From the Heresy Desk

Theatre Security

Before Bruce Schneier started using the term, “Security Theatre” was a term I heard from what I call Real Security People. I was designing a security-oriented NOC, and I interviewed people who built secure sites for a couple of governments, banks, and others. They said that what The Adversary thinks you can do is more important than what you can do. I was told that perception is the majority of security: “Maybe not two-thirds, but definitely more than half.” As the team built the system, we took this to heart, which made it more fun, at the very least. But I also heard from someone I know who nmapped our system and received an nmap in return that he decided it wasn’t a good idea to go further. In that case, at least, the security theatre worked.

We also used a bit of security-through-obscurity. We tweaked some of our network protocols so that they were merely incompatible with the off-the-shelf stuff. Our protocol banners lied. We particularly enjoyed having them declare that they were known vulnerable in odd ways. It was at least informative that the random attacks that came by were not tailored. No one ever tried Sparc vulnerabilities on that server claiming to be SunOS 4 with Bind 3. They hit it with the Windows buffer overflows anyway. That was disappointing, but we also learned an important lesson — the only people who care what your banners say are the good guys. The bad guys find it more economical to just spray you with whatever exploits they have in their bag of tricks. Or at least most of the bad guys.

Security through obscurity has gotten a bad rep in part because there are people who think that merely being obscure is being secure. There are also people who think that a mediocre security system can be made secure by being obscure. If, however, you start with good security and then put a bit of obscurity on top, it’s a bonus. Think of security as armor and obscurity as camouflage. Camouflage is not armor; obscurity is not security. People who tell you it is are trying to sell you something. However, if an attacker is faced with armored things that are also camouflaged, their job is harder. If you back up the camouflage with good log analysis, then you can take the element of surprise away from the attacker. The total effect is good security theatre, a theatre that might result in deterrence. Just be honest about it, especially to yourself. If the attacker discovers you have no armor behind the camouflage, then you have a well-prepared opponent.

There are other reasons to eschew obscurity. It isn’t scalable, and it doesn’t lead to market solutions. You can’t shop around for the best obscurity. The notion of a global secret is somewhere between ironic and silly. This is why DRM systems don’t work against determined attackers. However, not everything needs to be open, scalable, and market-driven. If you are building a system that is closed, proprietary, and local (such as the secure NOC I was working on), obscurity can be a valuable spice in the dish that makes a tasty meal tastier.

We are also seeing changes in the threat model that justify a revision in our defense model. A few years ago, the attackers were using broadcast attacks. They didn’t look at the lies we told them because they were unskilled attackers throwing all the handy exploits they had. They wouldn’t see embarrassments that didn’t fit their model. I have a story about that I’ll post soon.

The trend in attacks is that they are becoming slow, targeted, and with a clear goal — money. They also want not only to succeed, but to succeed undetected. A measure that increases the attacker’s uncertainty increases the attacker’s risk of being caught.

Here’s an informal example. Suppose I divide my system into an external “red” network and an internal “black” network. All connections use TLS with AES-256, but on the black network we are not using standard AES; we’re using a modified AES that real cryptographers agree is as secure, just incompatible with AES. Call it AEN, for Advanced Encryption Non-standard. Cryptographers have a formal notion of this that they call “family keys.” AEN is my spice. On the black network, you’re expected to use AEN. We just compiled it into OpenSSL where AES was supposed to be. The resulting system is just as secure as one that uses AES everywhere, but has this extra little twist. It makes the attacker’s job harder, and makes our job of detecting an attack easier. It has costs, of course, which you can think of as well as I can. But in my system, which is not only closed but which I want to be closed, they’re not bad costs to pay. Even better, if I publicize that I’ve done this, I might convince an attacker to target someone else.
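The family-key idea above, as an added example that is not part of the original post and is not what the author built: the post describes rebuilding OpenSSL with a modified AES, and this does no such thing. It uses only the Python standard library, so a stream cipher and MAC built from HMAC-SHA256 stand in for AES; the derivation labels, the family key value `AEN-black-2007`, the session key and the fixed nonce are all assumptions constructed for illustration. What it shows is that a family key is a fixed, possibly public, extra input to key derivation: two peers sharing the same session key but different family keys cannot read each other’s traffic, and the mismatch surfaces as an authentication failure, which is the log event the post says makes detection easier.

```python
"""
Added example, not the original post's code.  A 'family key' variant of
an authenticated stream cipher built from HMAC-SHA256 (standard library
only); it stands in for the modified AES the post describes.  Labels,
the family key value, the session key and the nonce are assumptions.
"""
import hashlib
import hmac
import os

STANDARD_FAMILY = b""              # the off-the-shelf "red network" variant
BLACK_FAMILY = b"AEN-black-2007"   # assumed, public, family key of the "black network"


def _derive(family_key, key, label):
    # The family key only relabels key derivation.  It is fixed and may be
    # public, so it buys incompatibility (camouflage), not strength (armor).
    return hmac.new(key, family_key + b"|" + label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC in counter mode as a PRF-based keystream; never reuse a nonce.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def new_nonce():
    return os.urandom(16)


def encrypt(family_key, key, nonce, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || 32-byte tag."""
    enc_key = _derive(family_key, key, b"enc")
    mac_key = _derive(family_key, key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(family_key, key, message):
    """Returns the plaintext, or None on an authentication failure."""
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    mac_key = _derive(family_key, key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # A peer speaking the standard variant lands here: this is the
        # detectable signal, worth an alert rather than a silent drop.
        return None
    enc_key = _derive(family_key, key, b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    key = bytes(range(32))   # constructed session key shared by both peers
    nonce = bytes(16)        # constructed fixed nonce for reproducibility only
    msg = b"black network traffic"
    black = encrypt(BLACK_FAMILY, key, nonce, msg)
    standard = encrypt(STANDARD_FAMILY, key, nonce, msg)
    return {
        "black_roundtrip": decrypt(BLACK_FAMILY, key, black) == msg,
        "standard_peer_reads_black": decrypt(STANDARD_FAMILY, key, black),   # None
        "black_peer_reads_standard": decrypt(BLACK_FAMILY, key, standard),   # None
        "same_key_differs_on_wire": black != standard,
    }


if __name__ == "__main__":
    print(demo())
```

Note the caveat the post asks you to be honest about: with the family key published, this variant is exactly as strong as the standard construction and no stronger. If you instead kept the family key secret and baked it into every black-network binary, it would be the kind of global secret criticised later in the post, not extra key material.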

If you remember that obscurity is not security, that it is camouflage rather than armor, that it is not scalable, that it is only as good as the obscurity itself is, there might be places you can use it effectively. Also, not all security theatre is bad. What is bad is only having theatre and not backing up obscurity with real security.
Photo of theatre security courtesy of Luigi Rosa.

Anarchy in the UK?

Via Silicon Strategy, we learn that “Pressure grows for UK data loss disclosure:”

The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts.

Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do not have to disclose details of the breach – even to those affected.

Martin Carmichael, CSO at McAfee, told silicon.com: “I think companies should be accountable. Accountability is a vital part of security and if a company has a data breach I think they should be prepared to talk about it.

My take: they monitor everything else in the UK, why not?

Photo: “Big Brother Congestion” by Jeroen020.

Ptacek scores, Pre-Blogging Department with the assist!

Matasano’s Thomas Ptacek had a Groucho-like reaction to being included as a “Top 59” infosec influencer in ITSecurity.com’s recent list.
EC’s Pre-Blogging Department was initially caught flat-footed on this, but predicted in an update that Tom’s view would gain traction. And it has.
Meanwhile, Mark Curphey has stirred the pot by leaving the Security Bloggers’ Network and explaining why he chose to do so.
I hadn’t heard of the SBN until news of the top sekrit security bloggers’ dinner at RSA started to hit the intertubes, although EC is on it. Bejtlich, even though he doesn’t read EC (come on, buddy!) has a view essentially identical to mine on this subject.
One aspect of the ensuing discussion that I think is great comes from a CSO who emailed Mark, and whom Mark quotes as asking about:

…the guy who does nothing but conferences and magazine columns, but mysteriously nobody can actually recall him/her actually being a meaningful contributor, holding a senior infosec management post, or similar real world qualification?

I’ve heard this archetype discussed over beers, as I suspect many of us have. Nice to see that there’s a sense out there that while a “real list” of influencers may be a matter of opinion, we can profit from discussing it. Again, Curphey gets it right when he writes of mysterious omissions from the Top 59:

Dan Geer, Mike Howard, James Gosling, Andy Jaquith, Phil Venables, Spafford, and so on.

I might quibble at the margins (No Wietse Venema, Ross Anderson?). Just finger @matasano.com for some influential but lesser-known names, tending toward the vuln research end of things.
I don’t know what the point of all this is, but to the extent that it stirs things up and adds a little chaos into the mix, it’s good. Speaking of stirring the pot, Alan “Balrog” Shimel has weighed in, too:

Fighting over whether the list is accurate, is the list full of crap or who should be on the list, is just frigging asinine.

Hey, don’t hold back, dude.
Finally, it would be remiss not to credit InfoSec sellout for providing a handy taxonomy.

Backus Having Drinks with Hopper


John Backus, leader of the Fortran team, has died at the age of 82, according to The New York Times. Fortran itself celebrates its fiftieth birthday this year, and you can still write it in any other language, even Haskell. Even Lisp.

Back in the days when I would rather have died than work for IBM, in part because of their dress code, but also because of the influence that Ted Nelson had on me, I remember being impressed with Backus’s way of flouting form. IBM employees were required to wear suits; Backus always wore a denim suit. I remember the picture of him in the newspaper. It’s a little thing, but it meant a lot to me. I’m glad that the photo I found of him on IBM’s site has him in denim, and glad that I can explain why dressing in denim was at one time radical.

I also think it important that even the NYT today wrote “Fortran” and not “FORTRAN.” Writing it as a proper noun and not an acronym was an annoying eccentricity of mine in those days as well.

Emerging at the Intersection of Art and Commerce


I never really thought much of Hamilton, either.

I’m glad this wasn’t done on one of the new ten dollar bills. If it had been, the EURion constellation might have prevented me from scanning it for your amusement. (Today, that “feature” is mostly in copiers, but expect it to spread.)

In other looking-at-money news, Steven Murdoch notes that the UK has introduced a new 20 pound note. Its entertaining advice on what to do if you think you have a counterfeit note ends with “If the note is genuine, you will be reimbursed.” I can’t think of a better way to get people to want to not notice counterfeits.


If I Screw Up, It’s Your Fault!


I can’t help but wonder how many bits have died to hold disclaimers like this one:

This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are notified that any dissemination, distribution, use or copying of this communication is strictly prohibited. If you received this message in error, please immediately destroy this message.

I get these from various countries (I love the bilingual ones), with many variations on it. Spotlighting my email with “received in error” did a good job of getting many of them, and they’re all a waste of bits. I like this one because it’s vaguely threatening. Oooo, prohibited. By whom?

There’s nothing in law, custom, treaty, or ethics that says that if I accidentally send you mail that you meant for someone else that it’s anyone’s problem but mine. All the laws pertaining to postal mail are quite explicit that it now belongs to the recipient. While email is not postal mail, it’s hard to imagine it being any other way. There are enough precedents for the Internet that it’s pretty clear as well.

My office dreamed one of these up, and I stomped over to Counsel’s office and snarled just that. Yes, I was told, you’re right. We debated, with him taking the position that you have to protect intellectual property, and me taking the position that a disclaimer that you know isn’t supported by anything isn’t going to hold up in court, and will even be worse than nothing.

I didn’t change the company policy about stupid disclaimers, but I got a dispensation not to use it myself, and I suppose that’s better than nothing.

I’ve considered writing my own parody disclaimer, but haven’t come up with one I like. They’re all too whiny or bombastic to be funny. So let’s try coming up with a good parody disclaimer. Send them to me and I’ll do an article with some good ones.

Photo, “It’s Your Fault” courtesy of jarrod z.

“You Don’t Need to See His Identification”

Well, here we are, on a list of top influencers in information security, and we’ve barely said welcome to any new readers! Welcome!


If you’re just showing up, we’d like to influence you to understand that identification rarely solves security problems by itself.

I posted “You Don’t Need to See His Identification,” using a famous scene from Star Wars to illustrate a point, and followed that up with a series using scenes from “Star Wars to Illustrate Security Principles of Saltzer and Schroeder.” You might enjoy it. We try to inject humor into the blog, so you might also enjoy our Amusements category archive. If you’d like some deeper thinking, the breach analysis category has, I think, been good recently, or you can feel free to explore.

Incidentally, Tom Ptacek influenced me to think about the nature of the list, with his post “Take me off your list,” and he does so using the term ‘flattery attack.’ That sounds, to me, like a variant of Schneier’s ‘publicity attack,’ and that reminds me of my co-blogger Mordaxus asking “Let’s Stop Cutesy Names for Attacks.” Perhaps we’re not so influential as we hope.

We’re number 18, but we try harder…

Adam (or perhaps EC?) is one of the top 59 infosec influencers, sayeth itsecurity.com
Cool.


18. Adam Shostack
http://www.emergentchaos.com/
Emergent Chaos is a group blog on security, privacy, liberty and economics - a self-declared “Emergent Chaos jazz combo of the blogosphere.” While the EC bloggers tend to drift off topic with political posts, they shine at the nexus of politics and IT security, like their March 1, 2007 posts on banking security and the fine print issues surrounding the National ID card legislation.

Update: Thomas “14 is a Product of 2 Primes” Ptacek provides some deeper analysis. Read it.
Update2: Make sure you read the comments to Tom’s post @Matasano’s blog. The EC Pre-Blogging Dept. predicts wider blowback.

Dating & Background Checks in China

Shimrit sends in this Shanghai Daily story, “Matchmaking site works to cut down deception:”

A leading Chinese matchmaking Website is to check the age, marital status and other personal details of prospective cyber daters against an official database to prevent deception.

Beginning today, Baihe.com will screen its eight million online daters against an ID authentication system it jointly developed with the Ministry of Public Security, said Jason Tian, CEO of the online service that uses extensive personality profiles to match couples.

“In the long run, we’ll arrange dates only for those who are proven to be telling the truth,” he said.

See, that’s pressure. Not getting a passport is one thing, not getting a date? Different place in Maslow’s hierarchy, as Alessandro Acquisti and Ralph Gross pointed out in a paper on the social pressure to join Facebook and Myspace.

We’ll get off the dating kick shortly. I found the extension of the official identity database to be interesting and scary.

Reports on Reporting, Compliance

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes:

One important outcome of the legislation is improved information about the types of security breaches. Many of the news stories between 1984 and 2004 report paltry details, with sources being off the record and vague estimates of the severity of the security breach. Since mandatory reporting legislation in many states, most news coverage provides more substantive details. In 2006, only 10 of the 257 news stories were unable to make some attribution of responsibility for a security breach. (Emphasis added.)

Even better, Erickson and Howard draw on the Attrition dataset (which I’ve been saying is important) and add to it, with their dataset. (500kb .xls)

In contrast is the data from the Symantec-backed “ITpolicycompliance.com.” This is work by Jim Hurley, so I was expecting a lot, but their report, “Taking Action to Protect Sensitive Data” makes claims that I’m finding hard to believe. In particular, they claim that organizations suffering a publicly reported breach are losing 8% of their customers and 8% of their revenue. (Page marked “1,” Executive summary, under “financial impacts.”) Unfortunately, this number isn’t sourced or explained, and unlike the UW report, the underlying data isn’t being shared. Is that an 8% loss each? Is that median? Mean? What’s the variance? Are there outliers?

I’ve done some work recently, in the hopes of finding SEC filings that discuss these revenue losses. You’d figure 8% is, how do Messrs. Sarbanes and Oxley say? Material! I think that’s the word! A material impact on revenues. I’d think an 8% drop would justify some SEC filings. The thing is, having done some digging, I can’t find any. So, I’m skeptical.

I’m optimistic that in the future, we will be over our strange fears of talking about breaches, and we’ll be able to talk about our data in a more mature way.

Mommas, Don’t Let Your Babies Grow Up to be County Clerks

At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing.

However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social Security Numbers violated state and Federal law punishable by jail time.

This means that the poor county clerks, who are tasked with redacting records, would be left holding the bag for any screwups. If I were such a clerk, not having some sort of protection would lead to my resignation.

I’m left wondering how we’re going to ensure that things get done correctly, but the larger issue is the way the government is reacting. I know that I speak for The President when I say that not everything that’s bad and needs to stop has to have jail time and fines on it.

It looks like the pendulum of breach control is swinging a bit wildly in Austin. Just go to SXSW, guys, have a beer, listen to some music, and be stable on this. Thanks for working to get this right.

“Grandma Abilene” courtesy of Curran Andre Hugo.

Ignorance is Strength

Via a Stitch in Haste, we learn about more members of the ‘sweep it under the rug’ club:

David Oliver Burleson, 49, an anesthesiologist whose license was suspended for two years in October 2005 … acknowledged to the Oregon Board of Medical Examiners that he inappropriately touched women whom he had sedated before surgery.

The board … gave its findings to the Multnomah County district attorney’s office. Prosecutor Christine Mascal presented the grand jury with a witness who balked at providing names of other possible victims of Burleson. … The witness, through his lawyer, argued instead that patients, if told about the abuse, might be scared away from further medical treatment.

I expect regular readers will see the tie to those who lose control of your personal information, and want to not tell you. But on the off chance that you don’t see the link, one more quote:

“If the sexual contact was touching only without penetration, then the victims would be living in a state of ignorant bliss about what had happened to them,” [one attorney] said.

From “Ruling keeps sedated victims in dark” at Oregon Live, via “A ‘Right to Blissful Ignorance’?

I think I’m going to start awarding a “Liddy” for best coverup of the month. It’s named for both G. Gordon Liddy, and for those wanting to keep a lid on things.

“Terrorists Proving Harder to Profile”


…terrorism suspects from atypical backgrounds are becoming increasingly common in Western Europe. With new plots surfacing every month, police across Europe are arresting significant numbers of women, teenagers, white-skinned suspects and people baptized as Christians — groups that in the past were considered among the least likely to embrace Islamic radicalism.

The demographics of those being arrested are so diverse that many European counterterrorism officials and analysts say they have given up trying to predict what sorts of people are most likely to become terrorists. Age, sex, ethnicity, education and economic status have become more and more irrelevant.

So reports the Washington Post, in “Terrorists Proving Harder to Profile.” Of course, this is unsurprising to anyone who’s read “Who Becomes a Terrorist and Why.”

Those who haven’t will simply demand more and more information, in the vain hopes that something useful will come out if you pour enough garbage in.


Photo: “Due,” by Fotoharing, with no implications: it’s simply a cool photo of a profile.

[Update: added a word, in italics, to that last sentence.]

Dating and Background Checks in the UK

My friend Shimrit saw Cluechick’s post on dating (“Emerging Dating Paranoia”) and wanted to add a bit herself. She works for the UK’s biggest online dating provider. She has a new book coming out, and a blog at “Everyone’s Guide to Online Dating.” She writes:

With all the current craziness surrounding online dating background checks, I asked Adam if I could offer my 2P’s worth and give a view of things as they are in the UK at the moment. I need to point out that the views expressed below are my own and do not represent the company I work for in any way.

At the moment, there is no demand for background checks on UK dating sites.

There haven’t been many heavily-publicised cases of online dating foul play here and the UK market is still going strong, so there is not yet a need for companies to create a demand for such a service to make themselves stand out. I think much of the fear-mongering in the US at the moment has more to do with online dating companies needing to draw more customers than with any actual security concerns. I don’t know what personal information companies can get about people in the US, but in the UK it’s a joke.

We were recently approached by a sales agent for some background checking company and the information the guy said they could provide for us was sparse and not in any way guaranteed. They could basically do basic electoral roll checks and credit checks. It’s worth pointing out that the electoral roll here is by no means a foolproof way of proving someone’s age, place of residence or even real name.

While telling people you’re going to run a check on them is likely to put them off using your site, the information you would get is not likely to be very relevant to their needs.

You could potentially find out whether someone has a mortgage or a joint bank account with someone else, but this would be expensive to do and would not necessarily show that the person is married or attached. The sales guy pushing this stuff kept making it very clear that we must never ever use the word “guaranteed” and yet he was talking about adding an element of trust to our sites. I fail to see how you could trust something that is not guaranteed. Unfortunately, I can see clever marketers giving people the impression they can guarantee safety without actually using these words, which is very very bad.

If you did want to go the extra mile and check for a criminal record (assuming you want to open that can of worms: should people with a criminal record not be allowed to date?) you would need to put the onus of proving integrity on the potential members. They would be charged money for a police reference, which is, again, far from foolproof as it’s easy and free to change your legal name in this country. Unless there is a real demand for such a service, nobody would want to sign up for it and it would take a lot of fear-mongering to make people demand something so costly and annoying. In the UK, I reckon it would take a case of some paedophile hooking up with a single parent online and then molesting the children. Either that or a very quick succession of online dating rapes and murders within a short period of time and a whole load of PR work. Of course, even if you did criminal record checks, there is no guarantee someone with a clean record isn’t going to one day freak out and kill someone. There’s a first time for everything.

Background checks are basically just the latest round of hype, aimed at giving people the illusion they are safer dating on a particular site when actually they’re not any safer at all. As far as I’m concerned, they are bad for two reasons. The obvious one is the breach of privacy and the other one is that the illusion of safety can make people complacent to the point where they relax the basic safety issues we constantly try to drill into their heads. The best way to ensure people’s online safety is education. Anything else is marketing. Sadly, with the growth rate of the American online dating market slowing down, we’re going to be seeing plenty more unnecessary services being touted as essential.

“Voluntary” ID Cards

Anybody who objects to their personal details going on the new “Big Brother” ID cards database will be banned from having a passport.

James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out – but in return they must “forgo the ability” to have a travel document.

With one in every eight people saying they will refuse to sign up, up to five million adults could effectively be refused permission to leave the country.

So reports the Daily Mail in “Don’t like ID cards? Hand over your passport.” I have two brief comments:

First, that’s not an “ability,” Mr Hall, it’s a human right, covered in things like the UN declaration of human rights. Your government used to criticize the Soviets for not allowing their serfs to travel.

Second, all non-trivial privacy fears come true–many are enumerated in the Daily Mail story, so I won’t re-hash.