) If you are interested in security, the whole comments section may be worth scanning.

My probably naive view is that this type of problem could easily be solved by having the serious work done on a special class of well locked down machines and making a pool of more open systems available for checking mail or facebook or whatever.

I've heard stories of people filling USB slots with epoxy so idiots can't insert thumb drives found in the parking lot or brought from home. I forget the context.

--
These are my opinions. I hate spam.
Windows security sucks.
The real problem with Windows is that there exist folks who believe that it is, or can be, secured. They believe the six-colour glossy, the Gartner Reports, and other (manufacturers') propaganda. As a consequence they do not act in a fashion which will keep them safe.
Most users will pick convenience over security. What fraction of users (customers) would be happy with your suggested settings?
More than you might think -- still a minority however. There's not 2.437 pounds yet.
My probably naive view is that this type of problem could easily be solved by having the serious work done on a special class of well locked down machines and making a pool of more open systems available for checking mail or facebook or whatever.
You would be surprised at the number of Fortune 500 companies that lock-down their policies into deliberately insecure settings, and refuse to permit more secure settings. I can't quite figure this out, except to observe that there is a very severe shortage of security clue in the world and an appalling over-abundance of ignorance and stupidity.
I've heard stories of people filling USB slots with epoxy so idiots can't insert thumb drives found in the parking lot or brought from home. I forget the context.
This is, unfortunately, a typical reaction which arises from a failure to carry out proper root-cause analysis. The root cause of the issue is not "thumb drives", "baby fingernail drives", or whatever removable media type. The root cause is the propensity of Windows to engage in "magical" behaviour -- to put executable "data" everywhere and then to execute that "data", magically. And a failure to provide a "Magic Off" setting that actually works. Actually, there is -- it is called the power switch. Seriously though most of the magic can be turned off or bypassed, if you want to.

Companies that engage in such behaviour are signing their own "all our base are belong to you" death warrants. Rather than voting with their wallets and insisting on correction of the root-cause of the problem, they instead continue to pour money down the crapper investing in never-ending supplies of draino and roto-rooters while at the same time continuing to financially reward the paper-towel flushers so they can buy and flush yet more clogging crap which requires yet more draino and roto-rooters. Shampoo, Lather, Rinse, Repeat. (Looking up the effects of adding those instructions to shampoo by Procter & Gamble on their sales and profits is left as an exercise for the reader).

Security does not require buying more draino and roto-rooters. It just requires that you not do stupid things inimical to security. Stop flushing paper towels down the toilet and you don't need draino and roto-rooters, nor will you need hazmat gear to clean the oozing excrement off the floor. Of course, it might be wise to keep a bottle of draino, a roto-rooter, and some hazmat gear on hand just in case -- but to concentrate on the symptoms rather than the underlying cause is just plain stupidity. Deliberately encouraging and financing those working to ensure the toilet is always plugged up and the crap is always running in the halls is sheer lunacy.
Unfortunately, the lunatics are in charge of the asylum, and they have chosen the outcome they shall suffer.

Now, back to our regularly scheduled programming, already in progress ...

---
() ascii ribbon campaign against html e-mail
/\ www.asciiribbon.org
Apologies for lack of attribution beyond the first level, but the previous poster removed that.
From: Keith Medcalf [mailto:kmedcalf@dessus.com]
Windows security sucks.
The real problem with Windows is that there exist folks who believe that it is, or can be, secured. They believe the six-colour glossy, the Gartner Reports, and other (manufacturers') propaganda. As a consequence they do not act in a fashion which will keep them safe.
While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better. Those OS's are no more secure than a Windows box once you plug a few hundred million people into their consoles.

Jamie
On Tue, Jun 12, 2012 at 11:44:44AM +0000, Jamie Bowden wrote:
While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.
There is an inherent advantage for anything based upon *BSD. It was developed in an environment where in order to continue to operate it was required to defend itself against many users who wished to exploit the O/S. Windows, being designed for a single-user environment, made a number of design decisions which directly conflict with security. Having spoken to MS security about this, there is no interest on their part in disturbing the "user experience" in exchange for drastic security improvements. Rather, they continue to gradually evolve their existing model to increase security which, in fact, has been improved, however slowly. It is important to understand that there is nothing inherent in the Windows experience which prohibits security. Rather, it is a deliberate design choice on the part of MS.
From: Michael R. Wayne [mailto:wayne@staff.msen.com]
On Tue, Jun 12, 2012 at 11:44:44AM +0000, Jamie Bowden wrote:
While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.
There is an inherent advantage for anything based upon *BSD. It was developed in an environment where in order to continue to operate it was required to defend itself against many users who wished to exploit the O/S. Windows, being designed for a single-user environment, made a number of design decisions which directly conflict with security.
I've been running FBSD since 1994, so I'm well aware of the development model, thanks. The *BSDs and Linux have all had their share of holes in them and more still continue to be found. The only thing saving them is lack of market share. Apple's increasing market share is a nice demonstration of this at work.

As far as securing Windows, it can be done, and done well, but it requires policy enforcement at the hardware and personnel level, and that doesn't change no matter what OS you're running. I have hardened Windows systems, and they are no more of a pain in the ass to use than the hardened *nix systems. When DSS is done with them, all OS's suck to use.

Jamie
On Tue, Jun 12, 2012 at 4:33 PM, Michael R. Wayne <wayne@staff.msen.com> wrote: ...
It is important to understand that there is nothing inherent in the Windows experience which prohibits security. Rather, it is a deliberate design choice on the part of MS.
Windows. A strange game. The only winning move is not to play. How about a nice game of FreeBSD?
On June 12, 2012 at 12:33 wayne@staff.msen.com (Michael R. Wayne) wrote:
On Tue, Jun 12, 2012 at 11:44:44AM +0000, Jamie Bowden wrote:
While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.
That assumes the security architectures of all these OS's is similar which is simply not true.

There have been security flaws in Microsoft OS's which led to the spread of malware which would have been almost impossible on any unix-like operating system.

One of the biggest problems was creating the first and often only user on MS systems with administrator privileges allowing any piece of software they ran to do anything on the system.

Even Microsoft recognized this to be a huge flaw beginning with Vista, no need to be more catholic than the pope.

The problem at this point is that even with improvements in newer Windows systems there are probably on the order of a billion systems out there, attached to the net, and still running these deeply flawed OS's which can be taken over by just clicking on the wrong mail message.

--
-Barry Shein

The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, Jun 13, 2012 at 5:36 PM, Barry Shein <bzs@world.std.com> wrote:
> On Tue, Jun 12, 2012 at 11:44:44AM +0000, Jamie Bowden wrote:
> > While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.
That assumes the security architectures of all these OS's is similar which is simply not true.
You're right. Windows has an architecture that's easier to secure, with auditing, ACLs, and capabilities ("privileges") part of every NT-derived release. This means everything interesting doesn't have to be "root", for which there is no equivalent in Windows -- no magic user which bypasses access checks.
There have been security flaws in Microsoft OS's which led to the spread of malware which would have been almost impossible on any unix-like operating system.
One of the biggest problems was creating the first and often only user on MS systems with administrator privileges allowing any piece of software they ran to do anything on the system.
Is it not common to install unix-like operating systems similarly, with setup completed after a root password is chosen but before any human-named accounts are created?

I'm not impartial, I once worked for the architect of NT's security. Discount my opinion appropriately. My opinion is 20 years of hardening have likely made Windows a tougher nut to crack than other mass-market OSes. It could hardly be otherwise -- there have been large piles of money fueling a free market in 0-day Windows exploits for many years now. Windows has grown over that time, of course, and more code means more holes, but other OSes have been growing as well. Meanwhile, the most security-sensitive parts of Windows have been slower to change and grow.

Yes, Windows evolved from an essentially security-ignorant single-user environment. Unix evolved from an essentially security-ignorant multiuser environment. The baseline of unix security with magic root, setuid apps, and primitive access permissions are nonetheless inferior to the baseline of NT-derived Windows. There are varying degrees of ACL support in some unix-like systems, and wide support for capabilities that allow services to start as a non-root user, or "drop root" after starting as such. There is not, across the POSIX world, a strong security infrastructure that can be relied on to be universal. On the other hand, with the death in the wild of the Windows 9x/ME house of cards, today Windows does provide that universal security infrastructure.

Unix systems can be secured. So can Windows systems. No OS can simultaneously provide lazy users with power tools and completely protect those users from self-injury. Security costs overhead for too-often no perceived benefit until someone gets hurt. When you are forced to deal with it, it's nice to have the best in class infrastructure under your feet.

Cheers,
Dave Hart
On June 13, 2012 at 18:20 davehart@gmail.com (Dave Hart) wrote:
On Wed, Jun 13, 2012 at 5:36 PM, Barry Shein <bzs@world.std.com> wrote:
> On Tue, Jun 12, 2012 at 11:44:44AM +0000, Jamie Bowden wrote:
> > While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.
That assumes the security architectures of all these OS's is similar which is simply not true.
You're right. Windows has an architecture that's easier to secure,
It didn't occur to me that the original comment was referring to professionally secured sites only. I think one of the huge complaints about Windows systems is their appearance by the tens of millions in botnets which tend to be a problem with non-professionally run systems.
with auditing, ACLs, and capabilities ("privileges") part of every NT-derived release. This means everything interesting doesn't have to be "root", for which there is no equivalent in Windows -- no magic user which bypasses access checks.
There have been security flaws in Microsoft OS's which led to the spread of malware which would have been almost impossible on any unix-like operating system.
One of the biggest problems was creating the first and often only user on MS systems with administrator privileges allowing any piece of software they ran to do anything on the system.
Is it not common to install unix-like operating systems similarly, with setup completed after a root password is chosen but before any human-named accounts are created?
Apparently not, given the relative absence of un*x (which includes for example MacOS and Linux) systems in being pwned by clicking "open this attachment" in an email message. But the worst from Windows was the decades when they allowed any app to inject code into the kernel typically for graphics speed-up. Which of course could be any code, and that any code could own the system instantly. The rest is talking around the actual, measurable problem of botnets etc. Where do you think all that spam which pounds your mailbox relentlessly comes from? Botted Windows systems. I don't think saying that a professionally secured Windows 8 release candidate is much better than past systems when we're suffering under excuses or even mitigates the situation. The worst is that many of those features which made Windows so insecure were not removed because they provided marketing advantage (e.g., making any user admin, injecting graphics code for app speed-up.) So MS agonized for years about how to deal with this and not cut into their or their favored vendors' profit model while the rest of the net suffered gabillions of dollars in damage. MS, in effect, made many tens of billions on the flaws in their OS's, at the expense of everyone else. (I'm done but I'll leave the rest of the msg...)
I'm not impartial, I once worked for the architect of NT's security. Discount my opinion appropriately. My opinion is 20 years of hardening have likely made Windows a tougher nut to crack than other mass-market OSes. It could hardly be otherwise -- there have been large piles of money fueling a free market in 0-day Windows exploits for many years now. Windows has grown over that time, of course, and more code means more holes, but other OSes have been growing as well. Meanwhile, the most security-sensitive parts of Windows have been slower to change and grow.
Yes, Windows evolved from an essentially security-ignorant single-user environment. Unix evolved from an essentially security-ignorant multiuser environment. The baseline of unix security with magic root, setuid apps, and primitive access permissions are nonetheless inferior to the baseline of NT-derived Windows. There are varying degrees of ACL support in some unix-like systems, and wide support for capabilities that allow services to start as a non-root user, or "drop root" after starting as such. There is not, across the POSIX world, a strong security infrastructure that can be relied on to be universal. On the other hand, with the death in the wild of the Windows 9x/ME house of cards, today Windows does provide that universal security infrastructure.
Unix systems can be secured. So can Windows systems. No OS can simultaneously provide lazy users with power tools and completely protect those users from self-injury. Security costs overhead for too-often no perceived benefit until someone gets hurt. When you are forced to deal with it, it's nice to have the best in class infrastructure under your feet.
Cheers, Dave Hart
--
-Barry Shein

The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
The problem at this point is that even with improvements in newer Windows systems there are probably on the order of a billion systems out there, attached to the net, and still running these deeply flawed OS's which can be taken over by just clicking on the wrong mail message.
There have been no improvements in Windows security. The Microsoft "execute payload with NT AUTHORITY\SYSTEM" ip option was sheer brilliance, and that *only* appeared in their new-and-improved Operating Systems. Don't believe the propaganda.

---
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı
On Tue, Jun 12, 2012 at 11:44:44AM +0000, Jamie Bowden wrote:
While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.
I've heard this argument many times, and I reject it this time as I have before.

If popularity were the measure of relative OS security, then we would expect to see infection rates proportional to deployment rates: thus if operating systems A, B and C respectively accounted for 85%, 10%, and 5% of deployments, we should see those numbers reflected in infection rates.

But we don't. For example, passive OS fingerprinting of about a decade's worth of spam-spewing botnets indicates that they are running Windows to at least six 9's, quite possibly more -- which is a markedly higher fraction than we would expect if this hypothesis were true.

Windows is not attacked because it's the most popular. Windows is attacked because it's the weakest. (And yes, if it instantly disappeared -- oh happy day! -- the next-most-weakest would take its place, but at least we would have incrementally improved the state of security.)

---rsk
On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
If popularity were the measure of relative OS security, then we would expect to see infection rates proportional to deployment rates
I don't buy that premise, or at least not without reservation. The OS market happens to be a superstar economy. On desktops and laptops, which still happen to be the majority of devices, the overwhelming winner is Windows. Therefore, if you are going to invest in any product for which you want ubiquitous deployment, Windows is the first platform you aim for. You only aim for the others if you're chasing a niche.

There is no reason whatever to chase a niche market if your goal is spewing spam, collecting credit cards, or whatever.

Perhaps fortunately, we're about to have an empirical trial of these different possibilities. If the above analysis is correct, then we should expect malware targeting iOS and Android in about equal proportions as those sorts of devices displace laptops and desktops as the majority (though there will be some bias and therefore lag in favour of Windows just because of the fact that people already have tools and techniques built around Windows). If you're right that the primary issue is the fundamental security of the target, then perhaps we will not see that pattern emerge.

Best,

A

--
Andrew Sullivan
Dyn Labs
asullivan@dyn.com
On 13 June 2012 13:33, Andrew Sullivan <asullivan@dyn.com> wrote:
On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
If popularity were the measure of relative OS security, then we would expect to see infection rates proportional to deployment rates
I don't buy that premise, or at least not without reservation. The OS market happens to be a superstar economy. On desktops and laptops, which still happen to be the majority of devices, the overwhelming winner is Windows. Therefore, if you are going to invest in any product for which you want ubiquitous deployment, Windows is the first platform you aim for. You only aim for the others if you're chasing a niche.
I note also that many so-called operating system vulnerabilities are actually flaws in third-party subsystems like Flash or Java. Unix has traditionally had a better isolation model than Windows and so exploits via these attack vectors would be able to infiltrate the Windows core operating system whereas on Linux or OS-X platforms, the attacks might technically be more limited in their impact - not that this would be much consolation to the end user.

Aled
On Jun 13, 2012, at 5:33 AM, Andrew Sullivan wrote:
On Wed, Jun 13, 2012 at 07:55:37AM -0400, Rich Kulawiec wrote:
If popularity were the measure of relative OS security, then we would expect to see infection rates proportional to deployment rates
I don't buy that premise, or at least not without reservation. The OS market happens to be a superstar economy. On desktops and laptops, which still happen to be the majority of devices, the overwhelming winner is Windows. Therefore, if you are going to invest in any product for which you want ubiquitous deployment, Windows is the first platform you aim for. You only aim for the others if you're chasing a niche.
There is no reason whatever to chase a niche market if your goal is spewing spam, collecting credit cards, or whatever.
Perhaps fortunately, we're about to have an empirical trial of these different possibilities. If the above analysis is correct, then we should expect malware targeting iOS and Android in about equal proportions as those sorts of devices displace laptops and desktops as the majority (though there will be some bias and therefore lag in favour of Windows just because of the fact that people already have tools and techniques built around Windows). If you're right that the primary issue is the fundamental security of the target, then perhaps we will not see that pattern emerge.
If that were true, the webserver attacks would be aimed at windows while the vast majority of them are aimed at IIS. Attackers aim for the softest targets with sufficient numbers to get what they want. When it comes to target hardness, Micr0$0ft builds porridge in a world of thick sludgy oatmeal.

Owen
On 06/13/2012 04:55 AM, Rich Kulawiec wrote:
But we don't. For example, passive OS fingerprinting of about a decade's worth of spam-spewing botnets indicates that they are running Windows to at least six 9's, quite possibly more -- which is a markedly higher fraction than we would expect if this hypothesis were true.
Windows is not attacked because it's the most popular. Windows is attacked because it's the weakest.
Mostly right, except that it is really a weighted average of factors including installed base (read, popularity), likely success of the infection, likelihood of the infection being successfully detected by the user, likelihood of the infection being removable, overall utility of the system to the spammer once it is infected ... I'm probably forgetting a few things.

But your basic point, it's not just about the popularity, is sound. The cautionary tale is that merely improving one of those factors isn't going to get the job done.

Doug
On 6/12/12, Keith Medcalf <kmedcalf@dessus.com> wrote:
Windows security sucks.
The real problem with Windows is that there exist folks who believe that it is, or can be, secured. They believe the six-colour glossy, the Gartner [snip]
Well, they are right. Windows can be secured. The problem is it won't be secured in practice. Because that's too hard, and truly securing Windows will be rejected by the user, because many applications used in practice are not implemented securely on the platform. Users of Windows endpoints require functions such as Web Browsers, Flash, their favorite Office applications, PDF Viewers, and remote share access.
You would be surprised at the number of Fortune 500 companies that lock-down their policies into deliberately insecure settings, and refuse to permit more secure settings. ..
This is because, while you would expect IT to understand the importance of security. "Lock Down" has a perception of security attached to it. In practice, "Lock-Down Policies" and standardization have nothing positive to do with security, but IT convenience, and reducing support costs, by attempting to enforce a standardized endpoint experience. They can lead to less security if done without extra security review. Hopefully they also include a backup/imaging system to recover, when the lock-down policy makes it break, however.
This is, unfortunately, a typical reaction which arises from a failure to carry out proper root-cause analysis. The root cause of the issue is not "thumb drives", "baby fingernail drives", or whatever removable media type.
The windows shell is to blame, but you can provide an alternate shell that doesn't do that "magical executable code insertion" stuff and disable Explorer. -- -JH
participants (13)
- Aled Morris
- Andrew Sullivan
- Barry Shein
- Dave Hart
- Doug Barton
- Gary Buhrmaster
- Hal Murray
- Jamie Bowden
- Jimmy Hess
- Keith Medcalf
- Michael R. Wayne
- Owen DeLong
- Rich Kulawiec