Archive for the ‘Research’ Category

WPA Cracked

August 28th, 2009 No comments

PhysOrg.com and many others are reporting a new attack against WPA encryption, which is used in wireless networks. While WEP encryption has been proven to be all but worthless, attacks against WPA have mostly been limited to academic and brute-force attacks.

The two Japanese scientists apparently have found a method to crack WPA when it is combined with the TKIP algorithm. However, the attack does not apply to WPA2, a more recent version of the standard, when it is combined with AES.

This might be a good time to verify the settings on your home wireless network. If the option to use AES and WPA2 is present, it makes sense to use it. But I wouldn’t rush home in a panic.

While you’re in there, make sure your admin interface requires a strong passphrase and your WPA2 keys are equally protected. At least for the keys, use a strong, randomly generated password since you generally only have to key them in once per device. Here’s an online generator you can use from grc.com.
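To make the "strong, randomly generated password" advice concrete, here is an added example (not from the original post or from grc.com) that generates a WPA2-PSK passphrase with the `secrets` module, reports its entropy, and derives the resulting Pairwise Master Key the way 802.11i does (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt). Because anyone who captures a handshake can test candidate passphrases offline against that derivation, passphrase entropy is the only real protection a PSK network has; the function names and the sample SSID are this example's own choices.

```python
import hashlib
import math
import secrets
import string

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length: int = 63) -> str:
    """Return a uniformly random passphrase drawn from ALPHABET (CSPRNG-backed)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key as specified by IEEE 802.11i.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32).
    The SSID acts as a salt, so the same passphrase yields a different PMK on
    every network name, and a precomputed table is only useful for one SSID.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at a given offline guessing rate."""
    return 2 ** entropy_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ssid = "HomeNetwork"  # constructed sample SSID
    for length in (8, 20, 63):
        bits = passphrase_entropy_bits(length)
        # Assumed rate of 1e6 PBKDF2 evaluations per second for illustration only.
        print(f"{length:2d} chars: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, 1e6):.3g} years to exhaust at 1e6 guesses/s")
    passphrase = generate_passphrase(63)
    print("passphrase:", passphrase)
    print("PMK:", derive_pmk(passphrase, ssid).hex())
```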

Categories: Encryption, Research, Vulnerabilities

The Ethics of Probing Web Applications

August 26th, 2009 1 comment

I have observed a trend recently that has me internally debating the ethics of the practice. Security professionals are probing public web sites for vulnerabilities, then going through a “responsible” disclosure process with the owners of the site. Then they blog about their exploits and how responsive the owner was to being notified.

How is this different from traditional hacking by the bad guys? Does the disclosure process make it any better? Does the fact that they do security for a living and write for security journals make it more ethical? And what of the applications that are vulnerable to routine exploits? What does one do with a successful SQL injection query that just gave you a table full of social security numbers?

On the surface, it seems unethical to me. Attempting to break access controls, even if they are weak, is unethical and maybe illegal. Doing something untoward against another computing resource for which you do not have authorization is treading on thin ice.

But there’s another side to the story here. Applications are moving more towards the software-as-a-service, or SaaS, model. Whereas once you would have been able to download the software and legally and ethically reverse-engineer it, now the application is only hosted on another computer. This changes things in a big way, since you’re working on someone else’s computer now.

The argument could be made that since the application is public, there is an expectation that it will be poked and prodded, so it might as well be the good guys who do it. The bad guys aren’t going to go through a responsible disclosure process, so by the good guys testing the application and making the flaws known to the application owner, everyone benefits (as long as they actually fix it). It can also be said that for security to continually improve, we have to continually test it. If the world is moving towards a web-centric model, we have to move with it.

Honestly, I can see both sides; yet, I am still left with the feeling that, in many cases, it’s nothing more than the security guy trying to have some fun and make a name for himself. If that’s the case, he should carefully consider what that name may be.

Drop the Password and Step Away from the Computer

August 25th, 2009 No comments

I’d like to start by apologizing to all who I have forced to create complex passwords. They made me do it. I know it’s cruel. You’re a human being, and I failed to see that.

Information security, despite being centered around computers, is not a discipline practiced by computers. It is practiced by people. Human beings design the software and hardware, they write the processes and procedures and they are the attackers. Information security is a human problem.

Why then, do we design security solutions that address the machines? That would make sense in a world of androids, but we’re dynamic, emotional and flexible. Designing security solutions that match these characteristics makes sense.

Passwords are a perfect example of a security measure that doesn’t match our human needs. We require people to conform to archaic rules: they must be a minimum of eight characters, complex, not a dictionary word, upper and lower case, and not guessable. Don’t use a birthday, anniversary date, spouse or child name, or your favorite sports team. Don’t write them down. Don’t share them. In other words, submit to our technologically-advanced torture device.

We ask social beings to not be socially-engineered. We ask grandmothers to patch their computers. We tell everyone not to click on links and open attachments, except for those that point to company policies. We tell them that e-mail can be spoofed and let them figure out the cruel joke.

When people forward warnings about the latest threat, we call shenanigans and usually point out that it’s a hoax. When they try to backup their data, we tell them that it’s not encrypted. When Google entices them with “the cloud,” we warn of thunderstorms in the cloud.

I’m fully expecting an uprising of unassuming office workers everywhere, rounding us information security geeks up and making us watch Punky Brewster reruns.

If information security is to progress, if it is to provide new solutions to age-old problems, if it is to innovate, we need to take the focus from machines and place it where it belongs: with people. Developers need simple and fun tools, where writing secure programs is more akin to gaming. User interfaces need to anticipate and conform to the behavior of the end-user and get out of the way. Executives need such a strong financial incentive to endorse an effective security program that to not do so could be seen as irrational.

When information security can be seen as a close cousin to the hospitality industry, we will have made some significant headway.

As for me, I have an SSL certificate warning to click OK on.

Categories: Research, Secure Design

Research Attempts to Predict Attacks

August 19th, 2009 No comments

Computer scientists at the University of California, Irvine are using predictive systems in an attempt to know who might launch an attack. Similar to how Amazon recommends a book based on your past choices, researchers Fabio Soldo, Anh Le and Athina Markopoulou are using log data from hundreds of millions of security logs in their research. The idea is that maybe we can identify the attack sources most likely to hit us and pre-emptively defend ourselves.

Honestly, this sounds a bit Orwellian to me. I can see several problems with this:

  1. Attackers often mask their true origins behind compromised systems. Block those systems and you also block legitimate users of your services. Perhaps Grandma, who has a computer that’s part of a botnet, wants to purchase three new computers for her grandchildren. Do you subscribe to a predictive service like this at the cost of losing the sale?
  2. Past behavior isn’t always indicative of future behavior, although I guess that’s where the predictive part comes in.
  3. What recourse will users who are inadvertently blocked have to correct the situation? This would be particularly troubling when considering access to governmental public services.
  4. This doesn’t appear to reward anyone who may have been an attack source in the past and is no longer a threat. Or, what if the network was transferred to a new and non-threatening organization?
  5. Log data isn’t always reliable. Attackers spoof source IPs, log data is often unauthenticated and it can be intercepted in transit. Over-reliance on anonymous log data can lead to a house of cards.

The most interesting part of this research to me is that they have access to so much log data. What else could we learn by examining the hidden gems contained in so many logs?

Read the entire article here.