Home
Contents
Search
Up

Opinions

 





The happenings of September 11th, 2001 are well documented by the various news agencies. My reactions to the changes in our world give rise to the topics of the following sections.

Canada in the World after the WTC disaster

My sons have both been in the Canadian Air Cadets, and I have been fairly active with the 583 Squadron here in the Maple Ridge, Pitt Meadows area. As a result, my sons both have what I see as a far more nationalistic and patriotic attitude towards Canada than many of their peers. Having said that, I find that neither of them are really well enough educated in the history of the world to truly understand what has happened and why, and to understand my attitude towards the US and the terrorists.

I grew up in the era of "the bomb", and understood its power and capabilities better than even my parents did, mostly due to my proclivity towards high technology, physics and such as my reading matter. Looking back from my 50 years as a Canadian, I am appalled at the changes in our attitudes towards patriotism and national identity. The "powers that be" seem to consider nationalistic pride and identity as politically incorrect. Instead of the United States' "melting pot" of peoples and cultures, we have pushed "cultural diversity" - to the point where we don't have any identity except that of our individual ancestors. About the only truly unifying aspect of Canadian culture has been Hockey night in Canada on the CBC, but even that is waning.

If I were truly paranoid, I'd say that the Canadian Federal government has actually worked at eviscerating the armed forces with the exception of those stationed in Quebec - but I'm not that paranoid, so I can only observe that we have no leaders who have served in or had any experience in any military unit.

We've stopped singing O Canada at school. We've stopped all manner of nationalistic "indoctrination" of our children, and we don't teach enough about Canadian history or world history to give them any base to understand what the world is all about.

Hopefully, this will change in this new world. 

(Internet) Security Today

As a natural follow-on to the work I've been doing with embedded network devices, I've spent quite a bit of my time recently reading about and working with Internet security software. Part of my consulting work for the past 20+ years has dealt with security in one form or another - from physical security, to employee training, to computer security, and I've always approached it from the "risk management" point of view. I've also tended to fairly radical demonstrations of the problems and solutions, but more on that later.

Today I received a pre-release copy of the NSA's "The 60 Minute Network Security Guide (First Steps towards a Secure Network Environment)" - their latest in a line of such documents which can be seen at www.nsa.gov under the security recommendation guides. In going over it to comment on it, I got to thinking about the changes that have come about in the Internet since I first got a permanent connection back in the late 80's, as well as the similarities between today's home/SOHO LAN and the multi-user Unix systems I used to install in small offices.

I'm also re-reading Bruce Schneier's "Secrets and Lies (Digital Security in a Networked World)" - and have been reading some of his and other's writings on various security web sites.

NSA's document seems to fall into the trap that many have, including by his own admission Bruce Schneier prior to Secrets and Lies, of expecting the hardware and software to do all the protecting, and assuming that the users and administrators are infallible. It advocates changing passwords every so many days, using systems to force password changes on users, and using long, convoluted passwords with a different one for each protected system.

In a perfect world, with perfect people, such instructions might actually be followed, and might make the systems marginally more secure.

In the real world, Sally will change her password every 30 days as her system forces her, alternating from one to another and back. 

In the real world, Ken, who has to deal with 7 different systems over the course of a month, will write down his passwords in his daybook.

In the real world, the cracker will phone the receptionist and pretend he is from the MIS department and ask her for her password - and she'll give it out without thinking.

In the real world, a thief will steal a laptop from the security checkpoint at the airport while the executive is being frisked to discover the nail clippers he has in his coat pocket.

Now, to be sure, the NSA's document and many others such as RFC-2196 (Site Security Handbook) are intended to provide a blueprint for at least thinking about security as much as they are about actually securing networks. The problem is that they don't go beyond the physical realm of the actual network to include the rest of the "system" surrounding it - the paper system, the human system, the physical security, etc. These documents must be put into the context of the overall needs and desires for security of those who use the systems.

Passwords, Pass-phrases and PINs

I'll highlight my concern about NSA's password suggestions. The concept of changing passwords every xx days and not using the same password for more than one system is great where there is complete control over the life of the password holder, or they have an IQ higher than 95% of the people in the world, i.e. the NSA or the military. In real life, it just doesn't work. In my experience, this leads all but the most security conscious (and even some of those) to write passwords down somewhere if they are complex, or choose too-simple passwords - especially if there are several/many different passwords needed, and use is infrequent. Many consumers can't even remember the PIN for their cash-card without writing it down - and that is typically only a few digits.

Far better to divide systems into a small number of categories, and use the same well chosen, complex password/phrase for all systems in each category - and not change it for long periods so it need not be written down. Categories might include:

bulletLAN workstation administrator account - in a single site (unlikely to be sniffed, and complex to change frequently) - change if/when administrative staff are replaced. In larger workplaces, there is a department with staff to look after such things - but in the home or SOHO, there is usually only the owner or head of the house. Changing the administrator password might be done if the business (or house) is sold with the systems intact. Even in larger businesses, the cost of changing passwords frequently is far to high compared to the risk of not changing them. The risk is that they won't be changed if/when someone with the password leaves employment.
bulletPersonal Workstation account - any workstation you use, wherever, or split by personal/business use. If you choose a secure password initially, and don't give it out or expose it to anyone (including the administrative staff - since they have the administrator/root password, they don't need it) then you shouldn't need to change it at all frequently. Using the same password on several systems, even (especially) if they are not on the same LAN, should not impact the security nearly as much as the risk of the user writing the password down somewhere or someone watching them type it in.
bulletLAN server admin account - might even be complete garbage in cases where root access is via SSH. I have administered many servers from my desktop system. When I log onto my desktop the system asks for my SSH passphrase once. Thereafter I can log onto any of the remote systems without having to retype the key. Note that this means I cannot leave my desktop system unattended without locking the screen - and that if I don't lock the screen with at least as secure a password as my key, I've compromised all the systems.
The point is that I don't need to know the root/administrator password for any of the other systems provided that my public key is in the authorized_keys file on the remote system. 
bulletBusiness E-mail/e-commerce/B2B accounts - via SSL/SSH so not sniffable. These types of accounts need to be established with trusted entities. If I don't trust my bank or my business partners, then I shouldn't deal with them. This involves making a value judgment, and may mean that I'll have to change all such accounts' passwords if any one of them abuses the trust in some way. In all cases, the account password should be something that I can set, and that I know is stored only in encrypted form by the service. 
bulletFinancial PINs - but guard them well from shoulder surfers and keep cards in sight at all times if in the hands of clerks, etc. Change at "cusps" such as card expiry or on your birthday. The biggest problem with bank-card PINs is that they are compromised by carelessness, not cracking. Shoulder-surfers (watching over your shoulder via camera or binoculars, or standing close by you) see you put your PIN in - pick your pocket/purse for the card, or hold you up for it. Don't let the card out of your sight (clerks have been known to "double-swipe" a card through a hidden scanner) and don't let others know your PIN - even your spouse or kids. Having the same PIN on all your cards, provided it is not a short one, and provided that you take care not to let others see or have it, is much less risky than having so many that you have to write them down, or choose simple ones (such as all the numbers in one column, or row, or your birthday, etc.).
bulletOther WAN accounts (Hotmail, Yahoo, Netscape, magazine subscriptions, etc) - plain text, little need to be more than a way to slow crackers down - sniffable - this is the only type of account I'd change passwords on at all regularly (not frequently) - and then change them all as they "come due" (renew subscriptions, etc.) to the same new password. Using these services, you are open to far more varieties of abuse than someone reading your e-mail or messages. Again, using the same password doesn't lower your security - you should assume you don't have any to begin with, and govern your uses of the service accordingly. Don't send sensitive information through them, and don't assume the recipient is the only one who will read things - or that you are receiving from who you think someone is. Of course you should also know about Echelon and Carnivore - the spy agencies' eavesdropping systems.
bulletPublic workstations/terminals - Library, malls, etc. - only use them for the "other" WAN account activities - and wash your hands afterwards ;) These types of systems - where you don't know what software is in them, who owns them, who administers them, and how they are connected to the rest of the world - should be treated with care. Don't use them for anything that you don't want posted on a signboard outside your house.
bulletPDAs and other portable devices, especially wireless (cell phones, web-pads, etc.) - unless you know they have been set up to be secure, treat them as if they are being listened to by anyone within range. This applies to your normal cordless telephones too by the way.

In all cases, choose a password/phrase/pin as long as possible up to 60 characters using the mixture of case and non-text characters suggested in the document - using the shortest of any category to determine what is used for the rest in that category if systems won't ignore extra characters. Shun services that restrict PINs and passwords to less than 6 characters (and all that don't require passwords/PINS such as the new gas pump payment key-fobs)

If you still can't deal with these categories, at least divide your passwords up into those that are for your own systems, those that are for financial systems, and all the rest. This should leave you with a fairly secure password on your workstation and/or server, an equally secure one for web access to your bank and online trading, a secure PIN for your cards, and a simple password for the rest of the world. Then all you have to do is remember not to send anything damning or damaging through email or when filling in web-forms.

I'm Mean

I promised an example of what I've done in the past to get employees to understand my security concerns. In the retail and service sectors, many employees are young. While there are also problems with some employees actually stealing things themselves, most are honest, but don't think about security until they have met a problem in real life (a thief with a gun, or a mysterious loss) or had intense "paranoia" training. Both of these experiences are expensive to the business owner. 

I've been in the position of being the manager of staff both in the retail sector and in the service/office sector. At times, I've resorted to demonstrations to drive home a point after several warnings about insecure practices. Each time, the individual involved has finally understood the problem and learned the lesson.

I was general manager in an office with an emergency back door which was normally locked, and was in fact in the back of one of the offices which was not used all the time. The staff had the habit of using this back door to go the washrooms as it cut about 100 feet off the journey. The problem was that they didn't always take their key to get back in, they left the door unlocked instead. The first problem was the fact that the door was left unlocked at all, but since the business owner was one of the prime culprits, I couldn't cut its use out altogether. I did, however, insist that the door get re-locked ASAP since there were valuables in the office and it was out of normal sight lines from the rest of the offices.

One employee (the 18 year old receptionist) kept forgetting to re-lock the door when she returned. Even after several warnings about the problem, she still forgot.

Late one afternoon, after I saw her return from the washroom, I went out the front door, walked around to the back door, and removed the computer terminal from the office. Walking back in the front door with the terminal in my hands, I asked the receptionist if she wanted to purchase a computer terminal. Her response was "no, why?".

My answer was "to replace the one just stolen from the back office", at which point she turned white. Her attitude changed to the point where she became the one who asked people if they had re-locked the door - problem solved.

But I Managed the Risk

This was before the advent of the Internet as we know it. This particular office's computer system was part of the UseNet news/e-mail via UUCP, but was not continuously connected at that time. What it did contain, however, was the personal information of several thousand customers, including financial and historic items. I was not as worried about the information as I was about the terminal and other physical items around the office. The server was in a separate, physically secure area, and stealing the terminal was not in itself dangerous to the business. Even sitting down at it would not likely have gained any unauthorized person anything.

The SCO XENIX system it was connected to used the original Unix password facility. Up to 8 character passwords, stored in an encrypted form in a world readable file. The difference between then and now is that the processing power to crack the password file in a reasonable time simply didn't exist. The system was a '286 with 8 Megs of RAM and the primitive version of "crack" that existed even at that time would have taken several years to crack all but the most trivial 3 and 4 character passwords - and I had trained my users to use the full 8 characters allowable at that time, with random capitalization and at least one "non-normal" character.

The terminal didn't have any data writing facility (floppy disk or tape at that time), even if the cracker had gained access, and at the 19,200 bps rate the line ran at, it would have taken several days to transfer a significant portion of the data (I know, that's how I got it to the next generation system it was replaced with).

Today, the "terminal" in the back office would probably be a full PC - with local storage, and copies (or worse, originals with no backup) of all sorts of data on it. It is connected to anyone on the Internet by a high speed LAN, capable of transferring several years worth of an individual's documents in a few minutes. Stealing the data or compromising it so it can be used for spam or denial of service attacks can be done over the network. In fact, it can be done by "script kiddies", using tools they can find elsewhere on the network. 

But it can also be stolen physically - and that is every bit as dangerous as stealing the data remotely. 

Today, the risks are completely different from those of as few as 5 years ago, certainly from those of 15 years ago when this story took place... but they're still as much about physical things as they are about the network or the computers.

richard

 

Home ] Contents ] Search ]
Up ]

Copyright © 1993-2007 Richard C. Pitt - all rights reserved
Updated June 17, 2005