|(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix
Prev | Contents | Next
Yalta, September 21, 2013
This interview took place during celebration of Doctor Web, Ltd's twenty years of product development (and simultaneously 10 years since creation of the company -- Doctor Web, Ltd). For additional information about the anniversary see Doctor Web Anniversary Match and Facebook Community Page about Doctor Web.
The leading analyst of Doctor Web, Ltd Mr. Vyacheslav Medvedev kindly agreed to talk about current security problems with the editor of Softpanorama. Mr. Medvedev is a frequent speaker on various security conferences, where he often represents the company.
NNB -- Nikolai Bezroukov
VM -- Vyacheslav Medvedev
Now along with "old-style" security against malware growing importance acquires
"informational security" or privacy of companies and peoples information. How popularity of smartphones
and tablets change the "security/privacy landscape" both in "personal" and enterprise markets?
Does Android repeats security architecture mistakes made by Windows or it made
its own and now has own vectors of malware creation and propagation?
What do you think about the possibility to create software-based defenses which
would prevent "overexposure" of users and leaks of important enterprise information via social sites,
such as Facebook, Odnoklassniki, etc ?
Recently a new class of malware became prominent. Malware customized for a certain person ( or
a certain company) which retrieves some confidential information and sends it to the
command and control center. For example, bank account information in case of "Bank Trojans". What new program tools
this new situation requires and how generally we should react to this new threat?
Now let's touch the problem of the lack of variety among mainstream security programs that are used
for malware defense. Malware scanners that dominate are known from DOS days. The only other
type of security programs that became widely used is a firewall. For some reason standalone integrity
checkers such as ADinf dies out.
Now let's discuss the security of cloud computing. Now it is clear that cloud
computing creates additional vulnerabilities and first of all leaks from the cloud provider.
Does this mean that the current tendency to move data to the cloud providers should be
amended or reversed?
Do you think that commercial mainstream press (MSM) creates unrealistic, exaggerated expectations for new technologies and tries to promote technologies which, if not questionable, at least need considerable enhancement before they can come mainstream?
NNB: Now along with "old-style" security against malware growing importance acquires "informational security" or privacy of companies and people. How popularity of smartphones and tablets changes the "security/privacy landscape" both in "personal" and enterprise markets?
VM: Proliferation of tablets and other similar mobile gadgets makes security on enterprise-level definitely worse. The problem is that people do not understand importance of security and the complexity of the problem. This is especially true about small and medium business, where people often start working together as friends, close, 100% trusting each-other partners, people who initially think that they have a single goal. In this situation everybody have access to all the resources of the company. But later the business inevitably experiences a crisis: personal conflicts arise, partners drift apart and split, and those who stay suddenly discover that they can't control the confidentiality of critical information neither within the company, not for the people who are leaving. People who are leaving, leave with a substantial "portfolio" of information and first of all with the content of their mailboxes.
This is difficult to change. In small companies much of the business is based on trust and to segregate information which is essential for avoiding leaks in this environment is impossible. Critical for the company information is typically duplicated on many personal computers both owned by company and private. As functions are not well defined, they spread between people with few limitations. Naturally people who leave the company take their personal computer, tablets and smartphones with them. And the amount of sensitive corporate information on those devices is a huge problem. The size of this problem is such that in such companies we generally can't talk about informational security. They, of course have an antivirus program, they try to conform to those state requirements that their business faces (for example, in healthcare), but this is all superficial as there is neither real privacy of information, nor informational security in such a company. The key aspects of "informational security" are never addressed and constant "leaks" is the fact of life.
And this is not an easy problem to solve. Employees and founders of the company now work with data "at any place, at any time". Not only at work, but also at home, often in cafe or restaurants and during vacations.
But with growth of the company situation changes and the demands for some level of segregation of critical information from the rest increase. And there is a growing understanding that there should be some "information security policy" and corresponding protocols. But there are already habits and those are strong habits. Attempts to enforce this new more secure environment "from above", will typically fail. People used to work as friends, but now hierarchy is enforced and this can be a huge shock. Your key, most productive employees, might not accept this new environment and just leave. Moreover all information is already distributed and, for example, customers database is typically assessable to most people in the company. Everybody is responsible and have information about all the clients.
Here we are talking not only about "corporate data", but also about email. Mail file on a home computer of a key employee is a huge trove of data. It typically contains important intellectual property and important for the company contacts. If this file "leaves" the company, that means that such company can be deprived of considerable part of their intellectual property.
So, generally, we are talking about difficult, under-appreciated and, as a result, almost impossible task. I am very pessimistic. My impression is that it is very difficult for fast growing companies to prevent leaks either on political level, or on technical level.
On the level of personal user information, the situation seems to be even worse. The main consumers of ultrabooks, tablets, expensive smartphones and similar portable devices are young people. Those people are usually technically adept, energetic and are trying to advance their carriers and/or improve their standing in business. In a way, they do not understand the term "informational security" or "privacy" at all. If we are talking about IT people, they live in the world of IT were they assume that they have an absolute right to deal with the information they have, as they please, believe in "absolute freedom of information exchange" ( especially, for the enhancement of their career.) They assume that everybody has the right to have all the information and have the absolute right to expose what they want and first of all their successes on Twitter, Facebook, Odnoklassniki, and other social sites. So maximum self-revelation is, in a way, their chosen life-style.
They do not understand that somebody can easily "get" them. Let's try a very simple example. Just knowledge were a particular device (with its owner) is located is a very important, very sensitive information. And based on just this information alone you can, in principle, rob the house of this person. Of course, this is a simplistic example, but some real cases along those lines definitely exist. If we are talking about personal preferences, especially "non-standard" preferences, such old method as blackmail also works.
NNB: Does Android repeats security architecture mistakes made by Windows or it made its own and now has own vectors of malware creation and propagation?
VM: I would say that in some ways Android security architecture is closer to DOS rather then Windows. I don't remember the internals of Windows 95-98 as I was working with Linux at the time. But Windows NT from which modern version of Windows were derived was created from the beginning as a system which possesses a well defined multiuser security architecture (actually the team which developed Windows NT was the same team that developed famous DEC VMS -- NNB). The architecture which distinguishes the role of user and the role of administrator. It is so to speak mature, "adult" OS. Let me concentrate on this single topic to illustrate the scope of Android security architecture problems as I see them.
Android was created as a user-friendly device. And security issues were pushed to the background. Only in version 4.3 SE Linux was finally implemented. For corporate devices absence of multiple roles, multiple users has grave implications. There is a strong tendency to use a single device both as a corporate and private smartphone. This is so-called bring your own device (BYOD) trend that is now very strong and which, with the current versions of Android, can lead to trouble. Because BYOD requires multiuser or multirole functionality with the separation of application and data spaces between enterprise and "private", family usage. For this role Android fails miserably.
Companies strive to ensure that the data they have on portable devices be protected and, if necessary, encrypted. This implies limitations on the user behaviors including, but not limited to access to email attachments, certain sites and types of data. For example access to Facebook or Odnoklassniki can be prohibited. At the same time at home the user should be able to access from his phone Facebook or Odnoklassniki, if he/she wants. Why he/she can't ? Such a restriction just does not make sense. The only pre-condition is that such usage should not directly or indirectly endanger corporate data on the same phone. And if we look at the products which are on the market for converting Android phone into a corporate device, we see that they all impose severe restrictions on user activities. He can install applications only from the company portal, mail is encrypted, some sites are off limits, access to MicroSD card might be blocked, etc. And if an employee brings his own Android phone and wants to use it as an enterprise phone as well, saving money for the company, he will lose the ability to use it as a personal device.
So we need some mechanism for switching of roles. This absence of roles and separation of private and enterprise data space in current version of Android is a grave security deficiency. Even for individual user it probably should be a separate user space to perform such activities as online banking, much like many phones have two SIM cards.
Of course, there are also some hardware-related issues here, but for phones with over 1GB of RAM and 8GB or larger SSD it should not be a problem. But it will definitely somewhat slow the phone down and make it less user friendly. Because full reimplementation of role separation and multiuser functionality of Linux or Windows and the separation of user spaces increases hardware requirements for the smartphones. There is no free lunch. But this is a necessary compromise. The same is true about modern Linux which is as heavy as modern Windows as for hardware resources requirements.
There are other security problems with Android platform, but the problem that I mentioned illustrates the scope of Android security problems quite well. They stepped on the same DOS-style rake again and that's why we now have banking Trojans for Android too.
NNB: What do you think about the possibility to create software-based defenses which would prevent "overexposure" of users and leaks of important enterprise information via social sites, such as Facebook, Odnoklassniki, etc ?
VM: Such methods, of course, exist. If we are talking about prevention of information leaks, then we can put an infrastructure which would block offloading of certain corporate data to social sites, but I am not convinced about their efficiency.
First of all we can filter text files that are transmitted using some kind of sophisticated filter. But even here there are considerable difficulties: we face the same spectrum of problems that exists in filtration of spam, a very challenging problem on solving which considerable amount of money were spend with only limited success. And even if we manage to solve all those problems for text, but what about graphic data? Is the photo posted on Facebook from a corporate desktop just a photo of people at lunch or an important meeting with a competitor that should be kept confidential. This requires face recognition, which is a task for artificial intelligence and progress here so far is very limited. Such systems, even if they exist, are immature, prone to false positives and they require considerable hardware resources. I doubt that they can be installed on corporate laptops. Generally I think that, realistically, such capabilities currently belong to the area of science fiction.
NNB: Recently a new class of malware became prominent. Malware customized for a certain person ( or a certain company) which retrieves some confidential information and sends it to the command and control center. For example, bank account information in case of "Bank Trojans". What new program tools this new situation requires and how generally we should react to this new threat?
VM: It might be that program tools are not enough. I think that those Trojans create a new environment and that in this new environment standards and procedures should play considerably more prominent role. The problem is that most people and most companies, which face such problems, do not use even existing (partially outdated) standards and have inadequate procedures. Relevant methods and procedures exist for a long time, but were mostly limited to military and defense industry. Now they should be extended to financial industry and critical infrastructure objects as well to people who access their bank accounts from their personal computers, tablets and smartphones. This is a very difficult task.
First of all we need to improve security education. That includes increased understanding of existing standards and development of better methods of ensuring compliance. Here security companies like Doctor Web, Ltd can play an important role. We can show customers how to deploy a particular standard and how to integrate existing security tools into this standard framework. Role base access (RBAC) can restrict the ability to use flash drives, run unsigned software, etc for certain roles. But unfortunately most companies rely almost exclusively on antivirus packages and think that deploying just a single package is enough to prevent penetration of any type of malware into their environment.
In other words, the most important problems in this area are not related to software, but are organizational. People do not understand the real dangers in using modern portable devices and PCs. Moreover they tent to make mistakes and (in retrospect) perform stupid, dangerous actions, despite the fact that formally they were trained and may even pass a corresponding test. For example, typical "good" email security policy consist of, say, five or six pages. Most people don't read that much ;-). And even if they read it, they surely forget most of it in a month or a year. As the result they can click on some plausible link which was sent to them and face consequences. Or even respond to fake "letter from the bank" with data about their account. Here continued education and annual compliance review can help.
That means that existence of good up-to-date standard and procedures is not enough, the actual level of compliance is much more important. So there is a place for a new organizational role similar to "quality controllers" in manufacturing: it is necessary not only to have procedures, but to have manpower to ensure that people comply with them. Here, again, a certain role can be played by companies like Doctor Web, Ltd as they know which parts of standard are the most relevant better then others.
The other problem is the quality of standards. Existing standard are usually outdated, sometimes they are excessively complex. They typically reflect the past threats. That is true both for the US security standards, such as published by NIST, or corresponding Russian standards. It is unclear to me how to improve their quality, make them less lagging and better reflecting new threats. The current process of periodic updates is inadequate. This is a complex task and I do not see an easy way of achieving this goal. Better cooperation between security companies and government bodies might help.
Another problem exists with devices that should always be online, devices where downtime is limited to scheduled hardware maintenance and generally is quite costly. And where the cost of the wrong patch, that disrupts the functioning of the system, is tremendous. For example, ATMs. Often such devices are not updated on a regular basis or at all, until some breach occurs.
NNB: Now let's touch the problem of the lack of variety among mainstream security programs that are used for malware defense. Malware scanners that dominate are known from DOS days. The only other type of security programs that became widely used is a firewall. For some reason standalone integrity checkers such as ADinf died out.
VM: Yes, standalone integrity checkers dies out. I think that while they are necessary, the functionality of standalone integrity checkers is limited. If they just calculate CRC or simple control sum they can be fooled.
NNB: So cryptographic control sums such as MD5 should be used, right?
Yes, but also is always possibility to find the place in the system which allows to bypass this defense , for example by modifying path when instead of system library with correct MD5 hash another is loaded ( if the loader accepts unsigned executables -- NNB)
NNB: Then the proper place is system loader and "total" switch to signed executables, right?
VM: Right, but you need to control path, registry, etc as well. Also what to do with custom software, created within the organization ? Another problem is that some systems and applications for various reasons are not updated regularly. Often, not all applications can be updated to the most recent version. In this case it does not matter whether the control sum or cryptographic sum is correct. Vulnerability exist in an outdated executable and can be exploited directly in memory via browsers or similar applications without writing the "rogue" executable to disk.
NNB: Let's discuss the security of cloud computing. Now it is clear that cloud computing creates additional vulnerabilities and first of all leaks from the cloud provider. Does this mean that the current tendency to move data to the cloud providers should be amended or reversed?
VM: I would say that cloud computing needs to be enhanced. And the key problem here is what to do in case of outages. When cloud computing was introduced the main advantage that was advertized was better security and better uptime. And yes, they achieve better real physical security as they are a specialized company, but what about security against natural disasters. If your network pipe to cloud provider is broken, or the roof of the cloud datacenter is gone, and you do not have an alternative datacenter, you are stuck. You need probably to use two different providers with different, independent routes to ensure that if a disaster occurs you can continue to function. That costs additional money. And natural disasters, air conditioning, electrical and network outages happen with cloud datacenter as often as with regular enterprise datacenters. Without "cloud redundancy" downtime can be considerable as for a cloud provider you are just "yet another customer".
The question of information leaks has a more prosaic side. Rogue sysadmin can extract God knows how much of your most important, vital information and sell it, or disclose it. And you do not control datacenter staff. Also a blunder of the administrator of a cloud server can wipe your data and the last backup contains only data from the last day. It is unclear how to counter those threats.
So the notion that cloud computing can save money is exaggerated, because you need to pay money to ensure redundancy. You also need to duplicate part of offloaded to the cloud infrastructure on your site so that in case Internet connectivity is gone, some minimal office functions are still supported. One example would be an internal file server. Another is a local mail server. In addition to that, you need periodic data audit functions that probably can be paid services provided by companies like ours. Another important task is calculating "cloud risks" where companies like Doctor Web can provide valuable services.
NNB: Do you think that commercial mainstream press (MSM) creates unrealistic, exaggerated expectations for new technologies and tries to promote technologies which, if not questionable, at least need considerable enhancement before they can come mainstream?
VM: It goes without saying. Typically MSM journalists are not specialists in the narrow technology areas they cover, including such complex areas as security or cloud computing. And often they do not have special computer-science education at all. But the real question is about people who understand limitations of abilities of journalists to understand a particular technology issue and instead of educating them and helping to collect the objective information in particular area try to exploit this lack of understanding for misleading public and selling their half-baked solutions.
NBB: Thank you for the interview.
VM: It was a pleasure. Thank you for your insightful questions.
Google matched content
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to to buy a cup of coffee for authors of this site
Last modified: March, 12, 2019