
Wednesday, March 4, 2015

Gizmodo: Nine Most Important Aspects of Computer Security

9 Facts About Computer Security That Experts Wish You Knew

Every day, you hear about security flaws, viruses, and evil hacker gangs that could leave you destitute — or, worse, bring your country to its knees. But what's the truth about these digital dangers? We asked computer security experts to separate the myths from the facts. Here's what they said.

1. Having a strong password actually can prevent most attacks

Yahoo's Chief Information Security Officer Alex Stamos has spent most of his career finding security vulnerabilities and figuring out how attackers might try to exploit software flaws. He's seen everything from the most devious hacks to the simplest social engineering scams. And in all that time, he's found that there are two simple solutions for the vast majority of users: strong passwords and two-factor authentication.
Stamos says that the biggest problem is that the media focuses on stories about the deepest and most complicated hacks, leaving users feeling like there's nothing they can do to defend themselves. But that's just not true. He told me via email:
I've noticed a lot of nihilism in the media, security industry and general public since the Snowden docs came out. This generally expresses itself as people throwing up their hands and saying "there is nothing we can do to be safe". While it's true that there is little most people can do when facing a top-tier intelligence apparatus with the ability to rewrite hard drive firmware, this should not dissuade users from doing what they can to protect themselves from more likely threats and security professionals from building usable protections for realistic adversaries.
Users can protect themselves against the most likely and pernicious threat actors by taking two simple steps:
1) Installing a password manager and using it to create unique passwords for every service they use.
2) Activating second-factor authentication options (usually via text messages) on their email and social networking accounts.
The latter is especially important since attackers love to take over the email and social accounts of millions of people and then automatically use them to pivot to other accounts or to gather data on which accounts belong to high-value targets.
So I would really like the media to stop spreading the idea that just because incredible feats are possible on the high-end of the threat spectrum that it isn't possible to keep yourself safe in the vast majority of scenarios.
Adam J. O'Donnell, a Principal Engineer with Cisco's Advanced Malware Protection group, amplified Stamos' basic advice:
Oh, and my advice for the average person: Make good backups and test them. Use a password vault and a different password on every website. 
Yep, having a good password is easy — and it's still the best thing you can do.

2. Just because a device is new does not mean it's safe

When you unwrap the box on your new phone, tablet or laptop, it smells like fresh plastic and the batteries work like a dream. But that doesn't mean your computer isn't already infected with malware and riddled with security vulnerabilities.
I heard this from many of the security experts I interviewed. Eleanor Saitta is the technical director for the International Modern Media Institute, and has worked for over a decade advising governments and corporations about computer security issues. She believes that one of the most pernicious myths about security is that devices begin their lives completely safe, but become less secure as time goes on. That's simply not true, especially when so many devices come with vulnerable adware like Superfish pre-installed on them (if you recall, Superfish came pre-installed on many Lenovo laptop models):
That's why the Superfish thing was such a big deal. They built a backdoor in, and they built a really bad, incompetent one, and now it turns out that anybody can walk through.
When you're relying on code delivered by somebody else, a service online or box that you don't control, chances are good that it's not acting in your interest, because it's trying to sell you. There's a good chance that it's already owned or compromised by other people. We don't have a good way of dealing with trust and managing it right now. And all sorts of people will be using that code.
The other issue, which erupted in the media over the past day with the FREAK attack, is that many machines come pre-installed with backdoors. These are baked in by government request, to make it easier for law enforcement and intelligence agencies to track adversaries. But unfortunately, backdoors are also security vulnerabilities that anyone can take advantage of. Says Saitta:
I think one thing that is really important to understand is that if you built a monitoring system into a network like a cell network, or into a crypto system, anybody can get in there. You've built a vulnerability into the system, and sure, you can control access a little. But at the end of the day, a backdoor is a backdoor, and anybody can walk through it.

3. Even the very best software has security vulnerabilities

Many of us imagine that sufficiently good software and networks can be completely safe. Because of this attitude, many users get angry when the machines or services they use turn out to be vulnerable to attack. After all, if we can design a safe car, why not a safe phone? Isn't it just a matter of getting the tech and science right? 
But Parisa Tabriz told me via email that you can't look at information security that way. Tabriz is the engineer who heads Google's Chrome security team, and she believes that information security is more like medicine — a bit of art and science — rather than pure science. That's because our technology was built by humans, and is being exploited by humans with very unscientific motivations. She writes:
I think information security is a lot like medicine — it's both an art and science. Maybe this is because humans have explicitly built technology and the internet. We assume we should be able to build them perfectly, but the complexity of what we've built and now hope to secure almost seems impossible. Securing it would require us to have zero bugs, and that means that the economics are not on the side of the defenders. The defenders have to make sure there are zero bugs in all software they use or write (typically many millions of lines of code if you consider the operating system too), whereas the attacker only has to find one bug.
There will always be bugs in software. Some subset of those bugs will have security impact. The challenge is figuring out which ones to spend resources on fixing, and a lot of that is based on presumed threat models that probably would benefit from more insight into people's motivations, like crime, monitoring, etc.
RAND Corporation computer security researcher Lillian Ablon emailed me to say that there is simply no such thing as a completely secure system. The goal for defenders is to make attacks expensive, rather than impossible:
With enough resources, there is always a way for an attacker to get in. You may be familiar with the phrase "it's a matter of when, not if," in relation to a company getting hacked/breached. Instead, the goal of computer security is to make it expensive for the attackers (in money, time, resources, research, etc.).

4. Every website and app should use HTTPS

You've heard every rumor there is to hear about HTTPS. It's slow. It's only for websites that need to be ultra-secure. It doesn't really work. All wrong. The Electronic Frontier Foundation's Peter Eckersley is a technologist who has been researching the use of HTTPS for several years, and working on the EFF's HTTPS Everywhere project. He says that there's a dangerous misconception that many websites and apps don't need HTTPS. He emailed to expand on that:
Another serious misconception is website operators, such as newspapers or advertising networks, thinking "because we don't process credit card payments, our site doesn't need to be HTTPS, or our app doesn't need to use HTTPS". All sites on the Web need to be HTTPS, because without HTTPS it's easy for hackers, eavesdroppers, or government surveillance programs to see exactly what people are reading on your site; what data your app is processing; or even to modify or alter that data in malicious ways.
Eckersley has no corporate affiliations (EFF is a nonprofit), and thus no potential conflict of interest when it comes to promoting HTTPS. He's just interested in user safety.

5. The cloud is not safe — it just creates new security problems

Everything is cloud these days. You keep your email there, along with your photos, your IMs, your medical records, your bank documents, and even your sex life. And it's actually safer there than you might think. But it creates new security problems you might not have thought about. Security engineer Leigh Honeywell works for a large cloud computing company, and emailed me to explain how the cloud really works. She suggests that you begin thinking about it using a familiar physical metaphor: 
Your house is your house, and you know exactly what the security precautions you've taken against intruders are - and what the tradeoffs are. Do you have a deadbolt? An alarm system? Are there bars on the windows, or did you decide against those because they would interfere with your decor?
Or do you live in an apartment building where some of those things are managed for you? Maybe there's a front desk security person, or a key-card access per floor. I once lived in a building where you had to use your card to access individual floors on the elevator! It was pretty annoying, but it was definitely more secure. The security guard will get to know the movement patterns of the residents, will potentially (though not always, of course!) recognize intruders. They have more data than any individual homeowner.
Putting your data in the cloud is sort of like living in that secure apartment building. Except weirder. Honeywell continued:
Cloud services are able to correlate data across their customers, not just look at the ways an individual is being targeted. You may not [control access to the place where] your data is being stored, but there's someone at the front desk of that building 24/7, and they're watching the logs and usage patterns as well. It's a bit like herd immunity. A lot of stuff jumps out at [a defender] immediately: here's a single IP address logging into a bunch of different accounts, in a completely different country than any of those accounts have been logged into from ever before. Oh, and each of those accounts received a particular file yesterday — maybe that file was malicious, and all of those accounts just got broken into?
But if it's a more targeted attack, the signs will be more subtle. When you're trying to defend a cloud system, you're looking for needles in haystacks, because you just have so much data to handle. There's lots of hype about "big data" and machine learning right now, but we're just starting to scratch the surface of finding attackers' subtle footprints. A skilled attacker will know how to move quietly and not set off the pattern detection systems you put in place.
In other words, some automated attack methods become blatantly obvious in a cloud system. But it also becomes easier to hide. Honeywell says that users need to consider the threats they're seriously worried about when choosing between a cloud service and a home server:
Cloud services are much more complex systems than, say, a hard drive plugged into your computer, or an email server running in your closet. There are more places that things can go wrong, more moving parts. But there are more people maintaining them too. The question folks should ask themselves is: would I be doing a better job running this myself, or letting someone with more time, money, and expertise do it? Who do you think of when you think about being hacked — is it the NSA, random gamer assholes, an abusive ex-partner? I ran my own email server for many years, and eventually switched to a hosted service. I know folks who work on Gmail and Outlook.com and they do a vastly better job at running email servers than I ever did. There's also the time tradeoff — running an email server is miserable work! But for some people it's worth it, though, because NSA surveillance really is something they have to worry about.
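
The pattern Honeywell describes above (one IP address logging into many accounts from a country none of them has used before, with those accounts sharing a recently received file) can be written as a small detection pass. This is an added example, not part of the original article or any provider's code; the event layout, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (day, account, source_ip, country)
LOGINS = [
    (1, "alice", "198.51.100.7", "CA"),
    (1, "bob",   "198.51.100.9", "CA"),
    (2, "carol", "192.0.2.44",   "US"),
    (2, "dave",  "192.0.2.45",   "US"),
    (3, "alice", "198.51.100.7", "CA"),
    (5, "alice", "203.0.113.50", "RO"),
    (5, "bob",   "203.0.113.50", "RO"),
    (5, "carol", "203.0.113.50", "RO"),
    (5, "dave",  "192.0.2.45",   "US"),
]

# Constructed sample file deliveries: (day, account, file_id)
DELIVERIES = [
    (4, "alice", "file-A"),
    (4, "bob",   "file-A"),
    (4, "carol", "file-A"),
    (4, "dave",  "file-B"),
]


def new_country_logins(logins):
    """Yield (day, account, ip) for logins from a country never seen for that account."""
    seen = defaultdict(set)  # account -> countries observed so far
    for day, account, ip, country in sorted(logins):
        # An account with no history has no baseline, so its first login is not flagged.
        if seen[account] and country not in seen[account]:
            yield day, account, ip
        seen[account].add(country)


def triage(logins, deliveries, min_accounts=3, window=1):
    """Flag IPs with new-country logins to >= min_accounts accounts, and list
    files every affected account received in the `window` days before."""
    by_ip = defaultdict(dict)  # ip -> {account: first anomalous day}
    for day, account, ip in new_country_logins(logins):
        by_ip[ip].setdefault(account, day)

    findings = []
    for ip, accounts in sorted(by_ip.items()):
        if len(accounts) < min_accounts:
            continue  # a single traveller looks like this; not enough signal
        first_day = min(accounts.values())
        received = defaultdict(set)  # file_id -> affected accounts that got it
        for day, account, file_id in deliveries:
            if account in accounts and first_day - window <= day < first_day:
                received[file_id].add(account)
        common = sorted(f for f, who in received.items() if who == set(accounts))
        findings.append({
            "ip": ip,
            "accounts": sorted(accounts),
            "day": first_day,
            "common_files": common,  # candidates for the malicious file
        })
    return findings


if __name__ == "__main__":
    for finding in triage(LOGINS, DELIVERIES):
        print(finding)
```

A provider can run this across all customers at once, which is the "herd immunity" advantage in the quote; a targeted attacker who touches one account from a plausible location stays under `min_accounts` and is not flagged by it.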

6. Software updates are crucial for your protection

There are few things more annoying in life than the little pop-up that reminds you that updates are required. Often you have to plug your device in, and the updates can take a really long time. But they are often the only thing that stands between you and being owned by a bad guy. Cisco's O'Donnell said:
Those software update messages are [not] there just to annoy you: The frequency of software updates is driven less by new software features and more because of some very obscure software flaw that an attacker can exploit to gain control of your system. These software patches fix issues that were publicly identified and likely used in attacks in the wild. You wouldn't go for days without cleaning and bandaging a festering wound on your arm, would you? Don't do that to your computer.

7. Hackers are not criminals

Despite decades of evidence to the contrary, most people think of hackers as the evil adversaries who want nothing more than to steal their digital goods. But hackers can wear white hats as well as black ones — and the white hats break into systems in order to get there before the bad guys do. Once the vulnerabilities have been identified by hackers, they can be patched. Google Chrome's Tabriz says simply:
Also, hackers are not criminals. Just because someone knows how to break something, doesn't mean they will use that knowledge to hurt people. A lot of hackers make things more secure.
O'Donnell emphasizes that we need hackers because software alone can't protect you. Yes, antivirus programs are a good start. But in the end you need security experts like hackers to defend against adversaries who are, after all, human beings:
Security is less about building walls and more about enabling security guards. Defensive tools alone can't stop a dedicated, well resourced attacker. If someone wants in bad enough, they will buy every security tool the target may have and test their attacks against their simulated version of the target's network. Combatting this requires not just good tools but good people who know how to use the tools.
RAND's Ablon adds that malicious hackers are rarely the threat they are cracked up to be. Instead, the threat may come from people you don't suspect — and their motivations may be far more complicated than mere theft:
A lot of the time an internal employee or insider is just as big of a threat, and could bring a business to its knees – intentionally or inadvertently. Furthermore, there are distinct types of external cyber threat actors (cybercriminals, state-sponsored, hacktivists) with different motivations and capabilities. For example, the cybercriminals who hacked into Target and Anthem had very different motivations, capabilities, etc. than those of the state-sponsored actors who hacked into Sony Pictures Entertainment.

8. Cyberattacks and cyberterrorism are exceedingly rare

As many of the experts I talked to said, your biggest threat is somebody breaking into your accounts because you have a crappy password. But that doesn't stop people from freaking out with fear over "cyberattacks" that are deadly. Ablon says that these kinds of attacks are incredibly unlikely:
Yes, there are ways to hack into a vehicle from anywhere in the world; yes, life-critical medical devices like pacemakers and insulin pumps often have IP addresses or are enabled with Bluetooth – but often these types of attacks require close access, and exploits that are fairly sophisticated requiring time to develop and implement. That said, we shouldn't be ignoring the millions of connected devices (Internet of Things) that increase our attack surface.
Basically, many people fear cyberattacks for the same reason they fear serial killers. They are the scariest possible threat. But they are also the least likely.
As for cyberterrorism, Ablon writes simply, "Cyberterrorism (to date) does not exist ... what is attributed to cyberterrorism today, is more akin to hacktivism, e.g., gaining access to CENTCOM's Twitter feed and posting ISIS propaganda."

9. Darknet and Deepweb are not the same thing

Ablon writes that one of the main problems she has with media coverage of cybercrime is the misuse of the terms "Darknet" and "Deepweb."
She explains what the terms really mean:
The Deepweb refers to part of the Internet, specifically the world wide web (so anything that starts www) that isn't indexed by search engines, so can't be accessed by Google. The Darknet refers to non-"www" networks, where users may need separate software to access them. For example, Silk Road and many illicit markets are hosted on [Darknet] networks like I2P and Tor.
So get a password vault, use two-factor auth, visit only sites that use HTTPS, and stop worrying about super intricate cyber attacks from the Darknet. And remember, hackers are here to protect you — most of the time, anyway.
Not everyone is a high value target, so not everyone is going to be targeted. Also, not everyone's social data (dob, pet names, friends, mothers, etc) are readily available on the web meaning it would be harder for a hacker to social engineer your passwords. For average people, strong passwords are a very good defense.
Now, if only we could start requiring better passwords...
I cannot star this enough. Problem is, even though it's an easy code change, so, so, so many sites simply do not allow passwords beyond 16 characters in length, and many, many more, do not allow spaces and still use antiquated requirements like one capital letter and one number.
It's funny and disheartening to see people's faces glaze over when I try to explain entropy to them, so I usually just send them the xkcd comic you posted.
Coolest thing ever in college was when I took network defense and counter measures when they made me sign a waiver stating that "Yes I do understand that what I am doing is hacking into a system and if I do anything whatsoever that it will be used for prosecution if I do actually do something." My first thought was "whoa, I'm getting into the real stuff now."
Now I know what you're thinking, "That was the coolest thing in college?" Yes it was. I don't get out much. Jerks.
#1 is a little misleading. All having a strong password does is prevent an attacker from guessing your password. All multi-factor authentication does is prevent an attacker from logging into your account even if they manage to guess the password (assuming a password was 1 factor of the authentication.). 
If your system has been compromised (unpatched vulnerability, opened that attachment or clicked on that link in that phishing e-mail, etc.), it doesn't matter how strong your password is, or how many factors of authentication you use. If an attacker owns your computer, they own everything you do on it. All an attacker has to do is wait for you to use your credentials. Once you do, they can easily do whatever they want, because you've already authenticated for them.
Read up on "Pass the Hash" and watch a demonstration on it. You'll be scared to touch your keyboard for days. ;)
For #8... Cyberterrorism is certainly rare, but Cyberattacks most certainly are not. You're under constant cyberattack simply by being connected to the internet. The internet is a very scary place.
The Electronic Frontier Foundation hopes to provide free and easy certificates to everyone: https://letsencrypt.org/ But, it's not ready yet. They hope to be open for service this Summer.
SSLMate.com offers cheap and easy certificates. Namecheap.com also offers cheap certificates (but with more manual effort to install than SSLMate or Let's Encrypt).
Regarding the "my site doesn't have anything worth protecting" argument: Are you sure? Various middleboxes on the internet mangle traffic by inserting ads, inserting dubious JavaScript, changing the text, and so on. Is that a good experience for your users? (See http://newstweek.com/ for an example of an attack that is easy to mount. See http://www.ex-parrot.com/pete/upside-do... for the humorous version.) And, yes, the attack is common: http://arstechnica.com/tech-policy/20...

4. Every website and app should use HTTPS

Sorry, I cannot get on board with this. There are a crapton of websites that do not contain anything worth protecting at all. 
1. You can argue that having the site be unencrypted makes it so your web browsing activity can be tracked, but guess what, DNS requests are not encrypted, so they already can easily tell which websites you visit whether you visit an https website or not.
2. Certificates cost money. Why make a bunch of websites more expensive than they need to be?
3. Certificates are a royal PITA. Having to update and replace certificates on all your webservers for critical data is a sucky job, having to do it for the websites that don't contain anything important just complicates it. This leads to people taking shortcuts with certificates. Suddenly people are buying certs that only expire every 5 years (less secure than a 1 year cert in that it can go compromised much longer), and people buying Multiple domain, Wildcard certs (way, way less secure than using several separate certs)
4. Having everything encrypted incentivizes corporations to do more MITM cracking of certs to monitor traffic for questionable content. When the only sites people are going to that are HTTPS are banks and email, your company probably won't invest in cracking HTTPS without your knowledge. However, when everything you do on the internet is HTTPS, you can be assured that will be a high priority. So that means they will inevitably be able to see your banking info because you insisted that localnews.com is HTTPS. This leads to less privacy not more.
In the end, it is a lot like password complexity. You make a password requirement too complex and it leads to people saving passwords in browsers and on post-it notes, leading to less security, not more. Too many certificates leads to a lot of unintended consequences.
(also, kind of funny that Gizmodo makes this argument while not being HTTPS themselves)
I would like nothing more than for Gizmodo to use HTTPS, and I have argued it. The thing is that HTTPS doesn't just protect the site. It protects users. Without HTTPS, it's easier to plant malicious code on an innocuous site and trick readers into clicking on, say, your malware ad. That can happen anywhere, including on this site.
If you care about your users, you will offer HTTPS protection to them. And that's why so many companies in the industry, including Google, are now going to start identifying non-HTTPS pages as unsafe.
"Eckersley has no corporate affiliations (EFF is a nonprofit)"

EFF is a nonprofit *corporation*. So he has a *corporate* affiliation. Just because a corporation gets a nonprofit IRS designation and is exempt from taxation doesn't mean that it can't or doesn't act like a corporation in every other respect, nor that it is not interested in making money, nor that it doesn't lobby the government just like any other corporation.

You are naive if you think nonprofits somehow don't function by the same rules of self interest as any other corporation (with the exception of tax status).
