How to mess up your breach disclosure

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers.

No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary.

It’s always nice to see clear reminders that the way to get people excited about a breach is to dribble out the information. For what little the public knows, see Brian Krebs’s “MasterCard, VISA Warn of Processor Breach.” Because Visa and Mastercard aren’t talking, Krebs gets to piece the story together and decide how the public will come to understand it.

Doctors Make Mistakes. Can we talk about that?

That’s the title of a TED Talk, “Doctors Make Mistakes. Can we talk about that?” From the talk:

When was the last time you heard somebody talk about failure after failure after failure? Oh yeah, you go to a cocktail party and you might hear about some other doctor, but you’re not going to hear somebody talking about their own mistakes. If I were to walk into a room filled with my colleagues and ask for their support right now and start to tell what I’ve just told you right now, I probably wouldn’t get through two of those stories before they would start to get really uncomfortable, somebody would crack a joke, they’d change the subject and we would move on. And in fact, if I knew and my colleagues knew that one of my orthopedic colleagues took off the wrong leg in my hospital, believe me, I’d have trouble making eye contact with that person.

That’s the system that we have. It’s a complete denial of mistakes. It’s a system in which there are two kinds of positions — those who make mistakes and those who don’t, those who can’t handle sleep deprivation and those who can, those who have lousy outcomes and those who have great outcomes. And it’s almost like an ideological reaction, like the antibodies begin to attack that person. And we have this idea that if we drive the people who make mistakes out of medicine, what will we be left with, but a safe system.

But there are two problems with that…

I’ll just say, security professionals make mistakes, too.

Can we talk about that?

Edited Twitter Weekly Updates for 2012-03-25

I’m continuing to tweak in the hopes of balancing useful & overwhelming. This week I’m not only cutting down the chaos a bit, but adding the emergent categories. Also, my tweets precede the Re-Tweets. Comments welcome.

  • Where can I send people new to infosec for security mentoring, confident that they'll get broad, data-centered advice? (#newschool)
  • Just got entranced by http://t.co/tjGKyYj8 (by @infobeautiful?)
  • RT @alexhutton I wonder how much ISACA spends in SEO. Because unless @adamshostack is spending something, this is funny http://t.co/yp3SmIbk
  • RT @bittman Yeh, exactly, by @tlaskawy. ‘Pink slime’ is the tip of the iceberg: http://t.co/7fPrAsaT
  • RT @OSVDB 3 new IBM CTSS vulns from 1962 (x2) and 1965 added. http://t.co/FS5kn3xi << I forgot to ask, do you have working PoC code?
  • RT @bobblakley Moving on: after 5 great years at Burton & Gartner, I'm moving to Citigroup to become Head of Info Sec Innovation < Congrats!

Hey, Verizon’s DBIR 2012 is now out and available!:

  • RT @wadebaker We're happy to announce that the 2012 #DBIR is out. Hope you enjoy it and find it useful. http://t.co/6xcILGom
  • "RT" @rmogull "Here's my guide to how to read the Verizon DBIR" https://t.co/0DTyJ19d

Security and People:

  • The New York Times encourages readers to submit the answers to their password recovery questions. http://t.co/TKSah0sO
  • Fascinating SE technique http://t.co/wxe41Qn3 Where does the dialog get the "Software Update" name? (cc IntegoSecurity)
  • RT @Beaker Seriously. It's 2012 & banks are STILL using full SSN as USERNAMES!? WTF. Looking @ you, BofA << you'd prefer it as password? 😉
  • RT @arstechnica Facebook says it may sue employers who demand job applicants' passwords: http://t.co/bIeqSwOg by @JBrodkin
  • RT @sambowne: 2-factor auth via cell phone is bad b/c SMS often takes 6 hours to arrive –Facebook Security #hnpworkshops2012 < Details pls?

TSA:

  • RT @mtyka Congress Wants Your TSA Stories @slashdot http://t.co/lNQOpdQP
  • RT @GreatDismal Above the head of every TSA line, beyond the scanners: the ghostly, smug, perpetually gratified eyes of OBL.

Other jerks: Sqoot.com special edition:

  • Women as a "perk" for a programming event is super-lame. https://t.co/NJi52LUZ
  • RT @window RT @shanley Copy for @sqoot hackathon: "Women: Need another beer? Let one of our friendly (female) event staff get that for you."

BSides Las Vegas 2012 Contest

BSides LV 2012 tickets sold out in under 30 hours last week. I have acquired five tickets to give away. More details later, but the tickets will go to the person or people with the best story of how they applied the principles of the New School in a real-life situation. Start planning those responses, folks!

Does 1Password Store Passwords Securely?

In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov examine a number of password management tools. This is admirable work, and I’m glad Black Hat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that program:

However, because PKCS7 padding is used when encrypting the database encryption key, it is possible to verify a password just by computing the KEK (using the MD5 hash function), decrypting the last block of the encrypted database key, and checking whether it equals 16 bytes with value 0x10 (this will be the PKCS7-compliant padding when encrypting data whose length is exactly N blocks of the underlying cipher). Thus, a very fast password recovery attack is possible, requiring one MD5 computation and one AES trial decryption per password.

As a result of this design issue, Belenko and Sklyarov estimate password guessing against passwords stored by 1Password for iPhone at 15 million guesses per second. That is the 3rd-worst of the 11 products in their table, and 3,000-fold worse than the best performer (Strip Lite Password Manager, at 5,000 per second).

The folks at Agile Bits, makers of 1Password, took the time to blog about the paper, and accept the implications of the work in “Strong Security Requires Strong Passwords.”

However, I think they misunderstand the paper and the issue when they write:

The main reason the password can be determined so quickly is because 6 characters provide relatively few possible password combinations.

I believe the main reason for the issue is the way in which 1Password has chosen to store passwords. They allude to this further down in the post when they write:

With that said, as Dmitry and Andrey point out, 1Password could do more to slow the password discovery process, thereby making it take even longer. For example, on the desktop (both Windows and Mac), 1Password uses PBKDF2 to significantly slow down attackers. Currently this is not available on iOS as we needed to support older devices. The next major release of 1Password will only support iOS 5 and at that time we will be incorporating these additional defences.

I still don’t think that’s an adequate response. Several of their competitors on iOS use their own implementation of PBKDF2. That is a risky thing to do: it can be expensive to implement and test, and the impact of a bug in such code might reasonably be pretty high, so it’s not a slam dunk in the general case. But in this case, Apple ships an open source version of PBKDF2: http://opensource.apple.com/source/CommonCrypto/CommonCrypto-55010/Source/API/CommonKeyDerivation.c. Building on that carries far less risk than creating a new implementation. Therefore, I think Agile Bits should change the way it validates passwords and incorporate PBKDF2 into all versions of 1Password soon.
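To make the attack and the fix concrete, here is an added example of my own; it is not code from 1Password, Agile Bits, or Belenko and Sklyarov’s tool. It builds a small “encrypted database key” blob the way the paper describes, checks the last block for PKCS7 padding under a candidate KEK, and compares the per-guess cost of an MD5-derived KEK with a PBKDF2-derived one. Two assumptions: the Python standard library has no AES, so the block cipher is replaced by an HMAC-SHA256 keystream, which keeps the one property the oracle depends on (a wrong key turns the last block into pseudorandom bytes) but is not AES-CBC and not how 1Password encrypts; and the salt, the 32-byte database key, the SHA-256 PRF and the 10,000-iteration count are constructed for the example.

```python
# Added example, not code from 1Password, Agile Bits or the paper.
import hashlib
import hmac
import time

BLOCK = 16
SALT = b"constructed-salt-value"   # assumption: a per-database salt stored beside the blob


def _keystream(kek: bytes, nblocks: int) -> bytes:
    """Stand-in for the block cipher (the stdlib has no AES): an HMAC-SHA256
    keystream keyed by the KEK. Not AES-CBC and not how 1Password encrypts;
    it only preserves the property the oracle relies on, namely that a
    wrong KEK turns the last block into pseudorandom bytes."""
    return b"".join(
        hmac.new(kek, i.to_bytes(4, "big"), "sha256").digest()[:BLOCK]
        for i in range(nblocks)
    )


def pkcs7_pad(data: bytes) -> bytes:
    """PKCS7: when the data is already block-aligned, a whole block of 0x10 is appended."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_db_key(kek: bytes, db_key: bytes) -> bytes:
    padded = pkcs7_pad(db_key)
    ks = _keystream(kek, len(padded) // BLOCK)
    return bytes(a ^ b for a, b in zip(padded, ks))


def last_block_plaintext(kek: bytes, blob: bytes) -> bytes:
    """Decrypt only the final block; the attacker never needs the rest."""
    ks_last = _keystream(kek, len(blob) // BLOCK)[-BLOCK:]
    return bytes(a ^ b for a, b in zip(blob[-BLOCK:], ks_last))


def padding_oracle_says_valid(kek: bytes, blob: bytes) -> bool:
    """The check Belenko and Sklyarov describe: does the last block decrypt to
    sixteen 0x10 bytes? One KDF call plus one block decrypt per guess."""
    return last_block_plaintext(kek, blob) == bytes([BLOCK]) * BLOCK


def kek_md5(password: str) -> bytes:
    """The weak derivation: a single unsalted MD5 of the master password."""
    return hashlib.md5(password.encode()).digest()


def kek_pbkdf2(password: str, iterations: int = 10_000) -> bytes:
    """The fix: salted, iterated PBKDF2 (HMAC-SHA256 here; the PRF is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations, BLOCK)


def crack(blob: bytes, candidates, kdf):
    """Offline guessing against a stolen blob: returns the first password the
    oracle accepts, or None. Cost per candidate is one kdf() call plus one block."""
    for pw in candidates:
        if padding_oracle_says_valid(kdf(pw), blob):
            return pw
    return None


def guesses_per_second(kdf, samples: int) -> float:
    t0 = time.perf_counter()
    for i in range(samples):
        kdf("candidate-%d" % i)
    return samples / (time.perf_counter() - t0)


def stretch_factor(iterations: int = 10_000) -> float:
    """How many times more expensive one guess becomes with PBKDF2 than with MD5."""
    fast = guesses_per_second(kek_md5, 5000)
    slow = guesses_per_second(lambda p: kek_pbkdf2(p, iterations), 20)
    return fast / slow


def seconds_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Time to try every password of the given length at `rate` guesses per second."""
    return alphabet ** length / rate


if __name__ == "__main__":
    db_key = bytes(range(32))                     # constructed 32-byte database key
    blob = encrypt_db_key(kek_md5("s3cret"), db_key)
    print("recovered:", crack(blob, ["password", "letmein", "s3cret"], kek_md5))
    print("PBKDF2 stretch factor: %.0fx" % stretch_factor())
    print("6-char alphanumeric at 15M/s: %.0f s" % seconds_to_exhaust(62, 6, 15e6))
```

The padding check is the same in both variants; what changes is only the cost of `kdf(pw)`. At the paper’s 15 million guesses per second, all six-character alphanumeric passwords fall in about an hour; a 10,000-iteration PBKDF2 makes each guess thousands of times more expensive on the same hardware, which is why the fix belongs in the key derivation rather than in a longer-password recommendation.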

They also state:

1Password for iPhone will no longer allow items to be protected by just the PIN code. The PIN code was meant for less sensitive items and we always expected the Master Password protection to be enabled on important items. To simplify things, all items will be protected with the Master Password, just like on iPad, Mac, and Windows.

I understand the choice to do this, and move to stronger protection for all items. At the same time, I like the PIN-only protection for my low-value passwords. Entering passwords on a phone is a pain. It’s not an easy trade-off, and a 4-digit PIN is always going to be easy to brute force with modern CPUs, however much salting and stretching is applied. I’m capable of making risk management decisions, but I also understand that many people may feel that Agile Bits wouldn’t offer the choice if it wasn’t secure. I respect the choice that Agile Bits is making to force stronger protection on all their customers.

In summary, 1Password is not storing passwords as securely as it could, and if your phone is stolen, or your phone backups are accessed, those choices leave your passwords at more risk than competing products. I don’t think the fixes to this require iOS 5. I think the right thing for Agile Bits to do is to ship an update with better protection against brute force attacks for all their customers, and to do so soon.

[Update 3 (April 10) Agile Bits has released an update which implements 10K PBKDF2 iterations.]

[Update 2: 1Password has now stated that they will do this, adding PBKDF2 to all versions for iOS, which had been the only platform impacted by these issues. They have a hard balance of speed versus security to make, and I encourage them to think it through and test appropriately, rather than rushing a bad fix. ]

[Updated to clarify that this applies only to the iPhone version of 1Password.]

Edited Tweets for 2012-03-18

  • RT @curphey amazing how many serial entrepreneurs, visionaries & thought leaders in security are wanting to contract @ $75/hour
  • MT @GammaCounter Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p via @adam_orbit
  • I really want @robinsage to RT this: Chinese spies impersonated US Navy admiral on Facebook, friended NATO officials: http://t.co/FFnpdJ9p
  • Britannica to cease publishing physical edition after 244 years: http://t.co/QtHZDNRG
  • Writing your paper with absolute & % valuations: about .5 €. Not having every story say privacy is worth 50 cents: priceless.
  • RT @spacerog "Why Aren't There More Women in Tech? I'll Tell You Why I'm Not http://t.co/tTbSRP0u <- the tragedy of most formal education"
  • RT @alexhutton Measuring the OODA loop of security thinking: Can you say firewalls & SSL? http://t.co/siThqbbZ < Not a loop without feedback
  • There's a stack of things I'm looking at today where I have exactly the same reaction: "Evidence? Alternate hypotheses?"
  • An old co-worker of mine is competing to get his product "Zoo Poo" in retail channels. It's entertaining, please vote http://t.co/5MlXNUSK
  • And they say kids today don't care about privacy: http://t.co/kN8AryXy
  • RT @RSAConference @neiljrubenking discusses why it’s time to reevaluate your phone’s password manager http://t.co/g5TtvSb8 < cc @1password
  • RT @teacup Survey Foreign travelers were more afraid of United States immigration officials than of terrorism or crime http://t.co/oaD8b8Ya
  • RT @blowdart Honestly I am always worried every time I land, visa or not. << I wish the way we treated visitors got more attention
  • RT @jmason @adamshostack @teacup "2/3rds feared being detained for 'minor mistakes or misstatements'." +1, it's happened to me
  • RT @dlitchfield This is the St Paddy Day Irish Twitter worm: I need your help to spread so please re-tweet 🙂
  • I think @dlitchfield just 0day'd my twitter client.
  • If a picture is worth 1000 words, does that mean I'm 2376 words into this chapter?


Feelings! Nothing but feelings!

At BSides San Francisco, I met David Sparks, whose blog post on 25 security professionals admitting their mistakes I commented on here. And in the department of putting my money where my mouth is, I talked him through the story on camera. The video is here: “Security Guru Tells Tale of How His Blog Became a Botnet Server.”

It felt weird. It really did. I’m glad I did it. I want to continue to be able to talk about owning up to mistakes, and a big part of that is how we feel about talking about it. It’s all too easy to talk about something else, and not learn from it.

On which, kudos to Chris Hoff for talking about his story in “A Funny Thing Happened On My Way To Malware Removal….” Kudos to Jeremiah Grossman for owning up to being “Terrified” before getting on stage. And kudos to Bill Brenner for writing his OCD Diaries.

Despite our aspirations, we’re not computers. We’re not fully rational beings. We’re collections of tiny advantages collected in an expressed genome. We are products of our experiences through life. Pretending it’s all about the technology hasn’t worked.

I’m eager to learn from my mistakes and share the lessons, but I don’t always see those lessons myself. So sharing the stories and learning from each other will give us advantages, let us become products of not only our experiences, but those of others, and drive our ability to make information security a lot more fun.

Seeing more than the technology is one of the key themes that Andrew and I wrote about in the New School, and I think it deserves more attention.

We’re not going to be all about feelings here, but we’re going to talk more about the human side of security.

Entice, Don't Scold

I really like what Adrian Lane had to say about the cars at RSA:

I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering.

Ferrari -- Nice!

Nice, huh?

It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes. How many of you have seen the “blinky light phenomenon”, where buyers prefer hardware over software because there was a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with IT guys who are trying to get multiple jobs done without much fanfare. And many of them don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues and bring some tchotchkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

It can sometimes feel like security experts spend their lives failing to empathize with the fellow who wants to look at the cool car. Rather, we scold and declare everything a large risk. What a pain! We need to understand the people who we’re there to protect, and treat them as human beings.

We need to entice them to do what we want. The bad guys know this. We scold people about clicking on dancing pigs, all the while understanding that dancing pigs are fun. The bad guys know that dancing pigs are fun too, so they wrap their exploits in promises of dancing pigs.

There are all sorts of ways to entice. Some of them, like scantily clad women, will irk part of your audience. Some of them, like a car, are expensive. Some, I hope, hit the sweet spot: inexpensive, approachable, and enticing.

That’s really what Elevation of Privilege is all about. Enticing busy people into the craft of threat modeling. And into our trade show booth. (That’s how we get budget to keep giving away copies. See? It’s a virtuous circle of enticements, all wrapped up in cellophane and a pretty box!)

I didn’t realize that when I made it. I thought it was about flow (see my 2010 short BlackHat talk, “The Easy Way To Get Started Threat Modeling“) but as I started talking to more people, the stories that came back were about something else. The stories came back about people stopping at a desk to look at it. About people newly willing to take meetings with security teams. About young kids enthralled by the graphics. Because they wanted to learn more.

There’s a lot of unexplored territory in enticing people into security. Why not give it a try?