Category Security

Kip Hawley on Airport Security

The Wall Street Journal has an excerpt from Kip Hawley’s upcoming book on airport security:

Any effort to rebuild TSA and get airport security right in the U.S. has to start with two basic principles:

First, the TSA’s mission is to prevent a catastrophic attack on the transportation system, not to ensure that every single passenger can avoid harm while traveling. Much of the friction in the system today results from rules that are direct responses to how we were attacked on 9/11. But it’s simply no longer the case that killing a few people on board a plane could lead to a hijacking. Never again will a terrorist be able to breach the cockpit simply with a box cutter or a knife. The cockpit doors have been reinforced, and passengers, flight crews and air marshals would intervene.

Second, the TSA’s job is to manage risk, not to enforce regulations. Terrorists are adaptive, and we need to be adaptive, too. Regulations are always playing catch-up, because terrorists design their plots around the loopholes.

The rest of the article makes for great weekend reading.

I like that Kip Hawley is so open and willing to talk about airport security issues. I enjoyed his extensive interview with Bruce Schneier back in 2007. I don’t always agree with him, but his opinion is worth reading. I’m looking forward to the book.

Enigma Machine in Excel

Believe it or not, someone has implemented an Enigma machine in an Excel spreadsheet.

You don’t have to think of yourself as a programmer to create some moderately complicated programs in Excel. Also, with modern computers available to us, cryptography is easier to play with than you might think. I hope we see more projects like this.
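The spreadsheet itself isn't reproduced here, but as an added example (my own code, not the spreadsheet author's) here is the same machine in Python: an Enigma I with the historical rotor wirings and turnover notches, reflector B or C, a plugboard, and the middle rotor's double-step. The usual check is that with rotors I, II, III, reflector B and every rotor and ring at A, AAAAA encrypts to BDZGO. Because the reflector makes the whole machine an involution, the same settings decrypt, and no letter can ever encrypt to itself, which is the weakness the Bletchley Park cribs relied on.

```python
"""Enigma I simulator: three rotors, reflector, plugboard and double-stepping."""
from string import ascii_uppercase as ALPHABET

# Historical Enigma I rotor wirings (output contact for inputs A..Z) and the
# window letter at which each rotor's notch carries the rotor to its left.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":  ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":   ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
}
REFLECTORS = {
    "B": "YRUHQSLDPXNGOKMIEBFZCWVJAT",
    "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL",
}


class Rotor:
    def __init__(self, name, position="A", ring="A"):
        wiring, notch = ROTORS[name]
        self.fwd = [ALPHABET.index(c) for c in wiring]
        self.bwd = [0] * 26
        for i, out in enumerate(self.fwd):
            self.bwd[out] = i
        self.notch = ALPHABET.index(notch)
        self.pos = ALPHABET.index(position)   # letter showing in the window
        self.ring = ALPHABET.index(ring)      # Ringstellung offset

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _pass(self, table, c):
        # Rotate into the rotor's frame, map through the wiring, rotate back out.
        shift = self.pos - self.ring
        return (table[(c + shift) % 26] - shift) % 26

    def forward(self, c):
        return self._pass(self.fwd, c)

    def backward(self, c):
        return self._pass(self.bwd, c)


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), reflector="B",
                 positions="AAA", rings="AAA", plugboard=""):
        self.left, self.middle, self.right = (
            Rotor(n, p, r) for n, p, r in zip(rotors, positions, rings))
        self.reflector = [ALPHABET.index(c) for c in REFLECTORS[reflector]]
        # Plugboard "AB CD" swaps A<->B and C<->D; unlisted letters pass straight through.
        self.plug = list(range(26))
        for pair in plugboard.split():
            a, b = (ALPHABET.index(x) for x in pair)
            self.plug[a], self.plug[b] = b, a

    def _step(self):
        # The rotors move before the key's contact closes. A middle rotor sitting
        # on its notch steps itself and the left rotor: the double-step anomaly.
        if self.middle.at_notch():
            self.middle.step()
            self.left.step()
        elif self.right.at_notch():
            self.middle.step()
        self.right.step()

    def _press(self, c):
        self._step()
        c = self.plug[c]
        for rotor in (self.right, self.middle, self.left):
            c = rotor.forward(c)
        c = self.reflector[c]
        for rotor in (self.left, self.middle, self.right):
            c = rotor.backward(c)
        return self.plug[c]

    def encrypt(self, text):
        """Encrypt A-Z text; the same settings decrypt. Other characters are dropped."""
        return "".join(ALPHABET[self._press(ALPHABET.index(ch))]
                       for ch in text.upper() if ch in ALPHABET)


def never_maps_to_itself(text, **settings):
    """True when no plaintext letter equals its ciphertext letter; the reflector
    guarantees this for every setting, which is what made cribs so effective."""
    clean = "".join(ch for ch in text.upper() if ch in ALPHABET)
    cipher = Enigma(**settings).encrypt(clean)
    return all(p != c for p, c in zip(clean, cipher))


if __name__ == "__main__":
    print(Enigma().encrypt("AAAAA"))  # BDZGO, the usual reference vector
    print(Enigma().encrypt("BDZGO"))  # AAAAA
    print(never_maps_to_itself("ATTACK AT DAWN", positions="QEV", plugboard="AB CD"))  # True
```

Run it as a script to see the reference vector round-trip; feed any text to never_maps_to_itself with whatever rotor order, ring settings and plugboard you like and it will still come back True, which is exactly why a known word in a message was so damaging to the machine.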

EFF on Public Key Infrastructure

The EFF recently proposed a fix for a major problem in the Internet’s public key infrastructure:

One of the main problems with the current PKI model is the lack of control over CAs and their subsidiaries. There are literally hundreds of organizations spread around the world that are allowed to issue certificates for any domain name and some of them are operated by governments that practice Internet surveillance and censorship.

Worth reading.

Code Signing Flaw in iOS

My previous post about Apple security focused on an article by Wil Shipley wherein he discussed signing apps written for Mac OS X with certificates. One of Shipley’s main points was that the two primary mechanisms for enforcing security on the Mac App store (sandboxing and auditing) are fundamentally flawed. Now we have a great example of how auditing fails:

Miller, a former NSA analyst who now works as a researcher with consultancy Accuvant, created a proof-of-concept app called Instastock to show the vulnerability. The simple program appears to merely list stock tickers, but also communicates with a server in Miller’s house in St. Louis, pulling down and executing whatever new commands he wants. In the video above, he demonstrates it reading an iPhone’s files and making the phone vibrate. Miller applied for Instastock’s inclusion in the App Store and Apple approved the booby-trapped app.

The rest of that article includes more details on the code signing flaw Miller exploited, but I want to focus on a slightly different aspect of this story: responsible disclosure. Essentially, in responsible disclosure, when a researcher discovers a flaw in proprietary software, they immediately report it privately to the company responsible and set up a reasonable timeframe for fixing the problem before publicly disclosing the flaw.

Miller first contacted Apple about this problem on October 14th. I’m not sure that three weeks is really enough time to resolve a problem like this. I know he didn’t give all the details, and I know Apple has a reputation for not fixing security bugs until they become public (or perhaps well after they have been public for months…). Still, Miller would have gotten a lot more sympathy from me if he had reported the problem to Apple privately and given them time to resolve it. Another thing that would have made me a little more sympathetic is if he and Apple had agreed on a timeframe for resolving this problem prior to disclosing the flaw, though I’m not sure Apple would ever agree to something like that. Publicly acknowledging flaws of this nature isn’t really in their DNA.

Despite the flaw in Apple’s code signing, they have been able to respond by removing the exploited app from their app store and canceling Miller’s developer license. (Note: There’s some hypocrisy on Apple’s part here since canceling a developer license is a bit different from their treatment of other iOS security researchers.) Is this good enough for security? Everything in security is a tradeoff, so where does this response fall? It annoys me that there’s a bug in Apple’s code signing, but maybe the setup of the iOS App Store is enough of a response.

The original article points out that a similar issue in Android has resulted in a spate of malware for that platform. I’m not sure a similar thing will happen with iOS. Sure, Apple won’t be able to detect these apps in their review process, but they can always just remove them from the store after they’ve been found in the wild. I would probably prefer to see the code signing exception resolved, but I’m not sure what the tradeoffs really are. It’s hard to make security decisions that way.

Lastly, I should mention that this story is rather one-sided as of now. I haven’t seen anything from Apple about all of this yet. If you’ve seen something from Apple, please leave a comment.

Software Security on Mac OS X

Well-known Mac developer Wil Shipley wrote a fantastic post about software security models on Mac OS X. Essentially, his argument is that proactive solutions to software security cannot be successful on their own; they must be supplemented with a reactive approach. On the surface, this seems counter-productive: wouldn’t you rather find security problems before they compromise anything than react to them after it’s happened? In an ideal world, this would obviously be the best result, but we don’t live in an ideal world. Here’s Wil:

Entitlements are a binary solution – if there’s a hole anywhere in it that malware authors find, then there’s really not much Apple can do until they issue a full operating system patch. We call this kind of solution “brittle” – it requires everything to have been written perfectly, for every contingency, or it fails completely.

Solving security problems proactively is extremely challenging. If there’s a single hole, then all your effort is for nothing. A quick, appropriate reactive response is often the best tradeoff for security. Here’s Wil again:

Code auditing and sandboxing are non-biomimicry – nature doesn’t try to audit every line of code, she tries to fail gracefully. Certificates alone offer a graceful failover – if a developer signs up with Apple and provides false info and manages to trick people into downloading her malware, well, we can just throw a switch and she’s done.

Security shouldn’t be all-proactive, but neither should it be all-reactive. Some proactive measures are worth the tradeoff. The fact that Apple performs a baseline examination of applications sold through their Mac App Store does eliminate obvious security problems, but such an approach is never going to catch every single security problem. For that, the best solution will be reactive, and an application white list enforced with certificates is a reasonable approach.

Adobe Flash Security

Flash is almost always the #1 target for hackers. It’s nearly ubiquitous and easy to break into. The only thing that might give Flash a run for its money is the Java runtime environment. Still, Flash is awful.

Because there are so many stories about how bad Flash is from a security standpoint, I haven’t really spent much time linking to them. However, Steve Bellovin, a computer security pioneer and a Professor of Computer Science at Columbia, wrote a fantastic post about the security problems caused by Flash:

From a technical perspective, it’s simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe’s servers.

Definitely read the whole thing. Bellovin ends his post with this:

No wonder the NSA’s Mac OS X Security Configuration guide says to disable the camera and microphone functions, by physically removing the devices if necessary.

I’m not sure what role the operating system should play here, but it’s fascinating to think about. How should things like the camera and microphone be controlled? Webcams are clearly an important area for privacy.

Lastly, Bellovin’s post is based on research done by Feross Aboukhadijeh at Stanford, which is worth reading if only because it is a pretty compelling case of responsible disclosure.

Air Travel Absurdity

I haven’t linked to many air travel stories recently in part because there are simply so many of them that picking one to link to over the others is a challenge in and of itself. Recently, I came across an article by LZ Granderson at CNN that sort of summarizes the situation well:

Given the physical requirements and inherent importance of an exit row seat, I would feel more comfortable if I knew the person sitting there could at least do a pushup and not just be collecting a reward for being a repeat customer.

These are the kind of systematic disconnects that just crack me up.

Flight attendants tell us to turn off all electronic devices under the guise they could interfere with the plane’s navigation system, meaning that if the terrorists really wanted to cause some damage, all they had to do was read their Kindle during takeoff.

Granderson sort of implies that we should at least attempt to enjoy the absurdity as the amusement that it is. I don’t agree. Waste and inconvenience on this scale isn’t amusing. Security is a tradeoff, and I don’t think we’re making the right decisions. The risk of being the victim of a terrorist on an airplane is ridiculously low.

There are reasons we’re not making rational decisions about airport security, and most of them are probably best explained by the fact that we’re all human. Humans just don’t make rational decisions about some types of risk. Dan Ariely has basically built his entire career on the irrational decisions people make. Bruce Schneier’s next book is going to focus on how people make decisions involving trust.

Still, we don’t really understand why people are so poor at making these decisions. Worse, we don’t know how to improve this sort of decision making. The absurdity of airport security isn’t amusing; the root causes of this problem are probably one of the most important research topics for the next few decades.

Paper-Based Violation of HIPAA

If you’re going to steal large amounts of personally identifiable information, then you’re almost always better off doing so digitally rather than attempting to steal paper records. People notice when boxes and boxes of records go missing. In fact, the entire plot of The Firm hinges on a rather intricate attempt to make paper copies of records that would be comparatively trivial to steal in a digital world.

Because of the problems of paper records, it’s really rare that you see huge paper-based violations of HIPAA. But apparently, it’s not impossible:

When Athens native Bobby Roberts placed a bid of more than $1,000 for the contents of a delinquent storage unit in Florence, he said he thought he was buying medical equipment and maybe old office files.

But on Sept. 10, when he opened the 20 or so boxes in the unit at Climate Guard Self Storage on Florence Boulevard, he discovered the boxes were filled with personal medical records from Digital Diagnostic Imaging Inc. Some were from as recently as 2009, while others dated to 2002.

Included on those records were not just medical details but patients’ Social Security numbers, addresses, phone numbers, insurance information and driver’s licenses.

Obviously, Roberts didn’t steal the records, but this is still a violation of HIPAA and the fault of the company that abandoned the records. Covered entities can’t just abandon paper-based records in a storage facility. It looks like Roberts is attempting to do the right thing with the records, but imagine what would have happened if someone else had won that auction.

Joel Stein on Passwords

Joel Stein writes The Awesome Column for Time Magazine. He recently wrote about passwords in a column called Pimp My Password. You have to be a Time subscriber to read the article now, but it’s worth reading if you can. His views on passwords are probably very, very close to what the average layperson thinks.

Google’s Page Speed Service

Google has recently announced a new service called Page Speed Service. Here’s TechCrunch:

Page Speed Service is the latest tool in Google’s arsenal to help speed up the web. This service is also their most ambitious yet. When you sign up and point your site’s DNS entry to Google, they’ll enable the tool which will fetch your content from your servers, rewrite your webpages, and serve them up from Google’s own servers around the world. Yes, you read all of that correctly.

So my question is this: when will Google start using a service like this to remove common security problems like cross-site scripting from websites?