Wednesday, June 29, 2016

The Role of Risk Assessment in Digital Security

The very idea of Risk Assessment has always been controversial.  I have been engaged in the controversy for fifty years. My ideas on the subject are well considered if otherwise no better than anyone else's.  I record them here.

I attribute the application of this idea to what was then called Computer Security to my mentors, later colleagues, Robert H. Courtney, Jr. and Robert V. Jacobson.  They did it in an attempt to rationalize decision making, more specifically the allocation of scarce security resources, to the then nascent field.  They did it in response to their observation that many, not to say most, security decisions were being made based upon the intuition of the decision maker and their belief, and a tenet of this blog, that security is a space in which intuition does not serve us well.  They wanted to bring a little reason to the process.

They could not possibly have known that in a mere fifty years the resources applied to this effort would grow to the tens to hundreds of billions of dollars, or that the safety and liberty of the individual, the health of public and private enterprise, the efficiency and resilience of our economy, and the security of nations would turn on how effectively and efficiently we used those resources.

So, at its core, risk assessment is a decision making tool.  It is a tool that we use to answer the question "where to spend the next dollar of our limited resources?"  Courtney's Second Law says one should "Never spend more mitigating a risk than tolerating it will cost you."  We will, and do, make this decision, with or without tools.  We make it intuitively or we make it rationally, but we do make it.

At its most elaborate, risk assessment is a very expensive tool requiring significant knowledge, skill, ability, and experience to use, more than most of us enjoy.  It should be used only for expensive decisions, decisions that are expensive to reverse if we get them wrong.  At its simplest, it protects us from making decisions based solely upon the threat, attack, vulnerability, or consequence du jour.  It protects us from intuition, from fear.

All that said, few of us are confronting expensive or difficult decisions, decisions requiring sophisticated decision making tools, risk assessment or otherwise.  We have yet to implement all those measures that we know to be so effective and efficient as to require no further justification.  They are what Peter Tippett calls essential practices.  Anyone can do them with available resources; each is about 0.8 effective, but they work synergistically to achieve an arbitrary level of security.  They fall in that category that we call "no brainers."  All we need is the will.
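As an added illustration (not code from the original post), the following Python puts Courtney's Second Law and Tippett's synergy claim into a small decision helper. It assumes, as a constructed framing, that the cost of tolerating a risk is its annualized loss expectancy (loss per event times events per year), that a control's effectiveness is the fraction of that loss it removes, and that independent controls combine multiplicatively; the sample figures are constructed.

```python
"""Added example (not from the post): a decision helper built on
Courtney's Second Law and Tippett's 0.8-effective essential practices.
Assumptions (constructed, not from the post): tolerating a risk costs its
annualized loss expectancy (loss per event x events per year); a control's
effectiveness is the fraction of that loss it removes; independent
controls combine as 1 - prod(1 - e_i)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    effectiveness: float  # fraction of the risk removed, 0..1


def annual_loss(loss_per_event: float, events_per_year: float) -> float:
    """What tolerating the risk costs per year (annualized loss expectancy)."""
    return loss_per_event * events_per_year


def justified(control: Control, ale: float) -> bool:
    """Courtney's Second Law: never spend more mitigating a risk than
    tolerating it will cost. The control pays only while its cost stays
    below the annual loss it removes."""
    return control.annual_cost <= control.effectiveness * ale


def combined_effectiveness(controls: list[Control]) -> float:
    """Tippett's synergy: each independent control leaves (1 - e) of the
    risk, so layering n of them leaves prod(1 - e_i)."""
    residual = 1.0
    for c in controls:
        residual *= 1.0 - c.effectiveness
    return 1.0 - residual


def layers_needed(target: float, effectiveness: float = 0.8) -> int:
    """How many independent practices of the given effectiveness reach a
    target level, e.g. 0.999, the 'arbitrary level' the post describes."""
    if not (0.0 < effectiveness < 1.0 and target < 1.0):
        raise ValueError("target unreachable with this effectiveness")
    n, residual = 0, 1.0
    while 1.0 - residual < target:
        residual *= 1.0 - effectiveness
        n += 1
    return n


if __name__ == "__main__":
    ale = annual_loss(50_000, 0.5)  # constructed: a $50k event every two years
    mfa = Control("strong authentication", 4_000, 0.8)
    vault = Control("custom hardware vault", 60_000, 0.9)
    print(justified(mfa, ale), justified(vault, ale))  # True False
    print(layers_needed(0.999))  # 5
```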

Monday, April 25, 2016

Compromise of Credit Card Numbers

Recently FireEye published an intelligence report stating that a previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million on the "cybercrime" black market.

To a first approximation, all credit card numbers more than a few months old are public. The market price has dropped to pennies. We are all equally targets of opportunity. That any one of us has not been a victim of fraud is mere chance. They have so many that they simply cannot get to us all.

The brands are at fault for marketing a broken system, one that relies upon the secrecy of credit card numbers but which passes them around and stores them in the clear. Their business model is at risk. They have technology, EMV, tokenization, and checkout proxies, but the first is too slow for many applications and they are not promoting the other two to merchants or consumers.

Issuers take much of the fraud risk. They are attempting, with some short run success, to push this to the merchants.  However, with merchants and consumers, they share in the risk of our broken system.

As the referenced report suggests, bricks and mortar merchants, particularly "big box" retailers and hospitality, are finding that both issuers and consumers are blaming them for the disclosure of the numbers. Issuers are charging back fraudulent transactions and suing merchants for the expense of issuing new cards after a breach. Their systems are being penetrated and numbers exfiltrated wholesale. Point of sale devices are being compromised, or even replaced, to capture debit card numbers and PINs. These are used to produce counterfeit cards.  Some of these are used to purchase gift cards or get cash at ATMs. Merchant brands have been badly damaged by bad publicity surrounding breaches. While most of these merchants can resist compromise, there are more than enough to guarantee that some will fall. Merchants can reduce fraudulent transactions by preferring mobile and EMV cards, and by checking cards, signatures, and IDs, but all but the first slow the transaction and inconvenience the customer.

Online merchants are the target of all kinds of "card not present" scams and take the full cost of the fraud. While it will not stop the fraud, the online merchants can both protect themselves and speed up the transaction by not accepting credit cards and using only proxies like PayPal, Visa Checkout, Apple Pay, and Amazon.

While, at least by default, consumers are protected from financial loss from credit card fraud, the system relies heavily upon them to be embarrassed by it.  At least one court has agreed to hear evidence as to whether or not consumers as a class are otherwise damaged when their card numbers are leaked to the black market.

All this is by way of saying that as long as anyone accepts credit card numbers in the clear, we will be vulnerable to their fraudulent use. There are now alternatives and we need to promote them, not simply tolerate them. Think numberless, card-less, and contact-less.

Monday, February 29, 2016

Encryption and National Security versus Liberty

In the 1990s, in what might be called the first battle of the Crypto War, the government classified encryption as a munition and restricted its export.  While opposing export in general, the government was licensing the export of implementations that were restricted to a forty bit key.  Of course, 56 bit was then the norm and, at the time, expensive for the NSA to crack.  

IBM had just purchased Lotus Notes and wanted to export it.  In order to get a license, they negotiated an agreement under which they would encrypt 16 bits of the 56 bit message key under a public key provided by the government and attach it to the message or object.  This would mean that while the work factor for anyone else would be 56 bits, for the government it would be only 40 bits.

Viewed today, 40 bit encryption is trivial; twenty years ago it was strong enough that, while the government could read any message that it wanted to, it could not read every message that it wanted to.  Said another way, it would be able to do intelligence, or even investigation, but it still would not be able to engage in mass surveillance.  

Moreover, we believed that the NSA only collected traffic that crossed our borders, that it could not be used against citizens.  We believed that the government could keep their private key secure.  Of course, post "warrant-less surveillance," the routine breaches of government computers, including those of the NSA, and the exponential growth of computing power over a generation, this all seems very naive.

However, I like to think that it illustrates that it is possible to craft solutions that grant authorized access to the government, with a work factor measured in weeks to months per message, file, device or key, while presenting all others with a cost of attack measured in decades or even centuries.

It also illustrates the fundamental, application, and implementation-induced limitations of any such scheme, limitations that would have to be compensated for.  No such scheme will be fool-proof, nor need it be.  Like our other institutions and tools, it need only work well enough for each intended application and environment. 

Monday, February 22, 2016

US v. Apple

SUNDAY: Comey tries to downplay the dispute, arguing in his new statement that no precedent would be set if Apple would just go along.

"I hope folks will take a deep breath and stop saying the world is ending, but instead use that breath to talk to each other," he said.

"Although this case is about the innocents attacked in San Bernardino, it does highlight that we have awesome new technology that creates a serious tension between two values we all treasure — privacy and safety," he said, adding:

"We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly."

This sounds like capitulation to me. If this is now about the "victims," then the government made a serious misstep in attacking Apple in the first place. However, the government's current position does not support a charge of "government overreach."

The issue of how far the government may go in coercing the unwilling and the uninvolved to assist them in recovering evidence that they are otherwise entitled to is important and needs to be litigated. We should be glad that Apple is prepared to fight it. Perhaps not since Runnymede has the King had a more formidable adversary. However, this is not the right case to fight it on.

There is ample precedent for uninvolved citizens to voluntarily assist the government. It would not be precedent setting for Apple to voluntarily assist with this one mobile in this one case. Apple should "declare victory and go home." It should do here what it can do and fight the government overreach issue when the government is more certainly guilty of it.

Monday, November 23, 2015

  • Recently the media has reported that, as the result of a gross failure of security at the U.S. Office of Personnel Management, the service and security records of twenty-seven million Americans have been compromised, likely by a foreign power. The compromise of these records has broken faith with these brave Americans and put them at risk of everything from credit fraud to coercion, blackmail, and extortion. More recently the reports have noted that these records include the fingerprints of the subjects of the compromised records and have speculated wildly about the risks that result from that.

  • The real risk here is not that these fingerprint records can be used for impersonation but that they might be used for identification (for example of covert operatives, from latent prints). Impersonating someone from a picture of their fingerprints is similar to impersonating them from a photo of their face. Possession of such an image is useful but far from sufficient.

  • We use four kinds of evidence to authenticate a claim of identity: something only one person knows, e.g., a pass-phrase; is, e.g., visage, fingerprint; has, i.e., custody, e.g., unique keys, tokens; or can do, e.g., speech, signature dynamics. Since all of these have fundamental limitations, we use them in combination such that one compensates for the limitations of another. While it is somewhat counter-intuitive, biometrics are no less limited than the other three. Their fundamental limitation is that they can be copied and fraudulently re-used. We use them more for convenience than security. We use them in combination with other mechanisms in systems of strong authentication.

  • For example, while the ability to spoof Touch ID might be useful in gaining access to the content and capabilities of my mobile, it is far from sufficient. First one must have the phone. While there have been demonstrations of retrieving latent prints using gelatin and using them to fool biometric systems, that is an easier problem than trying to go from a paper record.

  • Such demonstrations, in and of themselves, do not represent a risk. I am confident that no one is using such an attack against my mobile because I have custody of it. Touch ID, much like the PIN for which it may substitute, is used to resist the fraudulent use of the lost or stolen mobile only for the short time until its loss is noticed and the phone disabled.

  • Note that an attacker only gets five chances to spoof Touch ID and ten to guess the PIN. Then my mobile erases itself.
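As an added example (not code from the original post, and not Apple's implementation), the following Python models the unlock policy the post describes: a biometric may stand in for the PIN, each factor has its own failure budget (the post's five biometric and ten PIN attempts), and the device erases itself when the PIN budget is exhausted. Biometric matching is abstracted to a boolean and the sample PIN is constructed.

```python
"""Added example (not from the post): the unlock policy the post describes,
where a biometric may substitute for the PIN but each factor has its own
failure budget (five biometric, ten PIN, the limits the post states) and the
device erases itself when the PIN budget is exhausted. Biometric matching is
abstracted to a boolean; the sample PIN is constructed."""
from __future__ import annotations
import hmac
from dataclasses import dataclass, field


@dataclass
class UnlockPolicy:
    pin: str
    max_bio_failures: int = 5
    max_pin_failures: int = 10
    bio_failures: int = 0
    pin_failures: int = 0
    bio_enabled: bool = True
    erased: bool = False
    events: list[str] = field(default_factory=list)

    def try_biometric(self, matched: bool) -> bool:
        """Five failures disable the biometric path; the PIN it substitutes
        for remains as the fallback."""
        if self.erased or not self.bio_enabled:
            return False
        if matched:
            self.bio_failures = 0
            return True
        self.bio_failures += 1
        if self.bio_failures >= self.max_bio_failures:
            self.bio_enabled = False
            self.events.append("biometric disabled; PIN required")
        return False

    def try_pin(self, candidate: str) -> bool:
        """The tenth wrong PIN wipes the device: custody of a lost or stolen
        phone buys only a small, bounded number of guesses."""
        if self.erased:
            return False
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.pin_failures = 0
            return True
        self.pin_failures += 1
        if self.pin_failures >= self.max_pin_failures:
            self.erased = True
            self.events.append("device erased")
        return False


def guesses_available(policy: UnlockPolicy) -> int:
    """Unlock attempts left to whoever holds the device right now."""
    if policy.erased:
        return 0
    bio = policy.max_bio_failures - policy.bio_failures if policy.bio_enabled else 0
    return bio + policy.max_pin_failures - policy.pin_failures
```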

On Resisting Payment Fraud

A recent report suggested that credit card numbers captured by malware installed on point of sale devices at hospitality sites, including twenty at Starwood Property Group hotels, are being used in fraudulent transactions.  The Verizon Data Breach Incident Report (DBIR) confirms that point of sale devices at hospitality sites frequently leak credit card numbers.

But there is no shortage of compromised credit card numbers; their street price is approaching a dime a dozen. It is too late to address fraud by keeping credit card numbers secret. We need a new strategy, similar to those being promoted by American Express and described by Ken Chenault at President Obama's Conference at Stanford University.

Chenault told the conference that by confirming every card transaction to the customer's mobile, they are able to detect fraudulent transactions within sixty seconds. This is just one example of how we can use the mobile to resist fraud.

American Express also confirms transactions by e-mail. In order not to overwhelm the mailbox, the customer can set thresholds. One switch is the "card not present" switch. If, as expected, mobile transactions and EMV cards drive fraud to CNP, then the ability to detect fraud early, for example before goods are shipped, will be key to resisting fraud.

We need a strategy that relies not on secrecy but on feedback. The default should be that the subject of a record be notified of any change or query to that record, that the owner of every account be notified of every transaction. The digital networks not only make this possible but cheap enough to be efficient.

Needless to say, the lobby of the credit reporting industry that is empowered by law to charge the consumer for telling him about the content of and activity to his record will resist this strategy. Legislation will be required to change this, but it is essential to resisting application fraud.

On the other hand, American Express and its competitors are embracing it. Even bankers are embracing it. My little three branch community bank uses SMS to notify me intra-day of all large (as defined by me) transactions to my account.

Eventually competition and efficiency will force most enterprises to adopt these tactics. You can make it strategic rather than merely tactical.
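As an added example (not code from the original post, and not American Express's system), the following Python sketches the feedback strategy the post describes: every transaction is confirmed to the customer's mobile, e-mail is throttled by customer-set thresholds including a "card not present" switch, and a card-not-present order is held until the customer answers so a dispute arrives before goods ship. Field names, the hold window and the sample transactions are constructed.

```python
"""Added example (not from the post): a transaction-feedback filter of the
kind the post describes. Every transaction is confirmed to the mobile; e-mail
is throttled by customer thresholds, one of them the post's 'card not
present' switch; a CNP order waits for the customer's answer so a dispute
lands before goods are shipped. Field names, the hold window and the
sample transactions are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    merchant: str
    amount: float
    card_present: bool


@dataclass(frozen=True)
class Thresholds:
    email_min_amount: float       # e-mail only at or above this amount
    email_all_cnp: bool = True    # the "card not present" switch
    hold_cnp_seconds: int = 60    # constructed: how long a CNP order waits


def channels(tx: Transaction, t: Thresholds) -> set[str]:
    """Every transaction goes to the mobile; e-mail only when the amount
    threshold or the CNP switch says so, so the mailbox is not overwhelmed."""
    out = {"mobile"}
    if tx.amount >= t.email_min_amount or (t.email_all_cnp and not tx.card_present):
        out.add("email")
    return out


def disposition(tx: Transaction, t: Thresholds, reply: Optional[str], waited: int) -> str:
    """reply is 'ok', 'dispute' or None (no answer yet).
    Card-present: goods are already in hand, so a dispute can only be charged back.
    Card-not-present: fulfilment waits for the customer or for the hold window."""
    if reply == "dispute":
        return "chargeback" if tx.card_present else "cancel_before_shipping"
    if tx.card_present or reply == "ok" or waited >= t.hold_cnp_seconds:
        return "complete"
    return "hold"


SAMPLE = [  # constructed transactions
    Transaction("coffee kiosk", 4.50, True),
    Transaction("web store", 12.00, False),
    Transaction("hotel", 1250.00, True),
]
```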

Monday, November 16, 2015

Lessons From the J P Morgan Chase Breach

A recent report suggested that the J P Morgan Chase breach teaches us the importance of encryption.

We know that information was recovered in the clear. What we do not know is whether encryption would have been effective in protecting it or even whether it was used but was not effective.

What we do know is that the credentials of authorized users were compromised and used to access the data. Authorization to the data includes the ability to see it in clear text even though it might be stored in encrypted form.

Encryption is not magic. It is a tool. Government propaganda to the contrary notwithstanding, it is no more perfect security for the bank than it is for the criminal.

Encryption is used to restrict access to data at rest, for example on file servers, from those who do not have credentials to access the server. It is used to protect data in transit, for example user credentials, as they cross networks. Properly used, it is very powerful. It is not effective against those with the credentials, the authorization, whether legitimate or otherwise, to access the data.

Are there many banks that are storing information in the clear that should be encrypted? Yes. Was JPMorganChase one of these? We do not know; that information has not been disclosed. Should all banks take to heart the lesson that they should be using encryption to protect data at rest? Yes. Does that lesson flow from the "breach" of JPMorganChase? No, but it does flow from the "attacks."

What we do know is that of the thousands of applications and servers at JPMorganChase, fewer than a hundred were compromised and none of those were using strong authentication. So, the first lesson that I want banks to take from the JPMorganChase breach is to use strong authentication, particularly for privileged users of applications, databases, and servers. Without this, encryption is not likely to be effective.

Strong authentication is policy at JPMorganChase and appears to have been effective where used.