Slashdot Mirror
Real Security?
An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"
Come on, who uses passwords like '%33#Gt(;' nowadays.. especially with multiple logins.
Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"
As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Too much security isn't the issue here at all. It's improperly implemented security. Yes, more passwords can be more secure. But only if the passwords themselves are secure. Which is why it's usually good at some level to let users set their own passwords, so that they might actually remember them. Of course, some will set simple passwords. It's up to you how to filter that. But simply assigning strange passwords to people is not the answer. And not having the secure passwords at all is definitely not the answer.
In my case my employer added a re-curring RSA security key to read the outlook webmail, as i have been using evolution for, externally on my laptop for some time this rendered evolution useless, because it did not understand the promts for RSA keys. Then even if i use a web brwser i have to re-login every Hour. Really Annoying.
So a simple ssh tunnel into a work machine, and a modified transparent proxy setup(I had the GPL'ed source), and an iptables rule, and wow the webmail server always thinks i'm inside the firewall.
so while i'm doing the forward securely with ssh, they just annoyed me and i worked around it.
For example, back when I was going to the University and was living in a slummy student complex where everything that could be stolen was, I used to have a shitty car, and I used to leave my car doors unlocked at night. My car wasn't a good candidate for theft, but when it *was* stolen (it happened twice), it was for joyrides and at least the robbers didn't burst the locks.
So I guess, the software equivalent of that would be to not leave expensive data that could interest people on networked box, and make as much as your sensitive data as possible less sensitive, by simply publishing it. GPL code, for example, doesn't have to be protected.
I'm not saying everything should be released, far from it, but there's a lot of "hidden" data that could just be left readable by everybody, by changing some company policies and being a tad more open about everything, thus removing the desire/need to hack the box it's hosted on.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
The biggest problem I have with strong passwords for logins is that everyone seems to have a different idea of what a strong password is. Some people require the first 2 characters to be letters, some require length to be greater than 6 chars while others are a max of 6 chars, and so on.
:)
I have developed a password that I use on systems I can control that consists of 13 characters, both letters and numbers, and a & sign in for good measure. It makes perfect sense to me, I will NEVER forget this password, and you would litterally have to be able to read my mind in order to guess it. But most systems wont accept it for whatever reason or another, so I vary it slightly to conform to whatever rules are in effect. This creates a problem of about 5 variations of what I want my password to be.
I think people need to be educated on how to make a strong password. It should be up to the user to provide a strong enough password, because if the user can't remember it, then the entire process is pointless. We're supposed to show photo id at school to have our password retrieved for us, but it happens so often, that the people behind the counter just do it. How many other places do this same thing, because EVERYONE forgets their password?
Sorry for the long rant, but I felt the need to get all this off my chest
----
Squirrel
There was a time when I was upset by the fact that Linux accepts very strange characters in the passwords (the arrow keys for instance) that couldn't be typed into most GUI password fields. Now I realize that that's not a bug, it's an accidental feature. Effectively, root can't log in on a GUI (including gksu), on a machine so configured, which adds to the security of the system. Fake login screens are foiled by that trick.
(UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B A B) anyone?
-3Suns
~~~~
The Revolution will be Slashdotted
Does enforcement matter? I'd be lying if I said it didn't. However, the means in which it is dispensed is the issue. No one enforces a security policy? Don't be surprised when a stranger walks in the door. People enforce security like a police state? Don't be surprised when people in power abuse their abilities and allow their friends to skate around issues. Then, of course, there is the typical knee-jerk reaction when an event happens and everything is locked down to only be forgotten about two months later.
Use common sense, as it isn't common to most people. Tailor the security to the individual company; a meat processor protects their beef, Lockheed Martin protects missile technology--each is deadly in different ways.
--Chag
The human factor can screw you in more than just the social engineering scenerio. One of my favorites is personal firewalls. Since normal humans have no idea what *that* program file is or why it might want to talk on *that* port, they just hit 'yes', and let the attack right in, or they hit 'no', and dissallow a perfectly useful application.
My company now wants to deploy these magical devices to all employee computers and can't figure out what I mean when I say they'll make things less secure. I think this article was dead-on.
TW
The guy in the basement office has about as much control over this process as Pvt. Beetle Bailey does over the war in Iraq.
And really - would those same people who tape the password to the monitor tape their garage door key to the doorframe because "it is too much trouble to carry 3 keys around"? I have 15 keys on my keyring, personally, yet no one makes offensive statements about architects and locksmiths re: "door design".
sPh
I recently got into an argument with the head of the security program at the university I'm attending over a similar situation.
When resetting my password, which was not expired, I was required to go through a 20 minute online "security training" seminar. It was only 10 questions, but the site was so incredibly slow that clicking through the 10 questions (about 3 pages per question) took 20 minutes. The questions covered the basics of security (don't give out your password, etc.). Two of the "correct" answers were technically wrong.
After expressing my displeasure with the questionnaire and pointing out the technical problems, the administrator chastised me for "not thinking that security education was a good idea." I pointed out that I thought it was necessary, only he did a poor job of it. He missed the same thing that several security programs miss when educating the users:
Security training is useless if the user ignores it.
I was going to add is annoyed by it, but I can think of one security awareness activity that pissed off several people, but was highly effective.
After weeks of notifications about laptops needing to be secured when not attended (i.e. overnight), we went on a laptop finding mission. Any person that left a laptop not physically secured to his/her desk came in the next morning to find a slip of paper telling them where they could claim their laptop. Several people were very upset, but also remembered to lock up their laptops before leaving.
Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
Except that security measures necessarily are a human factor. Human nature cannot become the bottleneck in a system designed to work with / thwart human nature. You might as well say that all passwords should be 1MB of random binary culled from decaying atoms, or a 1GB flash disk welded to the spine of the user.
People have a limited memory. They generally remember three or four passwords. Deal with it. Either use biometrics, or a password culled from a sentence (as another poster suggested). Or do a dictionary attack on all user's passwords at signup time, and refuse anything in the OED. Or use one of those nifty word verification challenge-response things that are all the rage in web-facing pages.
People don't change their passwords. Deal with it. Either they're going to write them all down somewhere, or they're going to memorize them. If they write them down, they're succeptable to attack. If you force them to change their passwords, they can't be memorized. But if they are memorized, they can't be compromised with any method that would otherwise catch any login.
And yes, any network can be compromised. You have to reduce the risk, but you also have to work with the way that people work. I worked at a place with randomly generated 8 character ascii passwords. For security's sake, the password system was case-sensitive. For simplicity's sake, the passwords generated were all upper-case. Invariably, new hires were given the password as lower-case (which makes sense to us humans), and then wondered for weeks why it wasn't working yet.
I use a password storage system with 256 blowfish encryption, but the idea that I have to store passwords in a password-protected system is a little scary.
Security is the human factor. How do you give access to one person and not another? How do you verify identity? What can't be faked and / or given away? If by social engineering you mean sneaking into someone's job pretending to be the plant waterer, then stealing the password they have taped to their monitor, then yes, social engineering is part of being a l33t h4x0r. Mitnick's greatest exploits generally involved pretending to be one person to gain enough access to pretend to be another.
The ______ Agenda
I did some work for an internationally renowned company. Their IT department was (with good reason) obsessive about security.
To get your login, a representative of the IT department gave you a sealed envelope in person. Your manager was not allowed to receive it on your behalf under any circumstances.
To reset your password to the current day of the week, however, all you had to do was ring the helpdesk and say "I've forgotten my password, and my name is..."
There's resistence to changing this approach 'cos the complex password requirement and the enforced 30 day password expiration result in multiple daily requests for this.
Nicely illustrates the point, I think.
--- These are not words: wierd, genious, rediculous
As a security feature at work, we've started switching our more important boxes to key-only login. I've done the same to my boxes at home, for good measure. Now, I have 2 keys. One that lives on my box at home, and one at work. They don't exist anywhere else (other than a USB pen drive for backup), and will never be copied off of these drives. I use a relatively long passphrase (19 chars), but since I use ssh agents (and agent forwarding when it's safe enough to do so), I only ever have to type the passphrase once per day (the machine is set to forget the passphrase when I leave work).
Now if only all of those ecommerce type places would work with my public keys...
Do you really need reason for beer? Wingman Brewers
I had a similar experience at the Community College where I teach. After the Sobig, Blaster, etc. attacks of a few months ago, they (Information Technology) installed a McAfee program called "Stinger", which runs every time a user logs into the network, and (apparently) scans the hard drive for virus infected files.
Takes 10-12 minutes to run.
Classes are 50 minutes long.
Stinger responds to the STOP button
---> Illusion of Security!!!
Looking for a decent password?
"apt-get install pwgen" for a program that can produce (among other things) pronouncable passwords.
Or grab some dice and go to: Diceware.
(Posting as AC to prevent someone from guessing my real algorithm.)
I'd like to suggest a method for creating passwords for sites; I'm sure it's not unique to me, but it's effective, more secure than sticky notes, and not very time-consuming.
The technique is to use a simple algorithm to create the password, seeding it with a unique identifier from the location where the password is to be used. This way, you can remember the algorithm (even write most of it down if you like) and yet the password for each site is unique, and if stolen doesn't give the intruder access to any other site. (If your algorithm is good, it would make it hard for someone given 2 or 3 of your passwords to figure it out.)
For example with a site named "acmewidgets.com" my algorithm (modified) is:
My actual algorithm makes it a little harder to see english words in the final, but like the above produces a 8-character password (often one of the boundaries for password limits, e.g. 2-8 characters or 8-15 characters) with both mixed case and digits. It is almost always valid for password security checkers, and (in my opinion) is reasonably secure. And yet I never have to remember my password for various sites, I just recreate it on the fly.
And almost always, if a site is used often, even the complex-looking password it creates is not hard to memorize through the use of mnemonics. (The human mind is a wonderful thing.)
The above algorithm doesn't allow variations for more/less secure sites, or backups when passwords expire. (I hate expiring passwords. If the account is compromised, it's compromised...expiring the account every 6 weeks doesn't undo the damage.)
Anyone remember this? "My voice is my passport. Verify me."
Security is like Oxygen.
Some is better than none.
Too much and things tend to go up in flames.
Enough security that users do their best to ignore/circumvent it is counter productive
Most people forget CryptoGnomes "Golden Rules of Security":
One day, your security will be compromised.
More than likely, sooner than you think.
Almost certainly in some way you did not (perhaps even could not, reasonably) have expected.
What will you do then?
I'm sure you've all heard it said before security is a process, not a goal. The best you can ever hope to do, is make it harder for someone to breach your security than they think it's worth, and to have a plan for when someone comes along who thinks no effort is too much.
Either that or drop all your computers and networks into a large vat of suitably potent acid, and take up a new career; like basket-weaving.
Visit CryptoGnome in his home.
I've got hundreds of randomly generated passwords stored in Schneier's Password Safe (actually, it is a sourceforge project now). I don't have the faintest idea what any of them are. All I remember is the single password for Password Safe, which happens to be a 20+ digit combination of words, initials, numbers, and a couple of symbols -- all of which are easy for me to remember.
The password db is blowfish encrypted (yes, there are some cracking programs out there for it, but I'm not trying to keep the info from the NSA). Only two requirements: 1) don't forget the main password, 2) backup the Password Safe db to multiple places.
The only passwords I remember now are my ATM PIN number, the Password Safe pwd, and that single pwd that I use for every web site that demands registration to function (where I use a fake name as well).
Passwords are nice and all -- hell, mine come from pwgen -s -- but you need to be thinking HIGHER. Access control, executable space protection, OS fingerprint protection, and functional security to make programs generally behave. Look at GRSecurity. That in itself speaks volumes. I will illustrate this thread, and then go on through grsec:
Passwords:
- Passwords and password rule circumvention
This is where we seem to be stuck. What about the following:
PaX:
- Total of 1-2% performance overhead
- Enforce non-executable pages to block security exploits in programs
- Enforce non-writable executable pages to block security exploits
- Address Space Layout Randomization to increase difficulty of actually activating security exploits
- Privilaged IO blocking to avoid altering the kernel
- Blocking of direct writes to ram and kernel memory to avoid altering the running kernel and getting around security systems or inserting malicious code
- Hiding of memory mappings to avoid information leaking which would negate the ASLR advantages
Grsecurity:
- Includes PaX
- Blocks many operations from happening inside a chroot() jail, thus increasing security by disallowing programs to try to gain access to devices, processes, and filesystem data that they aren't supposed to access
- Imposes an Access Control List system to extend control of file and device access
- Hinders OS fingerprinting with several network protections that randomize various ID numbers in various types of packets
- Allows user auditing and signal logging to detect attacks
How much crap did I list besides password issues? Quite a bit. There's more to consider than "Is root's password 'secure1'?" How about "Can I cause SSH to overflow before I log in, clearing root's password out so I can log in as root and take over the system?"
Support my political activism on Patreon.
Bleh. Are his articles all like this? He has some anecdotes about bad security, with a "D'oh!" in between practically every paragraph---though that slows down after he gets tired of it, a page or two in. Then there's a story about a program called "Tresor" and some guy who had a weird problem with bundles acting like folders instead of application files. The assertion is made point-blank that this is an Apple bug, not a Tresor bug.
:-)
OK. Has this been reported or observed anywhere else? I've never heard of it, or seen it myself, though I've only been using OSX for a little under a year. If anyone can point me to a reference, I'd appreciate it. The article doesn't give any refs. I don't understand how he's so sure it's an Apple bug, unless it's so well-known that, gosh, everyone knows it's an Apple bug without even needing a link to, like, a Knowledge Base article or anything... but if it were that well-known, I hope I would know about it. So I have my doubts about this. If anyone knows one way or the other, I'd like to hear about it.
But really that's not the main point of the article, right? It's just one security flaw in a fairly specific situation. So the article, as far as I can tell, is a few anecdotes and a bunch of "D'oh!"s. Oh yeah, plus some insults and derision for all the programmers and the university professors who taught them. Thanks a lot, Tog.
His thesis---that security needs to be designed to actually make things secure, not theoretically securable---is, well, it's OK I guess. For one thing, he doesn't really argue for it---just provides anecdotes. That's not a coherent logical argument. Worse, it barely even ties in with the anecdotes anyway. So the hospital requires TOO MANY passwords. That does **not** make it theoretically securable, OK? (I can require 200 passwords, but it's not theoretically securable if the computer and fax machine are in the hallway.) He's right that security systems have to aim for real security, but he's wrong in saying that the problem is that people aim for "theoretical securability". Am I wrong here? Is there ANY theory of anything under which these systems are considered theoretically securable?
The only common thread I can think of, apart from inadequate security in general, is that the people who designed the security had an incomplete approach to security; they secured one part of the system (e.g., getting in with a password) way too much, and other parts (e.g., physical security of the fax machine) not enough. Or, they were unnecessarily protective, at the cost of user convenience (as in the VW radio example).
If I'm criticizing the article, maybe I should try to be constructive about it, right? I guess the anecdotes really point towards the two different themes in the previous paragraph: security model should be "complete", and there should be some kind of a balance between security and usability.
I may be wrong about my interpretation of his article. If there's a better way to read this article as it's written, please tell me. I suspect not, but hey. Or just call me a monkey, that's cool too.
Well, to wrap it up, he has a good point, basically, but no argument for it. Just a few isolated anecdotes, not all of which I believe. This is not high-quality writing. Sorry, Tog. I've read of few of your user-interface-design columns, and I liked them a little better. This one just didn't do it for me, I guess.
zach