Network Security April 2005

DEPERIMETERISATION
happening by default in many organisations, who now wish to take control and effectively manage the multitude of vendors, applications, devices and documents that are springing up throughout the company.

The second driver is cost. Accessing applications through a broadband enabled device, using XML or Web services, reduces the costs associated with connectivity and maintenance of leased lines, private exchanges and even VPNs. At the same time it increases availability, through the ‘always on’ connection, and so flexibility.

Finally, there is a need for approved third parties to gain access. In the digital networked economy, collaborative working models with partners, joint ventures, outsourcers or suppliers require secure access to data in real time – which cannot be achieved with a tough impenetrable network boundary.

If we look at the oil and gas industries, which have been early adopters of de-perimeterisation – or ‘radical externalisation’ as it is known in BP – we can see clear examples of all of these drivers. Significant numbers of workers are on the road or in remote locations at any given time. Companies tend to make a great deal of use of outsourcers and contractors, and undertake joint ventures with other firms who are partners in one region but competitors in another. As a result they have long recognised the need to let partners have access to one part of the system, while keeping the doors firmly barred on others.

In fact around 10% of BP’s staff now access the company’s business applications through the public Internet, rather than through a secure VPN. This is the first step in a move towards simplification of the network and enabling access for up to 90,000 of the oil company’s third party businesses.

This picture of a flexible, cost effective, and adaptable business is, not surprisingly, very attractive. And not just to those in hydrocarbons. But efforts to achieve it can be hampered by current security thinking. As experts, we need to reverse this, and be seen as an enabler once more. Our responsibility is to make sure that everyone is aware of the risks and can make informed decisions. After that, it’s about putting adequate controls in place. This shift in thinking offers us a real possibility that security, indeed IT as a whole, can be brought in from the cold and get a much-needed voice at board level.

Some of the companies that are breaking down the barriers as members of the Jericho Forum:
• Boeing
• British Broadcasting Corporation
• Deutsche Bank
• Lockheed Martin
• Pfizer
• Reuters
• Unilever

“Firewalls will no longer be at the edge of the network”

Back to basics

But before we tear down the firewalls and abandon ourselves to every virus infestation out there, let’s take a look at what ‘inside out’ security really involves.

De-perimeterisation is actually something of a misnomer. It’s not about getting rid of boundaries altogether. Rather it’s a question of re-aligning and refocusing them. So instead of a single hard shell round a soft centre, an organisation has a more granular approach with internal partitions and boundaries protecting core functions and processes – hence the inside out approach. Typically the hard controls around the DMZ (demilitarised zone) will move to sit between the red and amber areas, rather than the amber and green.

This takes us back to some basic principles of security management: deciding what bits of your systems and accompanying business processes are key and focusing on their security. Rather than taking a ‘one size fits all’ approach, inside out security requires us to look at protecting our information assets from the perspective of what needs to be secured and at what level.

The decision should be based upon another fundamental tenet of good security practice: thorough assessment of risk. That customer database from three years ago may be of limited value now, but if the contents are leaked, the consequences could be disastrous.

Although policy control and management has always been a fundamental factor in any security measures, it will take a far more central role than it has enjoyed so far. Federated security, granulated access and rotating users all demand close control. Updates to policy that reflect both changes within the organisation and to its immediate environment will be required on a more regular basis than ever before.

We also need to make sure that we still get the basics right. For example, viruses are not going to go away: there will always be new variants and new vulnerabilities. The 2004 edition of the DTI information breaches survey shows that a massive 74% of all companies suffered a security incident in the previous year, and 63% had a serious incident. Viruses still counted for 70% of these, which seems to indicate that despite their prevalence, there is still a lack of maturity in incident management procedures.

Firewall vendors don’t need to panic just yet – there is still going to be a need for their products in a de-perimeterised system. The difference is these will no longer sit at the very edge of the network, but will be strategically placed inside it, at device, data or even application level.

Identity management

While firewalls may sort the ‘good’ HTTP traffic from the bad, they cannot
VULNERABILITIES
increase the quality of data at a higher layer. These approaches have spawned new categories of security product, such as “Enterprise Security Management” (ESM), “Security Information Management” (SIM), and “Vulnerability Management”.

But rather than add layers of abstraction (and products to buy), the solution would logically lie in not gathering so much data in the first place. This has now become a viable strategy, because of the capabilities provided by modern patch management technologies.

The rise of patch management

The widely felt impact of Internet worms has opened the eyes of businesses to the importance of patching systems. Host-based patch management products such as Microsoft's SMS (Systems Management Server) and SUS (Software Update Services) are now in wide deployment, as are other commercial and freeware tools on a variety of platforms. See for example, PM (2005) and Chan (2004).

In many respects, this increased focus on patch management has diminished the traditional role of network vulnerability assessment tools. If the delta between current patch status and the known set of vulnerabilities is already being directly determined on each individual host, then there is less need to use a network vulnerability assessment tool to attempt to collect that same information (and to do so across the network and en masse).

An advantage here is that it is a relatively straightforward task for a software agent running on a host to determine the host’s patch level. A network vulnerability scanner has to attempt to remotely infer that same information, and this task is made more difficult if the vulnerability scanner has no credentials for the target host.

Another advantage to using a host-based model for gathering patch data is that with an ever-increasing set of vulnerability checks being built into network vulnerability assessment tools, the probability increases that a check might adversely affect a network service on a box. The result might be that the scan causes services to crash, restart, or otherwise misbehave. The days when port scanning would crash the simplistic network stack within printers and other such devices are probably behind us, but a business might rightly question the use of increasingly complex vulnerability checks to interrogate production systems.

With an ever-increasing number of checks, the impact on network bandwidth when a network vulnerability assessment tool is run also climbs. (Rate-limited and distributed scanning can help here, but these involve additional complexity.)

There are disadvantages to employing a host-based model, however. Products which require that an agent be installed on hosts have usually been seen as time-consuming to deploy and complex to manage. Indeed, the value proposition of network vulnerability assessment tools was, in part, that they did not require a roll-out of host-based agents. With the now widespread use of agent-based patch management technologies, this barrier has been overcome.

Given the advantages in using a host-based model to gather patch status information, do network vulnerability assessment tools still have a role to play? In discovering new vulnerabilities, or for discovering vulnerabilities in bespoke applications (such as Web applications), network vulnerability assessment tools clearly add value. But this is somewhat of a niche market. These are not activities that businesses typically wish to perform against every device within their network environment, or on a regular basis. (Scanning a DHCP allocated network range provides little value if the DHCP lease time is short, just as one example.)

A modern approach

It is a widely held belief amongst security practitioners that the majority of security break-ins take advantage of known vulnerabilities. While there is no concrete evidence for this claim, on an intuitive basis it is probably correct. In most cases, the patch for a known vulnerability already exists, or the vendor affected is in the process of creating the patch. (In that latter scenario, the version numbers of the particular operating systems or applications that are known to be vulnerable are usually known, even if the patch itself is not yet available.)

A patch management solution can determine the presence or absence of patches on hosts, and can also identify the current version number of operating systems and installed applications. A patch management solution can therefore be used to determine vulnerability status. The depth of reporting that modern patch management tools provide in this area has in many respects already surpassed the capabilities of conventional network vulnerability assessment tools. This is possible because of the advantages inherent in a host-based model.

Table 1: Display of services running on hosts

service          count
telnet              20
ssh                 79
rlogin               3
http                52
https               26
ldap                 8
vnc                  9
ms-term-serv        30
pcanywheredata       2
irc                  1
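The delta the article describes, between the set of known vulnerabilities and each host's reported patch status, worked as an added example (not the article's code, nor that of any patch management product). The host inventory, product names, versions and the VULN-*/PATCH-* identifiers are constructed placeholders; the case the article notes, where the vulnerable version numbers are known but the vendor has not yet shipped a patch, is handled explicitly.

```python
"""Patch-status delta: known vulnerabilities vs. each host's patch status.
Added illustration; all hosts, products, versions, vulnerability and patch
identifiers below are constructed placeholders, not real advisories."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    product: str
    affected_versions: FrozenSet[str]   # versions known to be vulnerable
    patch_id: Optional[str]             # None while the vendor has no patch yet


@dataclass
class Host:
    name: str
    software: Dict[str, str]                         # product -> installed version
    patches: Set[str] = field(default_factory=set)   # installed patch identifiers


def host_delta(host: Host, known: List[Vulnerability]) -> List[Tuple[str, str]]:
    """Known vulnerabilities still present on `host`, each with the reason.

    A vulnerability applies only if an affected version of the product is
    installed; it is then outstanding either because the fixing patch is
    missing or because no patch exists yet (version-based detection)."""
    findings = []
    for v in known:
        version = host.software.get(v.product)
        if version is None or version not in v.affected_versions:
            continue  # product absent, or an unaffected version is installed
        if v.patch_id is None:
            findings.append((v.vuln_id, "no patch available; vulnerable version installed"))
        elif v.patch_id not in host.patches:
            findings.append((v.vuln_id, f"patch {v.patch_id} missing"))
    return findings


def network_delta(hosts: List[Host], known: List[Vulnerability]) -> Dict[str, List[Tuple[str, str]]]:
    """Per-host delta across the inventory, from agent-reported data (no scan)."""
    return {h.name: host_delta(h, known) for h in hosts}


def rollout_priority(delta: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, int]]:
    """Outstanding vulnerabilities ordered by how many hosts still expose them."""
    counts: Dict[str, int] = {}
    for findings in delta.values():
        for vuln_id, _ in findings:
            counts[vuln_id] = counts.get(vuln_id, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed data (placeholders, not real products or advisories).
KNOWN_VULNS = [
    Vulnerability("VULN-A", "webserver", frozenset({"2.0", "2.1"}), "PATCH-A"),
    Vulnerability("VULN-B", "dbserver", frozenset({"8.0"}), None),   # vendor still working on it
    Vulnerability("VULN-C", "webserver", frozenset({"1.9"}), "PATCH-C"),
]
HOSTS = [
    Host("web1", {"webserver": "2.1"}, {"PATCH-A"}),   # affected version, but patched
    Host("web2", {"webserver": "2.0"}),                # affected version, patch missing
    Host("web3", {"webserver": "2.1"}),                # affected version, patch missing
    Host("db1", {"dbserver": "8.0"}, {"PATCH-A"}),     # vulnerable, no patch exists yet
    Host("fs1", {"fileserver": "3.2"}),                # nothing known applies
]

if __name__ == "__main__":
    delta = network_delta(HOSTS, KNOWN_VULNS)
    for name, findings in delta.items():
        print(name, findings or "up to date")
    print("rollout order:", rollout_priority(delta))
```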
(Fyodor, 1997, 1998). These techniques do not require a constant research effort to develop new vulnerability checks. A port scanner written in 1990 could still be used today, whereas a vulnerability scanner from the same year would be considered woefully inadequate because it has no knowledge of modern vulnerabilities.

The information that can be gathered using these relatively simple techniques has enormous utility for security. Consider Table 1, which displays data

analysis, in contrast to having to wade through hundreds of pages of vulnerability assessment report. If a patch management solution is being used to detect weaknesses in the patch status of hosts, then this is the type of data that it is valuable to collect across the network. This is not traditional vulnerability assessment data, but rather foundational data about the network.

“What data is it still valuable to gather across the network?”

Table 2 shows data on the number of operating system types found within a particular network. Again, this data was collected using simple network information gathering techniques. This network employs both Linux and Windows machines as its corporate standard. We can therefore say that the detection of a device running OpenBSD warrants investigation. Similarly, it would be valuable from a security perspective to investigate the two devices for

Conclusions

Patch management technologies and processes now deliver to businesses the core capability of traditional network vulnerability assessment tools; namely, the identification of vulnerabilities that are present due to missing patches. Patch management solutions can be used to accomplish this task by identifying the delta between the set of patches for known vulnerabilities and the current patch status of hosts within the environment.

For network-wide vulnerability assessment, the question that businesses need to ask is: what data is it still valuable to gather across the network? There is little value in employing a noisy, bandwidth-consuming network vulnerability scan to interrogate production systems with an ever-increasing number of vulnerability checks, when patch status data is already being collected through patch management activities.

Employing simple network information gathering techniques in this supplementary role is easier, takes less time, has less impact on network bandwidth, does not require a constantly updated set of vulnerability “checks”, and provides more intuitive results.

About the author

Andrew Stewart is a Senior Consultant with a professional services firm based in Atlanta, Georgia.

References

Chan (2004), “Essentials of Patch Management Policy and Practice”, Available: http://www.patchmanagement.org/pmessentials.asp

Fyodor (1997), “The Art of Port Scanning”, Phrack Magazine, Volume 7, No. 51, September 01, 1997.

Fyodor (1998), “Remote OS detection via TCP/IP Stack FingerPrinting”, Phrack Magazine, Volume 9, No. 54, 25th December, 1998.

PM (2005), Mailing list archive at http://www.patchmanagement.org
CRYPTOGRAPHY

Shelf-life

Mathematical infinity

Sarah Hilley

A newly emergent country has begun to set the pace for cryptographic mathematicians…

Chinese infosec research efforts are fixated on cryptography and researchers are already producing breakthroughs. A group of researchers from Shandong University in China stunned the established crypto community at the RSA conference in February by breaking the integral SHA-1 algorithm used widely in digital signatures. This SHA algorithm was conceived deep within the womb of

Even more proof of the hive of crypto activity in China is that 72% of all cryptography papers submitted to the Elsevier journal, Computers & Security last year hailed from China and Taiwan. And cryptography papers accounted for one third of all the IT security research submitted to the journal.

The Chinese are determined to get into the subject, says Mike Walker, head of Research & Development at Vodafone, who studied cryptography at Royal Holloway College, London. "If

“It is a race between mathematicians and computers”

"Now there is no doubt that we need a new hash function," says Mette Vesterager, chief executive officer at Cryptico. Vesterager says a competition will probably be launched to get a new replacement for SHA-1. Such a competition
addition the Chinese attack has repercussions on other hash algorithms such as MD5 and MD4.

Down to earth

The breakage of SHA-1 is not so dramatic in the humdrum application of real-life security, however. On a practical level, Kaliski rates it at a two out of 10 for impact, even though it is widely used. But cryptographers have to think ahead in colossal numbers to keep up with the leaps in computing power. According to Moore's law, computers keep getting faster at a factor of 2 every 18 months.

Cryptographers deal with theoretical danger. They bend and stretch the realms of mathematics and strive to create algorithms that outlive computing power and time. It is a race - a race between mathematicians and computers. Fortunately the crack of algorithms like SHA-1 doesn't yet affect us mere mortals, who unknowingly avail of crypto to withdraw money from the ATM on a Saturday night. This is thanks to cryptographers thinking in a different time, a time that is set by the power of computation. This power isn't here yet to make the crack of SHA-1 realistic outside a research environment.

As cryptography is used in one and a half billion GSM phones in the world, and it authenticates countless computer users, devices, transactions, applications, servers and so on, this is good news. It means that we don't have to worry about underlying algorithms being attacked routinely like software vulnerabilities, for example. The dangers are much more distant. However side channel attacks must be watched out for, warns Kaliski, which target the implementation of cryptography. Piper recommends that keys have to be managed properly to guard against such loopholes in implementation.

Big computers

Governments have historically been embroiled in mathematical gymnastics even before cryptography became so practical. The British famously cracked the German Enigma code in World War II. And American Navy cryptanalysts managed to crack the Japanese code, Purple, in 1940. What governments can and can't break these days, though, is very much unknown.

"The AES algorithm is unbreakable with today's technology as far as I'm aware," says Royal Holloway's Piper. So far NIST hasn't even allocated a 'best before' date for the decease of AES. The AES 128 bit key length gives a total of an astronomical 3.4 x (10^38) possible keys. But if law enforcement can't break keys to fight against terrorism, intelligence is lost, warns Piper. However, people wonder 'what can the NSA do?', says Vesterager, and 'how big are their computers?' But the general opinion is that AES was not chosen because it could be broken. Time will show, however, she adds.

And with China pouring large amounts of energy into studying the language of codes and ciphers, the NSA may want even bigger computers.
BIOMETRICS
a password), something the user has (e.g. a token), and something the user is (biometrics).

As has been widely discussed, although popular, password authentication is often associated with poor password policies, and management strategies that don’t work. Many network administrators have wrestled with balancing password authentication and password policies against account user needs or demands. Too many know how far they have had to compromise security in order to service users.

Token of affection?

The use of token-based technologies such as SecureID tokens, smart cards and digital certificates is becoming widely accepted, not only in the workplace, but outside as well. Beginning in October 2003 the UK commenced a roll out of Chip and PIN authentication methods for transactions based on bank and credit cards. The primary aim was to combat the growing rate of card fraud based on the manipulation of magnetic strips or signature fraud. So far over 78 million Chip and PIN cards are in common use in the UK, more than one for every man, woman and child on the island.

Token-based authentication is not without its downside, however. In fact, it is far from a panacea with regards to the security of networks, or indeed one’s personal finances. A number of attack vectors exist for both the use of SecureIDs and the like. Certainly, the number and value of card-based frauds appears to have risen since Chip & PIN was introduced. Recent research, still ongoing, is expected to expose a number of flaws within the use of Chip and PIN authentication mechanisms in a variety of common environments.

PIN-pushers

The push towards biometrics comes from a variety of sources. The financial industry in particular is resolved to reduce fraud based on stolen identities, which, according to Accenture, the management consultancy, now costs consumers and banks $2 trillion a year.

National security agencies in various countries, led by the US immigration authorities, are also seeking reliable unique authentication systems as part of the ‘war on terror’. Biometrics is the as-yet unfulfilled promise of the third pillar of authentication mechanisms.

At the network level, biometrics may well enable network administrators to increase the security of their network environments. There are a number of implementation and security issues that are often overlooked in the push towards new methods of authentication.

Methods of biometric access

As has been outlined earlier, biometrics is a means of authenticating an individual's identity using a unique personal identifier. It is a highly sophisticated technology based on scanning, pattern recognition and pattern matching. At present it remains one of the most costly methods of authentication available.

Several different technologies exist based on retinal scans, iris scans, facial mapping (face recognition using visible or infrared light, referred to as facial thermography), fingerprinting (including hand or finger geometry), handwriting (signature recognition), and voice (speaker recognition).

For biometrics to be effective, the measuring characteristics must be precise, and the false positives and false negatives minimised.

When a biometric authentication system rejects an authorised individual this is referred to as a Type 1 error; a Type 2 error occurs when the system accepts an impostor. The effectiveness of a biometric solution can be seen in the Crossover Exchange Rate (CER). This is a percentile figure that represents the point at which the curve for false acceptance rates crosses over the curve for false rejection rates. Depending upon the implementation of the chosen biometric technology, this CER can be so high as to make some forms unusable for an organisation that wishes to adopt or retain an aggressive security posture.

Space invaders

Some forms of biometrics are obviously more invasive of one’s personal ‘space’ than others. Fingerprinting, for instance, has negative connotations because of its use in criminal detection. As such, some biometrics may well meet with user resistance that company security officers will need to both understand and overcome.

In 2005, London’s Heathrow airport introduced plans to conduct retinal scans in a bid to increase security, and increase the efficiency of boarding gates. At present there are no figures on user acceptance of the scheme, which is currently voluntary. However, as retinal scans are among the most invasive of biometric technologies it would be surprising if the voluntary acceptance rate is high enough to justify either the expense or efficiency improvement of the solution.

Print sprint

Traditionally biometrics is commonly associated with physical security. However there is a growing shift towards adopting biometrics as a mechanism to secure authentication across a network. A number of fingerprint readers are currently available that can be deployed for input to the authentication system. These are now cheap and reliable enough for IBM to include one in some of its latest laptop computers as the primary user authentication device. There is also on-going research to reduce the cost and improve both the accuracy and security of other biometric methods such as facial maps and iris or retinal scans. Judging by the developments in the field of biometrics in the last 15 years it can only be a matter of time before everyone can afford the hardware for biometric network authentication.

Accuracy and security?

As has already been discussed the biometrics approach to network authentication has much promise; however, it is an as yet unrealised potential. One reason is that it is laden with a variety of shortcomings that need to be fixed prior to its widespread adoption as an authentication mechanism.
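The Type 1 / Type 2 trade-off and the crossover point (CER) from the “Methods of biometric access” section above, worked as an added example (not from the article or any biometric vendor): false rejection and false acceptance rates are tabulated over decision thresholds for constructed genuine and impostor matching scores, the threshold where the two curves cross is located, and the rejection rate an organisation pays for forcing false acceptance down to an aggressive target is shown. The scores are assumed to be similarity values in [0, 1], with an attempt accepted when its score is at or above the threshold.

```python
"""FAR/FRR curves and their crossover (CER) for a biometric matcher.
Added illustration with constructed scores; nothing here is measured data."""
from typing import List, Tuple

# Constructed sample matching scores (similarity in [0, 1]). Genuine users
# mostly score high, impostors mostly low, with some overlap in the middle.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.38, 0.45, 0.52, 0.58, 0.63, 0.71]


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """Type 1 error: fraction of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """Type 2 error: fraction of impostor attempts scoring at/above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curves(genuine: List[float], impostor: List[float],
                 steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) rows for thresholds 0, 1/steps, ..., 1."""
    return [
        (t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
        for t in (i / steps for i in range(steps + 1))
    ]


def crossover(genuine: List[float], impostor: List[float],
              steps: int = 100) -> Tuple[float, float]:
    """Threshold where the FRR and FAR curves cross, and the error rate there (CER).

    With a finite sample the curves are step functions that may not meet
    exactly, so the threshold minimising |FRR - FAR| is used (lowest such
    threshold on a tie) and the CER is reported as the mean of the two."""
    t, frr, far = min(error_curves(genuine, impostor, steps),
                      key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (frr + far) / 2


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float, steps: int = 100) -> Tuple[float, float]:
    """Lowest threshold keeping FAR <= max_far, with the FRR that setting costs.

    An organisation with an aggressive posture fixes max_far first and then
    lives with the resulting rejection rate for legitimate users."""
    for t, frr, far in error_curves(genuine, impostor, steps):
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t:.2f}, CER {cer:.0%}")
    for target in (0.1, 0.0):
        t, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, target)
        print(f"FAR <= {target:.0%}: threshold {t:.2f}, FRR {frr:.0%}")
```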
One of the touted benefits of biometrics is that biometric data is unique, and this uniqueness makes it difficult to steal or imitate. One often-overlooked problem with the biometric approach is that, unlike other forms of authentication, they are anything but discreet. Unlike the traditional password-based model, or even the token-based approach (e.g. Chip and PIN) no biometric approach relies upon something the user holds as secret. Indeed in all the biometric technologies currently available potential attackers can see exactly what is going on. Obviously, this makes them potentially vulnerable.

Attack vectors

When evaluating biometrics network administrators should consider possible attack vectors. These fall into two distinct classes, namely:

• Physical spoofing, which relies on attacks that present the biometric sensor (of whatever type) with an image of a legitimate user.
• Digital spoofing, which transmits data that mimics that of a legitimate user. This approach is similar to the password sniffing and replay attacks that are well known and are incorporated in the repertoire of many network attackers.

In 2003, two German hackers, Starbug and Lisa, demonstrated a range of biometric physical spoofing attacks at the Chaos Computer Camp event. Their attacks relied upon the adaptation of a technique that has long been known to many biometrics vendors. In the original attack vector an attacker could dust a fingerprint sensor with graphite powder, lift the fingerprint, and then subsequently use it to gain entry.

The 2003 attack showed it could create a 'gummy finger' using a combination of latex, photo imaging software and graphite powder. Although this method may seem somewhat far-fetched, it can be used to bypass a number of available fingerprint biometric devices. Indeed, in 2002, Japanese researcher Tsutomu Matsumoto was able to fool 11 biometric fingerprint readers 80% of the time using 'gummy fingers'. Worse news came in 2004, when researchers revealed that some fingerprint readers could be bypassed merely by blowing gently on them, forcing the system to read in an earlier latent print from a genuine user.

Attacks are not limited only to fingerprint readers (as found in the current range of network access devices); both face and iris scanners can be spoofed successfully. In the case of the former, a substitute photograph or video of a legitimate user may be able to bypass systems; with regards to iris scanners, a photograph of the iris taken under diffused lighting and with a hole cut for the pupil can make for an effective spoofing stratagem.

If compromised biometric devices are a conduit into a network, it may be possible to manipulate stored data, thus effectively bypassing all security policies and procedures that are in place.

Attack on all sides

As has been outlined, biometric technologies are far from risk-free. Many (if not all) are susceptible to both physical and logical digital attack vectors. The reasons for these shortcomings are many, including a potential ignorance about security concerns on the manufacturer's part, a lack of quality control, and little or no standardisation of the technologies in use.

There is also the sometimes onerous and problematic process of registering users who may not embrace the use of biometrics, and who may start quoting passages from the Human Rights Act. When you think about implementing biometric technologies remember that they do not yet measure perfectly, and many operational and security challenges can cause them to fail, or be bypassed by attackers. Presently there is not enough hard evidence that shows the real levels of failure and risk associated with the use of biometric authentication technologies. It would be a brave administrator indeed that chose to embrace them blindly and without a degree of external coercion, such as a change in the legislation.

Goodbye to passwords?

Biometric technologies have the potential to revolutionise mechanisms of network authentication. They have several advantages, such as users never need to remember a password, and more resilience against automated attacks and conventional social engineering attacks. However, the market for such devices is so new, and the amount of clear statistical research data as to its cost and benefits is Spartan.

Most large companies can probably afford to implement them. But doing so may have the undesirable side effect of actually increasing their exposure to risk. In particular, the lack of standardisation and quality control remains a serious and grave concern.

In the coming years, biometrics may improve as an authentication technology, if only because politicians and fraudsters are currently driving the need for improvements. At the present level of technical understanding and standardisation, and many signs of user resistance, network administrators who voluntarily introduce the technology may find themselves on the bleeding edge, rather than the leading edge.

Network administrators need to question closely not only the need for biometrics as a network authentication and access mechanism, but also the levels of risk they currently pose to the enterprise. For most, the answer will be to wait and see.

About the author

Michael Kemp is an experienced technical author and consultant specialising in the information security arena. He is a widely published author and has prepared numerous courses, articles and papers for a diverse range of IT related companies and periodicals. Currently, he is employed by NGS Software Ltd where he has been involved in a range of security and documentation projects. He holds a degree in Information and Communications and is currently studying for CISSP certification.
PROACTIVE SECURITY
“Proactive security has to be automatic”

lower level of cryptography and digital signatures, while Microsoft has been working with a company called PreEmptive Solutions to make its code harder for hackers to reverse engineer

might appear disjointed when taken together, but they have in common the necessary objective of moving beyond reaction, which is no longer tenable in the modern security climate. The crucial question is whether these initiatives really deliver what enterprises need, which is affordable pre-emptive protection. If the solutions extract too great a toll on internal resources through need for continual reconfiguration and endless analysis of reports containing too many false positives, then they are unworkable. Proactive security has to be as far as possible automatic.

code practically impossible, so that hackers are unlikely to try. Of course the risk then becomes of the source code itself being stolen, but that is another matter.

Sharing private keys

The principle of ducking and weaving to evade hackers can also be extended to cryptography. The public key system is widely used both to encrypt session keys and also for digital signatures. The latter has become a target for financial fraudsters because if they steal
someone’s private key they can write that person’s digital signature, thereby effecting identity theft. But here too risks can be greatly reduced through pro-activity. An idea being developed by IBM involves distributing private keys among a number of computers rather than just one. Then the secret key can only be invoked, whether for a digital signature or to decrypt a message, with the participation of a number of computers. This makes it harder to steal the key because all the computers involved have to be compromised rather than just one. In practice it is likely that at least one of the computers will be secure at any one time – at least such is the theory. This development comes at a time of increasing online fraud and mounting concerns over the security of digital signatures.

Buglife

There is also scope for being proactive when it comes to known bugs or vulnerabilities in software. One of the

Internet Security Systems, was quick off the mark, and in September 2002 distributed an update that provided protection. Then in January 2003 came the infamous Slammer Worm exploiting this loophole, breaking new ground through its rapid propagation, doubling the infected population every 9 seconds at its height. The case highlighted the potential for pre-emptive action, but also the scale of the task in distributing the protection throughout the Internet.

“Many suppliers hide issues from users”

Open disclosure

Another problem is that some software vendors fail to disclose vulnerabilities when they do occur, through fear of adverse publicity. This leads to delay in identifying the risks, making it even harder to be proactive. It makes sense therefore for enterprises to buy software only where possible from vendors that practice an open disclosure policy. Many such disclosures can be found on the BUGTRAQ mailing list, but a number of vendors, and in some cases even suppliers of free software when there would seem nothing to gain by it, hide issues from their users. There is however a counter argument in that public dissemination of vulnerabilities actually helps and encourages potential hackers. But there is the feeling now that in general the benefits of full disclosure outweigh

some cases now it takes just a week or two, so the processes of developing and distributing patches need to be speeded up. Ideally service providers should implement or distribute such protection automatically.

“There have been moves to extend two-factor authentication to Internet

Conclusion

Proactive security also needs to be flexible, adapting to the changing threat landscape. A good example is the case of two-factor security, in which static passwords are reinforced by tokens generating dynamic keys on the fly. This has been the gold standard for controlling internal access to computer systems within the finance sector for well over a decade, but recently there have been moves to extend it to consumer Internet banking. But some experts reckon this is a waste of money because it fails to
the risks.
Patch it
banking
”
most celebrated examples came in July Be that as it may the greatest challenge
2002 when Microsoft reported vulnera- for proactive security lies in responding address the different threats posed by
bility in its SQL Server 2000 and distributing patches or updates to Internet fraudsters. These include man
Resolution Service, designed to allow plug vulnerabilities within ever decreas- in the middle attacks which capture the
multiple databases to run on a single ing time windows. As we just saw the one time key as well as the static pass-
machine. There was the potential to Slammer worm took six months arrive, words and replay both to the online
launch a buffer overflow attack, in and the same was true for Nimda. This bank. So it may be that while two-factor
which a hacker invokes execution of left plenty of time to create patches and security will reduce fraud through guess-
code such as a worm by overwriting warn the public, which did reduce the ing or stealing static passwords, the cost
legitimate pointers within an applica- impact. But the window has since of implementing it across a customer
tion. This can be prevented by code shortened significantly – a study by base will outweigh the benefits, given
that prohibits any such overwriting, but Qualys, which provides on-demand vul- that vulnerabilities remain. But nobody
Microsoft had neglected to do so within nerability management solutions, is suggesting that proactive security
Resolution Service. However Microsoft reported in July 2004 that 80% of avoids hard decisions balancing
did spot the vulnerability and reported exploits were enacted within 60 days of solutions against threats and cost of
it in July 2002. One security vendor, a vulnerability’s announcement. In implementation.
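The "Sharing private keys" section above describes a key that can only be used when several computers take part. The following is an added example, written for this page and not IBM's or the article's own design, of the underlying k-of-n property using Shamir secret sharing over a prime field: any k of the n share-holding machines can reconstruct the key, while fewer than k learn nothing about it. The secret value, the prime, and the share counts are constructed for the example; real threshold-signature schemes go further and sign without ever reassembling the key in one place, which this simplified model does not attempt.

```python
"""Threshold custody of a private key: k-of-n secret sharing.

Added example (not from the article or IBM).  Models a secret key that can
only be invoked with the participation of k out of n computers, using
Shamir secret sharing over a prime field.  The prime, secret and share
counts are constructed sample values.
"""
import secrets

# Field prime large enough to hold a 256-bit key.  2**256 - 189 is prime;
# chosen for the example, any suitably large prime works.
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..] at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, n, k):
    """Split `secret` into n shares such that any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)).  Fewer than k points leave f(0) uniform.
    """
    assert 1 <= k <= n and 0 <= secret < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret=None, n=5, k=3):
    """Return (k shares recover the key, k-1 shares recover the key).

    The second value is False except with probability about 1/PRIME:
    an attacker who has compromised only k-1 of the machines gets nothing.
    """
    if secret is None:
        secret = secrets.randbelow(PRIME)  # stands in for a private key
    shares = split_secret(secret, n, k)
    enough = (recover_secret(shares[:k]) == secret
              and recover_secret(shares[-k:]) == secret)   # any k shares work
    too_few = recover_secret(shares[:k - 1]) == secret
    return enough, too_few


if __name__ == "__main__":
    print("k shares recover key, k-1 shares recover key:", demo())
```

The defensive value is exactly the article's point: an attacker must compromise k separate machines, not one, and the share-holding machines can be placed under different administrators so that a single break-in never yields the signing key.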
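The conclusion above notes that a man in the middle can capture a one-time key together with the static password and replay both to the bank. As an added example, not taken from the article or from any bank's system, the following implements the HMAC-based one-time password of RFC 4226 (HOTP) and a verifier that refuses any counter it has already accepted, so a captured code replayed after the legitimate login is rejected. The shared secret is the RFC 4226 test key and the look-ahead window is an assumed setting.

```python
"""One-time passwords with server-side replay rejection.

Added example, not from the article.  Implements RFC 4226 HOTP and a
verifier that only moves its counter forward, so an OTP that has already
been consumed cannot be replayed.  Secret and window are sample values.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one token: the highest counter accepted so far."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # assumed tolerance for skipped presses
        self.last_counter = -1         # nothing accepted yet

    def verify(self, otp: str) -> bool:
        """Accept `otp` only for a counter strictly above the last accepted
        one, within the look-ahead window; a consumed counter never matches."""
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.last_counter = c
                return True
        return False


def replay_demo():
    """Legitimate login succeeds; the same captured OTP replayed later fails;
    the next code from the token still works."""
    secret = b"12345678901234567890"   # RFC 4226 test key, sample value
    server = OtpVerifier(secret)
    captured = hotp(secret, 0)           # what a man in the middle would see
    legit = server.verify(captured)      # True
    replayed = server.verify(captured)   # False: counter 0 already consumed
    next_ok = server.verify(hotp(secret, 1))  # True
    return legit, replayed, next_ok


if __name__ == "__main__":
    print(replay_demo())
```

This closes the replay window the article describes only when the genuine login reaches the bank first. A man in the middle who relays the captured code in real time, before the user's own session, is still accepted, which is why the experts quoted above regard a one-time password by itself as an incomplete answer to Internet fraud.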
PKI

public and private keys known as domain certificates to encrypt and sign messages that pass between domains. They have the same format as those used in desktop-to-desktop S/MIME message encryption, except that the certificates are issued to domains, not individual users. Messages are signed and encrypted only while in transit between the S/MIME gateways.

“A major criticism of PKI is the overheads”

An S/MIME gateway can co-exist with unencrypted SMTP messages and with end-to-end S/MIME encryption; it can send and receive unencrypted and unsigned messages to/from any e-mail domain; and it can receive messages signed or encrypted with conventional, desktop-to-desktop S/MIME. It will not decrypt the message or verify the signature, and it will deliver the message to the recipient's mailbox with the signature and/or encryption intact. However, it cannot currently sign or encrypt mail that is sent to a user in a domain that does not have an S/MIME gateway.

Pretty Good Privacy (PGP)

The OpenPGP and PGP/MIME protocols are based on PGP and rely on MIME for message structure. Today, a specialised S/MIME client can't normally communicate with a PGP client, although that may change. PGP has been described as a good example of what PKI is; but it enables the user to scale the PKI implementation from individuals up to several thousand users. It comprises a number of products that can be implemented incrementally according to requirement. With PGP there is no reason to hesitate to implement and make use of secure messaging capability because of cost or complexity: it's perfectly possible for the small to medium sized company to create an environment which is functional, inexpensive and easy to manage.

Attachment, encryption and compression

A number of products for document storage and communication are supplied with different types of confidentiality such as MS/Word, MS/Excel and the Adobe Family. Another collection is represented by file compressing tools. These allocate the smallest possible storage area for any number of files gathered, and are often equipped with advanced encryption capability. For example, the latest version of WinZip is supplied with 256 bit AES encryption.

There are some limitations with compression tools in the area of secure messaging. Key handling is cumbersome and if used extensively it may cause trouble. Also, compression tools can't normally protect the actual message, just the attached file(s); and the password must be delivered to the recipient separately – preferably by phone. File compression is therefore a temporary or special solution, to be used with discernment.

More information

More information can be found in the full report available from EEMA, a large multi-national user organization. EEMA is exhibiting at Infosecurity Europe 2005, which is held on the 26th – 28th April 2005 in the Grand Hall, Olympia in London. More details: www.infosec.co.uk
RFID: misunderstood or untrustworthy?

Bruce Potter

It seems that everywhere you look, wireless security is in the news. WiFi networks are being deployed in homes and businesses at an astounding rate. Bluetooth is being integrated into all manner of device from cell phone to laptop to automobile. And now RFID tags are starting to show up in some retail stores and gaining acceptance for use in supply chain management.

But of these three technologies, RFID is probably the least understood and most feared by the public at large. Consumers are afraid of their buying habits being tracked. Travellers are concerned about the privacy issues of RFID in passports. And businesses are worried that the current state of the technology is not sufficient to keep hackers at bay. Ultimately, RFID has the capability to change the face of supply chain management and inventory control and we need to be prepared for that.

RFID Basics

RFID (Radio Frequency IDentification) has been around for decades. Initially used for proximity access control, RFID has evolved over the years to be used in supply chain tracking, toll barrier control, and even protecting automobiles. The cost of the chips used for RFID is now as low as 0.20USD with readers costing as little as 30USD, making large scale deployments more cost effective.

There are several types of RFID tag. The most common and simple is a passive tag. Passive RFID tags receive their energy from a remote RFID reader. The tag is able to focus the radio frequency energy from the transmitting reader and uses the generated electrical impulse to power the onboard chip. These RFID chips are very simple and may have as few as 400 logic gates in them; they can basically be thought of as a simple memory chip. The chip then responds with a short burst of information (typically an ID unique to the chip) that is transmitted by the antenna on the RFID tag. The reader receives this information and can then act upon it. Passive tags can be manufactured thinner than a piece of paper and have been integrated into everything from shipping labels to clothing.

The other types of RFID involve using a battery for some part of the RFID transaction. Semi-passive tags use a small onboard battery to power the chip, but rely on the energy from the reader for powering the tag's antenna for transmission. Semi-active tags turn this concept around. These tags use the battery for powering the antenna but the chip relies on the RF energy from the reader. An active tag uses a battery for both the chip and the transmission of data on the antenna. While the amount of memory in the non-active tags is limited to generally a few hundred bytes (if that), an active tag can have kilobytes (if not megabytes) of memory. The drawback of any of the powered tags is that eventually the battery dies and the tag becomes useless.

Security concerns

There are a wide variety of security concerns with RFID tags. One concern of interest is the ability to track the location of a person or asset by an unintended actor. While the RFID specifications generally deal with short ranges (a few inches to a few feet) between the readers and the tags, specialized equipment can pick up a signal from an RFID tag much farther away.

This is a similar problem to that with wireless LANs. Normally a WLAN is only effective for a user within 100m or so. But an attacker with powerful antennas can be more than 10km away and still access the network. RFID tags fall prey to the same problem; an attacker can be two orders of magnitude farther away than intended and still read data. For instance, if an RFID tag is designed to be read at 1 foot, an attacker may be able to be 100 ft away and still interact with it.

RFID tags typically only contain a unique number that is useless on its own. The idea is that the reader interfaces with some backend system and database for all transactions. The database stores the information that ties the unique ID to something of interest. For instance, the database knows that ID 1234 is attached to a bar of soap. An attacker reading RFIDs would not know, without access to the database, what ID 1234 is.

Unfortunately, we cannot always assume that an attacker will not have access to the backend database. As the last decades of network security have demonstrated, backend systems are often all too easy a target for an attacker. And once the database tying the unique IDs to physical items has been compromised, it would be nearly impossible to retag all the items in response.

The vast majority of RFID tags on the market require no authentication to read the information on them. This allows anyone, an attacker or even just a competitor, to read the data on an RFID chip. Further, many tags have the capability to write information to the chip without authentication. This is especially troubling for enterprises relying on RFID for things like supply chain management. An attacker could theoretically overwrite values on the RFID tags used by the enterprise, thereby wreaking havoc with their RFID system.

Killing a tag

One of the primary privacy concerns regarding RFID is the ability for a consumer to be tracked once they have bought an item that contains an RFID tag. To overcome this fear, vendors and enterprises have devised various ways to attempt to terminate the tag.

One method of terminating a tag used for retail sales is to simply change the info on the tag to random data when the item is sold. That way a store's security system knows the item has been sold and does not sound an alarm when the item leaves. Further, with random data, the idea is the RFID information can no longer be tied to a value in the database. The problem with this method is that there is still an RFID chip active in the item, even if the data on the chip is random. An attacker is still able to physically track the tag, and even store data on it if they so desired. So some tags also have the concept of a KILL command. When a tag receives a KILL command, it ceases to respond to requests from RFID readers. A KILL command actually terminates the RF capability of the chip.

While this is good from a privacy perspective, it poses a massive security risk. The KILL command is protected by a password on the chip. Unfortunately, RFID chips are very primitive. So many enterprises have all their RFID chips created with the same KILL password. Further, there is no capability to change the KILL password once a chip has been fabricated. An attacker with knowledge of an enterprise's KILL password can potentially terminate all the RFIDs they are within range of. In a short period of time, an attacker can render hundreds of thousands of tags completely useless.

Parting shot

As RFID tags get cheaper, they will be integrated into more and more systems. While an incredible tool for supply chain management and asset tracking, RFID tags have more in common with 20 year old memory card technologies than contemporary wireless systems. Unlike old memory cards, RFID tags are accessible from a great distance given advanced wireless equipment. Attacks against RFID tags are trivial and privacy concerns are everywhere. To date, these concerns have not outweighed the advantages to businesses in need of RFID technology and the rate of adoption is accelerating. Until new standards and more advanced chips can be made, RFID tags will remain easy targets for attackers determined to cause havoc or commit crimes.

About the author

Bruce Potter is currently a senior security consultant at Booz Allen Hamilton.
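The "Killing a tag" section above describes the enterprise practice of programming every tag with the same KILL password, so that one leaked password disables the whole fleet. The following is an added example, not from the article or any RFID vendor, of the usual mitigation, key diversification: each tag's password is derived as HMAC(master key, tag ID) and truncated to the password width, so a password recovered from one tag is useless against every other. The 32-bit password width is an assumption, the tag model is a deliberately minimal stand-in for real chip behaviour, and the master key and tag IDs are constructed.

```python
"""Per-tag KILL passwords derived from one master key.

Added example, not from the article.  Contrasts a fleet that shares a
single KILL password with a fleet whose passwords are diversified per tag
from a master key held only on the back end.  Password width, master key
and tag IDs are assumed or constructed sample values.
"""
import hashlib
import hmac
import secrets

PASSWORD_BITS = 32   # assumed width of the tag's kill password
_PW_BYTES = PASSWORD_BITS // 8


def diversified_kill_password(master_key: bytes, tag_id: bytes) -> int:
    """Derive one tag's kill password from the enterprise master key.

    The back end can recompute it for any tag; nothing on a tag reveals
    the master key or another tag's password.
    """
    mac = hmac.new(master_key, b"KILL" + tag_id, hashlib.sha256).digest()
    return int.from_bytes(mac[:_PW_BYTES], "big")


class Tag:
    """Minimal model of a tag: an ID, a fixed kill password, an alive flag."""

    def __init__(self, tag_id: bytes, kill_password: int):
        self.tag_id = tag_id
        self._kill_password = kill_password.to_bytes(_PW_BYTES, "big")
        self.alive = True

    def accepts(self, password: int) -> bool:
        """Would this password be honoured by the KILL command?"""
        return hmac.compare_digest(password.to_bytes(_PW_BYTES, "big"),
                                   self._kill_password)

    def kill(self, password: int) -> bool:
        """Tag permanently stops responding only if the password matches."""
        if self.alive and self.accepts(password):
            self.alive = False
        return not self.alive


def provision(master_key: bytes, tag_ids):
    """Program a fleet with diversified passwords."""
    return [Tag(t, diversified_kill_password(master_key, t)) for t in tag_ids]


def blast_radius(tags, leaked_password: int) -> int:
    """Number of live tags an attacker holding one leaked password could kill."""
    return sum(1 for t in tags if t.alive and t.accepts(leaked_password))


def demo(n: int = 1000):
    """Return (tags killable with a shared password, tags killable with a
    diversified one) when the attacker learns the password of tag 0."""
    ids = [i.to_bytes(12, "big") for i in range(n)]   # constructed 96-bit IDs

    shared = secrets.randbits(PASSWORD_BITS)           # weak: one password for all
    weak_fleet = [Tag(t, shared) for t in ids]

    master = secrets.token_bytes(32)                   # kept on the back end only
    strong_fleet = provision(master, ids)

    leaked_weak = shared
    leaked_strong = diversified_kill_password(master, ids[0])
    return blast_radius(weak_fleet, leaked_weak), blast_radius(strong_fleet, leaked_strong)


if __name__ == "__main__":
    print("killable with shared password, killable with diversified:", demo())
```

Diversification limits the damage from one recovered password; it does not address the article's other point that a password cannot be changed after fabrication, so a tag whose diversified password has leaked still has to be replaced rather than re-keyed, and the master key itself needs the same protection as any other back-end secret.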
SNORT

the vast majority of the network security managers who use Snort use it on a Linux platform (78.3%).

Of those security managers who do not use Snort, they gave the following reasons why:
• Don't use any IDS system (44.8%).
• Snort is not as useful as a commercial IDS product (24.1%).
• Don't use open source (6.9%).
• Snort installation/setup procedure too complicated (6.9%).
• Did not have time to install/setup Snort (6.9%).
• Snort not robust enough (3.4%).
• Use IPS instead (10.3%).

Interfaces for organizing Snort's output

It is not surprising that the vast majority of the front-end interfaces for Snort are designed to help users organize and display Snort's voluminous output into coherent reports. Even on a small to medium-sized network or network segment it is not unusual for Snort to generate between 15 and 20 thousand legitimate alerts each month. Examples of interfaces are as follows:
• Analysis Console for Intrusion Databases (ACID) - http://www.cert.org/kb/acid - 66.7% of all network security managers who use Snort say they also use ACID.
• PureSecure - http://www.demarc.com - None of the surveyed network security managers use it.
• SnortFE - Not used by any survey respondents.
• Snortsnarf - http://www.silicondefense.com - 12.5% of network security managers use it.
• Razorback - http://www.intersectalliance.com/index.html - not used by survey respondents.

Interfaces for configuring Snort

Some Snort developers have concentrated on developing an easier to use Snort configuration environment for configuring Snort's network settings, preprocessor controls, output plug-ins and updating Snort's rules files. This study seems to suggest that this category of add-ons is not nearly as popular as the first category. In this study 79.2% of all network security managers who use Snort use one or more of the report/trend analysis add-ons (category 1) while only 25.0% of the network security managers who use Snort use one or more of the configuration add-ons (category 2).
• IDScenter - available free at http://www.engagesecurity.com - 16.7% of all network security managers who use Snort use and/or have tried IDScenter.
• SnortCenter - available at http://users.pandora.be/larc/index.html - Only 8.3% of the network security managers who use Snort say they also use SnortCenter.
• Hen Wen (MAC OSX) - 8.2% of the responding network managers who use Snort both use and have tried Hen Wen.

Conclusion

In this study it appears that as network size increases network security managers appear much more likely to make the decision to include an IDS such as Snort in their security arsenals as suggested by security best practices (Allen, 2001). Among the security managers who reported using Snort, 87.5% administer large networks (>1000 workstations and/or host computers) and 12.5% administer small networks (<1000 workstations and/or host computers). This study also shows that the decision to use Snort as their IDS of choice also includes the choice of which GUI front-end to use and overwhelmingly the network security managers represented in this study chose ACID. This choice of Snort add-ons also suggests that most security administrators are using Snort more as an attack trend analysis tool rather than as a real-time intrusion indicator. This study also shows that network security administrators also strongly favor the Snort/ACID combination in operation on a Linux platform (78.3%). This could possibly explain the poor showing of the use of IDScenter, which includes ACID but only operates on Windows OS.

The addition of a GUI interface such as ACID, or any of the other add-ons mentioned in this study, has been shown in numerous other studies to improve operator efficiency (Mann & Schnetzler, 1986; Pulat & Nwankwo, 1987) and few will deny that the addition of GUI front-ends and report generators have made Snort a more viable product for a larger target audience since the interfaces make the product more usable (Redmond-Pyle & Moore, 1995). In addition to more user-friendly interfaces many of the developer sites are also now offering installation assistance for Snort.

But the development of the variety of GUI front ends described in this article and the added usability they present, mean security administrators now possess a much wider choice for how they might want to deploy Snort-based sensors on their networks. Since an IDS is a passive device with low CPU overhead, security managers are not limited or restricted to the choice and number of front-end products they can deploy and can place any number of Snort sensors on their network in any combination of the front-end products previously listed.

References:
Northcutt, S., & Novak, J. (2001). Network Intrusion Detection: An Analyst's Handbook. Indianapolis: New Riders.
DataNerds. http://www.datanerds.net/~mike/short.html
Preece, J., Rogers, Y., & Sharp, H. (2002). Interaction Design: Beyond Human Computer Interaction. Hoboken, N.J.: John Wiley & Sons, Inc.
Allen, J. (2001). CERT Guide to System and Network Security Practices. Indianapolis: Addison-Wesley Pearson Education.
Redmond-Pyle, D., & Moore, A. (1995). Graphical User Interface Design and Evaluation. London: Prentice Hall.

Note:
[1] There is also a port of Snort for the Mac OS called Hen Wen.
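The study above finds that Snort is mostly used as a trend analysis tool, with front-ends such as ACID reducing 15 to 20 thousand alerts a month to coherent reports. As an added example, not part of the article and not code from the Snort project or any of the front-ends listed, the following parses Snort's one-line "fast" alert format and reduces a batch of alerts to counts by signature, priority and source address, which is the core of what those consoles display. The alert lines are constructed sample data (local-rule SIDs, RFC 5737 documentation addresses), not real alerts, and unparseable lines are counted rather than silently dropped.

```python
"""Reducing Snort fast-format alerts to a trend summary.

Added example, not from the article or the Snort project.  Parses one
alert per line in Snort's "fast" output format and aggregates by
signature, priority and source.  SAMPLE_ALERTS is constructed test data.
"""
import re
from collections import Counter

# One fast-format alert:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"      # optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"         # ICMP has no ports
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (local-rule SIDs >= 1000000, documentation IPs).
SAMPLE_ALERTS = """\
04/03-09:12:01.000001  [**] [1:1000001:1] LOCAL UDP 1434 worm-style probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
04/03-09:12:02.000002  [**] [1:1000001:1] LOCAL UDP 1434 worm-style probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434
04/03-09:15:40.000003  [**] [1:1000002:2] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
04/03-09:16:05.000004  [**] [1:1000003:1] LOCAL HTTP suspicious user-agent [**] [Priority: 2] {TCP} 198.51.100.9:51234 -> 192.0.2.20:80
this line is not a snort alert and is counted as skipped
"""


def parse_alert(line: str):
    """Return a dict of fields for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec


def summarize(lines, top_n: int = 5):
    """Aggregate alert lines into counts by signature, priority and source."""
    by_sig, by_prio, by_src = Counter(), Counter(), Counter()
    parsed = skipped = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():          # blank lines are not worth reporting
                skipped += 1
            continue
        parsed += 1
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_prio[rec["prio"]] += 1
        by_src[rec["src"]] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "by_signature": by_sig.most_common(top_n),
        "by_priority": dict(by_prio),
        "top_sources": by_src.most_common(top_n),
    }


def report(lines) -> str:
    """Render the summary as the kind of table a console such as ACID shows."""
    s = summarize(lines)
    out = [f"alerts parsed: {s['parsed']}  (unparsed lines skipped: {s['skipped']})",
           "by signature:"]
    for (sid, msg), n in s["by_signature"]:
        out.append(f"  {n:6d}  sid {sid}  {msg}")
    out.append("by priority: " + ", ".join(
        f"P{p}={n}" for p, n in sorted(s["by_priority"].items())))
    out.append("top sources:")
    for src, n in s["top_sources"]:
        out.append(f"  {n:6d}  {src}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS.splitlines()))
```

Counting skipped lines matters operationally: a rule set or output plug-in upgrade that changes the line format would otherwise show up as a drop in alert volume rather than as a parsing failure.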