Category Security

Software Security Rating Systems

In my last post, I talked about the inherent challenges in evaluating software for security flaws. One approach to this problem is to rate products on a vastly simplified scale using a rough checklist of the most egregious errors. The DHS and Mitre Corp. have built just such a system:

The Homeland Security Department and consulting firm Mitre Corp. on Monday unveiled a system for rating the protection of software products to help agencies, contractors and consumers ensure they are buying safe technology, in the same way the Energy Star labeling program helps guarantee eco-friendly purchases, DHS officials said.

The scoring reflects the degree to which software offerings defend against the most common programming flaws — which are widespread in agency systems as noted by a recent audit of Internal Revenue Service databases. Last week, the Treasury Department inspector general released a report that found software housing taxpayer information is not always protected against attacks.

I’m not convinced that programs like this will be successful at doing anything other than eliminating the obviously deficient. There’s some real value in eliminating the obviously deficient, but software security rating systems almost always imply that if a product has achieved the ‘best’ rating, then it’s ‘secure.’

Establishing that something is 100% secure is extremely difficult because of the nature of security, and any software security rating system needs to be clear about its limitations. This proposed system provides a metric-based rating from one to 100, which looks too much like a ‘percentage’ for security to me. I would prefer something different, perhaps even a binary rating to indicate that a product either has known security concerns or doesn’t have them.

Despite all their potential pitfalls, I suspect that software security ratings systems are the closest thing we’re likely to see as a way to quickly evaluate whether a product has serious security concerns.

Liability and Software Security

Tim Lee has a great article up on Ars Technica about liability and software security:

If your code gets hacked, are you the one on the hook? In the early decades of the software industry, the answer was usually “no.” Software licenses routinely disclaimed liability, and until recently, security flaws were considered to be just another fact of life. When problems were discovered, companies were expected to fix them quickly, but they were rarely on the hook for the resulting damage.

That’s changing rapidly. Recently, Sony faced a class action lawsuit for losing the private information of millions of users. And this week, it was reported that Dropbox is already being sued for a recent security breach of its own.

Read the whole thing; it’s not long.

I do want to pick a nit with part of the interview with Professor Alex Halderman of the University of Michigan:

Ars asked Alex Halderman, a computer science professor at the University of Michigan, to help us evaluate these options. He argued that consumer choice by itself is unlikely to produce secure software. Most consumers aren’t equipped to tell whether a company’s security claims are “snake oil or actually have some meat behind them.” Security problems therefore tend not to become evident until it’s too late.

I don’t disagree with the conclusion, but I do disagree with the rationale. (Yeah, I’m really picking a nit here…) It’s true that most consumers aren’t equipped to tell whether a company’s security claims are snake oil or not, but that doesn’t necessarily mean that a consumer choice approach is doomed to fail. The fact of the matter is that most consumers aren’t equipped to differentiate a high quality product from a low quality one in any field. The difference is that for most products we can effectively rely on the few consumers who are able to make that differentiation. I don’t know a thing about the best window treatment for a house, but with just a little digging I can find some reliably good advice one way or the other about a given product. Unfortunately, security is one of those products for which even experts are unable to provide reliable advice. It’s just inherently challenging to evaluate the security of a product. (Halderman talks about this later in the interview.)

If you’re interested in more information on these topics, I recommend Bruce Schneier’s extensive writings about both the challenge of evaluating security and the value of liability as a motivator for companies providing products that should be secured. Liability is one of the first things he mentions in his book Secrets and Lies: Digital Security in a Networked World. Perhaps the best summary of his views for the uninitiated is his recent TED talk.

A Detailed Guide to Creating Passwords

Given some of my comments about passwords in my recent post on best practices for a secure cloud, I feel compelled to pass along this great guide to creating strong passwords put together by the folks at AgileBits, the makers of 1Password. They even talk about Diceware:

If people are so predictable, how can we create memorable passwords that aren’t predictable? It turns out that Arnold Reinhold published a solution to this back in 1995 to help people create strong and memorable pass phrases for PGP. It’s called Diceware.

I first heard about Diceware a while ago when one of my friends showed it to me. He took it seriously enough to purchase a set of casino dice to ensure he was getting truly random dice rolls. Even if you feel like you have a strong procedure for generating passwords, you might want to check out Diceware. It’s pretty impressive.

(via Practically Efficient)
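As an added illustration of the Diceware procedure described above (my own example, not code from AgileBits or from Reinhold’s Diceware page), the following Python turns five dice faces into a wordlist index, builds a passphrase, and computes the entropy the method gives. The wordlist is a constructed placeholder with the right number of entries, not the real Diceware list, and the OS CSPRNG stands in for physical dice.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # a Diceware list has 6^5 = 7776 entries

# Constructed placeholder standing in for a real Diceware list (not reproduced
# here); a real list maps each roll "11111".."66666" to a short memorable word.
PLACEHOLDER_WORDLIST = [f"w{i:04d}" for i in range(LIST_SIZE)]


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as "12345" to its wordlist index.

    Faces are read as base-6 digits (1 -> 0 ... 6 -> 5), so "11111" is
    entry 0 and "66666" is entry 7775.
    """
    if len(roll) != ROLLS_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"not a {ROLLS_PER_WORD}-dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * DICE_SIDES + (int(c) - 1)
    return index


def roll_dice() -> str:
    """Software stand-in for physical dice: five faces from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))


def passphrase_from_rolls(rolls, wordlist=PLACEHOLDER_WORDLIST) -> str:
    """Look up one word per roll and join the words with spaces."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a Diceware wordlist must have exactly 7776 entries")
    return " ".join(wordlist[roll_to_index(r)] for r in rolls)


def generate_passphrase(n_words: int, wordlist=PLACEHOLDER_WORDLIST) -> str:
    return passphrase_from_rolls([roll_dice() for _ in range(n_words)], wordlist)


def entropy_bits(n_words: int) -> float:
    """Entropy assuming the attacker knows the list and the method: each
    uniformly chosen word adds log2(7776), about 12.9 bits."""
    return n_words * math.log2(LIST_SIZE)


def words_needed(target_bits: float) -> int:
    """Smallest word count reaching target_bits, e.g. 80 bits needs 7 words."""
    return math.ceil(target_bits / math.log2(LIST_SIZE))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(f"{phrase}  ({entropy_bits(6):.1f} bits of entropy)")
```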

Best Practices for a Secure Cloud

In light of the Dropbox password snafu and the recent Sony data breach, David Sparks, of MacSparky, offers these best practices for protecting yourself on the cloud:

One thing is for certain, the stakes are only going up as The Cloud (and iCloud) goes mainstream. So does this change the way I am going to use web based storage? Not really. The huge benefits I receive from cloud syncing make it worth the risk. Nevertheless, there are a few things you can do to protect yourself:

  1. Lock up those online accounts with a strong password, not pencil;
  2. Change your online passwords. I change mine every time the clocks change;
  3. Don’t be stupid about what you store up there. Database of 1970’s baseball cards = Yes. Scanned tax returns = no.
  4. If you upload anything sensitive, encrypt it yourself first on your Mac. I wrote about it in the book and there are a lot of online tutorials out there explaining how to do it.

So in response to this latest problem am I going to run out and cancel my Dropbox account? No. I think Dropbox learned its lesson. (At least this lesson). I still think, however, we are not far from The Big One.

I believe the majority of tech-savvy people would agree with this list, but unfortunately, it perpetuates a security myth that can actually be harmful: changing your passwords regularly can be detrimental to your overall security. As Bruce Schneier says:

The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember — and easy-to-guess — passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.

Two things are far more important than changing your passwords regularly:

  1. Choosing a really strong password, which Sparks mentions.
  2. Not re-using that password at numerous locations.

Any policy on changing your passwords regularly conflicts with these two, more important, goals.

It might seem like a great idea to just choose a simple password, use it everywhere, and then change it regularly. After all, if you choose strong passwords and use a different one for every site you visit, then you’re going to have trouble remembering them. At least with a simple, easy-to-remember password that’s changing regularly the attackers would have to keep breaking it over and over again to have sustained access, right?

The problem is that attackers don’t necessarily want sustained access; they could just as easily be looking for a big one-time score. For example, it would be easier to get away with downloading every document you store in Dropbox and analyzing them later than it would be to sustain access to a Dropbox account for a year. Besides, how often does your sensitive information really change? Social Security Numbers almost never change.

When defending against a one-time score, using a simple password and changing it regularly is a system that fails ugly. The more stuff you ‘secure’ on the cloud using the same password, the more stuff could potentially be accessed in a short period of time based on a single incident at any one provider. Dropbox and Sony are just the recent examples, and they won’t be the last. I’ve written about this before, and I’m sure this post won’t be the last either.

The Continuing Saga of Dropbox

Dropbox had another security snafu:

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.

I agree with Ben Brooks:

This is a big deal and if you read through the comments on that post it is littered with pissed off customers, many claiming they won’t be using the service anymore. The smart move at this point is not to keep anything sensitive in Dropbox until Dropbox proves competent at security.

I’ve written about Dropbox a couple of times recently. It’s not my intention to turn this into a blog about Dropbox’s problems. However, Dropbox is particularly interesting to me because they are the quintessential cloud computing service. It’s super basic: you’re just storing files that are accessible anywhere.

Dropbox should be an outstanding example of the benefits and disadvantages of cloud computing, but even seemingly simple operations aren’t all that simple in the cloud. As codebutler pointed out on Twitter, deleting a file might not mean that it’s really gone. Here’s a statement from Dropbox’s help:

Once you find the file/folder you’d like to permanently delete, click on the arrow that appears to the right of the file for a drop-down menu. Choose Permanently delete from the list of choices.

Permanently deleted files can’t be recovered by the user. Maybe now your aunt’s fruitcake recipe can rest in peace.

Note the phrase “can’t be recovered by the user.” Because Dropbox uses Amazon’s S3 service, ultimately even Dropbox can’t guarantee that deleted Dropbox files are truly unrecoverable. This is probably great if all you’re really concerned about using Dropbox for is your aunt’s fruitcake recipe, but I wouldn’t use Dropbox for anything seriously important without first encrypting that document manually with a key that only I can control. I hope this isn’t the future of cloud computing.

[Update: Just to be more clear about the nature of the security problem Dropbox recently experienced: for about four hours, it was possible to log in to any Dropbox account with any password. That’s a serious problem.]

Complaint to FTC about Dropbox

Last month, I wrote about Christopher Soghoian’s blog post on Dropbox encryption. This month, Ryan Singel, of Wired.com, has a summary of Soghoian’s complaint to the FTC about Dropbox:

Dropbox, the wildly popular online storage system, deceived users about the security and encryption of its services, putting it at a competitive advantage, according to an FTC complaint filed Thursday by a prominent security researcher.

The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

Soghoian, who spent a year working at the FTC, charges that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,” which amounts to a deceptive trade practice that can be investigated by the FTC.

Definitely check out the rest of the article, but don’t skip the actual complaint. It’s shorter than it looks and pretty easy to read.

Connecting the Dots

The U.S. government continues to develop data mining tools to identify terrorists:

Federal intelligence agencies are developing new software that can analyze the communications networks and travel activities of terrorists to help discover relationships between them.

The software being developed by the National Counterterrorism Center (NCTC), called DataSphere, is just one of several projects intelligence agencies developed in 2010 to aid in retrieval and analysis of intelligence information, according to the Office of the Director of National Intelligence’s (ODNI’s) 2010 Data Mining Report.

The subtitle of that article is “Report details data analysis software developed by intelligence agencies to connect the dots between suspected terrorists,” so it fits pretty well with this article from Bruce Schneier in 2006:

In the post 9/11 world, there’s much focus on connecting the dots. Many believe that data mining is the crystal ball that will enable us to uncover future terrorist plots. But even in the most wildly optimistic projections, data mining isn’t tenable for that purpose. We’re not trading privacy for security; we’re giving up privacy and getting no security in return.

Read the whole article. Schneier has written about this subject for years, and this is a great example of his argument. Data mining is a useful technology for some problems, but terrorism just isn’t one of them.

Hard Drive Steganography

New Scientist wrote about a recent paper on using hard drive fragmentation to hide information. You can find the paper through its DOI: 10.1016/j.cose.2010.10.005.

Hard drive fragmentation occurs when the 1s and 0s that make up a file cannot be stored next to one another physically on a hard drive. We may often think about digital information as completely non-physical, but that’s just an abstraction. In reality, there is a physical medium for each 1 and each 0 somewhere.

This paper describes a technique for hiding a message (also composed of 1s and 0s) by fragmenting a hard drive according to a code. Here’s how their technique is described by New Scientist:

The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0. The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.

Hiding messages like this is called steganography, and it can be a useful security technique. Again, as New Scientist describes:

Encryption should sometimes be avoided, says Hassan Khan at the University of Southern California in Los Angeles, because the gobbledegook it creates is a dead giveaway: it shows someone might have something to hide. That could spell disaster for someone trying to smuggle information out of a repressive country.

Definitely read the article and, if you can, skim their paper online. It’s worth a read.
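To make the cluster-adjacency code quoted above concrete, here is an added Python model of it (my own example, not the researchers’ software): the decoder is exactly what a recipient, or a forensic examiner with the file’s cluster map, would run over a cluster chain, and the encoder picks a placement over a simulated set of free clusters. The disk, the free region and the message are all constructed for the demo.

```python
def decode_from_chain(chain):
    """Recover hidden bits from a file's cluster chain (clusters in logical order).

    Per the scheme: when logical cluster i+1 sits physically right after
    cluster i, that pair carries a 1; any other placement carries a 0.
    A file spanning n clusters therefore carries n - 1 bits.
    """
    return [1 if nxt == cur + 1 else 0 for cur, nxt in zip(chain, chain[1:])]


def encode_to_chain(bits, free_clusters, start):
    """Pick a physical layout whose adjacency pattern spells out `bits`.

    Works over a simulated free-cluster set (a model, not a filesystem driver).
    A 1 forces the next cluster to be prev+1; a 0 takes any other free
    cluster, preferring one whose successor is also free so a later 1 stays
    possible. Raises ValueError when the free space cannot carry the bit.
    """
    free = set(free_clusters)
    if start not in free:
        raise ValueError("start cluster is not free")
    free.remove(start)
    chain = [start]
    for bit in bits:
        prev = chain[-1]
        if bit == 1:
            nxt = prev + 1
            if nxt not in free:
                raise ValueError(f"cluster {nxt} needed for a 1-bit is not free")
        else:
            others = [c for c in sorted(free) if c != prev + 1]
            if not others:
                raise ValueError("no non-adjacent free cluster left for a 0-bit")
            preferred = [c for c in others if c + 1 in free]
            nxt = (preferred or others)[0]
        free.remove(nxt)
        chain.append(nxt)
    return chain


def text_to_bits(text: str):
    return [int(b) for byte in text.encode() for b in f"{byte:08b}"]


def bits_to_text(bits) -> str:
    usable = len(bits) - len(bits) % 8  # drop a trailing partial byte
    octets = (bits[i:i + 8] for i in range(0, usable, 8))
    return bytes(int("".join(map(str, o)), 2) for o in octets).decode()


if __name__ == "__main__":
    # Constructed demo: a 100-cluster free region and a carrier file whose
    # content is irrelevant; only its placement carries the message. Note the
    # fragility: a defragmentation pass rewrites the layout and erases it.
    secret = text_to_bits("hi")
    layout = encode_to_chain(secret, set(range(1000, 1100)), 1000)
    print(layout)
    print(bits_to_text(decode_from_chain(layout)))
```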

Schneier’s Law

Bruce Schneier has a great short post on what has become known as Schneier’s Law:

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.

This is a fundamental concept to cryptography in particular and to security in general. It’s worth knowing where it comes from if you’re going to cite it appropriately.

Dropbox Encryption

Yesterday, Christopher Soghoian, a security and privacy researcher with a growing reputation for finding serious practical threats in major online services, announced another such threat concerning the encryption scheme Dropbox uses for all of their users’ files:

Dropbox, the popular cloud based backup service deduplicates the files that its users have stored online. This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.

The service tells users that it “uses the same secure methods as banks and the military to send and store your data” and that “[a]ll files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” However, the company does in fact have access to the unencrypted data (if it didn’t, it wouldn’t be able to detect duplicate data across different accounts).

Read the whole post. It’s excellently written, and it explains the problems in detail. If you’re curious, here’s a section of Dropbox’s recently updated privacy policy:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights.

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

In short, U.S. law enforcement can read your personal files stored on Dropbox without a warrant.

In some ways, this ‘new’ threat isn’t really all that new. Jim Harper identified the basic privacy problems with Dropbox way back in December 2009:

I homed right in on their “Policies” page, looking for assurance that they would protect the legal rights of users to control information placed in the care of their service. There’s precious little to be found.

There’s no promise that they would limit information they share with authorities to what is required by valid legal process. There’s no promise that they would notify users of a warrant or subpoena. They do reserve the right to monitor access and use of their site “to comply with applicable law or the order or requirement of a court, administrative agency or other governmental body.”

Is there protection in the fact that files are stored encrypted on their service? The site—though not the terms of service—says “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Not if Dropbox is willing to monitor the use of the site on behalf of law enforcement. They can simply gather your password and hand it over.

Ideally, Dropbox would build this into their service. If users had the option of locally encrypting files, either individually or in a particular folder, prior to uploading them to Dropbox and without allowing Dropbox access to their encryption keys, this would be a much less pressing concern. This could even be a feature only available to paying customers. Certainly, the inability to deduplicate data would be an added expense for Dropbox.

However, as it stands, encryption must be done manually to ensure your data is protected. If you use Dropbox for anything remotely serious, such as business-critical documents, diaries, sensitive contact information, or calendars, then you should independently encrypt those files prior to uploading them to Dropbox. Some applications are designed to store data directly to Dropbox folders. These applications could actually encrypt that data and store the encryption keys locally. I strongly recommend that developers of such applications consider protecting their users by building in strong encryption.
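To make concrete both the deduplication argument in Soghoian’s post and the local-encryption option discussed just above, here is an added Python model (my own example, not Dropbox’s or Soghoian’s code). It uses a stdlib SHA-256 keystream as a stand-in for AES-256, constructed account names and a constructed document, and compares how many copies the provider stores and who can read them under provider-side versus client-side encryption.

```python
import hashlib
import os

def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stdlib stand-in for AES-256 (SHA-256 counter-mode XOR, symmetric); a
    teaching model only, not a production cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class Provider:
    """Provider-side encryption with one provider-held key; uploads are
    deduplicated on the hash of whatever content the provider receives."""

    def __init__(self):
        self.master_key = os.urandom(32)
        self.blobs = {}      # content hash -> (nonce, ciphertext)
        self.accounts = {}   # (user, filename) -> content hash

    def upload(self, user, filename, content: bytes):
        digest = hashlib.sha256(content).hexdigest()
        if digest not in self.blobs:  # identical content is stored only once
            nonce = os.urandom(16)
            self.blobs[digest] = (nonce, keystream_cipher(self.master_key, nonce, content))
        self.accounts[(user, filename)] = digest

    def read_as_provider(self, user, filename) -> bytes:
        """What an employee or a legal request obtains: the provider key
        strips the provider's own encryption layer."""
        nonce, ct = self.blobs[self.accounts[(user, filename)]]
        return keystream_cipher(self.master_key, nonce, ct)

def client_encrypt(user_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_cipher(user_key, nonce, plaintext)

def client_decrypt(user_key: bytes, blob: bytes) -> bytes:
    return keystream_cipher(user_key, blob[:16], blob[16:])

def compare_models(document: bytes) -> dict:
    """Upload the same document from two accounts under each model."""
    p = Provider()
    p.upload("alice", "report.pdf", document)
    p.upload("bob", "report.pdf", document)
    provider_side = {"copies": len(p.blobs),
                     "provider_can_read": p.read_as_provider("alice", "report.pdf") == document}
    # Client-side: each user encrypts with a key the provider never sees, so the
    # two ciphertexts differ (no cross-account dedup) and the provider's layer
    # unwraps only to ciphertext.
    q = Provider()
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    q.upload("alice", "report.pdf", client_encrypt(alice_key, document))
    q.upload("bob", "report.pdf", client_encrypt(bob_key, document))
    seen = q.read_as_provider("alice", "report.pdf")
    client_side = {"copies": len(q.blobs), "provider_can_read": seen == document,
                   "owner_can_read": client_decrypt(alice_key, seen) == document}
    return {"provider_side": provider_side, "client_side": client_side}
```

The provider-side run stores one copy and can read it; the client-side run stores two copies that only the key holders can read, which is exactly the storage cost and the privacy gain the post weighs.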