
Ponderings, opinions and analysis on IT Security

Wake Up And Help Burn Away The Stupid
Friday, 14 May 2010 09:52

The biggest failure in information security is actually a failure in information technology implementation.

For many, many decades the operating systems and applications that have been made for computers have come with built-in security features. The very idea of a username and password to log into a computer pre-dates home computers by at least a decade, with Multics back in 1964. And it wasn't the first.

But what has happened over this time is the old "arms race": the so-called bad guy finds a way around the restrictions put in place, so newer and more elaborate restrictions are put up. More elaborate and complex security systems require more time to set up, more knowledge to implement and a generally higher degree of intelligence.

In the business world, there is little tolerance or interest in the needs of Information Technology, but an excruciatingly large demand. Most IT departments run on very tight budgets with minimal personnel, the majority of funding going to hardware and obscenely expensive software licensing. If you don't offer very high pay and very good benefits, you can't really attract the very best IT employees.

So for the last 23 years or so, the information technology field has turned to 3rd party solutions for complex security. "Solutions" include antivirus, antispyware, Intrusion Prevention Systems, Firewalls, anti-spam, web filters and more. There are host-based and network-based versions of all of these, plus other variations and specialized implementations. There is deep-packet inspection, source-code analysis, vulnerability assessment, penetration testing, and on and on and on.

The end result? In a typical production environment of a Fortune 500 company, you have dozens, hundreds or even thousands of computer systems that essentially run with a default, base Operating System install and all the 3rd party security tools bolted on as an after-thought. No patching is done at all, or only the absolute minimum needed to keep the systems running. Many unused services are left installed and running. Local security policies are never configured, or only a few token changes are made. Services like HTTP, SMTP, FTP, IMAP, POP and the like also run with default configurations.

 

Wha... Wha.--WAHT TH# FUKC?>!!

 

These systems are INCREDIBLY VULNERABLE AND EASY TO HACK! They can be broken into remotely or locally. We're talking $150,000 premium servers that can be turned into digital scrap with the equivalent of a toothpick. They are the electronic equivalent of a frail person with no immune system, kept alive by a thin plastic bubble. That bubble? The 3rd party security software that has been installed on the server and the network. And that very expensive, five million dollars' worth of security solutions? Very likely it has also been thrown in place with default settings, providing only half-assed protection.

This all happens because IT departments are overworked and full of lazy, ignorant people. Not every IT staffer is an idiot slob. But there are enough overworked, stressed IT workers mixed with enough faux-IT employees to result in the mess that the world finds itself in today: a billion computers in shitty health.

It's time to wake up and shake the cobwebs out of our heads. We can build computers configured properly so that they are not immediately vulnerable to every single exploit that is published. We do not have to rely on a dozen layers of expensive, 3rd-party security software to protect ourselves! I'm not suggesting we do away entirely with firewalls and other measures. But we can make our servers, workstations and websites many times more secure than they are without anything more than additional man-hours. Which, in the end, is probably cheaper than overpriced security software.

Computer security follows the biological threat model. A healthy computer system is hard to infect or exploit. Not impossible. Just hard. Hard enough that the infection/exploit vector (be it automated script or malicious hacker) will just go and find something easier to attack in most cases. Even when a healthy computer system is violated, it will be easier to recover from the attack.

What makes a healthy, secure computer system? Here's a short list to start with:

  1. Install all operating system patches that are applicable, not just the ones that are "approved".
  2. Absolutely no unnecessary software installed. If you don't need it, yank it!
  3. If you can't uninstall something you don't need, turn it off, delete it, restrict access to it in some other way.
  4. Turn off the services you don't need (which you should uninstall if you really don't need them!)
  5. Configure a local security policy to at least enforce password security and enable auditing of security events.
  6. For any of the services you DO use, including 3rd-party software, make sure to enable the security features included such as authentication, encryption, access restrictions, etc.
  7. Update your 3rd party software as well as the operating system. That means patch that crappy Java engine and that piece-of-shit Adobe Reader!
  8. Backups. If your critical system isn't being backed-up every single day, you are putting a gun to your head and asking people to pull the trigger. I am not joking. Lack of backups is literal suicide, people!
  9. Monitor your systems! Monitor the hardware sensors, the disk capacity, the network usage, the CPU load, everything you can get your hands on.
  10. All of the logging on your servers should go to a central syslog server as well as locally. If your server becomes a burning, molten hole in the ground you still have logs of what the fuck happened.
  11. Test your systems! Make sure that all the redundant hardware actually works, that backups are restorable, that patches installed are active (schedule reboots on a weekly basis), and any other behind the scenes scheduled jobs actually run to completion.

Does that look like a long list to you? Am I hearing some of you whine that it's too much work? TOUGH SHIT! IT ISN'T FOR WIMPS, DAMN IT! Suck it up and earn your paycheck, kids!
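As an added example (not code from the original post), here is a small shell audit that scores a Linux host against items 2 through 5, 8 and 10 of the list above. It runs here against constructed samples of a "default install" and of the same host after the checklist was applied; the service allowlist, the password thresholds, the backup path and the systemctl/login.defs/auditd/rsyslog inputs each function expects are assumptions, called out in the comments, to adapt per server role.

```shell
#!/bin/sh
# Added example: a checklist audit for a Linux host. This is not code from
# the original post. Every check takes its input as text or a path, so it
# runs here against constructed samples and, on a real host, against the
# live file or command named in each comment. The service allowlist,
# thresholds and paths are assumptions to adapt per server role.

# Services this role genuinely needs (assumption: a plain SSH server).
NEEDED_SERVICES="sshd rsyslog cron chronyd"

# Items 2-4: print enabled units that are not on the allowlist.
# Live input: systemctl list-unit-files --state=enabled --no-legend
unneeded_services() {
    printf '%s\n' "$1" | while read -r unit state rest; do
        [ -n "$unit" ] || continue
        name=${unit%%.*}
        case " $NEEDED_SERVICES " in
            *" $name "*) ;;
            *) printf '%s\n' "$unit" ;;
        esac
    done
}

# Item 5 (passwords): pass only if /etc/login.defs sets PASS_MAX_DAYS <= 90
# and PASS_MIN_LEN >= 12 (thresholds are assumptions; pam_pwquality
# systems keep the length rule in /etc/security/pwquality.conf instead).
password_policy_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "PASS_MAX_DAYS" { max = $2 }
        $1 == "PASS_MIN_LEN"  { min = $2 }
        END { exit !(max != "" && max <= 90 && min != "" && min >= 12) }'
}

# Item 5 (auditing): require auditd write-watches on the files that
# decide who can log in and who becomes root.
# Live input: cat /etc/audit/rules.d/*.rules
audit_rules_ok() {
    for f in /etc/shadow /etc/sudoers; do
        printf '%s\n' "$1" |
            grep -Eq "^-w[[:space:]]+$f[[:space:]]+-p[[:space:]]+[rwxa]*w" || return 1
    done
}

# Item 10: rsyslog must forward to a central collector, not only write
# locally. Accepts legacy "*.* @@host:port" or a RainerScript omfwd action;
# commented-out lines do not count.
# Live input: cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf
remote_logging_ok() {
    printf '%s\n' "$1" | grep -Eq '^[^#]*(@@?[A-Za-z0-9.:-]+|type="omfwd")'
}

# Item 8: something in the backup directory must have been written in
# the last 24 hours. Argument: where the nightly dumps land (assumption).
backup_fresh() {
    [ -d "$1" ] && find "$1" -type f -mtime -1 | grep -q .
}

# Run every check and print the number of findings; 0 means healthy.
# Arguments: units, login.defs, audit rules, rsyslog config, backup dir.
audit_host() {
    findings=$(unneeded_services "$1" | wc -l | tr -d ' ')
    password_policy_ok "$2" || findings=$((findings + 1))
    audit_rules_ok "$3"     || findings=$((findings + 1))
    remote_logging_ok "$4"  || findings=$((findings + 1))
    backup_fresh "$5"       || findings=$((findings + 1))
    echo "$findings"
}

# Constructed samples (not captured from a real host). First a "default
# install": telnet and vsftpd enabled, 99999-day passwords, no audit
# rules, local-only logging, no backup directory at all.
UNITS_DEFAULT='sshd.service enabled
telnet.socket enabled
vsftpd.service enabled
rsyslog.service enabled
cron.service enabled'
LOGIN_DEFS_DEFAULT='PASS_MAX_DAYS 99999
PASS_MIN_LEN 5'
RSYSLOG_DEFAULT='*.* /var/log/messages'

# The same host after the checklist was applied.
UNITS_HARDENED='sshd.service enabled
rsyslog.service enabled
cron.service enabled
chronyd.service enabled'
LOGIN_DEFS_HARDENED='PASS_MAX_DAYS 90
PASS_MIN_LEN 14'
AUDIT_HARDENED='-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privesc'
RSYSLOG_HARDENED='*.* /var/log/messages
*.* @@loghost.example.internal:6514'

demo_backups=$(mktemp -d)
touch "$demo_backups/db-$(date +%Y%m%d).sql.gz"
echo "default install findings: $(audit_host "$UNITS_DEFAULT" "$LOGIN_DEFS_DEFAULT" "" "$RSYSLOG_DEFAULT" /nonexistent)"
echo "hardened host findings:   $(audit_host "$UNITS_HARDENED" "$LOGIN_DEFS_HARDENED" "$AUDIT_HARDENED" "$RSYSLOG_HARDENED" "$demo_backups")"
rm -rf "$demo_backups"
```

On a live host, feed each function the real file or command output named in its comment (the output of systemctl list-unit-files --state=enabled --no-legend for unneeded_services, the contents of /etc/login.defs for password_policy_ok, and so on) and run it from cron so item 11's "test your systems" happens without anyone remembering to. The default sample scores six findings, the hardened one zero; a count above zero is something to fix on the box, not a reason to bolt on another product.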

Only after you've got a healthy, secure computing system should you then look at installing any 3rd party quackery like antivirus, IPS and the like. And you know what? Keep that crap off the servers. Just use network-based implementations. That way when those idiots in networking screw up, it doesn't reflect badly on you.

 
The Puppetmasters New Clothes
Thursday, 07 January 2010 13:20

In the science fiction novel "The Puppet Masters" by Robert A. Heinlein, alien creatures with the ability to connect to humans' nervous systems invade the Earth. This novel was made into a terrible, horrible movie, so if you have seen the movie but not read the book, please go read the book. And burn any copies of the movie you can get to.

But back to the book. It's a pretty typical "alien possession" novel by current standards, but it was actually a significant publication in 1951. The aliens themselves are relatively small things with limited mobility (they are dubbed slugs), but they can attach themselves to a victim's neck and hang down the back. The "slug" can then control the human and tap into their memories, while remaining hidden under the clothing. As the novel progresses, the protagonists (Sam and Mary, who both work for a secret intelligence agency of the US) withdraw to the mountains. After being attacked by an alien slug, they return to the city to discover a law has been passed requiring full nudity.

Correct, the only way to tell if a human was possessed was to require full nudity. Heinlein established that even a naked woman carrying a purse was suspect because she kept her hand in her purse which allowed her to remain connected to the slug. Now, part of the reason Heinlein wrote this solution into his novel is because he was a big fan of nakedness (hardly any of his novels don't mention it). But also because it's the obvious, simple solution to the question "How do I know if you are really you?". The slugs were too big to not be visible and obvious when attached to a victim.

Now, the $1.69 question: Is this a reactive security measure, or a proactive one?

Thanks to Richard Reid, we now have to take our shoes off at many airports. And most likely, we'll have much more invasive body scans to look for hidden explosives (even though there's no evidence such a scan would have caught Nigerian Abdulmutallab's hidden explosives). These are reactive security measures. Why? Because even looking at a person stark naked, you cannot tell if he or she is a terrorist. "The Puppet Masters" has a specific threat that can be visually identified and is known to be hostile to humanity. So the nudity solution is actually rational, if socially awkward. No such test exists for humans that intend harm to other humans.

This does not stop the TSA and law enforcement from following profiling methodologies, unfortunately. Many innocent citizens are taken aside because of their religious beliefs, skin color or "attitude". The lessons of Timothy McVeigh, Richard Reid and Umar Farouk Abdulmutallab have not stuck: terrorism is an action, not a kind of person, a belief system or a clothing style. Most of the security measures taken in airports and on airplanes since 9/11/2001 have been reactive "security theatre" rather than actually, proactively useful.

So what proactive security measures should be taken in the wake of the failed Christmas Bombing? Move security screening back to boarding gates. Improve the intelligence gathering and sharing community. Train more air marshals and put them on more flights. And most importantly, stop wasting resources on reactive measures.

 

 
Consequences of Overzealous Security
Tuesday, 07 October 2008 15:09

Part of Information Security is not making assumptions. You don't assume that computer systems are safe, you check them. Even if they were safe when you checked them, you check them again months later to make sure they are still safe. This sort of regular assessment is no different from security guards making regular rounds in an office building late at night, or at a bank.

When something suspicious is discovered during a systems check or pentest, you investigate it in order to verify that what was found is what you think it is. Evidence of a server break-in needs to be checked carefully before one goes blurting out "We've been hacked!". Just like a bank doesn't say "We've been robbed" because some accounting numbers don't match-up.

Such verification and re-verification on a regular basis can sometimes seem like paranoia. But paranoia is the unreasonable sense of persecution. Banks have ample reason to be concerned about their security, as there is a long and rich history of criminals robbing banks. However, there is a point at which one may indeed have to ask oneself, "Am I being too cautious?"

Such is the case with the bank that Blue Moon Fiber Arts signed up with for processing credit-card orders for their "Sock Club". A sock club, for those of us who are ignorant of the textile arts, is a knitting hobby club where you pay a yearly fee in order to receive monthly kits. Yes, it is a sock subscription, and you have to assemble the socks yourself. For people who like to knit, this is fun (as I am told).

When Blue Moon Fiber Arts started their 2007 Sock Club, they needed a bank to process credit card orders (as doing it without a bank is much more expensive and complicated). The bank was suspicious (or maybe just initially surprised) at the volume of orders. The bank contacted Blue Moon, which explained the purpose of the orders and the business model ("Customer gives money, customer gets product!" I suspect sums it up). For whatever reasons, the bank decided that it was improbable for large numbers of people to be interested in knitting socks, never mind spend lots of money on it. So the bank refused to process any more orders, canceled all the existing charges and refunded the money.

I can only guess as to why the bank did not take this further and attempt to involve law enforcement. Without more details, I can only assume the bank just didn't feel confident enough to involve the law, but was suspicious enough to pull out of the situation entirely. In the end, Blue Moon Fiber Arts found a bank that would process the credit card orders, and all the Blue Moon folks had to do then was send out a letter explaining what happened.

The consequences of overzealous security in this particular case were trivial. One bank lost a customer and another bank gained a customer. Some people were forced to re-sign-up for a sock club and a lot of knitters got justifiably angry at the sheer stupidity of the situation. Yet the consequences can be much more severe. What if a person staked all of their savings on a new business venture, and the first week of business the bank decided no one could possibly want to buy the product or service, and yanked all ability to deal with credit? Someone could literally lose everything they owned, because a bank manager simply made some assumptions.

Banks are of course only one entity that needs information security. Media companies must protect their copyrights, engineering firms have patents to guard and software shops are very much dependent on both copyrights and patents. Failing to enforce those rights could lead to rampant piracy, yet overbearing enforcement often leads to alienating fans, false accusations and some very nasty, drawn-out lawsuits. There are many cases on record where lawyers making assumptions have caused more harm than good for their corporate clients, including Microsoft, SCO, Intel, and another random bank.

In the end, it is up to each organization to make its own judgements in these matters, as there can never be an absolutely objective method to measure the risk involved in not being cautious. And each organization should be prepared to face the possible consequences of its actions.

 
Open Letter to Congressman Edward Markey
Saturday, 28 October 2006 20:41
(This is in response to this Slashdot article, about this gentleman, and the events described in this Wired article.)

Congressman Markey,

  I am writing to you as a Senior Information Security Analyst with Northrop Grumman corporation. I am employed with NGC on behalf of the United States Postal Service. I am a CISSP (Certified Information Systems Security Professional) and help protect the IT systems of America's postal system.

  I am writing you about the topic of Christopher Soghoian. This past Friday you called for his arrest due to the creation of the "http://www.dubfire.net/boarding_pass" website.

  As you are hopefully aware of now, the security flaw in the TSA boarding methodology is not new. Bruce Schneier, a security expert who has done significant work for the US government, wrote about the exact same flaw in 2003. Senator Charles Schumer made a press release about it in 2005. I myself have been aware of the flaw since I read Bruce Schneier's article earlier this year. I will repeat myself: It is not new.

  It is irresponsible to have continued to ignore a fundamental problem with TSA security in airports for so many years. Mr. Soghoian was irresponsible in putting together a website for public consumption to exploit it. But he was being QUITE responsible in outing this flaw.

  Neither you nor the rest of congress should continue to stick your heads in the sand. The TSA is NOT doing their job to the fullest extent necessary. Bruce Schneier has pointed out other problems in TSA security systems before, but has often been ignored.

  The US government is passing laws and performing actions that reduce personal freedoms to try and bolster security. That is the wrong path. Security should come at the cost of convenience, not freedom. That way both security and personal freedoms are assured.

  Thank you for your time. I look forward to your response.
 
Security Balances
Saturday, 16 September 2006 00:04

From this Yahoo! article:

He was sympathetic, but accepted the Transportation Security Administration's reasons for the ban.

"What are you going to do?" he said. "I guess you have to be safe."

Amanda Volz, a TSA screener in Minneapolis, said she hoped more travelers would take that attitude Friday.

"There's some moaning and groaning, and a few people who get angry, but once you explain it to them, they are more lenient about giving it up," Volz said. "You just try to make them understand that it's for their safety."

Lots of things are done for safety. But they aren't always the best choice, or the most useful. And there's usually more than one way to make something safe and secure.

A temporary ban on liquids being brought onto planes makes sense in this situation, because of the possibility of copycats and/or a missed accomplice. But at most this ban should last a few weeks and then be lifted. Instead, it will become permanent. Some idiot politicians are already yelping that it's the end of carry-on luggage altogether. Sort of premature, especially since Congress has no direct involvement in that sort of decision.

Banning carry-on would hardly eliminate the possibility of explosives being smuggled aboard. Remember the "shoe bomber"? Of course explosives could be ingested and then excreted, or hidden inside body cavities. Every method used for drug smuggling could be used for explosives. The only difference is the need to trigger the explosive once onboard. Biochemistry and electronics make that remarkably easy.

Explosive checking on carry-on baggage is a good idea, and should apply to all boarders, attendants and pilots included. But the real focus has to be on catching and stopping terrorists before these plans get implemented. This plot was foiled literally at the last minute. Why? Was it not detected sooner? Were the law enforcement agents hoping to catch more terrorists? Or to glean additional info? Maybe that'll come out over the next few months. But I for one would rather the plans to commit atrocities be cut off well in advance of implementation.

Better screening of passengers would be a big step forward. Currently it's still too easy to get a ticket. You don't even need to show your face to do so; it can be done entirely online. Stolen credit cards can even be used if a malicious person acts quickly enough. And anyone can walk into an airport, including baggage pick-up areas. While I'm not in favor of losing all the advantages the Internet provides in terms of travel arrangements, the proper balance of security and convenience must be obtained.

Socially, politically and technically our country has been focused on balancing security with freedoms, to maintain convenience. This is the wrong formula. We should be balancing security and convenience to maintain freedom.
 