I came across this article this morning. For those of you who don't feel like reading it, basically it says that Red Hat and SE (Security Enhanced) Linux are going through Common Criteria certification so that they can be used in the US government. Good news, right? On the surface, it would seem so - but I think it points out a problem inherent in the process. For one thing, non-certified products are in use already (meaning compliance is selective anyway), and certification isn't "good news" - particularly when it comes to a "release early, release often" product like Linux.
First of all, we know it's already in use. For example, check out this article from Groklaw. Seriously, when has the fact that a platform is not EAL certified stopped it from being used by the government? After all, Mac OS X is on the federal reference architecture. The reality is: the whole EAL process (and the TCSEC process before that) is broken. As is FIPS 140. Here's why:
The DITSCAP relies on accreditation personnel within an initiative to ensure that these standards are followed. If an accreditor is not clued in to the fact that this type of certification is a requirement, they won't enforce the reg. End result: incentive for POs to "dumb down" accreditation personnel. In point of fact, it's less expensive to have accreditors that will let something "slip by" than accreditors that enforce. Problem #1.
Problem #2 is that these regs all but ensure that federal systems have less security than commercial systems. How is that, you ask? Specifically, a certification is invalid as soon as the product changes significantly. For example, there could be a case whereby a patch that is required to fix a security issue cannot be applied because it will invalidate the FIPS 140 or EAL cert. You disagree? Look at the list. The last version of Oracle that's certified is Oracle 9.2.0.1.0. What's the current version? How about 10g Release 2... Wow, that's a major revision. I wonder what type of security bugs have been fixed in the meantime... The same is true of FIPS 140-2. Certification trumps vulnerability fixes in every case; it also trumps common sense.
Let me tell you a little story. Back in the day, when I was working in the federal sector, the time came to deploy Citrix. This was before the CSG (Citrix Secure Gateway) used FIPS 140-2 approved cryptography. I, as the security engineer, indicated that it would be good to have cryptography on the channel due to the untrustworthiness of the network the traffic passed through. However, turning on cryptography meant that it would be a non-FIPS device; keeping it off meant it wasn't a cryptographic device and therefore FIPS 140 didn't apply. The decision? Keep cryptography off, and thereby decrease the security of the system in order to comply with the reg. In other words, don't think, just comply.
Here's my point: I think the purpose of FIPS 140 and the EAL is to keep "snake oil" out of the federal government. That's a great goal. However, in practice, I think these regs need to be applied with intelligence. Taking away the ability of security folks to use their intelligence decreases the security of the systems involved and is not a good thing.
According to Larry Ellison, it's been 15 years since anybody broke into an Oracle database. Oh, I'm quite serious. It would be laughable if it wasn't so sad.
Actually, to put the quote in context, he pointed out the contrast between Oracle and Microsoft - he claimed that while it had been 15 years since Oracle was broken into, Microsoft was broken into 45 minutes ago. Not only is this data obviously fabricated, but it's downright insulting to the security community. How can we be expected to believe that Oracle is immune to common database attacks or that hackers are stymied by Oracle's advanced technology? Give me a break.
Here's what gets me. Back in the day, the major gripe against Microsoft from the security community was that Microsoft did not take steps to acknowledge security problems in their software. Does that standard not apply equally to Oracle? Mark my words, between their "Unbreakable" campaign and this type of raw falsehood from Oracle, it's only a matter of time before Oracle becomes the new pariah of the security industry.
First, CyberSource to buy CardSystems. Did I not prophesy that it was only a matter of time before CardSystems hit the mat? Well, there it is...
In other news, some judge decided to once again make disclosure of credit card data voluntary in California.
So, the DHS (via the FBI) announced that cracking down on obscenity on the Internet will be "one of the top priorities" going forward. To tackle this top-priority initiative, they've got a dumptruck full of funding, at least 10 headcount, and a mandate from the top.
That's right, you heard it here - at the top of the DHS priority list is... porno. Just to be clear, we're not talking child porn, we're not talking about non-consensual sex, we're not talking about illegal sex acts. Nope, those things are already on the FBI radar. This new squad is only concerned with censoring media associated with consenting sex between adults...
The agents aren't happy about it - according to them the department is a "running joke". Here's my question: why are our tax dollars funding a "running joke"? What about fixing the significant disaster recovery issues highlighted by Katrina or fixing the continued failure of DHS to complete their required auditing measures?
Shouldn't we wait until the terrorists are behind bars and the DHS works its grades up to something like a D (or better still a C-) before we start funneling money into anti-smut campaigns? Seems to me that loss of life (terrorism, Katrina, etc.) trumps dirty old men in almost every case. Granted, the FBI still claims terrorism is a "higher" priority than the war on pr0n, but each agent working the "red light detail" is an agent not looking for terrorists, and each FBI web search looking for porn is a web search that could have been looking for terrorist groups... When is the DHS going to get a clue?
Thanks to Alan for passing this along...
Ouch. If this sets a trend, the world of financial services as we know it will change permanently. If it does not and just impacts Korea, expect things to shake up anyway for anybody doing business internationally.
You know what still makes me laugh? The picture of that crazy dude that got past DHS with the heads in the bag. Thanks to Adam Shostack for referencing it in his blog today.
Wow. Symantec puts a stake in the ground saying open source is part of the reason for slower patches. That's not going to engender any popularity... let the ranting begin.
The good news: CNL Financial Group deploys the Decru backup encryption solution for protection of backed-up data. The bad news: they no longer have to report lost or stolen data due to special dispensation for encrypted data under privacy disclosure laws (e.g. SB1386.) Hmmm...
Gartner's stunning news: personal mobile devices put the enterprise at risk. Thanks to Gartner for keeping us in the loop (can you taste the sarcasm?)
How much do I love the Token Revolt website? I'm not sure I buy Entrust's premise that we should replace every dongle out there with a plastic card (actually that sounds expensive and not that valuable) but I do think the videos are funny. The one where they're using the fobs as table leg supports - pure hilarity.
Thanks to D for passing on the link.
Some people couldn't get to the Security Curve website yesterday. That's because an electrician somewhere in LA cut the wrong line. Aside from being a bit irked by the circumstances, I'm actually glad it happened. Glad because being able to cut power to a whole city for 3-4 hours by cutting one line seems like a weak point to me. Time to fix the critical infrastructure.
According to DHS CTO Lee "trying not to be a scapegoat" Holcomb, the DHS stinks on ice. Alright, he didn't actually say "stinks on ice", but he did say what we all already know, in a shameless "don't crucify me" dance more embarrassing than Ashlee Simpson's lip-synch jig on Saturday Night Live. He said specifically:
- "...we are not really that well prepared, and history will show that that is actually the case."
- "I think we witnessed a failure in that [disaster preparedness] plan over the last week."
- "The consequences ... have been disastrous..."
- "... a major problem ..."
- etc, etc, etc.
Here's my question to Lee: why is it that this is such a surprise? Seems to me like this is your job and that you've had three years go by with this stuff as your priority. Remember in 2003 when you said, "We got the lowest grade from the federal government in the recent [security] scorecard, and we're going to change that"? That report included disaster recovery - how come you didn't change it like you said? How is it that, three years after being given an F for flunking by not "... [having] inventories of their critical information technology assets; identified critical infrastructure and systems; implemented strong incident reporting procedures...", you are here saying "news to me - I think maybe we've got some problems identifying our critical assets and implementing strong reporting procedures"?
Let me put it another way. Remember when Chairman Putnam said, "We expect significant improvement from Homeland Security next year, they should be leaders in improving their computer networks." I'm pretty sure that he had in mind those goals that DHS flunked and that you're so vocal about. Oh yeah, and remember that mandatory risk assessment that the Homeland Security Act requires and that DHS testified saying would be done in 2003 - it probably would have helped make your organization more effective if you had actually done it.
Last, but not least, you have a problem with the wired and wireless commingling? Didn't you build that?
Hey, did you know it's time for the SC Magazine 2006 Product Awards (Yay!) It's like the Oscars: the paparazzi snap photos while Susan Thunder, like Joan Rivers, comments on hacker style and fashion. Well, alright - none of that really happens, but Susan does kinda look like Joan Rivers.
There's something else different too: Oscar nominees get a gift bag filled with electronics and jewelry... SC nominees get an invoice. 175 bucks per nominee.
Chump change or Trump Change? Well, there are 2 top-level categories. There are 8 categories that are Asia/Pacific only. There are the main 46 product categories, divided into two groups: the EU and the US. That's a total of 102 categories. Assume an average of ten nominees per category - which jibes with their data from last year (their press release for this year's contest cites "over one thousand product and service nominations" from 2005) - and multiply by 175 bucks a head. Wait, is that a cash register I hear? (chaching)... Fat Albert says, "Hey Hey Hey - that's 200K."
Let me be clear - SC has a right to make a profit. I'm all for them making money off the contest. But here's my beef - the way the contest is marketed, one would think that the "best IDS" award would go to the IDS that's "the best"... The methodology precludes any assurances about this. For example, if I enter my super-elite NIDS product (sniff the wire and match each packet against a file of signatures):
# snoop | grep -f patterns.txt
and my highly-effective antivirus product (walk the whole filesystem and match each file against the same signature list):
# grep -r -f patterns.txt /
and nobody else gets off their lazy duff and enters, does that mean that I beat out Snort, Symantec, McAfee, and all the rest of them? I don't think that's right, do you? Not to mention that it creates "false nominees" - even if my super-slick product (grep) doesn't win, I can still put out the marketing message "Ed IDS nominated for best IDS product by SC Magazine."
Wait, you don't think that's realistic? Take a look at PKWare. Does the statement, "SecureZIP for Windows has been nominated by SC Magazine as best product of the year in two categories – best email security product and best file encryption product" get put in a different light now that you know the only judgement criteria was three and a half Franklins?
Maybe I should enter one of the family dogs in the "best intrusion prevention" category and see how far they let it go.

OK, in case you missed my comments about this before, Lawrence Watt-Evans, seriously cool fantasy author, is in the middle of an experiment he calls The Spriggan Experiment. Spriggans are harmless semi-intelligent frog-like creatures that crawl out of an enchanted mirror located in the mountains of the small kingdoms - you see, when Tobas found the castle outside the world... well, I won't spoil it.
Anyway, Spriggans do more than chase wizards, look cute, and get underfoot. They also tell us something about copyright. Wait, what? It's true... You see, Lawrence is using Schneier's Street Performer Protocol to publish the book - and it's working, sort of. Because Lawrence is cool as hell, he agreed to answer a few of my questions about the experiment. I'm going to try to ping him again for some info once the experiment is done, but in the meantime, a quick paraphrase of his impressions (I didn't explicitly say I would quote him anywhere, so I'm not going to directly do so without his OK.) This is the first time that SPP has been used for an artistic work (please spare me the comments about how Blender was an artistic work), so it's pretty exciting. Security community suspicions confirmed:
- It will likely make quite a bit less money than the traditional publishing model (I think we all knew that would happen.) The experiment's not done yet, so hopefully he'll tell us more about that once everything is put to bed.
- There is some evidence that it is driving interest in his previously published books
Suspicions contradicted:
- Overhead from maintaining the distribution channel is minimal
- Not having an editorial staff does not have a deleterious impact on the timeline
Anyway, I continue to be really excited about this experiment.
Some administrivia before I get into this morning's ranting... Any past entry that had comments turned on no longer does. Sorry about that to legitimate commenters, but they had to go. Why, you ask? Because I've just experienced the festival of pain associated with a comment-allowed post hitting Google. My question is - does it really increase the efficacy of the message to put more than one "GIVE THE GIFT OF CIALIS SOFT TABS" or "EAZY VICADIN 4U" comment in the same blog entry?
Ever been to hackerwhacker.com? A security professional sent me this link (not kidding, no names.) Check out the FUD mongery from the front page:
"Has your competition hired hackers to take you out?
Could a disgruntled employee wipe out your network?
Is your job on the line for corporate security?
Are you sure your firewall settings are accurate?
Could hackers get you hit with a multimillion dollar cyber lawsuit?..." (etc)
My personal favorite is the part about hackers and the lawsuit; I'm not sure if this means that the hackers will actually sue you or if something they do would make someone else sue you. Either way is funny, but I like the first one better. I can imagine the landmark precedent-setting case now - "M1n10nz of H3ll vs. citicorp".
I came across the article, The truth about security, this morning. I followed the link expecting (based on the title and the opening paragraph) to get "fired up" about yet another yahoo telling me how to do my job. However, I was completely wrong about this one. This is a lucid and balanced look at disclosure, vendor responsibility, and legislation of software security. Two thumbs up on being fair - no thumbs up on suggested alternatives to the current process though.