Slashdot Mirror


NYT Magazine Says No Network Is Secure

bw writes "The NYTimes magazine explains why there is no such thing as a secure network. Along the way, it compares the attacks of script kiddies to a million monkeys firing catapults at random -- some attacks are bound to succeed. Also, Eugene Spafford thinks that after Y2K suits dwindle away, hungry lawyers will start looking at how the promiscuous connectivity of modern office apps can have dangerous side effects (think Melissa with a payload)." A truly excellent article! It's quite long, but worth the reading time, and if you don't have a (free) NYT login yet, this is the time to get it.

21 of 144 comments

  1. Passwords by Anonymous Coward · · Score: 2

    One serious issue of user convenience vs. network security is passwords. People have to know so many of them that duplicate passwords and/or easily accessible lists of them tend to proliferate. Furthermore, large numbers of passwords discourage changing them regularly. Currently I have six system passwords at work, one for my email software, and one for my phone. Outside of work I have an ATM PIN, PINs for several credit cards and two passwords for my home Linux box, and a password for my ISP. I also still have an account on a machine where I went to school. This is why I'm an AC, I've drawn the line at learning passwords for web sites.

    What's worse is that for better system security, passwords should be hard to guess which, unfortunately, makes them hard to remember. Over a dozen different hard to remember passwords that should be changed every couple of months is near impossible to manage.

    We need a better solution.

    Will

  2. Re:Great article for the non-literate masses by Ranger+Rick · · Score: 2
    What about computer terms?

    How about '--verbose'? :)

    --

    WWJD? JWRTFM!!!

  3. Security where you don't expect it by dmiller · · Score: 2

    The problem with pervasive networking and content enriched email is that it turns every old application into a security-critical application.

    Not so long ago it seemed that you could get away with not auditing the many large applications which are not set[ug]id and do not directly process data from the network.

    Nowadays even the most innocuous tool is going to have malicious data piped through it sooner or later - ghostscript, libjpeg, your cddb-enabled CD applet.

    While an attacker may not crack root directly through such attacks, it still lets them use your account - i.e. your email, PGP keys and personal files. They may still crack root later using keystroke sniffers, careless passwords or bugs in local setuid apps.

    The solution? We can start by making sure that all developers understand that security is a basic requirement for all software - you would think that this is a given, but alas security is usually an afterthought (if it is considered at all). Compilers like stackguard-gcc and languages with built-in security like Java will help, as will fast virtual machines that we can use to imprison suspicious code.

  4. Re:Too much security is a security flaw by sjames · · Score: 2

    ...so that the really valuable information is a needle in a classified haystack.

    That's a good point. The problem is the asymmetry in the process. You can get into a lot of trouble for failing to classify a document that needs to be, but no trouble for classifying a document that doesn't need it. Also, it's easy to get a document classified, but an extensive review is required to de-classify it. That's why we still have classified military secrets from WWI.

    Just imagine the harm if a terrorist group knew how many Sopwith Camels we have stationed around the country!

  5. Too much security is a security flaw by sjames · · Score: 3

    An important point made in the article is that overly paranoid security causes users to bypass ALL of the security. If you make users accept new randomly generated passwords each week, they will write them down. If you allow your audit procedures to take years, they will quietly install unapproved soft/hardware.

    The two most ignored aspects of security are determining what level of security is actually required in the first place, and minimizing the burden of the security on being productive.

    Of course, even when that's all taken care of, there will still be cases where truly paranoid security actually IS called for. At that point, the problem becomes one of employee education, and an HR issue. You can't have a secure system if your employees won't respect that security need, or if they are black hats. Especially in the latter case, security flaws are not the system admin's fault.

  6. There are problems with biometrics, though... by Millennium · · Score: 2

    The most major problem is that no matter what biometric you choose, there are people who lack that biometric (handprint scans are useless to someone missing that hand, for example). To reduce the number of people who can't theoretically use a biometric system, you have to use multiple biometrics, any one of which grants access. This, however, increases the possibility for error. Furthermore, there is only one biometric which everyone is guaranteed to have, namely DNA, however this one has two severe problems: privacy concerns and the fact that identical twins (and clones) have the same DNA, so the biometric is not totally unique.

    The other problem comes with theft. Nowadays, people will shoulder-surf or guess your password, or steal your token; either way you're rarely hurt. But I don't want to think of what they'd do to get my handprint or retinas.

  7. Re:Very Balanced Article by jimfl · · Score: 2
    I, too, have been in the situation of finding that too many "restrictions" cause the more savvy users ("power lusers") to attempt to subvert them.

    I'm glad to have seen it called out in print.

    This phenomenon points up the fact that most of the security functionality being implemented is aftermarket layers upon software systems which are inherently not secure, and not impedance-matched across platforms. Until information systems are designed from the bare-metal up with sound, standardized information security practices in mind, this phenomenon will persist.

    A successful attempt to subvert the security of a system should render it inoperable (like a dead man switch) and the data effectively lost to the author of the subversion and every one else until an authorized principal intervenes.

    The system also needs to distinguish sensitive data and non-sensitive data, secure conduits and insecure conduits--somewhat like Perl's taint mechanism. If inconveniences are only associated with sensitive operations, the users are less likely to revolt.

    --
    --Jim
  8. Re:systems wide open by T-Ranger · · Score: 2
    Well, actually, no...

    Suppose that all systems were open, then:

    1. no one would hack any system, most files on most systems are not very interesting and if there were no challenge in cracking them no one would bother.

    If you actually read the article, you would know that attacks come from 'script kiddies'. There is no challenge for them now. They would continue to attack networks for fun.

    2. Sysadmins would have time for more interesting things than building barricades around the systems. more work would get done.

    Sysadmins would spend 100% of their time fighting fires from the lack of security, and no work would get done. Even if the network is never attacked, they still would be fixing problems caused by lack of security. Another reason for security is to prevent internal users from doing what they shouldn't. Imagine if everyone could 'rm -rf /'

    3. if someone really needed to get access to some machine he wouldn't be stopped by security measures (I have some files on that machine but I don't have access anymore and all my important work has to wait until tomorrow when the sysadmin comes back in)

    Did you not read about grey networks? Secure data will migrate to insecure networks. Secure work will be done on grey boxes. And you seem to be implying that the sysadmin has supreme access to both networks. In anything but a day old unix box, sysadmin privileges are fragmented and customized to individual admins. It's hard to do this with the default security model on unix or NT. That's what NDS is for. unix is an all or nothing with suid's hacked in on top, NT by default grants everyone all access, and you have to explicitly deny rights. Only NDS on netware (or solaris, nt or cladara (?)) works sanely with ACLs and stuff.

  9. Re:A wall is as strong as its weakest brick. by T-Ranger · · Score: 2
    When it comes down to it, what you're talking about is authentication. Authentication is the root of all security, proving to something (or someone) that you are who you say you are.

    There are three forms of authentication. Something you have, something you know, and something you are. The first is something like a key, or a (magnetic stripe on a) credit card. You use a key to authenticate yourself to a door, or the ignition on your car. You might use a mag stripe to do the same, open a door.

    Something you know, is a password, or a pin, simple enough.

    Something you are is biometrics. Fingerprint scans, retina scans, facial recognition, DNA, etc.

    Good authentication requires two of these, preferably one being biometrics. To get money out of an ATM you need to have a bank card, and you need to know your PIN. To enter a secure room you may need all three, a PIN, a mag card, and a guard to match your face to the picture on your ID badge.

    Since remembering a password is hard (*cough*) people given the choice will choose easy passwords, or not, write it down and tape it to their monitors. Either method doesn't help security at all. If logging in requires a fingerprint scan instead of a password, then you're double better. Fingerprint scans are more secure to break than good passwords and you can't tape your finger to your monitor.

    It's not impossible to make a system that is both easy to use and secure. Unfortunately systems are never both because sysadmins and developers don't realize that users will subvert security if it's hard to use.

  10. A wall is as strong as its weakest brick. by BiGGO · · Score: 2

    The problem is that it doesn't matter how hard you work to secure your network,
    if your user will tell his password to someone else, your work is in vain.

    Melissa, ExploreZip, and Happy99 are good examples of this.
    You try to build a good secure system for your users,
    which in fact are smart enough not to tell anyone their passwords.
    But the users made the mistake of having friends with Outlook...
    (they are smart enough not to run exe files they get by mail)
    Bam! Your mailserver is flooded.
    (I think a solution would be to discard messages with "X-Mailer: Microsoft Outlook"
    and tell the sender about security problems with it)


    What you can do is to revoke access for "security hazards".
    If a user is too dumb to tell his password, tell him not to do so,
    and tell him that if people do "bad things" to his data, it's his fault.
    If the user has access to important things, revoke his access.
    Disallow insecure software, etc.
    Also, use SATAN-alike tools (NESSUS is quite nice).

    Bottom line:
    A wall is as strong as its weakest brick,
    so instead of trying to make a strong brick stronger,
    try to take care of the weak ones.


    ---
    The day Microsoft makes something that doesn't suck,

    --


    ---
    I'm going to live forever, or die in the attempt.
    1. Re:A wall is as strong as its weakest brick. by Fizgig · · Score: 2

      So we're going to have Python scripts that steal fingerprints? :)

  11. Re:I hope this doesn't inspire a "security crackdo by mjg · · Score: 2

    Don't get me wrong, security is definitely important. But as this article points out, it's really the users that are insecure, more than anything else.

    Obviously there's only so much you can do to secure machines and networks, but if you don't have educated users, then you may as well leave the whole system open. ;-)

    I was only complaining because it's frustrating to know you can't access your own machine via ssh from elsewhere because the sys-admin has deemed ssh to be 'too insecure' for use on the network, despite the fact that the only people who would want to use it are those who are probably quite aware of security issues already.

  12. the problem by sporty · · Score: 2
    The problem isn't the users or the administration of the company. It isn't the administrator either. It is really the ignorant. It is the users who fail to use good passwords, the administration who want access from anywhere and the bad administrators who leave their broadcasts open for network packets to be accepted from. It is the bad programmers who trust user input to work with strcat in C or using open(F," $fromUserForm"); in perl.
    • Problems from my old job? The usage of sniffers, since everything was on hubs.
    • Unix machines used from inside the network that is not secure.
    • Access from anywhere for ftp without restriction other than username and password
    • Age of oldest backups, 2 weeks. Hard drives also quadrupled the space of the tape drives.
    • Bad backup schemes: if you can't fit all of it on one tape, do a full backup for a fraction on different days, otherwise use an incremental for that day. I don't feel like sorting through 25 tapes if a system goes down.
    • Bad passwords galore
    It's too bad one can talk, but no one listens.
    --

    -
    ping -f 255.255.255.255 # if only
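
The strcat half of the complaint in comment 12, shown as the unchecked pattern next to a bounded one. This is an added example, not part of the original post; the buffer size, the "user=" prefix and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_SIZE 16   /* constructed demo size: "user=" + 10 chars + NUL */

/* Unchecked pattern: strcat() copies until the NUL in its source and knows
 * nothing about how big dst is. Correct only if the caller has already
 * proven the input fits, which nobody has done for form input. */
static void build_label_unsafe(char dst[LABEL_SIZE], const char *user_field)
{
    strcpy(dst, "user=");
    strcat(dst, user_field);   /* writes past dst once input exceeds 10 chars */
}

/* Bounded append: returns -1 and leaves dst untouched if dst is not
 * NUL-terminated within dstsz, or if src plus its NUL would not fit. */
static int append_checked(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    size_t used, need;

    if (end == NULL)
        return -1;                      /* dst itself is malformed */
    used = (size_t)(end - dst);
    need = strlen(src);
    if (need >= dstsz - used)
        return -1;                      /* no room for src and terminator */
    memcpy(dst + used, src, need + 1);  /* +1 copies the NUL as well */
    return 0;
}

/* Same job as build_label_unsafe, but oversized input is rejected outright
 * instead of overflowing or being silently truncated. */
static int build_label_checked(char *dst, size_t dstsz, const char *user_field)
{
    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (append_checked(dst, dstsz, "user=") != 0 ||
        append_checked(dst, dstsz, user_field) != 0) {
        dst[0] = '\0';                  /* never hand back a partial label */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[LABEL_SIZE];
    /* Constructed inputs: one that fits, one far too long. */
    const char *ok_input = "alice";
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    build_label_unsafe(buf, ok_input);  /* only safe because input is short */
    printf("unchecked, short input: %s\n", buf);

    if (build_label_checked(buf, sizeof buf, long_input) != 0)
        printf("checked, long input: rejected (%zu bytes into %d)\n",
               strlen(long_input), LABEL_SIZE);
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened value can still change what the program does with it later.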

  13. Re:Lawyers' feeding frenzy: Microsoft as a target by Teach · · Score: 2

    I think this quote from Michael J. Miller, editor-in-chief of PC Magazine is appropriate (from his opinion column of May 25, 1999). He is speaking about the Melissa virus:

    "The biggest problem is that the architecture of Word and Excel, with their embedded macro capabilities, makes them great targets for virus writers. Visual Basic for Applications makes writing such macros easy, and in this context, that's the absolute worst news."

    Certainly Windows 9x and other consumer-level products from Microsoft leave much to be desired in the way of security. In fact, the first time I discovered you could bypass the Windows 95 "login" by pressing Cancel, I nearly blew a gasket laughing.

    Microsoft does user interfaces probably better than anyone. But despite what many consider to be a superior "look and feel", I won't use Internet Explorer because I don't like the inherent security risk associated with ActiveX components. Similarly, though it might be more convenient, I won't turn on embedded macros in any Office product because it's not worth the risk.

    The great benefit of the Melissa virus for me is that the widespread coverage got my students asking me about the virus. I was able to take a day explaining the nature of macros and why the fundamental design of Microsoft Office puts them at risk. Now at least those that paid attention are more cognizant of the security issues with the systems they use every day.

    --
    Graham "Teach" Mitchell, computer science teacher, Leander HS
  14. Very Balanced Article by El+Volio · · Score: 3

    This was an outstanding article for the mainstream press that covered a number of key security issues that are fairly subtle to those who do not work in security (it even gets the "cracker"/"hacker" dichotomy right).

    It also makes an interesting point, one that I've had to deal with for a long time, and most security folks have as well: One of the difficulties in securing information is that these measures many times make life difficult for the users, and when those users are technically skilled themselves, life gets that much more difficult.

    The problem lies at the very essence of security. A secure system restricts the flow of information contained within it, but this is counterproductive to what users are trying to accomplish. Unfortunately for the users, sometimes it's more important to have secure information than ease of use. And as long as malicious individuals exist, this will be a "necessary evil".

    --

    "You can never have too many elephants on your team."

  15. Great article for the non-literate masses by anticypher · · Score: 2

    I like this article. It's clueful, balanced, has the requisite number of quotes. There is the seminal quote by Spaf "...locked in a safe, surrounded by armed guards, and even then I wouldn't bet on it".

    It goes just deep enough to clarify a bunch of issues for those who have only seen the knee-jerk reactionary articles of the overworked sensationalist press. It does leave a few questions unanswered, and although I would like to see the answers, this article is right in not including them.

    So the FBI caught a teen aged hacker who stole a password and got into a bunch of sensitive computers at SFI, LANL, LLNL, and a few others, and they didn't call in a swat team led by Janet Reno. That in itself is a revelation. The press hungry FBI actually did their jobs instead of sucking some columnist's dick? Stop the presses! Makes you wonder what they did to the stupid guy who mailed his only password to all his cow-orkers where any script kiddie could pick it up. Did the FBI come down on him like a ton of bricks? Did he get a 5-10 year sentence for aiding and abetting a felony involving national security? Probably not.

    There is also a great section on connecting two secure networks together with an encrypted line, and then having one of the nets get compromised. It doesn't matter how strong the encryption is, the end systems are still the weak link in the chain.

    I'm going to have to get reprint permission for this article, third generation photocopies won't do it justice.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  16. Re:Ironclad Networks by anticypher · · Score: 2

    So how do you do this on a weekly basis? Host based scanning, or network scanning?

    This is just out of curiosity, since I've been recently involved (actively avoiding) a discussion about which is better, host or net scanning. My position is that both are needed. An unpopular answer because that costs more money :-)

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  17. Re:insecure home DSL and VPNs. by anticypher · · Score: 2

    Recently attended a big sales pitch on the new generation of home cable and DSL boxes. Idea is that a consumer can just buy one of these things, take it home and plug it into a cable TV system and be up and running.

    There were some technical details about how all unregistered boxes would always be directed to a sign in page, so the consumer would just have to enter a credit card number and the box would then reboot with a real IP address. Then the consumer could start surfing the web within minutes.

    Great idea, but I asked about setting passwords on the modems or the PCs. The horror and shock was obvious. Seems they did some studies, and found that if an average consumer has to enter a password to secure their system, they prefer not to buy or use the product. But the legal department had forced them to design their web site so the consumer would have to scroll through three pages of smallest type legalese, pressing accept at the bottom of each page. Buried in all that was a warning to set passwords. That was acceptable, but forcing it was not.

    So afterwards got a tour of the demo network, with some sample set top boxes and PCs. Whipped out the portable hacking/cracking laptop, and within a few minutes had control of every modem and PC. The big company is going back to the drawing board for the rollout plans, maybe to get each customer to set a line noise type password on their modems, and force them to write it down as part of the login process for the first day or two.

    People never learn, which is why crackers have life so easy.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  18. Re:Lawyers' feeding frenzy: Microsoft as a target by asianflu · · Score: 2

    I expect the legal language behind the shrink wrap on your new copy of windows 2000 is getting slowly but surely beefed up as we speak.

    The NY times article had the amusing quote about cars: sure they would cost a penny, and do 400 miles an hour etc (the old analogy), but what if every day, someone on the other side of the world caused the car to explode, killing its occupants and several bystanders.

    What if when we buy a car, there is this piece of paper stuck behind the driver's glass, saying, "by opening this door, you agree not to hold Ford motor company liable for any drawbacks in the design of this car, and for any damages, monetary or otherwise, that you or your family should suffer through use of this car. We do not warrant this car's fitness for any purpose".

    Like it or not, we are moving to a virtual world, our assets are becoming digital not physical, and along with that come the fruits of bad design: damages, responsibility, lawyers and so on, just like there is in the physical world. Microsoft, and every vendor better grasp that, and either hide behind a barricade of legalese (not a sustainable strategy), or behave as if they were making X-ray machines, cars, industrial saws, and other potentially deadly gadgets.

    So I agree. Although picking on microsoft isn't the whole issue, you can equally well pick on ebay, oracle, sun, HP, IBM and all of them. But microsoft does have the most arrogant attitude so by all means let's kick them first.

  19. insecure home DSL and VPNs. by asianflu · · Score: 4

    I have a test page that invites people to queue up their beloved home PC to get checked from "outside", and to have a few pings of death thrown at them. (www.dslreports.com/r3/dsl/secureme).

    You wouldn't believe what I find... or maybe you would. Many PCs have readable netbios usernames, back orifice was found twice out of 100 machines. Cisco 675 home DSL router/modems with NO password and NO enable password, open shares with guest logins, socks servers, firewalls with web configuration ports visible on the wrong side (my side), web servers meant for internal use with convenient displays of the internal network on them, visible from outside.
    And of course machines that blue screen after they get pinged with one of the many packets that cause Bill's code to scribble where it shouldn't, but can't blame people for that.
    The current incidents reported of breakins to home PCs on fulltime net access, also in the NY times, (with a Linux box partially compromised through imapd I believe), could be reduced with some very basic external checking... Something ISPs should provide as a free service.
    Right now it would be trivial to construct with a bit of perl and a bad attitude, a sweeper that found enough PCs on DSL or cable to get straight to the top of the seti@home charts, or launch an attack against something harder, all from the bedrooms of guys who use their PC to balance their checkbook.

    The far worse risk here: imagine somebody has VPN to their super secure office network, and it's via internet DSL, and they are lax in security. How long before somebody writes a VPN scanner that finds insecure fulltime connected PCs and gets onto them to see if there is a VPN to a corporation that can be snooped/cracked/hijacked/watched? Companies think an end-to-end encrypted VPN is secure, but they don't think enough that the end of their tunnel is managed by an employee with little knowledge on security, and on a windows PC with a config that is by default insecure.

    -Justin

  20. Scary stuff... by GoodGuys · · Score: 2

    IMHO, the risk of hungry lawyers turning to security-related lawsuits once the Y2K issues are over seems high. Menacingly high, in fact.
    Lawyers have this ability to turn simple things into gigantic monsters. Put a lawyer to start working on security-related cases and one of them will likely make all of us look like the Devil incarnate through misunderstanding of the difference between Hacker and Cracker.
    But what can we do? I think we need to keep working hard at plugging the difference between Hacker and Cracker into the public awareness.
    If we don't do this job well enough, we might end up seeing unfortunate cases of public-opinion turning against us. Since I aspire to be a representative of Better_Operating_Systems.org and a member of the Open Source movement, I don't like that idea...
    Has anyone any idea just how well the public understands the Hacker/Cracker difference? How much work do we have in this field? Perhaps we can harness the Net itself to find out. Maybe a poll in the right place, or a letter to everyone you know asking them to ask their family and neighbors to see if they understand the difference...
    We ought to get started.