Skip to content

Blog

The Changing Face of Vulnerability News

Heartbleed logo  Shellshock Logo

The recent news about the bash vulnerability being called “ShellShock”, and the degree to which it is getting mainstream press has got me thinking about how software vulnerabilities are now being reported in the mainstream media.

Apparently, no vulnerability these days is complete without a catchy name and logo — see Heartbleed and Shellshock! Joking aside, though, the very fact that these vulnerabilities are making non-tech news headlines puts pressure on everyone running potentially vulnerable systems to do their duty — usually as straightforward as running a pre-packaged security update.

The Heartbleed and Shellshock stories are taking the place of what we used to see reserved for particularly influental computer worms, like Sasser and Mydoom. It’s most definitely positive that some vulnerabilities are getting attention — unfortunately it is still the case that for some companies and system administrators, only outside pressure will convince them to promptly, diligently and consistently apply security updates.

What I’d like to see, is some way for people interested in improving computer security, the “good guys” for lack of a better term, to leverage this media interest to send a message to system administrators that it’s always necessary to apply software updates promptly, even when they don’t get on the TV news!

The Curse of The Black Box

The other key issue that Shellshock highlights, as did Heartbleed, is the issue of embedded ‘black box’ systems that might be vulnerable. This kind of system is everywhere — and because in many cases they are ‘set it and forget it’ machines, they represent a particular risk. It’s often very difficult to convince vendors of these systems of the importance of pushing upstream software updates down to end users, particularly when there is a lack of understanding and a lack of financial incentive.

Something big and mainstream, like Shellshock and Heartbleed, might convince system administrators to badger vendors to release patches for this kind of product, but we need to extend this further, and make it a social (or even a legal) expectation on vendors to supply security updates for any product they ship, for a reasonable lifetime period for that product.

The security landscape is too complex, and everything too interconnected, for anyone to have the opinion that “I don’t need to patch that, because there’s nothing important on it”.

Leaving Yourself in the Loop

I want to part with a few bullet points, with some actions I try to take to stay up-to-date. Automatic updates are increasingly common, but not universal, and these simple things can help you not miss a known vulnerability.

  • Document and understand the whole software footprint of the systems for which you are responsible. (This means embedded systems, software libraries, and more!)
  • Subscribe to announce mailing lists, follow Twitter accounts of the software projects and systems you use. (It pays to be in the know about available updates, and not hear about them after it is too late!)
  • Look for useful vulnerability resources for particular projects you use. (For example, for WordPress, the recently launched WPScan Vulnerability Database.)

Quarantine Your Machine?

'Your computer might be at risk' popup on computer screen
‘at risk’, by booleansplit / Robert S. Donovan on Flickr

Scott Charney of Microsoft’s ‘Trustworthy Computing’ effort wrote a blog post recently discussing the threats presented by botnets and other malware installed on users machines, where the user is unaware of or apathetic about the presence of that software.

Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.

I have argued previously against the “there’s nothing important on my computer, so I don’t care” response that some have to the discovery of malware on their machines, and I certainly believe that it is an irresponsible attitude that contributes to these greater threats.

But I am concerned about some of the solutions which Scott proposes — particularly those that might seek to create legislation and obligations on individual computer users.

» Read the rest of this post…

On Teaching Computer Security to Non-Geeks

I can’t stand the attitude of “there’s nothing important on my computer, so I don’t care about whether it is secure or not”. The simple fact of the matter is that any infected computer connected to the internet is probably at the mercy of a malicious third party. Even if you don’t care about the impact of your computer being infected, your lazy attitude is affecting innocent other people’s computers, potentially in the form of sending mass spam and attacking unwitting websites.

Computer security is hard and very complex.

How we explain computer security and insecurity to average computer users, non-geeks if you will, is really important. And I really think that we are taking the wrong approach at the moment.

We teach computer users that in order to keep their computer secure and clean, they must have:

  • An anti-virus program
  • A firewall
  • Up-to-date software
  • … and other practical, simple steps

While these are all very important steps to encourage (especially keeping software up-to-date, in my mind), I think that we are making this advice a bit too practical. We’re ignoring complexity and only ever offering the most basic practical steps.

In my mind, a lot of computer security comes down to a model of trust. For example, I feel confident that a conversation with my internet bank is secure because:

  • I trust the integrity of the SSL connection for the purposes of keeping my information private and untampered with as it goes across the internet
  • I trust my local machine to be ‘clean’
  • I trust the remote machine at the bank is genuine and set up properly

All three of those things must be in place for me to have that ‘safe’ feeling. A safe SSL connection to your bank is meaningless if there’s nasty software on your local machine sending your keystrokes to a third party.

I’d like to see this model of trust be encouraged amongst all computer users. It maybe does take a little bit more time and effort to understand the basic principles of what is going on, but looking at security this way round, rather than from an entirely practical viewpoint, allows people to make informed security decisions, rather than blindly trusting some ‘security’ software to do everything.

Social engineering is a very easy way to get some nasty inside someone’s computer. It’s disappointing, but oftentimes you can trick the human into deliberately giving permission to something more easily than you can find a hole in software to do the same thing. Instead of relying on ‘last resort’ antivirus programs to catch known malicious programs running at the last minute, we should encourage people to ask questions:

  • Why am I being asked to run this software?
  • Where did it come from? Do I trust the group of people that wrote this program?
  • Is there anything suspicious or unusual about this? Is it really coming from who it says it is?

Obviously, you need to combine this with practical advice and some knowledge to enable people to spot things that are ‘out of place’. But I think if we did, people would be in a much better position to make sensible informed decisions and to understand better what is actually going on.

This rant only really covers one aspect of computer security. As I said at the start, computer security is really complex and really hard to get right. So this approach isn’t necessarily the answer and it isn’t going to be applicable everywhere. There are going to be groups of people for whom this will be too complex, and groups of people that ‘won’t care’. But I’d like to see it done more often.

Photo is Secure. by Wysz from Flickr. Licensed under Creative Commons BY-NC.