CYBER-SOCIETY-LIVE Archives (JiscMail), 2001
Subject: [CSL]: CRYPTO-GRAM, May 15, 2001
From: John Armitage <[log in to unmask]>
Reply-To: The Cyber-Society-Live mailing list is a moderated discussion list for those interested <[log in to unmask]>
Date: Wed, 16 May 2001 06:55:11 +0100

From: Bruce Schneier
To: [log in to unmask]
Sent: 15/05/01 19:06
Subject: CRYPTO-GRAM, May 15, 2001


                  CRYPTO-GRAM
                  May 15, 2001

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            [log in to unmask]
          <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.

Back issues are available at
<http://www.counterpane.com/crypto-gram.html>.  To subscribe or
unsubscribe, see below.


Copyright (c) 2001 by Counterpane Internet Security, Inc.


** *** ***** ******* *********** *************

In this issue:
      Defense Options: What Military History Can Teach
        Network Security, Part 2
      Crypto-Gram Reprints
      The Futility of Digital Copy Prevention
      News
      Microsoft and the Window of Vulnerability
      Counterpane Internet Security News
      Security Standards
      Safe Personal Computing
      Comments from Readers


** *** ***** ******* *********** *************

     Defense Options: What Military History
       Can Teach Network Security, Part 2



In Part I of this series, I examined the natural advantages of defense in military history.  I concluded that two advantages -- the ability to shift forces and knowledge of the terrain -- are underutilized in network security.  I concluded that network security based on hidden attack sensors and rapid response would be far more effective than firewalls, IDSs, and whatever the new new thing is.

In Part II, I want to look even more broadly at the military's notion of defense.  In war, there are three, and only three, types of defense: passive defense, active defense, and counterattack.

Passive defenses involve making yourself harder to attack.  Against an air assault, for example, this could mean building bunkers or hiding in caves, dispersing your forces, or covering yourself in camouflage.  All of these defenses have the same goal: reducing the effectiveness of the enemy's bombs.  The important thing to note is that while passive defenses make attacks less effective, they do nothing to the attackers themselves.

Active defenses are designed to take out the attacker.  Returning to the incoming aircraft example, an active defense could be anti-aircraft fire that shoots down the attacking aircraft in flight.  This is harder than passive defense, but can be much more effective.

Counterattack means turning the tables and attacking the attacker.  Against the air assault, it could involve attacking airfields, fuel depots, and ammunition storage facilities.  Note that the line between defense and offense can blur, as some counterattack targets are less clearly associated with a specific attack on a specific target and more geared toward denying the attacker the ability to wage war in general.

Warfare has taught us again and again that active defenses and counterattacks are far more effective than passive defenses.  Look at the Battle of Gettysburg in the American Civil War.  Look at the Battle of the Bulge in World War II.  Look at Leyte, Agincourt, and almost any piece of military history.  Even in the animal kingdom, teeth and claws are a better defense than a hard shell or fast legs.

On the Internet, most people think of computer security in terms of passive defenses only.  They believe that if they could only make their systems "hard" enough, they'd be safe.  Security vendors reinforce this view, providing ever more intricate protection mechanisms for computers and networks.  Even the work I've done, pointing out the limitations of prevention and extolling the virtues of detection and response, is still centered around passive defense.  Part I of this essay was similarly limited: the ability to shift forces and knowledge of the terrain are both primarily associated with passive defense.

If we're ever going to win the war against computer crime, we're going to have to think increasingly in terms of active defenses, and even counterattacks.

We've started to see some of this already.  Intrusion detection systems and honeypots provide alarms that can alert defenders of an attack in progress.  Managed Security Monitoring services can filter these alarms and provide expert response when a network is under attack.  Vigilant, adaptive, relentless, expert intelligent network defense is far more effective than static security products.  I said all of this in Part I of this essay.

But alarm systems, no matter how effective, are still primarily passive.  They allow a defender to better survive an attack in progress, but they don't put the attacker in danger.  Right now, the only counterattack we have is prosecution.  Putting criminals in jail is the best deterrent we have, and I am happy to see more of it.  But prosecution can only happen after the fact.

One can imagine active defenses and counterattacks, but they are mostly in the realm of science fiction.  What if, when an attacker broke into a network, his attack program were disabled?  What if he could be sent a virus that destroys his computer?  Or, at least, what if some third party collected an evidentiary chain that could prove his guilt in court?

There are non-technical considerations as well.  In most countries, active defenses can be illegal.  Private citizens can't mine their backyards or booby-trap their front doors.  In many countries, it is illegal for them to shoot a burglar breaking into their house.  Active defenses are reserved for wartime, where there are no rules, or for the police, who have a state-sponsored monopoly on violence.

I worry about the vigilante-style cyber-justice that could arise from this kind of defense, but it is certainly something we should be thinking about.  And it is definitely something that we should be researching.

Passive defense is far from useless, but is not the only form of defense we can use.  In many cases, simple active defenses such as monitoring are both more effective and more cost effective than adding more passive defenses.  "Fortress computer center" was a good model when every company had its own unconnected networks.  In today's world, where every network must be connected to the global network, it doesn't work as well.  If we are ever going to win the war against computer crime, we are going to have to emerge from our protective bunkers and actively engage the attacker.


** *** ***** ******* *********** *************

            Crypto-Gram Reprints



Computer Security: Will We Ever Learn?
<http://www.counterpane.com/crypto-gram-0005.html#ComputerSecurityWillWeEverLearn>

Trusted Client Software
<http://www.counterpane.com/crypto-gram-0005.html#TrustedClientSoftware>

The IL*VEYOU Virus (Title bowdlerized to foil automatic e-mail traps.)
<http://www.counterpane.com/crypto-gram-0005.html#ilyvirus>

The Internationalization of Cryptography
<http://www.counterpane.com/crypto-gram-9905.html#international>

The British discovery of public-key cryptography
<http://www.counterpane.com/crypto-gram-9805.html#nonsecret>


** *** ***** ******* *********** *************

    The Futility of Digital Copy Prevention



Music, videos, books on the Internet!  Freely available to anyone without paying!  The entertainment industry sees services like Napster as the death of its business, and it's using every technical and legal means possible to prevail against them.  They want to implement widespread copy prevention of digital files, so that people can view or listen to content on their computer but can't copy or distribute it.

Abstractly, it is an impossible task.  All entertainment media on the Internet (like everything else on the Internet) is just bits: ones and zeros.  Bits are inherently copyable, easily and repeatedly.  If you have a digital file -- text, music, video, or whatever -- you can make as many copies of that file as you want, and do whatever you want with the copies.  This is a natural law of the digital world, and makes copying on the Internet different from copying Rolex watches or Louis Vuitton luggage.

What the entertainment industry is trying to do is to use technology to contradict that natural law.  They want a practical way to make copying hard enough to save their existing business.  But they are doomed to fail.

For these purposes, three kinds of people inhabit the Internet: average users, hackers, and professional pirates.  Any security measure will work against the average users, who are at the mercy of their software.  Hackers are more difficult to deter.  Fifteen years of software copy protection has taught us that, with enough motivation, any copy protection scheme -- even those based on hardware -- can be broken.  The professional pirate is even harder to deter; this is someone willing to spend considerable money breaking copy protection, cloning manuals and anti-counterfeiting tags, even building production plants to mass-produce pirated products.  If he can make a profit selling the hacked software or stolen music, he will defeat the copy protection.

The entertainment industry knows all of this, and tries to build solutions that work against average users and most hackers.  This fails because of a second natural law of the digital world: the ability of software to encapsulate skill.  A safe that can keep out 99.9% of all burglars works, because the safe will rarely encounter a burglar with enough skill.  But a copy protection scheme with similar characteristics will not, because that one-in-a-thousand hacker can encode his break into software and then distribute it.  Then anyone, even an average user, can download the software and use it to defeat the copy protection scheme.  This is what happened to the DVD industry's Content Scrambling System (CSS).  This is how computer games with defeated copy protection get distributed.

The entertainment industry is responding in two ways.  First, it is trying to control the users' computers.  CSS is an encryption scheme, and protects DVDs by encrypting their contents.  Breaks do not have to target the encryption.  Since the software DVD player must decrypt the video stream in order to display it, the break attacked the video stream after decryption.  This is the Achilles' heel of all content protection schemes based on encryption: the display device must contain the decryption key in order to work.

The solution is to push the decryption out of the computer and into the video monitor and speakers.  To see how this idea helps, think of a dedicated entertainment console: a VCR, a Sega game machine, a CD player.  The user cannot run software on his CD player.  Hence, a copy protection scheme built into the CD player is a lot harder to break.  The entertainment industry is trying to turn your computer into an Internet Entertainment Console, where they, not you, have control over your hardware and software.  The recently announced Copy Protection for Recordable Media has this as an end goal.  Unfortunately, this only makes breaking the scheme harder, not impossible.

The industry's second response is to enlist the legal system.  Legislation, such as the Digital Millennium Copyright Act (DMCA), made it illegal to reverse-engineer copy protection schemes.  Programs such as the one that broke CSS are illegal to write or distribute under the DMCA.  This is failing because of a third natural law of the digital world: the lack of political boundaries.  The DMCA is a U.S. law, and does not affect any of the hundreds of other countries on the Internet.  And while similar laws could be passed in many countries, they would never have the global coverage needed to be successful.

More legal maneuvering is in the works.  The entertainment industry is now trying to pin liability on Internet service providers.  The next logical step is to require all digital content to be registered, and to make recording and playback equipment without embedded copy protection illegal.  All in an attempt to do the impossible: to make digital content uncopyable.

The end result will be failure.  All digital copy protection schemes can be broken, and once they are, the breaks will be distributed...law or no law.  Average users will be able to download these tools from Web sites that the laws have no jurisdiction over.  Pirated digital content will be generally available on the Web.  Everyone will have access.

The industry's only solution is to accept the inevitable.  Unrestricted distribution is a natural law of digital content, and those who figure out how to leverage that natural law will make money.  There are many ways to make money other than charging for a scarce commodity.  Radio and television are advertiser funded; there is no attempt to charge people for each program they watch.  The BBC is funded by taxation.  Many art projects are publicly funded, or funded by patronage.  Stock data is free, but costs money if you want it immediately.  Open source software is given away, but users pay for manuals and tech support: charging for the relationship.  The Grateful Dead became a top-grossing band by allowing people to tape their concerts and give away recordings; they charged for performances.  There are models based on subscription, government licensing, marketing tie-ins, and product placement.

Digital files cannot be made uncopyable, any more than water can be made not wet.  The entertainment industry's two-pronged offensive will have far-reaching effects -- its enlistment of the legal system erodes fair use and necessitates increased surveillance, and its attempt to turn computers into an Internet Entertainment Platform destroys the very thing that makes computers so useful -- but will fail in its intent.  The Internet is not the death of copyright, any more than radio and television were.  It's just different.  We need business models that respect the natural laws of the digital world instead of fighting them.

Similar sentiment about the death of the PC:
<http://www.theregister.co.uk/content/2/17419.html>


** *** ***** ******* *********** *************

                     News



"Nihil tam munitum quod non expugnari pecunia possit."  So said Marcus Tullius Cicero, a Roman poet, statesman, philosopher and writer who is supposed to have lived 106-43 B.C.  Translation: "No place is so strongly fortified that money could not capture it."  (I know this is not news, but it's interesting.)

A bug in commercial PGP allows an attacker to drop files to your disk that may then get executed (thanks to Windows .dll loading from current working directories).
<http://www.atstake.com/research/advisories/2001/index.html#040901-1>

An excellent article on the dangers of UCITA:
<http://www.itworld.com/Comp/2362/LWD010411vontrol2/index.html>

There is a security flaw in Alcatel DSL modems:
<http://www.pcworld.com/news/article/0,aid,47004,00.asp>
<http://www.zdnet.com/zdnn/stories/news/0,4586,5080984,00.html>
Normally, I wouldn't even bother with this story.  But Alcatel posted an MS Word file on their Web site about the problem and fix (which they've since removed).  Unfortunately, the file saved deleted changes.  The draft document is far more interesting than the real one.  See some of the deleted comments here:
<http://morons.org/articles/1/188>

Microsoft responded to my article on the fake certificates in the previous Crypto-Gram:
<http://www.microsoft.com/technet/security/verisign.asp>
Greg Guerin has rebutted Microsoft's claims better than I could:
<http://amug.org/~glguerin/opinion/revocation.html>
It turns out that the truth is way more complicated, but no more secure, than I had originally thought.

Remember the Egghead.com break last December?  Here the CEO discusses what he would and wouldn't do differently if faced with the situation again:
<http://www.retailtech.com/content/coverstories/apr01.shtml>

Anti-sniffing password management software.  I'm not convinced this will work, but at least people are thinking about the problem.  Shareware.
<http://32-bitfreeware.virtualave.net/AntiSnoop.zip>

_Body of Secrets_ by James Bamford.  This is his second book about the NSA, and it's really good.  I did a review for Salon:
<http://www.salon.com/books/review/2001/04/25/nsa/index.html>
Here's another review from The New York Times:
<http://www.nytimes.com/books/01/04/29/reviews/010429.29findert.html>

CERT is charging companies to get early warnings about threats and vulnerabilities.  On the one hand, it's nice to see a little free enterprise here.  On the other hand, isn't CERT government-funded?  But CERT advisories often appear long after other newsgroups report on vulnerabilities, so I don't know how valuable this service really is.
<http://www.msnbc.com/news/561513.asp>
<http://news.excite.com/news/ap/010419/20/computer-security>
<http://news.cnet.com/news/0-1003-200-5665677.html>
<http://www.theregister.co.uk/content/8/18493.html>

Giga has released a report on the Managed Security Services space.  It says nice things about Counterpane, but that's almost beside the point.  There has been a lot of confusion in the security services space, and the author nicely segments the businesses into six categories.  He does a good job explaining what the different managed security services are, and which companies offer what services.
<http://www.counterpane.com/giga3.pdf>

It's hard to take this particular story seriously, but I have long predicted that insurance companies will start differentiating premiums based on what kind of networking hardware and software you use:
<http://www.theregister.co.uk/content/8/18324.html>

Impressive investigative work by the FBI.  This is the kind of thing I like to see the FBI doing, rather than mucking about with surveillance tools like Carnivore.
<http://news.cnet.com/news/0-1007-200-5699762.html?tag=tp_pr>
<http://www.cnn.com/2001/TECH/internet/05/10/fbi.hackers.ap/index.html>
Some disagree with me:
<http://www.zdnet.com/enterprise/stories/main/0,10228,5082126,00.html>

Years ago, ftp was how you shared files between computers.  There are still vulnerabilities associated with this service:
<http://securityportal.com/closet/closet20010418.html>

A major legal battle is looming, as the RIAA tries to suppress Princeton security research into its digital watermarks, citing secrecy provisions of the DMCA:
<http://www.zdnet.com/zdnn/stories/news/0,4586,5081595,00.html>
A preliminary version of the actual paper, and assorted correspondence:
<http://cryptome.org/sdmi-attack.htm>
The site reported over 50,000 visits to the paper within 24 hours of its posting.
The RIAA changes its tune:
<http://riaa.com/PR_story.cfm?id=407>

Don't forget mundane security risks.  The British Ministry of Defense has lost 205 laptops in the past four years.
<http://www.wired.com/news/politics/0,1283,43088,00.html>

An e-mail was recently sent to Amazon associates, inviting them to visit a non-Amazon Web site and complete a questionnaire.  The e-mail purported to come from [log in to unmask], but was actually sent from an entirely different domain <[log in to unmask]>.  When I asked Amazon whether they were being spoofed, they told me the survey was legitimate.  Are they trying to train their customers to respond to unverified impersonations?

Argus boasted that their secure operating system couldn't be hacked, and sponsored a $50K contest.  It was hacked.  The story of how it happened has a moral for everyone: security is only as strong as the weakest link, and if you're not monitoring your security in real time you need to constantly make sure all the links are strong.
<http://www.zdnet.com/enterprise/stories/main/0,10228,2713689,00.html>
Someone else plans on a $1M hacking contest.
<http://www.theregister.co.uk/content/8/18644.html>

Gene Spafford makes much the same points I do about the future of computer security: it's going to get worse, not better.
<http://www.cerias.purdue.edu/homes/spaf/ncssa.html>

There have been zillions of articles on this "May Day Cyberwar."  Supposedly, the Chinese are attacking the U.S. in retaliation for our lousy foreign relations policies.
<http://www.zdnet.com/enterprise/stories/main/0,10228,2714179,00.html>
I believe this is nothing but hacker fantasy and media hype.  I don't see hackers with political motivations taking up arms; I see hackers with no motivations donning a cloak of politics to justify their actions.  I also see the media turning this into a much bigger deal than reality.
<http://www.msnbc.com/news/568036.asp?cp1=1>
<http://www.thestandard.com/article/0,1902,24202,00.html>
<http://www.wired.com/news/politics/0,1283,43520,00.html>

People are the weakest link in security:
<http://news.cnet.com/news/0-1003-200-5798589.html?tag=mn_hd>

U.S. "national security" surveillance is on the rise:
<http://www.securityfocus.com/news/201>

Cyber-thriller screenplay:
<http://www.theatlantic.com/issues/2001/05/frazier.htm>

Comments on NIST's AES FIPS are due by May 29th.  This isn't the time to suggest alternate algorithms, but it is time to comment on the details of the standard.
<http://csrc.nist.gov/encryption/aes/>

The Dutch government is forcing trusted third parties to use key escrow.
<http://www.telepolis.de/english/inhalt/te/7571/1.html>

Another semantic attack.  A fake BBC Web page was circulating (without the caveat at the top), and the British newspapers fell for it.
<http://europe.thestandard.com/article/display/0,1151,16490,00.html>
The fake Web page (with a disclaimer on the top): (link obscured by the list archive)
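The check implied by the Amazon item, as an added example (this is not code from Crypto-Gram or from Amazon): parse the message headers and compare the domain shown in From: against the envelope sender (Return-Path) and against the relay named in the topmost Received: header, which is the only hop written by the recipient's own mail server.  The domains (example-shop.test, example-surveys.test, recipient.test) and both sample messages are constructed for illustration.

```python
"""Header/envelope consistency check for a suspicious mailing.

Added example, not code from Crypto-Gram or from Amazon.  The domains and
both sample messages below are constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample: From: names the shop's domain, but the envelope sender
# (Return-Path) and the relay that handed the message to our MX belong to a
# different organisation.  This is the pattern in the item above: not
# necessarily forged, but unverifiable from the headers alone.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <survey-bounce@example-surveys.test>
Received: from mail.example-surveys.test (mail.example-surveys.test [192.0.2.10])
  by mx.recipient.test with ESMTP id k3d9s1
  for <associate@recipient.test>; Mon, 07 May 2001 10:00:00 -0700
From: Associates Program <associates@example-shop.test>
To: associate@recipient.test
Subject: Please complete our questionnaire

Visit http://example-surveys.test/q to complete the survey.
"""

# Constructed control: every header points at the same organisation.
CONSISTENT_MESSAGE = b"""\
Return-Path: <bounce@example-shop.test>
Received: from mail.example-shop.test (mail.example-shop.test [192.0.2.20])
  by mx.recipient.test with ESMTP id k3d9s2
  for <associate@recipient.test>; Mon, 07 May 2001 10:05:00 -0700
From: Associates Program <associates@example-shop.test>
To: associate@recipient.test
Subject: Monthly statement

Your statement is attached.
"""

# "from <host>" clause at the start of a Received: header.
_RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def addr_domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, or ''."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def org_domain(host: str) -> str:
    """Crude organisation key: the last two DNS labels.  Adequate for
    example.com-style names; a real deployment would consult the public
    suffix list so that e.g. co.uk is not treated as one organisation."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def relay_hosts(msg: EmailMessage) -> list:
    """Host named in the 'from' clause of each Received: header, newest first.
    Only the topmost hop (written by our own MX) is trustworthy; lower ones
    could have been forged by the sender."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(str(value))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def check_sender(raw: bytes) -> dict:
    """Compare the From: domain with the envelope sender and the last relay.
    Returns the extracted domains plus a list of findings; an empty list
    means the headers are at least self-consistent, not that they are true."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = addr_domain(msg.get("From", ""))
    env_dom = addr_domain(msg.get("Return-Path", ""))
    relays = relay_hosts(msg)
    findings = []

    if env_dom and org_domain(env_dom) != org_domain(from_dom):
        findings.append(f"envelope sender {env_dom} is not under From: domain {from_dom}")
    if relays and org_domain(relays[0]) != org_domain(from_dom):
        findings.append(f"last relay {relays[0]} is not under From: domain {from_dom}")

    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "relays": relays,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("consistent", CONSISTENT_MESSAGE)):
        result = check_sender(raw)
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

A mismatch means "unverified", not "forged": legitimate bulk mailings are often sent through a third party's servers, as Amazon's survey evidently was, which is exactly why such mail cannot be told apart from an impersonation by its recipients.  The org_domain() heuristic is a simplification; anything beyond a demonstration should use the public suffix list.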


** *** ***** ******* *********** *************

       Microsoft and the Window of Vulnerability



In many of my speeches, I talk about a "Window of Vulnerability."  When a security vulnerability exists in a product and no one knows about it, there is very little danger.  But this state of security is fragile.  As soon as someone discovers the vulnerability, the danger increases.  If we're lucky, the discoverer is a good guy who does not exploit the vulnerability for personal gain.  Eventually word of the vulnerability gets out, and the danger increases.

This sounds just like the real world, but cyberspace has a crucial difference.  If I knew how to break into a certain kind of ATM, or hot-wire a certain make of car, or pick a certain model of lock, I could teach someone.  The person I taught would then know how, and he could teach others.  But it's a skill, and skills take time to teach.  Cyberspace is different because skill can be encapsulated into software.  If I knew how to break into Microsoft's IIS 5.0, I could turn my knowledge into an exploit and distribute it on the net.  Then, hundreds of thousands of "script kiddies" -- with no skill whatsoever -- could use my exploit to break into IIS 5.0.  The propagation characteristics of virtual vulnerabilities are very different than physical vulnerabilities.

We're seeing this happen right now with an IIS 5.0 vulnerability.  It was discovered by a company called eEye Digital Security, which was nice enough to warn Microsoft and give them time to create a patch.  Then, Microsoft and eEye announced both the vulnerability and the availability of a patch.  A few days later, someone wrote an exploit.  As the exploit made its way through the hacker community, and continues to do so, more and more IIS installations are being broken into.

The press regularly writes the story like this.  First, vulnerability discovered and we're all in danger.  Then, vulnerability patched and we're all safe again.  What they forget is that patches don't work unless they're installed.  And more and more often, people don't install patches.  I predict that years from now, Web sites will still be broken into because of this vulnerability.

So here's the million-dollar question: Is eEye Digital Security part of the solution, or is it part of the problem?  eEye's own legal disclaimer implies that even they're not sure: "In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information."

Microsoft IIS vulnerability:
<http://www.msnbc.com/news/567192.asp>
<http://www.cert.org/advisories/CA-2001-10.html>
eEye Digital Security's announcement:
<http://www.eeye.com/html/Research/Advisories/AD20010501.html>
Microsoft security advisory and patch information:
<http://www.microsoft.com/technet/security/bulletin/MS01-023.asp>
Exploit published:
<http://www.theregister.co.uk/content/4/18734.html>
<http://www.msnbc.com/news/568503.asp?0nm=T23F>
<http://www.infoworld.com/articles/hn/xml/01/05/03/010503hnattacktool.xml>

Schneier's essay "Closing the Window of Exposure":
<http://www.counterpane.com/window.html>
The fallacy of installing patches:
<http://www.counterpane.com/crypto-gram-0103.html#1>


** *** ***** ******* *********** *************

       Counterpane Internet Security News



There have been an enormous number of exciting things going on at Counterpane.  I can't talk about any of it yet, because we're still working on press releases.  We acquired SDII, a small consulting company.
<http://www.counterpane.com/pr-sdiacquisition.html>
More news next month.

Articles on Counterpane have appeared in The New York Times and The Economist:
<http://www.nytimes.com/2001/04/18/technology/18SCHW.html>
<http://www.economist.com/business/displayStory.cfm?Story_ID=569825>

eWeek reported on Schneier's talk at the RSA Conference last month:
<http://www.zdnet.com/eweek/stories/general/0,11011,2705973,00.html>

Bruce Schneier is speaking at ISSA events in New York (May 17), Palo Alto (Jun 6), and Denver (Jun 14):
<http://www.nymissa.org/documents/ISSA_2001_F_425.pdf>
<http://www.issa.org>

Schneier is speaking at the Trema World Forum in Monaco on May 30:
<http://www.trema-world-forum.com/>

_Secrets and Lies_ won a "Jolt" award from Software Development magazine:
<http://www.sdmagazine.com/features/jolts/>
<http://www.counterpane.com/pr-joltaward.html>

And Counterpane is still hiring:
<http://www.counterpane.com/jobs.html>


** *** ***** ******* *********** *************

               Security Standards



Andrew Tanenbaum once quipped that the great thing about standards is that there are so many to choose from.  Despite numerous efforts over the years to develop comprehensive computer security standards, it's a goal that remains elusive at best.

It all started with the Orange Book.  As far back as 1985, the U.S. government attempted to establish a general method for evaluating security requirements.  This resulted in the "Orange Book," the colloquial name for the U.S. Department of Defense Trusted Computer System Evaluation Criteria.  The Orange Book gave computer manufacturers a way to measure the security of their systems and offered a method of classifying different levels of computer security.

The goal was to aid government procurement, but it also held the promise of benefiting the entire industry as well.  That never came to pass, primarily because certification testing was expensive and controlled by only a few labs, and the resulting designations weren't well-suited to the civilian marketplace's needs.

There have been other efforts over the years to codify security, but they were unsuccessful.  Now, several industries are rallying around the Common Criteria, an ISO standard (15408, version 2.1) that provides a catalog of security features such as confidentiality and authentication.  Companies and industries using this document are expected to include these concepts in a more specific "protection profile," which is basically a statement of security requirements.

Then, individual products can be tested against that profile.  For example, a smart card could be tested against a protection profile with such attributes as resistance to cloning, security of protocols and protection against physical reverse engineering, and a firewall could have a different protection profile that includes attributes related to its security and functionality.

It's a great idea, and puts more meat on the bone than past efforts.  But don't expect it to work except in a few isolated areas.  The problem is that these standards are too general.  They won't tell you how to configure your CheckPoint firewall, or what security settings to run on Windows 2000.  It's not a shortcoming in the standards; it's just not feasible to document an infinite number of scenarios.

Consider something truly quantitative: say, a configuration guide on the best way to secure Red Hat Linux 6.0.  It could be an excellent standard, but it will probably be obsolete in a few weeks.  It will certainly have to be revised for version 6.1.  And it can't possibly help you configure Solaris version 3.2, let alone Windows NT SP 4.0.

On the other hand, some standards can be too specific, making it almost impossible to test a general system.  Remember when Windows NT received the Orange Book's C2 security rating?  The rating was only good for a specific configuration of Windows, one unconnected to the network and without any removable media.  What about a rating for the overall security of Windows NT?  Forget about it!

The bottom line is that while these standards can be very useful for certain applications, they aren't useful for gauging enterprise security in general.  The Common Criteria is a great document, and companies like Visa are putting a lot of effort into turning it into something that they can use for their own purposes.  The credit card company is currently using the document to specify security levels of hardware and software.  But that's only a special case; no one else can take what Visa did and make use of it.

I have long joked that given any general security standard, I could design a product that 1) met the standard, and 2) was still insecure.  Given this truism, it's no wonder that these standards don't find much utility in the commercial world.  And it's no wonder why there are so many standards to choose from.

Common Criteria:
<http://www.commoncriteria.org>

NSA's Rainbow Series, including the Orange Book:
<http://www.radium.ncsc.mil/tpep/library/rainbow>

There are configuration guides that are designed to help you with specific products.  This SANS Windows NT guide is an excellent example:
<http://www.sans.org/newlook/publications/ntstep.htm>
So is Phil Cox's Windows 2000 guide:
<http://www.systemexperts.com/win2k.shtml>


** *** ***** ******* *********** *************

            Safe Personal Computing



I am regularly asked what the average Internet user can do to ensure his security.  My first answer is usually "Nothing; you're screwed."  But it's really more complicated than that.

Against the government there's nothing you can do.  The power imbalance is just too great.  Even if you use the world's best encryption, the police can install a keyboard sniffer while you're out.  (If you're paranoid enough to sleep with your gun and laptop under your pillow, this article is not written for you.)  Even big corporations are difficult to defend against.  If they have your credit card number, for example, there's probably no way to make them forget it.

But there are some things you can do to increase your security on the Internet.  None of these are perfect; none of these are foolproof.  If the secret police wants to target your data or your communications, none of these will stop them.  But they're all good network hygiene, and they'll make you a more difficult target than the computer next door.

1.  Passwords.  You can't memorize good enough passwords any more, so don't bother.  Create long random passwords, and write them down.  Store them in your wallet, or in a program like Password Safe.  Guard them as you would your cash.  Don't let Web browsers store passwords for you.  Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms.  Assume that all PINs can be easily broken, and plan accordingly.

2.  Antivirus software.  Use it.  Download and install the updates every two weeks, and whenever you read about a new virus in the media.  Some antivirus products automatically check for updates.

3.  Personal firewall software.  Use it.  There's usually no reason to allow any incoming connections from anybody.

4.  E-mail.  Delete spam without reading it.  Don't open, and immediately delete, messages with file attachments unless you know what they contain.  Don't open, and immediately delete, cartoons, videos, and similar "good for a laugh" files forwarded by your well-meaning friends.  Turn off HTML mail.  Don't use Outlook or Outlook Express.  If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any sources unless you have to.  If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files.  Uninstall the Windows Scripting Host if you can get along without it.  If you can't, at least change your file associations so that script files aren't automatically sent to the Scripting Host if you double-click them.

5.  Web sites.  SSL does not provide any assurance that the vendor is trustworthy or that their database of customer information is secure.  Think before you do business with a Web site.  Limit financial and personal data you send to Web sites; don't give out information unless you see a value to you.  If you don't want to give out personal information, lie.  Opt out of marketing notices.  If the Web site gives you the option of not storing your information for later use, take it.

6.  Browsing.  Limit use of cookies and applets to those few sites that provide services you need.  Regularly clean out your cookie and temp folders (I have a batch file that does this every time I boot).  If at all possible, don't use Microsoft Internet Explorer.

7.  Applications.  Limit the applications on your machine.  If you don't need it, don't install it.  If you no longer need it, uninstall it.  If you need it, regularly check for updates and install them.

8.  Backups.  Back up regularly.  Back up to disk, tape, or CD-ROM.  Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site.  Remember to destroy old backups; physically destroy CD-R disks.

9.  Laptop security.  Keep your laptop with you at all times when not at home; think of it as you would a wallet or purse.  Regularly purge unneeded data files from your laptop.  The same goes for palm computers; people tend to keep even more personal data, including passwords and PINs, on them than on laptops.

10.  Encryption.  Install an e-mail and file encryptor (like PGP).  Encrypting all your e-mail is unrealistic, but some mail is too sensitive to send in the clear.  Similarly, some files on your hard drive are too sensitive to leave unencrypted.

11.  General.  Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.  If possible, don't use Microsoft Windows.

Honestly, this is hard work.  Even I can't say that I diligently follow my own advice.  But I do mostly, and that's probably good enough.  And "probably good enough" is about the best you can do these days.


** *** ***** ******* *********** *************

             Comments from Readers



From: David Wallace <[log in to unmask]>
Subject:  Military History and Computer Security

I was taken aback by your assertion that a burglar alarm works because "the attacker doesn't know they're there."  After all, "true victory consists of breaking the enemy's will without fighting."  The first line of defense is deterrence, the number one reason for installing a burglar alarm.  Security starts with making yourself a more difficult target.  Hence the "Premises protected by" stickers in windows and "Alarm" signs in front yards.  They encourage a potential attacker to pick another, less heavily defended, target.  In fact, the target may be completely undefended, protected only by signage purchased at a hardware or department store.

The Internet makes deterrence a little more dicey.  First off, the alarm is necessary, but the "alarm" sign is impractical.  It is a potential "red cape" waved at a hacking "bull."  It may also tip the defender's hand by revealing his defenses.  In the physical realm there are a wide variety of systems and sensors to deploy to "measure."  In the virtual, there are fewer, they are less easily understood, and harder to install and configure.

Once deterrence fails, detection becomes key.  In the physical world, the alarm system monitors a variety of metrics to evaluate defensive posture (system armed/unarmed), readiness to respond (sensor operational/deactivated), and violations of its sensors (heat, motion, noise, moisture, or sensor loss).  The Internet alarm performs the same functions, and performs them in much the same way.

The next step in deterrence is the concept of "unacceptable losses".  Here the two worlds both converge and diverge.  They converge on the definition of unacceptable losses.  On both the physical and logical plane unacceptable losses include arrest, conviction, fine, and/or imprisonment.  They diverge in the likelihood of suffering unacceptable losses.

As you note in _Secrets and Lies_, in physical security, the attacker must be physically present, rendering him not only detectable, but visible, and apprehendable.  The Internet removes that risk from the attacker, allowing him to strike remotely and in relative anonymity.

Once attacked, there are two phases to the defense: Repel and counterattack.  In the physical world, once an attacker is repelled, you follow up with counterattack.  Repelling the attack is accomplished by holding ground and buying time while the resources needed to stop the attack are marshalled and committed (amateurs debate tactics, professional soldiers argue logistics).

Counterattack is accomplished by understanding the attacker's objective and the resources he has committed to the attack.  The defender manipulates these variables to expose vulnerabilities in the attacker's position which can be exploited.  These can weaken the enemy, forestall his attack, and potentially force his retreat.  If retreat can be forced, it can be followed up with pursuit, further weakening the attacker, deterring future aggression, and potentially reducing the attacker's resources below the level necessary to support another assault.

Unfortunately, counterattack and pursuit do not transfer well to the virtual battlefield.  About the only option is to repel.  The logical version of counterattack is limited to prosecution, which proves difficult when attacks occur across state and national boundaries.  Even when prosecution does occur, it is hampered by poor forensics, poor laws, and general ignorance within the court system (see the judge in the Mitnick trial).

So what can you do to defend?  Roll deterrence into your defense.  Monitor.  REVIEW THE LOGS!  Have an incident response plan.  Partner with law enforcement and a professional forensics team.  Be prepared to go public when attacked.  Aggressively prosecute intruders whenever possible.  Develop a reputation as a target to stay away from.


From: Henry Spencer <[log in to unmask]>
Subject:  Military History and Computer Security

I would argue that there's a third issue, more important on the military side although it's not clear that there is any useful Internet analogy.  Another old military axiom: "the attacker must vanquish; the defender need only survive."

The defender's biggest advantage is that the attack has to make progress to succeed, and the defense doesn't.  This puts the attacker out in the open, moving forward, while the defender is stationary and under cover -- less visible, better protected, and much more easily connected to communications and supply lines.

This shows, for example, in a traditional distinction between two types of hand grenades:  offensive and defensive.  An offensive grenade has a rather limited lethal radius, because it's meant to be used by attackers, who may be on the move or behind poor cover; in particular, it relies more on blast than on fragmentation.  A defensive grenade is designed to be lethal over the widest possible area, for use by people who are safely ensconced behind solid cover and may be (locally) badly outnumbered.  (I am not sure this distinction is still made nowadays, since even defensive forces now tend to emphasize mobility, but at one time it was taken quite seriously.)


From: "Gerard Joseph" <[log in to unmask]>
Subject:  Military History and Computer Security

I keep thinking about the apportionment of blame between the innocent defender and the guilty attacker.  Presumably, a bank robber would still be charged and found guilty even if one night the bank completely forgot to lock its doors or set its alarms.  But in that case I'm sure the bank would be held partly responsible for the attack.  If someone takes a shot at me while I'm ambling on the street, then he will always be guilty, even though I might have been negligent in walking on that particular street at that particular time.  It seems that in all cases there develops, over time and in accordance with local norms and experience, a state of equilibrium between the rate of crime and the level of defenses that are customarily implemented to thwart criminal acts.  Ideally, this state represents an optimal balance between the level of crime and the cost of relevant defensive measures.  A criminal who succeeds in spite of those defenses is more readily seen to be guilty, while a victim who falls short in implementing accepted levels of defense is less readily seen to be innocent.  But in no case does the victim's negligence excuse or justify the crime, nor does the criminal's ability to overcome your defenses excuse or justify their absence.

I think as far as the Internet is concerned, we are groping towards the defining equilibrium between crime and defense.  Right now, there is a set of protective measures whose omission would certainly represent culpability on the part of a defender, and there is a set of attacks whose commission would certainly represent a crime (whether legally recognized or not) on the part of the attacker.  But in between there is a grey area of defenses and attacks that lack categorical classification.  To date, though, I think we've been too lenient on both complacent defenders and aggressive attackers.  That must and surely will change.  A starting point would be for the media to stop interviewing hackers as if they were just ordinary community-minded citizens.


From: Stephen Tye <[log in to unmask]>
Subject: e-mail filter idiocy

I have read your article and I can understand your annoyance at having your e-mail blocked for containing the unrelated words "blow" and "job".  I admit the sample text censor scripts that we provided in MailMarshal version 3.3 have a couple of anomalies like this that would false trigger.  We have done a lot of work on our sample text censor scripts for the next version release to improve them and minimize false triggers.

MailMarshal is a tool to allow companies to apply corporate policy to their e-mail.  Technically MailMarshal did exactly what it was told to do, which was to block e-mails with the words blow and job in them.  In this case it was the script that was at fault, not the product.

Depending on how the company has set up our product to match their corporate guidelines, it is highly likely that the intended recipient of your e-mail also received a notification e-mail informing them that your e-mail did not arrive.  The e-mail you sent would have most likely been quarantined and could have been easily released by the administrator.  The line "blow and job" could have then been removed from the text censor script and the problem would never occur again.

If it is the organization's policy to block any e-mails which contain the words "IL*VEYOU" in the subject, then that is their choice and MailMarshal will allow them to enforce that policy.  We normally only suggest using a text censor script in this way when there is a virus alert and you would like to implement some protection until you can get your antivirus product updated.  Otherwise we find scanning e-mails with an antivirus product and implementing rules that block e-mails which contain EXE or VBS attachments (which normally have no business use for end users) an effective protection against e-mail borne viruses.

As you well know, security is process, not product.  MailMarshal is a tool that allows you to apply that process.  It will only action what it has been told to do.
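As an added example (not code from the newsletter, from the reader, or from MailMarshal), here is the kind of mail-gateway policy described in this reply and in item 4 of "Safe Personal Computing" above: block script and executable attachments, catch a script extension hidden behind a "known" file type of the sort Explorer hides by default, and a temporary glob-style Subject rule for a virus alert. The extension lists, function names and the sample message are my own assumptions.

```python
import fnmatch
import email
from email import policy
from typing import List, Optional, Tuple

# Assumed policy list: extensions that run code when double-clicked on Windows.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Assumed list of "known file types" whose extension Explorer hides by default;
# a script extension appended after one of these is the masquerade item 4 warns about.
FAMILIAR_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "doc", "xls", "pdf", "htm", "html", "avi", "mpg"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason to block the attachment, or None if its name passes policy."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all: leave it to the antivirus scanner
    ext = parts[-1]
    if ext not in BLOCKED_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in FAMILIAR_EXTENSIONS:
        return f"script/executable .{ext} disguised as .{parts[-2]} (double extension)"
    return f"script/executable attachment .{ext}"


def screen_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 822 message; list (filename, reason) for every blocked attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or container part, not a named attachment
        reason = classify_attachment(name)
        if reason:
            findings.append((name, reason))
    return findings


def subject_blocked(subject: str, pattern: str) -> bool:
    """Temporary virus-alert rule: case-insensitive glob match on the Subject, e.g. "IL*VEYOU"."""
    return fnmatch.fnmatchcase(subject.upper(), pattern.upper())


# Constructed sample message (not from the newsletter): a "good for a laugh"
# forward whose attachment hides a .vbs script behind a .jpg extension.
SAMPLE_MESSAGE = b"""From: friend@example.invalid
To: you@example.invalid
Subject: Fwd: funny holiday cartoon
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached cartoon, it's hilarious!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday_cartoon.jpg.vbs"

(placeholder bytes, not a real script)
--b1--
"""
```

Running `screen_message(SAMPLE_MESSAGE)` flags the one attachment as a .vbs disguised as .jpg; a plain `report.pdf` passes and is left to the antivirus scanner.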


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a blank message to [log in to unmask]  To unsubscribe, visit <http://www.counterpane.com/unsubform.html>.  Back issues are available on <http://www.counterpane.com>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise.

<http://www.counterpane.com/>

Copyright (c) 2001 by Counterpane Internet Security, Inc.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************
