Ok, last post of the day…. A panel discussion from Black Hat 2012 was a debate on who should be responsible for information security: the government, the company/website/service provider, or the user?
My answer is all of the above, but it the easiest/most effective way starts with the government. The government, in conjunction with the Information Security industry, needs to set the standards. Then, they should do 1 of 2 things: enforce those standards, much like they already do with HIPPA and PII related information, or, start a consumer watchdog organization that rates companies/sites based on their compliance with those policies. The watchdog also would apply adjustments based on when/how their security is breached.
The companies should be self motivating, but sadly they need a push. Google, Dropbox, Microsoft, Apple, Bank of America, etc… should all care about the security of their customer’s data. Let’s breifly look at some memorable breaches as of late; in particular LinkedIn and Yahoo! Voices. These services failed to use industry standards by either not encrypting the username/password database, or using a very simple form of encryption. That also ignores how they failed to protect the database from the malicous users. This will someday take its toll.
Eventually people will weigh their choices on given services factoring in their confidence in their security vs. the inconvenience of that security. I loathe that I know of many sites that have an upper limit to password lengths that isn’t unreasonable to go over (10 for one in particular) and/or limit what characters you can use in that password like a dollar sign. In fact, I have cancelled a credit card when the site wouldn’t allow me to use more that 10 characters in my password. I would also refuse to use a site that required people to use passwords that are 16 characters or longer. Why? Because I have the good habbit of changing my passwords periodically, not using a cyclical password (like having a number that I add 1 to every time I change it), and trying to vary my passwords form site to site. I am a CISSP certified cybersecurity geek, so my demands might seem unresonable to many. (Which makes for a nice segway into the inconvience factors of security measures.)
Security that is to strict has its consequences just as too lenient security standards. One example is the ever increasing length and complexity requried for passwords. In 1993, my AOL password only had to be 4 characters long, with no additional requirments. Today, most sites require at least 8, are case sensitive, and need at least one number. My network at home is at least 12 characters, requires 3 of the 4 categories (Uppercase, Lowercase, Numbers, Special Charaters), and cannot contain more than 3 characters in a row from your username or real name. This (or something similar) is also common at most corporations that rely on passwords for user logons Some are even longer and more complex. This process of requiring longer and more complex passwords will eventualy lead to bad security habbits such as writing them down or using the same password for everything. Of course, this will trigger the cybersecurity industry to press for alternatives. Many already exist and are used more and more.
Smartcards and biometrics are examples of these alternatives to passwords and are much easier/cheaper/safer than 15+ character passwords for most people. For example, some reasons for a company to require their employees to use smartcards to access their network is the reduced risk of break in due to weak passwords that happen to meet the requirements (ex. Password1111111) and the improved security by requiring the user to have a unique physical item in addition to knowing the password to access that item. They also reduce helpdesk costs associated with password resets and with the cost of recovering from breaches. These benefits are a by product of few lockouts and the greater difficulty for being hacked. Once smartcards become common place or easily hackable, you move on to include biometrics.
Now, before I post this… I want to warn you: you are only partway into this article, and I am going on a huge tangent, or series of tangents, that only an obsessive and scatter brained mind like mine can see the connections to the question of who should be responsible throughout the blog posting. Also, keep in mind that I am a geek, supposedly good at my job, and I love to splooge knowledge to anyone and everyone (to the point my wife yells for saying things she may already know and talking at her, not with her.)
As I have said, I am a big time cybersecurity geek and love to explain things to a painful/nausiating level of detail. To secure the authenticity of a user’s identity, the computer effectively asks you to say who you are, and prove it by providing it with something that you and it knows and no one else. Again, common methods include passwords, “random” number generators, smartcards, and biometrics.
Traditionally, you identify yourself with your username – something anyone can know (like your real name), and prove it with your password. Thus proving you are who you say you are by providing something you know. Passwords can be guessed, hacked, or be otherwise provided by someone else claiming to be you. You are responsible for much of that, unless the site or network does not allow you to have longer, more complex passwords or allow you to change them periodically. Regardless, a password system’s shortcomings can be overcome. One method, as previously mentioned, is smartcards.
A smartcard is an electronic ID device that is about the size of a credit card, contains a small ammount of flash memory, and a simple program. While RFID based cards exist, the most common form has a gold contact that is similar, if not identical, to the SIM cards for many cellphones. With thes smartcards, you who you are by merely having the card and reader for it- the card has a form of serial number uniquely assigned to you -and then you prove your identity by providing a password or code to access the contents of the card – again providing somthing you know. The authenticity of the card is then proven by checking the contents of the card against the internal database… much like a cop running your license number and comparing the information on the card against the database. This can also be called two-factor authentication because it checks two things. In this case, as I called out, something your have and something you know. There are other two-factor or multi-factor methods, which includes biometrics.
Biometrics: something that in all cases, is unique to you. The etimolgy is rather straight forward: Bio, meaning life, and metrics, meaning a system of measurments. There are many forms of biometrics, some than might not be exactly unique, like DNA. Identical twins share the same DNA – baring any spontaneous mutations, but other things influence quicker methods of life-measurment comparisons. Even in the case of twins, overall health can affect your retina’s pattern of veins, the geometry of your hand, face, or ears, and life experience(scars, chemical exposure, friction exposure) can affect some common biometric measurements. Some of these subtleties are how people can tell the difference between twins. Biometics prove identity by proving it through something you in fact are. Now you may ask, how is that multi-factor? The answer is for several reasons. First and foremost, like the smartcard, your have whatever is being measured, and the second is that it is something your are. To add depth, these systems combine either typing in a user name or providing a passcode, along with the appendage being measured.
Basically, the beauty of multifactor authentication is the fact is asks for more than what someone else could know or guess. Practically speaking, what does that mean for you? Good question, besides having a new laptop with a swipebased fingerprint reader, there are some ways you can use a multi-factor approach for security.
Think about a home WiFi network. How does it know the computer/device is authorized? Assuming you’ve secured it in some way, it typically does it by you providing the correct password. However, other layers of secutiry exist as well. First, you can set your router to hide itself by not broadcasting the network ID. Also, you can limit the access to preauthorized devices by filtering MAC addresses. A MAC address is a unique String of 12 characters made up of a combination of numbers (0-9) and letters (A-F). This is usually displays as 6 pairs separated by hyphens. The first 3 pairs represent the manufaturer of the network device, and the last 3 are a sort of serial number unique to that card. By enabling these 3 options, the network can ask for something you know (the name of the network and/or password) and something you have (an approved network device). Some high-end home routers may even keep a list of usernames so that you also have to prove to be an authorized user, not just a random user of an approved device who knows the password. I mention this in part because of a recent CNN story about a European company that created a wi-fi deflecting/absorbing wall paper.
In short, the WiFi security wall paper limits how much of your wi-fi signal escapes your house (limiting it to ceilings, floors, and windows) and also limits how much signal can get in. The impressive part is how it only blocks 2.4 GHz (the RF range of WiFI) signals, leaving cellphones and other signals alone. I mention this layer of security because many of the comments on this story ask “why should anyone bother since I can encrypt and/or hide my network” and my answer is simple, “because that isn’t enough”. No security is perfect.
Most home WiFi, in order to meet ths standards to be called WiFi, must have an effective, unobstructed transmission range of 100 feet. My router is not even 100 feet from the road, let alone my neighbors. This means someone could capture my signal and use my connection, right? The answer is yes, even if it is hidden and/or encrypted. If the hidden signal is leaking outside of any phsyical control, ie your house, it still allows someone to guess the name or at least listen for the data in the air. Eventually the hacker will see your signal. Your data on that signal will occasionally indicate the digital ID of your network, thereby making the hidden nature pointless. Did I forget the encryption for that signal? Nope. Even if the captured data is encrypted, that isn’t enough to gaurentee its security. WEP is the oldest, and sadly still very common encryption method. It can be hacked in minutes by my Driod. WPA, while newer and better, can be cracked in an hour by my 6 year old laptop. WPA2 is the best consumer grade encryption, but like it’s predessesor, can be cracked. Remember that all encryption is designed to be decrypted, otherwise why not destroy the information our right? If a hacker/cracker collects enough data, patterns will emerge, and those patterns will contain common functions based on the TCP/IP protocol. Since not all common household devices allow you to manually set your IP, one pattern that can be detected is your DHCP requests. DHCP is what allows you to automatically get an IP address that will work on that network. That DHCP request packet will become part of the primer for cracking the encryption. Next, the hacker/cracker can make the assumption that the IP address of your router will be either 192.168.0.1 or 192.168.1.1. Why? Because first, it is in one of the 3 “private” IP ranges that is part of the rules of internet addressing. Second, because its what the top 5 router manufacturers default to. Third, people are either ignorant or lazy and don’t change it. The last bits of infomration the hacker/cracker can use is more of a buckshot: they can assume that a good part of the traffic will be going to, or coming from, youtube, facebook, and twitter. This, combined with an understanding of how the common encryption algarithms work, creates a recipe for an advanced cracking attack. Or they can simply connect to you network directly… When presented with the password for your network, they try your name, address, phone number, or any of the top 10 passwords used in the US. If those fail, and basic brute force attack (which tries any and every possinle combination of characters) will eventually succeed. Eitherway, they can get in even if you encrypt/password your network. Now, suppose you’re smarter/less lazy than most and therefor also use MAC filtering. Well, MAC addresses can be spoofed. In fact, I bet your router is spoofing one of the computers in your house right now. Basically you should remember if your data can be captured and cracked by the attacker, they are likely able to spoof your MAC address. All said, however, the level of difficulty involved, plus needing to be physically close to the network, it is highly unlikely that unless the hacker has a reason to target you specifically, they won’t bother… because they too are likely lazy and need a motive to do all that work. My point is ultimately is to say implementing multifactor/multilayered security, while imperfect, is a huge deterrent to most hackers.
At this point, I’ve established how multifactor options work by answering different questions, but is that the end-all be-all that the responsible party should require? Simply speaking, no. I say this because no system is perfect and they can be hacked in one way or another. I showed this above while discussing home WiFi security measures. Now, I would to get back to the basic act of logging on to something: Remember no encryption or authentication method is perfect, even advanced tools such as bio metrics.
Some weaknesses exist in biometrics – beyond what you see in TV and movies. First, I want to dispell many of those TV and Movie myths. Hollywood implies tricks such as the dead thumb on the scanner is a weakness. Well I must say that is doesn’t work today because of how most modern scanners are designed. These devices don’t look at your thumb like a photograph, unless that photo is a highly sensitive thermal image. In another words, you hand must be warm enough to be alive, and the difference in temperatures within the patterns must also be enough to detect the design of the print itself – so you can’t just warm up a dead thumb either. Now you are asking, “Ok, what are these weaknesses if the body part must be alive?” First and foremost, it isn’t always cheap – especially if you want quality. Second is accuracy. You do not want “false-positives” which would allow a 3rd party to be accidently granted access. This happens when sensitivity/accuracy is too low. Nor do you want “false-negatives”, or when an authorized person is denied access because of a misread. This can happen when the system is setup to demand too much accuracy. Third, there are theoretical ways to trick the system as seen in some movies. Unique vulnerabilities to biometrics include ways to copy things such as finger prints. One method, as seen in “Gone in 60 Seconds” is gluing an artifical print on top of your fingerprint. (I know they didn’t use them to hack, but it can be done for that purpose). This will get warm enough, and keep the needed thermal variance. Another movie, which I think it was one of the Tom Cruise “Mission: Impossible” films, showed a chemical that was sprayed onto the scanner. The chemical reacted to the oil print left behind by the previous authorized user and formed their print on the scanner glass. The unauthorized user pushed on the print with a latex-gloved finger. Much like the glued-on false print, the gloved finger warms the fake print enough to show enough thermal variance of a live finger wiht an authorized print.
The system feature that prevents a dead hand from being used also has some faults by nature. If the fingerprint is used to access a building in any location that gets cold, like outside entrances to buildings in Chicago, IL or Buffalo, NY, the cold can cause a major issue. The system won’t allow the authorized users hand if it is too cold. Meaning, if the surface temperature of your hand is colder than the system is designed to allow then it will not accept the print even if it is valid, thus creating those annoying false negatives. This proves that biometrics aren’t perfect either.
Multi-factor systems can be vulnerable to other attacks that can be used on traditional logins as well. One such hacking method being a “replay attack”. Basically, if the hacker records the authentication process, even while encrypted, repeats the same stream of data at a later time. This vulnerability was hampered a long time ago with a security method call Kerberos. Basically, the encryption used to transmit authentication data uses a timestamped access ticket. If that timestamp is outside the programed time limits, it is ignored, denied, and/or logged. Why do I bring this up? Because that is an element of existing layered security. There I go with that layered security mumbo-jumbo again. Go ahead, and ask me ”why mention that again? what is behind this obsession with layered security?” Or don’t and realize the next paragraph will answer those questions.
Layered security is how you make it so difficult to break in that it isn’t worth trying to do so in the first place. This is the de facto stance of security pros. We accept the fact that regardless how much we try to prevent it, our system in vulnerable in one way or another merely because it exists in the first place. Our job is to limit how often that it can be exploited. This is done by the massive layering based on the value of what is being protected (or so we tell our bosses, sometimes we slip something through just because the feature is cool). “So, you’ve gone on and on and on, how does this tie into everyone being responsible for their information security?” I’m getting to that!
I promised in the begning of this article that I would tie this all back into the original premise: The government, businesses, and users are all responsible for cyber security. The logical arguments I intially suggest are: Businesses are driven by money and being hacked hurts financially – either in recovery costs or through loss of time and customers, people have responsibility for their own information – afteralll it is their information, and the government is responsible for the mass protection of the people. What’s that? I didn’t support the premis I initially stated? The opinion the government should not only be involved but also be the one to start the whole thing? And where is the layered security tie in?” Patcience people. The governments should start it all because no other entity can single handedly enforce laws and penalties like a government. Meanwhile businesses will respond because laws will make it a more significant/costly of an issue, creating a threat to their financial stability. Regarding the rest of the people? Well, users are lazy and must be forced to do something, even if for their own good. Christ, these are the same people that are why we have seatbelt laws! They are responsible for their part because if their security shortcomings leads to a costly security breach, the following law suit could strip them of everything they have. OK? You still need to hang on because I haven’t tied this all to my obsessive layered security yet!
If you follewed me to this point, I thought you might be a geek like me and wouldn’t need this tie in fine print. Alright, fine. Here it is in plain English: The laws can change, and are only really enforced after an entity’s shortcoming gets caught. Think about speeding tickets. I drive 70-80 MPH going to and from work every day and am yet to get a speeding ticket. I willingly break the speed laws, but since I have not been caught yet, the law is pointless or weak. This makes laws and their enforcement is incomplete in their security. Add a layer! Businesses desire to be profitable and if being held accountable fo their shortcomings makes them practice and enforce stronger security policies, that becomes an additional layer! A drive of compliance with the law or customer demands is needed in order for them to stay profitable and out of jail. Thus leading to better use of defesive/preventative tech. However, neither the government nor the businesses can prevent users from being lazy and/or slow in terms of security. However, if we start holding people accountable for their potentiallly criminal negligence is as a good of a motivator for doing simple things like using different passwords that are complex and changed regularly as anything. Thus creating a third layer of security. 3 layers, just like a username, fingerprint, and pin number, is by definition multilayered security. Layers of security is exactly what is needed to improve cybersecurity for all people.