Thursday, October 31, 2019

On "Patching"

IT projects are historically, not to say always, late.  There are a number of reasons for this.  We prioritize schedule before quality; it is part of our culture.  We think that schedule is easy to measure. We think that we are on schedule until late in the effort, when quality jumps up and bites us in the ass.  Another reason that we are late is that we fix things in the order of their discovery rather than in the order of their importance.

This is a way of behaving that we replicate in Cybersecurity.  Not only do we fix things in the order of their discovery but we fix them in the order that someone else discovers them.  Microsoft announces forty vulnerabilities, ten critical, on "patch Tuesday."  We drop anything else we might be doing to apply the patches.  

Microsoft was shamed into publishing one or more of the patches.  Google Project Zero discovered the vulnerability and generously gave Microsoft ninety days to fix it under the threat of a public shaming if they failed.  

Ninety days is arbitrary.  It is not based on the ease of exploiting the vulnerability, how wide spread it is, how costly it is to fix, what the fix might break, or what other vulnerabilities Microsoft may have on its plate.  It is one size fits all.  Sometimes Microsoft even chooses the shaming, in part because of what it knows that Google does not and cannot know.  We often patch without even considering whether or not the vulnerability represents a risk to us.  

Again, it is part of our culture.  Of course, as a result of this automatic, Lemming like, behavior, we may all be at greater risk than we need to be.  

Whatever our vendors or our peers may be doing, we need to fix things in order of their risk to our enterprise.  We need to resist letting others allocate our scarce resources into "unplanned activity."  We need to put aside fear generated by the breach of our neighbor because of an unapplied patch.  

Know your risk tolerance.  Identify your risks.  Mitigate, accept, and assign them in the order of that risk.  Document risk acceptance.  Plan your work and work your plan.  Prefer mitigation measures that are broad over those that are merely most effective.  Keep in mind that hiding vulnerabilities, for example behind firewalls, is often more efficient than patching them.  At least the mistakes you make will be your own.

Wednesday, October 23, 2019

FBI Recommends Use of Biometrics

In its Private Industry Notification, 17 September 2019 PIN Number 20190917-001, the FBI encourages the use of biometrics to resist what they see as the limitations of strong authentication.  In fact what they have observed is effective social engineering attacks necessitated by effectiveness of one-time passwords.  Other strong authentication, which might include biometrics, is the solution that I would recommend.

Consider my financial services firm.  They offer me strong authentication based upon a software token installed on my mobile computer.  I downloaded the token from the App Store and gave its identity, 4 letters and 8 digits, to my financial services firm and they associated that token with my account.  When I logon with my UID and password, I am prompted for a one-time password, six digits, generated by that token, with a life of sixty seconds, and expected by a server used by my financial services firm.  

Now, suppose I were to lose the mobile.  I would have to get a new mobile and download a new token.  I would have to associate the replacement token with my account.  In the capability to do that lies a potential vulnerability.  If an attacker were successful in convincing my financial services firm to associate his token with my account, then he might be able to defeat the strong authentication.  Therefore, my financial services firm must be able to resist this "social engineering" attack.  This is where biometrics can play a useful role.

When I call my financial services firm to replace my lost token, or for any other purpose, they may recognize me from my "calling number ID."  They authenticate me by my voice, a biometric, something that only I can do, one that works over the phone.  Yep, they really do; they tell me that that is what they are doing.  While I am a stranger to the agent, the computer recognizes my voice as the one to expect for my phone number.  The agent also asks me for another piece of shared information, a challenge and response, a second factor.  Only then will they honor my request to replace the lost token ID with the the new one.  I think that this is an instance of the use of biometrics that would meet the expectation of the FBI.  

Of course, the process does not end there.  My firm e-mails me, out-of-band confirmation, that they have changed the token associated with my account.  This gives me the opportunity to recognize a fraudulent change to my token ID.  

Now the link above not only points to my blog entry on limitations of one-time passwords but also to the limitations of biometrics.  One needs to understand those limitations in order to use biometrics effectively.  I like the voice implementation used by my financial services firm because it is dynamic and resists replay attacks; replay attacks are one of the limitations of biometrics.  Along with facial recognition, voice is one of two biometrics that both people and machines can reconcile reliably.  

(I am sure that you have heard of static facial recognition being duped by a photograph, a limitation, but fooling a four year old child in dynamic facial recognition, for example, over Skype or FaceTime, as to the identity of her grandmother might be more difficult.)

While there are alternatives to the use of biometrics, the FBI and I agree that they can be both convenient and secure in some applications and environments.  The FBI recommends them to resist what they see as limitations of multi-factor authentication.  I recommend them as effective and efficient measures for resisting one form of "social engineering."

Sunday, October 20, 2019

EBA Relaxes Requirements for Strong Authentication

"The European Banking Authority (EBA) has issued a new Opinion that provides the European payments industry with an EU-wide additional 15 months to comply with strong customer authentication (SCA) requirements for online ecommerce transactions."

Since there are banks that are already in compliance, the solution for consumers is to do business only with those banks.  

While there is no international law on this, there is good banking practice that is universal.  All banks have an obligation to "know their customers," and to ensure that "transactions are properly authorized."  Passwords that are vulnerable to fraudulent reuse do not meet these standards of good practice.  

In an era when most customers have e-mail, mobile computers, or both, strong authentication is not sufficiently difficult to implement to justify an extension.  This is an example of "regulatory capture."  The authority is derelict.  It is serving banks rather than customers.  Shame.  

Friday, September 20, 2019

Do not Rely Solely...

I often tell small children that "in the future most of your toys will talk and listen and generally tell the truth; when in doubt ask Dad."

However, this is the age of disinformation, "fake news," and state propaganda.  Our children will confront errors and deliberate lies.  At some level, we all know that Fox, CNN, and MSNBC have agendas, biases, that make them less than totally reliable.  We need to equip our children to recognize and cope.  

I like Wikipedia, I think that it is one of humanity's greatest achievements, in part because it relies for its authority on its users.  Teachers question the authority of Wikipedia: they prefer the Britannica, in part because it relies for its authority on scholars like themselves.  They prefer it even though it is only one-sixth the size of Wikipedia and much more difficult to use.  However every night when I go to bed, I give thanks that Wikipedia is a little better than it was when I got up in the morning while the Britannica is just as bad.  Wikipedia is self correcting.  

The net is that we want our children to think critically, to be skeptical, to be able to separate facts from opinion, what is important from that which is trivial, to prefer primary sources, to prefer neutral sources, PBS and C-SPAN before Fox or MSNBC.  Perhaps the single most important tool that we can teach them is to check multiple sources.  

Security by Obscurity

According to Wikipedia, "Security through obscurity is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."  Labeling the other guy's security strategy as "security by obscurity" is how we disparage it.  

However, looked at another way, all information security is about secrecy, if not obscurity.  What we think of as security can be seen as the collection of mechanisms that we use to reduce the size and number of the secrets that we must keep. 

Encrypting an object reduces the problem of hiding the file to one of hiding only the key.  Access control may reduce the problem of hiding user capabilities and privileges to one of hiding the user password.  

Wednesday, September 18, 2019

Out of Band Confirmation

This morning I sent a gift via PayPal to a family member, one to whom I had never sent one in the past.  The transaction was initiated using the PayPal iOS app.  It included an out of band one time password and was from a device that PayPal recognized.  Almost immediately, I got an e-mail confirming the transaction.  About an hour later, I received an SMS message from PayPal asking me to confirm that I had initiated the transaction.    When the charge hits my little four branch community bank, I will receive another e-mail and another SMS from them.  Incidentally, I also got a "thank you" e-mail from the family member.

If I had used a new device to initiate my transaction, the web instead of the app, or changed my e-mail, cell number, or bank accounts, PayPal would have confirmed those activities.  For changes to my e-mail or cell number in my PayPal profile, PayPal would confirm those changes to the other address and for the address changed to both the new and the old addresses.   So will, for example, American Express, Fidelity, BoA, and Chase.

How much of this is by design, I do not know.  What I do know is that, if my transaction was not properly authorized, PayPal, my bank, and I would have ample opportunity to learn about it on a timely basis.  

Having two or more addresses for our customers, two ways to get a message to a device carried in one's hand, pocket, or purse, makes this control more effective than ever.  The cheap and fast communication provided by the modern public networks makes them so efficient that it could be considered negligent, even reckless, not to use them.  

What continues to concern me is that when I go to fraud conferences, I may be the only one to talk about "out of band confirmations," perhaps the single most powerful fraud detection mechanism that we have.  

Please put this tool in your kit.  Promote it every chance you get.  Ensure that it is included in all your applications.  Confirm all transactions and new or changed user profile data.  Confirm to every address that you have.  Confirm address changes, postal, e-mail, phone numbers, and device identities, to both the old and the new address.

Monday, September 9, 2019

Apple Titanium Card

I have been waiting for the delivery of my Titanium Card to be delivered to write this evaluation.  Read it in the context of my last post.  

The card is delivered via FedEx in a large envelope.  There is a return address but it does not say "Apple."  This resists theft of the card in transit.

Inside the FedEx envelope is a tamper evident 4.5" x 6.25" x 0.25" corrugated cardboard package containing the card.  This protects against tampering with or skimming the card in transit.  

While a signature is not required for delivery, one gets a notification of delivery.  This may narrow the window of opportunity for theft from the doorstep.  

Only after receipt does one see the button in the Wallet App to "activate" the card.  This resists any use of the card prior to receipt by the legitimate owner.  

While the owner's name is on the face of the card, the card number, expiration date, and the CVV are not.  While the number is on the magnetic strip, unlike with all other cards, it is different from the number that one would use at an e-commerce site.  Thus, the only way that one might monetize knowledge of the number would be to use it to counterfeit a card.  

Note that any fraudulent use of the number on the stripe will show up immediately on the owner's iPhone so that the transaction can be reported as fraudulent and the number can be reported as compromised.  Skimming the number and counterfeiting a card for one or two uses is a high hurdle.  

The value on the magnetic stripe, provided for backwards compatibility, on a card which will be used sparingly, is a limited vulnerability.  From a security perspective, consumers should prefer Apple Pay (using iPhone of Apple Watch), EMV, manual entry of the number (from the iPhone Wallet App), and swiping the magnetic stripe in that order.  While the magnetic stripe is more convenient than manual entry, many users may never have to use either.  As point of sale devices are modernized, the requirement for any alternative to contactless or "chip" will decline.  

Finally, in the app, one can disable and enable the card.  Thus one can carry the card while mitigating the risk of fraudulent use should it be lost or stolen.  Since I expect the use of the Titanium card to be sparse, mine remains disabled by default.  Others may choose to leave it enabled by default, disabling it only should it be lost or stolen.

The vulnerability of the number on the magnetic stripe is not limited to the Titanium card; so far it is not possible to get any other credit card without this vulnerability.  On the other hand, the Titanium card does not have the vulnerability of having the primary account number, the expiration date, and the CVV on the face.  Therefore, if one is going to carry a credit of debit card with a number in the clear on the magnetic stripe, the Titanium card is the clear favorite.  

(Incidentally, I convinced myself.  I got the Titanium card, intending to put it in the drawer and never carry it.)