Sunday 8 December 2013

Stepping up cybersecurity

We love hypes, and in our profession cybersecurity is a hype that refuses to stop being a hype. The #ditchcyber campaign was started to help bust the hype. Well, all right, let's just add to the hype.

Here are some links to documents that may help you deal with cybersecurity.

Confused? Just pick the 9 Steps ebook (by Dejan Kosutic). He clearly shows that cybersecurity is just a subset of information security.


Thursday 14 November 2013

Adobe lesson learned: do not use complex passwords!

By now we have all learned about yet another password leak, this time at Adobe. Not just some incident, no, it's a big one, with some 130 million passwords in the open. A big scandal too. And of course we are amazed at the large number of all-too-obvious passwords chosen by Adobe's customers. Passwords like '123456' and 'secret' are amongst the most frequently chosen. Are we really surprised? No, of course not. We already knew that people are not very aware of the security risks involved.

Who are those customers? They are people like you and me, consuming services anywhere on the internet, services like those offered by Adobe. And for most of those services the provider wants to know who you are by asking you to register an account. So, many of us did.


Let me tell you about the way I create accounts. In order to protect my privacy I have to protect both my identity and my behavior. So I try to separate my digital life from my real life as much as possible. And I bet that I'm not alone in this. My preferred method is to create an account using an alias. And since providers want to reach my alias, I need to provide an email address. If possible I use a disposable, or a fake, email address. Next I have to pick a password. '123456' will do just fine. Why?
This password is not there to authenticate; it's there because the provider wants me to provide a password before it lets me use a service. But I didn't use a real digital identity, I just claimed some capacity to download whatever I want from the provider. I don't care about protecting it, because in real life it just doesn't exist, and in all fairness, it's worthless. In fact I may have created an Adobe account a long time ago, but I don't even remember it. And if I don't care, it's just not relevant how secure it is or how complex the password is. The only thing that I need to take care of is to NOT use one of my regular identities and passwords.

That's my real protection. As long as a provider, or a hacker for that matter, cannot link the non-existent identity to a real identity, there is no danger to my real privacy if the provider or hackers publish '123456'. I couldn't care less. So lousy providers like Adobe are not really a risk for me. I was right not to trust them.
A far better way for providers to connect to customers would be to let them use an external identity. That way you don't need to register an account with the provider, the provider doesn't need to protect it, and there is no password to lose. If you are free to pick an external identity like Facebook, Twitter or LinkedIn, the risk of data leakage is far smaller. There is another privacy issue, because those identity providers learn your interests through the federation. I will not elaborate on this here, but if you have enough digital identities, every identity provider only knows part of your interests, part of your activities and thus part of your identity. Divide et impera.


The Adobe leak led to a lot of noise in the security community. There were two main comments. Adobe is stupid for not enforcing better security: I agree. And: users are stupid for using simple passwords: well, I don't fully agree, and I will explain why.
Account and identity management is tricky. There are two risks:
1) Someone knows you and tries to steal your identity.
2) Someone knows your password and your login name and tries to find out your real identity and reuse that information.

The first risk can be real, but it need not be that big, provided that you think about a few best practices. Protect your behavior. If someone cannot relate your real identity to a digital identity, not a lot of harm can be done in the digital world, in cyberspace.

As I mentioned, the second risk can be neglected as well, if you understand it and act upon it. I hope/believe that most of the Adobe top-20 passwords were used by people who knew this. In my opinion most of those accounts are disposable accounts, and preferably accounts that cannot be linked to real identities.

Password complexity

Both reactions to the Adobe leak came down to one issue: password complexity. Fact one: Adobe did not enforce password complexity on the user side, and did not follow good cryptographic practice in protecting the stored passwords either. Fact two: lots of users didn't use complex passwords.

Password complexity is difficult. A password needs to be complex for a few reasons:
- You don't want it to be easily guessed by someone who knows your digital identity.
- You don't want it to be easily cracked by someone who has access to the stored form of your password (the hash, or the ciphertext if the provider encrypted it).
Yet at the same time you want it to be easily remembered, by you.

The first risk is in fact the risk we need to manage to mitigate the threat of someone who knows you stealing your digital identity; that's the first identity risk. It's the risk of someone retrieving an identity => password combination based on known identity information.

The second risk is harder to manage. Cheap processing power makes it hard to mitigate; password cracking is no longer difficult. This risk works the other way around: someone tries to retrieve a password => account combination based on known password information. Protecting the password in transit and in storage does help to safeguard the password information, but it will probably only help temporarily. And if the stored form is reversible, or is a fast hash without a per-user salt, every account that chose the same password ends up with the same stored value, so one known password maps directly onto all the accounts that use it. So we are trying to use one measure, password complexity, to tackle two different risks. That may seem efficient, but it is not what we need to do.
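The two directions above (identity => password and password => account) are easiest to see with a small experiment. The following is an added example, not code from the original post and not a description of what Adobe actually did; the account list and the "top passwords" wordlist are constructed. It contrasts a store that keeps one deterministic, unsalted value per password with a store that uses a per-user random salt and a slow key derivation function (PBKDF2-HMAC-SHA256 from Python's standard library):

```python
"""Password => account retrieval against an unsalted store versus a salted,
slow store.  Added example; the rows below are constructed, not leaked data."""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample: a few accounts and the passwords they chose.
SAMPLE_ACCOUNTS = {
    "alias-1@example.test": "123456",
    "alias-2@example.test": "123456",
    "realname@example.test": "123456",
    "alias-3@example.test": "secret",
    "careful@example.test": "Tq8!vm#Zr2Lp",
}

# Constructed "top passwords" wordlist, the kind an attacker starts with.
TOP_PASSWORDS = ["123456", "password", "secret", "qwerty", "adobe123"]

PBKDF2_ITERATIONS = 100_000


def unsalted_store(accounts):
    """Weak: one deterministic value per password, no salt.  Equal passwords
    give equal stored values, so accounts can be grouped without cracking."""
    return {user: hashlib.sha256(pw.encode()).hexdigest()
            for user, pw in accounts.items()}


def salted_store(accounts, iterations=PBKDF2_ITERATIONS):
    """Better: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, digest)
    return store


def group_by_stored_value(store):
    """The password => account direction: without cracking anything, find
    accounts whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in store.items():
        groups[value].append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}


def crack_unsalted(store, wordlist):
    """One hash per wordlist entry cracks every account that chose it."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[v] for user, v in store.items() if v in lookup}


def crack_salted(store, wordlist, iterations=PBKDF2_ITERATIONS):
    """With salts, each (account, candidate) pair costs a full KDF run and
    no precomputed table helps.  Returns (cracked, number of KDF calls)."""
    cracked, kdf_calls = {}, 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            kdf_calls += 1
            cand = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(cand, digest):
                cracked[user] = w
                break
    return cracked, kdf_calls


def verify(store, user, password, iterations=PBKDF2_ITERATIONS):
    """Login check against the salted store, constant-time comparison."""
    salt, digest = store[user]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    weak = unsalted_store(SAMPLE_ACCOUNTS)
    print("unsalted, grouped without cracking:", group_by_stored_value(weak))
    print("unsalted, cracked with 5 hashes:", crack_unsalted(weak, TOP_PASSWORDS))
    strong = salted_store(SAMPLE_ACCOUNTS)
    print("salted, groups:", group_by_stored_value(strong))
    cracked, calls = crack_salted(strong, TOP_PASSWORDS)
    print(f"salted, cracked {cracked} after {calls} KDF runs")
```

Against the unsalted store the attacker never has to crack the realname account separately: it has the same stored value as the two aliases, so one known password maps straight to every account that chose it, and one hash per wordlist entry covers the whole table. With a per-user salt and a slow KDF the grouping disappears and every guess costs a full KDF run per account, but the weak passwords are still cracked; that is the "only temporarily" above. Reversible encryption of the stored password shares the weakness of the unsalted hash, with the added problem that one leaked key reveals everything at once.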

In order to prevent identity => password retrieval, we need password complexity. No one should be able to retrieve a password based on identity knowledge alone.
One example is phishing: an attacker tries to retrieve secret information from a known identity. That means that the real (physical) identity => digital identity => password trail needs to be protected. And since the password is the valuable item, the password needs to be secured. That means using complex passwords (and, to fight phishing, educating users not to hand over secret information!).

To prevent retrieval of a valuable identity based on a found password, another mechanism is required. If someone has retrieved a password, he may be able to retrieve the digital identity, but he should not be able to retrieve the real identity behind it. Why?
Because this might lead to misuse via the identity => password risk!

If the password => identity trail can be followed, an attacker may gain the knowledge needed to intercept other identity => password combinations. The identity is the valuable resource, so you need to protect your identity. And the best way is to use disposable identities, or external identities, in those cases where you have to trust providers.

This leads to an interesting conclusion.

Adobe user accounts with complex passwords may well be more at risk than accounts with easy-to-guess passwords: customers using a complex password may well have used a valuable identity, expecting the complex password to protect it. How about that?

In my next post I will introduce a really simple complex-password method.

Friday 4 October 2013

What US-CERT should have said about the Adobe hack

This is what US-CERT said in a rather pointless advisory: "US-CERT advises that Adobe customers be aware of possible fraudulent account activity."
What US-CERT should have said instead, as advice for Adobe customers: if you have an account at Adobe, change your password.

But that's not all: if your Adobe account has a username/password combination and/or email address that you also use for other websites or services, change your password on all those other sites too.

And perhaps, if US-CERT could spare some time and effort (thank you #shutdown), they could have added this:
Advice for all service providers: get rid of password management by moving to federation protocols like OpenID Connect (the identity layer built on OAuth 2.0). If you don't store passwords, you can't lose them.
And advice for Adobe and all other providers: please don't ignore secure programming guidelines.

Tuesday 1 October 2013

Get your #ditchcyber #wegmetcyber certification

You may have read my rant about the misuse of the word cyber, but I am not the first nor the only person to condemn the cyber misuse. Chris Baraniuk posted an interesting article about the history of the misuse of cyber. Recommended! And of course, as mentioned in Chris's article, not every use of cyber is bad. Cyberspace, cybercafé, cybersex, cyberpunk: I don't mind you using those combinations. Trouble starts when politicians use the term without knowledge of, or a vision towards, security. In those cases the purpose of using cyber is to create FUD: fear, uncertainty and doubt. It's also a great recipe for really saying nothing: "Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool -- and therefore strange, spooky. ["New York" magazine, Dec. 23, 1996]" (source).
I call on the responsible politicians, military and police officials to stop using the word cyber. You should address the risks that you can identify. If you can't identify a risk or a threat, it's just not there. And if you live by fearing the unknown, you will be a threat to others. As we witness every day.
If you feel the same, join the #ditchcyber or #wegmetcyber campaign. It looks like the blog entry that I posted earlier last week had an interesting spin-off. The post is now being used as a manifesto for the @cyberxpert community. This new Twitter account is the official voice of the cyber experts who support the #ditchcyber (or #wegmetcyber in Dutch) campaign. In a few days the @cyberxpert Twitter account attracted several dozen followers. Nothing special perhaps, that happens a lot these days. But these followers are allowed to add one of the @cyberxpert titles to their Twitter handle to show that they are the real cyber experts. We use two different titles: people can add RCX and/or CCX to their name. RCX is the abbreviation of Registered CyberXpert, CCX means Certified CyberXpert. One can use the title only by following the @cyberxpert Twitter account and by supporting the #ditchcyber or #wegmetcyber campaign. So join the #ditchcyber campaign, follow @cyberxpert and show your support!

Thursday 29 August 2013

Ditch Cyber campaign

A few weeks ago I started my #ditchcyber campaign, or #wegmetcyber in Dutch. The reason for doing this is that in my opinion the word cyber is misused a lot. Right now cyber is connected to almost every event that is happening on the internet, in the cloud, in datacenters, at home and in the office. In many cases cyber, followed by another term, has a very negative meaning: if someone uses the word cyber, it's about trouble. War, crime, and we need cyber security, a cyber army and cyber police to help us against these cyber threats.
And so the audience only knows cyber in this special, negative meaning. Cyber requires special cyber forces to guard us from risk.

And what is really the case? It's about information security. It's about professionalism. It's nothing more than managing bits and bytes. But we are just too lazy to do it right, or we spend too little money to make it secure. And then, when something bad happens, a data leak, a DDoS attack, or whatever crosses your mind, there is the big CYBER excuse.

Well, excuse me, you don't hide stupidity in empty words.

I don't want to be rude, but most incidents are of our own doing; they are human errors. Nothing new. Data leakage, like Manning's, happens because of lousy access control and bad logging. Hacks because of lacking configuration and patch management. DDoS because of bad architecture. Privileged account misuse because of social engineering. Identity theft because of lacking awareness. Fraud because of lacking segregation of duties, lack of governance. Foreign intelligence acting hostile? Because of our own lacking governance and our being penny-wise.

Did I mention cyber? Sorry, no way. Nothing new, just the same old errors. But since we call everything cyber, we obfuscate our own lack of responsibility and lack of accountability. Makes it so easy...

So here I am, a lonely cyber warrior, ditching cyber. Feel free to join the campaign.

And please look up the real meaning of cyber-everything on Wikipedia.

#ditchcyber (@alcyonsecurity came up with this translation, thanks!)

Saturday 30 March 2013

Identity Fusion, a study from 2009

For the Identity.Next advisory board we are studying several new topics that may be of interest to the identity management community. Somehow my name popped up for the topic Identity Fusion. I must have mentioned it some day, but I had really forgotten about it.
It seems that this subject has been studied before, or at least the term Identity Fusion was defined in 2009, although in a different context than our regular identity management topics.
The abstract of the article by William B. Swann, Jr., D. Conor Seyle, Ángel Gómez, J. Francisco Morales and Carmen Huici states:

The authors propose that when people become fused with a group, their personal and social identities become functionally equivalent. Two hypotheses follow from this proposition. First, activating either personal or social identities of fused persons should increase their willingness to endorse extreme behaviors on behalf of the group. Second, because personal as well as social identities support group-related behaviors of fused persons, the 2 forms of identity may combine synergistically, fostering exceptionally high levels of extreme behavior. Support for these hypotheses came from 5 preliminary studies and 3 experiments. In particular, fused persons were more willing to fight or die for the group than nonfused persons, especially when their personal or social identities had been activated. The authors conclude that among fused persons, both the personal and social self may energize and direct group-related behavior. Implications for related theoretical approaches and for conceptualizing the relationship between personal identities, social identities, and group processes are discussed.

Here is the link to the full article.

Thursday 31 January 2013

Lessons from the Diginotar drama: We need Trust Governance

In the summer of 2011 the Dutch certificate service provider Diginotar collapsed after its back-end systems were hacked by an Iranian hacker. Since then many analyses have been published, most pointing at plenty of problems at Diginotar or at the inadequacies of PKI as we know it. But in my opinion the problems are more severe than just technical issues.
In 2012 the Dutch magazine Informatiebeveiliging published my analysis (I should mention that I am one of the editors of the magazine, so there is no full independence there...). By request I translated the article.

You can find the English-language version of the article via this link.

(I wish to thank Jacoba for reviewing the translation)

Feel free to react.

Friday 11 January 2013

Responsible Disclosure

These days in the Netherlands several initiatives are popping up around the issues of ethical hacking and responsible disclosure.

What's all the fuss about?
Last year a hacker reported a vulnerability and a data leak in a back-up server of a Dutch hospital. He claimed that he had found a lot of confidential information on a server that was readily accessible from the internet. The report was made through a Dutch journalist, Brenno de Winter.
After the incident was published we learned that the hospital had sued the hacker, and for us, the security community, this was unheard of: why sue someone who reports a vulnerability? Who are the amateurs responsible for this leak, and do they really think they can get away with it by suing a security researcher?

In the meantime the Minister of Internal Affairs published his guidelines for ethical hacking, and under those guidelines a hacker might be exempt from prosecution if he acted in conformance with them.

So we, the Dutch security community, were puzzled. Then rumors came in that the hacker had installed malware on the hospital's server. Sentiment changed, but despite the new guidelines, the hacker community's trust in the authorities, like the DA responsible for cyber crime, vanished. Trust was gone and so was the willingness to cooperate. And right after that, some critics of the official guidelines raised their voices, and it looked like the guidelines no longer applied to the people they were addressed to.

At this moment this is the status:

And that's not all; there is at least one more initiative, but that's not ready for prime time yet.

Anyway, a lot of activity in interesting times. Please have a look at Floor's site and feel free to react!

I will try to publish some more about all activity and invite you to join the discussion.