Thursday, September 30, 2010

Risk Homeostasis as Applied to Information Security.

I recently came across the term risk homeostasis, which in a nutshell means that people have a certain risk tolerance, and efforts to reduce risk in one area will increase risk in other areas. A well-cited example of this was a study of taxi cab drivers in Munich, Germany. The study equipped half of the cabs with ABS (anti-lock braking system) and left the other half without it. As ABS is designed to reduce the risk of an accident during sudden braking, you would think the net effect of installing ABS would be a reduction of accidents in cars with ABS. However, the opposite was true: cab drivers with ABS-equipped cars increased their accident risk by modifying other behaviors, such as speeding and more sudden braking, as they assumed ABS would take care of them. But it doesn't.

As I think of this concept and how it affects the information security industry, I would like to offer my observations in the following example.

A/V and the user:

Since the early years of the PC, viruses have become a dominant force in the computing landscape, spawning a multi-billion dollar industry. It is a common belief that having anti-virus software, much like ABS for cars, will protect your computer from contracting a computer virus, and if users stick to word processing, exercise caution in email, and are vigilant about updating their software this might be true. However, users know they have A/V software and expect it to protect them, so they modify their behavior. Computer users become lax about updating their software, download music, movies, games, etc. from file sharing applications, and disregard what they have been told about safe email practices; consequently they have accidents: their computers become infected.

As a collective we think of A/V software working in much the same way as getting a vaccination for smallpox: we get the vaccination plus any required booster shots and we don't get smallpox, end of story. Except that while A/V software is designed to work in the same way, it doesn't. A/V software as an industry catches 80% to 90% of known viruses, which is fairly good odds unless your particular software doesn't catch the one you come down with. However, virus writers have figured out they can mutate the virus code and make it less detectable, leaving the industry, in my experience, catching 60%-70% of mutated viruses. Now if A/V software is presented with a truly novel virus, the odds of successfully detecting the virus with A/V software in my experience plummet to somewhere south of 10%. This is the part end users and many IT folks fail to grasp: their odds of coming across a novel or mutated virus are 1000 times more likely.

Don't get me wrong, I am not saying A/V software is useless; I actually do highly recommend it. What I am saying is, in assuming A/V software will protect us from viruses, we have failed to recognize and appreciate the willingness of users to modify expected behavior and take on more risk based on faulty assumptions.

Wednesday, September 15, 2010

I've seen the Vulnerability...and it is us!!!!

Hi. While I was in San Francisco at the RSA conference, attending a lot of sessions, I began to develop many thoughts that apply to my day job and can be abstracted further and applied to Information Security, so here is the first.

I've seen the vulnerability in the system and it is us.

What do I mean by this? Simply put, our own internal divisions, politics, agendas, and silos create a vast and gaping vulnerability that can be, and is being, exploited or used against us. These divisions create gaps and blind spots, so that we either can't see, or choose not to see, the common vulnerabilities that surround us.

Tuesday, August 31, 2010

Introduction:
We have all seen them, you know, the password strength meter. These meters let users determine what a quality password is; however, they can be misleading. Most of these tools assess the strength of a password when attacked by one specific attack, the brute force attack. For instance this one (http://howsecureismypassword.net/), featured in a recent post on lifehacker.com.
The featured strength meter is implemented in JavaScript and does not send data back to a server, so I thought why not try it. I started by entering some variations of passwords I have used and confirmed they are indeed strong. After a little tinkering I thought, “you know, this is not very realistic”: they are only calculating strength against a brute force attack. If I were trying to crack passwords, the very last type of attack I would use would be a brute force attack.
Why? Because there are many other ways to crack passwords in a fraction of the time.
I decided to set up a test. I selected 12 variations of the word “password”, which research shows is among the top twenty most commonly used passwords. As you would expect, the strength meter indicated it would be cracked almost instantly. I quickly learned this particular strength meter places a premium on password length and the use of special characters, even if the password is a variation of a common password. The 12th password I used was “P@ssw0rd1234”; given the use of special characters and a length of 13 characters, the strength meter felt it would take about 100 million years for this particular password to be cracked, leaving the user with the impression that “P@ssw0rd1234” is indeed a good password to use. Let me be clear here: “P@ssw0rd1234” is not a good password to use, because it is a variation of a very commonly used password or dictionary word.
Analysis:
I used two common methods for cracking passwords: the first is a standard dictionary attack and the second is cryptographic analysis. Dictionary attacks are just that: they take a word list and present each word in the list as a password. A good dictionary attack tool will append numbers to each word and replace letters with commonly used symbols, such as @ for a and ! for i. The second technique is called cryptographic analysis, based upon the mathematical concept of time-memory tradeoffs. These are commonly called rainbow tables. The basic theory here is that if we pre-compute chains of password hashes, then in a relatively short period of time we can load the chains in memory and do comparisons (this type of attack is very common and very successful against Windows passwords). In Table 1 you will notice that no matter what the projected time to crack the password, using either attack method it took less than a minute to crack each of them, and when attacked as a lot all 12 passwords were cracked in less than 5 minutes. You will see cryptographic attacks take a little longer than dictionary attacks, but they still offer many advantages when assessing non-dictionary passwords.

Table 1: Projected (strength meter) versus actual time to crack each password

Username | Password     | Estimated time for a desktop PC to crack      | Actual crack time | Type of attack
G1       | password     | common (It would be cracked almost instantly) | 32 sec            | Cryptographic analysis
G2       | Password     | common (It would be cracked almost instantly) | 7 sec             | Dictionary Attack
G3       | password1    | About 117 days                                | 7 sec             | Dictionary Attack
G4       | password12   | About 11 years                                | 7 sec             | Dictionary Attack
G5       | password123  | About 417 years                               | 22 sec            | Cryptographic analysis
G6       | password1234 | About 15 thousand years                       | 26 sec            | Cryptographic analysis
G7       |              | About 6 days                                  | 7 sec             | Dictionary Attack
G8       |              | About 3 years                                 | 67 sec            | Cryptographic analysis
G9       |              | About 237 years                               | 7 sec             | Dictionary Attack
G10      |              | About 17 thousand years                       | 7 sec             | Dictionary Attack
G11      |              | About a million years                         | 7 sec             | Dictionary Attack
G12      | P@ssw0rd1234 | About 100 million years                       | 7 sec             | Dictionary Attack

Conclusion:
In reality, if an attacker is going to crack passwords using only a brute force attack, then long passwords (12+ characters) with the use of special characters (?@#$#&*) would suffice. This is also a good technique to use against cryptographic analysis, only I would recommend a 15+ character password, but in any case I would forget the use of dictionary-based words. The problem with these recommendations is that either the user will use one “complex” password for everything or they will write them down on paper, in Word documents, etc. My recommendation is to do just that: write them down, only in a secure place like a password safe, and use one long and complex password that you can remember to access the rest of them. Password safes have auto-generate functions, which allow for the creation of long, complex, non-dictionary passwords automatically, and better yet, you will never have to remember them.
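The gap between the meter's brute-force estimate and the dictionary attack in Table 1 is easy to reproduce. The script below is an added example; it is neither the strength meter nor the cracking tools used in the post. It scores a password the way a brute-force-only meter does, then applies the mangling rules from the Analysis in reverse (drop appended digits and symbols, undo @-for-a style substitutions, lower-case) and checks the result against a small constructed list standing in for the common-password list. The guess rate of 10^9 per second, the small base-word list, and the 15-character threshold taken from the conclusion are all assumptions of the example.

```python
import string

# Constructed stand-in for the "top twenty most commonly used passwords" list the post cites.
COMMON_BASES = {"password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon"}

# Letter-for-symbol swaps a dictionary-attack tool tries (the post's "@ for a and ! for i"),
# mapped back to the plain letter so a mangled variant can be recognised.
LEET_TO_PLAIN = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

# Assumed attacker speed for the naive estimate; a strength meter bakes in a similar constant.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Keyspace estimate, the way a brute-force-only strength meter scores a password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return pool ** len(password) / guesses_per_second


def normal_forms(password):
    """Undo the common manglings: case, appended digits/symbols, and leet-speak letters."""
    lowered = password.lower()
    # An all-digit password would strip to nothing, so fall back to the lowered form.
    stripped = lowered.rstrip(string.digits + string.punctuation) or lowered
    return {lowered, stripped, stripped.translate(LEET_TO_PLAIN)}


def is_common_variant(password, bases=COMMON_BASES):
    """True if any normal form of the password is a common base word."""
    return any(form in bases for form in normal_forms(password))


def assess(password):
    """Combine the meter's estimate with the dictionary check a meter should also make."""
    years = brute_force_seconds(password) / SECONDS_PER_YEAR
    if is_common_variant(password):
        verdict = "reject: variant of a common password, a dictionary attack will hit it"
    elif len(password) < 15:
        verdict = "weak: under 15 characters"
    else:
        verdict = "ok: long and not derived from a common word"
    return {"password": password, "brute_force_years": years, "verdict": verdict}


# The seven passwords that survive in Table 1 (the G7 to G11 entries are not listed on the page).
TABLE_1_PASSWORDS = ["password", "Password", "password1", "password12",
                     "password123", "password1234", "P@ssw0rd1234"]


def assess_table_1():
    return [assess(p) for p in TABLE_1_PASSWORDS]


if __name__ == "__main__":
    for result in assess_table_1():
        print(f"{result['password']:<14} meter: {result['brute_force_years']:>10.3g} years  {result['verdict']}")
```

Every Table 1 entry, including “P@ssw0rd1234” with its multi-million-year brute-force estimate, normalises back to “password” and is rejected; a long passphrase built from no common base word passes. The same normalise-then-look-up step is what a strength meter or a password-change form needs in order to stop rewarding length and symbols on a word that is already in every attack word list.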

Friday, February 13, 2009

Network Printers

Hewlett Packard recently released a new security patch to fix an authentication bypass vulnerability in specific network printers. This write-up is to serve as a reminder of the importance of securing network printers in general. Network printers are frequently overlooked when securing office networks; sometimes left with default configurations and not patched, they represent a risk to the office network environment.

Network-based printers are much more than just a print device. They typically have full operating systems, hard drives, and a full complement of communication services. Built-in services such as FTP, TFTP, e-mail, web server, and SNMP are increasingly the target of choice for hackers wanting to remain undetected and to gain a foothold in the office network. Because network printer devices are frequently left unsecured, with default passwords and factory default settings, they are easy targets.

Example attacks against printers include bridging between networks (e.g. wireless to LAN or vice versa), sniffing network traffic to steal sensitive data, redirection and spoofing of network traffic, malware distribution, and email spam generation.

Applicable Devices:

All network printing devices, multifunction copiers, and network based fax machines.

Recommendations:

The following are some basic recommendations for printer security in all environments.

· Keep printers up-to-date with latest firmware releases

· Change the default passwords and settings

· Turn off unnecessary services and features

· Consider requiring authentication to print and to use other services (particularly with multifunction devices)

· If available, encrypt the printer’s hard disk

· Include printers in periodic vulnerability assessments of office networks

· Use appropriate network segmentation, ensuring that printers are separated from networks with critical services

· Use printer accounting features and review logs regularly

· When disposing of printers wipe the hard disk drive
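One way to act on the "turn off unnecessary services" and "periodic vulnerability assessment" items is to compare what a printer actually exposes with an approved baseline. The script below is an added example, not from the original post or any printer vendor: it probes a constructed list of TCP ports printers commonly listen on (FTP, Telnet, HTTP, HTTPS, LPD, IPP, JetDirect/9100) and reports anything open that is outside the baseline. SNMP and TFTP, which the post names, run over UDP and would need a separate probe, so they are deliberately left out. The demo runs against a throwaway loopback listener, so it needs no real printer; the port list, the baseline, and the host name are assumptions of the example.

```python
import socket
from contextlib import closing

# TCP services commonly exposed by network printers (constructed mapping of port to name).
# SNMP/161 and TFTP/69 are UDP and need a different probe, so they are not included here.
PRINTER_TCP_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 443: "https",
                        515: "lpd", 631: "ipp", 9100: "jetdirect"}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def audit_printer(host, allowed, services=PRINTER_TCP_SERVICES, probe=tcp_open):
    """Probe each known printer service and return (open_ports, unexpected_ports).

    'allowed' is the baseline of ports the printer is supposed to expose; anything
    else found open is a candidate for "turn off unnecessary services".
    """
    open_ports = [port for port in services if probe(host, port)]
    unexpected = [port for port in open_ports if port not in allowed]
    return open_ports, unexpected


def report(host, open_ports, unexpected, services=PRINTER_TCP_SERVICES):
    """Render the audit result as the lines an assessment ticket would carry."""
    names = [services.get(p, str(p)) for p in open_ports]
    lines = [f"{host}: open services {names}"]
    for port in unexpected:
        lines.append(f"  review: {services.get(port, str(port))}/{port} is outside the approved baseline")
    return "\n".join(lines)


def demo():
    """Stand-alone run against a loopback listener standing in for a printer's FTP service."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))     # ephemeral port, so the demo never needs a real printer
    server.listen(1)
    port = server.getsockname()[1]
    try:
        services = {port: "ftp"}      # label the listener as if it were the printer's FTP port
        open_ports, unexpected = audit_printer("127.0.0.1", allowed={9100, 631}, services=services)
        print(report("127.0.0.1", open_ports, unexpected, services))
        return open_ports, unexpected
    finally:
        server.close()


if __name__ == "__main__":
    demo()
```

Running this from a scheduler against the printer inventory, with a baseline of only the ports the print workflow actually uses (for most sites just 9100 and/or 631), turns the bullet list into a recurring check, and a diff of the output over time shows when a firmware update or a reset to factory defaults has quietly re-enabled a service.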

References:

It's Not Exciting, but Neglecting Printer Security is Dangerous:

http://www.itbusinessedge.com/cm/blogs/weinschenk/its-not-exciting-but-neglecting-printer-security-is-dangerous/?cs=13617

Certain HP LaserJet Printers, HP Color LaserJet Printers, and HP Digital Senders, Remote Unauthorized Access to Files:
http://h20000.www2hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4419

Highlighting Printer Security Issues:
http://www.itworld.com/071101networking

Monday, February 9, 2009

Widely used open source incident response and forensic tool goes commercial

One of the live CD incident response and forensic tools which is widely used in the Information Security industry, and one that I have been using for quite some time, has gone commercial. Helix from e-fense has been an open source platform since its inception; however, they have announced a new model whereby users subscribe to their forum for $14.95/month for the base model.

A little digging has uncovered a site that is still distributing Helix2008 R1; get it while you can, as there most certainly will be no more public releases of this platform. The forensics and incident response communities do have other viable options, but none to date has been maintained as well or is as robust in its tool set for tasks related to forensics and incident response.

Thursday, December 11, 2008

Time is Approaching

I've been spending some time lately preparing for my upcoming presentation on Dec. 17, titled "Is Your Data Exposed". Items I'll be discussing include: do your business needs create liabilities/vulnerabilities/opportunities, change and configuration management, when security products fail you, and of course a few demonstrations. There will be a lot to fit into such a short time.

Who:
IIA (Institute of Internal Auditors - Salem Chapter)

What:
"Is Your Data Exposed"

When:
Wed. Dec 17 11:30am - 1pm

Where:
J James (Salem, OR)


For E-Discovery, Forensic Analysis, Vulnerability Assessment, or Incident Response Services in Salem, Corvallis, or Albany Oregon Check out my website: www.infosecuritypro.com

Friday, November 14, 2008

Presentation

I have been asked by The Institute of Internal Auditors to give a presentation on Information Security. My presentation, titled "Is Your Data Exposed", will focus on ways in which data is quickly compromised through outdated methodologies and antiquated protections. The date is Wednesday, Dec 17, 2008, 11:45 - 1:00pm. Save the date.