Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. RE: Transitive Trust: 40 million credit cards hack'd (Brian Loe)
2. RE: Transitive Trust: 40 million credit cards hack'd (Marcus J. Ranum)
3. RE: Transitive Trust: 40 million credit cards hack'd (Paul D. Robertson)
4. RE: Transitive Trust: 40 million credit cards hack'd (David Lang)
5. RE: Transitive Trust: 40 million credit cards hack'd (Marcus J. Ranum)
6. Equifax Canada (Paul D. Robertson)
7. Re: Equifax Canada (Adrian Grigorof)
8. RE: Equifax Canada (Monkman, Brian)
9. RE: Equifax Canada (Paul D. Robertson)
--__--__--
Message: 1
From: "Brian Loe" <knobdy@stjoelive.com>
To: "'Marcus J. Ranum'" <mjr@ranum.com>,
"'Bill Royds'" <broyds@rogers.com>,
"'George Capehart'" <capegeo@opengroup.org>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Date: Sun, 19 Jun 2005 10:44:05 -0500
trust n.
1) Firm reliance on the integrity, ability, or character of a person or
thing.
2) Custody; care.
3) Something committed into the care of another; charge.
trust.wor.thy adj.
1) Warranting trust; reliable.
This to avoid arguments on semantics. Reading these it seems that "trust" is
an absolute and "trustworthiness" is subjective.
Applying that to some of the systems I have been charged with administering
(and all thought on this subject is new to me - how unfortunate, eh?), they
considered all systems required to talk to it as trustworthy. Various
systems REQUIRED a certain level of access to do the job, so it was given.
This trustworthiness is static. If something changed on the trustworthy
system, the trusting system has no way of knowing about it and therefore it
never re-evaluated the trustworthiness - then again, it couldn't because the
decision wasn't for the system to make, but the administrator, and the
administrator's bosses. The level of trust would not change unless and if
the trustworthy system was found to be compromised, and then it would be too
late for the trusting system as well because each step required human
input/output (with all of the intangibles involved, like ego and laziness).
Aren't there already models out there that fix this? That place a stage of
authentication and verification between each, or every other, transaction?
(I'm thinking authentication is very different from verification.
Authentication = I'm the system I say I am; Verification = my code is the
code it's supposed to be. As sort of discussed in Marcus' reference.)
I'm just trying to understand all of this better.
<snip>
> Here I get to channel for Peter (since he doesn't follow this
> list) Do you mean Trust or Trustworthiness?
>
> Trust is transitive. Trustworthiness is altogether a
> different proposition.
>
<snip>
> > There has recently been
> >some theoretical work on trust algebras (see
> >http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or
> >http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for
> >example) but little of it has filtered into actual practice.
>
> Cool.. Reading now... Looks like their perspective is that
> Trust and Trustworthiness are a matter of degree. I think
> that's a terminology issue, but I'm kinda sticking with
> "Trust" as a platonic ideal - the absolute, uber-Trust 100%
> Good Stuff. Everything else is "acceptable risk"
>
> Y'know it occurs to me that one metric by which we might be
> able to tell that "computer science" and computer security
> have matured somewhat as a field is the eventual acceptance
> of a body of classical knowledge that a practitioner must be
> familiar with, in order to avoid being laughed at. Other than
> Denning and Cheswick/Bellovin/Rubin and maybe Schneier I'm
> coming up dry. Hmmm...
<snip>
--__--__--
Message: 2
Date: Sun, 19 Jun 2005 14:46:57 -0400
To: "Brian Loe" <knobdy@stjoelive.com>,
"'Bill Royds'" <broyds@rogers.com>,
"'George Capehart'" <capegeo@opengroup.org>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Brian Loe wrote:
>Applying that to some of the systems I have been charged with administering
>(and all thought on this subject is new too me - how unfortunate, eh?), they
>considered all systems required to talk to it as trustworthy.
Right; that's one of the big mistakes in distributed computing. :( If you
are dealing with sensitive information, the system that's viewing or
accessing the sensitive information must be trustworthy. I'll give you
a fun example of this. Many many moons ago, I did some work for a
large financial processing company that moves and holds lots and
lots of people's money. At one point, I met with all the different security
guys for all the different parts of the enterprise, and a few of the security
guys from some of their partners. As the situation evolved I discovered
that:
- Business partners would telnet in to the mainframe (through
the firewall) and post significant transactions
- The mainframe administrators' view was the "security was a
handled problem" because they ran RACF and thus
everything was OK
- The business partners felt that any error in their account
would be the service providers' fault, since it was their
mainframe
- The service provider's mainframe guys felt that any error in
a transaction was (by definition) the end users' fault
since guarding their password was their responsibility
You can see how this all ended already. The mainframe guys refused
to recognize that their security depended on the end users' networks
and platform security. The business partners refused to recognize that
if they had a problem with their firewall and one of their accounts got
compromised that it would be trivial for a hacker to post transactions
with their account - and the mainframe guys were gleefully announcing
that if that happened they'd refuse to roll the transaction back because
it wasn't their problem.
The orange/red book guys and the trusted systems guys have
understood this forever. Getting this stuff right is why multi-level
computing basically never happened; data had to be labelled
and could never move down the classification hierarchy without
a bunch of angels dancing on the head of a pin, first. If you
migrate those ideas to modern "distributed computing" the
equivalent would be to say:
"Your desktop system is not going to be allowed to make
queries of our mainframe until it satisfies our security requirements
first. AND if it's going to retain any of that data (in cache, in free
disk blocks, or a local database) it has to remain appropriately
secured for the duration."
How many of you could tell your customers *that*?! People scream
and whine over the idea of putting firewalls in (still) - now, attempting
to enforce a local policy against a business partner - that's patently
ridiculous. Right? Well, technically it's NOT ridiculous, but everyone
has basically blown it off.
>Various
>systems REQUIRED a certain level of access to do the job, so it was given.
>This trustworthiness is static. If something changed on the trustworthy
>system, the trusting system has no way of knowing about it and therefore it
>never re-evaluated the trustworthiness
Right. That's a huge problem, as you can imagine. If your desktop
accesses my mainframe and its customer database, I *should*
assume that pieces of my customer database may still be cached
on your desktop. So I *should* ask for guarantees that it's not, and
that you can't move it transitively from there.
Again - that's not gonna happen in the "real world" - which is why
we're going to continue to see massive data exposures as spyware
and malware converge. Think of all of the chumps who are
accessing critical logistical systems and payroll systems from
the same computers they use to surf the web. The same computers
that have spyware on 80% of them.
>Aren't there already models out there that fix this? That place a stage of
>authentication and verification between each, or every other, transaction?
The models that "fix" this entail a great leap away from what we're
doing today. They entail either multi-level desktops (don't go there!)
or they entail networks that are segregated by trust. Multi-level
doesn't even work (if it did work) across entities because "highly
secure" for you doesn't map reliably to "highly secure" for me and
we'd have to standardize across organizations.
I can still envision an environment in which one organization might
require: "In order to connect to our system you need to be on a network
that is not connected to any other network, and none of your machines
are allowed to move into or out of that network." I'm sure someone
will correct me if it's no longer true, but I think SWIFT terminals used
to work that way. Automatic teller machine networks used to work
that way and no longer do. Which is why the Korean automatic
teller machines (and some US ones) went down from SQL slammer.
I don't think I'm telling tales outside of school here, but the recent
attacks on the supercomputer grid were transitive-trust based. A
user account at some research center got compromised - probably
a password stolen via a user logging in to his home system using
SSH on a machine with a keylogger. The attacker got onto the
researcher's home system, exploited a vulnerability, and backdoored
sshd. A while later, he had the administrators' password. And
backdoored sshd all over that research cluster, along with all the
SSH clients. Pretty soon he had account/password pairs at other
research facilities, as the researchers used SSH to propagate
their trust boundary. Etc. We used to call this "island hopping"
but it's also a pure transitive trust exploitation - if facility A
trusts the users and software at facility B, then facility A will
eventually fall prey to any successful attacks mounted on facility
B, even if only because screen-scrapers get installed at facility
B to harvest facility A's sensitive information.
If you worry about this enough, you'll realize that eventually there
are 2 ways to address it:
- build multilevel secure computing systems (don't go there!)
- say "f*** it"
Most of the industry has chosen the second option, but didn't even
bother to think about it. :)
mjr.
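The island-hopping chain Marcus describes is just reachability over a trust graph: if A accepts logins or software from B, then whoever owns B eventually owns A. The following is an added example (not code from the list or from any poster) that computes that closure over a constructed set of trust edges modelled on the SSH story above; every host name and every edge is an assumption made for illustration, and the `without()` helper shows how cutting a single edge (the "network not connected to any other network" rule) shrinks the blast radius.

```python
"""Transitive trust as graph reachability (added example, constructed data).

An edge (truster, trusted) means `truster` accepts logins, credentials or
software from `trusted`, so a compromise of `trusted` can be turned into a
compromise of `truster`. The edges below are invented to mirror the SSH
island-hopping chain described in the message above; all host names are
placeholders, not real systems.
"""
from collections import deque

# Constructed trust relationships: (truster, trusted).
TRUST_EDGES = [
    ("research-cluster", "home-workstation"),   # cluster accepts SSH logins from the researcher's home box
    ("research-cluster", "admin-workstation"),  # and from the admin's workstation
    ("facility-b", "research-cluster"),         # facility B has accounts for cluster users
    ("facility-c", "facility-b"),               # facility C has accounts for facility B researchers
    ("facility-c", "research-cluster"),
    ("payroll-system", "office-desktop"),       # unrelated branch: payroll reached from a web-surfing desktop
]


def trusters_of(edges):
    """Index each trusted node to the set of nodes that trust it (the attack direction)."""
    index = {}
    for truster, trusted in edges:
        index.setdefault(trusted, set()).add(truster)
    return index


def blast_radius(edges, compromised):
    """Every node an attacker can reach, transitively, from one compromised node.

    Returns {victim: hop_path_from_compromised}, so the island-hopping chain
    that leads to each victim is visible, not just the final set.
    """
    index = trusters_of(edges)
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for truster in sorted(index.get(node, ())):
            if truster not in paths:
                paths[truster] = paths[node] + [truster]
                queue.append(truster)
    return paths


def trust_closure(edges, node):
    """Everything `node` transitively depends on: compromise any of these and `node` falls."""
    index = {}
    for truster, trusted in edges:
        index.setdefault(truster, set()).add(trusted)
    seen, queue = set(), deque([node])
    while queue:
        current = queue.popleft()
        for trusted in index.get(current, ()):
            if trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return seen


def without(edges, *removed):
    """Edge list with the given (truster, trusted) pairs cut, e.g. after segregating a network."""
    return [e for e in edges if e not in removed]


if __name__ == "__main__":
    for victim, path in blast_radius(TRUST_EDGES, "home-workstation").items():
        print(" -> ".join(path))
    print("facility-c depends on:", sorted(trust_closure(TRUST_EDGES, "facility-c")))
    # Cut the one edge that lets a home machine onto the cluster and recompute.
    segregated = without(TRUST_EDGES, ("research-cluster", "home-workstation"))
    print("after segregation:", sorted(blast_radius(segregated, "home-workstation")))
```

Run it as a script to see the hop chains; note that the payroll branch never appears in the radius because nothing in it trusts the compromised side, which is exactly the property a segregated terminal network is meant to buy.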
--__--__--
Message: 3
Date: Sat, 18 Jun 2005 21:23:42 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: Bill Royds <broyds@rogers.com>
Cc: 'George Capehart' <capegeo@opengroup.org>,
'Firewal Wizards' <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
On Sat, 18 Jun 2005, Bill Royds wrote:
> The problem is that people have never truly analysed trust in a systematic
> mathematical way.
Sure they have- and they've analyzed security and security models that way
too- there's the issue-- it's never made it to the field outside of the
old Orange/Red book systems that nobody ever bought.
> http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but
> little of it has filtered into actual practice. Yet we are building whole
Little of anything good has filtered into actual practice except in
bite-sized chunks or esoteric systems. For instance, I really like MAC
compartments, but to date, the TrustedBSD folk haven't got their MAC stuff
up to the level of the jails FBSD already has.
> financial edifices on completely flawed understanding of how to use distributed
> trust. We need to at least develop some systems that do it right so developers
> have some way of learning how to create viable systems that can have distributed
> security.
We need to have some sort of system that ensures that folks who call
themselves "security practitioners" have at least looked at a
representative sample of "things thought through" and "things done well"
before they go read the marketing blurb for the latest "deep stateful
analytic predictive autonomous modeling prevention cure-o-matic."
I'm willing to start work on a "Good stuff 101-301" area on my Web site,
if folks want to contribute. I think these links and the stuff Marcus is
providing are good enough reading that they should go to the list. I'd
argue that most postings of useful publications should be on-list, since
there's half-a-chance that someone with a bored moment might learn
something valuable- but if folks want to send me links off-list, I'll
start on a page-o-links now and try to gather some cohesiveness over time.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 4
From: David Lang <david.lang@digitalinsight.com>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: Brian Loe <knobdy@stjoelive.com>,
'Bill Royds' <broyds@rogers.com>,
'George Capehart' <capegeo@opengroup.org>,
'Firewal Wizards' <firewall-wizards@honor.icsalabs.com>
Date: Sun, 19 Jun 2005 14:34:31 -0700 (PDT)
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
On Sun, 19 Jun 2005, Marcus J. Ranum wrote:
> If you worry about this enough, you'll realize that eventually there
> are 2 ways to address it:
> - build multilevel secure computing systems (don't go there!)
> - say "f*** it"
> Most of the industry has chosen the second option, but didn't even
> bother to think about it. :)
actually, there are two additional options.
1. don't allow the remote user excessive access to the local system
(limit the damage they can do, not the best but still far better then
your option #2)
2. require authentication that isn't fully contained on the remote system
(i.e. a token or one-time password, a digital certificate with a
passphrase is NOT good enough)
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
--__--__--
Message: 5
Date: Sun, 19 Jun 2005 17:39:47 -0400
To: David Lang <david.lang@digitalinsight.com>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: Brian Loe <knobdy@stjoelive.com>,
'Bill Royds' <broyds@rogers.com>,
'George Capehart' <capegeo@opengroup.org>,
'Firewal Wizards' <firewall-wizards@honor.icsalabs.com>
David Lang wrote:
> 2. require authentication that isn't fully contained on the remote system (i.e. a token or one-time password, a digital certificate with a passphrase is NOT good enough)
That doesn't work, either. If you assume that the endpoint is insecure
(and it is, so that's a safe assumption) the 2 factor authentication works
only because it's harder to bypass than a password. If everyone was
using 2 factor authentication, you can bet hacker toolkits would be
full of nasty rootkits and malware that stole live sessions, or typed
keystrokes into live sessions once they came up (transparently, of course)
mjr.
--__--__--
Message: 6
Date: Sun, 19 Jun 2005 21:33:04 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Equifax Canada
"For the second time in about a year, the credit reporting company Equifax
Canada Inc. has suffered a security breach that has given criminals access
to personal financial information of hundreds of Canadians.
The latest case came to Equifax Canada's attention several months ago, but
was made public only yesterday.
Criminals that breached the firewall gained access to 605 consumer files,
which contain personal information ranging from names and addresses to
type of bank loans and credit cards, payment obligations and social
insurance numbers."
605 Canadians, that's like 300 Americans, right? ;)
Sounds like someone needs remedial INFOSEC training- sheesh 2nd time in a
year?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 7
From: "Adrian Grigorof" <adi@grigorof.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] Equifax Canada
Date: Mon, 20 Jun 2005 00:27:43 -0400
Apparently this was caused by "improper use of a customer's access codes and
security password". Can Equifax force its customers (basically all the
credit institutions and many others) to use a method of authentication
stronger than a user id/password combination? To quote a recent post from
Marcus J. Ranum:
> How many of you could tell your customers *that*?! People scream
> and whine over the idea of putting firewalls in (still) - now, attempting
> to enforce a local policy against a business partner - that's patently
> ridiculous. Right? Well, technically it's NOT ridiculous, but everyone
> has basically blown it off.
It is surely cheaper to call 600 customers once a year (ok, make that twice
a year) than enforcing an expensive authentication infrastructure. Is it not
a basic principle in IT security that the cost of securing same data should
be less than what that data is worth? It is true, they lose some
credibility but since they have almost monopoly on the credit checking
business (there is only one other company) that's still cheaper than
changing the authentication process. Some heads will probably roll but I
doubt there will be any major changes and I expect they will be in the news
again sometime in the future... Besides, compared to 40 million credit
cards, 600 credit reports are not that bad, eh? Go Canada ;)
If I am not mistaken, the previous incident (March 2004) was a case of
"criminals masquerading as credit grantors" but I bet the firewall guy(s)
were again the scapegoats:(
Regards,
Adrian Grigorof
www.firegen.com
--__--__--
Message: 8
Subject: RE: [fw-wiz] Equifax Canada
Date: Mon, 20 Jun 2005 07:58:14 -0400
From: "Monkman, Brian" <bmonkman@icsalabs.com>
To: <firewall-wizards@honor.icsalabs.com>
Cc: "Paul D. Robertson" <paul@compuwar.net>
You actually got the ratio reversed Paul. :-)
--__--__--
Message: 9
Date: Mon, 20 Jun 2005 08:37:12 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: "Monkman, Brian" <bmonkman@icsalabs.com>
Cc: firewall-wizards@icsalabs.com
Subject: RE: [fw-wiz] Equifax Canada
On Mon, 20 Jun 2005, Monkman, Brian wrote:
> Date: Mon, 20 Jun 2005 07:58:14 -0400
> From: "Monkman, Brian" <bmonkman@icsalabs.com>
> To: firewall-wizards@icsalabs.com
> Cc: Paul D. Robertson <paul@compuwar.net>
> Subject: RE: [fw-wiz] Equifax Canada
>
> You actually got the ratio reversed Paul. :-)
Nah, the exchange rate is about right- I'm pretty sure if we both stepped
on a scale, it'd be in the ballpark ;)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest