the whitelister's dilemma

you remember marcus ranum's 6 dumbest ideas in computer security? #2 on that list was enumerating badness (aka blacklisting), which he believed should be replaced with enumerating goodness (aka whitelisting).

ignoring the fact that his underlying assumptions about relative sizes of the malware and legitimate software populations was incredibly wrong*, there's a much more fundamental problem with turfing blacklisting in favour of whitelisting:
the only meaningful criteria we have for deciding something is good or safe is that we haven't found anything bad in it yet.
oh sure you could assume that a system is currently malware free and start your whitelisting regimen from that (potentially pre-pwned) state. you could assume that software direct from the vendor is safe to add to a whitelist too (because microsoft never accidentally distributed infected materials, right?). you could even assume that things that are digitally signed are safe (it's not like stuxnet was digitally signed or anything).

of course, we know what happens when you assume. the reality is that even if we do adopt whitelisting we have to continue enumerating badness for the purposes of maintaining the whitelist. whitelisting stands on the shoulders of blacklisting - it has to, our only other criteria are assumptions that have all been proven false in practice.

as such, whitelisting can never replace blacklisting, it can only ever complement it.

[* according to figures by whitelisting vendor bit9 that i mentioned here, and frankly the idea of a malicious few coders out-producing the benign many seemed silly anyways]


the mac malware phenomenon

i posted something to twitter earlier (which was already too big to actually fit in a normal tweet) but i think there's more to be said.

those who downplay the mac threat landscape by comparing it to the pc are missing the point. the mac will never be the pc, it'll never follow the same path or be in exactly the same place, but the mac community was sold false hope and many of them are either unaware or in denial about the fact that they were lied to.

one of the most crippling thing about mac security awareness is the pc comparison. people can't look past the fact that things aren't as bad for the mac. does that really matter? crime in your neighborhood likely isn't as bad as crime in a ghetto (unless you happen to be unfortunate enough to be living in a ghetto), does that mean it's safe to leave the door to your house or car unlocked? no.

stop thinking about the comparison, stop thinking about the pc entirely. imagine there are no pc's. think about the things that have happened in the mac landscape over the past several years and what they mean to the various subsets of the mac user population.

there are users who believe macs are immune to viruses. that was proven technically false five years ago (i wrote about it here). the viruses that have been produced may have never reached epidemic proportions, but epidemics are a poor yardstick for measuring risk. car crashes aren't exactly an epidemic, but you should still fasten your seatbelt.

there are users who believe macs are inherently secure because of their *nix lineage. this, in spite of the fact that the initial academic investigation of the concept of computer viruses involved successful experiments in a professionally administered unix environment. also in spite of the fact that rootkits originally come from the *nix family of platforms. also in spite of the fact that a security researcher renowned for successfully attacking the platform on multiple occasions has explicitly contradicted the notion that macs are especially secure.

there are those who believe that for something to be a real threat it has to activate by itself without user intervention, that something that requires the user's help is only an issue for dumb users. this despite the obvious success of social engineering attacks like phishing that are already platform agnostic.

there are users who believe macs aren't really a target of criminals yet. they believe that the criminals have bigger fish to go after so the mac isn't worth the effort. they believe criminals have to make an either/or decision about which platform to attack. these beliefs are in stark contrast to a nearly 4 year old reality of professional cybercriminals attacking the mac platform - specifically the zlob gang taking their already successful windows trojan and porting the important functionality over to the mac (which i mentioned here and here). the more recent example of java based malware is an indication that the cybercriminals are trying to take the either/or question out of the equation entirely.

and then there are those wonderful users who are actually security aware but somehow believe the rest of the mac user community is largely like them so the efforts to raise awareness of security issues are pointless and alarmist. this is even though it's plain to see that security aware people are a minority in any population. and as far as the mac user population goes, apple's marketing was quite clearly designed to appeal to people based on style, image, and simplicity, and told users that security was something they didn't have to worry about. to imagine such a population is somehow better at dealing with security issues than the average person seems more than unjustifiably optimistic.

macs can be attacked, they have been attacked, their attackers are enjoying increasingly numerous successes, and not enough mac users know it. it's a growing threat and there has yet to be a compelling argument put forward that it won't continue to grow. knowledge is the first prerequisite for people to be able to protect themselves. stop pretending everyone knows what you know or are smart enough to make the threat a non-issue, there's just too much variety amongst humans for that to be true.


Snake-Oil 'R' Us

it seems that snake-oil is changing with the times, evolving and getting worse.

worse? how could it possible get any worse?

well, i've mentioned in the past how certain products very names can represent snake-oil - names like "total protection" or "total security" instill in the user the false belief that they are totally protected and don't have to worry anymore.

well pretty soon there's going to be "total defense" too.

how is that worse? well, "total protection" and "total security" are just product names. total defense? that's apparently going to be a company name. a company that has snake-oil running through it's veins, i suppose. probably not a surprising move for updata partners, the technology venture company running the show - a venture company's focus is on making money, they're buying computer associates' internet security business unit, they aren't existing members of the security or anti-malware community/industry. but they're going to be part of the anti-malware industry, they're buying they're way into it, and they're starting from a position without the established norms and ethics of either the community or industry. no wonder the ethical landscape has been eroding over time.


security small talk

[i'm republishing this secmeme post here because, although the topic is more fitting for secmeme, the intended audience is better addressed here - and if you're like me, you probably hate being directed to some outside site when you're going through your RSS feed.]

pursuant to a brief discussion i had with @diami03 (aka michelle k.) on twitter earlier today, some thoughts popped into my head.

specifically, with regards to how well known the concept of the nigerian 419 scam is, i said

she was not happy with that. admittedly it was a rather crass way of expressing the principles i had in mind, but i stand by them (even if i also find them disappointing).

put differently there are two things in play. the first (and probably the one most are familiar with) is that people often prefer to be entertained rather than informed. if i'm being totally honest, i feel the same way sometimes.

the second is that (at least to my mind) a good indicator of how well our culture has assimilated a particular piece of information is how easily/frequently that information finds it's way into everyday chatter (i.e. small talk).

now normally my memetic ramblings are intended for the broadest audience i can manage, but this is a special case. injecting security into small talk logically must start with the people who are security aware. many security geeks probably already do this to a certain extent - after all, if people can talk about the weather or last night's game, why not security topics too?

now i'm not the best person to advise on how to engage in small talk (far from it in fact) but there are a few things i think are self-evident. first and foremost is that this is not an opportunity to give a lecture, or to talk like you're presenting at a conference. most people don't want to go back to school and if you start sounding like a teacher they're going to tune you out. so how can you shoot the breeze about security with non-security folks? here's a few strategies:
  1. everybody loves a spectacle so keep your eye out for them and use them opportunistically. database breaches aren't sexy or interesting, but sony's loss of over 100 million private records breaks the boredom barrier by sheer size alone. so much so, in fact that you may well find that people have already heard about it in the mainstream media. that's a bonus, it means you can talk about something they've already heard about.
  2. if they're really your friends then it stands to reason that they have at least a modicum of interest in how your day was. did you see a nigerian 419 scam in your email today? great, mention that in passing. did you see two or more of them in the same day? even better. after all, how many dead princes (or whatever) can there really be out there? if wealth and death are as strongly correlated as those scam emails suggest then i think i'd rather stay poor.
  3. when you mention things that you think might directly affect them, you're showing concern about them, you're showing an interest in their well-being. everyone wants their friends to be interested in them in some way so that display of interest should make them perk up their ears and take notice. i used this strategy myself with the epsilon breach, sending links to to the list of affected merchants to some of my friends so that they could look over the list and see if the breach was likely to affect them personally.
if you're concerned about the quality of information that is passing from person to person, it's up to you to help put better information into the mix. don't be afraid to throw in a few security topics when chatting with friends. they probably already know you're a security geek so they'll understand why you're interested in it, and if you can make it even a little bit interesting for them then they might pass it along.


thoughts on viral facebook scams

in response to a certain discussion on twitter, i found some ideas floating around in my head that just don't fit in a tweet, so i thought i'd share them here instead.

one of the ongoing problems on facebook is the phenomenon of viral scams - scams that spread in a viral manner across the facebook userbase and trick users into doing various things (whether it be installing a rogue facebook app, clicking an invisible link, or copy-n-pasting javascript into the URL bar).

there are at least 2 contentious aspects to this phenomenon. the first is whether facebook has things under control. there are certainly those who are arguing that it's not under control, that the numbers are ever increasing. there are also those who argue that, on the whole, facebook is acting in a timely manner to deal with these threats to their users. my own experience is that i rarely actually encounter these viral scams so that certainly could support the argument that they're getting killed quickly - quickly enough that they die before they make their way to me. on the other hand, though, when i do encounter these scams it doesn't appear to me that facebook is dealing with them expediently at all. a day or more to kill a viral scam campaign? really? i think they could do better - in fact, i have some specific ideas that i intend to share a little further on.

the second contentious aspect is what's the best way to deal with these scams: whether it's better for facebook to police it's network more effectively or alternatively to go after the industry whose gray areas are responsible for the lions share of the scamming (ie. the cost per action / CPA marketing industry). technical defenses employed by facebook will always be a bit of a game of whack-a-mole, but they're relatively quick and easy to implement without involving a lot of other parties. investigation and enforcement of legal authority against CPA firms can certainly have some long-lasting effects but there are problems; it takes a lot of time and coordination from the law enforcement community, and CPA is only the current low-hanging fruit from a malicious business model perspective. that means, ultimately, going after CPA firms or even entire industries will also wind up being a game of whack-a-mole, it'll just much slower and it will be law enforcement playing the game instead of a technology company.

i believe both technical defenses and legal authority are appropriate tactics. technical defenses are useful for dealing in the near term with that which has not yet been dealt with in the long term, while exercising legal authority tends to have more of a long term effect and creates a much bigger disruption to malicious business models (potentially requiring entirely new malicious business models to be developed to compensate). right now we don't yet have the benefits that legal authority can provide so we need to use technical defenses as a stop-gap at the same time as we pursue legal avenues. if/when legal authority manages to take out most of the CPA abuse channels that the scammers are currently exploiting, those scammers will monetize something else so we'll continue to need those technical defenses as we adjust our legal tactics to their new business models. in essence, technical defenses and legal authority represent compensating controls in a multi-layered approach to the problem.

to that end, i have some specific technical ideas for facebook.

all viral scams must exploit one of facebook's many communications channels. facebook needs to monitor these channels and apply some heuristics to help identify the viral scams.

to start out with, they should apply a k-nearest-neighbor algorithm or some other suitable similarity measure  to the communications (do not use hashing - i hardly ever see the scams but even in the few i have seen, i've seen hash busters being used) in a sliding window of time (to limit the size of the corpus facebook would need to analyze). messages, wall posts, events, etc that cluster together as being highly similar are likely all part of the same viral campaign and should be classified as such. being part of a large cluster should cause the message (or rather the entire set of messages) to be flagged for additional review at the very least. if that review is manual, one could prioritize the review based on the size of the cluster. not all viral communications are bad, mind you - it could just be a really good joke, or a political activist campaign, or something else legitimate - that's why virality alone isn't enough to classify something as bad, but it is a good start for narrowing the scope of the analysis.

now, even if facebook stopped at this point, they'd still have something very useful for killing viral scams. identifying the set of nearly identical messages that a particular message belongs to means that you can aggregate data and judgments about those messages. an abuse report for one message is an abuse report for all, a flag to disable display of one message is a flag to disable display of all, a flag indicating one message was verified clean is a flag indicating all are verified clean, etc.

if facebook were to go further, though, the next thing they could do as a simple static heuristic is to check to see if the message contains javascript code that is displayed to the user. most users cannot read or understand javascript. for most, the only reason they'd see that in a viral message is if they're supposed to copy and paste it in order to bypass facebook's existing defenses against malicious javascript. that makes it a pretty good indicator of malicious intent.

another simple heuristic would be the presence of a link whose destination is obscured by a URL shortener. a much more contentious heuristic, of course, but i'm not really suggesting any of these on their own should be taken as proof of malice - only that they each incrementally increase the level of suspicion.

a third simple heuristic would be links to facebook applications where the app developers haven't been registered very long. it's not impossible to hit it big on facebook right out of the gate, but there are nuances that aid in growing an application's popularity that you wouldn't really expect a newbie to know right off the bat. a really big viral cluster for a really new app developer should definitely raise some eyebrows.

next, as an active heuristic, an automated process attached to a dummy facebook account could be sent to click it's way through the trail laid out in any message that has a link in it in order to see if any path results in the dummy account sending out a message belonging to the same viral campaign it started from. this means adding applications where requested, following links to outside pages, even pasting the contents of the clipboard into the URL bar when the trail leads back to facebook's domain.

finally, recognizing that different viral clusters could be related, there needs to be a mapping between inputs and outputs of those dummy accounts so that facebook can catch the condition when an incoming message from viral campaign A leads to outgoing message from viral campaign B and which in turn goes through 0-N other viral campaigns as inputs and outputs before arriving back at campaign A.


i don't know what methods facebook is using right now, but if they were aggregating nearly identical messages it shouldn't have taken a day or more to kill the last viral scam i encountered and it shouldn't still be possible to easily find something like this half a month later:
those may be neutered to the extent that they can't contribute to viral spread in facebook's environment anymore, but who knows what the pages those point to could be changed to do to people's PCs now that the main campaign is dead. those events should have been deleted a long time ago. leaving remnants of viral scams in people's accounts is a little like leaving remnants of viral code in disinfected programs.