<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : security myths</title><link>http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx</link><description>Tags: security myths</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>I want a Model 22 HDD Hard Drive Disintegrator</title><link>http://blogs.technet.com/steriley/archive/2009/01/20/i-want-a-model-22-hdd-hard-drive-disintegrator.aspx</link><pubDate>Wed, 21 Jan 2009 00:43:40 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3187608</guid><dc:creator>Steve Riley</dc:creator><slash:comments>10</slash:comments><comments>http://blogs.technet.com/steriley/comments/3187608.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3187608</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3187608</wfw:comment><description>&lt;p&gt;Here at Microsoft we have an active internal discussion group where most security-minded folk hang out. The topic of data destruction came up recently; it’s actually a lot more difficult than most people think. CIPHER /W and SDELETE do a reasonable job, but they aren’t perfect: the paper &lt;a href="http://www.cs.harvard.edu/~malan/publications/pet06.pdf" target="_blank"&gt;One big file is not enough: a critical evaluation of the dominant free-space sanitization technique&lt;/a&gt; dives into some interesting detail. Frequently people talk about DoD (U.S. 
Department of Defense) compliance, but seven wipes really aren’t necessary, according to &lt;a href="http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432" target="_blank"&gt;Secure deletion: a single overwrite will do it&lt;/a&gt;. I’ve always thought the notion that bits will somehow “soak” down into the disk and could be recovered by “shaving off” the disk’s top layer is silly—probably invented by the folks who want to sell you secure wipe utilities. If that were really true, then it would be a fairly simple operation to “wash” away encryption, no?&lt;/p&gt;  &lt;p&gt;For thorough data destruction, I’ve been a fan of shotgun washing. But for those without shotguns at the office, a company called Security Engineered Machinery has introduced the Model 22 HDD Hard Drive Disintegrator.&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;&lt;img title="Model22HDD" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="267" alt="Model22HDD" src="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/IwantaModel22HDDHardDriveDisintegrator_C106/Model22HDD_3.jpg" width="400" border="0" /&gt; &lt;/p&gt;    &lt;p&gt;This system is built specifically to destroy hard disk drives. Load up to 10 drives on to the automatically indexing conveyor and in 30 minutes you'll have nothing but a pile of metal chips. The unit comes as a complete system, including sound-dampening enclosure and HEPA vacuum to remove airborne contaminants. The disintegrator's rotating knives transform the drives into unreconstructable fragments, leaving all data unrecoverable. The bin is made of aluminum, to prevent magnetic pieces from sticking to it.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;&lt;a href="http://www.semshred.com/contentmgr/showdetails.php/id/1277" target="_blank"&gt;Watch the video&lt;/a&gt;; it’s pretty cool. 
I love the narrator’s dead-pan delivery, but the resemblance to the Illudium Q-36 Explosive Space Modulator really made me chuckle. They should do a marketing tie-in with Marvin the Martian.&lt;/p&gt;  &lt;p&gt;&lt;img title="IlludiumQ36" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="240" alt="IlludiumQ36" src="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/IwantaModel22HDDHardDriveDisintegrator_C106/IlludiumQ36_3.jpg" width="340" border="0" /&gt; &lt;/p&gt;  &lt;p&gt;“Oh, recoverable data makes me &lt;em&gt;very&lt;/em&gt; angry. Very angry indeed!” (h/t Scott Culp for the quote.)&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Speaking of washers and aluminum, my six-year-old Frigidaire front-load clothes washer started making a loud thumping sound during the spin cycle. So I did a little bit of searching and found out that this particular unit, a popular model made by Electrolux and sold under the Frigidaire, Kenmore, and General Electric brands, was apparently designed by someone who lacked a high school understanding of chemistry. An aluminum spider arm is connected to the stainless steel inner basket, which of course gets wet during use. What happens when you apply water to the interface of aluminum and steel? Galvanic action! The aluminum disintegrates. 
Some owners have posted videos of their washers &lt;a href="http://www.youtube.com/watch?v=UwpKP_9_fAA&amp;amp;eurl" target="_blank"&gt;here&lt;/a&gt; and &lt;a href="http://www.youtube.com/watch?v=NoIMCVi1m9k" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;&lt;img title="spiderarm" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="180" alt="spiderarm" src="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/IwantaModel22HDDHardDriveDisintegrator_C106/spiderarm_3.jpg" width="269" border="0" /&gt; &lt;/p&gt;  &lt;p&gt;I’ll attempt the $300 three-hour repair, and I’ll paint the new spider arm with some primer and anti-rust paint. Or maybe I’ll convert it into my very own Illudium Q-22 HDD Explosive Hard Drive Disintegrator.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3187608" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/physical+security/default.aspx">physical security</category><category domain="http://blogs.technet.com/steriley/archive/tags/data+destruction/default.aspx">data destruction</category></item><item><title>Myth vs. 
reality: Wireless SSIDs</title><link>http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx</link><pubDate>Tue, 16 Oct 2007 10:08:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2181282</guid><dc:creator>Steve Riley</dc:creator><slash:comments>25</slash:comments><comments>http://blogs.technet.com/steriley/comments/2181282.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2181282</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2181282</wfw:comment><description>&lt;p&gt;Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a &lt;a href="http://www.microsoft.com/technet/technetmag/issues/2005/11/SecurityWatch/" target="_blank"&gt;myth&lt;/a&gt; that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.&lt;/p&gt; &lt;p&gt;Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities, and I've &lt;a href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx" target="_blank"&gt;written extensively about this before&lt;/a&gt;. &lt;strong&gt;An SSID is a network name&lt;/strong&gt;, &lt;em&gt;not&lt;/em&gt; -- I repeat, &lt;em&gt;not&lt;/em&gt; -- a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. &lt;strong&gt;The SSID was never designed to be hidden&lt;/strong&gt;, and therefore won't provide your network with any kind of protection if you try to hide it. 
It's a violation of the &lt;a href="http://standards.ieee.org/getieee802/802.11.html" target="_blank"&gt;802.11 specification&lt;/a&gt; to keep your SSID hidden; the 802.11i specification amendment (which defines WPA2, discussed later) even states that a computer can refuse to communicate with an access point that doesn't broadcast its SSID. And, even if you think your SSID is hidden, it really isn't. Let me explain.&lt;/p&gt; &lt;p&gt;All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an &lt;em&gt;association frame.&lt;/em&gt; This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.&lt;/p&gt; &lt;p&gt;Both Windows XP and Vista work best when your access points broadcast their SSIDs. XP really &lt;a href="http://support.microsoft.com/kb/811427" target="_blank"&gt;doesn't behave well at all&lt;/a&gt; with nonbroadcasting SSIDs. Vista has some &lt;a href="http://support.microsoft.com/kb/929661" target="_blank"&gt;added smarts to improve this&lt;/a&gt; a bit. Normally, Vista continually sends probe requests for nonbroadcasting networks. These probes are similar to unencrypted 802.11 association frames, and will generate clear-text responses from the access points if a nonbroadcasting network is present. You can reduce, but not entirely eliminate, these probes by configuring the wireless client to probe only for automatically-connected nonbroadcasting networks.&lt;/p&gt; &lt;p&gt;Both these behaviors make it very easy for an attacker to discover your SSID. 
The bad guy, perhaps a contractor or a guest in your facility, could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of "hiding" configured in your access points can prevent this kind of traffic interception.&lt;/p&gt; &lt;p&gt;So there you have it, simple SSID discovery. The old axiom remains true: security by obscurity is no security at all. Hiding an SSID will not hide a wireless network, so ignore any such advice -- and it's amazing how often I continue to see this. By the way, &lt;strong&gt;also ignore any advice that says to use MAC address filtering&lt;/strong&gt;. It's amazingly trivial to spoof the MAC address of an allowed supplicant -- simply sniff the traffic, look at the MAC addresses, and use the neat little &lt;a href="http://www.klcconsulting.net/smac" target="_blank"&gt;SMAC utility&lt;/a&gt; to change your MAC to one that's permitted.&lt;/p&gt; &lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/library/bb726942.aspx" target="_blank"&gt;Nonbroadcasting networks are not secure networks&lt;/a&gt;. The right way to secure a wireless network is to use protocols that are designed specifically to address wireless network threats. If you're still using WEP, either static or dynamic, I encourage you to move to WPA2 as soon as possible. For those of you at home running XP and have kept it updated, or if you're running Vista, then, you simply need to &lt;a href="http://www.microsoft.com/technet/community/columns/cableguy/cg0505.mspx" target="_blank"&gt;enable WPA2&lt;/a&gt;. 
We've got some additional guidance for &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&amp;amp;displaylang=en" target="_blank"&gt;home/small offices&lt;/a&gt; and for enterprise networks &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=cdb639b3-010b-47e7-b234-a27cda291dad&amp;amp;displaylang=en" target="_blank"&gt;with certificate services&lt;/a&gt; or &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=60c5d0a1-9820-480e-aa38-63485eca8b9b&amp;amp;displaylang=en" target="_blank"&gt;without&lt;/a&gt;. If you have hardware that's more than two years old and you can't upgrade it, check to see whether it supports WPA (an interim specification released before WPA2 was ratified). Both WPA and WPA2 are built on sound cryptographic principles, they're proven in the field, and they'll keep the bad guys out -- even when you're broadcasting your SSID to the world.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2181282" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/wireless/default.aspx">wireless</category><category domain="http://blogs.technet.com/steriley/archive/tags/networking/default.aspx">networking</category><category domain="http://blogs.technet.com/steriley/archive/tags/encryption/default.aspx">encryption</category></item><item><title>Bugged Canadian coin story is...wait for it...BOGUS!</title><link>http://blogs.technet.com/steriley/archive/2007/01/16/bugged-canadian-coin-story-is-wait-for-it-bogus.aspx</link><pubDate>Wed, 17 Jan 2007 02:39:00 
GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:599346</guid><dc:creator>Steve Riley</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/steriley/comments/599346.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=599346</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=599346</wfw:comment><description>&lt;P&gt;Surely you've heard, too many times by now, about the radio transmitters "discovered" in some Canadian coins. From the moment I first read about it, the&amp;nbsp;steamy stench&amp;nbsp;of pasture patties loomed large in the air. I watched in amazement as the story grew and the apparent credibility so many "journalists" ascribed to it! Well, the United States Defense Security Service &lt;A class="" href="http://www.dss.mil/dss_coin_announce.htm" target=_blank mce_href="http://www.dss.mil/dss_coin_announce.htm"&gt;now admits that the statement&lt;/A&gt; is "unsubstantiated following an investigation into the matter."&lt;/P&gt;
&lt;P&gt;My variation on the rule is this: &lt;STRONG&gt;if something is too &lt;EM&gt;stupid&lt;/EM&gt; to be true, it absolutely is.&lt;/STRONG&gt; And, of course, there's a corollary: &lt;STRONG&gt;media attention to silliness is inversely proportional to factuality.&lt;/STRONG&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=599346" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>Security myths and passwords</title><link>http://blogs.technet.com/steriley/archive/2006/04/30/Security-myths-and-passwords.aspx</link><pubDate>Sun, 30 Apr 2006 19:07:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:426851</guid><dc:creator>Steve Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/426851.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=426851</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=426851</wfw:comment><description>&lt;P&gt;I like this a &lt;EM&gt;lot.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/" mce_href="http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/"&gt;http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/&lt;/A&gt;&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective…or possibly even dangerous.&lt;/P&gt;
&lt;P&gt;Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.&lt;/P&gt;
&lt;P&gt;From a high-level perspective, let me observe that one problem with any widespread change policy is that it fails to take into account the various threats and other defenses that may be in place. Policies should always be based on a sound understanding of risks, vulnerabilities, and defenses. “&lt;STRONG&gt;Best practice” is intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment.&lt;/STRONG&gt;&lt;BR&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=426851" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+policies/default.aspx">security policies</category><category domain="http://blogs.technet.com/steriley/archive/tags/passwords/default.aspx">passwords</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category></item><item><title>New site at the top of my favorites list</title><link>http://blogs.technet.com/steriley/archive/2005/11/16/New-site-at-the-top-of-my-favorites-list.aspx</link><pubDate>Wed, 16 Nov 2005 12:46:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:414616</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/414616.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=414616</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=414616</wfw:comment><description>&lt;P&gt;You know, stupid security abounds. I just discovered this site today, and I plan to become a regular visitor -- and probably a contributor, too! 
I encourage you to explore it and enjoy. Oh, some advice: it probably would be unwise to read an offline archived version of this site on an airplane. :)&lt;/P&gt;
&lt;P&gt;Stupid Security: Exposing fake security since 2003&lt;BR&gt;&lt;A href="http://www.stupidsecurity.com/" mce_href="http://www.stupidsecurity.com"&gt;http://www.stupidsecurity.com&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=414616" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>The Internet routes around outages -- and censorship, too</title><link>http://blogs.technet.com/steriley/archive/2005/09/27/The-Internet-routes-around-outages-_2D002D00_-and-censorship_2C00_-too.aspx</link><pubDate>Tue, 27 Sep 2005 12:28:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:411588</guid><dc:creator>Steve Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/411588.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=411588</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=411588</wfw:comment><description>&lt;P&gt;Have you seen this yet?&amp;nbsp;"&lt;A class="" href="http://www.pcmag.com/article2/0,1895,1831969,00.asp" target=_blank mce_href="http://www.pcmag.com/article2/0,1895,1831969,00.asp"&gt;Grokster ruling begins the good fight&lt;/A&gt;"&amp;nbsp;If you haven't, it's worth your time to read -- it's a terrible shibboleth for a U.S. 
"national firewall."&lt;/P&gt;
&lt;P&gt;Coursey is promoting the idea that all U.S. Internet access should pass through a firewall that will block file-sharing and gambling sites. Since most of these sites have moved off-shore, Coursey claims that this isn't censorship, but it's the only way to ensure that "when the Internet is being used on American soil, it should comply with American law." Later in the article he chides the Chinese government "for filtering the Internet as delivered to residents of the communist dictatorship." He&amp;nbsp;contrasts this&amp;nbsp;with&amp;nbsp;file-sharing and gambling and says that "since [these] are not accepted as universal human rights," it's OK to "stop illegal content from reaching American citizens."&lt;/P&gt;
&lt;P&gt;Does Coursey lack a sense of irony? It seems so. In one swell foop he maintains that America should be allowed to filter what&amp;nbsp;America has declared illegal -- file-sharing and gambling -- while denying that China should be allowed to filter what China has declared illegal --&amp;nbsp;political and religious&amp;nbsp;content&amp;nbsp;that's counter to and threatens the government.&lt;/P&gt;
&lt;P&gt;Am I the only one who sees a problem with this? Now of course China's actions completely violate all sense of human rights, but adopting their solution -- censorship -- will be no better in this country. If we establish a precedent of censoring illegal content, what's to stop&amp;nbsp;various interest groups from&amp;nbsp;galvanizing politicians to declare illegal anything that the groups don't like? Where will it end?&lt;/P&gt;
&lt;P&gt;(Post script: I'm writing this from Taiwan! Also, last week in China, their "national firewall" was pretty useless...)&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=411588" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category></item><item><title>Airport security silliness</title><link>http://blogs.technet.com/steriley/archive/2005/07/21/Airport-security-silliness.aspx</link><pubDate>Fri, 22 Jul 2005 06:23:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:408061</guid><dc:creator>Steve Riley</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/steriley/comments/408061.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=408061</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=408061</wfw:comment><description>&lt;P&gt;So today (Thursday 21 July 2005) I flew from Seattle to Dallas for&amp;nbsp;a customer meeting. Since it's a short one-day affair, I packed my small carry-on size suitcase. In it was a pair of shoes, one pants, one shorts, two shirts, a toiletry bag, and my collection of wall warts (AC adapters). Seems normal, so far.&lt;/P&gt;
&lt;P&gt;As the suitcase passes through the x-ray machine, the TSA droid's brows begin to furrow. "Oh crap," thought I. They run the bag a second time. More furrowing.&lt;/P&gt;
&lt;P&gt;"Is this your bag?" they ask. There seemed to be a bit of trepidation combined with glee in their attitude -- or maybe I was just imagining it.&lt;/P&gt;
&lt;P&gt;"Yeah, can you tell me what's wrong?"&lt;/P&gt;
&lt;P&gt;"There's something that we can't figure out what it is. We'll need to do a secondary screening."&lt;/P&gt;
&lt;P&gt;So then they carry it to one of those infernal explosive detection machines. You know, where&amp;nbsp;another doughnut-gorged TSA&amp;nbsp;droid sticks&amp;nbsp;a little chamois pad&amp;nbsp;on the end of a wand and lovingly caresses your bag's zippers, then inserts the chamois pad into the detection machine. There was nothing, of course. As far as I can tell from my research, &lt;EM&gt;none of these machines in any airport in the United States has ever actually found an explosive.&lt;/EM&gt; What an absolute waste of time, money, and resources.&lt;/P&gt;
&lt;P&gt;Then -- get this -- Mr. Doughnut &lt;EM&gt;hands me my bag!&lt;/EM&gt; So let me get this straight. The supposedly highly-trained x-ray operator can't figure out something &lt;EM&gt;inside&lt;/EM&gt; my bag, and so they&amp;nbsp;inspect the &lt;EM&gt;exterior zipper?&lt;/EM&gt; What are these people smoking, and why don't they share? Sheesh! Security theater, indeed.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=408061" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category><category domain="http://blogs.technet.com/steriley/archive/tags/aviation+security/default.aspx">aviation security</category></item><item><title>New column - debunking security myths</title><link>http://blogs.technet.com/steriley/archive/2005/04/12/New-column-_2D00_-debunking-security-myths.aspx</link><pubDate>Tue, 12 Apr 2005 22:58:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:403644</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/steriley/comments/403644.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=403644</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=403644</wfw:comment><description>&lt;P&gt;There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance with some security configuration or hardening guide to be compliant with security policy. In other environments security configuration guidance is strongly encouraged. Before you start making security tweaks, however, we feel that it is very important that you understand some of the fundamental problems with them. These are what we call the myths.&lt;/P&gt;
&lt;P&gt;Part 1: &lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx" mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Part 2: &lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx" mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=403644" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item></channel></rss>