Monday, February 15, 2010

the true nature of security

what is security

security can mean many things to many different people. have you ever wondered why that is? do we examine what security is and what the nature of it's relationship is to other supposedly related topics or do we simply build upon a foundation of an instinctual gut level feeling about what is and isn't secure? for me (and others like me) it has traditionally been the latter, but i'm about to do the former and take you, the reader, with me.

i'm going to try and lead the thinking a little bit. try to complete these sentences:
i don't feel _________ online without an anti-virus.
i don't feel _________ online without a firewall.
i don't feel _________ doing online banking without SSL.
now if you're reading this blog there's a good chance you see the world through security-coloured glasses and likely answered "secure" for all 3 questions. unfortunately, while seeing the world through security-coloured glasses has no doubt served you well over the years (i know it certainly has for me) the fact is that it's still a distortion of reality (regardless of how useful it may be). i want you to think about basic human needs. i want you to think about someone who isn't as security conscious as you are - in fact someone who isn't even technologically sophisticated. think about someone who's afraid to go online and tell me how you think they would complete this sentence:
i don't feel ________ online.
if you guessed safe then you get a gold star.

so to start things off, security is related to safety. this is demonstrated by what i consider to be the best answer to the "are mac's more secure" question - that being they're safer but not necessarily more secure. clearly we're expecting security to help us meet our basic need for safety. there is a school of thought that says everything we do represents a strategy for meeting our basic needs (even altruism is said to come from a need to contribute). therefore it can be said that security is a set of strategies for meeting our basic human need for safety. notice, however, that i did not say it was the set of strategies for meeting that need - as the answer to the "are mac's more secure" question indicates there is more than one path to safety.

i'm going to make an aside here and address something that may be a sticking point for some people. when i talk of strategy here, i'm not talking about the kind of stuff sun tzu would dream up. there's an entire spectrum of strategies, going from the primitive all the way up to the complex. the kinds of strategies people employ day to day are often not arrived at through deep thought, but through trial and error, growing organically as the need arises. that being said, sun tzu does have a lot of wisdom that can be applied to the analysis and formulation of strategies once one undertakes to purposefully modify their strategies.

regulation vs. privacy

two other topics that seem to often be associated with security are regulations and privacy. in fact i recently came across the unusual juxtaposition of "regulation vs. privacy". why do i think that's unusual? well look at it this way - both seem to be related to security so it stands to reason that they are both approaches to meeting our need for safety - so why should 2 things that are meant for the same purpose be at odds with one another? to understand that i think we need to delve deeper into what they are and how they fit together with security.


at a basic level, what are regulations? they're really just rules that individuals or groups are expected to follow. they don't really do much for us all by themselves, though, do they. i could make a rule that says everyone must wear a green shirt but it would be meaningless. i have no way to enforce it. even if i found a way to enforce it, i wouldn't have the moral authority to do so. there we have the key to understanding regulation. it's one part of a bigger whole. you can't just have rule makers, you need enforcement as well, and the authority to do so or society will rebel against you. the most straight forward examples of rules and enforcement are laws and police. together we generally consider the lawmakers and police to be the authorities and as such we can say that in security circles when we talk of regulation what we're really talking about is a class of strategies for meeting our need for safety called authority.


so is privacy also part of a duality like the regulation/enforcement example above? if it is i can't really see it, but i can see how it represents something more general. in fact, using a mac (or any other alternative platform) for improved safety is also an example of the same thing. think about what you're doing when you're keeping something private - you're hiding it from the public, you're obscuring it from vision. now think about what you're doing when you use an alternative platform like the mac, or alternative browsers or other software - rather than using the most popular thing, you're using something that's more obscure. thus it can be said that obscurity is another class of strategies for meeting our need for safety.

putting the pieces together

now that we have a few pieces, let's see if we can put them together into something coherent. coming from a strategic point of view, when we're trying to maintain our safety while dealing with an opponent there are a few broad categories of things we can do.
  1. first and foremost we can neutralize the opponent before s/he can attack us. this is the role that authority plays. we make rules of conduct (either formal or informal) intended to maintain our safety, identify those who violate those rules (to determine who our opponent is), and then try to sanction them in some way to keep them from violating those rules in the future (neutralize them before they can attack again).
  2. next we can harden ourselves against attack, make ourselves invulnerable or at least minimize the impact of an attack that is launched against us. this is the role that security plays. we set up roadblocks, we try to identify where our vulnerabilities are and fix or cover them, and generally try to shield ourselves.
  3. finally we can run and hide. as much as we may dislike the notion, sometimes our other efforts aren't good/effective enough. this is the role that obscurity plays. by making ourselves more difficult to target we in effect make ourselves less likely to be attacked.
at this point it seems that not only do authority, security, and obscurity fit together rather nicely, there also doesn't appear to be room for anything more; with the exception, perhaps, of recovery for when everything else fails. but recovery doesn't preserve safety, it doesn't keep you safe from harm and so is not really related in that sense.

for the 6 year olds

a quote often attributed to einstein goes as follows:
if you can't explain it to a six year old, you don't understand it yourself.
i happen to think that's a pretty good yardstick for measuring understanding so how can we explain this in terms a six year old can understand? my tendency is to relate it back to antiquity, to a fanciful time that most children (in the western world at least) are familiar with and probably fantasize about to some extent. i would say that authority is like the sword we use to strike down our opponents with before they can strike us down, security is like the shield or armour that keeps us from harm when our opponent does strike us, and obscurity is like the hiding place we use when the sword isn't sharp enough and the shield isn't strong enough.

one other thing i would do, of course, is use pictures.

regulation vs. privacy revisited

getting back to that question of why these two different things that are supposed to be for the same goal are at odds with one another, i think there are two main reasons for this. the first is the obvious; our opponents have the same basic human need for safety as we do so our respective efforts will certainly clash to some extent. the second reason is more subtle. notice that when we speak of regulation we're addressing only one half of authority - rule making. i think we take enforcement for granted. i think we focus too much on the making of rules and so when authority fails we think we need to make new rules (not unlike the old saying "when all you have is a hammer, everything looks like a nail"). what happens next is that those new rules often confer greater powers onto enforcers, and that opens the door to abuse. this single-minded focus on regulation over application is dysfunctional and can hurt us just as easily as it can help us. greater powers, like the sword of damocles, loom over all our heads not just those of our opponents.

information security

if you've had a growing sense that something was wrong, that all of this seems to not quite fit with the notion of information security somehow, then you'd be right. after all, information is just ones and zeros, bits and bytes. you can hide a bit you can't harden a bit against attack - and for that matter, attackers don't generally attack information, they steal it.

so what's going on? well, what do attackers attack in order to steal information? the systems which store, transmit, and control access to that information. in other words, information systems. what these systems do is obscure information, but the systems themselves can be secured in their own right. strategies need not be used in isolation from one another and this is an example where both obscurity and security are combined. indeed, both are generally considered to be within the realm of self-defense and so can be practiced by the widest array of individuals and organizations. we call it information security, i suspect, for much the same reason you likely answered "secure, secure, secure" to the questions at the beginning of this post - because we look at the world through security-coloured glasses. data security is a further bastardized version of this.

security folks don't like obscurity very much, they often say that there's no security through obscurity and even in this framework they'd be correct - but there is safety through obscurity. we can tag data, make it self-describing, etc. but it can never defend itself because data is not an actor. systems through which it is accessed may defend it based on whatever protection-specific information is present, but that's the system doing the defending, not the data itself. encryption probably comes closest to securing data in the sense of hardening it (because it does seem like we're doing something to the information itself), but still the data is just inside an encrypted envelope and the only security present is in keeping the decryption key secret (hidden/obscured).

the true nature

so it seems that i've gone through all this just to say that security is one of 3 different classes of strategies (along with authority and obscurity) for meeting our basic human need for safety in some fashion or another. that presents us with an interesting opportunity to talk about the state of security because in this context what we'd really be talking about is how effective our strategies are. if we find them wanting, that further begs the question how can we improve them, and then we're in the realm of purposefully modifying our strategies to achieve something closer to the optimum state. we should also be better able to recognize now the roles of authority and obscurity and how those strategies too can be put to use for our real goal of safety.

Thursday, February 11, 2010

update on possible user database breach at instructables

i have good news for users. i've been in contact with Eric Wilhelm, CEO of Instructables, who was able to get to the bottom of the issue i previously blogged about in short order and it turns out to have not been a breach of their database after all.

Instructables uses a 3rd party service to handle their newsletters. in the past they used a company called iContact, but they switched to Streamsend 2 years ago. it appears that iContact recently had a breach of their systems which you can read more about on the iContact blog.

as such it seems likely that it was only email addresses (not other, potentially more sensitive information like credentials) that were leaked since that's the data iContact would have needed access to. further, anyone who joined Instructables after the switchover to Streamsend would not have had their email address compromised by this event. this should still serve as a reminder, however, of how important it is not to re-use your passwords as, had it actually been a breach of the Instructables user database, it wouldn't have just been your Instructables account that the attackers got access to, but also every other account where you used the same username and password.

finally, there will undoubtedly be those who question why iContact still had Instructables data after 2 years. while Mr. Wilhelm expressed regret for not insisting that data be purged, i can only imagine why iContact was holding onto data it couldn't (or rather shouldn't) use for such a long time.

user database breach at instructables?

many have at least heard the advice to use unique passwords at every site they visit. well i go a few steps beyond that. not only do i use unique randomly generated passwords at every site, i use unique randomly generated email addresses at each site too.

that probably sounds like overkill, but consequence for me (besides knowing exactly which sites are spammy) is that the older identities collectively form a kind of honeypot for detecting user database breaches.

it was as a result of my address for receiving spam that i realized (and later verified) that something untoward had happened there and so it is that today i'm going to come out and say that something fishy is going on over at

a unique, randomly generated email address (basically a secret shared between only myself and instructables) that is unguessable (there are approximately 4.7x10^18 possible values so the chance of them guessing one of my 200 or so addresses is so small that if they guessed 1 million times a second it would still take on average 375 years before they got one) should only be usable by those who know it, so the fact that i'm receiving drug spam at this email address tells me that somehow the user information they had in their database for my account has been leaked.

*update*: it appears i miscounted the number of characters in the email address and thus my probability calculations are off. there's only 1x10^14 combinations, which means that at a million guesses a second someone could get expect to guess one of mine in (on average) about 3 days. i'm not convinced that sort of brute forcing operation is going on, however (it seems like it would be too much work for too little benefit).

Tuesday, February 09, 2010

2nd annual security blogger summit

last week i attended the 2nd annual security blogger summit put on by panda security in madrid, spain and i figure i ought to share my experience for the benefit of those who may wind up going next year. a handful of people may be aware that this is not the first time a vendor has offered to fly me somewhere for some event they're putting on, and some might wonder why i agreed this time when the last time i refused on the grounds of maintaining my rabid independence. the answer is pretty straight-forward - at the security blogger summit you are actively chastised for mentioning any vendor by name, and nobody would argue that the attendees of the previous one (such as bruce schneier or andy willingham, for example) are in any way in panda's pocket. also, opportunity rarely knocks twice. at any rate, on with my story.

my flight was to leave pearson international airport in toronto at around 7pm on tuesday, february 2, so i arrived at the airport at 4pm (i like to arrive early because you never know what's going to happen). at the very entrance of the passage way to the gates (before getting to security at all) there was a guy basically reminding people of security restrictions and asking everyone who passed whether they were carrying any liquids, gels, or pastes. i had toothpaste with me and apparently this was a problem because in spite of the fact that the tube was nearly empty and obviously flattened all the way down to the cap this security guard was more interested in the original capacity of the container because he thought it might be too big. thankfully he found the label that said 90ml and that was an acceptable size, but i still needed to put it in a clear plastic bag.

next up was the actual security checkpoint. i learned some valuable lessons here, like taking off my boots before going through the metal detector. unfortunately my boots weren't the only thing to set off the metal detector, the zipper of my pants did too. even the security guard's wand was set off by my zipper (just a standard zipper on a normal pair of jeans by the way, nothing fancy or unusual). this was the only airport i went through on the entire trip where the equipment was so sensitive that it was set off by my zipper so (thankfully) it was the only time i got a pat-down on the front of my pants (yes, i'm aware that sounds a lot like i got groped by airport security - perhaps it even qualifies as precisely that).

following that was the big wait, because in spite of the trouble i had getting through security, my early arrival meant i still had plenty of time. more time than i had even banked on, apparently, because the plane was 15 minutes late. that shouldn't be a problem except i don't have a direct flight to my final destination. it still shouldn't be a problem because there's supposed to be an hour between the arrival of the first plane and the departure of the second, and even with that 15 minutes removed that still leaves 45 minutes so i wasn't worried and i enjoyed watching movies on the 7 hour flight to paris. as an aside, this had been the first time in 7 years that i'd been on a plane so the tiny screens in the back of the seats was quite a novelty. unfortunately, when we landed, i was informed by the flight crew that i had missed my connection and would have to see customer support to get the next flight. so i wait in line, and wait, and wait some more, only to be told that no, the flight hadn't left yet and if i hurried i might catch it (this is 2-3am my time by the way). so i hurried along until i was stopped at an access control point and asked what flight i was trying to get to and then informed that it really had left and so i went to the customer service desk conveniently located right there and got my boarding pass for the next flight.

that next flight was to be 3 hours later, a little after 12 noon, paris time (which made it after 6am my time). the gate, however, was a bus terminal - i'm now familiar with boarding a plane by bus, but that was the first time i'd heard about such things so in my sleep deprived mind i was rather confused. at any rate, i struggled to stay awake so that i wouldn't miss my bus and eventually it arrived and took us to our plane where we waited for takeoff. and we waited, and waited, and waited some more until the voice over the intercom informed us that the flight wouldn't be leaving as planned because the brakes were broken (of all the things that could break, it was the brakes). so we waited and waited and waited some more when the voice apologized for the delay and said they were still trying to figure out where the bus was to take us to another plane. eventually that bus arrived and we boarded it and headed off to the next plane but what struck me as curious was that that bus was being followed by another bus that displayed the flight information not for the flight i was on but for the subsequent flight to the same destination. that's right, i missed not one but two flights to spain and now they were going to try to squeeze 2 flights onto the same plane. thankfully that worked and i finally arrived in madrid, spain 5 hours later than my originally scheduled arrival time.

with that out of the way, i got offered a cab ride to my hotel (or what i thought was a cab, but not having seen spanish taxis yet i didn't realize that it was a more expensive option - and if their are any spanish cab drivers reading this, please make sure to print the cost clearly on the receipt rather than scribbling it so that i can actually read it and avoid you trying to explain that it's 79 euros without being able to say 79 in my language). once there i checked in, familiarized myself with the room, cleaned myself up and waited for the scheduled 9pm dinner with the others (there wasn't time for sleeping, at least not the kind of sleeping i needed after being awake for nearly 2 days). at 9 i wandered down to the lobby and had a nice meal with luis corrons, brian krebs, sean-paul correll and his girlfriend (whose name i can't recall - sorry), and josu franco; and we stayed in the hotel restaurant eating and talking until long after all the other hotel guests had left. i have no idea what time it was when that ended but i do know that when i finally got to bed i fell asleep immediately.

as hard as it was to pull that all-nighter, though, it worked perfectly because i had no trouble adjusting to the 6 hour time difference the following day. that's a good thing too, because that was the day of the main event, as well as a press conference in the morning. now those of you who are going to subsequent security blogger summits and who like to be surprised, you may want to skip the rest of this paragraph and the one following it because i'm going to share some of the surprises i experienced as the agenda for the event was a little vague about certain things. first the press conference: we had been told it was really more of a breakfast with journalists - well, ok, i've never been to either a press conference or a breakfast with journalists so from my perspective it was more a case of 3 of the english speaking panelists (brian krebs, joseph menn, and myself) presenting a synopsis of what we intended to talk about at the main event, while eating cookies and pastries. everything we said was then translated by our excellent translator matilda (sp?) and then the journalists asked questions which we answered and those answers were also translated back for the journalists. following that was a filmed Q&A with each of the 3 of us individually. following that was long lunch (they seem to like late, long lunches in spain) with most of the english and spanish panelists and after that was the main event, the summit itself.

i'm going to be brutally honest about this part - i was disappointed in my performance at the summit. i was too quiet. i have to admit, i was actually holding my tongue, even though i knew i should have been speaking more, but let me explain why. what neither the agenda for the event, nor the videos from last year's event hinted at was that the panel discussion was to be a 3 minute explanation of each panelists view of the state of security (i was thinking of going with the true nature of security and the security user conversion problem, but 3 minutes? oh, and hey i haven't even settled on a solution to the conversion problem yet) followed by a debate where each panelist with something to say had to get in line and wait their turn. and what a debate that turned out to be. everyone had their own opinion, the queue of people waiting to say their peace was never wanting for more bodies, and every time someone opened their mouth the direction of the discussion changed. that was a completely new experience for me and i'm afraid i was not able to adapt quickly enough. every time someone said something i thought i could comment on, my instincts told me i couldn't because by the time my turn in the queue would come the direction of the debate would have changed 3, 4, or even 5 times. in retrospect i realize that i should have ignored that instinct, that i wouldn't be doing anything worse to the continuity of the discussion than everyone else was already doing. unfortunately i realized that too late and i feel bad that i wound up not contributing as much to the discussion as i could have.

if you're at all curious how a discussion with people speaking different languages works from a logistical point of view, panda had apparently hired a team of translators to translate in (near) real-time over some headphones that were provided. there were translators for both languages so everyone got the full content of the discussion (though there were subtle things like "final user" instead of "end user" that make me wonder if, had engaged in a semantic debate over some point, i might be arguing over a minor mistranslation). it worked really well, although when yago jesus (who sat on my left) was speaking i found myself wishing the volume on my headphones went up to 11. following the debate was a Q&A with the audience, but that was pretty straight-forward, as was the networking following that.

the following day (friday) was a day-trip to bilbao to visit panda's lab. luis corrons and pedro bustamante gave brian krebs, joseph menn, and i 2 brief presentations about malware and cybercrime and then showed us around the lab, giving us brief demos of the internal tools and techniques used in the lab. now this was my first time in a virus lab (my first reaction was, wow this looks just like work only bigger) but after seeing what goes on there (there were a lot of familiar concepts in play) and thinking back to some of the things i written on my blog about what av vendors do, i can see how someone might get the impression that i've spent time in such a lab before. i haven't, of course - most of what i know is gathered from years of interacting with various anti-malware luminaries and the rest actually from university (for example, classifying something based on it's similarity to other already classified things - a malware lab does this with malware samples, but in school we did it with natural language text). because we weren't the normal sorts of people they do presentations for in the lab and actually already knew a fair bit about the subject the visit was much shorter than it might otherwise be and we had time to see some sights in bilbao with luis corrons, sean-paul correll, and javier merchan, and finally to have a late lunch on what was without question the best steak i've ever had. one of the others said that steak was ruined for them now but i take it as more of a challenge, i have something to aim for now. at any rate, once we flew back to madrid and i was back in my room i decided to do a bit of brainstorming and apparently lost all track of time because the next thing i knew it was after 11pm and i had been pacing my room for several hours (still trying to solve the security user conversion problem). i think the others had planned on doing something that evening but i missed it - oops.

saturday was a free day, nothing was planned, nobody was coming around to check up on us or anything like that. we were free do as we pleased, and so i wandered around madrid for 5 hours, getting lost then found then lost again in the big city. i would have stayed out longer but after the walking from the previous day, the pacing the previous night, and then 5 more hours of walking my legs were getting sore. i rested up a bit, let my legs start approaching normal again and then headed out to the prado national museum (of fine art, apparently). i had passed by it earlier in the day and someone told me it would be free from 6-8pm so i figured i should take a look inside. well, it turns out what i'd always figured was true - i'm a philistine. nothing really grabbed my attention for more than a few moments so i wound up seeing quite a bit of the inside of the place, zipping around from room to room, until i realized i was bored and headed back to the hotel early. there i called it quits because my legs were well and truly done by that point.

finally, sunday was the day to head back home. i opted for the subway as my transportation to the airport and i'm glad i did - 2 euros to go back as opposed to the 79 to get to the hotel in the first place. the trip home was basically uneventful, but i realized that in the 5-6 days i'd been traveling for the security blogger summit i had doubled the number of planes i'd ever been on in my entire life. i had a great time though, and panda showed us some amazing hospitality and took really good care of us. if i had it all to do over again i would. there's a couple of things i'd do differently, of course, but i'd definitely go.