Culture

What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now lets see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to login he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lock outs not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.

 

Budget and the chain of evidence

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)

This is [phishing] news?!?

We seem to be missing the boat on security awareness of phishing attacks: it’s not just for bank and credit card accounts anymore.  This article notes the “DHL,” “tax refund,” and similar queries.  I would have thought these were obvious, but they seem to be the most successful ways to get spear phishing and APT information.

Art, hacking, privacy, and the US Secret Service

“Media artist” creates a form of spyware using Macbook webcams.  Runs it on computers in Apple Stores.  Apple calls Secret Service about the artist.  Lots more.  Some interesting and provocative concepts in the article, covering privacy, legality, search and seizure, and the fact that people show little affect when working with/on computers:

http://www.wired.com/threatlevel/2012/07/people-staring-at-computers/all/

REVIEW: “Learning from the Octopus”, Rafe Sagarin

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use  and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714

Security Transcends Slogans … or not …

I have just got off the phone with a marketroid.  In the course of our conversation (no, I usually don’t talk to them, but this turned our to be a special case), I was explaining to her about ISC2 and the CISSP.  She was puzzled by an annotation on my file with her company, and it wasn’t making sense in terms of what I did, and what their ERM/CRM system was saying about me.

When she looked at the ISC2 Website, during our conversation, she immediately noted the “Security Transcends Technology” slogan.  I dimly recall the great fanfare when this was introduced about 9 or ten years back: our (marketing department’s) proud statement that we were not mere technologists, but covered the whole realm of security.

Well, apparently that’s not what it says to some people.  The simple existence of the “technology” word in our slogan seems to trigger an immediate pegging of us as mere techies.  All of us CISSPs are just basic firewall admins.  We are not
transcendant.

Back to the marketing board … ?