Insider Threat

The FBI says 70% of attackers originate from inside the organization (or is it 80%). So why do we all talk about hackers and Internet-bound attacks?

The achilles heel of the Internet

It won’t surprise you if I say the achilles heel of the Internet is passwords. But the problem is not that our passwords are too weak: in fact, the bigger problem is that our passwords are too strong.

Preventing brute force password attacks is a problem we know how to solve. The problem is that web service providers have bad habits that cause our passwords to be less secure. Remember the saying “the chain is only strong as the weakest link?” If you are strengthening an already strong link in the chain but weakening another, you are not improving security and usually decreasing the overall security of the system. Those “bad habits”, mostly of web services that require a login, are all wrapped in supposedly ‘security concerns’: meaning some security consultant fed the CSO a strict compliance document and by implementing these rigid security methods they are actually making their users less secure.

Here are some examples.

Don’t you remember who I am?
What’s the easiest way to fight phishing? Have the web site properly identify itself. When the bank calls, most people don’t ask the person on the other side of the line to prove they are really from the bank (though they really should). The reason is you assume that if they knew how to reach you, they are indeed your bank.

So why not do the same for phishing? The bank of America uses Sitekey, which is a really neat trick. But you don’t have to go that far: just remember my username and I’ll have more confidence that you are the right web site. In fact, if I see a login page that does not remember my username I’ll have to stop and think (since I typically don’t remember all the usernames) and that gives me more time to spot suspicious things about the page.

If you can tell me what my username is, there are higher chances you are the legitimate site. But some sites block my browser from remembering my username, on the excuse of increasing security. Well, they’re not.

Let me manage my passwords

This is where most financial sites really fight me – they work so hard to prevent the browser from remembering my passwords.

Why? I can see the point when I’m on a public terminal. But what if I’m using my own laptop? By letting my browser remember the password I am decreasing the chance of phishing, and in fact if I know for certain a web site will let me remember the password (rather than force to type it in) I select a strong, complicated password – since I don’t have to remember it. In some cases I even stick with the random-assigned password; I don’t care as long as my browser remembers it.

But some people are stuck with “security!=usability” equation. They are wrong; in many cases usability increases security. This is one of those cases.

Not to mention they will almost always lose the fight. If paypal won’t let firefox remember the password, I’ll find ways around it. Or maybe I’ll just write a post-it note and put it on my monitor. All of those ways are less secure than firefox’s built-in password manager.

Oh, and forcing me to choose a strong password (‘strong’ being something absurd and twisted that makes no security sense)? Good luck with that. I don’t really mind these silly efforts just because they are so easy to circumvent they are not even a bother anymore. But just remember that putting security measures in place that will be circumvented by 90% of your users means teaching them not to take your security seriously.

Stop blocking me
Next week I will have my annual conversation with the Lufthansa ‘frequent flyer’ club support people. It’s a conversation I have at least once a year (sometimes more) when my login gets blocked.

Why does my login get blocked? Because I get the password wrong too many times. What’s “too many”? I wish I knew. Since I usually pretty much know what my password is, I get it right within 4-5 tries, so I guess Lufthansa blocks me after 3 or 4. I don’t know for sure, because I also need to guess my username (long story, lets just say Lufthansa has 2 sets of usernames and passwords and you need to match them up correctly). So the bottom line is that I get routinely blocked and need to call their office in Germany to release it.

Why are they blocking me? I’m guessing to prevent brute-force password attacks, and that’s a good thing. But why not release it automatically after a day? A week? An hour? Why not authenticate me some other way (e-mail)? I bet I can guess why: Because everybody that complains is told that “it’s due to security concerns”. Nobody can argue with that, can they? After all, security is the opposite of usability. Our goal as security professionals is to make our services not work, and hence infinitely secure.

So Lufthansa is losing my web site visit, which means less advertising money, and they are making me agitated which is not the right customer retention policy. Some credit card issuers like to do this a lot, which means I can’t login to see my credit card balance and watch if there is any suspicious activity. Now that’s cutting your nose off to spite your face.

Don’t encourage me to give out my password
How many web sites have my real twitter password? Must be over half a dozen, maybe more. If you are using any twitter client, you have given them your twitter username and password. If you are using twitterpic, or any of the other hundreds of web 2.0 that automatically tweet for you, they have your login credentials. Heck, even facebook has my twitter credentials – I bet Facebook can flood twitter in an instant if they decide to fight dirty.

Twitter wants me to use all these clients because it raises my twitter activity, and that’s ok. But there are plenty of single-sign-on methods out there, that are not too complicated, and are all more secure than spreading my real username and password all over the place. Even Boxee has my twitter login, which makes me think. If I was building a web 2.0 service and asked everyone who opens an account to give me their twitter login details – how many would do that just out of habit?
Giving my credentials is not necessarily a bad thing. Services like mint and pageonce are good because they make it unnecessary for me to login to all my financial web sites; the less I login the better: assuming these sites have better security than my own computer, I’d rather have them login to my financial accounts than me. This leap of faith is not for everyone – some will ask what happens if these startups go out of business. Cybercrime experts like Richard Stiennon will argue that an insider breach in one of those companies can be devastating. And of course Noam will say that until they’ve been scanned by Beyond Security he won’t give them any sensitive information. I agree with them all, and yet I use both and PageOnce. So I guess it boils down to a personal judgment call. I personally think there’s value in these type of services.

Stick with passwords

One thing I am almost allergic to, is the “next thing to replace passwords”. Don’t give me USB tokens or credit-card sized authentication cards. SMS me if you must, but even that’s marginal. Don’t talk to me about new ideas to revolutionize logins. A non-trivial password along with a mechanism that blocks multiple replies (blocks for a certain period of time, not forever – got that Lufthansa?) is good enough. It’s not foolproof – a keylogger will defeat all of those methods, but those keylogging Trojans are also capable of modifying traffic so no matter what off-line method you use for authentication, the transaction itself will be modified and the account will be compromised. So Trojans is a war we have lost – lets admit that and move on. Any other threat can be stopped by simple and proper login policies that do not include making the user wish he never signed up for your service.
There are other password ideas out there. Bruce Schneier suggests to have passwords be displayed while typing them. I think that makes absolutely no sense for 99% of the people out there, but I do agree that we are fighting the wrong wars when it comes to passwords, and I think fresh thinking about passwords is a good thing. The current situation is that on one hand we are preventing our users from using passwords properly, and on the other hand we leaving our services open to attack. That doesn’t help anyone.

Linux Kernel Bashing

This summer may have caused a few burden’s on linux administrators. By all the patching necessary to keep their systems out of the hands of those who would choose to exploit it, unless your using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit

A reliable local root exploit for that affects all linux kernels 2.x. Feels like 2003 all over again :X

Vanishingly small utility …

This system has had some discussion in the forensics world over the past few days.  Here’s an extract from Science Daily:

“Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer. The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them.

“The team of UW computer scientists developed a prototype system called Vanish that can place a time limit on text uploaded to any Web service through a Web browser.

[Perhaps a bit narrower focus than the original promise, but it is a prototype – rms]

“After a set time text written using Vanish will, in essence, self-destruct.  The Vanish prototype washes away data using the natural turnover, called “churn,” on large file-sharing systems known as peer-to-peer networks. For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide file-sharing networks. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.”

However, given the promise to clean up social networking sites, and as I started to read the paper, an immediate problem occurred to me.  And, lo and hehold, the authors admit it:

“We therefore focus our threat model and subsequent analyses on attackers who wish to compromise data privacy. Two key properties of our threat model are:
1. Trusted data owners. Users with legitimate access to the same VDOs trust each other.
2. Retroactive attacks on privacy. Attackers do not know which VDOs they wish to access until after the VDOs expire.
The former aspect of the threat model is straightforward, and in fact is a shared assumption with traditional encryption schemes: it would be impossible for our system to protect against a user who chooses to leak or permanently preserve the cleartext contents of a VDO-encapsulated file through out-of-band means. For example, if Ann sends Carla a VDO-encapsulated email, Ann must trust Carla not to print and store a hard-copy of the email in cleartext.”

So, this system works perfectly.  If you only communicate with people you trust (both in terms of intent, and competence), and who only use the system properly, and never use any of the information in any program that is not part of the system, it’s completely secure.

How often have we heard that said?

The default to privacy aspect is interesting, and the automatic transparency for the user as well, but this simply moves the problem one step back, as it were.  In terms of utility to social networking, the social networks would have to be completely rewritten to adher to the system, and even then it would be pretty much impossible to ensure that nobody would have the ability to scrape data and keep or publish it elsewhere.

(Plus, the data is still there, and so is Moore’s Law …)

C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.

Madoff, insiders, internal controls, and fraud

The Madoff story is extremely interesting, for a number of reasons.  However, primarily, the tales now coming to light of ongoing suspicions and investigations (such as this Wall Street Journal piece) point out the weaknesses and limitations of audit and internal controls in controlling insider attacks and fraud.

AVG’s NOPslide

AVG's NOPslide

AVG Technologies (formerly Grisoft) has been through a lot the last 17 years. Its almost considered an adult! From specializing in security software to… well actually they still do the same thing, they just focus greatly on antivirus and antimalware technology today.

In April 2006, AVG acquired Ewido Networks and bumped up their own antivirus’s version from version 7.1 to 7.5. Soon thereafter, Microsoft (!@#$) stated that AVG’s products would even be DIRECTLY available from the Windows Security Center in Vista.

Not cutting many corners, lets shift our focus now on AVG’s acquisition of Exploit Prevention Labs in late in 2007. AVG liked their ‘LinkScanner’ code and later released it in the next huge ‘revision’ of the AVG antivius suite, AVG 8. Now before I bash AVG 8, I will tell you that I used to be a big AVG fan. I always recommended it to everyone, whenever I had the chance. It WAS great — AVG offered advanced protection and ran so smooth and so clean. But at the moment, its bloated, clunky, very slow, a huge resource hog, and I am glad that I don’t have to use it. LinkScanner seems to have great intentions but has, so far, gotten off to a rocky start (or finish). A friend of mine warned me about it when it first was released, and I tried to give it the benefit of the doubt, keeping it on the ‘good’ list. I just simply don’t like the fact that it has been near ruined recently, thanks to AVG’s poor decisions.

Just like in poker, “Its about making the best decisions”, and how true that is when you think about it for the software industry too. Everyone makes mistakes, but AVG: PLEASE BE GOOD AGAIN!

Kaspersky’s SAFE Internet


Recently Kaspersky, the company who makes your favorite, or not-so-favorite anti-malicious software, called upon government and banking institutions to be more secure. But is it really up to these agencies to make draw the perfect picture of security, or should the end users stop making such bad decisions, both on and offline?

If these ‘safety nets’ are deployed, it won’t going to make the best out of security situation, but it will help. On the other side of the packet, using outdated software or insecure browsers (cough!*IE*cough!) that do little or nothing to protect the web surfers, directly and indirectly, should also be of major concern. Wouldn’t it be something if, when accessing one of these websites running INSECUREBROWSER, it suggested you use MORESECUREBROWSER, FOR SECURITY REASONS IF NOTHING ELSE? Woah, wouldn’t that be a different color light bulb. Especially if it was something like, say, Internet Explorer VS Firefox (Yes, I am saying that Firefox’s security is better than Internet Explorer. I believe both core and rendering engines are better, too).

Now, if they try to regulate the internet with security laws and cyber architecture boundaries, its just going to be one big mess. If you’d like one reason it wouldn’t work, just think about how outlawish the internet already is, and has been, since its inception. Then take a break and elaborate on it. I’m sure you’ll find more than one reason we can’t import some crazy set of regulations and actually believe they are going to work and/or solve our problems.

Here is some more fuel for thought: How about separating the internet for low and high bandwidth data flow. Interconnected, but bridged. Not a good idea? Well why not? As long as we are on the same network, there will be fighting over who owns what (more than just headers and footers). But as long as we put the big with the small, there is going to be controversy. There are going to be debates. This last part may have been a little off topic, but I feel like it needed to be said. Security isn’t made, its planned and implemented before regulation begins.