Fitness functions and risk management

I’ve written before about fitness functions. When we implement security measures, we’re implicitly setting a bar for the attacker (one of my favourite Gary Larson cartoons has a lumpy Godzilla staring disconsolately up at a large sign; in the distance looms a metropolis. The sign has a horizontal line and reads “You must be this tall to attack the city”).

This is why the SecurID story isn’t that surprising (I write this with my 20-20 hindsight goggles clamped to my head. Many others will be doing the same today). It does highlight one of the limitations of usual risk management approaches. In an old rant I lamented the public sector’s impact level framework; I shan’t repeat myself, but let’s look briefly at how we deal with risk management in government.

Extant policy (primarily Infosec Standards (IS) 1 & 2) is reasonably new – autumn 2010. It even takes threat into account (though I’m not a fan of the way it classifies attackers and their capabilities. It’s the policy writer’s curse – while attempting to write generically useful things, over-abstraction always threatens).

I’ve written elsewhere that policy writing is destructive – it’s often hard to discern the original intent behind a policy statement – we lose the reasoning behind the position, if you will. In the case of IS 1, it’s even more apposite. We end up selecting from a heavily quantised set of threat levels, which is simply a bridge too far – or a bridge too abstract, to be accurate.

Attackers want what you have. To succeed, they will do what is necessary. That includes indirect attacks on your supply chain, your people and your technology – whatever works. Attackers also exist within their own ecosystem. The attack on RSA might be indirect – it’s an opportunity to resell tools or techniques to other criminals.

Let’s explicitly make the link. One of the key elements of the public sector risk management approach is estimating the likelihood of an attack. This is hard for two reasons. One is our difficulty dealing with Black Swans. I’ll assert that the RSA compromise is such a Black Swan.

Posted in Cyber Security | Comments Off

Security and the Red Queen’s Race

So many subjects to choose from. Let’s start with something short and sweet. This Apache announcement brought a rueful smile. It’s a Tomcat security constraint bypass caused by an error in the fixes for two other security constraint bypasses (here and here).

It’s a good illustration of the Red Queen’s Race – running to stand still. We often find ourselves discussing marketectures (e.g. Android) as if they were monolithic and unchanging. Not so. Here’s a good diagram from Tim Bray:

[Figure: Android components (Tim Bray's take on Android)]

Zoom in on Linux. The Linux Foundation’s 2010 kernel development report is illuminating. Wet finger, we’re talking around five commits per hour. Now, Google doesn’t cleave religiously to the Linux kernel development cycle (which irks some), but I hope it makes the point – code changes, and some of those changes will introduce new bugs. Some of those bugs, in turn, will be exploitable vulnerabilities.

Android 2.2 (Froyo) was based on Linux kernel 2.6.32. Android 2.3 is based on Linux kernel 2.6.35. Between those two versions there were 30,115 patches applied to the kernel alone. Not all will be relevant to smartphones – again, it’s more to indicate the scale of change on one portion of the Android ecosystem.

Now this brings us, meanderingly, back to a more prominent news story – the leaking of Android OAuth credentials, as reported here. All Android versions prior to 2.3.4 are affected (and 2.3.4 doesn’t remedy everything).

Like many folk, my HTC Desire runs Android 2.2, and I’m not holding my breath for an update. We can rant and rave about this – “2.2 to 2.3.4 – how hard is that – Google you ********s – where’s yer don’t be evil now?” – which is a case of marketecture hiding the complexity (and concomitant cost) of the underlying changes.

As I don’t like scaremongering, let’s finish with an attempt to put the problem into perspective. Not all Google apps are affected (e.g. Calendar, Contacts, Picasa). It only applies if you’re using public Wi-Fi. There are technical remedies (e.g. using a VPN).

It’s not a trivial problem to solve, mind – encryption obviously shortens battery life. With current technology, we trade potential information disclosure (dodgy protocol) for availability loss (flat battery). I’ll write more about this tomorrow.

Posted in Cyber Security, Mobile | Comments Off

Please let this be real…

Off to Yorkshire to see my beloved family, so blogging will continue to be light. However, having despaired as the industry has regressed from 16:10 to 16:9 screens, this made me happy. Please, please let it happen soon.

There’s nothing magical about 16:10 as a resolution – it’s more of a vertical real estate fetish. There’s even a (tenuous) security link. In order to analyse code, you have to understand it. Getting as much as possible visible at once helps.

I should note that we’re talking about C/C++ code here – from experience, such developers are not given to the short’n’sweet routines beloved of the Rubyists/Scalafarians.

Posted in Personal | 2 Comments

Dishonest minorities and other social problems

Bruce Schneier gave us a status update on his latest book on why human societies need security. Let me brutally summarise his thesis:

- All complex systems contain parasites.
- Defection (à la game theory) can be rewarding, but mass defection leads to societal collapse.
- Society has evolved internal (morals, reputation, ethics) and external (laws, technical measures) means for controlling defection.
- ‘Dishonesty’ is not a moral judgement – those not following societal norms may have noble ends (the ensuing discussion gets bogged down debating this point).

Interesting points, one and all, but the key was this:

- It is not possible to reduce the dishonest minority to zero.

Why? You’ll probably have your own theory. Let me assert that your answer will reflect your political views and technical/business background. Is it income and wealth inequality? The existence of a criminal under-class? The law of diminishing returns? The defenders’ dilemma? Weak international law enforcement cooperation? Immoral banking practices? Poor software engineering practices?

I wish I had a pat answer; I don’t think an adequate one exists. However, (and I’ve touched on this before) we should always ask the question: “cui bono?” – “who benefits?” Criminals must think they benefit (or that they have no alternative, if we’re being empathetic).

Who else? Well, we, the security industry do, of course. The existence of ‘cyber-criminals’ generates a large market for countermeasures (the link estimates around 15.5 billion euros last year, with a CAGR of around 13.3%). It drives academic research, creates employment, the development of august professional bodies and so on. We’re one of several industries at least partly driven by fear (be that fear of aging, ill-health, baldness or loss of sexual potency).

You may feel this is pointing out the bleeding obvious. However, it brings us back full circle to Bruce’s original thesis. Societal controls don’t just exist to manage criminality. Ethics (enforced by regulation) dictate that doctors shouldn’t prescribe unnecessary (or unnecessarily expensive) treatments, IFAs shouldn’t promote those investments that net them the most commission – I could go on.

It’s particularly challenging in our industry, as the link between investment and payback is so tenuous. We have an innate bias to “gold plate” solutions – we often talk about risk management, but the incentives are for risk avoidance.

We seek to develop complex security solutions, but the root causes of several recent calamities are simple, and could be easily remedied. Poor patching policies. Manual processes used in complex production environments. Poor password management. In many cases, what we see is the difference between public aspiration (i.e. what management espouses as fact) and praxis.

I’ll be very interested in whether Bruce examines the other side of the coin; if we accept that criminals will ever be with us, the interesting part is how to foster effective societal responses. We have to remember that one man’s healthy CAGR is another’s escalating overhead – that’s not sustainable in a globalised economy.

Posted in Cyber Security | 2 Comments

Proverb Power

This post was sparked by my previous entry. We’ll get to security eventually (gotta be thematic!), but by way of a soupçon of English cultural history and a few proverbs.

Ruth Wajnryb wrote a wonderful book, which I highly recommend if you’re interested in English as a language. It shares pride of place on my shelf with Melvyn Bragg’s “The Adventure of English” (I’d also recommend Bill Bryson’s “Mother Tongue” as a more relaxed view of the same topic).

While there’s plenty of concern over the decline in global language diversity, let me lament the simplification of one of the most ubiquitous – English. I think there are two main factors driving that simplification.

Firstly, English has become a truly international language. In order to teach such a complex language, it makes sense to strip out a lot of the cultural baggage – adages, colloquialisms and the like. Many English idioms draw on our polyglot past, our nautical heritage and, unfashionable though it may be, our old Empire. All are often alien and superfluous to someone to whom English is a second language learned as a lingua franca (oh the irony!) for business or technical domains.

Secondly, there’s the gradual loss of a common cultural context. Many of you won’t fully appreciate the dearth of broadcast media as my generation grew up:

- BBC 2 began broadcasting when I was four, giving us a whopping three channels to choose from.

- BBC radios 1 & 2 began when I was seven, doubling the number of non-commercial stations.

- Channel 4 came along when I was twenty two.

No consoles, no personal computers or phones – we really were under the lash of a broadcast oligopoly. It didn’t feel like suffering at the time.

It’s almost certain that my contemporaries would recognise “Boom! Boom! Mr Derek!” or “You are awful – but I like you!”, “The play what I wrote”, or “Not now, Arthur!”. Whether that’s a good thing, I leave you to judge ;). It certainly promoted cultural cohesion and homogeneity.

School syllabuses were also more restrictive; I’d wager most British fifty-somethings have read some permutation of “To Kill a Mockingbird”, “The Crucible” or “The Lord of the Flies”.

Now, I’m not certain how many broadcast channels I have available – it’s dozens if not hundreds. On that basis I’ll wager that you and I have no recent shared experiences outside of Hollywood blockbusters. I’m not going to over-egg this argument – it’s a diminution of shared experience, not a total lack.

Does it matter? Probably not, at least on one level. One of the aims of communication is to be clear – to communicate intent, feelings, arguments etc. – on that basis, simpler is better, right? While true, particularly for an international audience, there are a number of factors that make that simplification poignant. I’ll just pick one – for brevity.

We lose some of our ability to convey nuance, allusion, emotion. We’re a long way from Newspeak, but there are some real cultural drivers (self-affirmation, the cult of celebrity, fear of litigation, political correctness) pushing us in that direction.

In a business context, it may already be too late; we’ve long since lobotomised ourselves – corporate communications are relentlessly upbeat and positive to the point of shrillness, mixed with generous helpings of Doublespeak. It’s a rare company that does otherwise. When Sony assert that they take information security seriously, I feel justified in raising a skeptical eyebrow – actions, my dears, speak louder than words.

On that note – a toast to proverbs. Like Latin text, proverbs are information-rich. There’s little waste – they’ve been polished over centuries. They’re memorable, with rich associations – assuming you have the cultural context. I may be stretching the point, but they’re the design patterns of language. Less pompously, they’re my personal antidote to over-blown policy documents.

My personal maxim, drilled into us as quivering six year-olds in Miss Podmore’s (God bless you ma’am!) class is – “Do as you would be done by”. Seven words. It makes an excellent mission statement for customer-facing folk.

With that premise, I thought it would be fun to trawl through my list of proverbs (or are they adages?), looking for those relevant to security. Here’s my first pass – I’d be pleased to receive more – do drop me a mail with your thoughts. Now, let us strike while the iron is hot:

On the insider threat – “Opportunity makes the thief” or “In a thief’s mind the moon is always shining”

On the need to treat security in the round – “A chain is as strong as its weakest link”

On the dangers of analysis paralysis – “Better is the enemy of good enough”

On pro-activity – “An ounce of prevention is worth a pound of cure”

On agility – “A stitch in time saves nine”

On the cloud – “Don’t put all your eggs in one basket”

On humility (essential for security folk) – “Doubt is the beginning, not the end, of wisdom”

On personal resilience – “Fall down seven times, stand up eight”

Security, its place in business – “Don’t put the cart before the horse”

Security business cases – “Don’t piss into the wind”

Proper incident handling – “Don’t shut the stable door after the horse has bolted” or “It’s no use crying over spilt milk”

On standards – “The exception proves the rule”

On human behaviour – “What cannot be cured must be endured”

On good design – “Don’t spoil the ship for a ha’porth of tar” or “For the want of a nail, the kingdom was lost”

On HB Gary Federal (and oh so many others) – “Cobbler’s children go barefoot”

Finally, as a truly brilliant summary of the frustrations of the security profession – “Damned if you do, damned if you don’t”

Posted in Personal | 1 Comment

if (eggs.basketCount == 1) initiateCatastrophe;

I enjoyed Jay’s post on security benefit accrual. It illustrates another area of fluidity.

I’d expect an outsourced provider to be ‘better’ at security than, say, a SME’s IT staff, just as I expect the Bouncy Castle developers to be better at developing cryptographic libraries than Joe Java-developer – specialisation is rewarded.

A successful service provider will grow and scale up. If the assets they manage are monetisable, they become a more attractive target – the key point. Think farming; monocultures gain higher yields, at the cost of more damaging consequences if disease does strike. Imagine if pests and diseases were Lamarckist – it’s a reasonable model for network-based attacks.

As we’re finding with some of the recent high profile breaches, talking up the attacker’s capabilities is asinine. If what we hear about Sony is true, then they were fruit ripe for falling into the hands of the veriest dilettante. Amazon just tripped and fell.

[An aside: I'm prepared to give Sony partial benefit of the doubt. The Slashdot report linked to this article which flatly states that Dr Stafford testified:

"Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user account".

Reading Dr Stafford's testimony he actually said:

"I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk"

There's at least a chance that this is the Internet feeding on its own rumours. We'll see.]

Where I mildly disagree with Jay is that it’s not just the ‘cloud’ – we’re dealing with the eternal verities here. The fact that there’s a proverb about putting all your eggs in one basket shows that this is an old, old challenge.

The need for defence in depth does not go away; technology advances don’t change that fact. Isn’t it irritating that so much of what we write in the security field circles back to the basic “There is no silver bullet. Security requires thought”?

It’s a complex field; oversimplification is always a risk. However, put a gun to my head, make me pick one point and it’s this:

- Only you know how important your data is to your business and your customers.
- Only you know which threat actors you need to protect against.

You can’t abdicate those responsibilities to third parties. If you do and it goes wrong, compliance isn’t going to save your reputation, anymore than PCI-DSS compliance will save Sony’s.

Posted in Cyber Security | 4 Comments

BlackBerry and tales from days of yore.

I’ve been working for 30 years now. When I started it wasn’t much different from “Life on Mars”. Administration was paper-based. There were typing pools. People smoked in the office. You went to the pub for lunch (people were half-cut in the afternoon). We had one dumb terminal in the branch. And so it goes. Truly, the past is a different country.

It may seem strange to you, oh child of the Internet, but I’ve seen two great wars fought over IT – both of which seem odd in retrospect.

The first was the introduction of the PC. I saw intelligent, committed, sensible executives die in a ditch trying to keep them out of their businesses – and for plausible reasons. They were expensive. They were insecure. The applications were primitive. Support and training costs were high. Early PC roll outs were conducted like guerrilla warfare (Only IT were authorised to purchase computers. Ours were invoiced as ‘miscellaneous office equipment’).

Ultimately, it didn’t matter. The users (loathsome term!) wanted them, spreadsheets were a killer app, game over (I’m painfully aware that summarising an incredibly hard-fought, complex battle in such a way is inadequate, but this isn’t a scholarly white paper).

The second was open systems. I used to work for a company that tried (and failed) to wrap itself round the entire ICT space. Mini-computers (VAXes). Dumb terminals (VT340 with! colour!). Wordprocessors (DECwrite). Compilers (VAX C). Printers, disk drives, tape drives. On and on. Critics accuse Apple of trying to build a walled garden; my dears, Steve Jobs is the merest amateur – we wanted you all to come and dwell forever on Planet DEC. We were quite sure you wouldn’t want to leave.

There are plenty of epitaphs to DEC. Let’s repeat my previous handwaving and point to the rise of Unix and Windows (though giant executive egos and battlin’ business units didn’t help). DEC’s special sauce became increasingly less special, and more importantly, less valuable to its erstwhile customers.

We’re all coloured by our experiences. To me, the consumerisation of IT feels like a reprise of those old battles. Like the PC, the infiltration of iOS and Android into Big Enterprise is a bottom-up struggle, led by users. The main difference is probably in the seniority of many of those users – it’s not Nerd Rebellion II – this time the boardroom has a yen for the technology. If IT or security folk oppose it, they’ll lose.

Like open systems, globalisation is relentlessly commoditising and standardising technology. Imagine if we treated our children the same way (“You’re different. That’s bad”). These two trends are bad for RIM, which relies on proprietary value-add – just like DEC (and many other mini-computer manufacturers).

In many ways this is a shame. I was CESG’s original lead evaluator for BlackBerry (trivia: I accepted the first DVD containing all of RIM’s IP in the car park of B&Q Cheltenham – encrypted using my boss’s GPG public key. It’s the closest I’ve ever come to that John Le Carré feeling). RIM’s BES is a wonderful software system, beautifully architected. It doesn’t have all the answers, but looking at the market, I’m not sure anyone does:

However, I share Tim Bray’s puzzlement – I’m not sure what the right number of mobile platforms is, or even if, over time, that’s a sensible question (“How many buggy whip vendors do we need?”). However, even in RIM’s government heartland, customers are searching for alternatives – see my previous posts here, and here plus DARPA’s recent RFI on full encryption for iOS and Android.

I see smartphones and tablets as the latest, possibly ephemeral, manifestation of the 1980s Xerox PARC concept of Ubiquitous Computing. The tagline “one person, many computers” seems apt. This war may be, by Internet standards, a very old one.

Posted in Mobile, Personal | Comments Off

PSN and SOE – twin storms in a teacup

This post is about keeping a sense of proportion. We live in a world of hazard, true.

In the West, it’s one that’s becoming less hazardous year by year. Let me back that up with some facts, from the WHO and ONS:

  • In 1900, male life expectancy was 43. The life expectancy for a man my age is 71 years. For a newborn, it’s 80.1 years (77.7 for boys, 81.9 for girls).
  • In 2008, the number of road deaths was the lowest since 1926(!). Road deaths peaked in 1966.
  • Violent crime is now at the same level as 1981; this despite population growth and public perceptions. The number of murders has almost doubled since 1960, but the absolute number is still low at just over 600 per annum. This is low enough that Harold Shipman could single-handedly distort national statistics.

[Figure: Murder rates]

By now, I’m probably trying your patience; what the hell has this got to do with Sony? I think it’s this; in the absence of tragedy, we substitute irritation. I’ve been struck by the concern expressed over strange metrics like how long it took Sony to apologise, or the apocalyptic pronouncements about its fate. Brought to its knees? Really?

In terms of the Sony breaches (PSN and SOE), I have to declare an interest – I’m a long time MMO gamer, from Anarchy Online to Eve (which is a fascinating security topic in its own right). I’ve played Everquest II, an SOE game on and off for around four years. I received SOE’s “mail of shame” this morning. It’s typical of the genre – “Dear valued SOE customer” (your personal details are sprayed all over the Internet but we can’t remember your name) – “we apologise for the inconvenience caused by the attack” – “we take information protection very seriously”. Hmm, do you now – I am in the presence of an oxymoron, methinks.

In terms of the Playstation, most gamers have made a considerable financial investment in the platform – games aren’t cheap. The console market is an oligopoly – you’ve a choice of three or four platforms, with no interoperability. I don’t believe there’s a long term impact – it’s platform exclusives and price/performance that drives the console market.

When it comes to MMOs, the level of emotional investment in your characters and your guild is huge. I’m annoyed at SOE, but it wasn’t their security that stopped me playing – it was their renaming my main after a server merge. Instant emotional disconnect (irrational, I know, but I know nothing of Clarisx, she’s a stranger to me). Merely losing my credit card details would be a bagatelle.

I’ve lost credit cards, had them stolen, had vendors make accidental charges, fraudulent charges, you name it. In every case, my providers (hat tip: Barclaycard and Nationwide) have remedied the problem, kept me informed and replaced my cards in three or four days. I have, at worst, been mildly inconvenienced.

You can argue that Sony are inflicting cost on the financial industry, and that’s fair enough. However, anyone who’s had exposure to a large customer base will know that people’s fecklessness far outweighs crime in terms of support costs. Statistically, people are remarkably stupid.

We have to accept the downsides of a digital society. Any Roman emperor would envy us our lifestyles – we live far better than even 19th century royalty. We all love to complain and emote, but we should take time to pause and reflect every now and again. Do we have a genuine complaint, or are we merely…whining?

Posted in Cyber Security, Personal | 2 Comments

Thoughts on the Amazon post mortem

Copious amounts of sackcloth and ashes here. I’ve a lot of sympathy for Amazon, though I’ll likely be in the minority amongst the baying hounds.

Amazon identify two factors exacerbating the early stages of the primary outage. One was algorithmic, the other a race condition. Both are hard to model or reason about (unless you’ve your irate 20-20 hindsight Internet Goggles on – then it’s cake).

People are serial thinkers – it’s hardwired (pedant alert: I know that the underlying wetware is massively parallel, thanks). I’ve made heavy use of static analysis tools in my career (mostly Klocwork, Fortify and Coverity), all were useful to varying degrees, but none of them were much help with concurrency bugs – which is going to be a big issue in Cyberland.

Amazon’s relational database service then surfaced a previously undiscovered bug (sometimes we find our own 0-days. It’s usually a miserable experience), which meant that around a fortieth of their customers’ databases stopped replicating across availability zones. This is bad; Amazon are particularly contrite on this one – a proportion of their customers designed with redundancy in mind and ended up being punished for it.

The rest (not to dismiss it, it’s fascinating stuff) is mostly around what happens when *thing* experiences conditions beyond *thing’s* original design parameters – whether *thing* is a secondary network, a control plane or a web service. Amazon therefore joins an illustrious throng (yours truly is already a member), which includes the designers of the Titanic, the Hindenburg and a hell of a lot of software developers.

As rationalising animals, we’re always pleased to have our biases confirmed. This next part gave me my tiny warm glow. Amazon’s Pudding Lane was as follows – while innocently performing a routine network upgrade:

“During the change, one of the standard steps is to shift traffic off of one of the redundant routers in the primary EBS network to allow the upgrade to happen. The traffic shift was executed incorrectly and rather than routing the traffic to the other router on the primary network, the traffic was routed onto the lower capacity redundant EBS network”

Manual processes always have an error rate. Always. Yes, always (you’ve no idea how often people have argued differently – it seems obvious to me). Amazon recognise this, and amongst the many sensible preventive measures they’ve outlined we find this:

“We will audit our change process and increase the automation to prevent this mistake from happening in the future.”

However, they’ve not lost sight of the fundamental fact – which is directly analogous to the security industry:

“we focus on building software and services to survive failures”

Which I think is healthy and mature. Shit happens. Shit will happen. It always has, and always will. It’s resilience and recovery, not simply prevention (pedant alert: you are still allowed to do preventive activities – it’s not mutually exclusive) that counts in the long run.

Posted in Cyber Security | Comments Off

Windows Thin PC

I like this (though disagree with some of the conclusions – the public sector is even slower than big enterprises, so this WTPC has a fighting chance). Go read Microsoft’s overview, or associated faq, but if you’re feeling particularly lazy, here’s why I like it, mostly stolen from said faq.

  • Heavily constrained application set (remote desktops, management & security tools, media players).
  • Smaller attack surface than (though the same minimum requirements as) vanilla Windows 7.
  • Write filters to stop modification of the client image (though without additional evidence, I’m not yet buying the assertion that this ‘ensures the OS returns to a pristine image on every reboot’). In principle: excellent.

Support for:

  • BitLocker/BitLocker ToGo – that normally require the Enterprise or Unlimited SKUs (hardly ever bundled by OEMs – go figure). I often pour scorn on our obsession with data at rest protection (which is only useful when the machine is off and bugger all use in practice), but I’d like to see disk encryption completely commoditised, even if it’s only to deprive the Daily Mail of one source of stories and faux outrage, and this is another step on that journey.
  • AppLocker. Again, usually only supported on Enterprise or better.
  • RemoteFX. Brian Madden positions it nicely against other bitmap streaming protocols that you may have heard of. I think it still uses RC4 encryption, but don’t quote me.

Of course, you have to be a Microsoft shop, but a lot of government customers are. Check the faq for the complete laundry list of management support.

It’s ironic that we may end up reprising a lot of the security features we enjoyed back in VT220 (dumb terminals if you’re not a vet) days, proving that history doesn’t just repeat itself – it goes round in circles.

Posted in Cyber Security | Comments Off