About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Wednesday, February 23, 2011

McAfee on security

This past week was the RSA conference, and I was able to attend the keynotes on Thursday. McAfee's CTO, George Kurtz, gave a keynote talk entitled "Driving Security Down the Stack" (preview here, full video of all keynotes here).

The "stack" that Mr. Kurtz's talk title refers to isn't one of the standard definitions of "stack" that I'm used to; his "stack" is this:
  • Applications
  • Operating system
  • Hypervisor
  • Silicon (hardware)

He was arguing that instead of running security applications on top of this stack, security should move downward. This push is in no small part due to the fact that last August Intel purchased McAfee to build security features deeper into computing systems. After all, hackers and malware authors are attempting to do the same thing: penetrate deeply into this computing stack to hide from security applications and to have more complete control over the system. For example, rootkits install at the OS or hypervisor level.
 
Despite having such an ambitious talk title, Mr. Kurtz spent most of his time arguing that we should drive security deeper into the stack and very little time explaining how to accomplish it. The closest he came to addressing it was something he called "roots of trust" that would establish "trusted columns" through the stack, creating areas of computing that could be malware-free. Since Mr. Kurtz said nothing about how this would work, the audience was left to imagine it.
 
Quite frankly, I can't figure this one out.
 
Modern computer software is highly complex, with many millions of lines of code and the bugs that go with them. Modern malware is already highly adept at leveraging these bugs to move horizontally (from application to application, or from one part of the OS to another) and vertically (from application to OS to hypervisor). Mr. Kurtz and I agree that the traditional antivirus blacklisting methods are ineffective, but without any kind of blacklist, how exactly does his "root of trust" determine that the parts of the operating system it relies on haven't been compromised? Or the application? Or the hypervisor? The only part of the stack that approaches a "known good" is the hardware, and I can't think of any way to insert security rules into the silicon that would be comprehensive enough to be effective yet flexible enough to handle the wide range of possible software over the life of the chip.
 
Modern chips already have some security features built in. Back in 2004 (six years ago already?) most hardware began shipping with the Trusted Computing Group's "Trusted Computing" technology, which uses hardware cryptography to allow the operating system to exert control over applications. This technology has been present in Windows since Vista, but in addition to raising extensive privacy and security concerns, Trusted Computing hasn't even appreciably slowed the spread of malware.
 
Don't get me wrong, I'm not saying that Intel/McAfee's "hardware security" efforts are doomed, but they won't be the panacea that Mr. Kurtz's talk claimed they would be. It's just another step in the computer security arms race.

Tuesday, February 15, 2011

Security B-sides

This week is RSA, when thousands of computer security folks converge on San Francisco to talk shop. RSA has changed a lot over its 20-year history, from a small gathering of cryptographers in a motel chatting about the latest crypto algorithms to this year's price of up to $2,195 to listen to high-level presenters talking about the issues of the day. For those of us who aren't managerial types, there are "expo passes" available so we can get in the building and talk to the assorted sales reps.

Things have changed a lot from those early days, and to try to recapture some of that "small group of people chatting about their experience" feeling, groups of volunteers have started smaller "anti-cons" called B-Sides. This year was my first year attending a Security B-Sides conference, and I highly recommend it. There were a variety of interesting and entertaining talks about everything from low-level techie stuff like reversing Android applications to building incident management policies and "Attacking Cyber Security Marketecture". Everything was based on real personal experience at a variety of detail levels, which in my opinion was perfect. Best of all, it was free, thanks to the generosity of the sponsors.

For more opinions on B-Sides, check out all the commentary on the internet and on Twitter. If you're in the area or have any excuse to be in the area, I highly recommend attending next year.

Monday, February 7, 2011

How hackers can use your computer to make money

When I'm talking to people outside of the computer security community, I usually find that they aren't aware of the reasons that modern hackers commit the crimes they do. Today, I found a great post on ThreatPost (a blog by the antivirus company Kaspersky) called "Inside the Business of Malware" that gives an infographic summarizing some of the ways that malware authors can abuse your computer for their profit (image created by graphic designer Jess Bachman).