Friday, April 25, 2008

Should Microsoft encrypt/obfuscate patches?

Securityfocus has this story about a group of researchers that have found a way to semi-automate the creation of exploits.
... Microsoft has not taken adequate steps to make such attempts more difficult, Brumley said. The researchers suggested possible avenues that Microsoft could pursue to increase the likelihood that customers received patches before attackers could reverse engineer them, including obfuscating the code, encrypting the patches and waiting to distribute the key simultaneously, and using peer-to-peer distribution to push out patches faster.

The researchers recommend the above for Microsoft. However, each method may create more problems than it solves. Let us consider them, one by one:
1)Obfuscate the code - Obfuscating the patching code doesn't help at all. One could simply snapshot the system before and after applying a patch and get the diffs. Obfuscating the application code (the application that is being patched) if done manually will make it prone to more bugs and hence more exploits. Automated obfuscation will not introduce any extra bug/exploits but it could make the application run slower.

2)Encrypt the patches and withhold the key - Well, the key will have to be distributed eventually. The window of opportunity for automated exploit generators will be smaller assuming the key can be distributed faster than the patch. However, the window of opportunity for zero-day exploits will be bigger. Also, the exploit generation can be done by using as input IDS/IPS signature updates instead of the patch. So should you encrypt those as well and withhold the key?

3)Using peer to peer distribution of patches - This could work...but why is it better than using other content delivery methods?

Friday, February 15, 2008

Can I protect private data from the threat of coerced password disclosure?

Bruce Schiener mentioned the threat of government authorities asking you to divulge the password to your encrypted file or disk:

The latter threat is becoming more real. I have long been worried that someday, at a border crossing, a customs official will open my laptop and ask me to type in my password. Of course I could refuse, but the consequences might be severe -- and permanent. And some countries -- the United Kingdom, Singapore, Malaysia -- have passed laws giving police the authority to demand that you divulge your passwords and encryption keys.

This is indeed a pain. The same could be done by an adversary by holding you at gun-point etc. Truecrypt, a free disk encryption software that I use, has a partial solution. It allows you to create a hidden volume within an encrypted volume. So to protect yourself from the above threat you can enter the password for the outer volume and deny the existence of any inner volume. I don't know how Truecrypt implements this but I think it works somewhat like this:

The descriptor of the inner volume(and not just the user data) is stored at a fixed location and encrypted with the inner volume's password. Until that password is typed there is no way to know whether there is a valid descriptor(and hence a hidden volume) or not.

This is nice since one can pretend that the inner volume does not exist and the adversary has no way to prove otherwise(all unused space is initialized with random bytes). However, a clever adversary may threaten to overwrite the fixed location where the hidden volume's descriptor resides. At that point you can choose between disclosing the data to the adversary or losing it forever. And in many cases it is good to have that choice.

Tuesday, January 15, 2008

To WPA or not to WPA?

Renowned security expert Bruce Schneier wrote a controvertial essay arguing about the benefits of keeping his home wireless network unsecured. He talks a lot about less important things like the possibility of someone using your network for doing bad stuff and getting you involved in legal proceedings. He is not concerned about it and neither am I.

However, as this article points out Bruce mentions the most important point only in passing: he has secured his computers in a way that the wireless link being unsecure does not matter to him(perhaps disk encryption and VPN). This is probably because he travels a lot and uses unsecured wireless access often. Many people don't. I don't use any public wireless network. I don't have a reason to use PGP or any other disk encryption techology on my laptop. I do however have a desktop at home which is accessible only from behind my internet firewall and since it is connected only via a wired link I do not have to lock it down (use long and difficult passwords, change passwords often, use disk encryption etc). If I make my wireless network open, drive-by hackers can easily hack into my desktop and laptop. Passive eavesdroppers can read my mail, instant messages etc. easily when I am using my laptop to access them. Choosing between taking that risk and enabling WPA is a no-brainer for me.

Regarding WPA Bruce says:
"This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are."
The question is not whether WPA has any flaws or not, it is whether any have been found and are easily exploitable by drive-by hackers. In his own words "security is a tradeoff". As a I mentioned above this tradeoff is a no-brainer to me.

The bulk of Bruce's argument centers on social politeness. He has an open network to provide people "stranded without internet access" the courtesy of using his network. If this can be done without jeopardizing my own security I won't mind. However, I am not going to encrypt my disks, use strict password policies etc in order to do that. Bruce already did that for other reasons and "sharing" is easy for him. Good for his neighbors!

However, the social politeness argument involves another party: the ISP. This article does a good job of explaining that factor. Under most ISP's terms of service, sharing your internet connection is analogous to sharing your cable TV: it is illegal. There may be other terms of service where you buy internet access "by the byte or by the hour" and in those cases it is perfectly OK to let others use your connection. However, how many people will continue to extend this courtesy if it cost them by the byte? It is easy to share something that doesn't cost you anything extra. Bruce uses economic reasoning particularly the concept of externality often to explain security issues. That concept applies here: the action of a subscriber to extend his internet access to neighbors and others has a consequence for the ISP. Charging by the byte or by the hour makes this externality "internal".

In conclusion, regarding the question of whether to use WPA on your home wireless or not, I find that it really depends on your situation. If your computers are secured and your ISP does not mind, you may decide to extend "internet access courtesy" to those in your wireless range. Otherwise, it is better to secure your wireless connection.