Thursday, September 30, 2010

Risk Homeostasis as Applied to Information Security.

I recently came across the term risk homeostasis, which in a nutshell says that people have a certain risk tolerance, and that efforts to reduce risk in one area will increase risk in other areas. A widely cited example is a study of taxi cab drivers in Munich, Germany. Half of the cabs were equipped with ABS (anti-lock braking system) and the other half were not. As ABS is designed to reduce the risk of an accident during sudden braking, you would expect the net effect of installing ABS to be fewer accidents in the ABS-equipped cars. The opposite turned out to be true: drivers of ABS-equipped cabs increased their accident risk by changing other behaviors, such as speeding and braking harder, on the assumption that ABS would take care of them. It doesn't.

As I think about this concept and how it affects the information security industry, I would like to offer my observations in the following example.

A/V and the user:

Since the early years of the PC, viruses have become a dominant force in the computing landscape, spawning a multi-billion dollar industry. It is a common belief that anti-virus software, much like ABS for cars, will protect your computer from contracting a virus, and if users stick to word processing, exercise caution with email, and are vigilant about updating their software, this might be true. However, users know they have A/V software and expect it to protect them, so they modify their behavior. They become lax about updating their software, download music, movies, games and so on from file-sharing applications, and disregard what they have been told about safe email practices. Consequently they have the computing equivalent of an accident: their computer becomes infected.

Collectively we think of A/V software as working much like a smallpox vaccination: we get the vaccination plus any required booster shots and we don't get smallpox, end of story. A/V software is designed to work that way, but it doesn't. As an industry, A/V software catches 80% to 90% of known viruses, which is fairly good odds unless your particular product misses the one you come down with. However, virus writers have figured out that they can mutate the virus code to make it less detectable, leaving the industry, in my experience, catching 60% to 70% of mutated viruses. If A/V software is presented with a truly novel virus, the odds of detecting it, again in my experience, plummet to somewhere south of 10%. This is the part end users and many IT folks fail to grasp: their odds of coming across a novel or mutated virus are a thousand times higher than they assume.

Don't get me wrong, I am not saying A/V software is useless; I actually recommend it highly. What I am saying is that in assuming A/V software will protect us from viruses, we have failed to recognize and appreciate the willingness of users to modify their expected behavior and take on more risk based on faulty assumptions.

Wednesday, September 15, 2010

I've seen the Vulnerability...and it is us!!!!

While I was in San Francisco at the RSA conference, attending a lot of sessions, I began to develop many thoughts that apply to my day job and can be abstracted further and applied to information security. Here is the first.

I've seen the vulnerability in the system and it is us.

What do I mean by this? Simply that our own internal divisions, politics, agendas and silos create a vast and gaping vulnerability that can be, and is being, exploited and used against us. These divisions create gaps and blind spots: common vulnerabilities that surround us, which we either can't see or choose not to see.

Tuesday, August 31, 2010

We have all seen them: the password strength meter. These meters let users judge what a quality password is; however, they can be misleading. Most of these tools assess the strength of a password against one specific attack, the brute-force attack. For instance, the one featured in a recent post is implemented in JavaScript and does not send data back to a server, so I thought, why not try it? I started by entering some variations of passwords I have used and confirmed they are indeed strong. After a little tinkering I thought, "you know, this is not very realistic": they are only calculating strength against a brute-force attack. If I were trying to crack passwords, the very last type of attack I would use would be a brute-force attack.
Why? Because there are many other ways to crack passwords in a fraction of the time.
I decided to set up a test. I selected 12 variations of the word "password", which research shows is among the top twenty most commonly used passwords. As you would expect, the strength meter indicated the word itself would be cracked almost instantly. I quickly learned that this particular strength meter places a premium on password length and the use of special characters, even if the password is a variation of a common password. The 12th password I used was "P@ssw0rd1234"; given the use of special characters and a length of 12 characters, the strength meter estimated it would take about 100 million years to crack, leaving the user with the impression that "P@ssw0rd1234" is indeed a good password to use. Let me be clear: "P@ssw0rd1234" is not a good password, because it is a variation of a very commonly used password and a dictionary word, and cracking tools try exactly those variations first.
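To make the gap concrete, here is an added example (my own code, not the meter from the post nor any tool the post used) that reproduces the meter's brute-force model and then runs a small rule-based dictionary attack against the same passwords. The guessing rate (1e8 per second), the four-word base list, the substitution rules and the five target strings are all constructed assumptions for the demonstration; the last target stands in for a password-safe-generated string.

```python
import hashlib
import itertools
import string

# Constructed targets for the demonstration (not the 12 passwords from the post).
# The last entry stands in for a randomly generated password-safe password.
TARGETS = ["password", "Password1", "passw0rd", "P@ssw0rd1234", "Xk7#vQ2m!pL9"]

# Constructed base word list; a real attack uses millions of entries.
WORDLIST = ["password", "letmein", "welcome", "qwerty"]

# Leet substitutions a rule engine commonly applies (a small subset). Each
# letter maps to the alternatives the generator tries, including the letter itself.
LEET = {"a": "a@4", "e": "e3", "i": "i!1", "o": "o0", "s": "s$5"}

# Appended suffixes: two-digit numbers, common digit runs, punctuation, a year.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["123", "1234", "12345", "!", "!!", "2010"]

# Assumed guessing rate for the meter's brute-force model (hypothetical figure
# for a 2010 desktop; real rates depend on the hash type and hardware).
GUESSES_PER_SEC = 1e8
PUNCT = set(string.punctuation)


def bruteforce_estimate_years(pw, rate=GUESSES_PER_SEC):
    """Reproduce the strength-meter model: (charset size) ** length guesses.

    The meter only asks which character classes appear and how long the
    password is; it never asks whether the password is a mangled dictionary
    word. That blind spot is what the dictionary attack below exploits.
    """
    charset = 0
    if any(c in string.ascii_lowercase for c in pw):
        charset += 26
    if any(c in string.ascii_uppercase for c in pw):
        charset += 26
    if any(c in string.digits for c in pw):
        charset += 10
    if any(c in PUNCT for c in pw):
        charset += len(PUNCT)          # 32 printable ASCII punctuation characters
    keyspace = charset ** len(pw)
    return keyspace / rate / (365 * 24 * 3600)


def mangle(word):
    """Yield leet and case variants of one word, the way a rule-based cracker does."""
    options = [LEET.get(c, c) for c in word]    # each entry is a string of choices
    for combo in itertools.product(*options):
        cand = "".join(combo)
        yield cand                               # lower case, e.g. p@ssw0rd
        yield cand[0].upper() + cand[1:]         # capitalised, e.g. P@ssw0rd
        yield cand.upper()                       # all caps


def candidates():
    """Every base word, every mangling, every suffix: the attack's guess stream."""
    for word in WORDLIST:
        for variant in mangle(word):
            for suffix in SUFFIXES:
                yield variant + suffix


def sha1_hex(pw):
    # Unsalted SHA-1 stands in for whatever fast hash the target system uses.
    return hashlib.sha1(pw.encode()).hexdigest()


def dictionary_attack(target_hashes):
    """Return ({hash: cracked plaintext}, number of guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for cand in candidates():
        guesses += 1
        h = sha1_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
            if not remaining:
                break
    return found, guesses


def compare(targets=TARGETS):
    """Per target: (meter's brute-force estimate in years, cracked plaintext or None)."""
    hashes = {sha1_hex(p): p for p in targets}
    found, _ = dictionary_attack(hashes)
    return {p: (bruteforce_estimate_years(p), found.get(h)) for h, p in hashes.items()}


if __name__ == "__main__":
    for pw, (years, cracked) in compare().items():
        print(f"{pw:14s} meter: {years:11.3g} years   dictionary attack: {cracked or 'not found'}")
```

Under this model "P@ssw0rd1234" scores in the hundred-million-year range, yet it falls to roughly twenty thousand guesses because it is two substitutions and one suffix away from "password". Only the generated string survives the attack, and it is also the only one whose meter score means anything.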
I used two common methods for cracking passwords. The first is a standard dictionary attack, the second what the tool calls cryptographic analysis. Dictionary attacks are just that: they take a word list and present each word in the list as a password. A good dictionary attack tool also applies mangling rules to each word, appending numbers and replacing letters with commonly used symbols such as @ for a and ! for i, so "P@ssw0rd1234" is only a few rules away from "password". The second technique, commonly called rainbow tables, is based on the time-memory trade-off: the attacker pre-computes chains of hashes and reductions over the password space ahead of time, stores only the chain endpoints, and at crack time walks a short chain from the target hash and looks the result up against the stored endpoints. This only works against hashes without a per-password salt, which is why the attack is so common and so successful against Windows passwords (LM and NTLM hashes are unsalted). In Table 1 you will notice that no matter what the projected time to crack was, using either attack method it took less than a minute to crack each password, and when attacked as a lot all 12 passwords were cracked in less than 5 minutes. Cryptographic analysis takes a little longer than a dictionary attack, but it has the advantage of also covering non-dictionary passwords that fall within the precomputed space.

Table 1. Strength meter estimate versus measured crack time for the 12 passwords

Estimated time for a desktop PC to crack      Actual crack time   Type of attack
--------------------------------------------  ------------------  ----------------------
Common (would be cracked almost instantly)    32 sec              Cryptographic analysis
Common (would be cracked almost instantly)     7 sec              Dictionary attack
About 117 days                                 7 sec              Dictionary attack
About 11 years                                 7 sec              Dictionary attack
About 417 years                               22 sec              Cryptographic analysis
About 15 thousand years                       26 sec              Cryptographic analysis
About 6 days                                   7 sec              Dictionary attack
About 3 years                                 67 sec              Cryptographic analysis
About 237 years                                7 sec              Dictionary attack
About 17 thousand years                        7 sec              Dictionary attack
About a million years                          7 sec              Dictionary attack
About 100 million years                        7 sec              Dictionary attack
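The time-memory trade-off behind the "cryptographic analysis" rows is easier to see in code than in prose, so here is an added example of a toy rainbow table (my own code, not any tool used for the test above). Everything in it is a constructed assumption: unsalted SHA-1 as the hash, a key space of three lowercase letters (17,576 passwords), chains of 30 steps and 1,000 chains, so that the whole table builds in well under a second. The mechanics are the same ones a real table uses against unsalted LM or NTLM hashes, just scaled down.

```python
import hashlib
import string

# Toy parameters: a key space small enough to build the table in under a
# second. A real table covers e.g. every 7-character LM hash half with
# millions of chains, but the mechanics are identical.
ALPHABET = string.ascii_lowercase
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH   # 17,576 possible passwords
CHAIN_LEN = 30                    # hash/reduce steps per chain
NUM_CHAINS = 1000                 # rows stored: 1,000 instead of 17,576 hashes


def H(pw):
    """Unsalted hash of a candidate. A per-user salt would make this table useless."""
    return hashlib.sha1(pw.encode()).digest()


def index_to_pw(i):
    """Map an integer in [0, SPACE) to a password in the key space."""
    chars = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_(digest, pos):
    """Reduction R_pos: hash -> some password in the key space.

    Using a different reduction at each chain position is what makes this a
    rainbow table: two chains that hit the same value at *different*
    positions no longer merge, which is the weakness of plain Hellman tables.
    """
    return index_to_pw((int.from_bytes(digest[:8], "big") + pos) % SPACE)


def build_table():
    """Offline phase: walk every chain, store only endpoint -> [start points]."""
    table = {}
    for c in range(NUM_CHAINS):
        start = index_to_pw((c * 7919) % SPACE)   # deterministic, spread-out starts
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_(H(pw), pos)
        # Chains that collide at the same position share an endpoint; keep every start.
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target):
    """Online phase: return a preimage of `target` (a digest), or None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):        # cheapest hypotheses first
        # Hypothesis: target = H(x_pos) in some chain. Finish that chain from here...
        pw = reduce_(target, pos)
        for p in range(pos + 1, CHAIN_LEN):
            pw = reduce_(H(pw), p)
        # ...and if the endpoint is stored, regenerate each matching chain from its
        # start. A chain that reaches its end without hitting the target is a
        # false alarm: it merged into the stored endpoint after position pos.
        for start in table.get(pw, ()):
            cand = start
            for p in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_(H(cand), p)
    return None


def coverage(table, step=97):
    """Try every `step`-th password in the space; return (hits, tried)."""
    hits = tried = 0
    for i in range(0, SPACE, step):
        target = H(index_to_pw(i))
        tried += 1
        found = lookup(table, target)
        if found is not None:
            assert H(found) == target     # every answer the table gives must verify
            hits += 1
    return hits, tried


if __name__ == "__main__":
    table = build_table()
    hits, tried = coverage(table)
    print(f"{sum(len(v) for v in table.values())} chains, {len(table)} stored rows, "
          f"cover {hits}/{tried} sampled passwords ({100 * hits / tried:.0f}%)")
    print("preimage of H('cab'):", lookup(table, H("cab")))
```

Two things to take from it. The table stores about a thousand rows to answer queries over a space of 17,576 hashes, and each query costs a few hundred hash operations rather than a full search; that ratio, not raw speed, is why the table rows in Table 1 beat the meter's estimates by so much. And every step assumes H(pw) is the same for every user: add a random per-user salt and the precomputed endpoints match nothing, which is the real defense against this class of attack.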

In reality, if an attacker is going to crack passwords using only a brute-force attack, then long passwords (12+ characters) using special characters (?@#$&*) would suffice. This is also a good defense against cryptographic analysis, though there I would recommend 15+ characters; in either case, forget about dictionary words. The problem with these recommendations is that either the user will use one "complex" password everywhere, or they will write their passwords down on paper, in Word documents and so on. My recommendation is to do just that, write them down, but only in a secure place such as a password safe, and use one long, complex password that you can remember to access the rest of them. Password safes have auto-generate functions, which create long, complex, non-dictionary passwords automatically, and better yet, you never have to remember them.