SANS ISC: InfoSec Handlers Diary Blog
Illusions of security

Published: 2006-01-18
Last Updated: 2006-01-19 15:54:09 UTC
by Swa Frantzen (Version: 1)

First off, I'm not bashing vendors, pet operating systems or even people. Just trying to make people realize they might have illusions. So stop reading here if you cannot deal with disillusions.

Windows

I recently purchased a computer for my wife at a small shop. I really like the shop. They customize off-the-shelf hardware to make extremely silent, high-performance PCs. So after waiting for this new monster's parts to be collected and customized, I went to the shop to pick it up. The shopkeeper takes the time to open up the case to show their work, turns it on, and I verify the hardware properties to make sure my custom-built machine has all the right parts. All good, I still like them.

Before he turns it off though, he tells me something very worrisome. It went like: "We turned off the Windows automatic updates". I wasn't sure if I'd wipe the hard disk or not at that point, but as such things would convince me to wipe, I answered "No problem, I'll enable it when I get home, thanks for the warning". Then he goes on to explain they always do that, as "In our experience Windows Update and all those patches break more than the viruses harm you. Just add a good anti-virus program, we've already tightened up the Windows firewall. You'll be safe, don't worry. In our experience it is best to install the service packs Microsoft brings out, but stay away from the crap in between". Painfully wrong advice in my opinion, from a shop I like a lot for their hardware.

I'm very worried about the less security-savvy consumer. I'm not convinced other shops give much better advice. Sure, they might want to try to sell me an anti-virus and personal firewall bundle. So we need to get the word out to the world at large: do not believe all too easily that you are safe, no matter the fancy explanations.

  • A personal firewall will help, but it will not protect you from everything out there.
  • An anti-virus program will help, but it will be unable to protect you from everything out there, especially since new things go undetected very easily.
  • Updates from Microsoft are critical and should be installed as soon as possible after they have been released. Microsoft does not release patches unless there are exploits against it.
And yes, experience shows installing patches is one of those moments you are more likely to get a blue screen of death. But you'd get them anyway, even if you did not install the patch. It's just a sign your machine was already becoming unstable. And it is a good opportunity to rebuild the machine and install the patches. See: no problem installing the patch on a clean system!
I've seen large IT support departments switch their policy from shying away from patches to patching ASAP for their desktops/laptops. Their conclusion was simple: we have less work in total and it is more spread out if we encourage immediate patching.

Mac OS X

I myself use a PowerBook. I like it a lot but I see a few things that worry me a lot:
  • Often we get answers -even here at the Internet Storm Center with our much more security-minded population of readers- that go like "I'm using a Mac, no security worries". Why can you be so sure there are no worries? Check the number of security patches you got: they fix vulnerabilities. Well, you have security worries, just no (mass) exploits.
  • Apple is switching to Intel CPUs away from the PowerPCs. Most script kiddies out there know Intel CPUs much better than they know a G4 or G5, so exploiting it becomes much easier for them. And yes, that Intel Core Duo is a dual-core Centrino, and Centrino is exactly their cup of tea: there are plenty of machine code coders for it.
  • Apple uses open source software as a basis. One of the reasons I like OS X is exactly that it's based on BSD Unix. But that open source community fixes vulnerabilities at a very fast rate, documenting the vulnerability in the source code. Apple takes a bit longer to issue fixes for the same vulnerabilities. And that leaves a relatively long window of vulnerability to exploit.
  • Apple is gaining market share. History has shown more popular OSes get attacked more. Exploit developers like to say there are zillions of affected customers. Look at it the other way: Seen any recent high profile exploit against AIX, Windows 3.1, Ultrix, IRIX, ... ? I'm pretty sure they are not 100% vulnerability free, just not that interesting as a target.
  • Anti-virus, anti-spyware, ... software for OS X? There is such software; I tried to buy it.
    • I went to the website of a well-known anti-virus vendor, found they had something for Tiger, but when I tried to go to their consumer ordering system, I got a nice message that I needed to use Internet Explorer to order anything. Hmm, I'm happy to say I do not have Internet Explorer on my Mac, and want to keep it that way.
    • I went to the business side of their website, and unexpectedly, I could order the OS X version of their product there, and their shopping basket was working for both Safari and Firefox. Funny, it looks like it's the same software for that basket. But apparently corporate customers are not meeting the roadblock that prevents them from entering that part of the website even if they do not surf the web with MSIE.
    • They only sell their OS X product in bundles of 5 licenses. I don't have 5 Macs, just 2. Nor am I likely to buy 3 more Macs in the near future.
So, as far as they are concerned, I'm still without anti-virus and anti-spyware protection on my Mac; I guess the rest of the network will have to live with me not helping in protecting them.

So somehow we'll need to live with the constantly increasing risk and a user community that thinks it is invulnerable.

Browsers

Many security professionals will try to avoid Microsoft's Internet Explorer (MSIE). We can see this at isc.sans.org: about 50% of our hits come from MSIE, while less security-minded sites get more like 80% of their hits from MSIE.
But are those alternatives safer? Probably. Are they 100% safe? No, those browsers have all had their share of problems, and they all support executing downloaded code and tracking technology (Java, JavaScript, cookies). Add to that vulnerabilities in the code itself, and you should not feel safe surfing with any of these browsers to any hacker's website.
Even the tools used to gather known malicious content, such as wget and lynx, have been suffering from vulnerabilities.

The rest

Please, don't try to convince me your favorite OS is immune to everything.

To take just one example: Linux. Sure, it has better security because most of its users do not run it with superuser rights. But is it immune to worms, trojans etc.? No. And for the rest you'd better reread the Apple story above, as most of it applies to Linux as well.

Not even OpenBSD has a zero defect track record.

Paranoia?

There are other solutions than unplugging the network permanently. It's called defense in layers. You choose the least vulnerable, the least exposed, the least targeted, the least commonly used solution, and you choose them in layers around you so that each layer protects you redundantly. And if all fails, you are ready to mitigate the consequences, learn from the experience and rebuild.

But living with the illusion of security is the worst solution as far as security is concerned.

--
Swa Frantzen