Home > Intel Communities > Open Port IT Community > IT@Intel > Blog > Tags > vulnerability
Up to Blog Posts in IT@Intel

IT@Intel Blog

3 Posts tagged with the vulnerability tag
Matthew Rosenquist
0

No.  Just the people who use them.


Passwords of reasonable strength (8 characters or more consisting of upper/lower case and special keys) coupled with timely expiration, are secure.  Passphrases with comparable measures are equally secure.  The systems and users are currently the weakest links in the security chain.  Security Chain.jpg


The interfaces and tools which we input the passwords may be vulnerable.  This includes but is not limited to key-loggers, sniffers, input redirections, etc.  But it is the user, where the most significant weakness exists.  They can be duped into divulging their passwords (phone, web, chat, email, etc.) and in many cases make them available in other ways (sticky note under the keyboard).


A recent Newsweek article covered the topic of building a better password:

"...a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years. (Two hundred nineteen years is actually very good, but the lesson remains: simpler can be stronger.) The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity-mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"-somehow became the sole determinant of password strength."


The difference between passwords which can be cracked in two-hundred versus a billion years is immaterial if users are forced to change passwords every few months.   The bad guys just don’t have the time to crack the password before it is changed or the data is sufficiently aged to not be of value. 

To undermine cracking attempts, we force users to use 'strong' passwords so that dictionary attacks are fruitless and threat agents must resort to a laborious brute force attack, trying massive numbers of combinations in order to be successful.  All passwords can be cracked via brute force, but it takes time.   It becomes an exercise in how many attempts can be made over a given period.  The faster the process the more combinations can be tried and therefore the shorter the time to discover the one which works.  The length and possible characters determines the number of combinations.

Undermining the strength of a password is not the biggest concern.  It is far more likely for a password to be sniffed on the network, captured on a system, or duped from a user, rather than be cracked.

The most significant vulnerability is with the user and systems where passwords are entered and stored.  There is no practical benefit to further abuse users with new diabolical password schemes.  We should pay less attention to stronger and better password formats and instead invest in better behavioral controls, user education, and the strengthening of system and interfaces.

0 Comments Permalink Tags: value, information_security, rosenquist, it@intel, password, optimal_security, model, risk, matthew, intel, it, threat, vulnerability, security, matthew_rosenquist
Matthew Rosenquist
0

We naturally take comfort in being able to quantify the vagueness of challenges in our existence.  This past week, I was again reminded the cup of information security is filled partially with the complexities of human perception and ambiguity of emotions weighing our mental models of judgment.  These can be misleading.

 

This is not a revelation.  I thrive in the trenches of security measures and metrics, and learned this lesson many seasons past.  But it is so easy to fall back into the comfort of measuring, calculating, estimating, and even predicting risks with first impressions, and foregoing proper data collection and dispassionate analysis.

 

It is in our very nature to apply our big cognitive brains in an attempt to make sense of something which causes concern for our minds when we encounter situations we fail to grapple.  We default to familiar structures of logic and experience to give some insight, even if it is invalid.  If we cannot grasp a cloud, it makes us feel better to at least measure it.

 

I recently travelled to the beautiful city of Shanghai.  In the sprawling city of 19 million, getting about requires the use of a local taxi.  Drivers are aggressive by American standards.  They creatively use all lanes, including those of oncoming traffic, to weave in and out between pedestrians, other vehicles, and bicycles, all at high speed.  Roadway guides such as speed signs, stoplights, and lane markers are just cosmetic.  The concept of ‘right of way’ is defined by the vehicle which gets there first.  Tens of thousands of taxi drivers vie for pole positions at every light and traffic snarl.  I counted no less than half a dozen head-on near misses the first day.

 

Not surprisingly I was a bit concerned for my safety.  But what was the actual risk?  It seemed high, with all the jockeying, speed challenges, and lurching in front of other cars at a moment’s notice.  In formal terms, the security risk calculation was off the map.  Keeping it simple, risk can be defined as equaling the (threat) x (consequence) x (vulnerability).  Threats were abundant and vectoring from every angle.  Vulnerabilities were painfully obvious as the situation was an example of near uncontrolled chaos heavily dependent upon human judgment and intervention.  Lastly, the consequences registered as likely life threatening.  Vehicle safety measures are not equal to US standards, with no airbags and rarely a functioning seatbelt.  My brain began to do the rough math and formed a mental model where the conclusion was somewhere near the “I’m screwed” end of the spectrum.

 

Over time, I started to take a different perspective.  By the end of the week, and too many close calls to count, I observed the city’s taxi’s did not show damage which would be consistent with rampant numbers of collisions.  Although chaotic and unpredictable, they found a balance in avoiding impacts.  My drivers’ never appeared nervous.  Many were happy to take calls on their cell phones while racing into oncoming traffic and weaving back into our directional flow at the last second.  Yet, they were not worried.  The pedestrians who seemed intent on walking into direct paths of vehicles always looked up at the last possible moment and jumped out of the way of an untimely demise.

 

The dangers were still there.  Nothing changed but my perception.  The risks were high, controls were low, but it was the incident rate that was the telling measure.  Lack of vehicle accidents in such a tremendous population meant they operated in an efficient manner which my brain could not comprehend as safe.  But it was.  My initial evaluation misled me to a wrong conclusion: an inaccurate determination of risk.  I felt safer than before.  To this day, I cannot comprehend how they do it.

 

In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth.  It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand.  Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.

0 Comments Permalink Tags: it@intel, vulnerability, risk, threat, information_security, model, matthew_rosenquist, security, rosenquist, optimal_security, analysis, measurement, measure, openportpromo, it, intel_it
Matthew Rosenquist
3

Crazy as it may sound, digital appliances and accessories can infect your computers with viruses and worms. It is happening more and more. Although not near a tipping point, an evil cloud is rising.

 

 

 

 

 

Unlikely Threats

It is concerning enough we have to worry about USB drives, WiFi hotspots, mobile phones, PDA's, printers, email attachments, file downloads, search engines, and surfing just about any website. But now we must keep a suspicious eye on our new net-enabled refrigerator, digital picture frames, music playing sunglasses, and even the toaster.

 

 

Recent articles shows how consumer devices integrated with network enabled computers are sources for malware infections. It is not shocking software CD/DVD's, or USB Drives might have nasty code lurking. Suspicion is the norm anytime we are connecting or installing something directly to our trusty computer. In those situations, we take proper precautions. But what about media players, GPS devices, and most recently wireless digital picture frames? These devices may not directly connect via traditional cable. Does the average consumer realize when they flip the power button they may be turning on a wireless device infected with malware seeking to infect anything within range?

 

 

 

 

The toaster is out to get you!

It is not just the geek toys anymore. Not to long ago, an enterprising individual took it upon himself to hack a regular toaster, just to prove it could be a source of malware. A toaster! Very impressive, but what is next?

 

 

As computers are integrated into everything and are being upgraded with more power and connectivity, the threat landscape grows. Our cars, major appliances, personal electronics, accessories, and even clothing are potentially at risk. We are dragging these items into the digital world and in doing so, overlaying cyber risks on them.

 

 

Although not widespread, more and more stories are emerging and the list of products grows longer. At some point we will be forced to re-evaluate the standard threat categories to include some non-traditional vectors. Personally, I am waiting for shoe manufacturers to implant computers in their products so we can have "walk-by attacks". Can't wait.

 

 

 

Some news reference links:

http://www.securityfocus.com/news/11499

http://www.pcworld.com/article/id,141295-pg,1/article.html

http://www.theregister.co.uk/2008/01/14/sans_threat_list/

3 Comments 0 References Permalink Tags: optimal_security, model, risk, matthew_rosenquist, rosenquist, threat, vulnerability, security, information_security

Popular Blog Posts