PWN 2 OWN Apple thoughts

Posted by: Joshbw in Uncategorized

Sorry for the hiatus.  I have some posts culminating, but I figured I would fire this one off while it still seemed relevant.  There is a lot of coverage about the current CanSecWest contest and the MacBook Air being compromised in two minutes, which has led me down many different trains of thought.

First, I think the coverage of "Macbook Air Hacked in two minutes" illustrates very little research on the part of the authors, or an intentional aim at a misleading headline for sensationalist purposes.  My reasoning, however, has nothing to do with the fact that a full day went by before a successful attack (those arguments are really grasping at straws).  The details of the contest rules are posted here.  It should be evident from the rules that the contest was broken up into three days, where each day represents a chance to attack a certain target on the computer.  Day one was essentially an attack against the OS and default services/daemons over a network, day two was an attack against default installed applications (web browsers, media players, etc.), and day three was against popular non-default third party applications (Acrobat, Flash, etc.), with each day representing a perceived easier target and thus less prize money.  If you read the rules there is one other thing that should stand out: they were posted a couple of weeks ago.  The hack took two minutes from execution to success, which isn't surprising, but it took a great deal of time prior to the event for the researchers to find the vulnerability, which they could do because they were given a heads up.  The researchers didn't find a vulnerability, write an exploit, and launch an attack in two minutes.  The point really was to see what zero-days would be found in a couple of weeks of competitive research.

This is by no means a scientific way to evaluate security.  If you want to know the relative chance of your platform being vulnerable you have to look at trend data over a period of time and extrapolate the likelihood of a zero-day being known at a given moment, plus vendor patch rates, patch success rates (any recalls, history of not patching the root cause), and a billion other factors.  It is complicated enough that the industry has not come up with any common metric of how "secure" an application/platform is.  A contest is not the common metric everyone has been looking for.

That said, this is a black eye for Apple, though one I think most researchers were expecting.  Apple has strong rhetoric (by that I mean FUD) regarding their security relative to their competitors, but the fact of the matter is that when many very bright minds set their will to compromising the three platforms, Apple fell with perceived ease while neither of the competitors did.  This is going to hurt them, though as I said, I don't think most security folks were surprised.  Apple has been very vocal about being more secure, but their entire rationale seems to be that there is little malware available for their platform (which can properly be attributed to many non-security reasons, economics and propagation potential mostly, which is a post that I really need to finish), rather than the effectiveness of their secure development policy (a subject they have said precisely nothing about, which raises the question of exactly what policy they do have) or the skill of their security experts (individuals who seem to have no public reputation, as opposed to the many vocal Microsoft security experts, beginning with Michael Howard and working down the list).  An argument like that isn't exactly convincing, especially when vulnerability data contradicts it.

That Apple got a black eye amuses me, since I'm not a fan of false smugness, but I don't even find that noteworthy.  What I do find noteworthy is the amount of misunderstanding on the various technical blogs/news sites in which this story ran.  Reading the likes of ArsTechnica, Slashdot, or to a lesser extent Engadget and Gizmodo, disturbingly few of the commenters have even a basic clue about security (but boy is it easy to spot the Microsoft employees; just look for the comments that have a clue and mention the SDL).  Misunderstandings or flat out false ideas are rampant among what is essentially the upper crust of the general consumer technology world.  If the more technical of the end users are this far off base it paints a very grim landscape for end user security.  Security starts with education, education of both the developers and the end users.  If the end users don't understand even the basics of what threats they are exposed to they are not going to understand what they need to do to secure themselves.  If someone doesn't understand that anyone can walk into their house if they don't secure the front door they aren't going to know they need a lock.  Worse, if they think a lawn gnome is better security than a lock they are in trouble (unless it is the lawn gnomes from Invader Zim).

From the Mac user populace, at least in general, I don't find this surprising.  They have been actively encouraged by their OS vendor to believe that security is not their concern and to ignore it, which I think is a horribly bad idea.  However, I would have thought that the more advanced Windows users would be more knowledgeable just based off of the hostility their OS faces regularly, and that Linux users would know more just based off of what they need to know to use the OS.  Sadly this doesn't seem to be the case.  The top three misconceptions (and my rebuttals) among the threads on the subject seem to be as follows:

  1. I don't run as root - I have user/OS role separation: Essentially the belief that if you need to sudo, go through UAC, etc., then malware is castrated.  This seems incredibly prevalent among Mac users and surprisingly among Linux users as well, and is a profound misunderstanding.  It first assumes that there is no means to escalate privileges through a flaw in the OS or in a common application running with increased privileges, which history has shown is not the case.  Worse, it assumes malware would need to.  They don't seem to understand that malware can do anything that the current user can do.  If the current user has read/write/execute permissions to a resource (choose a combination) then so does the malware.  I don't know of many users even in Linux that insist on running an account where they need to sudo for everything, because that would be tedious as hell.  Malware running as a general user can read from any document that user has normal read access to (say, browser cookies, contact lists, personal documents) and, even if there are pretty strict outbound firewall rules, can probably use an existing application that already has outbound access to send data.  Firefox is quite extensible after all, and the IWebBrowser2 COM object has the same rules as IE (because it is IE).  Don't get me wrong, I think account separation is a great thing, but it isn't horribly limiting to malware, especially when it doesn't need to hide from virus scanners (it is also probably pretty easy to socially engineer a user on either Mac or Windows into allowing your malware further access by naming its process iTunes anyway).
  2. This wasn't a big deal as it was an application flaw, they couldn't compromise the OS: It seems many people think that since no one managed to hit the core OS and services on the first day of the competition, this somehow makes the attack against the browser less important.  I would argue that against the end consumer, even if the OS were open to remote code execution, malware authors would find it easier to target web facing applications like the browser, plugins (Flash, QuickTime, Acrobat), email clients, etc.  OS exploits are dangerous when targeting a specific system, or when many systems are in proximity to each other to facilitate their spread.  That is great for intranet attacks, but not so great for Internet attacks, in terms of what can actually be exploited.  I would posit that OS based attacks are primarily a bane of corporations rather than consumers.  Even in the heyday of the worm, when Windows OS security sucked, the worms most successful at propagation went through email, and relied on email client flaws (well, ignoring worms that had multiple attack vectors like Nimda; obviously multiple means of propagation is beneficial, all other things being equal).
  3. Who cares, this was a browser exploit, just don't go to sketchy websites: There seems to be a huge perception among people that Internet/browser based attacks only come from questionable websites.  Even if this were true I think it ignores the surfing behavior of most users.  If they see a link in a forum or off of digg, or in a blog comment thread that seems interesting, they click on it without thinking.  There are very few people who really are paranoid about everywhere they go on the Internet.  Further, it seems most users are utterly unaware that websites they trust can be compromised, either through some application level injection attack (with estimates of 80% of websites having XSS vulnerabilities of some form, I think it is safe to say they will eventually view a compromised website) or through a host/network misconfiguration.  Study after study shows that a large percentage of malware is hosted on compromised servers.  Social engineering really isn't necessary to hit someone with a browser exploit; all that is necessary is to compromise a popular site.

I think the lessons to take away from this contest have little to do with the contest itself, but rather with the general public's response to it.  Awareness is the most potent tool security professionals can leverage, but it seems clear to me that even among the reasonably knowledgeable geeks we have precious little awareness.  These three seemed the most common and egregious misconceptions, but it is hardly an exhaustive list.  I think it is simply a good demonstration of the incredibly minimal amount of progress made in public education and awareness about security.

~Joshbw

This entry was posted on Friday, March 28th, 2008 at 6:51 pm and is filed under Uncategorized.
