Security Threat Analysis: Interview With Dino A. Dai Zovi
Minimizing Risk
Alan: Reading between the lines, do you know of a startup that’s working on such a solution? The Mac would actually be a great platform as the proof-of-concept--there’s a predictable set of hardware that would have to be supported.
Dino: There are a number of products that provide behavior-based anti-malware for Windows, but I also would love it if there would be a solution for Macs as well.
Alan: When we talk about general, rather than signature-based solutions, and think about Gray Hat strategies, we have to talk about things like Deep Packet Inspection technology. The “Golden Shield” project (a.k.a. the Great Firewall of China) was developed by the Chinese government to censor the information their citizens have access to. The NSA used Deep Packet Inspection to identify Voice-Over-IP packets to allow wire-tapping of VoIP conversations in the same way they could do so with the regular plain old telephone system.
With that said, what do you think is the role for desktop deep packet inspection? If I had a box between my computer and the Internet, it could make sure that random data wasn’t going out.
Dino: I don’t think deep packet inspection has a role on the desktop. That is a like watching your living room TV from your backyard. You already have the data and processes running on your machine, your security systems should examine them in that state where they have more information on the behavior.
Alan: But as a separate box, it may be possible to minimize the risk of a sophisticated exploit that disables the security systems that are running on the same machine. The box would have its own OS, would not be exposed to breach via Web browsers or plugins that run on the same device? Or do you think that today's security tools are "good enough" where that extra level of paranoia is overkill?
Dino: A secure hypervisor or even a kernel driver would be secure enough for most home users if they didn't run as an administrator when they were surfing the Web. It is way easier for malware to evade packet inspection than it is for it to exploit a kernel vulnerability. There is absolutely no reason why Web malware couldn't be delivered over SSL, except that it hasn't been necessary up to this point.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Alan: Many of the exploits demonstrated at Pwn2Own have come through non-core operating system elements such as QuickTime (your exploit in '07), Adobe Flash, or Web browsers (IE8, Firefox, and Safari).
In hindsight, was there anything that could have been done on the user end? That is, if you had outgoing firewalls, anti-spyware/anti-malware software, weren't logged in as a root user, would that have done anything to limit the extent of these exploits? Or are we at the mercy of the software developers to protect us?
Dino: No matter what, users are at the mercy of application and operating system software developers. The user can only take secure configuration and third-party security add-ons so far. Outgoing firewalls still have to allow the Web browser to connect to Web-based TCP ports, so an attacker can simply program their exploit payload to do the same. Anti-spyware and anti-malware systems catch high-level actions that malware takes, such as installing back doors, so they may not notice the simpler remote shell payloads used in Pwn2Own exploits. Even if users log in as less-privileged accounts, an attacker may still gain access to their data. A less-privileged account makes it more difficult for spyware to maintain persistent access to the system, but does not prevent gaining initial access.
Disabling unneeded plugins reduces the risk of attack, but there are not enough options in current Web browsers to disable little-used functionality or restrict them to trusted Web sites. Internet Explorer has the most flexible security policy settings, but even it does not let you grant Flash or Java access to selected sites. Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve.
Current page: Minimizing Risk
Prev Page Hypervisors And The Cloud Next Page Picking The Most Secure Platform-
mrubermonkey If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystic of his image.Reply -
AlanDang Not really -- the black hats make money off the Internet -- it doesn't help them. By definition though, the risk is always about "taking down" a few IXP's or the +1 nodes.Reply -
"Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve".Reply
They may not be core functions but everyone I know who is concerned with security on the Internet uses Firefow with the add-ins Noscript & Flashblock. -
vaskodogama mrubermonkeyIf it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystic of his image.I am from Iran, All the Iranian Goverment can do, is blocking porn and politics web sites! :DReply
-
pcworm I'm also from Iran , come one, we still connect using bloody dial up, you guys cant be serious! although due to the "no copyright" law we can buy Windows, Mathlab, VS 2008 team System,office 2007 and a lot more for less than a dollar each...:-) you dont need broadband here cause piracy is officialReply -
Gutbop Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.Reply
Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that? -
Gutbop Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.Reply
Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that? -
Gutbop Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.Reply
Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that? -
I am a Mac user as well. I also use many versions of Windows and Linux in VM. I am not a security expert or anything but why is everyone hung up on someone taking down the internet. Hackers use the net to make money or prove a point. I don't think they are going to shut the net down and hold it hostage, who would be forking over the money anyway. And if they did it to prove a point how would they ever get recognition for the task when all communication stops.Reply