The Long Dark Tech-Time of the Soul

This is a technology-focused blog that describes my trials and tribulations with technology which, no matter what brave new world is promised to be just around the corner, nearly always fails to live up to expectations.

Saturday, September 11, 2004

Enterprise security Gattaca style

It's good to know that Microsoft is addressing the security issues posed by USB key drives at work by giving IT admins the ability to prevent their connection to work PCs. Unfortunately that won't be available until the 2006 Longhorn release of Windows, which means in reality that it probably won't be widely available until 2007. Given the glacial rate of turnover for office PCs, especially the lowly ones given to "non-essential" staff i.e. everyone except the sales force (smirk), then perhaps by 2010 maybe 50% of all office PCs will be secure. Until then darlings, gather ye corporate secrets while ye may.

Of course the big issue with such problems is that no one at Microsoft appears to have even considered it as an issue until years after USB connectors started appearing on PCs. I mean, come on guys - you put a very high speed connection to the PC bus exposed on the outside of the box and let any user - even a "Guest" account user - plug in a device and start copying at will. Doh. How about locking down the CD and DVD burner that is becoming standard on all new PCs? And what about the VPN connected remote user who is copying and pasting your secrets onto his home machine? Really, the VPN is a huge security hole waiting to happen.

And when all conventional holes are plugged up I have a few unconventional ones - how about running a little program on your PC that converts all your company secrets to a conventional audio stream and then plugging in a recording device to the PC's audio jack? Old-timers will know such a tape based scheme could easily achieve oh, at least 1200 baud; with modern digital recording I'm sure it could manage much, much higher rates.

So then the audio jack is removed from your PC - after all the bosses don't want you listening to music at work. Then what? Well how about a little program that takes over a small piece of your screen and digitizes the company secrets to a rapidly changing 2D barcode pattern. Place a small optical scanner up to the screen and just suck the secrets in that way. Synced with the screen's 60+ Hz refresh rate one could easily imagine ripping up to a megabit per second of data that way.

Or how about this - use steganographic techniques to add little extra pixels of information to conventional text printouts. Anyone inspecting such printouts will see just plain old text totally unrelated to the actual subject matter encoded within it. A 100 page printout could easily conceal a few million bits of information.

Well, those may be far-fetched, but really I'm just trying to say, where there is a will there is a way and those intent on stealing the company secrets will eventually find and exploit it.

But for conventional information leakage it seems like new ways to leak information are springing up as fast as companies like Microsoft try to lock them down. Real data security needs to go much deeper, right down to the OS, device and hardware level. That is what Microsoft is trying to do with some of its much rumoured Longhorn and post-Longhorn technologies. So maybe, just maybe, the world's supposedly #1 supplier of operating systems to business users might catch up with the casual disgruntled employee who the day he is laid off wants to rip off the source code for the company's entire product line - just because he can.

If the logical progression toward fear and paranoia continues to evolve in the workplace then perhaps by about 2050 the workplace will start to resemble that from the 1997 movie "Gattaca". In Gattaca workers file in past a blood based DNA identification, and onto their identical workstations arranged like a 1950s typing pool with just a keyboard and monitor exposed on each desk. Each keystroke is monitored and the boss wanders around menacingly, checking over the shoulders of his minions lest they pause for a minute to contemplate their lot. Just to keep them on their toes random urine and blood based DNA and drug checks are held.

If I were designing the Gattaca secure workplace I'd improve things somewhat by building a tiny DNA sensing vacuum right into the keyboard so as human detritus flakes from the hapless worker's fingers they are continuously monitored to ensure the user is who he is supposed to be. In fact you might just as well plumb the worker directly into the computer intravenously and continuously monitor his blood...


Wednesday, September 08, 2004

Fingerprints

Okay I swear it was pure coincidence that today Microsoft launched a new standalone fingerprint scanner and a keyboard with integrated scanner in it. Part of the reason that fingerprints have any security associated with them at all is because they are rare at the moment. When fingerprint scanners become ubiquitous and widely accepted as "secure" any perceived security will go out of the window. Just go search Google for "gummy fingers" or read this article on how to make them.

Remember that whenever you offer up your finger to be scanned whoever is scanning the finger can then print and make a copy of your finger. Trojan horse scanners will be able to collect scads of prints, as will anyone with ready access to freshly printed materials. So the next time you're in Starbucks surfing the web by WiFi make sure you wipe down that coffee cup before it's taken away. And you'd better clean off your cutlery at the local web cafe before it goes back to the kitchen - the manager or bus boy might just be making a nice big collection of prints to use for his retirement. This would be especially true if you're someone famous - such prints will soon become widely collected and disseminated.

Also remember that if you've ever entered this country on a visa waiver, have a green card, hold a driver's license in some states, or have ever gone "down town" for whatever reason, then your fingerprint is most definitely in the hands of the authorities. Believe me, if your PC is using a fingerprint scanner it will make hacking into it a whole lot easier when they come to install monitoring software on it...

Finally, for those who might be going off to buy that nifty USB key that stores all your passwords, think about this: just be sure that every computer you ever plug it into has never been compromised. If not it may just be sucking every password off that device as soon as you plug it in - along with your master password. Oh sure you trust your computers, and your friends, and the web cafe. Really? Have you never suffered from a computer virus or adware? Do you know every piece of software on your system and that it has no backdoors, intentional or otherwise, in it? And what about the operating system? Does it really have no bugs that would let someone grab passwords as they are typed or fed to your browser?

I didn't think so.

Caveat emptor!

Passwords

Unlike many people I know, and indeed by all accounts "the average computer user", I actually utilize a lot of different passwords. I know passwords are a pain to remember especially when not used very often; indeed until recently I could barely remember my home phone number because I really don't use it that often. In today's web world even average surfers find themselves interacting with dozens of websites and applications that require both a username and password. Even if you can figure out a secure and memorable password there is never any guarantee that the same username you want to use can be used at any given site.

The reason I don't use a single username and password combination is that personally I really don't trust websites to manage the security of my password. Ask yourself, does every website pay full attention to the security of its network and machines, and vet all of its staff for suitability to manage your password information? If you use the same username and password at every site then it doesn't matter what the site is, your username and password is blown once someone at that site, or some external attacker, hacks their way into the system. The attacker extracts the usernames and passwords from the database and then they can be tried out at dozens of online banks, brokerages and online shopping websites. Eventually they will try the username and password at your bank, your brokerage and your favorite shopping store - the rest, as they say, is history.

Personally I try to maintain tiers of passwords. I have one reasonably simple password for sites that I don't really care if the account is compromised. For sites that I do trust but do care if they are hacked I have several different very secure passwords. For systems that might give access to my home network or its resources (mail accounts) I have different high security passwords, and for internal passwords I maintain medium security ones except for administrator accounts.
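
The reuse problem and the tiering scheme described above can be checked mechanically. The following is an added example, not code from the original post: it takes a constructed vault of (site, tier, password) entries, assumes the same username is used everywhere, and reports which other accounts fall when any one site's password database is stolen. The tier names and their ranking are assumptions made for the illustration.

```python
from collections import defaultdict

# Assumed ranking of the post's tiers, lowest value first (hypothetical names).
TIER_RANK = {"throwaway": 0, "internal": 1, "trusted": 2, "home-network": 3}

# Constructed sample vault: sites and passwords are made up for illustration.
SAMPLE_VAULT = [
    ("forum.example", "throwaway", "sunshine1"),
    ("news.example", "throwaway", "sunshine1"),       # shared on purpose
    ("shop.example", "trusted", "T7#qLw9!vRz2"),
    ("bank.example", "trusted", "sunshine1"),         # crosses tiers
    ("mail.example", "home-network", "Xp4$mN8@kQe6"),
    ("broker.example", "trusted", "T7#qLw9!vRz2"),    # reuse inside a tier
]

def blast_radius(vault):
    """Map each site to the other sites that share its password, i.e. the
    accounts an attacker can try successfully after breaching that site."""
    by_password = defaultdict(list)
    for site, _tier, password in vault:
        by_password[password].append(site)
    return {site: sorted(s for s in by_password[password] if s != site)
            for site, _tier, password in vault}

def tier_violations(vault):
    """Return (low_site, high_site) pairs where a breach of a lower-tier
    site hands over the password of a higher-tier account."""
    tier_of = {site: TIER_RANK[tier] for site, tier, _pw in vault}
    radius = blast_radius(vault)
    return sorted((low, high)
                  for low, exposed in radius.items()
                  for high in exposed
                  if tier_of[low] < tier_of[high])

if __name__ == "__main__":
    for site, exposed in blast_radius(SAMPLE_VAULT).items():
        print(f"breach of {site:15} exposes: {', '.join(exposed) or 'nothing else'}")
    for low, high in tier_violations(SAMPLE_VAULT):
        print(f"VIOLATION: {high} shares a password with lower-tier {low}")
```

Reuse inside the throwaway tier is accepted by design in this scheme; the pairs returned by `tier_violations` are the ones that defeat it.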

The big problem is I end up with reams of passwords and if it's not a site I use all the time then it becomes very easy to forget them. The solution I use is the freeware application PINS which securely stores all my passwords. It uses 448-bit Blowfish encoding, has password generators, keypad snooping defeat algorithms, and does its best to minimize the time that cleartext passwords are actually in memory or on the screen. Assuming your passwords are cut-and-pasted directly into a trusted browser and then sent into an SSL connection it's about the best you can do.

Yes I agree it's better to just remember all your passwords, but the reality is that when forced to do so most people will end up compromising password length, complexity and hence security. Or they may even do something dumb like writing all their passwords down on a piece of paper in their wallet or in the top drawer at work. Isn't that the way it always is in the movies? Personally I'd rather take a calculated risk with the passwords being stored on my own system where I know a lot more about its security than use weak ones or a single password and put all my trust in other people's sites.

Products like the M500 from MetaPass may be a good solution for some people but if they are carrying around all their passwords on their keychain let's hope they choose a really good master password to lock all the other passwords and that they really can memorize it. Another problem with this product is it assumes that you can get to the USB port of all machines you want to access - what if you're in a web cafe and want to do some online banking and there is no accessible USB port? That's quite often the case because an open USB port is an easy way for errant users to plug in a rogue device and hack your machine, or damage it electrically.

If you can carry your own device around with you at all times then that offers better security. I have a friend who just got a Fujitsu Lifebook with built-in thumbprint scanner and very nice it is too. The thumbprint scanner seems to work well enough and is integrated with the web browser and OS so it can fill out passwords for him at the swipe of his right digit. Brilliant. But what if his thumbprint is compromised? If there was something really important on that laptop then any co-worker could use well published techniques to lift a print from a coffee mug, car door, even toilet seat... Let's face it, people leave fingerprints all over the place! Once lifted the hacker can then create a replica of the print on a dummy finger that will fool the scanner because it can't tell a real fingerprint from a copy - it's the print it's looking at. Even systems that attempt to determine if a real finger is in use can be fooled. Now granted it takes more effort to do this than furtively look over someone's shoulder while they type a password, or rifle through their files or drawers looking for password clues or lists... However it is really not that hard to do and easily within the reach of an average criminal, spouse, or co-worker who goes looking for the information and tries it.

Once your fingerprint is compromised then what do you do? Get a new hand grafted on? This is why I'm not particularly in favour of such bio-metric identification becoming commonplace in the everyday world. People will just put too much trust in it and it will become too attractive as a single point of attack. Let's face it, if a bunch of hackers on the web can lift and fake fingerprints and fool standard scanners then really should you trust your bank account, medical records, credit card info and life to such a technology? I didn't think so.

From my own point of view I would be willing to place a high degree of trust in some bio-metric system if it was associated with something that is guaranteed to be with the real me, and only with me. At the moment I've yet to hear what that is other than a secret memory that I've never shared with anyone, never written down and never spoken. And if I never share it with anyone then how is that going to be useful as a password? Quite simply it isn't. Until someone finds the equivalent of public-private key based encryption built into a human then it seems that there will always be many, many compromises associated with security. In the meantime people can live with compromises - just think of our dependence on simple pieces of metal that are easily copied by relatively unskilled persons, easily lost, and work with a lock that is in any case also relatively easily defeated or "worked around" forcibly if necessary. It's all a matter of the right amount of security applied appropriately to meet the expected level of risk.

Wednesday, September 01, 2004

New URL, same old long dark tech-time

As of today this blog now has a new URL: www.longdarktechtime.com. The old URL will continue to work for the foreseeable future, at least until all the major search engines have re-indexed it with the new URL. For now all requests to the old URL will be redirected to the new one. If you link to this blog please update your links to use www.longdarktechtime.com