[ISN] CRYPTO-GRAM, May 15, 2001

From: InfoSec News (isnat_private)
Date: Wed May 16 2001 - 18:24:18 PDT

  • Next message: InfoSec News: "[ISN] An Outlook worm to jam NSA's Echelon"

    Forwarded by: Bruce Schneier <schneierat_private>
    
                      CRYPTO-GRAM
    
                      May 15, 2001
    
                   by Bruce Schneier
                    Founder and CTO
           Counterpane Internet Security, Inc.
                schneierat_private
              <http://www.counterpane.com>
    
    
    A free monthly newsletter providing summaries, analyses, insights, and
    commentaries on computer security and cryptography.
    
    Back issues are available at 
    <http://www.counterpane.com/crypto-gram.html>.  To subscribe or 
    unsubscribe, see below.
    
    Copyright (c) 2001 by Counterpane Internet Security, Inc.
    
    
    ** *** ***** ******* *********** *************
    
    In this issue:
          Defense Options: What Military History Can Teach
            Network Security, Part 2
          Crypto-Gram Reprints
          The Futility of Digital Copy Prevention
          News
          Microsoft and the Window of Vulnerability
          Counterpane Internet Security News
          Security Standards
          Safe Personal Computing
          Comments from Readers
    
    
    ** *** ***** ******* *********** *************
    
         Defense Options: What Military History
           Can Teach Network Security, Part 2
    
    
    
    In Part I of this series, I examined the natural advantages of defense
    in military history.  I concluded that two advantages -- the ability
    to shift forces and knowledge of the terrain -- are underutilized in
    network security.  I concluded that network security based on hidden
    attack sensors and rapid response would be far more effective than
    firewalls, IDSs, and whatever the new new thing next new thing is.
    
    In Part II, I want to look even more broadly at the military's notion
    of defense.  In war, there are three, and only three, types of
    defense:  passive defense, active defense, and counterattack.
    
    Passive defenses involve making yourself harder to attack.  Against an
    air assault, for example, this could mean building bunkers or hiding
    in caves, dispersing your forces, or covering yourself in camouflage.  
    All of these defenses have the same goal: reducing the effectiveness
    of the enemy's bombs.  The important thing to note is that while
    passive defenses make attacks less effective, they do nothing to the
    attackers themselves.
    
    Active defenses are designed to take out the attacker.  Returning to
    the incoming aircraft example, an active attack could be anti-aircraft
    fire that shoots down the attacking aircraft in flight.  This is
    harder than passive defense, but can be much more effective.
    
    Counterattack means turning the tables and attacking the attacker.  
    Against the air assault, it could involve attacking airfields, fuel
    depots, and ammunition storage facilities.  Note that the line between
    defense and offense can blur, as some counterattack targets are less
    clearly associated with a specific attack on a specific target and
    more geared toward denying the attacker the ability to wage war in
    general.
    
    Warfare has taught us again and again that active defenses and
    counterattacks are far more effective than passive defenses.  Look at
    the Battle of Gettysburg in the American Civil War.  Look at the
    Battle of the Bulge in World War II.  Look at Leyte, Agincourt, and
    almost any piece of military history.  Even in the animal kingdom,
    teeth and claws are a better defense than a hard shell or fast legs.
    
    On the Internet, most people think of computer security in terms of
    passive defenses only.  They believe that if they could only make
    their systems "hard" enough, they'd be safe.  Security vendors
    reinforce this view, providing ever more intricate protection
    mechanisms for computers and networks.  Even the work I've done,
    pointing out the limitations of prevention and extolling the virtues
    of detection and response, are still centered around passive defense.  
    Part I of this essay was similarly limited: the ability to shift
    forces and knowledge of the terrain are both primarily associated with
    passive defense.
    
    If we're ever going to win the war against computer crime, we're going
    to have to increasingly think more in terms of active defenses, and
    even counterattacks.
    
    We've started to see some of this already.  Intrusion detection
    systems and honeypots provide alarms that can alert defenders of an
    attack in progress.  Managed Security Monitoring services can filter
    these alarms and provide expert response when a network is under
    attack.  Vigilant, adaptive, relentless, expert intelligent network
    defense is far more effective than static security products.  I said
    all of this in Part I of this essay.
    
    But alarm systems, no matter how effective, are still primarily
    passive.  They allow a defender to better survive an attack in
    progress, but they don't put the attacker in danger.  Right now, the
    only counterattack we have is prosecution.  Putting criminals in jail
    is the best deterrent we have, and I am happy to see more of it.  But
    prosecution can only happen after the fact.
    
    One can imagine active defenses and counterattacks, but they are
    mostly in the realm of science fiction.  What if, when an attacker
    broke into a network, his attack program were disabled?  What if he
    could be sent a virus that destroys his computer?  Or, at least, what
    if some third party collected an evidentiary chain that could prove
    his guilt in court?
    
    There are non-technical considerations as well.  In most countries,
    active defenses can be illegal.  Private citizens can't mine their
    backyards or booby-trap their front doors.  In many countries, it is
    illegal for them to shoot a burglar breaking into their house.  
    Active defenses are reserved for wartime, where there are no rules, or
    for the police, who have a state-sponsored monopoly on violence.
    
    I worry about the vigilante-style cyber-justice that could arise from
    this kind of defense, but it is certainly something we should be
    thinking about.  And it is definitely something that we should be
    researching.
    
    Passive defense is far from useless, but is not the only form of
    defense we can use.  In many cases, simple active defenses such as
    monitoring are both more effective and more cost effective than adding
    more passive defenses.  "Fortress computer center" was a good model
    when every company had its own unconnected networks.  In today's
    world, where every network must be connected to the global network, it
    doesn't work as well.  If we are ever going to win the war against
    computer crime, we are going to have to emerge from our protective
    bunkers and actively engage the attacker.
    
    
    ** *** ***** ******* *********** *************
    
                Crypto-Gram Reprints
    
    
    
    Computer Security: Will we Ever Learn?
    <http://www.counterpane.com/crypto-gram-0005.html#ComputerSecurityWillWeEver 
    Learn>
    
    Trusted Client Software
    <http://www.counterpane.com/crypto-gram-0005.html#TrustedClientSoftware>
    
    The IL*VEYOU Virus (Title bowdlerized to foil automatic e-mail traps.)
    <http://www.counterpane.com/crypto-gram-0005.html#ilyvirus>
    
    The Internationalization of Cryptography
    <http://www.counterpane.com/crypto-gram-9905.html#international>
    
    The British discovery of public-key cryptography
    <http://www.counterpane.com/crypto-gram-9805.html#nonsecret>
    
    
    ** *** ***** ******* *********** *************
    
        The Futility of Digital Copy Prevention
    
    
    
    Music, videos, books on the Internet!  Freely available to anyone
    without paying!  The entertainment industry sees services like Napster
    as the death of its business, and it's using every technical and legal
    means possible to prevail against them.  They want to implement
    widespread copy prevention of digital files, so that people can view
    or listen to content on their computer but can't copy or distribute
    it.
    
    Abstractly, it is an impossible task.  All entertainment media on the
    Internet (like everything else on the Internet) is just bits: ones and
    zeros.  Bits are inherently copyable, easily and repeatedly.  If you
    have a digital file -- text, music, video, or whatever -- you can make
    as many copies of that file as you want, do whatever you want with the
    copies.  This is a natural law of the digital world, and makes copying
    on the Internet different from copying Rolex watches or Louis Vuitton
    luggage.
    
    What the entertainment industry is trying to do is to use technology
    to contradict that natural law.  They want a practical way to make
    copying hard enough to save their existing business.  But they are
    doomed to fail.
    
    For these purposes, three kinds of people inhabit the Internet:
    average users, hackers, and professional pirates.  Any security
    measure will work against the average users, who are at the mercy of
    their software.  Hackers are more difficult to deter.  Fifteen years
    of software copy protection has taught us that, with enough
    motivation, any copy protection scheme -- even those based on hardware
    -- can be broken.  The professional pirate is even harder to deter;
    this is someone willing to spend considerable money breaking copy
    protection, cloning manuals and anti-counterfeiting tags, even
    building production plants to mass-produce pirated products.  If he
    can make a profit selling the hacked software or stolen music, he will
    defeat the copy protection.
    
    The entertainment industry knows all of this, and tries to build
    solutions that work against average users and most hackers.  This
    fails because of a second natural law of the digital world: the
    ability of software to encapsulate skill.  A safe that can keep out
    99.9% of all burglars works, because the safe will rarely encounter a
    burglar with enough skill.  But a copy protection scheme with similar
    characteristics will not, because that one-in-a-thousand hacker can
    encode his break into software and then distribute it.  Then anyone,
    even an average user, can download the software and use it to defeat
    the copy protection scheme.  This is what happened to the DVD
    industry's Content Scrambling System (CSS).  This is how computer
    games with defeated copy protection get distributed.
    
    The entertainment industry is responding in two ways.  First, it is
    trying to control the users' computers.  CSS is an encryption scheme,
    and protects DVDs by encrypting their contents.  Breaks do not have to
    target the encryption.  Since the software DVD player must decrypt the
    video stream in order to display it, the break attacked the video
    stream after decryption.  This is the Achilles' heel of all content
    protection schemes based on encryption: the display device must
    contain the decryption key in order to work.
    
    The solution is to push the decryption out of the computer and into
    the video monitor and speakers.  To see how this idea helps, think of
    a dedicated entertainment console: a VCR, a Sega game machine, a CD
    player.  The user cannot run software on his CD player.  Hence, a copy
    protection scheme built into the CD player is a lot harder to break.  
    The entertainment industry is trying to turn your computer into an
    Internet Entertainment Console, where they, not you, have control over
    your hardware and software.  The recently announced Copy Protection
    for Recordable Media has this as an end goal.  Unfortunately, this
    only makes breaking the scheme harder, not impossible.
    
    The industry's second response is to enlist the legal system.  
    Legislation, such as the Digital Millennium Copyright Act (DMCA), made
    it illegal to reverse-engineer copy protection schemes.  Programs such
    as the one that broke CSS are illegal to write or distribute under the
    DMCA.  This is failing because of a third natural law of the digital
    world: the lack of political boundaries.  The DMCA is a U.S. law, and
    does not affect any of the hundreds of other countries on the
    Internet.  And while similar laws could be passed in many countries,
    they would never have the global coverage it needs to be successful.
    
    More legal maneuvering is in the works.  The entertainment industry is
    now trying to pin liability on Internet service providers.  The next
    logical step is to require all digital content to be registered, and
    to make recording and playback equipment without embedded copy
    protection illegal.  All in an attempt to do the impossible: to make
    digital content uncopyable.
    
    The end result will be failure.  All digital copy protection schemes
    can be broken, and once they are, the breaks will be distributed...law
    or no law.  Average users will be able to download these tools from
    Web sites that the laws have no jurisdiction over.  Pirated digital
    content will be generally available on the Web.  Everyone will have
    access.
    
    The industry's only solution is to accept the inevitable.  
    Unrestricted distribution is a natural law of digital content, and
    those who figure out how to leverage that natural law will make money.  
    There are many ways to make money other than charging for a scarce
    commodity.  Radio and television are advertiser funded; there is no
    attempt to charge people for each program they watch.  The BBC is
    funded by taxation.  Many art projects are publicly funded, or funded
    by patronage.  Stock data is free, but costs money if you want it
    immediately.  Open source software is given away, but users pay for
    manuals and tech support: charging for the relationship.  The Grateful
    Dead became a top-grossing band by allowing people to tape their
    concerts and give away recordings; they charged for performances.  
    There are models based on subscription, government licensing,
    marketing tie-ins, and product placement.
    
    Digital files cannot be made uncopyable, any more than water can be
    made not wet.  The entertainment industry's two-pronged offensive will
    have far-reaching effects -- its enlistment of the legal system erodes
    fair use and necessitates increased surveillance, and its attempt to
    turn computers into an Internet Entertainment Platform destroys the
    very thing that makes computers so useful -- but will fail in its
    intent.  The Internet is not the death of copyright, any more than
    radio and television were.  It's just different.  We need business
    models that respect the natural laws of the digital world instead of
    fighting them.
    
    Similar sentiment about the death of the PC:
    <http://www.theregister.co.uk/content/2/17419.html>
    
    
    ** *** ***** ******* *********** *************
    
                         News
    
    
    
    "Nihil tam munitum quod non expugnari pecuna possit."  So said Marcus
    Tullius Cicero, a Roman poet, statesman, philosopher and writer who is
    supposed to have lived 106-43 B.C.  Translation:  "No place is so
    strongly fortified that money could not capture it."  (I know this is
    not news, but it's interesting.)
    
    A bug in commercial PGP that allows an attacker to drop files to your disk 
    that may then get executed (thanks to Windows .dll loading from current 
    working directories).
    <http://www.atstake.com/research/advisories/2001/index.html#040901-1>
    
    An excellent article on the dangers of UCITA:
    <http://www.itworld.com/Comp/2362/LWD010411vontrol2/index.html>
    
    There is a security flaw in Alcatel DSL modems:
    <http://www.pcworld.com/news/article/0,aid,47004,00.asp>
    <http://www.zdnet.com/zdnn/stories/news/0,4586,5080984,00.html>
    Normally, I wouldn't even bother with this story.  But Alcatel posted a MS 
    Word file on their Web site about the problem and fix (which they've since 
    removed).  Unfortunately, the file saved deleted changes.  The draft 
    document is far more interesting than the real one.  See some of the 
    deleted comments here:
    <http://morons.org/articles/1/188>
    
    Microsoft responded to my article on the fake certificates in the previous 
    Crypto-Gram:
    <http://www.microsoft.com/technet/security/verisign.asp>
    Greg Guerin has rebutted Microsoft's claims better than I could:
    <http://amug.org/~glguerin/opinion/revocation.html>
    It turns out that the truth is way more complicated, but no more secure, 
    than I had originally thought.
    
    Remember the Egghead.com break last December?  Here the CEO discusses what 
    he would and wouldn't do differently if faced with the situation again:
    <http://www.retailtech.com/content/coverstories/apr01.shtml>
    
    Anti-sniffing password management software.  I'm not convinced this will 
    work, but at least people are thinking about the problem.  Shareware.
    <http://32-bitfreeware.virtualave.net/AntiSnoop.zip>
    
    _Body of Secrets_ by James Bamford.  This is his second book about the NSA, 
    and it's really good.  I did a review for Salon:
    <http://www.salon.com/books/review/2001/04/25/nsa/index.html>
    Here's another review from The New York Times:
    <http://www.nytimes.com/books/01/04/29/reviews/010429.29findert.html>
    
    CERT is charging companies to get early warnings about threats and 
    vulnerabilities.  On the one hand, it's nice to see a little free 
    enterprise here.  On the other hand, isn't CERT government-funded?  But 
    CERT advisories often appear long after other newsgroups report on 
    vulnerabilities, so I don't know how valuable this service really is.
    <http://www.msnbc.com/news/561513.asp>
    <http://news.excite.com/news/ap/010419/20/computer-security>
    <http://news.cnet.com/news/0-1003-200-5665677.html>
    <http://www.theregister.co.uk/content/8/18493.html>
    
    Giga has released a report on the Managed Security Services space.  It says 
    nice things about Counterpane, but that's almost beside the point.  There 
    has been a lot of confusion in the security services space, and the author 
    nicely segments the businesses into six categories.  He does a good job 
    explaining what the different managed security services are, and which 
    companies offer what services.
    <http://www.counterpane.com/giga3.pdf>
    
    It's hard to take this particular story seriously, but I have long 
    predicted that insurance companies will start differentiating premiums 
    based on what kind of networking hardware and software you use:
    <http://www.theregister.co.uk/content/8/18324.html>
    
    Impressive investigative work by the FBI.  This is the kind of thing I like 
    to see the FBI doing, rather than mucking about with surveillance tools 
    like Carnivore.
    <http://news.cnet.com/news/0-1007-200-5699762.html?tag=tp_pr>
    <http://www.cnn.com/2001/TECH/internet/05/10/fbi.hackers.ap/index.html>
    Some disagree with me:
    <http://www.zdnet.com/enterprise/stories/main/0,10228,5082126,00.html>
    
    Years ago, ftp was how you shared files between computers.  There are still 
    vulnerabilities associated with this service/
    <http://securityportal.com/closet/closet20010418.html>
    
    A major legal battle is looming, as the RIAA tries to suppress Princeton 
    security research into its digital watermarks, citing secrecy provisions of 
    the DMCA:
    <http://www.zdnet.com/zdnn/stories/news/0,4586,5081595,00.html>
    A preliminary version of the actual paper, and assorted correspondence:
    <http://cryptome.org/sdmi-attack.htm>
    The site reported over 50,000 visits to the paper within 24 hours of its 
    posting.
    The RIAA changes its tune:
    <http://riaa.com/PR_story.cfm?id=407>
    
    Don't forget mundane security risks.  The British Ministry of Defense has 
    lost 205 laptops in the past four years.
    <http://www.wired.com/news/politics/0,1283,43088,00.html>
    
    An e-mail was recently sent to Amazon associates, inviting them to visit a 
    non-Amazon Web site and complete a questionnaire.  The e-mail purported to 
    come from associatesat_private, but was actually sent from an entirely 
    different domain <jamiat_private>.  When I asked Amazon whether they 
    were being spoofed, they told me the survey was legitimate.  Are they 
    trying to train their customers to respond to unverified impersonations?
    
    Argus boasted that their secure operating system couldn't be hacked, and 
    sponsored a $50K contest.  It was hacked.  The story of how it happened has 
    a moral for everyone: security is only as strong as the weakest link, and 
    if you're not monitoring your security in real time you need to constantly 
    make sure all the links are strong.
    <http://www.zdnet.com/enterprise/stories/main/0,10228,2713689,00.html>
    Someone else plans on a $1M hacking contest.
    <http://www.theregister.co.uk/content/8/18644.html>
    
    Gene Spafford makes much the same points I do about the future of computer 
    security: it's going to get worse, not better.
    <http://www.cerias.purdue.edu/homes/spaf/ncssa.html>
    
    There have been zillions of articles on this "May Day 
    Cyberwar."  Supposedly, the Chinese are attacking the U.S. in retaliation 
    for our lousy foreign relations policies.
    <http://www.zdnet.com/enterprise/stories/main/0,10228,2714179,00.html>
    I believe this is nothing but hacker fantasy and media hype.  I don't see 
    hackers with political motivations taking up arms; I see hackers with no 
    motivations donning a cloak of politics to justify their actions.  I also 
    see the media turning this into a much bigger deal than reality.
    <http://www.msnbc.com/news/568036.asp?cp1=1>
    <http://www.thestandard.com/article/0,1902,24202,00.html>
    <http://www.wired.com/news/politics/0,1283,43520,00.html>
    
    People are the weakest link in security:
    <http://news.cnet.com/news/0-1003-200-5798589.html?tag=mn_hd>
    
    U.S. "national security" surveillance is on the rise:
    <http://www.securityfocus.com/news/201>
    
    Cyber-thriller screenplay:
    <http://www.theatlantic.com/issues/2001/05/frazier.htm>
    
    Comments on NIST's AES FIPS are due by May 29th.  This isn't the time to 
    suggest alternate algorithms, but it is time to comment on the details of 
    the standard.
    <http://csrc.nist.gov/encryption/aes/>
    
    The Dutch government is forcing trusted third parties to use key escrow.
    <http://www.telepolis.de/english/inhalt/te/7571/1.html>
    
    Another semantic attack.  A fake BBC Web page was circulating (without the 
    caveat at the top), and the British newspapers fell for it.
    <http://europe.thestandard.com/article/display/0,1151,16490,00.html>
    The fake Web page (with a disclaimer on the top):
    <http://news.bbc.co.uk!articles@3276960428/hi/english/uk/newsid/123456.htm>
    
    
    ** *** ***** ******* *********** *************
    
           Microsoft and the Window of Vulnerability
    
    
    
    In many of my speeches, I talk about a "Window of Vulnerability."  
    When a security vulnerability exists in a product and no one knows
    about it, there is very little danger.  But this state of security is
    fragile.  As soon as someone discovers the vulnerability, the danger
    increases.  If we're lucky, the discoverer is a good guy who does not
    exploit the vulnerability for personal gain.  Eventually word of the
    vulnerability gets out, and the danger increases.
    
    This sounds just like the real world, but cyberspace has a crucial
    difference.  If I knew how to break into a certain kind of ATM, or
    hot-wire a certain make of car, or pick a certain model of lock, I
    could teach someone.  The person I taught would then know how, and he
    could teach others.  But it's a skill, and skills take time to teach.  
    Cyberspace is different because skill can be encapsulated into
    software.  If I knew how to break into Microsoft's IIS 5.0, I could
    turn my knowledge into an exploit and distribute it on the net.  
    Then, hundreds of thousands of "script kiddies" -- with no skill
    whatsoever -- could use my exploit to break into IIS 5.0.  The
    propagation characteristics of virtual vulnerabilities are very
    different than physical vulnerabilities.
    
    We're seeing this happen right now with an IIS 5.0 vulnerability.  It
    was discovered by a company called eEye Digital Security, which was
    nice enough to warn Microsoft and give them time to create a patch.  
    Then, Microsoft and eEye announced both the vulnerability and the
    availability of a patch.  A few days later, someone wrote an exploit.  
    As the exploit made its way through the hacker community, and
    continues to do so, more and more IIS installations are being broken
    into.
    
    The press regularly writes the story like this.  First, vulnerability
    discovered and we're all in danger.  Then, vulnerability patched and
    we're all safe again.  What they forget is that patches don't work
    unless they're installed.  And more and more often, people don't
    install patches.  I predict that years from now, Web sites will still
    be broken into because of this vulnerability.
    
    So here's the million-dollar question:  Is eEye Digital Security part
    of the solution, or is it part of the problem?  eEye's own legal
    disclaimer implies that even they're not sure: "In no event shall the
    author be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this information."
    
    Microsoft IIS vulnerability:
    <http://www.msnbc.com/news/567192.asp>
    <http://www.cert.org/advisories/CA-2001-10.html>
    eEye Digital Security's announcement:
    <http://www.eeye.com/html/Research/Advisories/AD20010501.html>
    Microsoft security advisory and patch information:
    <http://www.microsoft.com/technet/security/bulletin/MS01-023.asp>
    Exploit published:
    <http://www.theregister.co.uk/content/4/18734.html>
    <http://www.msnbc.com/news/568503.asp?0nm=T23F>
    <http://www.infoworld.com/articles/hn/xml/01/05/03/010503hnattacktool.xml>
    
    Schneier's essay "Closing the The Window of Exposure":
    <http://www.counterpane.com/window.html>
    The fallacy of installing patches:
    <http://www.counterpane.com/crypto-gram-0103.html#1>
    
    
    ** *** ***** ******* *********** *************
    
           Counterpane Internet Security News
    
    
    
    There have been an enormous number of exciting things going on at 
    Counterpane.  I can't talk about any of it yet, because we're still working 
    on press releases.  We acquired SDII, a small consulting company.
    <http://www.counterpane.com/pr-sdiacquisition.html>
    More news next month.
    
    Articles on Counterpane have appeared in The New York Times and The Economist:
    <http://www.nytimes.com/2001/04/18/technology/18SCHW.html>
    <http://www.economist.com/business/displayStory.cfm?Story_ID=569825>
    
    eWeek reported on Schneier's talk at the RSA Conference last month:
    <http://www.zdnet.com/eweek/stories/general/0,11011,2705973,00.html>
    
    Bruce Schneier is speaking at ISSA events in New York (May 17), Palo Alto 
    (Jun 6), and Denver (Jun 14):
    <http://www.nymissa.org/documents/ISSA_2001_F_425.pdf>
    <http://www.issa.org>
    
    Schneier is speaking at the Trema World Forum in Monaco on May 30:
    <http://www.trema-world-forum.com/>
    
    _Secrets and Lies_ won a "Jolt" award from Software Development magazine:
    <http://www.sdmagazine.com/features/jolts/>
    <http://www.counterpane.com/pr-joltaward.html>
    
    And Counterpane is still hiring:
    <http://www.counterpane.com/jobs.html>
    
    
    ** *** ***** ******* *********** *************
    
                   Security Standards
    
    
    
    Andrew Tanenbaum once quipped that the great thing about standards is
    that there are so many to choose from.  Despite numerous efforts over
    the years to develop comprehensive computer security standards, it's a
    goal that remains elusive at best.
    
    It all started with the Orange Book.  As far back as 1985, the U.S.  
    government attempted to establish a general method for evaluating
    security requirements.  This resulted in the "Orange Book," the
    colloquial name for the U.S. Department of Defense Trusted Computer
    System Evaluation Criteria.  The Orange Book gave computer
    manufacturers a way to measure the security of their systems and
    offered a method of classifying different levels of computer security.
    
    The goal was to aid government procurement, but it also held the
    promise of benefiting the entire industry as well.  That never came to
    pass, primarily because certification testing was expensive and
    controlled by a only few labs, and the resulting designations weren't
    well-suited to the civilian marketplace's needs.
    
    There have been other efforts over the years to codify security, but
    they were unsuccessful.  Now, several industries are rallying around
    the Common Criteria, an ISO standard (15408, version 2.1) that
    provides a catalog of security features such as confidentiality and
    authentication.  Companies and industries using this document are
    expected to include these concepts in a more specific "protection
    profile," which is basically a statement of security requirements.
    
    Then, individual products can be tested against that profile.  For
    example, a smart card could be tested against a protection profile
    with such attributes as resistance to cloning, security of protocols
    and protection against physical reverse engineering, and a firewall
    could have a different protection profile that includes attributes
    related to its security and functionality.
    
    It's a great idea, and puts more meat on the bone than past efforts.  
    But don't expect it to work except in a few isolated areas.  The
    problem is that these standards are too general.  They won't tell you
    how to configure your CheckPoint firewall, or what security settings
    to run on Windows 2000.  It's not a shortcoming in the standards; it's
    just not feasible to document an infinite number of scenarios.
    
    Consider something truly quantitative: say, a configuration guide on
    the best way to secure Red Hat Linux 6.0.  It could be an excellent
    standard, but it will probably be obsolete in a few weeks.  It will
    certainly have to be revised for version 6.1.  And it can't possibly
    help you configure Solaris version 3.2, let alone Windows NT SP 4.0.
    
    On the other hand, some standards can be too specific, making it
    almost impossible to test a general system.  Remember when Windows NT
    received the Orange Book's C2 security rating?  The rating was only
    good for a specific configuration of Windows, one unconnected to the
    network and without any removable media.  What about a rating for the
    overall security of Windows NT?  Forget about it!
    
    The bottom line is that while these standards can be very useful for
    certain applications, they aren't useful gauging enterprise security
    in general.  The Common Criteria is a great document, and companies
    like Visa are putting a lot of effort to turn it into something that
    they can use for their own purposes.  The credit card company is
    currently using the document to specify security levels of hardware
    and software.  But that's only a special case; no one else can take
    what Visa did and make use of it.
    
    I have long joked that given any general security standard, I could
    design a product that 1) met the standard, and 2) was still insecure.  
    Given this truism, it's no wonder that these standards don't find much
    utility in the commercial world.  And it's no wonder why there are so
    many standards to choose from.
    
    Common Criteria:
    <http://www.commoncriteria.org>
    
    NSA's Rainbow Series, including the Orange Book:
    <http://www.radium.ncsc.mil/tpep/library/rainbow>
    
    There are configuration guides that are designed to help you with specific 
    products.  This SANS Windows NT guide is an excellent example:
    <http://www.sans.org/newlook/publications/ntstep.htm>
    So is Phil Cox's Windows 2000 guide:
    <http://www.systemexperts.com/win2k.shtml>
    
    
    ** *** ***** ******* *********** *************
    
                Safe Personal Computing
    
    
    
    I am regularly asked what the average Internet user can do to ensure
    his security.  My first answer is usually "Nothing; you're screwed."  
    But it's really more complicated than that.
    
    Against the government there's nothing you can do.  The power
    imbalance is just too great.  Even if you use the world's best
    encryption, the police can install a keyboard sniffer while you're
    out.  (If you're paranoid enough to sleep with your gun and laptop
    under your pillow, this article is not written for you.)  Even big
    corporations are difficult to defend against.  If they have your
    credit card number, for example, there's probably no way to make them
    forget it.
    
    But there are some things you can do to increase your security on the
    Internet.  None of these are perfect; none of these are foolproof.  
    If the secret police wants to target your data or your communications,
    none of these will stop them.  But they're all good network hygiene,
    and they'll make you a more difficult target than the computer next
    door.
    
    1.  Passwords.  You can't memorize good enough passwords any more, so
    don't bother.  Create long random passwords, and write them down.  
    Store them in your wallet, or in a program like Password Safe.  Guard
    them as you would your cash.  Don't let Web browsers store passwords
    for you.  Don't transmit passwords (or PINs) in unencrypted e-mail and
    Web forms.  Assume that all PINs can be easily broken, and plan
    accordingly.
    
    2.  Antivirus software.  Use it.  Download and install the updates
    every two weeks, and whenever you read about a new virus in the media.  
    Some antivirus products automatically check for updates.
    
    3.  Personal firewall software.  Use it.  There's usually no reason to
    allow any incoming connections from anybody.
    
    4.  E-mail.  Delete spam without reading it.  Don't open, and
    immediately delete, messages with file attachments unless you know
    what they contain.  Don't open, and immediately delete, cartoons,
    videos, and similar "good for a laugh" files forwarded by your
    well-meaning friends.  Turn off HTML mail.  Don't use Outlook or
    Outlook Express.  If you must use Microsoft Office, enable macro virus
    protection; in Office 2000, turn the security level to "high" and
    don't trust any sources unless you have to.  If you're using Windows,
    turn off the "hide file extensions for known file types" option; it
    lets Trojan horses masquerade as other types of files.  Uninstall the
    Windows Scripting Host if you can get along without it.  If you can't,
    at least change your file associations so that script files aren't
    automatically sent to the Scripting Host if you double-click them.
    
    5.  Web sites.  SSL does not provide any assurance that the vendor is
    trustworthy or that their database of customer information is secure.  
    Think before you do business with a Web site.  Limit financial and
    personal data you send to Web sites; don't give out information unless
    you see a value to you.  If you don't want to give out personal
    information, lie.  Opt out of marketing notices.  If the Web site
    gives you the option of not storing your information for later use,
    take it.
    
    6.  Browsing.  Limit use of cookies and applets to those few sites
    that provide services you need.  Regularly clean out your cookie and
    temp folders (I have a batch file that does this every time I boot.)  
    If at all possible, don't use Microsoft Internet Explorer.
    
    7.  Applications.  Limit the applications on your machine.  If you
    don't need it, don't install it.  If you no longer need it, uninstall
    it.  If you need it, regularly check for updates and install them.
    
    8.  Backups.  Back up regularly.  Back up to disk, tape, or CD-ROM.  
    Store at least one set of backups off-site (a safe-deposit box is a
    good place)  and at least one set on-site.  Remember to destroy old
    backups; physically destroy CD-R disks.
    
    9.  Laptop security.  Keep your laptop with you at all times when not
    at home; think of it as you would a wallet or purse.  Regularly purge
    unneeded data files from your laptop.  The same goes for palm
    computers; people tend to keep even more personal data, including
    passwords and PINs, on them than on laptops.
    
    10.  Encryption.  Install an e-mail and file encryptor (like PGP).  
    Encrypting all your e-mail is unrealistic, but some mail is too
    sensitive to send in the clear.  Similarly, some files on your hard
    drive are too sensitive to leave unencrypted.
    
    11.  General.  Turn off the computer when you're not using it,
    especially if you have an "always on" Internet connection.  If
    possible, don't use Microsoft Windows.
    
    Honestly, this is hard work.  Even I can't say that I diligently
    follow my own advice.  But I do mostly, and that's probably good
    enough.  And "probably good enough" is about the best you can do these
    days.
    
    
    ** *** ***** ******* *********** *************
    
                 Comments from Readers
    
    
    
    From: David Wallace <david.wallaceat_private>
    Subject:  Military History and Computer Security
    
    I was taken aback by your assertion that a burglar alarm works because
    "the attacker doesn't know they're there."  After all, "true victory
    consists of breaking the enemy's will without fighting."  The first
    line of defense is deterrence, the number one reason for installing a
    burglar alarm.  Security starts with making yourself a more difficult
    target.  Hence the "Premises protected by" stickers in windows and
    "Alarm" signs in front yards.  They encourage a potential attacker to
    pick another, less heavily defended, target.  In fact, the target may
    be completely undefended, protected only by signage purchased at a
    hardware or department store.
    
    The Internet makes deterrence a little more dicey.  First off, the
    alarm is necessary, but the "alarm" sign is impractical.  It is a
    potential "red cape" waved at a hacking "bull."  It may also tip the
    defender's hand by revealing his defenses.  In the physical realm
    there are a wide variety of systems and sensors to deploy to
    "measure."  In the virtual, there are fewer, they are less easily
    understood, and harder to install and configure.
    
    Once deterrence fails, detection becomes key.  In the physical world,
    the alarm system monitors a variety of metrics to evaluate defensive
    posture (system armed/unarmed), readiness to respond (sensor
    operational/deactivated), and violations of its sensors (heat, motion,
    noise, moisture, or sensor loss).  The Internet alarm performs the
    same functions, and performs them in much the same way.
    
    The next step in deterrence is the concept of "unacceptable losses".  
    Here the two worlds both converge and diverge.  They converge on the
    definition of unacceptable losses.  On both the physical and logical
    plane unacceptable losses include arrest, conviction, fine, and/or
    imprisonment.  They diverge in the likelihood of suffering
    unacceptable losses.
    
    As you note in _Secrets and Lies_, in physical security, the attacker
    must be physically present, rendering him not only detectable, but
    visible, and apprehend able.  The Internet removes that risk from the
    attacker, allowing him to strike remotely and in relative anonymity.
    
    Once attacked, there are two phases to the defense: Repel and
    counterattack.  In the physical world, once an attacker is repelled,
    you follow up with counterattack.  Repelling the attack is
    accomplished by holding ground and buying time while the resources
    needed to stop the attack are marshalled and committed (amateurs
    debate tactics, professional soldiers argue logistics).
    
    Counterattack is accomplished by understanding the attacker's
    objective and the resources he has committed to the attack.  The
    defender manipulates these variables to expose vulnerabilities in the
    attacker's position which can be exploited.  These can weaken the
    enemy, forestall his attack, and potentially force his retreat.  If
    retreat can be forced, it can be followed up with pursuit, further
    weakening the attacker, deterring future aggression, and potentially
    reducing the attacker's resources below the level necessary to support
    another assault.
    
    Unfortunately, counterattack and pursuit do not transfer well to the
    virtual battlefield.  About the only option is to repel.  The logical
    version of counterattack is limited to prosecution, which proves
    difficult when attacks occur across state and national boundaries.  
    Even when prosecution does occur, it is hampered by poor forensics,
    poor laws, and general ignorance within the court system (See the
    judge in the Mittnick trial).
    
    So what can you do to defend? Roll deterrence into your defense.  
    Monitor.  REVIEW THE LOGS! Have an incident response plan.  Partner
    with law enforcement and a professional forensics team.  Be prepared
    to go public when attacked.  Aggressively prosecute intruders whenever
    possible.  Develop a reputation as a target to stay away from.
    
    
    From: Henry Spencer <henryat_private>
    Subject:  Military History and Computer Security
    
    I would argue that there's a third issue, more important on the
    military side although it's not clear that there is any useful
    Internet analogy.  Another old military axiom: "the attacker must
    vanquish; the defender need only survive."
    
    The defender's biggest advantage is that the attack has to make
    progress to succeed, and the defense doesn't.  This puts the attacker
    out in the open, moving forward, while the defender is stationary and
    under cover -- less visible, better protected, and much more easily
    connected to communications and supply lines.
    
    This shows, for example, in a traditional distinction between two
    types of hand grenades:  offensive and defensive.  An offensive
    grenade has a rather limited lethal radius, because it's meant to be
    used by attackers, who may be on the move or behind poor cover; in
    particular, it relies more on blast than on fragmentation.  A
    defensive grenade is designed to be lethal over the widest possible
    area, for use by people who are safely ensconced behind solid cover
    and may be (locally) badly outnumbered.  (I am not sure this
    distinction is still made nowadays, since even defensive forces now
    tend to emphasize mobility, but at one time it was taken quite
    seriously.)
    
    
    From: "Gerard Joseph" <gerardat_private> 
    Subject: Military History and Computer Security
    
    I keep thinking about the apportionment of blame between the innocent
    defender and the guilty attacker.  Presumably, a bank robber would
    still be charged and found guilty even if one night the bank
    completely forgot to lock its doors or set its alarms.  But in that
    case I'm sure the bank would be held partly responsible for the
    attack.  If someone takes a shot at me while I'm ambling on the
    street, then he will always be guilty, even though I might have been
    negligent in walking on that particular street at that particular
    time.  It seems that in all cases there develops, over time and in
    accordance with local norms and experience, a state of equilibrium
    between the rate of crime and the level of defenses that are
    customarily implemented to thwart criminal acts.  Ideally, this state
    represents an optimal balance between the level of crime and the cost
    of relevant defensive measures.  A criminal who succeeds in spite of
    those defenses is more readily seen to be guilty, while a victim who
    falls short in implementing accepted levels of defense is less readily
    seen to be innocent.  But in no case does the victim's negligence
    excuse or justify the crime, nor does the criminal's ability to
    overcome your defenses excuse or justify their absence.
    
    I think as far as the Internet is concerned, we are groping towards
    the defining equilibrium between crime and defense.  Right now, there
    is a set of protective measures whose omission would certainly
    represent culpability on the part of a defender, and there is a set of
    attacks whose commission would certainly represent a crime (whether
    legally recognized or not) on the part of the attacker.  But in
    between there is a grey area of defenses and attacks that lack
    categorical classification.  To date, though, I think we've been too
    lenient on both complacent defenders and aggressive attackers.  That
    must and surely will change.  A starting point would be for the media
    to stop interviewing hackers as if they were just ordinary
    community-minded citizens.
    
    
    From: Stephen Tye <StephenTat_private>
    Subject: e-mail filter idiocy
    
    I have read your article and I can understand your annoyance at having
    your e-mail blocked for containing the unrelated words "blow" and
    "job".  I admit the sample text censor scripts that we provided in
    MailMarshal version 3.3 have a couple of anomalies like this that
    would false trigger.  We have done a lot of work on our sample text
    censor scripts for the next version release to improve them and
    minimize false triggers.
    
    MailMarshal is a tool to allow companies to apply corporate policy to
    their e-mail.  Technically MailMarshal did exactly what it was told to
    do, which was to block e-mails with the words blow and job in them.  
    In this case it was the script that was at fault, not the product.
    
    Depending on how the company has set up our product to match their
    corporate guidelines, it is highly likely that the intended recipient
    of your e-mail also received a notification e-mail informing them that
    your e-mail did not arrive.  The e-mail you sent would have most
    likely been quarantined and could have been easily released by the
    administrator.  The line "blow and job" could have then been removed
    from the text censor script and the problem would never occur again.
    
    If it is the organization's policy to block any e-mails which contain
    the words "IL*VEYOU" in the subject, then that is their choice and
    MailMarshal will allow them to enforce that policy.  We normally only
    suggest using a text censor script in this way when there is a virus
    alert and you would like implement some protection until you can get
    your antivirus product updated.  Otherwise we find scanning e-mails
    with an antivirus product and implementing rules that block e-mails
    which contain EXE or VBS attachments (which normally have no business
    use for end users) an effective protection against e-mail borne
    viruses.
    
    As you well know, security is process, not product.  MailMarshal is a tool 
    that allows you to apply that process.  It will only action what it has 
    been told to do.
    
    
    ** *** ***** ******* *********** *************
    
    CRYPTO-GRAM is a free monthly newsletter providing summaries,
    analyses, insights, and commentaries on computer security and
    cryptography.
    
    To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or
    send a blank message to crypto-gram-subscribeat_private  To
    unsubscribe, visit <http://www.counterpane.com/unsubform.html>.  Back
    issues are available on <http://www.counterpane.com>.
    
    Please feel free to forward CRYPTO-GRAM to colleagues and friends who
    will find it valuable.  Permission is granted to reprint CRYPTO-GRAM,
    as long as it is reprinted in its entirety.
    
    CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO
    of Counterpane Internet Security Inc., the author of "Secrets and
    Lies" and "Applied Cryptography," and an inventor of the Blowfish,
    Twofish, and Yarrow algorithms.  He served on the board of the
    International Association for Cryptologic Research, EPIC, and VTW.  
    He is a frequent writer and lecturer on computer security and
    cryptography.
    
    Counterpane Internet Security, Inc. is a venture-funded company
    bringing innovative managed security solutions to the enterprise.
    
    <http://www.counterpane.com/>
    
    Copyright (c) 2001 by Counterpane Internet Security, Inc.
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu May 17 2001 - 03:35:39 PDT