<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" 
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  xmlns:admin="http://webns.net/mvcb/"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">

<channel>
<title>Security Adviser | Roger A. Grimes</title>
<link>http://weblog.infoworld.com/securityadviser/?source=rss</link>
<description></description>
<dc:language>en-us</dc:language>
<dc:creator>curt_franklin&#64;infoworld&#46;com</dc:creator>
<dc:date>2008-05-09T03:00:00-08:00</dc:date>
<admin:generatorAgent rdf:resource="http://www.movabletype.org/?v=3.17" />
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>

<item>
<title>Fixing the Internet</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/05/fixing_the_inte.html?source=rss</link>
<description>
Long-time readers know that I often rant about how insecure the Internet is, and how few solutions will do anything to change that equation during the next 5 to 10 years. I&apos;ve also recommended a handful of solutions over the years, and accepted the resulting criticism that goes along with proposing big ideas. Privately, and not so privately in this column and other public forums, I&apos;ve been proposing specific solutions to make the Internet significantly more secure during the next five years. If you know me personally, you would also know that other than my family, I think of nothing... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/05/fixing_the_inte.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/05/fixing_the_inte.html</guid>
<dc:subject>Internet Security</dc:subject>
<dc:creator>Curt Franklin</dc:creator>
<dc:date>2008-05-09T03:00:00-08:00</dc:date>
</item>
<item>
<title>Zero-second exploits</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/05/zerosecond_expl.html?source=rss</link>
<description>
Microsoft SQL Server hasn&apos;t had a public vulnerability announcement since 2004. The SQL Slammer worm struck in 2003, but the hole the worm exploited had been patched six months before. The holes that the MS-Blaster and Code Red worms attacked had been patched, too. But just a few years ago, no one really cared about patching. We just didn&apos;t patch. Over the course of malware history, the number of days between a vendor patch being released and the malware exploit being announced has shrunk. Consequently, in today&apos;s Internet-connected, crimeware world, you&apos;ve got to get patched as soon as possible.... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/05/zerosecond_expl.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/05/zerosecond_expl.html</guid>
<dc:subject>Internet Security</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-05-02T03:00:00-08:00</dc:date>
</item>
<item>
<title>Be careful with transitive trust</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/04/be_careful_with.html?source=rss</link>
<description>
I just got through reading about another hugely popular, legitimate Web site hosting malicious code that redirects visitors to a malicious Web site. Once redirected, the new Web site runs a fake virus scanner and -- surprise, surprise -- finds multiple malware programs on the user&apos;s computer as it offers to install new &quot;anti-virus&quot; software to the end-user. Of course, users foolish enough to install the software end up installing what is likely to be the only malicious program on their computer. Gone are the days when you could tell your end-users not to visit &quot;untrusted&quot; Web sites to minimize... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/04/be_careful_with.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/04/be_careful_with.html</guid>
<dc:subject>Malware</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-04-25T03:00:00-08:00</dc:date>
</item>
<item>
<title>Virtual machines aren&apos;t really more secure</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/04/virtual_machine.html?source=rss</link>
<description>
I&apos;ve been at several recent conferences where virtual machine (VM) and security “experts” were telling audiences how VM technology can be used to improve computer security. Wow! They are either drunk on the marketing Kool-Aid, misinformed, or simply trying to misrepresent VM capabilities to sell more product. VM technologies are very cool, and great at saving money (and space, electricity, and more), but in all but a small minority of cases, they will not improve your overall security posture. Most of the time, using VM technology will increase overall risk. In a large percentage of the cases I&apos;ve been involved... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/04/virtual_machine.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/04/virtual_machine.html</guid>
<dc:subject>Virtual machines</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-04-18T03:00:11-08:00</dc:date>
</item>
<item>
<title>Don&apos;t throw out ActiveX (or Java)</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/04/dont_throw_out.html?source=rss</link>
<description>
For years, many security consultants and well-meaning guidelines have recommended completely disabling ActiveX in Internet browsers (mainly Internet Explorer) to prevent a particular type of Web client-side attack. Running a browser without ActiveX enabled can be a frustrating experience for end-users, as many popular and legitimate Web sites use ActiveX to enhance the user&apos;s overall experience. Barely a week goes by without one or more ActiveX controls from various vendors being declared unsafe, so I can understand the caution. You should always disable unneeded and unauthorized software, but running a browser without ActiveX enabled when other more reasonable alternatives exist... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/04/dont_throw_out.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/04/dont_throw_out.html</guid>
<dc:subject>Application Development</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-04-11T03:00:00-08:00</dc:date>
</item>
<item>
<title>It&apos;s the applications, stupid</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/04/its_the_applica.html?source=rss</link>
<description>
It&apos;s often written that Clinton, during his first Presidential run, posted &quot;It&apos;s the economy, stupid!&quot; as a banner marquee in his campaign office. This saying supposedly helped focus the staff, resulting in a surprise win for the Democrats. Well, if you&apos;re reading computer security headlines these days, we should all have &quot;It&apos;s the client applications, stupid!&quot; in our war rooms. Nothing I&apos;m saying in this blog post is news. I just want to reiterate it so that everyone is on the same page. Most of today&apos;s popular operating systems are becoming fairly hardened at the OS and... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/04/its_the_applica.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/04/its_the_applica.html</guid>
<dc:subject>Risk Management</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-04-04T03:00:00-08:00</dc:date>
</item>
<item>
<title>Will a whitelist save personal computing?</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/03/will_a_white_li.html?source=rss</link>
<description>
I&apos;ve previously written about how traditional anti-virus programs are finally outliving their usefulness as a preventative measure. Server-side polymorphic malware programs and malicious programs using custom, unscannable packers are making static anti-virus scanners less and less accurate. Using all sorts of tricks, malware writers are making millions of seemingly &quot;unique&quot; (although they aren&apos;t) programs a year. I&apos;m not sure we have millions of legitimate program executables in a given year. When unique malicious programs outnumber unique legitimate programs, it makes sense to have a whitelisting program. A whitelist is a collection of legitimate approved values (for example, DNS entries, program... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/03/will_a_white_li.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/03/will_a_white_li.html</guid>
<dc:subject></dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-03-28T03:00:00-08:00</dc:date>
</item>
<item>
<title>Thousands of Web sites under attack</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/03/organized_crimi.html?source=rss</link>
<description>
Organized criminal groups are hacking Web sites by the tens of thousands to steal money, identities, and passwords. On March 12, McAfee&apos;s Avert Labs reported that 10,000 Web pages using Active Server Pages (ASP) had been infected through SQL injection. A few days later, Microsoft employee Neil Carpenter detected 14,000 maliciously modified Web pages. After the initial SQL injection, the automated attack injected malicious JavaScript or iframe code to redirect visitors to criminal-controlled Web sites. The malicious Web sites then attempted to invisibly exploit end-users using multiple, previously patched vulnerabilities, or if no vulnerabilities were found, attempted to socially engineer the... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/03/organized_crimi.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
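<![CDATA[
The mass injection described above left no visible defacement: the injector appended an external script or iframe reference to stored text columns, so every page rendered from the database silently loaded attacker JavaScript. The following is an added example, not code from this column or from McAfee or Microsoft: a Python scanner that walks a dump of a site's text columns and flags script and iframe tags whose src points at a host outside an allowlist, then ranks the off-site hosts by how many rows reference them. TRUSTED_HOSTS, the table and column names, and the .invalid hosts in the sample rows are assumptions constructed for the example.

```python
"""Hunt for mass SQL-injection payloads in stored page content.

An automated injector that appends <script src=...> or <iframe> markup
to text columns leaves the same off-site host in many unrelated rows.
This scanner pulls script/iframe src values out of stored text and
flags any host outside an allowlist.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts this site legitimately loads script or frames from. Assumed for
# the example; a real deployment would build this from the site's own
# templates and CDN configuration.
TRUSTED_HOSTS = {"www.example.com", "static.example.com"}

# Match <script ... src=VALUE> and <iframe ... src=VALUE>. The quotes are
# optional because injected payloads frequently omit them.
_SRC_TAG_RE = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE,
)


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; None if relative."""
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        return None  # same-origin path such as /js/app.js
    return (urlparse(url).hostname or "").lower()


def external_refs(html):
    """Return [(tag, url, host)] for script/iframe src values pointing off-site."""
    hits = []
    for m in _SRC_TAG_RE.finditer(html or ""):
        tag, url = m.group(1).lower(), m.group(2)
        host = _host_of(url)
        if host is not None and host not in TRUSTED_HOSTS:
            hits.append((tag, url, host))
    return hits


def scan_rows(rows):
    """rows: iterable of (table, column, row_id, text) as dumped from the
    database's text columns. Returns one finding dict per off-site reference."""
    findings = []
    for table, column, row_id, text in rows:
        for tag, url, host in external_refs(text):
            findings.append({"table": table, "column": column, "id": row_id,
                             "tag": tag, "url": url, "host": host})
    return findings


def suspicious_hosts(findings):
    """Off-site hosts ranked by how many rows reference them. One host
    showing up across many unrelated tables is the signature of an
    automated injection rather than a legitimate embed."""
    return Counter(f["host"] for f in findings).most_common()


# Constructed sample rows standing in for a dump of the site's text columns.
# The .invalid hosts are reserved names and belong to nobody.
SAMPLE_ROWS = [
    ("Products", "Description", 1,
     "Great widget.<script src=http://bad.invalid/x.js></script>"),
    ("Products", "Description", 2, "Plain product text with no markup."),
    ("News", "Body", 7,
     '<p>Hello</p><iframe src="//bad.invalid/f.htm" width=0 height=0></iframe>'),
    ("News", "Body", 8, '<script src="https://static.example.com/app.js"></script>'),
    ("News", "Body", 9, '<script src="/js/local.js"></script>'),
]

if __name__ == "__main__":
    found = scan_rows(SAMPLE_ROWS)
    for f in found:
        print(f"{f['table']}.{f['column']} id={f['id']}: {f['tag']} loads {f['url']}")
    print("off-site hosts by row count:", suspicious_hosts(found))
```

Run against a real dump, the ranked host list is what matters: a legitimate third-party embed appears in a handful of rows, while an injected host shows up in every text column the injector could reach. Cleaning the rows is not the fix; the injection point in the ASP code that built SQL from request input is.
]]>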
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/03/organized_crimi.html</guid>
<dc:subject>Internet Security</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-03-21T03:00:00-08:00</dc:date>
</item>
<item>
<title>To solve the unsolvable problem</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/03/to_solve_the_un.html?source=rss</link>
<description>
At least once a week someone comes to me with an unexplainable, random problem that they begin to think might be malware-related. Some of the scenarios are almost laughable. Here&apos;s one I heard this week: &quot;We upgraded the file servers for a particular application last week, and now we are having random printing problems. Do you think it might be a computer virus?&quot; They seem surprised when I tell them I don&apos;t know of a malware program that causes random printing problems on upgraded server applications. What are they thinking? I guess security people are pretty good troubleshooters to ask... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/03/to_solve_the_un.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/03/to_solve_the_un.html</guid>
<dc:subject>User behavior</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-03-14T03:00:00-08:00</dc:date>
</item>
<item>
<title>Re-thinking the security of virtual machines</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/03/rethinking_the.html?source=rss</link>
<description>
Recently, I&apos;ve heard many security officers talking about using virtual machines as a way to increase security. If your developers need local administrator rights and privileges and they can&apos;t have them on their normal PCs, just give them a VM. If an end-user needs to circumvent a few enterprise policy settings but can&apos;t get the management approval, give them an unmanaged VM. If people need to browse untrusted Web sites, give them a VM they can easily reset. At least, these are the reasons I&apos;m hearing why security-lessened VMs were created. And here&apos;s what I want to communicate: If you... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/03/rethinking_the.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/03/rethinking_the.html</guid>
<dc:subject>Risk Management</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-03-07T03:00:00-08:00</dc:date>
</item>
<item>
<title>Security Development Lifecycle trumps code complexity</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/02/security_develo.html?source=rss</link>
<description>
In last week&apos;s column, I talked to Bruce Schneier about complexity, one of the main reasons it will be hard for computer security to improve in the future. As software becomes more complex, in terms of more lines of code or functionality, the harder it becomes to stay secure. More lines of code mean the potential for more security bugs. Increasing feature sets means more opportunities for programs to be used and manipulated in unexpected, malicious ways. In general, I wholly believe in this axiom, but it doesn&apos;t always have to be true. In fact, there is empirical evidence that... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/02/security_develo.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/02/security_develo.html</guid>
<dc:subject>Application Development</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-02-29T03:00:00-08:00</dc:date>
</item>
<item>
<title>Is your Web site FIPS compliant?</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/02/is_your_web_sit.html?source=rss</link>
<description>
FIPS compliance can be the key to working smoothly with servers and clients both in and out of government service. I&apos;ve been involved in a lot of FIPS-compliance Web site testing lately. I&apos;m a crypto hobbyist, not a crypto expert, so I hesitate to write about it, but I&apos;ll explain the basics as well as I understand them. Crypto experts, please write in if I messed up something important. FIPS stands for Federal Information Processing Standards, essentially a series of standards and mandates for U.S. government agencies and supporting contractors. In many cases, if your product or service is... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/02/is_your_web_sit.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/02/is_your_web_sit.html</guid>
<dc:subject>FIPS</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-02-15T12:23:52-08:00</dc:date>
</item>
<item>
<title>Computer security: Why have least privilege?</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/02/computer_securi.html?source=rss</link>
<description>
Least privilege won&apos;t solve every security problem, but it&apos;s a significant step in the right direction. My previous column on the questionable long-term effects of least privilege created a firestorm of controversy and discussion. Personally, I think controversy is good if it gives people on both sides of the argument a chance to reconsider their previous conclusions. If the argument changes your mind, then maybe your original conclusions needed more consideration. And if it strengthens your support, one way or the other, then at least you had an opportunity to reexamine your beliefs and provide yourself even stronger arguments. What... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/02/computer_securi.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/02/computer_securi.html</guid>
<dc:subject>Least privilege</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-02-08T13:54:44-08:00</dc:date>
</item>
<item>
<title>Strategic security: Get a handle on authentication</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/02/strategic_secur.html?source=rss</link>
<description>
One rational, standardized authentication policy across the organization will make all your applications more secure. It&apos;s a common dilemma: You host multiple Web-accessible applications, for both internal customers and external users. A few of your developers are keeping up on the latest programming trends and security models, while some of your highest-seniority employees are stuck in programming models outdated a decade ago. You&apos;ve got a hodgepodge of access and authentication methods, along with a lot of client-server interaction, and a little bit of Web services and SOA, as well as Citrix or Terminal Services thrown in. There are even a... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/02/strategic_secur.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/02/strategic_secur.html</guid>
<dc:subject>Authentication</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-02-01T13:59:40-08:00</dc:date>
</item>
<item>
<title>Control user installs of software</title>
<link>http://weblog.infoworld.com/securityadviser/archives/2008/01/control_user_in.html?source=rss</link>
<description>
Learn how to verify the status of applications and data without wresting away all control over what users put on their hard drives. I&apos;ve written many times over the years, including as recently as last week, that letting users execute and install their own software will always allow viruses, worms, and Trojans to be successfully installed. Traditionally, I&apos;ve recommended that users not have admin or root access, and that they let system administrators choose what software is allowed and what is blocked. But this recommendation breaks down for several reasons. First, it doesn&apos;t cross over to home computers. Most home users are... &lt;a href=&quot;http://weblog.infoworld.com/securityadviser/archives/2008/01/control_user_in.html?source=rss&quot;&gt; READ MORE&lt;/a&gt; &lt;/p&gt; 
</description>
<guid>http://weblog.infoworld.com/securityadviser/archives/2008/01/control_user_in.html</guid>
<dc:subject>User behavior</dc:subject>
<dc:creator>Roger Grimes</dc:creator>
<dc:date>2008-01-25T15:20:30-08:00</dc:date>
</item>


</channel>
</rss>
