Random Thoughts on Improving Internet Security

Disclaimer

IANACSE (I am not a computer security expert.) But…

When I was in my final year of high school, I had the opportunity to study with the Australian Mathematics Olympiad Squad. I didn’t make it into the team, but a friend of mine and I got close enough to be invited to the training, and be lectured to by Paul Erdos for a week. I’d love to say that this was an inspiring experience, but unfortunately the impenetrability of his accent was exceeded only by the material he was covering. It didn’t help that, alone among the participants, my friend and I hadn’t spent years in gifted programs and/or at universities getting exposed to graduate-level math.

For me, the highlight was a field trip to a presentation at a math conference about cryptography. I only understood the outlines of what the speaker was talking about at the time, but the subject matter was the theory underlying what is now known as public key cryptography. So, attending and not understanding that presentation, and a hazily recalled education in Pure Math, are my only special claims to domain knowledge.

The Problem(s)

The most commonly used internet protocols — http, ftp, and POP/IMAP/sendmail — are hopelessly insecure.

The standard solution for http is to switch to https.

With ftp at least there’s sftp. If your ISP doesn’t support sftp, use another ISP.

Email is pretty much a lost cause because even if your connection to your email provider is secure, the email transmission is not going to be, so anyone who cares about email is encrypting their email content using PGP or something similar.

I haven’t had an email exchange with anyone, ever, that required me to use PGP, so it’s obviously not very popular. By now, PGP should be built into every mail client and operate transparently (it would make spam harder and more expensive to send, too); instead, our best option is usually webmail via https, or a proprietary solution like Microsoft Exchange or Lotus Notes (which has, laudably, been secure from the beginning — it’s a shame it sucks dead dog’s balls in pretty much every other respect).

OK, let’s ignore everything except http

I’ve recently been looking at implementing some kind of security for logging in to websites over http. The usual, simple solution for this is to switch over to https, but the vast majority of the world’s web servers are serving http, and this includes all kinds of services with logins and passwords that people don’t really think too carefully about. How likely is it that some username/password combination a given person uses for an insecure website (e.g. a blog, forum, or whatever) is also used for a secure website somewhere else? Even if https is secure (which is open to doubt), it’s undermined by the insecurity of http.

Here’s the actual form code for Digg.com’s login form (modulo whitespace):

<form method="post" action="/login/prepare/digg">
<div class="form-row">
<label class="dialog-label" for="login-username">Digg Username</label>
<input class="login-digg-username text" name="username" value="" type="text">
</div>
<div class="form-row">
<label class="dialog-label" for="login-password">Digg Password</label>
<input name="password" class="login-digg-password text" type="password"> <a class="dialog-link forgot-link" href="/login">Lost username or password?</a>
</div>
<div>
<input name="persistent" checked="checked" type="checkbox"> <label class="inline"><strong>Keep me logged in on this computer</strong></label><br>
<input value="Login" type="submit">
</div>
</form>

I’m not trying to single out Digg — it’s just an example of a large scale, popular site that requires user logins and offers zero security. Facebook — a very high profile, popular site — is just as stupidly insecure (the relevant code is a bit harder to read). Why isn’t this a scandal?

It seems to me that it’s criminally negligent of the folks running these sites, and the people developing the most popular open source website software — phpbb, wordpress, drupal, etc. — not to have addressed this, when the solutions are so very straightforward and have been publicly and freely available for so long. Apple got into quite a bit of hot water — and rightly so — for (allegedly) not sufficiently securing MobileMe chatter between web apps and servers, but many of us spend a lot of time on all kinds of websites requiring passwords that make no real attempt at keeping our information safe.

  1. By default, during the setup of any of these programs, the admin should be forced to provide an encryption key, or — better — set parameters for automatically generating such a key for the website. Ideally the key would be refreshed periodically (or even created on-the-fly if the horsepower is available). Some security is better than no security at all, so even if the default key is “only” 64-bit this would be very helpful.
  2. The login page (and any other page where the user enters sensitive information) should simply incorporate JavaScript that takes the public key supplied by the server and uses it to encrypt that information before posting it back to the website. Encryption in JavaScript, even on fairly slow machines and browsers, is close to instantaneous, and could be done in the background. If JavaScript is disabled, the code can warn the user and fall back to the usual (insecure) method.
  3. The web server then decrypts your private information using its private key.
  4. All such programs should make it easy for users to have their password sent to them encrypted via a supplied public key. (I.e. tell the user where to go to get crypto software to make their own key, and then allow the user to provide a public key (perhaps even store it in their profile) and use it to encrypt password reminders, etc., when necessary.) The same techniques should be used to handle “secret question” transactions and the like (obviously).
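
Steps one to three, sketched with Node's built-in crypto module as an added example (not code from any of the packages named above). FieldKeyring, encryptField and the one-minute key lifetime are hypothetical, and RSA-OAEP is an assumed choice of cipher.

```javascript
// Added illustration; FieldKeyring and encryptField are hypothetical names.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Step 1: the site generates its own key pair and refreshes it periodically.
class FieldKeyring {
  constructor(maxAgeMs) {
    this.maxAgeMs = maxAgeMs;
    this.keys = new Map(); // keyId -> { privateKey, created }
  }
  // Returns what the login page would embed: a key id and the public key.
  rotate(now) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    const keyId = crypto.randomBytes(4).toString('hex');
    this.keys.set(keyId, { privateKey, created: now });
    return { keyId, pem: publicKey.export({ type: 'spki', format: 'pem' }) };
  }
  // Step 3: decrypt with the matching private key; refuse unknown or expired keys.
  decrypt(keyId, ciphertext, now) {
    const k = this.keys.get(keyId);
    if (!k || now - k.created > this.maxAgeMs) return null;
    try {
      return crypto.privateDecrypt({ key: k.privateKey, ...OAEP }, ciphertext)
        .toString('utf8');
    } catch (e) {
      return null; // corrupted or tampered ciphertext
    }
  }
}

// Step 2: what the page's script does with a sensitive field before posting.
function encryptField(pub, value) {
  const ciphertext = crypto.publicEncrypt({ key: pub.pem, ...OAEP },
    Buffer.from(value, 'utf8'));
  return { keyId: pub.keyId, ciphertext };
}

function demo() {
  const ring = new FieldKeyring(60000);           // keys live one minute
  const pub = ring.rotate(0);
  const post = encryptField(pub, 'hunter2');      // constructed password
  const bad = Buffer.from(post.ciphertext); bad[0] ^= 1;
  return {
    fresh: ring.decrypt(post.keyId, post.ciphertext, 1000),
    expired: ring.decrypt(post.keyId, post.ciphertext, 61000),
    tampered: ring.decrypt(post.keyId, bad, 1000),
  };
}
```

Because the public key and the script reach the browser over the same http connection, this protects the field from passive eavesdropping only.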

Correction: as Andrew, my loyal reader, points out — servers shouldn’t store passwords at all. The server should store the hash, and for login attempts the server should ideally provide “salt” which should be added to the hashed password and encrypted before sending. Then, a hacker probably can’t “replay” the encrypted/hashed username/password combination to break in (since they won’t usually be able to enter the session which had that particular salt). Even if the server is totally compromised, no cleartext passwords are stored in the system. It follows that users can never have their old passwords sent to them, they can only be given an opportunity to reset their passwords. If a web service offers to send your password to you, avoid it if you can and treat it as utterly insecure otherwise.
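
The corrected login exchange, as an added example (not code from this post or from any site it mentions): the server keeps only a salted hash and issues a fresh single-use value per login attempt. LoginServer and clientResponse are hypothetical names, and an HMAC over the server's value stands in for "add the salt and encrypt".

```javascript
// Added illustration; LoginServer and clientResponse are hypothetical names.
const crypto = require('crypto');

// What the server stores per user: a random salt and a slow hash, never the password.
function enroll(password) {
  const userSalt = crypto.randomBytes(16);
  return { userSalt, verifier: crypto.scryptSync(password, userSalt, 32) };
}

class LoginServer {
  constructor() { this.users = new Map(); this.pending = new Map(); }
  register(name, password) { this.users.set(name, enroll(password)); }

  // Step 1: issue a fresh, single-use nonce (the post's per-login "salt").
  challenge(name) {
    const user = this.users.get(name);
    if (!user) return null; // a real site would answer with a decoy instead
    const nonce = crypto.randomBytes(16);
    const sessionId = crypto.randomBytes(8).toString('hex');
    this.pending.set(sessionId, { name, nonce });
    return { sessionId, nonce, userSalt: user.userSalt };
  }

  // Step 3: recompute the expected response; each nonce is consumed on first use.
  verify(sessionId, response) {
    const p = this.pending.get(sessionId);
    if (!p) return false;
    this.pending.delete(sessionId);
    const expected = crypto.createHmac('sha256', this.users.get(p.name).verifier)
      .update(p.nonce).digest();
    return response.length === expected.length &&
      crypto.timingSafeEqual(response, expected);
  }
}

// Step 2 (browser side): derive the same hash from the typed password, bind it to the nonce.
function clientResponse(password, ch) {
  const key = crypto.scryptSync(password, ch.userSalt, 32);
  return crypto.createHmac('sha256', key).update(ch.nonce).digest();
}

// Constructed demo: a captured response is useless in any later session.
function demo() {
  const server = new LoginServer();
  server.register('alice', 'correct horse');       // constructed credentials
  const c1 = server.challenge('alice');
  const r1 = clientResponse('correct horse', c1);
  const first = server.verify(c1.sessionId, r1);   // genuine login
  const reuse = server.verify(c1.sessionId, r1);   // same nonce again
  const c2 = server.challenge('alice');
  const replay = server.verify(c2.sessionId, r1);  // old response, new nonce
  return { first, reuse, replay };
}
```

In this design the stored hash is itself enough to compute a valid response, so it addresses replay on the wire rather than theft of the server's database.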

The problem is that, in the end, the password restoration process is only as secure as email, so while the server shouldn’t store passwords and should allow resets instead of sending old passwords, ultimately you’ll need some mechanism to restore access, and if it goes over email we’re back to hopeless insecurity.

Steps one to three, of course, are essentially what https does (but only applied to sensitive data, rather than the whole web page), but this approach has a number of added benefits. It allows reasonable levels of security on commodity http servers. And it will make https even more secure, since https is currently a single point of failure. Here are random hackers discussing methods for cracking or spoofing https. (Do you think your local Savings and Loan or Credit Union paid to have any additional security beyond https for its online banking software?) And it will give criminals headaches in trying to deal with a bizarre cornucopia of — possibly layered — security protocols. (It’s better to have ten different and not entirely reliable layers of security than one that you’re convinced is incredibly good — even if it is incredibly good.)

If nothing else, it’s a competitive advantage. After all, no security is impregnable — the trick is to be secure enough that would-be hackers pick an easier target.

Apple’s Security Issues

Rixstep is one of the most intelligently critical Mac-centric (well, originally NeXT-centric) websites around. Here’s their latest commentary on Apple’s security issues — an issue they’ve been railing about for years.

Now, I’m not about to switch to Windows for the superior security of Vista (which, if anything, is more vulnerable to social engineering attacks, which are by far the biggest threat*), but it would be nice if Apple closed some of the glaring holes before there actually are some real world exploits.

Note: * all the remote attacks to which Mac OS X is vulnerable are in essence going to require a social engineering approach to work in the first place. Whether it’s getting a user to visit a web page with a specially crafted QuickTime movie, or getting a user to download a trojan, the point is getting the user to do something. Vista screws up its warnings by crying wolf so often that the chance of a user inadvertently clicking “yes” at a critical juncture is much higher, and this is something CanWest et al don’t measure.

OS X Patches, Secunia Stats

Yesterday, Apple patched the DNS bug everyone was so worried about a few days ago (because some security researcher got ticked off that his name hadn’t been mentioned in dispatches). Time to revisit the whole “Mac OS X is less secure than we think” meme.

Remember, this is all versions of OS X since January 2003 vs. Windows Vista. (If I wanted to be nasty, I’d show the graphs for Windows XP Professional, various versions of Office, etc.) (At least Secunia has stopped treating each Microsoft SKU as a different platform.)

According to Secunia*, the most severe flaw in OS X in the last couple of years is this. If you’d like to skip reading it, the basic idea is this — there was a bug in Apple’s zip utility that would execute a specially tailored payload in a zip archive. So if you were using Safari with default preference settings and you clicked a link, the zip archive would download to your hard disk, get decompressed, and — potentially — arbitrary code could execute. Note that this is not a “Trojan Horse” in the sense that you don’t need to type in a password or deliberately do anything except click a link in a web page, so this is pretty severe.

This is rated by Secunia as extremely critical — do you ever get the feeling that security researchers should be given a free thesaurus? — (“5” on their 5 point scale), even though (1) it requires some user action (it’s not like port vulnerabilities in Windows which allowed worms like BLASTER to simply take over a PC as soon as it was hooked up to the internet) and (2) there are no known instances in the wild.

Windows XP and Vista have a bunch of vulnerabilities rated highly critical (4/5) which are equally nasty. E.g. buffer overflows in the way Windows handled images in web pages that could cause arbitrary code execution. Casual user activity (browsing pages) could, theoretically, result in arbitrary code execution in user space. Apparently, for a problem of this severity to be rated extremely critical for Windows there need to be known examples in the wild.

Presumably, a vulnerability on the Mac requiring zero user action which obtained root access and had instances in the wild would rate mindbogglingly critical (8/5) on Secunia’s scale for consistency. I guess when there’s finally a worm out there that can compromise Macs, heads will explode.

* Why do I keep using Secunia? Because as security research firms go, they’re not quite as grotesquely anti-Mac as typical, and they offer links to embed live versions of their graphs.

Post Script

Apple’s patch doesn’t fix the DNS bug properly. It’s worth noting that this is only going to hurt servers (since most people don’t use OS X desktops as DNS servers, and indeed it’s not switched on by default) so technically this is a server bug. Still, it needs fixing and it’s another misstep by Apple (along with the whole MobileMe fiasco) in a short period.

Post Post Script

Also note that Apple’s initial patch did fix the vulnerability in OS X server (and, apparently, in server-like devices such as Airport Extreme), so basically all the whining was about nothing. It’s one thing to conflate OS X (desktop) with OS X (server) in counting bugs, and another to complain about OS X having an unpatched defect in a service that’s turned off by default and very few people would have switched on.

Windows vs. Mac Security. One of these operating systems has a destructive virus built in

Oh the irony. So here I am watching the last Steve Jobs keynote (the aluminum iMac introduction) on my Dell Windows Vista laptop (the one I use for testing the software I write, and incidentally use to surf the web when in bed) and Windows logs out on me without warning.

Why? Well to update Windows of course.

It’s funny how Windows thinks that it’s OK to shut down my computer without so much as a by your leave in order to patch itself, since — presumably — the reason you patch your computer is to fix security problems and bugs, each of which could potentially cause your system to crash without warning or corrupt your data.

In contrast to this, when my Mac patches itself, its updater patiently waits for me to restart.

I’ll take the OS without malware built in by design, thanks.

Windows Vista: the most secure Operating System

Disclaimer: I use Vista for testing and casual web browsing and Mac OS X for web and software development. I use both nearly every day. I’ve had no security issues with either. That said, Vista’s “allow or deny” behavior is probably about as annoying as spam or popups.

Various sites (e.g. ZD-net and Engadget) are essentially regurgitating some Microsoft press release (complete with graphs, it appears) on a Microsoft-funded “research” project which shows Vista to be the most secure OS ever released (with XP coming in second — which kind of screams credibility right there).

Secunia is my favorite (well, least loathed) security site for two reasons. First, even though like most security companies it has a vested interest in promoting Microsoft (since almost every Microsoft user pays for some form of virus protection and almost no-one else does) it seems to be relatively impartial. Scandinavian sensibilities, perhaps. Second, it gives you pretty nice graphs.

Apparently, according to Secunia, Mac OS X (versions 10.0 Public Beta thru 10.4, client and server) is one product while, say, Windows Vista is one product (and, more interestingly, Windows XP Professional is one product). This means that when you look for security problem statistics, Windows Vista is in its own separate category, while Tiger is lumped in with the 10 or so other versions of OS X. Secunia also tends to downplay the severity of Windows issues and overstate the severity of Mac OS X issues (yes, if you download a malicious script file, run it, and type in your admin password when asked, it can take over your system) — but we’ll let all that slide (especially since I’ve ranted about it in the past).

Here’s the story in pictures:

The gory details are here.

And here is all of Mac OS X since 2003 or so for comparison:

The gory details are here.

And finally, to give you a good laugh, here’s what this “research” claimed was the second most secure OS:

The gory details are here.

This data is live — so it may change after I finish this post. But right now as I look at it, Mac OS X has a better record historically, and fewer issues since Vista’s release than Vista. And XP — which according to this same “research” comes in second to Vista and ahead of OS X — has a track record based on these statistics (and much personal experience) which is simply embarrassing.