For three days, InteropNet is one of the largest hacking targets on the planet. Attacks and threats come from both inside and outside the network. While the external attacks are certainly more malicious in intent, most of the internal ones ended up being due to misconfiguration or just plain misunderstanding.

Let’s play a game. It’s called Malicious or Not.

1. Video streaming devices flooded the network with millions of multicast packets per second. EM7 noticed a big bump in latency on that network segment at the same time that the Enterasys Dragon IDS caught the flood of packets. Both tools could tell the origin of the packets and traced them back to misconfigured video multicast devices. In this case Not Malicious, but the result was still degradation to that network segment until the problem was fixed.
2. One vendor at the show purposely scanned all other devices on the show network to model them in their product demos. They didn’t ask anyone’s permission (or at least they didn’t ask ours). They purposely used multiple community strings to see if any would work. Malicious or Not? I’ll let you guys take this one. Personally I don’t think they meant it to be malicious, but as a monitoring tool in this space, they should have known that doing all that scanning would actually degrade network and other vendors’ device performance. I wonder if this is the vendor that was telling people that it does this at every show, and this is the first time it’s been caught.

Connect the Vendors

Enterasys took care of external attacks by identifying them and asking Qwest to block them. But it’s with the internal “devices behaving badly”, that the real fun began. It took a combination of vendors to identify, confirm and track down the offenders on the network.

First Enterasys Dragon IDS alerted on suspicious behaviors. Dragon identified what IP, MAC address or port on a switch was having the issue – which information was cross-checked against vendor registry info in EM7 to track down offenders to a booth, a room or a wireless access point in the facility. Splunk was also used to look at logs and verify the source of bad behavior.

For tracking down wireless misbehavior, Aruba Networks had a cool tool that took the info from Dragon and EM7 and used it to literally triangulate the location (down to a laptop).

Before the show started, we played wireless security hide and seek – testing our security process by sending people out with laptops and finding them, gps-style, whether they were walking around or hiding under a desk.

Overall, I think the real-life multi-vendor network security solutions I’ve described here are great examples of why interoperability is so important and why InteropNet was such a great experience.

ShareThis

Clause 12.11 of the code deals with liability for losses:

If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

Clauses 12.5 and 12.9 include some debatable advice about anti-virus software and clicking on links in email (more on this in a later post). While malware and phishing emails are a serious fraud threat, it is unrealistic to suggest that home users’ computers can be adequately secured to defeat attacks.

Fraud-detection algorithms are more likely to be effective, since they can examine patterns of transactions over all customers. However, these can only be deployed by the banks themselves.

Existing phishing schemes would be defeated by two-factor authentication, but UK banks have been notoriously slow at rolling out these, despite being widespread in many other European countries. Although not perfect these defences might cause fraudsters to move to easier targets. Two-channel and transaction authentication techniques additionally give protection against man in the middle attacks.

Until the banks are made liable for fraud, they have no incentive to make a proper assessment as to the effectiveness of these protection measures. The new banking code allows the banks to further dump the cost of their omission onto customers.

When the person responsible for securing a system is not liable for breaches, the system is likely to fail. This situation of misaligned incentives is common, and here we see a further example. There might be a short-term benefit to banks of shifting liability, as they can resist introducing further security mechanisms for a while. However, in the longer term, it could be that moves like this will degrade trust in the banking system, causing everyone to suffer.

The House of Lords Science and Technology committee recognized this problem of the banking industry and recommended a statutory change (8.17) whereby banks would be held liable for electronic fraud. The new Banking Code, by allowing banks to dump yet more costs on the customers, is a step in the wrong direction.

Adam Shostack here. Blogger Ian Grigg has an interesting response to my threat modeling blog series, and I wanted to respond to it. In particular, Ian says “I then would prefer to see the threat - property matrix this way:”

I wanted to share an additional table from our training, and talk about repudiation a bit more.

Actually, I’d like to repudiate the term “repudiation.” It’s an awful name that most people never run into in day-to-day life. It doesn’t hit the simplification bar the way say, “denial,” would. Unfortunately, STDIDE (Spoofing, Tampering, Denial, Information Disclosure, Denial of Service, Elevation of Privilege) doesn’t make a very memorable acronym. Memorable is important when training people. Our reviewers have raised this as an issue, and ’d love to get feedback from our readers. How can we ensure that the software we build has the right level of logging and audit-ability? What evocative words can we use, and can you help us come up with a word or phrase that starts with R? Let us know!

And then, here’s the chart:

(Ian’s post is here https://financialcryptography.com/mt/archives/001013.html . IE users will see a warning about certificate authorities when visiting this site.  As I wrote this, Gunnar Peterson added commentary at "Threats, Mechanisms and Standards.")

The Transportation Security Administration is interested in evaluating -- and eventually approving –- the design of certain laptop bags, so travelers would be permitted to pass through security checkpoints without having to remove their laptops.

[...]

To accomplish this, the TSA RFI pointed out that the laptop bag would need to meet the following requirements:

• The carrying bag cannot exceed any one of the proposed dimensions – 16 inches in height, 24 inches wide and 36 inches long.

• The materials that make up the bag cannot degrade the quality of the X-ray image of the laptop.

• No straps, pockets, zippers, handles or closures of the bag can interfere with the image of the laptop.

• No electronics, chargers, batteries, wires, paper products, pens or other contents of the bag can shield the image of the laptop.

TSA is inviting bag designers and manufacturers to come up with creative ways to meet these design requirements, but it has also suggested three concepts of its own:

• A bag that would open completely, and lie horizontally on the X-ray belt, such that one side with hold only the laptop.

• A bag that would open completely, leaving the laptop standing vertically, supported by clips.

• A bag that would pull apart in separate compartments, with one compartment containing only the laptop.

Doesn't sound like a particularly useful laptop bag.

I've been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better.  Better means faster, cheaper or more effectively.  There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products.   One of the things that I've learned is that we ask a lot of developers, testers, and PMs here.  They all have some exposure to security, but terms that I've been using for years are often new to them.

Larry Osterman is a longtime MS veteran, currently working in Windows audio.  He's been a threat modeling advocate for years, and has been blogging a lot about our new processes, and describes in great detail the STRIDE per element process.   His recent posts are "Threat Modeling, Once Again," "Threat modeling again. Drawing the diagram," "Threat Modeling Again: STRIDE," "Threat modeling again, STRIDE mitigations," "Threat modeling again, what does STRIDE have to do with threat modeling," "Threat modeling again, STRIDE per element," "Threat modeling again, threat modeling playsound."

I wanted to chime in and offer up this handy chart that we use.  It's part of how we teach people to go from a diagram to a set of threats.  We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.

Property	Threat	Definition	Example
Authentication	Spoofing	Impersonating something or someone else.	Pretending to be any of billg, microsoft.com or ntdll.dll
Integrity	Tampering	Modifying data or code	Modifying a DLL on disk or DVD, or a packet as it traverses the LAN.
Non-repudiation	Repudiation	Claiming to have not performed an action.	“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Confidentiality	Information Disclosure	Exposing information to someone not authorized to see it	Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Availability	Denial of Service	Deny or degrade service to users	Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Authorization	Elevation of Privilege	Gain capabilities without proper authorization	Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

[Update: fixed the table so it displays all four columns.]