locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sat, 28 Oct 2006 00:00:00 00, 563
A Celebration of Kaj Tesink

On Wednesday, October 25th 2006, Kaj Tesink of SAIC/Telcordia died following a long and hard-fought battle against pancreatic cancer.

The Internet and international communities lost a valued and energetic contributor to telecommunications and Internet standards. I lost as dear a friend as I could ever hope to have.

To the Internet community, Kaj leaves a legacy of enthusiastic and *constructive* participation. He also leaves his mark in 15 RFCs. Kaj published numerous articles in telecom and Internet journals and trade publications, and co-authored, with colleague Bob Klessig, a fine book on a pre-ATM broadband access technology, SMDS.

To his friends, Kaj leaves a wealth of happy and bittersweet memories. Kaj was more soft-spoken than outspoken, but rarely one to concede an argument without thoughtful deliberation. Kaj was as analytical a personality as you'd ever expect to meet. He was also kind, thoughtful, and generous, never realizing he was "paying it forward". When Kaj was diagnosed with pancreatic cancer over a year ago, Friends of Kaj appeared seemingly out of nowhere to lend support and comfort, and to help Kaj and his wife Elysia use the time he had to their maximum enjoyment.

Kaj loved board games, especially backgammon and cribbage; playing the latter, he was uncharacteristically competitive. Kaj would tell you he beat me in these games more often than not. I'd argue otherwise. The truth lies in the middle. Nibbling on Dutch licorice was mandatory for these activities. Although I have not enjoyed that treat for many years, I know I will always think of my friend whenever the scent of licorice is present.

Born with Marfan's syndrome, Kaj never enjoyed the luxury of an entirely healthy life, yet he enjoyed biking, hiking, and other outdoor activities. A native of Holland, he led a lifestyle most Americans would consider traditionally European. He immersed himself in books more than television. He read newspapers, listened to BBC, and was better informed of international politics than most Americans are of their home town news.

Kaj is survived by his younger brother Winifred and his wife and soul mate, Elysia. I had the good fortune of serving as Kaj's best man when he and Elysia married. I recall I wished them a long and happy life together and ended the toast with "cent'anni", a traditional Italian blessing that wishes the couple "100 years" of happiness together. I take comfort that part of my blessing came true. While their time together was too short, it was richly lived. Kaj was never happier than when he was with Elysia, and the feeling was mutual. Elysia was as resolute, resourceful, and completely committed a partner as any of us should hope to have when crisis and tragedy strike. Sadly, we live in a time when barely half of all married couples are willing to try to resolve the most trivial matters. Elysia serves as a role model of everything we promise when we say "in sickness and in health".

Elysia asked that donations be made in Kaj's name to the Nature Conservancy (the international branch). If you are so inclined, visit http://www.nature.org and make a donation in his name.

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID563 by Dave Piscitello  


Fri, 27 Oct 2006 00:00:00 00, 562
Admission and Exit Controls versus User Self-Accountability

Endpoint, admission and exit control are hot topics these days. Combined, these security measures attempt to block entry to compromised and infected systems and prevent unintended disclosure of sensitive information such as user account credentials on managed end points. They also protect networks against misuse from systems users might employ that lie outside the administrative reach of an organization's IT staff, such as home and publicly accessible systems.

Justifying an investment in "prevention technology" can be a hard sell in some organizations. IT often has only speculative numbers to offer to CFOs: "If we invest $100,000 now, we can save five times this figure over the next 2 years in system administration (restoring infected systems to a usable state), and possibly ten times more if we are able to avoid a security incident." Such arguments rarely persuade on their own, and vendor case studies and customer testimonials are often insufficient to influence the decision.

I'm not entirely sold on admission and exit controls. I think they are technically intriguing but they are ultimately an automated method of compensating for the vulnerabilities of both end points and those that use them. I also think they are ultimately dangerous because they make users more dependent on automated security and less committed to understanding security and appreciating their individual roles in maintaining an effective security profile.

I'm tired of hearing claims that "users aren't sophisticated enough to secure their systems". I see evidence in elementary, middle and high school classrooms daily that this will not be a legitimate claim ten years from now. I also see evidence today that makes me pause and ask, "would we really be worse off if we invested security budgets in incentive-based rather than preventative programs?"

In every organization, there are users who are "computer savvy". They are eager to understand the technology they use. They appreciate the need for information and system security, and to the extent permitted in the organization, they proactively engage in the security process by implementing antivirus, antispyware, firewall and other desktop measures on their systems. They protect and change passwords regularly, and are suspicious of unsolicited mail and the potential for phishing attacks.

The trick is to get *everyone* as engaged as the "security power users". So I propose an experiment that requires the participation of two similarly sized organizations with similar security needs. Organization Alpha must issue an RFP for a technology-based admission and exit control solution. They must calculate the initial investment and the ongoing cost of administration and support of the solution over a period of two years. The organization must implement the solution, and monitor the cost and efficacy of the solution over the two year period.

Organization Beta is to take the estimated cost of the solution. Part of this budget is used for security training. Each training session should address a security measure typically compensated for by admission and exit controls - antivirus, antispyware, antispam, firewall, VPN... - and explain "why you need to implement this security feature" and "here's how to do it". Another part of the budget is to be used as a monetary incentive for employees who attend security training, and who successfully implement and maintain the security measure on their systems. A final part of the budget is used to provide quarterly bonuses to employees based on success the organization has in avoiding security incidents.

At the end of two years, the organizations should compare results.

Which organization will have a better result? Is security that exploits "employee need and greed" as or more effective than security that exploits F.U.D. and perpetuates user ignorance? Vote!

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID562 by Dave Piscitello  


Thu, 26 Oct 2006 00:00:00 00, 561
Hail and Farewell

Yesterday, I published my last Live Security Service Editorial. To close this chapter in my writing history, I added the following author's note:

My tenure as a LiveSecurity columnist is coming to an end. For nearly six years, WatchGuard Technologies has provided me with enormous editorial latitude so that I could explore a multitude of security issues and take you, my audience, beyond firewalls. I've had the distinct pleasure of working with a very fine technical staff, an outstanding editor, and an appreciative audience. I cannot thank you enough for your positive feedback on so many of my columns, and wish you all great success in your future security endeavors.

I received several comments from LSS subscribers, but none made me feel more appreciated than this one from Jon Chorney, a systems administrator at Master, Sidlow & Associates:

Dave,

Over the last few years, the Watchguard bulletins have grown from useful to vital and remarkably literate. Yours will be an extremely hard act to follow and I, like countless others of your readers, will be hoping that whoever comes after you will make every effort to match what you have done so consistently well.

Should you find yourself producing another bulletin or blog, I do hope you’ll feel free to let me know so that I can keep learning from you.

I wish you the very best in all that lies ahead for you.

Jon.

Jon has been added to my digest recipient list. I hope he finds my blog as rewarding as I found his compliment.

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID561 by Dave Piscitello  


Fri, 20 Oct 2006 00:00:00 00, 560
Distinguishing authentic digital images from forgeries

Mich Kabay's 17 October 2006 Security Strategies Newsletter discusses the difficulties of identifying forged digital images in the absence of watermarking. Mich begins by explaining that image forgeries are "a growing concern" in criminal cases. The problem is actually twofold: many people quickly realize how forged photographs and other images can be used for fraud, extortion and other crimes, but few people consider how a prosecutor's case resting on digital photographs can fall apart if the defense can claim the photograph is not authentic (implying that this evidence has been tampered with).

Mich also mentions the doctoral thesis of Micah Kimo Johnson, who presents three new digital image forensic analytical tools: illuminant direction, specularity, and chromatic aberration. I found Mich's abstracts of each method intriguing enough to visit and read the thesis itself. I recommend you read both the newsletter and the thesis.

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID560 by Dave Piscitello  


Wed, 18 Oct 2006 00:00:00 00, 559
Information Gathering Using Domain Name Registration Records

On behalf of ICANN's Security and Stability Advisory Committee, I recently completed a study of approximately 5000 domain name registration records, randomly selected from several million in com, net, and org. The purpose of my study was to approximate the extent to which personal contact information can be extracted from domain name registration information. For this study, I defined personal contact information as "sufficient attributes" to feel confident that the registrant is an individual, or an individual operating a home business. I also wanted to determine if it would be possible, using the information collected, to speak with or visit the individual at his or her residence, i.e., to make personal contact.

I applied the same kinds of information gathering techniques one might expect an attacker to use when he attempts to identify a target for an attack. Similar techniques might be used by a private investigator or law enforcement agent. I used a variety of databases and search tools to learn more about the registrant from the information collected by registrars and made available via a Whois query or in bulk:

  • A real estate database (trulia.com)
  • An Internet telephone directory (whitepages.com offers reverse number lookup)
  • Search engines (Google, Yahoo!)
  • Aerial photographs of the registrant's address (GoogleEarth)
  • E-maps (Map Quest)
  • Companies and Industries directory (hoovers.com)
  • Web sites hosted at registered domain name
  • My personal familiarity with the geographic region I chose (Philadelphia, PA).

I classified registrants based on a set of matching criteria, with the underlying assumption that the more criteria (out of a possible 10) that are matched, the higher my confidence would be that the registrant information identifies an individual (or business).

The findings from my study are now available in presentation format at the ICANN SSAC web pages.
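As an added illustration of the scoring approach described above (this is not the study's own code, and the page does not list the study's ten criteria, so the ten used here are this example's own assumptions), the script below parses a constructed Whois-style dump, applies ten heuristic criteria to each registrant record, and reports how many hold. The offline lookup tables (consumer mail providers, ZIP prefix to state and local area codes) are hypothetical stand-ins for the telephone directory, real estate and mapping sources an investigator would actually query; the three sample records are constructed and are not real registrations.

```python
"""Score Whois-style registration records for how strongly they identify a contactable
individual. Added illustration: criteria, sample records and lookup tables are constructed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]

# Constructed sample records (not real registrations) in the flat "Key: value" layout
# common to registrar Whois output; a blank line separates records.
SAMPLE_WHOIS = """\
Domain Name: example-home.test
Registrant Name: Jane Doe
Registrant Street: 1234 Pine St
Registrant State/Province: PA
Registrant Postal Code: 19107
Registrant Phone: +1.2155550123
Registrant Email: jane.doe@gmail.test

Domain Name: example-corp.test
Registrant Name: Domain Administrator
Registrant Organization: Example Widgets Inc.
Registrant Street: 500 Market St Suite 1200
Registrant State/Province: PA
Registrant Postal Code: 19106
Registrant Phone: +1.2155550100
Registrant Email: hostmaster@example-corp.test

Domain Name: example-proxy.test
Registrant Name: Registration Private
Registrant Organization: Whois Privacy Service
Registrant Street: PO Box 999
Registrant State/Province: AZ
Registrant Postal Code: 85260
Registrant Phone: +1.4805550199
Registrant Email: example-proxy.test@privacyservice.test
"""

# Hypothetical stand-ins for the external sources an investigator would consult
# (telephone directory, postal data); only the Philadelphia region is populated.
CONSUMER_MAIL_DOMAINS = {"gmail.test", "yahoo.test", "hotmail.test", "aol.test", "comcast.test"}
ZIP_PREFIX_TO_REGION = {"191": ("PA", {"215", "267", "445"})}
NOT_A_PERSON = re.compile(r"\b(inc|llc|ltd|corp(oration)?|company|co|gmbh|administrator|admin|hostmaster|webmaster|domain|dns)\b", re.I)
PROXY_WORDS = re.compile(r"\b(privacy|private|proxy|protected|redacted)\b", re.I)
NON_RESIDENTIAL = re.compile(r"\b(suite|ste|floor|fl|bldg|building|po box|p\.o\. box)\b", re.I)

def parse_whois(text: str) -> List[Record]:
    """One dict per record; a blank line separates records in the dump."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict((k.strip(), v.strip()) for k, _, v in (line.partition(":") for line in b.splitlines()))
            for b in blocks]

def _f(rec: Record, key: str) -> str:
    return rec.get("Registrant " + key, "")

def _area_code(phone: str) -> str:
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):  # drop the NANP country code
        digits = digits[1:]
    return digits[:3]

def _region(rec: Record) -> Optional[Tuple[str, set]]:
    return ZIP_PREFIX_TO_REGION.get(_f(rec, "Postal Code")[:3])

# Each criterion is a predicate over one record; the score is how many of the ten hold.
CRITERIA: List[Tuple[str, Callable[[Record], bool]]] = [
    ("name looks like a person", lambda r: len(_f(r, "Name").split()) >= 2
        and not (NOT_A_PERSON.search(_f(r, "Name")) or PROXY_WORDS.search(_f(r, "Name")))),
    ("no separate organization", lambda r: _f(r, "Organization") in ("", _f(r, "Name"))),
    ("consumer mail provider", lambda r: _f(r, "Email").rpartition("@")[2].lower() in CONSUMER_MAIL_DOMAINS),
    ("mailbox names the registrant", lambda r: bool(_f(r, "Name"))
        and _f(r, "Name").split()[-1].lower() in _f(r, "Email").rpartition("@")[0].lower()),
    ("numbered street address", lambda r: re.match(r"\d+\s+\S", _f(r, "Street")) is not None),
    ("address looks residential", lambda r: bool(_f(r, "Street")) and not NON_RESIDENTIAL.search(_f(r, "Street"))),
    ("phone number given", lambda r: len(re.sub(r"\D", "", _f(r, "Phone"))) >= 10),
    ("phone area code local to postal code", lambda r: _region(r) is not None and _area_code(_f(r, "Phone")) in _region(r)[1]),
    ("state consistent with postal code", lambda r: _region(r) is not None and _f(r, "State/Province") == _region(r)[0]),
    ("no privacy/proxy service", lambda r: not PROXY_WORDS.search(" ".join(_f(r, k) for k in ("Name", "Organization", "Email")))),
]

def score_record(rec: Record) -> Tuple[int, List[str]]:
    """Return (number of criteria met, names of those criteria) for one record."""
    hits = [name for name, test in CRITERIA if test(rec)]
    return len(hits), hits

def classify(score: int) -> str:
    """Map a score to confidence that the registrant is an individual reachable in person."""
    return ("individual (high confidence)" if score >= 8 else
            "possible individual or home business" if score >= 6 else "business, proxy or insufficient data")

def assess(text: str = SAMPLE_WHOIS) -> Dict[str, Tuple[int, str]]:
    """Score every record in a Whois dump, keyed by domain name."""
    results = {}
    for rec in parse_whois(text):
        score, _ = score_record(rec)
        results[rec.get("Domain Name", "?")] = (score, classify(score))
    return results
```

Calling `assess()` on the constructed dump scores the home registrant 10 of 10, the corporate record 5 (a numbered street, a phone and a consistent region, but a role name, a Suite address and an organizational mailbox) and the proxy-protected record 1. The thresholds in `classify` are the example's own; the point is that confidence should come from independent attributes agreeing, so that a single field such as a phone number never suffices on its own.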

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID559 by Dave Piscitello  


Tue, 03 Oct 2006 00:00:00 00, 558
Safety versus convenience, security versus performance

A Smallville, USA mother and her three young children were killed in an automobile accident yesterday when her automobile was struck by a teenager who misjudged a traffic light at the intersection of Maple Avenue and Pine Street. The teen and his three companions also died in the accident. The community's reactions to this tragic event were captured in the local newspaper editorials. Some feared future accidents while others expressed outrage that the tragedy could have been avoided had the town council been more responsible when installing traffic lights. The town council laid the blame on the shoulders of the Traffic Engineering Division.

The town council hired consultants to determine if some measures could be taken to mitigate such tragedies in the future. The consultants recommended that the red (stop) signal should be extended for 20 seconds in all directions at the intersection of Maple Avenue and Pine Street. The delay would dramatically reduce the likelihood of another accident.

The solution worked extremely well. Months passed without an accident. The community, however, soon complained that the 20 second delay created intolerable and unavoidable delays and interfered with business. The town council instructed its traffic engineers to reduce the delay to 15 seconds at the intersection of Maple Avenue and Pine Street.

Months again passed without an accident. The community prospered and the population grew. The community again complained that the 15 second delay created intolerable and unavoidable delays and interfered with business. The town council instructed its traffic engineers to reduce the delay to 10 seconds at the intersection of Maple Avenue and Pine Street.

Lather, rinse, repeat...

Two years after the incident, the traffic signal at the intersection of Maple Avenue and Pine Street has no extended red signals.

Imagine that Smallville is not a town but an organization. Maple Avenue and Pine Street are not roads but segments of an IP network. The traffic signal at the intersection of Maple Avenue and Pine Street is an Internet firewall. The organization has just witnessed a security incident rather than an automobile accident.

Too often, organizations behave exactly like the citizens of Smallville. Immediately following a security incident, management and users express fear and outrage. Management holds security staff accountable for failing to secure the organization's assets and hires consultants, who recommend that the organization enforce a stringent security policy. Management directs the security staff to implement the recommended security measures, which include two-factor authentication, role based access controls, encryption of sensitive information in motion and at rest, and other measures considered to be industry best practices.

The solution worked extremely well. Months passed without an incident...

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID558 by Dave Piscitello