locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 23 May 2005 00:00:00 00, 410
Security's 4-legged Stool needs reinforcement

During a recent thread on the Firewall Wizards email list, one participant called attention to a familiar analogy used to explain security. Four critical attributes of security are likened to the four legs of a stool. The four attributes, also known as the Four A's, were defined as

"Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)"

The analogy drawn is also familiar:

"Attack any of the legs and you seriously weaken or break the stool."

I believe this model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data.

Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user. Read about these here and here.

So let's prepend "admission (endpoint device is free of malware, threats)" to this list, and come up with a 5-legged stool, or call it the Pentagon of Trust.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID410 by Dave Piscitello  


Sat, 21 May 2005 00:00:00 00, 409
What is "Deep Inspection"?

My friend and colleague Marcus Ranum delivers a "no holds barred" assessment of deep packet inspection and firewall proxy technology in this editorial. Some stateful inspection advocates will no doubt take exception to Marcus' analyses, but IMO, it's a bluntly accurate piece. From Marcus, you'd expect nothing less.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID409 by Dave Piscitello  


Fri, 20 May 2005 00:00:00 00, 408
Does Wiley know something I don't?

I routinely receive review copies of security books from several publishers. Today, I received a copy of "The Unofficial Guide to Getting a Divorce, 2nd Edition". Aside from the possible ambiguity of one of the chapter titles - MAKING THE MOST OF IT - I don't see any reason why I might be sought out to review this work.

My immediate worry was that my wife might become upset, imagining that I had plans to bail just shy of our 20th anniversary. Fortunately, she laughed when she saw the book.

According to the review guide, nearly half a million marriages end in divorce each year. I assure you, Molly, that I am not eager to join that less-than-elite group.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID408 by Dave Piscitello  


Wed, 18 May 2005 00:00:00 00, 407
NO-IP

I occasionally visit a site and service that performs a reverse DNS lookup as a loose security and auditing measure. The theory is that one should always be able to obtain the domain name corresponding to the IP address of a "legitimately" configured host, even those that are assigned dynamic IP addresses. By insisting on strict reverse DNS configuration, some site operators feel they have an added measure of security against bad actors.

I'm not certain I would sleep any better if I did this for my sites, but this apparently keeps someone happy, or busy.
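As an added example (not the author's code and not part of the original entry), the following Python script implements the check the entry describes, and the stronger form a site operator should actually use. A bare PTR lookup proves only that whoever controls the reverse zone for an address chose to publish some name; forward-confirmed reverse DNS (FCrDNS) additionally requires that one of those names resolve back to the same address, which the address holder cannot arrange unilaterally without also controlling the forward zone. The resolver interface, the example domains and all records below are constructed so the script runs offline; SystemResolver performs live lookups through the host's stub resolver.

```python
"""Reverse DNS check, with and without forward confirmation (FCrDNS).

Added example, not from the original blog post. Records below are
constructed (RFC 5737 documentation addresses); the Resolver interface is
an assumption introduced so the check can run offline and be tested.
"""
import socket
from dataclasses import dataclass, field
from typing import Protocol


class Resolver(Protocol):
    def ptr(self, ip: str) -> list[str]: ...
    def a(self, name: str) -> list[str]: ...


@dataclass
class StaticResolver:
    """Resolver backed by constructed records (no network access)."""
    ptr_records: dict[str, list[str]] = field(default_factory=dict)
    a_records: dict[str, list[str]] = field(default_factory=dict)

    def ptr(self, ip: str) -> list[str]:
        return self.ptr_records.get(ip, [])

    def a(self, name: str) -> list[str]:
        return self.a_records.get(name.rstrip(".").lower(), [])


class SystemResolver:
    """Resolver using the host's stub resolver (live lookups)."""

    def ptr(self, ip: str) -> list[str]:
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
        except socket.herror:
            return []
        return [host, *aliases]

    def a(self, name: str) -> list[str]:
        try:
            infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})


def fcrdns_check(ip: str, resolver: Resolver) -> str:
    """Classify an address as 'no-ptr', 'ptr-unconfirmed' or 'confirmed'.

    'no-ptr' is what the site in the entry rejects (the author's firewall).
    'ptr-unconfirmed' is the case a PTR-only check wrongly accepts: a name
    was published in the reverse zone, but it does not resolve back here.
    """
    names = resolver.ptr(ip)
    if not names:
        return "no-ptr"
    for name in names:
        if ip in resolver.a(name):
            return "confirmed"
    return "ptr-unconfirmed"


# Constructed records for the offline demonstration.
DEMO = StaticResolver(
    ptr_records={
        "192.0.2.10": ["mail.example.com."],
        "192.0.2.20": ["trustme.example.net."],   # PTR names a host we do not own
        # 192.0.2.30 has no PTR at all
    },
    a_records={
        "mail.example.com": ["192.0.2.10"],
        "trustme.example.net": ["198.51.100.5"],  # forward record disagrees
    },
)

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, fcrdns_check(addr, DEMO))
```

To check a real client, pass `SystemResolver()` instead of `DEMO`. Even the confirmed result says nothing about the intent of the host's operator; it only shows that the forward and reverse zones agree, which is the most a DNS-based admission check can establish.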

All my hosts are protected by a firewall that doesn't have a domain name and so my visits to sites so protected are short-lived, and often exasperating. I don't really *want* a domain name for my firewall, but to avoid the occasional "service denied", I decided to do as my partner Lisa suggested and bind a meaningless name to my firewall's IP address using NO-IP's free managed DNS service.

I assigned a name out of the "bounceme.net" domain.

I really wanted "keepyourmittsoffmy.damnedserver.com" but use of that very clever domain name requires an enhanced (for fee) subscription at NO-IP. Of course, $12.95 for a lifetime use of this vanity name isn't really prohibitive, so I might just change the assignment.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID407 by Dave Piscitello  


Tue, 17 May 2005 00:00:00 00, 405
Webinar: Next Generation Secure Application Access

I recorded a webinar for Aventail Corporation on Friday the 13th. The recording went well in spite of the less than fortuitous date. The first broadcast of the webinar is May 24, 2005, 2:00 pm US Eastern Time. If you are interested, you can register at eSecureLive.

I intend to follow up with an "opinion piece" article on this topic early this summer.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID405 by Dave Piscitello  


Sun, 15 May 2005 00:00:00 00, 404
Free for Personal Use Antivirus software

I am giving my son my laptop for personal and school use. Since my Norton Antivirus annual subscription terminates this month, I took the opportunity to try another free for personal use antivirus software, Antivir Personal Edition Classic from H+BEDV.

In past blogs, articles, and at my Antivirus Resources page, I've recommended AVG's Avast! Antivirus personal edition for home users. My wife uses Avast! on her laptop, and it is a reliable, easily configurable product. AntiVir has basically the same features as Avast!: resident Virus Guard, macro protection, boot and master boot protection, scheduled Internet updates, nominal spyware protection, repair/delete/quarantine of detected malware, and (of course, my favorite) multiple levels of event logging.

And who can help but like an antivirus product that calls its full scanner Luke Filewalker?

Effective blocking, timeliness of signature delivery, and program updates will of course be the ultimate metrics on which to judge AntiVir, but at first blush, I believe it will do for a personal laptop.

Companies like H+BEDV and AVG do an enormous service to the Internet community at large by offering free personal edition software. While skeptics might claim such products are loss leaders for 2nd tier antivirus companies desperate to increase market share, I'm comfortable believing there's some "nobler purpose" behind this sort of activity.

And I'll look hard at small business licensing from both companies when time comes to renew my annual Norton subscriptions.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID404 by Dave Piscitello  


Fri, 13 May 2005 00:00:00 00, 403
Overlooked in my Bit-flipping attack commentary...

Kenny Paterson observed that I had failed to mention an important vulnerability when I commented on the NISCC announcement of IPsec ESP vulnerabilities in my blog entry #400.

Hi Dave,

Just read your excellent blog at http://www.securityskeptic.com/catVPNs.htm, and especially enjoyed reading the latest article on the recent NISCC announcement on IPsec vulnerabilities.

I think it would be a valuable service to your readers to make it clear in your blog that the attacks don't just result in bit flipping of selected header fields: that could be interesting - for example packets could get sent to the wrong upper layer protocol - but wouldn't be particularly serious as an attack (in my opinion).

In fact, the attacks described in the NISCC announcement achieve something more: they result in the complete decryption of ESP-protected packets. Thus they defeat the objective of ESP in providing a confidentiality service. Sorry if this seems a bit nit-picking, but I think the attack is potentially a good deal more serious than your article tends to convey.

I very much liked the seatbelts and airbags analogy.

Cheers,

Kenny

Color me embarrassed for failing to include the most troublesome threat this vulnerability poses. Thanks, Kenny, I've corrected the blog entry.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID403 by Dave Piscitello  


Thu, 12 May 2005 00:00:00 00, 402
When Mega-companies cooperate...

I've been using Walmart's Music Download Store ($.88/song) for a month or so. The service is based on Microsoft Media Player/DRM. You pay, you download, you verify you have a license for the song(s), and "you've got music." As long as you protect your licenses, you can always download the music again.

The copying rights are pretty straightforward. You get to make *one* digital copy for a WMA/DRM-compatible digital music player and up to 10 burned copies on CDs. You can of course duplicate any CD you've burned with a minor loss of quality, so I'm not certain how effective this "control" is.

Lots of folks get bent out of shape about music ownership and digital rights management, and I don't really want to get into that rat's nest again. Frankly, this arrangement and implicit "contract" doesn't seem entirely bad. The CD burning direct from Media Player/DRM is generous - let's face it, if you're burning more than 10 copies, it's not for archival.

The bad news is that if you want to keep using a pre-WMA/DRM MP3 player, you have to download, burn an audio CD, and rip from the audio CD to get MP3. This is tiresome and of course the "copy" is not *perfect*. But I for one can't hear *perfect*, and lots of the music I enjoy is digitally remastered (most sixties music is).

I grew up listening to LP records and often the digitally-encoded music I download sounds wrong without that whisper of a needle brushing against vinyl (the word 'plastic' comes to mind). There's also something really eerie about the complete absence of sound between songs. I keep expecting to hear the turntable click off:-)

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID402 by Dave Piscitello  


Wed, 11 May 2005 00:00:00 00, 401
Take stock of endpoint security and admission control

I wrote an opinion piece for Interop Preview 2005 with the proviso that I would be able to publish it here following the conference. In this piece, I present some of the arguments in favor of implementing "scan before connect" security measures.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID401 by Dave Piscitello  


Tue, 10 May 2005 00:00:00 00, 400
Bit-flipping vulnerabilities: another reason to wear your seat belt!

NISCC reported several vulnerabilities in implementations of IPsec's Encapsulating Security Payload (ESP). When a CBC-mode cipher is used for confidentiality without a companion message integrity check, attackers can use bit-flipping techniques to modify the destination IP address, IP options, and IP Protocol field of the encapsulated (inner) IP packet; worse, by using the receiving host's reaction to the modified packets as an oracle, the attacks can result in the complete decryption of the encapsulated IP packet. For a full description, see CVE CAN-2005-0039.

Bit-flipping attacks against unauthenticated encryption are not new, and they are not limited to CBC: any cipher or mode without an integrity check lets an attacker make controlled changes to the plaintext. Bruce Schneier and Mudge disclosed a similar weakness in Microsoft's early PPTP implementation of MPPE. Cisco has a very good and readable description of the well-known bit-flipping attack against the IEEE 802.11 WEP ICV (a linear CRC-32) to derive a key stream; IEEE 802.11 has since replaced WEP with successively more robust integrity checks in WPA and WPA2.

See a pattern here?

We know that confidentiality algorithms by themselves don't protect individual bytes against modification: with CBC, flipping a bit in one ciphertext block (or in the cleartext IV) flips the same bit in the next plaintext block, and the receiver has no way to tell. This is one reason we use message integrity checks.

Is the sky falling? No, because we know the answer is "always use the strongest *set* of security parameters available when configuring IPsec security associations". If you always insist on both the strongest confidentiality algorithm *and* the strongest integrity algorithm, and you complement these with the strongest authentication, key refreshing, and perfect forward secrecy, you shouldn't have to worry about bit-flipping attacks, or (practically speaking) most any attack against your "cipher suite" (oh, that's an SSL term, sorry!). In IPsec terms, that means never configuring ESP with encryption but no authentication algorithm: the integrity check is what turns a controlled bit-flip into a dropped packet.

Organizations that create IPsec SAs without an integrity check (a keyed hash such as HMAC over the ciphertext) are like automobile drivers and passengers who assume air bags will protect them and so choose to sit on their seat belts rather than buckle them. They are ignoring a simple measure and an excellent opportunity to reduce their risk. Cars come with seat belts and airbags. You don't have to use both, but your chances of a close encounter of the windshield kind are greater if you choose to sit on your seat belt rather than buckle up.
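As an added example (not code from the original post or from the NISCC advisory), the following Python script shows the mechanism this entry describes end to end: an inner IPv4 packet is encrypted in CBC mode with no integrity check, an attacker who sees only the IV and ciphertext edits the IV to rewrite the inner Protocol field and repair the IP header checksum (assuming the attacker can guess the original inner header, which is usually easy for a tunnel), and a confidentiality-only receiver accepts the result. It also shows why the destination address is harder to reach (that field lies in the second block, so the preceding ciphertext block must be flipped and the first block turns to garbage), and that an ESP-style HMAC over IV and ciphertext rejects the same edit. The block cipher is a toy Feistel construction over HMAC-SHA256 so the script runs with the standard library only; keys, addresses and packet contents are constructed.

```python
"""CBC bit-flipping against an unauthenticated ESP-style payload.
Added example, not code from the original post or the NISCC advisory. The
block cipher is a toy Feistel network over HMAC-SHA256 (standard library
only; CBC's malleability does not depend on the cipher). All data is constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Toy 8-round Feistel permutation on a 16-byte block (illustration only)."""
    l, r = blk[:8], blk[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "ESP trailer padding omitted for brevity"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones' complement checksum of a 20-byte header (checksum field zeroed)."""
    s = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def flip_protocol(iv: bytes, guessed_hdr: bytes, new_proto: int) -> bytes:
    """Attacker: since P[0] = D(C[0]) XOR IV, XORing the cleartext IV flips the
    same bytes of plaintext block 0 without garbling. Protocol (offset 9) and
    checksum (offsets 10-11) both live there, so a guessed header lets the
    attacker set a new protocol and repair the checksum in one edit."""
    want = guessed_hdr[:9] + bytes([new_proto]) + guessed_hdr[10:20]
    want = want[:10] + struct.pack("!H", ip_checksum(want)) + want[12:]
    return _xor(iv, _xor(guessed_hdr[:BLOCK], want[:BLOCK]))

def receive(key: bytes, iv: bytes, ct: bytes) -> dict:
    """Receiver with confidentiality only: parses whatever decrypts."""
    hdr = cbc_decrypt(key, iv, ct)[:20]
    return {"proto": hdr[9], "dst": socket.inet_ntoa(hdr[16:20]),
            "checksum_ok": ip_checksum(hdr) == struct.unpack("!H", hdr[10:12])[0]}

def esp_tag(auth_key: bytes, iv: bytes, ct: bytes) -> bytes:
    """ESP-style integrity check: HMAC over IV || ciphertext, truncated to 96 bits."""
    return hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:12]

def demo() -> dict:
    enc_key, auth_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 6, 12) + b"Z" * 12  # inner TCP packet
    ct = cbc_encrypt(enc_key, iv, inner)
    tag = esp_tag(auth_key, iv, ct)
    # Attacker sees only IV and ciphertext, guesses the predictable inner header,
    # and rewrites Protocol 6 (TCP) -> 17 (UDP) with a valid checksum.
    evil_iv = flip_protocol(iv, inner[:20], 17)
    tampered = receive(enc_key, evil_iv, ct)
    # Reaching the destination address (block 1) means flipping ciphertext block 0
    # instead: block 0 decrypts to garbage, but block 1 changes in exactly that bit.
    garbled = cbc_decrypt(enc_key, iv, bytes([ct[0] ^ 0x01]) + ct[1:])
    return {
        "original_proto": receive(enc_key, iv, ct)["proto"],
        "tampered_proto": tampered["proto"],
        "tampered_checksum_ok": tampered["checksum_ok"],
        "tag_verifies": hmac.compare_digest(esp_tag(auth_key, evil_iv, ct), tag),
        "block0_garbled": garbled[:BLOCK] != inner[:BLOCK],
        "block1_delta": _xor(garbled[BLOCK:], inner[BLOCK:]),
    }

if __name__ == "__main__":
    print(demo())
```

The receiver in `receive` is the configuration the entry warns about: it decrypts and parses with no way to tell a tampered packet from a genuine one. The single line that fixes it is the `hmac.compare_digest` check on `esp_tag`, performed before anything is decrypted; that is the "seat belt" of the analogy, and it is why an ESP SA should always carry an authentication algorithm alongside its cipher.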

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID400 by Dave Piscitello  


Mon, 09 May 2005 00:00:00 00, 399
Authentication without OAR

Two recent surveys - you might even call them social engineering studies - reveal that office workers have no difficulty disclosing their passwords for a bribe. Infosecurity Europe 2004's organizers were able to obtain passwords from 71% of workers surveyed by offering them chocolate, and TechWeb reports a similar finding (67%) from workers offered a three-dollar Starbucks coupon.

Token and certificate-based authentication can't solve this problem (both employ PINs or passwords). Biometrics might raise the stakes: a pound of Teuscher Champagne Truffles is pretty tempting. But the root cause - behavior - must be changed.

What we have here is a rowboat pressing upstream without an OAR: ownership, accountability, and responsibility. Workers who will concede authenticated access to their organization's information network and assets aren't engaged in the security process. These folks don't know, don't care, or trivialize the problems associated with granting access to unauthorized parties. It's not their data, not their network, and claims that the company could suffer serious financial harm are overblown. It's someone else's problem (no ownership).

Perhaps password protection is a reflection of a broader social condition. How often do we claim we are not responsible for a circumstance or problem? And even when it is proven that we are, how often are we held accountable in some punitive way? How often are we contrite enough to change behavior?

Workers need to care about information security before we can consider any authentication *stronger*. Before you invest in technology, see if your workforce is willing to invest in your organization.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID399 by Dave Piscitello  


Fri, 06 May 2005 00:00:00 00, 398
Interop: Old name plus new venue equals rejuvenated show

MediaLive International dropped the dopey Networld from the Interop brand, left the smoky, low-key Hilton and the cavernous and unfriendly confines of the LVCC, and turned in a show that really proved true to its origins. I ran the security conference again this year, and had great attendance in my sessions, informative and lively moderated panels, and solid presentations from an overwhelming majority of the speakers we invited. Low on the marketing noise, high on information signal. Yes!

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID398 by Dave Piscitello  


Wed, 04 May 2005 00:00:00 00, 397
SPASMS

Preparing for a security session I moderated at Interop in Las Vegas, I began thinking about the subject of unsolicited messaging. The session, entitled "Is the end in sight, or will SPAM, SPIT and SPIM spin entirely out of control?", seemed to overlook one category of unsolicited messaging that has recently become a burden to cell phone users - spamming short messaging systems.

Colleague Caleb Sima at SPI Dynamics has done several presentations explaining how it's possible to DoS certain cell phones using SMS. In some cases, the subscriber is billed for thousands of unsolicited messages. In others, the phones freeze. And of course there are messages that you simply don't want to receive (the Do Not Call List notwithstanding...).

I realized that I had not seen a unique acronym applied to SMS spam, and one quickly came to mind: SPASMS - Spam Against Short Messaging Systems!

You saw it first here.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID397 by Dave Piscitello  


Next Generation Secure Application Access

My white paper, Next Generation Secure Application Access, is available in pdf here. This work for hire for Aventail Corporation examines past and current secure remote access; identifies objectives still not satisfied by existing solutions; and explains how Aventail's Smart SSL VPN meets the objectives I define.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID396 by Dave Piscitello  


Tue, 03 May 2005 00:00:00 00, 395
Expanding your Small Business Wireless LAN

To tap the potential of wireless, many small businesses will (eventually) require multiple APs to fulfill performance and coverage needs. This Watchguard Live Security column explains how to plan and deploy multi-AP (extended SSID) networks.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID395 by Dave Piscitello