<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2826065061111119882</id><updated>2011-08-18T13:42:40.356-07:00</updated><title type='text'>Security</title><subtitle type='html'>These are my thoughts on computer security.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>20</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-8177787655679503630</id><published>2011-05-21T10:08:00.000-07:00</published><updated>2011-05-22T17:47:22.673-07:00</updated><title type='text'>Biggest Threat To Mac Users</title><content type='html'>&lt;blockquote&gt;These are my personal opinion and not pronouncements by Intel.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;FUD -- Fear, 
Uncertainty, and Doubt -- a campaign designed to use a person's fears against them to cause them to either act against their own best interests or keep them from acting.&lt;br /&gt;&lt;br /&gt;A lot of security work is raising awareness of real threats and sometimes of potential threats.  However, like the boy who cried wolf, the strategy doesn't always work and sometimes backfires.  In my humble opinion, that appears to be true for threats against the Apple Macintosh today.  As security workers have zealously tried to show that Apple users were not immune to threats, nor are Linux users, we have inadvertently paved the way for exactly such threats to happen.&lt;br /&gt;&lt;br /&gt;While Apple users are not immune to threats, the raising of fears has enabled a specific kind of attack to be leveled against them.  An attack that the more smug and naive among them would ignore and be immune to.  It is poetic irony.  The ones who listened are at the highest risk.&lt;br /&gt;&lt;br /&gt;The attack is Fake Anti-Virus Software (sometimes referred to as "Rogue" AV).  This is software that claims to be software to protect your computer, but which is actually a virus.  So, yes, it is a virus that attacks Mac users.  However, it only attacks those who are trying to protect themselves from such viruses.  Thus, the conundrum.&lt;br /&gt;&lt;br /&gt;The truth is that there are real anti-virus programs that do help protect your Mac.  Running one of them is a good idea.  You will be safer if you do.  However, a real anti-virus program is not likely to be sent to you in an email, nor if you get a virus is it likely to pop up on your screen and fix your program if you just send money to a web-site.  Those are most likely fakes.&lt;br /&gt;&lt;br /&gt;The real issue is that most attacks are still Social Engineering attacks, con games designed to mislead you.  No program can protect you against bad judgement, especially not when coupled with bad luck.  
If you click on a link (or read an email attachment) that promises too much, it is likely that the link (or email) will download a virus onto your system.  Some viruses such as those running on FaceBook don't even need your computer, so it doesn't matter what kind you have.&lt;br /&gt;&lt;br /&gt;The virus writers of the world are out to trick you.  If they can do so, by playing on your fears, they will do that too.&lt;br /&gt;&lt;br /&gt;So, do some research and find a reputable anti-virus vendor that makes a Mac version and download it before you are infected.  Doing that in a calm time where you can weigh the options will help you make a rational decision.&lt;br /&gt;&lt;br /&gt;However, if you don't follow that advice and find yourself infected, don't just click on the software that pops up on your screen promising a quick fix.  That's most likely a scam.  Again, calm down and find a reputable place to have your computer repaired.  It may cost you a few days to do so, but in the long run it will probably save you money, because the virus will actually get removed and you won't have sent the virus writers any money rewarding them for their efforts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-8177787655679503630?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/8177787655679503630/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2011/05/biggest-threat-to-mac-users.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/8177787655679503630'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2826065061111119882/posts/default/8177787655679503630'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2011/05/biggest-threat-to-mac-users.html' title='Biggest Threat To Mac Users'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-6029488665676685809</id><published>2010-09-26T14:03:00.001-07:00</published><updated>2010-09-26T14:11:52.153-07:00</updated><title type='text'>The Fresh Round of Twitter Hacks and Attacks</title><content type='html'>&lt;blockquote&gt;Whenever I talk about security, it is important that I remind you that I write solely my own opinions and not official positions of Intel.  Hopefully, you find this useful advice, but that's all it is, advice from someone who is interested in safety.&lt;/blockquote&gt;&lt;br /&gt;Well, twitter has been "safe" and quiet for some time.  People have begun to let their guard down.  However, a new set of vectors for exploits is being mined.  It started about a week ago with a tweet exploit that became a worm and spread porn and other unsavory stuff.  Now, a second version has appeared.  It looks like this new version has been nipped in the bud.  However, the risk is ever present.  There are people out there looking for security holes and when they find them, either playing pranks or spreading something more vicious.&lt;br /&gt;&lt;br /&gt;Sadly, it is the nature of software to have such flaws.  Thus, it is only wishful thinking to hope it goes away.  
We can erect better fences, but there will always be someone who finds out how to scale them and uses that ability to their advantage and our disadvantage.  As a result a certain level of caution, vigilance, and even paranoia is appropriate.  But do so in balance: if you let fears dominate your life, the result is just as bad, because your fears will cause you to miss opportunities.&lt;br /&gt;&lt;br /&gt;So, keep the following in mind.  There are people out there who are out to trick you and they are very clever and have very few scruples.  These people are anxious to imitate anyone you trust as that's a source of leverage for them.  Thus, they will pretend to be your bank, the government, some famous company, your friend, a web site that you often visit, a new web site with an interesting game, anything they think will get you to trust them.  They will do this by every means possible:  by spam emails, by links to sites that download malware, by sending misleading tweets, by hacking into your computer, by hacking into the computers of places that have your info.  The more valuable they think your information is or the easier they think it is to get, the more effort they will spend getting it. &lt;br /&gt;&lt;br /&gt;However, in most cases, they are not targeting you specifically, they are just looking for the easiest mark that will fall for their trap.  Therein lies your advantage. You don't have to outrun the bear, just the other hikers.   This is why fish swim in schools.  Sure, that makes the entire school a large target and the fish along the edge do get eaten, but the ones in the center tend to survive and breed a new generation.   Your goal is to be in the safe part of the school.&lt;br /&gt;&lt;br /&gt;Thus, when you read safety advice on the internet, remember that it is not fool-proof. Some people who do everything right will still get hacked.  However, it is the best advice we have.  
It will keep you from doing things that are too risky and too likely to get you into trouble.  It will increase your odds of using the internet safely.&lt;br /&gt;&lt;br /&gt;See the &lt;a href="http://bit.ly/cd9DMi"&gt;next entry&lt;/a&gt; for some safety advice recommendations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-6029488665676685809?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/6029488665676685809/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/09/whenever-i-talk-about-security-it-is.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6029488665676685809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6029488665676685809'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/09/whenever-i-talk-about-security-it-is.html' title='The Fresh Round of Twitter Hacks and Attacks'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-8668439052001858442</id><published>2010-09-26T11:53:00.000-07:00</published><updated>2010-09-26T14:05:45.577-07:00</updated><title type='text'>Common Sense For The Fresh Round of Twitter Hacks and Attacks</title><content 
type='html'>&lt;blockquote&gt;Whenever I talk about security, it is important that I remind you that I write solely my own opinions and not official positions of Intel.  Hopefully, you find this useful advice, but that's all it is, advice from someone who is interested in safety.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Here are some basic safety principles and examples of their use:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Don't trust unsolicited information.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;If you get an unsolicited email or phone call or direct message or @ message or wall posting etc., don't presume the sender is who they claim to be, especially if they ask you to do something you wouldn't normally do (e.g. give out your bank account number or phone number).&lt;/li&gt;&lt;li&gt;If you do believe that you need to do something in response to a message (e.g. you are worried your account might be overdrawn), use an alternate channel for taking action.  Don't click on a link embedded in the message.  Log into your bank in a separate browser window by typing in the address you know (or have written down from a safe and calm time).  Better yet, don't do it online--call or visit your bank.&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Keep your secrets safe.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Don't post details about upcoming trips when you will be away from your house for a significant period of time.&lt;/li&gt;&lt;li&gt;Check that public information sites like spokeo aren't giving out information that can be used to impersonate you.&lt;/li&gt;&lt;li&gt;Don't post pictures of your kids nor give out their names and ages.&lt;/li&gt;&lt;li&gt;Don't post details of your life (or pictures of yourself) that you aren't willing for the world to see.  Don't even send such pictures to friends.&lt;/li&gt;&lt;li&gt;Use strong passwords.  Not a word in a dictionary.  Not an easily typed sequence of numbers.  
Not something about you that can be guessed or looked up online.&lt;/li&gt;&lt;li&gt;Don't reuse the same password for multiple places, especially not important ones.  Make certain that even if one of your passwords gets cracked, your other passwords are still not easily guessed.&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;When something bad happens, don't panic.&lt;ol&gt;&lt;li&gt;Calm yourself down first.  Realize that it probably isn't as bad as it seems right away.&lt;/li&gt;&lt;li&gt;Plan the steps to limit the damage before doing anything else.  That will force you to be more focused.&lt;/li&gt;&lt;li&gt;Make sure you are thorough.  For example, if you have an account that is hacked, make sure you take all the steps to make the account secure, check your computer is secure, and then check to be certain your other accounts are safe also.  If the account broken into has a password, change it to a new one as part of the plan.&lt;/li&gt;&lt;li&gt;Don't do other things until you have verified that you have solved the problem.  If you have a hacked FaceBook account, don't check your bank until you've fixed that problem first and verified that you don't have a virus or keylogger on your computer.  If you skip steps, you may spread the problem to other parts of your life.  This is where making a calm plan can come in handy.&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Stay aware.&lt;ol&gt;&lt;li&gt;Watch for alerts as problems are spreading.  There is often specific advice on things not to do as they are found.&lt;/li&gt;&lt;li&gt;Read various sources on the issues.  Get a variety of opinions and guidelines so you can make informed choices.&lt;/li&gt;&lt;li&gt;Keep your protections up-to-date.  Don't just download a virus tool and think the problem is solved.  Get updated definitions regularly.  See if there aren't other tools you should use.  
Also, change your passwords at least from time to time, even if you haven't been hacked that you know of.&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Hopefully, the above list doesn't seem too long.  There is a lot of good that can come from using the internet.  It can make your life easier, richer, and more fulfilling.  If you make the above into "good habits", they shouldn't take much time at all.  Moreover, these good habits aren't just for using the internet.  They are more "common sense" things that you should practice everywhere.  While the internet has its own unique risks because it brings the whole world right to us, much of the most dangerous things were already in our life.  Most of us have already learned to cope with them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-8668439052001858442?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/8668439052001858442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/09/fresh-round-of-twitter-hacks-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/8668439052001858442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/8668439052001858442'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/09/fresh-round-of-twitter-hacks-and.html' title='Common Sense For The Fresh Round of Twitter Hacks and Attacks'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-3750546949919420287</id><published>2010-07-02T15:12:00.000-07:00</published><updated>2010-07-02T17:36:29.884-07:00</updated><title type='text'>Foursquare: Don't Bury One's Head In The Sand</title><content type='html'>&lt;blockquote&gt;The opinions expressed here are purely my own and not those of Intel. However, what I write about is clearly influenced by my job and exposure to ideas at Intel.&lt;/blockquote&gt;As an introvert, many parts of social media aren't intuitively obvious.  &lt;a href="http://foursquare.com/"&gt;Foursquare&lt;/a&gt; is a pretty good example.  My intuition immediately links it to &lt;a href="http://pleaserobme.com/"&gt;PleaseRobMe.com&lt;/a&gt;.  Thus, I find it hard to recommend for someone wanting to protect their privacy, safety, and security.&lt;br /&gt;&lt;br /&gt;However, to ignore the changes in modern society is simply to be an ostrich and assume that ignoring something will make it go away.  Yes, sometimes that works, but it isn't a sound strategy.&lt;br /&gt;&lt;br /&gt;Moreover, people enjoy games, and adding fun to one's experience actually enhances one's life.  This can be coupled with many a corporation's desire to know more about you.  A big part of social media is trading our privacy for some other benefit. One common way corporations attempt to extract that info is by involving you in games and contests.&lt;br /&gt;&lt;br /&gt;Much of this blog is trying to help you avoid making that trade unintentionally, giving away your privacy or safety for something of dubious value.  That is still a sound principle.  
Being aware that most internet and social activities are designed to extract information about you and repackage it for resale is important.&lt;br /&gt;&lt;br /&gt;I (sadly at one level, but ultimately peacefully) gave up playing games on the internet almost ten years ago, because I realized that the information I was giving up and the risk I was putting myself in were not worth the value I was receiving from playing.  This was particularly true for the online lotteries.  Although the aphorism that you can't win if you don't play is true, in the end I determined that I probably couldn't win by playing either and was simply putting myself at risk for downloading malware. &lt;br /&gt;&lt;br /&gt;The same holds true for me for a host of other online games.  At one time in my life, I truly enjoyed the fantasy of role-playing games.  I can even understand those who are willing to get dressed up in costume and go to conventions for their favorite escape.  However, the risk for me of having my privacy invaded by participating keeps me far on the sideline.&lt;br /&gt;&lt;br /&gt;Given this context, you can understand why I would be reluctant to recommend Foursquare to anyone.  Using foursquare certainly gives away information about you.  I would certainly recommend anyone considering it to think carefully through what you are trading, for what you are gaining.   You need to be clear that you are getting something back for that information you are giving away.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;When will using foursquare put you at risk, and what will it put you at risk for?&lt;br /&gt;&lt;br /&gt;After assessing that, what potential will you possibly gain from using foursquare?&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;At the same time, you need to consider those alternatives rationally and honestly and realize that by our very nature, we as humans are particularly poor estimators of risk and the trade-offs between risk and reward.  
As humans our tendency is to over-estimate risks that seem particularly detrimental and under-estimate ones that involve common-place events.  Otherwise, we would never get on a chair as a substitute ladder to reach something just a little bit too far away and end up falling--a surprisingly common error we all make.&lt;br /&gt;&lt;br /&gt;In light of that, determine for yourself how much additional risk you are taking by joining foursquare.  Are you broadcasting information that isn't readily available already?  Can that information be used in some way to your detriment?&lt;br /&gt;&lt;br /&gt;To make this concrete, let us consider a couple of specific examples based on the PleaseRobMe.com model. &lt;br /&gt;&lt;ol&gt;&lt;li&gt;You are a single 9-5 working person living in an apartment.  In this case, it is probably obvious that you work all day and that your apartment is vacant during that time.  Incremental risk from using foursquare to check in at your favorite restaurants, probably limited.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;You work from home and thus stay at home almost all the time.  In this case, tracking the times you are away might be significantly valuable.  Especially, if long trips are involved. Incremental risk from using foursquare to check in at Disney, much higher.&lt;/li&gt;&lt;/ol&gt;The key distinction is whether the fact that you are away is unusual. That makes it more valuable.&lt;br /&gt;&lt;br /&gt;However, if one really wanted to do the analysis, one would need some numbers to work with.  To my knowledge, no one has yet compiled any comparative statistics on the number of people whose homes were robbed who were using foursquare versus non-users. While I would expect some marginal incremental risk, I would expect that the number would be less significant than the location of one's house.  Some neighborhoods just get robbed more than others.  
I would be willing to bet that the choice of neighborhood was a more significant variable than foursquare usage in home robbery rates.&lt;br /&gt;&lt;br /&gt;Therein lies the point.  Don't skip using foursquare simply because the fear of a home robbery is so dreadful that you over magnify its probability.  Skip using it only if the benefits are dubious to you.  If you find something interesting that you might be able to benefit from by using foursquare, the risk from using it is probably not that high, so go ahead and indulge.&lt;br /&gt;&lt;br /&gt;For example, if you attend a conference, like IDF, where Intel is involved and you have a foursquare account, there is a good chance that there will be contests and giveaways for those who check-in.  By the way when you do so, read the fine print first.  Intel has a very strict policy about how it can use the information it gathers, so we will have to tell you what your checking in means and how we might use that information in the future.  That's a standard everyone should be held to.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-3750546949919420287?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/3750546949919420287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/07/foursquare-dont-bury-ones-head-in-sand.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3750546949919420287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3750546949919420287'/><link rel='alternate' type='text/html' 
href='http://chris-clark-on-security.blogspot.com/2010/07/foursquare-dont-bury-ones-head-in-sand.html' title='Foursquare: Don&apos;t Bury One&apos;s Head In The Sand'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-5208519373508935299</id><published>2010-06-25T09:23:00.001-07:00</published><updated>2010-06-25T14:34:46.280-07:00</updated><title type='text'>When Will We Wake Up?</title><content type='html'>&lt;blockquote&gt;As always, these thoughts and opinions are mine alone and not official pronouncements, policies, or statements from Intel.  Note that the examples used in this posting are not unique and not the most extreme cases.  They are simply ones that have become lodged in my mind.&lt;br /&gt;&lt;/blockquote&gt;This is the other half of the issue I just wrote about in &lt;a href="http://bit.ly/caFr8t"&gt;this post&lt;/a&gt;, where I addressed the need for people to be conscious of how choosing convenience might be lowering their security and privacy.&lt;br /&gt;&lt;br /&gt;Here I'd like to ask the question from the implementer's point of view.  In particular, we have long known that some systems are easy to crack.  I am going to list some easy flaws of convenience and ask why we haven't learned to avoid them.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Obvious default passwords and insecure default settings:  In high school my friends and I were taught on a large computer and given the instruction manual for the operating system, compilers, and so forth.  
In those books were the instructions on how to run the system that assigned accounts and passwords and the examples used names like "password" for the system accounts.  Gleefully, we tried those passwords, and no one had ever changed them. They were the same as in the book.  Since no one had ever heard of cracking accounts back then, those administrators could be forgiven.&lt;br /&gt;&lt;br /&gt;However, in the 2000's when I bought a router, leaving the name as "linksys" and the password as "administrator" would have been tragically foolish.  Still the recommended installation procedure did not change those names and in fact connected one to the internet as a required early part of the process.  I changed mine, of course, as soon as I had the router to the point where I could do so.  However, I'm sure there are many extremely insecure wireless routers out there.  Everywhere I go, I find linksys routers my laptop wants to connect to.  If routers become a major pool of malware infections, it will not surprise me.&lt;br /&gt;&lt;br /&gt;Much more security aware is the way that the F-Secure SSH client automatically builds a random number when you install and first use it.  The security is turned on right from the beginning and there is no worry that someone will use an insecure password and none for the person to remember.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Back doors and escapes with unlimited power:  Many people have spent a lot of time figuring out how to prevent the browser from down-loading .exe files and running them.  However, this whole time, one could down-load a .pdf and in it have commands that would down-load the files we were trying to prevent.  There are some security provisions built-in, but they are circumventable by social engineering.  
Sadly, this is not a flaw in some .pdf implementation, but a designed part of the spec.&lt;br /&gt;&lt;br /&gt;Building in an escape hatch or back door is an easy way to circumvent the limitations of a product.  However, when that escape allows arbitrary code execution, you have abdicated control to those who would abuse your application.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Installations that require too much privilege:  Although this is slowly getting better, far too many applications still get installed with too much access to the system.  This is definitely a convenience issue.  It is time consuming to get the minimum access an application really needs, especially if you don't know whether someone else sharing the computer might need another feature and more privileges.  Users will almost always opt for installing all the features in the most unrestricted fashion when given the choice.  That is much more "convenient" than picking a narrow set of features and restricting them and then finding out later one needs more.  Especially, in those cases where expanding the privileges might require stopping the application mid-task (or worse rebooting the entire system).  The user will always opt for the convenient choice.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Systems that require restarting to reset:  Even worse than restarting the application to expand its privileges are those applications that have to be restarted on a regular basis.  It makes sense that a system that is holding onto some personal information (e.g. the browser session visiting your bank or the system that allows you to send emails) wants to time-out so that one doesn't accidentally walk away leaving that information unprotected.  However, other applications fail after running for a while for no obvious reason.  My assumption is that this is due to careless resource management and that some resource is eventually exhausted and the application falls over or simply hangs.  
However, whatever the cause, this practice has tended to train users to expect to re-login to various applications on a regular basis.  Thus users are much more cavalier about entering their security information than they should be.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Loading obscure software to build unimportant candy:  A pretty user interface is appealing, but many applications put too much emphasis on sizzle rather than functionality.  A common symptom of this issue is the web sites that seemed to require a new browser extension for each site.  Again, this has improved somewhat, but still in the process, many users were "trained" to download all sorts of software to make their web applications work, and the malware writers took full advantage of this, loading first malware via such links and more recently fake malware scanners that were actually malware.&lt;br /&gt;&lt;br /&gt;Similar to this problem was the password manager I wanted to download that required loading a completely new-to-me language (groovy) into my browser to run it.  Here was a system that I was using to attempt to increase my security, but which required me to perform a potentially unsafe action in order to do so.  While password security isn't exactly candy, it isn't core functionality.  It certainly isn't obvious why one would need to download a new language onto one's computer to get the browser to export passwords.&lt;/li&gt;&lt;/ol&gt;These are just some examples of lessons as developers we should have learned where we have traded user security for user convenience.  Admittedly, convenience is a nice thing.  However, we have to be more protective of those who are depending upon us.  We made the mess that allows malware to flourish.  
We could do our part to clean it up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-5208519373508935299?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/5208519373508935299/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/when-will-we-wake-up_25.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/5208519373508935299'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/5208519373508935299'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/when-will-we-wake-up_25.html' title='When Will We Wake Up?'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-6723527881753126019</id><published>2010-06-25T08:31:00.000-07:00</published><updated>2010-06-25T14:42:11.871-07:00</updated><title type='text'>Convenience Versus Security</title><content type='html'>&lt;blockquote&gt;As always, these thoughts and opinions are mine alone and not official pronouncements, policies, or statements from Intel.&lt;/blockquote&gt;For a long time, we geeks who built the internet (and I can't take any significant credit for that) have lived in a fairy tale sandcastle in the sky. 
We believed in the essential goodness of people and thereby developed our hardware and software with our main focus on what was convenient and not what was secure.  We also made that worse by concentrating on features rather than stability and lack of bugs.&lt;br /&gt;&lt;br /&gt;In the security field, the bugs have gotten a fair amount of attention.  People are very aware of the buffer overruns and other ways of breaking software like browsers to introduce malware into your computer or your network.&lt;br /&gt;&lt;br /&gt;However, the convenience factor needs equal attention.  Some of those lessons have been learned.  When I administered my own Linux server back in 1995, I learned the hard way (i.e. by being cracked and having a rootkit installed) about the importance of closing up and securing ports.  Having an open telnet port was convenient for logging into my server not only for me, but for all the miscreants who thought accessing and using my computer might be fun or profitable.&lt;br /&gt;&lt;br /&gt;Still, this lesson needs to be repeated over and over again.  The sites that are open to the attacks in &lt;a href="http://bit.ly/9y6YoE"&gt;this video&lt;/a&gt; have not properly secured their assets.  If you leave your property open and unlocked, someone will eventually "borrow" it or play a prank on you through it or do something else you don't want and hadn't intended, especially if the info on how to do so is on popular sites like &lt;a href="http://bit.ly/caAJS5"&gt;bitrebels&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So, when you buy that new webcam or baby monitor, think before you expose it to the internet.  The out-of-the-box configuration was probably designed by geeks who wanted to make it convenient for you to use, not to keep your private information private.  That doesn't mean you can't make the device secure, just that you will need to do extra work to do so.  
Work that might not be detailed in the instruction book that comes with the device.&lt;br /&gt;&lt;br /&gt;Although we geeks who design and build such devices emphasize convenience and features as that's what we've trained ourselves to do and what the market has traditionally rewarded, if consumers want safer more secure devices, we will make them.  Companies are already realizing the need for that.  The culture is ripe to grow and spread.  Consumers just have to make informed choices that demonstrate that preference.&lt;br /&gt;&lt;br /&gt;If you are an implementer and want to ponder some of the ways, we have helped users trade security for convenience, try reading &lt;a href="http://bit.ly/dwgEzE"&gt;this&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-6723527881753126019?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/6723527881753126019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/convenience-versus-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6723527881753126019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6723527881753126019'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/convenience-versus-security.html' title='Convenience Versus Security'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-4435380181296439303</id><published>2010-06-15T11:31:00.000-07:00</published><updated>2010-06-15T15:54:58.346-07:00</updated><title type='text'>Viruses on Linux</title><content type='html'>&lt;blockquote&gt;As always, I want to reinforce that these are my personal opinions and not the stated policies, recommendations, or positions of Intel.&lt;/blockquote&gt;   It has been discovered that an Open Source application that runs on Linux has had some of its repositories cracked and some of them were serving a malware-infected version, as reported &lt;a href="http://bit.ly/8ZcWAT"&gt;here&lt;/a&gt; and &lt;a href="http://bit.ly/aoNqS8"&gt;here&lt;/a&gt;.  Now, while some have reacted as if this reporting is an attempt at spreading FUD (&lt;a href="http://bit.ly/bMKOWZ"&gt;fear, uncertainty, and doubt&lt;/a&gt;) among potential Linux users, it is simply one more incident showing that there is no security silver bullet.  &lt;br /&gt;&lt;br /&gt;Simply choosing a more secure OS is not sufficient to protect against all forms of attacks.  Complacency will always leave one vulnerable.  Reading your email on a Linux box will not prevent spam or phishing emails from entering your mailbox.  If you click on an infected .pdf file, you &lt;span style="font-style:italic;"&gt;probably&lt;/span&gt; won't get infected because the malware was &lt;span style="font-style:italic;"&gt;probably&lt;/span&gt; customized for Windows.  However, that doesn't mean someone couldn't infect a .pdf file with a Linux virus.  Someday, someone will.  Moreover, if the attack wasn't attempting to infect your system, but simply to get you to install a tracking cookie in your browser, Linux is no protection at all.  
Running Linux doesn't magically make one immune to social engineering.&lt;br /&gt;&lt;br /&gt;This isn't a criticism of Linux.  Linux out-of-the-box generally comes configured to be more secure than typical Windows desktop systems are. A good example is that on Linux systems root (superuser) access is done via a separate account rather than one's normal account.  Many other features of Linux are specifically designed to improve security also.&lt;br /&gt;&lt;br /&gt;However, Linux systems also often have more to configure and more to exploit.  A Linux system will often run ssh and ftp servers and not just clients.  Running nfs or samba servers on Linux is also very common.  You might even run http or sql servers.  Server systems require more complex and careful administration, because servers were designed to share their resources.   Sharing requires more attention.  Sharing opens avenues for attack.&lt;br /&gt;&lt;br /&gt;If you button your Linux system up, it can be secure.  However, if you run it with the telnet, ftp, ssh, and nfs ports all open to the world and without any security on them, you will eventually find more viruses and rootkits on your system than you can imagine.  Believe me.  I've been there.  In fact, to my knowledge, the only system I've ever run that has been cracked was a Linux box.  It was in part due to configuring the system to be more convenient rather than more secure.&lt;br /&gt;&lt;br /&gt;I think it is appropriately instructive that the word &lt;a href="http://bit.ly/aBt0r4"&gt;rootkit&lt;/a&gt; derives from the name of the administrative account on Unix derivative systems.  &lt;a href="http://bit.ly/bDAgyr"&gt;The first worm&lt;/a&gt; was also designed to attack Unix (not Windows) systems. 
Likewise, Ken Thompson described in his &lt;a href="http://bit.ly/bdPzfH"&gt;Turing Award lecture&lt;/a&gt; how to embed a Trojan Horse in the C compiler, which shows that simply compiling from source is not a panacea either.&lt;br /&gt;&lt;br /&gt;So, enjoy the security Linux is able to give you.  Open Source is a good thing.  There is ample reason why many cryptographers prefer trusting an open source algorithm.  However, don't assume running Linux without appropriately configuring it makes you magically immune to attack.  Life isn't quite that simple.  Security still requires work.  Always will.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-4435380181296439303?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/4435380181296439303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/viruses-on-linux.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/4435380181296439303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/4435380181296439303'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/viruses-on-linux.html' title='Viruses on Linux'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-2973737774717610600</id><published>2010-06-11T16:18:00.000-07:00</published><updated>2010-06-13T18:55:43.767-07:00</updated><title type='text'>Fooling Turing Tests for Chats with Bots</title><content type='html'>&lt;blockquote&gt;As always, I want to be upfront that the opinions in this posting are only mine and not official statements made by Intel.&lt;/blockquote&gt;&lt;br /&gt;Way back in college, I came across the program called &lt;a href="http://bit.ly/bJ7YnM"&gt;Eliza&lt;/a&gt;.  If you haven't ever encountered it, you simply type messages to it and it types messages back, just like a person on a chat-site.  The program is realistic enough that people have been known to treat it as a real person.  Therein lies an interesting question.  How do you tell the "person" you are talking to is a real person and not a computer?  That question is so important, it is called the &lt;a href="http://bit.ly/a42fxn"&gt;"Turing Test"&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The Turing Test basically says a judge is allowed to talk (as one does in a chat-site by typing messages back-and-forth) to two contestants, one of which is human and the other a computer.  The computer loses if it is properly identified as a computer, but if the computer is misidentified as a human it wins.&lt;br /&gt;&lt;br /&gt;Well, in our world, there are lots of variations on chat sites, where we type messages to people rather than talk to them.  Some of them are social like Facebook and Twitter.  Have you met people on one of those sites that you haven't yet met in real life?  Are you sure they are for real?  They aren't always real.  
There are &lt;a href="http://bit.ly/aEHExI"&gt;"bots"&lt;/a&gt; on these sites whose sole job is to impersonate a person and in doing so get unsuspecting users to click on malware links.&lt;br /&gt;&lt;br /&gt;We see the result of these from time-to-time, when there are outbreaks of tainted links circulating.  When that happens, people post warnings not to click on links attached to messages like "Is this really you in this picture?" or "ha, ha, this is a funny one".&lt;br /&gt;&lt;br /&gt;Fortunately, most of these attacks are simple.  The bots are not very sophisticated impersonators.  Many of us have learned not to click on links from people we don't already trust and even from them only links that are in line with info we already trust from them.  We apply our personal versions of the Turing Test relatively efficiently.  This is partially because we are expecting these bots.&lt;br /&gt;&lt;br /&gt;However, let's imagine someone who wants to cheat and win a Turing Test.  Suppose someone wanted to insert a "computer" into the contest, but have it be real enough to fool people.  One simple way of cheating is to have the "computer" be a real person.  There was a famous chess-playing computer built just that way called &lt;a href="http://bit.ly/d5NyPC"&gt;"the Turk"&lt;/a&gt;.  Inside this computer there was actually a small chess-playing person moving the levers.&lt;br /&gt;&lt;br /&gt;As discussed &lt;a href="http://bit.ly/9H4x28"&gt;here in Dark Reading&lt;/a&gt; or &lt;a href="http://bit.ly/akihgd"&gt;here in their PDF paper&lt;/a&gt;, recently some researchers figured out a way to do a variation on this cheat in a chat situation.  Instead of hiding a human in the computer, they made the computer tie two humans together.  That way both humans were talking to other humans, but both thought they were talking to the person who the computer was pretending to be.  On both sides of the chat, a human was moving the levers.  
However, on neither side was the person talking to whom they thought they were.  Both chatters thought they were talking to the fake ID created for the bot, rather than the real person to whom the bot forwarded their conversation.  The bot is executing a classic &lt;a href="http://bit.ly/be9fAP"&gt;man-in-the-middle attack&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;However, even though the bot was primarily forwarding the conversations between two humans, it was still a bot, and it was able to deliver malicious payloads, either sending a link which could have been to malware (but wasn't since this was a research project) or asking a phishing question (which also was a benign surrogate question for the research purposes).  The bot was able to get high response rates to both forms of attacks, because the attack was in the context of an otherwise human-to-human conversation, and thus was camouflaged.  The exact details of the attacks and how they were inserted and success measured are in the &lt;a href="http://bit.ly/akihgd"&gt;PDF paper&lt;/a&gt; or in this &lt;a href="http://bit.ly/dqe08m"&gt;summary&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The effectiveness of these attacks, while worrisome, is dwarfed by a potential highlighted but not explored in the paper.  A similar man-in-the-middle attack could be executed on online banking help chat sessions.  If a bot is inserted in a banking help conversation, the bot could potentially be similarly effective at phishing details from the users.  The users would be expecting to be asked questions to validate them to the system, so extra questions about personal details would not be surprising.  Similarly, the bot could insert questions to the help side that might help the attacker move money.  
Again, the help agent would not be surprised at questions on how to do various actions, as the user was calling with troubles and the helper is trained to ask "is there anything else I can assist you with?"&lt;br /&gt;&lt;br /&gt;These results should be particularly scary for people worried about phishing attacks.  The technology involved is not sophisticated.  The idea, while creative, was not far-fetched and had been predicted.&lt;!-- http://twitter.com/DaveMarcus/status/15962100488 --&gt; &lt;style type='text/css'&gt;.bbpBox15962100488 {background:url(http://a1.twimg.com/profile_background_images/53983216/twitterProfilePhoto.jpg) #1A1B1F;padding:20px;} p.bbpTweet{background:#fff;padding:10px 12px 10px 12px;margin:0;min-height:48px;color:#000;font-size:18px !important;line-height:22px;-moz-border-radius:5px;-webkit-border-radius:5px} p.bbpTweet span.metadata{display:block;width:100%;clear:both;margin-top:8px;padding-top:12px;height:40px;border-top:1px solid #fff;border-top:1px solid #e6e6e6} p.bbpTweet span.metadata span.author{line-height:19px} p.bbpTweet span.metadata span.author img{float:left;margin:0 7px 0 0px;width:38px;height:38px} p.bbpTweet a:hover{text-decoration:underline}p.bbpTweet span.timestamp{font-size:12px;display:block}&lt;/style&gt; &lt;div class='bbpBox15962100488'&gt;&lt;p class='bbpTweet'&gt;I am a prophet!!!! 
I eluded to this at &lt;a href="http://twitter.com/search?q=%23phneutral" title="#phneutral" class="tweet-url hashtag" rel="nofollow"&gt;#phneutral&lt;/a&gt; &lt;a href="http://bit.ly/9BgN6L" rel="nofollow"&gt;http://bit.ly/9BgN6L&lt;/a&gt; via @&lt;a class="tweet-url username" href="http://twitter.com/intel_chris" rel="nofollow"&gt;intel_chris&lt;/a&gt; and @&lt;a class="tweet-url username" href="http://twitter.com/darkreading" rel="nofollow"&gt;darkreading&lt;/a&gt;&lt;span class='timestamp'&gt;&lt;a title='Fri Jun 11 23:18:52 +0000 2010' href='http://twitter.com/DaveMarcus/status/15962100488'&gt;less than a minute ago&lt;/a&gt; via &lt;a href="http://www.tweetdeck.com" rel="nofollow"&gt;TweetDeck&lt;/a&gt;&lt;/span&gt;&lt;span class='metadata'&gt;&lt;span class='author'&gt;&lt;a href='http://twitter.com/DaveMarcus'&gt;&lt;img src='http://a3.twimg.com/profile_images/966103533/76f591fe-5cf0-4e3f-93cf-47ca857564b6_normal.png' /&gt;&lt;/a&gt;&lt;strong&gt;&lt;a href='http://twitter.com/DaveMarcus'&gt;Dave Marcus&lt;/a&gt;&lt;/strong&gt;&lt;br/&gt;DaveMarcus&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt; &lt;!-- end of tweet --&gt;That means there are probably malware writers out there who are already trying to figure out how to incorporate this attack into their repertoire.  The key thing about this paper is this kind of attack is no longer just an idea.  There is a real proof of concept (PoC) implementation.  
It will not be hard for others to replicate this work.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-2973737774717610600?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/2973737774717610600/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/fooling-turing-tests-for-chats-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/2973737774717610600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/2973737774717610600'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/06/fooling-turing-tests-for-chats-with.html' title='Fooling Turing Tests for Chats with Bots'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-6245542915352204047</id><published>2010-05-30T12:16:00.000-07:00</published><updated>2010-05-30T15:09:12.638-07:00</updated><title type='text'>Is an iPad a Non-Programmable Computer?</title><content type='html'>&lt;blockquote&gt;&lt;/blockquote&gt;&lt;blockquote&gt;As always, before I write anything, I need to add a disclaimer.  I work for Intel and tweet under &lt;a href="http://www.twitter.com/intel_chris"&gt;@intel_chris&lt;/a&gt;.  
However, these tweets and blog entries are simply my own opinions and not the official pronouncements of Intel in any way.&lt;br /&gt;&lt;/blockquote&gt;Before we look at that question, we need to define what it means.  There are devices that perform computations that are not programmable.  However, that isn't what I'm asking about, although it is close.&lt;br /&gt;&lt;br /&gt;So, Sherman set the way-back machine to 1890, the time of Herman Hollerith and the census.  It was a big task collating the answers from all around the country and it was done by using machines which sorted the punched cards into various slots.&lt;br /&gt;&lt;br /&gt;If you look at old movies, you can sometimes see some of these machines. &lt;a href="http://www.blogger.com/%20http://bit.ly/bbq58s"&gt;(More information and pictures at technikum29.)&lt;/a&gt; Early on in my career, I even used them.&lt;br /&gt;&lt;br /&gt;Now, to perform their function these machines could be programmed, by the use of levers (in the case of the ones I used) or wires that could be connected or disconnected (in others).  However, the key point is that the cards themselves could NOT affect the program, only the switches or wires could.  Thus, although the machines could be programmed, from the point of view of the cards, they could not.&lt;br /&gt;&lt;br /&gt;Modern computers keep the program in the same memory as the data.  This is called the &lt;a href="http://www.blogger.com/%20http://bit.ly/c0eKjI"&gt;Von Neumann architecture&lt;/a&gt;.  This architecture allows the program to be changed by sending data to the computer.  It is an important advancement in what computers can do.  However, it also allows computers to become infected with viruses.  When a modern programmer wants a computer, this is what he wants, something he can send data to in order to reprogram.  This is the kind of computer your PC or Mac is.&lt;br /&gt;&lt;br /&gt;However, there is a "computer" in my house that I never reprogram.  
It's my TiVo.  Inside the TiVo &lt;span style="font-style: italic;"&gt;there is &lt;/span&gt;a computer that can be reprogrammed, and some people "hack" their TiVos and change that program.  However, I never do.  I simply let the program run and do its thing.&lt;br /&gt;&lt;br /&gt;Now, for those of you wondering, I do change the shows I watch and various things and that might seem like programming it.  However, it isn't.  It is &lt;span style="font-weight: bold;"&gt;configuring&lt;/span&gt; it.  It's like the punch cards.  Changing the shows I watch never changes the way the unit functions.  Most importantly, changing the shows cannot introduce a virus into the TiVo.  This is a &lt;span style="font-weight: bold;"&gt;non-programmable computer&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Of course, as I noted above, the computer &lt;span style="font-style: italic;"&gt;can&lt;/span&gt; be programmed.  In fact, TiVo (the company) does so every once in a while.  However, I never program it.  More importantly, I have never heard of any virus writer ever sending malware to a TiVo.&lt;br /&gt;&lt;br /&gt;The question worth asking is whether an iPad is more like a PC or Mac or more like a TiVo.  If you don't Jailbreak your iPad (or your iPhone) I would argue that it is more like a TiVo.  It provides certain services.  Moreover, once you have a set of apps on your iPad, you don't reprogram it, until you add another app.  Using an application on an iPad, even surfing the web, does not reprogram your iPad.&lt;br /&gt;&lt;br /&gt;Compare this to surfing the web on a more normal computer.  These computers are reprogrammed regularly.  In fact, for the longest time, whenever you went to a new web site, there was a reasonable anticipation that the web site was going to use some new rendering software (e.g. a new version of Flash) and would link you to a site to download it.  That is one of the hooks many virus writers used to get you to load their malware onto your computer.  
You wanted to see Anna Kournikova and you were willing to reprogram your computer to do so.&lt;br /&gt;&lt;br /&gt;On the iPad, one doesn't do that.  One has a set of applications and they do their jobs.  Moreover, Apple specifically vets all of those applications.  At this level, an iPad has a &lt;a href="http://bit.ly/AttFF"&gt;virus-proof OS&lt;/a&gt;.  If you never Jailbreak your phone, and you never download any apps that aren't approved, you should never get a virus.&lt;br /&gt;&lt;br /&gt;Now, before everyone goes out and buys an iPad and says &lt;a href="http://www.twitter.com/intel_chris"&gt;@intel_chris&lt;/a&gt; said it would protect them from viruses, let me add two caveats.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The fact that one programs an iPad at all, and more importantly, the fact that down deep within an iPad is a computer that &lt;span style="font-style: italic;"&gt;can be&lt;/span&gt; programmed, means that it is possible to create iPad viruses.  Someday, someone will do so.  The more popular iPads become, the sooner that will happen.  Moreover, things like Javascript embedded in web pages, are small programs, which means at some level your iPad gets reprogrammed a little by almost every web page it visits, but these programs are not supposed to persist after the web page is no longer being viewed.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Not all malware requires a virus be installed on your computer.  In fact, spam and phishing emails are often not viruses at all.  They simply get you to do something you shouldn't, e.g. order medication from a place you have never heard of, or send your banking information to a site that isn't your bank.  In addition, even properly working web browsers have techniques (e.g. 
Javascript as mentioned above) that allow malware writers to put up deceptive web pages and surreptitiously  collect information from you.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;However, despite that I think that the iPad being a non-programmable computer is actually a good thing.  For many jobs, we want something that just works and we really don't care how it works.  For me, my TiVo is the perfect example of that.  The fact that it is programmable, only rarely tempts me to do so.  (Yes, I'm still a geek, so it does tempt me from time-to-time, but I can always find better more interesting things to program than it.)  An iPad looks like another device that could act that way.  Would I really want to program it, or just use it?  I think for most people, just using it is the obvious answer.&lt;br /&gt;&lt;br /&gt;If just using it has a side-effect of making us even just a little safer, that is a wonderful side benefit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-6245542915352204047?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/6245542915352204047/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/05/is-ipad-non-programmable-computer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6245542915352204047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6245542915352204047'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/05/is-ipad-non-programmable-computer.html' title='Is an iPad a Non-Programmable Computer?'/><author><name>Christopher F Clark of 
Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-3990016962184893246</id><published>2010-05-16T15:39:00.000-07:00</published><updated>2010-05-16T19:09:10.901-07:00</updated><title type='text'>Is FaceBook A Utility</title><content type='html'>&lt;blockquote&gt;Disclaimer: These opinions are strictly my own.  They do not represent the views of Intel.&lt;br /&gt;&lt;/blockquote&gt;Recently, Danah Boyd, &lt;a href="http://twitter.com/zephoria"&gt;@zephoria&lt;/a&gt;, posted an excellent article, &lt;a href="http://bit.ly/ceiMwG"&gt;"Facebook is a utility; utilities get regulated"&lt;/a&gt;.  If you haven't read it, you should (including the comments) and form your own opinion.&lt;br /&gt;&lt;br /&gt;To me the real question, and I believe Danah captured it well, is what is the commodity that Facebook is selling.  What does Facebook have a monopoly on?  The answer to that question is the connectivity to its network and the private information that people have placed on it.  It is that private information people want to protect.  It is that connectivity they cannot afford to lose.&lt;br /&gt;&lt;br /&gt;I will not argue with the other people commenting that Google is not as significant a near-monopoly as Facebook, nor that Facebook won't eventually be replaced by another network.  In fact, I do not use Facebook that much.  I prefer a different near-monopoly, Twitter, for most of my connections.  
I also haven't placed significant private information on it at all.&lt;br /&gt;&lt;br /&gt;However, Facebook has one attribute that some of its competitors do not, access to some of our &lt;span style="font-weight: bold;"&gt;private&lt;/span&gt; information.  That is the information that Facebook wants to monetize.  That is what has us upset.  This is what people will clamor to regulate.&lt;br /&gt;&lt;br /&gt;People do not care so much whether Facebook is a utility or not, except as it potentially exposes that private information without our consent to a much larger audience than we intended.  If you read &lt;a href="http://bit.ly/9O6Mkv"&gt;the recent polls on youth online behavior and attitudes&lt;/a&gt;, you will see that many of them assume that such protections against that kind of sharing are already in place.  Moreover, the Facebook users who have been using the site for years also have that expectation, because that was previously the expectation set by the company.&lt;br /&gt;&lt;br /&gt;The convenience of Facebook for reaching one's friends is hard to deny, although it does not seem to include those whom I would like to reach.  In fact, the true "utility" of Facebook, what I would dearly love to have, is the universal email-address finder.  The one which would allow me to find email addresses of long lost friends, and not just their home addresses and property value which I can find through &lt;span style="font-weight: bold;"&gt;scary&lt;/span&gt; services like Intelius.  The hope that Facebook holds out is the hope of reconnection and the hope of staying connected.&lt;br /&gt;&lt;br /&gt;Facebook is seeking to trade that for the price of our personal privacy.  A price it hopes that others value more than we do.  However, it has done that through what appears to many to be a bait-and-switch operation.  That is what has people upset.  It is not the bargain they signed up for.  
It is not what they were promised.&lt;br /&gt;&lt;br /&gt;And, it is that private information that distinguishes Facebook from Google or Twitter for most people.  Neither of those sites has ever asked to share information that I wouldn't naturally consider public.  However, if I had a protected account on Twitter, where my tweets were construed as private I would be just as upset about having them monetized and potentially exposed.  Similarly, the woman whose email name was shared to her abusive ex by Google when she joined Buzz had similar (and more dramatic) cause for upset.  To whom we connect and who we are is private information.&lt;br /&gt;&lt;br /&gt;Holding of private information is in some sense a sacred trust.  It is the real reason why these companies are likely to get regulated, not their ubiquity.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-3990016962184893246?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/3990016962184893246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/05/is-facebook-utuility.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3990016962184893246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3990016962184893246'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/05/is-facebook-utuility.html' title='Is FaceBook A Utility'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-3951465491797577994</id><published>2010-04-03T18:15:00.000-07:00</published><updated>2010-04-03T23:09:38.736-07:00</updated><title type='text'>Phishers are Here on Twitter</title><content type='html'>As always, I will start this note reminding you that while I work for Intel on security features on some future Intel chips, I don't speak for Intel on security matters and what I write about is purely my own opinions.&lt;br /&gt;&lt;br /&gt;Perhaps it is irony.  Maybe it is karma.  However, after retweeting that twitter links were safer than google, I got a tweet with a phishing link from a user called @FasterComputerZ.  &lt;br /&gt;&lt;br /&gt;It looked innocent enough.  It came as an @ message from someone who looked like one of the many security people who follow me and whom I follow.  Sure, it was a new follower, but I get new followers every week.  It also looked a little bit selling oriented, but that isn't completely suspicious by itself either.  This wouldn't be the first person that was trying to make money and hoped to connect with twitter to aid that.&lt;br /&gt;&lt;br /&gt;It did include a link to a web page.  Since my link expander didn't show any problems, I foolishly followed it.  When I got there I saw ads for anti-spyware programs I had never heard of before.  More importantly, some of them had subtle grammatical errors.  This increased my suspicions.&lt;br /&gt;&lt;br /&gt;Therefore, I asked my good friend &lt;a href="http://www.twitter.com/teksquisite"&gt;@teksquisite&lt;/a&gt; to look into the site.  Sadly, it turned out to be a phishing site.  Of course, I had already visited the site.  I've since run scans on my computer and they've found and fixed some problems.  
Now, they may have come from elsewhere, but given that the site contained phishing scams, it is suspect.  &lt;br /&gt;&lt;br /&gt;Could I have been more suspicious in the first place?  Yes.  However, not everyone has access to the security resources that I have.   So, unless you want to live like a hermit and never click another link, you need to realize that someday you will probably visit an infected site.&lt;br /&gt;&lt;br /&gt;Keeping your anti-virus and anti-spyware up-to-date should help protect you.  &lt;br /&gt;&lt;br /&gt;Being extra cautious when things seem suspect will also help.  In particular, your security programs probably have more extensive scans that you can run, like mine did.  If you think you may have visited an infected site, run those extra scans.&lt;br /&gt;&lt;br /&gt;Also, while you aren't sure things are ok, don't expose yourself (and others) to more risk.  Don't visit web sites from your suspect computer.  If you think you got the infection via twitter, facebook, myspace, or some other social media site, then, if you can, go to another computer and change the relevant password(s).  If you can't get to a computer that you know is uninfected, wait until you have disinfected your computer before changing the passwords.&lt;br /&gt;&lt;br /&gt;Finally, if you want to be particularly cautious, you might choose to segregate your life into different compartments.  Keep one computer for doing important and private things like banking.  Use a different computer for social media and web surfing.  That way, if your surfing computer gets infected, your banking and private information is not at risk.  I sleep better at night knowing that my banking information is not on this computer where I twitter.&lt;br /&gt;&lt;br /&gt;Another form of segregation you can do is to use different strong passwords (that aren't related) for the various things you access.  
That way, if somehow one of your passwords gets stolen, it doesn't make guessing your other passwords easier.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-3951465491797577994?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/3951465491797577994/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/04/phishers-are-here-on-twitter.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3951465491797577994'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3951465491797577994'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/04/phishers-are-here-on-twitter.html' title='Phishers are Here on Twitter'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-2387530467303808904</id><published>2010-01-28T16:29:00.000-08:00</published><updated>2010-02-09T13:40:55.136-08:00</updated><title type='text'>I've Been Hacked</title><content type='html'>There comes a time in every security worker's life when they get hacked. In fact, it usually happens more than once.&lt;br /&gt;&lt;br /&gt;Now, for the necessary disclaimer.  
I work on security for Intel, not securing Intel, but developing devices that may someday go into chips that Intel sells to make you more secure.  This blog, however, is only my own viewpoints and experiences, and is in no way an official Intel declaration, recommendation, or pronouncement.  It's just me getting up on my soapbox and talking about what interests me, and what I've learned about being secure in a very open world.&lt;br /&gt;&lt;br /&gt;Sometimes, like around April 1st, it happens because one of your co-workers decides that they want to amuse you.  I got some very clever &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;emacs&lt;/span&gt; macros one year, that changed the way the screen looked to put the status bar on the other side.  I actually decided I liked &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;emacs&lt;/span&gt; better that way and kept them there.&lt;br /&gt;&lt;br /&gt;Other times, one gets hacked because one hasn't tightened the security of something enough and someone actually does break in.  I used to have a very nice Unix system for the software company I own, but which I had to administrate for myself.  I left that system too open and I got root-kitted.  After that, I bought a nice firewall, and tightened up the permissions on the system's ports and was safe until I retired that machine.&lt;br /&gt;&lt;br /&gt;Well, given the rash of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;facebook&lt;/span&gt; and twitter attacks going on last fall, I figured I was about due for another learning experience.  It was never really clear what perpetrated the attacks, although the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;koobface&lt;/span&gt; virus and some suspicious IQ test links sent via &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;DM&lt;/span&gt; were the top suspects.  However, we were never certain that the problem was resolved and that the threat had dissipated.  
In fact, it is quite likely still a threat, just not an active one.&lt;br /&gt;&lt;br /&gt;So, when I turned on my &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;tweetdeck&lt;/span&gt; session and saw the note that I had tagged @&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;barackobama&lt;/span&gt; using this web based twitter service, I feared the worst.  Here is a wonderful twitter service, that I had been using and now my account there had been hacked.  Moreover, since the account is based upon my twitter credentials, those had probably been hacked too.&lt;br /&gt;&lt;br /&gt;Remembering the preceding viruses, I immediately tweeted out that my id had been hacked and not to follow any links I had sent.  I then went about turning things off.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;I closed all windows except those I needed to turn things off.&lt;/li&gt;&lt;li&gt;I revoked the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;service's&lt;/span&gt; access to my twitter account from a machine where I hadn't been running the service.&lt;/li&gt;&lt;li&gt;I changed my twitter password.&lt;/li&gt;&lt;li&gt;I closed my last twitter session and went to a machine where I hadn't been running it and logged in and then immediately changed the password again.&lt;/li&gt;&lt;li&gt;I then felt secure enough to turn twitter back on.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;By that time, the problem had been tracked down.  It wasn't a virus that had hacked me.  I was actually reporting a problem to the folks at the service and they had logged into my account there to check out the problem, but had forgotten to log out and the practical joke had been played there.&lt;br /&gt;&lt;br /&gt;And, there lies the real moral of this story.  In the end, most of our trust has to be in people.  It was a person who forgot to log out of my account.  It was a person who saw that as an opportunity to play a joke.  
All of the characters in this story were people.  That is true in most security incidents.  It usually isn't some very clever program that causes a security breach.  It is usually some person's action, logging into a web site that one shouldn't have.  Posting their vacation itinerary on their &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;facebook&lt;/span&gt; wall.  Choosing 123456 as their password.&lt;br /&gt;&lt;br /&gt;Fortunately, this incident was more illustrative than dangerous.  Plus, to live successfully, one must trust some people.  Therefore, in the end, I decided I still trust the folks at the service.  Although, I did ask them to read this entry, so that they can think about how to be more careful with other people's data. &lt;br /&gt;&lt;br /&gt;However, when one encounters what looks like a hack attempt, one cannot be too careful.  Taking immediate action to prevent the problem from getting worse was the prudent thing to do.  I'm happy that the incident appeared to be more in my head than reality, but I'm still glad I didn't let it get out-of-hand, and would have been more so had I really been hacked by someone malicious.&lt;br /&gt;&lt;br /&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;Epilog&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;After writing this description, I had some additional exchanges with the fine folks at the service who explained what actually happened as opposed to what I perceived.  I include some of that here:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Fair enough, but you have to know that I wasn't playing any kind of "joke" on you ... I was multi-tasking and trying very hard to help a valued user.  
And NOBODY else had access to your account --- the @&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;barakobama&lt;/span&gt; "tag" was just the next thing I did in our service and I failed to notice that I was spoofed in as you via our system.&lt;br /&gt;&lt;br /&gt;I readily admit the mistake and the tone of your post is very fair so I have no qualm.&lt;br /&gt;&lt;br /&gt;I have not, however, figured out the issue you're having ... and I have to "spoof" your account to do so.  Just as an FYI, I don't have ANY ACCESS to your Twitter account.  We use Twitter to authenticate you but the resulting cookies are written to your computer (same as Twitter) and NEVER save that information on our end.&lt;br /&gt;&lt;br /&gt;We know some applications do keep credentials and we see this as the type of grave threat you describe.  And I personally only allow two applications access to my Twitter account (Our service being one.)&lt;br /&gt;&lt;br /&gt;Anyway, when I diagnose your RT issue I will be more cautious, I promise.&lt;br /&gt;&lt;br /&gt;Thanks for sharing and for being as generous as possible with your written commentary.  
We hope to keep you as a regular user, and we hope you continue to find value in our service.&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-2387530467303808904?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/2387530467303808904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/01/ive-been-hacked.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/2387530467303808904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/2387530467303808904'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2010/01/ive-been-hacked.html' title='I&apos;ve Been Hacked'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-3078736936521560892</id><published>2009-11-11T20:29:00.001-08:00</published><updated>2009-11-11T23:27:33.344-08:00</updated><title type='text'>Is Twitter Still Safe?</title><content type='html'>That's a good question to ask.  Fortunately, with a little "common sense" the answer is still yes.  
But, as I've warned so many times, the world isn't as safe as it appears, so you have to be careful, maybe even a little paranoid.&lt;br /&gt;&lt;br /&gt;So, why do I warn so often that I'm beginning to feel like the boy who cried wolf?&lt;br /&gt;&lt;br /&gt;The answer is I work on making your computer more secure.  I do that for Intel.  They also gave me the right to twitter about things I work on--not to give away secrets, but to relay things that I have learned in my job.  That doesn't mean I speak for Intel.  These are my own insights and opinions.  So, while my job at Intel is not to give advice on internet safety, I don't feel I would be doing my job if I didn't pass on things I learned along the way that could help you stay safe.  Thus, I pass along these personal tips, one fellow human being to another.&lt;br /&gt;&lt;br /&gt;If you've read previous blog postings by me, you will see how I've talked about related topics before, email spam, general twitter safety, etc.&lt;br /&gt;&lt;br /&gt;This time, I'm going to address the current variation of that same problem: Direct Message (DM) attacks.&lt;br /&gt;&lt;br /&gt;Twitter has gotten popular and important enough to merit its own attacks.  It is not clear how serious these attacks are, but we know for certain that the attacks are acting like a worm or virus, spreading from one hacked account to others.  The way this attack appears to spread is through DMs sent from the hacked accounts.  The DM goes out to the followers and invites them to play a game (test your IQ) or visit a site where the follower's information is supposedly saved.  I've gotten both of those messages from tweeps who I was following and were hacked.&lt;br /&gt;&lt;br /&gt;Next, when you visit the site, the site needs your twitter information, either by you logging in, or by you telling twitter to allow the application access to your account.  Either way, the application then gets access to your account, and you've been "pwned".  
The application now can masquerade as you and use your follower list to spread farther.&lt;br /&gt;&lt;br /&gt;Now, if this is all the hack is, it is basically a proof-of-concept test.  Someone needed to prove that they could use twitter to spread a virus.  And, so far, that may be the case.  On the malware scale, this is quite benign.  It takes some work to clean up, but it hasn't done any real damage, except perhaps to the hacked people's reputation.&lt;br /&gt;&lt;br /&gt;However, experience has shown that these initial "prank" hacks get quickly replaced by more serious attacks that are out to steal something from you, something that likely has more tangible value--often to steal information that can be used for identity theft or other forms of fraud.&lt;br /&gt;&lt;br /&gt;Therefore, we need to take these pranks seriously and use them to alert us to the imminent danger that is coming when someone figures out how to use this method of spreading a virus to send a more dangerous cargo.&lt;br /&gt;&lt;br /&gt;So, what is a person to do?&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The first step is to stop following links in DMs.  If someone sends you a link in a DM, treat it like it was spam email.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Moreover, do your friends a favor and don't use DMs to send your friends links either.  If we make it a practice to never send a link as a DM, then any DM we get with a link is clearly a phish or a hack.  In fact, I like to think of a DM as the twitter equivalent of a whisper.  So, the only time I DM is when I want something to be private, something I would whisper.  However, sharing information is not something I do in private (unless it's private or secret info), so DM'ing a link is odd to me, since a big part of twitter is sharing with the world.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Change your password now, before you are hacked.  Make it something safe and make it something different from all your other passwords.  
Write it down if you have to.  Better yet, use a "password manager" to remember your passwords for you, so you can have lots of safe passwords, all different.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Go through the list of applications you have given access to your twitter info and revoke the permissions for any you don't use or that seem suspicious.  That list can be found in your twitter settings/connections.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;If you have been hacked, do steps 3 and 4 at least twice in a short period of time. This will, hopefully, keep the malware from noticing that you have changed the information and restealing it.  There is a small window of "vulnerability" if the software has both your password and is authorized to act on your behalf that the malware can fix up the one you change by using the other access right.  However, it is unlikely that this version of the virus is sophisticated enough to do that.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;In addition, if you suspect you may have been hacked, run your computer's virus/spyware scanner(s).  Right now, it doesn't look like this particular attack is loading other malware onto systems, but it is only a matter of time before someone modifies it to download other malware onto your computer at the same time it is spreading itself.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Be prepared for the attack to change.  Right now the attack is spreading via DMs. The attack could have just as easily spread via @ messages or RTs or even plain tweets.  That means we all have to be careful about which tweeple we follow links from.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Figure out who you trust and what you trust them on.  For example, if you are reading this, you probably trust me for security related tweets and maybe another topic or two, Intel, programming, science, MBTI, Enneagram, or twitter itself.  
However, if you were to get a tweet from me on a hot-stock pick, you should probably realize that I don't have that kind of information, and wouldn't share it in a tweet even if I did.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Next, if you are sharing links, check them before you send them.  Make certain the link you are sharing actually points to the item you want to share. And, if you are going to share links, make sure your virus software is running, so that you will know when you get hit by a drive-by infection from a bad link before you RT that link out to others.  And, if you are visiting a link from someone you aren't certain you trust (a new friend, you have just started following for instance), use one of the tools that help you expand short links before you follow them, so that you can check that it looks like a reasonable address before actually visiting the site.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Remember that these are only guidelines to stay a little safer. For now, they should suffice, but some of us still will get hacked.  Eventually, unless we find a way to convince all the criminals to stop spreading malware, we will probably have to be more careful, so watch for follow up advice.&lt;/li&gt;&lt;/ol&gt;I hope this advice helps you stay safe and unhacked.  If you think of something I didn't say, add a comment.  
If we work on educating each other, we can hopefully make common sense actually something we share in common.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-3078736936521560892?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/3078736936521560892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/11/is-twitter-still-safe.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3078736936521560892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3078736936521560892'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/11/is-twitter-still-safe.html' title='Is Twitter Still Safe?'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-8366539720593623684</id><published>2009-10-11T20:07:00.000-07:00</published><updated>2009-10-20T19:25:24.696-07:00</updated><title type='text'>Be Paranoid</title><content type='html'>I'm not naturally a paranoid person.  In fact, I'm very gullible.  Just ask those who've played practical jokes on me.  I like trusting people.  Generally, I find myself rewarded for doing so.&lt;br /&gt;&lt;br /&gt;However, when it comes to email, I'm not.  
Unfortunately, there is good reason for that.  Using email is about the least safe thing you can do.  And after reading the great blog post &lt;a href = "http://bit.ly/3V9PMy"&gt;Five messages to never trust in your e-mail box&lt;/a&gt;, I realized that one should be even more cautious than sjvn suggested.&lt;br /&gt;&lt;br /&gt;That doesn't mean you can't send emails to friends and colleagues or read those that they send you.  In most cases, those will be safe.  However, sometimes even reading those is risky, and I will expand on that in a bit.&lt;br /&gt;&lt;br /&gt;The problem is that email has no security.  You have no idea whether the person sending you an email is who they say they are or not. This includes email that looks like it is coming from your friends and co-workers. The problem is that there are people who take advantage of that and are getting quite sophisticated at abusing the system to steal things from you via email.&lt;br /&gt;&lt;br /&gt;Now, this stealing can be relatively benign, as in spam, where the sender is simply sending you an unwanted advertisement that you can ignore and the only thing stolen is the effort it takes to wade through the mounds of spam you receive every day.  Moreover, the email services do weed out some of the spam, so that you can one-click dispose of much of it.&lt;br /&gt;&lt;br /&gt;And perhaps, you actually like reading certain kinds of advertisements--I actually watch certain ads on TV from time to time because they are worth watching.  However, with email I advise you not to.  The reason again, is that the sender and/or message can be forged.  On TV, (or radio) someone has to pay good money to get the message on the air, so it isn't cost effective to attempt to do a forgery.&lt;br /&gt;&lt;br /&gt;However, email forgery is essentially zero-cost. A criminal can use computers infected with certain viruses (called bots) to send out as much email as desired with no cost, except for the small risk of getting caught. 
That means it is worthwhile to try and con people by impersonating someone they would normally read.  That means if you read an advertisement in email, even if it looks like someone you would normally deal with, it may be fake.&lt;br /&gt;&lt;br /&gt;Let's use an example to make it more clear.  Once I took an Alaskan cruise and allowed the cruise line to add me to their email mailing list.  Now, I regularly receive messages that purport to be about low cost cruises that they are offering.  I'm sure most of those offers are real.  However, if just one is a fake and includes a link to a site that seems to be the cruise line's site and I follow that link thinking I'm about to get a good deal, I could be clicking on a link that loads a virus onto my computer which then captures my credit card information, as it passes the information on to the real site and registers me for the real cruise deal.  Since I get to go on the cruise, I'm none the wiser that someone has stolen my credit card information, until sometime later when charges I've never authorized start appearing.  And, yes the criminals who are doing these misdeeds are getting that good.&lt;br /&gt;&lt;br /&gt;So, if the situation is that bad, what does one do?&lt;br /&gt;&lt;br /&gt;1)  Never click on any link (or call any "commercial" phone number) in any email message.  If for some reason, you want to respond to the email message, &lt;span style="font-weight: bold;"&gt;contact the relevant party by another means&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;For example, I once received what appeared to be a phishing message suggesting one of my accounts had been hacked.  I &lt;span style="font-weight: bold;"&gt;did not&lt;/span&gt; click on the web address in the message nor call the number listed.  Instead, I found the company phone number from a separate reliable source (e.g. by calling information at the telephone company) and got in touch with the company's fraud department that way.  
It turns out, the original link and phone numbers were both fraudulent and had I not been cautious, I would certainly have been scammed.&lt;br /&gt;&lt;br /&gt;I had a similar experience when I received a message that suggested an account I had had been granted a special offer, but it wasn't one I regularly dealt with.  Again, I got a separate number to the company and contacted them that way.  The company was able to identify the special promotion that was being offered and make it available to me.  The company was not able to identify the phone number that was in the offer though.  So, who knows who I would have reached if I had called it.&lt;br /&gt;&lt;br /&gt;2) Know that your bank or other company is &lt;span style="font-weight: bold;"&gt;never &lt;/span&gt;going to contact you about legal matters through email, unless you are already in an ongoing email dialog with them.&lt;br /&gt;&lt;br /&gt;The closest you will get to that is "privacy notices" stating general policies or alerts you have specifically requested.  However, if something happens to your account, email is unlikely to be the bank's first choice for contacting you.  It tends not to protect their legal rights, so it isn't in their best interest to do so.&lt;br /&gt;&lt;br /&gt;If you have alerts set up, say for a credit card balance, &lt;span style="font-weight: bold;"&gt;again remember to check the information using a separate method of contacting the company&lt;/span&gt;. Don't click on the link in the alert. With a credit card, you can login to the web site (the one that you know because you've used it before and written down the web address) or call the number on the back of your credit card to check your balance.&lt;br /&gt;&lt;br /&gt;3) Even if the message appears to be from a friend, don't click on the link unless this is someone who regularly sends you such links.&lt;br /&gt;&lt;br /&gt;Another way that is becoming increasingly popular is called spear phishing.  
In this case, the miscreant finds a way to get someone's email address book and forges emails from the person to the addresses in the book.  Those messages can look more legitimate than ones from a bank. Such messages could contain viruses (or links to viruses).  So, unless you and your friend regularly exchange information via links, assume that the link in the email is not actually from your friend but an imposter.  This is particularly true if the link appears to be to some "good deal" web site that you just must see to believe.&lt;br /&gt;&lt;br /&gt;4) Don't reply to emails or forward chain-mails.&lt;br /&gt;&lt;br /&gt;While some of them may be legitimate, that doesn't mean they can't be intercepted for misuse.  A chain-mail can have hundreds of real email addresses on it, email addresses of people who typically will forward chain mails.  Once one of those gets into the hands of a criminal, the criminal has a whole list of easy marks to target, marks who will further spread the message to other unsuspecting people.&lt;br /&gt;&lt;br /&gt;Unfortunately, this also includes many charity requests.  Sadly, you don't know if the person sending the request really does have a child with cancer or not.  Any money you send might actually be going to a criminal.  Even if the message appears to be from a friend, criminals still could be diverting the money into fraudulent accounts.&lt;br /&gt;&lt;br /&gt;Again, if you really want to do something, find a way to &lt;span style="font-weight: bold;"&gt;contact the person through another reliable channel&lt;/span&gt; and then mail the person the money.  If you really want to give to a charity, validate that your money is really going to the charity--all charities have real addresses where you can send them a check in a letter.  
Almost all of them have phone numbers listed with the phone company and will happily take money that way too.&lt;br /&gt;&lt;br /&gt;Finally, these hints apply to unsolicited phone calls, to people going door-to-door, to people communicating by twitter or facebook, to any place where you don't know the person.  You can still generally buy cookies and candy safely from the kids coming to your door, but beyond that everyone you don't know is suspect.  And therein lies the real lesson, the internet may have made the world a smaller place and made it easier for people with bad intent to try to scam us, but the basic techniques have been known by con-men for ages, and they will keep reworking them and making them more sophisticated to try and steal from us.&lt;br /&gt;&lt;br /&gt;However, a little paranoia can stop you from being an easy victim.  It has saved me and I would normally be an easy mark.   And if you aren't an easy victim, perhaps you won't be a victim at all.&lt;br /&gt;&lt;br /&gt;Disclaimer, I work as a security researcher at Intel, but my job has nothing to do with this advice.  I don't work in fraud prevention or in securing Intel's email or web sites.  
All information in this posting is based solely upon my experiences and opinions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-8366539720593623684?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/8366539720593623684/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/10/be-paranoid.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/8366539720593623684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/8366539720593623684'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/10/be-paranoid.html' title='Be Paranoid'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-1919014686667024228</id><published>2009-08-29T10:04:00.000-07:00</published><updated>2009-08-31T08:07:46.894-07:00</updated><title type='text'>The Weakest Link</title><content type='html'>The latest twitter security vulnerability emphasizes one of the hardest parts of making things safe: the weakest link.  It's more than just one of those many game show ideas.  
It is an important "common sense" concept, where we know as the old adage says that &lt;a href="http://bit.ly/bSgb"&gt;a chain is only as strong as its weakest link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;In our case, the software we use is now highly interconnected.  We don't build systems from the ground up.  We rely on software built by others to make it work.  There are operating systems, &lt;a href="http://bit.ly/16ZwSa"&gt;compilers&lt;/a&gt;, &lt;a href="http://bit.ly/15ALFO"&gt;databases&lt;/a&gt;, &lt;a href="http://bit.ly/3xWcSl"&gt;browsers&lt;/a&gt;, networking stacks, libraries, etc. and those are just the major categories.  More importantly, the lines between these categories have blurred.&lt;br /&gt;&lt;br /&gt;Twitter is a great example of this.  At some level twitter is an application hosted on some set of servers in the cloud.  This is why it was subject to the Denial of Service (DOS) attack that affected it recently.  Like many network applications, it can be (and often is) accessed via html using a browser.  Thus, twitter is subject to all the flaws present in your browser and any pages it serves up can trigger those flaws.  Like many html applications, the rich interactive interface cannot be served up by html alone, so browser extensions like Javascript are used to program features not present in raw html. That introduces a whole new layer of flaws that can be exploited.  Moreover, that rich content, often uses other extensions like Flash players that we have to download onto our computers, which is a very rich vein of flaws to exploit.&lt;br /&gt;&lt;br /&gt;The potential weaknesses don't stop there.  Because web pages get traversed by "spiders" like Google looking for content, they have to be sophisticated to help defeat those who "game" the system doing "Search engine optimization" (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;SEO&lt;/span&gt;)  and attempt to get all our searches directed to their pages.  
Those pages can be &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;legitimate&lt;/span&gt; or they can be &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;malware&lt;/span&gt; (i.e. that get us to download fake versions of a flash player, which is really a virus) or pornography or a scam.  Twitter turns out to be particularly sensitive to attacks by malicious web pages because it allows "applications" to enter web pages into the system, and it then runs those pages on your computer.&lt;br /&gt;&lt;br /&gt;That vulnerability turns out to be the new weakest link.  It means just by running twitter on the web you can be "sent" to a web page that you have never clicked on--a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;malware&lt;/span&gt; writer's dream.&lt;br /&gt;&lt;br /&gt;The bright spot in this particular cloud is that when reading your tweets with an application like &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;tweetdeck&lt;/span&gt;, you don't have quite as rich an experience and it doesn't send you to the web page.  Therein lies the protection.&lt;br /&gt;&lt;br /&gt;Eye candy such as animated web pages does make for a very compelling &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;internet&lt;/span&gt; experience and has let companies like Google offer web-based applications that are slowly breaking the control of the desktop away from Microsoft.  However, this rich experience has come with a very high price.  The bazaar we inhabit on the web has not only a wide variety of goods at very cheap prices but also pick-pockets, con-men, drug lords, and all the other undesirables.&lt;br /&gt;&lt;br /&gt;A less "rich" experience would make us safer.  
Certainly, I love playing Sudoku on my computer, but I fear getting addicted to a twitter version of some &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;immersive&lt;/span&gt; reality game, where behind my back many different hidden transactions are occurring and downloading and uploading all sorts of things I don't know about and can't control.&lt;br /&gt;&lt;br /&gt;For that reason, for a long time, I kept my email off of servers like &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;Hotmail&lt;/span&gt; and Google and read it through a text only service (on an unpopular architecture) where to read a mime message, I had to manually copy the file to a different location, and run a special program, which then put the text somewhere I could read it using a different program.  If that sounds inconvenient, it was, but in all that inconvenience was safety, because breaking any one of the links did not break the whole chain.  Unfortunately, like everyone else, I slowly &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_8"&gt;succumbed&lt;/span&gt; to the siren call of the rich and simple &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;internet&lt;/span&gt; experience.  My work email is in Microsoft Outlook and personal email is on Google.  Those services are more protected than they were, but I am still vulnerable like everyone else to any flaws in them.&lt;br /&gt;&lt;br /&gt;Therein lies the crux of the problem to me.  To fully participate in this world, especially to take advantage of what's new and exciting, one has to expose oneself to a whole variety of software built on long chains of links, each of which can be broken, and over which one has little or no control.  Even though most messages I send and receive are text, I can't go back to a simple text only world.  
The interconnections and dependencies have grown so strong that even to send plain text I need to participate in a much more complex ecosystem of interacting applications doing things for me &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;automagically&lt;/span&gt;, often without my knowledge or asking my consent.&lt;br /&gt;&lt;br /&gt;In that way, it is surprising that we don't suffer more infections and breakdowns.  However, I attribute that to the fact that most people are actually honest and honorable and as a result we can keep some reins on the attacks we are subjected to.  That inherent honesty is an aspect of human nature that helps blunt all the bad aspects and why in most cases we can depend on there to always be security researchers like David Naylor who find the flaws in our software and don't exploit them, but instead attempt to get them fixed by posting &lt;a bitly="BITLY_PROCESSED" href="http://www.davidnaylor.co.uk/twitter-exploit-still-works.html"&gt;blogs with advice&lt;/a&gt; 
before someone does exploit them and this is not just an icon.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://ec.mashable.com/wp-content/uploads/2009/06/dead-tweet.jpg" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-1919014686667024228?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/1919014686667024228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/weakest-link.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/1919014686667024228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/1919014686667024228'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/weakest-link.html' title='The Weakest Link'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-2650868133388030982</id><published>2009-08-28T16:02:00.000-07:00</published><updated>2009-08-28T17:36:47.670-07:00</updated><title type='text'>Latest Twitter Vulnerability</title><content type='html'>While Blogging about the twitter attacks another round has happened.  
This one is more serious for twitter users, because it makes you vulnerable if you simply use the twitter web interface and not some tool like tweetdeck.  You don't have to click anything, just view an infected message in your stream while viewing from the web.&lt;br /&gt;&lt;br /&gt;Once the infected message is sent to you and you see it from the twitter web interface, the attacker can exploit the flaw.  If your browser allows running Javascript, which you probably let it do, since so many web sites need such extensions to deliver the "rich" experience we have all come to expect, the browser can run a malicious Javascript program on your computer.  Anything that twitter can do, the attacker can do by exploiting this flaw.  In fact, you don't even necessarily have to allow your browser to run code to be at risk as any flaw exploitable via html links can cause the issue.&lt;br /&gt;&lt;br /&gt;Because the twitter flaw allows code to be run, the attacker can use it to create a worm, where the attacker puts up one infected message and gets one user to read it via the web, takes over that user to copy the infected message to that user's account where it spreads to other users.&lt;br /&gt;&lt;br /&gt;The malware criminal can also make the attack more subtle so that they steal information from your computer silently without you realizing you've been attacked.&lt;br /&gt;&lt;br /&gt;Fortunately, the original discoverer of the flaw, David Naylor, instead of doing something evil posted &lt;a href="http://www.davidnaylor.co.uk/twitter-exploit-still-works.html"&gt;this blog with advice&lt;/a&gt; and just used it to pop up this image to make the warning clear:&lt;br /&gt;&lt;br /&gt;&lt;img src="http://ec.mashable.com/wp-content/uploads/2009/06/dead-tweet.jpg" /&gt;&lt;br /&gt;&lt;br /&gt;The good news is that the folks at Twitter have been made aware of the issue and are presumably working on a fix (and not just the patch they originally tried to bandage over the problem) and 
that the folks at &lt;a href="http://bit.ly/1R60L"&gt; Mashable are also aware of the issue&lt;/a&gt; to keep the media spotlight focused on the problem until it is addressed.&lt;br /&gt;&lt;br /&gt;One can expect that it will take time before a complete fix is in place given how twitter first attempted to solve it, by simply disallowing spaces in the problem field.  This is the opposite of the draconian but trivial fix that more conservative companies might have tried, such as disabling the feature entirely or limiting the feature to a known white-list of values, both of which would have been significantly more secure, but would have essentially crippled that aspect of twitter.&lt;br /&gt;&lt;br /&gt;The approach that twitter has taken thus far suggests that they will attempt to do the minimum necessary to correct the problem.  That is a difficult line to draw.  However, each step they make in that direction will give us additional protection by making it harder to exploit.&lt;br /&gt;&lt;br /&gt;That is the nature of most security measures, they aren't absolute protection, they just make exploiting the weaknesses sufficiently difficult that it isn't worth doing.  When that point is reached, we are "safe enough".&lt;br /&gt;&lt;br /&gt;While we are waiting for it to become safe enough, we pedestrians have to be very careful.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Avoid using the twitter web interface until you know this issue is fixed. &lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;If you are more cautious, you may wish to unfollow people whose motives you doubt or whom you may fear are infected--although there are no known infections that exploit this flaw yet.&lt;/li&gt;&lt;/ul&gt;For now, this is just a vulnerability and not an actual attack.  
However, it is a simple enough vulnerability to exploit, that unless fixed quickly, it will become an attack.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-2650868133388030982?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/2650868133388030982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/latest-twitter-vulnerability-part-1.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/2650868133388030982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/2650868133388030982'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/latest-twitter-vulnerability-part-1.html' title='Latest Twitter Vulnerability'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-6594477517559567036</id><published>2009-08-18T20:27:00.000-07:00</published><updated>2009-08-18T21:43:59.265-07:00</updated><title type='text'>Twitter Comes of Age (Part 1)</title><content type='html'>&lt;dir&gt;&lt;p&gt;Upfront disclaimer: I am a security researcher for Intel and my work is likely to result in products that Intel will want to sell (not necessarily to you, but to solve your problems).  
However, this particular blog entry does not address the technical problems as much as it addresses the underlying social issues that drive the problems and contains only minimal concrete suggestions to solutions.  I will try to later supplement this with some concrete technological steps one can take, but first I had to address this overwhelming issue that isn’t something a new configuration file parameter could make disappear.  &lt;/p&gt;&lt;/dir&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Recently Twitter, Facebook, and several other social media sites came under a Denial of Service (DOS) attack.  Since that time, twitter has been the victim of a &lt;a href="http://bit.ly/122M1Y"&gt;koobface virus attack&lt;/a&gt; and implicated as part of the control structure for a &lt;a href="http://bit.ly/JnukC"&gt;bot net&lt;/a&gt;.  Prior to that there was a mild uproar on twitter about it removing many followers from people, having suspected those followers as "spam" sites.  Just prior to that there was a twittergate where many of twitter's internal confidential documents were leaked. &lt;br /&gt;&lt;a href="http://photobucket.com/images/dead%20twitter%20bird" target="_blank"&gt;&lt;img src="http://i97.photobucket.com/albums/l234/almisakti/twitter-bird-dead.jpg" border="0" alt="dead twitter bird Pictures, Images and Photos"/&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Is this the end of the world for twitter?  Not exactly.  These are facts of life in the always-on-world-wide-internet-connected-got-to-have-it-now age.  In fact, for twitter, they are probably a good sign, a coming of age, a sign that it is worthy of being noticed and has made it onto the malware writers’ radar.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;There are also other ways to look at what has happened.  We could look at what twitter tells other site managers about what attacks they might expect as they launch internet services and those services become popular.  
In the future, I hope to explore that topic.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;We can also look at what it means to us the general populace as users of twitter, facebook, friendfeed, and other social media sites.  That’s what I’ll explore in the next section of this blog article by giving it a historical perspective.  &lt;/p&gt;&lt;br /&gt;&lt;dir&gt;&lt;p&gt;Artwork: &lt;a href="http://photobucket.com/images/dead%20twitter%20bird" target="_blank"&gt;The picture of the dead twitter bird is by almisakti from the photobucket.com collection.&lt;/a&gt;&lt;/p&gt;&lt;/dir&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-6594477517559567036?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/6594477517559567036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/twitter-comes-of-age-part-1.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6594477517559567036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/6594477517559567036'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/twitter-comes-of-age-part-1.html' title='Twitter Comes of Age (Part 1)'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-3943140669851988009</id><published>2009-08-18T20:20:00.000-07:00</published><updated>2009-08-18T21:34:32.864-07:00</updated><title type='text'>The world is not as safe and friendly as it might seem. (Part 2)</title><content type='html'>&lt;p&gt;The internet and the social media sites have become a place where you should &lt;a href="http://bit.ly/BOyuC"&gt;never share photos of your kids, your travel plans, your address&lt;/a&gt;.  If you think about social media and what they are trying to do, connect us, those are very typical of the things one would want to share.  They are also the same things that sexual predators, identity thieves, and burglars want to know about us.  That contradiction is one of the roots of the problem.  As the police officer is quoted as saying, “What you say can and will be used against you.  ”&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The internet was once a very congenial place, one that seemed very safe, like the place immortalized in the Music Man, where the biggest danger was the chance that someone might introduce a pool hall.  As John Levine &lt;a href="http://bit.ly/U3Dqq"&gt;points out&lt;/a&gt;, the internet was born of such places: the Arpanet where everyone was a student or a researcher and the worst we did was play Adventure or talk to Eliza, the business LAN where we were mainly worried if we could get our TPS reports done, or the community bulletin board where we could share free software and our latest clever hacks to make something work.  All of those were small communities where any miscreants could easily be spotted and exiled.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;However, the internet grew because it was easy to leverage those small groups and join them together.  
As an entrepreneur I recall when joining Usenet required buying just a Telebit modem, or when AOL users became a mass influx onto the internet, or Starbucks first gave away wifi access with coffee.  Those events precipitated a tragedy of the commons--an analogy to how the Pilgrims overused their shared pastures (known as commons) and ruined them in the process.  We found ways to over utilize the shared internet resource until it has become almost useless for everyone, like the other day when someone was unsuccessfully attempting to use the wifi at the gym to broadcast his daughter’s ballet lesson over Skype and made it impossible for the rest of us to even get our email, because the bandwidth wasn’t there.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Still, the internet is a major part of enabling the global economy and making the world a smaller place.  It helped drive the cost of distributing software to zero, which drove the price of software itself to zero.  Not the cost of writing the software, that is still expensive, but the amount one could sell the resulting software for.  That is not something we could or would actually want to reverse, at least not as consumers.  It is really nice that I can get updates of my software from major vendors automatically and with no extra cost.  This globally connected, hard-to-charge-above-cost world is here to stay.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;There was an interesting side-effect of that revolution though.  Just as one could download a new version of flash to display ever more complicated animated web pages, one could also (accidentally) download malware such as viruses, Trojans, and phishing software.  Every silver lining came with a corresponding cloud.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The malware evolved with the network.  The first malware spread on floppy disks when that was how hobbyists shared software.  
As email and the web became dominant, we got email messages that tried to get us to sites that were fake copies of our favorite banks.  Now, we get tweets that suggest some sites where we need to download some new viewer software, which is actually a virus that install bots on our PC’s which then watch twitter pages to know what nefarious deeds their masters want them to commit.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;What does that mean to us end-users?  (That's in the next section.)&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2826065061111119882-3943140669851988009?l=chris-clark-on-security.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/3943140669851988009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/world-is-not-as-safe-and-friendly-as-it.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3943140669851988009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/3943140669851988009'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/world-is-not-as-safe-and-friendly-as-it.html' title='The world is not as safe and friendly as it might seem. 
(Part 2)'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-1329837491679625448</id><published>2009-08-18T19:58:00.000-07:00</published><updated>2009-08-18T22:17:59.855-07:00</updated><title type='text'>One must be ever vigilant and suspicious (part 3)</title><content type='html'>&lt;p&gt;I have two twitter accounts that I follow that recently gave me reason to be suspicious.  They may be hazardous and they may be benign.  Only by treating them carefully can I be safe.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The most recent instance was a one-time message from a user I know and trust, but which contained information about a virus.  At first, I wasn’t sure whether to pass on the link in the warning message or not.  What if the link was a pointer to the virus itself?  The person sending the warning was not a person I knew to be sophisticated about such things.  They could have made a mistake or the account could have been hijacked.  Eventually, I found a safe way to check the link out, and it was a message that showed how the virus was being spread and not the virus itself.  Thus, I was happy to send the link along.  However, the realization made it clear to me that caution needs to be on ones’ mind always.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The other one of them is a tweeter who sends me good security information which I’ve checked out and then retweeted.  Unfortunately with the good info I’ve also gotten a stream of tweets suggesting how I can get more followers and make easy money on the web—spam that I don’t want.  
My interpretation is that this is a real person, who just happens to be caught up in the make-money-easily trap, but who is worthwhile because they do send me good info in the process.  I remove all the unwanted tweets from this user’s stream before sending the information on.  In that way, I am performing a filtering service, my readers get the good content and only I have to wade through the muck to find it.  If the ratio of useful info to spam gets worse, I will probably have to unfollow that user or at least find a way to filter out the spam from his tweets.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;In the long run, this trend could be problematic.  If too many accounts get hijacked, or too many people get caught up in MLM (multi-level marketing aka Ponzi) schemes, the ability to use twitter to spread good word-of-mouth information will be compromised beyond usefulness—it too will suffer the tragedy of the commons.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Some of the hardest hit people will be the “motivational” tweeters and those who hope to make contacts to sell things.  I rarely read the tweets that such people post in any event, because they don’t generally provide much value to me—and I’m certain there are others who do likewise.  Still, I occasionally do.  Imagine how difficult it will be for them to get their message out, if everyone suspects that they can’t even read a tweet from an unknown person as it may infect them.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;In fact, the scariest aspect of twitter coming of age is that there are people developing software to try and mine the various tweets and links to come up with ways of combining the information into useful trends.  That may help Intel, Wal-Mart, Starbucks, Coca-Cola, et al. find ways of knowing what they should try to sell to you, but it will also eventually get used by the various criminal organizations to better target their marks too.  
Sadly, it will probably help the criminals find easy targets before it helps normal companies find ways to sell us things we will enjoy better.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;To me this is the ultimate tragedy of the commons, the fact that there will always be criminals and some of them will be one step ahead of us and in the process they will take all the nice things we invent to make our lives better and abuse them to make some of our lives worse.  I fervently hope these problems won’t affect you.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The good news is that for most of us, these threats will remain just possibilities or minor annoyances.  The adequate protections for most of us will not be severe and will become part of "common sense", just as they are in real life.  Most of us will never have our identities stolen.  Not even me, who’s lost his wallet on several occasions and always had it returned with the money untouched.  Similarly, even though I had one UNIX system I owned hacked, there was no harm that came from it other than having to rebuild the system from scratch and start running the appropriate protections.  The anti-virus software that the Intel IT folks keep installed on my laptop appears to be adequate for most surfing that I do, and although it occasionally detects a virus, it always manages to delete the containing file.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;You will still be more likely to be shot by your spouse (or yourself) if you keep a gun in the house than you will be the target of an internet attack that destroys your life.  Your biggest risks will still be the drive you take to commute to work or slipping in the shower.  Yes, if you use twitter to hook-up with someone interesting, word of that will probably get back to your spouse and their lawyer and used in your divorce, but that’s the risk of hooking up and not of the internet.  
The person who the twitter DOS attack was directed at was not an ordinary person, but an activist trying to bring about change where there are powerful forces already at work.  If you are the next Gandhi, that may be an issue for you.  If you are not, you will probably never be interesting enough to be singled out, sorry.  &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The risky things in life have not changed because of the internet.  The internet has just made the world a smaller and more open place.  It is much harder to hide your foibles.  Hopefully, it may also make it harder for criminals to hide their tracks too.  And, that may be the ultimate victory.  &lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/1329837491679625448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/one-must-be-ever-vigilant.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/1329837491679625448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/1329837491679625448'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/08/one-must-be-ever-vigilant.html' title='One must be ever vigilant and suspicious (part 3)'/><author><name>Christopher F Clark of Compiler Resources, Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2826065061111119882.post-1708392237174003637</id><published>2009-07-09T15:24:00.000-07:00</published><updated>2009-07-09T20:52:51.823-07:00</updated><title type='text'>A Virus Proof OS-- Possible?</title><content type='html'>First, disclosure, I work for Intel on computer security--as such I have biases.  Moreover, I haven't seen the specs of the system, and this is purely guess-work on my part. &lt;br /&gt;&lt;br /&gt;My apologies for the unclear writing of this post.  At first, I started by agreeing with Bruce Schneier, but as I thought through the argument, I realized that my position was reversed and Google's claim is not idiotic, but quite sensible from the right perspective.&lt;br /&gt;&lt;br /&gt;The only way to make a system totally immune to viruses is to make it non-extensible. &lt;br /&gt;&lt;br /&gt;As long as you can execute programs of your own, you can catch a virus, a program someone else has written masquerading as one you have written.  Protections at the low level are not sufficient to stop viruses.  In particular, many viruses are spread via social engineering, you ask the OS to load the virus onto your system (oh, you were expecting pictures of Anna Kournikova, maybe you got those too).  
Now, sandboxing and similar techniques can limit the effect of unintended downloads, but unless the system prevents you from saving the file, or prevents you from running programs you have saved, it will be possible to infect the system.&lt;br /&gt;&lt;br /&gt;However, if they make a totally closed system, where the only program which can list or change the files on your computer is an app that comes from Google (or perhaps they don't keep the files on your computer at all--that's very Google-like), then they can make a system which is virus-proof, at least under a fairly strict definition.  It's no longer extensible, but it is virus-proof. It doesn't get rid of all malware; social engineering will always work at some level (if you go to a site and type in your credit card information, you can still leak that information), but it gets rid of a lot of it.&lt;br /&gt;&lt;br /&gt;Still, if you think of the computer as a tool for communication like a phone, that's not necessarily a bad solution.  How many years did we have phones before we had viruses?  All of them ... up until we started making our phones extensible like computers.  Maybe going the other direction isn't so bad.  How many people really want to "program" their computers?&lt;br /&gt;&lt;br /&gt;Moreover, such a non-programmable appliance-like computer makes a lot of sense in the net-book market.  All the intelligence is out on the web anyway.  Your computer is really just a display device, especially if Google is hosting your files.  They want a better service, they upgrade their web-site.  Your computer [almost] never needs to be reprogrammed.&lt;br /&gt;&lt;br /&gt;The only thing you can't do with that model is fix the software if it's broken; you have to wait for Google to do that.  Of course, the last time I could fix the actual spreadsheet program (not the spreadsheet itself, but the program running it i.e. 
excel or 123 or visicalc) was never--maybe I could have if I used star-office or open office, but realistically never.&lt;br /&gt;&lt;br /&gt;But, technically a virus-proof (not malware proof, but virus-proof) OS is possible, it just isn't a programmable computer any more.  If you want to deny that's a real computer, fine.  Most consumers won't care as long as they can send messages and photos and videos and do their taxes etc., especially if it just works.&lt;br /&gt;&lt;br /&gt;Note, this doesn't require Google to invent any new mythical powers.  Ordinary programmers can do the job, they just can't let you program it.  The only hard thing Google has to do, is make certain that the software on their site doesn't let you introduce any new code into it.  As long as you can't add any programs to their inventory, you can't add any viruses.</content><link rel='replies' type='application/atom+xml' href='http://chris-clark-on-security.blogspot.com/feeds/1708392237174003637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/07/virus-proof-os-possible.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/1708392237174003637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2826065061111119882/posts/default/1708392237174003637'/><link rel='alternate' type='text/html' href='http://chris-clark-on-security.blogspot.com/2009/07/virus-proof-os-possible.html' title='A Virus Proof OS-- Possible?'/><author><name>Christopher F Clark of Compiler Resources, 
Inc.</name><uri>http://www.blogger.com/profile/02412082099249161664</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://3.bp.blogspot.com/_xtK3FBrKRBs/SkTuCaeHH2I/AAAAAAAAAAM/lM3OqjjtKLU/S220/chris-and-blaze.jpg'/></author><thr:total>0</thr:total></entry></feed>
