The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

August 14th, 2008

Passwords Suck!

http://techbuddha.wordpress.com/2008/08/13/passwords-suck/

Indeed they do.
It's beginning to look like the point I've been trying to make for years, here and with clients, is finally getting some notice: the sad truth is that passwords are security theatre. They provide the illusion that you're securing something.

For those new here, I’ve long recommended Rick Smith’s excellent book on this matter:
“Authentication: From Passwords to Public Keys” ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html

Grandpa Rob Slade reviewed this, rather more kindly than some books he’s reviewed.
The author of the article recommends passphrases; a passphrase is easy to remember.
In “Password Expiration Considered Harmful” Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also ‘The Strong Password Dilemma’ and, not least of all, this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, “But that was in another country and besides, the wench is dead”). I fat-finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won’t flow from their fingers so readily.

On my home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I've used the same passphrase for over a decade. I can type it a LOT faster than a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don't even have to ‘say’ the passphrase in my mind, so even a telepath couldn't “sniff” it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I’m getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, it's crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford's blog entry on this. But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, how often do you change the lock on your front door?

July 19th, 2008

Why San Francisco’s network admin went rogue

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor or anyone with security training this screams of a security risk.
One critical guy with no backup, who has private and sole knowledge of the system, never takes vacations, and is arrogant and protective of his knowledge.
It's a classic case of what should be avoided. There are no management controls in place. He could have been running any number of illegal operations, scams or selling bandwidth to criminal groups, set up a virtual network … whatever. No-one would know. “Dual controls” are a fundamental for any critical operation - they are intended to prevent the abuse of privilege we see in this case, to divide the responsibility for the completion of a process into separate, accountable actions, or to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His ‘pride in his work’ and treating the network like a child also come across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco’s FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures (like change controls and documentation), standards and automation of processes is frightening. These are signs that an auditor should have caught long ago. The question is ‘why didn't that happen?’

As I said, his managers are at fault for letting this situation arise.
Once again it's the suit-geek dichotomy: because they don't want to know the technical issues and be involved in them, the managers let geeks like Terry Childs have free rein and don't institute basic controls.

So when they do have to rein him in — UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be better off without some of his managers too. What it does need is proper administration, of its networks and of its technical staff.

Forcing the issue may have impacted the city’s use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I’m cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

July 18th, 2008

Business Logic Flaws

Toronto - OWASP

This month's meeting was about layer 7 errors in web applications. Trey Ford was a fast-spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. It's another FMEA (failure mode and effects analysis) situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I'm on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending an OotO response to a mailing list message is dumb in the first place, but it's also a security issue. Some of these lists don't have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office”. It's amazing how easy social engineering can be.

Your company may mandate the use of OotO, but it's most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism, make sure you have it set up properly.

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.
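Setting an autoresponder up properly, as urged above, mostly means refusing to answer list and automatic mail. The following is an added example, not code from the original post or from Axel Eble's draft; it applies the checks that the published IETF recommendation RFC 3834 makes (Auto-Submitted header, reply to the envelope sender only, no reply to a null reverse-path) together with the RFC 2369/2919 List-* header conventions. The sample messages and addresses are constructed.

```python
"""Decide whether an out-of-office auto-reply may be sent: an added example,
not from the original post, applying RFC 3834's checks and the RFC 2369/2919
list-header conventions so a responder never answers list or automatic mail."""
import email

# List traffic markers (RFC 2919 List-Id, RFC 2369 List-* family).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help",
                "List-Subscribe", "List-Owner", "List-Archive")
BULK_PRECEDENCE = {"bulk", "list", "junk"}   # conventional list/bulk values


def auto_reply_decision(raw_message: str):
    """Return (should_reply, reason, reply_address).

    Per RFC 3834 the reply goes to the envelope sender (Return-Path), never
    to From:, and no reply is sent when the reverse-path is null (<>).
    """
    msg = email.message_from_string(raw_message)
    # RFC 3834: never answer mail that was itself generated automatically.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}", None
    for h in LIST_HEADERS:          # a reply here would reach the whole list
        if msg.get(h):
            return False, f"list header {h} present", None
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return False, f"Precedence: {prec}", None
    addr = (msg.get("Return-Path") or "").strip().strip("<>").strip()
    if not addr:
        return False, "null or missing Return-Path", None
    return True, "personal message", addr


# Constructed sample messages, not real traffic.
LIST_MSG = ("Return-Path: <discuss-bounces@example.org>\nFrom: member@example.com\n"
            "List-Id: Discussion <discuss.example.org>\nPrecedence: list\n"
            "Subject: question\n\nbody\n")
DIRECT_MSG = ("Return-Path: <alice@example.com>\nFrom: alice@example.com\n"
              "Subject: lunch?\n\nbody\n")
BOUNCE_MSG = ("Return-Path: <>\nFrom: MAILER-DAEMON@example.net\n"
              "Auto-Submitted: auto-replied\nSubject: Undelivered Mail\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("list", LIST_MSG), ("direct", DIRECT_MSG), ("bounce", BOUNCE_MSG)):
        print(name, auto_reply_decision(raw))
```

Only the direct message gets a reply, and it goes to the Return-Path address rather than to From:, which is also what stops a responder from being turned into a relay for forged senders.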

See also:
‘Out of office’ messages turned into spam relays

July 10th, 2008

How magic might finally fix your computer

http://redtape.msnbc.com/2008/07/cambridge-mass.html#posts

Charlatans don't bother creating detailed schemes for deception. They just have a feel for what fools people.

It's not about technology…

Bad guys have better people skills
Criminals usually don't bother learning all the ins and outs of the technology they exploit — they simply learn enough to be dangerous. But they spend endless hours understanding the people they plan to fool. Hackers long ago learned a short cut, what they call social engineering: Why spend years trying to hack into a bank when you can just ask an account holder to give you their name and password?

and not only that, but adding technology won’t fix things.

The technologists, on the other hand, tend to fight this battle with one hand tied behind their back. They generally spend most of their time studying technology, learning all its nooks and crannies from the ground up. They write careful research papers following the strict rules of scientific method. They must spend endless hours defending their findings against all comers, and they can't hurt anyone while conducting studies. They know the technology well, but they have little time to sit around understanding how people work.

I’ve been saying for over a decade that InfoSec qualifications should focus on psychology and sociology and business rather than technical matters, but exams & qualifications such as CISSP, CISA, CEH, and SANS focus on technical matters.

Part of this is “the metrics problem”. We focus on what can be measured, the “if you can't measure it, you can't manage it” myth that started with Taylorism and has been promulgated by people who only see the numbers side of Deming's principles. His “System of Profound Knowledge” advocated that all managers need to have a deep understanding of psychology and human nature. His famous “14 points” are about attitudes towards management of work, not about numbers; in fact he was against many ‘numbers’ such as quotas. He viewed managing by numbers to be a “deadly disease”, along with an emphasis on short term results (more number-keeping), and relying on technology to solve problems that are really based in the organization, management and psychology of the workplace and corporation.

So how do we actually manage? How do we evaluate people and their work? How do we grant certifications and issue awards? How do we solve our business problems?

The media says that InfoSec is a growing market. I wonder sometimes if that growth isn’t in the sales of appliances - throwing technology at the problem and resisting the changes that are really needed, changes in organization, attitudes and management.

May 30th, 2008

Collaboration Is Still a Singular, Personal Experience

http://www.baselinemag.com/c/a/Messaging-and-Collaboration/Collabortion-Is-Still-a-Singular-Personal-Experience/?kc=BLBLBEMNL052908STR3

The primary collaboration tool today is still what it was 10 years ago: sending an e-mail attachment with a PowerPoint deck or Word document back and forth between two or more parties. It is a serial form of collaboration: I put together my work product, send it to you, and you send back your thoughts or changes. It is fraught with problems: I have to wait to receive your revisions before adding my own, and if I don't agree with them, we pretty much have to start the process from scratch.
I have seen documents that had more changes and comments than the original text.

I’ve long been a supporter of Wikis and similar whiteboard tools.
There are now on-line shareable mind-maps and flow-charters.

But it requires a business change, and that's coming slowly.

We've been talking about the ‘paperless office’ for decades but we still think in terms of paper. Our sending Word documents back and forth illustrates this (not least of all when plain text e-mail would suffice). Many are hung up on PDF not because it's un-editable (I now always send out my key documents like resumes in PDF since I found recruiters were altering them!), nor because they render the same on different platforms (unlike HTML and very much unlike MS-Word), but because they look like the printed page.

Or perhaps not.

The media talks of “Gen-X” that lives with their ‘berries and IM.
Well Whoopie Dee! They make out that my (?our?) generation are technically lame. Not so! We place more emphasis on utility than toys.
My father, who would be in his 80s now if he had lived, was a MS MVP/Developer in his 70s and was much more of a gadgeteer than I am or ever was. I pioneered commercial applications of UNIX in the 70s, skipped MS-DOS and went to small systems UNIX from SCO and others, and was an early adopter of PDAs - the Newton. Many of the non-technical people my age that I know are tech-savvy; those who view me as an expert are all high level users.

And one thing about high level users - they use the technology for a function that is of value. No geekishness.

But one thing the author of this article forgets is that there are other social shifts. Whether they are the result of technology or not is beside the point. Intellectual and creative work is still primarily an individual activity and the ‘confluence’ is there to synchronise, organise and direct.

Databases, wikis, blogs, e-mail, IM, all the other tools are there to store and communicate. Many of them get around the problems of traditional tools like paper (“you can't grep dead trees”), physical presence, common language, different time zones and many others.

The article refers to “all those nifty Web 2.0 mashups” as if they were a Good Thing(R) on the one hand and then goes on to point out that they aren’t really about collaboration.

Perhaps one reason that tools like Lotus/IBM Notes and Microsoft’s Groove haven’t got much traction is that they don’t really reflect the way we work.

And there are many variations in the way we work - even as individuals, depending on context.

Once upon a time an executive of a telegraph company predicted that the telephone would never catch on because people would not tolerate the continuous interruption. I can’t imagine what he’d think of today’s environment with cell phones that double as cameras that double as personal juke-boxes and movie theatres.

We all know what the telecommunication companies think of ‘sharing’ using P2P and such legitimate alternatives to FTP as BitTorrent, as well as multiple users sharing a single connection.

April 25th, 2008

How not to hire a security executive who’s on parole

http://www.networkworld.com/news/2008/042308-how-not-to-hire-a.html?page=1

One of the first questions to ask during an audit is “Do you have Policy?” (which is part of the ISMS - see ISO-27001)

Then, after checking that for completeness and sufficiency, start checking whether it's communicated to staff and whether it's followed.

Since policy defines how an organization is to be run, this is the top-down approach. It's why bottom-up things like pen testing are a waste of time. The policy-driven approach ensures that there are processes and procedures in place, and it allows for metrics and for improvement of both the compliance and the detailed processes themselves (CMM etc).

See also “Who Ya Gonna Call?”
