Josh's Blog

I found this great explanation of how vendors should respond to security flaws:
Matt's Guide to Vendor Response

If you're a vendor, where vendor is also an Open Source project, it would be worth your time to read this. It has some great tips and is a quick read.

Ten years later and still funny!

So 2009 is pretty much done. Nothing truly amazing sticks out in my mind. That means it was either so bad I've blocked all traces out, or nothing overly exciting really happened.

I'm pretty sure it's the latter.

As it's my duty as an Internet citizen to make up crap that I can't possibly know will come true, I predict 2010 will be just like 2009, but with more disaster movies coming out.

I think the universe of security is getting dull. This is a good thing though, as it means the good guys are doing their jobs. There are always going to be things like botnets and evildoers looking to take advantage of the unsuspecting, but this is no different than in the physical world. There are bad guys, they exist because there's money to be made from exploiting others. I imagine thief is the second oldest profession.

The real stories of security are the few number of things like worms and wide scale defacements of the days of old. Most admins understand that updates must be applied promptly, and many vendors are now releasing those updates ASAP. There are technologies that can help make exploits very hard to write.

The future of exciting security research will probably move to virtualization; it's currently a lot like Swiss cheese in terms of keeping things secure. Unfortunately security is generally a reactive thing, so until there are problems found, I don't expect much proactive work done in virtualized security.

This is a great article about virtual server security.

It's always nice to see good articles that talk about how virtualization is not a security feature. As they often say, the first step is to admit you have a problem.

The best quote of the article being

... when I read about the take-up of virtualisation, the feeling of foreboding is not unlike seeing a five-year-old play with Daddy’s collection of Samurai swords – while nothing awful has happened yet, one can’t help thinking it’s a matter of when, not if.

I ran across this article quite some time ago:
4 Unreasonable Security Practices You're Probably Following

It brings up some good points, and mentions risk quite a bit. Risk is the real issue when dealing with any type of security. Nothing is ever 100% secure, security is like a logarithmic graph, where you can make a really big difference by taking a few easy steps in the beginning, but as things try to get more secure, it gets much much harder for minimal gain.

An easy to understand example would be a door into a secured bunker. Imagine it's just an opening into a wall with no door. This is obviously very insecure. Adding a door and a simple lock would bump the security up substantially, but to get it much more secure, you need to start adding rather difficult things that wouldn't provide significantly more security. Some additions could include biometric locks and an armed guard, but in all honestly, the increased security from those isn't even comparable to the increase in security just from adding a door and a lock.

I bought a 16 Gig USB drive for $20 yesterday at Frys. This itself is pretty cool, but I figured I'd try to install Fedora 12 onto it. I don't mean a USB livecd-iso-to-disk sort of install, but a real install, where anaconda treats it like a regular disk. I was amazed to see that it installed fine, but also boots perfectly.

I've tried this in the past, probably around Fedora 10, and it didn't work for me, so this is a pleasant surprise.

I was happy to find an article talking a bit about Hypervisor Security Concerns. It's not overly in-depth, but does point out the very real issue that virtualization poses some serious security concerns.

I think sometimes it's easy to get caught up in all the hype and forget about all the other issues a technology could create for us. I really like the title in the article

A New Definition of “Privilege Escalation”

Since it sounds cool, we should start calling a guest that breaks into the hypervisor, Hyper Escalation. It both sounds cool, and is fun to say. (I have bolded, underlined, and italicized it to stress its coolness)

In all seriousness though, this is a good discussion point, and an issue that will likely continue to come up for many years to come. Virtualization, like many things to come before it, wasn't built with security in mind, so it's going to take many many years to hammer out all the dents.

It's not often you read a security story that blames people for the problem. I found this one to be quite interesting.
Federal IT Face Cyber Attacks Daily

The best quote from the article is this:

Federal employees are still the main cause for security flaws because of their careless online activity along with failure to comply with organization policy, finds the research. It also finds that across civilian and defense organizations, 66% of those surveyed caught employees conducting irrelevant Web-surfing during 2008, while 44% found their workforce noted passwords on office stick-notes that could become public.

The hard part here is how do you get people to care? It's not much different in the real world, where people are rather careless about keeping belongings and personal information safe. It's even harder to convince someone to keep something intangible things safe.

The Internet of today is comparable to Fagin and his band of little pickpockets. The difference now, is the modern day Fagin doesn't use orphans, but zombie computers, and millions of them. Imagine trying to walk through a marketplace so full of thieving children you can't move. That's pretty much today's Internet.

I watched Johnny Mnemonic (there's also a short story the movie is based on, go read it) last night for the first time in a long time. The movie takes place in 2021, only 11 more years!

I think the most striking thing was that he was to carry around 320 Gigabytes of data in his head. The first time I saw that movie in 1995 or so, I remember thinking that 320GB was an insane amount of data. Today I type this on a computer with almost double that much storage capacity. I love it how movies that involve computer things age terribly. I suppose that's part of what makes them so fun to watch.

Except Tron, that one is still pure awesome.

It's been a while since I've posted anything, I've been annoyingly busy. Someday it'll slow down ... right?

So the first story that caught my eye today was this:
Security Report Finds Enterprise Infections Up 100 Percent
It's the normal story about how enterprises are full of viruses and worms and all sorts of other bad things. I suspect the real story here is that enterprises are looking for and finding malware rather than ignoring it (or not finding it).


The really interesting story of the day is this one though:
Tech Futurist Sees Rosy Prospects for Net Security
It's a story about how in the future all the ISPs and sites we visit will be stomping on malware for the good of all humanity. This probably will never happen unless there are drastic changes to our telecommunications laws. Right now data carriers are generally not liable for the data that travels over their network. This basically means that the ISP isn't responsible for what the two parties using you for transport do. If ISPs decide they need to start stopping malware, there are two potential problems. Who defines what malware is, and what happens if they miss some.

I'll explain this a little better. The first being the definition of malware.

Let's say I write a new operating system called door, and it's all the rage. My competitor decides they REALLY need to get rid of me, so they convince a bunch of ISPs (where convince is a giant bag of money) that I'm malware. Unless you have a huge army of lawyers on your side, there's probably little that can be done to resolve this situation.

The other possibility is what happens when the ISP doesn't block something new.

Perhaps I go to a legitimate web site and suddenly this new worm has infected my corporate network, causing a loss of millions in downtime. Right now, you could maybe go after the site hosting the malware, but probably not the ISP. If your ISP is claiming they can stop malware and they don't, they could potentially be sued by customers. Obviously they don't want this.

It's a slippery slope, but also a problem where they're hoping to fix the network rather than the endpoints. I'm not sure which would be easier.

An article caught my eye today entitled:
How to Defeat Full-Disk Encryption in One Minute

When you read this, it's a clever idea. Someone basically wrote a boot sector virus that sniffs hard disk encryption passwords and saves the password for later retrieval. This attack certainly isn't anything new, I'm not sure if anyone has written an easily consumable utility for it before now though.

If you're worried about keeping the data on your laptop secure (who isn't), it's not just about encrypting your hard drive. It's probably a good idea to use a bios boot password and keeping your laptop physically secure. If you're traveling, don't leave it lay on a desk in plain sight. When you're not using it, put it away in a bag. Make sure you lock your doors. When the machine is powered on, don't walk away even for a minute without locking the screen.

If someone wants to target you specifically, they'll likely get what they want eventually (unless you catch them at some point). The trick to sane security measures isn't to stop people like that, the goal is to make sure that a random attacker is going to pass you up in favor of someone who is more lax about security. This is comparable to locking the door to your house. If someone wants to get in, they can, but the lock can help persuade the bad guys to go look for an unlocked door.

So this weekend, my home server machine, that does all sorts of stuff for me, decided to crash. I rebooted, and noticed that one of my virtual machines running inside vmware didn't start. Upon spending some time with it, it became obvious that the disk was corrupt, well beyond what an fsck could fix. So I reinstalled, luckily I had backups. Later that day, same thing. At this point I fsck the real disk (fsck on 1TB takes a long time), which fails miserably. So I rebuild that drive, then rebuild my virtual machines, then the next day the server crashes again.

This sad game went on for a while longer before I finally ran memtest86. It lit up like a Christmas tree (note to self, do this first next time).

So the real point of this post though, is to comment on how painless the Corsair RMA process is (they made the RAM in question). Everything was via a web site, and in a few hours, I had my RMA sheet and was off to the post office. It's always nice when I'm ready to throw the computer in a lake, something goes right.

The extra cool thing is I bought this memory as a 2 stick deal, they offered to replace both sticks. Sadly I need this computer to be running, so that didn't happen, but I still dig the idea behind it.

In a strange way, this also makes me happy, as CentOS 5.4 is just days away, so I figure I'll wait and use KVM instead of vmware, which will give me a whole new world of headaches

The ClamAV folks have announced that they're going to EOL the 0.94 branch of ClamAV in favor of the 0.95 branch. They're doing this due to certain features in 0.95 which will allow them to distribute more complex signatures in an efficient manner.

I'm normally a rabid supporter of backporting fixes to older versions and keeping them alive forever, but in this instance, I think the ClamAV folks are doing the right thing. They're giving everyone plenty of notice, they're not being dishonest about why they're doing this, and it's certainly for a net gain.

The malware detection world is like an arms race, where the good guys are always a step behind. The real value ClamAV provides isn't in the detection software, it's in the malware signatures that the software processes. Anything that can give us better signatures and detect more malware is a good thing, even if it causes some temporary pain.

So while visiting my bank today, I noticed a shiny metal box on the side of the building clearly marked as "Burglar Alarm". I hope for the sake of sanity, that's not REALLY the burglar alarm, but rather just a shiny box to trick stupid thieves and make us customers feel safer.

So today Microsoft released something called Microsoft Security Essentials. It's basically a free anti-virus program from Microsoft.

Two things come to mind.
1) Why did this take so long?
2) Why do we still need this?