RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  And so this week at RSA, I think more people should be eating the security community’s cryptographic dogfood.

As I evangelize the use of crypto for meeting up at RSA, I’ve encountered many problems: choice of tool, availability of the tool across a set of mobile platforms, cost of entry, etc. Each of these is predictable, but with dogfooding, forcing myself to ask everyone why they want to use an easily wiretapped protocol, the issues stand out, and the companies that will be successful will start thinking about ways to overcome them.

So this week, as you prep for RSA, spend a few minutes to set up some encrypted communications tool. The worst that can happen is that you’re no more secure than you were before you read this post.

P0wned! Don’t make the same mistake I did

I fell victim to an interesting attack, which I am recounting here so that others may avoid it.

In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did not catch the substitution. I believe the attackers were not out to harm me, but that this trojan was put in place partially for lulz, and partially to allow a more important attack on the system’s RBAC mechanisms to succeed.

Attack Details

I was attempting to purchase a six pack of New Belgium Rampant IPA, shown immediately below.

[image: IMG_2242.JPG]

I obtained the six pack from the canonical location in the system – a reach-in refrigerator in the supermarket’s liquor aisle. I proceeded to the cashier, who rang up my purchase, bagged it, and accepted payment.

I realized upon arrival home, that this was a trojan six pack, as seen below:

[image: IMG_2243.JPG]

Clearly, the attacker took care to make his payload look legitimate. What I noticed later was the subtle difference I zoom in on below:

[image: IMG_2245.JPG]

[image: IMG_2244.JPG]

Yes, the attacker had substituted root beer for real beer.

Needless to say, this was a devious denial of service, which the perpetrators undoubtedly laughed about. However, this was likely not just “for the lulz”. I think this was the work of juvenile attackers, whose motives were to defeat the RBAC (real beer access control) system. Knowing that a purchase of real beer would be scrutinized closely, I believe they exfiltrated the target beer by hiding it in a root beer package.

Mitigations put in place by the system did not catch this error. The cashier/reference monitor allowed the purchase (and, likely, the offsetting purchase of real beer packaged as root beer).

Possible Countermeasures

The keys to this attack were that the trojan was in the right place in the search path, and that it appeared legitimate. Obviously, this location must be readable by all, since items need to be fetched from it. However, allowing items to be placed in it by untrusted users is a definite risk. The obvious countermeasure, allowing only privileged stocking while permitting “world” fetching, presents serious usability concerns and increases system cost, since the privileged stocker must be paid.

Nonetheless, such countermeasures are in place for certain other items, notably where the cost to the system — as opposed to the user — of an illicit item substitution is quite high.
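The same two properties, an untrusted party who can stock a location and a lookup that takes the first plausible match, are exactly what a search-path trojan on a real system needs. The following is an added example, not code from the original post: it audits a command search path for entries that untrusted users can write to, and shows which copy of a command actually wins when an earlier, writable entry shadows the legitimate one. The directory names (“cooler”, “shelf”), the sample “beer” scripts and the notion of a trusted-stocker uid set are all constructed for illustration.

```python
"""Audit a command search path for "untrusted stocking" risks.

A directory that everyone can read from is fine; a directory that untrusted
users can write into, sitting early in the search path, lets them place a
payload that shadows whatever a later lookup would have found.
Hypothetical example code, not from the original post.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def audit_entry(entry, trusted_uids=(0,)):
    """Report why a single search-path entry could hold an attacker's payload."""
    reasons = []
    if entry in ("", "."):
        reasons.append("relative entry: resolves to whatever the current directory is")
        return Finding(entry, reasons)
    try:
        st = os.stat(entry)
    except FileNotFoundError:
        reasons.append("missing: whoever can create it owns the slot")
        return Finding(entry, reasons)
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}, not a trusted stocker")
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit only stops deleting other users' files; anyone can
        # still create a new file, which is enough to shadow a later entry.
        sticky = " (sticky)" if st.st_mode & stat.S_ISVTX else ""
        reasons.append("world-writable" + sticky)
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"group-writable (gid {st.st_gid})")
    return Finding(entry, reasons)


def audit_path(entries, trusted_uids=(0,)):
    """Return only the entries with at least one reason to worry."""
    findings = [audit_entry(e, trusted_uids) for e in entries]
    return [f for f in findings if f.reasons]


def resolve(command, entries):
    """Return every executable match in search order; index 0 is what runs."""
    hits = []
    for e in entries:
        candidate = os.path.join(e or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def is_shadowed(command, entries, expected_dir):
    """True if the first hit for `command` is not in the directory we trust."""
    hits = resolve(command, entries)
    return bool(hits) and os.path.dirname(hits[0]) != expected_dir


def demo():
    """Constructed scenario: a world-writable 'cooler' ahead of the real 'shelf'."""
    root = tempfile.mkdtemp()
    cooler = os.path.join(root, "cooler")
    shelf = os.path.join(root, "shelf")
    os.mkdir(cooler)
    os.mkdir(shelf)
    os.chmod(cooler, 0o1777)  # anyone may stock it (sticky, like /tmp)
    os.chmod(shelf, 0o755)    # only the owner stocks it
    for directory, body in ((shelf, "echo real beer"), (cooler, "echo root beer")):
        script = os.path.join(directory, "beer")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n" + body + "\n")
        os.chmod(script, 0o755)
    path = [cooler, shelf]
    trusted = (0, os.getuid())  # root and the account that built the shelf
    return {
        "findings": audit_path(path, trusted_uids=trusted),
        "hits": resolve("beer", path),
        "shadowed": is_shadowed("beer", path, shelf),
    }


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f.entry, "->", "; ".join(f.reasons))
    print("first hit:", result["hits"][0], "shadowed:", result["shadowed"])
```

Run against a real machine, `audit_path(os.environ["PATH"].split(os.pathsep))` is the “only privileged stocking” check, and `is_shadowed("ssh", entries, "/usr/bin")` is the “inspect the object before the non-idempotent step” check. Neither replaces verifying the executable itself (a hash or signature), but both are cheap to run before you trust a lookup.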

Lessons learned

Ultimately, system usability and cost tradeoffs put the onus on the end-user. Before taking a non-idempotent step, inspect the objects closely!

Please vote for the social security blogger awards!

Alan Shimmy has the nominations for the 2014 Social Security bloggers award!

New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.

Now, I have no idea what it means that Emergent Chaos would represent the security industry. I’m hopeful that it’s intended as a compliment.

What will the archaeologists think?

Over at the BBC, we read that the “home of Anakin Skywalker threatened by dune,” with awesome pictures:

So my question is, what will archaeologists think in 1,000 years when they dig this up? How many careers will be wasted trying to link the bizarre architecture to some real culture? How many anthropologists will be confused by the strange objects they find?

I hope someone has at least left them a note.

Which and That

Can we just agree that “which” and “that” are pretty much interchangeable? If you’re relying on a modern audience to be able to perceive the difference in meaning between restrictive and non-restrictive clauses, you’ve pretty much already lost.

Which, as they say, makes a mockery of that rule.

Alternately, “That, as they say, makes a mockery of that rule.”

Alternately, “That, as they say, makes a mockery of which rule.”

I think we may be taking this too far.

2013 PET Award for Outstanding Research in Privacy Enhancing Technologies

You are invited to submit nominations to the 2013 PET Award.

The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS).

The PET Award carries a prize of 3000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from April 16, 2011 until March 31, 2013.

The complete Award rules including eligibility requirements can be found at http://petsymposium.org/award/rules.php.

Anyone can nominate a paper by sending an email message containing the following to award-chairs13@petsymposium.org:

  • Paper title
  • Author(s)
  • Author(s) contact information
  • Publication venue and full reference
  • Link to an available online version of the paper
  • A nomination statement of no more than 500 words.

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. I went to a tiny school, Simon’s Rock, and on December 14, 1992, Wayne Lo murdered my friend Galen Gibson and Professor Ñacuñán Sáez. He also shot my friend Tom McElderry. I can still remember the phone call from my friend Chi, telling me that Tommy had been shot and was in the hospital. I remember being up all night, spreading what little information we had by phone, and wondering what the hell was going on. I remember that weeks later, I’d get emails from co-workers whose local papers in places like Japan finally carried the story. For years after, I took December 14th as a day off, because it was hard to handle life with that weighing on you.

It’s a sad reality that we now have enough school shootings that one of them was going to fall on an anniversary of another. (Statisticians call this the birthday problem.) It’s also a sad reality that we have enough of them that schools, police and emergency responders have plans for them.

What a fucking world.

Some people like to say things like “time heals all wounds,” but you know? Greg Gibson isn’t going to get his son back. Ñacuñán’s family isn’t going to get him back. And twenty or more families in Sandy Hook will never again be the same. I’m having trouble editing this more than a month later because of how the memories flood back.

All that to say that I have some understanding of these events, and I think I can talk about them differently than a random observer.

A lot of people are using this tragedy to say we need gun control. I understand where they’re coming from, and I disagree. We’ve had a lifetime of marijuana control, and it didn’t work. We suffered under crypto controls, and they didn’t work. Assholes who want a gun will likely be able to get a gun whatever regime we put in place. There’s some truth to the claim that if guns are outlawed, only outlaws will have guns. Maybe we’d gain some ability to catch these nuts early, but maybe not. Those who say that easy availability of guns drives murder rates must do better than simply cherry picking data. What makes the US worse than Switzerland or Israel?

Yesterday, the President outlined a set of proposals including expanded background checks, and signed executive actions including one to “encourage federal agencies and state governments to share more information.” And now I find it hard to speak, and hard to remain silent.

Infringing privacy would not have stopped the events at Sandy Hook, and I worry that reducing privacy around mental health care is going to deter people who need health care from getting it. That may mean that more people will end up hurt or dead. I’m confident that no one wants that, and we need to rationally consider the tradeoff.

I also see a lot of people who are worried about gun control being so strident that they’re undercutting their own case. I agree that gun control is a poor response, and I think the NRA are coming off like a bunch of idiots. I’m trying not to be strident, just add a voice to say that even from a position of grief, it’s possible to see that what’s proposed probably will not meet the goals.

I don’t know what we should do. I do think that taking the entire TSA budget and moving it to mental health care would be a fine start.

Another fine way to proceed would be to threat model and try to judge the efficacy of the mitigation techniques. (For those who don’t know me, I spent a few years designing threat modeling tools and techniques which you can read about here.) Perhaps that starts from data on how people who use guns to hurt themselves or others get them. There’s an easy trope of “buys a gun and shoots someone.” Is that because it’s common, or because the stories are highly “available” and spring to mind? I don’t know, and in that vein, more studies of gun ownership and gun violence are probably going to help. Whatever approach to threat modeling we take should also include the hundreds of millions of guns owned by hundreds of millions of people and not misused.

We can and should do better than bringing back ideas that didn’t pass muster in calmer times. We should be cautious about trading a little liberty for a little safety. And whatever we do, we should do so respectful of the victims.


Test post

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another.

I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that most people who blog blog about.

We set this up and I have finally gotten around to making a test post.

So thank you, Adam and the rest of the jazz combo. I’m Jon Callas, and I’m on bari sax and english horn.

An Argument Against Jargon

Lately I’ve been savoring Kahneman’s “Thinking, Fast and Slow”. Kahneman is one of the originators of behavioral economics and a Nobel prize winner. The book is tremendously thought provoking, insanely well written, jargon-minimizing, and just comes together beautifully. It’s a book where you struggle with the ideas and their implications, rather than struggle through the prose to get to the ideas.

One of the little things that made me squee with delight was where he said:

Why call them System 1 and System 2 rather than the more descriptive “automatic system” and “effortful system”? The reason is simple: “Automatic system” takes longer to say than “System 1” and therefore takes more space in your working memory. This matters, because anything that occupies your working memory reduces your ability to think.

I am totally dropping that on the next person who uses “novel” where they mean “new”. (And yes, you can make the argument that novel means “not really new but not published in some peer-reviewed place,” and you can take that argument, fold it until it’s all nice and sharp, and then store it as appropriate.)

Twitter Weekly Updates for 2012-06-10

  • RT @DeathStarPR Easy way to feel like Darth Vader: stand over a heap of dirty laundry and imagine you've just killed a Jedi. #StarWars
  • RT @runasand We have managed to determine exactly how Ethiopia blocks #Tor and we have developed a workaround: https://t.co/snTjeVbN
  • RT @derekcslater What I learned when I left security http://t.co/AexcK8NN Advice on exec communication – great story, valuable perspectives
  • RT @hellNbak_ @adamshostack @derekcslater anything with Scott Blake has to be worth reading.
  • Imma let you finish @asus, but If you get past how sexist & asinine @asus was, you realize it's so bad it's hard to satirize
  • RT @jeremiahg "Samsung Bug Bounty Program is under maintenance." ooops, did linking to just kill the site? << & will you get bounty?
  • RT @jeremiahg Interesting twist on CloudFlare breach "..involved breach of AT&Ts systems that compromised oob auth" http://t.co/4nDDAxtB
  • This Cloudflare blog http://t.co/KeUHAfoR shows how much we can learn when we talk about attacks, rather than hiding them.
  • RT @netik OH: Of course you need extra gorilla suits. You can't wear a white gorilla suit after labor day. Geesh.
  • http://t.co/On6Vcws7 doesn't make it easy to opt out (and if you're an AT&T customer, you should). Why not work from a phone #?
  • New Blog: "On @Cloudflare's post-mortem" http://t.co/quXhyd3z
  • RT @joshcorman follow for DM? << You know, there are email tools that give you 150+ characters, subject lines? :)
  • RT @451wendy RT @rachelchalmers: There's a little black spot on the sun today. < It's the same old thing as yesterday.
  • RT @thedarktangent Secretary says Cyber and Aviation security consume more of her time than ever before. #DHS < This juxtaposition scares me
  • RT @thedarktangent honored to co-chair new task force on #cyber workforce development to develop a long term strategy for #DHS < Congrats!
  • RT @Beaker Updated BYOD security profile/policy pushed to my iPhone this morning. String passwords on phone unlock (really?) = PiTA.
  • Intrusive password policies spend compliance
  • Bad password policies give no benefit while absorbing your people's willingness to help with security. #Fail (cc @beaker)
  • RT @moxie If LinkedIn hasn't confirmed the breach, they havent fixed it either. You can change your PW, but attackers can just get it again
  • MT @amrittsering Too bad there've been so few data breaches to help folks deal with the linkedin breach, if only we had a more learning opps
  • RT @aloria Another password breach, another round of "how to create strong passwords" lectures. THEY'LL TOTALLY LISTEN THIS TIME! #adorable
  • MT @jeremiahg Instincts telling me these incidents are connected. Wondering if all 3 using the same DEV framework. << or same PR checklist?
  • I'll bet we see 10-20 announcements of password breaches hoping to be in the LinkedIn PR shadow. Reminds me a bit of Heartland/inauguration
  • RT @451wendy @securityninja That would be fantastic. We need more security card games besides Elevation of Privilege.
  • There's a fascinating difference between security people & normal folks when there's a guy on the bus with a test LTE wifi gateway.
  • RT @AngryBFlay A dash of granola is a great way to add excitement to a dish if you have zero grasp of what the fuck excitement means.
  • RT @MSFTnews To track or not to track? Not just a question, a choice for consumers and industry http://t.co/906dY7D4
  • RT @philvenables More new school thinking from the Feynman archives. Listen to this while thinking of InfoSec. http://t.co/SiFpDkxT
  • RT @3ricj Now everybody but me has my linked in password. This can only lead to future job offers.
