Occasionally, one happens to find themselves in the situations that look quite unpromising... yet, even having been eaten one always have at least two ways to escape ;).
Friday, October 28, 2011
Security Is... Issue 2
Occasionally, one happens to find themselves in the situations that look quite unpromising... yet, even having been eaten one always have at least two ways to escape ;).
Tuesday, October 25, 2011
Security Is...
Our company launches a "Security Is..." series of weekly thematic comic strips. The main goal of the series is dethroning a popular fear that information security is something extremely complex, and showing that that "intricate security stuff" is in fact pretty much close to the basic things in our life that we come across every other day. We also hope that our little effort will help people start "thinking securely", that is essential in today's realities.We would be thankful to everyone for sharing the pictures with your family, friends and co-workers - let's populate the idea of "living securely" together!
Monday, November 1, 2010
Some governments around the world, frightened by the interception of two bombs directed to the United States, decided to introduce stricter security measures for air transportations. To my sincere disappointment, the decisions made illustrate the complete helplessness and lack of "security thinking" of the tops.In particular, the following additional measures were put in place:
As a precaution Britain said it was banning air passengers from taking large toner cartridges onto planes as hand luggage, while Nigeria said it would improve the scanning of cargo bound for the United States.
Okay, the terrorists will never be able to bring bombs on board inside toner cartridges anymore. They have nothing to do but use laptops, smartphones, pocket radios, Kens and Barbies and electric guitars for this purpose. The terrorists originating from Nigeria will just buy two tickets, from Nigeria to, say, Moldova (to bypass improved cargo scanning), and, further, from Moldova right to the United States.
Germany said it had suspended passenger flights from Yemen, and was considering expanding a cargo flight ban to other unnamed countries.
Wow. If Moldova won't accept flights from Nigeria, I know the country to use instead ;).
Britain said it was also banning all air freight sent from Somalia, adding to a ban on Yemen cargo flights imposed at the weekend.
Just another shot at the sky.
All the above cases share the same problem. There is a number of holes in the fence the attackers can reach the rancho through. Having caught the attackers by the hand getting through one of that holes, the government patches it... but does not consider the other holes, even though they are pretty close to the patched one. Disallowing to bring cartridges on board with a hand luggage, as well as rejecting flights from Yemen and Somalia, will change nothing. There is nothing that stops terrorists from simply using hand stuff of other kind and different countries to reach their goals. This is so obvious that I tend to think that either the governments have nothing to oppose to the terrorists with, or... well, nevermind.
Thanks to cracksinthepavement.com for the picture.
Tuesday, September 14, 2010
Security versus Usability
I've been watching yet another Air Crash Investigation movie on NG yesterday. The film was dedicated to DC9 crash in Detroit (August 1987). The first thing that impressed me much was that the crash was very similar to MD82 crash in Barajas two years ago (August 2008). In both cases the pilots did not extend flaps and slats for taking off. In both cases an aircraft failed to gain enough lift and crashed in seconds after takeoff.
The second thing I'd like to mention here is a principal one. The system that must have warned the pilots about bad takeoff configuration was turned off. Moreover, it has been turned off far before takeoff, and it has been turned off intentionally. The investigation has shown that the warning system was designed quite badly; it used to fire false "bad takeoff configuration" alarms in irrelevant situations. It was also discovered that it was a "good practice" amongst DC9 pilots to turn that system off just to prevent annoying false alarms. Thus, when the aircraft was accelerating down the runway, there was no advisor to let the pilots know that the aircraft is not ready to take off.
That was obviously a usability issue. The system was too annoying, so most of the pilots decided to turn it off just to save their ears from that zz-zz-zz-zz humming (even though turning it off caused a real risk for their lives).
So what do you want from a user (a skilled one or a dummy -- it doesn't matter) who is forced to scramble through that firewall warnings, antivirus software warnings, SSL certificate verification prompts, phishing or "dangerous site" warnings, ...? All that warnings (and correct answers to them) are vital for the PC to remain secure. However, a user does not want to think about security. All they want is to solve their problems: connect to an office via SSH, check mail at Google, download some new game to play. All that warnings just prevent them from solving their problems effectively; besides (and it is quite important) they will be able to resolve the problems simply by accepting everything asked by the protecting software. "Do you trust this certificate?" - "Sure I do, let me get in faster". "This distribution is not signed by the vendor. Should we run it?" - "WTF, that's a brand new Doom VII, you MUST run it!". And so on.
What I intend to say is that users will react similarly to DC9 pilots until security software stops annoying them. It is silly to ask users myriad of vital security-related questions a day and expect them to answer to each of those questions thoroughly. As a matter of fact, most of home PC security software is more or less perfect. However, a user is the weakest link in the chain and can make castle walls disappear with a single mouse click.
Because of all these, the strategic direction of IT security concepts (and, as a result, security software) is quite clear for me. It's all about usability. The perfect "secure system of the future" does all the security at the background, invisibly to the user. This might seem impossible in today environment (as all the today security depends on the trust relations in the end, and the user is the final instance to define trust), but it is the only way to make the things more or less secure. It is an absolute requirement to exclude the user from being involved into the process of making security-related decisions.
The second thing I'd like to mention here is a principal one. The system that must have warned the pilots about bad takeoff configuration was turned off. Moreover, it has been turned off far before takeoff, and it has been turned off intentionally. The investigation has shown that the warning system was designed quite badly; it used to fire false "bad takeoff configuration" alarms in irrelevant situations. It was also discovered that it was a "good practice" amongst DC9 pilots to turn that system off just to prevent annoying false alarms. Thus, when the aircraft was accelerating down the runway, there was no advisor to let the pilots know that the aircraft is not ready to take off.
That was obviously a usability issue. The system was too annoying, so most of the pilots decided to turn it off just to save their ears from that zz-zz-zz-zz humming (even though turning it off caused a real risk for their lives).
So what do you want from a user (a skilled one or a dummy -- it doesn't matter) who is forced to scramble through that firewall warnings, antivirus software warnings, SSL certificate verification prompts, phishing or "dangerous site" warnings, ...? All that warnings (and correct answers to them) are vital for the PC to remain secure. However, a user does not want to think about security. All they want is to solve their problems: connect to an office via SSH, check mail at Google, download some new game to play. All that warnings just prevent them from solving their problems effectively; besides (and it is quite important) they will be able to resolve the problems simply by accepting everything asked by the protecting software. "Do you trust this certificate?" - "Sure I do, let me get in faster". "This distribution is not signed by the vendor. Should we run it?" - "WTF, that's a brand new Doom VII, you MUST run it!". And so on.
What I intend to say is that users will react similarly to DC9 pilots until security software stops annoying them. It is silly to ask users myriad of vital security-related questions a day and expect them to answer to each of those questions thoroughly. As a matter of fact, most of home PC security software is more or less perfect. However, a user is the weakest link in the chain and can make castle walls disappear with a single mouse click.
Because of all these, the strategic direction of IT security concepts (and, as a result, security software) is quite clear for me. It's all about usability. The perfect "secure system of the future" does all the security at the background, invisibly to the user. This might seem impossible in today environment (as all the today security depends on the trust relations in the end, and the user is the final instance to define trust), but it is the only way to make the things more or less secure. It is an absolute requirement to exclude the user from being involved into the process of making security-related decisions.
Friday, August 20, 2010
Fundamental vulnerability in PDF
Florian Zumbiehl discovered a fundamental flaw in the PDF standard that makes it possible to create valid digital signatures over an arbitrary content.
The flaw allows an attacker to create a pre-defined document with two different contents (say, one "visible" to the signer and another one "hidden"), make the signer sign the "visible" content, and then substitute it with the "hidden" one without invalidating the signature. I should note that signing should be performed with special software that "knows" about the flaw and the "Janus" feature of the document, and can sign it in the proper way to make content substitution possible in the future.
As far as I am aware of the way the Acrobat works, it cannot be used to perform such an attack on the signer. However, the flaw itself is extremely serious and may lead to various problems in future. For instance, one can attack their own signature and then insist on revoking it, arguing that the signature was attacked by a third party.
The flaw allows an attacker to create a pre-defined document with two different contents (say, one "visible" to the signer and another one "hidden"), make the signer sign the "visible" content, and then substitute it with the "hidden" one without invalidating the signature. I should note that signing should be performed with special software that "knows" about the flaw and the "Janus" feature of the document, and can sign it in the proper way to make content substitution possible in the future.
As far as I am aware of the way the Acrobat works, it cannot be used to perform such an attack on the signer. However, the flaw itself is extremely serious and may lead to various problems in future. For instance, one can attack their own signature and then insist on revoking it, arguing that the signature was attacked by a third party.
Friday, June 25, 2010
Big Red Brother (and his buddy) are Watching You
What would you say about the software that silently installs another piece of software from third-party vendor to your computer, which, in turn, collects information regarding your computer's security features (the presence and version of firewall, anti-virus software etc.) and requires Internet connection (!) to be available?
The software is called Adobe Flash Player extension for Firefox; the silently installed third-party tool is McAfee Security Scan Plus. That's it -- having installed a minor extension to a browser, you get a system-widetrojan curios piece of software installed to your PC.
Leaving aside the moral and legislative aspects of such scheme (and please don't say it's just business -- similar schemes were neglected even by Russian gangsters in 1990ths), just wish to warn you to be careful with these. Nobody knows what exactly information collects and sends out the installed tool, neither what is the purpose of collecting such information.
The software is called Adobe Flash Player extension for Firefox; the silently installed third-party tool is McAfee Security Scan Plus. That's it -- having installed a minor extension to a browser, you get a system-wide
Leaving aside the moral and legislative aspects of such scheme (and please don't say it's just business -- similar schemes were neglected even by Russian gangsters in 1990ths), just wish to warn you to be careful with these. Nobody knows what exactly information collects and sends out the installed tool, neither what is the purpose of collecting such information.
Tuesday, May 4, 2010
SecureBlackbox the eighth
SecureBlackbox 8.0 is out. We are happy to introduce a number of exciting new features, including Silverlight 3 and 4 support, secure Cloud components (Amazon S3 and Windows Azure data storages are initially supported) and secure DNS capabilities. I wish everyone to have a good experience with the product!
Subscribe to:
Posts (Atom)