Bad password advice

In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell - ‘Assessing password guidance and enforcement on leading websites’ - presents some fascinating original research into the password practices of various leading websites - and also paints a somewhat worrying picture.

In the article, Prof Furnell, of the University of Plymouth, follows up on earlier research looking at how well (or otherwise) websites guide their users when picking passwords. Do they provide decent advice on what constitutes a strong password? And just how clever are those password strength meters?

It’s not pretty.

It’s not just that many of these websites continue to allow the selection of very weak passwords: there’s also the problem of inconsistency. One of the things I took away from this article is that password meters - those little graphic devices that purportedly show you how strong or how weak your chosen password is - are pretty meaningless. Every site uses different criteria for rating the password strength, so a word deemed ‘weak’ on one site might be hailed as ‘strong’ on another.

Even within a single website, the strength criteria seem inconsistent and weird. Passwords we, as infosecurity specialists, know to be weak are deemed acceptable. For example, WordPress rates ‘qw12’ as ‘Good’. Oh really? And even when sites deem a password as feeble, some of them will still let you use it - Furnell discovered that Twitter, Windows Live and Yahoo fall into this camp.

There are widely accepted criteria for determining the strength of a password: length (because size does matter), a mix of upper- and lowercase letters, the inclusion of numbers and special characters, and the avoidance of dictionary words and common patterns. Of these, length counts for the most, since the search space grows exponentially with length but only polynomially with the size of the alphabet. But it seems that some websites will allow users to go against their own best interests by selecting weak passwords. Why?

One useful thing that hacktivist group LulzSec did for us is make available a number of databases containing real-world user login credentials. Trawling through these databases is enough to make an infosecurity specialist weep. Yes, ‘password’ really is still used as a password - a lot. The same goes for ‘qwerty’, ‘123456’ and all the other classics.

Organisations such as SANS have formulated password policies that provide useful guidance. In fact, you can find any number of policies online, developed by organisations for their own use and offered to others as a template. But is it time to collate password best practices into a formal standard that website operators might actually accept and implement - and perhaps even mandate its use on any website that holds personal data?

Of course, there is a danger inherent in standards - that they become outdated too quickly. Remember when we used to think that six-character passwords were acceptable? (According to Furnell’s research, some websites still think this.) Now that attackers can rent multiple GPUs in the cloud to run password crackers, an eight-character password is too feeble - at least where the site stores a fast, unsalted hash of it. The other problem with standards is that, during their formulation, they are beaten to a pulp by committees and self-interested parties until they represent only a lowest common denominator.
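To make the two points above concrete - that a composition-only meter is meaningless and that an eight-character password falls to GPU cracking in hours - here is an added example. It is my code, not anything from Furnell’s paper or from any site he tested: a hypothetical meter that only counts character classes (the kind criticised above) sits beside a guess-count estimate that consults a constructed, eight-entry stand-in for a leaked-password list and then a brute-force bound. The 1e10 guesses-per-second rate and the rating thresholds are assumptions, not measurements.

```python
"""Composition-rule password meter beside a guess-count estimate (added example)."""
import re

# Constructed stand-in for a leaked-credential corpus, in order of popularity.
# The real lists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "abc123", "iloveyou", "monkey", "dragon"]

CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classes_present(pw):
    return {name for name, rx in CLASSES.items() if rx.search(pw)}


def composition_rating(pw):
    """Hypothetical meter of the kind criticised above: it counts character
    classes and ignores both length and dictionary words."""
    labels = {0: "Weak", 1: "Weak", 2: "Good", 3: "Strong", 4: "Very strong"}
    return labels[len(classes_present(pw))]


def estimated_guesses(pw):
    """Rough number of guesses an attacker needs: blocklist first (with trailing
    digits/symbols stripped, so 'Password1!' is tried as 'password'), then an
    expected brute-force cost of half the keyspace."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    for rank, common in enumerate(COMMON_PASSWORDS, start=1):
        if pw.lower() == common or base == common:
            return rank * 1000  # list position times a small mangling budget
    alphabet = sum(CLASS_SIZES[c] for c in classes_present(pw))
    # A per-character bound flatters passphrases made of dictionary words;
    # a real estimator (zxcvbn, for instance) scores those against word lists.
    return alphabet ** len(pw) / 2


def crack_seconds(guesses, rate=1e10):
    """Seconds to make `guesses` at `rate` guesses per second. 1e10/s is an
    assumed figure for an unsalted fast hash on a multi-GPU rig, not a
    measurement; a slow, salted hash (bcrypt, scrypt) cuts it by orders of magnitude."""
    return guesses / rate


def guess_rating(pw):
    g = estimated_guesses(pw)
    if g < 1e6:
        return "very weak"
    if g < 1e10:
        return "weak"
    if g < 1e14:
        return "fair"
    return "strong"


def compare(passwords):
    """Side-by-side verdicts so the inconsistency is visible in one table."""
    return [(pw, composition_rating(pw), guess_rating(pw),
             round(crack_seconds(estimated_guesses(pw)), 1)) for pw in passwords]


if __name__ == "__main__":
    for row in compare(["qw12", "123456", "Password1!", "Tr0ub4dor&3",
                        "correct horse battery staple"]):
        print("%-30s composition=%-12s guesses=%-10s crack=%ss" % row)
    print("full 8-char mixed-case+digit keyspace: %.0f hours"
          % (crack_seconds(62 ** 8) / 3600))
```

Run it and ‘qw12’ comes out ‘Good’ on the composition meter and ‘very weak’ on the guess-based one; ‘Password1!’ scores ‘Very strong’ on composition and ‘very weak’ once the blocklist is consulted; and the whole 62-character keyspace for eight characters is exhausted in about six hours at the assumed rate.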

But a standard accepted across the industry would at least be a starting point. And it should address not just what is an acceptable password (or, better, passphrase), but also what advice is given to users when choosing passwords. Again, Furnell’s research found that this is highly inconsistent and usually inadequate.

There have been too many breaches for us to regard website security as a trivial matter. For example, we’ve witnessed a long litany of hijacked accounts on Twitter, whose primary advice on password choice seems to be limited to ‘make it tricky’, whatever that’s supposed to mean. Those strength meters may help give you a feeling of confidence, but because they give no clue as to why a password is considered strong, they don’t actually help users understand the principles at work. Smarter registration procedures would explain why dictionary words are bad and why you should use a mix of character types. And sites should also encourage periodic password changes - not a single site I’m registered with does that.

Users are stupid

At the recent RSA Europe conference in London, security consultant Ira Winkler said something we’re not supposed to utter. To paraphrase, he said: “Users are stupid”.

We all know that computer users do stupid things. Infosecurity professionals within organisations must despair every time they hear, “Well, I clicked on the link because…” or “I gave him my password because…” followed by any one of a score of lame excuses.

Winkler was talking in the context of social engineering, which he believes is too broadly defined. True social engineering, he says, involves interaction between attacker and victim. Something like a phishing attack, or an email with a malicious payload, does not count. Talking about the infamous I Love You virus, Winkler said: “Nobody wants to say, ‘well it’s not really social engineering because you’re not interacting with the person, it’s just stupidity. But oh no, you can’t blame the user and call them stupid.’ Yes, you can blame the users and call them stupid.”

We all know that even the best security technologies, processes and policies can be undermined by people doing things they shouldn’t. Yet, except in cases of egregious lapses, or the clear and wilful breaking of the rules, we’re not meant to point the finger at user stupidity.

Infosecurity specialists and departments are meant to provide the infrastructure and training to protect the organisation, and this shouldn’t be dependent on the intelligence of end users. Similarly, security vendors are selling the technology and services, and aren’t about to accuse their customers of being staffed by morons. Even pen-testers can’t say users are stupid because no client wants to hear, “well your security systems are fine: the problem is that you hired idiots”.

Of course, none of this is meant to suggest that ALL users are stupid – not even most of them. But even smart people do dumb things from time to time and you only need one moment of weakness to open a security vulnerability. Just ask RSA.

So perhaps it’s a matter of degree. Winkler’s issue with the vagueness of the term ‘social engineering’ is that it makes it difficult to combat. You can’t form any sensible or effective countermeasures against something so amorphous. “If you overly define stupidity as [a reason for] being a victim of social engineering,” he said, “you’re not going to stop social engineering.”

So maybe we need to break this down a tad, to differentiate between actions that might be excused because the person was a victim of a genuinely skilled social engineering attack – such as we’re seeing as part of Advanced Persistent Threats (APTs) – and behaviour that simply shouldn’t be tolerated because it is plainly idiotic.

Winkler relates the story of a senior exec at a bank, responsible for millions of dollars in trades, who had written down his password on a sticky note attached to his monitor. What Winkler found particularly stupid, however, was that the password was a reference to an obscure fact in an obscure episode of Star Trek. The exec was able to remember that fact, but wasn’t able to remember that he’d made it his password.

To be fair, what constitutes ‘plain stupid’ will be different for the general public or ordinary members of staff than it is for security professionals. We’d like to think that writing your password on a sticky note is self-evidently wrong. The same goes for opening dubious files attached to dodgy emails. But if experience teaches us anything it’s that people are easily fooled.

This is where training comes in, backed up by policies. At the same time, perhaps it’s time to stop being so polite and, where appropriate, start labelling certain behaviours as clearly ‘stupid’.

[This post is a version of the editorial in the November issue of Computer Fraud & Security]

Dropbox security

A backlash against Dropbox shows just how little people understand security.

It seems that some people actually fell for Dropbox’s early assertions that files stored on the system might be more secure than those on your hard disk (ignoring the fact that these files are actually stored in both locations). No-one, but no-one, has access to your files, claimed the company.

Later, Dropbox realised that it’s subject to the same laws as any other US organisation and was obliged to change its terms of service to admit that it would have to co-operate with US law enforcement. Indeed, the forces of law and order have acquired a new forensic tool specifically for examining Dropbox accounts - Dropbox Reader.

This evidently provoked fury among some users who feel they were duped. There were threats of defections.

The image of Dropbox as a safe haven hasn’t been helped, either, by its recent screw-up in which accounts were left unprotected for a few hours, no password required.

But here’s the thing: Dropbox is a cloud service. Why would you imagine the cloud is automatically secure?

Yes, I know, people are not properly informed about this stuff and can only make decisions based on what they’re told. So Dropbox should carry a good portion of the blame for this. But there’s also an element of common sense here.

I don’t care what promises a cloud supplier makes, I work by a simple rule: if the data is the slightest bit sensitive, it gets encrypted before it hits the net. And I don’t just mean I use SSL for the connection. Any sensitive files we store on Dropbox are either encrypted individually or stored inside a PGP-encrypted virtual disk.

That means employing data classification of some kind, but for us that’s not nearly as complicated as it seems. It’s a simple question with a yes/no answer: could this file be of use to someone with malicious intentions? If the answer’s ‘yes’, into the encrypted drive it goes. No data of the slightest value leaves our home network without being encrypted first. And our threshold for what’s considered sensitive is very low.
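Here is the classify-then-encrypt step in code, as an added example. It is mine, not Dropbox’s and not the PGP virtual-disk set-up described above. It uses only the Python standard library, which has no AES, so the cipher is HMAC-SHA256 driven as a PRF in counter mode with encrypt-then-MAC and a constant-time tag check; that construction is sound, but it stands in for the real thing, and in practice you would reach for AES-GCM (via the cryptography package), age or gpg. The ‘.cfs’ container format, the marker-based sensitivity test and the sample file contents are all constructed for the example.

```python
"""Classify, then encrypt client-side before a file reaches the synced folder (added example)."""
import hashlib
import hmac
import os
import struct

MAGIC = b"CFS1"          # constructed container: magic | salt(16) | nonce(16) | ct | tag(32)
PBKDF2_ROUNDS = 200_000


def derive_keys(passphrase: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 stretched into two independent 32-byte keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode. Stand-in for AES because the
    standard library has no block cipher; use AES-GCM in real deployments."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, passphrase: bytes) -> bytes:
    """Encrypt-then-MAC: fresh salt and nonce per file, tag covers header + ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(blob: bytes, passphrase: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if not blob.startswith(MAGIC) or len(blob) < 36 + 32:
        raise ValueError("not a CFS1 container")
    salt, nonce = blob[4:20], blob[20:36]
    ct, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or tampered file")
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed stand-in for the yes/no classification question. The threshold is
# deliberately low: anything that looks like a credential, key or internal
# document counts as useful to an attacker. Markers are lowercase; the
# haystack is lowercased before matching.
SENSITIVE_MARKERS = (b"password", b"passwd", b"-----begin", b"confidential",
                     b"salary", b"api_key", b"secret")


def is_sensitive(name: str, contents: bytes) -> bool:
    haystack = name.lower().encode() + b"\n" + contents.lower()
    return any(marker in haystack for marker in SENSITIVE_MARKERS)


def stage_for_sync(name: str, contents: bytes, passphrase: bytes):
    """Return (filename, bytes) to write into the synced folder: sensitive files
    go in encrypted under a new suffix, everything else goes in as-is."""
    if is_sensitive(name, contents):
        return name + ".cfs", encrypt(contents, passphrase)
    return name, contents


if __name__ == "__main__":
    pw = b"correct horse battery staple"   # constructed passphrase
    fname, data = stage_for_sync("creds.txt", b"db password: hunter2\n", pw)
    print(fname, len(data), "bytes, decrypts to", decrypt(data, pw))
    print(stage_for_sync("lunch.txt", b"noon, usual place\n", pw))
```

The point of the yes/no gate is that it runs before the sync client ever sees the file; whatever the provider promises about its storage, the only copy that leaves the machine is one the provider cannot read, and a flipped byte or a wrong passphrase fails closed on the way back.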

So here’s a handy motto: Encryption - don’t leave home without it.

Nice try, Sophos

Stop using that iPad now! That’s the warning from Sophos for those of you who: a) are concerned about data theft; and b) don’t know what day it is. Here’s the press release:

Sophos warns: iPad 2 and other mobile devices vulnerable to proximity theft

Aptly-named “substrate hack” could steal data from uncovered devices - but metallic crisp packets can provide temporary “polar foil” fix

IT security and control firm Sophos is warning users of smartphones and tablet computers - including the popular Apple iPad and iPad 2 - to temporarily refrain from using the devices following the discovery that data can be stolen from unprotected devices through a surprisingly simple proximity attack dubbed a “substrate hack” by SophosLabs.

The attack - the exact details of which are not being released to the public to prevent the exploit being used by cybercriminals - involves data leaking through the substrate itself - the hybrid metal/plastic container - of devices that are left uncovered.

“It’s scary to think that all those many millions of smartphones and tablets out there are susceptible to a relatively simple attack through the substrate in which the devices themselves are packaged,” said a spokesperson for Sophos Naked Security.

“One reliable countermeasure, evaluated in tests at SophosLabs, is to keep your tablet-type device or phone wrapped in plasticated aluminum, like the material used in crisp packets.  Of course, this removes the ability to make calls or access the internet, but keeps your data much safer, both when you are using the device and when it is at rest.”

Until a patch has been issued by device manufacturers, concerned members of the public can reduce the risk of a substrate attack by shielding their devices with lightweight metallised plastic or cardboard. Crisp packets are ideal. This sort of shield forms a “polar foil” around the device and greatly reduces the risk of data theft.

However, SophosLabs researchers warn that cylindrical shields, such as Pringles cans, should not be used.  Despite their metallic coating and obvious benefits over crisp packets in sturdiness, durability and hygiene, Pringles cans - as WiFi hackers know only too well - act as antennas, boosting rather than attenuating any putative data leakage signal.

For more information, including images, please visit the Sophos Naked Security site: http://nakedsecurity.sophos.com/2011/04/01/apple-ipad-vulnerable-to-data-loss-through-substrate-hack/

It doesn’t say if a tin-foil hat will work as well as a crisp packet…

The biggest security threat - money

This is hardly news, but some chats I had at the recent NetEvents EMEA Press Summit underlined for me that network security will never be rid of its most pernicious vulnerability - budgets.

Security costs money, there’s simply no getting around that. The problem is, while an organisation’s defences are subject to budget constraints and the need - as with any IT infrastructure - to sweat assets, the attackers face no such restrictions.

In the security arms race, the defenders are always hobbled - not necessarily by simple lack of money, but by refresh cycles.

The threats to corporate security evolve constantly. The rise of Advanced Persistent Threats (APTs) is especially worrying for those targeted. Now we’re seeing the increased potential for ‘hacktivism’ with firms being singled out for DDoS assaults. The world of malware sees constant innovation. And now your staff are bringing threats through the corporate defences with their use of social media. It’s a wild ride.

While both the volume and sophistication of threats are on the rise, the defences that firms could deploy to protect themselves are sometimes unavailable - not because security vendors aren’t producing them, but simply because those tasked with security can’t justify the expense of replacing kit that hasn’t reached the end of its life.

In most areas of IT, this isn’t a huge issue. If your employees are using office software that’s one generation old, or are chugging along on slightly less than the latest generation PCs, you might find that their performance is 1.53% below optimum (and good luck with measuring that).

But when it comes to security, the potential cost of not having the best is much higher. It could cost you your business. And change in this area is dictated largely by the bad guys. Not keeping up is risky, though I doubt that there are many firms that do continuous risk assessment weighing the ever-changing threat landscape against the organisation’s current security capabilities.

Speaking to a couple of firewall vendors, the term ‘rip and replace’ came up, unprompted, several times. Of course, this was generally as a result of them telling me that their solutions will make this unnecessary. For example, Sourcefire’s vision of the ‘next-generation’ firewall (whatever you want that phrase to mean) is a modular one. The firm is building on its Intrusion Prevention System (IPS) technology: it has already added some degree of application and user awareness, and firewall capabilities are coming next. The idea, the firm says, is that you deploy the capabilities you need at the time and add others as they become necessary. No need for wholesale replacement.

There is another angle to this, however. Some are claiming that our entire approach is wrong. Nir Zuk, founder of Palo Alto Networks, is fond of claiming that - in terms of protection - most of today’s firewalls are about as much use as a length of Cat 5 cable. He presents an energetic case for why we need to scrap our ‘port and protocol’ approach to firewalls and adopt an entirely app-centric model capable of analysing not just which apps someone is using, but what they are doing with them.

It’s fair to say that not everyone is convinced by this argument. Yet even if you agree, there may not be much you can do about it until your firewalls come up for their next refresh - which could be years away. In the meantime, cyber-criminals are coming up with ever more entertaining ways of taking your money or your reputation.

In the past week, Cisco and SonicWall have announced new products or technologies in the next-generation firewall market. The technology to combat today’s threats is out there, the necessary innovations are happening, but many organisations will remain vulnerable simply because they are locked into corporate spending cycles that don’t have the flexibility to respond to the threats.

Brits in two minds about data security

Some 80% of people in the UK are “concerned about protecting their personal information online”, says the Information Commissioner’s Office (ICO). An even bigger proportion (96%) feels that organisations are not to be trusted with this information, because they’re not up to the job of keeping it safe.

Not much grey area there, then. Brits are clearly worried about what happens to personal information. Except that they’re not.

What they’re really worried about is what other people are doing with their data. When it comes to taking responsibility for controlling that data, most ordinary citizens seem to think it’s someone else’s job to sort it out. And so they carry on happily spewing private information onto Facebook and via Twitter with little apparent regard for how it might be exploited - all the while moaning that “something must be done”.

The obvious suspicion about organisations’ inability to keep data safe is perfectly reasonable. The ICO has the task of punishing companies that suffer data leaks, but it catches only a tiny proportion of leaky firms.

Yet you could argue that it’s the organisations themselves that are at the greatest risk - specifically, the employers of these same hand-wringing, concerned citizens. And the reason for this is that people bring this contradictory attitude into work. They know that data is sensitive, yet continue to place it in plain view on the Internet.

Today, people are in the habit of sharing. It’s almost as if any event in their lives hasn’t really happened until it’s on Facebook, Twitter or Flickr, or that they haven’t really arrived at a place until they’ve checked in on Foursquare. And they take this reflexive habit of sharing into the workplace, where what they’re sharing might be sensitive company information or IP.

Significantly, the ICO survey found that 60% of people “believe that they have lost control of the way their personal information is collected and processed”. That’s a lower figure than the others quoted, so perhaps there’s a minority that has a sneaking suspicion it could do something about the problem itself.

Nevertheless, nearly two-thirds of the respondents clearly feel that there’s nothing to be done, it’s SNAFU and you might as well carry on feeding companies (and, if they did but know it, cyber-criminals) with the kind of personal data that’s invaluable for marketing and identity theft.

The point of the ICO’s survey is to launch a campaign to raise awareness of how to stay safe on the Internet. Most infosecurity professionals will tell you that education is the toughest part of the job. But, as I said, something must be done, and the ICO’s Personal Information Toolkit might be one small step towards helping people realise that they - and not leaky organisations - are the problem.


Facebook SSL security upgrade: why?

Facebook is now making it possible for users to access the site via SSL (ie, using ‘https’ rather than ‘http’). But is the timing significant?

Two things suggest it might be. The first is the hijacking of Facebook logins by the Tunisian Government. But the cynic in me says that a more likely reason is the ‘hacking’ of Mark Zuckerberg’s own Facebook page.

Facebook and Twitter are important tools for those organising protests against the Tunisian Government - protests that have already led to the former President, Zine al-Abidine Ben Ali, fleeing the country (although many of his cronies are still in place). The Tunisian Government maintains a firewall controlling all Internet connections to other countries. It has been intercepting Facebook logins, presenting a spoof login page that captures users’ account credentials.

In addition to the SSL option, Facebook has switched on CAPTCHA challenges for all Tunisia-based users. Normally, these are used only when there has been some suspicious activity on the account, or it hasn’t been used for a while.

The SSL option is being rolled out globally but it’s being made ‘opt-in’. How typical of Facebook: when it comes to limiting the sharing of your personal data, it’s always ‘opt-out’, but when it’s a matter of tightening security, you have to make the effort yourself. This may be because the SSL option is reportedly incompatible with some applications (most of which - even seemingly innocuous and trivial games - exist to plunder your data).
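The interception described above works because a login page, and the form it posts to, can be replaced by anyone in the path as long as they travel over plain HTTP, and an opt-in https setting does nothing for the user who never opts in. As an added example (my code, not Facebook’s; the page URLs, headers and HTML are constructed), here is a small check that audits a fetched login page for the three things that matter: whether the page itself was served over https, whether it sets Strict-Transport-Security so that later http:// visits are upgraded by the browser, and whether every form containing a password field posts to an https URL.

```python
"""Audit a login page for plain-HTTP exposure (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and a.get("type", "").lower() == "password"):
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, headers, html):
    """Return a list of findings; an empty list means the login flow stays on TLS."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if urlsplit(page_url).scheme != "https":
        findings.append("login page served over plain HTTP: anyone in the path can replace it")
    elif "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header: a later http:// visit is not upgraded")
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])   # relative actions inherit the page's scheme
        if urlsplit(target).scheme != "https":
            findings.append("password form posts to %s over plain HTTP" % target)
    return findings


# Constructed sample pages; nothing here was fetched from a real site.
SPOOFABLE_PAGE = """<html><body>
<form action="/login.php" method="post">
  <input name="email"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

HARDENED_PAGE = """<html><body>
<form action="https://login.example.test/session" method="post">
  <input name="email"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""


def demo():
    """Three constructed fetches: an http page, an https page without HSTS, a hardened one."""
    weak = audit_login_page("http://www.example.test/login", {}, SPOOFABLE_PAGE)
    no_hsts = audit_login_page("https://www.example.test/login", {}, HARDENED_PAGE)
    strong = audit_login_page(
        "https://www.example.test/login",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        HARDENED_PAGE)
    return weak, no_hsts, strong


if __name__ == "__main__":
    for label, result in zip(("spoofable", "no HSTS", "hardened"), demo()):
        print(label, "->", result or ["ok"])
```

The middle case is the one an opt-in scheme leaves open: the page is fine once you are on https, but nothing stops a user typing the bare hostname and being served, by a firewall in the path, a look-alike page over http.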

Switching on SSL will be an option in your settings: US users apparently already have this. Those of us outside the US will have to wait a while longer, however you can try using ‘https’ instead of ‘http’ in URLs right now - it appears to work for me.

The year ahead

At the turn of the year, it’s practically a tradition that security and anti-malware vendors make their prognostications for what lies ahead for us over the next 12 months. Most of the predictions are, as it were, predictable. More malware, more Stuxnet-like cyberwar disguised as malware, more targeted phishing and a greater focus on mobile and Apple platforms as they become increasingly pervasive.

Don’t ask anyone to put numbers against these predictions – that would be too hard. But it seems they are on fairly safe ground.

The Apple angle is interesting in light of the firm’s newly launched Mac App Store for OS X and the immediate backlash it seems to have provoked. More than one security researcher has warned that the Digital Rights Management (DRM) capabilities of the App Store are flawed, and a group calling itself Hackulous claims to have a tool – Kickback – that breaks the DRM protections.

In theory, when you obtain a program from the new App Store, it is registered to the machine you used to download it. You can run it on other machines, but only by registering those machines for use with the app with your App Store login details. But some apps haven’t properly implemented these ‘receipt’ checks, Apple seems to have omitted them from some apps altogether, and they can be subverted on others. This means apps can be pirated - which returns us to the situation that existed before the advent of the App Store. I mean, pirated software isn’t exactly new, is it? One researcher warned that such pirated software might contain malware, which is true. In fact, this has happened in the past with software shared via BitTorrent. So that’s not exactly new, either.

At least Apple is making some effort to ensure that the software people buy is trustworthy. The new App Store is modelled on the one that Apple uses for distributing iPhone and iPad apps. All apps in that store must be digitally signed by the developer and Apple. On iOS platforms, the only simple way to be infected with a rogue app is to jailbreak your device.

Apple is often criticised for its tight (some say oppressive) control over what gets distributed through the iOS App Store. But compare this with what’s happening on Android. Even before it overtook iOS in the smartphone popularity stakes, it was being hit with more malware threats and vulnerabilities than ever plagued the iPhone. Part of the reason is lack of control over software distribution. There are devices out there from multiple vendors, with several versions of the OS in use at any one time and numerous sources of software. Amazon is just the latest entry into the Android app store market.

Android malware is becoming sophisticated, too. The Geinimi trojan – found in some Chinese games – not only steals personal data but is also capable of responding to command-and-control channels. This botnet-like behaviour could be used, for example, to download more malware on to the device.

It seems that 2011 will be the year of the tablet wars. The iPad has created a market that most pundits said didn’t exist. Now every electronic device vendor in the world, it seems, is pushing a tablet device on to the market. A minority will be Windows-based but the vast majority will be built around mobile platforms – iOS and Android. And with the smartphone market so huge now, it seems a given that malware writers will have these platforms in their sights over the coming year. You don’t need to be clairvoyant to see that.

[This is the editorial from the January 2011 issue of Computer Fraud & Security]

A positive approach to the social media problem

Like it or not, social networking is a part of your organisation. Facebook, LinkedIn, Twitter and all those other time-wasting pastimes — or effective communications channels, if you prefer — are occupying at least a part of your workers’ time.

The dangers are familiar, including data leaks and reputational damage. And the countermeasures are equally varied, including banning the use of social media entirely. Indeed, most responses to the dangers are negative, based around restricting what people do and attempting to close stable doors. At least one person, however, thinks we should have a more positive attitude.

“Social networking is one of the biggest social experiments we’ve ever undertaken,” explained Adrian Davis of the Information Security Forum (ISF), when we took tea in London recently.

Many big companies have now appointed social media executives in an attempt to manage their organisations’ public image via these channels: something like 200 out of the Fortune 500 firms now have such executives. But, says Davis: “Most companies are still at the ‘whoah! what do we do?’ stage.”

What they should be doing, he adds, is finding ways of using social media to make their processes better.

“What are you trying to achieve?” he asks. “Do you just want to be part of it, project your arguments or generate sales? If you’re doing it for the sake of doing it, that’s where you start losing control.”

Perhaps one of the key issues is that attitudes to social media have been formed outside of the workplace. Indeed, people are more accustomed to using social networking services at home and, now that these same services are being adopted, or at least tolerated, at work, people are bringing their personal habits into the workplace.

Davis puts it more succinctly: “People assume it’s okay to post stuff online.”

Quite. People — and especially young people — have an expectation that they can communicate — and a desire to do so. But a tweet-everything, information-wants-to-be-free philosophy does not translate well into the workplace. While, in theory, this enthusiasm to share can be harnessed for the good of the organisation, getting this right involves some work if you are to head off what Davis sees as some of the biggest threats to the organisation — leakage of intellectual property and privacy issues (ie, embarrassing and potentially damaging data leaks).

“The big issue,” says Davis, “is, where is my information and who can look at it?”

So a good start is to implement proper data classification. Done properly, this will automatically define what information can and can’t go public. It has to be carried out in depth and with sufficient detail because the social media environment has a habit of blurring information classification boundaries. There is often no clear indication whether a piece of information, which may be relatively informal (“hey, we’ve just won a new contract!”), can go public. This is even more difficult when the information has a personal relevance and doesn’t immediately appear to be sensitive. “I’m joining the new team in Swansea” might seem an innocuous piece of personal gossip, unless the new team is meant to be a secret — from competitors, journalists or colleagues.

Where data classification systems end, education begins. Typically, educating your staff about social media has meant telling them what they’re not allowed to do. Davis, on the other hand, emphasises the benefits of being positive.

“Tell people what they can do,” he says.

He suggests giving staff three golden rules that define the limits of what’s acceptable, but in a positive way, saying not just what’s allowed but how they (and the company) might benefit.

“The trick,” he says, “is making it relevant.”