Baa Baa Blacksheep
By Mike Rothman
Action and reaction. They have been the way of the world since olden times, and it looks like they will continue ad infinitum. Certainly they are the way of information security practice. We all make our living from the action/reaction cycle, so I guess I shouldn’t bitch too much. But it’s just wrong, though we seem powerless to stop it.
Two weeks ago at Toorcon, Firesheep was introduced, making crystal clear what happens to unencrypted sessions to popular social networking sites such as Facebook and Twitter: anyone on the same open network can sniff the session cookie and take over the account with a click. We covered it a bit in last week’s Incite, and highlighted Rich’s TidBITS article and George Ou’s great analysis of which sites were exposed by Firesheep. Action.
Then today the folks at Zscaler introduced a tool called Blacksheep, a Firefox plug-in that detects Firesheep being used on the network you’ve connected to. It lets you know when someone is running Firesheep, which could presumably make you think twice about connecting to social networking sites from that public network, right? Reaction.
Folks, this little cycle represents everything that is wrong with information security and many things wrong with the world in general. The clear and obvious step forward is to look at the root cause – not some ridiculous CYA response from Facebook about how one-time passwords and anti-spam are good security protections – but instead the industry spat up yet another band-aid. I’m not sure how we even walk anymore, we are so wrapped head to toe in band-aids. It’s like a bad 1930s horror film, and we all get to play the mummy. But this is real. Very real.
I don’t have an issue with Zscaler because they are just playing the game. It’s a game we created. New attack vector (or in this case, stark realization of an attack vector that’s been around for years) triggers a bonanza of announcements, spin, and shiny objects from vendors trying to get some PR.
Here’s the reality. Our entire business is about chasing our own tails. We can’t get the funding or the support to make the necessary changes. But that’s just half of the issue – a lot of our stuff is increasingly moving to services hosted outside our direct control. The folks building these services couldn’t give less of a rat’s ass about fixing our issues. And users continue about their ‘business’, blissfully unaware that their information is compromised again and again and again. Our banks continue to deal with 1-2% ‘shrinkage’, mostly by pushing the costs onto merchants. Wash, rinse, and repeat.
Yes, I’m a bit frustrated, which happens sometimes. The fix isn’t difficult. We’ve been talking about it for years. Key websites that access private information should fully encrypt all sessions (not just authentication) and mark the session cookie Secure so the browser never sends it over plain HTTP in the first place. Google went all SSL for Gmail a while ago, and their world didn’t end and their profits didn’t take a hit either. Remote users should be running their traffic through a VPN. It’s not hard. Although perhaps it is, because few companies actually do it right.
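To make the “encrypt the whole session” point concrete, here is an added example (my own illustration, not code from the original post, from Zscaler or from Firesheep) that audits a site’s response headers for the exact exposure Firesheep exploits: a session cookie issued without the Secure attribute, which the browser will then happily send over plain HTTP. The two header sets are constructed samples, not captured from Facebook, Twitter or any real site, and the list of session cookie names is an assumption for the sake of the check.

```python
"""Audit whether a response's session cookie is exposed to a passive
sniffer on an open network (the Firesheep scenario).

Added example, not part of the original post. It checks the two things
the fix comes down to: the session cookie carries the Secure attribute
(so it only ever travels over TLS) and the site sends HSTS (so the
browser refuses plain HTTP for the host). Header samples are constructed.
"""
from http.cookies import SimpleCookie

# Constructed sample: the common broken pattern. Login happens over HTTPS,
# but the session cookie is set without Secure, so every later plain-HTTP
# request (images, the home page, a link in an email) carries it in the
# clear and anyone on the same Wi-Fi can copy and replay it.
LEAKY_RESPONSE = {
    "Set-Cookie": [
        "sessionid=9f3a7c2e1b; Path=/; HttpOnly",
        "lang=en; Path=/",
    ],
}

# Constructed sample: the hardened form. Secure keeps the session cookie
# off plain HTTP entirely; HSTS pins the whole host to HTTPS so a sniffer
# never sees an authenticated request at all.
HARDENED_RESPONSE = {
    "Set-Cookie": [
        "sessionid=9f3a7c2e1b; Path=/; Secure; HttpOnly",
        "lang=en; Path=/",
    ],
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Assumed names that identify a session cookie; extend for the app under test.
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "auth_token"}


def parse_set_cookies(headers):
    """Return (name, value, attrs) for every cookie in the Set-Cookie headers.

    attrs holds only the attributes actually present; the Secure and
    HttpOnly flags appear as True when set.
    """
    out = []
    for raw in headers.get("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            attrs = {k: v for k, v in morsel.items() if v}
            out.append((name, morsel.value, attrs))
    return out


def sniffable_sessions(headers):
    """Session cookies a passive eavesdropper on plain HTTP could capture."""
    return sorted(
        name
        for name, _, attrs in parse_set_cookies(headers)
        if name.lower() in SESSION_NAMES and not attrs.get("secure")
    )


def has_hsts(headers):
    """True if the response carries Strict-Transport-Security with max-age > 0."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit() and int(val) > 0:
            return True
    return False


def audit(headers):
    """Summarise the Firesheep exposure of one response.

    'exposed' is driven by the cookie check: a Secure cookie alone stops the
    passive sniffer. HSTS is reported separately because without it a user
    who types the bare hostname still starts on HTTP and an active attacker
    can keep them there.
    """
    leaked = sniffable_sessions(headers)
    return {
        "sniffable_session_cookies": leaked,
        "hsts": has_hsts(headers),
        "exposed": bool(leaked),
    }


if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(hdrs))
```

Run it against headers captured from your own site’s post-login response; if `sniffable_session_cookies` is non-empty, that is the cookie Firesheep would hand to anyone on the coffee-shop network, whatever the login page itself did.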
But again, I should stop bitching. This ongoing stupidity keeps me (and probably most of you) employed.
Andre has it half right. The other half is that “free Wi-Fi” doesn’t mean the internet doesn’t cost anything. It’s going to take a billion dollars worth of servers and circuit costs and a million sysadmin and developer hours to convert all those websites to SSL/TLS.
It’s easy to say “just design security in from the start”. Nobody, but nobody knows how to create software that is free of security defects. There are lots of techniques to do better than “code first, design later”, but none of them are perfect and measurement of quality itself is hard. And nobody, but nobody knows any principled way to put a monetary value on the security of any information other than the value of the deposits in a bank account.
This is not some game where people made a few stupid choices. Security is a truly difficult problem. And if you don’t understand this, I pity the people who are foolish enough to hire you as a consultant.
Netscape invented and provided implementations for SSL and secure cookies 14 years ago, “to prevent eavesdropping, tampering, or message forgery”.
You know that every architect and every sysadmin at every one of those organizations that are targeted by Firesheep have been hounding their management to provide SSL/TLS and secure cookies for all session management since the apps were initially architected, designed, and implemented—every step of the way.
You know that everyone “in the know” who was a user of those apps hounded their sysadmin, neteng, and security friends at those orgs to implement SSL/TLS with secure cookies for the session management.
You know that the managers, who had their bonuses tied to ROA, said no during the decision-making. You know that the C-levels, who had their bonuses tied to ROE and customer feedback, should have listened—but they did not because they wanted to see their managers happy and “if it’s not broke, don’t fix it”.
This is the exact reality for all security. Regulations don’t even change this—they just get managers and C-levels to spend more of their time trying to skate the regs.
By Andre Gironda
If you want to blog about every technology “advance” which more or less ignored security, you would have time for little else.
Put another way, name one technology advance which had excellent built in security.
By Bill Frank
Firesheep is not the attack; it’s the messenger.
Keep bitching Mike! It makes for good reading and also reminds me I’m not the only one who’s stuck in a world of stupidity. If nothing else, at least I’m not alone.
By Tim Wagner