Archiv der Kategorie: Security

Stundensatz: 22 Euro

Geschäft, Preisschild, Security, Zahlenspiele,

Praktikanten verderben die Preise und heulen herum, weil man sie wie Praktikanten behandelt. Dieser langjährige Trend macht auch vor der Sicherheitsbranche nicht Halt. Die Deutsche Post führt vor, wie man 1000 Stunden Pentest für 22.000 Euro einkauft: Statt eine Dienstleistung zu beauftragen und für die geleistete Arbeit zu vergüten, veranstaltet sie einen Wettbewerb und bezahlt nur für Ergebnisse. Und bekommt dafür nicht etwa einen Vogel gezeigt, sondern trifft auf ein williges Prekariat, dem Geld egal ist, wenn es nur was mit Medien^H^H^H^H^H^HHacking machen darf. Damit ist die Post nicht alleine, Bug-Bounty-Programme verbreiten sich rapide und tun im Prinzip dasselbe, nur kontinuierlich. Ist das gut oder schlecht?

Learning from History

Classifier Security Model, English, Hackmeck, Security, Video,

Everyone knows the story of Clifford Stoll and and West-German KGB hackers (see the video below) in the late 80s.  Does this history teach us something today? What strikes me as I watch this documentary again is the effort ratio between attackers and defenders. To fight a small adversary group, Stoll invested considerable effort, and from some point involved further people and organizations in the hunt. In effect, once they had been detected, the attackers were on their way to being overpowered and apprehended.

Today, we take more organized approaches to security management and incident response. However, at the same time we try to become more efficient: we want to believe in automated mechanisms like data leakage prevention and policy enforcement. But these mechanisms work on abstractions – they are less complicated than actual attacks. We also want to believe in preventive security design, but soon find ourselves engaged in an eternal arms race as our designs never fully anticipate how attackers adapt. Can procedures and programs be smart enough to fend off intelligent attackers, or does it still take simply more brains on the defender’s than on the attacker’s part to win?

(YouTube)

Sketchifying and the Instagram of Security Design

English, Property Degrees, Security, , , ,

About a year ago, when I received the review comments on Point-and-Shoot Security Design (discussed in this blog before), I was confronted with a question I could not answer at that time. One reviewer took my photography analogy seriously and asked:

What ist the Instagram of information security?

Tough one, the more so as I never used Instagram. But the question starts making sense in the light of an explanation that I came across recently:

»Ask any teenager if they would want to share multi-photo albums on Instagram, and they wouldn’t understand you. The special thing about Instagram is that they focus on one photo at a time. Every single photo is a piece of handcrafted excellence. When you view an Instagram photo, you know the photo is the best photo of many photos. The user chose to upload that specific photo and spent a good amount of time picking a filter and editing it.«

(The Starbucks Theory — Thoughts on creativity)

One of the points I made in my paper was that design requires design space exploration before refinement and caring about details. Even if one starts to consider security early in a development process, one may still end up bolting security on rather than designing it in if one lets non-security requirements drive the design process and simply looks for security mechanisms to add to the design. One should rather, I theorized, actively search the security design space for solution candidates and evaluate them against threat models to identify viable solutions to the security problems an operational environment will be posing. Designing a secure system is not in the first place about defining a security policy or guaranteeing certain formal, microscopic security properties. Security design is rather about shaping the behavior of adversarial actors such that the resulting incident profile becomes predictable and acceptable.

Today I came across an article by Željko Obrenović, whose work I was unaware of at the time of writing the point-and-shoot paper. In his article Software Sketchifying: Bringing Innovation into Software Development (IEEE Software 30:3 May/June 2013) he outlines the ideas behind Sketchlet, a tool to help nonengineers to try out different interaction designs. I haven’t tried Sketchlet yet, but apparently it allows interaction designers to work with technological components and services, combining and arranging them through a direct manipulation user interface. Without having to program, the designer can take building blocks and play with them to try out ideas. Designers can thus quickly discard bad ideas before taking a selection of apparently good ones into the prototyping and later, the implementation stage.

Conceptually this is pretty close to what I’d like to see for security design. There’s a catch, however: security design deals with dimensions that can’t be experienced immediately, needs to be visualized through evaluation and analysis. Design sketches need to be evaluated in a second dimension against threat models capturing and representing adversary behavior. Nevertheless, Sketchifying looks like an interesting starting point for further exploration.

Attack-as-a-Service Market Prices

English, Geschäft, Preisschild, Security, Zahlenspiele

An article in the latest issue of CACM (paywalled) quotes some prices advertised by criminals for elementary attack building blocks:

  • DoS – $50…$500 per day
  • hacking a private e-mail address – $30…$50
  • forged identity documents – <$30
  • software opening fake accounts – <$500
  • custom-made malware – $1,500 + monthly service fee

If you want to get rich, don’t waste your time on developing sophisiticated attack techniques. Look at the services available and devise a business model.

The misleading microscopic view

English, Property Degrees, Security, Vulnerability, Wahrnehmung

The Guardian lists 10 gross ingredients you didn’t know were in your food, ingredients like arsenic, hair, or silicone breast implant filler. Should we react with nausea and disgust? Of course not. Yummy food is yummy food, neither a just detectable trace of someting (arsenic) nor the source of an ingredient (hair) nor possible other uses of the same ingredient (breast implants) have any noticeble impact. That’s by definition: if a dose of anything has a proven adverse health impact, it will be banned from being used in food. The Guardian’s list is an example of microscopic properties that don’t matter macroscopically. Yummy food is yummy food.

We commit the same error when, in security, we look just at the software defects and neglect their security impact. All software has defects; we might easily assemble a list of 10, or 100, or 1000 defects you didn’t know were in your programs. This does not mean they’d all matter and need to be removed. A system is secure if it evokes a predictable and controlled incident profile over its lifetime. some software defects in some systems affect this incident profile in such a way that their removal matters. Others are just traces of poison, or issues appearing problematic by analogy. The problem is: we often don’t know which is which.

Das Angstgeschäft – ein Verriss

Angst, Bedrohung, Geschäft, Propaganda, Security, security-industrial complex, Zahlenspiele

Für den Tagesspiegel nimmt Kevin P. Hoffmann die allgegenwärtge Sicherheitspropaganda auseinander. Kostprobe:

»Gleichwohl sind Bürger heute bereit, mitunter 60 bis über 100 Euro für ein Fahrradschloss auszugeben, um damit ein Rad zu schützen, das kaum doppelt so teuer war.

Auffällig ist auch, mit welcher souveränen Arroganz Vertreter der Sicherheitsbranchen ihrer potenziellen Kundschaft entgegentreten. Bürger seien zu dumm, Gefahren richtig einzuschätzen, hört und liest man immer wieder

(Tagesspiegel: Nach den Anschlägen von Boston: Gute Geschäfte mit der Angst)

Mit Sicherheit ist kein Geschäft zu machen. Investitionen in Sicherheit sind erzwungener Konsum; wer bei Verstand ist, wird die Ausgaben für Sicherheit minimieren und allerlei Risiken einfach hinnehmen. Geschäfte macht man mit Angst, und mit Produkten, die Angst reduzieren. Auf Sicherheit kommt es dabei nicht an.

Mandatory Helmet Laws Reduce … Theft

English, Forschung, Risiko, Security, Studien, Unterwegs,

What happens when a government enacts and enforces a mandatory helmet law for motorcycle riders? According to criminologists, a reduction in motorbike theft follows. The 1989 study Motorcycle Theft, Helmet Legislation and Displacement by Mayhew et al. (paywalled, see Wikpedia summary) demonstrated this effect empirically looking at crime figures from Germany, where not wearing a helmet on a motorcycle is being fined since 1980. This lead to a 60% drop in motorcycle theft – interestingly, with limited compensation by increases in other types of vehicle theft.

The plausible explanation: motorcycle thieves incur higher risk of being caught when riding without a helmet after a spontaneous, opportunistic theft. Adaptation is possible but costly and risky, too: looking for loot with a helmet in one’s hand is more conspicious, and preparing specifically to steal bicycles reduces flexibility and narrows the range of possible targets.

Something to ponder

English, Geschäft, Security, security-industrial complex, Vulnerability, ,

Which of the following statements do you agree or disagree with, and why?

  1. If you get robbed, it’s your fault. You should have carried a gun and used it to defend yourself.
  2. If your home gets burgled, it’s your fault. Your should have secured your home properly.
  3. If you get raped, it’s your fault. Your shouldn’t have worn those sexy clothes, and hey, what were you doing in that park at night?
  4. If your computer gets hacked, it’s your fault. You should have patched the computer every day and used a better password.
  5. If you get run over by a car and injured in the accident, it’s your fault. You should have worn a helmet and a high-viz jacket.
  6. If someone bullies you on the Internet, it’s your fault. You should have used a pseudonym on Facebook.

Do you agree with all, some, or none of these statements? Please elaborate in the comments. I’m not so much interested in nitpicking about the causation of certain incidents – read »your fault« as »in part your fault« if you like so. What interests me rather is the consistency or incocnsistency in our assessment of these matters. If you happen to agree with some of the statements but disagree with others, why is that?

P.S. (2014-09-05): Samuel Liles and Eugene Spafford discuss this matter more thoroughly: What is wrong with all of you? Reflections on nude pictures, victim shaming, and cyber security

Levels of Crime Opportunity

Begriffe, English, Property Degrees, Security

Just came across a crime science paper that expresses an idea similar to my security property degrees:

»In addition, for any crime, opportunities occur at several levels of aggregation. To take residential burglary as an example, a macro level, societal-level cause might be that many homes are left unguarded in the day because most people now work away from home (cf. Cohen and Felson 1979). A meso-level, neighborhood cause could be that many homes in poor public housing estates once used coin-fed fuel meters which offered tempting targets for burglars (as found in Kirkholt, Pease 1991). A micro-level level cause, determining the choices made by a burglar, could be a poorly secured door.«

(Ronald V Clarke: Opportunity makes the thief. Really? And so what?)

Clarke doesn’t elaborate any further on these macro/meso/micro levels of opportunity for crime. Maybe I’m interpreting too much into this paragraph, but in essence he seems to talk about security properties – he is discussing in his paper the proposition that opportunity is a cause of crime and reviews the literature on this subject. Opportunity means properties of places and targets.

CAST-Seminar: Sichere Software entwickeln – Erfahrungen, Methoden, Werkzeuge am 25. April 2013

Events, Security, So geht das, Unterwegs, , ,

Wir veranstalten am 25. April 2013 unter dem Dach des CAST e.V. das Seminar Sichere Software entwickeln – Erfahrungen, Methoden, Werkzeuge. Es wendet sich an Praktiker der Softwareentwicklung, die für die Sicherheit der Ergebnisse verantwortlich sind. Die Themen reichen von Werkzeugen für die Praxis über Schulung und Zertifizierung für Entwickler bis zur Architektur sicherer Software. Das Vortragsprogramm steht auf der Website des CAST e.V., dort erfolgt auch die Anmeldung.

Scamming Scientists

Bedrohung, English, Security

Now this is an interesting specialization of phishing attacks:

»The scam works like this: Someone obtains of a list of articles submitted to — and under review by — a publisher, along with the corresponding author’s contact information. Then, pretending to be the publisher, the scammers send a bogus email to the corresponding author informing him that his paper has been accepted. The email also contains article processing fee information, advising the author to wire the fee to a certain person. The problem is that it’s not the publisher sending out the acceptance emails — it’s a bad guy.«

(Scholarly Open Access: Fraud Alert: Bogus Article Acceptance Letters)

I doubt this constitutes a sustainable attack business model, but the perpetrators surely deserve credit for being adaptive and creative.

Redefining a Security Problem to Fit Mechanism Capabilities

Classifier Security Model, English, Security

Bruce Schneier dug out this little gem: Forbidden Spheres. A nuclear weapons lab, so the (apparently unconfirmed) story goes, classified all spherical objects as confidential, rather than just those related to nuclear weapons design. In the security-as-classification paradigm this makes a lot of sense. The desired security policy is to keep everything related to weapons design confidential. This includes objects that might give away information, which one will naturally find in an R&D lab. To enforce this policy, however, requires either comprehensive tracking of all objects, or complicated considerations to decide whether an object is classified as confidential under the policy or not. But a subset of the objects under consideration has a common, easy-to-detect property: they are spherical. The classification required as a prerequisite for policy enforcement becomes much simpler if one considers only this feature. The classification also becomes less perfect, there are classification errors. However, if it’s all about nuclear spheres, than the simplified classifier errs systematically towards the safe side, erroneously classifying innocuous spherical objects as confidential. As long as it doesn’t disturb the intended operations of the lab, this may well be acceptable. This approach would break down if an adversary, or an accident, could easily change relevant shapes without defeating purpose.