Thursday, March 7, 2024

Prefer eSIMs

The SIM (Subscriber Identity Module) is a finger nail sized integrated circuit (IC) that fits into a slot on your wireless phone.  It stores a number called the International Mobile Subscriber Identity (IMSI) and its related key.  

The IMSI is what associates your mobile phone with your telephone number and your mobile service provider.  It is "provisioned" by your service provider when you open your account and place it in your phone.  If you get a new phone all you need to do is move the SIM to the new phone in order for your number to ring on the new phone. Your number travels with the SIM.

Your phone also has a unique identifier, the International Mobile Equipment Identity, or IMEI.  When you make a call, the system sees both the SIM and the IMEI.

Your service provider also has an account number for you that they use to record all the information about your plan, your charges, payments, and balance or credits due.  This number is unique and binds you and your carrier.  It remains the same across phones, phone numbers, and SIMs.  

Many of us use our phones as evidence of our identity in systems of strong authentication (at least two kinds of evidence, at least one of which is resistant to replay).  This takes two forms.  We may have a "soft token" (e.g., Google Authenticator, Microsoft OKTA, Symantec VIP Access) on our phone. This is an app that generates a one time password every minute.  The app is synchronized with a server in the Internet.  Another app, for example for your bank account or other business application, may prompt for the OTP at logon time.  It will submit the number you supply to the server to ensure that you have the soft token.  Possession of the phone, "something you have" and can use, as one form of evidence in a system of strong authentication.

Alternatively, you may register your phone number with an application provider.  At logon time, the provider may send a OTP message (SMS) to your phone which you can copy and paste into a prompt at logon time.  Only someone receiving the text, that is can receive text at that phone number, can successfully logon to the application.  This is marginally more convenient than the soft token; it is also marginally less secure.  It depends upon the application provider having the right phone number associated with your account, and your wireless service provider having your phone number associated with your phone.  

Herein lies the limitation of this measure.  If an attacker can dupe your wireless service provider into re-assigning your number to his device, then he can receive the OTP message.  Because this attack usually involves the wireless service provider also giving the attacker a new SIM, this attack is known as "SIM swapping."  A similar attack involves duping the application provider into  changing the wireless phone number associated with your account to that of the attacker.  Both of these attacks require duping support personnel.  (See also "port-out" attacks.)

Note that support personnel are trained and motivated to be supportive.  If they think that they are talking to you, they will do whatever they are asked.  Of course, they are also trained and motivated to be sure its you but there are lots of them and their training may be spotty.

This is where the eSIM comes in.  Instead of storing the IMSI on an IC, in late model phones it can be stored in a High Security Module (HSM) on the phone.  Instead of being provisioned by support personnel at your wireless provider, it is provisioned by you either by running an app on your phone or scanning a QR code.  

The app comes from a network service provider (e.g., AT&T, Verizon, T-Mobile) or a contractor (e.g., Consumer Cellular, AARP, Mint Mobile, Nomad) with those that do.  It is to be hoped that you are a little more concerned with your identity than any of these service providers.  These contractor service providers, that do not operate their own networks, may compete on the basis of price, coverage, data plan, or a combination of these.  While some may provide a SIM card for old phones, for late model phones they use eSIMs.

In any event, if your phone suddenly stops working, you may be the victim of a SIM swap.  Contact your service provider immediately.  Do not hesitate.

Monday, February 12, 2024

Surveillance, Legal and Otherwise

 A New Jersey Court recently held that a "communication data warrant" was insufficient to compel Facebook to hand over a user's posts.  Rather, under New Jersey's Wiretap and Electronic Surveillance Control Act, they would require a "wiretap" order.  While both orders are "warrants" as required by the Fourth Amendment to the US Constitution, under NJ law the standards and permissions are different for the two orders.  Said another way, it is the intention of the New Jersey legislature that surveillance in (near) real-time is more intrusive than a mere search warrant and must be more limited.  The intent of the law is to resist abuse, not only by NJ investigators but also by the federal government.

While the US Code contains no such explicit distinction, both law and precedent require that warrants be explicit as to what methods may be employed and what evidence is sought.  A warrant is not a carte blanche, a license to do anything the officer wants.  In practice judges expect law enforcement to use the "least intrusive means" to investigate.  

Governments around the globe, and law enforcement in particular, employ surveillance to detect and investigate communications that they wish to discourage.  Some, like ours, recognize the potential for abuse and seek to resist it.  None absolutely eschew its use. In some authoritarian states it is routine, a means of exercising power and control over the populous.  

The most frequent justifications for surveillance are crime, specifically CSAM and terrorism.  The rules are often "collect everything, forget nothing, admit nothing."  Data collected for legitimate purposes constitutes a temptation, not to say an invitation, to other uses.  

While the US Constitution requires probable cause for both searches and seizures, in practice seizures are routine and warrants are required only for searches.  While under the Constitution the test is "reasonableness," in practice and precedent the threshold for requiring a warrant has become whether or not the subject has an "expectation of privacy;" reasonableness is no longer even considered.  

In the US the requirement for a warrant is routinely bypassed by purchasing "surveillance as a service" in the open market.  Investigators simply pay a small fee to so called data brokers.  This is much more efficient than creating a government database.  

In summary the protection against unreasonable search and seizure guaranteed in the Fourth Amendment to the US Constitution have been whittled away.  While there is little evidence that the current administration is engaged in massive surveillance, it happened under the GWB administration.  There is little left to protect us against abuse by future administrations.   

The Role of the Chief Information Security Officer (CISO)

There is a great deal of discussion of late about the liability of the Chief Information Security Officer for security breaches.  Seems to me that the biggest problem with CISO is a misunderstanding of the role.  CISOs are staff, not line.  They are not responsible for security, line managers are.  They are not responsible for preventing breaches, line managers are.

They are responsible for recommending the expression of enterprise risk tolerance and security policy but not for setting them; that is a governance decision to be made by the board of directors.  They are responsible for articulating strategy but not for adopting or implementing it.  They are responsible for coordinating implementation of strategy across functions and departments. They are responsible for recommending essential and efficient security measures but not for implementing them.  They are responsible for recommending standards, for measuring against them and reporting on them but not for complying with them.  They are responsible for measuring enterprise IT risk and for reporting on it to general management. 

The wise CISO negotiates his success before taking the job.  When his recommendations are not adopted, he documents the risk, asks the responsible line manager to sign the risk acceptance document, records the risk acceptance, and asks that the decision be revisited annually or when there is a change in responsible management.  

Monday, November 6, 2023

Artificial Intelligence

Artificial intelligence, AI, is a new user interface to the computer.  Large language models (LLMs) make the computer easier to use.  They permit us to describe the result that we want in natural language. improving productivity and enabling new applications.  AI will improve intellectual productivity as much as the internal combustion did for manual productivity.  In response to internal combustion, and more specifically the tractor,  we shortened the work week from 72 hours to 44 and invented vacations and retirement.  In the process, we killed off two generations of young men and still suffered 25% unemployment.  Said another way, increases in productivity are disruptive.  

The computer, with or without AI, is a tool.  Tools vary in quality, utility, usability, and use.  The user is responsible for the selection of the tool, the purpose to which it is put, and for all the properties of the result.  This is true whether the user is an individual or a group.  An enterprise must be responsible and accountable for everything that results from its application of this powerful technology. We call this security and we forget any part of it at our peril. We must not impute authority or autonomy to the tool; we must not anthropomorphize the tool.  "The craftsman does not blame his tools."  We must hold people accountable for how we use this powerful new tool.  

In the near term we should focus on embedded application specific implementations of AI.  We should follow the example of IBM, a pioneer in the field.  IBM trains the engine, think Watson, on application specific curated data; they build in governance and transparency from the ground up.

Public policy must soften the impact of the disruption.  This will include shortening the work week to spread the work and the leisure.  It should include a guaranteed minimum income to ease transition from old jobs and skills to new ones.  Finally, it should include changes in tax policy from labor to capital, people to robots, and production to consumption, to more securely and equitably finance the social safety net.  

Monday, July 10, 2023

Common System Design Flaws

I recently came upon It was written as a chapter of the Handbook of Information Security 2001.  I offer the link to any who would like to see the whole paper but recap the flaws and the recommendations for avoiding them here.

The flaws covered by name are:

• Complexity

• Incomplete Parameter Checking

• Incomplete Error Handling

• Ineffective Binding

• Inadequate Granularity of Controls

• Gratuitous Functionality

• Escape Mechanisms

• Excessive Privilege

• Failure to a Privileged State

• Unsafe Defaults

• Excessive Reliance on Application Controls

• Others

Examples and illustrations of these common flaws are discussed at length in the paper.  

The following recommendation should be considered when crafting and staging applications. By adhering to these recommendations the programmer and the application manager may avoid many of the errors outlined in this chapter.

• Enforce all restrictions upon which you rely. 

• Check and restrict all input parameters to the intended length and code type. 

• Prefer short and simple programs and program modules. 

• Prefer programs with only one entry point at the top or beginning and only one exit at the bottom or end. 

• Prefer reliance upon well-tested common routines for both parameter checking and error correction. Consider the use of routines supplied with the database client. Parameter checking and error correcting code is difficult to design, write, and test. It is best assigned to master programmers. 

• Fail applications to the safest possible state. Prefer failing multi-user applications to a halt or to logon rather than to a new instance of the application or the environment (e.g., operating system). 

• Limit applications to the least possible privileges. Prefer the privileges of the user. Otherwise, use a limited profile created and used only for the purpose. Never grant an application system-wide privileges. (Since the programmer cannot anticipate the environment in which the application may run 

and the system manager may not understand the risks, exceptions to this rule are extremely dangerous.)

• Bind applications end-to-end to resist control bypass. Prefer trusted single system environment. Otherwise use a trusted path (e.g., dedicated local connection, end-to-end encryption, or a carefully crafted combination of the two).  Include in an application user’s privileges only that functionality that is essential to their use of the application. Consider dividing the application into multiple objects requiring separate authorization so as to facilitate involving multiple users in sensitive duties.

• Controls should default to safe settings. Where the controls are complex or interact in subtle ways, provide scripts (“wizards”), or profiles.

• Prefer localized controls close to the data, e.g., prefer file system to application, database manager to file system.  Prefer authentication of users (or using processes) close to the user (e.g., on the mobile client.)

• Use cryptographic techniques (e.g.,digital signatures) to verify the integrity of the code and to resist bypass of the controls. 

• Prefer applications and other programs from known and trusted sources in tamper-evident packaging. 

Monday, May 15, 2023

Cyber Resilience

Mr. Basu's observations are at odds with mine.   If enterprise was more focused on prevention, than for example on insurance, we would not have the successful extortion industry that we see today.  

In the early days of IT we called the security measure of last resort, "backup and recovery."  It focused primarily on human error and disasters, limited to a data center or an enterprise.  As the technology matured and we became increasingly dependent on IT, we called it "business continuity."  It focused on running the business in the face of both natural and man-made risks.  

Today, when our entire infrastructure is dependent upon vulnerable, not to say fragile, interconnected systems of energy, communication, and finance, we call it "resilience."  It focuses on "Black Sky" events.  The risk is to "national security," not to say survival.  

While I grant Mr. Basu the importance of resilience, I suggest that the most efficient way to achieve it is by prevention, by dramatically improving the quality and robustness of our systems.  We need to increase their resistance to both natural events and malicious attacks by a decimal order of magnitude.  Fortunately for us, doing so, both individually and collectively, is efficient.   

We know what to do:

  • Strong Authentication
  • Least Privilege Access Control
  • Process-to-Process Isolation, logging, and authentication
  • Structured Network
  • Application Layer End-to-End Encryption
  • Privileged Access Management
  • Redundancy
  • Data, Application, System, Network, and Enterprise Persistence, Continuity, and Recovery
  • Law Enforcement
  • Other
We lack the vision, the intention, and the will.



Tuesday, April 4, 2023

Digital Credentials

The Organization for Economic Co-operation and Development (OECD) is seeking feedback on a recently published draft of guidelines for digital credentials.  The guidelines are intended to make digital credentials widely acceptable and accepted, even across national borders, for example a digital passport.

Let me start by noting that this is not a proposal for a single or national credential.  I have always feared such a credential because it could be used by an authoritarian regime to control, or even restrict, rights to, for example, work, travel, healthcare, education, or food, clothing, and shelter.  Rather, I have always preferred a pluralistic system with multiple issuing authorities, granting different, if limited, privileges and employing different criteria for the granting of the credential.  

In today's world, if one wants to recognize and authenticate a stranger, one might well use a drivers license, issued by the state in which the person resides and including an image, date of birth, and a name and address, and a credit card issued by a bank.  Two credentials issued by different authorities in the same name.  Similarly, one might use drivers license and a passport.  

For example, in my Apple digital wallet I have ten different credentials issued by ten different authorities.  Most are merely digital copies of physical credentials. All of these can be identified visually, though some relevant information may be hidden for reasons of security and privacy.  For example, on debit and credit cards, part of the Primary Account Number (PAN) may be hidden.  Most can be read digitally by means of NFC and/or QR tags.  

At the time of this writing, residents of three states can include their drivers license in their Apple Wallet.  Three more states issue their own electronic licenses.  Note that a policeman presented with an electronic license will be able to automatically verify it, check its currency, and check for any outstanding "wants or warrants," in real time.  

In a different "wallet app" I have nine digital images, front and back, of card credentials only one of which is also in my Apple Wallet.  These credentials can only be read visually but nothing is hidden.  

In a folder in DropBox I have digital images of twenty credential documents issued to me by various authorities beginning with my birth certificate, and including my social security card, my high school diploma, my college degree, my record of military service, and my passport.  While any one of these might be a forgery or fraudulently obtained, collectively they reliably document everything significant about my identity.  Of course, the only identifying information that all these documents share in common is my name.

These documents are recorded in the Portable Document Format, that is as PDFs.  A PDF file, I.S.O. Standard 32000, preserves text, fonts, format, vector graphics, raster images, color, and even discoloration, all properties of the original useful in authenticating the copy and resisting forgery,  Even the Internal Revenue Service (IRS) accepts PDFs as authentic.  

Which brings up the issue of a unique identifier.   A few of us enjoy a unique name, one that we share with no one else, but most of us share even our full name with others.  This is the problem which the Social Security Number solved.  Modern information technology does not need it to uniquely identify us but it remains useful as tie breaker when other identifiers result in a collision.  

What and how much information does it take to uniquely identify us.  First our name, place of birth, and date of birth, uniquely identifies us.  No one else born on your birthday in the same place as you were was given the same name as you.  Similarly, name and address are unique; no one else with your full name lives where you do.  While there were a few errors of assignment in the early days, the ten digits of the SSN are sufficient, not only to give one to each of  us but also to include a little information about where it was assigned.  Though collisions are possible, it is likely that there is no one else living in your postal code with the same birth date as you.  Similarly the last four digits of your SSN will distinguish you from all those others that might share your name.  

Now if you clicked on the link at the start of this post, you know the properties of electronic credentials that the OECD thinks are valuable.  I have a different list.  By definition they are for paperless credentials.  

One starts with wanting the credentials to be readable, first visually but also electronically.  Visually because that is how we have always reconciled credentials and electronically for convenience in exchange with those who wish to rely on or verify the credential.  Most mobile computers, i.e., phones, can read a QR tag.  A tag might contain the unique number of the credential, for example a license number or account number, or it might contain a link (URL) to a copy of the credential.  

One would want the credential to be portable across wallets or devices.  This might be by means of purpose built apps or by more general and flexible capabilities such as URLs, SMS or e-mail.  Many digital objects have a "share" button to make portability both convenient and flexible. One might want a copy on paper, a desktop or laptop, a digital wallet, "wearables" like watches or rings, or in the cloud.  Similarly one would like the credential to be authentic and easily verified.  Note that one accepting a digital credential may be interested in both its currency as well as authenticity; online realtime access to the issuers database will always be useful and in some applications necessary.  

We are very close.  Form, use, and acceptance are becoming routine.  I have paid for dinner with my American Express Card by clicking on a QR tag on the check.  I have also paid with the image of my card in the wallet on my iPhone, giving the iPhone to the waiter just as I would have given the physical card.  The image of the card was accepted without question or comment.  Similarly, I voted using the image of my drivers license, again accepted without question or comment.  I recently boarded a train using an electronic ticket.  The ticket included a QR tag to be read by the conductor's mobile.  It demonstrated that I had a reservation and had paid for a particular seat on a specific train.  While I might have printed out a paper copy, and some travelers were using one, the conductor checked all using the QR tag, paper or digital.  

The key to all of this is reliable, routine, convenient, and universal acceptance.  Note that in the example scenarios above, one might have been embarrassed if the digital credential had not been accepted.  We need maturity and standards, to include those that we already have like PDF, QR, NCF, and SMS, as well as such as those proposed by the OECD.

Finally, a word about privacy and security.  Trust and acceptance will rely at least in part upon those mechanisms that resist both forgery and misuse as well as those that resist application fraud.  

While the PDF standard preserves many of the properties that resisted forgery in the traditional credentials, they do not preserve them all.  For example, it does not preserve texture and materials such as we use to resist counterfeit currency.  On the other hand, digital implementations give us the ability to use cryptographic mechanisms such as hashes and digital signatures.  We already have experience using these mechanisms in such applications as code signing and digital currency.  While in the early applications, so far we have not seen instances of forgery, we know how to address them should the properties preserved by the PDF standard prove inadequate.  

We will resist misuse by controlling access to the credentials using secure digital wallets, strong authentication, and biometrics.  To misuse the copies of my American Express one must first possess the copies and meet any conditions for their use such as biometrics or PINs implemented in the device in which they are stored, e.g., mobile phone or cloud storage.  We can also lock the credential to the device so as to resist "screen scraping."  

Finally, trust in credentials, digital or otherwise, will depend in part upon the issuing authority, representations made by the authority, and the rigor with which the authority issues the credential.  Having already told you more about this subject than you likely wanted to know and more than I intended when I began to write, I will defer that discussion to a later post.