Tag: infosec Page 2 of 4

Biometrics Are NOT Passwords, Dammit!

Today in Stupid Extensions of Biometric Authentication: this item from Sophos.  Brainprints will apparently be the new fingerprints.

Here is what the press (and from the looks of it, half the security industry) seems unable or unwilling to get: you cannot change your biometrics.  You cannot ever change your fingerprints.  Nor can you ever change your iris, your retina, your “brainprint,” or any of the other too-clever-by-half schemes researchers may yet dream up for biometric authentication.

In fact, the whole idea of two-factor authentication has traditionally been based on “Something you know, something you have, something you are… pick two.”  We need to drop the last, and go with “Something you know and something you have” – period.

Fingerprints are already easier to steal than a password ever was.  Digital photography is probably good enough by now that iris patterns are equally easy, and retinal scans from afar cannot be that far behind.  What was that twinkle?  Oops, too late.  Once the “brainprint” technology is usable, its targets will be equally pilferable.

Just because it looked cool in 1970’s SciFi does not mean it’s truly going to be valuable in this century.

Warrant Canaries

When the FBI comes a-calling at any custodian of your private information, from Google or Yahoo! to the local public library, it may bring something called a National Security Letter (NSL).  An NSL is not actually a warrant: it is an administrative subpoena the FBI issues on its own authority, with no judge involved, demanding subscriber and transaction records.  What makes it notorious is the nondisclosure requirement bundled with it: the institution is not permitted to disclose that it has been served, or what information it handed over.

But companies are fighting back, in a passive-aggressive way (don’t worry, this time it’s a good thing).  As detailed in this article on ZDNet, companies have realized that post-Snowden, customer trust in the protection of their data is quite important.  And so, many of them are implementing what is called a “warrant canary.”  The name derives from the old practice of taking a canary down with coal miners, so that if gases started to accumulate, the more-sensitive canary would die and hopefully give the miners sufficient warning to escape the local buildup of carbon monoxide or similar.

Low-tech warrant canary

A warrant canary is a statement a company publishes proactively, saying that it has not received a secret demand for data of the kind an NSL bundles with its gag order.  Then we in the public watch for the statement to go away.  It can be a line in the text of a webpage, or a periodic statement, perhaps in a quarterly report for a public corporation.  It can also be a sign on a bulletin board, as in the picture to the left.  The better canaries are dated and re-issued on a schedule, so a canary that goes stale is as much a signal as one that disappears.

Legal scholars wonder whether the NSL’s gag order can also be interpreted to require the subject organization to actively lie to the public, and continue to say, “no, they have not been here.”  Moxie Marlinspike has stated his opinion that removing a warrant canary would “likely have the same legal consequences as simply posting something that explicitly says you’ve received something.”

But the Electronic Frontier Foundation (EFF) believes that a law specifically outlawing this practice would be required, and there is no such thing on the books as of now.  So, together with several partner organizations, they have established a website, Canary Watch, that maintains a list of existing canaries and monitors them for changes.

ZDNet quotes EFF staff attorney Mark Rumold as saying, “No court has ever publicly addressed the issue,” and that it would be “unprecedented” for the government to force a company to keep that warrant canary in place.  “I’m skeptical it would ever happen….”

Once a company has been served with a gag order, though, it’s too late.  Verizon was forced to comply with a Section 215 order for the call records of every one of its customers.  And Twitter is suing the Justice Department, aiming to settle whether disclosures of this kind are protected under the First Amendment right to free speech.

Visit Canary Watch for more on this.  I check it a couple of times a week.
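Checking a canary by hand a couple of times a week works for one site; a watcher that covers many needs to decide mechanically what it is looking at. The script below is an added example, not code from this post, from Canary Watch or from the EFF. It classifies a fetched canary into four states: still present and fresh, present but past its re-issue window, quietly reworded, and gone. The canary texts, the expected phrase, the "as of YYYY-MM-DD" date convention and the 45-day freshness window are all constructed assumptions for the example.

```python
"""Warrant-canary monitor (added example; not Canary Watch's or the EFF's code).

Outcomes: "ok" (present and fresh), "stale" (present but past its re-issue
window), "changed" (wording altered), "missing" (statement gone).
All canary texts below are constructed for this example.
"""
from __future__ import annotations

import hashlib
import re
from datetime import date, timedelta

# Assumed canary format: the statement carries an ISO date after "as of".
DATE_RE = re.compile(r"as of (\d{4}-\d{2}-\d{2})")

# The assertion we expect to keep seeing; its disappearance is the signal.
PHRASE = "has not received any National Security Letters"

# Constructed canary texts: the baseline, a routine monthly re-issue,
# a quietly reworded one, and a page where the statement is gone.
CANARY_FEB = """Transparency statement, as of 2015-02-01:
Example Corp has not received any National Security Letters or
FISA court orders, and has not been required to keep any such
request secret. This statement is reissued monthly."""
CANARY_MAR = CANARY_FEB.replace("2015-02-01", "2015-03-01")
CANARY_EDITED = CANARY_MAR.replace(" or\nFISA court orders", "")
CANARY_GONE = """Transparency statement, as of 2015-03-01:
Example Corp publishes an annual transparency report."""


def normalize(text: str) -> str:
    """Collapse whitespace and blank out the issue date, so that a routine
    re-issue (same words, new date) fingerprints the same as the last one."""
    return " ".join(DATE_RE.sub("as of <date>", text).split())


def fingerprint(text: str) -> str:
    """SHA-256 over the normalized statement; store this as the baseline."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def issue_date(text: str) -> date | None:
    """Date the canary claims to have been issued, or None if unparseable."""
    m = DATE_RE.search(text)
    if m is None:
        return None
    try:
        return date.fromisoformat(m.group(1))
    except ValueError:
        return None


def check_canary(text: str, baseline: str, today: date | str,
                 max_age_days: int = 45) -> str:
    """Classify a fetched canary against the stored baseline fingerprint.
    Precedence: missing, then changed, then stale, then ok."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if PHRASE not in normalize(text):
        return "missing"          # the canary died: treat as a served order
    if fingerprint(text) != baseline:
        return "changed"          # phrase still there, wording differs: read it
    issued = issue_date(text)
    if issued is None or today - issued > timedelta(days=max_age_days):
        return "stale"            # not re-issued on schedule: also a signal
    return "ok"


if __name__ == "__main__":
    baseline = fingerprint(CANARY_FEB)
    for label, text in [("Feb", CANARY_FEB), ("Mar", CANARY_MAR),
                        ("edited", CANARY_EDITED), ("gone", CANARY_GONE)]:
        print(label, check_canary(text, baseline, date(2015, 3, 10)))
```

The fingerprint deliberately excludes the date, so a normal monthly re-issue does not trip the "changed" alarm, while dropping a clause such as "or FISA court orders" does. A canary that a real site signs with PGP would get one more check, the signature, before any of this.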

Exam Time!

If you’re a student and you’re reading this, I just made you clench a little with that title, didn’t I?  Well, here’s some news you can use: it never really goes away.

Ten years ago next month, I sat for the CISSP exam.  Being a bit underemployed at the time, I had done little the preceding six weeks but study for it.  I had to travel to NYC for the exam, which was a non-trivial financial risk, but lack of confidence has never been my issue. Even the night before in the hotel, though, I sat doing flash cards of the Legal & Regulatory elements, which was the one area I felt needed boosting.  I could never get the hang of this due to its utter lack of internal logic or consistency.  This is what keeps the courts in business, I suppose.

I went into the exam with a strategy of sorts.  I was planning to give my brain “breaks” by doing 25 questions at a time, then reviewing those before moving on.  I was never worried about the time limits.  Right or wrong, I do these things quickly.  I have yet to hear the words “pencils down” in a test, and that goes all the way back to the PSATs in 1972.

So there I was doing this answer 25, check 25 routine… and I started to notice something.  The text of questions in the second half of the test started giving me clues to some answers I had not been so sure about in the first half.  I know for a fact that there are at least three questions I would have had dead wrong on my test that I was able to fix, thanks to clues in the “givens” of later questions.

The only time-related distress I’ve experienced in a test was on the CISM exam.  At that one, there’s one other CISM candidate among a gaggle of would-be CISAs.  For no discernible reason, the proctor seats us next to each other.  We start the test at 9:00.  At about 10:10, I’m on question maybe 110 of 200… and doesn’t she close her book, go up front, hand in her paper and leave?!  This freaks me out in no small measure.  But to this day, I have no idea if she scored 100% or “no better than random.”  I just figure it has to be one of those two extremes.

This comes to mind because I have now started to hear the siren song of yet another certification exam, the CCSP.  Offered by (ISC)² jointly with the Cloud Security Alliance, it draws on much the same body of knowledge that went into the CSA’s CCSK exam and adds continuing-education (CPE) and renewal requirements.  I have a feeling it will be better-recognized.  And hey, one thing I appear to be able to do well is take multiple-choice tests, so… why not?

Security is a Pain

I set out this weekend to figure out how to get PRTG Network Monitor to tell me the Internet bandwidth being used by our various machines, and where on the internet all that data is coming from or going to.  In order to get that level of detail, I have to enable SNMP and then tack a bandwidth monitor sensor to each device.

SNMP gets a pretty bad rap in the security world.  It has had its share of vulnerabilities, and the default credential (community string, in SNMP parlance) of “public” for read access, with “private” for write access, makes it obvious that it gives up too much information too easily; worse, in SNMPv1 and v2c that string crosses the network in cleartext with every request.  Every best-practices benchmark or manual will tell you to turn it off, or reconfigure it so none of the defaults are taken.  More to the point, most modern OS distributions no longer enable it at all by default; you have to explicitly enable it.

Enabling SNMP with all non-default settings turns out to be a very finicky process.  Unless an IT shop is operating at a scale where everything is built from “golden images,” it is easy to understand why security inspections so often find the defaults still in place.  Even though this flies in the face of best practices, the defaults on SNMP agents match the defaults on SNMP sensors, so the two sides talk to each other with zero effort.  How incredibly tempting, to IT managers with thinly-stretched staffs, to take that zero effort over the double work of configuring sensors and agents with non-default settings and then testing to make sure the exact same non-defaults were set on both sides?

This doesn’t make it right, but it sure makes it understandable.  Any security manager needs to show some empathy when finding things like this in the environment.
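Empathy is easier to extend when the finding is at least consistent, so it helps to check agents the same way every time. The script below is an added example, not code from this post, from PRTG or from the net-snmp project. It audits a net-snmp style snmpd.conf and shows two constructed files side by side: the out-of-the-box one with “public” and “private”, and a hardened one with a long read-only community accepted only from the monitoring host plus an SNMPv3 user that requires both authentication and encryption. The directive syntax (rocommunity, com2sec, createUser, rouser) is net-snmp’s; the addresses, passphrases, community string and the 16-character length threshold are assumptions for the example.

```python
"""Audit a net-snmp snmpd.conf for the defaults the post describes.

Added example, not PRTG's or net-snmp's code. The two configs are constructed;
the directive syntax (rocommunity, com2sec, createUser, rouser) is net-snmp's.
"""
from __future__ import annotations

import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
MIN_COMMUNITY_LEN = 16   # assumption: anything shorter is treated as guessable

# Constructed: what "take the defaults" looks like on the agent side.
WEAK_CONF = """\
# out-of-the-box snmpd.conf (constructed example)
syslocation Server room
syscontact admin@example.net
rocommunity public
rwcommunity private
"""

# Constructed: the same agent with non-default settings. The PRTG sensor must
# be given exactly these values, which is the double work the post describes.
HARDENED_CONF = """\
syslocation Server room
syscontact admin@example.net
# v2c: long random read-only string, accepted only from the PRTG probe
rocommunity Y7k2pQ9vLm4xR8sT1uWz 192.0.2.10
# v3: createUser normally lives in the persistent config (on Linux typically
# /var/lib/net-snmp/snmpd.conf); snmpd rewrites it as a localized key on start
createUser prtgmon SHA "correct horse battery staple" AES "another long passphrase"
rouser prtgmon priv
"""


def _tokens(raw: str) -> list[str]:
    """Strip a '#' comment and split like net-snmp does (quotes allowed)."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return []
    try:
        return shlex.split(line)
    except ValueError:            # unbalanced quote: fall back to whitespace split
        return line.split()


def audit_snmpd_conf(conf: str) -> list[str]:
    """Return one finding per weak setting; an empty list means clean."""
    findings: list[str] = []
    for n, raw in enumerate(conf.splitlines(), 1):
        parts = _tokens(raw)
        if not parts:
            continue
        directive = parts[0].lower()
        user = parts[1] if len(parts) > 1 else "?"
        if directive in COMMUNITY_DIRECTIVES or directive == "com2sec":
            if directive == "com2sec":          # com2sec NAME SOURCE COMMUNITY
                community = parts[3] if len(parts) > 3 else ""
                source = parts[2] if len(parts) > 2 else "default"
                writable = False
            else:                               # r[ow]community COMMUNITY [SOURCE]
                community = parts[1] if len(parts) > 1 else ""
                source = parts[2] if len(parts) > 2 else "default"
                writable = directive.startswith("rw")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"line {n}: default community string '{community}'")
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(f"line {n}: short community string ({len(community)} chars)")
            if source == "default":             # net-snmp's keyword for "any source"
                findings.append(f"line {n}: community '{community}' accepted from any "
                                "source; restrict it to the monitoring host")
            if writable:
                findings.append(f"line {n}: read-write community; monitoring needs read only")
        elif directive == "createuser":         # createUser NAME AUTHPROTO "pw" [PRIVPROTO "pw"]
            algos = {p.upper() for p in parts[2:]}
            if "MD5" in algos:
                findings.append(f"line {n}: SNMPv3 user '{user}' uses MD5 authentication")
            if "DES" in algos:
                findings.append(f"line {n}: SNMPv3 user '{user}' uses DES privacy")
            elif not any(a.startswith("AES") for a in algos):
                findings.append(f"line {n}: SNMPv3 user '{user}' has no privacy protocol")
        elif directive in {"rouser", "rwuser"}:  # r[ow]user NAME [noauth|auth|priv]
            level = parts[2].lower() if len(parts) > 2 else "auth"
            if level != "priv":
                findings.append(f"line {n}: SNMPv3 user '{user}' allowed at level "
                                f"'{level}'; require priv so replies are encrypted")
            if directive == "rwuser":
                findings.append(f"line {n}: read-write SNMPv3 user; monitoring needs read only")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_snmpd_conf(conf) or ['clean']}")
```

Whatever values pass the audit on the agent have to be entered identically in the PRTG sensor settings, and SNMP interface counters only tell you how much traffic crossed an interface; where it went needs flow export or packet capture, not SNMP. Running the audit across every snmpd.conf in the environment turns "we found defaults again" into a list of exact lines, which is a kinder thing to hand a thinly-stretched admin than a generic finding.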

The Painful Joys of Learning a New Technology

I decided a while ago that I wanted to try a next-gen firewall.  So I recently acquired a small ARM-based PC with dual LAN interfaces, installed a disk in it and set to work getting Sophos Home UTM running.

An old friend and co-worker of mine once pointed out that we programmers and other IT types often find ourselves working at a tough problem or bug for hours or even days.  Then we hit upon the solution.  Now at this point, in the popular imagination, we erupt in celebratory exclamations along the lines of, “Eureka!”  Any of us who have been through the process, however, know that what is vastly more likely is that we erupt in vicious, self-directed insults along the lines of “Idiot!”

I have had my share so far of “Idiot!” moments.  Let me share them with you.

By the way: my only justification for being such a moron in the vignettes that follow is, this is my hobby and even though it is frustrating at times, I am having fun.

I got the software and tried several different utilities to make a bootable USB stick from the ISO.  A Linux utility called “USB Image Writer” quickly proved itself nigh-on useless.  Unetbootin works well for Windows or Ubuntu, not so much for anything else.  I discovered that there is one of this scruffy class of programs that actually works well, including adjusting the varieties of the output USB stick formats to how the ISO it’s laying down is set up, and that is Rufus.

Now, with a USB stick in hand that would boot the installer and begin, I quickly encountered an error message during the formatting of the disk, “install.tar not found”.  I probably could have resorted more quickly to the “just google the error message verbatim” strategy and saved myself a lot of time on this one, so that will count as my first “Idiot!” moment.  It turns out that you have to work around the fact that the Sophos ISO is designed to lay down a CD image with links to files as well as files, and this is not well-replicated on the USB version.  Also, for reasons not clear to me, the installer dismounts the install medium during the disk formatting process.  So you need some redundancy that the Rufus utility will not create.  I found this sequence of commands, which worked well:

Start the Installer, then

1. On the first screen, hit Alt-F2. [gets a command prompt]
2. bash-3.2# mount /dev/sdb1 /mnt [mounts the install USB; the device name may differ, so check dmesg or ls /dev/sd* first]
3. bash-3.2# cd /install
4. bash-3.2# mkdir install
5. bash-3.2# cd install
6. bash-3.2# cp -a /mnt/install/* . [copies the install files into a nested install/ directory]
7. bash-3.2# cd ..
8. bash-3.2# cp -a /mnt/* . [copies the rest of the stick too, so the files are still there after the installer unmounts the medium]
9. bash-3.2# cd /
10. Hit Alt-F1 [returns to the main installer]
11. Finish the installation, reboot.

OK, now with this scriptlet, I can get the install to run to completion.  Along the way it takes a default for its static IP, and just clicking past that occasioned my “Idiot!” moment #2.  Oh, it also takes a default for the netmask, so my “Idiot!” moment #3 followed #2 pretty quickly.  I hear you objecting that we can change these after install with ifconfig.  It’s true, yes… but are you willing to assume that the installation of all that other firewall functionality did not record those bad defaults somewhere your after-the-fact change will not reach?

Let’s just say, I got good at that command sequence above.

Last but not least, after getting it working to the point of being able to put it on the bench and do as much pre-configuration work as possible prior to setting it inline and trying it out… I made the one mistake that should really have me considering a second career in pottery.  I created a new admin account with a complex password that I recorded in my password manager… and then deleted the default admin account… and then discovered that the new admin password was mistranscribed and therefore useless.  After a break, I get to practice that command sequence again.

And yet, I know how this movie ends.  My persistence at these things is close to boundless, and I will have a functional installation at the end.  And a newly deepened respect for sysadmin and netadmin types who do this for a living.
