Home
Contents
Search
Back
Up
Next

July - Security

 

January - Crime and Punishment
March - Iraq Fallout
June - Summer Solstice
July - Security
July - Speed
August - Fire
September - Smokers
October - parking fees
November - ponderings
Merry Christmas

(Internet) Security Today (revisited)

The following was originally posted as part of the "opinions" page for my October 2001 Digital Rag. I've changed some of it in light of such things as keyboard logging and my opinions of the new laws enacted or considered here in North America since 09/11.

As a natural follow-on to the work I've been doing with embedded network devices, I've spent quite a bit of my time recently reading about and working with Internet security software. Part of my consulting work for the past 20+ years has dealt with security in one form or another - from physical security, to employee training, to computer security; and I've always approached it from the "risk management" point of view. I've also tended to fairly radical demonstrations of the problems and solutions, but more on that later.

I received a pre-release copy of the NSA's "The 60 Minute Network Security Guide (First Steps towards a Secure Network Environment)" - their latest in a line of such documents which can be seen at www.nsa.gov under the security recommendation guides. In going over it to comment on it, I got to thinking about the changes that have come about in the Internet since I first got a permanent connection back in the late 80's, as well as the similarities between today's home/SOHO LAN and the multi-user Unix systems I used to install in small offices.

I'm also re-reading Bruce Schneier's "Secrets and Lies (Digital Security in a Networked World)" - and have been reading some of his and other's writings on various security web sites.

NSA's document seems to fall into the trap that many have, including by his own admission Bruce Schneier prior to Secrets and Lies, of expecting the hardware and software to do all the protecting, and assuming that the users and administrators are infallible. It advocates changing passwords every so many days, using systems to force password changes on users, and using long, convoluted passwords with a different one for each protected system.

In a perfect world, with perfect people, such instructions might actually be followed, and might make the systems marginally more secure. In the world of NSA, where your job (and their effectiveness) depends on the security of the systems you access and your not exposing their systems to break-in, the focusing effect of job security will be such that remembering a 30+ character passphrase for every system you use will be trivial - something like being able to recall your whole life when you are in danger of dying. Most other applications don't come with the threat of job loss or criminal conviction if you use a trivial password or write it down - pity ;)

In the real world, Sally will change her password every 30 days as her system forces her, alternating between 2 or 3 that she has used "forever" if the system will let her. Few off-the-shelf systems remember past-used passwords to check that you are not reusing an old one.

In the real world, Ken, who has to deal with 7 different systems over the course of a month, will write down his passwords in his daybook.

In the real world, the cracker will phone the receptionist and pretend he is from the MIS department and ask her for her password - and she'll give it out without thinking.

In the real world, a thief will steal a laptop from the security checkpoint at the airport while the executive is being frisked to discover the nail clippers he has in his coat pocket.

Now, to be sure, the NSA's document and many others such as RFC-2196 (Site Security Handbook) are intended to provide a blueprint for at least thinking about security as much as they are about actually securing networks. The problem is that they don't go beyond the physical realm of the actual network to include the rest of the "system" surrounding it - the paper system, the human system, the physical security, etc. These documents must be put into the context of the overall needs and desires for security of those who use the systems.

Passwords, Pass-phrases and PINs

I'll highlight my concern about NSA's password suggestions. The concept of changing passwords every xx days and not using the same password for more than one system is great where there is complete control over the life of the password holder, or they have an IQ higher than 95% of the people in the world, i.e. the NSA or the military. In real life, it just doesn't work. In my experience, this leads all but the most security conscious (and even some of those) to write passwords down somewhere if they are complex, or choose too-simple passwords - especially if there are several/many different passwords needed, and use is infrequent. Many consumers can't even remember the PIN for their cash-card without writing it down - and that is typically only a few digits.

Far better to divide systems into a small number of categories, and use the same well chosen, complex password/phrase for all systems in each category - and not change it for long periods so it need not be written down. Categories might include:

bulletLAN workstation administrator account - in a single site (unlikely to be sniffed, and complex to change frequently) - change if/when administrative staff are replaced. In larger workplaces, there is a department with staff to look after such things - but in the home or SOHO, there is usually only the owner or head of the house. Changing the administrator password might be done if the business (or house) is sold with the systems intact. Even in larger businesses, the cost of changing passwords frequently is far to high compared to the risk of not changing them. The risk is that they won't be changed if/when someone with the password leaves employment.
 
bulletPersonal Workstation account - any workstation you use, wherever, or split by personal/business use. If you choose a secure password initially, and don't give it out or expose it to anyone (including the administrative staff - since they have the administrator/root password, they don't need it) then you shouldn't need to change it at all frequently. Using the same password on several systems, even (especially) if they are not on the same LAN, should not impact the security nearly as much as the risk of the user writing the password down somewhere or someone watching them type it in.
 
bulletLAN server admin account - might even be complete garbage in cases where root access is via SSH. I have administered many servers from my desktop system. When I log onto my desktop the system asks for my SSH passphrase once. Thereafter I can log onto any of the remote systems without having to retype the key. Note that this means I cannot leave my desktop system unattended without locking the screen - and that if I don't lock the screen with at least as secure a password as my key, I've compromised all the systems.
The point is that I don't need to know the root/administrator password for any of the other systems provided that my public key is in the authorized_keys file on the remote system. 
 
bulletBusiness E-mail/e-commerce/B2B accounts - via SSL/SSH so not sniffable. These types of accounts need to be established with trusted entities. If I don't trust my bank or my business partners, then I shouldn't deal with them. This involves making a value judgment, and may mean that I'll have to change all such accounts' passwords if any one of them abuses the trust in some way. In all cases, the account password should be something that I can set, and that I know is stored only in encrypted form by the service. 
 
bulletFinancial PINs - but guard them well from shoulder surfers and keep cards in sight at all times if in the hands of clerks, etc. Change at "cusps" such as card expiry or on your birthday. The biggest problem with bank-card PINs is that they are compromised by carelessness, not cracking. Shoulder-surfers (watching over your shoulder via camera or binoculars, or standing close by you) see you put your PIN in - pick your pocket/purse for the card, or hold you up for it. Don't let the card out of your sight (clerks have been known to "double-swipe" a card through a hidden scanner) and don't let others know your PIN - even your spouse or kids. Having the same PIN on all your cards, provided it is not a short one, and provided that you take care not to let others see or have it, is much less risky than having so many that you have to write them down, or choose simple ones (such as all the numbers in one column, or row, or your birthday, etc.).
 
bulletOther WAN accounts (Hotmail, Yahoo, Netscape, magazine subscriptions, etc) - plain text, little need to be more than a way to slow crackers down - sniffable - this is the only type of account I'd change passwords on at all regularly (not frequently) - and then change them all as they "come due" (renew subscriptions, etc.) to the same new password. Using these services, you are open to far more varieties of abuse than someone reading your e-mail or messages. Again, using the same password doesn't lower your security - you should assume you don't have any to begin with, and govern your uses of the service accordingly. Don't send sensitive information through them, and don't assume the recipient is the only one who will read things - or that you are receiving from who you think someone is. Of course you should also know about Echelon and Carnivore - the spy agencies' eavesdropping systems.
 
bulletPublic workstations/terminals - Library, malls, etc. - only use them for the "other" WAN account activities - and wash your hands afterwards ;) These types of systems - where you don't know what software is in them, who owns them, who administers them, and how they are connected to the rest of the world - should be treated with care. Don't use them for anything that you don't want posted on a signboard outside your house. This is especially true for "Internet Cafe" facilities. The people who run (or at least set up) these are typically fairly technically competent and have no reason to respect your privacy except to retain their reputation - and I consider them to have no reputation to retain in general. Expect that the systems in these businesses have keyboard logging programs on them, either put there by the owners, or by other users, or by viruses/worms that the systems might be infected with. This means that even though your bank's web access portal has a button (such as this one on RBC's login page):
 
Enhanced Security :
(Recommended for access from shared or public terminal, internet cafe, or library. Select the check box.)

you still should not use such a public terminal for your banking!!! The keyboard logging on such a terminal will still be able to see your password and account information, no matter how secure the connection to the bank's site is - it sees it as you type it into the form, keystroke by keystroke.
 

bulletPDAs and other portable devices, especially wireless (cell phones, web-pads, etc.) - unless you know they have been set up to be secure, treat them as if they are being listened to by anyone within range. This applies to your normal cordless telephones too by the way.
 
Since I originally wrote this, the practice of "war driving"  has become rampant; driving along in urban areas with a laptop and WLAN (802.11x) card and some readily available software, finding open WLAN routers and sniffing traffic on them. In fact, it is well known that in many cities you can get Internet access with a normally configured laptop and WLAN card almost anywhere in the business district and in many areas of the residential districts just by walking around. While many of these sites are in fact set up to allow this purposely, the number that are simply poorly configured systems put up for the systems' owners with no thought about security needs or consequences is growing daily.

In all cases, choose a password/phrase/pin as long as possible up to 60 characters using the mixture of case and non-text characters suggested in the document - using the shortest of any category to determine what is used for the rest in that category if systems won't ignore extra characters. Shun services that restrict PINs and passwords to less than 6 characters (and all that don't require passwords/PINS such as the new gas pump payment key-fobs)

If you still can't deal with these categories, at least divide your passwords up into those that are for your own systems, those that are for financial systems, and all the rest. This should leave you with a fairly secure password on your workstation and/or server, an equally secure one for web access to your bank and online trading, a secure PIN for your cards, and a simple password for the rest of the world. Then all you have to do is remember not to send anything damning or damaging through email or when filling in web-forms.

I'm Mean

I promised an example of what I've done in the past to get employees to understand my security concerns. In the retail and service sectors, many employees are young. While there are also problems with some employees actually stealing things themselves, most are honest but don't think about security until they have met a problem in real life (a thief with a gun, or a mysterious loss) or had intense "paranoia" training. Both of these experiences are expensive to the business owner. 

I've been in the position of being the manager of staff both in the retail sector and in the service/office sector. At times, I've resorted to demonstrations to drive home a point after several warnings about insecure practices. Each time, the individual involved has finally understood the problem and learned the lesson.

I was general manager in an office with an emergency back door which was normally locked, and was in fact in the back of one of the offices which was not used all the time. The staff had the habit of using this back door to go the washrooms as it cut about 100 feet off the journey. The problem was that they didn't always take their key to get back in; they left the door unlocked instead. The first problem was the fact that the door was left unlocked at all, but since the business owner was one of the prime culprits, I couldn't cut its use out altogether. I did, however, insist that the door get re-locked ASAP since there were valuables in the office and it was out of normal sight lines from the rest of the offices.

One employee (the 18 year old receptionist) kept forgetting to re-lock the door when she returned. Even after several warnings about the problem, she still forgot.

Late one afternoon, after I saw her return from the washroom, I went out the front door, walked around to the back door, and removed the computer terminal from the office. Walking back in the front door with the terminal in my hands, I asked the receptionist if she wanted to purchase a computer terminal. Her response was "no, why?".

My answer was "to replace the one just stolen from the back office", at which point she turned white. Her attitude changed to the point where she became the one who asked people if they had re-locked the door - problem solved.

But I Managed the Risk

This was before the advent of the Internet as we know it. This particular office's computer system was part of the UseNet news/e-mail via UUCP, but was not continuously connected at that time. What it did contain, however, was the personal information of several thousand customers, including financial and historic items. I was not as worried about the information as I was about the terminal and other physical items around the office. The server was in a separate, physically secure area, and stealing the terminal was not in itself dangerous to the business. Even sitting down at it would not likely have gained any unauthorized person anything.

The SCO XENIX system it was connected to used the original Unix password facility. Up to 8 character passwords, stored in an encrypted form in a world readable file. The difference between then and now is that the processing power to crack the password file in a reasonable time simply didn't exist. The system was a '286 with 8 Megs of RAM and the primitive version of "crack" that existed even at that time would have taken several years to crack all but the most trivial 3 and 4 character passwords - and I had trained my users to use the full 8 characters allowable at that time, with random capitalization and at least one "non-normal" character.

The terminal didn't have any data writing facility (floppy disk or tape at that time), even if the cracker had gained access, and at the 19,200 bps rate the line ran at, it would have taken several days to transfer a significant portion of the data (I know, that's how I got it to the next generation system it was replaced with).

Today, the "terminal" in the back office is probably a powerfull PC - with local storage, a CD or even DVD writer, and copies (or worse, originals with no backup) of all sorts of data on it. It is connected to anyone on the Internet by a high speed LAN, capable of transferring several years worth of an individual's documents in a few minutes. Stealing the data or compromising it so it can be used for spam or denial of service attacks can be done over the network. In fact, it can be done by "script kiddies", using tools they can find elsewhere on the network. The securing of such PCs, whether at home, in the office, or on the road (laptops and PDAs) is the subject of another article.

The point of this article is that the securing information (the password/phrase) or the actual device can also be stolen physically or through guile (human engineering) - and that is every bit as dangerous as stealing the data remotely.

Today, the risks are completely different from those of as few as 5 years ago, certainly from those of 15 years ago when this story took place... but they're still as much about physical things as they are about the network or the computers.

richard

 

Home ] Contents ] Search ]
Back ] Up ] Next ]

Copyright © 1993-2007 Richard C. Pitt - all rights reserved
Updated June 17, 2005