Monday, November 1, 2010

Some governments around the world, frightened by the interception of two bombs bound for the United States, decided to introduce stricter security measures for air transport. To my sincere disappointment, the decisions made illustrate the complete helplessness and lack of "security thinking" of those at the top.

In particular, the following additional measures were put in place:

As a precaution Britain said it was banning air passengers from taking large toner cartridges onto planes as hand luggage, while Nigeria said it would improve the scanning of cargo bound for the United States.

Okay, so the terrorists will never be able to bring bombs on board inside toner cartridges anymore. All they can do now is use laptops, smartphones, pocket radios, Kens and Barbies and electric guitars for the purpose. Terrorists originating from Nigeria will just buy two tickets: one from Nigeria to, say, Moldova (to bypass the improved cargo scanning), and another from Moldova right to the United States.

Germany said it had suspended passenger flights from Yemen, and was considering expanding a cargo flight ban to other unnamed countries.

Wow. If Moldova won't accept flights from Nigeria, I know the country to use instead ;).

Britain said it was also banning all air freight sent from Somalia, adding to a ban on Yemen cargo flights imposed at the weekend.

Just another shot at the sky.

All the cases above share the same problem. There are a number of holes in the fence through which the attackers can reach the ranch. Having caught the attackers red-handed getting through one of those holes, the government patches it... but does not consider the other holes, even though they are pretty close to the patched one. Disallowing cartridges in hand luggage, as well as rejecting flights from Yemen and Somalia, will change nothing. There is nothing that stops terrorists from simply using hand luggage of another kind, and different countries, to reach their goals. This is so obvious that I tend to think that either the governments have nothing to oppose the terrorists with, or... well, never mind.

Thanks to cracksinthepavement.com for the picture.

Tuesday, September 14, 2010

Security versus Usability

I watched yet another Air Crash Investigation episode on NG yesterday. The film was dedicated to the DC9 crash in Detroit (August 1987). The first thing that impressed me was that the crash was very similar to the MD82 crash at Barajas two years ago (August 2008). In both cases the pilots did not extend the flaps and slats for takeoff. In both cases the aircraft failed to gain enough lift and crashed seconds after takeoff.

The second thing I'd like to mention here is a matter of principle. The system that should have warned the pilots about the bad takeoff configuration was turned off. Moreover, it had been turned off long before takeoff, and it had been turned off intentionally. The investigation showed that the warning system was designed quite badly; it used to fire false "bad takeoff configuration" alarms in irrelevant situations. It was also discovered that it was "good practice" amongst DC9 pilots to turn that system off just to prevent annoying false alarms. Thus, when the aircraft was accelerating down the runway, there was no advisor to let the pilots know that the aircraft was not ready to take off.

That was obviously a usability issue. The system was too annoying, so most of the pilots decided to turn it off just to save their ears from that zz-zz-zz-zz humming (even though turning it off put their lives at real risk).

So what do you expect from a user (a skilled one or a dummy -- it doesn't matter) who is forced to scramble through all those firewall warnings, antivirus software warnings, SSL certificate verification prompts, phishing or "dangerous site" warnings, ...? All those warnings (and the correct answers to them) are vital for the PC to remain secure. However, a user does not want to think about security. All they want is to solve their problems: connect to the office via SSH, check mail at Google, download some new game to play. All those warnings just prevent them from solving their problems effectively; besides (and this is quite important), they can make the problems go away simply by accepting everything the protecting software asks. "Do you trust this certificate?" - "Sure I do, let me get in faster". "This distribution is not signed by the vendor. Should we run it?" - "WTF, that's the brand new Doom VII, you MUST run it!". And so on.

What I intend to say is that users will react just like the DC9 pilots until security software stops annoying them. It is silly to ask users a myriad of vital security-related questions a day and expect them to answer each of those questions thoroughly. As a matter of fact, most home PC security software is more or less perfect. However, the user is the weakest link in the chain and can make the castle walls disappear with a single mouse click.

Because of all this, the strategic direction of IT security concepts (and, as a result, of security software) is quite clear to me. It's all about usability. The perfect "secure system of the future" does all the security in the background, invisibly to the user. This might seem impossible in today's environment (as all of today's security ultimately depends on trust relations, and the user is the final authority on trust), but it is the only way to make things more or less secure. It is an absolute requirement to exclude the user from the process of making security-related decisions.

Friday, August 20, 2010

Fundamental vulnerability in PDF

Florian Zumbiehl discovered a fundamental flaw in the PDF standard that makes it possible to create valid digital signatures over arbitrary content.

The flaw allows an attacker to prepare a document with two different contents (say, one "visible" to the signer and another one "hidden"), make the signer sign the "visible" content, and then substitute it with the "hidden" one without invalidating the signature. I should note that the signing has to be performed with special software that "knows" about the flaw and about the "Janus" nature of the document, and can sign it in the particular way that makes content substitution possible in the future.

As far as I am aware of the way Acrobat works, it cannot be used to perform such an attack on the signer. However, the flaw itself is extremely serious and may lead to various problems in the future. For instance, one could attack their own signature and then insist that it be revoked, arguing that the signature was attacked by a third party.
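One defensive check a signature verifier can apply, shown here as an added example that is not from the post and not from Acrobat or any other product: a PDF signature is computed only over the byte ranges listed in the signature dictionary's /ByteRange array, so a verifier has to confirm that those ranges cover the whole file except the signature's own /Contents hex string, and reject a document that leaves a gap, since whatever sits in the gap is unsigned. The post does not spell out the mechanism of the flaw; treating it as a /ByteRange coverage problem is this example's assumption. The minimal "PDFs" it builds are constructed fixtures with a placeholder hex string, not real signed documents.

```python
"""Coverage check for a PDF signature's /ByteRange (added example, constructed fixtures)."""
import re

# A real verifier would use a PDF parser; for the coverage check only these two entries matter.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]*)>")


def byte_range_gaps(pdf: bytes) -> list:
    """Return a list of coverage problems; an empty list means the signature covers everything.

    The only safe shape is [0 a b c]: range 1 = bytes 0..a (everything before the
    /Contents hex string, '<' excluded), range 2 = bytes b..b+c (everything after
    the closing '>' up to the end of file). Anything else leaves unsigned bytes.
    """
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        return ["no /ByteRange found"]
    start1, len1, start2, len2 = (int(x) for x in m.groups())
    c = CONTENTS_RE.search(pdf)
    if not c:
        return ["no /Contents hex string found"]
    contents_start = c.start(1) - 1   # offset of '<'
    contents_end = c.end(1) + 1       # offset just past '>'

    problems = []
    if start1 != 0:
        problems.append(f"first range starts at {start1}, not 0")
    if start1 + len1 != contents_start:
        problems.append(f"first range ends at {start1 + len1}, /Contents starts at {contents_start}")
    if start2 != contents_end:
        problems.append(f"second range starts at {start2}, /Contents ends at {contents_end}")
    if start2 + len2 != len(pdf):
        problems.append(f"second range ends at {start2 + len2}, file length is {len(pdf)}")
    return problems


def make_fixture(trailing: bytes = b"", sign_trailing: bool = True) -> bytes:
    """Build a constructed minimal signature object (not a real PDF, not a real signature).

    With sign_trailing=False the /ByteRange stops before `trailing`, i.e. the
    trailing bytes are present in the file but outside the signed ranges.
    """
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite\n/ByteRange ["
    br_len = 4 * 10 + 3 + 1                  # four zero-padded 10-digit numbers, spaces, ']'
    between = b"\n/Contents <"
    sig_hex = b"00" * 32                     # constructed placeholder, not a real signature
    suffix = b">\n>>\nendobj\n%%EOF\n"
    contents_start = len(prefix) + br_len + len(between) - 1   # offset of '<'
    contents_end = contents_start + 2 + len(sig_hex)            # offset just past '>'
    total = contents_end + len(suffix) - 1 + len(trailing)
    covered_tail = total - contents_end if sign_trailing else len(suffix) - 1
    byte_range = b"%010d %010d %010d %010d]" % (0, contents_start, contents_end, covered_tail)
    assert len(byte_range) == br_len
    return prefix + byte_range + between + sig_hex + suffix + trailing


if __name__ == "__main__":
    print("fully covered:", byte_range_gaps(make_fixture()))
    hidden = b"% constructed unsigned bytes that a naive verifier would never look at\n"
    print("with a gap:   ", byte_range_gaps(make_fixture(trailing=hidden, sign_trailing=False)))
```

The point of the second fixture is that the cryptographic signature over the listed ranges is unaffected by the trailing bytes, so a verifier that checks only the signature reports success; the coverage check is what turns the gap into a failure.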

Friday, June 25, 2010

Big Red Brother (and his buddy) are Watching You

What would you say about software that silently installs another piece of software from a third-party vendor on your computer, which, in turn, collects information about your computer's security features (the presence and version of firewall, anti-virus software etc.) and requires an Internet connection (!) to be available?

The software is called Adobe Flash Player extension for Firefox; the silently installed third-party tool is McAfee Security Scan Plus. That's it -- having installed a minor browser extension, you get a system-wide trojan, pardon, curious piece of software installed on your PC.

Leaving aside the moral and legal aspects of such a scheme (and please don't say it's just business -- similar schemes were shunned even by Russian gangsters in the 1990s), I just wish to warn you to be careful with these. Nobody knows exactly what information the installed tool collects and sends out, nor what the purpose of collecting it is.

Tuesday, May 4, 2010

SecureBlackbox the eighth

SecureBlackbox 8.0 is out. We are happy to introduce a number of exciting new features, including Silverlight 3 and 4 support, secure Cloud components (Amazon S3 and Windows Azure data storage are supported initially) and secure DNS capabilities. I wish everyone a good experience with the product!

Sunday, April 4, 2010

Autoinfect

The invention of the autorun (and, similarly, autoplay) feature, in the form it exists today, is one of the biggest mistakes platform developers have made. A feature of doubtful value, it has become an easy mechanism for malicious software to reproduce itself. Desktops in Internet cafes and copy centers have proved to be excellent friendly hubs where viruses and trojans spawn.

What is quite beyond my understanding is that, at the same time, the vast majority of flash drives released today do not offer a write-protection switch! This forces me to use my good old 128Mb Chinese no-name drive in public places (such as e-cafes or hotels), as none of my newer ones provides any write protection.

As raw criticism is not very constructive, I will explain my own view of how autorun should have been implemented correctly (if it should have been implemented at all):
- Never, NEVER runs without prior OS notification (stating the name of the file, the vendor etc.). If invoked under an administrator account, the OS displays another dialog proposing to run it under a guest account.
- No binaries (neither unmanaged nor managed), no scripts. DHTML (runs in the default browser), maybe Silverlight or Flash. "Web" security policy.
- Turned off by default.

It is necessary to understand that autorun is the easiest way to run unknown code on a machine. By simply inserting an untrusted (not yours, or not write-protected) flash card or CD into the drive, you can stuff your PC with a swarm of parasites. No further actions are needed. Just keep in mind that someone might silently plug his tiny malicious flash drive into your notebook's USB port while you are drinking your martini at the airport. So the best choice in today's environment consists of three basic rules:

I. Turn autorun off and forget about it.

II. Use a USB flash card with a write-protection switch and disable writing wherever possible. Ideally, only enable writing when inserting the card into your own computer.

III. Wherever possible, use a "passive" approach to file distribution. Ask your friend to copy the files you need from his computer to his flash disk; disable writing on that disk before inserting it into your computer. The same rule applies to the reverse process: copy the files your friend needs to your flash disk and disable writing before inserting it into your friend's computer. Such an approach will help protect your computer from the viruses living in your friend's computer, and your friend's computer from the viruses living in yours.

Following these three simple rules will slow the spread of epidemics and make your computer (and the computers of your mates) healthier.
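Rule I on Windows comes down to one machine-wide policy value, and it is worth verifying rather than assuming. The script below is an added example, not part of the post: it parses the text that `reg export` writes (a .reg file), audits the NoDriveTypeAutoRun bitmask under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bit by bit (each set bit disables autorun for one drive type; 0xFF disables it everywhere), checks the HonorAutorunSetting value that the KB967715 update uses to record that the bitmask is actually honoured, and emits a hardened .reg file. The sample export is constructed (it mirrors the 0x91 default, which still allows autorun on removable drives and CDs), not taken from a real machine; importing the generated file needs administrator rights.

```python
"""Audit and harden the Windows autorun policy from a .reg export (added example)."""
import re

# Bit meanings of NoDriveTypeAutoRun (REG_DWORD); a set bit disables autorun for that type.
DRIVE_TYPE_BITS = {
    0x01: "drives of unknown type",
    0x04: "removable drives (USB flash, floppy)",
    0x08: "fixed drives (local hard disks)",
    0x10: "network drives",
    0x20: "CD-ROM / DVD drives",
    0x40: "RAM disks",
    0x80: "drives of unknown type (high bit)",
}
ALL_DRIVE_TYPES = 0xFF  # every bit set: autorun off everywhere

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample of `reg export` output; 0x91 = unknown + network + high bit only,
# so USB sticks and CDs still autorun. Not captured from a real machine.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the REG_DWORD values in a .reg file.

    String and binary values are ignored; the autorun policy only uses DWORDs.
    """
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
            continue
        dword = _DWORD_RE.match(line)
        if dword and current is not None:
            values[current][dword.group(1)] = int(dword.group(2), 16)
    return values


def audit_autorun(values: dict):
    """Return (ok, findings); ok is True only when autorun is off for every drive type."""
    policy = values.get(POLICY_KEY, {})
    findings = []
    mask = policy.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set under the machine policy key; OS defaults apply")
        mask = 0
    for bit, name in DRIVE_TYPE_BITS.items():
        if not mask & bit:
            findings.append(f"autorun still enabled for {name} (bit 0x{bit:02X} clear)")
    if policy.get("HonorAutorunSetting") != 1:
        findings.append("HonorAutorunSetting is not 1; the KB967715 fix that makes Windows honour "
                        "NoDriveTypeAutoRun may be missing")
    return (not findings), findings


def hardened_reg_file() -> str:
    """Text of a .reg file that applies rule I: autorun disabled for all drive types."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{POLICY_KEY}]\n"
        f'"NoDriveTypeAutoRun"=dword:{ALL_DRIVE_TYPES:08x}\n'
        '"HonorAutorunSetting"=dword:00000001\n'
    )


if __name__ == "__main__":
    ok, findings = audit_autorun(parse_reg_export(SAMPLE_EXPORT))
    print("sample export ok:", ok)
    for f in findings:
        print("  -", f)
    print("hardened file audits clean:", audit_autorun(parse_reg_export(hardened_reg_file()))[0])
```

Running the audit against the generated file (`parse_reg_export(hardened_reg_file())`) is the round-trip check: the same function that flags the 0x91 default reports no findings once the mask is 0xFF and HonorAutorunSetting is 1.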

Monday, February 22, 2010

The future of IT security

The situation in the field of information security is very far from perfect today. The main problem is that it is just too complex, while a lot of people, mostly non-professionals, are forced to deal with it. Not fully understanding the potential effects and risks, they often prefer to ignore details that seem (from their point of view) unimportant or too sophisticated, rather than set things up the way they need to be.

As an example, let's recall the security subsystem available in Windows 2000. The OS itself provided a powerful mechanism for access rights management, multi-user features, flexible PKI support etc. However, most users of this system preferred to work with Administrator privileges, negating most of the security features the system provided and leaving the core of the system open to external intrusions. What's the reason? Proper configuration of the security subsystem required non-trivial manipulations from the user. It was much easier for him to add himself to the Administrators group and throw all the problems away. I am glad to see the progress Microsoft has made in this field in subsequent versions of their OS.

That's why it is obvious to me that the main trend in IT security for the medium term is the simplification of security subsystem interfaces. Ordinary people should not have to deal with, e.g., certificate management, web site authenticity confirmation (does anybody read the text displayed in that strange popup in the browser?), or choosing between explicit and implicit TLS modes when connecting to their favorite FTP archives. Transparency of the security subsystems is the main goal for the future. People only need to be confident that the data they store on their PCs is safe, just as they are confident about the safety of the money in their bank account.