R.J. Reynolds : The “R” Is For “Repulsive”
By Daniel Miessler on March 19th, 2005: Tagged as Culture | Health
At a business lunch yesterday I was talking to one of our product vendors about various topics, and although we were in the non-smoking section, everyone in our area was being hit with waves of smoke while waiting for our food. The ensuing discussion led to him mentioning that R.J. Reynolds was a customer of his as well, and he went on to describe the environment there. It’s so bizarre I just had to blog it.
First off, he has to bring massive allergy medication just to do onsite visits there. Why? Well, all employees are allowed to smoke right in their cubes. Not only in their cubes, but anywhere in the building. People were actually puffing away while he was doing his initial product presentation. He described the conference room he was in as having a giant ashtray in the middle of the room full of butts. He said the walls were even yellow in many places. But that’s not the crazy part:
Every day, around the same time, someone brings a cart by to everyone’s cube and from that cart each employee can select a pack of cigarettes of their choice — free of charge.
Free. A pack a day. Distributed by the company.
Wow.
I wonder what their health insurance package looks like…
A Key Exchange Puzzle
By Daniel Miessler on March 17th, 2005: Tagged as General
A buddy of mine has posted a key exchange issue he’s having; it’s worth taking a look at if you are into this sort of thing.
A Browser Security Idea
By Daniel Miessler on March 17th, 2005: Tagged as Firefox | General | IE | Musings | Technology
One of the comments on the “How To Fix The Internet” article that’s circulating is the notion of a central organization (like the BBB) maintaining a database of information that sites would presumably dish out to users upon them requesting a page for the first time.
Well, how about a standalone security tool to do this?
This tool would have a couple of parts:
A list of attributes with associated risks (think Bayesian adjustment of a risk level), e.g.:
- Hosted in Russia / China
- IP address for a URL
- Immediately redirects you to somewhere else
- Cert doesn’t match DNS
- Webserver outdated (versions vulnerable to known exploits)
- Recent bad activity for this site
** Assigns a score to the site
A client for the user’s system (to pull updates) and a plugin for their browser:
- Pulls down updates, checks visited sites vs. information
–
So here’s the idea — we create this system and serve the constantly updated data out to whoever wants it. They could pull it down weekly/daily/hourly or whatever (depending on how often there are updates).
From there, when they go to a website it checks the current “risk level” of the site against their current security settings. So, if it’s between 6 and 7, don’t run ActiveX on the site. If it’s between 1-4, don’t even load it — etc.
The key here is customizing the local security settings according to a semi-dynamic repository of information hosted by security enthusiasts. We don’t need the BBB for this.
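To make the scoring-and-policy idea concrete, here is an added example (not code from the original post) of the local side of the tool: a site record from a constructed feed is turned into a 0–10 risk level by a simple Bayesian update, and the user’s own thresholds decide whether to load the page, load it without active content, or block it. The likelihood ratios, the prior, the feed entries and the threshold values are all constructed assumptions; the post leaves the scale direction open, so here a higher score means a riskier site.

```python
from datetime import datetime, timedelta, timezone

# Constructed, illustrative likelihood ratios: how much more often each
# attribute shows up on a malicious site than on a benign one. A ratio of 1
# would be neutral; attributes missing from this table are treated as neutral.
ATTRIBUTE_LIKELIHOOD_RATIOS = {
    "hosted_in_high_risk_region": 3.0,
    "ip_address_for_url": 8.0,
    "immediate_redirect": 4.0,
    "cert_hostname_mismatch": 6.0,
    "outdated_webserver": 2.5,
    "recent_bad_activity": 20.0,
}

# Assumed base rate of malicious sites before looking at any attribute.
PRIOR_PROBABILITY_BAD = 0.02

# Constructed sample of the data the client would pull down from the repository.
SAMPLE_FEED = {
    "bank.example": {"attributes": [], "updated": "2005-03-17T08:00:00+00:00"},
    "login-verify.example": {
        "attributes": ["ip_address_for_url", "cert_hostname_mismatch"],
        "updated": "2005-03-17T08:00:00+00:00",
    },
    "free-prizes.example": {
        "attributes": ["recent_bad_activity", "immediate_redirect", "ip_address_for_url"],
        "updated": "2005-03-17T08:00:00+00:00",
    },
}

# User-configurable local policy: (minimum score, action), checked top-down.
DEFAULT_POLICY = [
    (8, "block"),              # don't even load the page
    (5, "no_active_content"),  # load it, but no ActiveX / plugins / scripts
    (0, "allow"),
]


def posterior_probability_bad(attributes, prior=PRIOR_PROBABILITY_BAD):
    """Bayesian update in odds form: multiply the prior odds by each attribute's
    likelihood ratio, then convert back to a probability."""
    odds = prior / (1.0 - prior)
    for attr in attributes:
        odds *= ATTRIBUTE_LIKELIHOOD_RATIOS.get(attr, 1.0)
    return odds / (1.0 + odds)


def risk_score(attributes):
    """Map the posterior probability onto the 0-10 risk level the post describes."""
    return round(posterior_probability_bad(attributes) * 10)


def lookup(hostname, feed=SAMPLE_FEED, now=None, max_age=timedelta(days=7)):
    """Return the attribute list for a host. A host the feed has never seen
    contributes nothing beyond the prior; a stale record is flagged so the
    caller can decide to refresh before trusting it."""
    record = feed.get(hostname)
    if record is None:
        return [], False
    now = now or datetime.now(timezone.utc)
    stale = now - datetime.fromisoformat(record["updated"]) > max_age
    return list(record["attributes"]), stale


def decide(hostname, feed=SAMPLE_FEED, policy=DEFAULT_POLICY, now=None):
    """Combine feed data with the local policy into (score, action, stale)."""
    attributes, stale = lookup(hostname, feed, now)
    score = risk_score(attributes)
    for threshold, action in policy:
        if score >= threshold:
            return score, action, stale
    return score, "allow", stale


if __name__ == "__main__":
    check_time = datetime(2005, 3, 17, 12, 0, tzinfo=timezone.utc)
    for host in ("bank.example", "login-verify.example", "free-prizes.example", "unknown.example"):
        print(host, decide(host, now=check_time))
```

The odds-form update is what makes the “Bayesian adjustment” cheap to run in a browser plugin: each attribute is one multiplication, the feed only has to ship attribute flags rather than a precomputed verdict, and the user keeps control of where the action thresholds sit.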
This is very early thinking, and it could be utterly lame to me in 10 minutes, but it sounds good in my head right now.
Thoughts?
Bruce On Two-Factor Authentication — And Why I Disagree
By Daniel Miessler on March 16th, 2005: Tagged as General
Bruce Schneier has come out with what I believe to be a major piece that speaks against the ability of two-factor authentication systems to stop phishing and other types of online fraud.
His main argument seems to be that two new types of active attack make it possible to capture even the dynamic passwords of common two-factor authentication systems. For example, if a user sends a password via a phishing exploit, and the attacker is able to capture it and use it at the bank site within the one minute window, then the fact that the authentication was two factor didn’t help anything. In his other point, an active trojan on the user’s machine could allow an attacker to piggyback on a legitimate transaction and transfer funds or whatever.
His final findings are that two-factor authentication is not a major, long-term solution to remote authentication over the Internet, and that in the long run it will have little effect on fraud and identity theft.
I disagree.
First off, the amount of automation for these password harvesting systems needs to be taken into account. For current systems, you send out an email and soon you have a massive list of valid usernames and passwords that you can use within a huge window of opportunity. This wouldn’t be the case anymore with a two-factor system. Using a system like that, you’d have to go through quite a bit of trouble to get the usernames and passwords entered within less than a minute of receiving them. This sort of thing could be automated obviously, but it actually requires that a live application live on the other end and take action immediately rather than being able to collect credentials and use them (and sell them) over time. This alone is a major hurdle, and will drive the cost of phishing up while driving the profitability of it down.
Secondly, having an attacker monitor a trojan and “actively” use it to hijack an online banking session has one major flaw: there aren’t enough skilled crackers to go around. If each case of fraud requires 1) an active, working trojan on the user’s machine, and 2) a willing and able human on the other end who happens to be there when the user logs into their banking site, then the number of possible attacks gets hamstrung pretty quickly.
Granted, the methods he mentioned are certainly threats, but to argue that they will be so effective as to return us to our current level of risk is not a tenable argument in my opinion.
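The one-minute window that both Bruce and the post are arguing about comes from the token’s time step, and the other thing that limits a harvested code is that a properly built verifier refuses to accept the same code twice. The following added example (my own illustration, not code from the post or from any particular token vendor) is a TOTP-style verifier in the spirit of RFC 4226/6238: a code is only good for the current time step plus a small clock-skew allowance, and once a counter value has been consumed it is never accepted again. The secret, the 60-second step and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real deployment provisions a random per-user key.
SECRET = b"constructed-demo-secret-not-for-real-use"
STEP_SECONDS = 60   # the post talks about a one-minute window
DIGITS = 6


def _hotp(secret, counter):
    """HOTP-style code: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


def generate_code(secret, now):
    """What the user's token displays at Unix time `now`."""
    return _hotp(secret, int(now // STEP_SECONDS))


class OtpVerifier:
    """Server-side check for one user's token."""

    def __init__(self, secret, skew_steps=1):
        self.secret = secret
        self.skew = skew_steps          # accept neighbouring steps for clock drift
        self.last_counter = -1          # highest counter value already consumed

    def verify(self, code, now):
        current = int(now // STEP_SECONDS)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue                # already used (or older than one that was): replay
            if hmac.compare_digest(_hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t0 = 1_000_000
    verifier = OtpVerifier(SECRET)
    code = generate_code(SECRET, t0)
    print("used 20s later, first time :", verifier.verify(code, t0 + 20))   # inside the window
    print("same code presented again  :", verifier.verify(code, t0 + 25))   # replay rejected
    print("used 5 minutes later       :", verifier.verify(code, t0 + 300))  # window expired
```

Two consequences fall out of this for the argument above: a phished code has to be relayed and used before the step (plus skew) rolls over, which is the narrow window the post describes, and even inside that window the code works exactly once, so whichever of the user or the attacker presents it second is refused.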
Comments On The “How To Save The Internet” Article
By Daniel Miessler on March 16th, 2005: Tagged as Culture | General | Technology
Scott Berinato has written an article commenting on Professor Hari’s predictions of the Internet’s demise. Most interestingly, he gathered the opinions of some people in the industry on the topic of “how to save the Internet”.
I’d like to comment on a few of the ideas:
Create a giant Manhattan Project style think tank. I like this, but it’s easy to get into the trend of having meetings about meetings and/or coming up with lofty policy ideas that have zero chance of being implemented.
Have a security czar. This too, is a good idea, but it’d have to be a very powerful position rather than some political figurehead with no teeth. They’d have to have enough authority to really do some major shaking up.
Treat users like dummies. While that may not be the best way to put it, I’d have to agree on this one to some extent. Unfortunately, the degree to which admins lock down what users can do is directly related to the size of the staff needed in the user support department. Developers often code for “admin needed” (since it’s easier), and that would have to be looked at if changes were to be made in this area without having a major cost impact.
Eliminate coding errors in 2 years. The two years part belongs on theonion.com somewhere…that’s just crazy. And as for eliminating errors, that’s a tall order in ANY timeframe. To me it’s more interesting and efficient to address the ability to limit what can happen to a system even if the errors exist. In other words, rather than trying to eliminate errors, make systems more resistant to them.
Require licenses on systems that can be programmed on. This seems a bit extreme. First of all, in order to be useful in any way, computers have to be able to have software loaded onto them. From there, being able to say “everything’s ok, except stuff that you can write code in” is not trivial by any means. I mean, you can write code in notepad, compile it in a PuTTY window, and then download it to the local system again; I don’t see anything realistic coming out of this one.
Create a Cyber Police force. This seems logical. All it would really be, however, is a focused area of existing law enforcement agencies, and I think this is well on the way.
Site data via XML, i.e. you go to a site and you get transparently handed down security information about it — which your browser or other application could then take action based on. This is very interesting, but I see obvious problems. First off, getting this information to be current, accurate, and un-biased would be nearly impossible. Secondly, how do you get sites to include information that users’ browsers will respond negatively towards on their own sites? So if I am wearebadpeople.com and the open-metainfo-group’s info says my site is bad (and Internet Explorer 9 might block it by default), then why am I going to include that data on my server? I’d have to be forced to do so, which is more red tape.
The creation of a newer, more secure Internet that we’d move to eventually. Uh, no. Our physical connections aren’t what make the current Internet insecure — it’s the stuff connected to it. If you move that stuff to a new network, you now have a new, insecure network.
All in all, though, I like this sort of brainstorming and I hope it continues.
SANS / GIAC Dumps Practical Requirement
By Daniel Miessler on March 13th, 2005: Tagged as General | Rants
All GIAC certification holders just received an email stating that practical assignments will no longer be required to attain SANS/GIAC certifications.
As someone who just went through the original (with paper) process, I am a bit upset about this. To me, the paper was the biggest thing that set this certification organization apart from all the others. Taking that away from the process takes away what made their certs stand out.
They claim it was because not enough people were able to spend the time necessary to do the practicals. My answer to that is that not many have the time to get PhD’s either — perhaps that’s what makes them valuable.
I can’t help but think this is driven by money and money alone. If people are too scared to attempt the certification because they fear the paper, SANS doesn’t make much money. If it’s “just an online test”, many more will pay the $800 fee to challenge for the cert.
It’s a sad day for infosec certifications.
Edit: One interesting note here: SANS itself, in the email that was sent out notifying current cert holders of the change, said that a different logo would be available for those who got the “more prestigious” credentials, i.e. those who achieved it when the paper was required. Here’s my question: if SANS itself calls the certifications that required the paper “more prestigious”, then why (other than money) would they drop the practical as a requirement?
Israeli Military vs. D&D Players
By Daniel Miessler on March 11th, 2005: Tagged as Culture | Humor | Politics
Bruce Schneier is reporting that the Israeli Military is refusing to give out their highest security clearances to those who have played D&D. Too funny.
Lame Online Password Logic
By Daniel Miessler on March 10th, 2005: Tagged as General | Rants
I’m getting so tired of sites that don’t allow for the use of long, complex passwords. Actually, to put a point on it, it’s the sites that let me put in the long, complex password, but then don’t let me log in with it.
That really irks me. If the password’s so f%@&*)! horrible, why’d you let me enter it with no warning?
Why not tell me up front if the password is possibly too long (if the maximum length is reached, display a warning that says anything over that will be ignored)? How about telling me I can’t use special characters? I have been to dozens of sites that let me create my account with a 16 character, upper and lower case, special-character having password — and then proceed to not let me login using it.
Lame. Just lame. I think all sites that do this should be required to show a logo next to their username and password fields. It could be a big orange “G” - for “gimpy”, or “M” for “mouthbreather”. Either way, it’ll say to the user of the resource that they should be sure to enter something short, simple, and easy to guess for a password — since that’s their standard.
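The failure the post describes is almost always the sign-up path and the login path applying different rules: the form accepts anything, the storage layer (or a length cap nobody documented) quietly truncates or drops characters, and the login handler then hashes the full string the user typed. This added example (my own illustration, not code from the post or any particular site) shows that broken pattern side by side with the fix: one policy object, consulted up front so the user is told about a length or character problem before the account exists, and the identical password bytes hashed on both paths. The password, the 12-character legacy cap and the policy limits are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import string


class PasswordPolicy:
    """A single policy shared by the sign-up form and the login handler, so that
    anything accepted at registration is guaranteed to be accepted at login."""

    def __init__(self, min_length=8, max_length=64,
                 allowed=string.ascii_letters + string.digits + string.punctuation + " "):
        self.min_length = min_length
        self.max_length = max_length
        self.allowed = set(allowed)

    def problems(self, password):
        """Return a list of human-readable issues; an empty list means acceptable.
        This is the text the sign-up form should show before the account is created."""
        issues = []
        if len(password) < self.min_length:
            issues.append(f"password is shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            issues.append(f"password is longer than {self.max_length} characters; "
                          "characters beyond that limit are not accepted")
        disallowed = sorted({c for c in password if c not in self.allowed})
        if disallowed:
            issues.append("password contains disallowed characters: " + "".join(disallowed))
        return issues


def _hash(password, salt, iterations=10_000):
    # PBKDF2 with a low iteration count keeps the demo fast; raise it in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class LegacySite:
    """The pattern the post complains about: sign-up accepts any password, storage
    silently keeps only the first STORE_MAX characters, and login hashes the full
    string the user typed, so the two never match."""
    STORE_MAX = 12  # constructed example of an undocumented column width

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password[:self.STORE_MAX], salt))
        return []   # no warning shown to the user

    def login(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(_hash(password, salt), stored)


class FixedSite:
    """Same policy on both paths, no silent truncation, problems reported up front."""

    def __init__(self, policy=None):
        self.policy = policy or PasswordPolicy()
        self.users = {}

    def register(self, user, password):
        issues = self.policy.problems(password)
        if issues:
            return issues            # tell the user now, create nothing
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))
        return []

    def login(self, user, password):
        if user not in self.users or self.policy.problems(password):
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3!Correct"          # constructed 19-character, mixed-case, special-character password
    legacy, fixed = LegacySite(), FixedSite()
    legacy.register("alice", pw)
    print("legacy site login with the password it accepted:", legacy.login("alice", pw))
    print("fixed site registration problems:", fixed.register("alice", pw))
    print("fixed site login:", fixed.login("alice", pw))
    print("fixed site refuses up front:", fixed.register("bob", "x" * 70))
```

The point of `PasswordPolicy.problems` returning text rather than a bare boolean is exactly the post’s complaint: if a limit exists, say so on the form where the password is chosen, not by failing the login later.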
