<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : security theater</title><link>http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx</link><description>Tags: security theater</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>The bad guys will use BitLocker, too</title><link>http://blogs.technet.com/steriley/archive/2007/07/13/the-bad-guys-will-use-bitlocker-too.aspx</link><pubDate>Fri, 13 Jul 2007 21:03:36 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1514995</guid><dc:creator>Steve Riley</dc:creator><slash:comments>14</slash:comments><comments>http://blogs.technet.com/steriley/comments/1514995.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=1514995</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=1514995</wfw:comment><description>&lt;p&gt;Got an email today from a customer asking about how BitLocker will affect the ability of law enforcement to conduct forensic analysis of a protected hard drive. Specifically, the person was asking about any back doors that law enforcement could use to bypass the encryption.&lt;/p&gt; &lt;p&gt;The answer is very simple, and I'm sure not what he wanted to hear: &lt;strong&gt;there are no back doors. Period.&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Think about it for a moment: if there were a back door, would you trust the technology? Of course not. If&amp;nbsp;Microsoft incorporated a mechanism to bypass the encryption, then we'd be weakening the technology for 99.9% of&amp;nbsp;the population&amp;nbsp;to favor the needs of 0.1%. 
And, surely, the bad guys would find out how to exploit the bypass -- meaning that BitLocker becomes completely useless for you.&lt;/p&gt; &lt;p&gt;Here's a similar example: some people have advocated that cell phones be disabled in certain public places (movie theaters, tunnels, sports stadiums, and so on) because terrorists might use them to remotely trigger bombs. What a bunch of nonsense this is. Communications tools are far more beneficial to the millions of good guys who use them every day (perhaps to save lives?) than to the few bad guys who also use them. Why destroy beneficial utility for everyone&amp;nbsp;just because someone &lt;em&gt;might&lt;/em&gt; misuse the technology?&lt;/p&gt; &lt;p&gt;Encryption is amoral. Good guys will use it, and bad guys will use it. We've got to accept that fact. It does no one any good to render beneficial technology useless just because there's the potential that someone might misuse it.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=1514995" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/Windows+Vista/default.aspx">Windows Vista</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category><category domain="http://blogs.technet.com/steriley/archive/tags/BitLocker/default.aspx">BitLocker</category><category domain="http://blogs.technet.com/steriley/archive/tags/encryption/default.aspx">encryption</category></item><item><title>TechNet: Exploring the Windows Vista Firewall</title><link>http://blogs.technet.com/steriley/archive/2007/05/29/technet-exploring-the-windows-vista-firewall.aspx</link><pubDate>Wed, 30 May 2007 02:01:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1099448</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/steriley/comments/1099448.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=1099448</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=1099448</wfw:comment><description>&lt;P&gt;New article up...&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Back in the days of the paleocomputing era, no one ever thought about installing firewalls on individual computers. Who needed to? Hardly anyone had heard of the Internet, TCP/IP was nowhere in sight, and LAN protocols didn’t route beyond your building or campus. Important data lived on the mainframe or file servers—the information people kept on their desktop computers was rarely mission critical and the computer’s own weight afforded a certain amount of decent physical security. If there was a connection to the Internet available, there were likely some protocol translators in the way and a packet-filtering router (I mean "firewall") at the edge, probably configured with too many rules and exceptions.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Modern computing environments wildly diverge from those ancient times. Everything is connected to the Internet (and talks TCP/IP now) and portable devices are now the standard. Your employer has likely given you a laptop, not because they care about you, but because they care about getting more out of you—they fully expect you to work anytime you’ve got five spare minutes and a Wi-Fi connection. Laptops might cost more than desktops, but that investment is surely repaid in productivity. You see, it’s the portability that makes them so alluring—to you and your adversaries.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;...continued: &lt;A href="http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx"&gt;http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=1099448" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/Windows+Vista/default.aspx">Windows Vista</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category></item><item><title>America, wake up: stop being "security sheep"</title><link>http://blogs.technet.com/steriley/archive/2007/01/02/america-wake-up-stop-being-security-sheep.aspx</link><pubDate>Tue, 02 Jan 2007 21:49:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:578777</guid><dc:creator>Steve Riley</dc:creator><slash:comments>18</slash:comments><comments>http://blogs.technet.com/steriley/comments/578777.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=578777</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=578777</wfw:comment><description>&lt;P&gt;OK, I need to complain a bit here.&lt;/P&gt;
&lt;P&gt;Yesterday I went to Best Buy to get a new digital camera. I already knew which one I wanted, so I found a sales guy, pointed to the display unit, and said, "I'd like one of these."&lt;/P&gt;
&lt;P&gt;"Sure," he replied. He&amp;nbsp;found the keys, unlocked the cabinet, pulled out a box, and said, "I'll meet you at register four."&lt;/P&gt;
&lt;P&gt;"Eh?" I asked. "Can't I just carry it?"&lt;/P&gt;
&lt;P&gt;&amp;nbsp;"No, the policy is that I have to carry it."&lt;/P&gt;
&lt;P&gt;"What a stupid policy," I grumbled, "treating all of your customers as if they're thieves."&lt;/P&gt;
&lt;P&gt;Then when making the purchase with a credit card, the cashier&amp;nbsp;demanded to see my ID. "Why?" I asked.&lt;/P&gt;
&lt;P&gt;"To verify your identity."&lt;/P&gt;
&lt;P&gt;I walked out of the store, with my camera, but not in a good mood at all. I spend a lot of money at Best Buy and I don't appreciate the assumption that I'm there to steal something. Furthermore, asking for ID during a credit card purchase is just dumb. Credit card companies really don't care who you are. Once the authorization is received, the transaction has already been processed, which includes a serious amount of "transaction authentication" to detect and reduce fraud. This is far more reliable than some clerk comparing names or -- worse -- signatures. And how come it never seems to dawn on the policy-making folk at these stores that online purchases don't require ID?&lt;/P&gt;
&lt;P&gt;How did we get into this mess of &lt;EM&gt;distrust by default?&lt;/EM&gt; My thinking followed this process:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;First I blamed the September 11th terrorists. You bastards, if you hadn't done what you did, then Americans wouldn't be so afraid of strangers and so quick to assume that anyone who doesn't "look right" is a rapacious murderer.&lt;/LI&gt;
&lt;LI&gt;No, it isn't the terrorists. It's the media. Owned by money-grubbing conglomerates with their lips pressed firmly against the wrinkled white flesh of the other Washington's (that's D.C.) buttocks, the media assists the politicians in their drive to keep America terrified. For when the&amp;nbsp;people are&amp;nbsp;terrified, they can be controlled, and even have their civil liberties illegally stripped away without nary a peep.&lt;/LI&gt;
&lt;LI&gt;Finally, I realized: it's our own fault. We as free citizens have the solemn responsibility &lt;EM&gt;not&lt;/EM&gt; to allow ourselves to be manipulated by those who would benefit from our sheepishness. While we citizens have no control over the media (this is a good thing) and little control over our current government (this is a bad thing), we have complete control over how we react to the tactics of both -- as well as the tactics of those who would do us physical harm.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;America is paralyzed by fear, and this fear has caused us to regard with great suspicion those whom we necessarily interact with every day. The only way to move beyond this is to refuse to allow yourself to be manipulated. While you can't just refuse to show your ID if you want to buy something with a credit card or get on an airplane tomorrow, you can begin having conversations with your friends and neighbors -- help people understand that only when we &lt;EM&gt;all&lt;/EM&gt; rise against the backlash will there be change. And chat up a stranger, too. In my travels around the world I've met hundreds of folks; I'm convinced that the overwhelming majority of people are kind and decent and simply looking for someone to listen to their stories. Be a listener -- it's amazing what you can learn. And little by little, we can undo the paralysis that defines life in the 21st century.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=578777" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+worried/default.aspx">things that make me worried</category></item><item><title>Mythbusters beat "unbreakable" fingerprint door lock</title><link>http://blogs.technet.com/steriley/archive/2006/09/20/Mythbusters-beat-_2200_unbreakable_2200_-fingerprint-door-lock.aspx</link><pubDate>Thu, 21 Sep 2006 08:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:457845</guid><dc:creator>Steve Riley</dc:creator><slash:comments>13</slash:comments><comments>http://blogs.technet.com/steriley/comments/457845.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=457845</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=457845</wfw:comment><description>&lt;P&gt;My good friend Jamie Sharp sent me this link today. It's amazing: &lt;A href="http://www.youtube.com/watch?v=oXyFmieZjiE" target=_blank mce_href="http://www.youtube.com/watch?v=oXyFmieZjiE"&gt;watch how Adam and Jamie easily defeat a fingerprint lock&lt;/A&gt; the manufacturer claims has never been broken. As if to snub the claims, they break it &lt;EM&gt;three times!&lt;/EM&gt; Supposedly it monitors pulse, sweat, temperature, and other attributes. First, Adam obtains an impression of a fingerprint already present on the reader and creates a latex copy that he adheres to his own thumb. 
Initial attempts fail, but when Adam licks the latex, the door opens. Next, Jamie tries a ballistics gel copy of the fingerprint. Sure enough, the door opens right away. Adam remarks that some cheap computer fingerprint reader was actually more difficult to hack than the "unbreakable" door lock! Finally, Adam tries the simplest of all attacks: a photocopy of the authorized fingerprint. No warmth, no pulse, only a lick -- and again, the door opens.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx" target=_blank mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx"&gt;Biometrics is identity, not authentication&lt;/A&gt;. Authentication requires a secret of some kind, like a PIN or password. Anything you leave behind, like the fingerprint Adam lifted from the reader, can never be used as a secret, and thus can't be considered authentication.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=457845" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx">biometrics</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>File under: "You've got to be kidding!"</title><link>http://blogs.technet.com/steriley/archive/2006/03/11/File-under_3A00_-_2200_You_2700_ve-got-to-be-kidding_21002200_.aspx</link><pubDate>Sun, 12 Mar 2006 04:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:421831</guid><dc:creator>Steve Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/421831.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=421831</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=421831</wfw:comment><description>&lt;P&gt;Today I upgraded the brain on my i-mate K-JAM. 
Which, of course,&amp;nbsp;requires a hard reset, meaning that I get to spend a relaxing day re-installing and configuring all my applications. Usually when I do this (too frequently, it seems) I browse around for new and improved software.&lt;/P&gt;
&lt;P&gt;While perusing &lt;A href="http://www.pocketgear.com/" mce_href="http://www.pocketgear.com/"&gt;www.pocketgear.com&lt;/A&gt; for&amp;nbsp;updated travel-related software, I stumbled across something that's&amp;nbsp;incredibly funny and woefully tragic at the same time. You gotta check this out, if only for comic relief!&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;A class="" href="http://www.pocketgear.com/software_detail.asp?id=10970" target=_blank mce_href="http://www.pocketgear.com/software_detail.asp?id=10970"&gt;2004 Terrorism Survival Bundle 3.0&lt;/A&gt;&lt;/STRONG&gt;&lt;BR&gt;Don't be caught unprepared in the case of another terrorism attack. The 2004 Terrorism Survival Bundle includes:&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;UL&gt;
&lt;UL&gt;
&lt;LI&gt;Terrorism travel planner - international&lt;/LI&gt;
&lt;LI&gt;Terrorism travel planner - USA&lt;/LI&gt;
&lt;LI&gt;Terrorism survival plan database&lt;/LI&gt;
&lt;LI&gt;Terrorism survival response database&lt;/LI&gt;&lt;/UL&gt;&lt;/UL&gt;
&lt;P&gt;I especially enjoyed the list of less common international threats: children, driving, food, kidnappings, landmines, missiles, piracy, soft targets, and vehicle explosions! How are children threatening?&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=421831" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>New site at the top of my favorites list</title><link>http://blogs.technet.com/steriley/archive/2005/11/16/New-site-at-the-top-of-my-favorites-list.aspx</link><pubDate>Wed, 16 Nov 2005 12:46:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:414616</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/414616.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=414616</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=414616</wfw:comment><description>&lt;P&gt;You know, stupid security abounds. I just discovered this site today, and I plan to become a regular visitor -- and probably a contributor, too! I encourage you to explore it and enjoy. Oh, some advice: it probably would be unwise to read an offline archived version of this site on an airplane. :)&lt;/P&gt;
&lt;P&gt;Stupid Security: Exposing fake security since 2003&lt;BR&gt;&lt;A href="http://www.stupidsecurity.com/" mce_href="http://www.stupidsecurity.com"&gt;http://www.stupidsecurity.com&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=414616" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>The Internet routes around outages -- and censorship, too</title><link>http://blogs.technet.com/steriley/archive/2005/09/27/The-Internet-routes-around-outages-_2D002D00_-and-censorship_2C00_-too.aspx</link><pubDate>Tue, 27 Sep 2005 12:28:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:411588</guid><dc:creator>Steve Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/411588.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=411588</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=411588</wfw:comment><description>&lt;P&gt;Have you seen this yet?&amp;nbsp;"&lt;A class="" href="http://www.pcmag.com/article2/0,1895,1831969,00.asp" target=_blank mce_href="http://www.pcmag.com/article2/0,1895,1831969,00.asp"&gt;Grokster ruling begins the good fight&lt;/A&gt;"&amp;nbsp;If you haven't, it's worth your time to read -- it's a terrible shibboleth for a U.S. 
"national firewall."&lt;/P&gt;
&lt;P&gt;Coursey is promoting the idea that all U.S. Internet access should pass through a firewall that will block file-sharing and gambling sites. Since most of these sites have moved off-shore, Coursey claims that this isn't censorship, but it's the only way to ensure that "when the Internet is being used on American soil, it should comply with American law." Later in the article he chides the Chinese government "for filtering the Internet as delivered to residents of the communist dictatorship." He&amp;nbsp;contrasts this&amp;nbsp;with&amp;nbsp;file-sharing and gambling and says that "since [these] are not accepted as universal human rights," it's OK to "stop illegal content from reaching American citizens."&lt;/P&gt;
&lt;P&gt;Does Coursey lack a sense of irony? It seems so. In one swell foop he maintains that America should be allowed to filter what&amp;nbsp;America has declared illegal -- file-sharing and gambling -- while denying that China should be allowed to filter what China has declared illegal --&amp;nbsp;political and religious&amp;nbsp;content&amp;nbsp;that's counter to and threatens the government.&lt;/P&gt;
&lt;P&gt;Am I the only one who sees a problem with this? Now of course China's actions completely violate all sense of human rights, but adopting their solution -- censorship -- will be no better in this country. If we establish a precedent of censoring illegal content, what's to stop&amp;nbsp;various interest groups from&amp;nbsp;galvanizing politicians to declare illegal anything that the groups don't like? Where will it end?&lt;/P&gt;
&lt;P&gt;(Post script: I'm writing this from Taiwan! Also, last week in China, their "national firewall" was pretty useless...)&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=411588" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category></item><item><title>Cluelessness abounds</title><link>http://blogs.technet.com/steriley/archive/2005/09/14/Cluelessness-abounds.aspx</link><pubDate>Wed, 14 Sep 2005 19:08:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:410797</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/410797.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=410797</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=410797</wfw:comment><description>&lt;P&gt;So yesterday I received a rather interesting email. Subject: "INFOSEC Scholarships &amp;amp; Fellowships for PhD or MS + Free CISSP Exam Prep Events." Hm, I didn't know that "information security" suddenly became an all-caps acronym. How come no one asks me first about these things? Anyway, it purports to come from the University of Fairfax, who seems to be outsourcing their spam to IQMailer.net. I suppose if you're gonna set up an outsourcing business, spam is as good as anything. 
There's no paperclip icon next to the message, so I open it. Sure enough, it's an ad enticing me to "advance my INFOSEC career to the next level" (the next time I hear "to the next level" I'm gonna throttle whoever says it) because "the federal information security budget will grow to $20B+ by 2008, will your INFOSEC career grow as fast?" I'm so happy that the University of Fairfax and Aladdin Knowledge Systems care so much about me! I'm honored! Yeah right.&lt;/P&gt;
&lt;P&gt;Here's the clueless, somewhat frightening, and hugely ironic&amp;nbsp;part. This message -- sent to me because I'm a subscriber at SearchSecurity.com, advertising a way to learn more about security through courses and exam prep, &lt;EM&gt;had an ActiveX control attached!&lt;/EM&gt; You'd think that people teaching security would know better, and you'd also think that SearchSecurity.com would know better too and at least make sure the email abides by standard security practices. I guess not. Shame on you SearchSecurity.com, and shame on you University of Fairfax. You're doing exactly the wrong things to appeal to your intended audience.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=410797" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/advertising/default.aspx">advertising</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>Lousy security</title><link>http://blogs.technet.com/steriley/archive/2005/09/13/Lousy-security.aspx</link><pubDate>Wed, 14 Sep 2005 01:33:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:410737</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/410737.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=410737</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=410737</wfw:comment><description>&lt;P&gt;Lousy security&amp;nbsp;is all around us, and I'm 
not even thinking about airport security here (which, I admit, I &lt;EM&gt;love&lt;/EM&gt; griping about). Here I have in mind lousy computer security. And lest you think I'm proceeding to engage in&amp;nbsp;navel-gazing introspection, no -- I'm not going to&amp;nbsp;write about our own products.&lt;/P&gt;
&lt;P&gt;Jesper already &lt;A class="" href="http://blogs.technet.com/jesper_johansson/archive/2005/09/09/410558.aspx" target=_blank mce_href="http://blogs.technet.com/jesper_johansson/archive/2005/09/09/410558.aspx"&gt;wrote up his impressions&lt;/A&gt; of a popular wireless router. Now I'd like to tell you about some software I encountered recently.&lt;/P&gt;
&lt;P&gt;Rights management systems (no, not evil DRM that stops you from using, on&amp;nbsp;your own devices,&amp;nbsp;music you've purchased) are becoming more critical in business information systems these days. It's becoming more and more difficult to use a network function -- in this case, file system ACLs -- to enforce access control to objects that can live in many places outside the network. This is the beauty of rights management systems: they offer you a way to enforce access control no matter where an object resides.&lt;/P&gt;
&lt;P&gt;Sure, we have some &lt;A class="" href="http://www.microsoft.com/rms" target=_blank mce_href="http://www.microsoft.com/rms"&gt;pretty cool rights management stuff&lt;/A&gt;. But I'd like to tell you about another one. Recently at an event Jesper told me about&amp;nbsp;a vendor who approached him. This itself isn't so unusual. But this gentleman was bubbling over with excitement about his new rights-management system that was entirely client based -- unlike Windows RMS, it required no server infrastructure. "Hm," thought I, and&amp;nbsp;I agreed to let him show me the product.&lt;/P&gt;
&lt;P&gt;Operationally, it was fairly straightforward -- while their software is running, any documents you create can be protected through the system. On the hard drive it's just an AES-encrypted blob. Good so far. I started chatting with him about how authorization is enforced, and while listening I tried an experiment. I&amp;nbsp;had Jesper&amp;nbsp;open a protected&amp;nbsp;Word document&amp;nbsp;inside Notepad -- always a good thing to do if you want to get an idea of how a file might be modified. At the top of the file was some XML, followed by random binary goop. Sure looked encrypted all right. Then I said, "Hey,&amp;nbsp;save that thing right back to the hard drive and re-open it in Word," wondering&amp;nbsp;whether a&amp;nbsp;simple read-save in Notepad would do anything to his system.&lt;/P&gt;
&lt;P&gt;We&amp;nbsp;loaded Word, opened the document, and -- yes! -- a blue screen! Wham! Cue rapid expressions of surprise and fear across the sales robot's face.&lt;/P&gt;
&lt;P&gt;What happened here? Originally the document was in Unicode. Notepad saved the file in ANSI. Obviously, then, their protection system is incapable of handling non-Unicode files, and the developers made the disastrous assumption that all input is valid. "Who would ever do that?" must have been their answer to the question "What if someone tries to open a non-Unicode file?" Probably, though,&amp;nbsp;they never even thought to&amp;nbsp;ask the question in the first place.&amp;nbsp;The system should have&amp;nbsp;checked the collating sequence and either rejected non-Unicode files or adjusted for ANSI.&lt;/P&gt;
&lt;P&gt;Now why do I relate this tale? It's simple -- software is difficult. Good software is&amp;nbsp;more difficult.&amp;nbsp;Good secure software is monumentally more difficult. Thinking about how a bad guy might abuse your application and developing resilient software that doesn't just blow up in the onslaught of attacks is something that the entire industry is only now beginning to figure out. Jesper's even talking about this now&amp;nbsp;and demonstrating the good and bad&amp;nbsp;in a new event session called "Is that app really safe?"&lt;/P&gt;
&lt;P&gt;People bash Microsoft stuff for being insecure, but at least we have dedicated people whose job is to&amp;nbsp;try to break our stuff. We've got the resources to do that. I'll tell ya, sometimes I'm not sure about some third parties, especially those selling "security software." Conduct your own diligence, test the crap out of anything before you buy, and reward good vendors with your money.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=410737" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/RMS/default.aspx">RMS</category></item><item><title>Airport security silliness</title><link>http://blogs.technet.com/steriley/archive/2005/07/21/Airport-security-silliness.aspx</link><pubDate>Fri, 22 Jul 2005 06:23:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:408061</guid><dc:creator>Steve Riley</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/steriley/comments/408061.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=408061</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=408061</wfw:comment><description>&lt;P&gt;So today (Thursday 21 July 2005) I flew from Seattle to Dallas for&amp;nbsp;a customer meeting. Since it's a short one-day affair, I packed my small carry-on size suitcase. 
In it was a pair of shoes, one pants, one shorts, two shirts, a toiletry bag, and my collection of wall warts (AC adapters). Seems normal, so far.&lt;/P&gt;
&lt;P&gt;As the suitcase passes through the x-ray machine, the TSA droid's brows begin to furrow. "Oh crap," thought I. They run the bag a second time. More furrowing.&lt;/P&gt;
&lt;P&gt;"Is this your bag?" they ask. There seemed to be a bit of trepidation combined with glee in their attitude -- or maybe I was just imagining it.&lt;/P&gt;
&lt;P&gt;"Yeah, can you tell me what's wrong?"&lt;/P&gt;
&lt;P&gt;"There's something that we can't figure out what it is. We'll need to do a secondary screening."&lt;/P&gt;
&lt;P&gt;So then they carry it to one of those infernal explosive detection machines. You know, where&amp;nbsp;another doughnut-gorged TSA&amp;nbsp;droid sticks&amp;nbsp;a little chamois pad&amp;nbsp;on the end of a wand and lovingly caresses your bag's zippers, then inserts the chamois pad into the detection machine. There was nothing, of course. As far as I can tell from my research, &lt;EM&gt;none of these machines in any airport in the United States has ever actually found an explosive.&lt;/EM&gt; What an absolute waste of time, money, and resources.&lt;/P&gt;
&lt;P&gt;Then -- get this -- Mr. Doughnut &lt;EM&gt;hands me my bag!&lt;/EM&gt; So let me get this straight. The supposedly highly-trained x-ray operator can't figure out something &lt;EM&gt;inside&lt;/EM&gt; my bag, and so they&amp;nbsp;inspect the &lt;EM&gt;exterior zipper?&lt;/EM&gt; What are these people smoking, and why don't they share? Sheesh! Security theater, indeed.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=408061" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category><category domain="http://blogs.technet.com/steriley/archive/tags/aviation+security/default.aspx">aviation security</category></item><item><title>New column - debunking security myths</title><link>http://blogs.technet.com/steriley/archive/2005/04/12/New-column-_2D00_-debunking-security-myths.aspx</link><pubDate>Tue, 12 Apr 2005 22:58:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:403644</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/steriley/comments/403644.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=403644</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=403644</wfw:comment><description>&lt;P&gt;There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance with some security configuration or hardening guide to be compliant with security policy. In other environments security configuration guidance is strongly encouraged. Before you start making security tweaks, however, we feel that it is very important that you understand some of the fundamental problems with them. These are what we call the myths.&lt;/P&gt;
&lt;P&gt;Part 1: &lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Part 2: &lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=403644" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item></channel></rss>