RE: Vista Security

Posted on September 20, 2007. Filed under: Uncategorized

Today I received an email:

Dennis,

I recently attended a seminar of a consulting company pitching Microsoft. Is it true that Vista has only 11 vulnerabilities, all of which were fixed? Seemed like a low number and this pro-MS company was pushing it. Thought you may know off the top of your head.

Dave

This is my reply – and a very, very brief synopsis of my thoughts:

 

Vista has a much better track record right now – but it is also having a very difficult time getting adopted. Additionally, it has not been out all that long compared to its predecessors, so a raw count of fixed vulnerabilities does not compare like with like. Michael Howard is a very important security figure at Microsoft itself, and he has issues with the fundamental security model used in the operating system.

 

As I see it, the problems are these:

 

  • Microsoft is firmly entrenched – can you say “backward compatibility”? It must remain backward compatible; enterprises are not willing to spend billions to re-engineer their environments to work with new products, and in some cases simply cannot because of legacy systems.
  • “Developers, developers, developers, developers” – you have all seen the video. Microsoft has built its empire not so much on an OS as on a development platform. When you give developers API access to every bit in the system, you give all software access to every bit in the system; and so you have an inherent security issue right down at the engineering level.

 

Compound all of that with the fact that, unless your job has been “National Security” for the last 30 years, security is a brand-new concept, let alone an industry. And the issues are not just with Microsoft. TCP/IP is fundamentally flawed – it has no security model; it has no concept of trust, authentication or even identity (IPsec and TLS were bolted on later, not designed in). The framework for security doesn’t even exist at the network stack level – and this is the foundation we are to build upon?

 

Ken Thompson wrote about IT security in 1984 – “Reflections on Trusting Trust”. More specifically, just 23 years later, Mark Curphey (the founder of OWASP) created a project to identify all of the attacks that could make a web application vulnerable. It was known at the time as “Attack Categories”, and Jeremiah Grossman volunteered to head it up. In October of 2001 I (a co-founder of OWASP) put forth my own “Classification of Vulnerabilities”, identifying attacks by cause rather than by type of attack. It was at this time that “input validation”, a major problem in web applications, came into use as a term. However, it is really a re-identification of Ken Thompson’s earlier “Reflections on Trusting Trust”.

 

The Morris worm of 1988 – the first large-scale exploitation of a buffer overflow (a gets() call into a fixed-size buffer in fingerd); pure genius! (In fact Robert Tappan Morris is now a professor at MIT.) Buffer overflow remains a very effective attack vector to this day; but further on the network side, the litmus test of security as set forth by Stephen Northcutt is the recognition of the Morris worm – not a single firewall product, nor network device, and even most humans would not be able to recognize nor mitigate the risks of this attack today. This vulnerability class has remained unchanged since 1988!! The specific holes the worm used – the fingerd overflow and the sendmail DEBUG command – have been patched, but those are simply the attack vectors! The risk itself remains! Buffer overflows are not “solved”.
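To make that concrete, here is an added example (mine, not code from the post or from fingerd): the shape of the 1988 fingerd bug, an unbounded copy of a request line into a fixed stack buffer, beside a bounded reader that rejects oversize input. The 512-byte buffer size, the 536-byte worm-sized request and the finger query are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post: the 1988 fingerd bug in
 * miniature, beside a bounded reader. fingerd read its one request line
 * with gets() into a 512-byte stack buffer; the worm sent a 536-byte line. */

#define REQ_MAX 512   /* fingerd-sized request buffer (assumption for the demo) */

/* Vulnerable shape. strcpy() has no idea how big `line` is, so any request
 * of REQ_MAX bytes or more writes past the buffer into the saved frame.
 * It is only ever called here with input that fits; feeding it the
 * worm-sized request below is undefined behaviour and a crash at best. */
size_t handle_request_unsafe(const char *req) {
    char line[REQ_MAX];
    strcpy(line, req);            /* the defect: unbounded copy */
    return strlen(line);
}

/* Hardened reader. Network data is bytes plus a length, not a C string,
 * so take (req, reqlen) explicitly. Returns the line length copied into
 * `out`, or -1 when the line would not fit (NUL included): refuse, rather
 * than silently truncating and processing a mangled request. */
int read_request_bounded(const char *req, size_t reqlen, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return -1;
    while (n < reqlen && req[n] != '\n') n++;     /* find end of line */
    if (n > 0 && req[n - 1] == '\r') n--;         /* tolerate CRLF */
    if (n >= outsz) {                             /* would not fit: reject */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, req, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed input 1: a legitimate finger query. */
int demo_legit_request(void) {
    const char req[] = "root\r\n";
    char out[REQ_MAX];
    return read_request_bounded(req, sizeof req - 1, out, sizeof out);  /* 4 */
}

/* Constructed input 2: 536 bytes with no newline, the worm's size. */
int demo_worm_sized_request(void) {
    static char req[536];
    char out[REQ_MAX];
    memset(req, 'A', sizeof req);
    return read_request_bounded(req, sizeof req, out, sizeof out);      /* -1 */
}

int main(void) {
    printf("legit request: %d bytes\n", demo_legit_request());
    printf("536-byte request: %d (rejected)\n", demo_worm_sized_request());
    printf("unsafe copy of a short request: %zu bytes\n", handle_request_unsafe("root"));
    return 0;
}
```

The point of the bounded version is not the particular API (strlcpy, snprintf or fgets with a size would do) but that the length of the destination is checked against the length of the data before any byte is written, and that an oversize request is an error rather than something to quietly fit.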

 

There is exactly one textbook in the United States on computer security… Matt Bishop’s (Computer Security: Art and Science).

No serious study of the problem outside of his exists in the USA. Further, the press and the government vilify security professionals as evil hackers.

 

People talk about Microsoft, but honestly the problem is much, much deeper – it is even cultural.

 

The problem with security in this country is that there is so much to do – so much that it is difficult to know where to begin. You can pick anything and significantly advance the body of knowledge. This is in no way an attempt to minimize the incredible work done so far, but rather an attempt to help you understand the magnitude of the problems facing security professionals.

 

For example, to illustrate the magnitude of the problem:

 

Are you familiar with the idea that your password should change every 90 days, contain certain characters and be of a certain length? Those ideas come from the Department of Defense Password Management Guideline of 1985! Unfortunately, in today’s computing environment those recommendations are as obsolete as the equipment they were designed to mitigate risk on. Rainbow tables allow passwords to be cracked instantly (wherever the hash is stored unsalted, as with Windows LM and NTLM hashes); and if they are brute forced, an eight-character password doesn’t take very long either. Fortunately there is some sanity to be had if you know where to look, and yet many websites created today require you to create passwords that conform to the standard as set forth by the DoD in 1985!?
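Why precomputation beats a 1985-style complexity rule, shown as an added example (mine, not code from the post): a table of candidate hashes built before any hash is stolen, then a lookup against a leaked hash from a site that stores it unsalted and from one that prepends a per-user salt. FNV-1a stands in for an unsalted hash such as LM/NTLM and is not a real password hash; the five candidate passwords, the two hypothetical sites and the salt are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post. A precomputed hash table of the
 * "rainbow table" kind, run against a stolen hash with and without a salt.
 * FNV-1a stands in for an unsalted password hash (LM/NTLM are unsalted);
 * it is NOT a real password hash, and the dictionary is constructed. */

uint64_t toy_hash(const char *s, size_t n) {
    uint64_t h = 1469598103934665603ULL;         /* FNV-1a 64-bit */
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* hash(salt || password); salt may be NULL for the unsalted scheme. */
uint64_t hash_pw(const char *salt, const char *pw) {
    char buf[128];
    int n = snprintf(buf, sizeof buf, "%s%s", salt ? salt : "", pw);
    if (n < 0 || (size_t)n >= sizeof buf) return 0;   /* too long for the demo */
    return toy_hash(buf, (size_t)n);
}

/* Constructed candidate list: all "policy-compliant" (8+ chars, mixed case,
 * digit, symbol) and all guessable. A real table holds billions. */
static const char *const CANDIDATES[] = {
    "P@ssw0rd", "Summer07!", "Welcome1!", "Qwerty12#", "Admin123!",
};
#define N_CANDIDATES (sizeof CANDIDATES / sizeof CANDIDATES[0])

typedef struct { uint64_t h; const char *pw; } table_entry;

/* Precomputation: hash every candidate ONCE, before any hash is stolen. */
size_t build_table(table_entry *tbl, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < N_CANDIDATES && n < cap; i++, n++) {
        tbl[n].h  = hash_pw(NULL, CANDIDATES[i]);
        tbl[n].pw = CANDIDATES[i];
    }
    return n;
}

/* Crack time: a lookup, no hashing at all. */
const char *lookup(const table_entry *tbl, size_t n, uint64_t stolen) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].h == stolen) return tbl[i].pw;
    return NULL;
}

/* Site A stores hash(password). The leaked hash matches a table entry. */
const char *crack_unsalted(void) {
    table_entry tbl[N_CANDIDATES];
    size_t n = build_table(tbl, N_CANDIDATES);
    uint64_t leaked = hash_pw(NULL, "Summer07!");          /* constructed leak */
    return lookup(tbl, n, leaked);                         /* "Summer07!" */
}

/* Site B stores hash(salt || password) with a per-user salt. Same
 * password, same table: no match. The attacker must redo all the hashing
 * per user, which is the work the table existed to avoid. */
const char *crack_salted(void) {
    table_entry tbl[N_CANDIDATES];
    size_t n = build_table(tbl, N_CANDIDATES);
    uint64_t leaked = hash_pw("u7x9q2", "Summer07!");      /* constructed leak */
    return lookup(tbl, n, leaked);                         /* NULL */
}

int main(void) {
    const char *a = crack_unsalted(), *b = crack_salted();
    printf("unsalted: %s\n", a ? a : "(not found)");
    printf("salted:   %s\n", b ? b : "(not found)");
    return 0;
}
```

Note what the salt does and does not buy: it removes the precomputation, so the table has to be rebuilt per user, but it does nothing about the size of the keyspace, so a short, rule-shaped password is still brute-forced quickly; a deliberately slow hash is what makes that per-user work expensive.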

 

And if you ask me, I wonder whether passwords are really the best method of access control in the first place.

 

Everything needs to be rethought.

 

I am sorry that I did not do more linking to substantiate my ideas; however, I could very well spend another day or two linking to all of the ideas that I reference, and in days to come I may very well do that; but for now I am done.


3 Responses to “RE: Vista Security”


In addition to the works of Matthew Bishop, I would also recommend Security Engineering and other papers by Ross Anderson and his fellow graduate students from the University of Cambridge in England.

His book is available online for free and, in my opinion, every person doing security should read it.

His papers on Information Security Economics make great reading as well, I specifically liked “Topology of Covert Conflict” and “Why Information Security is Hard – An Economic Perspective.”

Thanks so much for the response and I love the blogging approach. Clearly we are standing in front of one of the biggest problems that exist today in society – improving the security of the electronic world. As corporations increasingly store data electronically, interconnect systems, and utilize computers to be more efficient, we have to figure out a method to improve the security of that digital information. My intention was not to bash MS; however, I was simply curious about feedback relating to a message that a consulting company was impressing on CIOs. That message seemed to me to be that they have less to be concerned about relating to security with Vista. For example, they left the impression that there are only 11 vulnerabilities and that seems like an extremely small and manageable amount (compared to previous OS’s). I can hear the CIOs saying to me, “Hey, we may not even need that patch management system anymore, just let the end users install the 11 patches and we’ll be good to go. Helpdesk calls should be predictable or minimal as the likelihood of those 11 patches breaking applications is much less b/c the number of patches is much less. We’ll be able to save money, which is what I am continually tasked to do by my boss! Looks like it’s possible if they continue to reduce the number of vulnerabilities (from 11 to 1 or 0 in future OS’s) that we’ll be able to get rid of our patch management software!”

Clearly this is one of the major issues in my mind: CIOs are being given a false sense of security and have the impression that something can be 100% secure (or that we are getting close to it – with Vista). The veterans in the IT security industry that I’ve spoken with all concur that 100% security is impossible. That’s just logical. My opinion is that IT professionals (non-security, to be specific) need to lend more advice to their clients that the issues with IT security are ones that need to be addressed without complacency, and to seek the assistance of professionals that focus on and have expertise in IT security. This is why my opinion is that IT security professionals need to develop strong relationships with other IT professionals (non-security types) and help communicate that point. Just my 2 cents.

Marcin,

Indeed there are many great academic security books outside of the USA; in fact my good friend Mark received his degree in information security from Royal Holloway in the UK. My point was that here in the USA, security professionals are seen as whistleblowers rather than embraced as valuable members of society. This is a result of our country being run by corporations, and the almighty ‘falling’ dollar being more important than people.

