Passwords, Dinosaurs, and 8-Track Tapes

What do passwords, dinosaurs, and 8-track tapes all have in common? Pretty soon they will all be in the same category: things of the past! It’s not just a matter of people using short, simple, “stupid” passwords anymore. With advances in easily available and cheap computing power such as advanced graphics processors and solid state drives (SSDs), even long and complex passwords can be cracked in seconds! Not to mention the fact that if you get hacked and someone installs a keylogging Trojan on your machine, it doesn’t matter how long and complex a password you use; it’s game over!

There are always big concerns about the “exploit du jour” in the information security field. SQL injection, application hacks, XSS, bots – you name it! But ever since the start, the number one way computers get hacked has been password problems. It’s still going on today! No matter what system one tests, it seems someone has a password of “password” or “admin” or something dumb like that. Or someone forgets to change a blank SA password or forgets to change the default password in some application. Then, of course, there are the system admins who use the same passwords for their user and admin accounts. That hands an attacker instant privilege elevation to domain admin and, once again, game over! This is really just a problem of human nature. We all have ambitions to follow the password policies exactly: to use strong passwords all the time, use different passwords for every account, change them on a regular basis, never reuse the same ones twice, etc. But we all get lazy, complacent or busy, or we forget or just screw up! Like I say – human nature.

What is the upshot of all this? Passwords alone as a security measure are hopelessly inadequate. And they always have been! So what is the answer? Well, obviously, we need to use something in addition to passwords. Ideally we would use all three of the possible authentication techniques: something we know, something we have and something we are. But it’s hard enough to get people and organizations to consider even two of the three. There is TREMENDOUS resistance against insisting that everyone use tokens, for example. And I can understand that. They cost money, you always have to remember to have them with you, they might break at the most awkward of moments, they can be stolen or they can be lost. Same thing with biometrics. They are expensive, they are not always reliable, they can often be circumvented and they may leave you open to personal attack or even kidnapping! These are all real issues that need to be addressed and, what’s more, gotten used to. People are just going to eventually come to the realization that one or more of these techniques MUST be used. Until now, though, people have been willing to accept the consequences rather than bite the bullet and put up with the hassles and expense. The tipping point has yet to be reached. But, with identity theft, cyber crime and the increasing ease with which passwords can be stolen or broken, that point is now very close indeed!

In the meantime, we all should REALLY do a much better job of using strong passwords. The new MINIMUM standard for passwords should be 12 characters, and they should use at least three of the four possible character types. And that’s just for normal folks. For system admins and other high-value access, passwords alone should never be enough. These folks should surely be using multi-part authentication techniques no matter what the expense or hassle. After all, they DO hold the keys to the kingdom for all of us!

Another Good Reason to Increase Internal Security

Well, the much anticipated 2010 Verizon Data Breach Investigations Report is out, and once again it is an eye-opener! Let me say what a boon these reports are to the infosec community! Verizon and their team are to be praised and congratulated for all their hard work. These reports really help us keep current so we can protect our information from the right threats in the right ways. I know it’s not a large-scale study, but I do feel it gives us good indications of trends and threats in the industry.

This particular threat report mainly gives us the data breach picture for 2009. It was compiled from nearly 900 actual incidents and includes a lot of input from the U.S. Secret Service this year. One of the surprising results of this particular report was the 26% increase in data breaches from insiders. It seems that organized cybercriminals are promising money to insiders with access to administrator level credentials. Unfortunately for these naïve inside individuals, it is proving very easy for the authorities to catch them. Also, it seems, the cybercriminals are usually not even paying them as promised! Despite these facts, it is evidently fairly easy to find plenty of insiders that are willing to sell their credentials. Go figure!

There are several ways to help counter the insider threat. The easiest thing you can do right off the bat is to ensure that those with high level access to the system don’t use the same credentials for their administrator and user accounts. You’d be amazed at what a common practice this is! All cybercriminals have to do is bust a few user level accounts and there is a VERY good chance that they will then be able to gain administrator level access. Administrator level passwords should be long, strong and ONLY used for administration purposes.
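As an added example (not code from the original posts), here is a checker for the two rules the posts lay down: the 12-character, three-of-four-classes minimum from the password post, and the “never use your user password for your admin account” rule from this one. The bad-value list, the PBKDF2 storage format and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Policy from the post: at least 12 characters and three of the four character
# classes. Bad-value list constructed from the defaults the posts mention.
MIN_LENGTH = 12
MIN_CLASSES = 3
KNOWN_BAD = {"", "password", "admin"}

CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_policy(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in KNOWN_BAD:
        problems.append("default or blank password")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(1 for rx in CLASSES.values() if rx.search(password))
    if classes < MIN_CLASSES:
        problems.append("only %d of 4 character classes (need %d)" % (classes, MIN_CLASSES))
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, the assumed stored form; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def reuses_user_password(admin_password, user_records):
    """True if a proposed admin password matches any stored (salt, digest) of the
    user account; the candidate is re-hashed per salt, so no plaintext is kept."""
    for salt, digest in user_records:
        _, candidate = hash_password(admin_password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False
```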

Another very effective method to counter the insider threat is to use true multi-part authentication mechanisms for administrative level access to the system; especially with very effective mechanisms such as tokens. Employing this practice means that cyber criminals not only have to steal credentials, they also have to get their hands on a token. And even if they do, it only gives them a short time to act; admin tokens are usually missed very quickly. There is also the option to employ biometrics. These can be problematic, but are improving all the time. And effective and reliable biometrics are even harder to overcome than token use.

You might say that good passwords, biometrics, and tokens won’t keep actual system and database administrators from selling out to the bad guys, which is true. However, there are other mechanisms available that can prevent lone bad actors from compromising the system. One effective practice is management monitoring of high level access. If, every day, managers are looking at who accesses what and when, then the difficulty of stealing or corrupting data goes WAY up! Also, there are applications out there that can send out alerts when high level access is underway.
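An added example, not part of the original post, of what that monitoring looks like in code: it reads a constructed key=value authentication log, builds the daily who/what/when report a manager would review, and raises an alert for every successful logon by a high-level account. The log format, the admin account names and the business-hours window are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real product), ISO 8601 timestamps.
SAMPLE_LOG = """\
2010-04-20T08:02:11 host=fileserv user=jsmith action=logon result=success
2010-04-20T09:15:42 host=db01 user=jsmith-adm action=logon result=success
2010-04-20T09:16:03 host=db01 user=jsmith-adm action=query table=customers
2010-04-20T23:58:07 host=db01 user=root action=logon result=success
2010-04-20T23:59:30 host=db01 user=root action=export table=customers
"""

# Accounts that count as high-level access, and the review window: both assumed.
ADMIN_ACCOUNTS = {"root", "jsmith-adm"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59

LINE_RX = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict (datetime under 'ts'); None if malformed."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    try:
        event = {"ts": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for field in m.group("fields").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review(log_text, admins=ADMIN_ACCOUNTS):
    """One pass over the log: the per-admin who/what/when report plus immediate alerts."""
    report, alerts = defaultdict(list), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("user") not in admins:
            continue  # ordinary user activity is not part of the high-level review
        report[ev["user"]].append((ev["ts"].isoformat(), ev.get("host"), ev.get("action")))
        if ev.get("action") == "logon" and ev.get("result") == "success":
            when = "business-hours" if ev["ts"].hour in BUSINESS_HOURS else "out-of-hours"
            alerts.append("%s logged on to %s at %s (%s)" % (
                ev["user"], ev["host"], ev["ts"].strftime("%H:%M"), when))
    return dict(report), alerts
```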

Another method, and a tried and true one, is the use of dual controls. If it takes two individuals to access systems, then cybercriminals have to corrupt two individuals and it becomes even easier for the authorities to figure out who the rats are. I don’t recommend this control except for very high value assets. The downside is that it’s a hassle to implement. There ALWAYS have to be at least two individuals available at all times, or access becomes impossible. There are vacations, lunches and breaks to consider, and what happens in true emergencies such as floods, snow storms and the like? But this is a control that has been in use since long before computer systems were in place and it has proven to be very reliable.

These certainly aren’t all of the controls available to help counter the insider threat. I’m sure that you can come up with some others if you give it a little thought. But used individually or, even better, in combination, they should go a long way toward protecting your data from the bad guys within!

Tips for Input Validation

Input validation is the single best defense against injection and XSS vulnerabilities. Done right, proper input validation techniques can make web applications invulnerable to such attacks. Done incorrectly, they end up bringing little more than a false sense of security. The bad news is that input validation is difficult. “White listing,” or identifying all possible strings accepted as input, is nearly impossible for all but the simplest of applications. “Black listing,” that is, parsing the input for bad characters (such as ', ;, --, etc.) and dangerous strings, can be challenging as well. Though this is the most common method, it is constantly challenged as attackers work through various encoding mechanisms, translations and other avoidance tricks to bypass such filters.
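As an added illustration (not from the original post) of why black listing tends to fail where white listing holds: the same raw input goes through a filter that strips ', ; and --, and through an allow-list that defines exactly what a username may contain. A URL-encoded quote slips past the first and is only decoded downstream, while the second rejects it outright. The username definition and the decoding layer are assumptions for the example.

```python
import re
from urllib.parse import unquote

# The "bad characters" the post lists; the black-list filter below strips them.
BAD_TOKENS = ("'", ";", "--")


def blocklist_filter(value):
    """Black-list approach: remove known-bad tokens from the raw input and pass the rest."""
    for tok in BAD_TOKENS:
        value = value.replace(tok, "")
    return value


# White-list approach for one specific field: a username is 3-32 characters drawn only
# from letters, digits, dot, underscore and hyphen (assumed field definition).
USERNAME_RX = re.compile(r"[A-Za-z0-9._-]{3,32}")


def allowlist_username(value):
    """Accept the input only if the whole string matches the field's definition."""
    return USERNAME_RX.fullmatch(value) is not None


def downstream_consumer(value):
    """Stand-in for a later layer that URL-decodes the value (assumed for the example)."""
    return unquote(value)


def still_dangerous(value):
    """Does the value that reached the consumer still contain a black-listed token?"""
    return any(tok in value for tok in BAD_TOKENS)


def compare_filters(raw):
    """Run one raw input through both approaches.

    Returns (what reaches the consumer after the black-list filter,
             whether the white-list accepted the raw input).
    """
    return downstream_consumer(blocklist_filter(raw)), allowlist_username(raw)
```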

Over the last few years, a single source has emerged for best practices around input validation and other web security issues. The OWASP working group has some great techniques for various languages and server environments. Further, vendors such as Sun, Microsoft and others have created best practice articles and sample code for doing input validation for their servers and products. Check with their knowledge base or support teams for specific information about their platform and the security controls they recommend.

While application frameworks and web application firewalls are evolving as tools to help with these security problems, proper developer education and ongoing training of your development team about input validation remains the best solution.