Is Sandboxing the End-All Solution?

When you have millions of lines of code, like you have in an Operating System, you will have bugs. Hackers can use these coding bugs to create exploits. Microsoft and Adobe products have been a favorite target for hackers. But how do you protect software from hackers when there are unknown bugs?

The answer just might be sandboxing. But what is sandboxing? According to Wikipedia:

A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users. The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

We see this technology used in Virtual Machines. Several guest operating systems can run on a host system, and each has its own memory space, hard drive storage, etc.  They are on a single machine but are not allowed to communicate with each other. These types of features are being used in the development of secure Operating Systems. The client user space will not be allowed to communicate (or theoretically infect) the core functions of the system.

Programs can be sandboxed too.  Google and Adobe have added sandboxing features to their Chrome and PFD Reader products. If the products are compromised, this should limit the ability of the hacker to access the rest of the system.

But how well will this work? Sandboxing is a great idea, and will help a lot in dealing with buggy code. Although in reality is just another level of defense. Granted it adds to the difficulty of penetration, but it will be compromised just like everything else is over time.

Unfortunately security, like Anti-Virus, is a constantly evolving process. As soon as a new anti-virus definition comes out for the latest virus, three more new viruses are detected. The same is true in the security field. When a new security product comes out to address an issue, exploits and ways to bypass it follow along shortly.

At this point in the game, your hope is that you have added enough protection to your systems that the attacker gives up and moves on to easier pray. And to keep logs and monitor your systems in case they don’t.


America Switching to “There is no Security Anymore” Policy?

An interesting statement came out from an National Security Agency (NSA) employee last week. According to a Dailytech article, the NSA is switching its computer security mindset from defense to the realization that the bad guys will get in.

Debora Plunkett, NSA’s director of the U.S. Information Assurance Directorate said, “There’s no such thing as ‘secure’ any more.  The most sophisticated adversaries are going to go unnoticed on our networks.  We have to build our systems on the assumption that adversaries will get in.  We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”

This is a change in policy from trying to keep people out, to monitoring and limiting the damage done when they do get in. And get in they have, numerous reports of large corporations, government, and military breaches have made headline news over the years. Foreign Governments, Terror organizations and Nation States had made it a priority to compromise American security and gain as much intel as possible.

The U.S. has been under increasing attack digitally from foreign intelligence agencies, including China and North Korea.  Foreign spies have infiltrated defense contractors, and retrieved information from lost U.S. government hardware.  Deputy Defense Secretary William Lynn, in the September/October issue of the journal Foreign Affairs, estimated that at least 100 foreign intelligence agencies are trying, night and day, to hack into U.S. government systems.  He says that many of these agencies have the sophistication to succeed, at least some of the time, in their plots.

China alone has the manpower to unleash thousands of hackers against a single target. And many feel that foreign powers already have access to critical infrastructure systems. According to Mike McConnell (NSA chief from 1992 to 1996), “[There is not a major computer system of consequence] that is not penetrated by some adversary that allows the adversary, the outsider, to bleed all the information at will.”

What we will probably see is more monitoring and backdoors in software and hardware devices. Things like Lawful Intercept in Cisco routers are well known. Allegations have also been made that the FBI placed several backdoors in OpenBSD:

“… a former government contractor named Gregory Perry came forward and told him that the FBI had put a number of back doors in OpenBSD’s IPsec stack, used by VPNs to do cryptographically secure communications over the Internet.”

The biggest fear is over reaction, like the TSA’s full body scanners. More security is a good thing, as long as it does not continue to erode our personal privacy and freedom.

Pictures of the other New York

Just a quick break from the computer security world. Found about 500 pictures that my dad had taken before he passed away. They were all on 3.5″ floppy and needed to be converted. Amazingly, I found a computer that had a 3.5″ floppy drive. And I had no read errors on the disks even though they were about 15 years old!

I just wanted to share some of these pictures that I found with you.

At my first corporate job out of school, I had to order parts and supplies. This was in New York State. Now, one of our main parts vendors was in San Francisco. My customer service rep would give me a hard time whenever I called to order parts. He always harassed me about living in New York.

“It’s all just one big city” he would say.
“No,” I told him, “I Live in Upstate NY, we have cows and trees!”. 
“No,” he would say, “You have skyscrappers and muggers!”

But try as I might, I could never convince him otherwise.

Anyways, here are some pictures of “The Other New York”, I hope you enjoy them.