Got Fear?

“One has to abandon altogether the search for security, and reach out to the risk of living with both arms. One has to embrace the world like a lover. One has to accept pain as a condition of existence. One has to court doubt and darkness as the cost of knowing. One needs a will stubborn in conflict, but apt always to total acceptance of every consequence of living and dying.” ~Morris L. West

Great quote, Mr. West, but, as it presupposes that humanity should have little regard for danger, it is also quite prophetic with respect to how danger, or the risk involved, is regarded today.

Climbing in Red Rock Canyon on the last day of DefCon - with no ropes - not a difficult pitch, but still quite risky

Many of the things we used to value, like, say, privacy, have no value any more, so there is no risk in losing it – or, rather, no danger from losing it. And the “No Fear” generation showed us just how little regard there was for their own lives. Even many companies (small and large) today have a very elementary concept of what risk is, and they’ll have risk assessments done without even considering “value” in the equation.

“Risk taken” is directly proportional to the value placed on whatever it is we have to lose.

In nature, the equation is quite simple. Animals know the value of the basics – their lives, food sources, water sources, their offspring – all of these things are the requisites of survival.

Some of these essentials are more important than others for survival, hence an animal will “classify” them accordingly. Here’s how classification in Nature works:

Animal: “There’s that thing with the brown shaggy coat what ate my brother….I need to be careful.”

Even simpler: “It’s bigger than me….RUN!”

Or – “I know this creature wants to share my watering hole, and instead of running, I’ll fight him off.”

This simple hierarchical classification dominates nature. The “risk assessment” the animal is doing comes “after” they have already classified the value of potential loss (aside from using their intuition in encountering an unknown threat – and even then they have already classified a proper response).

While the “cost of knowing” may be obtained by “courting doubt and darkness”, it is still something that has to be classified for the next encounter.

Unfortunately, much of the business world seems to have lost sight of this basic but essential atavism. The so-called “Security Risk Assessment” is an anachronistic exercise replete with pompous or pretentious theatre. Usually, the first thing a security consultant will offer forth to evaluate your security is penetration testing of your enterprise environment.

“If we can break on through to the other side, you’re vulnerable to data loss.”

But what if your data is secure from the inside – so even if the intruders bypass the first layer of defense, they can’t access the data they’re after?

The first thing in any risk assessment is to understand the value of that which is sought after, and to classify that valuable commodity so you can further decide how it should be secured. You must classify your data based on the value of that data, before anything else you do.

Companies today have less regard for tasks that seem to present little ROI: it doesn’t sound rewarding to the board, and has little impact on the shareholders. They underestimate the value of their own data, thinking, “No one really wants this data anyway, even if they could get at it.” This line of thinking is especially prevalent in companies manufacturing for DoD contractors, and is precisely why Shady RAT-type intrusions are so effective.

Classify (value) your data (assets), lock them down from the inside out, then do a risk evaluation.

It’s that damn simple.


Simple security for Windows users…

If you are a Windows user, here’s how to obtain a modicum of computer security confidence:

Do not buy antivirus products…period.

Good protection from malware should be free, and it is….

If you use Windows, you need to do 2 things first and foremost:

1. Set updates to automatic

2. Install and run MSE (Microsoft Security Essentials)

Always look before you click on links.

Don’t “friend” or “like” everything on social networks…how many friends do you really have? And, who really cares if you “like” something?

Pay for software you need…don’t try to use keygens or cracks.

Don’t use IE, period (use Firefox, Opera, etc.).

Even music files and movie files can be infected…download them from legitimate sources (don’t steal them).

Stay away from subscription-based pornography websites. There is plenty of porn on safe sites (youporn.com).

Google is not always safe….make sure you are clicking on exactly what you are looking for, and the link is legitimate.

If you do get infected with something, download and run Malwarebytes (malwarebytes.org) if you can.

Finally, and ultimately….

If you really need to do any of the above don’ts, get rid of Windows and install Linux.

Password management made easy… (uh huh)

And, on to managing all those passwords….

We need passwords for just about everything these days. Most of us have a tough time keeping track of all of them, and end up writing many of them down on a piece of paper that we then have to hide somehow from prying eyes. Writing down passwords really isn’t such a bad idea for the average computer user, as a compromise of the list means that someone has gained physical access to it in your personal space – and an invasion of your personal space is probably far more disconcerting than the possible discovery of your password list (unless you are trying to hide them from those who already have access to your personal space).

There are several software applications that try to remedy this issue by creating a “vault” for you to store all of your passwords. You simply have to remember one “master” password to gain access to the vault. While this eliminates the need to write anything down, it still doesn’t address how to manage them.

But, let’s talk about so-called “password strength” for a moment. The simple reason we can’t remember all of our passwords is that we are now generally required to create a password containing a combination of letters, numbers, and special characters to create a strong, unique password. This is due to the prevalence of password-cracking, brute-force dictionary attack programs that have millions of words and names in their databases and can try them in rapid succession. We’re told not to use common words or names, as these passwords can be cracked quite easily (in many cases, simple passwords you’ve chosen are rejected on those grounds).

A simple and easy method of creating a password that adheres to the requirements of a “combination of letters, numbers, and special characters” is to use the first or last letter of each word in an easily remembered phrase to create the password. An example would be, “Security is mostly a superstition. It does not exist in nature” – you simply take the first (or last) letter of each word in the phrase to create the password – in this case it would be “SIMASIDNEIN”….obviously not a word that will be found in a password-cracking dictionary. To complete the password requirements, just add a number and a special character to the new word, e.g., “4SIMASIDNEIN*”. Now you have a strong password that you can remember (if you can remember the phrase you used, and the numbers and special characters you chose). Change the case of a couple of letters in the new word, and you have a very strong password (example: “4SIMAsIDNeIN*”). One caveat: cracking wordlists do include first-letter acronyms of famous quotes, song lyrics and the like, so a phrase you made up yourself is a safer seed than one found in a book of quotations.

So, are we to create a unique password like this for every bank account, social media site, and vendor we wish to access? That would be just messy, and very difficult to manage even if we use a password “vault” application.

Let’s check out how passwordmaker.org handles this.

“Passwordmaker” is a brilliant application that makes managing all of your passwords a nearly thoughtless task. “PasswordMaker is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there’s nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.”

Here’s how it works:

“You provide PasswordMaker two pieces of information: a “master password” — that one, single password you like (like the one we created from a phrase above) — and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized on by PasswordMaker is that the resulting fingerprint (password) does “not reveal anything about the input that was used to generate it.” In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won’t help!”

To simplify: you create a master password, and Passwordmaker creates a unique password for every site that you need a password for, based on your master password combined algorithmically with the address of the specific site you wish to visit. You never really need to know the actual password for each site….just your master password.

I have no idea what any of my passwords are (for any given site that I need one for)….all I need to enter for the website is my master password, and Passwordmaker will calculate the hash of the URL and the master password to enter the real password for that site. And, I never have to remember any of my passwords. Passwordmaker computes the hash (you get to choose the algorithm of your liking) of my master password with the URL I need to access (e.g., facebook.com), and creates the password for that site.

So how secure can this be? Well, provided your master password isn’t compromised, very secure – with one proviso. Because the hashes on offer are fast and the URL and settings are not secret, anyone who obtains one of your generated passwords (say, from a site that stored it in the clear) can test master-password candidates offline at the full speed of the hash. A short or well-known master password will fall to that; a long phrase-derived one like the example above will not.

What if your master password is compromised?

There are ten other variables one can add that would be needed for each account you have. You need to add at least a few of these to thwart any real-world attack. They are:

* URL
* character set
* which of nine hash algorithms was used
* modifier (if any)
* username (if any)
* password length
* password prefix (if any)
* password suffix (if any)
* which of nine l33t-speak levels was used
* when l33t-speak was applied (if at all)

Probably the most interesting of these is “character set” because it gives you the flexibility to determine precisely which characters can and can’t be included in generated passwords.
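As an added example that is not part of the original post and is not PasswordMaker’s own code, the following Python sketch shows the idea behind a stateless per-site password generator: an HMAC keyed with the master password over the public per-site settings (URL, username, modifier), written out in a chosen character set at a chosen length, with optional prefix and suffix. The function names, the way the settings are combined, and the counter used for long passwords are assumptions of this example; it does not reproduce PasswordMaker’s actual output for any setting. The second function shows the flip side of “nothing is stored”: once a site leaks one generated password, the URL and settings are public, so an attacker can test master-password candidates offline.

```python
import hmac
import string

# Illustrative, stateless per-site password derivation in the style the text
# describes. Added example: NOT PasswordMaker's algorithm, and it will not
# reproduce PasswordMaker's output. Parameter names mirror the settings listed
# in the text (URL, character set, hash algorithm, modifier, username, length,
# prefix, suffix).

DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(master, url, *, username="", modifier="", length=16,
                    charset=DEFAULT_CHARSET, prefix="", suffix="",
                    algorithm="sha256"):
    """Return a deterministic site password.

    The master password keys an HMAC; the public per-site inputs form the
    message. The digest is treated as a big integer and written out in base
    len(charset), so every output character is drawn from the chosen set.
    Nothing is stored: the same inputs always give the same password.
    """
    if len(charset) < 2:
        raise ValueError("charset must contain at least two characters")
    message = "\n".join([url, username, modifier]).encode("utf-8")
    key = master.encode("utf-8")
    chars = []
    counter = 0
    # One 256-bit digest yields about 41 characters for a 70-symbol set; re-key
    # with a counter (an assumption of this example) if more are requested.
    while len(chars) < length:
        block = message + b"\x00" + counter.to_bytes(4, "big")
        n = int.from_bytes(hmac.new(key, block, algorithm).digest(), "big")
        while n > 0 and len(chars) < length:
            n, idx = divmod(n, len(charset))
            chars.append(charset[idx])
        counter += 1
    return prefix + "".join(chars) + suffix


def guess_master(leaked_password, url, candidates, **settings):
    """Offline attack on one leaked site password.

    The URL and the other settings are public, the hash is fast, and there is
    no secret salt, so whoever learns one generated password can test
    master-password candidates as fast as the hash runs. A short or well-known
    master falls; a long phrase-derived one is not in any wordlist.
    Returns the recovered master, or None if no candidate matches.
    """
    for candidate in candidates:
        if derive_password(candidate, url, **settings) == leaked_password:
            return candidate
    return None


if __name__ == "__main__":
    master = "4SIMAsIDNeIN*"  # the phrase-derived master from the text
    fb = derive_password(master, "facebook.com")
    bank = derive_password(master, "bank.example", modifier="2011", length=20)
    print("facebook.com :", fb)
    print("bank.example :", bank)
    # Same master, same URL, same settings -> same password, so nothing is stored.
    assert fb == derive_password(master, "facebook.com")

    # Constructed wordlist standing in for a cracking dictionary.
    wordlist = ["password", "letmein", "password123", "qwerty"]
    leaked = derive_password("password123", "facebook.com")
    print("weak master recovered  :", guess_master(leaked, "facebook.com", wordlist))
    print("strong master recovered:", guess_master(fb, "facebook.com", wordlist))
```

Running it prints two unrelated-looking site passwords, recovers the weak master “password123” from the toy wordlist, and fails to recover the phrase-derived one. That is the whole security argument in miniature: the scheme moves all of the secrecy into the master password and the rest of the settings only add work for an attacker who does not already know them.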

Selecting a strong hash algorithm also matters, for security more than for functionality. The hash algorithms supported by Passwordmaker are:

* MD4
* HMAC-MD4
* MD5
* MD5 (for PasswordMaker v 0.6)
* HMAC-MD5
* HMAC-MD5 (for PasswordMaker v 0.6)
* SHA-1
* HMAC-SHA-1
* SHA-256
* HMAC-SHA-256
* HMAC-SHA-256 (for PasswordMaker v 1.5.1)
* RIPEMD-160
* HMAC-RIPEMD-160

“Which hash algorithm should I use?

All of the algorithms are cryptographically strong, but of the algorithms PasswordMaker offers, many people regard SHA-256, HMAC-SHA1, HMAC-MD5 and HMAC-SHA-256 as the strongest.”

Please visit Passwordmaker.org for more details and FAQ (http://passwordmaker.org/F.A.Q.).

IMHO, this is the best password management solution available at this time. And, it is compatible with almost every system (Windows, Mac, Linux, etc.) that you may be using.

~MT

Biometric Authentication is Dumb

Biometric authentication, or Biometrics in general, is a dumb idea. Biometric authentication corresponds to certain methods for uniquely identifying humans based upon physical or behavioural attributes. This unique process of authentication is not particular to humans and their computers, but also exists in a highly cultivated form in nature. A good example is a dog’s method of identity management based on olfactory sense alone (dog sniffs air….smells other dog’s butt…knows who that dog is). Humans can’t come close to a dog’s level of identity management, so we’ve fabricated several methods to distinguish one person from another. Examples include, but are not limited to fingerprints, face recognition, DNA, voice recognition, palm prints, hand geometry, and iris recognition (which has largely replaced retina, and odour/scent recognition – Good dog!).

Let’s talk about single- and two-factor authentication for a moment. Single-factor authentication in no way “identifies” who you are. It consists of a user ID and password, and anyone could potentially have that information. Two-factor authentication asks for your user ID and password, and then asks for a second factor (the user ID only names the account; it is not a factor in itself) such as an ever-changing token number (or better still, a cell phone call that asks you to enter a PIN). With “two-factor” authentication, you are purportedly identified by this external component, but this still does not genuinely “identify” who you are.

The great thing about this method of authentication is that if you forget any component of the operation, you can change it. The bad part is that there is no way to demonstrably prove that the person logging in is you.

Enter Biometrics. Now you submit your user ID and password, and add the third component such as a thumbprint (many IT novices, eyes aglow with the idea that biometric scanning is the wave of the future,  think a simple thumbprint is all that should be needed for the entire transaction). The thumbprint or iris print is specifically unique to an individual, and consequently genuinely identifies who you are.

But, there are two specific and monumental troubles with this.

We’ve all heard the hypothetical scenario where the research scientist, who enters his lab’s restricted areas by handprint or eyeball scan, has his hand chopped off or eyeball removed by evil intruders so they can gain access. This is a real possibility, and far less drama is usually needed: a fingerprint lifted from a glass and cast in a cheap gelatin or latex mold has fooled plenty of sensors.

But, even worse, if the handprint or eyeball data is compromised, it can’t be changed like a password or PIN can (unless you are in the movie, Minority Report). Once your biometric data is compromised, your identity as a whole is completely compromised, and you can’t change it.

Stick with something that is changeable – while it does not cleanly identify who you are, it will afford you far more security in the long run, and will never compromise your identity.

If you are a dog, please disregard this post.

Nature and the Fallacy of Idealism in Security

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.”  ~Helen Keller

I used to think this quote was spot on, and referred to it almost as security gospel. This quote came from a woman who could not see, hear, or speak. To be sure, these handicaps were the catalyst for a most honest epiphany, but the statement is at once imperfect and, possibly, because of the sensory deprivation of her handicaps, fails to address the larger picture.

Security DOES exist in nature, and we should seek to emulate her ways.

But let’s look at why we’re here.

I just got back from DEFCON 19. The DEFCON gathering, and hacking itself, exist solely because people are always trying to hide something from others, and to a few of those others that presents the challenge of revealing what has been so carefully hidden away (Quod tanto impendio absconditur etiam solummodo demonstrare destruere est, [When a thing is hidden away with so much pains, merely to reveal it is to destroy it, ~Tertullian, Comte de Gabalis]). No truer words were spoken.

At DEFCON, you’ll see and hear everything from lock picking to cryptanalysis, hacking this, hacking that: for anything that someone has attempted to make secure, there is a “how to” make it insecure. And rest assured, anything can be hacked.

So does that mean nothing is secure at all?

No. It doesn’t mean that perfect security will ever be achieved, but there is a way to achieve a far more inviolable defensive structure by following the ways of Nature.

From analysis of the passive security of camouflage in insects and animals (stealth) to the active security of skunk spray and bee stingers (weaponry), we can develop more strategic and effective methods which will always strive towards the equilibrium of perfection in security.

Do remember, if a Gypsy moth sitting on the bark of a tree had the ability to simply try to hide itself by scrambling all of its anatomical parts (encryption?), it would stick out like a sore thumb. A predator bird may not know it is a gypsy moth, but it will sure be curious as to what it is, and will eventually figure out it is food. Evolution of species dictates this eventuality.

But, the fact that it uses camouflage to hide itself from its predators, ensures a higher percentage of safety simply by blending in and not drawing attention to itself.

And, what if, when we were attacked by say, a TDSS rootkit, we were able to strike back?

Nature provides us with insight into how real security should be dealt with – on a global scale.

More to follow……