David Matoušek (Matousec Transparent Security) shares his views on Internet security
Opening our series of interviews with security experts, David Matoušek, the founder and head of the Matousec Transparent Security lab, has agreed to answer our questions. Anyone who has ever compared and assessed personal firewalls and their protection qualities will benefit from reading the reports of this Czech-based team. Security vendors know Matousec best for its leak-tests; however, the team is involved in a number of different projects. Now let's give the stage to David Matoušek himself…
Q.: Hi David, the first question is: How did you get started? Could you tell us a few words about your team and its goals?
A.: Since high school, I have tried many times to establish or join a serious team for various projects. These attempts always failed. In college, I met more skilled people and decided to try to establish a team once more, this time with strict internal rules. It has been working better than before, but there have still been quite a lot of problems with people who overestimate their spare-time capabilities or enthusiasm.
From the beginning, we have focused on security on the Internet, especially on the related software for the Windows NT platform. We found out that none of the top desktop security products really achieved what its vendor promised. There were always easy methods to bypass some of its important functionality. And this was true not only for personal firewall products, which we chose to focus on a bit more. We decided to try to change this situation. So, our main goal has been to help create solid security products. Another goal is to reveal which vendors really care about their customers and which care about profit only. We would also like to help end-users choose the best products for them.
Q.: What made you become a security researcher, and how did you arrive at the idea of setting up a website that measures the performance of up-to-date security programs and maintains current scores of their robustness? Was that a pioneering project?
A.: In the computer world, there are countless extremely interesting topics. Security and the Internet, however, are also very current topics that have a real impact on many people today. Almost every computer owner deals with these topics. This is why one may become a security researcher.
Our website has been set up for various reasons. There are many factors connected to each other. We wanted not only to deal with vendors but also to offer something interesting to end-users. When you have something for end-users, you get the attention that is needed if you want to deal with the vendors. It is also an instrument you can use to put pressure on vendors in case they ignore you, because they may ignore you, but they can hardly ignore their customers who are interested in the software they use, support or pay for. All these things are connected and work well together.
A good and extensible scoring system is what makes it manageable to compare as many products as we want to. I have to admit that we did not come up with such a system at first. We have found a good way to deeply examine personal firewalls and related software, but the main problem is that it is extremely time-consuming to test a single product with it.
We fully recognized this when we started with leak-testing, which yields reasonable results much faster. Our original methods are good for extensive software testing, and we still use them for commercial testing, where they help us find many security holes in every tested product. But these methods are not suitable for comparing dozens of products. This is why we are working on a new testing system now, which should be ready in a few weeks.
The idea of analyzing and comparing security solutions was not new when we started, but our approach was. Most of the comparisons available even today are ad-like reviews by people who do not deeply understand the software they are testing.
We go to the lowest level, and that is what makes our research unique.
Q.: You conduct extensive research into firewalls' functionality. Can you name the top five features that should be present in every firewall of choice?
A.: It should be noted that the products we mostly focus on are not common firewalls. We work with products that implement process-based security; we call them personal firewalls.
There are many software firewalls that do not do that and just filter packets. These firewalls are not worse than personal firewalls; they are just a different kind of software, for a different kind of user. We require personal firewalls to include host protection features too.
Now, if it is clear what kind of products we are talking about, we can discuss what we expect from them.
In our opinion, personal firewalls should prevent spying and data and identity theft.
Naming the top five features: personal firewalls should implement packet filter functionality to prevent direct online attacks, i.e. not to let malware get in. Personal firewalls should control the software installed on the computer to prevent malware from integrating into the operating system.
Then the malware should not be able to get the user's private data, thus anti-sniffing, anti-keylogging and personal data protection features should be implemented too. And even if the malware succeeded in collecting the information, it should not be allowed to send it outside the protected system, and this means implementing outbound network traffic control.
Achieving all this is a much harder task than it seems. The protection system also has to prevent attacks on trusted processes and other components in the system. Otherwise, the malware would be able to use trusted parts of the system to integrate into the operating system, to collect or steal sensitive data and/or to send the data outside the system without being noticed. So the next feature required here is control of untrusted processes' activities, and that is the hardest task for personal firewalls. It also includes the implementation of self-protection mechanisms, because the malware should not be able to terminate the protection, which implies some other features to be implemented, and so on. It is very difficult to design and implement a solution that really works.
Q.: Do you have any other plans besides assessing security programs for their protection, maybe an operating system analysis roundup from the security perspective?
A.: Security software testing might be the most visible activity of our group, but in the background there are many other activities. We work closely with several software vendors, for which we do security research related to the software they develop; we also help design security software; we provide consulting; and we also do our own research, including vulnerability discovery.
Q.: You say throughout your pages that you are preparing a new set of tests for the future, one of the most demanding and hardest to pass. In this context, two questions:
a) What is the main goal of this change? Would you like to make the new tests more strenuous?
b) What kind of tests are they going to be, and what kind of protection are they going to analyze?
A.: I have already mentioned that our original system was too heavy for testing dozens of products. On the other hand, there is the leak-testing approach, which is very easy and fast.
We are going to combine these two strategies into a solid testing system. We will base the system on small testing programs, very similar to leak-tests, but we will also cover many parts of what our original system examined. We believe that this approach will allow us to test as many products as with leak-testing and cover many more features than leak-testing does.
Another thing is that the current leak-testing is no longer manageable. Many of the leak-tests do not work anymore without proper hacking. For example, some of them rely on Internet servers that do not exist anymore. Transparency is another reason for new tests. Many current tests are available in binary form only, and one can only guess what they really do. We want to recode all techniques from scratch and provide the source code for free. We will also try to unify the usage of the testing programs as much as possible. Recoding the tests has another positive impact, too. Once we know how each test really works, we can remove duplicates and possibly improve the techniques of the tests.
All this should result in much easier, faster, more efficient and more transparent testing.
In the long term, we would like to cover as many features of personal firewalls as possible. Our new system should be flexible enough to allow adding new tests later. We will start with a set of leak-tests, probably supported by some self-protection tests. We would like to have stability tests, later also performance tests, sniffing, spying and keylogger protection tests, etc.
We will also be open to ideas from other security researchers. If someone comes up with a new idea for tests, we will be happy to implement it and include it in our system. In fact, we have already received a few new ideas.
It should be noted, however, that such generalized tests will never be able to examine all aspects of the tested products. So even if we try to cover as many features as possible, vendors should always find testers who examine their solution more deeply and thus reveal details that can never be found using the generalized tests that we will use for our public testing.
Q.: What, in your opinion, are the most promising security technologies of the near future, and how do you think the security industry should evolve to address the threats that are obviously getting out of hand?
A.: As for desktop security products, we are involved in several projects, but I cannot give you the names. Among these, there are a few brand-new ideas that might work very well against today's malware. This is also a good way to go in the security industry in general: to implement and use new ideas and to get rid of old, insecure technologies. We should not be afraid of big steps that may hurt at first but may bring excellent results in the long term. Take IPv6 (Internet Protocol version 6) as an example of this.
On the other hand, there are many deeply rooted technologies that are insecure by design and should not be used at all. Again, these are used because people are afraid of big steps. Examples of such technology are today's credit cards or today's email service. The biggest security problems exist precisely because of the use of old, deeply rooted technologies that we are scared to replace.
Q.: In your regular activity, do you personally use security software, and what types of it?
A.: Personally, I base my PC security on encryption, virtualization and the use of alternative software products. There are many high-quality and often free products that can be used for this purpose. I also use various utilities for system monitoring, including custom-made tools, and, finally, I use a packet-filtering firewall. However, I would not recommend this configuration to anyone who is not familiar with the system internals.
Q.: Do you frequent other Internet security sites and forums, and how much collaboration does your team have with other prominent security groups?
A.: Unfortunately, there is no time left for this. Naturally, we are interested in the results of other security-related sites, including underground e-zines, and if relevant content is published, we eagerly study it. But no regular contribution to other sites or forums is possible because of the lack of time.
Q.: Our site is for regular Internet users who want to know more about Internet security. What is your advice to them, and where do you think they should look to attain a better, more sound security stance?
A.: To understand Internet security topics, it is crucial to understand how each part of the Internet works. Such knowledge should start with understanding the operating system.
This would help common users use their computers more safely and would also help dispel many false beliefs about system security. Another important thing is to understand how the Internet works as a network, especially the Internet protocols.
A lot of good information is available freely on Wikipedia, which is also great for its objectivity and understandability. Usually, Wikipedia articles also link to other information sources on the selected topic, so it is definitely a good site to start with.
I would also like common users not to be afraid to put pressure on the vendors of the software they use, especially in the case of commercial software.
Q.: Thank you for your answers, David! And best luck with your security projects!