<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Competition</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx</link><description>Tags: Competition</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Security – A Feature Discussion? Some Thoughts on Google’s Chrome OS</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/19/security-a-feature-discussion-some-thoughts-on-google-s-chrome-os.aspx</link><pubDate>Thu, 19 Nov 2009 21:18:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295205</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3295205.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3295205</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3295205</wfw:comment><description>&lt;p&gt;To be clear upfront: This is not a “Microsoft versus Google” post. I cannot even judge how far Google pushed security with the Chrome OS. But the following article raised quite a few questions about how we look at security: &lt;a href="http://blogs.zdnet.com/security/?p=4969&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29" target="_blank"&gt;Inside the Google Chrome OS security model&lt;/a&gt;. This article, like so many that discuss the security of an operating system, is completely feature driven. So, we talk about Process Sandboxing, Toolchain Hardening, Kernel Hardening etc. But how relevant is this really? 
&lt;/p&gt;  &lt;p&gt;Do not get me wrong: it is relevant. But these features have to be the result of an engineering process. These features have to be designed to reduce a certain threat vector – a possible attack scenario – and they have to be laid out in a way that reduces this vector. I recently had a discussion with somebody who wanted to convince me about their security software. My very first question was: How do you develop software? The answer was: We have a great CTO and good developers who engineer our software. My next question: OK, how do you do Threat Modeling? Answer: Our CTO has been doing this for years and knows everything inside out…&lt;/p&gt;  &lt;p&gt;To me, Threat Modeling and transparency with regard to the development process are key! Why should I trust features? I have to know why and how they are engineered. I need process transparency – and not necessarily code transparency. There is no way I can review code. I am not a security development specialist, nor do I have the time to look through the code anyway. The only thing I can build my trust on is the engineering and the response processes. &lt;/p&gt;  &lt;p&gt;So, why do we not have a process discussion rather than a feature discussion? When we had the initial press conference about &lt;a href="http://www.safecode.org/" target="_blank"&gt;SafeCode&lt;/a&gt;, I was asked a pretty interesting question by an analyst: As SafeCode is about sharing best practices with regard to secure development, other vendors who do not use such processes will become a target. Yes, and so what? The industry has to learn that engineering and development processes are much more important than features! We use our &lt;a href="http://www.microsoft.com/sdl" target="_blank"&gt;Security Development Lifecycle&lt;/a&gt; – will this lead to absolutely secure code? No, not at all, but to a much, much higher bar. 
We have great examples showing that this not only reduces the number of code defects but also leads to a better defense framework that adopts defense-in-depth concepts. This is what we need. &lt;strong&gt;Let’s shift the discussion from features to processes!&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;And a final comment: This discussion is even more important in the cloud!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>When it comes to security, who do you trust more - Microsoft or Google?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/26/when-it-comes-to-security-who-do-you-trust-more-microsoft-or-google.aspx</link><pubDate>Sat, 26 Sep 2009 05:18:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3283341</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3283341.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3283341</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3283341</wfw:comment><description>&lt;P&gt;I started to read the article and actually just wanted to &lt;A href="http://www.twitter.com/rhalbheer" target=_blank mce_href="http://www.twitter.com/rhalbheer"&gt;Tweet&lt;/A&gt; about it but then I voted and had to publish at least the current state: &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;When it comes to security, who do you trust more?&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;I&gt;Microsoft &lt;SMALL&gt;(44%)&lt;/SMALL&gt;&lt;/I&gt;&lt;/STRONG&gt; &lt;/LI&gt;
&lt;LI&gt;Google &lt;SMALL&gt;(32%)&lt;/SMALL&gt; &lt;/LI&gt;
&lt;LI&gt;Neither &lt;SMALL&gt;(22%)&lt;/SMALL&gt; &lt;/LI&gt;
&lt;LI&gt;Both &lt;SMALL&gt;(3%)&lt;/SMALL&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Total Votes: &lt;STRONG&gt;716&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This is the state right now – it might change, but it is very good to see.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.zdnet.com/hardware/?p=5583" mce_href="http://blogs.zdnet.com/hardware/?p=5583"&gt;Take your vote&lt;/A&gt; (if you need help where to click, let me know…)&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Internet Explorer 8 best to protect customer</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/21/internet-explorer-8-best-to-protect-customer.aspx</link><pubDate>Fri, 21 Aug 2009 17:25:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3275604</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3275604.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3275604</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3275604</wfw:comment><description>&lt;p align="left"&gt;NSS Labs just recently published a study on browser security with regard to phishing and malware protection, which we commissioned. 
To take it upfront: The whole methodology is transparent and therefore, rather than challenging the results, let’s learn from them how we can improve.&lt;/p&gt;  &lt;p&gt;As I do not want to take the joy away for you to read the study, I just want to show you two pieces of information from the report:&lt;/p&gt;  &lt;p&gt;Let’s look at the &lt;a href="http://nsslabs.com/browser-security-phishing-3Q2009"&gt;Phishing study&lt;/a&gt; first:&lt;/p&gt;  &lt;p&gt;They looked at how long a user has to wait until a phishing URL is blocked by the browser:&lt;/p&gt;  &lt;table border="2" cellspacing="0" cellpadding="2" width="355"&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top" width="197"&gt;&lt;strong&gt;Browser&lt;/strong&gt;&lt;/td&gt;        &lt;td valign="top" width="154"&gt;&lt;strong&gt;Avg. Add Time (hrs)&lt;/strong&gt;&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Internet Explorer 8&lt;/td&gt;        &lt;td valign="top" width="154"&gt;4.96&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Firefox 3&lt;/td&gt;        &lt;td valign="top" width="154"&gt;5.24&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Opera 10 Beta&lt;/td&gt;        &lt;td valign="top" width="154"&gt;6.19&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Chrome 2&lt;/td&gt;        &lt;td valign="top" width="154"&gt;11.08&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Safari 4&lt;/td&gt;        &lt;td valign="top" width="154"&gt;54.67&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;&lt;em&gt;mean&lt;/em&gt;&lt;/td&gt;        &lt;td valign="top" width="155"&gt;&lt;em&gt;16.44&lt;/em&gt;&lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;What is scary to me is that Safari alone pulls the mean of the group up by a wide margin. 
Even though Chrome 2 is behind the other three, I guess that Internet Explorer, Firefox and Opera are comparable here (even though we are more than 20% faster). &lt;/p&gt;  &lt;p&gt;So, speed is one thing, accuracy and completeness another. Let me quote from the report: &lt;em&gt;The average phishing URL catch rate for browsers over the entire 14 day test period ranged from 2% for Safari 4 to 83% for Windows Internet Explorer 8.&amp;#160; Internet Explorer 8 and Firefox 3 were the most consistent in the high level of protection they offered. Statistically, Internet Explorer 8 and Firefox 3 had a two-way tie for first, given the margin of error of 3.96%. Opera 10 beta came in third due to inconsistent protection during the test. Chrome 2 was consistent, albeit at a much lower rate of protection, and Safari offered minimal overall protection.&lt;/em&gt; &lt;/p&gt;  &lt;p&gt;Or in graphical terms:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3275290/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x261[1]" border="0" alt="500x261[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/595d1074e48b_EE38/500x261%5B1%5D_1.png" width="500" height="261" /&gt;&lt;/a&gt;Again, the scary piece is the huge difference between the browsers. Whereas Internet Explorer and Firefox are similar, the rest are spread far, far apart (and Safari furthest of all). 
&lt;/p&gt;  &lt;p&gt;Then they did a similar test with regards to &lt;a href="http://nsslabs.com/browser-security-malware-3Q2009" target="_blank"&gt;socially engineered Malware protection&lt;/a&gt;:&lt;/p&gt;  &lt;p&gt;Again, looking at the response time, I guess we can improve when it comes to the comparison with other browsers:&lt;/p&gt;  &lt;table border="2" cellspacing="0" cellpadding="2" width="349"&gt;&lt;tbody&gt;     &lt;tr&gt;       &lt;td valign="top" width="197"&gt;&lt;strong&gt;Browser&lt;/strong&gt;&lt;/td&gt;        &lt;td valign="top" width="148"&gt;&lt;strong&gt;Avg. Add Time (hrs)&lt;/strong&gt;&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Opera 10 Beta&lt;/td&gt;        &lt;td valign="top" width="148"&gt;5.5&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Firefox 3&lt;/td&gt;        &lt;td valign="top" width="148"&gt;6.7&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Internet Explorer 8&lt;/td&gt;        &lt;td valign="top" width="148"&gt;9.2&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Safari 4&lt;/td&gt;        &lt;td valign="top" width="148"&gt;31.5&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;Chrome 2&lt;/td&gt;        &lt;td valign="top" width="148"&gt;76.8&lt;/td&gt;     &lt;/tr&gt;      &lt;tr&gt;       &lt;td valign="top" width="197"&gt;&lt;em&gt;mean&lt;/em&gt;&lt;/td&gt;        &lt;td valign="top" width="148"&gt;&lt;em&gt;25.9&lt;/em&gt;&lt;/td&gt;     &lt;/tr&gt;   &lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;But again, there is a huge gap between the best and the worst (and they are very bad). 
When it comes to the block rate, though, the game changes:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3275291/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x204[1]" border="0" alt="500x204[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/595d1074e48b_EE38/500x204%5B1%5D.png" width="500" height="204" /&gt;&lt;/a&gt; Again, to quote the report:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;&lt;strong&gt;Internet Explorer 8&lt;/strong&gt;&amp;#160; caught 81% of the live threats, an exceptional score which surpassed the next best browser (Firefox 3) by a 54% margin. Windows Internet Explorer 8 improved 12% between Q1 and Q2 tests, evidence of concerted efforts Microsoft is making in the SmartScreen technology.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;&lt;strong&gt;Firefox 3&lt;/strong&gt; caught 27% of live threats, far fewer than Internet Explorer 8. It was, however, the best among products utilizing the Google SafeBrowsing API. (Note: Firefox 3.5 was not stable enough to be tested during the course of this test. A patch has subsequently become available to address the stability issue. We were able to manually verify that the protection was identical between versions 3.0.11 and 3.5). &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;&lt;strong&gt;Safari 4&lt;/strong&gt; caught 21% of live threats.&amp;#160; Overall protection varied greatly, with two short periods of severe dips.&amp;#160; Chrome 2 caught just 7% of live threats, an 8% drop from the previous test.&amp;#160; &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;em&gt;&lt;strong&gt;Opera 10 Beta&lt;/strong&gt; caught a mere 1% of live threats, providing virtually no protection against socially engineered malware. 
In our test bed validation, we verified there was effectively no difference between Opera 9 and Opera 10 Beta.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;So, this is definitely interesting material for your next browser discussion.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Welcome to reality: Apple Acknowledges OS X Malware</title><link>http://blogs.technet.com/rhalbheer/archive/2009/06/11/welcome-to-reality-apple-acknowledges-os-x-malware.aspx</link><pubDate>Thu, 11 Jun 2009 22:53:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3253671</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3253671.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3253671</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3253671</wfw:comment><description>&lt;P&gt;A few years ago, we ran a huge event in Switzerland: We invited people in Switzerland to bring their PC to us (we were at the airport in Zurich for a whole week) and we checked it for malware, patched it, etc. We did this with a lot of partners and had live TV coverage at primetime on Swiss TV. A huge success, and a lot of people came! However, we wanted to do it in partnership with Apple – well, I am not sure whether “partnership” would have been the right term: We offered them the Internet access, the network, the room, etc. They would just have had to bring the people. &lt;/P&gt;
&lt;P&gt;The Swiss team seemed to want to join in, but their worldwide management decided that they did not want to do that “as Apple does not have a security problem”.&lt;/P&gt;
&lt;P&gt;And then we had this funny event: &lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/12/03/apple-recommends-running-multiple-av-engines.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/12/03/apple-recommends-running-multiple-av-engines.aspx"&gt;Apple Recommends Running Multiple AV Engines&lt;/A&gt; and a day after Apple pulled the advisory &lt;A href="http://blogs.technet.com/rhalbheer/archive/2008/12/04/article-was-bogus-do-mac-users-not-need-anti-virus-protection.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2008/12/04/article-was-bogus-do-mac-users-not-need-anti-virus-protection.aspx"&gt;Article was Bogus: Do Mac Users not need Anti-Virus Protection?&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Honestly, the whole discussion is ridiculous as Cybercrime is a fact of life and so is malware. As soon as Apple users become a profitable target on some scale, they will be attacked. Everybody who thinks differently puts their head in the sand.&lt;/P&gt;
&lt;P&gt;And now finally Apple arrived in today’s world: &lt;A href="http://www.ibtimes.com/prnews/20090610/apple-acknowledges-osmalware.htm" target=_blank mce_href="http://www.ibtimes.com/prnews/20090610/apple-acknowledges-osmalware.htm"&gt;Apple Acknowledges OS X Malware&lt;/A&gt; and on &lt;A href="http://www.apple.com/macosx/what-is-macosx/security.html" target=_blank mce_href="http://www.apple.com/macosx/what-is-macosx/security.html"&gt;their website&lt;/A&gt; they write:&lt;/P&gt;
&lt;P&gt;The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.&lt;/P&gt;
&lt;P&gt;I think that this is a big and a very good move! I would now welcome Apple to join industry communities like &lt;A href="http://www.safecode.org/" target=_blank mce_href="http://www.safecode.org/"&gt;SafeCode&lt;/A&gt; to work jointly on making products more secure, or initiatives like &lt;A href="http://www.2centre.eu/" target=_blank mce_href="http://www.2centre.eu/"&gt;2CENTRE&lt;/A&gt; to train law enforcement. I am a big supporter of industry/government collaboration, but when it comes to Law Enforcement, there are often not too many companies at the table. &lt;/P&gt;
&lt;P&gt;Security to me is not only products and processes. It is about partnerships!&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Google Chrome and Silent Patching</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/11/google-chrome-and-silent-patching.aspx</link><pubDate>Mon, 11 May 2009 04:58:49 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3238546</guid><dc:creator>rhalbh</dc:creator><slash:comments>18</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3238546.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3238546</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3238546</wfw:comment><description>&lt;p&gt;This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front page with a “best practice approach” for deploying security updates. The article itself claimed that Chrome is one of the most secure browsers because it deploys patches silently, without letting the user know, even if Chrome is not running, and there is no way to disable this. Here are some similar stories:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://www.thetechherald.com/article.php/200919/3594/Report-Using-silent-updates-boosts-browser-security" target="_blank"&gt;Report: Using silent updates boosts browser security&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://robmensching.com/blog/posts/2008/9/10/Google-Chrome.-updates-without-asking"&gt;Google Chrome... 
updates without asking.&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.favbrowser.com/google-is-wise-chrome-updates-silently/" target="_blank"&gt;Google is Wise, Chrome Updates Silently&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Give me a break here.&lt;/p&gt;  &lt;p&gt;I am really tired of hearing those things. When Chrome shipped, three things actually hit my inbox:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Chrome shipped (as a beta) with a few pretty significant vulnerabilities that had been known for quite a while (like the carpet bombing flaw). The excuse by Google was “it is just a beta”. Tell me please how you would have commented if we had done the same with Windows 7.&lt;/li&gt;    &lt;li&gt;I got quite a few mails from angry customers and journalists telling me that Chrome had found a way around User Account Control, as Chrome installs without UAC kicking in. Journalists called because they claimed to have found “a severe vulnerability”; customers called because they were angry with us as Chrome simply popped up all over their network even though their users were non-admins. Well, well: Chrome simply installs an executable in the user context, into directories where the user has write permissions. So, of course Chrome can install without UAC – really bad practice in my opinion.&lt;/li&gt;    &lt;li&gt;There was a pretty strange paragraph in the EULA which was removed later.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;And now the silent patching. A few years back, when we designed Windows XP SP2, we talked about switching Automatic Updates on by default. This caused a lot of people to scream and tell us that it is unacceptable to switch AU on by default (which we actually do now). We recently updated the Windows Update client – and it caused a lot of you to scream and tell us that it is unacceptable for us to silently update a component on Windows. And we heard you loud and clear. 
&lt;strong&gt;And now I hear that Chrome is best practice because they silently fix security vulns? And you cannot even switch this off?&lt;/strong&gt; So, what is the policy the industry shall follow?&lt;/p&gt;  &lt;p&gt;I agree that the most secure way for consumers would be to automatically fix security vulns. This is actually what I tell my parents: Simply install security updates. This is for consumers, and &lt;u&gt;there is an option&lt;/u&gt;. Not having an option is unacceptable – at least for me. Additionally, again for the consumer, having anti-malware be part of the operating system out of the box and enabled by default would be desirable. However, this is not acceptable today for competition reasons. &lt;/p&gt;  &lt;p&gt;So, what I do not get is why people do not look at these problems holistically and more from a policy perspective rather than from a company-by-company perspective. Silently installing components without even giving me the option to choose is not acceptable to me today – but I want to have the option to do it if I want.&lt;/p&gt;  &lt;p&gt;And finally: I would question the enterprise-readiness of such software. 
At least, I would never deploy it in an enterprise environment.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/OpenSource/default.aspx">OpenSource</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>News from the Interop front</title><link>http://blogs.technet.com/rhalbheer/archive/2009/02/10/news-from-the-interop-front.aspx</link><pubDate>Tue, 10 Feb 2009 19:50:24 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3200286</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3200286.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3200286</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3200286</wfw:comment><description>&lt;p&gt;Not directly security related: I am often asked about the interoperability between our products and third-party products. 
Additionally, people claim that we do not allow others to use our technology – that we lock you in. &lt;/p&gt;  &lt;p&gt;Just now I read the following news:&lt;/p&gt;  &lt;p&gt;Google just announced &lt;a href="http://www.google.com/mobile/default/sync.html" target="_blank"&gt;Google Sync&lt;/a&gt;, which licenses our ActiveSync technology. As Horacio Gutierrez, our Deputy General Counsel and VP for Intellectual Property &amp;amp; Licensing, puts it: &lt;i&gt;Google’s licensing of these Microsoft patents relating to the Microsoft Exchange ActiveSync protocol is a clear acknowledgement of the innovation taking place at Microsoft.&amp;#160; This agreement is also a great example of Microsoft’s openness to generally license our patents under fair and reasonable terms so long as licensees respect Microsoft intellectual property.&amp;#160; This open approach has been part of Microsoft’s IP licensing policy since 2003 and has resulted in over 500 licensing agreements over the last five years. &lt;/i&gt;&lt;/p&gt;  &lt;p&gt;They base that on the &lt;a href="http://www.microsoft.com/presspass/press/2008/dec08/12-18EASLicencingPR.mspx?rss_fdn=Press%20Releases"&gt;Exchange ActiveSync IP Licensing Program&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;So, I look forward to our competitors doing similar things and allowing interop between their products and other vendors like us &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Interoperability/default.aspx">Interoperability</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Is Mozilla 
really the most secure Web Browser?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/01/19/is-mozilla-really-the-most-secure-web-browser.aspx</link><pubDate>Tue, 20 Jan 2009 00:14:31 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3185853</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3185853.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3185853</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3185853</wfw:comment><description>&lt;p&gt;On &lt;a href="http://en-us.www.mozilla.com/en-US/firefox/security/"&gt;http://en-us.www.mozilla.com/en-US/firefox/security/&lt;/a&gt; Mozilla claims that Firefox is “The Safest Web Browser”. Unfortunately they leave a lot of their claims unsupported.&lt;/p&gt;  &lt;p&gt;This is something our Jeff Jones looks into. For many years Jeff has been looking into figures and metrics around security, and he is very well known for his vulnerability analysis. So he is looking more closely into their claims and analyzing them. 
Just as an example:&lt;/p&gt;  &lt;p&gt;Here is the chart with regards to “Days of Risk” Mozilla published:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="chart[1]" border="0" alt="chart[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/IsMozillareallythemostsecureWebBrowser_1033A/chart%5B1%5D_3.png" width="295" height="330" /&gt; &lt;/p&gt;  &lt;p&gt;And this is Jeff’s view for Firefox:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/IsMozillareallythemostsecureWebBrowser_1033A/ff-2006-risk%5B1%5D.jpg"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="ff-2006-risk[1]" border="0" alt="ff-2006-risk[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/IsMozillareallythemostsecureWebBrowser_1033A/ff-2006-risk%5B1%5D_thumb.jpg" width="280" height="576" /&gt;&lt;/a&gt; Pretty big difference – isn’t it?&lt;/p&gt;  &lt;p&gt;As he will publish a series of articles, here are the first two:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://www.cio.com/article/476176/Can_Mozilla_Support_Claims_of_Firefox_Being_the_Most_Secure_Web_Browser_"&gt;Can Mozilla Support Claims of Firefox Being the Most Secure Web Browser?&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.cio.com/article/476963/Can_Mozilla_Support_Claims_of_Firefox_Being_the_Most_Secure_Web_Browser_Part_"&gt;Can Mozilla Support Claims of Firefox Being the Most Secure Web Browser? 
(Part 2)&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;If you want to argue about the figures, use Jeff’s articles, as he is the one who owns the data and knows what he wanted to say.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Apple releases Keyboardless Laptop</title><link>http://blogs.technet.com/rhalbheer/archive/2009/01/09/apple-releases-keyboardless-laptop.aspx</link><pubDate>Fri, 09 Jan 2009 17:55:32 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3178819</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3178819.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3178819</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3178819</wfw:comment><description>&lt;p&gt;Wow, there is news we cannot cope with. 
&lt;strong&gt;Apple just announced the first laptop without keyboard&lt;/strong&gt;:&lt;/p&gt;  &lt;div style="padding-bottom: 0px; padding-left: 0px; width: 400px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:db06cdbd-c620-4e9e-8ba9-64f89568652c" class="wlWriterSmartContent"&gt;&lt;div&gt;&lt;embed src="http://www.theonion.com/content/themes/common/assets/videoplayer2/flvplayer.swf" type="application/x-shockwave-flash" allowScriptAccess="always" wmode="transparent" width="400" height="355" flashvars="file=http://www.theonion.com/content/xml/92328/video&amp;autostart=false&amp;image=http://www.theonion.com/content/files/images/NO_KEYBOARD_article.jpg&amp;bufferlength=3&amp;embedded=true&amp;title=Apple%20Introduces%20Revolutionary%20New%20Laptop%20With%20No%20Keyboard"&gt;&lt;/embed&gt;&lt;br/&gt;&lt;a href="http://www.theonion.com/content/video/apple_introduces_revolutionary?utm_source=embedded_video"&gt;Apple Introduces Revolutionary New Laptop With No Keyboard&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;  &lt;p&gt;and additionally the new &lt;strong&gt;Mac Tiny&lt;/strong&gt;:&lt;/p&gt;  &lt;div style="padding-bottom: 0px; padding-left: 0px; width: 425px; padding-right: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:5aec7f74-adb0-41c2-b949-e4d4cd7e56c7" class="wlWriterSmartContent"&gt;&lt;div id="58985413-c8ca-4cb3-9cab-e8b61afb486e" style="margin: 0px; padding: 0px; display: inline;"&gt;&lt;div&gt;&lt;a href="http://www.youtube.com/watch?v=noe3kR8KqJc&amp;amp;hl=en&amp;amp;fs=1" target="_new"&gt;&lt;img src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/ApplereleasesKeyboardlessLaptop_D3AA/video277943e452a8.jpg" style="border-style: none" galleryimg="no" onload="var downlevelDiv = document.getElementById('58985413-c8ca-4cb3-9cab-e8b61afb486e'); 
downlevelDiv.innerHTML = &amp;quot;&amp;lt;div&amp;gt;&amp;lt;object width=\&amp;quot;425\&amp;quot; height=\&amp;quot;355\&amp;quot;&amp;gt;&amp;lt;param name=\&amp;quot;movie\&amp;quot; value=\&amp;quot;http://www.youtube.com/v/noe3kR8KqJc&amp;amp;hl=en&amp;amp;fs=1&amp;amp;hl=en\&amp;quot;&amp;gt;&amp;lt;\/param&amp;gt;&amp;lt;embed src=\&amp;quot;http://www.youtube.com/v/noe3kR8KqJc&amp;amp;hl=en&amp;amp;fs=1&amp;amp;hl=en\&amp;quot; type=\&amp;quot;application/x-shockwave-flash\&amp;quot; width=\&amp;quot;425\&amp;quot; height=\&amp;quot;355\&amp;quot;&amp;gt;&amp;lt;\/embed&amp;gt;&amp;lt;\/object&amp;gt;&amp;lt;\/div&amp;gt;&amp;quot;;" alt=""&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;  &lt;p&gt;They even talk about the Mac Nano in this video &lt;img alt="smile_regular" src="http://spaces.live.com/rte/emoticons/smile_regular.gif" /&gt;&lt;/p&gt;  &lt;p&gt;Enjoy&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Fun/default.aspx">Fun</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Article was Bogus: Do Mac Users not need Anti-Virus 
Protection?</title><link>http://blogs.technet.com/rhalbheer/archive/2008/12/04/article-was-bogus-do-mac-users-not-need-anti-virus-protection.aspx</link><pubDate>Thu, 04 Dec 2008 10:48:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3163747</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3163747.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3163747</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3163747</wfw:comment><description>&lt;p&gt;Today I was having a discussion with a religious Mac fan claiming that the only problem with security on the Internet is Windows, and then I read this article on ZDNet: &lt;a href="http://blogs.zdnet.com/security/?p=2254"&gt;Despite what blogs (and Apple) say, Macs will eventually have malware&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;It mentions that the article I was quoting yesterday seems to have been bogus – see here: &lt;a href="http://gizmodo.com/5100996/false-alarm-apple-mac-os-x-anti+virus-recommendation-is-old"&gt;False Alarm: Apple Mac OS X Anti-Virus Recommendation Is Old&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Now, it still seems that Apple users feel extremely safe – despite the fact that they have significantly more vulnerabilities than us. And it is just a matter of time and a matter of an attractive target until the Mac is attacked. 
It is ridiculous to think that anybody is safe – it is just a matter of economics: How much time and money do you want to invest in attacking a platform…&lt;/p&gt;  &lt;p&gt;The three steps (Firewall, Computer Updates, AV-Software) to me are as important on Mac and Linux as they are on Windows.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Apple Recommends Running Multiple AV Engines</title><link>http://blogs.technet.com/rhalbheer/archive/2008/12/03/apple-recommends-running-multiple-av-engines.aspx</link><pubDate>Wed, 03 Dec 2008 20:45:14 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3163463</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3163463.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3163463</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3163463</wfw:comment><description>&lt;p&gt;This is an interesting thing: I just read this post on &lt;a target="_blank" href="http://blogs.zdnet.com/security/?p=2242"&gt;ZDNet&lt;/a&gt;. They blamed us for being the key target for viruses and they always told me that they do not have a security problem. I am convinced that there is no software product having &lt;strong&gt;&lt;u&gt;no&lt;/u&gt;&lt;/strong&gt; security vulnerabilities, and Apple proved over time that they are not doing that well and that their marketing and reality are sometimes pretty far apart. 
The following chart is from Jeff Jones’ Desktop OS Vulnerability report:&lt;/p&gt;  &lt;p&gt;&lt;img style="display: block; float: none; margin-left: auto; margin-right: auto" src="http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/Imagesfrom1H08DesktopVulnerabilityReport_134C7/1h08-vulns-by-vendor_thumb.png" /&gt; &lt;/p&gt;  &lt;p&gt;At least it seems that the technical side of Apple realizes that running AV software is absolutely key. I quote the blog above:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;Even though I understand the reasoning of running more than one AV product (we were doing that on Exchange and SharePoint as well), I do not think that it makes a lot of sense – from a resource consumption standpoint – to run more than one product on the Desktop. 
But the change in strategy is remarkable and I am more than happy to see that.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>This is about processes: Google Chrome Vulnerable to Carpet Bombing</title><link>http://blogs.technet.com/rhalbheer/archive/2008/09/03/this-is-about-processes-google-chrome-vulnerable-to-carpet-bombing.aspx</link><pubDate>Wed, 03 Sep 2008 18:21:17 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3117028</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3117028.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3117028</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3117028</wfw:comment><description>&lt;p&gt;This is the kind of stuff I hate to see – definitely within Microsoft but to a similar extent within competitors. I think we have a joint mission: Make the Internet a safer (and more trustworthy) place. 
&lt;/p&gt;&lt;p&gt;There was quite some noise yesterday around Google Chrome. And a lot of noise about "safer browsing" and security. Now, I started to &lt;a href="http://blogs.zdnet.com/security/?p=1843"&gt;read articles&lt;/a&gt; that Google built its new browser on a Safari version which is outdated and not yet patched against the Carpet Bombing flaw. 
&lt;/p&gt;&lt;p&gt;This is about processes and quality assurance (and trust) and not about technology. This is about a Security Development Lifecycle with proper testing and QA. Google published a long comic on Chrome and talks extensively about testing – I think there is some real room for improvement here.
&lt;/p&gt;&lt;p&gt;Do not get me wrong: We are far away from perfect. We will never achieve the "perfect" level. But we worked hard to implement strong processes and even share them with the industry (see SAFECode). So, why do companies like Google, Oracle, Sun, etc. not join such initiatives to jointly make sure we do not release products with vulnerabilities in them which have been known for a long time…
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Servers still not patched</title><link>http://blogs.technet.com/rhalbheer/archive/2008/08/29/servers-still-not-patched.aspx</link><pubDate>Fri, 29 Aug 2008 13:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3113738</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3113738.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3113738</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3113738</wfw:comment><description>&lt;P&gt;I just read an article this morning on &lt;A href="http://news.cnet.com/8301-13505_3-10026829-16.html" mce_href="http://news.cnet.com/8301-13505_3-10026829-16.html"&gt;Linux servers under the Phalanx gun: A problem with people, not code&lt;/A&gt;. There were quite some things which made me think when I read it: &lt;/P&gt;
&lt;P&gt;There was a statement in there which I – obviously – did not like at all: &lt;EM&gt;Linux may be inherently more secure as a system&lt;/EM&gt;, which is always an interesting discussion. The guy writing the blog post claims that Linux is easier to secure than Windows, which I completely disagree with. If you know what you are doing, you can secure each and every system. However, we do a great deal of work to make sure that our systems are as secure as possible by default and additionally provide you with tools (like the Security Configuration Wizard) to make sure you can secure the system as far as possible and run it as securely as possible. We know, and have proven with a lot of figures, that our systems have far fewer vulnerabilities than others (e.g. &lt;A href="http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx" mce_href="http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx"&gt;http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx&lt;/A&gt;), and &lt;A href="http://shots.snap.com/explore/68252/?url=http%3A%2F%2Fwww.techzoom.net%2Fpapers%2Fblackhat_0day_patch_2008.pdf&amp;amp;key=af6cdd34188f1c100e3a1e5ca0674b40&amp;amp;src=blogs.ethz.ch&amp;amp;cp=&amp;amp;tol=url" mce_href="http://shots.snap.com/explore/68252/?url=http%3A%2F%2Fwww.techzoom.net%2Fpapers%2Fblackhat_0day_patch_2008.pdf&amp;amp;key=af6cdd34188f1c100e3a1e5ca0674b40&amp;amp;src=blogs.ethz.ch&amp;amp;cp=&amp;amp;tol=url"&gt;third-party research showed clearly that our systems are less at risk than others&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;But as I commented several times already, this discussion does not really lead to more secure systems but just some entertainment for people who like these debates. &lt;/P&gt;
&lt;P&gt;Coming back to the article above: One of the conclusions in the article is that patching is often a people and process problem, rather than a technology problem. This is not new either. The question to me is, why do people not deploy? We do customer surveys about their satisfaction with Microsoft every now and then. People are still not too satisfied with the security of our products. So, there is still a lot of work to do. However, if we ask them whether our updates are easy to deploy, we get a very, very high rating all across the segments and audiences. So, why do they not deploy? Is it because they are afraid of the downtime? Could be, so we have to work harder to reduce the number of reboots (is this different on other OSes? I do not know, but I doubt it). Is it the tools? Is it lack of knowledge? Is it ignorance? &lt;/P&gt;
&lt;P&gt;I do not know, but would love to understand. &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item></channel></rss>