Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squids Have Personality |
| Counterfeiting an Entire Company »
April 29, 2006
Security in Comics: Missing the Threat
Over the Hedge.
Attackers are adaptable.
Posted on April 29, 2006 at 10:53 AM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Another great example of layered security at it's best. :-)
Cute cartoon, but in reality of course, they would have simply broken into a neighbor's garbage.
There is a value to overt overkill in a front line defence, deterrence. However this doesn't work if you are being specifically targeted only if you are "one of a pack".
That's why these impressive front line defences work against most burglars and muggers, but do not work against assassins or (for countries) terrorists.
Assassins will not choose another victim because it's convenient or easier.
Terrorists will not choose another country/target group because some points of their defence is well/over defended.
This is what comes from using simple personal analogies (burglars/muggers) for security versus actually thinking through the attackers complex motivations and likely actions to achieve what their goals may be.
Sun Tzu said (from memory) "know yourself and know your opponent, and you will be victorious in every battle".
It would seem to me that if you choose to ignore your actual vulnerabilities and don't wish to think about what your opponent will likely do, you are doomed to failure.
Sadly there is a lot of this going on these days and we are fortunate that our attackers aren't pressing the attack locally.
Extremely perceptive, David. We need people who think that way in Washington DC.
Attacker modes and motives vary. So do defensive strategies. There is such a thing as too much security creating a new vulnerability. You need to be prepared for threats ranging from the mild to the extreme, but spending too much time on preventing sniper attack is very embarrassing when your protectee dies of a heart attack and his bodyguards didn't know CPR . . .
Criminologists identified displacement theory many, many moons ago. You don't have to have security good enough to keep out criminals -- you just need to have better security than your neighbors.
Gentlemen, start your engines. Arms race, anyone?
There was a saying, "Generals are always fighting the previous war." Meaning that the first response is always one that was known to work in the past; which may or may not be useful in current conditions.
Sadly, we now see the same error being made within homeland security in many countries. Unless an airline with extrordinaryly bad security is discovered, the next major attack will not be via aircraft yet that seems to be the start and end of thinking in many parts of government.
We saw the effect of a small number of bombs on public transport within London. This resulted in clueless politicians calling for "airport style" security checks on the underground and buses. With this level of stupidity we are all doomed.
What happen to the one time use credit card number that been around since 2000.
The financial intitutions using this method says it keep your credit card number from being transmitted over the Internet and are still able complete the transaction. So why isn't this method being used. This sound like a solution for the credit card number and the third party storage of data problem. Now if we can solve the authentication problem, we would have this whole mess beaten.
Maybe there is something that I don't know
So can someone enlighten me
Unfortunately, these does not happen only in cartoons. Sadly I see it in company environment also. Almost everyone is resistant to change even the way they do is hard or costly. It is likely that we will experience many such cases in the future.
Not sure exactly what Citibank are doing, but it can't be truly a one-time card number; in a 16-digit number, with some structure to it, they have relatively few digits to play with (relative to the number of card transactions). They must be generating a 'random' number out of a certain range that's under their control, then presumably they mark that number not to be reused for a while, but they must reuse it sometime.
@Jim Dermitt-The answer is to use an offline encryption device (there are many of them) not connected to the OS. Any solution that is connected to the OS has been hackable. The "one time use credit card number" (google for more information) combine with the offline card reader will solve the problems: Authentication (Card Present, Multi-Factor), Personal information never transmitted over Internet, and no third party data storage. No need to educate on phishing, key logging, etc. Personal information is safe because it never leave you.
"Better security than your neighbour" only works if your neighbour's garbage smells as good as yours. If yours smells better - if what you're protecting has greater value to your attackers - you have to have significantly better security.
The displacement bit reminds me of some of the jokes heard while camping. These are the ones with the punch-line, "I don't have to run faster than the wolves / climb higher than the cougar, I just have to run faster / climb higher than you."
It is impossib;e to defend against terrorism.
The only way to defeat terrorists is to eliminate their need or their ability to continue. You eliminate their need by succumbing to their demands. You eliminate their ability by either killing each and ever one of them or by having their own social structure: in which they hide, nurture and feed themselves and their ideas: deem thier terroristic practices are no longer beneficial/acceptable
You must win the people.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.