Uncategorized

Pity the government entities that have to deal with information security.  If they get it right, no thanks will be forthcoming.  If they get it wrong, they live in fear of mortifying headlines.  What are their shrieking eels?

Government has special challenges pursuing modern information security goals.

• Confidentiality – access to information is limited to the right people.  Government doesn’t always have the latest and greatest technology, which can lead to system administrators having access to everything.
• Integrity – information is accurate.  This is tough.  Without the profit motive business has to force correction there’s only indirect feedback from citizens and self-starting conscientiousness of some government employees.
• Availability – information can be accessed reliably.  Frankly, I’m not sure why government does as well as it does on this count.  Perhaps it’s a combination of dedicated civil servants and more public visibility combined with the enabling platform of the web.

There are some across the board threats against the information security goals.
1.  Dysfunctional approval process

• Two bad things can occur.  There can be no oversight, producing insecure systems or there can be over the top oversight, which often produces no systems at all.
• ​For classified information, stringent requirements are supposed to be apply to new systems.  That sounds good, but in practice, systems are secured more by generating paper than by testing.  Industry, when it cares, cares about real world tests.
• Never done it before x 100,000.  Because shared solutions and shared standards within the government are rare, most projects have to be figured out individually, with little benefit of reuse or lessons learned.

2. Wrong Priorities

• The primary challenge in getting a new system approved is fear.  Since security folks get beaten up for failures and ignored for successes, some decide the safest approach is “no”.  This produces huge time delays and needless expense to deal with a “jump”, “how high”, “higher” cycle that ends by either wearing out the requester, the approver, or by political pressure.
• Myopic focus is on incoming email and network based threats, perhaps because the tools are fairly mature, neglecting insider threats, where big name failures have occurred and neglecting the vulnerability of data.​

3. Bad technology approaches

• Buzzwords vs. technology.  Multi-tier, Virtualized, Object Oriented, Cloud.  All of these are valuable technologies  or approaches that every government organization should care about.  Unfortunately these concepts often get treated as buzzwords, producing nothing but incomplete or unused systems.
• Kitchen Sink.  Seemingly more often than not requirements for security products consist of a compilation of the different capabilities from competing vendors.  Rather than buy the most useful option, the purchaser tries to get an all-things-to-all-men solution.  Unsurprisingly those systems either do all things poorly, or worse yet, only meet the requirements by creative interpretations.
• Let’s invent the Internet!  Closely related to the buzzword problem, some organizations get so enthused about a commercial technology that they decide to invent their own version, competing with man years of testing, development, and feedback.  Such only-a-mother-could-love solutions don’t live long.

What’s the future outlook?  Not bad, given that improving technology will eventually sweep everyone forward.

There are good reasons to dislike the push to move from perpetually licensed software to subscription software:

Does the title seem like a typo, randomly generated, a joke?

​No, it’s deliberate, thought out, and not a joke.  Run with me on this.

A friend read a story claiming the U.S. nuclear system still used archaic 8 inch floppy disks.  He didn’t want to get suckered into believing an urban legend and asked, “Can we actually take an article like this seriously?”

Unfortunately, it’s correct.  Sounds like an urban legend, doesn’t it?  CNN and NPR vouch for its truth.  Our nuclear weapons system uses 8″ floppy disks— a technology that had almost vanished before I started my career but that could easily still be in use after I retire.

This is normal for government.

• The Space Shuttle program used 386 computers to run the cockpit.
• The Secret Service uses a failing 1980’s era mainframe.
• U.S. Navy ship radar systems use 1970’s DEC PDPs.

OK, this is normal (and amusing), but is it bad?  Yes, because this is very old hardware, the parts are often only available on eBay, and to try keep these systems at high reliability we have to spend a lot of money and time.

There are many reasons why the government spends so much to get so little.

• • Single year budgets provide an agency little ability to save for big projects.
  • “Use it or lose it” government budgeting punishes severely any attempt to save.
  • The government is famous for changing requirements so many times that they burn up the budget and wind up with nothing useful.
  • There is an excellent level of testing done with critical systems, such that no one is willing to move to a new system.
  • The government isn’t short on money, it’s short on the right color of money.  In other words, maintenance funds can only be spent on maintenance, never on buying new, better, cheaper, more cost effective stuff.  While a business would usually add up the high cost of maintaining, training, & using archaic hardware then throw the money into replacing it, the government CAN’T.
  • The best way to get promoted in government is to squeak by, hiding problems, claiming success, and have any disasters occur on the next guy’s watch.  I have friends in government and they do a harder, better thing, by insisting on real progress.  Unfortunately many people succumb to temptation and go the easy way.

Oddly, the archaic hardware helps with one kind of security problem–fewer hackers are working on finding security problems with systems their grandmothers used.  That’s not the only kind of security though, and an increasing likelihood of total system failure is a huge risk to security.

We’ve only just begun, really, so come back for more problems and some choices.

Given the high number of data breaches where a merchant loses voluminous quantities of customer’s credit card numbers, what should you do?

• Don’t buy anything?
• Worry all the time?
• Get help from technology?

Virtual credit cards are available from CITI and Bank of America.

1. Tied to your normal credit card account, but use a different number.
2. Usable only by the first merchant to charge to it.
3. Good only for a period of time that you choose.
4. Good only for an amount of money that you choose.

This capability is tremendously useful for shopping on the Internet.  If virtual credit card numbers are sitting in a database and get stolen–I don’t care.  If I sign up for a short term service and forget to cancel–the card automatically expires.  If I have to give a credit card which “will not be charged to”–I can limit it to $1.  If I’m only “pretty sure” of an Internet store–my real credit card number is not at risk.

​The case against virtual credit card numbers is amazingly whiny and off base:

1. Verifying transactions is such a bother:  How, exactly, would anything be different from your normal verification of monthly charges?
2. Returns are so, like, hard:  Uh, no, you just return them normally.
3. Charges can go through after number expires:  The one surprising kernel of useful information is that an unscrupulous merchant could charge the number.  When you catch it on your statement you immediately win the dispute–no charge.
4. Only work online:  So, it “only” protects me when my information is most vulnerable?
5. No additional liability:  Huh?  Why would I need more than the $50 liability if I don’t report the card stolen and $0 if I do report it stolen before it’s used?
6. Not always convenient:  Neither is my car–get rid of it.  Neither is my bike–get rid of it.  Neither is unlocking my front door–get rid of it.

What password guidelines are you given?

1. 87 characters long
2. No words, only gobbledygook
3. Upper & lower case, numbers, symbols
4. Change it every 27 minutes
5. Don’t use symbols
6. Use a different password everywhere
7. Don’t write it down
8. and…Make it easy to remember!

Let’s look at each of these recommendations:

1. Length:  Longer is better, if you can remember it.  Passwords of 12 or more make it harder to pre-crack your password.
2. Dictionary Words:  To remember your password you’ll either have to use dictionary words (more than one so it’s not trivially easy to break), a personal algorithm (easy to remember but hard to guess), or a password manager (you can have hideously complex passwords, but not need to remember them).
3. Upper/Lower/Numbers/Symbols:  Many sites will force you to use 3 or more categories so that you can’t be easily defeated by brute force guessing.
4. Changing it:  This is a huge pain, but not much gain.  Frequent changes probably tempt you into using little yellow stickies.
5. Don’t Use Symbols:  Strange as it sounds, some financial institutions limit good passwords, often so that you can use a phone keypad to enter your password.
6. Use a different one everywhere:  Horrifying as this sounds, there are good reasons to have different passwords.  Many websites store your passwords unencrypted, and if they get hacked, you don’t want your one password to be public domain.  A personal algorithm (see above) allows you to have different passwords  AND remember them.
7. Don’t Write it Down:  What if you have 200 passwords?  If you feel you must write them down, use password reminders, not the actual password.  A password manager is a way to have your cake and eat it too.
8. Make it easy to remember:  This sounds cruel after all the other requirements thrown at you.  Once again, pass phrases and personal algorithms help a lot, and password managers mean you don’t have to remember all of them.

Common Sense Tips:

• Never use cutesie passwords such as “password”, “123456”, “letmein”, a birthday, or “porsche”.  Those are in the most common 500 passwords and are trivial to break.
• Put a password on your laptop.  If it gets stolen you don’t want the thief to own your information.  Admittedly, a tech savvy thief could steal some information anyway, but defending against 95% of thieves is still not bad.
• Have your screen saver lock automatically so the password does you some good.
• There is no perfect defense, but a little bit of work makes you much safer.

So, what do the leading presidential candidates have to offer?  How do they balance individual freedom and national security?  Do they grasp the technological concepts?  What is their reasoning process?

All good questions, but you may not like the answers.

• Donald Trump – Mr. Trump argues that we have fallen down on the job with computer security.  That appears to be true, particularly for Trump Hotels.
• Hillary Clinton – Mrs. Clinton speaks reasonably on the topic, but fails spectacularly in practice, despite having experiencing problems with email security and records requirements in the Clinton White House.  The defense offered is that it was stupid but legal, and that the problem emails weren’t marked as classified.  (What a novel approach–the violation is the defense!)
• Bernie Sanders – Like every candidate he wants to find “a balance“.  Without an explanation of what he’s balancing, and how he would seek balance, who knows?
• Ted Cruz – Emphasizes national security but seems a bit confused on the technology.
• Marco Rubio – Emphasizes national security & seems to understand the technology.

The good news is that we have good tools to protect our data.  The bad news?  That’s not our biggest problem.

Although many large corporations and the government inexplicably fail to spend a few hundred thousand to prevent losing millions in sales/fraud/bad publicity, the biggest hole in our defenses is very strange:  we freely give access to the bad guys.

We very readily give access to the wrong people if they ask nicely or cleverly.  So much of our culture depends on trust, but we have to be smart, too:

• Targeting CEOs–brilliant.  Targeting their staff–even better.  When someone says, “the boss needs this”, our brains turn off.
• Help Desk personnel don’t need or want your password.  The nice guy asking for it is actually NOT a nice guy.  He wants to rob you.
• When “Microsoft” calls about problems you didn’t know about, and asks you to install some software, it isn’t Microsoft, they want to rob you.

All the security in the world won’t help if you unlock the door for the burglar when he asks.

New tech is great, but sometimes it doesn’t get pointed in the right direction.  What about the Internet of Things?  Is this an exciting advance, a dangerous pit,  or the same old stuff repackaged?

The creativity unleashed by the ability to network devices never before networked is exhilarating.  Should we do this?  Yes!  Unfortunately, the current state of security for these devices tends to be poor.

• Household appliances – The bad guy gets to control your furnace.  Some fixes are available, but who thinks to check for furnace firmware updates?  Spamming refrigerators, anyone?
• Cars – What if someone could break into your car and install malware that would mess with the climate control, the windshield wipers, the radio, and even the steering wheel?  They can, but how likely is it you won’t notice a laptop wired into your OBDII port?  On the other hand, what if someone could override your climate control system, your radio station choice and volume, activate your wipers, deactivate your transmission, or deactivate your brakes?  What if they could do all that, and more, wirelessly from anywhere in the country?  In other words, the 2015 state-of-the-art.  On the plus side, auto manufacturers have started working together against threats.
• Medical Devices – We’ve never had to think about hackable pacemakers and hackable wireless insulin pumps before.
• Industrial Equipment – Rogue blast furnace, anyone?
• Air Traffic Control Systems – We’d better fix hackable ATC systems now, not after a disaster.

The point is not that we should run for cover, switching back to mimeographs, Franklin Stoves, buggies, and home smelting.  Given that smart cars, smart roads, and smart medical devices could save lives, we need to move forward.  We do need legislators to set basic requirements for security and updates.  Right now, it’s mostly funny stories, but we’re going to have to start caring soon.  In about 5 years we’ll have gone from today’s 2% of Internet enabled devices to 75 billion connected devices.

• In 2003 a geological statistician cracked a lottery ticket code and reported that to the lottery, but then kept finding new ways to break other lottery games.  It appears organized crime skims off winning tickets for profit and money laundering, leaving mostly the loser tickets and small winners for the public.  Anomalies in prize redemption make this seem likely.
• There is always the direct approach–hacking the lottery computers, though fortunately the perpetrator was caught.  The insider threat is hard to stop.
• All-in-all, there is a long history of hacked games of chance, and it seems extremely unlikely, that given the rewards available, the hacking will stop.