Latest Essays

Internet Shield: Secrecy and security

  • Bruce Schneier
  • SF Chronicle
  • March 2, 2003

THERE’S considerable confusion between the concepts of secrecy and security, and it is causing a lot of bad security and some surprising political arguments. Secrecy is not the same as security, and most of the time secrecy contributes to a false feeling of security instead of to real security.

Last month, the SQL Slammer worm ravaged the Internet, infecting in some 15 minutes about 13 root servers that direct information traffic, and thus disrupting services as diverse as the 911 network in Seattle and much of Bank of America’s 13,000 ATM machines. The worm took advantage of a software vulnerability in a Microsoft database management program, one that allowed a malicious piece of software to take control of the computer…

Locks and Full Disclosure

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2003

The full disclosure vs bug secrecy debate is a lot larger than computer security. Blaze’s paper on master-key locking systems in this issue is an illustrative case in point. It turns out that the ways we’ve learned to conceptualize security and attacks in the computer world are directly applicable to other areas of security—like door locks. But the most interesting part of this entire story is that the locksmith community went ballistic after learning about what Blaze did.

The technique was known in the locksmithing community and in the criminal community for over a century, but was never discussed in public and remained folklore. Customers who bought these master key systems for over a century were completely oblivious to the security risks. Locksmiths liked it this way, believing that the security of a system is increased by keeping these sorts of vulnerabilities from the general population…

We Are All Security Consumers

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2003

Computer security is vital, and IEEE is launching this new magazine devoted to the topic. But there’s more to security than what this magazine is going to talk about. If we don’t help educate the average computer user about how to be a good security consumer, little of what we do matters.

Dozens of times a day, we are security consumers. Every time we cross the street, we’re buying security. When we brush our teeth in the morning, we’re buying security. We buy security when we lock our door, or our car. When you reach down at a checkout counter to buy a candy bar and notice that the package has been opened, why do you reach for another? It’s because for the price of the candy bar, you want to also buy as much security as you can…

Should Vendors be Liable for Their Software's Security Flaws?

  • Bruce Schneier
  • Network World
  • April 22, 2002

Network security is not a technological problem; it’s a business problem. The only way to address it is to focus on business motivations. To improve the security of their products, companies – both vendors and users – must care; for companies to care, the problem must affect stock price. The way to make this happen is to start enforcing liabilities.

The only way to get many companies to spend significant resources to ensure the security of their customers’ data is to hold them liable for misuse of this data. Similarly, the only way to get software vendors to reduce features, lengthen development cycles and invest in secure software development processes is to hold them liable for security vulnerabilities in their products…

Results, Not Resolutions

A guide to judging Microsoft's security progress.

  • Bruce Schneier and Adam Shostack
  • SecurityFocus
  • January 24, 2002

Last week, Bill Gates published a company-wide memo outlining a new strategic direction for Microsoft. Comparing this to the change when the company embraced the Internet, Gates elevated security to Microsoft’s highest priority. By focusing on what he called “Trustworthy Computing,” Gates plans on transforming Microsoft into a company that produces software that is available, reliable, and secure.

“We must lead the industry to a whole new level of Trustworthiness in computing.” – Bill Gates internal memo, 15 January 2002.

Trust is not something that can be handed out; it has to be earned. And trustworthiness is a worthy goal in computing. But unlike performance goals or feature lists, progress toward it is hard to measure. How can we determine if one piece of software is more secure than another? Or offers better data integrity than another? Or is less likely to contain undiscovered vulnerabilities? How do we know if Microsoft is really committed to security, or if this is just another performance for the press and public? It’s not as easy as measuring clock speeds or comparing feature lists; security problems often don’t show up in beta tests.

As longtime security experts, we’d like to suggest some concrete ways to evaluate Microsoft’s (and anybody else’s) progress towards trustworthiness. These are specific and measurable changes that we would like Microsoft to make.

This is not intended to be an exhaustive list: building secure software requires much more than what we delineate here. Our goal is to provide a list of measurable recommendations, so that the community can judge Microsoft’s sincerity. Some of our recommendations are easier to implement than others, but if Microsoft is serious about security and wants to take a true leadership position, they can’t shirk any of them. Some of our changes are easier to verify than others, but it is our goal that all of them be independently measurable. In the end, the pronouncements and press releases don’t mean a thing. In security, what matters are results.

If we can distill our recommendations into a single paradigm, it’s one of simplicity. Complexity is the worst enemy of security, and systems that are loaded with features, capabilities, and options are much less secure than simple systems that do a few things reliably. Clearly Windows is, and always will be, a complex operating system. But there are things Microsoft can do to make even that complex system simpler and more secure.

Microsoft must focus its programmers on designing secure software, on building things right the first time…

Con: Trust, but verify, Microsoft's pledge

  • Bruce Schneier
  • CNET News.com
  • January 18, 2002

Microsoft Chairman Bill Gates should be given credit for making security and privacy a top priority for his legions of engineers, but we’ll have to wait to see if his call represents a real change or just another marketing maneuver.

Microsoft has made so many empty claims about its security processes—and the security of its processes—that when I hear another one, I can’t help believing it’s more of the same flim-flam.

Anyone remember last November when Microsoft’s Jim Allchin, group vice president, said in a published interview that all buffer overflows were eliminated in Windows XP? Or that the new operating system installed in a minimalist way, with features turned off by default? Not only did the Universal Plug and Play (UPnP) vulnerability that was found last month exploit an unneeded feature that was enabled by default, but it also was a buffer overflow…

The Case for Outsourcing Security

  • Bruce Schneier
  • IEEE Computer
  • 2002

Deciding to outsource network security is difficult. The stakes are high, so it’s no wonder that paralysis is a common reaction when contemplating whether to outsource or not:

  • The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore.
  • The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake…

Banners and Internet Protocols

You may already be vulnerable

  • Bruce Schneier
  • Dr. Dobb's Journal
  • November 2001

It used to be that when you connected to one of Counterpane’s mailers, it responded with a standard SMTP banner that read something like the following:

220 counterpane.com ESMTP Sendmail 8.8.8/8.7.5; Mon, 7 May 2001 21:13:35 -0600 (MDT)

Because this information includes a Sendmail version number, some people sent us mail that read (loosely interpreted): “Heh, heh, heh. Bruce’s company runs a stupid Sendmail!”

Until recently, our IT staff’s standard response was to smile and say, “Yes, that certainly is what the banner says,” leaving the original respondent to wonder why we didn’t care. (There are a bunch of reasons we don’t care, and explaining them would take both the amusement and security out of it all.)…

Protecting Privacy and Liberty

The events of 11 September offer a rare chance to rethink public security.

  • Bruce Schneier
  • Nature
  • October 25, 2001

Appalled by the events of 11 September, many Americans have declared so loudly that they are willing to give up civil liberties in the name of security that this trade-off seems to be a fait accompli. Article after article in the popular media debates the ‘balance’ of privacy and security—are various types of increase in security worth the consequent losses to privacy and civil liberty? Rarely do I see discussion about whether this linkage is valid.

Security and privacy are not two sides of an equation. This association is simplistic and largely fallacious. The best ways to increase security are not at the expense of privacy and liberty. Giving airline pilots firearms, reinforcing cockpit doors, better authentication of airport maintenance workers, armed air marshals travelling on flights and teaching flight attendants karate are all examples of suggested security measures that have no effect on individual privacy or liberties…

Efforts to Limit Encryption Are Bad for Security

  • Bruce Schneier
  • InternetWeek
  • October 1, 2001

In the wake of the devastating attacks on New York’s World Trade Center and the Pentagon, Sen. Judd Gregg (R-N.H.), with backing from other high-ranking government officials, quickly seized the opportunity to propose limits on strong encryption and “key-escrow” systems that insure government access. This is a bad move because it will do little to thwart terrorist activities and it will also reduce the security of our critical infrastructure.

As more and more of our nation’s critical infrastructure goes digital, cryptography is more important than ever. We need all the digital security we can get; the government shouldn’t be doing things that actually reduce it. We’ve been through these arguments before, but legislators seem to have short memories. Here’s why trying to limit cryptography is bad for e-business:…
