Archive for microsoft

Operating System Choice Does Not Equal Security

Posted in security on June 2, 2010 by hellnbak

Yesterday while some of us in the USA were enjoying a day off Google made the news with this article in the Financial Times stating that they are moving away from Microsoft Windows due to security concerns.  My first reaction was to question why a company with as many smart brains as Google would make such a misguided decision.  That was, of course, before I actually read the entire article. 

To steal from the FT.com article:

“We’re not doing any more Windows. It is a security effort,” said one Google employee.

“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

I cannot comment directly on the China hacking incident because I was involved in various meetings with unnamed companies and unnamed forensics experts on the so-called “China hacking incident” but I can comment on the stupidity of this clearly knee-jerk reaction.  Your operating system choice does not equal security.  I cannot put that any more simply than that.  If your company employs experts in Linux then it makes sense to standardize on Linux.  If your company employs expertise in Windows — rolling out Linux, OSX, or any other operating system is asking for problems.

Obviously in Google’s specific case one could argue that they have more expertise in Linux.  So the switch from Windows isn’t a security concern; it’s common sense, and makes me wonder why they would have had Windows boxes in the first place.  This quote from an unnamed employee says it best:

Employees said it was also an effort to run the company on Google’s own products, including its forthcoming Chrome OS, which will compete with Windows. “A lot of it is an effort to run things on Google product,” the employee said. “They want to run things on Chrome.”

I could care less what OS Google or any company standardised on.  The reason I felt the need to comment on this was not because I think Google is making a mistake but because the press is taking some comments from “anonymous employees” out of context and turning this into something it’s not and helping perpetuate a huge Information Security Myth.

The myth I speak of: “Switching to Mac OSX or Linux will make you more secure”.

Corporations get hacked, in fact they get hacked much more than we read in the press.  Sometimes those hacks come via a “zero day” type attack and others via a known issue that the corporation failed to patch for.  This is the reality of running a business in the Internet age.

Let me paraphrase what was said by myself and other “experts” back in February 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html)

Every operating system has its advantages and disadvantages in security but no one is a silver bullet, more secure, option.  Some represent a higher risk than others but in reality you are only as secure as your ability to administer the chosen operating system.  This means that if your organization has IT expertise in Linux then you are probably more secure running Linux than you are an operating system that they do not have the same level of expertise in.  The same goes for companies that have Windows expertise, while I am sure that a good Windows Administrator can find his way around alternative operating systems, I would not want that Administrator to be responsible for securing an operating system that he is not proficient in. 

So while one could argue that in general Windows has been the riskier operating system to run I would actually counter that argument by saying that while correct in the past it is this level of exposure and risk that has caused great improvements in Windows security.  Not to mention the fact that if you are Google you have a very large target painted on you and no matter what operating system you decide to run you are and probably always will be a target of attackers.  Shift your operating system and attackers will shift their attack methods.

Based on available public information on the Aurora attack the compromise may have come via an unpatched Internet Explorer vulnerability and was a targeted attack.  The second part of that sentence is actually the more important one here.  TARGETED ATTACK.  This means that when, and not if, Aurora the sequel happens it will come via an unpatched vulnerability in whatever operating system happens to be in use at the target company.

It is really too bad that the press in this particular case did not reach out to real security experts and get actual facts around what your operating system choice means to your security.  In fact the Financial Times article is nothing more than FUD generated by “anonymous” quotes from “anonymous sources”.

The unfortunate part about FUD like this is that all week various executives at other companies will read this article and determine that because the great minds at Google have done this to be “more secure” that they should follow suit.  They will bring in some clueless IT Security Consultant (aka CISSP) who will back up this opinion for the sake of billable time and the poor IT guys will have to do their bidding and will ultimately make their company less secure than it was in the first place.

Rinse, wash, repeat... the cycle of Information Security Myths trumping actual progress continues…

Counting Vulnerabilities and SDL – No One Hears the Tree Falling

Posted in security on April 20, 2008 by hellnbak

Those of you who have known me since early on in my career as an “infosec guy” know that I have always been very critical of Microsoft.  Between the days of Information Anarchy, my old school rants and the “AusCERT Incident” I have always been ready to pounce on the boys in Redmond when I felt that they were being shady or crossing a line.  That said, those that know me also know that I am a reasonable person and won’t jump on someone just for the sake of jumping on them.

Sadly, I am a sheep, and like most of you, I am on Facebook.  One of my Facebook (and professional/real life) friends is Ryan Naraine over at eWeek.  I noticed his status late this week was – “Dave Litchfield is also wrong – http://www.davidlitchfield.com/blog/archives/00000038.htm”

So, wondering what the next Information Security drama was I headed over to Dave’s BLOG (which I didn’t know existed till now and I highly recommend it) and gave the post a read.  It seems that the hoopla is all about the Secure Development Lifecycle and counting vulnerabilities.  Dave’s post was simply a response to this post by Peter Lindstrom who is apparently some sort of analyst.

Sigh…

I have been on all ends of the security puzzle.  Two of those many ends are the vendor and, of course, the vulnerability researcher.  Based on my experiences I feel that I have a good insight into not only the vulnerability reporting process but also the Security Development Lifecycle.  In fact, with all due respect to Dave and Peter, I think I have a much clearer insight than the both of them.

Let me say this right now. SDL works. 

You name the major vendor – Microsoft, Apple, IBM, HP, VMWare, etc… I have worked with them on getting vulnerabilities fixed and I have been doing so at different times during my 15 year career.  I was sitting at the lunch table in the 90s when a Sr. Microsoft executive looked at a group of researchers and said “If I had my way people like you would be in jail”.  I was there when Scott Culp during his MSRC days called every Security Researcher a Terrorist.  I have also watched the vendor everyone loves to hate — Microsoft — take a complete 180 on their security philosophy. 

So before you comment calling me a fan boy let me say this.  Is Microsoft perfect with how they deal with security vulnerabilities and bugs?  No, they are far from it.  But, they are better than the majority of the vendors I have had to deal with. 

Apparently what caused the drama amongst security bloggers was this comment:

Microsoft has systematically hired and/or contracted with every one of their most vocal critics (and most seasoned bugfinders) to do the work behind the scenes and they don’t count those vulns!

Dave Litchfield, who has a successful company in the UK, took offense to this remark.  To be honest, I don’t blame him.  Dave is best known for being the guy that completely destroyed Oracle Security as well as a few really good Microsoft bugs found by him and his team over at NGSS.  It is also common knowledge that NGSS does a bit of work for Microsoft on MS SQL that happens to fall into Microsoft’s SDL process.

Peter on the other hand, with all due respect and to the best of my knowledge, has never found, reported, or fixed a security vulnerability before.  In fact, even on his own blog he says the following:

“I have very little security background or knowledge”

Don’t get me wrong.  I have met Peter, once, and he seemed like a cool enough guy and someone that does in fact have more than a little security knowledge so I am not trying to pick on him but in this case he is blatantly wrong.

OK, let’s be fair, he is not blatantly wrong.  He is three-quarters wrong.  Let’s look at his statement again:

Microsoft has systematically hired and/or contracted with every one of their most vocal critics (and most seasoned bugfinders) to do the work behind the scenes and they don’t count those vulns!

The first part is close to being right.  I wouldn’t say that Microsoft has hired every critic (if so where the hell is my check?) but they have hired/contracted most (perhaps only the good ones thus no check for me heh) SECURITY RESEARCHERS that have been successful in finding bugs in Microsoft software.  Note I did not say CRITICS as it is easy to be a critic and it is very hard to be a Security Researcher.

The part of the statement above that is laughable is the fact that it is an issue that Microsoft does not count any vulns found by their contract QA Engineers (hey security guys, we are really nothing more than QA).  All I can say here is no shit they don’t count them.  I know those of you who are developers on commercial products are laughing at the thought of this right now.  But, could you imagine if every bug you found in your development lifecycle (which included the security component) had to be reported to Mitre, assigned a CVE, then counted publicly?  Not only would development time triple, but you would find yourself flooding those that count vulnerabilities with a whole lot of useless information.

(I know this post is getting long, for that I apologize, I am drinking my favorite drink (crown royal, 7-up and cranberry) while watching the UFC pay per view so I will try to end this quickly.  By the way, my money is on Serra not St. Pierre — yes I know I am going against the fellow Canadian.)

Perhaps we need to rethink our definition of a vulnerability to put this into the proper context but a bug found internally during the development process is not a vulnerability and therefore should not be counted.

The vulnerabilities that need to be counted are the ones that actually affect the end users and can compromise the security of those end users.  The “vulnerabilities” found during the SDL should not have to be public as they do not affect the public in the least.

It really is that simple folks and I am kind of surprised that after all this time we are still arguing about such a thing.  So yes, much like the tree falling in the forest… no one hears a vulnerability that is fixed during the SDL process nor should they.