July 9, 2012

I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.

A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).

BK: How did you get started in computer security?

Grossman: For me it was…I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don’t know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn’t go to college to be infosec pros, it just kind of happened. They followed opportunity.

BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?

Grossman: It’s tough to give solid advice without knowing more about a person. For instance, are they interested in network security or application security? You can get by in IDS and firewall world and system patching without knowing any code; it’s fairly automated stuff from the product side. But with application security, it is absolutely mandatory that you know how to code and that you know software. So with Cisco gear, it’s much different from the work you do with Adobe software security. Infosec is a really big space, and you’re going to have to pick your niche, because no one is going to be able to bridge those gaps, at least effectively.

BK: So would you say hands-on experience is more important than formal security education and certifications?

Grossman: The question is, are people being hired into entry level security positions straight out of school? I think somewhat, but that’s probably still pretty rare. There’s hardly anyone coming out of school with just computer security degrees. There are some, but we’re probably talking in the hundreds. I think the universities are just now within the last 3-5 years getting masters in computer security sciences off the ground. But there are not a lot of students in them.

BK: What do you think is the most important qualification to be successful in the security space, regardless of a person’s background and experience level?

Grossman: The ones who can code almost always [fare] better. Infosec is about scalability, and application security is about scalability. And if you can understand code, you have a better likelihood of being able to understand how to scale your solution. On the defense side, we’re out-manned and outgunned constantly. It’s “us” versus “them,” and I don’t know how many of “them” there are, but there’s going to be too few of “us” at all times. So whatever your solution is or design criteria, you’re going to have to scale it. For instance, you can imagine Facebook…I’m not sure how many security people they have, but…it’s going to be a tiny fraction of a percent of their user base, so they’re going to have to figure out how to scale their solutions so they can protect all those users.

BK: What kind of programming languages do you think are most relevant, useful and applicable to today’s environments?

Grossman: Learning to program in something, anything, is really helpful. My personal preference is JavaScript and browser-based languages. That seems to be the future, and it’s also what I like to code in. But it’s good to know software — for example .NET and Java on the server and JavaScript on the client.

BK: What’s the best way for people who already have coding skills to cut their teeth on security work?

Grossman: If they’re at an established organization, they can go to their security department and ask how they can get involved. If they can code, believe me there’s stuff they can do in security to help automate the process. Most every place that has a CSO or IT department where they do some stuff in security, someone interested in this field could ask to take on some projects to start cutting their teeth – code some things and implement things, and start that way. At least for me, I find learning on the job far superior to going back to school or going to get a cert. Just try to start finding areas where you can add value.

BK: I’m guessing you’re not big on certifications?

Grossman: At least in security, I never had one. But I might be an anomaly. A lot of people that have them seem to derive value from them. But I hire people all the time, and I never gave a crap about security certs.

BK: Well, then how do you determine whether someone knows what they’re doing or talking about?

Grossman: I think we’re the exception and not the rule, but we try not to hire security people, because they have bad habits. We prefer to train our own. So we’ll take programmers or computer science students and train them in our way of security. But again, other Fortune 500 companies, I’ve heard CISSPs are mandatory. For good or bad reasons, it is what it is.

BK: So is Web application security where it’s at? Is this a relatively safe field for people to specialize in?

Grossman: It seems to be. It’s probably not the only one. But Web security is a subset of all application security, and anything in appsec seems to be hot. Finding 0days, working for governments, things like that…those seem to be pretty interesting, up-and-coming fields. VUPEN is on the record saying they wouldn’t sell their Google Chrome 0day for a million dollars, because they’re going to get more money from other governments. And the field of exploit writing and development has gotten a whole lot of PR recently with Stuxnet and Flame and Duqu and all that.

BK: I would think you’d have to be fairly advanced at what you do to play in that field, no?

Grossman: Well, I think if you’re a really good, let’s say C# developer, and you know the guts of ASLR and DEP, I don’t think it’s more than a couple of months past that point to actually understand how to go about finding vulnerabilities and exploiting them. I don’t do that myself, but there are a couple of core technologies that you absolutely must learn to do this stuff.

BK: But if nobody is teaching security and programming securely, how do people — even if they endeavor to grasp something like C# and understand how it’s supposed to be written — how can they be confident of learning it well enough to find the bugs in the security stuff? Or should they be thinking about that from the get-go — to question their own assumptions?

Grossman: What’s interesting is that, of all the new 0days that are coming out, none of them are using new techniques. They’re using techniques that are already well known, and then chaining them together. I think it was a 19-year-old kid who won a competition this year at CanSecWest by chaining together [a number of] bugs to make a full bypass in Google Chrome’s security. It only gets difficult when you’re finding a brand-new technique and bringing the industry forward. But if you’re willing to research all the white papers and read about the different ways to manipulate software…it’s only the first time that’s hard. The second time is easy. If you’re building the next Stuxnet for the government and you need to find some zero days to do so, you don’t need to break new ground. You just need to use some known techniques in the existing software to find bugs no one else has found yet. And they’re there.

BK: So, focusing on finding zero-day vulnerabilities is a career path you’d recommend in infosec?

Grossman: For better or for worse, ethics or not, this is the future that we’re going to have to deal with in infosec. A recent quote resonated with me, by Haroon Meer; he said everyone is one zero-day away from compromise. And if that’s the case, if you take a particular piece of software, whether it’s Flash or IE, ask yourself what does a zero day cost? And that cost is how much money it takes to break into a target, provided they have perfect security today.

BK: What advice would you give to folks who want to get hands-on and learn how to break and fix stuff?

Grossman: It depends on what they want to break, whether it’s web sites or, say, mobile devices. OWASP has something called WebGoat, which is something you can install yourself to practice your hacking skills on. It’s a purposely broken webapp, and you can use it to start learning some tricks. If you want to do some live exploration, there are a number of sites out there that let you safely, legitimately hack them. Google, Facebook, Mozilla, and you can try your hand at it. There are a bunch of them listed at Dan Kaminsky’s site. Some will pay you money if you find and report bugs, and some won’t. But either way, they’re public and they’re legal. They all have bugs, and it seems like at least one is posted in Google like every week or two.

BK: Well, you know what they say: It’s not what you know but who you know. Any advice for getting to know some security geeks who might one day introduce you to your future boss?

Grossman: That’s easy…go to a security conference. They’re not all expensive. There are at least one or two every week now, all over the world and in just about every country. I think 200-300 days out of the year there’s a security conference going on.



25 thoughts on “How to Break Into Security, Grossman Edition”

  1. Tim

    The thing that seems to be missing from this series of posts is the requirement for, in addition to technical skills, common-sense business skills such as good communication, business awareness, project management, general interpersonal skills…etc.

    If you work in InfoSec for a large company, you’re going to be involved in many implementations such as DLP, encryption solutions, SIEM, IDS/IPS, web content filtering, endpoint management, etc.

    Implementing these solutions means that you will need to be able to communicate effectively with both the business managers (who will be complaining that you’re making their lives more difficult) and the various infrastructure teams (who will be complaining that you’re going to be messing with their precious systems).

    I have come across numerous IT pros in my career who were true technical geniuses…but who failed utterly at what they were trying to achieve because they could not communicate to business managers what they were doing and why they were doing it and managed to piss off just about everyone they worked with.

    By all means learn to code and get certified…but if you can’t manage the basics of how to understand the business you’re supporting; how to manage a project properly and how to communicate, you’re always going to be struggling.

    Tim

    1. Terry Ritter

      @Tim: “The thing that seems to be missing from this series of posts is the requirement for, in addition to technical skills, common-sense business skills”

      Another thing missing is a larger view of the industry itself: Does the computer security industry *really* want to stop attacks, or does it enjoy malware as a sales tool? After all, nobody is going to be selling much security software if users are not being frightened half to death.

      Suppose the industry found a way to defeat attacks and malware; would they open that to society, thus putting themselves out of business? And if not, does an industry which embraces problems for their users deserve any respect at all if they manage to solve some?

      It does not take a security genius to realize that if users could just reboot their computer before banking to be secure, we would not have the problems we have. Unfortunately, a simple reboot does not create security on ordinary computers because our hard drives are easily infected. The main security problem is thus hardware, not software (and not even the user), yet all we hear about for computer security employment is software (and now business) expertise.

      Two decades of malware and software design experience testify that even periodic OS re-design, with frequent patches and add-on software cannot deliver a secure system. OS-enforced “privilege” levels become useless when the OS has been subverted or “owned.” Sandboxes are effective until it becomes worthwhile for attackers to break that code. 2-factor authentication and SSL seem secure, but only until a bot infection exposes accounts.

      And yet, even a normal computer, with the hard drives removed, booting from a “Live” DVD, can be very secure after each simple reboot. It is past time to take this seriously.

      1. Silemess

        I’m sure that there are those in the Computer Security industry that are in it for the money, who cares about actually defeating malware. But I’m equally sure that there are those who are genuinely involved and regard the paycheck as a nice side benefit (assuming that they’re even paid).

        But security is never going to be perfectly achieved. All it takes is someone subverting the reboot process (Some of the BIOS malware perhaps) and suddenly the LiveCD might have a few things riding in ahead of it.

        There’s always a way to subvert a computer because they’re utterly agnostic about where their instructions come from. We try to make sure they run only the “right” instructions, but making sure that that happens is via instructions so you’re back to a chicken-and-the-egg routine. How do you make sure that the secure stuff runs before the malware?

        1. Terry Ritter

          @Silemess. I have been talking about this stuff for years, in comments on this blog, and also in articles on my pages, so details are available.

          “security is never going to be perfectly achieved”

          There is, and can be, no absolute security. All security solutions are necessarily compromises, and security evaluations are necessarily comparative. Just because two systems both have imperfect security does not mean they are similarly “secure.”

          For example, infected computers are less “secure” than uninfected computers. Easier-to-infect computers are less “secure” than harder-to-infect computers. That means hard-drive systems are less “secure” than systems without hard drives. Also, widely-used systems are less “secure” than less-used systems, because widely-used systems are attacked vastly more often:

          Most distributed malware arrives on a computer essentially at random. The probability of malware execution can be taken as just the probability of randomly encountering a computer with one of the weaknesses the malware can handle.

          Profit is the goal. Optimal profit does not mean making every last dime. To optimize profit, malware must be designed to take over the most-likely systems, but not necessarily every possible system. Although malware might be written to handle different systems, each added option also requires continued maintenance, and for what? In most cases, it will be cheaper to slightly increase the size of the distribution than to maintain attack code for targets which contribute almost nothing to the bottom line. For example:

          As of September, 2010, “99.4 percent of malware is aimed at Windows users.” Using those figures, the ability to additionally target something other than Microsoft Windows could at most have added 0.6 percent to the expected profit.

          The McAfee Threats Report for Q1 2012 counts about 6.8M pieces of Windows malware, and about 280 pieces of Mac malware (about 0.04 percent). Adding Mac capability to malware adds almost nothing to profit.

          As a result, a user running Microsoft Windows is vastly more likely to be attacked and infected by malware than a user running some other OS. Less common software is less likely to be attacked, because it is less likely to deliver a profit from an inherently random encounter.

          The most important step for users who wish to avoid malware is not to find some magic software add-on, but simply to run something other than Microsoft Windows when on the Web. The next most important step is to use a DVD-load system, hopefully without hard drives, thus to avoid or eliminate infection.

          “BIOS malware”

          The idea of malware which re-writes flash memory BIOS code is real, but it is not clear that it is a significant threat at this time. It is vastly easier for malware to infect a universal standard like a hard drive (or a USB flash drive) than it is to identify the particular process for re-flashing a particular motherboard, and do it correctly.

          Written properly, a BIOS infection could hide in a normal system, but software is often not written properly. If the flash update is not done well, the result, as likely as not, would be a complete failure to boot from anything whatsoever. That would be a major equipment failure which we would expect to hear about, even if nobody knows why it happened. Malware makers would just ask how all this BIOS stuff would improve their profits.

          In the end, a system which supports both BIOS infection and hard-drive infection is inherently less “secure” than a system which only supports BIOS infection. A system with a hard-drive (or a USB flash drive) is inherently less “secure” than one without a hard-drive. A system which is widely vulnerable to real, in-the-wild malware is massively less “secure” than one which may (or may not) be vulnerable to theoretical threats.

          1. Silemess

            @Terry Ritter

            I agree that security is a necessary compromise. A computer that can’t be broken into is one that’s unplugged from everything, including power, and sealed in cement. Admittedly, that’s going to prove to be a problem for the user. What prompted my initial response was the broad generalization condemning the security industry. That security is that balance of acceptable risk, to lambast those who are trying to make things better because some of their peers are just trying to make a buck… that wasn’t acceptable to me.

            As for the rest: Cost & Risk vs Reward drive most interactions. So yes, Windows is going to be a prominent target for years to come. But that target could switch as soon as something else wins the cost/reward formula. Consider the development of the Android malware and its expected growth.

            To which, the wit will point out that the iPhone and its market is reasonably secure. And that goes back to our necessary compromise. Most users prefer the ability to make their own choices (Though they’d prefer not to be held to the consequences of those choices). So those who are willing to be limited to only what has been vetted as safe, will have a more secure experience even if they don’t get as much variety. Those who want variety, will also be more exposed to attack. I will be curious to see how the smartphone market develops, and whether users in this new era of computing power make a switch to protected environments or retain their desire to load and run programs/apps at their whim.

            We’ve only had a few examples of malware attacking BIOS, but that proves that it’s not been overlooked. It’s just not worth a fullscale attack outside of niche interests.

            I always remember that trite meme: “Secure, Fast or Cheap; pick two.” I prefer to switch out “fast” for ease of use. You can run a Mac, and then have the additional hurdles to deal with to connect with others. Or you can run on a Windows PC and have to deal (or ignore) the additional hurdles of protecting yourself.

            1. Nick P

              It seems Ritter’s statements on the matter still stand. I haven’t seen an alternative presented in your comment. You’ve sort of argued against his recommendations citing esoteric attacks and general principles, yet not provided anything of your own that’s better.

              ” So those who are willing to be limited to only what has been vetted as safe, will have a more secure experience even if they don’t get as much variety. Those who want variety, will also be more exposed to attack.”

              Ritter’s approach has the benefits of both. Why the false dilemma? Minor inconvenience. Only needs to be done when risk justifies it or regularly. I added periodically restoring to clean state, then applying updates. I used to do that monthly. Solves other problems too.

              “We’ve only had a few examples of malware attacking BIOS, but that proves that it’s not been overlooked. It’s just not worth a fullscale attack outside of niche interests.”

              I proposed a solution to that problem elsewhere. Yet, leaving it unsolved doesn’t detract from solutions aimed at common problems. So, it’s kind of a red herring in a discussion about fighting most malware. We deal with it when it becomes a big issue & some medium to high assurance solutions already consider it. (It’s an issue for them.)

              “You can run a Mac, and then have the additional hurdles to deal with to connect with others.”

              Another general dismissal of sorts: running a Mac involves additional hurdles. Once basic knowledge is there, most Mac users seem to do stuff quite easily. Additionally, the stuff Mac users typically do on their machine (browsing, email, media) interoperates well with Windows machines. What hurdles again? And how many does that apply to?

              “Or you can run on a Windows PC and have to deal (or ignore) the additional hurdles of protecting yourself.”

              Now, an understatement to make using a Mac and using a PC sound equivalent in issues. They’re not. Dodging malware on a PC is like walking through a minefield unharmed. You must buy security tools, use Ritter-esque strategies to defeat persistence, and so on. Mac’s market share is slowly getting them to this point, as botnets are targeting them now. Yet, until they get the attention of Windows, a lay person can safely use a Mac, but will get owned on Windows eventually.

              Note: I speak as a long-time Windows user doing involuntary tech support for friends and family, who also knows many Mac users. Plenty of first hand & second hand experience in that debate.

      2. John

        @Terry Ritter,

        I think there are enough real problems with security that the industry does not yet have a problem trying to protect their jobs. Certainly scareware vendors thrive today, but there are always unethical opportunists.

        If such a thing as to “stop all attacks” existed, don’t you think Microsoft wouldn’t have already paid a king’s ransom to roll it out to their customers? They have the most incentive to fix the issues, and would be unaffected by pressures of the security industry to “leave a few bugs for us, please?”

        What you’re really asking is for people to give up 20 years of home computing convenience in exchange for security. That’s a difficult course correction. What would be more effective, and less disruptive, would be to remove the value from the users’ computers.

        Instead of more desperate hardening of the intermediate devices (computers, networks, browsers, etc.) we should harden the endpoints that actually represent the value. The credit cards (and other financial instruments) should become sealed, tamper-resistant devices that communicate only with the banks via encryption. Tiny on-card PIN entry keyboards and little LCD screens would ensure that only trusted user input, not originating from the host computer or network, could unlock the value within.

        Then the only problem remains social engineering, in which an attacker convinces someone to transfer value to a destination other than intended. And that problem exists outside of the payment mechanisms. Technical measures might be of some help there, but ultimately it requires fixing gullible users, and we know that’s not possible.

        1. Terry Ritter

          @John: “If such a thing as to “stop all attacks” existed,”

          DVD-load systems do not, and are not intended to, “stop all attacks.” Indeed “front end” attacks via the Web will continue, as will the overall lack of success in stopping them. Instead, DVD-load systems work on stopping *infection*, making that “difficult or impossible.” Since infection is the source of most malware execution time (by causing malware to be re-loaded on every new session), stopping infection delivers massively improved “security.”

          “don’t you think Microsoft wouldn’t have already paid a king’s ransom to roll it out to their customers.?”

          The DVD-load concept is not secret, so no ransom need be paid. Surely various parts of Microsoft do realize that it is a security advantage, and that current implementations merely hint at the possibilities for fully-engaged systems using that technique. In practice, such a system might have a bank icon which would cause a reboot and connection to a bank, and then reboot again thereafter. That does not require complexity or cryptography.

          Microsoft could and should make their own DVD-load OS which would substantially improve online security for many, many users. That Microsoft could, but chooses not, to do these things, is a fact which speaks for itself.

          “What you’re really asking is for people to give up 20 years of home computing convenience in exchange for security.”

          This idea that a DVD-load thin-client system is “inconvenient,” is just nonsense. Yes, some learning is required. Some things may be less convenient. Personally, I glorify in the absence of a shutdown delay: I just turn off the power and I am gone. And having less worry about malware infection is a real and continuing plus.

          1. Nick P

            We’ve discussed this before. It’s a good idea. It does help in practice. Targeted attacks are unlikely until it’s a very widespread practice. I still prefer a user-controllable, trusted boot option. Previous discussions with others led me to believe the root of trust must be stored in ROM, with something like Flash to allow BIOS/firmware/whatever updates. Chromebooks essentially do this, I’m told, and that validates the concept.

            So, taking your idea further, I’d prefer USB or HD for speed. The LiveCD/DVDs I’ve used were horribly slow. Burning is a slow update process. The storage medium doesn’t last as long as a HD with multiple writes. A scheme like in the above paragraph gives us a start for having a way to safely load an arbitrary system image, check its validity, and run it. Quickly. From an untrusted storage source. A way to register public keys into the trusted boot process should exist.

            The cool thing about my scheme is it can be done with existing hardware. Not the non-modifiable part, of course: just a BIOS replacement that loaded & checked the *real* system from an external source, then ran it. Add the ‘Trusted Boot from USB’ or ‘Trusted Boot of Banking OS’, then we get similar benefits. The trusted firmware can check, sign and store updates. It can also optionally check to see if TCB software has been modified & disallow an update if unauthorized mods have taken place.

            All in all, it’s doable today (and partly done by commercial offerings). It also allows trusted boot of an OS for sensitive stuff without external media. It allows for quick, free updates. It’s also as convenient as dual booting. Having a trusted boot switch on the box could make it even easier. (Similar to those laptops with a main OS and a minimal, websurfing OS.)

            Thoughts?
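One way to model the “load an image from untrusted storage, check its validity, then run it” step that Nick P sketches above, as an added Go example that is not from the comment or from any product it names; the key registry, manifest layout and key ids are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyRegistry stands in for the read-only part of the firmware: the set of
// public keys a system image may be signed with, indexed by a key id.
// Registering a key is a firmware-update operation, never something the
// booting image gets to do. (Hypothetical structure for this example.)
type KeyRegistry map[string]ed25519.PublicKey

// Manifest travels beside the image on the untrusted medium (USB, HD, DVD).
type Manifest struct {
	KeyID     string
	ImageHash [sha256.Size]byte
	Signature []byte // Ed25519 signature over ImageHash
}

var (
	ErrUnknownKey    = errors.New("manifest signed with an unregistered key")
	ErrBadSignature  = errors.New("manifest signature does not verify")
	ErrImageMismatch = errors.New("image hash does not match signed manifest")
)

// SignImage is the publisher side: hash the image and sign the hash.
func SignImage(keyID string, priv ed25519.PrivateKey, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{KeyID: keyID, ImageHash: h, Signature: ed25519.Sign(priv, h[:])}
}

// VerifyImage is the firmware side, run before control passes to the image:
// reject anything not signed by a registered key, then reject any image
// that differs from what was signed.
func (r KeyRegistry) VerifyImage(m Manifest, image []byte) error {
	pub, ok := r[m.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, m.ImageHash[:], m.Signature) {
		return ErrBadSignature
	}
	got := sha256.Sum256(image)
	if !bytes.Equal(got[:], m.ImageHash[:]) {
		return ErrImageMismatch
	}
	return nil
}

// BootScenario walks four boot attempts against one registry and returns the
// verdicts in order: genuine image; image tampered on the writable medium;
// tampered image with a manifest re-signed by an attacker under the vendor's
// key id; tampered image with a manifest under the attacker's own key id.
// Keys and images are constructed here for the demonstration.
func BootScenario() ([4]error, error) {
	var out [4]error
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	reg := KeyRegistry{"vendor-2012": vendorPub} // attacker's key is not here

	image := []byte("constructed banking-OS image v1")
	good := SignImage("vendor-2012", vendorPriv, image)
	out[0] = reg.VerifyImage(good, image)

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // one byte changed on disk, manifest left alone
	out[1] = reg.VerifyImage(good, tampered)

	forged := SignImage("vendor-2012", attackerPriv, tampered)
	out[2] = reg.VerifyImage(forged, tampered)

	foreign := SignImage("attacker", attackerPriv, tampered)
	out[3] = reg.VerifyImage(foreign, tampered)
	return out, nil
}

func main() {
	verdicts, err := BootScenario()
	if err != nil {
		panic(err)
	}
	for i, v := range verdicts {
		fmt.Printf("boot attempt %d: %v\n", i+1, v) // attempt 1 prints <nil>
	}
}
```

The ordering inside VerifyImage matters: the key lookup and signature check come first so that a hash supplied by the medium is never trusted until the manifest carrying it has been authenticated.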

      3. Nick P

        I disagree about inevitability of security failure at current levels. Modern OS’s aren’t designed even to the security requirements of the 1980s (the good ones). There are exceptions. I find it very hard to believe that any hacker would be able to exploit the GEMSOS or Boeing SNS products’ TCBs. The design of XTS-400 made it quite resistant to penetration a la a Windows box. The SourceT and Multics designs were provably immune to buffer overflows (among other benefits). Trusted Xenix was immune to Setuid vulnerabilities with 2 tiny modifications to UNIX’s design. Hydra Firewall is highly resistant to subversion by design. Modern micro/sepkernel solutions & certain capability designs enforce POLA during many compromises & help secure decomposition very well. And so on.

        So, I would totally agree with you if you claimed that mainstream OS’s and software products aren’t designed in a secure way. I’d agree if you said they’re likely to get compromised. I even agree that reboots are nice. Matter of fact, academics and even moi have been pushing so-called recovery-based architectures and approaches that use that principle, but some don’t have the downtime issue. However, the reason 8-year-olds can point and click for remote compromises is due to intentionally insecure design driven by economic and psychological forces, not that things inherently can’t be done better.

        It can be done better. It was done better. There’s just not much demand for it or market for it. We can still cost effectively do better in a business setting with our tech/processes, as things like Cleanroom & INTEGRITY RTOS show. We can still immunize to certain threats with little extra cost & greatly reduce issues with others at varying costs. Until businesses & app developers learn this, periodically rebooting & clean slating a machine has proven benefits in both reducing malware persistence & improving performance/stability. THAT is true.

  2. Jay Pfoutz

    I really like the appeal of this interviewee, because of his advice towards security careers. I think that many of the best programmers and malware researchers have a bright future in the security field.

    It is easier to get a job in security with good job security (no pun intended), because the need for it is much greater.

    I agree with the scalability part, when it comes to developing security standards!

  3. Richard Steven Hack

    “we try not to hire security people, because they have bad habits.” LOL…

    “A recent quote resonated with me, by Haroon Meer; he said everyone is one zero-day away from compromise.”

    But one simple compromise is useful only if you’re a “drop shell monkey” pen tester… If you can’t exfiltrate useful data…

    This just reinforces the notion that security is a matter of preventing “compromise”, i.e., compromising one or more machines. Which leads to people buying more or less useless crap like firewalls, IDS, UTM, and other acronym-based hardware which many hackers already know how to bypass.

    If you listen to many of the presentations at hacker cons by top level penetration testers, they hardly ever use 0days any more. They don’t NEED to because security in all other respects is so poorly done.

    “And that cost is how much money it takes to break into a target, provided they have perfect security today.”

    Did he use the phrase “perfect security”? I assume he meant that as a hypothetical – because it doesn’t exist in reality.

    1. Nick P

      The funny part is that even the “mandatory” CISSP cert illustrates the importance of making every aspect of security work in a company. There is technical, procedural, legal, personal, etc. in the course materials. Then, someone from one of those companies says “yeah, they’re gonna nail us as soon as they get a 0 day.” Uh, no, one of them just came through the backdoor. No, not the “trojan horse,” the actual backdoor: he was smoking with the others dressed similarly & they thought he forgot his card.

  4. Rob

    These are great articles, you should also speak with people who have switched to management.

    I.e.: I went from being arrested as a “hacker” in 1990 to becoming CISO, as I found managing people and building companies over time was a more difficult and rewarding challenge. As much as we need highly technical and competent programmers, we need people to lead them and justify their salaries to executive management 🙂

  5. Rich

    Brian,

    I think it would be great if you could get some advice for folks who do NOT currently work in IT but are looking to make a career change.

  6. Curt Wilson

    “Security” is of course more than technical security research based around compromises or malware. If you consider the typical “confidentiality-availability-integrity” theme, you can break this into technical, quasi-technical and non-technical roles which will need to be filled across any given enterprise, carrier or elsewhere. Security research, especially the “breaking things” type of security research, is popular and gets a good amount of press, but don’t forget about the people in the trenches all over the world who are dealing with situations such as trying to root out compromises from persistent attackers. I hope that you continue this interesting series, and get more perspectives from the various areas of security. Some ideas: interviewing a CISO, talking with an Incident Response lead from a major org, someone who is doing hard-core forensics, etc. would broaden the surface. While it is of course interesting work, not everyone wants to, or needs to, make exploit code or break into systems, despite the popularity and interest of such topics.

  7. Silemess

    @Nick P

    My understanding of Terry Ritter’s proposal is that he was advocating a wholesale migration from existing OS (specifically Windows) to other systems. But his acknowledgement that targeting is based on maximum returns, so changing the ratio of user numbers to another system simply means that the other system becomes profitable to target.

    I would also like to see a solution, and admit from an outside perspective that my comments are the equivalent of saying “Do nothing.” Yet it is my concern that simply shifting the general user from one system to another is being falsely paraded as a solution. Macs have been shown to not be immune to users opening things they shouldn’t have. They also have not been worth the time to invest in attacking, yet.

    I apologize that part of our dispute comes from an apparent misunderstanding on values. My experience has been trying to talk people through the switch, usually done remotely, which adds to the complications. As I’m the unofficial tech guy for my circle of friends and family that means that I’m the one approached no matter the distance. I don’t have a Mac myself, so when I’m not on site, I have a harder time directing them to solve their problems since I can’t just look for the analog myself. Thus my reason for emphasizing hurdles. I will say that I have not had one of my Mac friends come to me with a virus.

    My reason for deemphasizing the viral risks is that the easiest way to get infected is still opening up suspicious files from email or failing to keep programs such as Flash and Java up to date. There are plenty of free AV solutions that are almost, if not as, effective as paid. Same with firewalls. The lay person wants a fire-and-forget solution, paid or not. Even though that is a terrible method for remaining secure.

    As you made note of in your conclusion, the lay person on a Mac can currently remain relatively blissfully unaware of threats because they aren’t being targeted. But that’s only currently. If there was a wholesale switch to Macs and people continued to practice poor security (or are encouraged to on the premise that they are now “safe”) then we have merely deferred the problem. A Mac’s safety from being targeted lies in the fact that so few make the switch when encouraged.

    So far, the obvious solution has been restricting access to what can be used and run. A LiveCD neatly avoids triggering whatever may have boobytrapped the user’s system (again, barring the development of a widely dispersed BIOS infection). To avoid getting infected in the first place, the iPhone app store vs Google’s app store provides the best experiment. I’d be curious to know what choices prompted the user to select their phone type, and whether they are inclined to stay with that OS or switch, given their experiences. As customers purchase apps off the store, it increases the chance that they stay locked in to that system (why switch when you’ve already invested money?). I’m worried that it’s the upfront cost that’s driving consumers to select their phone instead of the options/security choice that I would like to see.

    I apologize that I haven’t been following your other comments on this directly, I may have put my foot in my mouth if I’ve said something you’ve addressed elsewhere.

    1. BrianKrebs Post author

      Thanks for the thoughtful reply, Silemess.

      I’d just like to add a thought in response to a line of criticism I see generally in the comments here and almost every time I write about the Live CD approach.

      Many people are quite critical of the idea, pointing out the 151 ways that Live CDs could in theory be compromised, backdoored or otherwise undermined. Nobody is saying they’re foolproof, or even a desirable solution. But they are cheap and for the most part very effective. Same with the advice to bank online with a Mac vs. a Windows machine.

      To me, arguing against using a Live CD is like telling a person in a leaky boat not to get into a comparatively seaworthy rescue craft because the rescue ship might get hijacked by Somali pirates at some point.

      1. Nick P

        “To me, arguing against using a Live CD is like telling a person in a leaky boat not to get into a comparatively seaworthy rescue craft because the rescue ship might get hijacked by Somali pirates at some point.”

        haha that’s nice

    2. Nick P

      I appreciate your comment and clarifications. If he seemed to advocate wholesale migration from Windows, that might have been what he was saying & might not. He was mainly focusing on the advantages of LiveDVD-based platforms & rebooting a system.

      As for Mac, similar effect. It’s not inherently better or anything. I’d even say it’s 5-10 years behind Windows security overall. Thing is, a properly configured Mac as a solution to avoiding malware WORKS. So, might make a nice holdover until we get something better.

      “To avoid getting infected in the first place, the iPhone app store vs Google’s app store provides the best experiment. I’d be curious to know what choices prompted the user to select their phone type, and whether they are inclined to stay with that OS or switch, given their experiences.”

      It will be interesting to see the numbers. Apple has a strong review process, so it should have fewer issues. Of course, Apple’s review process is an issue according to many developers. On picking a phone, if you ask around enough, you will probably find that security is one of the least important reasons most people pick a phone. 😉

    3. Terry Ritter

      @Silemess: “My understanding of Terry Ritter’s proposal is that he was advocating a wholesale migration from existing OS (specifically Windows) to other systems.”

      Well, laying aside any “ownership,” my position is to recognize reality and use that knowledge:

      Microsoft Windows is by far the most-used OS on the Web, attackers design malware for maximum profit which means they attack Windows almost exclusively, so we can avoid almost all malware simply by using some other OS.

      “But his acknowledgement that targeting is based on maximum returns,”

      Which necessarily means that “only” the *most* common OS is attacked, because any other target is vastly less likely to be encountered. (There will be some tries on others, of course.)

      “so changing the ratio of user numbers to another system simply means that the other system becomes profitable to target.”

      Only if some OS becomes actually more popular than Windows, which seems unlikely, or at least not soon.

      “simply shifting the general user from one system to another is being falsely paraded as a solution.”

      That obviously depends upon your understanding of what a “true solution” would be.

      No operating system is, or can be, immune. Mac malware exists. Linux malware exists (at the very least for servers). At issue is what the malware owners choose to deploy:

      As of September, 2010, “99.4 percent of malware is aimed at Windows users.” That means a similar-size distribution attacking any other OS had at most 0.006 the success of a Windows attack.

      The McAfee Threats Report for Q1 2012 counts about 6.8M pieces of Windows malware, and about 280 pieces of Mac malware. That means Macs might expect to encounter 0.0004 of malware of a Windows machine.

      “My reason for deemphasizing the viral risks is that the easiest way to get infected is still the opening up suspicious files from email or failing to keep programs such as flash and java up to date”

      First, if the user is running something other than Windows when online, the attacks which do come in probably cannot run their exploit code.

      It is *possible* to build malware to attack multiple platforms, and we see reporting on that specifically because it is unusual. However, for the attacker, each platform requires separate continued maintenance, adding hassle for almost no reward at all.

      There has been some movement to exploit cross-computer execution platforms like Java, and the various scripting languages. Extending the base platform in this way massively extends the malware attack surface. Except for JavaScript, do not allow those platforms to be active while banking.

      Next, a LiveDVD is not just about preventing attack success, it is about preventing infection, even after a successful exploiting attack. Who cares what happens *after* an attack? Almost anyone who realizes that bots may hide from session to session only to pounce when a bank is contacted. By preventing infection, we prevent the pounce.

      “There are plenty of free AV solutions that are almost, if not as, effective as paid.”

      Which is to say, almost completely *ineffective*:

      “if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.”

      http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

      “If there was a wholesale switch to Macs and people continued to practice poor security (or are encouraged to on the premise that they are now “safe”) then we have merely deferred the problem. A Mac’s safety from being targeted lies in the fact that so few make the switch when encouraged.”

      But if, as you say, few make the switch, we *can* defer the problem, almost forever. We defer at least until the Mac becomes the dominant Web machine, and then we have Linux, unless that somehow becomes dominant.

      Presumably, the point of all this is to argue that, well, gee, Windows is not so bad. The facts show that Windows really is bad, though. And, in my view, no suite of add-on security software whatsoever can ever harden Microsoft Windows enough to make it safe for online banking.

      1. Nick P

        Nice post. And….

        “And, in my view, no suite of add-on security software whatsoever can ever harden Microsoft Windows enough to make it safe for online banking.”

        …very well-said. Now, just change “online banking” to “very high value assets” and the bigger picture shows up.
