March 29, 2005
Two-factor authentication is a necessary step in the arms race
Well, I'm a bit slow off the mark responding here, but a couple of weeks ago well-known security expert Bruce Schneier (BS) published a blog entry about the failure of two-factor authentication (2FA). BS argues that in the long run 2FA will not improve security at all because of two attack vectors: Trojans and man-in-the-middle (MiM) attacks.
While it's quite true that these attacks pose problems for 2FA, it is a little shortsighted to say that 2FA will serve no useful purpose in improving security. BS makes the assumption that the Trojan problem and the MiM problem will not go away, and hence will become the main avenues of attack.
But what if we can solve the Trojan and MiM problems? Then 2FA is very useful indeed, because, as BS points out in his blog, it solves a whole host of weaknesses with traditional, one-factor passwords:
"Two-factor authentication mitigates this problem. If your password includes a number that changes every minute, or a unique reply to a random challenge, then it's harder for someone else to intercept. You can't write down the ever-changing part. An intercepted password won't be good the next time it's needed. And a two-factor password is harder to guess."
Furthermore, even if we don't solve the Trojan and MiM problems, 2FA still makes exploitation harder for the attacker, because the attacker must act when the victim logs in, and cannot delay the attack. Without 2FA, a Trojan can garner sensitive information such as passwords and use that information at any time in the future. This allows an attacker to do things like sell that information to third parties. But with 2FA, this is no longer possible, because the password information will be useless from one moment to the next. Hence the attacker is constrained to act before the user logs out. Of course, the attacker can still do a lot of damage, but my point is simply that it raises the bar.
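To make the timing argument above concrete, here is an added example (mine, not code from the original post or from any vendor named on the page): a minimal time-based one-time code in the style of HMAC-based OTP tokens, with a 30-second step and six digits as assumed settings, and a verifier that accepts each code only once per step. A code captured by a trojan or a man-in-the-middle is accepted if the attacker submits it inside the same window, but the same code presented a second time in that window, or stored and tried a day later, is rejected. The secret and timestamps are constructed sample values.

```python
"""Added example: one-time codes are useful to an attacker only in real time."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed token step; a common setting, not from the post
DIGITS = 6          # assumed code length


def totp(secret: bytes, now: int) -> str:
    """HMAC-SHA1 over the 30-second counter, truncated HOTP-style to 6 digits."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10**DIGITS:0{DIGITS}d}"


class Verifier:
    """Server side: accepts only the current step's code, and each code once."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used: set[tuple[int, str]] = set()   # (counter, code) already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False                          # wrong, or from a stale step
        if (counter, code) in self.used:
            return False                          # replay inside the same step
        self.used.add((counter, code))
        return True


def demo() -> dict[str, bool]:
    secret = b"constructed-shared-secret-for-demo"   # constructed sample secret
    t0 = 1_112_000_010                              # constructed time, start of a step
    server = Verifier(secret)

    # The user types the code at t0; a trojan or MiM sitting in front of the
    # user sees it first and submits it before forwarding the user's request.
    captured = totp(secret, t0)
    results = {}
    results["attacker_within_window"] = server.verify(captured, t0 + 5)   # accepted
    results["second_use_same_window"] = server.verify(captured, t0 + 8)   # replay, rejected
    results["attacker_next_day"] = server.verify(captured, t0 + 86_400)   # stale, rejected
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The first line of output is Schneier's point: the interceptor who acts at once gets in. The other two are the point made above: the same capture cannot be resold or used at leisure, because a one-time code is bound to a single short window and to a single use.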
In summary, let's not dismiss 2FA just yet! Security, as we all know, is an arms race, and 2FA is definitely a move forward by the defenders. Just because it's not infallible and there are currently ways around it, doesn't mean that it's useless. It reduces the attack surface, and that's a lot of what this game is all about. I predict that we're going to see widespread usage of it, and it will make a tremendous difference.
Posted by sana at 02:10 PM
Why would anyone attack me?
After hearing yet another person say that he was not too concerned about security because he had nothing he cared about the confidentiality of, I felt I should post briefly the answers I have given so many times to those sorts of remarks. For those readers who know anything about security, there is nothing new here.
You should always be concerned about security, because you will always be a target. Even a home computer that has no confidential information on it will likely be targeted, for several reasons.
1. Automated threats such as worms and viruses don't care what they infect, they infect whatever they can, generally indiscriminately.
2. Your computer represents computing resources. It probably has a lot of processing power that you rarely use, and a lot of unused disk space. The perfect place for storing hacker warez or pornography, and if you're on a broadband link, the perfect system for using to launch a denial-of-service attack, or as a file server. The fact that you are an unimportant, obscure user only makes it more appealing, because the attacker is less likely to be found out.
3. You represent an interesting target for advertisers and spammers. Hence the proliferation of spyware and adware: as long as you are surfing, you are a reasonable target for such dirty tricks.
You should care about this, because if your computer gets hacked and malware gets on it, it can at best ruin your computing experience by grossly slowing down your machine and making it crash, and at worst it can make your computer party to a crime such as serving child porn or participating in extortion attacks.
Posted by sana at 10:59 AM
March 28, 2005
Malware on every device
The Register has an amusing article on exploiting cell phones. We are seeing these kinds of stories with increasing frequency of late. For example, there is a recent article on a Symbian trojan that attacks AV software. But cell phones are not the only devices at risk of being targeted by attackers. As devices with increased computing power proliferate, more and more of them are going to be vulnerable.
This will extend to all sorts of devices. For example, there was the rumor about a virus in Lexus car onboard computers, which was unfounded but nonetheless points the way to the future, since such a virus is feasible. Other devices include things such as home entertainment systems, home control systems, even toasters!
The implications of this proliferation of devices for security are huge. We can no longer rely on the old antivirus model of updating signatures to take care of the problem. Signatures are too slow, too reactive and too costly. Furthermore, devices will be vulnerable as soon as they are shipped, and signature-based AV is not going to help, because by the time the user gets the device, the signatures will already be out of date, and many people won't be able to or won't want to keep those signatures up to date: according to an NCSA/AOL survey in October of last year, two-thirds of PC users do not have up-to-date AV.
Think about it: would you want to pay for signature updates for your TV, your car, your computer, your cellphone, your ...?
Posted by sana at 01:09 PM
March 10, 2005
Where have all the worms gone?
We haven't seen a serious network worm in what appears to be ages. People are beginning to forget about the devastation wreaked by Slammer, Blaster and all the others, especially in the light of other pressing problems such as phishing and spyware.
But why haven't we seen a virulent, destructive network worm? I've heard several different theories and predictions:
1. All the worm writers are just dumb kids who have got scared because they've seen other worm writers put behind bars. This strikes me as a specious argument: I suspect that the testosterone-rich environment of young worm writers who are doing it for the glory is not dissimilar to that around extreme sports such as urban-assault biking or extreme snowboarding, and in those sports, the element of danger adds to the thrill - if one person gets seriously injured, it often doesn't put everyone else off, it just ups the ante.
2. All the worm writers are now in the employ of evil geniuses who are focused on profits and world domination. Hence they are doing more subtle and lucrative things, are too busy to write worms, and are no longer interested in them either. I don't buy this one either: it doesn't take long to write a worm on the side, and we have no evidence that the people who used to write worms are now employed by crime syndicates. In fact, if worm writers traditionally did it for the glory, they might be the ones least likely to be employed by organized crime, because they can't be trusted to be stealthy. Furthermore, what better way to phish than getting a trojan onto a victim, and what better way to get the trojan there than through a worm? And if you want to own a large number of computers for launching denial-of-service attacks as part of an extortion racket, what better way to get those computers than via a worm?
3. Networks are getting more secure and hence there is less ability for worms to wreak havoc, so worm writers have not bothered writing new worms. This is patently untrue: for example, a recent vulnerability reported on February 8th is a buffer overflow in SMB that affects all Microsoft platforms, including servers and desktops/laptops. It's a prime candidate for a worm because exploiting it can give ring 0 privileges, and it affects so many systems. In fact, Jose Nazario of Arbor Networks has tried to formalize this notion with his concept of "wormability", which refers to how suitable a vulnerability is for use by a worm. He shows that in 2004 there were 11 highly wormable vulnerabilities, only one of which actually had a worm exploit it.
4. Another one I heard recently is a comment by Charles Ahn in which he says that 2005 will be a big worm year, because worms come in two year cycles. To justify this claim, he refers to the fact that 2001 was a big worm year, with Ramen, Nimda and Code Red, 2002 was quiet, 2003 was big again with Slammer and Blaster, and 2004 was quiet. Such reasoning would be considered laughable by anyone with a decent knowledge of statistics: to predict a trend based on what is essentially two data points is rather a wild leap.
Any other ideas out there? Let me know. Personally, I'd be willing to attribute it purely to the vagaries of chance - I don't see any pattern here. The issue is that the impact of one nasty worm can be enormous, but it takes just one twisted individual (and not even a hugely skilled one at that) to write a worm. And the impact is out of all proportion to the occurrence. There may be many wormable vulnerabilities, but predicting the occurrence of a worm, when so very few of them do occur, is akin to predicting the behavior of a few isolated individuals out of millions. We may have the ability to predict human behavior in some circumstances in large groups, but in this case, I suspect we have no predictability whatsoever.
But then again, perhaps we have already had a few large-scale worms in 2004 and never noticed them. A theoretical possibility is a worm that spreads slowly and surreptitiously, and upon infiltrating a host, installs a kernel rootkit and leaves itself completely untraceable. And perhaps, even when the rootkit is detected, no one realizes that it was deposited via a worm; perhaps, we think, it was merely deposited via a spyware download. In fact, how do we know for sure that amongst the plethora of spyware and trojans on the typical machine, nothing was deposited via a worm?
In conclusion, I believe that the network worm is not dead, just in abeyance, and all hell could break loose at any time, depending on the whims of a few individuals.
Posted by sana at 04:19 PM
March 04, 2005
Network access control: a forlorn attempt to rebuild the perimeter
Let's face it, the perimeter is moribund, and no amount of desperate longing is going to bring it back. Certain segments of the industry recognize this and embrace the power and flexibility it gives business. For example, the Jericho Forum talks enthusiastically about "de-perimeterisation". They discuss the enormous savings they foresee in both cost and manpower, and the increased flexibility achieved by moving away from the definite perimeter.
But not all are happy with the loss of the perimeter. In particular, some industry giants seem to regard the perimeter as the only way to truly secure systems. For instance, Cisco is touting Network Admission Control (CNAC) as a way of protecting the computing devices on the network by only allowing those mobile devices that are "sufficiently secure" to connect to the network, for some definition of "sufficiently secure". This is clearly an attempt to return to the perimeter, because NAC is intended to once again create a notion of a secure "inside" versus an insecure "outside": everything verified by NAC is safely on the "inside".
Unfortunately, NAC is based on the assumption that you only really care what happens to devices on the "inside" - it offers no protection for those many mobile computing devices on the "outside". But the problem is that as workforces become more mobile, what happens "outside" matters just as much as what happens "inside", if not more. If the CEO's laptop is compromised "outside" the network, it could be an absolute disaster. It seems to me that as the workforce becomes increasingly mobile, any NAC system will end up protecting a diminishing core of computing resources, with increasing numbers of computing devices existing permanently outside of the protection scheme.
Even assuming that you only care about what happens "inside", there are other problems with the proposed NAC protocols. Industry expert Richard Stiennon has grave doubts about NAC. In his blog he discusses why he believes NAC will "never work". Most striking is his notion that network administrators will never tolerate the addition of extra overhead when trying to connect to the network.
Another problem was pointed out by Vlad Gorelik, CTO of Sana Security. All NAC protocols are designed to quarantine a computing device if its signatures and/or patches are not current. Quarantined computing devices require remediation in the form of downloading patches and signatures to update the device, and are only allowed full access once the device is in compliance. But there is a conceptual flaw in the idea of bringing the computing device into compliance. It may be a simple and rapid matter to update the patches and signatures on the device, but that is no guarantee that the device has not already been compromised and doesn't harbor a nasty trojan. The only way to ensure that the system is not compromised is to do a comprehensive system scan, and that could take hours - if you've ever done a full system scan looking for spyware, you'll know what I mean. And considering the high likelihood of a mobile system not being kept up to date, many devices will require such scanning, which will cripple business operations. But the alternative of just doing a superficial scan is pointless, because it negates the whole idea behind NAC - that of only allowing "clean" devices to connect. A conundrum indeed!
Even if we step away from enforcing signatures and updates using NAC, there are still problems. NAC could be used to ensure that mobile devices are running other security systems that don't rely on signatures and updates, such as behavioral antivirus. Although apparently a good idea, NAC really is superfluous in this situation: if every device "inside" is already protected, then those devices are not under threat from infected machines, so why worry? And if the local security system on those devices is not proof against unprotected "Typhoid Marys", then having an operative security system as a price of admission is not sufficient to protect devices on the "inside".
I believe that the danger of NAC is that it could make people feel safe: it could lull them into a false sense of security and encourage them to live in the past and believe that once "inside", you can be open and relaxed; behind the fortress walls, you can let down your guard. That is a highly dangerous notion indeed: I'm worried that NAC is the placebo that encourages enterprises to ignore the very real danger that modern attack techniques pose in today's dynamic and distributed business environment.
Posted by sana at 12:15 AM