Monday 29 September 2008

You are the weakest link (r)

You know, one thing about blogs is that it is hard to make plans about what you will write. I was all set to talk about mechanisms used by bad people to get software to run on your machine. Maybe that software would be a bot or maybe it would be a remote admin tool or maybe a bot that has remote admin facilities… but all bets are off once malicious software is running on the system. The 10 immutable laws still apply. Which 10? These 10. .

To save you looking, here they are in full. They are things of beauty to me.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Notice that the word “Windows” does not appear in this list. There is nothing specific to any operating system here. These apply to Linux and Unix and any other system that you care to name.

Clearly law #1 applies. If there is someone else’s program running on your system then you have less control over it than you should and someone else has more than they should. This isn’t quite as true as it used to be. If a program is running in a sandbox or with reduced rights and there are no elevation of privilege vulnerabilities then it may be that it can’t do any real harm without a little social engineering. Of course, a lot of installers work by using a little bit of social engineering.

Law #2 is really an extension of law #1. Pretty much all of the operating system that people see is user mode programs so there is no practical difference between a hacked OS component running with your rights and wholly new component. Of course, in kernel mode, a malicious component completely owns the box.

Law #3 is a good one. I had cause this weekend to bypass the security on a network of Vista machines. I did it for perfectly legal reasons, with the owner’s permission and without using any trade secrets. It was an extortion situation. How did I do it? There are a number of ways if you have unlimited physical access. Of course, it is a heck of a lot harder if the system is secured with Bitlocker. Some of the techniques involve a screwdriver and some just need some fiddling about. Why was it needed? The owners were the victims of social engineering. I referyou to rule #6.

Law #4 relates to letting people upload programs to your website. Well, the website is just a computer when all is said and done so this is something of a rehash of law #1 – except with a twist. If he makes it content that can be downloaded to others, you have potentially allows hundreds or thousands of other systems to be infected. These are likely to be the systems of your customers, the nice people who give you money for things. They are not good people to upset. Hackers are big fans of this approach, not least because people are more likely to trust components downloaded from your site than some previously unknown site. Social engineering is a big factor in this too.

Law #5 is perfect. Weak passwords trump strong security. Amen, brother. If you are like me, you will look away when people type their passwords but I bet that you know a few that belong to friends or family or colleagues. Spouse’s name and the year of marriage? Eldest son? Youngest daughter? Pet’s name? Would the information be on their MySpace or Facebook page? The easiest of all were the 4 digit passwords that travel agents used for the old teletext services that they used way back in the day. There was one 4 digit number that every ABTA travel agent knew – their ABTA number. It was displayed on the wall .Oops!

Law #6: A computer is only as secure as the administrator is trustworthy – ah yes. Who watches the watchers? QUIS CUSTODIET IPSOS CUSTODES is the original from the Roman poet Decimus Lunius Luvenalis who died in the second century AD. If your administrator feels aggrieved then passwords and biometrics will not serve you. Of course, he might be a wonderful person who loves the organisation but there are ways of turning a man. Better to have two, one to watch the other. Of course, that reminds me of the old Russian joke. Why do KGB officers go around in threes? One who can read, one who can write and one to keep an eye on the two intellectuals. Is this really one for social engineering rather than a technical point? Yes, seems to be.

Law #7: Encrypted data is only as secure as the decryption key. This is true. There is a technique known as rubber hose cryptanalysis. It is a simple technique. You beat the person who knows the key until they tell you. A variant much loved by a certain section of society is to kidnap the family of the person that you want to control. Security is not always a field that shows you the best that people have to offer. A simpler and more common vulnerability is to simply have the key written down. This is a good sensible thing to do. It is important to store it somewhere safe though. A post-it note under the keyboard is not a safe place unless it is a very secure facility and even then… Anyhow, a pure social engineering point again.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all. Ah, a technical point at last. Older viruses are not much of a risk these days. You won't get them on email because the server will filter them out. You are unlikely to find them on a website because it makes more sense to put a recent one up there instead. Even if you somehow got Sasser onto a modern PC, it couldn't spread because it relies on vulnerabilties in products that have long since been replaced as obselete. Also, most malware is fairly new because the rate at which variants are written is ever increasing. Of course, you do need to check for the older ones as well but they are a minority case.

Law #9: Absolute anonymity isn't practical, in real life or on the Web. This is the one that has weathered the storms of time least well. It is still true but the key word here is “absolute”. You can use an anonymous proxy if you would like. There may be records kept by the proxy provider though and there are forensics to be examined on the local PC – though there are ways around that. Some proxy providers claim not to keep records. Some promise that all logs get wiped. Of course, there may be a record that your system connected to that proxy. Personally, I don’t worry too much about this since I am pretty open. People know where to find me. My phone number and address are not hard to locate. The scary people would find out anyway. I only conceal information that is not mine to share.

Law #10: Technology is not a panacea. Ah, how true. You can not make a system fool proof because fools are so ingenious! The better the security of the technology, the more you target the user. Social engineering is such a great tool.

Of course, that doesn’t mean that a buffer overrun is not going to allow a worm to spread across the world in hours or days. We need to guard the doors and the windows of the house. However, it does occur to me that it is harder to apply a service pack to people than servers. We need to educate people but we also need to make it easier to do the right thing and harder to do the wrong thing.

These are interesting times, my friends.

Signing off,
Mark Long, Digital Looking Glass

No comments: