Trust Is For Suckers: Lessons From the RSA Breach
wiredmikey writes "Andrew Jaquith has written a great analysis of lessons learned from the recent RSA Cyber Attack, from a customer's perspective. According to Jaquith, in the security industry, 'trust' is a somewhat slippery concept, defined in terms ranging from the cryptographic to the contractual. Bob Blakley, a Gartner analyst and former chief scientist of Tivoli, once infamously wrote that 'Trust is for Suckers.' What he meant is that trust is an emotional thing, a fragile bond whose value transcends prime number multiplication, tokens, drug tests or signatures — and that it is foolish to rely too much on it. Jaquith observed three things about the RSA incident: (1) even the most trusted technologies fail; (2) the incident illustrates what 'risk management' is all about; and (3) customers should always come first."
The problem is that trust is also required to have a functioning society. The higher the trust, the better a society can function. The lower the overall trust (more corruption), the less effective it is. I think "Trust but verify" is the best.
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.
RSA was hacked, ultimately, because of short-term MBA thinking (I have one, so I know the type). If there's only a 10% chance of a serious security breach, then 90% of the time you can scrimp on security, and you won't merely get away with it, you'll be rewarded for "doing more with less". This same dynamic is often seen in both Wall Street and Washington.
I really wish we were required to read Nassim Nicholas Taleb's "Fooled by Randomness" and "Black Swan" in school, instead of Thomas Friedman's dreck. At least they couldn't say they weren't forewarned.
Of the people who I've talked to with RSA tokens, most have said they're now actively planning a migration off of RSA tokens.
It isn't that they were hacked. Shit happens, even to the best of them. It was the lack of information and lack of transparency by RSA (EMC) on the whole event. Trust has been lost.
I'm not talking about public statements or mea culpas. I'm talking about why they weren't 100% open and upfront with existing customers right away. It gives the impression that EMC's execs were hoping no one would get hacked and it would all fade away over time. That they could just ride this out and weren't going to have to fork over a boatload of cash to replace everyone's tokens, thus not taking a hit on their stock or bonuses.
They were wrong, and now the price they are going to pay is not only replacing everyone's tokens, but a loss of trust and hence future business.
Speaking of trust issues, quoting a Gartner analyst?
Anyway, back to the matter at hand: This article seems like a particularly bad situation for the two sharply different definitions of "trusted" to come into collision without very, very careful elucidation.
On the one hand, you have the usual social usage of "trust": more or less "the belief that a person or device will do what it says/act in good faith/do what it says on the tin/etc."
On the other, you have the paranoid security wonk definition of "trusted": "the state of being a component of the security system whose overall integrity depends on your integrity as a component."
The two could really hardly be more different while still occupying the same word. The former is socially valuable, and societies become dystopian hellholes without it; but it is a very poor ingredient upon which to build technologically secure systems. The second is an unfortunate necessity; but it is one of the marks of a good security system that it knows exactly what parts of the system are 'trusted' and what parts need not be. (A second, and important, mark of a good security system is that the set of 'trusted' systems has been culled as much as possible, and that no 'trusted' systems remain that you do not have good reason to 'trust' in the usual social sense.)
In the case of RSA, you really had a massive failure on both counts: In the social sense of "trust", RSA arguably oversold the security of their solution, was intensely cagey about the break-in until breaches at major defense contractors forced their hands, and generally fucked around as though they were trying to burn social trust. In the infosec sense, the fuckup was that, by retaining all token seed keys, RSA made themselves a 'trusted' component of every customer's security infrastructure. It is an architectural limitation of the RSA system that there must be a trusted system, with access to the seeds and an RTC, in order to perform authentication attempt validations. However, it is not a requirement that there be other online seed stores out of the customers' control. By making themselves an extraneous, excess, trusted system, RSA weakened all their customers' security. Now that they are a 'trusted' component that no sensible people have social trust in, they are finding themselves written out of a fair few security architectures...
That is the real crux of the matter. From what I've heard (both publicly and informally from friends working in IT at largish RSA customers) the hack was some seriously sophisticated work, rather than somebody walking in through an unlocked door. However, it barely matters how tough their security is; because they never should have set themselves up as part of their customers' systems in the first place. Had the customers done the keyfill for the tokens, it wouldn't have mattered whether they had been hacked or not.
I agree mostly with that - but not to the full extent. I lost faith in this company quite some time ago, once I had seen their Authentication Management product (software required to authenticate against tokens). It is clearly a crap-quality product made by MBAs for MBAs. It looks like it's been severely crippled by some cheap outsourced programmers (typical corporate attitude - "cutting costs"). This particular breach mainly confirmed my earlier opinion about RSA.
Losing reputation also takes quite a long time - some MBAs worked hard to turn their products into very expensive crap. Those "5 minutes" are the instant when everybody realizes it.
A one page article. Ahhh relief.
From my understanding, the RSA breach basically broke into the database that ties serial numbers to the internal "secret" that's used to generate OTP's. So go back to before the breach, and assume you're an RSA customer. To be their customer, you have to trust them. You can trust them to:
Note that options 1 and 3 are mutually exclusive. Now, it would be nice to be able to choose your level of risk tolerance yourself and decide on #1 vs #2 + #3, but there are a reasonable number of customers who actively dislike being forced to make choices. And there would be a whole lot of customers who would be really mad if, after losing their database, were told by RSA "Sorry, all of your tokens are now useless keyrings. No choice but to replace them all"
To me it's like the evolution of passwords. In the beginning, if you forgot your password, your admin could tell you what it was. Then passwords got hashed, and your admin couldn't tell you what it was, but could reset it for you, and security was enhanced. Then passwords were used as encryption keys, and now your admin couldn't tell you what it was or reset it. If you forgot it, your data was gone. Once again, a security enhancement, but now a greater danger of data loss through forgetfulness.
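The two comments above (the one about RSA keeping every token's seed and so making itself a 'trusted' component, and the one about the breach being a database that ties serial numbers to the OTP secret) boil down to one architectural question: who holds the seed database. The following is an added example, not code from the article, from RSA, or from any commenter. It models a seed-based token deployment in Python to show the difference between vendor keyfill (vendor generates seeds and keeps a copy) and customer keyfill (customer generates seeds, no vendor copy). Assumptions: the token algorithm is RFC 6238 TOTP over HMAC-SHA1, used here only as a stand-in (the real SecurID algorithm is different, but the seed-handling argument does not depend on it); the serial numbers are constructed for the demo; the 60-second step and the one-step skew window are arbitrary choices.

```python
"""Added example (not from the article, RSA or any commenter): a toy model of
a seed-based OTP token deployment, showing why a vendor-held copy of the seed
database is an extra 'trusted' component and why customer keyfill removes it.

Assumptions (not in the original thread):
- RFC 6238 TOTP over HMAC-SHA1 stands in for the real token algorithm.
- Serial numbers, step size and skew window are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 60  # seconds per OTP (assumed)


def totp(seed: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238: HMAC over the time counter, dynamic truncation, mod 10^digits."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class AuthServer:
    """The customer's validation server: the one unavoidable trusted component.
    It must hold every seed and a clock (the 'RTC') to validate attempts."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}  # serial -> seed

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def validate(self, serial: str, code: str, t: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        # Accept the current step plus one step of clock skew either side.
        return any(hmac.compare_digest(totp(seed, t + d * STEP), code) for d in (-1, 0, 1))


def vendor_keyfill(serials: list[str]) -> tuple[dict, dict]:
    """Vendor model: vendor generates the seeds, ships tokens pre-seeded, and
    keeps its own copy. Returns (customer_db, vendor_db); vendor_db is the
    extra seed store outside the customer's control."""
    db = {s: secrets.token_bytes(20) for s in serials}
    return dict(db), dict(db)


def customer_keyfill(serials: list[str]) -> tuple[dict, dict]:
    """Customer model: customer generates and loads the seeds itself.
    There is no vendor copy to steal."""
    return {s: secrets.token_bytes(20) for s in serials}, {}


def attacker_can_login(stolen_db: dict, server: AuthServer, serial: str, t: int) -> bool:
    """An attacker holding a stolen seed database plus a target's serial number
    (and a clock) computes a valid OTP without ever touching the token."""
    seed = stolen_db.get(serial)
    if seed is None:
        return False
    return server.validate(serial, totp(seed, t), t)


def demo(keyfill, t: int = 1_700_000_000) -> tuple[bool, bool]:
    """Enroll two tokens under the given keyfill model, then report
    (legitimate login works, attacker with the vendor's database gets in)."""
    serials = ["000123456", "000123457"]  # constructed serials
    cust_db, vendor_db = keyfill(serials)
    srv = AuthServer()
    for serial, seed in cust_db.items():
        srv.enroll(serial, seed)
    legit = srv.validate("000123456", totp(cust_db["000123456"], t), t)
    breached = attacker_can_login(vendor_db, srv, "000123456", t)
    return legit, breached


if __name__ == "__main__":
    print("vendor keyfill  (legit, attacker):", demo(vendor_keyfill))
    print("customer keyfill (legit, attacker):", demo(customer_keyfill))
```

With `vendor_keyfill` the vendor's copy of the database is as good as the customer's own, so a breach at the vendor yields working logins for every serial; with `customer_keyfill` the same breach yields nothing, because the only seed store is the one the customer runs. The customer's server is still trusted in the infosec sense either way, which is the commenter's point: that one trusted component is unavoidable, the second one was not.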
It's a decade and a half since I studied a security masters, but I seem to recall Someone Who Knew saying approximately this: in the vast sweep of history, it hasn't tended to be the technology that's failed (unless it's laughably weak in the first place), but the humans handling the technology. If we assume the worst case about the RSA hack, that a big file full of token serial numbers, shared secrets and end-customer details went missing, then this is a human failing. That is, some dumbass probably left that lot online and connected to the network rather than offline. Agree with other commentary too, that their handling of the entire incident has been shocking. If you say nothing, people assume the worst. If you tell people that it's happened, how is this different, aside from demonstrating that customers' interests come first? Duh.
RSA _was_ trusted by the suckers. Come again, what is a "most trusted" service?
"(1) even the most trusted technologies fail;"
Uh, dudes.
THE INTERNET IS NOT SECURE
If you hooked your database up to the Internet, then you are the fail.
I keep saying that "I don't get paid to trust people", here at work ~ most of my job is to find bugs and squash them, whether in the code or in the model files. Some days it's the model, some days it's the software, some days it's the user. Then I talked to my neighbor and learned about his soon-to-be-ex wife problems. That simply reinforced the point that I don't get paid to trust people. Then RSA, Sony, and everyone else got hacked. That really reinforced the point. So hey, don't trust people. Trust the facts instead.
Yubikey has secure tokens that you can "seed" yourself, for use with your own authentication servers. The scam is that RSA made some idiots think there was no way to do this without their auth servers; thereby fooling fools into using a less secure system with a mandatory recurring payment for RSA (to access the auth servers).
Additionally, I prefer the model that has RFID for physical access.
Relying on an outside source to have our crypto keys is just adding another point of failure. EVERYONE relying on them is just creating THE BIGGEST point of failure possible... Every time I talked to security minded folks that used RSA tokens, I asked them, "So. How secure are RSA's servers? You do any security audits on them lately?" The blank expressions were priceless.
I think it's actually a bad platitude, because "verify" is always implemented as a nested trust, and that trust often turns out to be serial but the platitude glosses over that.
It goes like this: Is this person authorized to enter the building? Yes, probably, or else why would he be at the door? Well, let's verify: does he have a keycard? Yes, he has a keycard, and we trust the keycard. Why do we trust the keycard? Because only party X has the secret number hidden within it. How do we know that? Because they say so.
If any one of those things that you trust goes wrong, you lose. Not that "trust but verify" is really wrong but it isn't explicit about what "verify" really means, so you can follow the "trust but verify" rule of thumb and still screw up.
I think "Require an amazing conspiracy" is best. That makes what you really need more clear. You want several failure probabilities to get multiplied to determine the probability of the system failing. That's where multi-factor authentication comes in, the concept of "require 3 moderately trusted certs" OpenPGP default comes from, etc.
And almost all of these ideas are ignored in most mainstream "security." *sigh* We use complete reliance on any single CA in https, for example. https, one of the most important things for commerce on the net, and we get it totally wrong. Lame. I can't help thinking, though, that the dumbfuck who thought it up believed he was doing "trust but verify."
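The comment above makes a point worth working through with numbers: a "verify" step that is really a chain of trusted assertions (keycard, secret inside it, vendor's word) fails when any one link fails, whereas "require an amazing conspiracy" means several independent controls must all fail at once. The following is an added example, not code from the article or from any commenter. It models both structures in Python and adds a small OpenPGP-style validity rule (one fully trusted signature, or three marginally trusted ones) of the kind the commenter mentions. The per-link failure probabilities are made-up inputs for illustration; the multiply-through is the general rule for independent events, so the example goes slightly beyond the keycard story in the comment.

```python
"""Added example (not from the article or any commenter): serial trust chains
versus conjunctive ('conspiracy') controls, plus an OpenPGP-style validity rule.

Assumptions (not in the original thread):
- Failure probabilities are illustrative and the events are independent.
- The OpenPGP threshold (1 full or 3 marginal signatures) is the classic
  default the commenter refers to; the signer names are constructed.
"""
from math import prod


def p_chain_breaks(link_failure_probs: list[float]) -> float:
    """Serial chain ('trust but verify' as usually practised): the chain is
    broken if ANY link fails. P(any fails) = 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in link_failure_probs)


def p_conspiracy_succeeds(control_failure_probs: list[float]) -> float:
    """Conjunctive controls ('require an amazing conspiracy'): the attacker
    wins only if EVERY independent control fails. P(all fail) = prod(p_i)."""
    return prod(control_failure_probs)


def keycard_chain() -> float:
    """The commenter's door example as a chain of assertions. Each probability
    is a made-up, illustrative chance that the assertion is false."""
    links = {
        "person at door is authorized": 0.05,
        "keycard is genuine, not cloned": 0.02,
        "only the vendor holds the card secret": 0.03,
        "vendor's claim about that is true": 0.10,
    }
    return p_chain_breaks(list(links.values()))


def multifactor_conspiracy() -> float:
    """Three independent factors, each with an illustrative 10% compromise
    chance; all three must be beaten together."""
    return p_conspiracy_succeeds([0.10, 0.10, 0.10])


def key_is_valid(signer_trust: dict[str, str], full_needed: int = 1, marginal_needed: int = 3) -> bool:
    """OpenPGP-style rule: a key is valid if it carries at least one signature
    from a fully trusted introducer, or at least three from marginally trusted
    ones. Values of signer_trust are 'full', 'marginal' or 'none'."""
    fulls = sum(1 for t in signer_trust.values() if t == "full")
    marginals = sum(1 for t in signer_trust.values() if t == "marginal")
    return fulls >= full_needed or marginals >= marginal_needed


def single_ca_https(ca_failure_probs: list[float]) -> float:
    """The https case the commenter criticises: a certificate is accepted if ANY
    one of the trusted CAs vouches for it, so adding CAs only lengthens a serial
    chain instead of building a conspiracy requirement."""
    return p_chain_breaks(ca_failure_probs)


if __name__ == "__main__":
    print(f"keycard chain breaks with p = {keycard_chain():.3f}")
    print(f"three-factor conspiracy succeeds with p = {multifactor_conspiracy():.3f}")
    print("key with 2 marginal sigs valid:", key_is_valid({"alice": "marginal", "bob": "marginal"}))
    print("key with 3 marginal sigs valid:", key_is_valid({"alice": "marginal", "bob": "marginal", "carol": "marginal"}))
    print(f"one of 100 CAs at 1% each goes rogue: p = {single_ca_https([0.01] * 100):.3f}")
```

The two functions differ only in whether the probabilities are multiplied directly or as their complements, but that is exactly the distinction the comment is drawing: four 'pretty safe' links in series are about 19% likely to have a bad one, while three 'pretty weak' independent factors that must all be beaten together get you to a tenth of a percent. The https line shows why a longer list of trusted CAs makes things worse, not better, under the any-one-suffices rule.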
Cally: My people have a saying: "A man who trusts can never be betrayed, only mistaken."
Avon: Life expectancy must be fairly short among your people.
Avon: Cally was murdered. So were most of her people.
They almost all lie. One of the jobs of a legal department in a large company is to ensure the marketing scum can promise you the moon and the stars and that when you find out what you actually got, you have no legal recourse.
The only way to deal with this is to a) have enough competence yourself to get suspicious early and b) hire independent, competent outside experts that cannot easily be bought or intimidated to evaluate the product. The amount of lying going on in the security industry is staggering.
If the guy's third point wasn't so blindingly obvious to him it makes me question his qualifications as a whole.
Sure, we'll buy your security solution. We'll just need a contract, an SLA, and your first born son and heir. No, you can't have mine - he's currently living with our biggest customer.
I think we'd see a bit more spending on the quality assurance department then, don't you?
Trust is not something you gain by marketing or fancy words - it is defined by what you do consistently. Trust takes a long time to be built, but can be lost in an instant.
Harvard Professor Robert Putnam's study showed that the more racially diverse a society is, the lower the levels of trust.
http://www.boston.com/news/globe/ideas/articles/2007/08/05/the_downside_of_diversity/
JUNE 28th, 2011 SOLVANG, California—iMagic Software, Inc, developer of Trustable Passwords, has retained investment banking firm, Nations Media Partners, to coordinate a potential sale of the company. iMagic Software has developed a patented software technology and algorithm that authenticates a user uniquely by the way they type a password. iMagic holds the only fundamental patent for typing recognition authentication. This methodology offers a high accuracy, equal to hardware biometrics, of authentication without a hardware solution. "Trustable Passwords allows a user to create a profile used to authenticate by only seven typing samples and can be completed in 15 – 20 seconds," Phil Boortz, President of iMagic Software, said in a statement. "The solution is easy to install on most existing web browsers, simply replacing your existing Username/Login."
"The potential application for this fully developed and tested software can be defined as anyone who uses a password and wants increased protection from unauthorized use," said Paul Spurgeon, President of Nations Media. "Content companies that sell a subscription service that wish to prevent sharing of subscriptions and passwords will use this software to prevent loss of revenue." "Online financial services companies such as banks, credit card companies and other online payment agencies as well as educational testing companies can safely authenticate a user without cumbersome hardware add-ons such as fingerprint recognition hardware."
No footprint is left behind by Trustable Passwords, meaning the authentication mechanism cannot be compromised by stealing a user's PC, phone or something else.
The software is fully developed and has been fully tested with selected clients over the past two years. Since the passing of the founder and developer of this software, Steven Bender, in 2010, the board has decided to explore a sale in 2011, the company stated.
This sale offers a unique opportunity for a purchaser to license the software over a myriad of categories or as a simple solution to internal and external authentication needs.