Tag Archives: security

iTunes hacks: whose fault are they?

A big story today concerns irregular activity on Apple’s iTunes store, the one and only means of purchasing applications for iPhone and iPad and central to the company’s strategy. The reports allege that developers are hacking iTunes accounts to purchase and give favourable review to their apps – which can only be a short term strategy since you would imagine that such activity would soon be detected and the perpetrators traced through the payment system.

As it happens I’d been meaning to post about iTunes security in any case. I blogged about an incident just over a month ago, since when there have been a steady stream of comments from other users who say that their iTunes accounts were hacked and fraudulent purchases made.

A recent comment refers to this thread, started over a year ago and now with over 200 comments from similarly afflicted users.

Despite the number of reported incidents, there is no reason to suppose that Apple’s servers have been broken into. Several other mechanisms are more likely, including malware-infected computers on which users may have stored passwords, or have keystrokes logged; or successful attempts to guess passwords or the answer to so-called “security questions” which also give access to account details.

Such questions should be called insecurity questions, since they are really designed to reduce the burden on helpdesks from users who have lost passwords or access to obsolete email accounts. Since they allow access to accounts without knowing the password, they reduce security, and even more so when the questions are for semi-public information like mother’s maiden name, which is commonly used.

Given the number of iTunes accounts, it is not surprising that there are numerous successful hacks, whether or not there is some issue (other than the insecurity questions) with iTunes or Apple’s servers.

That said, there is a consistent theme running through all these threads, which is that Apple’s customer service towards victims of hacking seems poor. Contact is email-only, users are simply referred to their banks, Apple promises further contact within 24 hours that is often not forthcoming, and there are reports of users losing access to credit or previous purchases. It was an instance of the latter which prompted my earlier post.

Apple therefore should fix its customer service, even if its servers are watertight. I’d like to see it lose the insecurity questions too.


Microsoft TechEd 2010 wrap-up: cloud benefits, cloud sceptics

Microsoft TechEd in New Orleans continues today, but I’m back in the UK; unfortunately I was not able to stay for the whole event.

So aside from discovering that walking the streets of New Orleans in June is like taking a Turkish bath, what did I learn? The biggest takeaway for me is that Microsoft is now serious about cloud computing, at least on the server and tools side represented here. As I put it in my report for The Register, the body language has changed: instead of “we do cloud if you must”, Microsoft is now pushing hard to promote Windows Azure and BPOS – hosted Exchange, SharePoint and Live Meeting – while still emphasising that Windows continues to give you a choice of on-premise servers.

That does not mean Microsoft is winning in the cloud, of course. There is a question in my mind about whether Microsoft is merely exporting the complexity of on-premise to serve it over the Internet, rather than developing low-touch cloud systems. I think there is a bit of both. Windows InTune is an interesting case. This is a sort of cloud version of System Center, for managing laptops and desktop PCs. On the one hand, I was impressed with its ease of use in the demos we saw. On the other hand, what does managing the intricacies of desktop PCs have to do with cloud computing? Not much, perhaps, except that it is a task that still needs to be done, and if the cloud can make it easier then I’m all in favour.

Although Microsoft was talking up the cloud at TechEd, many of the attendees I spoke to were less enthusiastic. One telling point: I spoke to a training company in the vast exhibition and asked what were the most popular courses. Among other things, he said he was doing a lot of Silverlight, a little WPF, and that there was little interest in Windows Azure.

I also attended an “expert panel” on cloud security, which proved an entertaining affair. The lively Laura Chappell said the whole thing was a nightmare, and none of the other experts dared to disagree. I chatted to her afterwards about some of the issues. Here is a sample:

One of the things is ediscovery. You have something on your computer that indicates someone is planning something against the President of the United States. With the Patriot Act, they can immediately go to that service provider, and they don’t care if it’s virtualised across 10 different systems, they are going to shut them down, and they do not care who else’s stuff is on there, the Patriot Act gives them the power to do that. You went out of business, so did 7 other companies, and they don’t have a timeline, with the Patriot Act, for them to bring their servers back up.

If anyone sceptical of the benefits of cloud went along, they would not have come away reassured.

Finally, there was a ton of good stuff announced at TechEd. I attended a press briefing the day before, with sessions on Server 2008 R2 SP1, InTune, and other topics. The most interesting part of the day was a session which I am not allowed to talk about; but I will say mysteriously that Microsoft’s strategy for the product was not too far removed from one that I proposed on this blog, though I am sure there is no connection.

The other announcements were public. If you have not checked out the new Azure Tools, don’t hesitate; they are much improved. Unfortunately I hardly dare to use Azure, because although I have some free hours from MSDN I’m worried about leaving some app running by mistake and ending up with a big credit card bill. Microsoft needs to make Azure more friendly for developers experimenting.

Windows AppFabric is now released and pretty interesting, though it was not prominent at TechEd. Given that many business processes are essentially workflows, and that this in combination with Visual Studio 2010 makes building and deploying a workflow app much easier, I am surprised it does not get more attention.

Switching from Windows will not protect your data, says Trusteer CEO

I’ve just been sent some quotes from Mickey Boodaei, CEO of Trusteer, which caught my eye. It’s a response to the story that Google is directing employees not to use Windows because of security concerns.

Boodaei says that while switching from Windows may reduce the prevalence of common malware, it will not protect against “targeted attacks” – in other words, attempts to penetrate a specific network to steal data:

Enterprises that are considering shifting to an operating system like Mac or Linux should realize that although there are less malware programs available against these platforms, the shift will not solve the targeted attacks problem and may even make it worse. Mac and Linux are not more secure than Windows. They’re less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections.

In a targeted attack where criminals decide to target a specific enterprise because they’re interested in its data assets, they can very easily learn the type of platform used (for example Mac or Linux) and then build malware that attacks this platform and release it against the targeted enterprise.

The security community is years behind when it comes to security products for Mac and Linux. Therefore there is much less chance that any security product will be able to effectively detect and block this attack. By taking that action the enterprise increases its exposure to targeted attacks, not reducing it.

This sounds plausible, though there are a couple of counter-arguments. Windows has some flaws that are not present on Mac or Linux. It is still common for users to run with full local admin rights, even though User Account Control in Vista and Windows 7 mitigates this by requiring the user to approve certain actions. On Windows, it’s also more likely that you will have to give elevated rights to some application that wants to write to a system location; there’s a specific “Run as administrator” option in the compatibility options.

Further, I’m always sceptical of statements from the Windows security industry. Are they simply trying to protect their business?

Still, I’m inclined to agree that switching OS is not a silver bullet that will fix security. Take a look at this recent report of malware-infected web sites offering tips for a current hit game, Red Dead Redemption.

The attack is essentially psychological. It plays on the common knowledge that Windows is vulnerable to malware, informing the user that malware has been detected and they must clean it up by running a utility. The utility, of course, is in fact the malware. The chances are good that the user will consent to giving it elevated permissions, once they have been taken in. In principle this kind of attack could work on other operating systems, except that the user might be more sceptical about the presence of malware because it is less common – a rather frail defence.

The insecurity of Verified by Visa and MasterCard SecureCode

An article on the H points to this paper by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D Secure (3DS) protocol used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of each transaction to the card issuer or its contractors.

Banks also use the supposed additional security of 3DS to shift liability for fraudulent use towards the customer.

What’s wrong with 3DS? The authors list a number of issues. The 3DS system throws up a request for additional authentication in a pop-up dialog or iFrame, which means you cannot easily check its source; it could be a phishing attack. The memorable pass phrase that is meant to prevent this is vulnerable to man-in-the-middle attacks, as well as impatient users who might not bother to read it. Password reset mechanisms are often poorly implemented, and may depend on semi-public information such as date of birth.

The authors suggest that a simple approval process, such as a text message to your phone asking for an authorisation code, would be more secure, even if only as a stop-gap before adopting a more robust solution.

I find it surprising that 3DS has been adopted so widely despite well-known flaws. As the authors note:

3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it’s probably the largest single sign-on system ever deployed.

Well, with this post I am doing my bit.

The end of Code Access Security in Microsoft .NET

In the early days of .NET I remember being hugely impressed by Code Access Security. It gave administrators total control over what .NET code was permitted to run. It’s true that the configuration tool was a little intimidating, but there were even wizards to adjust .NET security, trust an assembly, or fix an application – great idea, that last one.


Well, now the truth is out. Code Access Security was too complex for humans to configure. Buried deep in the documentation for .NET Framework 4.0 you can find Microsoft’s confession, under the heading Security Policy Simplification:

In the .NET Framework 4 Beta 2, the common language runtime (CLR) is moving away from providing security policy for computers. Historically, the .NET Framework has provided code access security (CAS) policy as a mechanism to tightly control and configure the capabilities of managed code. Although CAS policy is powerful, it can be complicated and restrictive. Furthermore, CAS policy does not apply to native applications, so its security guarantees are limited. System administrators should look to operating system-level solutions such as Windows Software Restriction Policies (SRP) as a replacement for CAS policy, because SRP policies provide simple trust mechanisms that apply to both managed and native code. As a security policy solution, SRP is simpler and provides better security guarantees than CAS.

The section below, headed Obsolete Permission Requests, is even more damning of the old system:

Runtime support has been removed for enforcing the Deny, RequestMinimum, RequestOptional, and RequestRefuse permission requests. In general, these requests were not well understood and presented the potential for security vulnerabilities when they were not used properly.

It goes on to explain why they did not work, with explanations like this one for RequestOptional:

RequestOptional was confusing and often used incorrectly with unexpected results. Developers could easily omit permissions from the list without realizing that doing so implicitly refused the omitted permissions.

The new .NET Framework 4.0 no longer enforces these obsolete permissions.

Microsoft is right. As far as I’m aware, few used the .NET Configuration tool, and I cannot even find it in Windows 7, even though Visual Studio and all the versions of the .NET Framework are installed. Developers feared, with justification, that tinkering with the settings would simply cause mysterious exceptions that were hard to resolve.

I recall though that Code Access Security was considered a highly strategic feature when .NET was first released. One of the promises of .NET was that applications would be more secure and malware less prevalent. The fine-grained permissions were a selling point versus Java.

The painful lesson is that simplicity is a feature. Of course some things are inherently complex; but technology succeeds when it simplifies rather than complicates the tasks that we face.

Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is Firefox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there are not known multiple vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, that they are likely passing their credentials in plain text over the internet for any smart hacker to read.
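As an added illustration (this is not code from the original post), here is a small Python check that a mail client’s own POP3 debug transcript can be run through: it flags any session that sent USER/PASS or AUTH PLAIN before an STLS upgrade had been accepted by the server, which is exactly the situation in which a hotel or airport wi-fi exposes the credentials. The transcript format, session ids and addresses are constructed for the example; a real client’s debug output would need its own line parser, but the decision logic is the same.

```python
"""Added example (not from the original post): scan a client-side POP3 debug
transcript and flag sessions that sent a username or password before TLS
was negotiated with STLS.  The transcript format and session ids below are
constructed for this example."""
import re
from typing import Dict, List

# Constructed sample: "C:" lines are sent by the client, "S:" are server replies.
# Session 1 logs in over the bare TCP connection; session 2 upgrades to TLS first.
SAMPLE_LOG = """\
session=1 S: +OK POP3 server ready
session=1 C: USER alice@example.test
session=1 S: +OK
session=1 C: PASS hunter2
session=1 S: +OK Logged in
session=2 S: +OK POP3 server ready
session=2 C: STLS
session=2 S: +OK Begin TLS negotiation
session=2 C: USER bob@example.test
session=2 S: +OK
session=2 C: PASS secret
session=2 S: +OK Logged in
"""

LINE_RE = re.compile(r"^session=(\d+) (C|S): (.*)$")
CREDENTIAL_COMMANDS = {"USER", "PASS"}


def analyse(log: str) -> Dict[str, List[str]]:
    """Return {session_id: [findings]} for sessions that exposed credentials.
    Findings name the command only; the secret itself is never copied out."""
    tls_on: Dict[str, bool] = {}          # session -> STLS completed successfully
    awaiting_stls_reply = set()           # sessions that sent STLS, reply pending
    findings: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # ignore lines that are not protocol traffic
        sid, side, text = m.groups()
        if side == "S":
            if sid in awaiting_stls_reply:
                awaiting_stls_reply.discard(sid)
                tls_on[sid] = text.startswith("+OK")   # accepted -> encrypted from here on
            continue
        words = text.split(None, 1)
        cmd = words[0].upper() if words else ""
        if cmd == "STLS":
            awaiting_stls_reply.add(sid)
        elif cmd in CREDENTIAL_COMMANDS or (
            cmd == "AUTH" and len(words) > 1 and words[1].upper().startswith("PLAIN")
        ):
            if not tls_on.get(sid, False):
                findings.setdefault(sid, []).append(f"{cmd} sent before TLS was negotiated")
    return findings


if __name__ == "__main__":
    for sid, issues in analyse(SAMPLE_LOG).items():
        print(f"session {sid}: " + "; ".join(issues))
```

Run against the constructed transcript it reports session 1 only. The same check applied to a client configured for POP3 over port 995 (implicit TLS) would see no USER/PASS lines at all in the clear, which is the configuration to aim for.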

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.
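As an added example (not code from the original post, and not any vendor’s implementation), the Python below shows the alternative to the two complaints made here and in the iTunes post above: passwords are stored only as salted PBKDF2 hashes, nothing is ever emailed back, and a lost password is recovered with a random, short-lived, single-use token delivered out-of-band to the registered contact rather than by answering an “insecurity question”. The in-memory USERS dict, the 600,000 PBKDF2 rounds and the 15-minute token lifetime are assumptions of the example.

```python
"""Added example (not code from the original post): a registration and
password-reset back end that stores no plain-text passwords, never emails
a password back, and replaces "security questions" with a random,
short-lived, single-use token sent out-of-band to the registered contact.
The in-memory USERS dict is a constructed stand-in for a database."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 600_000   # assumption: tune to your hardware; only the hash is stored
TOKEN_TTL = 15 * 60       # assumption: reset tokens expire after 15 minutes

USERS: Dict[str, dict] = {}   # username -> {"salt", "hash", "reset"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}


def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Burn a hash anyway so response time does not reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])   # constant-time comparison


def start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token to be sent to the user's registered email or phone.
    Only a hash of the token is stored, so a leaked database yields no usable
    tokens.  Returns None for unknown users; the caller should show the same
    "if that account exists, we have sent a link" message either way."""
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)            # 256 bits of randomness
    expiry = (now if now is not None else time.time()) + TOKEN_TTL
    rec["reset"] = (hashlib.sha256(token.encode("ascii")).digest(), expiry)
    return token


def finish_reset(username: str, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, then set the new password."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    token_hash, expiry = rec["reset"]
    if (now if now is not None else time.time()) > expiry:
        rec["reset"] = None                      # expired tokens are discarded
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode("ascii")).digest(), token_hash):
        return False
    rec["reset"] = None                          # single use
    rec["salt"], rec["hash"] = hash_password(new_password)
    return True
```

The point of hashing the stored token as well as the password is that a copy of the database, the very thing the post worries about, then contains nothing an attacker can type in; and because the token goes to a channel the account owner already controls, there is no need to ask for a mother’s maiden name at all.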

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.