Archive for April, 2008
All passwords are weak
Tuesday, April 22nd, 2008
Far too much time is spent worrying whether passwords are strong or not. The main weakness of a password, though, is not the string that defines it, but the human being who remembers it. In short, all passwords are weak, and it has nothing to do with string length, complexity, or password change rules.
Recently I got an email from someone I am close to which included his new password. It was not accidental or coerced – he simply mentioned it in his email (which went to about 5 or 6 people, myself included), as part of a funny anecdote. Now this person is not stupid. He is a practicing lawyer who works for the state government and has argued several times in front of his state supreme court. As a security professional I felt it my duty to inform him of the necessity of protecting passwords, but I know that it did no good. He reacted nonchalantly and simply did not seem to care. (It is also clear that he is not alone).
IT folks have a tendency to blame the employee who gave out (or wrote down) their password, but the truth is the fault cannot ultimately lie with them. Competent clerks, secretaries, lawyers, doctors, and others who were born a generation prior to the explosion of the internet cannot be expected to be experts in IT security, or even to understand anything about IT. The fault belongs to the people who architected the system and placed everyday users in the frontline position against attackers. I hate to harp on a single topic, but security systems must be transparent to be effective. The frontline defense against attacks should not be the users – it should be the trained security professionals. Making the least qualified people the first line of defense against attackers will always be a losing position.
crime does pay
Thursday, April 17th, 2008
Why am I only finding out about this now (also reported by Wired)?
Oleksandr Dorozhko hacked a system containing information on IMS Health that would negatively affect their stock price. (Or, possibly, someone else hacked the system and gave him the information.) He invested in puts and netted himself about $300,000 in one day. The SEC noticed and tried to block it, but the court has ruled that a hacker is not an insider, and therefore insider trading does not apply. Mr. Dorozhko gets to keep every cent of his admittedly ill-gotten gains.
Does the web matter
Sunday, April 13th, 2008
I remember back in “the good old days” people would laugh at web defacements. It might be a way for a hacker to prove themselves or gain their fifteen minutes of fame on 2600, but it was not a gateway to sensitive or important information. The web was, after all, nothing more than an advertisement – a billboard on the information superhighway. Organizations had important information on computers, but none of it was on web servers. Web page defacements were akin to graffiti, not corporate espionage.
Fast forward to today, and it’s remarkable how everything has changed. The web has begun supplanting the other 65535 ports on the internet. Although e-commerce was the first thing to change the web from a static billboard into a channel for sensitive data, it is web applications that have done the most to change it recently. Now everything occurs over the web – companies use SOAP to transmit sensitive information between them, and back-end databases frequently hold incredibly important data. Even services which were originally designed to function over other protocols, such as remote administration, email, and file transfer, have now begun to migrate to the web. The bottom line is that the web matters. There are still the electronic graffiti artists who want nothing more than their 15 minutes of fame on zone-h.org, but serious hackers are eyeing the web too.
I remember some time ago I got into a long discussion with someone at work that at its essence revolved around the question of whether or not the web mattered. I essentially argued my old position, more out of habit than anything else, while he argued that the web was of paramount importance (although admittedly he had ulterior motives for taking that position). I was ultimately proven right only because the case we were dealing with turned out to be nothing more than a simple electronic graffiti artist. Despite being right in that single instance, I am being forced to change my overall position.
In terms of practical application, it means people can no longer blithely allow traffic in to their web servers on ports 80 and 443. Traffic must be examined, either by an intermediate network device or by the web server itself, to ensure safety. Web applications need to be coded securely, and web servers should in general not be trusted. (Don’t run the process as root, perform system calls in a sandbox, etc.)
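As an added example (not code from the post), here is a minimal C sketch of the “don’t run the process as root” advice: the daemon binds its listening socket while still privileged, then irreversibly drops to an unprivileged uid/gid before handling a single request, so a compromised handler does not run as root. The fallback uid/gid 65534 (“nobody”) is an assumption, and port 0 is used so the example also runs unprivileged.

```c
#define _GNU_SOURCE                /* declares setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on 127.0.0.1:port. Binding 80/443 is the only step
 * that needs root; port 0 (ephemeral) lets the example run unprivileged. */
int bind_listen(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Irreversibly drop privileges: supplementary groups and gid first (they
 * need root), uid last, then verify that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must fail with EPERM */
    return 0;
}

/* As root, fall back to uid/gid 65534 ("nobody", an assumption); otherwise
 * lock the current unprivileged ids in place. */
int drop_to_unprivileged(void) {
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getegid() == 0 ? (gid_t)65534 : getgid();
    return drop_privileges(uid, gid);
}

int main(void) {
    int fd = bind_listen(0);           /* in production: 80 or 443, as root */
    if (fd < 0 || drop_to_unprivileged() != 0) { perror("setup"); return 1; }
    close(fd);
    return 0;
}
```

The order is the whole point: anything that needs root (binding the privileged port, opening log files) happens before the drop, and after it the process can no longer call setuid(0).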
Schadenfreude goes to whole new levels
Wednesday, April 9th, 2008
I know that many people have done many bad things on the internet, just as many people have done many bad things off of the internet, but this still surprises me.
Internet griefers descended on an epilepsy support message board last weekend and used JavaScript code and flashing computer animation to trigger migraine headaches and seizures in some users.
The attackers turned to a more effective tactic on Sunday, injecting JavaScript into some posts that redirected users’ browsers to a page with a more complex image designed to trigger seizures in both photosensitive and pattern-sensitive epileptics.
Although I had never heard of a griefer before, I find this activity remarkable in its crude indifference to other human beings. Even stealing money from people’s bank accounts makes more sense – at least there human greed can be used as a motive. In this instance, there is no possible benefit to the attacker from causing physical harm to anonymous epilepsy sufferers, and there can be no motive other than the most malicious and reprehensible form of Schadenfreude.
security and transparency
Sunday, April 6th, 2008
People frequently wonder what makes a good security system. One of the frequently overlooked aspects is transparency. Simply put, the more transparent a system is, the less it will be noticed by the users. The reason for this is simple – users are frequently the most vulnerable link in the security chain. Worse than that, if users perceive a security control to be an inconvenience, they will actively work to circumvent it.
I’ll take a simple example from my own life. The corporate laptop I use came with antivirus software installed. The software kept flagging a password cracking tool I was trying to use as a virus. (As a security analyst, a password cracking tool is a legitimate part of my job.) I tried to write an exception into the AV software, but I didn’t have the appropriate permissions. Eventually I had no choice but to simply disable the antivirus software entirely. There are thousands of similar stories – employees propping doors open because there is no way to re-enter through a back door, sending sensitive information in the clear when a secure method of transmission can’t be located quickly, setting up rogue wireless access points, or a programmer writing a script which contains all of his or her login information to various internal systems. The bottom line is that security which is invisible is far less likely to be circumvented by frustrated users.
Social Engineering is not for engineers
Wednesday, April 2nd, 2008
I’m a little behind on my reading, so I only just got to the January issue of the ISSA journal. In it was one of the best articles I’ve read on social engineering. The problem with most articles (or at least the ones I read) is that they approach social engineering from a technical perspective. However, far from what the name implies, social engineering is not in any way related to any of the engineering disciplines. SE is nothing more than a fancy name for a scam that happens to involve a computer. Rather than treat the SE threat as a technological threat, we should be treating it the same way we treat all scams – as a purely human threat and not a technological one. We should be turning to psychologists for help in tackling the problem, not networking experts.
In this article Dan Timko reports on research done by Robert Cialdini on the psychology of influence. Cialdini enumerates 6 basic methods people use to influence others. They are:
- Reciprocation
- Commitment and Consistency
- Social Proof
- Authority
- Liking
- Scarcity
I’m not going to go in depth into each of these, but if you’re interested, here is a good summary of each. Suffice it to say that these methods are by no means limited to marketers – scam artists (sorry, “social engineers”) use all 6 without even necessarily knowing it.
The solution to scams of all sorts, just like the threat, should be based on social science and human behavior, not technical countermeasures (although they do certainly have their place). While Dan recognizes and says this, he does not stay true to those principles, concluding only that the best defense against social engineering is a strong security policy, user education, and the rest of the things ISSA members have been preaching for ages. If you ask me, the solution (if there really is one) to social engineering will not come from someone with a CISSP, CISM, or CISA, but from someone with a PhD in psychology. The quicker we realize that, the quicker we can come to a real solution.