Josh Corman from ISS/IBM is ready for change. He lays out a call to action over on fudsec.com. Lots of good comments over there. Here is my contribution:

I agree wholeheartedly that we need to consider evolution and that our profession is reticent to do so. Compliance slows things down even more. We have plenty of opportunities for re-architecting security as the components are already there. Consider taking deperimeterization to its logical conclusion. Or integrating obfuscation, transformation, tracers, and tethers into an architecture.

I wrote a column for ISSA Journal a while back with some ideas for security evolution:

1. Conscientious software
2. Remote attestation
3. Microsecurity
4. Contextual mapping
5. Hyperdynamic processing

(see http://spiresecurity.com/?p=208 for more information).

The cool thing is that this is about evolution and not revolution – the roots of capabilities like trusted computing, for example, are well-defined and simply need to be applied to today’s architectures.

I think virtualization and cloud computing have really exposed internal computing components in ways that make evolution discussions very timely.

1) Users read way too much into its functional value.

2) The threat model for sensitive Web data has never been one of sniffing traffic. There are still way too many accessible websites for this to be the case.

3) If you are going to compromise some device, you might as well compromised the host and not some intermediate device.

4) The bad guys are now leveraging SSL more and more to shield their activities from good guy sniffers.

Sure, it is needed nowadays for basic authentication protection, but we really shouldn’t be using userid/password pairs in clear text anyway.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Litan said in an accompanying statement. "Compare [that] with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach," she added.

This is useful stuff, but I can’t quite agree with Perilocity’s conclusion:

So if you split the difference and spend $10/customer on security as prevention, that stitch in time really does save nine stitches fixing it later. Prevention is good risk management.

This only works if you can either predict which of your laptops are going to be compromised, or you assume that more than 1 in 9 of your total laptops will be compromised.

Chris Walsh at Emergent Chaos has good details.

Update: I just realized that I’ve been assuming "laptops" all along, since the Gartner estimates initially made the news when Gartner testified before Congress about the VA debacle. The key denominator here is the customer account, and the security costs discussed are server-side costs. Obviously, my assumption is quite different from the scenario in the Gartner report. From what I can tell, the Gartner estimates don’t even include client-side security (encryption and/or HIPS), which means that the VA (or anyone compromised) would have spent the money for prevention against the wrong attack, then would have incurred the costs of the breach as well.

]]> http://spiresecurity.com/?feed=rss2&p=407 0 http://spiresecurity.com/?p=459 http://spiresecurity.com/?p=459#comments Sat, 18 Feb 2006 04:10:26 +0000 Pete Lindstrom http://spiresecurity.com/blog/?p=459 Read more →

"it looks like Eckworth used a Diffie-Hellman encryption code…basically impossible to crack" on the password for his second screen name.

Hmm, even I may be able to help the FBI on this one:  The "technical expert" who reported those details is colluding with the bad guys! Don’t listen to her and arrest her immediately! (Man, my Encyclopedia Brown days are rushing at me on this one).

I know there have been many references to crypto and other security tools in television and movies that are amusing. Please feel free to leave your favorite reference in the comments section (or a link if somebody is doing this already). (I think The Net with Sandra Bullock had an IP address in the 500 range…)

"We use SSL encryption, so your information is secure."

This is a circa-1997 security logic failure.

Phil Zimmermann criticizes existing VoIP cryptographic solutions for relying on PKI.  Given the fact that Zimmermann’s PGP technology has always been an alternative to PKI based technologies, one can expect a bit of a natural bias against PKI-based solutions.  Just about every other PKI-alternative cryptography company has gone as far as declaring PKI dead even tough PKI has been thriving for the last decade with E-Commerce leading the charge in a massive global PKI implementation.  I’ve personally designed and deployed many PKI solutions for large corporations for all sorts of security applications ranging from remote VPN access to wireless LAN security, and I can attest that the technology is simple, scalable, and reliable.  It’s an undeniable fact that any solution that promises to bypass PKI always end up being more trouble than it’s worth.

While there does seem to be growing evidence of PKI "winning" the war of trust, this is likely not a zero-sum game – the two can coexist easily. In fact, Zimmermann highlights the real difference quite clearly – either a hierarchical, organized key management system (PKI) is useful within your enterprise, or it’s not (PGP). And if you have both, you build a bridge.

It is surprising to read Ou criticizing Zimmermann’s bias without addressing his own (as a "personal designer and deployer of many PKI systems"). What’s more, to suggest there is such thing as an "undeniable fact" within the confines of his argument is outright laughable and stoops to the kind of rhetoric people use to support a weak argument. I am not sure why he chose to use this kind of "chump change" in an argument that I believe is fairly strong to begin with.

As with all technology, PKI is always evolving. What may have been true 7 or 8 years ago isn’t necessarily true today. Key management and identity validation have always been the strong points of a PKI, and always will be, but there are many, many hybrid solutions (Certificate Management Solutions?) out there that are good enough for whatever problem they are trying to solve.

Anyway, Anderson’s big concern was lock-in – the idea that with NGSCB, Microsoft could lock-in its customers with Microsoft Office because the file creator held the key. Certainly, lock-in exists everywhere – why do you think we have so many different battery sizes? An attempt at lock-in that never really worked. Even train tracks and paper form printers were manufactured for lock-in. And yes, every morning the razor you use is likely to be an attempt at lockin.

So, Anderson has written things like:

"The main effect of Trusted Computing may be to increase the lock-in of users of products such as Microsoft Office, and thus in the medium term raise the prices that can be charged for them. "

and

"Locking competitors out of application file formats was one of the motivations for TC: see a post by Lucky Green, and go to his talk at Def Con to hear more. It’s a tactic that’s spreading beyond the computer world. Congress is getting upset at carmakers using data format lockout to stop their customers getting repairs done at independent dealers. And the Microsoft folk say they want TC everywhere, even in your watch. The economic consequences could be globally significant. "

Now Microsoft has gone and ruined everything by announcing that the next generation of Office will use XML as its primary file format.

USA Today even goes so far as to say:

The new format will make it easier for other programs to read Office documents, an improvement the software titan says is aimed at boosting workers’ productivity.

Could be a big snow job by Microsoft, and certainly it is possible to maintain lock-in simply using DRM rather than file formats. But it doesn’t seem likely that either NGSCB or Office will be promoting any lock-in that is insurmountable.

I wonder if Ross Anderson will modify his opinion on NGSCB.

Here’s what I don’t get – why don’t people rip on Apple or Sun or Sony, too? Even Adobe gets barely a ripple of backlash… Apple is my biggest kick because there is a company that plays hard and tough with intellectual property.