A no-win strategy

In the Jan. 11, 2013 issue of SANS NewsBites, editor Brian Honan writes:

It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry.

In this case, the advice was to disable the Java plugin in the browser, which, in fairness, is something many users could do without impact. Still, I couldn’t agree more with Honan’s comment. Here are a few other examples of common advice from security professionals and journalists that contradicts the way software is designed to be used:

  • Don’t click on links in email messages (even though email software automatically adds links to URLs for convenience).
  • Don’t install Android apps from anywhere other than the official app store(s) (thus negating one of the advantages of an open platform without a central gatekeeper).
  • Don’t click on ads (which most Web businesses depend upon for revenue).

As Honan says, we have to find a better way to protect our users and our systems than saying “don’t use technology the way it’s designed to be used.” His comment goes on to point to the CSIS Twenty Critical Security Controls, which are great guidelines for large and/or high security organizations. For consumers and small businesses, though, we’ll need to look to other answers: increased industry cooperation and law enforcement to reduce the threat, improved interfaces and signals to help users make safer choices, more secure architectures, and so on.

Patching really does work

I’ve been wanting to do a study like this for a long time. I’m glad someone else finally did:

The German Federal Office for Information Security (BSI) previously recommended that users should keep their Windows systems up to date, should ideally use Google Chrome and should avoid using Java at all if possible. The efficacy of these simple protection measures has now been demonstrated in a study carried out by the BSI. It used two different Windows systems to visit a total of 100 web sites hosting drive-by downloads (malicious code which spreads primarily by exploiting security vulnerabilities).

Unsurprisingly (to me, if not to certain security cynics), keeping your browser and plug-ins patched (and disabling Java if not in use) is effective in most instances:

The results speak for themselves, with the vulnerable system picking up 36 infections from visiting infected websites, whilst the system configured according to BSI recommendations picked up none.

The message is clear: teaching users a few basics, like how (and why) to keep their browser and plugins up to date, can dramatically reduce users’ risk of infection.

(hat tip to Denis Sinegubko for the link)

The unwarranted war on AV products

“Antivirus software a waste of money for businesses” crows the headline of a recent story, one of many missives against antivirus (AV) software driven by an outdated understanding of how such software works. The truth is that the death of AV tools’ effectiveness has been greatly exaggerated.

Traditionally, antivirus software was powered by signatures: digital fingerprints (byte patterns or file hashes) that uniquely identify malicious files or code snippets. The AV software on a computer would receive signature updates from the AV company once a day or once a week, so that it could protect the user from the latest threats. The effectiveness of an AV product was determined primarily by the number of different signatures available and how quickly they were distributed. Tools like VirusTotal arose to make it easy to see which AV engines detected a particular piece of malware. Product testing labs and tech journalists could load up a computer with a bunch of malware files and easily compare detection rates across products.

Today, everything has changed. Malware evolves far too quickly—sometimes even on a per-download basis—for AV products to depend on daily signatures. As one would expect, most of the major vendors have responded, dramatically increasing the frequency of signature updates and supplementing signatures with new approaches. Here are a few features that have become popular in major AV products recently:

  • If you download a file, the AV product will check it against a whitelist of known safe files. If it’s not on the whitelist and it doesn’t match a malware signature, the product will analyze the file’s behavior and/or reputation in real time (either on the computer or via the cloud) before allowing it to run.
  • If your browser connects to a website/URL known to distribute malware, the user will receive a warning and/or the browser will be blocked from downloading potentially harmful files.
  • If unknown software on your computer attempts to engage in a potentially harmful behavior (e.g., installing a new add-on in your browser), it will be blocked and/or the user will receive a warning.
  • If a web page or online ad attempts to exploit a vulnerability to install malware on your computer, the AV tool will block the attempt.

By layering several approaches (including the use of signatures) atop each other, today’s AV products protect users far more effectively than their predecessors. Unfortunately, many people, even in the security industry, are not aware of this evolution. It’s common to see articles like the one above that claim AV tools are still primarily signature based and that use VirusTotal as a gauge of AV effectiveness, even though VirusTotal runs only the vendors’ static file scanners and exercises none of the reputation, behavioral, or web-blocking layers described above. In reality, this is like assessing the effectiveness of a building’s security system based only on its window alarms, while ignoring its motion detectors and cameras. When you look at tests that attempt to simulate real-world user behavior, such as visiting malicious websites and opening infected email attachments, AV turns out to be far more effective than the pundits claim. A recent set of studies by Dennis Technology Labs, for example, found that products prevented infection in between 53% and 100% of cases. The range of results shows that the more important discussion is about which tools and methodologies work best. (Some other important areas of comparison are false positive rates, the tools’ impact on system performance, and user experience.)
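To make the layering argument concrete, here is an added toy example (not code from the original post or from any AV vendor) that scans the same constructed "downloads" two ways: a signature-only pass, which is all a VirusTotal-style static lookup exercises, and a layered pass that adds an allowlist check up front and a behavioral unpack-and-rescan step behind it. The file contents, the signature, and the XOR "packer" that produces a different byte stream per download are all constructed stand-ins for real binaries and real polymorphic droppers.

```python
"""Layered malware scanner versus a signature-only scan (constructed demo).

Added example for this post; the sample files, signature and packer format
are all assumptions chosen to illustrate the layers, not real artifacts.
"""
import hashlib
import random

# Layer 1: allowlist of known-good file hashes. Constructed; a real product
# would query a vendor-maintained cloud reputation service.
KNOWN_GOOD_FILE = b"MZ\x90\x00 hypothetical clean utility v1.0\n"
ALLOWLIST = {hashlib.sha256(KNOWN_GOOD_FILE).hexdigest()}

# Layer 2: byte signatures. Constructed; a real signature fingerprints a
# specific malicious code fragment rather than a readable string.
SIGNATURES = {
    "Trojan.Constructed.A": b"\xde\xad\xbe\xefdropper-payload",
}

# Constructed malware body that contains the signature bytes in the clear.
MALWARE_BODY = b"MZ\x90\x00" + SIGNATURES["Trojan.Constructed.A"] + b"\x00" * 16

STUB_MAGIC = b"XSTUB"  # hypothetical packer header, assumed for this example


def pack(payload: bytes, key: int) -> bytes:
    """Server-side polymorphism: same payload, different bytes per download.

    Assumed stub format: STUB_MAGIC || key byte || (payload XOR key).
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def signature_scan(data: bytes):
    """Layer 2 only: the static check a VirusTotal-style lookup performs.
    Returns the signature name or None."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def emulate_unpack(data: bytes):
    """Layer 3 (behavior): run the file's own decoder, then rescan the result.
    Real engines do this with a CPU emulator or sandbox; here the stub format
    is known, so decoding is one XOR pass. Returns None if not a stub."""
    if not data.startswith(STUB_MAGIC) or len(data) < len(STUB_MAGIC) + 2:
        return None
    key = data[len(STUB_MAGIC)]
    return bytes(b ^ key for b in data[len(STUB_MAGIC) + 1:])


def layered_scan(data: bytes) -> str:
    """Return 'allow:allowlist', 'block:signature:<name>',
    'block:behaviour:<name>' or 'unknown:monitor'."""
    if hashlib.sha256(data).hexdigest() in ALLOWLIST:
        return "allow:allowlist"
    name = signature_scan(data)
    if name:
        return f"block:signature:{name}"
    unpacked = emulate_unpack(data)
    if unpacked is not None:
        name = signature_scan(unpacked)
        if name:
            return f"block:behaviour:{name}"
    # A real product would now consult cloud reputation and watch the
    # process at run time; this demo just flags it for monitoring.
    return "unknown:monitor"


def build_samples(seed: int = 7):
    """Constructed downloads: one clean file, the unpacked malware, and two
    'per-download' packed variants that differ only in the XOR key."""
    rng = random.Random(seed)
    k1, k2 = rng.sample(range(1, 256), 2)
    return [
        ("clean", KNOWN_GOOD_FILE),
        ("malware_plain", MALWARE_BODY),
        ("malware_packed_download1", pack(MALWARE_BODY, k1)),
        ("malware_packed_download2", pack(MALWARE_BODY, k2)),
    ]


def compare(samples):
    """Run both scanners over (label, bytes) pairs; return
    {label: (signature_only_verdict, layered_verdict)}."""
    out = {}
    for label, data in samples:
        out[label] = (signature_scan(data) or "clean", layered_scan(data))
    return out


if __name__ == "__main__":
    for label, (sig, layered) in compare(build_samples()).items():
        print(f"{label:26} signature-only={sig:22} layered={layered}")
```

The two packed downloads have different hashes and different bytes, so the signature-only pass reports both as clean; the layered pass decodes them and blocks both. That gap is exactly what a VirusTotal-based comparison measures, and it says nothing about how the product behaves once the file is allowed to run.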

It’s time to end the unwarranted war on AV products. They may not be perfect—nothing is—but they do continue to earn their place alongside a range of other security measures in companies and homes alike.

Real world consequences of malware

Earlier this week, a pair of hospitals near Atlanta closed their doors to new patients (except severe trauma cases) because malware had infected the hospitals’ computers. Despite years of doomsday threats like “cybercriminals will shut down the power grid” and “malware will release toxic chemicals into the drinking water,” there have been only a small number of newsworthy incidents in which malware very visibly had an impact on the physical world. (Others include Stuxnet, which damaged centrifuges at Iran’s Natanz enrichment plant, and this recent story about malware that could be used to remotely open prison doors.)

While sensational incidents like the ones listed above and those described by scaremongers are few and far between, the reality is that nearly all malware has an impact in the “real world.” Anyone who has been scammed out of $59 by scareware or worked for a small business that lost thousands to unauthorized transfers can tell you that the effects of malware extend beyond the screen. In fact, in 2010 Consumer Reports estimated the costs of spyware and malware to consumers alone at nearly $4 billion!

It’s not just financial losses, either. In a society where stress beyond comfortable levels is the norm for many people, the added fear and aggravation of learning your computer has been infected is a very real cost. So too is the time spent running AV scans, searching online for solutions, and taking the computer to the store (and waiting in line, and being without your computer for several days, and going back to pick it up…). Then there are the opportunity costs: the things you could have been spending your time doing when instead you were stressing out about your infected PC.

It is still the case that many people think of malware as an “online” threat. There is a false distinction made between cyberattacks that affect the physical world and those that don’t. But next time you hear someone whose voice is shaking because his PC is infected and he doesn’t know what he’s going to do, remember that malware affects the physical world every day.

Nudges for hosting customers

A few months back, I mentioned the book Nudge, which advocates for structuring the choices we give to people in a way that helps them make better decisions for themselves.

I’ve been leafing through the book a second time, thinking about how Web hosting providers, which serve as “choice architects” for website owners, could help nudge their customers in ways that would reduce the risk of their sites becoming compromised. Here are a few ideas I came up with:

  • Offer a short security “class” online and reward customers that complete it (and perhaps pass a short test/quiz) with a free month of hosting.
  • Allow certain features to be accessed, or certain apps to be installed, only if the customer opts into higher security (e.g., passphrase-protected SSH keys instead of a username and password, SFTP instead of FTP).
  • Ensure that default installations of apps (e.g., WordPress or Joomla), and of course the default hosting environment, are secure out of the box. For example, make sure that directory permissions are locked down on WordPress installations, instead of assuming customers will do this themselves.
  • Wherever customers are prompted to create a password, display a password strength indicator.
  • Automatically notify customers via email and their dashboard/panel when applications have security-related updates available.
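The “secure out of the box” item above is the one a hosting provider can enforce mechanically. Here is an added example (not code from the original post or from any hosting provider) of a small permission audit a provisioning script could run over a customer’s web root and fix before handing the site over. The policy it enforces is an assumption modelled on common WordPress hardening advice: no world-writable files or directories, and wp-config.php, which holds the database credentials, readable only by its owner. The sample directory layout it builds is constructed for the demo.

```python
"""Audit and fix permissions under a web root (added example, constructed demo).

Policy (assumed, modelled on WordPress hardening advice):
  - nothing under the web root may be world-writable
  - credential-bearing files (wp-config.php) must not be group/world readable
"""
import os
import stat
import tempfile

SECRET_FILES = {"wp-config.php"}  # assumed list of credential-bearing files


def audit_permissions(root: str):
    """Walk `root` and return a sorted list of (relative_path, problem).

    Symlinks are not followed and are skipped, so a link pointing outside
    the web root cannot drag the audit into another customer's directory.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name in SECRET_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "secret-readable"))
    return sorted(findings)


def fix_permissions(root: str) -> int:
    """Apply the policy: strip o+w everywhere, and reduce secret files to
    their owner bits only. Returns the number of chmod calls made."""
    changed = 0
    for rel, problem in audit_permissions(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if problem == "world-writable":
            new_mode = mode & ~stat.S_IWOTH
        else:  # secret-readable
            new_mode = mode & 0o700
        os.chmod(path, new_mode)
        changed += 1
    return changed


def build_demo_tree(base: str) -> str:
    """Constructed sample: a miniature WordPress-like layout with the
    mistakes a customer (or a careless installer) commonly leaves behind."""
    root = os.path.join(base, "public_html")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                 # secrets readable by everyone
        "wp-content/uploads/photo.jpg": 0o666,  # world-writable file
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder content\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # world-writable dir
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(root, 0o755)
    return root


def demo():
    """Build the sample tree in a temporary directory, audit it, fix it and
    audit again. Returns (findings_before, changed, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        before = audit_permissions(root)
        changed = fix_permissions(root)
        after = audit_permissions(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, problem in before:
        print(f"{problem:16} {rel}")
    print(f"fixed {changed} entries; remaining findings: {after}")
```

The audit deliberately uses lstat and skips symlinks: on shared hosting a customer-controlled link is the usual way an automated “fix” script gets tricked into chmod-ing something it should not touch. The same audit, run periodically rather than only at provisioning time, is what would feed the dashboard notification in the last item above.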

I’m sure there are many other opportunities to nudge hosting customers to safer choices. If you think of others, please post them in the comments!

Stop blaming the victims

“Laziness is compromising our online security.” That’s the headline and message of an article by Lee Matthews over at ExtremeTech. Here’s the basic gist of the argument:

Basic security, such as updating web server software, is easy. Most people don’t do it. Therefore, most people are lazy. This is a core cause of the Web’s security woes.

This is a classic case of “blame the victim,” and if anything is lazy here, it’s the thinking. Keeping software up to date isn’t easy. Consider WordPress, which has made things much easier in recent years with its one-click update feature. Except, in reality, it’s still not really one click. First you have to be logged in to even know that there’s an update available. Then, when you click, you’re encouraged to back up both the database (another one-click operation) and your files (a manual process involving connecting via FTP to your web server). Then, after you update, you might still have to update plugins, and of course you have to check that the update didn’t break anything. As for updating the underlying PHP platform, this is often impossible for a site owner on a shared hosting plan and non-trivial for hosting providers, which risk breaking their customers’ PHP applications in the process.

Even when things are easy, people have various reasons for not doing them. Laziness is just one. Maybe updating WordPress is less important to their lives or their businesses right now than other items on their to-do lists. Maybe they don’t understand the security implications of not updating WordPress (which could affect how they prioritize it). Maybe they’re overwhelmed by all the things each week that they’re supposed to update: smartphone apps, the operating system, web browser, plugins, etc.

The technology industry still has a long way to go to make technology easy to use securely and to keep secure for users. Most of those users are not tech geeks like the readers of ExtremeTech. And the majority of them, most likely, aren’t lazy.

Base security should not cost extra

Microsoft’s release yesterday of Office 365, a suite of cloud-based services for small and mid-sized businesses (SMBs) and enterprises, has been getting a lot of attention in the press. One egregiously poor decision by Microsoft, though, has not been talked about quite as much. Ed Bott over at ZDNet picked up on it:

If you sign up for one of the Office 365 Enterprise plans, all your users can connect to SharePoint using secure (HTTPS) connections. If you have a Professional (small business) plan, you don’t get that capability. For a small business that deals with sensitive documents, that’s a potentially dangerous configuration.

Let me be very clear about this: baseline security is not optional, and it shouldn’t be sold as a value-added feature. Microsoft claims “Office 365 comes with the robust security and reliability you need to run your business, all for $6 per user per month.” Offering SharePoint, which provides businesses with document sharing and other intranet capabilities, without protecting the confidentiality and integrity of data in transit to and from the server (over plain HTTP, anyone positioned on the network path can read or alter the documents being exchanged) is not “robust security.”

One has to wonder what other security trade offs Microsoft made with Office 365 that are not yet evident. Until Microsoft demonstrates that it really stands behind its “robust security” claims, SMBs would be well advised to avoid this new offering.