Immutable Security

When I went searching for a better interest rate for my emergency fund, I ran across a bank that offered over 5%, with relatively few restrictions. I thought this might be a good bank to work with.

So I set up an account, and immediately noticed some things that had me concerned from an information security perspective. The password length was limited to six characters, e-mails to their support contact resulted in a bounce message from two people who apparently no longer worked there, and they were leaking other information that gave me details about their internal network. This was all noticed without actively probing them in any way at all. Finally, when I brought the issues to their attention, the best response I got was that they were planning a system upgrade sometime around September.

In that case, the actual price to me of taking an action to protect my information security, assuming I had invested $25,000 with them, would have been almost $100 a month in lost interest.

Cost does not necessarily equate to price, though. Price can be expressly measured in very finite terms, where cost is often a collection of values. In the example above, we might say that the price is around $100 a month, but the cost could include stress, time and aggravation from a resulting security breach.

I am reminded of this lately with the recent news surrounding the backscatter x-ray machines currently in operation at US airports, combined with the “enhanced” pat-down procedures for those that refuse to go through the machine. I don’t think its too strong to say that we are left with the choice of having a revealing picture taken of us, or being fondled by a TSA agent.  This is the trade-off we are supposed to accept for enhanced security.

This might be an acceptable trade-off if the technology and procedures significantly reduced the risk of dying in a terrorist attack. But according to reason.com, the risk of dying in a plausible attack is actually far lower than the risk of dying by crossing the street, and this was before the machines. And when asked about the technology, Rafi Sela, a security expert at Ben Gurion airport in Tel Aviv, Israel, had this to say:

“I don’t know why everybody is running to buy these expensive and useless machines. I can overcome the body scanners with enough explosives to bring down a Boeing 747″

On the surface, it would seem that the machines simply aren’t worth it.

Now ask yourself how you would feel if the system stopped a major attack, and it could be shown that no other countermeasures would have stopped it? How would you feel if someone close to you was killed by a terrorist?

Or maybe the question is, how would you feel about your three-year old daughter being photographed by one of these machines?

These provocative questions go beyond the statistics to the essence of what we are–human beings. They at the same time expose our fears and our fallacies; our fear of attack and the fallacy of not being able to accurately intuit risk.

We’re being asked to pay a higher and higher price for our safety and security, but at what cost? Are these trade-offs worth it? Have we taken a rational look at the alternatives? Are we being led by fear, allowing our liberties to be usurped by largely ineffective security measures? Will our children accept this as normal and routine? How far will it go? Before you answer, could you have envisioned this even five years ago?

At what point will the answer simply be, “No!” Security always has trade-offs. What are you willing to give up in the name of security?

I recently had the displeasure of visiting the hospital emergency room when a family member needed some urgent care. Thankfully, everything turned out OK, so while I was sitting there waiting (and waiting.. and waiting), I had the opportunity to observe some information security practices in action.

Doctors and nurses were making heavy use of laptops, both on portable carts and by simply (awkwardly) carrying them around. Clearly, a wireless network was in use. Of course I didn’t attempt any actual assessment other than observing how people handled information.

While we was seeing the patient, one doctor placed his laptop on a trash can with a slightly pitched lid. I noticed that the laptop was starting to fall while he was, well, being a doctor, and intercepted it before it could crash to the floor. He was just trying to do his job (being a doctor that is, not a techie).

The intake lady (I don’t know what her title was) handed me a bunch of legal agreements to be signed. These were basically consents for treatment and payment, without which I assume we would not have been seen.

The forms simply had big X marks where I was supposed to sign. I noticed that most of the areas where one had to make a choice were not filled in. For example: did I wish to allow electronic access to the records or not? If I followed the instructions of the intake lady I would have simply signed on the dotted line, while my silent choice could have easily been made for me later.

I opted out of access to electronic information, but as I was waiting (and waiting.. and waiting), I started to wonder if that was the wrong choice. The form asked if I wanted to allow authorized users access to electronic information. It did not speak to the storage of said information, which undoubtedly is still electronic. So by not allowing authorized users access to information which is likely already stored electronically, I may have simply made their job harder, while the bad guys, who don’t care about access controls and agreements, might have a crack at it anyway.

The information security problems I observed had little to do with technical security. One doctor was struggling with an awkward laptop. That laptop almost became a write-off and would have probably resulted in some downtime for his to access information (availability). Another problem had to do with consent to access information. While it seemed to be well-intentioned (and probably mandated by HIPAA), the net security effect of my decision didn’t seem to matter much.

Information security is about allowing people to do their job effectively and getting out of the way. It is our job as security professionals to study how other professions operate so that we can enable them to work effectively, with safety of information built into that workflow. It is also about finding the subtle nuances of the controls we put in front of people and thinking it through the entire way. It’s a game of “what ifs,” which often leads to surprising conclusions.

From the “What can we do to stop terrorism, without actually addressing terrorism” department, comes the news that scientists are researching how to sniff out scared people at checkpoints.

In the research, scientists discovered that they could literally detect the pheromones produced when someone is afraid. That’s not so surprising, but what is mind-boggling is that one of the proposed implications of the research is to be able to identify “scared” terrorists.

I’m not even sure where to begin with this one, but let’s give it a try. Here are just some of the potential vulnerabilities in this stupid idea:

• Many terrorists seem to be so brainwashed into believing that they are about to get 72 virgins that they’re probably more likely to be a bit “happy,” rather than scared if you know what I mean.
• Sociopaths won’t be scared.
• When we recently took my three year old daughter through an airport checkpoint she probably would have been tagged. It would have been because they took her Cabbage Patch doll to scan for hidden bombs.
• We better hope there are no nearby spiders and arachnaphobes.

Do I really need to continue?

Fighting terrorism with stupid ideas like this only serves to take the focus off those areas where we need to pay attention. With limited resources, we can’t afford to divert our attention from those techniques law enforcement has been using for years and which are proven to detect and stop criminals.

This idea smells stupid because it is.

VoIP, or Voice Over IP is quickly usurping traditional phone lines. It’s not hard to understand why. VoIP service allows you to do things previously impossible with traditional phone service. You can use physical phones or an application on your computer. You can setup internal company PBX systems previously only available to those with lots of money. You can even use VoIP to answer your front door.

The insecurities of VoIP are being discussed, but few are listening. We already know that VoIP is insecure in many ways. But I have not heard much discussion about the practical implications of VoIP insecurity. The discussion is still a bit too academic.

Let me give you an example. Most providers that I know of do not support transmission over TLS/SSL. The practical implication of this is that whatever you discuss is being transmitted over the Internet in the clear. It is fundamentally no different than putting the same info in an e-mail.

If you have VoIP service or are considering it, consider whether you would be confortable transcribing what you are about to say and sending it in clear-text e-mail. If your conversation contains SSNs, credit card numbers, passwords or your strange affliction for <insert subject of fantasy here>, you may want to reconsider discussing it in a VoIP call.

In the June 2009 issue of the ISSA Journal, I wrote about my experiences setting up utilities and other essential services after a cross-country move. I detailed how I was able to not disclose my social security number after only some gentle persuasion. I had another success today. A visit to my new otolaryngologist (ear, nose and throat doctor) was  successful in not disclosing my SSN. Now, both of us are protected from the liability of having to handle this information. Although they still have serious responsibilities to protect my PHI, at least that’s one less thing both of us have to worry about. It makes one wonder why the information is requested in the first place. Like many business processes, I suspect it’s simply something that works and therefore, they haven’t had a strong incentive to change.

You can help to change these types of practices. The next time someone asks for your SSN or other sensitive information, cheerfully discuss what other options may be available to you. You may be surprised to learn that it’s not really necessary, but a simply a formality from days past.

Welcome to Immutable Security. It is my pleasure to begin this journey with you. As we move on, we’ll cover topics of interest to information security practitioners and those who value privacy and liberty in the information age.

Why another blog? I have a few reasons for wanting to contribute to the dialogue:

1. Too may security blogs focus on the vulnerability or exploit of the day, while ignoring the bigger picture. We’re stuck in this cycle of reaction to the latest threat, when the sad reality is that most organizations fail at the security fundamentals. We need to take a step back to explore where the world of information protection is heading, and whether we’re working on the right problems.

2. The digital age has made handing over you fundamental rights to liberty and privacy all to easy. Whereas the first-sale doctrine was once well understood, licensing terms on digital goods constrain what we can do with goods we legitimately purchased. Fair use is attacked en-masse with DMCA take-down notices, while digital locks prevent us from something as simple as taking a small excerpt for classroom discussion. And just when we thought we were doing the right things, the terms change. The balance has shifted unnaturally from the consumer to the rights holder. This deserves attention and discussion.

3. In my career in information security I have learned so much from others. I feel I have something to give back. I would not be where I am today had it not been for others posting their tips-n-tricks on the web. While many of the postings will be conversational, expect deeply technical postings, as well. I’ll share what I have learned so that you may better protect yourself.

I hope you stick around for the ride. It’s sure to be an interesting one.