So, I was out on a date, and we started discussing IT, security, and productivity. She was explaining some of the frustrations with getting approval for business critical applications and tools at a certain employer, as well as the obstacles certain security configuration had on getting the job done efficiently. The end result was that people looked for ways to bypass the IT department and its controls.
Stating the obvious, technology, and security, need to be incorporated into business processes, into helping people get their jobs done and protecting their ability to do so. When tension arises between, say, IT department policies and procedures and how people actually do their jobs, people are going to start looking for ways to circumvent those policies and procedures. After all, if a firm is not productive, not providing value, it won’t exist for long.
Which reminded me of this paper that has popped up in numerous places,
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
Herley’s advice summary,
First, we need better understanding of the actual harms endured by users. [...] A main finding of this paper is that we need an estimate of the victimization rate for any exploit when designing appropriate security advice. [...]
Second, user education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim. [...]
Third, retiring advice that is no longer compelling is necessary. [...]
Fourth, we must prioritize advice. In trying to defend everything we end up defending nothing. [...] In fact prioritizing advice may be the main way to influence the security decisions that users make. [...]
Finally, we must respect users’ time and effort. [...] We must understand that when budgets are exhausted, attention to any one piece of advice is achieved only by neglect of something else. [...]
More focused on communities (e.g., companies, agencies, etc.) smaller than the general population of Internet users, I wrote this about user education way back when.
First off, we need a threat model. We need to figure out what we want to protect, its value, the potential attacks, the likelihood of those attacks, and the potential damage of those attacks. Determine the risks, and then mitigate them. Very important here is figuring out who needs to be held responsible for what mitigations and countermeasures. And, this threat model has to be reviewed periodically to keep it up to date. The assets that need to be protected change, the way business is done changes, the risks change, the mitigations change. Security is not static.
With that (and building that is certainly not trivial), we have these people, you, me, our parents, that are part of this threat model. They pose risks, and they help to mitigate risks. We need to minimize the former and maximize the latter. To do this right, I think we need people to feel responsible for security. To build this sense of responsibility, we need these security responsibilities audited and we need effective training to convey and reinforce these responsibilities – the combination of these two may be a linchpin to people security.
So, we talk to people about our threat model. Not only do we teach it, but we get feedback on it. And, we make sure everyone understands that threat model, and their place in it. To do this, we bring vivid examples from security audits into our security education, which help to build security training programs that provide exactly that which we learn the most from, experience.
(Side note, I may have gone kind of crazy with the audited training in that post.
Now, pull the results of these attacks into your security training. Will there be an impact?
Well, I think so. You don’t quickly forget seeing yourself and/or those around you up in lights, as it were, and the attacks can certainly be used to increase the sense of responsibility felt by every employee. The demonstrations hit home because they can be related to – the attacks happened to you, your neighbors, your community. Whether the attacks succeed or fail, they amount to a shared experience for the organization, and teach people their importance to the security of their organization.
I think people would feel like their security responsibilities are not just words but actual obligations which have real consequences to the security of an organization. The threat model lays this out, but the experience drives it home. Also, people would be aware that their organization takes security seriously and is willing to proactively audit that security. And, those audits involve real life employees, doing the right thing and maybe even the wrong thing. It lets people know that they are at the root of security.
However, when I look at things like the foiled airplane bombing attempt on December 25, 2009, I do see a kind of user education inline with that excerpt playing an important role. The people tackled the alleged bomber because they knew their lives and the lives of others might depend on it. The experiences of, say, 2001-09-11 were taken to heart. They were the last line of defense, and they knew it.)
-
Perhaps a related bit on cooperation and reputation,
The possibly irritating message is that for promoting cooperative behavior, punishing works much better than rewarding. In both cases, however, reputation is essential.
-
And, I saw this on trust.
I’ve long advocated instead saying “is vulnerable to”, which makes it much clearer what is going on, so I would say “CNNIC is a certificate authority everyone is vulnerable to”. “Trusted third party” would become “Third party you are vulnerable to” and so on. Kinda clunky, but you know where you stand.
This ramble of mine discussed trust in these terms.
There is this big word we have all said before, trust. Trust can mean lots of things, but, at its heart, trust implies risk or vulnerability. Trust is about having faith that someone or something will act a certain way when it counts. While you may be able to influence that someone or something to act that certain way, in the end, the actions are out of your total control.
And, this other ramble of mine may have been criticized as naive optimism, but it also made this sort of point.
There are lots of inputs to trust – inputs like direct experiences, such as not dying when eating food from a particular restaurant or how you build friendships, or indirect experiences, such asking a friend about what plumber to use or credit ratings. We use these inputs to calculate levels of trust, which are basically estimates of how much vulnerability we are willing [to] expose to the trusted. This leads to trade-offs, such as limiting the amount of trust you place in someone/something – you might only take a nibble of that unknown food to limit the risk of getting sick if it disagrees with you, or divide tasks amongst a group of people to limit the risk of any one person having too much access – versus the costs of these limitations – that nibble is not enough to meet your nutritional requirements forcing you to seek out additional food, and all those people/processes mean less work getting done. This is a balancing act, if you will.
-
Look at that,
The OpenSSL project team is pleased to announce the release of version 1.0.0 of our open source toolkit for SSL/TLS. This new OpenSSL version is a major release and incorporates many new features as well as major fixes compared to 0.9.8n. For a complete list of changes, please see http://cvs.openssl.org/getfile?f=openssl/CHANGES&v=OpenSSL_1_0_0.
Congratulations to the OpenSSL team!
-
So, this has been making the rounds.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The paper can be found here. Matt Blaze discusses some implications.
What this means is that an eavesdropper who can obtain fake certificates from any certificate authority can successfully impersonate every encrypted web site someone might visit. Most browsers will happily (and silently) accept new certificates from any valid authority, even for web sites for which certificates had already been obtained. An eavesdropper with fake certificates and access to a target’s internet connection can thus quietly interpose itself as a “man-in-the-middle”, observing and recording all encrypted web traffic traffic, with the user none the wiser.
A while back, I had to do some research on web filtering technologies. It was quite standard for enterprise level web filtering to include SSL MITM functionality. Generally, this involved taking advantage of having an enterprise’s CA certificates rolled out to end users, but it could have leveraged any trusted root certificates.
Anyway, I noted the following posted about.
The Monkeysphere project’s goal is to extend OpenPGP’s web of trust to new areas of the Internet to help us securely identify each other while we work online. The suite of monkeysphere utilities provides a framework to leverage the web of trust for authentication of HTTPS0< (TLS) and SSH communications.
In other words, Monkeysphere allows you to use your web browser or secure shell as you normally do, but you can use the OpenPGP Web of Trust to identify the servers you connect to and to prove your own identity to them. This brings to the web and ssh the possibility for key transitions, transitive identifications, revocations, and expirations of public keys1. It also actively invites broader participation in the OpenPGP web of trust.
That reminds me of something I wrote a while back.
This is an active research area. Petnames have been proposed, which I like (think PGP web of trust in some form). This has similarities to the SSH-type trust model, which has also been proposed and which I also like. In recent minutes to an IETF-PKIX meeting, the Opera people were looking at “extended validation” certificates. There has been all sorts of talk, pros and cons, about “high-assurance” certificates.
-
I saw this rant about rekeying by one of the people that had to deal with the SSL rekeying mess.
It’s IETF time again and recently I’ve reviewed a bunch of drafts concerned with cryptographic rekeying. In my opinion, rekeying is massively overrated, but apparently I’ve never bothered to comprehensively address the usual arguments. Now seems like as good a time as any…
This post to the Matzger’s Cryptography mailing list by Adam Back seemed most in line with my thinking.
Another angle on this is timing attacks or iterative adaptive attacks like bleichenbacher’s attack on SSL encryption padding. If re-keying happens before the attack can complete, perhaps the risk of a successful so far unnoticed adaptive or side-channel attack can be reduced. So maybe there is some use.
Simplicity of design can be good too.
Tradeoffs.
-
Complete shocker (note: the link is to a news article, but there is a quote therein containing a possibly profane word).
BAA is investigating an incident in which a Heathrow security operative “ogled” a female colleague who’d wandered into a body scanner, the Sun reports.
John Laker, 25, allegedly copped an eyeful of Jo Margetson, 29, when the latter “entered the X-ray machine by mistake”. She was “horrified” as Laker “pressed a button to take a revealing photo” and remarked: “I love those gigantic[...]
I should note that the ubiquity of digital video equipment (e.g., cell phones) renders moot whether or not these scanners record images.
-
Speaking of leaks, I saw this.
Here’s the background: Secure web connections encrypt traffic so that only your browser and the web server you’re visiting can see the contents of your communication. Although a network eavesdropper can’t understand the requests your browser sends, nor the replies from the server, it has long been known that an eavesdropper can see the size of the request and reply messages, and that these sizes sometimes leak information about which page you’re viewing, if the request size (i.e., the size of the URL) or the reply size (i.e., the size of the HTML page you’re viewing) is distinctive.
Consider a search engine that autocompletes search queries: when you start to type a query, the search engine gives you a list of suggested queries that start with whatever characters you have typed so far. When you type the first letter of your search query, the search engine page will send that character to the server, and the server will send back a list of suggested completions. Unfortunately, the size of that suggested completion list will depend on which character you typed, so an eavesdropper can use the size of the encrypted response to deduce which letter you typed. When you type the second letter of your query, another request will go to the server, and another encrypted reply will come back, which will again have a distinctive size, allowing the eavesdropper (who already knows the first character you typed) to deduce the second character; and so on. In the end the eavesdropper will know exactly which search query you typed. This attack worked against the Google, Yahoo, and Microsoft Bing search engines.
The paper can be found here.
-
Remembering the exploitation of wireless cards and their drivers, here comes some other fun stuff with network cards presented at CanSecWest. [via cypherpunks mailing list]
The presentation was entitled “Can you still trust your network card?”. The talk explained how an attacker could be able to exploit a flaw to run arbitrary code inside some network controllers (NICs). The attack uses routable packets delivered to the victim’s NIC. Consequently, multiple attacks can be conducted including: Man in The Middle attacks on network connections, access to cryptographic keys on the host platform, or malware injection on the victim’s computer host platform (see SS 2).
The slides can be found here. From slide 38,
On this particular NIC and firmware version, an attacker is able to
perform arbitrary code execution:Initial jump
->an attacker can overwrite a return address in the stack;
->she can find a stable (for a firmware version) memory address for username;
->she can put exploit code in username and jump there.
Game over at slide 40,
Now the attacker can:
->run arbitrary code on the RX RISC;
->provide new code using simple packets;
->rewrite the firmware if needed;
In between the excerpts is a summary of the attack. Slide 49 is a hoot too.
Also from CanSecWest, kernel exploitation is the new black by the people that post content at the cr0 blog, such as this.
-
To end this rainy day on a fun note, the following caught my eye.
The same post at Quomodocumque has this completely odd video of an interview with William Thurston and fashion designer Dai Fujiwara. Apparently, Thurston provided the inspiration for Issey Miyake’s fall fashions, “8 Geometry Link Models as Metaphor of the Universe”.
You can see the finale of their Paris fashion show here, including Thurston joining Fujiwara on stage.[...]