![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Bruce Schneier <schneier@counterpane.com>
To: crypto-gram@chaparraltree.com
Subject: CRYPTO-GRAM, June 15, 2001
Date: Fri, 15 Jun 2001 00:56:08 -0500
CRYPTO-GRAM
June 15, 2001
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at
<http://www.counterpane.com/crypto-gram.html>. To subscribe or
unsubscribe, see below.
Copyright (c) 2001 by Counterpane Internet Security, Inc.
** *** ***** ******* *********** *************
In this issue:
Honeypots and the Honeynet Project
Crypto-Gram Reprints
News
Counterpane Internet Security News
Invicta Networks
DDOS Attacks Against grc.com
Comments from Readers
** *** ***** ******* *********** *************
Honeypots and the Honeynet Project
In warfare, information is power. The better you understand your enemy,
the more able you are to defeat him. In the war against malicious hackers,
network intruders, and the other black-hat denizens of cyberspace, the good
guys have suprisingly little information. Most security professionals,
even those designing security products, are ignorant of the tools, tactics,
and motivations of the enemy. And this state of affairs is to the enemy's
advantage.
The Honeynet Project was initiated to shine a light into this
darkness. This team of researchers has built an entire computer network
and completely wired it with sensors. Then it put the network up on the
Internet, giving it a suitably enticing name and content, and recorded what
happened. (The actual IP address is not published, and changes
regularly.) Hackers' actions are recorded as they happen: how they try to
break in, when they are successful, what they do when they succeed.
The results are fascinating. A random computer on the Internet is scanned
dozens of times a day. The life expectancy of a default installation of
Red Hat 6.2 server, or the time before someone successfully hacks it, is
less than 72 hours. A common home user setup, with Windows 98 and file
sharing enabled, was hacked five times in four days. Systems are subjected
to NetBIOS scans an average of 17 times a day. And the fastest time for a
server being hacked: 15 minutes after plugging it into the network.
The moral of all of this is that there are a staggering number of people
out there trying to break into *your* computer network, every day of the
year, and that they succeed surprisingly often. It's a hostile jungle out
there, and network administrators that don't take drastic measures to
protect themselves are toast.
The Honeynet Project is more than a decoy network of computers; it is an
ongoing research project into the modus operandi of predatory hackers. The
project currently has about half a dozen honeynets in operation. Want to
try this in your own network? Several companies sell commercial versions,
much simpler, of what the Honeynet Project is doing. Called "honeypots,"
they are designed to be installed on an organization's network as a
decoy. In theory, hackers find the honeypot and waste their time with it,
leaving the real network alone.
I am not sold on this as a commercial product. Honeynets and honeypots
need to be tended; they're not the kind of product you can expect to work
out of the box. Commercial honeypots only mimic an operating system or
computer network; they're hard to install correctly and much easier to
detect than the Honeynet Project's creations. And what's the point? You'd
be smarter to monitor activity on your real network and leave off the
honeypot. If you're interested in learning about hackers and how they
work, by all means purchase a honeypot and take the time to use it
properly. But if you're just interested in protecting your own network,
you'd be better off spending the time on other things.
The Honeynet Project, on the other hand, is pure research. And I am a
major fan. The stuff they produce is invaluable, and there's no other
practical way to get it. When an airplane falls out of the sky, everyone
knows about it. There is a very public investigation, and any airline
manufacturer can visit the National Traffic Safety Board and read the
multi-hundred-page reports on all recent airline crashes. And any airline
can use that information to design better aircraft. When a network is
hacked, it almost always remains a secret. More often than not, the victim
has no idea he's been hacked. If he does know, there is enormous market
pressure on him not to go public with the fact. And if he does go public,
he almost never releases detailed information about how the hack happened
and what the results were.
This paucity of real information makes it much harder to design good
security products. The Honeynet Project team is working to change that. I
urge everyone involved in computer security to visit their Web site. Great
stuff, and it's all real.
<http://project.honeynet.org>
The "Know Your Enemy" series of essays:
<http://project.honeynet.org/papers/>
Articles:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html>
<http://news.cnet.com/news/0-1014-201-5784065-0.html>
<http://www.linuxsecurity.com/feature_stories/feature_story-84.html>
<http://www.computerworld.com/rckey73/story/0,1199,NAV63_STO59072,00.html>
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Timing attacks, power analysis, and other "side-channel" attacks against
cryptosystems:
<http://www.counterpane.com/crypto-gram-9806.html#side>
The internationalization of cryptography policy:
<http://www.counterpane.com/crypto-gram-9906.html#policy>
and products:
<http://www.counterpane.com/crypto-gram-9906.html#products>
The new breeds of viruses, worms, and other malware:
<http://www.counterpane.com/crypto-gram-9906.html#viruses>
Microsoft SOAP:
<http://www.counterpane.com/crypto-gram-0006.html#SOAP>
The Data Encryption Standard (DES):
<http://www.counterpane.com/crypto-gram-0006.html#DES>
** *** ***** ******* *********** *************
News
Newly declassified documents about the 1993 Clipper program. More reasons
not to trust key escrow:
<http://www.newsmax.com/archives/articles/2001/5/14/203404.shtml>
Nasty semantic attack -- a new worm disguises itself as a virus alert from
Symantec.
<http://news.cnet.com/news/0-1003-200-5933461.html?tag=mn_hd>
The problems with security benchmarks:
<http://www.computerworld.com/cwi/stories/0%2c1199%2cNAV47-68-84-91_STO60526
,00.html>
In "Secrets and Lies," I wrote about phone-system hacking to reroute phone
calls from one number to another. It looks like a big problem in Las Vegas:
<http://www.securityfocus.com/news/205>
The European Parliament recommends that people should use encryption to
protect themselves from Echelon:
<http://news.bbc.co.uk/hi/english/world/europe/newsid_1357000/1357264.stm>
<http://www.it-analysis.com/article.asp?id=1252>
There's been a lot going on at NIST. You can read about the latest AES
standard comments here:
<http://www.nist.gov/aes>
Here is a draft of the revised Secure Hash Standard (FIPS 180-2); comments
due the end of August.
<http://www.nist.gov/sha>
You can read comments on the HMAC standard here:
<http://www.nist.gov/hmac>
And NIST is hosting a second Key Management Workshop on 1-2 November:
<http://www.nist.gov/kms>
The FBI's National Information Protection Center isn't as good as you might
think, according to a GAO report:
<http://dailynews.yahoo.com/h/nm/20010523/tc/tech_fbi_dc_2.html>
<http://www.theregister.co.uk/content/8/19153.html>
The GAO report:
<http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.21&;
filename=d01323.txt&directory=/diskb/wais/data/gao>
McDonald's is testing a form of electronic cash. I predict this will be
successfully hacked within months, if not weeks. After all, there's real
money to be made here:
<http://www.usatoday.com/life/cyber/tech/2001-05-29-mcdonalds-e-payments.htm>
An example of a "benevolent" virus: the Cheese worm. Ask any network
administrator what he thinks of something sneaking into his network and
making changes without telling anyone.
<http://cgi.zdnet.com/slink?100889:8469234>
Here's another "benevolent" virus; this one attacks child pornography:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2766314,00.html>
I've already written about why this is a bad idea:
<http://www.thestandard.com/article/0,1902,18348,00.html>
This is a pure semantic attack. It's a virus warning that tells you to
delete a "dangerous" file from your computer, a file that is in fact an
important file. There's no malicious code, no attachment, no nothing. The
victim does the damage to himself, simply because he believes the e-mail.
<http://www.msnbc.com/news/580455.asp>
But there's a variant of this e-mail that actually contains a virus:
<http://www.vnunet.com/News/1122482>
Two good stories about insider attacks and the damage they can cause:
<http://news.cnet.com/news/0-1003-200-6175709.html>
<http://www.techtv.com/cybercrime/internetfraud/story/0,23008,3013872,00.html>
Attrition.org will no longer mirror hacked Web sites:
<http://www.attrition.org/news/content/01-05-21.001.html>
A really good source for information on different election systems:
<http://www.aceproject.org/main/english/>
Another reason that documenting security is no longer optional:
<http://www.computerworld.com/cwi/story/0,1199,NAV47_STO60729,00.html>
This cell phone offers strong end-to-end encryption. Near as I can tell,
it's not yet available in the U.S.
<http://news.cnet.com/news/0-1004-200-6186906.html>
Ed Felten, with the help of the Electronic Frontier Foundation, sues the
recording industry over his research on their digital copyright
schemes. This is a big deal. There's lots of information at the EFF Web
site for the case:
<http://www.eff.org/Legal/Cases/Felten_v_RIAA/>
I have written a brief that will be filed a few days after this issue of
Crypto-Gram is published. Look for the link on the EFF Web site.
News reports:
<http://www.wired.com/news/mp3/0,1285,44344,00.html>
<http://news.cnet.com/news/0-1005-200-6205709.html>
Someone in Ottawa set up a scanner to eavesdrop on cell phone calls, and
then made the results available on the Internet in streaming MP3
format. Near as anyone can tell, this is perfectly legal.
<http://www.canoe.ca/OttawaNews/OS.OS-06-07-0003.html>
The biggest misconception in the article is the notion that digital
cellular is inherently more secure. I remember when analog cell phones
were new. The industry argued that strong security was not necessary
because scanners were expensive and rare. Now scanners are cheap and
plentiful. Today the industry argues -- like they do in the article above
-- that strong digital cell phone security is not required because digital
scanners are expensive and rare. They are, but how soon before they are
cheap and plentiful?
** *** ***** ******* *********** *************
Counterpane Internet Security News
Counterpane has announced a reseller agreement with Exodus Networks:
<http://www.counterpane.com/pr-exodus.html>
Schneier has written a new white paper on Counterpane's Managed Security
Monitoring service. You can download a copy at:
<http://www.counterpane.com/msm.html>
Schneier is speaking at the Black Hat Briefings in Las Vegas this July:
<http://www.blackhat.com/html/bh-usa-01/bh-usa-01-index.html>
Lately I've been getting sloppy at crediting and thanking other people for
their help and contributions to Crypto-Gram. In the May issue, much of the
essay "Defense Options: What Military History Can Teach Network Security,
Part 2" was sent to me in a commentary e-mail by Anna Slomovic. And many
of the points in "Safe Personal Computing" were originally made in an
e-mail from Eric Scace. Both of those people deserve a special
apology. Additionally, I regularly ask various people to comment on drafts
of my essays, and their words sometimes end up in the final copy. People
who come to mind include Ross Anderson, Steve Bellovin, Niels Ferguson,
Greg Guerin, John Kelsey, Peter Neumann, Marcus Ranum, Mike Stay, David
Wagner, and Elizabeth Zwicky, although there are certainly others. And
many, many people send me news items for inclusion in Crypto-Gram; thank
you to those people as well.
** *** ***** ******* *********** *************
Invicta Networks
Invicta Networks announced a new security product. Normally, the
announcement would drown in the sea of other random security announcements,
but Invicta has a lot of star power behind it. The head of the company,
Victor Sheymov, is a former KGB agent who defected. R. James Woolsey,
former head of the CIA, is on the board. The insurance giant AIG is
involved. So it got some major press attention that it doesn't yet deserve.
There is very little technical information available about Invicta's
technology. The Web site is useless. I tried contacting the company, and
was told that they are still filing patents and technical details are only
available under NDA. I received a single four-page white paper that was
long on hyperbole and short on details.
Actually, the white paper contained enough snake-oil talk to make me
suspicious. "Invicta's patent-pending technology makes the network it
protects invisible to hackers. This technique provides unbreakable
security against internal and external hacking, denial-of-service attacks,
and instructive viruses...." "...a fundamentally new way of protecting
private networks." "...a powerful conceptual shift in cyber
security...." If there's any real science here, the marketing people have
obliterated it.
There are some hints as to what they're doing. Near as I can tell,
Invicta's "Variable Cyber Coordinates system" is a hardware security
product that constantly changes the IP addresses of computers on a
network. The idea is that if hackers want to target your company, they
won't be able to attack the machines because they don't know their addresses.
Not a bad idea, actually. It could even provide some security. It won't
solve everything; remember that many huge security vulnerabilities come
from all those network services you want to make available to the world
(e.g., Web servers), and these have to have public IP addresses. And
adding a hardware card to every one of a network's computers won't be
cheap, and I wouldn't throw away any other security measures just yet. I
certainly wouldn't echo Woolsey's characterization as an "absolutely
remarkable intellectual achievement." Or Sheymov's assertion that it "will
start a new chapter in Internet history."
I also wouldn't agree that it's "a completely different direction than
anybody else." In another newsletter, Crispin Cowan wrote: "DARPA (Defense
Advanced Research Projects Agency) explored this idea in a red team
experiment several years ago. The defenders employed the randomized
address technique, without the attacker's knowledge. The technique
significantly slowed the attackers, until they figured out what was going
on, at which point effectiveness diminished. Problem: the effective random
search space (the size of your subnet) is small." I received another
e-mail saying that the Invicta system is similar to something called
NetEraser from SAIC. Note to the U.S. Patent Office: please look at the
prior art before you issue Invicta a patent.
One interesting footnote to this whole story is that a major insurance
company is willing to give a 10% discount to people using this system. I
have two reactions to this. The cynical one: it's a PR ploy, they would
give a 10% discount to any reluctant customer who asked for one. The
idealistic one: this is another step forward to the time when the insurance
industry drives the computer security industry.
Company Web site, with a tiny amount of information:
<http://www.invictanetworks.com>
News article:
<http://www.msnbc.com/news/576522.asp?0nm=T25B>
** *** ***** ******* *********** *************
DDOS Attacks Against grc.com
Steve Gibson has written a fascinating and entertaining essay about his
experiences with a distributed denial-of-service attack against his Web
server. It had good analysis, conversations with teenage hackers, and
general predictions for the future. I strongly urge everyone to read it.
<http://grc.com/dos/grcdos.htm>
Go on...I'll wait.
Okay. Now read his "Open Letter to the Internet's Hackers":
<http://grc.com/dos/openletter.htm>
Ignore the details of the attack, and his arguments that Windows XP will
make the situation much worse. Concentrate on the big picture. I think
this story has an enormous lesson for all.
Here's a guy who is reasonably knowledgeable in computer security. He's a
computer consultant, with a Web site that is integral to his
livelihood. He has had this Web site attacked, repeatedly, simply because
he was *rumored* to have said something mildly disparaging about hackers
*in general*. He spent a lot of effort defending himself, even to the
point of trying to engage his attackers. Yet in the end, he realized that
there was no defense, and he surrendered unconditionally.
To a 13-year-old!
Imagine if that happened in the real world. Imagine that you were
prevented from entering your home--that some random teenagers piled junked
cars at the end of your block--because they incorrectly believed that you
used a phrase like "typical irresponsible teenagers." Furthermore, imagine
that your attempts at removing the cars and returning home were constantly
thwarted (more cars were being deposited every minute), that the police
could do nothing, and that these random interruptions continued to
occur. In the end, imagine that you had to surrender your ability to
access your own home to these random attackers.
The ordinary citizens of the digital world are in thrall to teenage
terrorists, and nobody seems to be paying attention. How long will it take
before some of these guys figure out they can extort money or other
valuable goods with their ambushes? This situation is not going to
magically get better. There is no technology waiting in the wings that is
going to solve this problem. And as Steve Gibson said in his essay: "We
can not have a stable Internet economy while 13-year-old children are free
to deny arbitrary Internet services with impunity."
I'm not suprised that Gibson could not defend himself. DDOS attacks are a
network problem, not a computer problem. Most so-called "network security
problems" are nothing of the sort; they're host security problems, with the
network as the conduit. DDOS is a network security problem; it's the
network's resources that are being abused. Gibson couldn't prevent the
attacks because the problem wasn't in anything under his control. It's up
to the ISPs to figure out how to stop such things.
Unfortunately, most of the press about this escapade has centered around
Gibson's accusations against Microsoft. He claims that Windows XP will
make this much worse, and Microsoft has responded with its typical press
propaganda. That's a pity, though, because I think Microsoft is mostly
right here. It's just not true that you can't spoof Internet packets with
current versions of Windows. It's not easy, but it's not impossible. Yes,
Windows XP will make it worse. But as Gibson points out, it's amazingly
bad right now.
The fundamental problem is that the user does not have control over his
desktop -- not the details of the operating system. It's certainly true
that Microsoft makes it easier for viruses, worms, and Trojans to spread
and do damage -- we've seen that with all of these viruses that can
automatically spread with Outlook but not with Eudora -- but we can never
fix the problem until we can secure the desktop.
This won't solve the DDOS problem, but it will at least make it harder to
recruit zombies.
News articles:
<http://cgi.zdnet.com/slink?106463:8469234>
<http://www.theregister.co.uk/content/8/19425.html>
<http://www.theregister.co.uk/content/8/19507.html>
<http://www.theregister.co.uk/content/8/19469.html>
<http://www.nytimes.com/2001/06/04/technology/04FLAW.html>
** *** ***** ******* *********** *************
Comments from Readers
From: Richard Howard <racebannon@worldnet.att.net>
Subject: Military History and Computer Security
I am a network manager in the Army, and have been struggling with the
question of network defense for the past ten years. I am presenting a
paper in June at the 2nd Annual IEEE Systems, Man, and Cybernetics
Information Assurance Workshop on this very subject.
<http://home.att.net/~racebannon/information_operations.htm>
I think defending the network and defending the hilltop are exactly the
same. Just look at your examples. The attacker of a hilltop can choose
when and how to attack. He generally knows the capabilities of his enemy
and which weapon systems to anticipate. The longer a defender stays in one
location, he constantly upgrades his position. He starts with putting men
on the ground. As time permits, they dig foxholes, then fill sandbags for
overhead cover, etc., etc. And, the defender can still get whacked if he
overlooked something like a key piece of terrain or an obscure avenue of
approach.
I completely agree with the notion of outsourcing security. It is not that
I don't want to do security, I never have enough people to get there. And,
in order to do it right, the security people have to know it all from
operating systems to networks to programming to web. I usually have to
devote these smart people to other problems that occur day-to-day and
handle security as time permits. Unfortunately, contracting out to a
commercial security firm like yours is not really an option for the
military especially in times of war. And, if we go to war, my bosses are
going to want all of this security stuff and will be ill-prepared to deal
with it.
From: Scott Tousley <stousley@genuity.net>
Subject: Military History and Computer Security
I think you need to consider the lessons of Vietnam, the Balkans and now
Palestine. Your cited examples are largely "clean" military fights,
whereas I think the network security problem is how to deal with the small
percentage of malicious activity in a sea of legitimate traffic,
configuration problems and smorgasbord software. How do we handle network
security as guerilla warfare, which requires thoughtful defense, focused
attack on known targets, and a long-term top level coherence imposed on a
society living with low-level warfare alongside normal economic and social
activity.
From: Dan Cieslak <danC@ubid.com>
Subject: Military History and Computer Security
I believe that your analogy is flawed. In conventional military defense
the defender generally knows against whom to defend and the likely nature
of the attack method. Network security is more like defending against
guerilla warfare -- the attackers look much like the civilians, are
decentralized and whose main objective is creating havoc and chaos, rather
than taking a particular position. While I am no military history buff, I
would argue that using conventional defenses against a guerilla offense
does not work (witness Vietnam). Thus, the current situation with network
defenses modeling conventional passive defenses is ultimately flawed.
From: Mathias Dybvik <md@tmdybvik.com>
Subject: Military History and Computer Security
> Warfare has taught us again and again that active defenses and
> counterattacks are far more effective than passive defenses.
This is not correct. The most effective defense is *not being
attacked*. This can be achieved by not being seen, (or in the high tech
era, "sensed"). It can also, as David Wallace pointed out, be accomplished
by deterrence. The second most effective defense is, in general, to be
"untouchable." This can be achieved through rapid movement, difficult
terrain, thick bunker walls, or by seeking cover in a cave. Or through
keeping a critical corporate LAN separated from the Internet.
> Look at the Battle of Gettysburg in the American Civil War.
> Look at the Battle of the Bulge in World War II. Look at Leyte,
> Agincourt, and almost any piece of military history.
Very little war history is written about sucessful passive defenses. There
simply isn't anything interesting to write about if you can't reach, or
harm, the enemy! Nor are there many interesting news articles written
about corporate networks that aren't attacked.
The interesting stuff, the pivotal points in history, typically comes as a
result of counterattacks. Counterattacks play a crucial strategic role,
and they are the only means we can employ to turn the situation
around. They are also incredibly costly, so we would want to employ such
tactics under favorable circumstances; that is, we would like to have such
confrontations take place when we are ready for them.
However, in order to be able to stay alive long enough to accomplish such
feats, most of us would rely on passive defenses. We carry our gas masks,
we move in the dark and we encrypt our communications. We also keep those
firewalls configured to reveal the minimum amount of information about our
networks.
> Even in the animal kingdom, teeth and claws are a better
> defense than a hard shell or fast legs.
If you looked at the number of animals that (successfully) rely on not
being seen, heard or caught by predators, vs. the number that attempt to
kill their attackers, I think you might be surprised.
But is there anything military history can teach Network Security? Lots!
1. Fight only the battles you can win. Don't expose parts of the network
that you can't protect. Don't wage a war using flawed algorithms or
inferior technology. (MPAA take note.)
2. Try to be invisible. It's extremely hard to attack something you don't
know about.
3. Even if you think you are invisible, you aren't. Always act as if you
aren't. Encrypt internal traffic.
4. Seconds count. Your ability to respond to a change in the situation can
be crucial. Reconnaissance (or a network monitoring system) can give you
the information you need to respond, but it's up to you to act on it. If
you are not comfortable with this, then consider paying someone who is.
5. Technology inevitably fails, prepare for it. Always wear belt *and*
suspenders. It's a little known fact, but your firewall was actually made
by the lowest bidder, and the software completed at 03:30AM by a
caffeine-crazed intern.
6. Friendly fire hurts. Both you and the enemy are human. Live with
it. People in both camps will do things that are radically unexpected. Is
your technology prepared for an attack (malicious or accidental) from the
inside?
From: Daniel Cvrcek <dcvrcek@vabo.cz>
Subject: Military History and Computer Security
The reading of your article made me think about some issues related to
computer crime. I am from the Czech Republic and there has been passed the
Personal Information Security Act. I suppose that it is a well-written
law, although some mistakes have been made. What I want to mention is the
existence of a team consisting of nine persons that are allowed to visit
and control facilities of any subject processing personal
information. They do not need any court order nor search warrant as the
police needs.
Some people do not like it, saying that a police state is returning. I do
not agree with the statement and believe that this is part of a general
movement necessary to prosecute computer crime in the future. I mean that
without special teams with very strong authority able to act very fast it
will be very hard to suppress computer crime performed by (semi) professionals.
I see the reverse side of this also. It is impossible to control such
teams and there must be put a strong confidence on them. But is there
another way? It seems to me that active defense and counterattacks follow
the same idea -- fast response to attacks, automatic when possible. And
strong confidence in the instruments and people doing the work. Maybe,
there will be certified software for the purpose in a several years.
From: Anonymous
Subject: FBI Tactics
> Impressive investigative work by the FBI. This is the kind of
> thing I like to see the FBI doing, rather than mucking about
> with surveillance tools like Carnivore.
> <http://news.cnet.com/news/0-1007-200-5699762.html?tag=tp_pr>
> <http://www.cnn.com/2001/TECH/internet/05/10/fbi.hackers.ap/index.html>
Impressive? Hmmm... it sounded awfully close to the U.S. Government
applying domestic laws extra-nationally. How would you like Russian laws
applied to your conduct while in the U.S.?
I also recall that the U.S. Government described the holding of the EP3
personnel as "kidnapping". It would be interesting to hear how they'd
describe U.S. nationals being knowingly and deliberately lured and then
arrested by a foreign government, as happened in this case. Sure sounds
like kidnapping to me.
From: Wouter Slegers <wouter@yourcreativesolutions.nl>
Subject: The Dutch Government and Key Escrow
> The Dutch government is forcing trusted third parties
> to use key escrow.
> <http://www.telepolis.de/english/inhalt/te/7571/1.html>
This is not correct. The leaked internal draft of the TTP chamber referred
to states that the law enforcement agencies should have the same access to
encryption managed by TTPs as with any other provider of telecommunication
infrastructure. Under the new Dutch telecommunications law, any provider
of general telecommunication infrastructure (telephone companies, ISP et
al), when served with a wiretap order, must provide the traffic of the
specified customer as readable as possible. This includes providing the
encryption keys used for that traffic iff the provider has access to them
(or providing the plain text communication). A TTP storing or providing
keys directly used for encryption is no different.
However this is *only* relevant for TTPs that hold the keys needed to
decrypt your traffic. In most setups TTPs simply do not hold these keys
and can therefore not be forced to give them. And no, this does not mean
the TTPs are forced to implement key escrow if they didn't already provide it.
From: Ken Ayer <kayer@visa.com>
Subject: Common Criteria
There is a discussion underway amongst those trying to work with the Common
Criteria as to whether it can be applied to an entire system and whether it
can be applied to a process (such as personalizing a smart card). That
discussion has not yet reached an agreed upon conclusion. However, there
is considerable agreement on its ability to usefully test the security of a
component of a system, such as a smart card. Knowing the security of a
smart card that is part of a system is a very useful step, just as knowing
how strong a padlock is helps in securing a building. A strong padlock
alone doesn't mean that the building is secure, but it should mean that a
thief is going to have to expend a knowable amount of effort to defeat
it. Knowing that, we can turn our attention to the door itself -- a great
padlock on a half-inch plywood door doesn't make much sense, but neither
does a weak padlock on a bullet-proof door. The Common Criteria at least
provides a possible way of rating the security of parts of a system.
Some kind of testing system is needed if you're going to compare padlocks
or smart cards, which is also a task we need to do. Every vendor (whether
of a chip, card, lab or consulting service) says it's the best, but we need
a way to compare these claims. The Common Criteria provides a way to
compare products and services against a common standard. The Protection
Profile mechanism provides a way for users to specify their requirements
and is open to refinement by users. Users can write new components
(requirements) in to their Profile, which gives this system more
flexibility than has been available in the past.
What Visa has done with the Common Criteria is to start a dialogue on how
to clearly express security requirements, how to show that a product meets
those requirements, and how to test whether the product does in fact meet
them. Other payment systems, vendors, associations and government bodies
have joined the dialogue, which has not been a Visa only effort for the
past two years. We are making progress, though there remains work to be
done. There is nothing that prevents anyone else from using the Common
Criteria in the same way for their own needs. It doesn't offer easy
solutions, but it does offer a framework that can be tailored to many
different needs. The only question is whether people are willing to make
the effort it takes to make it work. The alternative is to continue with
everyone claiming that they're the best and only solution and no way to
compare or sort out the claims. That doesn't give better security, it just
reduces it to who can shout the loudest.
From: rrobles2@csc.com
Subject: Common Criteria
You mentioned a few things about the Common Criteria that fall short of its
process. While it's true that the Common Criteria offers evaluation based
on Protection Profiles, these evaluations don't necessarily need to claim
compliance to any Protection Profile. Evaluation can also be based solely
on a Security Target Document. This document is specific to the evaluated
product.
You also stated that these evaluations "won't tell you how to configure
your CheckPoint firewall, or what security settings to run on Windows
2000." This is not really true. According to the Common Criteria, the
Security Target, which will contain a definition of the Target of the
Evaluation, is publicly released. The Security Target Document also
contains the key security features examined in that evaluation.
The Common Criteria is basically governed by the specific Schemes in each
country. In the U.S., that is (NIAP). Requests are pasted to product
developers by the procurement offices. These developers then contact a
Certified laboratory to conduct the evaluation and coordinate the
acquisition of a certificate upon successful completion of the evaluation.
The Common Criteria process is a very young process and if it is to have
any longevity it will require that people be fully aware of its scope. I'm
not really sure if you were aware of these things about the Common Criteria.
From: Paul Kocher <paul@cryptography.com>
Subject: Digital Content Protection
I enjoyed reading the analysis of copy protection in the May 15, 2001
Crypto-Gram. While I agree that many existing copy protection systems are
badly flawed, I don't think that anti-piracy efforts or copy protection are
fundamentally doomed for technical reasons.
Even though content can always be pirated with enough effort, this doesn't
make content protection a failed concept. Pirates have many inherent
disadvantages. For example, they can't build infrastructure or large
organizations without being sued or prosecuted. Similarly, their customers
generally don't trust them because they are criminals.
Furthermore, copy protection systems don't need to last forever to be
worthwhile. The value of most content falls rapidly after it is
released. Anti-piracy systems that are effective for even short periods of
time can protect most of the business value of content, provided that they
can be renewed so that new content is not vulnerable to old attacks. In
general, anti-piracy technologies can be effective if they degrade the user
experience of pirates' customers or reduce piracy to manageable levels.
While it is futile to try to totally eliminate risks, it is possible to
manage them. The fact that CSS and other copy protection systems are badly
designed and insecure doesn't mean that systems with secure revocation,
tracing of pirated content, risk management of output ports, and good
renewability won't prove effective. For this reason, I disagree with the
assertion that "unrestricted distribution is a natural law of digital
content" -- I don't see piracy as the result of a natural law any more than
stealing, cheating, and eavesdropping are.
From: Mitch Wagner <mwagner@world.std.com>
Subject: Digital Content Protection
Let's accept for the sake of discussion that copyright is unenforceable for
digital media. I'm not convinced that's the case, but let's assume it to
be true for the moment.
How else do we ensure that novelists get paid if they can't sell copies of
their novels? If we rely on advertising, corporate sponsorship, or
patronage, then the advertisers, corporate sponsors and wealthy patrons,
who now indirectly control what gets published because they own the
distribution mechanisms, will be able to directly control it. Subscription
won't work in the copyright-free future, because for a subscription to
work, the distributors need to control the distribution mechanism, which
won't be true in our hypothetical digital future. Paying writers for
public appearances, or other incidentals, isn't paying them to write --
it's paying them to stand up in front of a room and talk INSTEAD OF writing.
The neat thing about copyright as it stands today is that, imperfect as it
is, it is a means of paying people to create by paying for the
creations. Yes, copyright is now the subject of grotesque abuses by big
companies, and these abuses are literally almost as bad from a societal
perspective as no copyright at all. But abolishing copyright is worse.
From: David Gibson <david@gibson.dropbear.id.au>
Subject: Digital Content Protection
As well as the fundamental problems with "digital content protection" there
are also likely to be some more superficial but nonetheless significant
problems, which may well bring down such systems before the fundamental
problems do.
In particular, the fact that many of these schemes are exceedingly
complicated and are likely to complexify hardware and firmware implementing
them by at least an order of magnitude. Those who have written hardware
device drivers will know that even for relatively simple devices such as
network cards, as often as not firmware (and even hardware) contain
numerous significant flaws. Mostly these are worked around in the drivers,
but at the cost of considerable extra complexity there. Moreover, these
schemes, unlike most firmwares, are designed to prevent software or drivers
from doing things, which will limit the ability to make workarounds in
software. The chances of there being widespread non-buggy implementations
of these vastly more complex content protection schemes are
negligible. This has two effects:
First, some of the flaws in some of the implementations are likely to
compromise the system's security. This will first of all allow people to
bypass the scheme on the flawed device, and second it is likely to greatly
assist in deciphering and comprehensively breaking the system even for
non-buggy implementations. This is pretty much what occurred with CSS: one
DVD player manufacturer's oversight in obscuring the decryption code
greatly expedited the creation of DeCSS.
Secondly, it means that devices using these schemes will be just plain
flaky. Which in turn means that they are likely to face considerable
resistance in the marketplace, even from users who have no interest in
bypassing the content protection system.
From: Richard Straub <richard.straub@mediacrypt.com>
Subject: Digital Content Protection
Preventing unauthorized people from copying or distributing intellectual
property is a natural law of this world, whether it is a digital or
physical product. It is just illegal in most if not all countries. That
is a fact. Whether it is an impossible task -- that is another issue. The
entertainment industry is indeed trying to protect their property. That is
natural and their right -- and not against natural law. They are looking
at technology to help them. I agree that this alone is certainly not
sufficient, and doomed to fail.
No security system is 100% sure. We all agree. Even the knowledge on how
to crack a safe can be distributed to average users and make them
"professionals" -- similar to the software cracking. Skills can be copied.
It is not unusual for an industry to protect/control an end-user
device. There are many existing examples. Take the energy meters in your
home, the taxation system built into European trucks when passing customs,
the "black boxes" built in airplanes, the phones in Europe (in the
monopolistic days) etc. So, what's wrong with controlling the display
device at home IF it protects your property. It might not be the way into
the future, I agree.
Legal protection is an additional tool and a solution to the problem of
protecting property -- whether intellectual or natural property. This will
not change. International legislation is certainly the key. In some
countries the distribution of alcohol is under strict control -- in some it
is not.
I strongly agree that new business models in combination with technology
and legal protection AND a thorough understanding what users want and how
they want it will be the way to go for protecting the content owners
property and assure them a revenue stream. Without revenue, Hollywood will
no longer be able to produce movies. Those who will figure out how to
leverage what you call "natural law" will make the money. Totally agreed.
Bottom line: The digital world is not so different than the existing world
for natural products. Protection of property IS a natural law.
A way to look at things differently or at a paradigm shift in an
example: In Amsterdam, the tram system (street cars) works as
follows. The tram rolls into the tram station. You enter the tram at the
back door; the front doors are exit only. Entering the back door you are
faced with a ticket officer, selling you the ticket for your ride. This
way it is basically guaranteed that there is no free ride; everybody
entering pays. You could also call this the principle of "we believe
everybody is inherently trying to hitch a free ride or tends to cheating."
This system was in use in Zurich, probably more than ten years ago. Today,
the tram system in Zurich is based on the principal "the majority does not
cheat or does not break the law." So, the tram rolls into the station. You
can board at any door. There's no ticket officer on the tram. No, it is
not a free systems. You are supposed to purchase the ticket at a ticket
dispenser at the tram station BEFORE you enter the tram. Are there people
cheating? Of course. How do you prevent the majority from cheating? By
imposing a high fine.
This works pretty well to the benefit of all parties: Flexibility and ease
of doing business for the customers (apart from the feeling "they trust
me"), reduced cost (personnel), and bigger throughput (no jam at the back
door). Does this principle work everywhere? Not necessarily. Culture is
another element to count. Some cultures see cheating as a sport, and some
as a strict crime.
From: Marco Rooney <m.j.Rooney@wbmt.tudelft.nl>
Subject: Semantic Attacks using HTTP address
Interesting story about the fake BBC page. I am currently using the Opera
browser. When I tried to access the page it asked me if I realized that I
was not contacting the BBC page, but another page with the BBC address as
username. It explicitly warns me that this methods is used to mislead
people. Very nice feature to prevent these uncomfortable
situations. Should be a standard on any browser, really.
From: bryk@software.org
Subject: A Cyber UL
I wish to present a short counter-argument to your article about a cyber
Underwriter's Laboratory. You focused on a UL for computer networks, in
part as a response to the newly-formed Center for Internet Security. While
I tend to agree with many of the points you make in the article, you didn't
explore any scenarios in which a cyber-UL would make sense.
It seems to me that industry (and government) is in need of some mechanism
(not necessarily a cyber-UL) that satisfies three key needs that
organizations have: 1) A set of best practices, 2) A means for charting an
improvement path, and 3) A measurement capability to assess/evaluate
progress/status on the improvement path.
A number of efforts have tried (and IMHO, failed) to satisfy all three
needs (e.g., ISO 17700, SSE-CMM). Some industries have "rolled their own"
mechanisms with varying degrees of success. Others have focused on a
single need and done much better (e.g., the SANS Top 10 Security
Vulnerabilities is a reasonable tool). Your oft-repeated argument that
security technology (e.g., CheckPoint firewall settings) changes too fast
to allow standards is counter to your "Security is a process, not a
product" mantra in your S&L book.
Industry needs a process-based standard that does a good job of addressing
the needs above. It is easy to criticize poor standards or poor types of
standards, but what is needed is thinking about what kinds of standards
could be useful (and then how to go about creating them). Once a
satisfactory mechanism to satisfy all three needs is available, the process
of information security will transition from an ad hoc, reactive field to a
more systematic field. Risks will still abound, but industry resources
attacking the problem will be spent more efficiently.
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.
To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit <http://www.counterpane.com/unsubform.html>. Back issues are
available on <http://www.counterpane.com>.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
Counterpane Internet Security Inc., the author of "Secrets and Lies" and
"Applied Cryptography," and an inventor of the Blowfish, Twofish, and
Yarrow algorithms. He served on the board of the International Association
for Cryptologic Research, EPIC, and VTW. He is a frequent writer and
lecturer on computer security and cryptography.
Counterpane Internet Security, Inc. is the world leader in Managed Security
Monitoring. Counterpane's expert security analysts protect networks for
Fortune 2000 companies world-wide.
<http://www.counterpane.com/>
Copyright (c) 2001 by Counterpane Internet Security, Inc.