<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: foreseeable]]></title>
    <link>http://securityratty.com/tag/foreseeable</link>
    <description></description>
    <pubDate>Wed, 23 Jan 2008 07:50:16 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[America's Next Top Hash Function Begins]]></title>
      <link>http://securityratty.com/article/782d55dd167bb0c5193cd7724d7e2313</link>
      <guid>http://securityratty.com/article/782d55dd167bb0c5193cd7724d7e2313</guid>
      <description><![CDATA[You might not have realized it, but the next great battle of cryptography began this month. It's not a political battle over export laws or key escrow or NSA eavesdropping, but an academic battle over...]]></description>
      <content:encoded><![CDATA[<p>You might not have realized it, but the next great battle of cryptography began this month. It's not a political battle over export laws or key escrow or NSA eavesdropping, but an academic battle over who gets to be the creator of the next hash standard.</p>

<p>Hash functions are the most commonly used cryptographic primitive, and the most poorly understood. You can think of them as fingerprint functions: they take an arbitrarily long data stream and return a fixed-length, effectively unique string. The security comes from the fact that while it's easy to generate the fingerprint from a file, it's infeasible to go the other way and produce a file given only its fingerprint, and equally infeasible to find two different files that share a fingerprint. </p>
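<p>As an added illustration that is not part of the original column, the fingerprint properties above worked through in Python with the standard hashlib module: the output length is fixed by the algorithm no matter how long the input is, a one-character change flips roughly half the digest bits, a fingerprint check is done with a constant-time comparison, and a brute-force search in the "other direction" shows why a full preimage is out of reach, since the expected work doubles with every extra bit of digest you try to match. The sha3_256 entry is the Keccak-based algorithm NIST eventually standardized from this competition (FIPS 202, 2015); the strings and the prefix targets are constructed for the example.</p>

```python
"""Added example (not from the original article): the fingerprint
properties of a cryptographic hash, demonstrated with Python's standard
hashlib.  All inputs below are constructed for illustration."""
import hashlib
import hmac


def fingerprint(data: bytes, algorithm: str = "sha256") -> bytes:
    """Digest of an arbitrarily long byte string; cheap in the forward direction."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.digest()


def digest_lengths(data: bytes, algorithms=("sha1", "sha256", "sha512", "sha3_256")) -> dict:
    """Output length is fixed by the algorithm; the input size does not matter."""
    return {name: len(fingerprint(data, name)) for name in algorithms}


def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests (avalanche check)."""
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify_fingerprint(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the fingerprint and compare it in constant time."""
    return hmac.compare_digest(fingerprint(data, algorithm), bytes.fromhex(expected_hex))


def preimage_search(target_prefix: bytes, limit: int, algorithm: str = "sha256"):
    """Brute-force the 'other direction': find an input whose digest starts
    with target_prefix by hashing counters 0, 1, 2, ... up to limit.
    Returns (input_bytes, attempts), or (None, limit) if nothing matched.
    Expected work is 256**len(target_prefix) attempts, doubling per bit,
    which is why matching a full 256-bit digest is not feasible."""
    for counter in range(limit):
        candidate = counter.to_bytes(8, "big")
        if fingerprint(candidate, algorithm).startswith(target_prefix):
            return candidate, counter + 1
    return None, limit


if __name__ == "__main__":
    print("digest lengths, empty input:   ", digest_lengths(b""))
    print("digest lengths, 1 MB input:    ", digest_lengths(b"x" * 1_000_000))
    d1 = fingerprint(b"The quick brown fox")
    d2 = fingerprint(b"The quick brown fox.")
    print("bits changed by one extra character:", bit_difference(d1, d2), "of", len(d1) * 8)
    for prefix in (b"\x00", b"\x00\x00"):
        _, attempts = preimage_search(prefix, 1_000_000)
        print(f"{len(prefix) * 8}-bit prefix matched after {attempts} attempts")
```

<p>Run it directly to see the attempt counts climb from the hundreds for an 8-bit prefix to the tens of thousands for 16 bits; extrapolating that curve to 256 bits is the whole argument for "infeasible to go the other way".</p>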

<p>Originally created to make digital signatures more efficient, hashes are now used to secure the very fundamentals of our information infrastructure: in password logins, secure web connections, encryption key management, virus and malware scanning, and almost every cryptographic protocol in current use. Without cryptographic hash functions, the internet would simply not work. At the same time, there isn't a good theory of hash functions. Unlike encryption algorithms, there are no secret keys involved; this makes it harder to define mathematically exactly what it means for a hash function to be secure.</p>

<p>
The National Institute of Standards and Technology, NIST, is <a href="http://csrc.nist.gov/groups/ST/hash/sha-3/index.html">holding a competition</a> to replace the SHA family of hash functions. "SHA" stands for "Secure Hash Algorithm." It was developed by the NSA and published in 1993 to replace the commercial MD4 and MD5 algorithms, and has been updated several times since then: SHA-1 in 1995, and later the SHA-2 family (SHA-224, SHA-256, SHA-384 and SHA-512). All the SHA algorithms share the same basic construction, and SHA-1 in particular has come <a href="http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html">increasingly under attack</a>, so NIST <a href="http://www.schneier.com/blog/archives/2005/10/nist_hash_works_1.html">wants to replace them</a>.</p>

<p>The competition is important because, unlike other technological standards, committee design &#8212; balancing the interests of diverse constituents &#8212; isn't conducive to good security. Security is best when it's designed by expert teams and then subjected to public review. And cryptography is best when it's chosen by competition.</p>

<p>In 1997, NIST held a <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process">competition</a> for a <a href="http://csrc.nist.gov/archive/aes/index.html">block cipher</a> to replace DES. Fifteen candidates and three-and-a-half years later, Rijndael became the new Advanced Encryption Standard &#8212; AES. NIST is doing the same thing for what it's calling SHA-3 (not, for some unexplained reason, the Advanced Hash Standard or AHS).</p>

<p>The deadline was October 31, and NIST received 64 submissions. This isn't surprising &#8212; I <a href="http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html">predicted</a> 80 &#8212; as most of the 15 AES submitters were professors, whose students at the time have become professors themselves, with their own students. (If NIST does a stream cipher competition in another ten years, they should expect about 256 submissions.) These submissions came from academia, from industry, and from hobbyists. <cite><a href="http://www.cio.com/article/461164/Amateurs_and_Pros_Vie_to_Build_New_Crypto_Standard">CIO magazine</a></cite> recently interviewed one of the submitters, who is 15. Twenty-eight submissions have been made <a href="http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo">public</a> by the submitters, and six of those have been broken.</p>

<p>NIST is going through all the submissions right now, making sure they are complete and proper. Their goal is to publish all accepted submissions by the end of November, in advance of the <a href="http://csrc.nist.gov/groups/ST/hash/timeline.html">First Hash Function Candidate Conference</a>, to be held in Belgium right after the <a href="https://www.cosic.esat.kuleuven.be/fse2009/index.shtml">Fast Software Encryption workshop</a> in February.  </p>

<p>The group expects to quickly make a first cut of algorithms &#8212; hopefully to about a dozen &#8212; and give the community a year of cryptanalysis before making a second cut in 2010. After another year of cryptanalysis, NIST will choose a winner in 2011. Expect a final standard by 2012.</p>

<p>My advice for software developers is to let the process run its course. While it's tempting to use the new cool algorithms in your designs, it's far too soon to trust any of them. This process is likely to result in all sorts of new research results in hash function security, and some real cryptanalytic surprises.  Give the community a few years to figure out which ones are good and which aren't.</p>

<p>I've previously called this sort of thing a cryptographic demolition derby: The last one left standing wins. But that's only partially true. Certainly all the groups will spend the next few years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms. NIST will select one based on performance and features.</p>

<p>NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. I think that's smart; in this process, the best is the enemy of the good. While there's no rush to choose a new standard &#8212; the SHA-2 algorithms will remain secure for the foreseeable future &#8212; we don't want to analyze the candidates forever.</p>

<p>Personally, I was part of a group of eight cryptographers that submitted <a href="http://www.schneier.com/skein.html">Skein</a> to the competition. A decade ago, writing <a href="http://www.schneier.com/twofish.html">Twofish</a> and participating in the AES process was the most fun I had ever had in cryptography. These next few years promise to be even more fun.</p>

<p>---</p>

<p><i>Bruce Schneier is chief security technology officer of BT. His new book is </i>Schneier on Security<i>.</i></p><br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Wed, 19 Nov 2008 23:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hash function">hash function</category>
      <category domain="http://securityratty.com/tag/sha">sha</category>
      <category domain="http://securityratty.com/tag/sha-3">sha-3</category>
      <category domain="http://securityratty.com/tag/algorithms">algorithms</category>
      <category domain="http://securityratty.com/tag/cool algorithms">cool algorithms</category>
      <category domain="http://securityratty.com/tag/sha family">sha family</category>
      <category domain="http://securityratty.com/tag/nist held">nist held</category>
      <category domain="http://securityratty.com/tag/unlike encryption algorithms">unlike encryption algorithms</category>
      <category domain="http://securityratty.com/tag/nist">nist</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/459059855/securitymatters_1120">America's Next Top Hash Function Begins</source>
    </item>
    <item>
      <title><![CDATA[The Importance of Advance Planning in Executive Protection]]></title>
      <link>http://securityratty.com/article/e1d474ffbd2af02b7c262a8172d013f8</link>
      <guid>http://securityratty.com/article/e1d474ffbd2af02b7c262a8172d013f8</guid>
      <description><![CDATA[I was delighted to see the Herald Standard quoting an executive/close protection agent regarding the importance of Advance work

Sy Alli is an E.P./C.P. team leader for &quot;Limited Brands Inc.,&quot; and was...]]></description>
<content:encoded><![CDATA[I was delighted to see the <a href="http://www.heraldstandard.com/site/news.cfm?newsid=20151834&BRD=2280&PAG=461&dept_id=480247&rfi=6">Herald Standard</a> quoting an executive/close protection agent regarding the importance of Advance work.<br /><span id="fullpost"><br />Sy Alli is an E.P./C.P. team leader for "Limited Brands Inc.," and was speaking at the California University of Pennsylvania's 2nd annual conference on Corporate and Homeland Security.<br /><br />Mr. Alli was describing a previous trip to Indonesia where he was in charge of the advance to make sure everything was in place before the Principal arrived with the other protective agents.  Very accurately, he described the need to cover every minute detail from the routes of travel to the alternative routes and to include such important features as local hospitals should medical treatment be needed.<br /><br />Another important point highlighted was the need for agents to have access to contacts in different countries who could assist with logistics, general and specialized support on the ground, current political situations, etc.  <br /><br />Far too often I am approached by security persons (and not even all are qualified/trained in executive or close protection) who find out that we may have overseas work and want to be included.  On some occasions, those requesting to be included on the detail did not even have a current passport!<br /><br />If you are serious about making a career out of this line of work, you owe it to yourself to do your homework.  Over the years I have developed hundreds of contacts all over the world who will respond immediately and who can be trusted to support us in any number of situations and scenarios.  <br /><br />This took a lot of preparing and involved constant contact.  It is not something that you throw together a day before your client is scheduled to arrive in a country.  
If you have people in different parts of the country, or world if you wish to work globally, who can assist when you are in need, you will be able to facilitate your client in a way that will not only gain his/her admiration, but will undoubtedly cement your position in that client's security detail.<br /><br />In these unsure times, there is a lot to be said for knowing your job is safe for the foreseeable future.]]></content:encoded>
      <pubDate>Sun, 12 Oct 2008 16:10:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/detail">detail</category>
      <category domain="http://securityratty.com/tag/security detail">security detail</category>
      <category domain="http://securityratty.com/tag/current political situations">current political situations</category>
      <category domain="http://securityratty.com/tag/advance">advance</category>
      <category domain="http://securityratty.com/tag/situations">situations</category>
      <category domain="http://securityratty.com/tag/2nd annual conference">2nd annual conference</category>
      <category domain="http://securityratty.com/tag/gain hisher admiration">gain hisher admiration</category>
      <category domain="http://securityratty.com/tag/agents">agents</category>
      <category domain="http://securityratty.com/tag/routes">routes</category>
      <source url="http://www.thebulletproofblog.com/2008/10/importance-of-advance-planning-in.html">The Importance of Advance Planning in Executive Protection</source>
    </item>
    <item>
      <title><![CDATA[This week in history - volcanos, hurricanes, and the risk of Black Swans]]></title>
      <link>http://securityratty.com/article/1c99044530f3bdcc78ac07456ab99c44</link>
      <guid>http://securityratty.com/article/1c99044530f3bdcc78ac07456ab99c44</guid>
<description><![CDATA[Poring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary...]]></description>
      <content:encoded><![CDATA[<p><img title="Chris McClean" alt="Chris McClean" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Chris-McClean.gif" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px" /></p>

<p>Poring over endless details of risks, regulations, taxonomies, and technologies can sometimes give us a narrow view of the world, so it seems worthwhile to take a minute to mark the 125th anniversary of the <a href="http://www.wired.com/science/discoveries/news/2008/08/dayintech_0826">cataclysmic eruption of Krakatoa</a> this week. For those of us that want to think big but can’t remember that far back, this week is also the 3rd anniversary of <a href="http://www.hhs.gov/disasters/emergency/naturaldisasters/hurricanes/katrina/index.html">Hurricane Katrina’s devastating sweep</a> across a wide stretch of the US Gulf Coast. </p>

<p>By now, I expect that most of you have read or are familiar with the 2007 book, The Black Swan, by <a href="http://www.fooledbyrandomness.com/">Nassim Nicholas Taleb</a>, which argues that these kinds of unpredictable, outlying occurrences are the ones that really shape businesses, countries, economies, and people. Taleb argues that although these “Black Swan” events are almost completely unforeseeable, we mistakenly try to explain the circumstances at the time and make predictions about similar events in the future. </p>

<p>In my ERM work with clients, and especially in the context of research I’ve been doing with my colleague <a href="http://www.forrester.com/rb/analyst/stephanie_balaouras?internal=1">Stephanie Balaouras</a> on business continuity and resiliency, questions come up about how to plan for catastrophes... and they’re good questions. Were the CardSystems or TJX data breaches foreseeable? What about the Société Générale debacle or the 2004 Indian Ocean tsunami? What’s next? Should these types of events be included in our risk assessments? </p>

<p>We’d like to get your opinion on these and other risks that may be on the very edge of the statistical tail. At what point do they belong in your risk register? </p>

<p>Of course, it’s possible to define mitigating controls for crises, disasters, or incidents without knowing for sure what they’re going to look like. That’s one of the hallmarks of a good crisis management plan. And that’s an important point, because trying to predict the next unforeseeable event can be a real challenge sometimes. </p>]]></content:encoded>
      <pubDate>Thu, 28 Aug 2008 07:07:47 +0000</pubDate>
      <category domain="http://securityratty.com/tag/similar events">similar events</category>
      <category domain="http://securityratty.com/tag/events">events</category>
      <category domain="http://securityratty.com/tag/black swan events">black swan events</category>
      <category domain="http://securityratty.com/tag/black swan">black swan</category>
      <category domain="http://securityratty.com/tag/plan">plan</category>
      <category domain="http://securityratty.com/tag/crisis management plan">crisis management plan</category>
      <category domain="http://securityratty.com/tag/week">week</category>
      <category domain="http://securityratty.com/tag/colleague stephanie balaouras">colleague stephanie balaouras</category>
      <category domain="http://securityratty.com/tag/argues">argues</category>
      <source url="http://blogs.forrester.com/srm/2008/08/this-date-in-hi.html">This week in history - volcanos, hurricanes, and the risk of Black Swans</source>
    </item>
    <item>
      <title><![CDATA[Colorado Division of Motor Vehicles cited in audit report]]></title>
      <link>http://securityratty.com/article/dbed3997c39ebff2c2a793a72849fb6e</link>
      <guid>http://securityratty.com/article/dbed3997c39ebff2c2a793a72849fb6e</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/9/08

Organization
State of Colorado

Contractor/Consultant/Branch
Department of Revenue
Division of Motor Vehicles

Victims
Residents

Number...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/coloradodmv.jpg" width="200" align="right" height="101"><font size="2"><strong>Date Reported: </strong><br>7/9/08<br><br><strong>Organization: </strong><br><a href="http://www.colorado.gov/">State of Colorado</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.revenue.state.co.us/main/home.asp">Department of Revenue</a> <br><a href="http://www.revenue.state.co.us/mv_dir/home.asp">Division of Motor Vehicles</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Residents<br><br><span style="font-weight: bold;">Number Affected:</span><br>~3,400,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, dates of birth and Social Security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://origin.denverpost.com/headlines/ci_9822063">The Denver Post</a> <br><a href="http://www.leg.state.co.us/OSA/coauditor1.nsf/All/2732807492E26F3387257464005FCB5D/$FILE/1912%20DriverLicense%20Perf%20May%202008.pdf">Report of The State Auditor, Driver's License and Identification (ID) Card Security</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Jessica Fender, The Denver Post - Brought to the attention of The Breach Blog by an informed reader.<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.<br><br>The DMV regularly sends large 
batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit.<br><em>[Evan] The audit report is <a href="http://www.leg.state.co.us/OSA/coauditor1.nsf/All/2732807492E26F3387257464005FCB5D/$FILE/1912%20DriverLicense%20Perf%20May%202008.pdf">here</a>.</em><br><br>At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure<br><br>Revenue Department leaders who oversee the division say they are working to hire internal watchdogs and build up their technological defenses.<br><span style="font-style: italic;">[Evan] This is putting the cart before the horse.&nbsp; After reading some of the audit results it is clear to me that there is no information security strategy, no effective information security management, and no formal information security program.&nbsp; These administrative issues need to be addressed well before "technological defenses" should be.&nbsp; Addressing "technological defenses" first is often times wasteful and disjointed.</span><br><br>But the state, facing a budget shortfall, will have no additional money in the foreseeable future for new computer systems.<br><span style="font-style: italic;">[Evan] Then get creative!&nbsp; No or little money is a poor excuse for not doing the right thing.&nbsp; Many times, we find that an organization actually saves money through effective information security management.&nbsp; Fix the administrative issues and formalize the information security program first.&nbsp; I don't know much about the Colorado state government, but I do know that other state governments are wasteful and disorganized.&nbsp; Information security, when aligned with organizational goals and objectives (not IT) can help organize and cut waste.</span><br><br>Cyber security alone is a $1.5 million problem that will be tough to solve, said Roxy Huber, 
Revenue Department executive director.<br><span style="font-style: italic;">[Evan] I wonder where the $1.5 million dollar figure comes from.&nbsp; We can secure a heckuva lot of infrastructure (and information) with that kind of money.&nbsp; I get a kick out of "Cyber security".</span><br><br>"To tell you that I'm going to have the tools to do what I need to do, I don't know where they're going to come from," Huber said. "But we will continue to do the best with the tools that we have."<br><span style="font-style: italic;">[Evan] Where do I start with this comment?&nbsp; The first tool to use is the one between your ears.</span><br><br>Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.<br><span style="font-style: italic;">[Evan] This should tell you something!&nbsp; It is even more troubling if your own state government contributes to the problem.</span><br><br>On average, those frauds cost victims $4,041 each for a total of $41.3 million in 2007<br><br>Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned," <br><span style="font-style: italic;">[Evan] Yeah, ya think?</span><br><br>No one person is responsible for security<br><span style="font-style: italic;">[Evan] Or is it no one is responsible for security?</span><br><br>High turnover - 60 percent of entry-level workers leave during their first year - and low, $26,280-a-year starting salaries make fraud more attractive and management more difficult, DMV officials said.<br><span style="font-style: italic;">[Evan] This is another problem that contributes significantly to the risk.</span><br><br>While employees have been caught issuing hundreds of fraudulent licenses, there are no known instances of identity theft or information security breaches, said Department of Revenue spokesman Mark Couch.<br><span style="font-style: italic;">[Evan] Come on.&nbsp; Not that we 
know of anyway.&nbsp; Don't you think that the risk is much higher if a person has already demonstrated that he/she is willing to step over the line?</span><br><br>"It's not like we have a completely defenseless system," Couch said. The audit "says that we need to take more steps."<br><span style="font-style: italic;">[Evan] Not completely defenseless, but like protecting a bicycle with a rope.</span><br><br>"Without the appropriate resources, there's no way we can hold you accountable for doing some of the things you're expected to do," said Sen. Nancy Spence, R-Centennial.<br><span style="font-style: italic;">[Evan] This kind of talk does not help the cause and does little to serve constituents.&nbsp; I am not close to this issue, but so many of the things I have read about this breach point to mismanagement more than a lack of appropriate resources.</span><br><br>Some problems already have been fixed.<br><br>The 33 former employees with database access immediately had their passwords deactivated once auditors identified them, and the DMV now compiles monthly lists of departed workers to prevent future lapses<br><br>The division has a long-standing policy of redacting the last four digits of Social Security numbers before they're transmitted, and the division plans to encrypt all transmitted information by June 2009. 
<br><span style="font-style: italic;">[Evan] What?&nbsp; A year?&nbsp; This exposure is now public knowledge and will continue for a year?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>Due to the fact that I was a little more critical in my comments above, I should express that these are my opinions and beliefs based on my experiences and knowledge.&nbsp; Take the comments for what they are worth.<br><br>It seems like there is a lot of work that needs to be done at the Colorado Department of Revenue and Division of Motor Vehicles.&nbsp; The work must start at the top.&nbsp; Somebody needs to step up and fill the role as the "person responsible for security". <br><br><span style="font-weight: bold;">Past Breaches:</span><br><span style="font-weight: bold;">State of Colorado:</span><br>April, 2008 - <a href="http://breachblog.com/2008/04/30/collegeinvest.aspx">CollegeInvest external hard drive goes missing </a><br></font><br><br>
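Added example, not from the audit report or the Breach Blog post: the control the DMV says it now runs monthly, a departed-worker list reconciled against the accounts still enabled on the database, is the check that would have caught the 33 former employees described above. The script below does that reconciliation in Python on a constructed HR roster and a constructed account export (all user ids and dates are invented), reports accounts whose owner HR has no record of as a separate finding, and sorts by how long the access outlived the employment.<br><br>

```python
"""Added example (not from the audit report or the Breach Blog post):
reconcile HR's departure list against the accounts still enabled in a
database, the monthly control the DMV says it now performs.  All user ids
and dates below are constructed for illustration."""
from datetime import date

# Constructed HR roster: user id -> last day of employment (None = current employee)
HR_ROSTER = {
    "jdoe": date(2007, 3, 15),
    "asmith": date(2008, 4, 20),
    "bwong": None,
    "clee": date(2008, 4, 30),
}

# Constructed export of accounts still enabled on the driver's-license database
ACTIVE_DB_ACCOUNTS = ["jdoe", "bwong", "asmith", "xghost", "clee"]

# Constructed date of the review run
AUDIT_DATE = date(2008, 5, 1)


def orphaned_accounts(roster, active_accounts, as_of, grace_days=0):
    """Return accounts that should be disabled, most overdue first.

    Each entry is (user_id, days_since_departure).  days is None when HR
    has no record of the account owner at all, which is its own finding
    (a shared or never-provisioned identity).  Accounts whose owner left
    within grace_days are not reported yet."""
    findings = []
    for user in active_accounts:
        if user not in roster:
            findings.append((user, None))
            continue
        last_day = roster[user]
        if last_day is None:
            continue  # still employed; access is legitimate
        days_gone = (as_of - last_day).days
        if days_gone > grace_days:
            findings.append((user, days_gone))
    # Unknown owners first, then by how long access has outlived employment
    findings.sort(key=lambda f: (f[1] is not None, -(f[1] or 0)))
    return findings


if __name__ == "__main__":
    for user, days in orphaned_accounts(HR_ROSTER, ACTIVE_DB_ACCOUNTS, AUDIT_DATE):
        detail = "not in HR roster" if days is None else f"{days} days after departure"
        print(f"{user}: {detail}")
```

The point of the grace period parameter is that a monthly run with no grace period will flag people who left yesterday and are still being offboarded; a run with a long one recreates the year-plus gap the auditors found. Either way the unknown-owner entries are the ones to chase first, because nobody in HR can say who is using them.<br><br>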
]]></content:encoded>
      <pubDate>Fri, 11 Jul 2008 05:18:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information security breaches">information security breaches</category>
      <category domain="http://securityratty.com/tag/sensitive information">sensitive information</category>
      <category domain="http://securityratty.com/tag/information security strategy">information security strategy</category>
      <category domain="http://securityratty.com/tag/information security program">information security program</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/cyber security">cyber security</category>
      <source url="http://breachblog.com/2008/07/11/coloradodmv.aspx">Colorado Division of Motor Vehicles cited in audit report</source>
    </item>
    <item>
      <title><![CDATA[Power Outages Are A Major Risk That Most Companies Overlook]]></title>
      <link>http://securityratty.com/article/b24235544fb02ac0b71dbf39b267d95f</link>
      <guid>http://securityratty.com/article/b24235544fb02ac0b71dbf39b267d95f</guid>
      <description><![CDATA[TechCrunchIT reported today that a Rackspace data center went down for several hours during the evening due to a power grid failure. Because Rackspace is a managed service provider (MSP), the downtime...]]></description>
      <content:encoded><![CDATA[<p><img border="0" title="Stephanie Balaouras" alt="Stephanie Balaouras" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Stephanie-Balaouras.gif" style="margin: 0px 5px 5px 0px; float: left;" /></p>
<p><a href="http://www.techcrunchit.com/2008/07/10/rackspace-downtime-a-reminder-that-all-are-vulnerable/">TechCrunchIT</a> reported today that a <a href="http://www.rackspace.com/">Rackspace</a> data center went down for several hours during the evening due to a power grid failure. Because Rackspace is a managed service provider (MSP), the downtime affected several businesses hosted in the data center.</p>

<p>When companies think of disaster recovery and downtime, they typically think of catastrophic events such as hurricanes, tornadoes, and earthquakes. What companies don't realize is that the most common cause of downtime is power failures. In a <a href="http://www.forrester.com/Research/Document/0,7211,42949,00.html">joint study by Forrester Research and The Disaster Recovery Journal of 250 disaster recovery decision-makers and influencers, 42% of respondents indicated that a power failure was the cause of their most significant disaster declaration or major business disruption.</a> </p>

<p>To reduce the risk of a power failure taking the data center down, businesses must ensure that they have multiple, diverse connections to the power grid, and must install backup generators and uninterruptible power supplies (UPS) at the data center. But it's not enough to have these preventative measures in place: businesses must test the ability to switch over to backup power at least twice a year. And if your business has a recovery data center, it's best if the recovery data center is on a different power grid and is also equipped with backup power generation.</p>

<p>But despite all these measures, failures might still happen. In the case of the Rackspace outage, the company successfully failed over to its backup generators, but some of its chillers did not start up correctly.</p>

<p>In North America, the risk of power failures is likely to remain high for the foreseeable future. According to a 2007 <a href="ftp://ftp.nerc.com/pub/sys/all_updl/docs/pubs/LTRA2007.pdf">report by the North American Electric Reliability Corporation (NERC), long-term capacity margins are still inadequate and significant investment in transmission is still required.</a></p>



<p>So businesses must not only invest in preventative measures such as backup power generators, they must think about where they locate their data centers. <a href="http://www.forrester.com/Research/Document/0,7211,44875,00.html">You must avoid areas that have clearly identified congestion issues and focus on areas that have access to cheap and abundant power.</a> And, don't take it for granted that your service provider has effectively managed the risk of power failures.</p>]]></content:encoded>
      <pubDate>Thu, 10 Jul 2008 13:31:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/prevent power failures">prevent power failures</category>
      <category domain="http://securityratty.com/tag/failures">failures</category>
      <category domain="http://securityratty.com/tag/data center">data center</category>
      <category domain="http://securityratty.com/tag/recovery data center">recovery data center</category>
      <category domain="http://securityratty.com/tag/backup power">backup power</category>
      <category domain="http://securityratty.com/tag/backup power generators">backup power generators</category>
      <category domain="http://securityratty.com/tag/power failures">power failures</category>
      <category domain="http://securityratty.com/tag/power failure">power failure</category>
      <category domain="http://securityratty.com/tag/rackspace power failure">rackspace power failure</category>
      <source url="http://blogs.forrester.com/srm/2008/07/power-outages-a.html">Power Outages Are A Major Risk That Most Companies Overlook</source>
    </item>
    <item>
      <title><![CDATA[Why making health records public is not a great idea]]></title>
      <link>http://securityratty.com/article/0a928717c49a83f229933e10a472a821</link>
      <guid>http://securityratty.com/article/0a928717c49a83f229933e10a472a821</guid>
      <description><![CDATA[Fred Wilson has an interesting blog up regarding the new Google Health service. Fred filled out his personal medical information and was disappointed that he was not able to publish this data and make...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://avc.blogs.com/a_vc/2008/05/making-my-perso.html" target="_blank">Fred Wilson has an interesting blog post</a> up regarding the new <a href="https://www.google.com/health/" target="_blank">Google Health</a> service. Fred filled out his personal medical information and was disappointed that he was not able to publish this data and make it public. Fred would like to have a sidebar widget for his blog with his health profile. Many people wrote to Fred telling him why Google does not do this. Many of the replies centered on the fact that insurance companies would use this information against you to deny or limit your coverage. Some took shots at Fred's socio-economic status, saying that he didn't care if the insurance companies used it against him because he could afford to pay whatever he had to. Fred replies that he thinks withholding, or being less than open about, health issues to insurance companies, investors, etc. is problematic, and that in a perfect world insurance companies should not be able to use this against us. In fact Fred says:</p><blockquote><p><em>Wouldn't we all be better off with an insurance system that wasn't able to discriminate between people based on pre-existing conditions? Wouldn't we be better off if we came together to insure everyone? Wouldn't we be better off if we knew everyone's medical conditions and what treatments worked and what did not? Wouldn't we be better off if we could search for others with the same conditions to share our experiences?</em></p></blockquote><p>I don't believe Fred feels this way because of his socio-economic status. I think Fred thinks like this because he is, I assume, in good health. I wonder whether, if Fred were suffering from some medical condition, his views on this would change. This reminds me of the &quot;nothing to hide&quot; argument that some use to justify the government trampling on our privacy rights: if you have nothing to hide, why do you care? I care because it is wrong. I care about not making health records public because it is wrong. We don't live in a perfect world. Even taking Hillary's or Obama's health plans into account, we live in a world where insurance companies can discriminate against those with pre-existing conditions for the foreseeable future. Think about it: if only healthy people published their records, what would that say about the people who did not publish theirs?</p>

<p>Fred's point about searching for others with the same condition is fine, if they want to be found. It is inherently a person's right not to be found. In fact, today if you want to share with a person who has the same medical condition as you, you can usually search and find a group or online community of such people. What is nice is that some of these people can share in these groups without revealing their identity. It is this ability to remain anonymous that I think makes these types of communities successful.</p>

<p>Fred recognizes that not everyone would want to share their records. I say that once we start dividing society into those who do and those who don't, we have already imposed a penalty on those who cherish their privacy.</p></div>

]]></content:encoded>
      <pubDate>Tue, 20 May 2008 03:21:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/health">health</category>
      <category domain="http://securityratty.com/tag/health records public">health records public</category>
      <category domain="http://securityratty.com/tag/public">public</category>
      <category domain="http://securityratty.com/tag/fred">fred</category>
      <category domain="http://securityratty.com/tag/fred wilson">fred wilson</category>
      <category domain="http://securityratty.com/tag/records">records</category>
      <category domain="http://securityratty.com/tag/health profile">health profile</category>
      <category domain="http://securityratty.com/tag/fred feels">fred feels</category>
      <category domain="http://securityratty.com/tag/google health service">google health service</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/294228251/why-making-heal.html">Why making health records public is not a great idea</source>
    </item>
    <item>
      <title><![CDATA[Red Hat Punts on Consumer Desktops]]></title>
      <link>http://securityratty.com/article/fe3b155f1846946da35741d30aaa5504</link>
      <guid>http://securityratty.com/article/fe3b155f1846946da35741d30aaa5504</guid>
      <description><![CDATA[The Red Hat Desktop Team has announced that they are not going to be building a consumer-focused operating system product for the foreseeable...]]></description>
      <content:encoded><![CDATA[The Red Hat Desktop Team has announced that <a href="http://www.press.redhat.com/2008/04/16/whats-going-on-with-red-hat-desktop-systems-an-update/">they are not going to be building a consumer-focused operating system product for the foreseeable future.</a>]]></content:encoded>
      <pubDate>Thu, 17 Apr 2008 06:30:48 +0000</pubDate>
      <category domain="http://securityratty.com/tag/system product">system product</category>
      <category domain="http://securityratty.com/tag/foreseeable future">foreseeable future</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/272217537/red_hat_punts_on_consumer_desktops_1.html">Red Hat Punts on Consumer Desktops</source>
    </item>
    <item>
      <title><![CDATA[Microsoft SDL Process in detail]]></title>
      <link>http://securityratty.com/article/24d4e4718f449664310a9dbbe27444a0</link>
      <guid>http://securityratty.com/article/24d4e4718f449664310a9dbbe27444a0</guid>
      <description><![CDATA[Hello all Dave here
I am currently at RSA and decided to take a few moments to blog about some updates to the Security Development Lifecycle. Admittedly, I have been radio silent on the blog for...]]></description>
      <content:encoded><![CDATA[<p>Hello all – Dave here…</p>
<p>I am currently at RSA and decided to take a few moments to blog about some updates to the Security Development Lifecycle. Admittedly, I have been “radio silent” on the blog for a while – for those that know me, that’s usually a warning signal that I am cooking something up…</p>
<p>Anyway, back when we first started this blog we promised that you would see more about the particulars of the SDL – and I think we have done a reasonably good job. Michael Howard has written some pretty interesting pieces on a wide variety of subjects: bug post-mortems, <a title="The First Step on the Road to More Secure Software is admitting you have a Problem" href="http://blogs.msdn.com/sdl/archive/2008/02/21/the-first-step-on-the-road-to-more-secure-software-is-admitting-you-have-a-problem.aspx" target="_blank">philosophical notes</a> and the like. Adam Shostack did a fabulous job on the <a title="Threat Modeling" href="http://blogs.msdn.com/sdl/archive/tags/threat+modeling/default.aspx" target="_blank">threat modeling series</a>; Eric Bidstrup took a deeper look at the <a title="Common Criteria and answering the question 'Is it Safe'" href="http://blogs.msdn.com/sdl/archive/2007/12/20/common-criteria-and-answering-the-question-is-it-safe.aspx" target="_blank">perceived vs. real benefits of the Common Criteria</a>; and I have penned a moderately well received <a title="Oil Change or Culture Change?" href="http://blogs.msdn.com/sdl/archive/2007/05/31/oil-change-or-culture-change.aspx" target="_blank">screed</a> or two from time to time.</p>
<p>However, one of the common requests (complaints?) that I have heard is that we have been short on the real “guts” of the SDL – that is to say, a point-by-point examination of how to apply the SDL. I would argue that Michael and Steve’s <a title="Microsoft Security Development Lifecycle" href="http://www.microsoft.com/mspress/books/8753.aspx" target="_blank">book on the SDL</a> is a good primer on how to get started. I think Jeremy Dallman added more momentum with his <a title="Crawling Toward SDL" href="http://blogs.msdn.com/sdl/archive/2008/03/06/crawling-toward-sdl.aspx" target="_blank">“Crawling toward SDL”</a> post, giving some practical advice on how to approach the issue of secure software development from scratch.</p>
<p>Despite these efforts I have heard that people still want more detail – some folks are curious about how an organization the size of Microsoft programmatically drives culture change; others are looking for guidance that can be repurposed for their own organizations; and finally, some folks are convinced that we are deliberately holding back some security “secret sauce” for some reason. Go figure.</p>
<p>With that, let me cut to the chase. Today, we have made the <a title="Microsoft SDL 3.2" href="http://go.microsoft.com/?linkid=8685076" target="_blank">Microsoft Security Development Lifecycle, version 3.2</a> available for your perusal on MSDN. This has been in the works for quite a while and has involved a ton of folks in SEC and TWC putting a lot of hours and resources into getting this published (props to Ziv Fass and Jed Pickel!).</p>
<p>As you can probably guess, this is not an exact duplication of the SDL for a number of reasons – but it’s pretty darn close. Given that caveat, allow me to illustrate a few points about this guidance...</p>
<ul>
<li>First, we have gone through and removed Microsoft-specific jargon, references to internal resources on our intranet, and things that would likely make zero sense to an audience outside of Microsoft (the scrub work was one of the primary inhibitors to publishing previous versions of the guidance).</li>
<li>Second, this is a generalized representation of how the SDL is applied at Microsoft for the development of rich client and server applications – while many of the principles apply to the creation of web applications, I would caution you to view this in the correct context. While Bryan Sullivan has <a title="SDL and Web 2.0" href="http://blogs.msdn.com/sdl/archive/2008/02/28/sdl-and-web-2-0.aspx" target="_blank">written about web development</a> in the past, we’ll have more on SDL and web application development in the future.</li>
<li>Third, for all intents and purposes the SDL is considered the “minimum bar” for security and privacy at Microsoft for those products with meaningful security risk; there are a number of teams that choose to invest more time and resources as necessary to meet product team goals that may exceed the SDL. We salute that behavior. : )</li>
</ul>
<p>Finally, in reference to the third point above, I am compelled to say the following. (LEGAL DISCLAIMER ALERT – those with weak constitutions should avert their eyes):</p>
<p><strong><em>The following documentation on the Microsoft Security Development Lifecycle, version 3.2 is for illustrative purposes only. This documentation is not an exhaustive reference on the SDL process as practiced at Microsoft. Additional assurance work may be performed by product teams (but not necessarily documented) at their discretion. As a result, this example should not be considered as the exact process that Microsoft follows to secure all products.</em></strong></p>
<p><strong><em>This documentation should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented herein. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, OR STATEMENTS ABOUT APPLICABILITY OR FITNESS OF PURPOSE FOR ANY ORGANIZATION ABOUT THE INFORMATION IN THIS DOCUMENT.</em></strong></p>
<p>For the morbidly curious: Yes, I wrote that; yes, it passes legal muster; no, I am not a lawyer, nor do I play one on TV. : )</p>
<p>So there you have it – Microsoft SDL 3.2.</p>
<p>There are a few sharp-eyed souls that read the blog and will wonder about our publishing schedule for updates – it’s no secret that we examine the SDL every six months and either add new requirements to meet emerging threats or deprecate old guidance. It has been described by some as analogous to “changing tires on a moving vehicle.” Let me say now that we will NOT be publishing new SDL guidance on a six-month schedule for the foreseeable future – we’ll settle on a reasonable publication frequency and hopefully accelerate over time.</p>
<p>I welcome your thoughts and comments...</p>]]></content:encoded>
      <pubDate>Wed, 09 Apr 2008 15:13:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sdl">sdl</category>
      <category domain="http://securityratty.com/tag/microsoft sdl">microsoft sdl</category>
      <category domain="http://securityratty.com/tag/sdl process">sdl process</category>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/sdl guidance">sdl guidance</category>
      <category domain="http://securityratty.com/tag/guidance">guidance</category>
      <category domain="http://securityratty.com/tag/secure">secure</category>
      <category domain="http://securityratty.com/tag/secure software development">secure software development</category>
      <category domain="http://securityratty.com/tag/development">development</category>
      <source url="http://blogs.msdn.com/sdl/archive/2008/04/09/microsoft-sdl-process-in-detail.aspx">Microsoft SDL Process in detail</source>
    </item>
    <item>
      <title><![CDATA[Prediction 3 - A major site gets hacked]]></title>
      <link>http://securityratty.com/article/615a6b31a4830cdddb948267d5d8c08c</link>
      <guid>http://securityratty.com/article/615a6b31a4830cdddb948267d5d8c08c</guid>
      <description><![CDATA[I'm not so sure about this one and I have been thinking about it for too long. If I take much longer my predictions will be very accurate because it will be December and I'll have hindsight

Online...]]></description>
      <content:encoded><![CDATA[I'm not so sure about this one and I have been thinking about it for too long. If I take much longer my predictions will be very accurate because it will be December and I'll have hindsight.<br /><br />Online service providers (Yahoo, Gmail (Google), Hotmail (Microsoft)) seem to take their security really seriously and that is great. I think that they are targets, but they are aware of this and they realise that an attack could render them dead. Their business is all about trust, and a loss of trust would break their business.<br /><br />However, the web was never designed to be so secure and application-based. It is meant to be static pages delivered non-sequentially (images load up when they can). This is not a very good base to have for a service.<br /><br />I see that the hackers are already playing with session keys and such. My prediction is that this year, or in the foreseeable future, malware (all kinds, including bots) will try to suck session keys from traffic and use them to steal information or perform unauthorised actions on "behalf" of a user. This has happened in the past, but I believe that it will become more widespread, targeted and automated.<br /><br />Example possible attack scenario: "Bob logs onto Gmail from an infected PC. Logging into his account wakes up the malware, which either forwards the session key to the attacker or drafts an email to the attacker from Bob with a list of all his contacts. The attacker sells these good email addresses to a spammer. Or the malware downloads a preconfigured spam message and sends the message to all of Bob's contacts. All of this happens in a scripting environment and Bob is not aware of anything strange because no windows pop up."<br /><br />If this is happening already then I apologise for coming to the prediction party late, and I'll just predict that it will increase until HTTP is replaced with something else, new online standards are developed for services, or it becomes as bad as spam is today.]]></content:encoded>
      <pubDate>Fri, 01 Feb 2008 07:35:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/bob logs">bob logs</category>
      <category domain="http://securityratty.com/tag/malware downloads">malware downloads</category>
      <category domain="http://securityratty.com/tag/prediction">prediction</category>
      <category domain="http://securityratty.com/tag/bob">bob</category>
      <category domain="http://securityratty.com/tag/suck session keys">suck session keys</category>
      <category domain="http://securityratty.com/tag/session keys">session keys</category>
      <category domain="http://securityratty.com/tag/foreseeable future malware">foreseeable future malware</category>
      <category domain="http://securityratty.com/tag/online service providers">online service providers</category>
      <source url="http://feeds.feedburner.com/~r/SecurityThoughts/~3/227182747/prediction-3-major-site-gets-hacked.html">Prediction 3 - A major site gets hacked</source>
    </item>
    <item>
      <title><![CDATA[BAM Solutions for CEP Engine Users]]></title>
      <link>http://securityratty.com/article/2a967ec295594e35edf3df97c0050fd7</link>
      <guid>http://securityratty.com/article/2a967ec295594e35edf3df97c0050fd7</guid>
      <description><![CDATA[Today I noticed that SL Corporation has revamped their websitewith a newpage, Solutions for CEP Engine Users .The page is well written, reinforcing some of my earlier posts on the value proposition...]]></description>
      <content:encoded><![CDATA[<div class='snap_preview'><br /><p>Today I noticed that <a target="_blank" href="http://www.sl.com">SL Corporation</a> has revamped their website with a new page, <a target="_blank" href="http://www.sl.com/solutions/cep.shtml">Solutions for CEP Engine Users</a>.    The page is well written, reinforcing some of my earlier posts on the value proposition for CEP; so I hope the folks at SL don&#8217;t mind if I repost their excellent thoughts on BAM and CEP here. </p>
<p><a target="_blank" href="http://www.sl.com/solutions/cep.shtml"><strong>Solutions for CEP Engine Users by SL Corporation</strong></a></p>
<p>© 1999-2008 Sherrill-Lubinski Corporation. All rights reserved.</p>
<p>Complex Event Processing (CEP) is a relatively new technology that is used to help companies detect both opportunities and threats in real-time with minimal coding and reusable key performance indicators (KPIs) and business models. Just as services are shared and reused in a SOA, CEP permits the sharing and reuse of KPIs in business activity monitoring while efficiently processing events so businesses can act on situations that impact business and take advantage of real-time processing.</p>
<p>Business activity monitoring, often referred to as BAM, is the capability that Gartner and other distinguished analysts use to describe this visualization capability in the business world. BAM introduces a human element to CEP. It is well-established that the human mind is, today and for the foreseeable future, far superior to machine intelligence in making sense out of complicated situations and events. Therefore, BAM is critical to the success of any complex event processing (CEP) solution.</p>
<p>Depending on an organization’s mission, BAM can be used at various levels within an event processing solution to help users visualize and understand the dynamics behind rapidly changing situations and critical business events. In other words, BAM plays a key role wherever there is a need for better insight into the myriad events that affect your business operations.</p>
<p>BAM provides real-time visualization and alerting capabilities for users to better understand how business events impact their organization. BAM software permits users to quickly prototype, build and deploy event processing business solutions. For example, a telecommunications company would find BAM useful to achieve event-driven SLA monitoring and management; and a large retailer would find BAM important as they stay on top of business-critical events in their supply chain.</p>
<p>Insight gained from BAM, in concert with event processing solutions, enables organizations to make better and faster business decisions so they can rapidly sense and respond to threats, problems and opportunities. BAM solutions permit applications to be designed, deployed and modified rapidly with minimal or no coding, resulting in significantly lower development costs. Therefore, a key benefit of BAM in real-time event processing solutions is that KPIs can be deployed, monitored, revised, reused and utilized, economically and rapidly.</p>
<p>Depending on the business application, BAM-enabled visualization is required at numerous levels in an event processing architecture. For example, events from across the enterprise are typically processed by CEP software platforms from companies such as TIBCO, BEA (soon to be Oracle), Progress Apama, StreamBase, Aleri, and Coral8.</p>
<p>Long before KPIs are displayed to the business users, BAM tools can be configured to assist application developers to monitor and visualize the raw event stream. For the developer, their business is developing applications, and BAM can be very useful when designing KPIs for event processing applications.</p>
<p>Fine-tuned KPIs that have been derived from an event processing application are displayed to the business user. These KPIs can indicate risks, threats, problems, opportunities and other emerging business situations that impact the business.</p>
<p>BAM, in concert with state-of-the-art event processing software, provides the framework for a complete sense-and-respond capability for businesses. Processing raw events and event streams for business opportunities and threats requires robust and rapidly deployable visualization solutions. This is the reason that many distinguished analysts believe that BAM and CEP are complementary and critically interdependent core business capabilities. We at <a target="_blank" href="http://www.sl.com">SL Corporation</a> agree, and are pleased to be the leading BAM visualization platform in the event processing/CEP ecosystem today.</p>
<p>© 1999-2008 Sherrill-Lubinski Corporation. All rights reserved.</p>
</div>]]></content:encoded>
      <pubDate>Wed, 23 Jan 2008 07:50:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cep">cep</category>
      <category domain="http://securityratty.com/tag/cep engine users">cep engine users</category>
      <category domain="http://securityratty.com/tag/users">users</category>
      <category domain="http://securityratty.com/tag/impact">impact</category>
      <category domain="http://securityratty.com/tag/business events impact">business events impact</category>
      <category domain="http://securityratty.com/tag/bam">bam</category>
      <category domain="http://securityratty.com/tag/cep permits">cep permits</category>
      <category domain="http://securityratty.com/tag/events">events</category>
      <category domain="http://securityratty.com/tag/myriad events">myriad events</category>
      <source url="http://thecepblog.com/2008/01/23/bam-solutions-for-cep-engine-users/">BAM Solutions for CEP Engine Users</source>
    </item>
  </channel>
</rss>
