CanSecWest 2009 Pwn2Own and Misc Security Thoughts

This year’s pwn2own at CanSecWest hasn’t been targeted at operating systems but at browsers and mobile platforms. This has drawn some heat because it didn’t include Opera, which is increasingly popular on mobile devices. Rather, it was only IE, Firefox, and Safari on Windows and OSX as well as phones.

While I approve of targeting specific applications, especially given the role browsers now play in most users’ lives, there are significant enough differences between operating systems and how they’re used by most users that I wish contests like these would continue to include OS-specific targets.

Let me also say that to a certain degree, the change in this year’s format does better illustrate the bigger problem of software security which isn’t at the OS level but in the wider area of applications. As software is increasingly cross-platform, the problems are often not limited to one platform: a vulnerability in Firefox may or may not affect more than Windows, but it’s more likely than not going to affect Windows users for two reasons: Windows is the biggest target by nature of its widespread adoption and Windows has a more standardized set of libraries than other operating systems. Everyone wants to dish out on Microsoft (and I want to dish out on Apple, whose software I believe is tremendously less secure than Windows) but the magnitude of “problems” with it is due to the issue of critical mass — more people use Windows so it’s always going to be a bigger target for crackers.

Security through obscurity isn’t security, it’s just obscurity. This is one reason why Linux wasn’t a target at pwn2own this year. It’s not that Linux is invulnerable to cracking or to malware like rootkits, it’s that hardly anyone in the aggregate uses it on desktops. Not security, obscurity.

If you want more security that way, use an even more obscure OS. Something nobody else is using, like BeOS or Haiku.

Change the topic from desktop to server and then look at the market share Linux has in that category and it’s a different story: where Windows desktop machines are great for botnets, they’re often herded from cracked Linux servers. Where Linux has less obscurity, it’s a bigger target.

The number of compromised Linux servers — which can only be estimated from the number of botnets shut down or observed to be operating (another dangerous part of security through obscurity is the feeling of invulnerability and the lack of tools to detect system compromise) — attests to the real problem with security: it’s not OS-specific, but rather a problem of buggy software and poor implementations and procedures. Just as it’s bad practice to use unpatched software on a Windows desktop, it’s bad practice to use unpatched software on a Linux server. And vice versa — buggy Linux desktops are just as bad as buggy Windows servers. Just as it’s poor procedure to run everything as administrator in Windows, it’s equally poor procedure to implement shoddy permissions in Linux (and some Linux CD-based distros run only as root). The problem really isn’t the OS, per se, but what’s being run on it and how it’s being run. The problem is really the user, the weakest link in the chain of security.

Desktop Linux users also tend to fit a less than lucrative target profile. While many people do choose Linux and BSDs for more than the free-as-in-beer reason, Linux users tend to fall in a very small demographic and it’s not a financially lucrative one. Whom would you target if you wanted money, someone who can afford to purchase a license or someone who brags about how Linux can run on cheaper, older hardware and doesn’t cost more than the cost of the installation media? People who try to rob cheapskates usually starve. In comparison, Bernie Madoff’s client list wasn’t filled with kids living in Mom’s basement but with celebrities and high society types and groups with considerable assets. Willie Sutton famously said he robbed banks because that’s where the money is; cybercrime targets Windows users because that’s where the money is — both in the aggregate (over 90% of desktops) and in the user demographics (above median income).

One more thing about this as it relates specifically to Linux. Tipping Point gives away computers and a few thousand dollars. These exploits have significant market value, more than a few thousand dollars and an inexpensive laptop. There may be some prestige among colleagues in the security field for being able to crack something. But it pales next to what others are willing to pay for exploits on the open market, whether government agencies or criminals. It’s folly — a non sequitur — to suggest that the lack of Linux-specific or even Linux-targeted exploits at events like this indicates there are none or even few.

Back to pwn2own news…

Day One was exciting with four zero-day exploits against the targets. The first victim, and as usual the easiest and fastest one, was OSX via Safari. Charlie Miller won the MacBook for the second consecutive year. Then IE8 fell to “Nils,” whose three exploits netted him a Vaio (for being first to crack IE8 this year) and $15k (at a rate of $5k per demonstrated zero-day exploit).

Day Two, with relaxed rules, proved less eventful. At last report, there were no more zero-days demonstrated and few, if any, attempts to pwn phones.

CanSecWest closes today.
