Qubes OS: The Bento Security Model in Action

One of my favorite jokes about security people is that you can divide them into two types: Builders and Breakers. Builders like to make things, like web applications or identity management infrastructures. Breakers like to find holes in things. They tinker and hack. Usually, you gravitate towards one skillset or the other; it is extremely rare to find someone who does both well. It’s like running: you either sprint, or run marathons.

So it was with great curiosity that I read about the announcement of the Qubes OS by Invisible Things’ Joanna Rutkowska. Joanna is best known as the bête noire of the virtualization world; her “Blue Pill” hypervisor-breaking software was widely noted, even by us. Her Black Hat speeches are legend. She is clearly in the Breaker camp, and one of the best ones too.

Qubes is a new operating system based on Linux and Xen that divides up the operating system into multiple isolated VMs that work together. It allows arbitrary portions of the operating system, such as the web browser, to run in one VM while other portions run in other VMs. Certain functions, like networking and storage, run in their own VMs. The VMs share a GUI (again, compartmentalized from the other VMs) and can exchange files. I won’t attempt to describe it in detail — the architecture document does that well enough:


The Mobile Security Threat is Overblown: the complete post

Earlier this week SC Magazine published my comments on mobile malware: why I believe there will not be a mobile malware pandemic any time soon, and probably not ever. My reply exceeded their length limit, so some of the context was lost. Here are my comments in their entirety.

Security software vendors like to bleat about how mobile phones will be the next big target for malware writers. There’s a sense of inevitability about this, and the story goes like this: Mobile operating systems are becoming a lot like PCs. PCs have lots of malware. Therefore smartphones will have lots of malware — any day now. Security vendors are hoping this will become true so they can sell mobile security software. This idea has at least three problems:


Plain speaking about industrial spying

Or: why “advanced persistent threat” is the wrong phrase

Google's revelation that it was hacked by (likely) Chinese actors has helped propel another round of stories, blog posts, and analyses about What It Means. I have participated in some of these discussions, and my colleague Chenxi Wang has written several illuminating posts about the nature of the attacks.

The specific means of compromise, a zero-day Internet Explorer exploit, has raised awareness of a phenomenon referred to as the “Advanced Persistent Threat,” concisely described by Lockheed Martin’s Mike Cloppert as “any sophisticated adversary engaged in information warfare in support of long-term strategic goals.” In his posts, Mike also nearly always uses APT in conjunction with the word “actor” (as in: APT actor) because he means a particular adversary. Mike's definitions are important because they help clarify what APT is, and what it is not. Expanding on his definition a bit, here is what I believe APT is:


The Devil’s Dictionary, InfoSec Edition

Ambrose Bierce’s The Devil’s Dictionary is a wickedly witty piece of work (and website). It slyly redefines common words and phrases, usually with a bitter, contrarian, or comic touch. But why should Mr. Bierce (or more correctly, his estate) have all the fun? It is time for one in the information security field. Here are a few nominations. Most of these are original, but a few were gleefully filched from others:

ALE: an intoxicating liquor that gives imbibers perceived omniscience and discernment, but with one unfortunate side effect: it causes their pants to spontaneously fall down

Advanced persistent threat: a security product manager hyping new categories

Blended threat: a hemlock smoothie

Claims: a more expensive form of assertions, officially sanctioned with George Orwell’s posthumous blessing. cf “flatbread” v. “pizza”

Collective intelligence: the dawning epiphany that the cyber-villains have already won

Data leak prevention: adult undergarments for stopping electronic incontinence

Device control: using Super Glue to plug holes in the sides of laptops

Full disclosure debate: a ritualistic Kabuki performance that ends with a fist-fight amongst members of the audience

Actionable: providing information of sufficient detail and clarity to enable one party to sue another*

Full disk encryption: spray-on auditor repellent


The Attack on Google: What It Means

Unless you have been living under a rock for the past few days, you probably have heard about some big changes Google has made regarding an attack on its infrastructure. Here is what we know:


Three Nominations For ISSA's 2009 Retrospective Awards

According to my friend Pete Lindstrom, the Information Systems Security Association (ISSA) is surveying its members for suggestions on three 2009 stories that, in retrospect, were the "most" of something. I'm not a member of the ISSA, but awards are fun, right? Here are my nominations:

Most significant breach of 2009: Heartland Payment Systems

Yes, this breach happened in 2008. But the story broke in 2009, so I'm counting it. The significance of the breach wasn't just the size (130 million credit card numbers). The story that surrounded the breach provoked some interesting debates about the role of PCI, the effectiveness of auditors, and the willingness of clients to QSA-shop, ignore advice, and blame third parties for their own failures.

Most overhyped story: "The cloud is insecure, m'kay?"

It is easy and appropriate -- today -- to discuss the risks associated with putting applications and data on semi-public devices you don't own. Criticizing is easy, but the fixing is more interesting. I predict that in time "the cloud" will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the "information" back into Information Security. This is exactly the discussion we need to have.


Chrome OS is coming, and it is impressive

Today, Google made its first public announcements about Chrome OS, a Linux-derived operating system that it positions as secure and easy to use. I listened in on the Web cast today, and had some initial impressions.

Overall, I am impressed. Google had the luxury to design an OS using a clean sheet of paper, and as a result produced an OS that has some very interesting security properties:


The iPhone “Worm” Presents No Risk to Most Users

Andrew Jaquith

Much breathless prose has been written about the Ikee malware circulating amongst iPhone owners. Described as the first iPhone worm, Ikee does something fairly funny: it replaces the user’s lock screen with a picture of Rick Astley, of 1980s “Never Gonna Give You Up” fame. In other words, it RickRolls your phone. According to the author, the worm circulates by scanning the phone’s local IP address range for other iPhones running the SSH daemon, and if it finds any, attempts to log in using the default root password. It then copies a JPEG file of the sainted Mssr Astley to the location where the picture is stored.


Your New Client Security Analyst

Andrew Jaquith

After seven years, my colleague Natalie Lambert is leaving Forrester. In the year that I have been at Forrester, she has been a good team-mate, sounding board for ideas, gleeful mischief-maker, and collaborator on shared research topics. I will miss her insights and energy, and I wish her the best as she begins her next adventure.
