Archive for the ‘compliance, investigations, regulations, and legal’ Category
Wednesday, March 10th, 2010
I’ve been reading up on new Windows 7 security features (more on them perhaps later), but one caught my eye – SmartScreen. It’s a web filter (like the one Firefox has) that checks the websites you visit against a list of known bad websites. If a site is on the list, you get a nasty red warning screen telling you not to visit. What I was thinking about though was the privacy aspect – whenever you visit a new website your browser automatically sends the URL to Microsoft. Not just the domain, but the entire URL. They do of course have a privacy policy, but nowhere in that policy do they actually say how they will or won’t use the data collected (we can, of course, always assume the worst). They also do other data collection:
From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website.
I don’t know about this one – sounds more like a marketing tool masquerading as a security tool.
Tags: privacy, smartscreen, windows, windows 7. Posted in compliance, investigations, regulations, and legal.
Tuesday, December 15th, 2009
I was thinking some more about the RAM scrapers mentioned in the last post. I wasn’t really paying attention the first time I read the report, but I later noticed that Verizon mentions that the RAM scraper was found on a P.O.S. (point of sale – the system a cashier will use to check out a customer in a store) system. A P.O.S. system would seem to be a system which could be very well defined in terms of what should be running on it, and would seem to be an ideal candidate for whitelisting software. Getting rid of the AV on P.O.S. systems and replacing it with whitelisting software which only allows specific applications to run would seem to be an ideal way to greatly increase the security of these systems, and make them future-proof against whatever the next generation of malware is.
Tags: av, malware, ram scraper, whitelisting. Posted in compliance, investigations, regulations, and legal.
Thursday, December 10th, 2009
In Verizon Business’ most recent data breach investigation report they mentioned a new class of malware which I’d never heard of before but found interesting – RAM scrapers. The basic idea is that they grab data straight from RAM. Verizon goes on to conclude that, with the recent increase in the use of encryption and the limits on what data can be permanently stored (mostly thanks to PCI), scammers have had to start looking to other areas to gain access to unencrypted data. I guess this shouldn’t really surprise anyone too much – we already know that for every measure there is another countermeasure. This is also another good example of Shamir’s third law of cryptography – “Cryptography is typically bypassed, not penetrated”.
Tags: malware, pci, ram scraper, Verizon data breach report. Posted in compliance, investigations, regulations, and legal.
Thursday, November 19th, 2009
According to Symantec, cybercrime is now the number 1 crime in terms of profit, having recently passed illegal drug trafficking.
Tags: crime, cybercrime, drugs. Posted in compliance, investigations, regulations, and legal.
Thursday, August 28th, 2008
A few weeks ago Bruce Schneier wrote an article entitled “Memo to the Next President”. In it he has several pieces of advice, including asking the president to use the government’s immense buying power to increase the security of products. The government’s buying power has been used before to influence products, whether deliberately or accidentally, and Schneier wants to see the government wield this power for the greater good. This is logical – after all, the government exists to provide for the greater good where no other actor is able to do it.
On the same theme, OMB recently announced that it was requiring all government agencies to start deploying DNSSEC, and gave them a deadline of January 2009. (See the Wikipedia page on DNSSEC if you don’t know what it is.) While it will almost assuredly be completed behind schedule (it is government, after all), it is great news. Simply put, DNS is inherently flawed. As was pointed out by commenters in a previous post, assuming that the first response is the correct one is just a bad idea. DNSSEC fixes all of that by enforcing digital signatures on responses. Most commercial enterprises right now are simply applying the newest patch and leaving it at that. As everyone knows though, continuing to try to patch over breaches in the dike will only work so long – eventually you have to build a whole new dike (in this case, DNS). Hopefully with such a large entity getting behind DNSSEC, we’ll see a large movement to it, and we can avoid the next DNS cache poisoning attack before it ever comes, because we all know it will.
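The difference the paragraph describes, first response wins versus signed responses, as an added example that is not part of the original post. It models two resolvers in Go, with an Ed25519 key standing in for the zone's DNSSEC key; the names, addresses and the arrival order are constructed, and the real RRSIG/DNSKEY chain is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Reply is a stripped-down DNS answer: the name asked about, the address asserted for it and, when the zone is signed, a signature over both.
type Reply struct {
	Name, Addr string
	Sig        []byte
}

// signedData is the byte string the zone signer commits to for one answer.
func signedData(name, addr string) []byte { return []byte(name + "\x00" + addr) }

// ResolveFirst models plain DNS: the first reply for the right name wins.
func ResolveFirst(name string, replies []Reply) string {
	for _, r := range replies {
		if r.Name == name {
			return r.Addr
		}
	}
	return ""
}

// ResolveSigned models a validating resolver: a reply counts only if its signature verifies under the zone key the resolver already trusts.
func ResolveSigned(name string, replies []Reply, zoneKey ed25519.PublicKey) string {
	for _, r := range replies {
		if r.Name == name && ed25519.Verify(zoneKey, signedData(r.Name, r.Addr), r.Sig) {
			return r.Addr
		}
	}
	return ""
}

// Scenario is a constructed race: an unsigned forged reply arrives before the
// genuine signed one. Returns the naive answer and the validating answer.
func Scenario() (naive, validated string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the zone's DNSKEY
	legit := Reply{Name: "example.test.", Addr: "192.0.2.10"}
	legit.Sig = ed25519.Sign(priv, signedData(legit.Name, legit.Addr))
	forged := Reply{Name: "example.test.", Addr: "203.0.113.66"} // no valid signature
	replies := []Reply{forged, legit}                            // forged one is first on the wire
	return ResolveFirst("example.test.", replies), ResolveSigned("example.test.", replies, pub)
}

func main() { n, v := Scenario(); fmt.Println("first-reply:", n, "validating:", v) }
```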
Tags: DNS, government. Posted in compliance, investigations, regulations, and legal.
Tuesday, July 8th, 2008
The DoJ wants private corporations to more openly disclose cybercrime when it occurs. This is one of the major differences between the way government works and the way private industry works. (I’ve worked in information security in both, and it’s something I noticed a long time ago.) In government, there is a strict procedure and a chain of reporting for everything, and one of the main focuses is openness. Individuals in government are rarely held accountable as long as they follow the correct procedures. (In other words, the “I was just following orders” argument has worked countless times inside the beltway.) In the private sector, the main focus is profit, and people are held accountable for what occurs, even if they feel they did nothing wrong. Reputation loss is a serious concern, and corporations are loath to report information breaches. This is one of the reasons data breach laws have been necessary – without them private entities would rarely disclose when something bad happened. Now the DoJ and FBI want corporations to disclose even more so that they can allocate their crime-fighting abilities correctly. While this is clearly a laudable goal (and crime fighting is one of the major responsibilities of a modern government), private entities will not comply unless they are either required to by law (like the breach notification laws), or have a compelling financial interest (as in the case where they believe the authorities can help recover lost assets).
Tags: crime, government, public v private, reporting. Posted in compliance, investigations, regulations, and legal.
Saturday, May 3rd, 2008
Several news outlets are reporting that TippingPoint researchers have cracked the “Kraken” botnet and have actually been able to commandeer at least a part of it. The researchers are now faced with an ethical dilemma – whether or not to use their control to automatically fix the infected computers. This is by no means the first time someone has had to make this decision, and it’s not the first time that they’ve reluctantly found themselves faced with almost this exact argument against doing so:
The most interesting of points that Dave brought up is the corner case of what happens if we accidentally crash the target system? What if that target system is responsible for someone’s life support? Yes the system is already infected with a SPAM delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it’s running and carrying out the rest of its functionality.
Now the life support issue is a bit sensationalist, but it can be treated as simply a way of demonstrating his argument – that making an unauthorized change to someone else’s machine, no matter how well intentioned, has its risks and therefore should not be done. I also have a hunch, which has been confirmed by quotes in Computerworld, that it is not so much the moral distaste for changing someone else’s machine as the legal liability which has scared off management. (As a parenthetical note, I would like to take a moment to lament the sad state we find ourselves in here in America, where the word legal has almost universally replaced the word ethical.)
While I don’t think that legal liability should trump all other concerns in matters such as this, it certainly plays a part. For that reason, automatically cleansing the machines may be impractical, since I’m sure TippingPoint wants to stay on the right side of the law. However, if I’ve learned anything about engineering ethics, it’s to always try to find a technical method of avoiding the ethical dilemma in the first place. In this case, how about using the control they have to simply direct all the infected computers to a webpage which explains (in the simplest terms possible) that the person is infected and how to clean their machine, along with a link to the MS patch which would prevent reinfection? That should satisfy all parties.
Tags: bots, ethical, legal. Posted in compliance, investigations, regulations, and legal, news.