Getting rid of your best people
A friend of mine recently had a very Dilbertesque experience at work. The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling. Sort of…
Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years. The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office. This was reasonable, and most of the staff saw this as a good business move. Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.
Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date. The new seating chart was printed, offices were assigned, and additional requests were made. Here is where we take a turn for the weird:
Treating your people like they are worthless: Elimination of a position announced through the new seating chart.
One of my friend’s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks. Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la “Office Space”. Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people’s mouths.
Generate a menial or pointless task.
Actually, this one is a little worse than pointless: it is counterproductive. Time tracking is a part of a lot of people’s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities. This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1. The company wanted real data for that entire time. Do you remember how you spent your day in fifteen-minute increments 6 months ago? 6 weeks ago? 6 days ago? As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy and that would then be the basis of the next three years of projections. They were told, effectively, not to worry about it and that the data analysis team would take care of it. To me, dear reader, that is like saying, “Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.” Yes, you will have a smaller set of data to work off of, but it will be more accurate, and your people will feel better about their work.
So what can you do to avoid putting yourself or your coworkers in such a situation – aside from not working where my friend works? Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible. If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say. Don’t make decisions in a vacuum. If it impacts people, get their input. Running a business depends on the people that work there; if they don’t feel valued, then the business won’t be valued.
“Civilian” Use of Malware Technology?
The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particular can spur a ton of research.
Also quite often, the results of that technology end up being used for civilian purposes. Researchers and scientists in World War II alone created and/or had significant impact in the areas of radar, jet engines, computers, synthetic rubber – the list goes on and on. It’s obvious today how those technologies, invested in by the military and the government primarily for the sake of the war, have been applied to our civilian lives.
Another thing to note about all of this is that the benefits of those government/military technologies have not been limited to the countries in which they were created. As peacetime would creep in, and alliances form where hostility once reigned, technology would be shared. Not to mention that even when those alliances didn’t form, the opposing sides would still have access to enemy technology (captured vehicles, interrogation, etc.) to get a foothold in implementing those technologies themselves.
This brings me to a question about malware. Malware is bad – hence its name. The folks who create it and apply it (as opposed to security researchers that create it for purposes of research) are at the very least not the most scrupulous bunch. There are legions of anti-malware researchers and malware analysts digging into these rogue pieces of software, poking and prodding at them, and figuring out how they work.
This piqued my curiosity: What technology (or use thereof) resulting from malware/anti-malware research has hit the “mainstream civilian” computing world? And no, I don’t mean Sony’s rootkit. I mean application of what has been learned – in obfuscation, more efficient coding techniques, remote distribution applications, etc. – in a way that is useful, but not necessarily matching its intended “wartime” purpose (you cannot make me say the “c—-war” word).
The closest thing I could find – yes, aside from Sony’s blunder – was a paper by Microsoft researchers discussing a “friendly worm” in terms of patch delivery. Bruce Schneier generalizes this as “benevolent worms”, which he calls a “stupid idea”.
Despite their ethics, the malware writers are very, very smart. The anti-malware researchers and the malware analysts are also very, very smart. So I pose the question to all of you – what useful applications of what has been learned in the battle against malware are waiting to be used?
Embracing Manjoo’s Madness
There was a little bit of a buzz recently regarding an article on Slate called, “Unchain the Office Computers! Why corporate IT should let us browse any way we want”. It’s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should work”. Very clearly it wasn’t going to win a bunch of fans from the Security Twits lurking around on Twitter’s infosec community.
The author’s rants run the gamut from legitimate beefs to notions that would make the most incompetent infosec employee cough up a hairball. He also seems to be completely unaware of the myriad legal, HR, and compliance bogeymen that serve as drivers of so many security policy restrictions. All of that, coupled with what seems to be a disrespect (or at the very least a disregard) for the skills, responsibilities, and intentions of your friendly IT worker, would certainly make him a difficult customer. Who wants to deal with that?
A lot of the reactions to the author’s opinion were expected and understandable. If I recall correctly, “clueless” and “dangerous” were at least two of the words used to describe it. I don’t necessarily disagree with this either. The point of this post is more about what comes next: Do we, as those “interoffice Brahmans” simply thumb our noses at a very rash and simplistic view of the whys and hows of security-and-policy-minded restrictions, and tell the author to get the USB key that he found in the parking lot out of his PC and get back to work so that we can get back to saving the world from the l33t h4×0rs whilst doing the Dew? While not everyone would take that tack, let me suggest a different approach anyway.
The author, Farhad Manjoo, represents reality. He’s a real person who uses real technology in the real world. And he’s frustrated. He also represents a pretty wide view. In a Cisco-commissioned study on leakage prevention (get the papers here, and a decent summary here), it was discovered that:
“The majority of employees in eight of the 10 countries surveyed indicated that they believed their company’s security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative Web 2.0 applications and social networking sites, video and mobile devices, expressed that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use.”
With that, we need to accept that he and people like him are our customers. Rather than slough off Mr. Manjoo’s opinion as just being one of the uneducated masses, I contend that it’s our job to listen to his opinion and address it appropriately:
- If the reasons for a particular policy are draconian or reactionary, they should at least be reviewed, if not changed/updated or eliminated.
- If the reasons are justified (“justified” here does not mean “because we, the Brahmans, said so”; it means a very real, pragmatic justification for which there is not a reasonable alternative in order to protect the data/assets), then they need at the very least to be explained. Education and continued relationship- and awareness-building would be even better.
- If the policies really cause them to not be able to do their jobs (which does indeed happen), our job – and one of the aspects of it that makes what we do so cool, challenging, and fun – is to think creatively of how to allow them to do their jobs while keeping the data/assets safe.
I say let’s bump things up a notch: Make it a point to seek out your own personal Mr. Manjoos, embrace them, and convert them. Difficult customers, once converted, can become some of your greatest supporters. They might even spring for the Dew.
Trust, Sociology, and IT
by Ioana Justus
In my last blog, I talked about how to build trust with a customer, and the advantages of doing so. By building a relationship of trust, communication becomes more open, allowing the customer to feel comfortable sharing their needs, and allowing the IT service provider to better customize service and anticipate needs. This concept also extends to intra-IT interactions – or regular life interactions, for that matter.
Sociologists will tell you that humans are social creatures – even the most introverted of our species require interaction with others. There is also the concept of the “inner circle” – each person has an “in” crowd that they trust and want to interact with. Evolutionarily, having such a group ensured survival: the group would mutually protect each other and they worked together to find food and raise children. The flip side of this evolutionary model is the rest of the world: If you’re not part of the inner circle, you’re not trusted and are thus treated with suspicion, prejudice, or even disdain. Individuals in your inner circle get the benefit of the doubt when they do something wrong, and you are compelled to help them through it. Individuals not in your inner circle are assumed to be malicious when they do something wrong, and you are compelled to be defensive and accusatory toward them for it.
It frequently surprises me how people assume that things in the IT or business world work so differently than they do in daily life, when there is actually little or no difference. We are the same humans with the same genetic make-up whether we’re home in our sweats or at work in our suits. Everyone knows that the best way to get a new job is to network with people at the target company, and many a manager has been accused of favoritism – Mary got a perk that I didn’t get because the boss “likes her better” (i.e., trusts her more) than me. Even security networks are built on trust (e.g., PGP): if I trust you and you trust John, then I can trust John.
So it stands to reason that if we can increase trust in the workplace, everything gets better: issues get resolved faster, there are fewer nasty surprises, there is greatly increased communication, and a strong desire to be inclusive. This then results in better collaboration between IT teams, which increases the sense of ownership, which in turn decreases errors and improves the overall quality of deliverables. All of this makes the customer – and thus the boss – happier.
But how do you go about this? Theoretically, it’s simple: communicate and include. Practically, it’s quite a bit more challenging. Make it a point to build trust with your coworkers, especially where you know it doesn’t exist today. At work, your inner circle is most likely your immediate team. But you probably work regularly with other teams. Are you accusatory of them? Do you have a less than impressed opinion? Do you think they screw up or are sub-par? Do they point their fingers at you? Those are the individuals you most want to target. Be sure to have face-to-face meetings with them – it’s a lot harder to think someone’s a jerk when they’re sitting right there. When you invite them to the table, ask everyone (including you and your team) to leave their prejudice at the door. Talk about what’s going wrong openly and honestly, with the intent to fix the problem, not lay blame. This may take some time, but have the good will to keep trying, and consider engaging a practiced facilitator if needed (many people are naturally good facilitators, but if you need someone who has been specially trained, try looking in HR or the training department). Extend gestures of goodwill by inviting the other team to an outing (e.g., lunch or drinks after work) or to meetings that they should’ve been invited to but weren’t. Above all, really listen to their perspective and make an effort to see their point of view. It might take a while, but what you’ll notice over time is increased respect and much smoother workings between you.
It may be a bit pie-in-the-sky, but imagine if you had trust with every team you worked with. I guarantee you’d be a happier employee and you’d enjoy your job a lot more. You’d also get work done faster with higher-quality results, making your customers and supervisors happier, too. And in this tenuous economic climate of cost-cutting and down-sizing, that’s maybe as close to job security as any of us can get.
Why You Have Something to Hide
If you have nothing to hide, why do you need privacy? This question, famously attributed to the McCarthy era, has gained currency again in this era of terrorism and national security. The question implies that privacy is a form of dishonesty, that the things people want to hide are the very things others should know about.
I admit that I bristle every time I hear someone say, “You have nothing to worry about if you have nothing to hide.” Baloney. I have everything to hide! When someone says, “I have nothing to hide,” it’s simply not true. What he really means is, “I have nothing to be ashamed of,” which may be true. But shame is only one, limited reason for confidentiality. Confidentiality is not an admission of guilt.
I have much to hide, for one simple reason. I cannot trust people to act reasonably or responsibly when they are in possession of certain facts about me, even if I am not ashamed of those facts. For example, I keep my social security number private from a would-be criminal, because I can’t trust that he’ll act responsibly with the information. I’m certainly not ashamed of my SSN. Studies have shown that cancer patients lose their jobs at five times the rate of other employees, and employers tend to overestimate cancer patients’ fatigue. Cancer patients need privacy to avoid unreasonable and irresponsible employment decisions. Cancer patients aren’t ashamed of their medical status—they just need to keep their jobs.
A person may share intimate secrets with an ecclesiastical leader that they would keep private from parents, because they fear the parents may not act reasonably or rationally when presented with the same information. During World War II, the government acted unreasonably and irresponsibly with Census data about the location of Japanese-American citizens. Privacy from government entities is paramount.
In addition, can you imagine how much damage you would impose on innocent people if you spoke every thought that came into your head? Or if doctors, lawyers, and accountants disclosed everything they knew about you?
The need for privacy is the recognition that most individuals, organizations, or institutions cannot be trusted to act reasonably, responsibly, in the best interest of the person, or in the best interests of society, when in possession of certain types of personal information. Humans are biased. We have limited cognitive and analytical abilities, and never know all of the facts. We are infamously poor judges of character. We change our minds, and come to conflicting conclusions. So, the next time someone asks whether you have something to hide, do not hesitate to say, “Yes, of course I do.”
Three Challenges to Building Trust (and how to overcome them)
How hard is it to build trust?
“When people honor each other, there is a trust established that leads to synergy, interdependence, and deep respect. Both parties make decisions and choices based on what is right, what is best, what is valued most highly.” –Blaine Lee
In my last article, I introduced the efforts of CompTIA to address a growing need in business today with the Trustmark certification. The Trustmark, initially focused on small and medium-sized VARs, represents a promising step forward in how businesses demonstrate and verify they protect information. As outlined in part one, I see a far larger benefit for small and medium businesses everywhere – provided Trustmark is positioned and grown properly.
Note: The more I think about Trustmark and the challenges of getting it right, the more I see vast potential. As such, I’m lengthening this article into a series of posts to share more ideas and invite constructive conversation.
The Challenges
Now I turn my attention to addressing the key challenges – with suggestions on how to meet and overcome them. This is also a call to action for professionals to come together to tackle these challenges industry-wide.
When I left the Trustmark workshop, I sensed the start of a necessary program that is heading in the right direction. In the weeks since, I have continued to consider the approach – and the challenges that must be overcome — in the context of my own experience with frameworks, education and industry measurement.
Aside: these challenges are not unique to Trustmark – these are challenges many of us face every day, especially when it comes to presentations, standards development, projects and our day-to-day activities.
The next few articles will address some of the key challenges and provide some insights – based on my experience – to successfully address those challenges.
- No Need to Reinvent the Wheel
- Provide Transparency with Support
- Establish a Sound Audit Process
Make a Difference
While you may not (yet) share my enthusiasm for a way to verify how vendors and other businesses protect information, your experience, concerns, insights and ideas are essential to the success of this and other efforts. So – reach out to me by email, telephone, twitter or join me in the Security Catalyst Community to sound off. I’m interested in any and all feedback – especially from small business owners, VARs, vendors, anyone who has been through this process.
By blending our voices and experience together, we are able to influence positive change (while actively considering and addressing unintended consequences).
Stay tuned…