
August 28, 2008

BGP Security, a fragile foundation?

So yet again we have a round of press concern about the security of the Internet infrastructure. This time the concern is BGP.


And yet again the press is asking why nobody knew about it, etc., etc. And yet again the answer is that this problem was known and work has been underway to fix it for a very long time. I discuss the problem of fixing BGP security in my book The dotCrime Manifesto. I have been in meetings discussing BGP security at the IETF and elsewhere over the past four years.


As with the DNS security issue, there is a real vulnerability that we need to fix, but the significance of the vulnerability is much less than is being made out. The criminals have also known about the vulnerability and have found it less profitable than other techniques.


The biggest risk from a network layer attack is that the perpetrator would redirect traffic going to a bank site or an online store to their own site. This particular risk was addressed in 1995 when SSL was introduced. We knew then that the DNS and the BGP layers might be compromised, and SSL was designed to remain secure even if an attacker had complete control over those layers: the client authenticates the server by its certificate, which binds the name the user asked for to a public key, rather than by the address or route the packets happened to take. Public key cryptography is a very powerful tool; we do not have to secure the lower network layers in order to achieve security at the application level, provided the client actually checks the certificate chain and the name and the user does not click through a warning.
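To make the argument above concrete, here is an added model (my illustration, not code from the original post). A client reaches a server through name resolution and routing that the attacker controls, and accepts the peer only if it presents a certificate issued by the client's CA for the name the user typed and proves possession of the certified private key. Textbook RSA with small keys stands in for real TLS cryptography and is insecure; the CA, the names www.bank.example and evil.example, the addresses, and the dictionaries standing in for DNS and the routing table are all constructed for the example.

```python
"""Model of why end-to-end authentication survives a DNS/BGP hijack.
Added illustration, not code from the original post. Textbook RSA with 512-bit
keys and no padding keeps it dependency-free; it is NOT secure, and every CA,
name, address and key below is constructed."""
import hashlib
import random
import secrets

def is_probable_prime(n, rounds=24):
    # Miller-Rabin; adequate for a model, not for production key generation.
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=512):
    """Return ((n, e), (n, d)); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e, half = 65537, bits // 2
    def prime():
        while True:
            c = random.getrandbits(half) | (1 << (half - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data)

def tbs(subject, pub):
    """What the CA signs: a DNS name bound to a public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, tbs(subject, pub))}

def name_matches(intended, presented):
    """Exact match, or one left-most wildcard label (*.bank.example)."""
    i, p = intended.lower().split("."), presented.lower().split(".")
    return i == p or (p[0] == "*" and len(i) == len(p) and i[1:] == p[1:])

def tls_connect(intended_host, resolve, hosts, ca_pub):
    """True iff the client accepts whoever the lower layers delivered it to.
    resolve and hosts stand in for DNS and routing, which the attacker may control;
    hosts maps an address to the (cert, private key) of whatever answers there."""
    cert, peer_priv = hosts[resolve[intended_host]]
    nonce = secrets.token_bytes(32)
    proof = sign(peer_priv, nonce)  # the server signs the client's fresh nonce
    return (verify(ca_pub, tbs(cert["subject"], cert["pub"]), cert["sig"])  # CA-issued
            and name_matches(intended_host, cert["subject"])  # for the name the user typed
            and verify(cert["pub"], nonce, proof))  # by a holder of the certified key

def run_scenarios():
    ca_pub, ca_priv = gen_keypair()
    bank_pub, bank_priv = gen_keypair()
    evil_pub, evil_priv = gen_keypair()
    host = "www.bank.example"
    bank_cert = issue_cert(ca_priv, host, bank_pub)
    evil_cert = issue_cert(ca_priv, "evil.example", evil_pub)  # attacker's own, validly issued
    forged = {"subject": host, "pub": evil_pub, "sig": sign(evil_priv, tbs(host, evil_pub))}
    honest = {host: "192.0.2.10"}
    hijacked = {host: "198.51.100.7"}  # DNS or BGP now delivers the bank's traffic to the attacker
    return {
        "honest path": tls_connect(host, honest, {"192.0.2.10": (bank_cert, bank_priv)}, ca_pub),
        "hijack, attacker's own cert": tls_connect(host, hijacked, {"198.51.100.7": (evil_cert, evil_priv)}, ca_pub),
        "hijack, forged cert": tls_connect(host, hijacked, {"198.51.100.7": (forged, evil_priv)}, ca_pub),
        "hijack, replayed genuine cert": tls_connect(host, hijacked, {"198.51.100.7": (bank_cert, evil_priv)}, ca_pub),
    }
```

Only the honest path is accepted. The three hijack cases fail for three different reasons, and all three checks are needed: a validly issued certificate for the attacker's own name fails the name check, a certificate the attacker signed himself fails the chain check, and the bank's genuine certificate replayed by the attacker fails the proof-of-possession check. None of the checks consult the address the client was sent to, which is why a compromise of DNS or BGP alone does not get the attacker in.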


There is a residual risk from a network layer attack: while banks and online stores are usually protected by SSL, many popular sites are not. If an attacker redirects one of those sites they could drop malware such as a keystroke logger onto incorrectly configured machines attempting to visit the site.


What is to be done? Well, in the first place, people must take care to only accept requests to install software on a machine if the code is signed by a trustworthy provider. And if you are running Windows, upgrade to Vista and take advantage of the six years of extra effort Microsoft have put into security design since XP. The Vista code base is much more robust than XP in my experience: I have run it for over a year now and the only issues I have had have been caused by faulty hardware.

August 26, 2008

How security configurations go bad

With the best of intentions I set up a demonstrator for a development project on my Windows Home Server (WHS). After a small amount of difficulty, which turned out to be due to the version of .NET running on WHS being behind the version I used for development, everything was running.


For a while.


After the system works fine at home, I try to demonstrate the system at a conference a few weeks later and the site no longer works. When I get back home I discover that the event log is indicating that the IIS installation does not have the correct access permissions to the directory any more.


Or rather, the event log contains a series of cryptic and peculiar messages from which I am led to deduce that the application failed because it did not have the right access permissions. Granting full access to every authenticated user makes the problem go away.


According to the principle of least privilege this is of course very bad. I should fine tune the system so that only the minimum level of access necessary is granted. But this is simply impossible with the tools provided. The error log does not tell me the user account that made the failed access attempt, nor do I know which file it attempted to access. I am left to guess.


The first time around I did the job right and worked out exactly which process I had to give the access to. Since then the WHS has installed a patch that has performed some sort of reset on the security configuration of the server and it no longer works. And so the only way to make sure that the system works in future is to use the big hammer and grant full access to everyone.


As it happens the security exposure in this case is small: only three people have accounts on the machine. But the same sort of thing happens repeatedly with other security configurations. Thus Hallam-Baker's first law of security configuration:


Making the system work will always take priority over making it work securely.


Too many systems are designed to make it possible to configure the system securely rather than making it easy to configure the system securely. For some reason operating system designers are particularly incapable of designing systems that provide the operator with the information they need to do their job.

August 25, 2008

Nick Szabo on Coase's theorem

Nick Szabo is usually worth reading, and his take on Coase's theorem is quite entertaining (H/t Michael Froomkin).


Given good will and a reasonable set of circumstances the economists might be right and the world might indeed fit into their nice neat little theories. According to this world view it does not matter whether the railroad has the duty to suppress sparks its engines might emit or whether the farmer is responsible for ensuring that he does not plant crops too close to the track: with frictionless capitalism and goodwill the parties will come to the most economically efficient outcome through good faith negotiations. Thus every situation can be reduced to contract law.


Yes, I simplify the argument, but not half so much, methinks, as the economists simplify the world in their attempt to make it fit their theories.


Then along comes Nick Szabo, who points out that the railroad may not be a good faith actor. Far from it: the railroad might deliberately create the sparks, or why not go further and deliberately torch the farmer's field with a flamethrower? Contrariwise, the farmer might sabotage the tracks and derail the train.


Once it is admitted that the actors may act in extreme bad faith the comfortable little academic theory starts flying apart.


Didn't something rather similar happen to the Internet?

August 21, 2008

The CyberSecurity Connection

Thirty years ago, James Burke made a highly acclaimed television series on the impact of technology on our lives and the factors that brought that technology into being. Watching Connections at 12 made me realize that engineering was more than just a job, it was a career that could have an impact on society that was more direct and longer lasting than politics.


Rewatching the opening of Connections is disconcerting for many reasons. What passed for high technology in 1978 looks distinctly anachronistic to modern eyes. And one of the vignettes in the opening sequence shows a passenger on an airplane extinguishing a cigarette as a normal preparation for landing. Nobody is carrying an iPod of course, but there are no Sony Walkmans either; those did not appear until 1979.


Technology has moved on apace since, but Burke's central theme in his opening episode is the extent to which we have become dependent on modern technology. If we were dependent in 1978, how much more dependent are we today?


In the rest of the program Burke demonstrates that we have been dependent on technology for survival for the past 5000 years or so. But that does not change the fact that many of the systems we depend on today are considerably more fragile than 30 years ago. Burke uses an elevator to illustrate the complex technology behind an apparently simple press of a button. As Burke rises to the 110th floor we see levers, pulleys and relays springing into action. Given time and a small number of simple tools, I could fix that system if it broke down. Today the control system would be integrated circuits that must be replaced rather than repaired.


But the most disconcerting aspect of the program is that Burke uses New York City to illustrate his point, and in 1978 the obvious place to view New York City was the top of the World Trade Center.


Not only do we have a critical reliance on a fragile infrastructure, we have people whose objective is to attack it.

August 19, 2008

Passwords, solved!

John Quiggin on crooked timber:


"#72 I just use my son's names as passwords for ease of memorization. But for security we call him r!t45Lpg Hbn6@34 8Hrtöes and we change his name every 60 days."

August 18, 2008

Massive botnet recruitment ahead of Georgia crisis

Several blogs are alight with speculation about the recruitment of bots ahead of the South Ossetia crisis. According to some of these stories there was a massive recruitment of bots on 4/5 August, ahead of the Georgian action on the 7th and the Russian response on the 8th.


While it is highly likely that we will increasingly see cyber-attacks used in conjunction with conventional attacks as a force multiplier I have a very hard time believing that any military would ever want to engage the Internet criminal underground ahead of a military strike. Even more so if doing so might reveal the fact that the party had advance knowledge of an attack by the other side.


So is this just coincidence? Possibly, but another possibility is that both events have a common cause. The Olympics began on the 8th of August and it is quite possible that the Georgian action was timed to occur just before and create a fait accompli ahead of the traditional Olympic Truce.


Recruitment of large botnets ahead of major sporting events is hardly unexpected. Bookmakers stand to make huge sums taking bets on the Olympics, but only if their site is up to take the bets before the event. DDoS attacks before a major event are a regular occurrence.

August 12, 2008

A clash of cultures

Readers of this blog are probably aware that lawyers for the MBTA recently obtained an injunction to prevent two MIT students presenting a security analysis of the MBTA 'Charlie Card' payment scheme at Black Hat.


The security community will do what it usually does in this situation: we rally to protect our own when they are under attack. That's why we are called a community: One for all and all for one.


But the case really illustrates a clash of civilizations and different views on how to achieve security. The term 'hacker' comes from MIT and the MIT hacker culture has more than a century of tradition behind it. When I first arrived at MIT as a research scientist there was a police car parked on the top of the MIT dome by student hackers. I don't think the MBTA does that sort of thing on a regular basis.


But there is a big difference between the MIT hacker culture and the subsequent hacker-vandal culture that misappropriated the name. According to the reports, the students did the responsible thing and explained the flaws they had discovered to the MBTA. If the thanks responsible researchers receive is a lawsuit, advance warning is going to quickly become extinct.


But lawyers are not trained to consider such issues; their training is to consider only the narrow interests of the client, and frequently only in the case at hand.


Whatever the legal merits, bringing a lawsuit against MIT to suppress research performed by MIT students is poor public relations.


Update: Submitting the information you are attempting to suppress to the court without asking it to be sealed is likely to be counterproductive.

August 6, 2008

The first global brand

[Photo: guiness.jpg]


Guinness is more than just a drink, it is a brand. More precisely it is the first modern global brand. Arthur Guinness was selling his Foreign Stout to remote corners of the British Empire long before Madison Avenue got started. And he did it so successfully that Guinness and stout became synonymous, the first category killer.


So when the 72nd IETF was held in Dublin, the Guinness St James's Gate Brewery was the obvious place to hold the social event (courtesy of Alcatel-Lucent). I took the above picture using my iPhone 3G on the way over.


The power of brands is undisputed. Think 'Guinness' and you immediately think 'Ireland', and in many cases the other way round. It's not the beer, it's the brand.


So why don't we start to use the power of the brand to enable usable security? When a customer visits their bank branch the bank's brand is on every ATM, every leaflet, every poster, every card they issue, and it's on a huge sign on the front of the building. The brand is what the consumer trusts, not the bank.


The criminals know this and they use the fact to hijack the bank brand. This is one of the reasons many mail clients and webmail services do not display images from untrusted sources. But shouldn't we be leveraging the power of the brand in SSL, S/MIME and DKIM to establish a positive security indicator that is not just trusted but trustworthy?

August 4, 2008

MIT invents cheap energy storage?

When I saw the claim that a new, cheap means of energy storage had been found, my first response was 'says who'.

Then I discover that the claim comes from MIT, which makes something of a difference. Claims of this sort tend to fall short of reality. When the claim comes from the MIT press office it is rather more credible than when it comes from Fred Bloggs working out of his garden shed.

While I was at Oxford the 'discovery' of cold fusion was the daily topic of conversation in the Nuclear Physics Lab coffee room for months as news came in from the nearby Rutherford lab's attempts to duplicate the result.

The first computer security related angle to the story is: provenance matters, especially on the Internet where anyone can join the conversation.

But the second angle is that energy management is one of the trickiest problems in data center design. In the case of a mission critical data center, energy security is part of the total security consideration. As a well known security expert put it to me, the electricity grid is the ultimate 'just in time' system. There is very little storage in the system and what little there is tends to be far from the places where it is used.