Archive for May, 2008
Thursday, May 29th, 2008
A few other people have been all over this already, but TJ Maxx, victim of a rather large electronic break-in a few years ago, has recently fired an employee for revealing many of its lax security policies. The issues he raised were not small ones either:
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers.
My store manager even posted the password and username on a post-it note.
Lest anyone think this employee started off on the wrong foot, he did try to tell management first, but to no avail. It was only afterwards that he mentioned these things in public. Whether he should have done this is clearly a matter that could be the subject of much debate. The issue I feel more strongly about is the way TJ Maxx responded.
Firing this employee is, in my opinion, the worst form of security-through-obscurity. Rather than realizing that lax policies lead to security problems, they think that it is the revelation of lax policies that leads to security problems. A simple root cause analysis should reveal that the policies, not their revelation, are the source of the security weaknesses, and it’s time for TJ Maxx to wake up.
Tags: pci, security through obscurity, TJ Maxx Posted in news | Comments Off
Tuesday, May 20th, 2008
I went to a medical school graduation last night, and the keynote speaker gave a speech wherein he pointed to three things that were changing the way medicine is practiced. The first was the sequencing of the human genome, the second was the IT revolution, and the third was the fact that medicine is now being treated as a market commodity. While all are interesting, it was his comments on the first factor (the human genome) that bear some commonality with information security. For millennia medicine has been a reactive science. Someone gets sick, so doctors try to find a cure. Although the human genome is clearly not the only thing to bring about a change in the way medicine is practiced, it was pointed to as a major landmark in the shift of medicine from reactive to proactive. Doctors can now know ahead of time if someone is at high risk for certain conditions, and begin treatment before a patient actually exhibits symptoms. (I know this is an oversimplification, but it’s the principle that matters.)
Information security has been struggling with a similar transformation for several years now. Everyone seems to realize that reactive information security is not the way to go in the long run, yet not many people can figure out how to get away from it. We’re still stuck in our test-patch-repeat mindset. Maybe we need something similar – something like the sequencing of the human genome – to shake things up.
Tags: proactive security Posted in Information Security and Risk Management | Comments Off
Tuesday, May 13th, 2008
For those of us who like to be able to represent everything graphically, this is what a botnet looks like. Researcher David Vorel mapped interconnected, bot-infected IP addresses and created this geometric representation. If you’re at all interested, it’s a very good way to understand the command and control structure of a botnet.
Tags: bots, graphs Posted in general | Comments Off
Sunday, May 11th, 2008
Has anyone ever stopped to ask themselves why they set password lockout thresholds to 3 or 5? (The so-called “industry standard”.) There are plenty of people who accidentally lock themselves out in 3 or 5 tries and end up having to call the helpdesk (or equivalent) for a password reset. If the limits were raised to 10 or 20, it would probably greatly reduce those calls.
Generally, passwords are much easier to obtain through human factors than through brute force attacks. No additional security is gained by lowering the lockout threshold from 20 to 3: 20 attempts is still nowhere near enough for a brute force attack, and any password that can be guessed in 20 attempts can just as easily be guessed in 3.
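To make the trade-off concrete, here is an added example (not code from the original post) of a simple account lockout policy with a consecutive-failure counter and a timed lock, alongside the probability that a fixed number of online guesses hits a uniformly random password. The class and function names, the 30-minute lock duration and the 10^8 keyspace are assumptions chosen for illustration.

```python
"""Account lockout with a failure counter, and brute-force odds per threshold.

Added example; names, the 30-minute lock duration and the sample keyspace
are assumptions, not values from the original post.
"""


class LockoutPolicy:
    """Lock an account for `lockout_seconds` once `threshold` consecutive
    failures are recorded; a successful login resets the counter."""

    def __init__(self, threshold: int, lockout_seconds: int = 1800):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds  # assumed 30 minutes
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def record_attempt(self, user: str, success: bool, now: float) -> bool:
        """Return True if the attempt was evaluated, False if the account was
        locked and the attempt was refused without checking credentials."""
        if self.is_locked(user, now):
            return False
        if success:
            self._failures.pop(user, None)
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)  # counter restarts after the lock expires
        return True


def guess_success_probability(attempts: int, keyspace: int) -> float:
    """Chance that `attempts` distinct online guesses hit one uniformly random
    password drawn from `keyspace` possibilities."""
    if keyspace < 1 or attempts < 0:
        raise ValueError("keyspace must be positive and attempts non-negative")
    return min(attempts, keyspace) / keyspace


def typos_then_correct(policy: LockoutPolicy, user: str, typos: int, start: float = 0.0) -> bool:
    """Model a legitimate user mistyping `typos` times, one second apart, then
    entering the right password. Returns True if the user ended up locked out."""
    for i in range(typos):
        policy.record_attempt(user, False, start + i)
    policy.record_attempt(user, True, start + typos)
    return policy.is_locked(user, start + typos)


if __name__ == "__main__":
    keyspace = 10**8  # assumed: roughly an 8-character lowercase-plus-digits space
    for threshold in (3, 5, 10, 20):
        locked = typos_then_correct(LockoutPolicy(threshold), "alice", 3)
        odds = guess_success_probability(threshold, keyspace)
        print(f"threshold={threshold:2d}: user with 3 typos locked out={locked}, "
              f"guess odds before lock={odds:.1e}")
```

Running the block shows the point of the post: with a threshold of 3 a user who fumbles three times is locked out, with a threshold of 20 they are not, while the attacker's odds of guessing a random password before the lock move from 3 in 10^8 to 20 in 10^8, both negligible.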
Tags: brute force, passwords Posted in Access Control Systems & Methodology | 2 Comments »
Tuesday, May 6th, 2008
When dealing with any kind of security, whether physical or electronic, there are two kinds of attacks to worry about – those that pick their targets based on opportunity, and those that pick their targets based on intent. To borrow a common example, a target of opportunity is found by simply walking down the street trying the door handle on every car, looking for one that is unlocked, while a target of intent is a specific car the thief set out to steal. When it comes to the internet, many large entities (especially government organizations) are regular targets of intent. On the other hand, things like viruses and worms that scan indiscriminately for unpatched systems are perfect examples of attacks on targets of opportunity.
Most internet organizations currently consider both lines of attack when designing a security plan, although this may start to change if IPv6 ever becomes a full-fledged reality. (Whether or not IPv6 ever does gain wide acceptance is not a matter I care to speculate on.) Since IPv6 uses 128-bit addresses (IPv4 uses 32-bit addresses), there will be approximately 3.4×10^38 total IP addresses. Even small organizations could have IP spaces that dwarf the entire IPv4 address space. Scanning random IPv6 addresses looking for targets will likely become an exercise in futility. One way attackers will have to adapt in an all-IPv6 world is to spend much more time footprinting their targets – trying to find specific systems through publicly available information sources before attacking them. Parts of this process can clearly be automated by opportunists. For example, an attacker could use Google to find web servers at random and then check them for web-specific flaws. However, this will likely deter several common methods of finding targets of opportunity. The danger in this, of course, is that internet organizations will get lazy and assume that if they can simply hide something in the larger IP space it will never be found. As we all know, difficult does not mean impossible.
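The "exercise in futility" claim is easy to check with numbers, so here is an added example (not code from the original post) that computes the expected time for random probing to land on a live host in an IPv4 space versus IPv6 prefixes of various sizes. It also includes the caveat the last sentence hints at: when addresses within a /64 are assigned predictably (sequential low bits), the space an attacker must cover collapses, which is why defenders should not treat the address space as a hiding place. The probe rate, host counts and the "predictable low bits" figure are assumed values for illustration.

```python
"""Expected cost of random address scanning: IPv4 versus IPv6 prefixes.

Added example, not from the original post. Probe rate, host counts and the
width of the predictable-address case are assumptions for illustration.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600


def address_space(prefix_len: int, bits: int) -> int:
    """Number of addresses covered by a prefix of length `prefix_len` in a
    `bits`-wide address family (32 for IPv4, 128 for IPv6)."""
    if not 0 <= prefix_len <= bits:
        raise ValueError("prefix length must be between 0 and the address width")
    return 1 << (bits - prefix_len)


def expected_probes_to_first_hit(space: int, live_hosts: int) -> float:
    """Expected number of uniformly random probes (with replacement) until one
    lands on a live host: the space size divided by the number of live hosts."""
    if live_hosts < 1 or live_hosts > space:
        raise ValueError("live_hosts must be between 1 and the size of the space")
    return space / live_hosts


def years_to_first_hit(space: int, live_hosts: int, probes_per_second: float) -> float:
    """Convert the expected probe count into years at a given probe rate."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return expected_probes_to_first_hit(space, live_hosts) / probes_per_second / SECONDS_PER_YEAR


def scan_comparison(probes_per_second: float = 1_000_000) -> dict[str, float]:
    """Years to the first expected hit for several assumed scenarios."""
    cases = {
        # assumed: one in four IPv4 addresses answers
        "IPv4 whole space, 2^30 live hosts": (address_space(0, 32), 2**30),
        # assumed: a site /48 with 100,000 hosts spread across random addresses
        "IPv6 /48 site, 100000 random hosts": (address_space(48, 128), 100_000),
        # assumed: a single /64 with 1,000 hosts on random interface identifiers
        "IPv6 /64, 1000 random hosts": (address_space(64, 128), 1_000),
        # assumed caveat: the same 1,000 hosts numbered ::1, ::2, ... in the low 16 bits
        "IPv6 /64, 1000 hosts in predictable low 16 bits": (1 << 16, 1_000),
    }
    return {name: years_to_first_hit(space, hosts, probes_per_second)
            for name, (space, hosts) in cases.items()}


if __name__ == "__main__":
    for name, years in scan_comparison().items():
        print(f"{name}: {years:.3g} years")
```

With the assumed rate of one million probes per second, random probing of IPv4 finds a host almost immediately, a randomly populated /64 takes centuries, and a /48 far longer; but the predictable-numbering case drops back to a fraction of a second, so the IPv6 address space only buys obscurity when addresses are actually unpredictable.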
Tags: future, ipv6, security through obscurity Posted in Security Architecture and Design | Comments Off
Saturday, May 3rd, 2008
Several news outlets are reporting that TippingPoint researchers have cracked the “Kraken” botnet and have actually been able to commandeer at least a part of it. The researchers are now faced with an ethical dilemma – whether or not to use their control to automatically fix the infected computers. This is by no means the first time someone has had to make this decision, and it’s not the first time that they’ve reluctantly found themselves faced with almost this exact argument against doing so:
The most interesting of the points that Dave brought up is the corner case of what happens if we accidentally crash the target system? What if that target system is responsible for someone’s life support? Yes, the system is already infected with a SPAM-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it’s running and carrying out the rest of its functionality.
Now the life support issue is a bit sensationalist, but it can be treated simply as a way of demonstrating his argument – that making an unauthorized change to someone else’s machine, no matter how well intentioned, has its risks and therefore should not be done. I also have a hunch, which has been confirmed by quotes in Computerworld, that it is not so much the moral distaste for changing someone else’s machine as the legal liability that has scared off management. (As a parenthetical note, I would like to take a moment to lament the sad state we find ourselves in here in America, where the word legal has almost universally replaced the word ethical.)
While I don’t think that legal liability should trump all other concerns in matters such as this, it certainly plays a part. For that reason, automatically cleansing the machines may be impractical, since I’m sure TippingPoint wants to stay on the right side of the law. However, if I’ve learned anything about engineering ethics, it’s to always try to find a technical method of avoiding the ethical dilemma in the first place. In this case, how about using the control they have to simply direct all the infected computers to a webpage which explains (in the simplest terms possible) that the person is infected and how to clean their machine, and provides a link to the MS patch which would prevent reinfection? That should satisfy all parties.
Tags: bots, ethical, legal Posted in compliance, investigations, regulations, and legal, news | Comments Off