A spring cleaning for security

The state of the security union

This month marks two years of "In Security." Over the past year, some of my more popular columns have dealt with data aggregation and theft, the limits of risk management, getting along with human resources and how to spot and handle rogue security staff, encroachments on personal privacy, and the humor we find in the nonsensical things we hear from security consultants and the consulted. Sometimes it's the laugh of recognition; sometimes it's the laugh right before everyone looks away nervously and changes the subject. In either case, it's worth taking a look back before considering what's next.

Get smarter

Progress happens -- though sometimes in slow motion. In response to last week's column about phishing within organizations, Rex Warren, a colleague and partner at Leviathan Security, described a related experience showing that people in big organizations sometimes forget that they, too, need to prove their identity. He received a call recently that went something like this:

Caller: "You owe money, I'll take your account number."

Rex: "How do I know you're not a criminal?"

Caller: "I'm not a criminal."

Rex: "A good criminal wouldn't acknowledge being a criminal. In fact a dumb one wouldn't either."

Caller: "I know your 'secret' authentication information."

Rex: "That proves it's me, not you. How do I know you didn't steal that information?"

Caller: "I'm not a criminal."

Rex: "We've been over that."

How would you make that system work, exactly? Think less tech and more do-unto-others. While I'm generally impressed with my own credit union's variable, risk-based identification and authentication processes -- this past year they started asking more authentication questions for transfers than for lower-risk balance inquiries, for example -- it would be nice to receive a periodic mailing with a list of authenticators or secret questions I could ask them. This would be useful in the unusual case where they contact me about errors, suspected fraud or other problems. The technology is available; maybe we'll see more implementation next year.
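To show how the mailed-list idea combines with risk-based tiers, here is an added illustration (my own constructed example, not anything the credit union runs): the institution must first answer from a list of one-time authenticators the customer holds before the customer answers any questions, and the number of questions depends on the operation's risk. The lists, secret questions, and tier counts are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: both parties hold a copy of the mailed one-time
# authenticator list; the institution also stores hashed secret-question answers.
MAILED_LIST = {"A1": "tulip-granite", "A2": "harbor-lantern", "A3": "quartz-meadow"}
SECRET_QA = {"first pet": "Rover", "street you grew up on": "Elm", "first car": "Civic"}
RISK_TIERS = {"balance inquiry": 1, "transfer": 3}  # questions required per operation


def _h(text: str) -> str:
    # Normalize answers so "rover" and "Rover" compare equal, then hash.
    return hashlib.sha256(text.strip().lower().encode()).hexdigest()


class Institution:
    def __init__(self):
        self._mailed = dict(MAILED_LIST)
        self._answers = {q: _h(a) for q, a in SECRET_QA.items()}

    def prove_self(self, label):
        # Customer names an unused entry; the institution reveals it and retires it.
        return self._mailed.pop(label, None)

    def verify_customer(self, operation, answers):
        needed = list(self._answers)[:RISK_TIERS[operation]]
        return all(q in answers and hmac.compare_digest(_h(answers[q]), self._answers[q])
                   for q in needed)


class Customer:
    def __init__(self):
        self._mailed = dict(MAILED_LIST)

    def check_institution(self, label, value):
        # Each label is accepted once, so a recorded answer cannot be replayed later.
        expected = self._mailed.pop(label, None)
        return expected is not None and value is not None and hmac.compare_digest(expected, value)


def mutual_auth(operation, customer, institution, label, answers):
    # Step 1: the caller proves it is the institution before any secret is disclosed.
    if not customer.check_institution(label, institution.prove_self(label)):
        return "caller unverified; no secrets disclosed"
    # Step 2: the customer answers as many questions as the operation's risk requires.
    if institution.verify_customer(operation, answers):
        return "authenticated"
    return "customer unverified"
```

An impostor who has stolen the secret answers but not the mailed list fails at step 1, which is exactly the objection Rex raised on the phone.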

Continuing the thinking-trumps-technology theme, more and more enlightened managers and educators realized over the past year that filtering software pushed by the likes of SurfControl and Websense doesn't work. It's not because the technology can't pick out words or URLs, but because employees and children intent on pursuing blocked content usually can find a way to retrieve it.

For example, Google arguably performs the foremost and broadest research into filtering. Yet the flexibility provided by search and proxy tools to bypass other filtering systems easily surpasses the sophistication of its own "SafeSearch" technology. Technology doesn't fix social and behavioral problems, and filtering is eventually destined to go the way of prohibition, dance-hall bans, and the V-Chip.

Social education taking the place of mindless tools in both the workplace and schools? That's a positive development. Just as the Ron Popeil "set-it-and-forget-it" approach doesn't provide gourmet meals, the path to professionalism at work and critical thinking in school is best served by clear rules, trust and reasonable monitoring -- not roadblocks. The recent Virginia state foray into meaningful Net education still smacks of '50s educational films on the dangers of social diseases and fast driving, but helping the kids think is a giant step in the right direction.


Same security problems, different day

Pity the trend toward intelligence isn't sweeping the entire security sphere. The problem with tracking stupid information-security tricks is that they're legion -- and boringly repetitive. From recent news on background checks that rely on hocus-pocus truth meters to on-the-ground realities of client security software that can't even function properly, we keep revisiting essentially the same ground.

It's no news that anti-virus software vendors can't keep their reactive tools effective against the onslaught of new threats, and that the effectiveness of preventive tools suffers because under-informed users will connect to any available networks and click "Allow" whenever they can.

The good news on the desktop, however, is that Microsoft may put a lot of security snake-oil vendors out of business by doing what Apple did a few years ago: performing a ground-up rewrite of the flagship operating system in a far more secure manner, and boxing the old, sickly, insecure stuff in a virtual machine.

There might be a temptation to follow the lead of the "Wine Is Not an Emulator" (WINE) project on Linux -- re-implementing the Windows API in a way that performs well yet simply doesn't support most virus and Trojan vectors -- but with Microsoft's historical drive for features over security, it's doubtful they could pull it off. On the other hand, it's a safe bet that Redmond egos will prevent any attempt to duplicate WINE. If they can't overcome the usual features bias, skipping the effort altogether would be wisest.

Some entities, however, still don't get it -- the Recording Industry Association of America (RIAA), for instance. The RIAA continues to try to prop up a dying business model and backfill the lost security control from failed Digital Rights Management technologies in the courts, serving blanket "John Doe" subpoenas to universities and suing unemployed single parents and the homeless. Even if some of the cases have merit -- surely some of those people actually were sharing music files without permission of the copyright owners -- the legal maneuvering only hardens whatever public sympathy is left for those in the non-creative areas of the music industry.

Many have long held that the RIAA's legal tactics regarding intellectual property settlement demands were thoroughly immoral, if not illegal. Recent legal protests and reasonable-sounding countersuits assert that the RIAA may be violating the federal Racketeer Influenced and Corrupt Organizations (RICO) Act by crossing the line into extortion and fraud.

Given enough subpoena attempts, the RIAA is bound to encounter someone like Kurt Denke of Blue Jeans Cable. Denke recently received a cease-and-desist letter from Monster Cable -- known for sending out such messages rather promiscuously and settling with the panicked recipients -- and responded with a 3,275-word salvo as only a former lawyer can: "Not only am I unintimidated by litigation; I sometimes rather miss it." While Monster Cable is no RIAA, its freewheeling intimidation using the court system appears to be backfiring in glorious fashion. Maybe next year the RIAA will pick on a Kurt instead of a Jammie Thomas.


Good, bad and uglier

Looking forward, we're likely to see good news in the form of more corporate standardization on protocols rather than on particular products. In tandem, OS X and Linux are making good inroads into home and business markets. Together these have two notable security effects. First, the more heterogeneous a given computing environment, the less likely it is that a single platform-specific security flaw will propagate and completely cripple an organization. Second, the less focus is given to platform-specific development shortcuts, the more likely it is that decent coding practices and transaction validation will reduce the attack surface of networked applications for all involved. IBM's recent foray into heterogeneous work environments was reported as a Mac-centric news item, but it's the protocol and standards focus that makes a difference in security.

Of course, the bad news is that there's more bad news. Not only are the attacks coming faster, but they're increasingly targeted (note the recent rise in spearphishing) and effective. In the coming year we will likely see the twisted love child of yesteryear's CoolWebSearch (a difficult-to-remove piece of spyware that became legend when new variants started appearing every day). Based on recent research at Carnegie Mellon, we can expect automated and even-faster production of such security exploits based on automated analysis of just-issued security patches. With an increasingly well-run business model behind spyware and spam, there's tremendous financial motivation for those who would, and probably will, make it happen.

The truly ugly stuff this year, however, is likely to appear in the political arena (as if it hasn't already). As the US stares down another election season with the same shoddy voting technology that threw past contests into turmoil, we find more misuse of security technology for domestic spying on citizens. Privacy's under attack, too, and we'll see more officials who want information privacy rights abrogated laying a snow job on Congress.

However, if the maxim holds that "it's not who votes that counts, it's who counts the votes," then the first order of business is to ensure there's some confidence in the system before trying to correct the course of security and privacy laws. It's good that some sense is being injected into the process as states decertify machines that can't be shown to count reliably. What would be nice to see, however, is an even clearer return in political technology to the basic security principle of integrity, not just confidentiality and access control. To that end, my wish for the rest of this year is to see a state or federal statute that quite simply says "It shall be illegal to tally votes by hidden means." That would be real progress.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a major non-governmental organization, and continues to have his advice ignored by CEOs, auditors and sysadmins alike.