• Vulnerability Auction

    I have written several times already about responsible disclosure and irresponsible disclosure. My point on that is clear: every vendor has to have transparent and clear processes to handle vulnerabilities. These processes ensure that there will be a timely reaction to responsibly disclosed vulnerabilities as well as to irresponsibly disclosed ones, the latter causing so-called zero-days. These zero-days pose a major risk to all the computer users on the Internet. One could argue now that it is not the zero-day that is the problem but the vulnerability itself.

    Let's take an analogy: my house has certain protection measures against burglars, but there are limitations and certainly vulnerabilities. What would you argue there? Is it my fault if the burglar gets into the house, or is it a criminal action? It is clear, isn't it? What would you think if somebody pinned a piece of paper on the noticeboard of the local shop describing in detail how you could break into my house? Not really ethical, is it? What would you think if that person actually sold this information on an Internet auction? Would this be ethical? Criminal?

    So, let's come back to the IT industry: I am a firm believer in a few facts:

    • As stated above: every company has to have transparency in its processes to handle those vulnerabilities without "zero-daying" itself - meaning making previously responsibly disclosed vulnerabilities public before a fix is available.
    • Each fixed vulnerability shall be transparent. There are very few exceptions to that rule, e.g. if the company itself finds the vulnerability and nobody outside knows about it.
    • Making vulnerabilities public puts the ecosystem at risk and is definitely unethical - not to say criminal.

    Recent history has shown that there are people who start to look for vulnerabilities for a living - not being paid by the vendors (e.g. I hire somebody to find the problems at my house) but on their own. They then wanted to sell them to the vendors. Our policy here is crystal clear: we do not buy vulnerabilities. We acknowledge the finder in the bulletin. Additionally, we bring them together with our executives and developers at a conference called "BlueHat". As selling to the vendors did not work, they sold them on eBay. eBay acted responsibly and blocked these auctions. The "highlight" now is a new auction site I found, auctioning only vulnerabilities. They have an interesting ethics statement: "xyz is aiming to a single moving target: to bring the world closer to zero risk. If the world must become a safer place, the first part of the recipe is simple: to provide a better rewarding for the security researchers, organising an efficient and transparent marketplace, here to maximise the results of their efforts." But going back to the house analogy: if I do not ask anybody to look for vulnerabilities in the concept of how I defend my house, and somebody finds one and then wants money for it - that looks to me like blackmail.

    Coming back to ethics: why is it always so different on the Internet? Why do people think that selling "vulnerabilities" of my house would be blackmail, but selling software vulnerabilities is making the world a "safer place"?

    Last but not least: are you sure who is buying the vulnerabilities? Are they criminals? Are they willing to fix the problem? The auctions started at around €500 and they actually have bidders already…

    At least it seems that I have a different set of values than they do, but this might be the reason why I work for Microsoft. If you remember the pillars of Trustworthy Computing: Security, Privacy, Reliability, Business Practices - and these practices definitely do not fit our values.

    Any thoughts?

    Roger

  • How to React on Malware Attacks

    Often small and medium businesses do not have IT resources available, and if they have, the person is an IT generalist. We try to help these kinds of people to get structured and organized around the core security challenges. Therefore we published yesterday the Malware Removal Starter Kit with a lot of information around incident response. I personally think that even the bigger medium-sized companies can take some lessons from this document.

    Roger

  • Buy Your Enigma

    It is probably the most important and best-known encryption device ever: the Enigma – the machine that had a strong influence on WWII. Now you can buy your own Enigma on eBay: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=270146949978

    Roger

  • Security not only a Microsoft problem – iPhone finally rooted

    It was to be expected – not because Apple built bad security into their iPhone, I am definitely not in a position to judge, but because it was going to happen. Any software product is going to have vulnerabilities, as a matter of fact. The more attractive a device or a piece of software is, the more likely it is that the bad guys look at it and publish exploits and vulnerabilities – and the iPhone is very much at the top of this list.

    We have been blamed for several years now with regard to security and we have been the key focus of this movement. We accepted this and changed heavily. During my first speech about Trustworthy Computing about 5 years ago I said that the whole industry would finally have to move…

    Read for yourself about the iPhone: IPhone Flaw Lets Hackers Take Over, Security Firm Says. One quote actually underlines my statement above: "Windows gets hacked all the time not because it is more insecure than Apple, but because 95 percent of computer users are on Windows," he said. "The other 5 percent have enjoyed a honeymoon that will eventually come to an end." – this quote is from Aviel D. Rubin, Independent Security Evaluators' founder and the technical director of the Information Security Institute at Johns Hopkins University.

    Roger

  • Only the Easiest Way is the Secure Way

    We, being security professionals, are often "just" looking for the most secure way to implement a certain task. Often we tend to forget the user when we implement these measures. I once visited a customer who showed me their ultimately secure solution for doing VPN and accessing mail:

    • Boot the computer
    • Log on
    • Start Virtual PC
    • Start the secure OS
    • Log on
    • Within the secure OS, open VPN
    • Within the secure OS, start the mail client

    Tell me which average user understands what I just described. And the next question arises immediately: how do you transfer data from the "secure" VM to your machine? I know that this works, but how do you explain it to the average user…

    A similar problem is discussed with the banks: the least trustworthy part of Internet banking is outside the control of the bank: the user and the user's PC. So, how to address this? Well, in Western Europe two-factor authentication is definitely the standard, which addresses at least part of the phishing attacks – but unfortunately they get more and more sophisticated: we see targeted Trojans attacking just a single bank, installing a browser add-in and doing a man-in-the-middle right within the browser, after the second factor has been entered. How to address this? The banks are thinking about virtualization. So, the same scenario as described above – and you will definitely lose my mother as a customer, as she will not understand what to do. Internet banking is a huge saving for the banks and therefore they are really reluctant to change anything in their systems that would make customers move back to traditional banking – they would rather risk losing some money.

    So, what are the approaches we see?

    • Accept the fraud and live with it
    • Make the customers pay for the loss of money as well if they act irresponsibly (today, the banks usually refund the lost money)
    • Use virtualization and risk losing some customers
    • Use something like Terminal Server Application Mode, where the user just accesses the application sitting on a Terminal Server. In the future he/she will not see a difference between online or offline
    • Boot from a special CD

    Option 1 is what we are doing today: close the eyes and make sure the press does not talk too much about it. This is paradise for the bad guys – they will never get prosecuted…

    Personally, I think that option 2 will start to come up (in combination with other measures) – at least partially, and I think it is right. Why should Internet banking users care about PC security if there is nothing in it for them? However, this is dangerous. We have already seen successful attacks on Windows XP SP2 machines where one would have to say that the user did everything we told him/her to do: the firewall was on, the machine was patched and AV was up-to-date. The only problem he had: he was local Admin – but who isn't at home? Windows Vista will definitely make it harder to get malware installed, but until then we should not make these users pay for getting malware installed. But there are a lot of other users who do not care at all, and they shall pay for their negligence!

    Options 3 and 4 will have some future, as the application is not within the control of the user anymore – but it has to be seamless for the user. My mother shall not see the difference between Microsoft Word on the local PC and the banking application running remotely or virtualized.

    Option 5: well, tell my mother that she shall prepare her payments on the PC, then reboot with a special CD to do Internet banking – and by the way, how does the file with the payments come over to the "secure OS"? Mount the original disk? How does my mother then find the file? She just goes to "My Documents" normally… There is some research around this: Bootable disc eliminates viruses for safer banking – but in my opinion, we are addressing this problem from the wrong angle…

    Roger