Nightmare on Malware Street

The Scientific American, no less, has published an article on malware.  Not that they don’t have every right, it’s just that the article is short on fact or help, and long on rather wild conjecture.

The author does have some points to make, even if he makes them very, very badly.

We, both as security professionals and as a society, don’t take malware seriously enough.  The security literature on the subject is appalling.  It is hard to find books on malware, even harder to find good ones, and well nigh impossible to find decent information in general security books.  The problem has been steadily growing since it was a vague academic topic, and has been ignored for so long that, now that it is a real problem, even most security experts have only a tenuous grasp of it.

Almost all reports do sound like paranoid thrillers.  Promoting the idea of shadowy genius figures in dark corners manipulating us at will, this engenders a kind of overall depression: we can’t possibly fight it, so we might as well not even try.  This attitude is further exacerbated by the dearth of information: we can’t even know what’s going on, so how can we even try to fight it?

It is getting more and more difficult to find malware, mostly because we are constantly creating new places for it to hide.  In the name of “user friendliness,” we are building ever more complex systems, with ever more crevices for the pumas to hide in.

Yes, then he goes off into wild speculation and gets all “Reflections on Trusting Trust” on us.  Which kind of loses the valid points.


The truth behind the Opera unpatched vulnerability

How hard is it to get facts straight? I don’t expect vendors to admit they sat on a vulnerability for months without patching: it’s human nature to blame someone else:

Opera [...] claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Of course, when dealing with vendors, it’s always “the dog ate my homework” and “I swear we couldn’t reproduce it until it became public.”
But I’m puzzled as to why a technical reporter would just happily accept what’s being shoveled at him. For one, he could have contacted us and asked…

Here’s what really happened: We notified Opera about this vulnerability back in May. We gave them the Proof-of-Concept, disassembly, explanation and vulnerability analysis. So saying they did not have the full information is far from the truth. We didn’t ask for anything in return (we never do) but I admit we were skeptical based on previous experience with reporting vulnerabilities to Opera.
Then came the Million dollar question; we were asked if it worked on the latest version of Opera, and we said we don’t know. Since last time I checked, no one here worked for the Opera QA team, so we didn’t feel it was our job to check it. The response was typical:
“We only fix issues that are relevant to the latest version of Opera”

Followed by the all-too-common: “the items provided only cause crashes they have no intention to fix them”.

I guess they meant “we won’t fix them unless you drop a 0-day and we get a call from a computer magazine”. The Vendors-against-full-disclosure will continue, no doubt. Tech writers, get your spines refitted please: if you’re not a part of the solution, you’re a part of the problem.


A little perspective, please

In case you hadn’t noticed, Steve Jobs has died.  If you hadn’t noticed, you haven’t been on the net today.  I suspect that all the posts about him are degrading overall net performance.  I know that this is the case on Twitter: performance and posting retrieval have been iffy for at least the past dozen hours.

Steve Jobs founded and built an extremely successful company.  He had a genius for marketing, and was a dab hand at assessing style.  He had a way of creating a vision and then getting people to buy into it.  All useful skills.

However, a number of the bios and tributes are going overboard.  He is being credited with inventing computers, tablets, smartphones, operating systems, music, networks, social media, cloud, and the mouse.  I am waiting for the first person to claim that he cured cancer, completely unaware of the irony.  (Oops.  Too late.  Time magazine is claiming that most people with pancreatic cancer live five months, but Jobs lasted for seven years.  They do not note that he had a rarer, slow-growing form.)

People are getting a little desperate to think of another claim to make for Jobs.  I just read an article that said “… the man helped us write. Jobs was the first to give us a real choice of fonts, and thus the ability to express ourselves digitally …”  Siri-ously?  (Sorry.)  Jobs invented LaTeX?  Fonts?  I could make a pretty good case that fonts actually damaged our ability to write.  Have you never received one of those letters/flyers/posters made up by someone who has just discovered fonts, and uses every single one?  And, in the grip of enthusiasm, fails to include vital information?

Jobs was a leader, did some good stuff, and changed things.  Yes.  But let’s keep a little perspective, OK?


Security awareness

A recent Twitter post by Team Cymru pointed at a (very brief) debate about the value of security awareness training.  It’s an issue that has concerned me for a long time.

I got interested in security starting with research into viruses and malware.  Early on, I did a lot of work reviewing the various available products.  In the responses I got to my efforts, one point was abundantly clear: everyone, almost without exception, was looking for the “perfect” antivirus.  Even though Fred Cohen had proven that such an animal could not possibly exist, everybody wanted something they could “set and forget.”

Notice two things.  The first is that perfect security doesn’t exist.  As (ISC)2’s marketing phrase has it, security transcends technology.  The second point is that people aren’t particularly keen on learning about security.  They fight against it.  They have to be motivated into it.  And that motivation tends to be individual and personal.

Which means security awareness training is hard, and individual, and therefore expensive.  Expensive means that companies are loath to try it, in any significant way.  Hundreds of thousands or millions of dollars can be spent on a raft of security technologies, but security awareness programs can only get a budget of a few thousand a year.  Which means they can’t be individual, which means they won’t work very well, which means companies aren’t willing to try them.

The default position people take is to resist security awareness.  They don’t want to know extraneous stuff.  They just want to get on with their jobs.  So, even if you were to produce a really good security awareness program, there would undoubtedly still be some who would resist to the end, and not learn.  They wouldn’t benefit from the program, and they would still make mistakes.  So security awareness training won’t be perfect, either.  Sorry about that.

However, I’ve noticed something over the years.  I get asked, by all my friends and acquaintances, for advice about virus protection, and home computer protection.  Some learn the ins and outs, the dangerous activities, the marks of a phishing email message.  They never ask me to clean their machines.  Some just ask about the “best” antiviral software.  Usually after they’ve asked me to clean off a computer.  I identify what they’ve got, and tell them how they got it.  You shouldn’t [do music sharing|do instant messaging|go to all those weird Websites|open attachments you receive] I tell them.  They always have reasons why they must do those things.  (Not very good reasons, mind you, just reasons.)

You know that old medical joke about “Doctor, it hurts when I do this” “Well, don’t do that”?  It’s not funny.

People ask me what antivirus program I use at home.  Very often I don’t use one, unless I’m testing something.  (At the moment I’m testing two, and I’m about ready to take both of them off, since both of them can be real nuisances at times.)  There are long periods where I run without any “protection.”  I know what not to do.  My wife knows what not to do.  (After all, she read my first book seven times over, while she was editing it.)  We don’t get infected.  Not even by “zero days” or “advanced persistent threats.”

Security technology isn’t perfect.  Security awareness training isn’t perfect.  However, at present, and for as long as I can remember, the emphasis has been on security technology.  We need to give awareness more of a try.

Is security awareness “worth it”?  Is security awareness “cost effective”?  Well, we’ve been spending quite a lot on security technologies (sometimes just piecemeal, unmanaged security technologies), and we haven’t got good security.  Three arguments in favour of at least trying security awareness spending:

1)  When you’ve got two areas of benefit, and you are reaching the limits of “diminishing returns” in one area, the place to put your further money is on the one you haven’t stressed.

2)  Security awareness is mostly about risk management.  Business management is mostly about risk management.  Security awareness can give you advantages in more than just security.

3)  Remember that the definition of insanity is trying the same thing over and over again, and expecting a different result.


Get trained for emergencies

I’ve mentioned this before.

We seem to have had a number of disasters this year: earthquakes, tsunami, a few hurricanes (with one currently sweeping Japan, and another building right now off the east coast of the US), wildfires, you name it.  In the US, this is National Preparedness Month.

So this is a good time to get trained.  It gets you CPEs, usually for free.

And, in a disaster, it makes you part of the solution, not part of the problem.


If you don’t want people to know, then shut up.

The CIA is complaining that news media and other entities are giving away information about its agents and operations.

Trouble is, the information being analysed has been provided by the CIA.

If the CIA is being too eager to promote themselves, or careless in censoring the material they do provide, is that the fault of the media?

In doing the CISSP seminars, I use lots of security war stories.  Some of them are from my own work.  Some of them I’ve collected from the attendees over the years.  It’s not hard to use the story to make a point, but leave absolutely no clues as to the company involved, let alone individuals.


Computer illiteracy

I hate illiterate elevators.  I know what buttons labelled “Open Door” and “Close Door” mean.  I have trouble figuring out what two isosceles triangles with their bases towards a vertical line means, as opposed to two isosceles triangles with their vertices towards a vertical line, especially if someone is running for the elevator.  (Particularly when elevator designers insist on making the markings on the buttons chrome on chrome.)  (If I didn’t hold the elevator door for you, that’s why.)

Back when I was doing a lot of computer support and “hands-on” training I developed Slade’s Law of Computer Literacy: There is no such thing as computer illiteracy, only illiteracy itself.

Generally speaking, when I had to help someone who was frustrated because a) the computer wouldn’t do what they wanted, or b) they couldn’t understand what the computer wanted, the answer was right on the screen.  “You must enter user number to proceed.”  “Please indicate you have understood by pressing `Y.’”  “Press any key to continue.”

Windows 7 is going the illiterate elevator route.  Where the buttons on the XP taskbar had a small icon next to the name of the program or file that was open, the Win7 taskbar just has icons.  Of course, if you hover over the icon button, you get all the active windows of that program laid out for you, and the files or titles are given there.  But that doesn’t give me the quick access to exactly the window I wanted anymore.  There is an intermediate step.

(I find this is affecting my operation of the computer in unexpected ways.  I’m using the mouse more, and keyboard shortcuts less, since I have to use the mouse so much for other things.)

Of course, this is all in the name of ease-of-use.  And I dare say that the vast majority of users like it this way, and I’m an old command-line dinosaur who can’t adapt to change.

But I’ve always noted that convenience and hiding-stuff-from-the-user-for-their-own-good generally leads to security problems at some point.


New computers – Windows 7 – security and password aging

Today when I signed on I got a bit of a shock.  The computer warned me that my password was going to expire in 5 days, and I should probably consider changing it.

It was a shock because this is my computer, and I go along with current password aging thinking, which is that a) we can’t figure out who first figured that password aging was all that hot an idea, and b) if it ever was a good idea, in the modern computing environment, password aging is a non-starter.  Given that passwords should probably exceed 20 characters, and likely should be somewhat complex, trying to get people to choose a good one more than once every few years (when rainbow tables have been extended) is likely more security compromising than enhancing.

So, I went looking.  Having dealt with security for a number of years, it wasn’t too hard for me to figure out that I didn’t want the control panel (since I hadn’t seen anything along that line while I was modifying other settings), and that I likely wanted “Administrative Tools,” and under that “Local Security Policy.”  I had to read through all the options to determine that I probably wanted “Account Policies,” but, under that, it was obvious I wanted “Password Policy,” and, once there, “Maximum password age” stood out.  With no particular options or actions I went back to the menu bar until I found that “Action” had a “Properties” function, bringing up a dialogue box with an entry box with a number in it.  I figured that setting it to zero might turn off password aging, but I didn’t want to do anything that might require me to set a new password every time I signed on, so, when I saw that one of the tabs was “Explain,” I chose that.

(Allow me to digress for just a second here, and note that I suspect that the average home or small office user would not have found it easy to find this setting, and thus would have been stuck with the default.  And all that that implies.)

The explanation did confirm that setting the number of days to zero does mean the passwords never expire.  But it also told me that “It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user’s password and have access to your network resources.”

Microsoft, you’ve got to be kidding.  If an attacker has enough access to your system in order to start cracking your passwords, then they’ll almost certainly succeed within a few days.  Unless you’ve chosen a really, really good password, in which case it might be some years.  So 30 to 90 days makes very little sense.  (And, if you’re really serious about the maximum of 90 days, how come the entry box allows up to 999?)

But then, right down at the bottom, it tells me that “Default: 42.”

Oh, sorry, Microsoft.  Obviously you are kidding.  Nobody could take that seriously as a default.

(But then, why is that the default, and why is it enabled by default? …)

The issue prompted a little more thinking on my part.  Was it really 37 days (42 minus 5) since I’d installed the machine?  Ah, but then, it couldn’t be.  As previously noted, I had to take it back to the store to clear up some OS registration issue.  They, of course, didn’t ask what password I’d set, they just blew off the passwords.  So, the 37 days would start from that point, wouldn’t it?

Well, apparently not.  When I checked my journal, it was obvious that the 37 days started when I first started setting up the computer, not when the store eliminated the passwords.

Interesting version of “history” there, Microsoft …


The “Immutable Laws” revisited

Once upon a time, somebody at Microsoft wrote an article on the “10 Immutable Laws of Security.”  (I can’t recall how long ago: it’s now listed as “Archived content.”  And I like the disclaimer that “No warranty is made as to technical accuracy.”)  Now these “laws” are all true, and they are helpful reminders.  But I’m not sure they deserve the iconic status they have achieved.

In terms of significance to security, you have to remember that security depends on situation.  As it is frequently put, one (security) size does not fit all.  Therefore, these laws (which lean heavily towards malware) may not be the most important for all users (or companies).

In terms of coverage, there is little or nothing about management, risk management, classification, continuity, secure development, architecture, telecom and networking, personnel, incidents, or a whole host of other topics.

As a quick recap, the laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

(Avoid malware.)

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

(Avoid malware, same as #1.)

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

(Quite true, and often ignored.  As I tell my students, I don’t care what technical protections you put on your systems, if I have physical access, I’ve got you.)

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

(Sort of a mix of access control and avoiding malware, same as #1.)

Law #5: Weak passwords trump strong security

(You’d think this relates to access control, like #4, but the more important point is that you need to view security holistically.  Security is like a bridge, not a road.  A road halfway is still partly useful.  A bridge half-built is a joke.  In security, any shortcoming can void the whole system.)

Law #6: A computer is only as secure as the administrator is trustworthy

(OK, there’s a little bit about people.  But it’s not just administrators.  Security is a people problem: never forget that.)

Law #7: Encrypted data is only as secure as the decryption key

(This is known as “Kerckhoffs’ Law.”  It’s been known for 130 years.  More significantly, it is a special case of the fact that security-by-obscurity [SBO] does not work.)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

(I’m not sure that I’d even go along with “marginally.”  As a malware expert, I frequently run without a virus scanner: a lot of scanners [including MSE] impede my work.  But, if I were worried, I’d never rely on an out-of-date scanner, or one that I considered questionable in terms of accuracy [and there are lots of those around].)

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

(True.  But risk management is a little more complex than that.)

Law #10: Technology is not a panacea

(Or, as (ISC)2 says, security transcends technology.  And, as #5 implies, management is the basic foundation of security, not any specific technology.)


Application complexity

Complexity is the enemy of security.

I always emphasize that point in the app sec domain when we have those two adjacent slides showing the old system/application environment, and the new.  I also point out that the “new” is now rather old.  When trying to update that slide I came up with eleven different levels without half trying.  Then, of course, you have to add bi-directional arrows between all adjacent components, and between all components on a given level, and between most components on adjacent levels.  Gets convoluted real fast.

Went to a real-time/component trade show recently, and was talking to some people who did embedded systems.  One of their promotional handouts shows a model that has six layers.  (And, of course, you have to add bi-directional arrows between all adjacent components, etc.)  And that’s just for “simple” embedded devices.

We seem to have lost the KISS battle a long time ago.  I guess now we have to try for KIASAPS (Keep It As Simple As Possible, Stupid).


Gartner on Vulnerability Assessment

For years, Gartner has been recommending VA/VM as the effective way to prevent successful attacks, only they’ve been a bit too low key about it in my opinion. Of course as a VA vendor I’m not even going to pretend to be objective here, but I always wondered if the fact most leading vendors are relatively small made Gartner pay less attention to the field.

Whatever the reason was, Gartner just came out with Strategies for Dealing with the Increase in Advanced Targeted Threats.
Here are some nice quotes; I especially liked the one about 0-days. I’m in complete agreement with all of them:

Quotes from this article (emphasis is mine):

Enterprises need to focus on reducing vulnerabilities

“There are existing security technologies that can greatly reduce vulnerability to targeted attacks.”

“… the real issue [is] focusing on the vulnerabilities that the attackers are exploiting.”

“The reality is that the most important issues are the vulnerabilities and the techniques used to exploit them, not the country that appears to be the source of the attack”

“Own the vulnerability; don’t blame the threat: There are no unstoppable forces in cyber attacks” (this one should be printed on T-shirts).

“If IT leaders close the vulnerability, then they stop the curious teenager, the experimental hacker, the cybercriminal and the information warrior”

“Many attacks that include zero-day exploits often use well-known vulnerabilities as part of the overall attacks.”


Blow your own horn

At a local conference, one presenter had a topic of “Blow Your Own Horn.”  The point was to be ready with some kind of success story (any kind of success story) ready for presentation.  Elevator pitch level stuff, except you aren’t selling anything specific, just success.

For example: “Last year you (the Board) approved purchase of a $50,000 licence fee for AV software on the email server.  This past month, records show it stopped 1 million viruses, which would otherwise have gotten through.  Had they been run, they would have cost $500 each (estimated industry average) to clean up.  Therefore, your prescient decision to spend $50,000 has returned $500,000,000 to the company.”

(OK, yes, any infosec professional knows the holes in that logic.  And you are turning it so that you are crediting the Board with what should be *your* success.  But you get the idea.)

I suggest everybody have a file in some readily accessible drawer, for scribbling down any idea you come up with along these lines, using company specific data.  One idea per page.  Any time you get called to the Boardroom (or, depending upon how many ideas you can come up with, any meeting) grab a sheet and read it in the elevator.  Whatever they asked you to talk about, walk in and start off with, “Thank you for your interest in X.  Before I begin, I’d like to let you know that, because of our investment in a $2,000 course in Ethereal, for one of the net sec admins, last April’s intrusion was detected within 5 hours, and we were able to ensure that all servers were hardened against that particular attack within only a further 12 hours, all within house.  Normally such an attack would be undetected for three days, and would have required outside help at a usual cost of $7,000.”

(Yes, this gets down into the weeds in regard to architecture, but security is a lot more about politics than technology.  And people love stories.)


New computers – Windows 7 – compatibility (4) – oddities

A few interesting … “undocumented features” of Windows 7 observed in the last couple of days.

One is that Windows 7 seems to have a great deal of difficulty remembering the window settings (placement, size, full screen, etc.) for non-Microsoft software.  Not terribly important, perhaps, but greatly annoying, and new to Windows 7.  (XP had some faults in that regard, but nothing like Win7.)

I plugged in one of my cameras this morning.  Normally this would just be plug and play.  However, I couldn’t find any entry for it in Windows Explorer, even though the computer had said that the new device was found, and the driver successfully installed.  Unplugged and plugged again, and it still wouldn’t play.  Finally went looking for devices and printers, and, under removable storage it simply did not appear.

However, I noticed that one of the other devices had an oddly familiar name.  When I clicked on that, I noticed that one of my mapped network drives was no longer that network drive, but the camera.  Very odd.

(I must say that, once I found out [via Google, not Microsoft Help] how to access it, I very much appreciated the fact that you no longer have to go through contortions to get yourself a command prompt function via Windows Explorer.  A “Shift-context menu” seems a bit arcane, though …)


New computers – Windows 7 – compatibility (3) – Epson (and hardware in general?)

Having gotten some of the software and XP Mode problems out of the way, I now need to install some of the old (and some new) hardware to the new desktop.

The HP LaserJet P1005 installed just fine as soon as it was plugged in.

I suspected that the Epson Stylus CX6400 wasn’t going to be quite so simple, since I recalled having to run the install software before I connected it the last time.  And, yes, sure enough, the installation software (once I found the old CD and instructions) didn’t run under Windows 7.

So, off to Epson.  I checked under Drivers and Support, specified my “All-in-One” (it’s got a printer, a scanner, and some memory card readers), and asked for Windows 64-bit drivers.

Now out of Epson EasyPrint v3.10, ICM Color Profile Module Update v1.20, TWAIN Driver and EPSON Scan Utility v3.04A, TWAIN Driver and EPSON Scan Utility v2.68A, and Printer Driver v5.5aAs, which would you pick?  Yeah, I didn’t know either, and the descriptions weren’t an awful lot of help.  But I knew (from the dim and distant past) that TWAIN (we used to say that it stood for “Technology Without An Interesting Name”) had something to do with scanners, and the v2.68A was listed for 64-bit only, so I chose that.

It ran.  After a while I got the scanner part of the Windows Fax and Scan program.  It didn’t have many options.  Epson Scan had been installed, but it insisted that it couldn’t run, and Epson Scan Settings insisted the scanner wasn’t installed.  I used the troubleshooter (seemingly provided by Epson) but it was no help.  I rebooted the computer: that was no help.  I tried help and searching on the Epson site: you guessed it, no help.

I did some Google searching.  Found a mention of device drivers, and having to uninstall the Microsoft brand, and install the proper Epson driver.

Well, thought I, I installed this with installation and setup stuff from Epson: surely Microsoft wouldn’t have messed it up in that short time.  But I had a look at Device Manager anyway.

And, lo and behold, the driver that was installed was signed by Microsoft.  Uninstalled that, searched the disk for related drivers, found two.  One was for CX6300/CX6400, and one just for the CX6400, so I installed the latter, on the theory that the more specific was more likely to be from Epson.

And now Epson Scan is happy to run.

(I also installed the original XP software from the CD within XP Mode.  That didn’t work …)


New computers – Windows 7 – XP Mode oddities

There are some … interesting aspects to running XP Mode.

If you are running XP Mode in a window within Windows 7, the “Windows” key on the keyboard brings up the Start menu on Windows 7, rather than XP Mode, even if XP Mode is the active window.  I suppose that is reasonable, since the Windows key seems to override pretty much anything else that is happening at the time, although it’s annoying that you can’t use the keyboard shortcuts for things like opening Windows Explorer and issuing the “Run” command.

What seems a little odder is that the F1 key seems to be sent to both Windows 7 and XP Mode if XP Mode is the active window.  Whatever action you wanted with F1 within XP Mode (and the active program there) takes place, but you also get the Help box for XP Mode itself (which can also be annoying.)

The Shift-Tab for switching between windows also immediately shifts you out of XP Mode and into the next Windows 7 window.  (Understandable, I suppose, but arrgghh!)

You can, of course, avoid these difficulties by switching into Full Screen mode.  Unfortunately, Windows Virtual Machine seems to have some problems there: it seems to momentarily lose all the “integration” functions, and has to re-enable them.  This seems to result in strange effects, such as the loss of access to shared drives (so, if you were pointed at a specific directory, when you switch you are no longer “there”).


New computers – Windows 7 – compatibility – XP Mode – crash (2)

Well, further observations on XP Mode.

It may be necessary, but it’s touchy as all get out.  Also, so far I have not found anything that seems to be willing to do a restore.  There is a function called “Undo Disks,” but that possibly makes the system less stable when it is enabled.  More on that later.

After the crash on Gloria’s account, I found where the files were, particularly the disk file.  Since I had my account working, and since I had already applied all the Windows Updates to it, I copied my disk file to her directory.

It fired up just fine, and I made the necessary changes, setting it to her preferences and installing and testing some programs she wanted.  I tested the program setup, and everything seemed to be fine.  So I shut the program down.

It came up again demanding a username and password.  No matter what I tried, nothing worked.

So, I tried copying my disk file over top of hers again.

(Let me say, at this point, that all this is taking much longer than would be evident.  The disk files are enormous, multiple gigabyte files.  Just copying them takes about a quarter of an hour at times.  Also, each time you shut down, and start up, the virtual machine, it takes at least five minutes just to start.)

I got the same kind of crash as before, a missing file.  Different file, but same result.  No possible way to get it to start.  By this time I had found the setting that allows me, when closing the system, to shut it down, rather than just hibernating it.  (If you allow it to hibernate, it is, as far as Windows is concerned, still running, and therefore cannot be messed with.  Or fixed.)

By this time I had found the original, plain jane, basic, vanilla XP Mode virtual disk file.  It is stored elsewhere on the computer.  So I tried getting rid of some of the (obviously corrupted) working files, and tried to start from scratch.

Somehow this has created two virtual XP Mode “machines.”  Well, if one of them will keep working, it may be worth the wasted disk space.

Ah, yes.  I promised more on “Undo Disks.”  Given the name, you would think that this would allow for a sort of restore point type situation.  Well, it does, but it does it in a fairly kludgy manner.  If you enable Undo, the virtual machine, when you make a change to the disk (write a file, modify settings, whatever), the change isn’t actually made on the virtual disk.  It’s held in a separate file.  You can see that this might create problems, since the system has to read the basic virtual disk file, and then has to read the diff file, as it were, and apply the changes as a kind of journalling.
