Security

Observations on information security.

Example of KISS

Ok, this is a backwards observation.

One of my hot buttons is to spot "cyber security principles," that is, general but pointed observations on how to improve cyber security. 

A long-held principle is "Keep it Simple, Stupid." Thanks to Moore's Law and the constantly falling price of ever bigger, faster, and more complex tech, no one puts much effort into keeping things simple. The extra features draw more customers even if they make the tech more fragile.

Phishing email from the Adobe Compromise

Malicious email from Adobe database

This email arrived yesterday. It was sent to an address that only exists in the databases of Adobe and of my email provider. Given that Adobe's customer databases were looted earlier this fall by hackers, I suppose it was a matter of time.

For the uninitiated, I strongly warn you NOT to try to follow the link in that email. If it's only slightly malicious, then the web page will try to tease me out of personal information. After all, this is a job offer, and employers are obliged to collect SSNs and other personal information. 

If it's seriously malicious, then the web page will send me a malicious MS Word or Acrobat file, or perhaps just some web-based scripts, that poke around on my machine looking for weaknesses. 

RC4, SSL, and deck chairs on the Titanic

Chrome has sensibly increased the key sizes it expects in public-key transactions. However, Chrome still silently accepts RC4 encryption, even though RC4 has been vulnerable to attack for over a decade.

This is like putting a heavy padlock on a cardboard box.

Even so, 7 out of the top 10 US web sites still use RC4. This includes sites with a lot to lose like Amazon and eBay as well as Google itself. The other weaklings in the Top 10 are LinkedIn, Wikipedia, Twitter, and Google's Youtube (as weak as their owner).

Internet crypto cracking is no real surprise

The Guardian has recently published a report on how the NSA and the UK's GCHQ have been routinely cracking cryptography used on the Internet. Seriously, this is no surprise. Lots and lots of sites routinely use "RC4" encryption, whose vulnerability has been well known for over a decade.

I also hadn't realized the extent to which American citizens in general are considered "the enemy" by the NSA. Their duplicitous role in Internet standards is breathtaking. It may be the grandest example of social engineering. Ever.

Practical Cryptography: Science or Engineering?

There are comments flying around as to whether cryptography should be approached as a science or as engineering. It apparently started on Twitter. Bruce Schneier has weighed in and linked to an interesting essay by Colin Percival.

The actual border lands might not be surveyed yet, but I believe there's a distinct field of cryptographic engineering, just as computer architecture can be independent of circuit design. In both cases we try to establish design rules so that engineers can build things with predictable properties. In both cases we can push the envelope of those rules and yield disaster. 

We establish an engineering discipline by trying to codify the design rules, teach them, build with them, and assess the results. That's what we see in security/cryptographic engineering these days. It's healthy even though we end up with occasional vulnerabilities.

Odd new form of malicious spam

Malicious email

I received the email displayed at the right. While Larry Grinnell is indeed a friend of mine who sends me email, the sender's email address was not his. This is one of several emails I've received, all extremely brief, and all with the exact same format. The Subject line contains an exclamation. The body text contains my name and a single URL. I started saving them and experimenting with the URLs.

The first URL led to a place in Russia that displayed a weight-loss ad. I used a VM running Chrome to open it. When I used the same VM to open the more recent one (shown above) the VM crashed. I expected that. What I didn't expect was for it to take my whole desktop down, too. 

Quantum Computations, Crypto, and Chicken Little

Yet again, the sky is falling.

Researchers at UCSB have demonstrated a "quantum processor" that correctly operates "Shor's algorithm for factoring primes" all of 48% of the time (Photo left, courtesy of UCSB). This has produced all sorts of dire predictions about existing cryptographic mechanisms.

This is nonsense. We don't know enough about quantum computing to believe that a practical quantum computer architecture can follow Moore's law. And so-called "quantum cryptography" is not the answer.

Cyber Security Self Study

I've deployed my training program at eisec.us.

Students can earn CPE credits and a US Government-endorsed training certificate in information security. They study the textbook (Elementary Information Security, of course), discuss topics with me on the book's discussion forums if they want, and take on-line tests on the material. Once they pass all exams, they earn the certificate.

Earning IACE Certification Using a Certified Textbook

The U.S. government certifies courses of study in information security under the Information Assurance Courseware Evaluation (IACE) program. If a course is certified under one of the approved standards, then students are eligible to receive a certificate that carries the seal of the U.S. Committee on National Security Systems (CNSS, left) to indicate they have completed an approved course of study.

My new textbook, Elementary Information Security, has just earned certification that it conforms fully to the CNSS national training standard for information security professionals (NSTISSI 4011).

It can be challenging for an institution to get its course of study certified. Many of the topics are obvious ones for information security training, but others are relatively obscure. Several topics, like TEMPEST, COMSEC, and transmission security, have lurked in the domain of classified documents for decades.

This new text provides a comprehensive and widely available source for all topics required for NSTISSI 4011 certification. An institution can use the textbook along with the details of its NSTISSI 4011 topic mapping to establish its own certified course of study.

Elementary Information Security Topic Mapping for NSTISSI 4011

Elementary Information Security has been certified to conform fully to the Committee on National Security Systems' national training standard for information security professionals (NSTISSI 4011). To do this, I had to map each topic required by the standard to the information as it appears in the textbook. Instructors who map their courses to the standard must map the topics to lectures, readings, or other materials used in those courses.

I have exported the textbook's mapping to an Excel spreadsheet file. Curriculum developers may use this information to develop a course of study that complies with NSTISSI 4011 and is eligible for certification. I'm describing the courseware mapping process in another post. Read that post first.
