RE: EBAY and AMAZON

[Snip good collection of security setting suggestions. Does anybody have
others or a URL?]

I could never quite understand how anyone could get "phished" by e-mail
since I have never ever seen a "phishing" or other malicious message that
was not obviously so, even when I don't have me spectacles on!

Your imagination needs serious recalibration.

  You are a geek, not a naive, dumb, or unfortunately, typical user.

  Windows security sucks.

  Most users will pick convenience over security. What fraction of users
(customers) would be happy with your suggested settings?

  Phishers are smart. They are willing to work for high value targets.

Google for >spear phishing<. After you have read a few of those, google for >
spear phishing RSA<.

From the comments section of an Arstechnica article on the RSA event:

So why do any workplace computers in sensitive environments
have Flash in the first place?

Because the training materials are no doubt flash based.

:)

If you are interested in security, the whole comments section may be worth
scanning.

My probably naive view is that this type of problem could easily be solved by
having the serious work done on a special class of well locked down machines
and making a pool of more open systems available for checking mail or
facebook or whatever.

I've heard stories of people filling USB slots with epoxy so idiots can't
insert thumb drives found in the parking lot or brought from home. I forget
the context.

Windows security sucks.

The real problem with Windows is that there exist folks who believe that it is, or can be, secured. They believe the six-colour glossy, the Gartner Reports, and other (manufacturers') propaganda. As a consequence they do not act in a fashion which will keep them safe.

Most users will pick convenience over security. What fraction of users
(customers) would be happy with your suggested settings?

More than you might think -- still a minority however. There's not 2.437 pounds yet.

My probably naive view is that this type of problem could easily be solved by
having the serious work done on a special class of well locked down machines
and making a pool of more open systems available for checking mail or
facebook or whatever.

You would be surprised at the number of Fortune 500 companies that lock-down their policies into deliberately insecure settings, and refuse to permit more secure settings. I can't quite figure this out, except to observe that there is a very severe shortage of security clue in the world and an appalling over-abundance of ignorance and stupidity.

I've heard stories of people filling USB slots with epoxy so idiots can't
insert thumb drives found in the parking lot or brought from home. I forget
the context.

This is, unfortunately, a typical reaction which arises from a failure to carry out proper root-cause analysis. The root cause of the issue is not "thumb drives", "baby fingernail drives", or whatever removable media type. The root cause is the propensity of Windows to engage in "magical" behaviour -- to put executable "data" everywhere and then to execute that "data", magically. And a failure to provide a "Magic Off" setting that actually works. Actually, there is -- it is called the power switch. Seriously though most of the magic can be turned off or bypassed, if you want to.

Companies that engage in such behaviour are signing their own "all our base are belong to you" death warrants. Rather than voting with their wallets and insisting on correction of the root-cause of the problem, they instead continue to pour money down the crapper investing in never-ending supplies of draino and roto-rooters while at the same time continuing to financially reward the paper-towel flushers so they can buy and flush yet more clogging crap which requires yet more draino and roto-rooters. Shampoo, Lather, Rinse, Repeat. (Looking up the effects of adding those instructions to shampoo by Procter & Gamble on their sales and profits is left as an exercise for the reader).

Security does not require buying more draino and roto-rooters. It just requires that you not do stupid things inimical to security. Stop flushing paper towels down the toilet and you don't need draino and roto-rooters, nor will you need hazmat gear to clean the oozing excrement off the floor. Of course, it might be wise to keep a bottle of draino, a roto-rooter, and some hazmat gear on hand just in case -- but to concentrate on the symptoms rather than the underlying cause is just plain stupidity. Deliberately encouraging and financing those working to ensure the toilet is always plugged up and the crap is always running in the halls is sheer lunacy. Unfortunately, the lunatics are in charge of the asylum, and they have chosen the outcome they shall suffer.

Now, back to our regularly scheduled programming, already in progress ...

Apologies for lack of attribution beyond the first level, but the previous poster removed that.

From: Keith Medcalf [mailto:kmedcalf@dessus.com]

> Windows security sucks.

> The real problem with Windows is that there exist folks who believe
> that it is, or can be, secured. They believe the six-colour glossy,
> the Gartner Reports, and other (manufacturers') propaganda. As a
> consequence they do not act in a fashion which will keep them safe.

While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better. Those OS's are no more secure than a Windows box once you plug a few hundred million people into their consoles.

Jamie

Windows security sucks.

The real problem with Windows is that there exist folks who believe that it
is, or can be, secured. They believe the six-colour glossy, the Gartner

[snip]

Well, they are right. Windows can be secured.
The problem is it won't be secured in practice. Because that's too hard,
and truly securing Windows will be rejected by the user, because many
applications used in practice are not implemented securely on the platform.

Users of Windows endpoints require functions such as Web Browsers, Flash,
their favorite Office applications, PDF Viewers, and remote share access.

You would be surprised at the number of Fortune 500 companies that lock-down their policies into deliberately insecure settings, and refuse to permit more secure settings.
...

This is because, while you would expect IT to understand the
importance of security, "Lock Down" has a perception of security
attached to it.

In practice, "Lock-Down Policies" and standardization have nothing
positive to do with security, but IT convenience, and reducing
support costs, by attempting to enforce a standardized endpoint
experience.

They can lead to less security if done without extra security review.
Hopefully they also include a backup/imaging system to recover
when the lock-down policy makes it break, however.

This is, unfortunately, a typical reaction which arises from a failure to
carry out proper root-cause analysis. The root cause of the issue is not
"thumb drives", "baby fingernail drives", or whatever removable media type.

The windows shell is to blame, but you can provide an alternate shell
that doesn't do that "magical executable code insertion" stuff
and disable Explorer.

There is an inherent advantage for anything based upon *BSD. It
was developed in an environment where in order to continue to operate
it was required to defend itself against many users who wished to
exploit the O/S. Windows, being designed for a single-user environment,
made a number of design decisions which directly conflict with
security.

Having spoken to MS security about this, there is no interest on
their part in disturbing the "user experience" in exchange for
drastic security improvements. Rather, they continue to gradually
evolve their existing model to increase security which, in fact,
has been improved, however slowly.

It is important to understand that there is nothing inherent in the
Windows experience which prohibits security. Rather, it is a
deliberate design choice on the part of MS.

From: Michael R. Wayne [mailto:wayne@staff.msen.com]

> While MS may be a favorite whipping boy, let's not pretend that if
> the dominant OS were Apple or some flavor of *nix, things would be any
> better.

> There is an inherent advantage for anything based upon *BSD. It
> was developed in an environment where in order to continue to operate
> it was required to defend itself against many users who wished to
> exploit the O/S. Windows, being designed for a single-user environment,
> made a number of design decisions which directly conflict with
> security.

I've been running FBSD since 1994, so I'm well aware of the development model, thanks. The *BSDs and Linux have all had their share of holes in them and more still continue to be found. The only thing saving them is lack of market share. Apple's increasing market share is a nice demonstration of this at work.

As far as securing Windows, it can be done, and done well, but it requires policy enforcement at the hardware and personnel level, and that doesn't change no matter what OS you're running. I have hardened Windows systems, and they are no more of a pain in the ass to use than the hardened *nix systems. When DSS is done with them, all OS's suck to use.

Jamie

...

It is important to understand that there is nothing inherent in the
Windows experience which prohibits security. Rather, it is a
deliberate design choice on the part of MS.

Windows. A strange game. The only winning move is not to play.
How about a nice game of FreeBSD?

I've heard this argument many times, and I reject it this time as I
have before.

If popularity were the measure of relative OS security, then we would
expect to see infection rates proportional to deployment rates: thus if
operating systems A, B and C respectively accounted for 85%, 10%, and 5%
of deployments, we should see those numbers reflected in infection rates.

But we don't. For example, passive OS fingerprinting of about a decade's
worth of spam-spewing botnets indicates that they are running Windows to
at least six 9's, quite possibly more -- which is a markedly higher
fraction than we would expect if this hypothesis were true.

Windows is not attacked because it's the most popular. Windows is
attacked because it's the weakest. (And yes, if it instantly disappeared --
oh happy day! -- the next-most-weakest would take its place, but at least
we would have incrementally improved the state of security.)

---rsk

I don't buy that premise, or at least not without reservation. The OS
market happens to be a superstar economy. On desktops and laptops,
which still happen to be the majority of devices, the overwhelming
winner is Windows. Therefore, if you are going to invest in any
product for which you want ubiquitous deployment, Windows is the first
platform you aim for. You only aim for the others if you're chasing a
niche.

There is no reason whatever to chase a niche market if your goal is
spewing spam, collecting credit cards, or whatever.

Perhaps fortunately, we're about to have an empirical trial of these
different possibilities. If the above analysis is correct, then we
should expect malware targeting iOS and Android in about equal
proportions as those sorts of devices displace laptops and desktops as
the majority (though there will be some bias and therefore lag in
favour of Windows just because of the fact that people already have
tools and techniques built around Windows). If you're right that the
primary issue is the fundamental security of the target, then perhaps
we will not see that pattern emerge.

Best,

A

I note also that many so-called operating system vulnerabilities are
actually flaws in third-party subsystems like Flash or Java.

Unix has traditionally had a better isolation model than Windows and so
exploits via these attack vectors would be able to infiltrate the Windows
core operating system whereas on Linux or OS-X platforms, the attacks might
technically be more limited in their impact - not that this would be much
consolation to the end user.

Aled

Mostly right, except that it is really a weighted average of factors
including installed base (read, popularity), likely success of the
infection, likelihood of the infection being successfully detected by
the user, likelihood of the infection being removable, overall utility
of the system to the spammer once it is infected ... I'm probably
forgetting a few things.

But your basic point, it's not just about the popularity, is sound. The
cautionary tale is that merely improving one of those factors isn't
going to get the job done.

Doug

If that were true, the webserver attacks would be aimed at windows
while the vast majority of them are aimed at IIS.

Attackers aim for the softest targets with sufficient numbers to get what
they want. When it comes to target hardness, Micr0$0ft builds porridge
in a world of thick sludgy oatmeal.

Owen

That assumes the security architectures of all these OS's are similar
which is simply not true.

There have been security flaws in Microsoft OS's which led to the
spread of malware which would have been almost impossible on any
unix-like operating system.

One of the biggest problems was creating the first and often only user
on MS systems with administrator privileges allowing any piece of
software they ran to do anything on the system.

Even Microsoft recognized this to be a huge flaw beginning with Vista,
no need to be more catholic than the pope.

The problem at this point is that even with improvements in newer
Windows systems there are probably on the order of a billion systems
out there, attached to the net, and still running these deeply flawed
OS's which can be taken over by just clicking on the wrong mail
message.

> > While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.

That assumes the security architectures of all these OS's are similar
which is simply not true.

You're right. Windows has an architecture that's easier to secure,
with auditing, ACLs, and capabilities ("privileges") part of every
NT-derived release. This means everything interesting doesn't have to
be "root", for which there is no equivalent in Windows -- no magic
user which bypasses access checks.

There have been security flaws in Microsoft OS's which led to the
spread of malware which would have been almost impossible on any
unix-like operating system.

One of the biggest problems was creating the first and often only user
on MS systems with administrator privileges allowing any piece of
software they ran to do anything on the system.

Is it not common to install unix-like operating systems similarly,
with setup completed after a root password is chosen but before any
human-named accounts are created?

I'm not impartial, I once worked for the architect of NT's security.
Discount my opinion appropriately. My opinion is 20 years of
hardening have likely made Windows a tougher nut to crack than other
mass-market OSes. It could hardly be otherwise -- there have been
large piles of money fueling a free market in 0-day Windows exploits
for many years now. Windows has grown over that time, of course, and
more code means more holes, but other OSes have been growing as well.
Meanwhile, the most security-sensitive parts of Windows have been slower
to change and grow.

Yes, Windows evolved from an essentially security-ignorant single-user
environment. Unix evolved from an essentially security-ignorant
multiuser environment. The baseline of unix security with magic root,
setuid apps, and primitive access permissions is nonetheless inferior
to the baseline of NT-derived Windows. There are varying degrees of
ACL support in some unix-like systems, and wide support for
capabilities that allow services to start as a non-root user, or "drop
root" after starting as such. There is not, across the POSIX world, a
strong security infrastructure that can be relied on to be universal.
On the other hand, with the death in the wild of the Windows 9x/ME
house of cards, today Windows does provide that universal security
infrastructure.

Unix systems can be secured. So can Windows systems. No OS can
simultaneously provide lazy users with power tools and completely
protect those users from self-injury. Security costs overhead for
too-often no perceived benefit until someone gets hurt. When you are
forced to deal with it, it's nice to have the best in class
infrastructure under your feet.

Cheers,
Dave Hart

> > > While MS may be a favorite whipping boy, let's not pretend that if the dominant OS were Apple or some flavor of *nix, things would be any better.

> >
> > That assumes the security architectures of all these OS's are similar
> > which is simply not true.
>
> You're right. Windows has an architecture that's easier to secure,

It didn't occur to me that the original comment was referring to
professionally secured sites only.

I think one of the huge complaints about Windows systems is their
appearance by the tens of millions in botnets which tend to be a
problem with non-professionally run systems.

> with auditing, ACLs, and capabilities ("privileges") part of every
> NT-derived release. This means everything interesting doesn't have to
> be "root", for which there is no equivalent in Windows -- no magic
> user which bypasses access checks.
>
> > There have been security flaws in Microsoft OS's which led to the
> > spread of malware which would have been almost impossible on any
> > unix-like operating system.
> >
> > One of the biggest problems was creating the first and often only user
> > on MS systems with administrator privileges allowing any piece of
> > software they ran to do anything on the system.
>
> Is it not common to install unix-like operating systems similarly,
> with setup completed after a root password is chosen but before any
> human-named accounts are created?

Apparently not, given the relative absence of un*x (which includes for
example MacOS and Linux) systems in being pwned by clicking "open this
attachment" in an email message.

But the worst from Windows was the decades when they allowed any app
to inject code into the kernel typically for graphics speed-up. Which
of course could be any code, and that any code could own the system
instantly.

The rest is talking around the actual, measurable problem of botnets etc.

Where do you think all that spam which pounds your mailbox
relentlessly comes from? Botted Windows systems.

I don't think saying that a professionally secured Windows 8 release
candidate is much better than past systems when we're suffering under
excuses or even mitigates the situation.

The worst is that many of those features which made Windows so
insecure were not removed because they provided marketing advantage
(e.g., making any user admin, injecting graphics code for app
speed-up.)

So MS agonized for years about how to deal with this and not cut into
their or their favored vendors' profit model while the rest of the net
suffered gabillions of dollars in damage.

MS, in effect, made many tens of billions on the flaws in their OS's,
at the expense of everyone else.

(I'm done but I'll leave the rest of the msg...)

The problem at this point is that even with improvements in newer
Windows systems there are probably on the order of a billion systems
out there, attached to the net, and still running these deeply flawed
OS's which can be taken over by just clicking on the wrong mail
message.

There have been no improvements in Windows security.

The Microsoft "execute payload with NT AUTHORITY\SYSTEM" ip option was sheer brilliance, and that *only* appeared in their new-and-improved Operating Systems. Don't believe the propaganda.