The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

August 14th, 2008

Passwords Suck!

http://techbuddha.wordpress.com/2008/08/13/passwords-suck/

Indeed they do.
It’s beginning to look like the point I’ve been trying to make for years, here and with clients, is finally getting some notice: the sad truth is that passwords are security theatre. They provide the illusion that you’re securing something.

For those new here, I’ve long recommended Rick Smith’s excellent book on this matter:
“Authentication: From Passwords to Public Keys” ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html

Grandpa Rob Slade reviewed this, rather more kindly than some books he’s reviewed.
The author of the article recommends passphrases - a passphrase is easy to remember.
In “Password Expiration Considered Harmful” Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also ‘The Strong password dilemma’ and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, “But that was in another country and besides, the wench is dead”). I fat-finger it one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won’t flow from their fingers so readily.

On my home machine, where no-one can get in from the net and no-one looks over my shoulder except my cats, I’ve used the same passphrase for over a decade. I can type it a LOT faster than a shoulder-surfer could see, and my fat-finger rate is down around 1 in 300+. I don’t even have to ‘say’ the passphrase in my mind, so even a telepath couldn’t “sniff” it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I’m getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, it’s crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford’s blog entry on this.  But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, how often do you change the lock on your front door?

August 8th, 2008

‘Fakeproof’ e-passport

My colleague Sami O. Koskinen said “I always felt like the new biometric passport is just a show” and I have to agree with him. He also has reservations about the idea of building a national fingerprint database covering all citizens, and I would think visitors to a country. He points out that the justification for this in his home country of Finland is that fingerprints are already taken for ID and passports.

The normal justification for such a policy, which seems to exceed those of even the most repressive times in Stalinist Russia, is that it would ease solving crimes and help in crime prevention.

Well, for a start, I see from discussions in other forums that many people in IT and security don’t understand the difference between preventive and detective controls, or even that detective controls are part of an effective security profile, so why should tech-ignorant (and proud of it) politicians see that point?

Fingerprinting is a baseline detective method in law enforcement, at least with serious crimes of violence. But then again, this has been well publicized and is only really of use in impulsive crimes where the perpetrator has not had the time or foresight to wear gloves.

A few years ago I went through a stage of reading a lot of detective novels. Let’s face it, these are ‘entertainment’, not ‘true crime’. As such, twisted plots are common. Nevertheless, there is no shortage of plots whereby fingerprint and DNA evidence is spoofed and subverted. There are no laws or controls that prevent criminals or potential criminals from reading these books, and nothing whatsoever to stop them from coming up with even more creative and ingenious methods.

We’ve had references here to Schneier’s “security as a state of mind” and how we security professionals have “twisted minds”. That “twisted minds” designation has historically been applied to ingenious and inventive criminals.
According to my database of quotes, John Tandervold said:

“Each new law makes only a single guarantee. It will create new
criminals.”

A similar thing can be said about security controls in general. Each will have people who will find ways to bypass or subvert it.

July 19th, 2008

Why San Francisco’s network admin went rogue

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor or anyone with security training this screams of a security risk.
One critical guy with no backup, sole and private knowledge of the system, who never takes vacations, and who is arrogant and protective of his knowledge.
It’s a classic case of what should be avoided. There are no management controls in place. He could have been running any number of illegal operations, scams or selling of bandwidth to criminal groups, set up a virtual network … whatever. No-one would know. “Dual controls” are a fundamental for any critical operation - they are intended to prevent the abuse of privilege we see in this case, to divide the responsibility for completing a process into separate, accountable actions, or to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His ‘pride in his work’ and treating the network like a child also comes across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco’s FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures (like change controls and documentation), standards and automation of processes is frightening. These are signs that an auditor should have caught long ago. The question is ‘why didn’t that happen?’

As I said, his managers are at fault for letting this situation arise.
Once again it’s the suit-geek dichotomy; because they don’t want to know the technical issues and be involved in them, the managers let geeks like Terry Childs have free rein and don’t institute basic controls.

So when they do have to rein him in — UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be better off without some of his managers too. What it does need is proper administration, of its networks and of its technical staff.

Forcing the issue may have impacted the city’s use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I’m cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

July 18th, 2008

Business Logic Flaws

Toronto - OWASP

This month’s meeting was about layer 7 errors in web applications. Trey Ford was a fast-spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. It’s another FMEA (failure mode and effects analysis) situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I’m on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending an OotO response to a mailing list message is dumb in the first place, but it’s also a security issue. Some of these lists don’t have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office”. It’s amazing how easy social engineering can be.

Your company may mandate the use of OotO, but it’s most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism make sure you have it set up properly.

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.
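As an added example of what “set up properly” can mean for a responder (my code, not anything from this post or from Axel Eble’s draft), here is a guard that follows the published recommendations in RFC 3834: no reply to mail that is itself automatic (Auto-Submitted), to bulk or list traffic (Precedence, List-* headers), to a null reverse path or a daemon sender, or to anything not addressed to the mailbox owner directly; any reply it does send goes to the reverse path and is itself marked Auto-Submitted so other responders stay quiet. The sample messages, addresses and function names are constructed for the example.

```python
"""Guard for an out-of-office responder, following RFC 3834 (added example)."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Headers that mark mailing-list traffic (RFC 2369 / RFC 2919) or bulk mail.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help", "List-Subscribe")
BULK_PRECEDENCE = {"bulk", "list", "junk"}
# Local parts that belong to mail systems rather than people.
DAEMON_LOCALPARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply", "bounces")


def _is_daemon(address: str) -> bool:
    local = address.split("@")[0].lower()
    return any(local == d or local.endswith("-" + d) for d in DAEMON_LOCALPARTS)


def should_auto_reply(raw_message: str, my_address: str) -> tuple[bool, str]:
    """Return (True, "") if an auto-reply is permitted, else (False, reason)."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    # 1. Never answer mail that is itself automatic (RFC 3834 section 2).
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"

    # 2. Bulk or list traffic flagged by Precedence.
    precedence = str(msg.get("Precedence", "")).strip().lower()
    if precedence in BULK_PRECEDENCE:
        return False, f"Precedence: {precedence}"

    # 3. Any List-* header means a mailing list delivered this copy.
    for header in LIST_HEADERS:
        if header in msg:
            return False, f"{header} header present"

    # 4. Null reverse path (a bounce) or a daemon address: nobody reads replies.
    if "Return-Path" in msg and not parseaddr(str(msg["Return-Path"]))[1]:
        return False, "null Return-Path"
    for field in ("Return-Path", "From"):
        addr = parseaddr(str(msg.get(field, "")))[1]
        if addr and _is_daemon(addr):
            return False, f"daemon sender {addr}"

    # 5. Only answer mail addressed to the mailbox owner explicitly, so a list
    #    or alias expansion never triggers the reply.
    recipients = set()
    for field in ("To", "Cc"):
        header = msg.get(field)
        if header is not None:
            recipients.update(a.addr_spec.lower() for a in header.addresses)
    if my_address.lower() not in recipients:
        return False, "not addressed to me directly"

    return True, ""


def build_auto_reply(raw_message: str, my_address: str, body: str) -> Optional[EmailMessage]:
    """Build the reply, or None when suppressed. Per RFC 3834 it goes to the
    reverse path rather than From, and carries Auto-Submitted: auto-replied."""
    allowed, _reason = should_auto_reply(raw_message, my_address)
    if not allowed:
        return None
    msg = email.message_from_string(raw_message, policy=policy.default)
    target = parseaddr(str(msg.get("Return-Path", "")))[1] or parseaddr(str(msg["From"]))[1]
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = target
    reply["Subject"] = "Auto: " + str(msg.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"
    if "Message-ID" in msg:
        reply["In-Reply-To"] = str(msg["Message-ID"])
    reply.set_content(body)
    return reply


# Constructed sample messages (not real traffic): a list post, a bounce, and
# a personal message that a responder may legitimately answer.
LIST_MSG = """\
Return-Path: <security-discuss-bounces@lists.example.net>
From: Alice <alice@example.com>
To: security-discuss@lists.example.net
Subject: [security-discuss] Password expiry
List-Id: Security discussion <security-discuss.lists.example.net>
Precedence: list
Message-ID: <111@example.com>

Does anyone still rotate every 30 days?
"""

BOUNCE_MSG = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: me@example.org
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

Your message could not be delivered.
"""

DIRECT_MSG = """\
Return-Path: <bob@example.com>
From: Bob <bob@example.com>
To: Me <me@example.org>
Subject: Lunch next week?
Message-ID: <222@example.com>

Are you around on Tuesday?
"""

if __name__ == "__main__":
    for name, raw in (("list", LIST_MSG), ("bounce", BOUNCE_MSG), ("direct", DIRECT_MSG)):
        print(name, should_auto_reply(raw, "me@example.org"))
```

Run against the three samples, only the personal message gets a reply; the list post is stopped by its Precedence header before the List-Id check is even reached, and the bounce by its own Auto-Submitted header. The same checks belong in any responder that can see a list’s traffic, whether it runs on the mail server or in the client.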

See also:
‘Out of office’ messages turned into spam relays

July 17th, 2008

Not Microsoft’s fault?

Data can leak from partially encrypted disks

“Information is spilling out from the encrypted region into the unencrypted region”

Help me here. Why would you have an only partially encrypted drive? Yes, that’s easy to set up with Linux where you have many partitions. In fact failing to encrypt swap is a classical mistake.
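An added check for the swap mistake just mentioned (my example, not anything from this post or from the paper it discusses). It reads the /proc/swaps table and, for each swap partition, asks device-mapper whether the backing device is a dm-crypt mapping, which dm-crypt marks with a DM UUID beginning with CRYPT-. Swap files are reported separately, since their protection depends on the filesystem holding them. The sample table and the UUID lookup are constructed so the example runs offline; the audit_swaps and dm_uuid_of names are mine.

```python
"""Audit active Linux swap for the 'encrypted root, cleartext swap' mistake (added example)."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class SwapEntry:
    path: str
    kind: str                   # "partition" or "file", as reported by /proc/swaps
    encrypted: Optional[bool]   # None: a swap file, protection depends on its filesystem


def parse_proc_swaps(text: str) -> list[tuple[str, str]]:
    """Return (filename, type) pairs from the text of /proc/swaps.

    The first line is the column header; the rest are whitespace separated
    columns: Filename Type Size Used Priority.
    """
    pairs = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def dm_uuid_of(device: str, sysfs_root: str = "/sys") -> Optional[str]:
    """Read the device-mapper UUID of a block device, or None if it is not a dm device.

    /dev/mapper/<name> is a symlink to /dev/dm-N and the kernel exposes the
    mapping's UUID at /sys/block/dm-N/dm/uuid. dm-crypt sets it to
    "CRYPT-<format>-..." (for example CRYPT-LUKS2-<hex>-<name>).
    """
    name = os.path.basename(os.path.realpath(device))
    try:
        with open(os.path.join(sysfs_root, "block", name, "dm", "uuid")) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit_swaps(proc_swaps_text: str,
                uuid_lookup: Callable[[str], Optional[str]] = dm_uuid_of) -> list[SwapEntry]:
    """Classify every active swap entry as encrypted, cleartext, or undetermined (file)."""
    report = []
    for path, kind in parse_proc_swaps(proc_swaps_text):
        if kind != "partition":
            # A swap file inherits the protection of the filesystem holding it,
            # which needs a mount-table check rather than a block device check.
            report.append(SwapEntry(path, kind, None))
            continue
        uuid = uuid_lookup(path)
        report.append(SwapEntry(path, kind, bool(uuid and uuid.startswith("CRYPT-"))))
    return report


def cleartext_swaps(report: list[SwapEntry]) -> list[str]:
    """Paths of swap partitions that are definitely not under dm-crypt."""
    return [e.path for e in report if e.encrypted is False]


# Constructed sample of /proc/swaps (not from a real host): a plain partition,
# a dm-crypt mapping, and a swap file.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda3                               partition\t8388604\t0\t-2
/dev/dm-1                               partition\t4194300\t0\t-3
/swapfile                               file\t\t2097148\t0\t-4
"""

# Constructed stand-in for the sysfs lookup: only dm-1 is a dm-crypt target.
SAMPLE_DM_UUIDS = {"/dev/dm-1": "CRYPT-LUKS2-0123456789abcdef0123456789abcdef-cryptswap"}


def sample_report() -> list[SwapEntry]:
    return audit_swaps(SAMPLE_PROC_SWAPS, SAMPLE_DM_UUIDS.get)


if __name__ == "__main__":
    # On a real host: read the live table and query sysfs for each device.
    with open("/proc/swaps") as fh:
        live = audit_swaps(fh.read())
    for entry in live:
        state = {True: "dm-crypt", False: "CLEARTEXT", None: "file (check mount)"}[entry.encrypted]
        print(f"{entry.path:30} {state}")
```

On the sample table the audit flags /dev/sda3 as cleartext swap and accepts /dev/dm-1; a plain /dev/sdaN partition never has a dm/uuid node in sysfs, so the open fails and it is treated as unencrypted, which is the safe default for this check.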

But with Windows you have to quite explicitly set up partitions and move stuff around. The ‘out of the box’ default is a single partition with the system, data and swap all in the one partition. Yes, I’ve set up “D:” partitions and moved the user data (desktop etc) there. I’ve also set up a partition for the swap file. It helps with matters like fragmentation and backup management. But it takes thought, planning and deliberate action.

So why might you be keeping only part of your hard drive encrypted? I don’t know.

I can imagine a Windows user who has an encrypted USB drive and a clear (as in out of the box) main drive could hit this situation, but as data leakage goes I suspect this is small fry. The ‘potentially huge issue’ may not be that earth shattering.

Since this is being presented at Usenix HotSec later this month perhaps it is a Linux issue. Damned journalists - so vague … Full-Disk Encryption Is Partial Protection, Analysts Say

July 15th, 2008

On Spies and inside knowledge

My friend and mentor, Donn Parker, observes:

Build your security assuming that the enemy knows as much about
your security and what you are doing as you do.

The lesson of history, InfoSec, industry, literature, warfare and politics tells us this is so.

Chapter 13 of Sun Tzu’s great work, “On the use of Spies”, advises:

What enables the enlightened rulers and good generals to conquer
the enemy at every move and achieve extraordinary success is
foreknowledge.

Foreknowledge cannot be elicited from ghosts and spirits; it
cannot be inferred from comparison of previous events, or from
the calculations of the heavens, but must be obtained from
people who have knowledge of the enemy’s situation.

Therefore there are five kinds of spies used:

Local spies, internal spies, double spies, dead spies, and
living spies.

He goes on to say

Only the wisest ruler can use spies; only the most benevolent
and upright general can use spies, and only the most alert and
observant person can get the truth using spies.

Which is of course pandering. And then:

It is subtle, subtle!

Which is pandering still, but none the less true.

There is nowhere that spies cannot be used.

Which is also true. Hence http://privateeyespyshop.com/

Generally, if you want to attack an army, besiege a walled city,
assassinate individuals, you must know the identities of the
defending generals, assistants, associates, gate guards, and
officers. You must have spies seek and learn them.

However these days, many companies and countries publish all this information on the web. The identity theft in “Day of The Jackal” (which has been copied by many other authors since) can now be performed from the comfort of your local hot-spot-equipped café or on some local commuter train.

July 10th, 2008

How magic might finally fix your computer -

http://redtape.msnbc.com/2008/07/cambridge-mass.html#posts

Charlatans don’t bother creating detailed schemes for deception. They
just have a feel for what fools people.

It’s not about technology…

Bad guys have better people skills
Criminals usually don’t bother learning all the ins and out of the
technology they exploit — they simply learn enough to be dangerous. But
they spend endless hours understanding the people they plan to fool.
Hackers long ago learned a short cut, what they call social engineering:
Why spend years trying to hack into a bank when you can just ask an
account holder to give you their name and password?

and not only that, but adding technology won’t fix things.

The technologists, on the other hand, tend to fight this battle with one
hand tied behind their back. They generally spend most of their time
studying technology, learning all its nooks and crannies from the ground
up. They write careful research papers following the strict rules of
scientific method. They must spend endless hours defending their findings
against all comers, and they can’t hurt anyone while conducting studies.
They know the technology well, but they have little time to sit around
understanding how people work.

I’ve been saying for over a decade that InfoSec qualifications should focus on psychology and sociology and business rather than technical matters, but exams & qualifications such as CISSP, CISA, CEH, and SANS focus on technical matters.

Part of this is “the metrics problem”. We focus on what can be measured, the “if you can’t measure it, you can’t manage it” myth that started with Taylorism and has been promulgated by people who only see the numbers side of Deming’s principles. His “System of Profound Knowledge” advocated that all managers need to have a deep understanding of psychology and human nature. His famous “14 points” are about attitudes towards management of work, not about numbers; in fact he was against many ‘numbers’ such as quotas. He viewed managing by numbers to be a “deadly disease”, along with an emphasis on short term results (more number-keeping), and relying on technology to solve problems that are really based in the organization, management and psychology of the workplace and corporation.

So how do we actually manage? How do we evaluate people and their work?
How do we grant certifications and issue awards? How do we solve our business problems?

The media says that InfoSec is a growing market. I wonder sometimes if that growth isn’t in the sales of appliances - throwing technology at the problem and resisting the changes that are really needed, changes in organization, attitudes and management.

July 3rd, 2008

When did you last update your browser?

http://www.theregister.co.uk/2008/07/03/browser_insecurity_survey/

I gather that browser flaws account for a lot of attacks, arising from malware and spyware that gets ‘snuck in’ by various methods such as XSS.

Let’s be realistic, though; the browser isn’t the only avenue by which a user’s workstation can be infected - I’ll leave servers out of this for the moment. Updating other key components of the operating system is important as well. But patching is more difficult in some systems than others, and some vendors & developers are more aggressive about updating their baseline than others, which could also reflect the complexity and modularity of their products. What was that about complexity being the enemy of security?

Unsurprisingly the study concluded that update features within different
browsers played a key role in determining how quickly users update their
software. Firefox users “typically updated” within three days of the
availability of a new security update. Opera users averaged around 11
days before patching their browser while some IE users are still stuck
on IE6 a year and a half after the release of IE7.

So that makes me one of the ‘good guys’, a Firefox user. Actually I update my plug-ins ‘same day’ - which might actually be a risk if they are not well tested. But that point is always a risk, and is the reason why some companies such as Intel are staying with XP rather than upgrading to Vista. (Ever?)

The study found that Firefox users were the most diligent in applying
security updates, with 83.3 per cent using the latest version. Less than
half (47.6 per cent) of IE users used a fully patched version.

Now let’s be fair, not everyone has control over what they use.

“I think it may be a little unfair for many IE users to be grouped in
the ‘less diligent’ bucket because they’re stuck to using IE5 or IE6 for
compatibility issues with their corporate applications but, quite
frankly, in this climate of commercial mass-defacements, ‘unfair’ isn’t
going to keep them safe,” Ollmann writes.

As it says in the article I’ve referenced …

A white paper on the study, Understanding the Web browser threat, can be
found here.

June 18th, 2008

Is Windows or is IT the problem with security?

http://news.cnet.com/8301-13505_3-9970323-16.html

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community’s respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities that were or became prey to malware.

An investigation showed he hadn’t downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it
was so badly configured that it may well have already been hacked, said
Tami Loehrs, a forensics investigator hired by Fiola’s defense team. The
Microsoft Systems Management Server software on the laptop was
misconfigured and was not receiving critical software updates, and the
laptop’s Symantec antivirus software was either misconfigured or not
working properly, she said.

“He was handed a ticking time bomb,” she said.

In this case, it’s called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola.
Could this have happened with Linux or the Mac? Yes and maybe.

Yes, because weak IT yields weak security.

But maybe, because both of these Unix-like systems handle security much better than Windows traditionally has. But that’s not really the point.

No, what’s really the point is things like this and the case where a teacher was accused of exposing her class to pornography.

The article ends with

Did Microsoft create this problem for Mr. Fiola? No. If anything, it
sounds like his IT department is to blame. But if it were me, I’d be
asking for a Mac when joining a new company. With the Mac, my odds of
having a Fiola-esque experience go down dramatically.

Which makes me think of another article I saw that indicates

MacOS experienced 50% growth as a primary development platform and 380% growth as a targeted platform during the period.

June 2nd, 2008

Strong passwords or nothing at all

http://blogs.zdnet.com/hardware/?p=1998&tag=nl.e539

Adrian Kingsley-Hughes tries out the latest Live CD for Ophcrack.

Of course your idea of “strong” may differ from his.
