On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science cirriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

• Matt Bishop
• IEEE Security & Privacy Magazine
• Computer Security: Art and Science
• Silver Bullet Security Podcast interview with Dorothy Denning
• Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (the “Ware Report” referred to in the podcast)
• Secure Computer Systems: Mathematical Foundations - The Bell Lapadula model [PDF]
• Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
• Testing C Programs for Buffer Overflow Vulnerabilities - Eric Haugh, Matt Bishop [PDF]
• TOCTOU
• Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
• “The Song of the One Legged Chicken”

For the third year in a row, the government’s overall FISMA grade improved. But don’t get too excited; the grade only improved from a C- to a C this year. (And D+ in 2005).

But there’s a lot to hide in an “average grade”. Turns out that the reality is a split between overachievers and underachievers.

The agencies/departments with a grade of A-, A or A+:

• Department of Justice
• US AID
• EPA
• NSF
• SSA
• HUD
• OPM (I would hope so)

And, sadly the ones that got an F:

• Department of the Interior
• Department of Treasury
• Nuclear Regulatory Commission
• Department of Veterans Affairs
• Department of Agriculture

FISMA (Federal Information Security Management Act) became a federal law back in 2002 as part of the E-Government Act. Six years later, there has been improvement, but there’s still clearly a long way to go.

So what’s the disconnect? Speaking from a vendor perspective, we’ve had first-hand experience with the lack of actionable, concrete guidelines around FISMA – for processes, monitoring and check-list assessment items. We even contacted NIST directly to get more guidance on how their very broad guidelines should be translated to actual features and reporting in something like our monitoring solution. The end goal, after all, is to help our government customers not only meet the FISMA requirements but also to be seen/assessed as meeting those requirements. As we do for other compliance/governance requirements like Sarbanes-Oxley, the more that EM7 can automate and report on, the better.

But that leads to the second issue here. How accurate is the FISMA scorecard? SC Magazine writes, “Many have seen organizations get an A when they believe they should have received an F, and vice versa” and some experts “blame this on the lack of a standardized evaluation, as well as censorship among auditors.” There’s talk about language ambiguities and opinions that the scorecard is not “one size fits all” – that small agencies face different IT security challenges than the big guys.

So what’s right about FISMA? We can point to a heightened awareness about the importance of security and the “security picture” in each federal agency. Certainly, from our own survey at FOSE, we saw the difference just from last year to this one:

• 91% surveyed said FISMA was important (up from 66% last year)
• Over 50% had solutions installed to help with FISMA (up from only 14% last year)

Based on these numbers, we’re not surprised to see the FISMA average grade go up, but we expected it to be even higher. So what will it take to get the government on the honor roll? From Rep. Tom Davis, “We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don’t measure up…We need a bill with teeth, and we need agencies to understand the goal is to keep information safe, not to check a statutory box.”

ShareThis

There are also a lot of errors and misconceptions. With its aggressive advertising campaign and a CEO who publishes his Social Security number and dares people to steal his identity -- Todd Davis, 457-55-5462 -- LifeLock is a company that's easy to hate. But the company's story has some interesting security lessons, and it's worth understanding in some detail.

In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta, credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up -- LifeLock, Debix, LoudSiren, TrustedID -- that automatically renew these alerts and effectively make them permanent.

This service pisses off the credit bureaus and their financial customers. The reason lenders don't routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy -- it's the American way.) So in the eyes of credit bureaus, LifeLock's customers are inferior goods; selling their data isn't as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.

And, so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn't do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn't even protect Todd Davis, and that his identity was allegedly stolen.

It wasn't. Someone in Texas used Davis's SSN to get a $500 advance against his paycheck. It worked because the loan operation didn't check with any of the credit bureaus before approving the loan -- perfectly reasonable for an amount this small. The payday-loan operation called Davis to collect, and LifeLock cleared up the problem. His credit report remains spotless.

The Experian credit bureau's lawsuit basically claims that fraud alerts are only for people who have been victims of identity theft. This seems spurious; the text of the law states that anyone "who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime" can request a fraud alert. It seems to me that includes anybody who has ever received one of those notices about their financial details being lost or stolen, which is everybody.

As to deceptive business practices and fraudulent advertising -- those just seem like class action lawyers piling on. LifeLock's aggressive fear-based marketing doesn't seem any worse than a lot of other similar advertising campaigns. My guess is that the class action lawsuits won't go anywhere.

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that.

LifeLock does a bunch of other clever things. They monitor the national address database, and alert you if your address changes. They look for your credit and debit card numbers on hacker and criminal websites and such, and assist you in getting a new number if they see it. They have a million-dollar service guarantee -- for complicated legal reasons, they can't call it insurance -- to help you recover if your identity is ever stolen.

But even with all of this, I am not a LifeLock customer. At $120 a year, it's just not worth it. You wouldn't know it from the press attention, but dealing with identity theft has become easier and more routine. Sure, it's a pervasive problem. The Federal Trade Commission reported that 8.3 million Americans were identity-theft victims in 2005. But that includes things like someone stealing your credit card and using it, something that rarely costs you any money and that LifeLock doesn't protect against. New account fraud is much less common, affecting 1.8 million Americans per year, or 0.8 percent of the adult population. The FTC hasn't published detailed numbers for 2006 or 2007, but the rate seems to be declining.

New card fraud is also not very damaging. The median amount of fraud the thief commits is $1,350, but you're not liable for that. Some spectacularly horrible identity-theft stories notwithstanding, the financial industry is pretty good at quickly cleaning up the mess. The victim's median out-of-pocket cost for new account fraud is only $40, plus ten hours of grief to clean up the problem. Even assuming your time is worth $100 an hour, LifeLock isn't worth more than $8 a year.

And it's hard to get any data on how effective LifeLock really is. They've been in business three years and have about a million customers, but most of them have joined up in the last year. They've paid out on their service guarantee 113 times, but a lot of those were for things that happened before their customers became customers. (It was easier to pay than argue, I assume.) But they don't know how often the fraud alerts actually catch an identity thief in the act. My guess is that it's less than the 0.8 percent fraud rate above.

LifeLock's business model is based more on the fear of identity theft than the actual risk.

It's pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they've turned this requirement into a multimillion-dollar business.

Get LifeLock if you want, or one of its competitors if you prefer. But remember that you can do most of what these companies do yourself. You can put a fraud alert on your own account, but you have to remember to renew it every three months. You can also put a credit freeze on your account, which is more work for the average consumer but more effective if you're a privacy wonk -- and the rules differ by state. And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone's name.

This essay originally appeared in Wired.com.

Being commanded about by the child-monster has slowed down my news consumption. So, big thanks to Portswigger for the heads up. Apparently the UK gov’t wants to set the new detention limit without charges to 42 days. This has triggered a firestorm.

From BBC:

Shadow home secretary David Davis has resigned as an MP.

He is to force a by-election in his Haltemprice and Howden constituency which he will fight on the issue of the new 42-day terror detention limit.

Mr Davis told reporters outside the House of Commons he believed his move was a “noble endeavour” to stop the erosion of British civil liberties.

The 59-year-old is one of the best known Tory MPs and his resignation came as a complete surprise in Westminster.

He told reporters outside the Commons: “I will argue in this by-election against the slow strangulation of fundamental British freedoms by this government.”

BBC Political Editor Nick Robinson said it was an extraordinary move which was almost without precedent in British politics.

Read on.

Article Link

There are also a lot of errors and misconceptions. With its aggressive advertising campaign and a CEO who publishes his Social Security number and dares people to steal his identity -- Todd Davis, 457-55-5462 -- LifeLock is a company that's easy to hate. But the company's story has some interesting security lessons, and it's worth understanding in some detail.

In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta (.pdf), credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up -- LifeLock, Debix, LoudSiren, TrustedID -- that automatically renew these alerts and effectively make them permanent.

This service pisses off the credit bureaus and their financial customers. The reason lenders don't routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy -- it's the American way.) So in the eyes of credit bureaus, LifeLock's customers are inferior goods; selling their data isn't as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.

And, so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn't do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn't even protect Todd Davis, and that his identity was allegedly stolen.

It wasn't. Someone in Texas used Davis's SSN to get a $500 advance against his paycheck. It worked because the loan operation didn't check with any of the credit bureaus before approving the loan -- perfectly reasonable for an amount this small. The payday-loan operation called Davis to collect, and LifeLock cleared up the problem. His credit report remains spotless.

The Experian credit bureau's lawsuit basically claims that fraud alerts are only for people who have been victims of identity theft. This seems spurious; the text of the law states that anyone "who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime" can request a fraud alert. It seems to me that includes anybody who has ever received one of those notices about their financial details being lost or stolen, which is everybody.

As to deceptive business practices and fraudulent advertising -- those just seem like class action lawyers piling on. LifeLock's aggressive fear-based marketing doesn't seem any worse than a lot of other similar advertising campaigns. My guess is that the class action lawsuits won't go anywhere.

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that.

LifeLock does a bunch of other clever things. They monitor the national address database, and alert you if your address changes. They look for your credit and debit card numbers on hacker and criminal websites and such, and assist you in getting a new number if they see it. They have a million-dollar service guarantee -- for complicated legal reasons, they can't call it insurance -- to help you recover if your identity is ever stolen.

But even with all of this, I am not a LifeLock customer. At $120 a year, it's just not worth it. You wouldn't know it from the press attention, but dealing with identity theft has become easier and more routine. Sure, it's a pervasive problem. The Federal Trade Commission reported that 8.3 million Americans were identity-theft victims in 2005. But that includes things like someone stealing your credit card and using it, something that rarely costs you any money and that LifeLock doesn't protect against. New account fraud is much less common, affecting 1.8 million Americans per year, or 0.8 percent of the adult population. The FTC hasn't published detailed numbers for 2006 or 2007, but the rate seems (.pdf) to be declining.

New card fraud is also not very damaging. The median amount of fraud the thief commits is $1,350, but you're not liable for that. Some spectacularly horrible identity-theft stories notwithstanding, the financial industry is pretty good at quickly cleaning up the mess. The victim's median out-of-pocket cost for new account fraud is only $40, plus ten hours of grief to clean up the problem. Even assuming your time is worth $100 an hour, LifeLock isn’t worth more than $8 a year.

And it's hard to get any data on how effective LifeLock really is. They've been in business three years and have about a million customers, but most of them have joined up in the last year. They've paid out on their service guarantee 113 times, but a lot of those were for things that happened before their customers became customers. (It was easier to pay than argue, I assume.) But they don't know how often the fraud alerts actually catch an identity thief in the act. My guess is that it's less than the 0.8 percent fraud rate above.

LifeLock's business model is based more on the fear of identity theft than the actual risk.

It's pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they've turned this requirement into a multimillion-dollar business.

Get LifeLock if you want, or one of its competitors if you prefer. But remember that you can do most of what these companies do yourself. You can put a fraud alert on your own account, but you have to remember to renew it every three months. You can also put a credit freeze on your account, which is more work for the average consumer but more effective if you're a privacy wonk -- and the rules differ by state. And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone's name.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

The Card Rewards program allows anyone with a Starbucks Card to register it with Starbucks for freebies, including Wi-Fi. There's an interesting choice (when it worked) where you can select whether to have freebies like free exotic milk options or brewed coffee refills by themselves or with Wi-Fi on top. If you choose Wi-Fi, you're redirected to SBC servers (for nostalgia's sake), at which point everything seems to fall apart.

Trying two separate cards, I was unable to set up an account and get the cards to take. The errors weren't clearly spelled out. Clearly, the system was neither designed to handle demand, nor designed to fail gracefully, blocking users until capacity was available.

For loyal Starbucks patrons, this doesn't come across very well at all.

[Photo by Matt Davis. Used under Creative Commons license.]

And of course, by now the response to the report card is all rote–everybody wonders what the letters really mean:

• SC Magazine
• IDG
• IT Business Edge
• Federal Times
• Washington Post
• Security Focus

Yeah, yeah, I guess it just goes to prove what we say about the classified world: the people who know don’t talk and the people who talk don’t know.  In this case, everybody attacks the metric because, well, it’s a bad metric–what action are we supposed to take because of what the results are?  It’s also pretty much ignored by this point anyway except for the witty sound bites from some of my “favorite people”, so it’s nothing to get all hot and bothered about.  The GAO and OMB reports that I’ve covered in much detail are much better and have a pretty decent level of analysis.

But fer chrissakes, the report card is issued by Congress, how much detail do you think it will ever contain?  =)

My rapidly expanding queue of pet peeves about this time of the year:

• People who think that FISMA is just a report card and that we should re-examine how we measure security:  the grades are not even required by the law, it’s just technique and we can change that easily enough.
• People who criticize but do not offer an alternative:  even if you had an alternative plan, the environment for execution still involves the same IT assets and the same front-line employees.
• People who don’t understand enterprise-wide security much less a federation of semi-independent enterprises: it’s the nature of government-wide security metrics that they’ll be indicators which can be faked.
• Sound bites from people who have never implemented any aspect of FISMA:  come on, SANS and Gartner?  GAO and the Cyber Security Industry Alliance are a little bit better but taken out of context.
• Nobody ever asks me for a quote on FISMA numminess:  I’ll be pouting for the rest of the week, TYVM.  =)

Not that I’m the world’s best expert at fact-checking, but something caught my eye in the report:  it’s issued by Tom Davis and the url is from the Minority Office for the House Committee on Oversight and Government Reform.  Tom Davis is the representative from Northern Virginia and is the sponsor for FISMA back when it was signed.  Until the last election, he was the chairman of the House Committee on Oversight and Government Reform.  The committee is now chaired by Henry Waxman. 

Time for a new concept in your vocabulary:  LGOPP (OK, actually it’s LGOP, but I added an extra “P” for comedy purposes).  Imagine June 6th, 1944, paratroopers scattered all over the French countryside.  What happens is you pick up the people around you, the senior person becomes the leader, and you carry out the mission.

Photo of Paratrooper Stained Glass in Sainte Mère Église by Nelson Minar

Hence the true meaning of LGOPP: Little Groups of P*ssed-off Paratroopers.  An equivalent phrase is “isolated pockets of brilliance”.

In the words of somebody I went off to war with:  “LGOPPS are the spirit of the infantry:  a handfull of 18- and 19-year-olds with fully automatic weapons who can barely remember what their mission is running around the woods raising hell”.

Now, I know you guys, you’re wondering what this has to do with security?  Well, this is relevant because it’s an election year.  What that means is that instead of being bothered with all this security stuff, Congress is involved in playing “gotcha” with the Executive branch.  After the election, it’s rearranging deck chairs on the Titanic and all of the leadership will change.

Instead of any national-level security agendas and strategizing, we’ll have to be content with security LGOPPs fighting the fight wherever they end up gaining enough critical mass.

And in the case of this year’s FISMA report card, the LGOPP that is Tom Davis’s staffers issued the report while the rest of the committee was busy worrying about elections.

Bookmark to:

There was always that one kid in class. You know, the one that didn’t always get it. Or spent most of the day staring out the window. Daydreaming knuckle heads that were nowhere near inclined to excel. Well, it appears that they US gov’t is one of those kids. Well, on average anyway.

From the Washington Post:

The federal government earned an overall grade of “C” for securing its computer systems and networks from cyber attack last year, a slight improvement from the “C-minus” mark the government was given in 2006.

The report cards were issued today by Rep. Tom Davis of Virginia, the ranking Republican on the House Committee on Oversight and Government Reform.

Nine agencies earned failing grades for 2007, including the departments of Agriculture, Commerce, Defense, Interior, Labor, Transportation, Treasury, Veterans Affairs, as well as the Nuclear Regulatory Commission. The grades are based on data submitted by the agencies and agency inspector generals to the White House for fiscal year 2007.

There are a couple bright spots. The DOJ, SSA, EPA and the GSA were among eight agencies that managed to score an “A” on their report card. They get to go to McDonald’s.

But, the NRC gets no hot apple pie with their happy meal.

Article Link

As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.  But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:

Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon

Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.  With that out of the way, lets dive in here. 

First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.  But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.

Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?  You know what happens when you ass-u-me Richard, don't you?  I have been out here hammering on a lot of these companies that I don't think have real solutions.  There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).  When I called these companies on the BS, too many people said I was just being biased against them.

You don't see StillSecure putting out those kinds of releases. Fact is Lockdown with all due respect to the folks there, was set up from the beginning to be a quick flip.  It was a speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.  They were going to do something around vulnerability management and flip this quick.  Richard, I have been there.  When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.  At the end of the day Richard, companies who succeed are companies that execute.  You have certainly been at your share of companies and should know that by now.

Now lets get down to brass tacks.  Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?  Talk about painting with a broad brush Richard!  Thats like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)  Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).  Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves peoples problems you will do fine.

As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.  NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.  According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependant on any one of our products.  That is smart business Richard. Again, to paraphrase Al Davis, "just execute baby!"

Are customers beating our door down?  I think so, but frankly our goal is to have our customers beat our partners doors down and that is happening too.  A key difference in our NAC plan was having distribution partners in the "network fabric". We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.  We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.  I am sure you probably never heard it in the mid-west.  It goes something like this:  "Those who know don't talk and those who talk don't know"  Those that need to know about our financial position know.  The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.