
Hosted by

The Promise of Trustworthy Computing

And why most of corporate America will never benefit from it.

Roberta Bragg

“Trustworthy Computing is a 10-year project, sort of like (President) Kennedy sending people to the moon. We're (only) a year into it. We want to get to a point where the end user says, I trust this technology, my privacy is protected, and it is reliable.”

-- Scott Charney, chief security strategist, Microsoft

“Trusted computing proposes a computer with security measures built into both the hardware and software, without the need or ability of the computer's user to implement or disable it.”

-- Steven J. Vaughan-Nichols, DevChannel.org, April 17, 2003

Trustworthy Computing Initiative

Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium
• Vaulted computer storage and CPU accessible only to TC processes
• Data encrypted as it moves between computers and components
• Nexus, or manager of trusted code: a kernel in which no third-party code is allowed
• Uses a special CPU
• Five hardware parts must change: CPU, chipset, input device, video output, unique identification chip

TC Initiative

Trusted Computing Platform Alliance (TCPA), an industry group (Compaq, HP, IBM, Intel, and Microsoft, now over 190 member companies)
• Special cryptographic chip
• www.tcpa.org
• Version 1.97, July 2002?

TC Initiative

Intel's LaGrande: a hardware-based foundation for security, providing protected execution, protected memory, and protected storage.

Forecast to be in the Prescott chip design, which will succeed the Pentium 4 in the second half of 2003.

Shades of the 1999 digital identification chip?

Good

IBM's ThinkPad T30 high-end laptop uses an Atmel processor based on some aspects of the TCPA specification.

Good

Intel's TPM (Trusted Platform Module), for future Centrino chipsets, will provide a digital certificate. This could be used to authenticate the computer on a network configured to do so. Think secure wireless communications, for example, using 802.1x.

Bad

Intel's Centrino chipset TPM: could the certificate be used to identify the machine on the Internet to anyone who can? Would you know at all times where I am (as long as I have my computer with me)?

Good

Microsoft work stoppage in 2002 to rewrite Server 2003 code and train programmers.

Spent 100 million.

Good

Employees also treat the company's security personnel differently. Jonathan Schwartz, software design engineer for Windows Security at Microsoft: security folks were seen as "the crazy voices from off in the woods."

"We understood what a buffer overflow was, and we would yell and scream until it got fixed," Schwartz said. Now the security team has the opposite problem: more people point out bugs, and many are relatively minor.

CNET, January 16, 2003

Good

Created the Security Business Unit, responsible for:
• securing Windows
• spearheading company-wide security efforts
• developing new security products for market

Good

Revamped Microsoft Security Response Center (MSRC): greater authority to coordinate vulnerability investigations and develop fixes.

Good

Incorporated severity ratings in security advisories and patch releases. Goal: give admins a better ability to judge patch/advisory criticality.

Bad

Some say the new severity ratings are flawed.

Good

Retrofitted XP and 2000 from knowledge learned in debugging Server 2003 (SP1 and SP3, respectively).

Incorporates security patches for scores of known and publicly unknown vulnerabilities.

Bad

Unknown vulnerabilities?
• Should we know what these are?

Good

New quality control tools for the Windows compiler: checks code for buffer overflows.

Compiler changed after the first version of Server 2003 was released.
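The compiler check this slide refers to works by placing a secret cookie between a function's local buffers and the data it protects (the saved return address) and verifying that cookie before the function returns. The C program below is an added example, not part of Roberta Bragg's slides and not code from any Microsoft compiler: it models the mechanism with a struct standing in for a stack frame, an unchecked copy that can spill past the buffer, and a bounded copy that rejects oversized input. The struct layout, function names and the cookie constant are this example's own constructions; a real cookie is a random per-process value.

```c
/* Added example: model of a stack-cookie ("canary") overflow check.
 * Names, layout and the cookie value are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY   0xA5C3E1F7u   /* constructed; a real cookie is random per process */

/* Stand-in for a stack frame: local buffer, compiler-inserted cookie,
 * then the value the cookie protects. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t cookie;
    uint32_t saved_return;
};

/* Unchecked copy, as written before such compiler checks existed: copies
 * the whole input into the frame without regard to buf's size. The write is
 * clamped to the frame so this model itself stays within defined behaviour. */
static void copy_unchecked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);   /* may spill past buf into cookie */
}

/* Prologue/epilogue pair: place the cookie, run the copy, verify the cookie.
 * Returns 1 if the cookie is intact, 0 if the check would fire. */
int run_with_cookie(const char *src, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = CANARY;                 /* prologue: store cookie */
    f.saved_return = 0x1000u;          /* constructed placeholder */
    copy_unchecked(&f, src, len);
    return f.cookie == CANARY;         /* epilogue: verify before "returning" */
}

/* Bounded copy: rejects input that does not fit (leaving room for the NUL).
 * Returns 1 on success, 0 if the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len) {
    if (len >= dst_size) return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Same inputs through the bounded copy into a BUF_SIZE buffer. */
int run_bounded(const char *src, size_t len) {
    char buf[BUF_SIZE];
    return copy_bounded(buf, sizeof buf, src, len);
}

int main(void) {
    const char *ok  = "hello";                     /* constructed: fits */
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed: 24 bytes */
    printf("short input, cookie intact: %d\n", run_with_cookie(ok, strlen(ok)));
    printf("long input,  cookie intact: %d\n", run_with_cookie(big, strlen(big)));
    printf("long input accepted by bounded copy: %d\n", run_bounded(big, strlen(big)));
    return 0;
}
```

The point the model makes is that the cookie check is detection, not prevention: by the time the epilogue notices the cookie has changed, the overflow has already happened and the only safe response is to abort. A bounded copy in the source code refuses the oversized input in the first place, which is why the compiler check complements, rather than replaces, careful coding.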

Bad

Some think the compiler is an excuse for not writing good code.

Good

Software Update Services: patch management service
• Automatically downloads patches from Microsoft to a local server
• Enterprise customers can test and approve patches before pushing them to endpoints
• Can deploy patch servers for isolated systems
• Product available for free

Good

Released Microsoft Baseline Security Analyzer, a free tool that checks Windows systems for basic security configurations.

Good

Achieved Common Criteria security certification for Windows 2000, the first operating system to meet the standard.

Good

Windows Server 2003!
• By default, multiple services turned off
• By default, more secure security settings enabled or restricted – hundreds of them

Bad

300 million Windows users; 100 million of them still on Windows 95
• Designed in 1993, released 1995
• Designed for 386, tens of megahertz, 16 MB RAM
• Things like strength of encryption keys are based on capabilities of the machine
• “In practical terms the rate of evolution of the attack moves at the speed that the computer system evolves.” -- Craig Mundie, Microsoft technology chief, idg.net, March 12, 2002

Is that good design?

“It's like saying in conventional warfare that I think I know what the bombs and bullets look like; I'll go and build a bunker. It'll have one-foot thick walls and be eight feet under the sand. Then along comes a guy with a bunker buster bomb and, boom, you're dead. Did the guy who designed the bunker do a bad job? Well, he only designed for the capability of the threat he knew.”

-- Craig Mundie

Good

Released free security guide for Windows Server 2003, now available; 200+ pages
• http://go.microsoft.com/fwlink/?LinkId=14845

Windows 2000 Security Operations Guide (and other prescriptive guidance documents)
• http://msdn.microsoft.com/practices/

Almost 300-page free document, “Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP”

All accompanied by tools, templates and auxiliary documents.

Good

Attention of security researchers turned to systems other than Microsoft's; they found flaws there and published them too:
• BSD
• SSL
• Sendmail
• Cisco
• More…

Good

Many of these flaws are fixed now too.

Bad

We learned that some vendors are not so eager to fix flaws.

Some companies acted as if the problem was not theirs and have been less than forthcoming.

Good

More announcements of ‘security awareness, security training’ positions and programs in companies.

Bad

Lots of out-of-work security managers.

Bad

This was posted to a public forum last month:

“I broke into a bank kiosk”
• I changed the URI on the browser
• Firewall prompted for a password
• I clicked cancel
• It then connected me to the external location and let me browse
• I found a location of the corporate internal home page


Good

Cooperation between industry and government: sharing info on vulnerabilities, risks and attacks so that large-scale attacks on infrastructure can hopefully be avoided, or identified early so that the impact is minimal
• InfraGard
• Information Sharing and Analysis Centers (ISACs); for example, one for public utilities

Good

InfraGard chapters: over 5000 members. It is the most extensive government-private sector partnership for infrastructure protection in the world.

The FBI provides to InfraGard members, free of charge:
• information about cyber intrusions and vulnerabilities, shared through the formation of local InfraGard chapters and public websites, an alert and incident reporting network, local chapter activities, and a help desk
• a secure electronic communications capability for all InfraGard members

Good

The NIPC initiated the establishment of an Information Sharing and Analysis Center (ISAC) Support and Development Unit, whose mission is to enhance private sector cooperation and trust, resulting in two-way sharing of information and increased security for the nation's critical infrastructures.

ISACs represent the energy, telecommunications, information technology, banking and finance, emergency law enforcement, emergency fire services, water supply, food, and chemical sectors (and others).

Bad

If someone reveals a vulnerability, or cooperates by providing info, that is no guarantee that anyone will fix it. Who's responsible for the fallout?

Will you get sued?

Good

More companies are doing their own security initiatives, or at least talking about security:
• http://www.macromedia.com/devnet/security/articles/mmsecurity.html
• http://www.cisco.com/security/
• dozens more

Bad

Some sites: hard to find security contact information.

Some sites: hard to find security vulnerability information.

Security lip service != security

Good

Book on secure programming
• Michael Howard and David LeBlanc
• Writing Secure Code

Adaptation for college course
• Leeds University first to offer (sharing the lessons learned)

Bad

Using automatic update to the media player to add ‘ads’.

I shouldn't have to pay for being able to correct flaws in your software.

Why most of Corporate America will never benefit from it.

Some part of it will not be liked, so the whole thing won't be adopted.

It will be too restrictive

I can't control my own system, do what I want.

Fear

They'll track me on the web
• Security chip uniquely identifies the computer
• Who can identify the chip?

I can't run what I want

It's going to break my systems

Incompetence

Not implemented properly, so seen as not secure.

Legacy systems

Can't get rid of my thousands of applications

Can't get rid of old hardware

300 million Windows users; 100 million of them still on Windows 95

Misunderstanding

Double negatives in Microsoft security options

Multiple security recommendations, even within Microsoft

Expense

To develop
• New hardware must be developed

To implement
• Attitudes of users, management and IT must change
• New hardware and software must be purchased
• New skills must be learned

To maintain

Wrong Design Decision?

Shouldn't put into hardware what we don't understand.

Building security into the processor? We can't decide what security is. Otherwise we are doomed to failure.

Very hard to change.

Confused with DMCA

Some see it as a prescription from the Motion Picture Association of America, record companies and the like.

Seen as safer for copyright holders, less so for users and privacy.

Counter movements

Cable company Super DMCA: outlaws use of firewalls and other security efforts.

Passed, or a similar bill passed, in a handful of states; under consideration in many others.