Risque Management : Stupidity

When security doesn't work

Slav — Mon, 28 Dec 2009 04:02:00 GMT

A few days back, a hater named Umar Farouk Abdulmutallab tried to explode an airplane and kill 289 people aboard and maybe more on the ground. He was stopped by another passenger, Jasper Schuringa, a Dutch movie maker.

The US Department of Homeland Security and its Transportation Security Administration quickly issued statements. They introduced new security measures. The TSA doesn't really say what those measures are, but various reports and airline Web sites mention stuff like this:

Air Canada said in a statement that new rules imposed by the Transportation Security Administration limit on-board activities by passengers and crew in U.S. airspace. The airline said that during the final hour of flight passengers must remain seated. They won't be allowed access to carryon baggage or to have any items on their laps.

Flight attendants on some domestic flights are informing passengers of similar rules. Passengers on a flight from New York to Tampa Saturday morning were also told they must remain in their seats and couldn't have items in their laps, including laptops and pillows.

Note this: if the rules were already in place and the passengers strictly followed those, Mr. Schuringa wouldn't be able to subdue the terrorist: he had to leap over few seat rows to do that. Apparently, it's no longer allowed. It doesn't matter that explosives and flammable liquids were not allowed on the plane in the first place, and the TSA failed to enforce them. They issue a new ruling that doesn't make sense (last hour, huh?) and is almost impossible to enforce. Reminds me of the TSA requirement not to congregate on a plane headed for the United States.

This is not security, this is damage control. Happens too often in the government, and in the corporate world as well.

Doing your job is hard but not impossible: analyse why security measures failed, and correct the problem. If the measures are wrong, try something new. Like, in case of transportation security, sedating all passengers.

It is okay to acknowledge your errors. But it is a definition of waste not to, and keep doing same. Take information security. Firewalls don't work? Implement more firewalls. Intrusion detection systems don't detect intrusions? Rename them intrusion prevention systems, and spend some more. Sounds familiar?

US Senate: security through (more) bureaucracy

Slav — Sat, 04 Apr 2009 23:15:00 GMT

When I first read the news on the Washington Post web site, I thought this is a 1 April joke: Senate Legislation Would Federalize Cybersecurity. The April Fool's day has come and gone but all the signs are to that this is for real: the press releases trumpeting arrival of the legislation are still there. The bill's summary is available from the US Senate Web site (I cannot find the full text of proposed legislation yet). The problem definition is a typical scaremongering:

This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure. We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure–banking, utilities, air/rail/auto traffic control, telecommunications–from disruptive cyber attacks that could literally shut down our way of life.

So get ready for digital Pearl Harbor. Real one: Conficker virus, another April Fools' event, which some described as just that, caused zero noticeable impact.

Coming from professional politicians, the bill unsurprisingly proposes to improve the cybersecurity situation by introducing colossal new bureaucracy, headed by the US Cybersecurity Fuehrer (or Tzar, or Leader, if you so wish). If it becomes a law then the governemnt will have control over information security matters in private sector:

The legislation would require the National Institute of Standards and Technology to establish measureable and auditable cybersecurity standards that would be applicable both to government and the private sector.

Although the press release and the summary mention specifically critical infrastructure controlled by private entities - utilities, banking, transportation, health and telecommunications - apparently the bill's scope is not limited thereto. That would dwarf Sarbanes-Oxley and HIPAA information security rackets and create massive compliance burden on the economy. Layers upon layers of firewalls, "endpoint security" and "intrusion prevention" technologies, and regular compliance audits may become mandated by the law.

The bill would also attempt to place a dollar value on cybersecurity risk. Ironically placed uder the Foster innovation section, it means this:

The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.

Welcome to the cybersecurity cap-and-trade scheme!

This is not the first attempt to create cybersecurity bodies in the government. Think of the DHS and its Cybersecurity Center, the people who brought us this:

Yet according to the senators all the efforts have basically failed. Maybe that signifies a problem with the approach? It does. Government-mandated dogma is not a substitute for a pragmatic approach to security threats.

Compliance is not security

Slav — Mon, 16 Feb 2009 02:50:00 GMT

Tim Holman comments on the latest card processing system breach:

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants:

http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

I took a moment to see if they were PCI Compliant and they were audited in March 2008 by Trustwave:

http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf

QSAs cannot be held liable for customer breaches, but seeming the compromise occurred only a few months after their final audit it does bring into question PCI DSS auditing practices and whether or not they're just 'tick in the box' or actually leave companies with a long-lasting compliance strategy that actually helps merchants/service providers remain compliant.

Yes, they are just tick in the box. If you look at a security certification audit (any kind thereof), it's mostly hands-off process confined within a scope that leaves most of windows of opportunity out. And the auditors have no accountability for the ongoing business security. Corporate bureaucracies are magnifying the problems by resisting changes (and real security tests) originating from within the organisation, and putting most trust in the assorted audits instead. "Audit remediations" are getting more focus and resources than the real issues. In too many cases, internal security operations give up security and become compliance-driven. That is a recipe for trouble.

One might say that something is better than nothing. I reject that notion: it is better to do nothing than spend time and money on something that results in worthless certification, while security stays poor. HPY is yet another proof.

Virtually hopeless

Slav — Mon, 30 Jul 2007 08:54:00 GMT

I don't know if that's CIOs, or the press, or both. Recently Byte & Switch, CMP Technology's zine on storage networking, published a chef d'oeuvre on troubles with virtualisation. Some amazing thoughts by the captains of the industry. Take this one:

Time is definitely a major concern of ours," said Jim Steinmark, director of architecture and engineering at Fidelity Investments. "One of the big challenges is the time that it is taking to get people to accept virtualization as a production-ready technology," added the exec, who uses VMware, Citrix, and SoftGrid within his infrastructure. For this reason, Steinmark estimates that it probably takes 40 to 50 percent longer to get an application deployed on virtual machines than it would on physical servers. A complex virtual application shared by a number of different users, he said, could easily take a year to deploy.

The whole idea and practice of virtualisation is to implement an efficient hardware abstraction layer. Applications don't know and don't care if they are running in a virtual machine. Even detecting virtual environment is not a trivial task. How it will increase implementation time at all is beyond me. Any clues? Here's another product of disturbed minds:

Another attendee, George Scangas, lead IT infrastructure analyst at Welch's Foods, warned that developers are often the hardest group to get on board. "A lot of them are from the old school of thinking -- they want to run [applications] on a physical box," he added.

If developers have concerns like that, they are thoroughly unprofessional (Mr. Scangas's colleagues definitely are).You cannot develop application for a box with redundant power supplies and six cooler fans inside. With few exceptions (like device drivers, operating systems and virtual machine hypervisors) applications have requirements like certain operatins system, runtime libraries, disk space and available RAM - nothing that cannot be provided in a virtual environment. And if there's somebody who's hard to get onboard, that is not developers or system administrators.

How to prevent 1% of cybercrime?

Slav — Fri, 04 May 2007 22:50:00 GMT

An interesting picture appears on the PBS Shop Web site:

Because of what it says I felt an urge to click on it. The first attempt (a right-click) resulted in the following message box:

I think the law that prohibits copying the picture doesn't exist. Otherwise my Web browser would be breaking the law by caching the picture, for example. And the trademark law, at least in Australia, USA and other Western countries, actually allows nominative fair use (as well as parody).

But I don't need to do any copying anyway. The "HACKER SAFE" picture above is provided to you directly from its source, controlscan.com (and "certifies" sites other than this weblog). Clicking on it will show a page that says, among other things:

Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime.

I would be really interested in the methodology of that research. Why 99% and not 99.9%? But mentioning research is just weasel words here.

The company that brings you the "HACKER SAFE" picture provides many services related to Web security and privacy protection. Every single one comes with its own picture (they are called "trust seals"):

That, as I wrote, gives a false sense of security. Looking at the service offerings reveals more interesting facts:

The company provides vulnerability scanning for those who need to be compliant with flawed and largely useless Payment Cards Industry Data Security Standard;
The company offers vulnerability scanning bundled together with EV SSL certificates - overpriced ones, supposedly more secure and with questionable benefits;
EV SSL certificates are positioned to secure E-Mail applications among other things. Internet email standards generally don't require a browser, and current EV certificates' main distinction is the green address bar in IE7. You can encrypt SMTP using SSL but the fact that the the SSL certificate is Externed Validation will make exactly zero difference compared to any other SSL certificate. I won't be surprised though if EV flavour of mail signing certificates will emerge;
And the certificates are positioned as those giving the Highest Level of Digital Encryption available in industry - even though the level of encryption doesn't really have much to do with the type, or issuer, of the certificate.

Vulnerability scanning has its value. It's a very basic security control mechanism that allows to identify trivial system administrators' mistakes independently of their process. But it doesn't prevent 99% of security exposures. If it does, what about the remaining 1%? Is one attack out of a hundred successful? One attacker out of a hundred? That doesn't make sense.

In the example above we see how aggressive marketing can be misleading, even deceptive, and therefore diminish the value of otherwise useful service.

News: Web is dangerous

Slav — Tue, 01 May 2007 01:38:00 GMT

VoIP is scary, if you rememeber. Now, there's something else that is scary: WWW, the World-Wide Web. And thanks to Tim O'Reilly and his invention of Web 2.0, it's scarier than ever.

As in: there's much more to FUD about. Here's a perfect example: Web 2.0 Threats and Risks for Financial Services (by Shreeraj Shah). It's full of dung, as pretty much any other FUD. But being targeted at the financial industry (people with your money) it excels at that. Let's analyse:

The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if it can be converted into RSS format.

RSS is just a way of delivering dynamic content (not quite a format), and not much of financial information really can use RSS. Market news (think of Reuters and Bloomberg services) and that is pretty much all. And the model is simple: authenticate and deliver content securely. RSS has no security implications here. And where the figure of 95% came from?

Ajax, Flash (RIA) and Web Services deployment is critical for Web 2.0 applications. Financial services are putting these technologies in place; most without adequate threat assessment exercises.

Of all corporations, financial industry is one of the most conservative. Every technology that is used undergoes rigorous assessment. And adequate (to the organisation's risk management and regulatory requirements) security is one of the top priorities there. The process of the evaluation may not be the most efficient, but that's a different issue - nothing to do with Web. Besides, Flash belongs more to entertainment industry: it's neither critical nor required by financial institutions for business-critical applications.

In the last few months, several cross-site scripting attacks have been observed, where malicious JavaScript code from a particular Web site gets executed on the victim’s browser thereby compromising information on the victim’s system. Poorly written Ajax routines can be exploited in financial systems. Ajax uses DOM manipulation and JavaScript to leverage a browser’s interface. It is possible to exploit document.write and eval() calls to execute malicious code in the current browser context. This can lead to identity theft by compromising cookies. Browser session exploitation is becoming popular with worms and viruses too. Infected sessions in financial services can be a major threat. The attacker is only required to craft a malicious link to coax unsuspecting users to visit a certain page from their Web browsers. This vulnerability existed in traditional applications as well but AJAX has added a new dimension to it.

AJAX doesn't add any new dimension to the XSS attacks: both the attack techniques and the ways to prevent cross-site scripting haven't changed.

One of the key elements of Web 2.0 application is its flexibility to talk with several data sources from a single application or page. This is a great feature but from a security perspective, it can be deadly.

And may be not. The decision to use multiple data sources is driven by functional requirements. And it can be well-secured.

Web 2.0 based financial applications use Ajax routines to do a lot of work on the client-side, such as client-side validation for data types, content-checking, date fields, etc. Normally client-side checks must be backed up by server-side checks as well. Most developers fail to do so; their reasoning being the assumption that validation is taken care of in Ajax routines.

At this point, an example is necessary. Abstract applications and developers aren't good enough. In the past couple of years the developers actually have learnt server-side data validation and more often use it than not. And the risk is of stupid developer, not of AJAX - if anything, AJAX is raising the bar for developers.

Web Services are picking up in the financial services sector and are becoming part of trading and banking applications. Service-oriented architecture is a key component of Web 2.0 applications. WSDL (Web Services Definition Language) is an interface to Web services. This file provides sensitive information about technologies, exposed methods, invocation patterns, etc. that can aid in defining exploitation methods. Unnecessary functions or methods kept open can spell potential disaster for Web services. Web Services must follow WS-security standards to counter the threat of information leakage from the WSDL file. WSDL enumeration helps attacker to build an exploit. Web Services WSDL file access to unauthorized users can lead to private data access.

Mr. Shah seriously suggests that security though obscurity is essential. That's rubbish.

A lot more analysis needs to be done before financial applications can be integrated with their core businesses using Web 2.0.

If we need analysis, that must be nothing like Mr. Shah's.

False sense of security

Slav — Thu, 19 Apr 2007 09:31:00 GMT

Anyone noticing security seals on the Web sites? If not, here's how they look like:

This is how they work: you click on the seal, and a pop-up window opens telling you that the bearer of this is indeed who they claim they are. Plus some marketing material and sometimes a link to abuse report form. Please go to the web sites of the SSL certificate vendors to see this amazing functionality yourself. Moreover, according to Verisign:

Displaying the seal on your Web site can increase visitor-to-sales conversions, lower shopping cart abandonment, and result in larger average purchases.

They also call it a trust mark. Never mind that the real trust mark is the padlock that is displayed by the browser. Well, there's one problem with that: not too many people are paying attention to the padlock. So someone in the marketing department came up with the seal idea.

In reality the seals closely resemble Web page ads. And they have a similar role: the seals allow vendors of SSL certificates to collect information about visitors of the owners of Web sites using those SSL certificates. Thawte even displays a convinient invisible image (https://extended-validation-ssl.thawte.com/dot_clear.gif), the type often used for user tracking, to those who click their seal.

Meanwhile the users tend to ignore picture ads - especially those saying "click me". So the primary, advertised function isn't achieved. Not that the picture, or the pop-up windows prove anything. Spoofing is trivial.

Commercial certification authorities must end this practice. As something that gives false sense of security, the secure seal is bad for security.

VoIP threats are seriously overrated

Slav — Mon, 26 Mar 2007 09:13:00 GMT

For over a hundred years, the public switched telephone network (PSTN) has gained reputation of stable and secure service. Even though it's neither: it is indeed very hard to bring down a whole telco network, but local outages are not unseen; and wiretapping is somewhat trivial attack - but financial institutions bravely offer phone banking without any additional logon protection. Cordless and mobile phones took PSTN security paradigm to radio spectrum.

Enter Voice over IP. All of a sudden, VoIP Is Scary. We have VoIP vulnerability scanners and SIP firewalls. Consultants and press endlessly warn us about VoIP threats and risks. Some bits are just lovely:

We will also start to see more and more VoIP specific attacks, particularly aimed at the enterprise. There is more and more scrutiny of VoIP systems and attackers will find more issues that are unique to VoIP and the systems that enable it.

This is one of VoIP security trends for this year, according to Mark Collier, a VoIP security blogger and speaker. I can't help noticing that VoIP can be really replaced with any relatively new but popular technology (XML Web services, AJAX, peer-to-peer networks), and it still going to be a trend for this year. Hackers, you know. Reminds me of the Cisco's security CTO moronic escapade about Vista.

Someone needs a reality check: VoIP still offers a telephone service. And you shouldn't expect more than PSTN security levels - unless you intend to create closed, strictly controlled network. One may argue - telephone switches are now using commodity hardware and operating systems, so risk of attack is higher. I'd say - by replacing security through obscurity with commodity system security, we have good chances of increasing overall security. Anyone who thinks that proprietary systems are safer can be disillusioned by reading Phrack and 2600. So don't worry too much - VoIP isn't scary after all.

Forbes on public Wi-Fi: You Get What You Pay For

Slav — Sun, 18 Mar 2007 17:24:00 GMT

Forbes, a respectable business magazine, writes about wireless security in the issue of 26 March 2007:

Computer security firm Authentium in Palm Beach Gardens, Fla. warns about an emerging Wi-Fi fraud aimed at air passengers. What road warriors sitting in a departure lounge think is a free authorized Internet connection turns out to be an "ad hoc" network broadcasting from the laptop of a scamster sitting nearby. Besides collecting passwords and credit card numbers, the crook might even install software that will later forward other private data. One tip-off: The wireless connection window the unwary traveler often sees labels the tainted free site a "computer-to-computer network".

Threats from rogue wireless access points aren't new - I wrote about disabling Windows firewall and exploiting Intranet zone using those a while ago. However, this Forbes article highlights two important problems with communicating technology issues to the businesspeople: wrong assessment and wrong advisory. I am under strong impression that by using executive summary language, consultancies, research companies and the press fail communicating real issues to the decision makers. That's because they often those translating the original information into executive summaries and press releases, often are saying what their audience want them to say - and without much understanding of the information in question. And if quality of the original research is substandard (which I think is the case with Authentium's Wi-Fi alert), the things only get worse.

Another evidence - IDG's PC World's take on the same Wi-Fi issue:

The next time you're at an airport looking for a wireless hot spot, and you see one called "Free Wi-Fi" or a similar name, beware -- you may end up being victimized by the latest hot-spot scam hitting airports across the country.

You could end up being the target of a "man in the middle" attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen, end up with a spyware-infested PC and have your PC turned into a spam-spewing zombie. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.

If you're a Windows Vista user, you're especially susceptible to this attack because of the difficulty in identifying it when using Vista...

The problem is that it's not really a hot spot. Instead, it's an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you're using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.

In addition, because you've directly connected to the attack PC on a peer-to-peer basis, if you've set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.

Such a pile of rubbish - as usually, with a twist of Vista-bashing.

Now, let's analyse:

Positioning the rogue AP attack as happening mostly in airports is wrong. We get those rogue access points everywhere now, the last one I saw in the lobby of Westin hotel in Seattle. Municipal Wi-Fi projects will set expectation for wireless service being available not just in select spots, but in entire business districts;
Name of the service/access point, or the fact that the service is free, is irrelevant. Title of the article in Forbes - You Get What You Pay For - falsely attributes the attack to free services. In fact, paying customers of T-Mobile access points (found in Starbucks all over the States - I'm using one in SFO airport right now), and other commercial operators, are perfectly susceptible to the attack;
It's not only computer-to-computer networks that may exploit unsuspecting users - access points are equally dangerous;
There is no "free authorized Internet connection" that is mentioned by Forbes. The word "authorized" doesn't make sense here.

Keeping your system locked down, and using SSL or VPN for sending credentials and accessing private information will make the man-in-the-middle attack much harder if possible at all - and Vista does help here. I challenge black and white hats of the world to compromise my laptop using a rogue wireless connection. I'm afraid, fixing communications around information security issues will be at least as difficult.

Mobile banking is a bad idea

Slav — Mon, 12 Mar 2007 04:43:00 GMT

New mobile banking products are rolled out every so often. The latest example is www.takeyourbankwithyou.co.nz. That's a Java applet that Kiwis are to download on their Java-compatible mobile phones (but not BlackBerry handhelds; and not Windows Mobile devices) to manage their accounts at National Bank of New Zealand.

Someone's not getting the signal. WAP's dramatic failure wasn't enough. Just to remind you: WAP (Wireless Application Protocol) was was a protocol similar to HTTP, using a cut-down version of HTML (called WML). It was optomised for small-screen, small-bandwidth devices. WAP picked up really well in the devices (e.g. mobile phones) . However, while new WAP services tried to make it to the market. all high-end phones started to support HTML quite well, eliminating the need for WAP (the other part of the mobile phone market doesn't need much but voice calls and perhaps SMS).

So WAP has been doomed. However, ideas of special services designed for mobile devices with special features - those different from general-purpose PCs - are still popping up every now and again. Even after Apple's iPhone presentation, which point was to show that the general-purpose Web browsers will make it to the phone.

So enterprise architects and business people - please, stop designing something for my mobile phone. Just make sure that your Web application works on a smaller (not that small) screen. And doesn't require separate user registration.

A new cult of personality

Slav — Fri, 09 Mar 2007 17:53:00 GMT

Inspired by Qantas inflight entertainment.

Devil Wears Prada is about a despotic CEO who turns out to be kinda cool - after transforming somebody to someone else, more to her standards.

The Queen is not about a CEO. Well, not only. It's about a chairwoman who is detached from what's going on in her organisation (having only a limited exposure through senior management) and tries to get to terms with the CEO. Tony Blair in the movie looks more like Nicolas Sarközy today - I wonder if the authors plan a sequel.

Anyhow the micro cults are all over the place, fueled by the media. Linus Torvalds doesn't play the cool CEO game, and suddenly he doesn't matter. Meanwhile, Eric Schmidt, a hired suit who presided over chain of failures at Novell and Sun, suddenly becomes a visionary. That is really stupid.

Readers who are current or aspiring CxOs - please don't take it personally. There's nothing wrong with your aspirations or achievements as such. Plus, I have an ultra-excuse: I'm very jet lagged.

Analysing phishing white noise

Slav — Sun, 04 Mar 2007 09:37:00 GMT

Phishing is a big problem, and it grows in both volume and sophistication. Nothing new. The sky is falling. You've been warned. There's one thing that was bothering me for a while: why the absolute majority (at least four out of five) of the phish that...(read more)

Resist googlisation!

Slav — Sat, 24 Feb 2007 09:57:00 GMT

I don't use Google Search . That's because I see dangerous thing going on: googlisation of everything. Too often people say "just google for it" referring to the way to get facts, without realising that Web search is only going to return the most popular...(read more)

The most secure modern OS, Part I

Slav — Fri, 23 Feb 2007 07:17:00 GMT

It's in wide use, it's mature yet modern (a new version was released just recently), and it's the most secure consumer OS out there. It's a Microsoft product. The OS in question is Windows Mobile. Formerly known as Windows CE, it became nameless power...(read more)

Life without firewall and antivirus

Slav — Thu, 22 Feb 2007 03:19:00 GMT

I don't run firewall or antivirus software on my personal computer. And the operating system there isn't Mac OS. And I work logged on as the Administrator. The reason is simple. I want to know if the intruders out there will outsmart me - by coming up...(read more)

Kashrut, Sarbanes and Oxley

Slav — Wed, 21 Feb 2007 07:30:00 GMT

This is about interpretations, and how they transform law into something unrecognisable. The first example is karshrut, the orthodox jewish diet. Its origins can be traced mostly to the eleventh chapter of the third book of Bible (or Torah, if you like...(read more)