Research

Even in my drug-addled state last week it was hard to miss the cold boot encryption attack released by Ed Felten and the Princeton Center for Information Technology Policy. This is some seriously impressive work with major implications, but despite all the articles I’ve seen there has been little information on how to evaluate and mitigate your personal or organizational risk. That’s where I come in. I’m not going to assume you know a lot about file and media encryption, so we’ll start with en explanation of how, and why, the attack works. Then we’ll evaluate the risk and discuss mitigation strategies. I’ll close with some suggestions for vendors to close out this vulnerability. And yes, this works on a Mac with FileVault. What is the cold boot attack and how does it work? All encryption systems need access to a key to encrypt and decrypt data. It doesn’t matter what you’re encrypting- a hard drive, file, database, or whatever, you need a key. When encrypting and decrypting data, because of how computer systems are designed, the key always passes through memory at some point. For smaller content this is a transient process and the key is only in memory for a short time (assuming the software is designed properly), but when you need constant access to data the key is kept in memory. This is nearly ubiquitous for full-disk encryption or file encryption systems that leave files open for read/write operations. It’s not something we worried about, because when you turn a computer off the RAM (memory for the non geeks) loses power and anything stored is lost. Thus we would password protect our encrypted systems so that even if they wake up from sleep mode, an attacker would have to reboot the system unless they had the key, confident this process would erase the key from memory and keep the data secure. What the Princeton researchers demonstrated is that modern RAM doesn’t degrade immediately after power is removed. The contents of memory can persist from seconds to minutes, and that time extends when cold is applied to the memory. An easy way to do this is to just use a can of dust off spray. That’s the first part of the attack- keeping the contents in memory after the system is shut down. For the second part of the attack they use a special tool, which they haven’t made public, to recover memory contents from RAM. In the demo this tool is on a bootable USB drive, so merely rebooting the computer from this USB stick, ignoring the host operating system of the computer, allows them to scan memory and recover the encryption key. Additional work allowed them to recover a full key even if a few bits were lost as the memory degraded. To execute the attack, the attacker opens the computer, sprays the memory with an upside-down can of dust off to cool it, then reboots off the USB device with their software for key recovery on it, thus recovering the keys and gaining access to the data. If you use a boot password or something similar they perform the same attack, but remove the memory and place it into a different system for key recovery. Thanks to the cold spray you have more than enough time to pull this off. Evaluating the Risk There are no public tools for this attack but it’s only a matter of time. Your immediate risk is low, but don’t be surprised if tools appear reasonably soon. This is a serious vulnerability, with a probability of attack that only increases over time. In other words, don’t panic, but keep your eyes open. Once a public tool appears it’s time to be more concerned. The researchers outline how most current protection techniques only partially, if at all, mitigate this flaw. Since memory can be removed, BIOS locks and other restrictions are ineffective. You are only at risk when your computer is powered on or in sleep mode and you lose physical control of it. Powering off your system begins the memory degradation process and you are safe within a few minutes. Reducing Your Risk The most effective method is to power off your system completely (not sleep or hibernate mode) when it’s at risk of physical loss. This is inconvenient, but I’m going to start powering off when I’m in higher risk areas (like airport security) and can’t maintain physical control of the system. Which brings recommendation number 2- don’t let someone steal your computer. I personally maintain physical control over my system nearly all the time when it’s out of my home (and I have a pretty good security system there). At hotels is the greatest risk, and I do tend to power off when I’m out of the room. You sales guys should start getting into the habit of not using sleep mode when you leave your computer locked in a rental car. At least until the encryption and laptop vendors come up with alternative protections. For those of you with very sensitive information, combine file and folder encryption for sensitive files with your whole disk encryption. A few vendors offer this (feel free to brag in the comments guys). Just close those sensitive files or images before entering sleep mode, and make sure they are password protected and not linked to your normal login credentials. Also consider an encryption system that supports storing the keys on a smart card (not in memory). I don’t believe there are many practical options today, but expect to see them crop up thanks to this paper. Finally, ask your vendor their plans to manage this risk. Today it’s not a big deal, but we don’t know if it will be 2 weeks, 2 months, or two years before public tools appear (and it’s safe to assume some governments have this by now – or more accurately, it would be unsafe and foolish to assume any government does note have this capability by

Just a quick update to say all is well, if a bit painful. On Monday I had shoulder surgery to repair a moderate tear to my cartilage in the shoulder (the superior labrum, to be specific). Turns out the tear was a series of tears and I also managed to injure my rotator cuff. The 20 minute procedure took about an hour (still minor in the scheme of things) and my recovery will take a little longer than expected. The worst part is this week as I get past the initial pain, after that everything should be on track. I want to thank Chris Pepper (who starts a new job in a couple of days) and Dave Mortman for keeping an eye on the blog and contributing new content. Hopefully I’ll be able to convince Dave to keep contributing after I’m back full time. Dave is one of those rare individuals who can combine the practical and the theoretical in security, and has held the management positions to actually execute his theories. I’ll be taking it easy for another couple of days, but I’m past the hump and have a full schedule next week. Thanks for all the support, and we’ll be back to encryption, DAM, and all your favorite acronyms before you can say “Vicodin”. Share:

It’s Wednesday, and if my doctor’s predictions are correct I might be in front of the keyboard for an hour at a time today. Odds are I’m now in a recliner, watching bad TV, staring wistfully at my Guitar Hero Les Paul leaning against the entertainment center. You may think you’ve won Slash, but once my recovery is complete I’ll be more powerful than you can possibly imagine. And I’m not even on the meds yet. Yesterday Mike and I talked about his 2008 predictions around network security. Today we’ll talk about my favorite area, information-centric security, and educating consumers. This brings us to another step-child of the security world, Data Loss Prevention (DLP). You’re predicting a stall, although I’d argue it’s been stalled for years with only about $70M in revenue in 2007. What’s your unva ished opinion of DLP- do you think it provides value other than preventing those accidental emails? What if we include content discovery? You could probably make a case that the DLP business never even got started. The fact is it had the law of small numbers working in its favor. The entire market could grow at 80-100% when it was small. Now it’s a bit bigger and it’ll be a lot harder to show accelerating growth. Also combine that with the number of deals we saw last year and the fact that it does take time for small nimble start-ups to find their sea legs in the morass of a big security or storage player, and things look pretty dark for DLP in 2008. Your second question is a bit more interesting. I do believe that there is value in the promise of DLP. We need to start thinking about the data and how it’s used and where it goes. I just don’t think the current deployment models really reflect the answer to the customer problem. Sure, if you are worried about an account number or a SS# being sent out, the existing products work fine. But they don’t give you persistent control of your data assets, and I think that’s really the problem that customers need to address. Unfortunately this may be the biggest problem in all of IT. There are no simple answers to solve that one. DLP is one of the few tools that focus on data security, or “information-centric” security, depending on who you talk to. You do predict greater focus on database security in 2008, but what’s your opinion for the long haul? Will we migrate away from networks and hosts as the focus of security? Or is there too much momentum with too many big companies tied to our current model to expect changes anytime within the next 3-5 years? Database security is a feature. If the databases weren’t so security tone-deaf, there wouldn’t be a need for this technology at all. But they are, so there is. Over time, a portion of the functions get subsumed into the DBMS, a portion into the security management platform (log analysis and monitoring) and some into the network (intelligently blocking direct database attacks). Though that is truly a long term vision. 5-7 years, best case. The existing database security market has a lot of running room as these other things fall into place. I don’t think we’ll ever be able to neglect network and host security. A layered security model is really the only way to protect yourself from attacks we can’t even envision. That being said, we need to do a lot better job securing the data. The fundamental element of data, in terms of how it’s used and where it goes. As I mentioned before, that is a really big problem. Looking at the database traffic is a start. It’s not the long term answer, but it adds another layer of protection. Last year you published the Pragmatic CSO. I think one thing that’s always made you stand out as an analyst is this focus on practicalities. I find myself recommending the book to someone almost weekly since there are so few just-get-it-done approaches to security. Why do you think we make our lives so much more complicated than they need to be, and what inspired you to finally write the P-CSO? I wrote the P-CSO because I was frustrated. Security folks just don’t understand basic business realities and practices and it is hurting them. They can’t relay the value of what security does and they don’t understand how to play the game to get things done. If anything, I’ve screwed up a lot of things in business and I thought I could provide some perspective that someone who spent their entire career managing firewall rules could appreciate. Especially as they are about to get in front of the Board of Directors and tell them why they aren’t going to be the next TJX. That’s the thing about the P-CSO. It’s not a technology book. It’s a philosophy book. How security professionals need to think about the business of security moving forward. I really believe it’s the difference between success and failure. You’re trying to do something similar for consumers with Security Mike; how’s that project going? Security Mike is going well, but I haven’t put the cycles behind it that it deserves. I’ll be spending a lot more time with that project throughout this year. Security Mike is a big idea. If we can train the consumers out there to protect themselves more effectively, we cut off the oxygen that the hackers breathe. Yes, that’s a long term goal, but you have to start somewhere. The first hundred, then the next thousand, then ten thousand. If we can remove the low hanging fruit, the economic model of Internet fraud changes. The bad guys need to work a lot harder to make the same income. That’s the vision. Thanks a lot for your time today. One last question, is it true someone sent you a holiday card addressed to “Mike Rothman and The Boss”? How did THAT

One of the big issues facing companies these days is compliance – Sarbanes-Oxley, GLBA, PCI, and there will undoubtedly be more in the coming years. As a result, vendors are pushing all sorts of products that purport to help solve the compliance problem. However, compliance is not a technology problem – it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations. Business processes tie together the people and technology that comprise a company’s operational environment. Roughly equivalent in function to ligaments and tendons in physical performance, poor business processes weaken a company’s fiscal performance. An ineffective sales tracking system, for example, will cause major problems in terms of production schedules, order fulfillment, and customer satisfaction. On the regulatory side, such an ineffective system will negatively impact a Sarbanes-Oxley (SOX) audit, since control of both quotes and orders is necessary to know and validate a company’s financial standing. Consistent, repeatable processes should be the goal of every company to ensure sustainability. They are also the cornerstone of many different compliance frameworks, including: SOX, the Payment Card Industry (PCI), ISO 17799/27001, Common Criteria (ISO/IEC 15408), and GLBA; not to mention other local and international standards. I’ve outlined three steps below for designing business processes that, when well executed, will not only improve a company’s operations, but will also ease the workload related to proving compliance. Those steps are: Separation of duties: Create a simple system of checks and balances, for example by investing expenditure approval authority and check writing authority in two different entities or individuals. A basic principle set out famously in the US Constitution, this is simple and reduces the opportunity for embezzlement, for inappropriate procurement awards, and even for stock manipulation. In a high-risk environment, a company may rotate duties to prevent collusion. For instance, the Federal Reserve Board requires authorization by individuals from at least three different groups to move gold from one vault to another; designated representatives from each of these groups are rotated regularly as well. Need to know: Limit access to critical information to those few people who have a true need to know. Establish a process for regular review of these access lists. Quarterly or semi-annual review is fairly standard for sensitive applications, augmented by additional reviews triggered when an employee changes job roles to ensure that privileges are not kept by default beyond their relevance to actual job requirements. In the case of access to all corporate financials, a few key executives and auditors should be sufficient. Regardless of the mandates of PCI, the most prudent course is to encrypt the numbers for all credit card information that is handled and to minimize the number of people who have the ability to decrypt the data. People who don’t have access to data can neither lose nor steal it. Scrutinize the use of credit card information to verify consistency with company privacy and confidentiality policies. Never use real credit card data for test systems. Monitoring tools can also help identify vulnerabilities in this access control system. This general principle aligns with auditing requirements for both SOX and PCI compliance. Change management: Establish the framework for change – and, ironically, business continuity – by fully describing the system that exists. Often perceived as tedious, with burdensome documentation requirements, change management is a key control mechanism for managing and securing financial systems. Auditors appreciate the value of solid change management practices; companies should appreciate spending less time and money on audits.An effective change management process is methodical and simple. Document all system configurations or implement an automated tool to discover system configurations and record them by date. Detail the steps required for user moves, adds, and changes, and establish an audit trail. Record proactive security events, such as patch applications and anti-virus (AV) updates. Assign to each process business owners who are responsible for maintaining and documenting the process. Record all changes manually or automatically. When anomalies are observed or something “breaks,” consult the change log for clues about the likely origin for the malfunction. The documentation serves the additional purposes of increasing uptime, improving reliability, and speeding mean time to recovery. It forms the basis for a business systems resiliency or disaster recovery plan, especially when enhanced by including key contact and license/registration information. For multi-owner processes, assign responsibility for prioritizing and approving changes to a change management committee or board. This board, especially on the applications side, should have the ability to understand the dynamics of conflicting business requirements (internal and external), regulatory requirements (external), and the risk potential inherent in changes requested from different groups. A review board with a holistic view of the system for which change is contemplated will be able to identify hazards, negotiate details, and explain and “market” prioritizations to their individual work groups. If a business process needs to be changed, change it. I have laid out three key elements to consider when designing a business process or when revamping a business process in response to new or existing compliance, security, or environmental needs. Those elements are separation of duties, need to know, and change management. The benefits are lower cost and more reliable operations, less time and money spent on audits, and greater peace of mind for the organization.Business drives changes in process. Technology may enable – or inhibit – change, but it does not drive change. Consistent communications must exist, however, between functional areas (e.g., information technology) and lines of business (e.g., product engineering or consumer loans). Such communication facilitates incremental adjustments in technology deployment that must be recorded in system configuration documents, process updates, and business continuity plans. The continuous realignment of IT and business practice is comparable to the quality movements in manufacturing processes. Technology reinforces and supports changes in process. Tools should not determine the nature of change, nor how change is implemented. Leverage the existing change management

For all of you who are curious, Rich is back home and “All is good.” Share:

Right now I’m probably lying in bed with some weird motorized ice pack strapped to my shoulder, and (hopefully) some pain meds running amok in my system. I suspect most of you are a little more comfortable at the moment, but hopefully on fewer drugs. Before diving under the knife, Mike Rothman agreed to an email interview. I’ve known Mike for something like 5-6 years now (I think). If you read this blog, the odds are pretty darn high you also read Mike’s Security Incite. It’s the best nearly-daily analysis of what’s going on in the security world. Rather than providing a simple list of links, Mike includes his own analysis on 3-4 news stories and 3-4 blog entries a day. Mike is also author of the Pragmatic CSO– a must-read for every aspiring security manager. He’s also the crazy SOB that convinced me you can make it as an independent, so I might be a little biased in his favor. Here’s the first half of the interview, and we’ll finish it off tomorrow… Thanks for joining me today, Mike, especially since it’s actually a week before today, and right now I’m probably drugged up with my arm in a sling, sitting on the couch watching Knight Rider. Who knew that the Rich Mogull has a time machine? If you patented that you really would be a Mogull. Anyhow, I hope you are feeling better and on your way to a speedy recovery. [It seems Mike doesn’t realize Knight Rider is coming back. What’s old is new, Mike.] Rather than having you talk about your past, I’d rather use this time to talk about some of your predictions for the future. Every year you publish your “Security Incites”, a mixed bag of predictions for the coming year. Some of them seem very specific and measurable, while others are, shall we say, a little fluffier. Is there a method to the madness? In fact there is. I’m constantly synthesizing information. From everything I read, every question I get, every conversation I have. Through the year I am assessing and re-assessing my positions. I go back and revisit the Incites in July and December, and by February I have a pretty good idea how they should evolve for the next year. Then I sit in a dark room, meditate for a while, and the Incites just come to me. The reality is that some of the Incites lend themselves to firm, quantifiable predictions and others not so much. Some I use to make a specific point that I think is important. Let’s talk about a few of the predictions that really stand out (for me at least). You’re predicting that 2008 will be the year network security crosses the line and finally becomes just part of the network fabric. A lot of pundits have been predicting this one for years now- what’s going to make 2008 so special? I believe that customers are voting with their dollars. They don’t want overlay solutions for network security anymore. They want their networking provider to get it right, and with the macro-economic headwinds a lot of folks expect, these customers are in no rush to roll out the technology. They have been willing to wait thus far and sooner or later the products from Big Networkers won’t totally suck. If anything, those folks are persistent and they throw a ton of money at it. They will get it right and I think 2008 is the year the security capabilities built into switches are good enough to meet most of the customer requirement. In that same prediction you bring up Network Access Control, the red headed step-child of network security. You’ve been one of the more lukewarm voices on NAC; is it a failure of the technology? Or just the market reality that big vendors see this as a way for greater lock in? To be clear, I don’t have anything against red-heads. 🙂 NAC’s issues in the market stem from two issues. First, it doesn’t solve a problem that customers think is important or urgent enough to solve. The big NAC vendors are talking about having maybe 1500 customers or something like that. And they are probably lying about that. Let’s take a market like anti-spam – which was a REAL problem – Barracuda sold to 30,000 companies in two years. If it was that big of a problem, more customers would be buying the solutions. It’s as simple as that. The second issue has to do with expectations. The NAC vendors did themselves a huge disservice by promising the world to customers. They set an expectation they couldn’t possibly meet and now you’ve got customers that are disappointed and they are telling their friends to hold off until the technology matures. Who knows when that is going to happen? So, will any NAC vendors survive on their own over the next, say, 3 years? The NAC business will suffer a severe shake-out. Quite a few will get bought, with maybe the first 1 or 2 selling for a big multiple. And no, I don’t know which 1 or 2 that will be. We will see a lot more like Caymas, just going away. Or Vernier, which got out of the NAC business altogether. That’s life in the big city. Come back tomorrow to hear Mike’s views on DLP, consumer security, and holiday card pranks. Share:

So somehow Rich has managed to hurt his shoulder. He swears that it happened while helping blind nuns cross the street in an ice storm, but I don’t believe it. As he mentioned on Friday, he’s having surgery this morning to have it fixed, so everyone think happy thoughts towards Phoenix. Since he’s going to be out of commission for a while, he’s asked me and a few others to jump in and post while he’s on the mend. If I’m lucky, he’ll even forget to change the password once he’s recovered and I’ll keep on posting. For those of you who don’t know me already, I’m the CSO-in-Residence for Echelon One, where I run the research and analysis program and before that I was the CISO at Siebel Systems. Best of luck to Rich and hopefully he’ll be back to posting before you know it. Share:

This is very amusing. Everything you need to know about negotiating with Microsoft for $44B. I’m off for the weekend and in surgery on Monday (a minor shoulder thing). I have some guests on the site next week and some other surprises to keep the content running. Have a great weekend… Share:

A strange thing happened Tuesday night. Martin and I logged into Skype for our regular podcast recording session and we noticed two different, but familiar, voices on the line babbling about being Still Secure After All These Years. Yes folks, we combined SSAATY and the Network Security Podcast. I couldn’t tell if Alan and Mitchell crashed our party, or if we crashed theirs, not that it matters. We spent a fair amount of time talking about the privacy issues related to Facebook and other online sites. From employment issues to the political process, it’s clear that having your… youthful indiscretions saved for posterity on a search engine may cause some changes in how society views these things. We also discussed HP’s ridiculous claim that they employ 9 of the world’s 11 best hackers, and talked about the new Adobe exploits. Overall a fun time for all, and sorry about some of the audio issues. These 4 way calls are always a little more challenging. As always, the episode is available at netsecpodcast.com. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Network Security Podcast Share:

I have a moderately complex network at home, with multiple WiFi base stations (running at 5 GHz and 2.4 GHz), a hacked WRT54G gateway router for firewall/VPN, and a couple of AirPort Express units for music streaming. Starting a couple of weeks ago I started having all sorts of erratic behavior with the AirPorts, which was extremely annoying since I was trying to evaluate Airfoil, an audio streaming application, for TidBITS. Lost connections, disappearing access points, and other nonsense. It hit the point yesterday afternoon where I reconfigured my entire network, yanked out the VPN, and, in the process, killed everything. Waking up with a little 4 am insomnia I tries a quick fix I’d forgotten about- changing WiFi channels. A couple of years ago I had similar problems and after doing a site survey with Kismet I realized my access point was on the same channel as a neighbor. This time I skipped Kismet and just swapped channels on my 2.4 GHz (802.11g) access point. All is good. I’m going to bed now. One of our new neighbors must have been on channel 8, and everything is happily connected on channel 7 now. If you find yourself dropping connections or having other weirdness, just go into your access point configuration panel and hard code different channels until things start working better. < p style=”text-align:right;font-size:10px;”>Technorati Tags: WiFi Share: