The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

August 14th, 2008

Passwords Suck!

http://techbuddha.wordpress.com/2008/08/13/passwords-suck/

Indeed they do.
It's beginning to look like the point I've been trying to make for years, here and with clients, is finally getting some notice: the sad real truth is that passwords are security theatre. They provide the illusion that you're securing something.

For those new here, I’ve long recommended Rick Smith’s excellent book on this matter:
“Authentication: From Passwords to Public Keys” ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html

Grandpa Rob Slade reviewed this, rather more kindly than some books he’s reviewed.
The author of the article recommends passphrases - a passphrase is easy to remember.
In “Password Expiration Considered Harmful” Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also ‘The Strong password dilemma‘ and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, “But that was in another country and besides, the wench is dead”). I fat finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won’t flow from their fingers so readily.

My home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I've used the same passphrase on for over a decade. I can type it a LOT faster than a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don't even have to 'say' the passphrase in my mind, so even a telepath couldn't "sniff" it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I’m getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, it's crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford’s blog entry on this.  But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, how often do you change the lock on your front door?

May 30th, 2008

Collaboration Is Still a Singular, Personal Experience

http://www.baselinemag.com/c/a/Messaging-and-Collaboration/Collabortion-Is-Still-a-Singular-Personal-Experience/?kc=BLBLBEMNL052908STR3

The primary collaboration tool today is still what it was 10 years ago: sending an e-mail attachment with a PowerPoint deck or Word document back and forth between two or more parties. It is a serial form of collaboration: I put together my work product, send it to you, and you send back your thoughts or changes. It is fraught with problems: I have to wait to receive your revisions before adding my own, and if I don't agree with them, we pretty much have to start the process from scratch.
I have seen documents that had more changes and comments than the original text.

I’ve long been a supporter of Wikis and similar whiteboard tools.
There are now on-line shareable mind-maps and flow-charters.

But it takes a business change. And that's coming slowly.

We've been talking about the 'paperless office' for decades but we still think in terms of paper. Our sending Word documents back and forth illustrates this (not least of all when plain text e-mail would suffice). Many are hung up on PDF not because it's un-editable (I now always send out my key documents like resumes in PDF since I found recruiters were altering them!), nor because PDFs render the same on different platforms (unlike HTML and very much unlike MS-Word), but because they look like the printed page.

Or perhaps not.

The media talks of "Gen-X" that lives with their 'berries and IM.
Well Whoopie Dee! They make out that my (?our?) generation is technically lame. Not so! We place more emphasis on utility than toys.
My father, who would be in his 80s now if he'd lived, was an MS MVP/Developer in his 70s, and much more of a gadgeteer than I am or ever was. I pioneered commercial applications of UNIX in the 70s, skipped MS-DOS and went to small systems UNIX from SCO and others, and was an early adopter of PDAs - the Newton. Many of the non-technical people my age that I know are tech-savvy; those who view me as an expert are all high-level users.

And one thing about high level users - they use the technology for a function that is of value. No geekishness.

But one thing the author of this article forgets is that there are other social shifts. Whether they are the result of technology or not is beside the point. Intellectual and creative work is still primarily an individual activity and the ‘confluence’ is there to synchronise, organise and direct.

Databases, wikis, blogs, e-mail, IM, all the other tools are there to store and communicate. Many of them get around the problems of traditional tools like paper ("you can't grep dead trees"), physical presence, common language, different time zones and many others.

The article refers to “all those nifty Web 2.0 mashups” as if they were a Good Thing(R) on the one hand and then goes on to point out that they aren’t really about collaboration.

Perhaps one reason that tools like Lotus/IBM Notes and Microsoft’s Groove haven’t got much traction is that they don’t really reflect the way we work.

And there are many variations in the way we work - even as individuals, depending on context.

Once upon a time an executive of a telegraph company predicted that the telephone would never catch on because people would not tolerate the continuous interruption. I can’t imagine what he’d think of today’s environment with cell phones that double as cameras that double as personal juke-boxes and movie theatres.

We all know what the telecommunication companies think of ’sharing’ using P2P and such legitimate alternatives to FTP as BitTorrent as well as multiple users sharing a single connection.

April 25th, 2008

Are these "Top 10" dumb things or not?

At "10 dumb things users do that can mess up their computers", Debra Littlejohn Shinder brings up some interesting common failings. Let's look at her list, because I have a different take.

#1: Plug into the wall without surge protection
#2: Surf the Internet without a firewall
#3: Neglect to run or update antivirus and anti-spyware programs
#4: Install and uninstall lots of programs, especially betas
#5: Keep disks full and fragmented
#6: Open all attachments
#7: Click on everything
#8: Share and share alike
#9: Pick the wrong passwords
#10: Ignore the need for a backup and recovery plan

Well, they seem interesting, but …
The big “but” gets back to one of my favourite phrases:

Context Is Everything

Very simply, in my own context most of this is meaningless. It may well be in yours as well.

Let's first look at the stated and unstated context, which should have been made clear up front.

The author mentions Windows XP a couple of times without making it clear which version, and only a passing reference to other versions of Windows. There is no mention of any other operating systems, Mac OSX, Linux, BSD, OLPC, or even embedded systems in PDAs. I can surf the net with Trusty Old Newton. More on that in a moment.

She also fails to mention the context in which the computer is being used. Is this a home personal system, a home office system, a small business or a larger commercial enterprise with its own IT and InfoSec departments? This matters not only from the point of view of meeting these points but of legal ramifications.

Many of us in InfoSec use the terms “diligence” and “care”. We usually omit the word “due” so as to avoid the legal meaning and the gunnysack of baggage that gets dragged in. ‘Diligence‘ means a constant and earnest effort and application. ‘Care‘ means the effort is serious and devoted. Neither of these terms are used in the article. However one would reasonably expect these to be part of the approach in business of any kind or even in a home setting where personal assets need to be protected and perhaps children to be cared for. The author fails to mention this too.

Plug into the wall without surge protection.

I’d rate this as ‘necessary but not sufficient’ for a number of reasons.
First and foremost the author does not make it clear that a UPS and a surge protector are not the same thing. Yes, many UPSs include surge protection, but think about these two things for a moment.

  1. You can have surge protection but still lose data when the power fails.
    This isn't just about the work that you've done since the last 'save', although losing that can be serious. That loss of power may occur at a critical point for the hardware causing corruption of the file system (disk drive, networked or USB). It is almost certainly going to cause a loss of your train of thought, and that may be very serious.
  2. Surge protection wears out.
    Most people are unaware that surge protectors have a limited life and it's not measured in time but in how much energy (aka surges) they have to absorb. So one day your surge protector isn't going to protect you any more. FINIS. Game Over. The surge gets through and your machine is toasted.
    How do you know when your protector has used up its surge capacity? Generally you don't, though some newer ones do have an indicator.
    What can you do about it? Not a lot, except buy a new one.

That’s why I like using a high-end laptop as a workstation. The power-brick and the battery do protect against surges and the battery acts as UPS. Sort of.

But please note that not all UPSs are created equal. It's not just about battery power. I'll save that for another article.

Surf the Internet without a firewall.

While this is good advice in general, the specifics are the killer.

My firewall is a separate machine, an old HP Vectra P1 with 256Meg of RAM, a 30Meg disk and a CD reader. If you feel so inclined you could probably pick up something like this from the Salvation Army for about $10.
I run the IPCop firewall on it. I've run other firewalls including the Mandriva MDF with its sophisticated GUI. I loved playing with Shorewall, which is one of the most flexible open source firewalls I've met. But IPCop is small, fast and reliable. It has plugins for caching and for handling Dynamic DNS, as well as many other functions if you choose to install the plugins.

Why have I chosen to run a separate firewall rather than the software or modem based approach that the author of the article suggests? There are many reasons, but prime among them is the principle of Separation of Duties. I'm a firm believer in the idea that each thing should do just one thing and do it well, and the idea of a 'security appliance' or of running the firewall on the host (i.e. the target) doesn't appeal to me.

Perhaps there should be a “solely” in there.

Neglect to run or update antivirus and anti-spyware programs

This is another “Context is Everything” situation.

At home, even though I have an 'always on' broadband connection, I have a Linux based firewall and all my servers and laptops run Linux. It's not that Linux is guaranteed 100% protection against all forms of malware, but at least it's not the highly vulnerable situation of Windows that necessitates running AV software.

And let's face it, as Bob Bergener at VMyths points out, AV software is getting less and less effective while each new cycle of malware is getting more capable, more aggressive and more insidious.

But it's not just me and it's not just Linux. I have a number of high profile clients who put AV software on their corporate laptops and workstations … but it is disabled. It's there, I'm forced to conclude, to satisfy the auditors. However these organizations don't suffer from malware attacks for other reasons, most notably that they have strict control over outside access. For the most part, there is none. Internal users are not allowed to use the Internet except under special conditions. Incoming and outgoing mail is aggressively filtered.

We’re beginning to see this kind of access control with products from Ironport (Cisco) and Proofpoint. These are “appliances” more available to smaller sites. In all probability most users of these products aren’t going to use their full capability and will still want another layer of protection against malware.

Sadly, the most effective one is the one that is weakest and is also the most easily subverted. It's user awareness and discipline. Don't open unexpected attachments, download and run strange programs, or visit dubious sites. See below.

Please don't think that I'm saying having a firewall is an excuse for not keeping your software well maintained. There are many reasons for keeping up to date quite apart from making the software attack-proof. The mantra "If it ain't broke, don't fix it" is not a reasonable stance with something as complex as software. It may be broken in ways that you don't see or haven't seen yet. This is quite different from choosing not to apply a change because you've analyzed it and determined that it is not appropriate.

And let's not forget that a firewall has lots of limitations - most are designed to protect the internal network from the outside world and assume that the internal network is trustworthy. Hence it's no use at all if an internal machine is infected by some other means.

Install and uninstall lots of programs, especially betas

I was at IT360 and heard David Rice, the author of “Geekonomics” speak on software quality. One point he made was that the large software vendors treat all users as the “beta testers” for their products. He says:

“Software buyers are literally crash test dummies for an industry that is remarkably insulated against liability, accountability, and responsibility for any harm, damages or loss that should occur because of manufacturing defects or weaknesses that allow cyber attackers to break into and hijack our computer systems.”

So while this point may be a good one, we are all on the roundabout and can’t get off.

Keep disks full and fragmented

This is a meaningless and unhelpful generalization.

Firstly, I see an amazing amount of nonsense published about de-fragmentation. It warrants a posting and discussion in its own right, but please, don’t buy into this myth.

The second thing is that I DO keep a disk full and never run de-fragmentation on it. But then I have my hard drives partitioned. One contains the operating system, just what is needed to boot; another contains the system and libraries. These are pretty full and apart from the upgrades and occasional patches (which are less frequent and less extensive with Linux than Windows) there is very little "churn" on these partitions. I can leave them almost full. This includes auxiliary programs where I keep on-line documentation ("manual pages") and things like icons, wallpaper, themes and so on.

Next up is the temporary partition - /tmp in Linux parlance. It's the scratch workspace. It is cleaned out on every reboot and by a script that runs every night, but most programs clean up their temporary files after themselves. This partition looks empty most of the time. There's no point de-fragmenting it and no point backing it up.

Another few partitions deal with what can be termed “archives”. These may be PDFs of interest or archived e-mail. Backup of these is important but they are in effect ‘incremental’ storage so there is no ‘churn’, just growth, so de-fragmentation is completely irrelevant.

So what’s left? Partitions that deal with “current stuff”, development, writing, so forth. These are on fast drives, aggressively backed up, and use journaled file systems for integrity.

But overall I simply don't do ANY de-fragmentation. I think it's a waste of time for a number of reasons.

The first is that it simply makes no sense in any of the contexts above. The second is that given high speed disks and head activity and good allocation strategies in the first place, its not going to help.

The third and most significant is that since I use volume management software it can’t possibly help.

I use LVM on all my Linux platforms to manage disk allocation. If you read up on it you’ll see that it means that a contiguous logical volume may not correspond to a contiguous physical allocation on the disk. Since LVM subsumes RAID as well, it may not even be on a single physical drive.

Now, after reading that article, speculate about how I do backups :-)

Open all attachments

Good advice at last! Sadly human nature seems perverse. People seem to be sucked in to reading attachments and visiting dubious web sites (see below) and admonitions don't seem enough to change their behaviour.

Perhaps evolution has failed us; perhaps we need a Darwinian imperative so that people foolish enough to do this can no longer contribute to the gene (or is it meme?) pool.

Click on everything

More good advice, more efforts to overcome human stupidity.

Share and share alike

Context is everything

Oh dear. This doesn’t make sense any more. To be effective in business you do need to share data. I don’t need to go into detail, but I will mention that most businesses need a web site to share information with customers, prospects and investors.

There are now many web-based businesses based on sharing: Flickr, Facebook, LinkedIn and the like.

And let's not forget that the whole "Open Source" model is about sharing.

Pick the wrong passwords

There are two things I object to here.
The first is the hang-up with passwords. They are, to coin a phrase, “so twentieth century“.

The problem isn’t dreaming up passwords - we get nonsense like this:

Help users create complex passwords that are easy to remember

Let's face it, there's no real problem dreaming up passwords.
Certainly not for me. I had to learn by heart poems and passages from famous works, chunks of Shakespeare and that kind of thing at school. I can always pull out something, take first letters, mangle them however.

But the real problem, whether you have this repertoire or whether you use a generator software tools, is remembering them. Oh, and forgetting them when you have to change them. Oh, and knowing which one applies where.

This is the point that Rick Smith makes in his book, "Authentication", and is why people write down passwords or use passwords that are essentially mnemonics or use the same password for many situations.

Twenty years ago I only had to deal with a few passwords; now I have to deal with hundreds. Almost every web site I visit demands that I log in.

We have reached a point now where using 'strong' password technology is becoming a liability and using passwords is in and of itself an increasing risk. The likelihood that a new employee will re-use a password he's used on a public web site for his corporate login is high. The load on his memory is just too great. This is why there is a market for software that remembers your passwords. But how portable is it? USB drives, you say? I seem to lose USB drives with alarming frequency.

So, how happy are you with doing financial transactions over the Internet using just a password as authentication, even if it is over an SSL connection? I'm not very happy. This is a subject that deserves a long blog article in its own right, but let's just point out that banks in Canada and the US have chosen not to use the more secure "two factor" and "one-time password" authentication systems that are normal for European and Scandinavian banks, and so have put their customers at risk. Not all the risks have to do with the Internet connection.

Some banks have moved to what they call "two factor" authentication. Well, it certainly isn't really what the security industry calls "two factor". At best it might be called 'two passwords' - instead of asking you just for your password they will ask for the password and then one of a set of previously agreed questions like "what was the colour of your first car". It gives the illusion of security, but it's just a double-password. Compare it to having a lock on your screen door and your front door. If the thief comes in by breaking a window or by stealing your keys (or the book you have your passwords written down in since you have so many of them!) then this doesn't help.

Real "Two-Factor" authentication uses two different kinds of thing. A password is "something you know". The colour of your first car is also something you know. It's also something other people can know.

A real second factor would be "something you have" like your bank Client Card, which you use with your personal identification number (P.I.N.), which is "something you know". Both have to be used together. Someone might know - or guess - your PIN without you knowing about it, but if you lose possession of the card you do know about it.

Another factor is “something you are” - biometrics. Recognition of your fingerprint or iris along with a password.

Of course these more secure methods require more technology which is why most web sites fall back to the only thing they are sure you have - a keyboard.

Rick Smith's book is …
"Authentication: From Passwords to Public Keys" ISBN 0201615991

See his home page at http://www.smat.us/crypto/index.html
He refers there to ..

A companion site, The Center for Password Sanity, examines the
fundamental flaws one finds in typical password security policies
and recommends more sane approaches.
http://www.smat.us/sanity/index.html

See also ‘The Strong password dilemma’ at http://www.smat.us/sanity/pwdilemma.html

And not least of all the cartoon at http://www.smat.us/sanity/index.html

Seriously: go read Rick Smith’s book.

There is a lot of nonsense out there about passwords and a lot of it is promulgated by auditors and security-wannabes.

Ignore the need for a backup and recovery plan

As you can see above, I’ve made things easy for backups.

One reason for this is that the real problem is not having a backup and recovery plan; it is the doing of it, making it a habit, a regular part of operations.

That is one reason most larger organizations use centralized services, so that the IT department takes care of backups. It's a major incentive for "thin clients" where there is no storage at the workstation that needs to be backed up.

It's also one reason that I partition my drives, so I can identify what is 'static' and what is 'dynamic'.

One of my great complaints about Microsoft Windows is that everything is on the C: drive. I very strongly recommend partitioning your drives. Having a D: drive and remapping your desktop and local storage there makes things so much easier. It also helps to have a separate partition for the swap area and for temporary files. Sadly, while this is possible and is documented (search Google for details), it's not straightforward. Which is sad, because it is a very simple and effective way of dealing with many problems. Not the least of which is that you can re-install Windows without over-writing all your data.

January 18th, 2008

Wake-up Business! The cybercriminals have embraced the open source

http://www.theregister.co.uk/2008/01/17/globalization_of_crimeware/

… In many respects, malware creation mimics open source communities, in which legions of programmers spanning the globe tweak one another's code to add new features and fix bugs.

So what happened to the proverbial socially maladjusted hacker in the back room eating Twinkies and drinking Jolt?

"It seems somewhat different than the standard way of thinking of a hacker," says Thomas Holt, a professor of criminal justice at the University of North Carolina at Charlotte, who presented his findings Thursday to military and law enforcement officials at the US Department of Defense's Cyber Crime Conference. Crime groups "are looking to one another for assistance. It's no longer just a single person distributing malware. Now there appear to be groups and there appears to be a distribution of labor."

And this when so many ‘mainstream’ companies are finding reasons to avoid using open source. No doubt they will misunderstand and use this as another reason.

January 16th, 2008

What did I say about buffer overflow?

http://aluigi.altervista.org/adv/quicktimebof-adv.txt

You’d think by now … after all, SC Magazine, at least in the print edition, lists the “top 5 attacks” used by US and foreign hackers, and ‘overflow’ attacks have been in the number 1 or number 2 slot for as far back as I can remember.

I keep going on about how the Morris Worm brought this to the public attention TWENTY years ago. I keep going on about how I continue to meet programmers of varying maturity, not just the ones fresh out of college, who are unaware of this kind of programming flaw - along with many other flaws and egregious habits.

I suspect what we have is the old phenomenon of assigning junior (aka inexperienced) coders to doing the maintenance programming. Why else would this kind of bug be introduced into a mature product?

Did I say ‘introduced‘? Perhaps it was there all along, which is even worse, since it means it took this long to discover it.

December 7th, 2007

Green at home

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9045738&pageNumber=1

The computer magazines are full of "green" and IBM is running adverts about green that are painting the server room walls green. Green is obviously one of the hot IT buzzwords.

But what about home computing?

With the advent of DSL and cable internet many homes are running “always on” internet. This is a big “multiplier”.

Those of us who are smart have a firewall at the CPE doing the ‘always on’ part. I also have a server that uses fetchmail to fetch the mail from all the mailboxes I have around the world, so limiting my exposure.

While there are very low energy consumption machines like the Asus or solar powered laptops or very low power hacks this is all leading edge stuff. Many homes are running “legacy” equipment.

My firewall, for example, is an old HP Vectra desktop. It also makes a nice support for my monitor. The monitor is ‘Energy Star’ compliant and powers itself down. My server and laptop are more modern and have energy saving features. Since I run Linux I make use of ‘powersave‘ to use the BIOS to throttle the CPU and shut-down disk activity.
Similar features exist for Windows.

The issue is “how many people use them?”

It would be nice for the green advocates if machines shipped with powersave features turned on, but it's also easy to imagine grandma at her PC pecking out the letters while sending e-mail, pausing to think what to say next and seeing her screen go blank. Panic sets in.

Ah, awareness. Always an issue.

So what does this have to do with security?
Well, apart from grandma panicking, this is one more thing that can affect issues such as availability. While a battery-conserving road-warrior will tolerate the delay of disk start-up, it's not appropriate in many other settings. Certainly not in a server farm!

Often the IT world can become obsessed with issues that are tangential to its main focus. Being Green should be a corporate strategy, one that is systemic. There are many other ways that a corporation can cause energy to be consumed other than its own electrical demands.

Telecommuting might seem a good idea but do work out the details. Is it more energy efficient for workers to come to an office and turn their own home energy demands down? Crunch the numbers. It may be less expensive for the company, allow it to have smaller premises and energy demands, but all it's doing is offloading its energy demands onto its telecommuters. Good for its own profits but short-sighted with respect to the community at large.

And “going green” by telecommuting has its own InfoSec risks!

November 30th, 2007

Security awareness: another reason to avoid HTML mail

On the face of it, this looks like a perfectly reasonable message with a perfectly reasonable URL from a perfectly reasonable address:

Dear Workopolis member,

Workopolis Technical Department requests you to complete Online Employer
Form.
This procedure is obligatory for all clients of Workopolis.
Please select the hyperlink and visit the address listed to access
Online Employer Form.

http://www.workopolis.com/database/employer_form

These instructions are to be sent to all Workopolis members.
—————————————————————
Copyright © 2007 workopolis.com. All Rights Reserved.

In reality, it's HTML mail that is used to hide the real URL.
What I’ve shown in plain text above reads like this in HTML:

Please select the hyperlink and visit the address listed to access
Online Employer Form.


http://www.workopolis.com/database/employer_form?

What’s really there is http://www.workopolis.com.ieooo2.xz.cn/database/employer_form?session==79414285156108018779442998768454048168113142102426838

As you see, what you see and what you get aren’t the same.

My spam detector, SpamAssassin, is smart enough to spot this.
It's really crude spam!

X-Spam-Report: * 1.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
  * 2.9 RM_hm_EmtyMsgid Message ID is empty, or just spaces - probable spamsign
  * 0.1 SPOOF_OURI URI: URI has items in odd places
  * 2.5 SARE_SPOOF_COM2COM URI: a.com.b.com
  * 2.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: ieooo2.xz.cn]
  * 1.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts

But the really important thing is that a HTML message can hide reality.
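As an added example (not part of the original post), here is a small Python check that does mechanically what the reader's eye cannot: it pulls every anchor out of an HTML body and compares the host shown in the visible link text with the host the href really points at, and it also flags the a.com.b.cn shape that the SARE_SPOOF_COM2COM rule in the report above reacts to. The sample message is constructed from the Workopolis phish quoted above; the two hostnames are the ones shown in the post, and the honest first link is added for contrast.

```python
# Added example (not from the original post): extract every anchor from an
# HTML mail body and compare the host the reader SEES with the host the
# link actually goes to.  The sample message below is constructed from the
# Workopolis phish quoted in the post; the hostnames are the ones shown there.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Labels that look like a top-level domain; finding one in the MIDDLE of a
# hostname (www.workopolis.com.ieooo2.xz.cn) is the a.com.b.cn spoof shape.
TLD_LIKE = {"com", "net", "org", "gov", "edu"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; tolerate link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def link_warnings(href, text):
    """Return the reasons an anchor looks deceptive (empty list = looks honest)."""
    warnings = []
    real_host = host_of(href)
    shown = text.lower()
    # The visible text is itself a URL or bare hostname: the reader believes
    # it, so it must match where the href really goes.
    if shown.startswith(("http://", "https://", "www.")):
        shown_host = host_of(text)
        if shown_host != real_host:
            warnings.append(
                f"visible host {shown_host} differs from real host {real_host}")
    # a.com.b.cn style: a TLD-looking label buried inside the host.
    labels = real_host.split(".")
    if any(label in TLD_LIKE for label in labels[1:-1]):
        warnings.append(f"TLD-like label inside host {real_host}")
    return warnings


def scan_html_mail(html):
    """Return [(href, visible_text, warnings)] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, link_warnings(href, text)) for href, text in parser.links]


# Constructed sample: one honest link and the hidden-host link from the phish.
SAMPLE_HTML = """<html><body>
<p>Dear Workopolis member,</p>
<p>See <a href="http://www.workopolis.com/">http://www.workopolis.com/</a> for details.</p>
<p>Please select the hyperlink and visit the address listed to access Online Employer Form.</p>
<p><a href="http://www.workopolis.com.ieooo2.xz.cn/database/employer_form?session==79414285156108018779442998768454048168113142102426838">http://www.workopolis.com/database/employer_form?</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, warnings in scan_html_mail(SAMPLE_HTML):
        verdict = "SUSPICIOUS" if warnings else "ok"
        print(f"{verdict:10} shown={text!r}")
        print(f"{'':10} real={href!r}")
        for w in warnings:
            print(f"{'':10} - {w}")
```

Run against the sample, the first link comes back clean and the second gets two warnings: the visible host www.workopolis.com is not the real host www.workopolis.com.ieooo2.xz.cn, and that real host carries "com" in the middle of its labels. The check only looks at anchors whose visible text is itself a URL; a link whose text is "click here" can't be compared this way, which is exactly why a plain-text MUA that shows the raw href is the simpler defence.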

Why do I mention this? For most of us its obvious.

Well, at a recent ISSA meeting I spoke with another CISSP, a security manager with a local organization that has an operating budget of over 200 Million dollars. All their internal mail is "HTML" - he says that's the standard, so the MUAs read mail as HTML by default. Mail from him is in proper MIME format, with the text part as well as the HTML part. I pointed out that this means his organization is paying extra for storage and that it gets multiplied when mail is cc'd. He just said "well, it's the corporate standard".

Now the corporation may not care that its paying extra for all that storage, after all, storage is cheap.

But humans have always been the weak link. Someone might get mail like this and click on the URL. We’ve been telling users for years not to open unsolicited attachments, but they still do. Why would we think they won’t click on URLs in mail messages.

The reasons my colleague at the ISSA offered included “HTML offers formatting options that our users require. Plain Text does not.” But that was with no explanation of why they might need those options.

Personally I think that’s a specious answer. For EVERY message? We do fine here with plain text.

HTML mail represents a risk. Users need to be educated to realize that. A baseline policy of "all mail should be HTML" also means all readers default to HTML and so can hide what's really in the message. Not least of all, there have been bugs in the HTML rendering code in the past that have led to exploits. Does anyone really think that users won't click on the URLs in mail from the outside?

Perhaps you also need a front-end ’sanitizer’ like http://www.impsec.org/email-tools/procmail-security.html
or http://mailtools.anomy.net/ which is the one I recommend.

Perhaps you need to be wary about MIME e-mail in general, both HTML mail and attachments.

November 22nd, 2007

“Who ya gonna call?” Certainly not qualified experts!

This from a Friend in Australia:

The Australian Government is wasting over $100 million on “free” “Internet content filtering” software for home computers (http://www.netalert.gov.au/), and in the latest move, the opposition - which stands a very good chance of becoming the government after Saturday’s election - is now taking advice from a 16-year-old kid on its Internet policy (see
http://www.smh.com.au/news/web/schoolboy-whiz-helps-draft-labor-cyber-policy/2007/11/21/1195321833867.html
).

Security theater of the highest order. Words fail me.

“Security theater”? That’s one of Bruce Schneier’s lines. I’m surprised he hasn’t mentioned this at his blog.


September 28th, 2007

Why I don’t see the need for elaborate Risk Analysis

http://www.informationweek.com/news/showArticle.jhtml?articleID=202101781

Convicted hacker Robert Moore, who is set to go to federal prison this
week, says breaking into 15 telecommunications companies and hundreds of
businesses worldwide was incredibly easy because simple IT mistakes left
gaping technical holes.

“It’s so easy. It’s so easy a caveman can do it,” Moore told
InformationWeek, laughing. “When you’ve got that many computers at your
fingertips, you’d be surprised how many are insecure.”

Even before I took up auditing as a profession every client I dealt with had glaring errors and omissions in their security arrangement, be it physical, logical or documentation.

Yes, this includes divisions of banks (brokerage firms were the worst).
Most of the horror stories would be familiar to people who read and contribute to security forums and blogs. This is what is, when it comes down to it, really astounding. The omissions from the ‘baseline’ of good practice cover obvious issues like documentation (so as to span the employment of different sysadmins and communicate within the IT group); restriction on access to the root password (especially for developers); not doing development on the production machine/database; backups that reflect the business and not just the convenience of the hardware/sysadmin; documenting (and hopefully approving!) changes; actually installing and configuring the firewall, which, of course, assumes there is policy which reflects the business needs rather than the ‘best guess’ of the sysadmin to determine how it’s going to be configured.

And so on and so on.

So it gets to be, if you’ll pardon the analogy, like worrying over the diseases of civilization like Alzheimer’s, Osteoarthritis/Osteoporosis, ALS, Macular degeneration, diseases due to over-rich diets, Senescence in general, when you don’t have an adequate diet or clean water to drink.

“Standards” like ISO-17799/27001 and ITIL aren’t trying to do anything more than lead people through a process to make them deal with the basic good practices. When they talk of things like Risk Analysis they are trying to get people to think about risk and their risk posture, and that is, all too often, sadly, something most firms don’t seem to have got around to.

Judging by what I see people asking - as well as asserting - on other forums about security and risk, most of the IT industry is in a bad way and doesn’t even know it. Of course the dominance in IT departments of the techie-geek-and-proud-of-it who has a dislike for ‘suits’ means that there is an unhealthy obsession with equipment (rather than business processes) as assets, and with identifying and enumerating individual threats and vulnerabilities rather than their effect - as classes - on the business processes and how to mitigate or recover from those effects. (In other words FMEA. You knew I was going to get around to saying that, didn’t you :-) )

Let’s worry about the baseline before we try to address the esoteric.

September 4th, 2007

You can Build a $2,500 supercomputer - but what can you do with it?

http://blogs.zdnet.com/storage/?p=184&tag=nl.e539

Years ago, David Cheriton and others built a distributed OS - THOTH I think it was called - and the HARMONY extension to UNIX. Cheriton went off to build “The V System”, in which there was a message passing micro kernel on each CPU and the processes, even the subroutines of the device drivers, were distributed. Essentially all (well, not quite all) subroutine calls were low cost messages. The result of this was that the load was always balanced across all available nodes. The dining philosophers problem not only became trivial, but stayed trivial as more philosophers turned up and/or more tables and plates were added or subtracted.

We’ve now got to the point where we desperately need this technology. We’ve got two, four, sixteen or sixty four processors on a chip, which is a real high speed backplane! Stack a few of them with a high speed switch like in this article ….

At the end of the article he says “another 10 years you’ll be able to have the equivalent of a 5,000 node Google cluster in your den.” Heck, using this technique of four boards in a mini-tower case with four CPUs on each board I can easily get a lot of parallel power on my desktop today.

But the point is that we don’t have the software that will spread the processing across it. We still have an architecture where one process lives on one machine and stays there.

Oh, I know about VMWare, but that doesn’t do the micro-level migration that Cheriton could achieve. Right now, the Beowulf clusters are dedicated to specially written applications, like the chess playing search tree.

Years ago (the 1980s) I wrote RPC-based applications using the SUN XPC protocols. Since then I’ve seen three (or more)-tier applications, like web front ends talking to database engines via TCP links. I’m now seeing RPC embedded in XML embedded in HTML for web sites. But it’s still about a complete process on a machine, and that process unable to dynamically migrate to an idle machine. Yes, I know about load balancers - that’s the same trap.

We need a new programming paradigm to deal with the new hardware.

Or perhaps we need new compilers that will break up the program into new modules. Of course some programmers will still use a style that fights the compiler.

Let’s see …. When the Macintosh first came out it had an overlay scheme borrowed from one of the not-quite-virtual-memory models of the IBM 360 range. The idea was that an application had modules and a dependency tree for them, so that not all the modules needed to be loaded at once. You could write:

int main(int argc, char *argv[])
{
    do_Initialization();          /* each of these is its own overlay module */
    do_Process_command_line();
    do_Interactive_stuff();
    do_shutdown();
    return 0;
}

and compile that as one module. The “do_Initialization()” module, also compiled in parts, would load and then unload … and so on. So an 800k program might only need “main()” - at less than 1k - and the data and some other modules loaded, amounting to perhaps 250k. Great if your machine only had 256k!

But LO!, some application developers (I recall Adobe being one of them!) didn’t Get It. They compiled the application into one big module. Perhaps this was deliberate so that you couldn’t run anything along side it :-)

Of course the advent of demand-paged virtual memory made all this moot. It had been a technique to allow for lower cost hardware - even back in the 360 days. The cost of the additional hardware for instruction interruption and restart was non-trivial back then. Now, it’s all just on the chip.

But the approach to distributed programming that Cheriton illustrated in his papers on the V System did require a new paradigm. In the same way that classical SQL (i.e. before cursors) turned the nested “for each” blocks inside out, so too did Cheriton’s approach to subroutines get turned inside out.

Certainly this is going to be an area for research if massively multi-node computing is going to end up on the desktop.