We all have pet theories and a side effect of these is that we often look at information in such a way that it can be made to fit with our pre-concieved ideas. It is simply called bias and is the bane of scientific experiments. Scientists go to great lengths to design experiments which reduce the possible bias to a minimum.
Security is not immune from it either as the latest issue of Crypto-Gram seems to indicate.
While reading the section on wiretaps and encryption I thought that something was not quite right.
If you read it carefully you will notice that there are fundamentally two points being made:
1) Only about 1% of wiretapped phone lines used encryption,
2) The quality of the encryption was so bad that it did not pose a problem.
At first glance that is perfectly correct but as a matter of fact it is carrying the author's bias. Quite rightly Bruce Schneier thinks that one of the banes of modern security is snakeoil encryption and "closed" products like encryption devices for phones are part of this category.
The problem with the above is that it is not necessarily true that the trivially wiretapped encrypted phone lines had anything to do with encryption devices for phones.
If we consider mobile phones, in particular GSM phones, their transmissions are encrypted while in transit over the airwaves. The algorithm itself, A5, is not particularly secure but still a worthy challenge. There is one small catch: the moment the call reaches a base station it is no longer encrypted.
So strictly speaking a GSM mobile phone call is encrypted and might well fall in the 1% of calls which carried encryption. At the same time you don't actually wiretap the airwaves, you stick your tap at the base station where the traffic has already been decrypted for you.
By applying a more skeptical bias we have actually found a situation in which it is not the snakeoil encryption which is to blame but the lack of end-to-end encryption which is making wiretapping easy.
Both fit the information presented but the GSM mobile phone theory does not fit the "all encryption products are snakeoil" rant.
What happens when the market leader in Intrusion Detection finds its website defaced? Well, the first thing that normally happens is that the owners of the website admit that their security practices have been lax and apologies while looking red-faced for a few days.
Not so in this latest event: with an amount of lateral thinking worthy of Edward De Bono they claimed that the website was nothing other than a honeypot.
But of course! How could we ever possibly have thought otherwise?
History is not on the side of these claims. A rather well-respected security training organisation had their website defaced and the reaction was along the lines of "Oh dear, that is really rather embarassing" followed by a complete redesign of the website.
Why had it happened? Simply because the website had been allowed to grow well beyond its initial remit without a suitable security review. The reasons for this are to be found in the usual enemy of security: time and personnel.
What should have been learned from this incident? Well, the key lesson is one of humility. It does occasionally happen that even the very best amongst us make mistakes. Admitting them is a show of strength but of course this is often too much to ask from companies driven by their marketing departments.
So what will happen next? All the competitors will happily mention this event to their customers, the company will continue claiming that it was a particularly smart honeypot design and life will go on. The only loser: the security industry, yet another blow to its already feeble credibility.
For those interested in seeing defacements there is an archive of the sorry-looking site.
Having been to RSA Security it was time to spread the word in the Old World. Hence time to board a Czech Airlines flight to Prague and then off to Brno for SPI2003, a NATO-sponsored conference.
I was invited to speak on IDS and IPv6 and it is difficult to describe what a welcome change it was from RSA Security 2003. Brno is the capital of Moravia and site of their world-famous bike racing track but also the home to particularly hospitable and friendly people. The conference was very well organised including a first for me: simultaneous translation into Czech!
The conference was divided into three days, one each on Network Security, PKI and Cryptography with fascinating papers delivered on each day. Sadly a couple of apparently interesting papers from China were not given as their authors were stuck home due to SARS.
Unfortunately I missed the first invited paper by Eric Vyncke on Introduction and Security Perspective of Peer To Peer Protocols but I managed to speak to the author nonetheless. Despite the clear lack of security in current P2P networks they have an amazing potential to deliver relient network services as data is transparently duplicated all over the place. Although one could argue that this is an inefficient backup strategy there is undoubtedly space for a discussion of the role of P2P in "serious" networks (please allow me to disregard MP3 sharing as a "serious" application in the context of this conference).
The second day was much more dense and both the invited papers are worthy of mention. The first on protection of NATO information was interesting both from the point of view of a citizen wanting to know what exactly was done to protect sensitive data and from the point of view of the security practitioner wondering what was happening in the military world. Well, fortunately a lack of surprises but a lot of insight in to how deploying PKI even in a military infrastructure is far from trivial.
The second paper on e-Government was amazing from the point of view of a layman in the subject (i.e. myself): the austrian government is seriously deploying PKI in an attempt to simplify life. How would it be simplified? Well, the logic was that if less government employees have to spend time answering the same questions at booths perhaps they could do something more productive with their time. Similarly the average citizen wouldn't spend hours in a queue to ask a simple question. Now, the catch comes in the deployment of PKI at a nationwide level: it simply isn't trivial! Read all about it in his paper.
Finally the third and last day. A bright and early start with Mike Bond telling us how to break the cryptographic APIs used by banks. A somewhat mathematical talk but full of interesting information, for example on how PINs are generated: did you know that they start off in hex but then since they can't type A-F on a keyboard at the ATM they remap A-F into 0-9 in some way? I didn't and of course this "decimalisation" process, as it is known in the industry, is rife with attacks. The other papers which were definitely worth listening to were those by Vlastimil Klíma on Side Channel Attacks on CBC Encrypted Messages in The PKCS#7 Format and the one by Bohuslav Rudolf on Ways of Doubling Block Size of Feistel Ciphers Used in Some Candidates for the AES where I learned more about the AES ciphers than I had ever before.
The proceedings should shortly be available on the web at the conference website.
It has been a rather long time since something was posted here. There is actually a good reason: I was off travelling all over the place and had little time to sit down and write my thoughts.
First stop, RSA Security 2003 in San Francisco.
The RSA Security show has always been run by RSA Security Inc. a company with a rather varied pedigree which includes people like Ron Rivest, technology like SecurID and used to hold the now-expired patent on the RSA algorithm.
What did I bring back from the conference? Well, as goodies go the illuminated pen from BlueFire was pretty (they do a host-based IDS for iPAQs). As technical stuff goes it was rather sad. What was sad? Well, let a photo of myself at the conference set the tone.
Having seen the picture you might be inclined to think that this is going to be yet another bashing session but the simple truth is that marketing had taken over big time. There were enough identically different SSL accelerators that had it not been for the bezel you could have swapped them around overnight and nobody would have noticed.
There was something worthwhile: a naval Enigma at the booth of the bright people of Cryptography Research complete of rotors and in perfect working order and its US counterpart (an M209) not to mention a particularly polite lady at the NSA booth who was in fact the curator of their historical museum with yet another Enigma.
From a technology point of view by far the best demo must be the one on the HP booth on wireless hacking. You might think that RSA Security 2003 would not have open WLANs, well, think again. Michael Gough had a converted chips tin connected to his iPaq and was happily walking around scanning the show floor. Of course, it is nothing new, but it was definitely quite a sight with his presentation filling up the corridors around the HP booth.
So what was the overall climate? There is definitely interest in security, the conference alone pulled over eleven thousand people but frankly nobody really wants to buy much. It seems to be all very much "in house" at the moment and people wanting to be clear as to what the market offers. Where is the world moving to? The biggest announcement was certainly the Symantec-PWC tie-up to provide a complete MSS, if I was Counterpane I'd be rather worried myself. They hope to attract customers by showing them their "manual", i.e. a procedures guide for absolutely everything ranging from anti-virus to incident response. Is it any good? I don't know as I was not allowed to read it but it is clear that outsourcing is still seen as "the way to go", even more so than previously perhaps.
