Archive for aurora

Operating System Choice Does Not Equal Security

Posted in security on June 2, 2010 by hellnbak

Yesterday, while some of us in the USA were enjoying a day off, Google made the news with this article in the Financial Times stating that they are moving away from Microsoft Windows due to security concerns.  My first reaction was to question why a company with as many smart brains as Google would make such a misguided decision.  That was, of course, before I actually read the entire article.

To steal from the FT.com article:

“We’re not doing any more Windows. It is a security effort,” said one Google employee.

“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

I cannot comment directly on the China hacking incident because I was involved in various meetings with unnamed companies and unnamed forensics experts on the so-called "China hacking incident", but I can comment on the stupidity of this clearly knee-jerk reaction.  Your operating system choice does not equal security.  I cannot put it any more simply than that.  If your company employs experts in Linux, then it makes sense to standardize on Linux.  If your company's expertise is in Windows, rolling out Linux, OS X, or any other operating system is asking for problems.

Obviously, in Google's specific case one could argue that they have more expertise in Linux.  So the switch away from Windows isn't a security decision; it's common sense, and it makes me wonder why they had Windows boxes in the first place.  This quote from an unnamed employee says it best:

Employees said it was also an effort to run the company on Google’s own products, including its forthcoming Chrome OS, which will compete with Windows. “A lot of it is an effort to run things on Google product,” the employee said. “They want to run things on Chrome.”

I couldn't care less what OS Google or any other company standardises on.  The reason I felt the need to comment on this was not because I think Google is making a mistake, but because the press is taking some comments from "anonymous employees" out of context, turning this into something it's not, and helping perpetuate a huge Information Security Myth.

The myth I speak of: “Switching to Mac OSX or Linux will make you more secure”.

Corporations get hacked; in fact they get hacked much more often than we read about in the press.  Sometimes those hacks come via a "zero day" type attack, and others via a known issue that the corporation failed to patch.  This is the reality of running a business in the Internet age.

Let me paraphrase what I and other "experts" said back in February 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html):

Every operating system has its security advantages and disadvantages, but none of them is a silver bullet or an inherently more secure option.  Some represent a higher risk than others, but in reality you are only as secure as your ability to administer the chosen operating system.  This means that if your organization has IT expertise in Linux, then you are probably more secure running Linux than you are running an operating system in which they do not have the same level of expertise.  The same goes for companies with Windows expertise: while I am sure that a good Windows administrator can find his way around alternative operating systems, I would not want that administrator to be responsible for securing an operating system that he is not proficient in.

So while one could argue that Windows has historically been the riskier operating system to run, I would counter that it is precisely that level of exposure and risk that has driven the great improvements in Windows security.  Not to mention the fact that if you are Google you have a very large target painted on you, and no matter what operating system you decide to run, you are, and probably always will be, a target of attackers.  Shift your operating system and attackers will shift their attack methods.

Based on available public information on the Aurora attack, the compromise may have come via an unpatched (at the time, zero-day) Internet Explorer vulnerability, and it was a targeted attack.  The second part of that sentence is actually the more important one here.  TARGETED ATTACK.  This means that when, and not if, Aurora the sequel happens, it will come via an unpatched vulnerability in whatever operating system (or application running on it) happens to be in use at the target company.

It is really too bad that the press in this particular case did not reach out to real security experts and get actual facts about what your operating system choice means for your security.  In fact, the Financial Times article is nothing more than FUD generated by "anonymous" quotes from "anonymous sources".

The unfortunate part about FUD like this is that all week various executives at other companies will read this article and decide that, because the great minds at Google have done this to be "more secure", they should follow suit.  They will bring in some clueless IT Security Consultant (aka CISSP) who will back up this opinion for the sake of billable time, and the poor IT guys will have to do their bidding and will ultimately make their company less secure than it was in the first place.

Rinse, wash, repeat... the cycle of Information Security Myths trumping actual progress continues.

Clueless FUD Article…

Posted in security on April 2, 2010 by hellnbak

I haven't blogged anything of much use lately, so I thought I would start up again by calling out this completely useless and incorrect opinion piece.  On the Dark Reading blog an article appeared entitled "Share — Or Keep Getting Pwned".

Sigh.  Clearly zero research was done into this posting, as there really is a lot of information sharing going on in the industry.  While I will admit that the industry as a whole needs to be better organized, the assumption that no one shares inside the industry is wrong and very misleading to the sheep who actually believe what they read.

Take the second paragraph, for example:

"Take the attacks on Google, Adobe, Intel, and others out of China (aka "Operation Aurora"). McAfee and other security firms investigating victims' systems each had its own fiefdom of intelligence, occasionally publicly sharing bits of information, like the Internet Explorer zero-day bug used in many of the initial attacks. But did anyone have the whole picture of the attacks?"

Actually, yes.  Yes, multiple people at multiple different organizations did in fact have the whole picture.  I personally was witness to a lot of inter-vendor information sharing that was extremely helpful for those affected by this issue.  Obviously I am not going to comment on who exactly shared what, or what was shared.  But a lot of information that was never made public was in fact shared amongst many parties.  Even more "shocking", this was done without the use of silly non-disclosure agreements (NDAs), and was based instead on reputation and personal trust relationships.  Meaning that there was zero corporate bullshit in the way of moving forward.

As a second example, one that I can talk about more publicly without getting myself in trouble, we all remember the Marsh Ray TLS renegotiation MITM bug (disclosed in November 2009).  Marsh Ray and Steve Dispensa both went above and beyond what was expected in sharing information with anyone.  They even attempted to leverage the muscle at ICASI (http://www.icasi.org) to pull all the major vendors together and share.  Taking things a step further, Marsh personally offered to sit down and work directly with any vendor having issues with the bug.  Sure, the vulnerability release did not go as planned (these things rarely do), but it was handled in a very open and progressive manner.

These are only two of many examples.  There are even private mailing lists where COMPETITORS on the product side of the house routinely share information on various threats, ranging from malware to new exploitation techniques.  So again, the whole process could use some improvement (maybe I just found a use for VulnWatch), but the insinuation that sharing doesn't happen because of jealousy or competitive reasons is way off base.  Most want to do the right thing, even if it means working directly with a competitor.