The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

August 14th, 2008

Passwords Suck!

http://techbuddha.wordpress.com/2008/08/13/passwords-suck/

Indeed they do.
It’s beginning to look like the point I’ve been trying to make for years, here and with clients, is finally getting some notice: the sad truth is that passwords are security theatre. They provide the illusion that you’re securing something.

For those new here, I’ve long recommended Rick Smith’s excellent book on this matter:
“Authentication: From Passwords to Public Keys” ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html

Grandpa Rob Slade reviewed this, rather more kindly than some books he’s reviewed.
The author of the article recommends passphrases - a passphrase is easy to remember.
In “Password Expiration Considered Harmful” Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also ‘The Strong password dilemma‘ and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, “But that was in another country and besides, the wench is dead”). I fat finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won’t flow from their fingers so readily.

My home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I’ve used the same passphrase for over a decade. I can type it a LOT faster than a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don’t even have to ‘say’ the passphrase in my mind, so even a telepath couldn’t “sniff” it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I’m getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, it’s crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford’s blog entry on this.  But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, how often do you change the lock on your front door?

August 8th, 2008

‘Fakeproof’ e-passport

My colleague Sami O. Koskinen said “I always felt like the new biometric passport is just a show” and I have to agree with him. He also has reservations about the idea of building a national fingerprint database covering all citizens, and I would think visitors to a country. He points out that the justification for this in his home country of Finland is that fingerprints are already taken for ID and passports.

The normal justification for such a policy, which seems to exceed those of even the most repressive times in Stalinist Russia, is that it would ease solving crimes and help in crime prevention.

Well, for a start, I see from discussions in other forums that many people in IT and security don’t understand the difference between preventive and detective controls, or even that detective controls are part of an effective security profile, so why should tech-ignorant (and proud of it) politicians see that point?

Fingerprinting is a baseline detective method in law enforcement, at least with serious crimes of violence. But then again, this has been well publicized and is only really of use in impulsive crimes where the perpetrator has not had the time or foresight to wear gloves.

A few years ago I went through a stage of reading a lot of detective novels. Let’s face it, these are ‘entertainment’, not ‘true crime’. As such, twisted plots are common. Nevertheless, there is no shortage of plots whereby fingerprint and DNA evidence is spoofed and subverted. There are no laws or controls that prevent criminals or potential criminals from reading these books, and nothing whatsoever to stop them from coming up with even more creative and ingenious methods.

We’ve had references here to Schneier’s “security as a state of mind” and how we security professionals have “twisted minds”. That “twisted minds” designation has historically been applied to ingenious and inventive criminals.
According to my database of quotes, John Tandervold said:

“Each new law makes only a single guarantee. It will create new
criminals.”

A similar thing can be said about security controls in general. Each will have people who will find ways to bypass or subvert it.

July 19th, 2008

Why San Francisco’s network admin went rogue

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor or anyone with security training this screams of a security risk.
One critical guy who has no backup, has private and sole knowledge of the system, never takes vacations, and is arrogant and protective of his knowledge.
It’s a classic case of what should be avoided. There are no management controls in place. He could have been running any number of illegal operations, scams or selling of bandwidth to criminal groups, set up a virtual network … whatever. No-one would know. “Dual controls” are a fundamental for any critical operation - they are intended to prevent the abuse of privilege we see in this case, to divide the responsibility of the completion of a process into separate, accountable actions, or to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His ‘pride in his work’ and treating the network like a child also comes across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco’s FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures (like change controls and documentation), standards and automation of processes is frightening. These are signs that an auditor should have caught long ago. The question is ‘why didn’t that happen?’

As I said, his managers are at fault for letting this situation arise.
Once again it’s the suit-geek dichotomy; because they don’t want to know the technical issues and be involved in them, the managers let geeks like Terry Childs have free rein and don’t institute basic controls.

So when they do have to rein him in — UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be better off without some of his managers too. What it does need is proper administration, of its networks and of its technical staff.

Forcing the issue may have impacted the city’s use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I’m cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

July 18th, 2008

Business Logic Flaws

Toronto - OWASP

This month’s meeting was about layer 7 errors in web applications. Trey Ford was a fast-spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. It’s another FMEA situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I’m on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending an OotO response to a mailing list message is dumb in the first place, but it’s also a security issue. Some of these lists don’t have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office”. It’s amazing how easy social engineering can be.

Your company may mandate the use of OotO, but it’s most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism make sure you have it set up properly.
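As an added illustration (not code from this post or from the draft RFC mentioned below) of what “set up properly” means: an autoresponder guard that refuses to answer mailing-list or automatic mail, and marks its own replies as automatic so they cannot start a storm. The header rules are my assumptions, drawn from RFC 3834 (Auto-Submitted) and common list conventions (Precedence, List-Id); the sample messages are constructed.

```python
"""Out-of-office autoresponder guard: added example, not code from the
blog post or from the draft RFC it mentions.  Header rules are assumptions
based on RFC 3834 (Auto-Submitted) and common mailing-list conventions."""
from __future__ import annotations

import email
import email.utils
from email.message import EmailMessage, Message

# Constructed sample messages (not real traffic).
LIST_MSG = b"""From: alice@example.org
To: seclist@lists.example.net
List-Id: Security discussion <seclist.lists.example.net>
Precedence: list
Subject: [seclist] Patch cycle question

Has anyone measured how long their patch cycle takes?
"""
DIRECT_MSG = b"""From: bob@example.org
To: me@example.com
Subject: Meeting next week

Are you around on Tuesday?
"""
AUTO_MSG = b"""From: carol@example.org
To: me@example.com
Auto-Submitted: auto-replied
Subject: Out of office

I am away until Monday.
"""

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")


def should_auto_reply(raw: bytes, my_addresses: set[str]) -> tuple[bool, str]:
    """Decide whether an OotO reply may be sent; return (decision, reason).
    Suppresses replies to mailing-list traffic, to mail that is itself
    automatic, and to mail not addressed to us directly (list expansions,
    Bcc), so the responder never broadcasts our absence to a whole list."""
    msg: Message = email.message_from_bytes(raw)
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "sender is an automatic process (Auto-Submitted)"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return False, "bulk/list precedence"
    for header in LIST_HEADERS:
        if msg.get(header):
            return False, f"mailing-list header {header} present"
    pairs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {addr.lower() for _, addr in pairs}
    if not recipients & {a.lower() for a in my_addresses}:
        return False, "not addressed to us directly"
    return True, "direct personal mail"


def build_reply(original_raw: bytes, my_address: str) -> EmailMessage:
    """Minimal reply: marked automatic (so other responders, and this one,
    will not answer it) and carrying no alternative contact details."""
    original = email.message_from_bytes(original_raw)
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = original["From"]
    reply["Subject"] = "Auto: " + (original.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply.set_content("I am out of the office and will answer on my return.")
    return reply
```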

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.

See also:
‘Out of office’ messages turned into spam relays

July 17th, 2008

Not Microsoft’s fault?

Data can leak from partially encrypted disks

“Information is spilling out from the encrypted region into the unencrypted region”

Help me here. Why would you have an only partially encrypted drive? Yes, that’s easy to set up with Linux where you have many partitions. In fact failing to encrypt swap is a classic mistake.

But with Windows you have to quite explicitly set up partitions and move stuff around. The ‘out of the box’ default is a single partition with the system, data and swap all in the one partition. Yes, I’ve set up “D:” partitions and moved the user data (desktop etc) there. I’ve also set up a partition for the swap file. It helps with matters like fragmentation and backup management. But it takes thought, planning and deliberate action.

So why might you be keeping only part of your hard drive encrypted? I don’t know.

I can imagine a Windows user who has an encrypted USB drive and a clear (as in out of the box) main drive could hit this situation, but as data leakage goes I suspect this is small fry. The ‘potentially huge issue‘ may not be that earth shattering.

Since this is being presented at USENIX HotSec later this month, perhaps it is a Linux issue. Damned journalists - so vague …

Full-Disk Encryption Is Partial Protection, Analysts Say

July 3rd, 2008

When did you last update your browser?

http://www.theregister.co.uk/2008/07/03/browser_insecurity_survey/

I gather that flaws in browsers account for a lot of attacks, arising from malware and spyware that gets ‘snuck in’ by various methods such as XSS.

Let’s be realistic, though; the browser isn’t the only avenue by which a user’s workstation can be infected - I’ll leave servers out of this for the moment. Updating other key components of the operating system is important as well. But patching is more difficult in some systems than others, and some vendors & developers are more aggressive about updating their baseline than others. That could also reflect the complexity and modularity of their products. What was that about complexity being the enemy of security?

Unsurprisingly the study concluded that update features within different browsers played a key role in determining how quickly users update their software. Firefox users “typically updated” within three days of the availability of a new security update. Opera users averaged around 11 days before patching their browser while some IE users are still stuck on IE6 a year and a half after the release of IE7.

So that makes me one of the ‘good guys’, a Firefox user. Actually I update my plug-ins ‘same day’ - which might actually be a risk if they are not well tested. But that point is always a risk, and is the reason why some companies, such as Intel, are staying with XP rather than upgrading to Vista. (Ever?)

The study found that Firefox users were the most diligent in applying security updates, with 83.3 per cent using the latest version. Less than half (47.6 per cent) of IE users used a fully patched version.

Now let’s be fair, not everyone has control over what they use.

“I think it may be a little unfair for many IE users to be grouped in the ‘less diligent’ bucket because they’re stuck to using IE5 or IE6 for compatibility issues with their corporate applications but, quite frankly, in this climate of commercial mass-defacements, ‘unfair’ isn’t going to keep them safe,” Ollmann writes.

As it says in the article I’ve referenced …

A white paper on the study, Understanding the Web browser threat, can be found here.

June 18th, 2008

Is Windows or is IT the problem with security?

http://news.cnet.com/8301-13505_3-9970323-16.html

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community’s respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities that were or became prey to malware.

An investigation showed he hadn’t downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it was so badly configured that it may well have already been hacked, said Tami Loehrs, a forensics investigator hired by Fiola’s defense team. The Microsoft Systems Management Server software on the laptop was misconfigured and was not receiving critical software updates, and the laptop’s Symantec antivirus software was either misconfigured or not working properly, she said.

“He was handed a ticking time bomb,” she said.

In this case, it’s called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola.
Could this have happened with Linux or the Mac? Yes and maybe.

Yes, because weak IT yields weak security.

But maybe, because both of these Unix-like systems handle security much better than Windows traditionally has. But that’s not really the point.

No, what’s really the point is things like this and the case where a teacher was accused of exposing her class to pornography.

The article ends with

Did Microsoft create this problem for Mr. Fiola? No. If anything, it sounds like his IT department is to blame. But if it were me, I’d be asking for a Mac when joining a new company. With the Mac, my odds of having a Fiola-esque experience go down dramatically.

Which makes me think of another article I saw that indicates

MacOS experienced 50% growth as a primary development platform and 380% growth as a targeted platform during the period.

April 25th, 2008

How not to hire a security executive who’s on parole

http://www.networkworld.com/news/2008/042308-how-not-to-hire-a.html?page=1

One of the first questions to ask during an audit is “Do you have Policy?” (which is part of the ISMS - see ISO-27001)

Then, after checking that for completeness and sufficiency, start checking whether it’s communicated to staff and whether it’s followed.

Since policy defines how an organization is to be run, this is the top-down approach. It’s why bottom-up things like pen testing are a waste of time. The policy-driven approach ensures that there are processes and procedures in place; it allows for metrics and for improvement of both the compliance and the detailed processes themselves (CMM etc.).

See also “Who Ya Gonna Call?”

January 16th, 2008

What did I say about buffer overflow?

http://aluigi.altervista.org/adv/quicktimebof-adv.txt

You’d think by now … after all, SC Magazine, at least in the print edition, lists the “top 5 attacks” used by US and foreign hackers, and ‘overflow’ attacks have been in the number 1 or number 2 slot for as far back as I can remember.

I keep going on about how the Morris Worm brought this to the public attention TWENTY years ago. I keep going on about how I continue to meet programmers of varying maturity, not just the ones fresh out of college, who are unaware of this kind of programming flaw - along with many other flaws and egregious habits.

I suspect what we have is the old phenomenon of assigning junior (aka inexperienced) coders to doing the maintenance programming. Why else would this kind of bug be introduced into a mature product?

Did I say ‘introduced’? Perhaps it was there all along, which is even worse, since it means it took this long to discover it.

January 16th, 2008

Many Oracle Users Don’t Apply Security Patches

Perhaps this applies to more than Oracle users?
Sybase? MySQL?
Windows?
Perhaps even Linux!

http://www.informationweek.com/news/showArticle.jhtml?articleID=205603104

Slavik Markovich, chief technology officer of Sentrigo, a database security firm, said he’s been making presentations at Oracle Users Groups around the U.S. since August, and at each one he asks for a show of hands on how many attendees have adopted one of the two most recent Oracle Critical Patch Updates. He also asks how many have adopted at least one update since Oracle started issuing them.

Starting with the Capital Area Oracle User Group in Reston, Va., the answers that he’s gotten have surprised him. At that meeting last August, two out of 40 attendees said they had installed one of the two latest patches; 15 said they had installed at least one patch in the four years of the program. That left 62.5% who had not installed any patches since the program began in November 2004.

And the effect of this?

“That leaves many databases vulnerable to what are now publicly known vulnerabilities.”

I think we could have guessed that.
The issue is whether the people in the organizations that run unpatched systems thought about that, and about the consequences of it.

Probably not.
All the studies I’ve read indicate that the ‘high performers’ not only follow through on security procedures like this, but have proactive monitoring (e.g. IDS, log file scanning) and proactive response procedures. The people who don’t bother to patch will in all likelihood not even know if they have been hacked unless the hack has catastrophic results. If the hacker was subtle and just did some identity theft, or small-but-many financial theft, then the database owner might never know.

So: When did you …

  • last update your OS?
  • last update your browser?
  • last update your database?
  • last scan your logs?

Enquiring minds want to know, and many of them belong to malicious hackers.