10 Essential Security Checks

English, IT, Security, Zwischenruf,

[Get only posts in English]

A few days ago Oliver presented his 10 essential Web site checks. Except for a few very basic things I didn’t see security on his list, so here are a few essential security checks for your Web site. You will have to scale them to your needs; the Web site of your local juggling club won’t need the same level of security as an Internet business built around a Web application.

  1. Understand your threat profile
    Understand who might be your enemy and what would be the impact on your Web site and the users of your Web site if an attack succeeds. Don’t be overly paranoid but be honest to yourself.
  2. Use SSL
    Although it has its limitations, SSL is a standard security mechanism today and there is almost no excuse for not offering it to your users. It won’t solve all your security problems but it is useful.
  3. Have a person in charge of security
    Security requires continuous attention throughout the life cycle of your site. Somebody should be responsible for security, and this person must have sufficient authority to be more than a fig leaf.
  4. Baseline protection
    Don’t forget the simple things: backup, patches, secure configuration, etc. Be aware, however, that baseline protection will not make your applications and your own code any more secure.
  5. Build security in
    If your Web site serves more than a set of static pages, you must build secure software. Security is not a box in your architecture diagram, it is a set of rules and best practices for software development.
  6. Test early and often
    Everybody makes mistakes, and so will you. Have somebody to point out those mistakes to you before the bad guys find and exploit them. Do not rely on automated scanners too much. They are useful but limited.
  7. Be hacker-friendly
    The best security testers you can get are white-hat hackers who happen to find issues on your site. Be accessible, properly credit those who helped you, and don’t sue the messenger. Don’t be too proud of not having been hacked, though.
  8. Don’t annoy your users
    The point of security measures is to make attacks hard. Their point is not to make legitimate use of the site hard. Putting unnecessary burdens upon your users will likely reduce your security—and the number of users.
  9. Plan ahead for failures and disasters
    They are out to get you and eventually they will. Know what to do if your security failed despite all your efforts. Have plans for incident handling, business continuity and disaster recovery.
  10. Compliance is just that
    Do not assume that compliance with whichever standard or regulation would be a replacement for actual security.

Homework assignment: pick one item and expand it into another list of 10.

Wo Geld ist, da ist auch Gefahr

Forschung, Geschäft, Nebenwirkung, Propaganda, Risiko

»Falls ich übrigens morgen ein Institut zur Bekämpfung der öffentlichen Gesundheitsgefährdung durch Igelbisse gründe und dieses Institut mit zehn Planstellen ausrüste, dann werde ich jedes Jahr eine Studie bekommen, die vor der wachsenden Gefahr durch aggressive Igel warnt. Alles andere wäre ja auch ziemlich dumm von den Mitarbeitern des Institutes.«

(Harald Martenstein im Zeit-Magazin)

How much security do we gain from Trusted Computing?

English, Forschung, IT, Security, Testlabor, Trusted Computing, , , , , , ,

My colleague Jan is going to present our paper Attacking the BitLocker Boot Process at Trust 2009 (Oxford, 6th – 8th April). The paper is an improved version of the draft we presented at ETISS.

BitLocker is the volume encryption function built into recent versions of MS Windows. It is capable of using a Trusted Platform Module if the PC has one. Our paper describes five attack scenarios that using the TPM does not prevent from succeeding. Some are based on particular features of BitLocker while others rely on the implementation of authenticated booting that is currently used in Trusted Computing.

All five scenarios seem suitable for targeted attacks and require that the attacker can access the target system twice. Executing such attacks is thus roughly as complex as installing a hardware keylogger in the system and returning later to retrieve the sniffed password along with the encrypted data – or just the machine in a condition that permits decrypting the data on disk.

What makes our attacks interesting is the fact that they can be implemented in software. Ideally, Trusted Computing should reliably prevent such attacks from succeeding. However, a TPM does not prevent software from being modified. The TPM only compares measured states with stored reference data. This leaves several holes. For instance one can temporarily modify software and later restore the reference state, or modify boot components before the reference state is determined and stored inside the TPM. While such actions are useless in an opportunisitc attack where the attacker just grabs an unattended machine unprepared, a dedicated attacker might take advantage of them.

Update 2009-12-03: There is a more comprehensive explanation in a later post.

Lant*

Begriffe, English, Geschäft, Propaganda, Security, , , , ,

[Get only posts in English]

My dear fellow attention whores,

Can we please stop inventing new bullshit terms for each and every variant of a variant of an attack scenario? Sure, at times we need new terms naming new concepts. Spam is an example, phishing is another. I don’t complain about these. What bothers me is our tendency to modify these general terms every time some slight modification of the concept appears: from spam to spit, from phishing to pharming, hishing, sishing, or wishing. Other than the useful terms for generic concepts, these creations make our lives harder, not easier. They are confusing us and others.

Why this rant? I got a call this morning from a journalist. She wanted to know everything about whaling. WTF? It turned out she really wanted to know everything about GhostNet and the security issues and attack strategies involved. But she didn’t say so and she seemed fixated upon whaling, which, I have to admit, sounds sort of cool and interesting. However, it lead to a failure in communication. She failed to get across her actual need for information, confusing me with a meaningless term that she had picked up somewhere. I failed to get across to her that I do know my share of computer security and that I might actually be able to answer some of her questions.

Coining new terms isn’t wrong per se. But names are like money. Producing too many makes them all worthless.

Yours sincerely,

Sven

*) Letter-style rant. 😛

Wahlcomputer und die behauptete Fälschung

IT, Nebenwirkung, Security, Vertrauen, Wahlcomputer, , ,

Kürzlich deutete ich in ein paar Nebensätzen die Möglichkeit an, Computerwahlen nicht tatsächlich zu fälschen, sondern eine Fälschung lediglich zu behaupten. Die Intransparenz wesentlicher Abläufe würde dafür sorgen, dass solche Anschuldigungen zwar nicht per se glaubwürdiger, aber schwerer zu widerlegen wären. Nun tut die CIA genau dies für einige der üblichen Verdächtigen, darunter zum Beispiel Venezuela. Kann ja sein, dass die Berichte alle korrekt sind, aber wenn ein Geheimdienst etwas verbreitet, weiß man nie so genau, was die Ziele sind und wieviel vom Gesagten wahr ist.

Unterschätzte Risiken: Killerkurznachrichten

Angst, Unterschätzte Risiken, , , , , ,

Angst vor Händistrahlung war gestern. Heute fürchten wir uns vor der Killerkurznachricht:

»Laut den Mobilfunknutzern würden von Unbekannten massenhaft SMS-Meldungen versendet, die angeblich starke Kopfschmerzen auslösten, denen eine Hirnblutung und der Tod folgten. In Ägypten und Saudi-Arabien seien bereits mehrere Menschen mit derartigen Symptomen in Krankenhäuser eingeliefert worden, heißt es.«

(RIA Novosti: Ägyptische Behörden dementieren Gerüchte über lebensgefährliche SMS-Meldungen)

Verschwörungstheoretiker werden am Dementi der ägyptischen Behörden Gefallen finden, denn wer etwas dementiert, der hat ja sicher einen Grund dazu, und den denkt sich der Verschwörungstheoretiker aus.

Frau Orwell

Fundbüro, Zeitmaschine, , ,

Corpus Delicti, so heißt das neue Buch von Juli Zeh, und es spielt in einer Zukunft, in der die Gesundheitsdiktatur regiert. Gelesen habe ich es noch nicht, deswegen kann ich zum Buch nichts sagen, was andere nicht schon gesagt hätten. Überraschend ist die erste Reaktion aufs Buch, die mir in die Hände fiel: ausgerechnet in der der Zeit plädiert Harro Albrecht Für ein bisschen Diktatur und meint es anscheinend auch so.

Ergänzung: Auf stern.de gibt’s ein Interview zum Thema.

Security Annoyances

English, IT, Risiko, Security

[Get only posts in English]

Stuart King has blogged a list of his top 5 information security annoyances:

  1. Security awareness programs
  2. Compliance = security
  3. Risk modelling
  4. Where are all the analysts
  5. It’s not my fault

By and large I agree with his list, not least because he seems to have annoyed a few of those who are overconfident about risk trivia and business school quadrant diagrams.

I’d like to add to the list two of my own favorite annoyances:

  1. Just make it hard – for the legitimate users and uses of a system. Attempts to improve information security often make it harder for the users of a system, for the employees of an organization to do their legitimate jobs. Sometimes this is unavoidable, we all know there is often a tradeoff betwen usability and security. The tradeoff turns into a fallacy where the primary impact of security measures is reduced usability while actual security remains more or less the same.
  2. Alice’n’Bob thinking. Academic researchers might be particularly prone to this: thinking and arguing in the Alice’n’Bob world of security textbooks as if it was a suitable model of the real world and the real security issues. It isn’t, which we somethimes forget when we name abstract entities after humans.

Die PrivacyBox

Datenschutz, Freundlich zum Nutzer, Security, Vertrauen, , , ,

Kryptologie-Nerds mit ausgeprägter Paranoia dürfte die Lösung nicht überzeugen, weil sie grundsätzlich niemandem trauen und jeder hinter ihnen her ist, aber die Idee ist trotzdem gut:

»Die PrivacyBox soll es in erster Linie Journalisten, Bloggern und anderen Publizierenden ermöglichen, eine vorratsdatenfreie (und auch anonyme) Kontaktmöglichkeit für Informanten anzubieten. Sie steht aber auch weiteren Interessierten offen.«

Die PrivacyBox stellt als Grundfunktion gerichtete anonyme Kommunikation über ein Web-Interface zur Verfügung. Der Empfänger ist nur durch ein Pseudonym gekennzeichnet, der Sender liefert seine Nachricht über ein Web-Formular ab. Krypto-Voodoo mit TOR und PGP ist optional möglich, wird aber nicht erzwungen. Das ist Sicherheit für normale Menschen. Wir brauchen mehr davon.

Sechs Jahre Zeckenalarm

Propaganda, Risiko, Zeitmaschine, , ,

Wenn eine Risikosau durchs Dorf getrieben wird, lehnt man sich am besten erst mal zurück, wartet ab und beobachtet, wie sich die Sache entwickelt. Das hat hockeystick im Blog Stationäre Aufnahme getan und sich die alljährlich wiederholten Zeckenwarnungen – die regelmäßig in eine Impfempfehlung gegen seltene Erkrankungen münden – vorgenommen. Ergebnis: nach milden Wintern gibt es Zeckenalarm. Nach kalten auch.

Dieses Blog wird übrigens in einem sogenannten Hochrisikogebiet betrieben.