Wednesday, January 28, 2009

Security's Crux: Real Problems vs Point Solutions

Security has a serious problem.

There are more problems than we currently have solutions for, and the solutions that are being presented are ill-conceived, poorly though-out, and don't actually solve the whole problem thus perpetuating the problem in the long run. Recently American Express learned that if your website has cross-site scripting (XSS) issues an effort must be made to sanitize all input rather than mitigating a single attack vector someone has demonstrated to you. This sort of problem is pervasive, unfortunately and extends out into vendors as well (more on that in a minute).

For some reason, few people are interested in solving actual problems and are instead focused on either selling products or simply solving a point-in-time singularity such as American Express did. I'm not picking on AmEx specifically but their example simply underscores my point. Why is this trend ticking upward faster than previously?

In an analysis of the issue, we can can blame a failing economic climate and therefore falling budgets, or short-sighted CIOs, or worse, security "professionals" with little vision. The fact is all of those factors have been around since long before this problem became so pervasive, and therefore we have to look to alternative reasons for such a collapse in strategic judgement. Nae, I think the problem revolves around the need to stay relevant. Allow me to explain.

Haven't you worked with (or for) someone who refuses to automate a process or teach others simply because he or she feels like they will be made obsolete? You know how flat-out stupid that sounds because it is those people who in the end create an unpleasant end for themselves, instead drowning in their self-created hell. I think the security industry is headed in much the same direction...

I keep reading Giorgio's posts on the Internet Explorer 8 BETA1 release and "ClickJacking" protections offered therein (here and here), yes he's the guy who does NoScript, and it's all of the sudden become clear to me. Once again, Microsoft has solved an industry-wide problem by perpetuating their own proprietary technologies and then marketing them as ground-breaking. NoScript addresses the UI Redress attack (more commonly known as ClickJacking), but since IE is so proprietary and closed... they have to re-invent the wheel to self-serve. This perpetuates the need for Microsoft to "save the masses"... since most people that don't know better are hooked on Microsoft's IE technology like crack.

There is an excellent paragraph I think everyone should read:
"As I had anticipated, IE8’s “clickjacking protection” is just an alternate scriptless way to perform frame busting, a well known and simple technique to prevent a page from being “framed” in another page and therefore becoming an easy UI Redressing target. Microsoft had to follow its own special path because the traditional JavaScript implementation can be easily circumvented on IE, e.g. by loading the targeted page inside an {IFRAME SECURITY=restricted} element. But the other major browsers are equally “protected” (if we can call “browser protection” something relying on the good will and education of web authors) by “standard” frame busting. Therefore, slogans like “the first browser to counter this type of threat” (James Pratt, Microsoft senior product manager) were marketspeak at its best. Furthermore, this approach is useless against Clickjacking in its original “historical” meaning, i.e. those attacks involving Flash applets and other kinds of plugin embeddings which led Robert “RSnake” Hansen and Jeremiah Grossman to invent the successful buzzword."

This IE8 anti-ClickJacking feature is by far not the only incident of self-serving short-sightedness. Why is it that every time we have a very serious issue (ClickJacking, after all, is not a hack but an abuse of legal, spec-defined HTML functionality) everyone jumps to throw their "quick solution" to the problem, then we consider it solved, and we move on.... why?

It's like a bad joke... "[Patient] Doctor, my arm hurts when I bend it like this. [Doctor] Well, then don't bend it that way, problem solved!" DNS was fundamentally broken back in the 90's... but it wasn't until an earth-shattering PR move that every (or almost every) vendor issued a patch... a short-sighted solution. Is DNS still for the most part fundamentally flawed? Yea-ha. Are we going to wait until the next major hack to solve that singularity? Yea-ha.

Are the folks who make the security world go-round just afraid that if we write fundamentally more secure code, solve the root problems, and address security issues at the grass-roots level we'll all somehow become unemployed? As we keep proving, security issues will never go away, there is no end-game in security, as I've always said. Why not, rather than continuing to pile-on the proprietary crapola, join the party and solve the UI redress issue in a cross-platform/browser way? Why not, rather than patching browsers, actually address the problem inside the HTML standards?

I don't get it. Are we doomed to solving singularities and creating products to be point solutions? Or am I simply too philosophical to realize that this is a self-perpetuating issue which won't ever actually go away?

1 comment:

Andy Steingruebl said...

I object slightly to the categorization that this was done without consultation with anyone else, that it is proprietary, and that it isn't a good idea.

Restricted rights iframes are actually a really goo security idea. They allow you to use an iframe n your site but restrict what the child can do, including top-nav'ing the parent, running any JS, etc. Until MS created this new header there was no standardized way to guarantee that your site couldn't be framed. turns out that it really tricky to do so, and yet entirely necessary for a number of important use cases.

So, MS went ahead and created a new universal mechanism for doing it. I think they did consult with a few other folks on it but behind the scenes.

Additionally, while I don't think it solves the problem the noscript solution is heuristic based and fires on lots of legitimate use cases as well, because sites have no standardized way of advertising their framing policy. You can disagree with the exact solution MS came up with in IE8, but at the same time no one else was pitching an architectural solution, so I don't see much to complain about.

I'm hoping we can get the FF adn webkit (Safari and Chrome) folks to pick this up as a standard.