Thursday, July 30, 2009

Banning P2P? Can you say Antitrust?

I decided to take a break from cyber geek stuff and spend a little time talking about the RIAA/MPAA's efforts to cure the illegal movie/music downloads by forcing sites to ban P2P or they'll get sued.

I play in a band that's won a number of awards and nominations for most of our 9 CDs. We were an early adopter of the www. We were signed to an independent music label and since then have our own label. We market our stuff on a variety of online venues like CDBaby and have the prerequisite Facebook, MySpace, etc. sites.

I was asked for my opinion of the Napster lawsuit a bunch of years ago. I made a few observations that I'd like to share here.

1. I FULLY agree that it's illegal to download any form of entertainment in violation of the established copyright laws. However......

2. What if the copyright owner allows free and unlimited distribution of their music, for example. P2P provides an efficient way to distribute that material to potentially a worldwide audience. My band and its record label own the copyrights to our original material and we typically include public domain music on our CDs. We want to market our product and one way to get word out is through the P2P process.

3. So, I wonder if the RIAA/MPAA's efforts to force sites to ban P2P constitutes some sort of antitrust type violation against independent music labels or bands like ours. A P2P ban would hurt our business. We'd be frozen out of potential markets and thereby incur potential loss of income. Again, we are granting permission to distribute some of our materials using P2P. There is NO copyright violation in our case.

4. Public institutions may distribute their own video and audio material via P2P. VA Tech is a land grant institution and its extension service regularly creates videos on a wide variety of agricultural processes. A favorite delivery method is P2P. If a site has to ban P2P for fear of an RIAA/MPAA lawsuit, doesn't that impact their overall ability to get timely information for their site?

More on this later.....

Tuesday, July 28, 2009

Account Sharing - What's the Real Purpose?

IMHO, items listed in a IT security, data security or IT acceptable use policy must be enforceable. The "stick" might be another organizational policy, local, state, or federal laws. If a policy item isn't enforceable, then the policy is worthless.

This brings my discussion to a common policy item: account/credential sharing. Just about every acceptable use policy or standard has a line item that says something like "user accounts must not be shared". The reason for this is primarily to ensure accountability. We want to know WHO was using the account or credential. This makes perfect sense from just about any standpoint.

The first problem is that given most of the technologies that we have in place, we can't really enforce this. Suppose you come to me and say "we want to sanction this person for sharing their account". What evidence can we collect to support the allegation?
  1. account login logs - this item tells us which account was used, when and IP address of the connecting machine.
  2. video logs, room access logs, etc. - these items tell us if the person was physically present at the machine.
  3. personal testimony - These are statements made by eyewitnesses, the accused individual or other individuals related to the case.
The problem with item #1 is that it only tells us what account was used not who used it. The problem with item #2 is that it can only identify who had physical access but not remote access to the target machine. Item #3 depends on someone actually observing the login by another person. Even two factor authentication methods can't give us the "who" part of the puzzle. If I lent you my ATM card (this is a theoretical discussion :-)) and gave you my PIN, the bank just knows that the account was accessed. Their control to gain additional info on the "who" is the video camera at the ATM.

The second problem is that most IT sysadmin staffs violate this policy when it comes to Administrator or root access. Most IT shops have primary and backup sysadmins. They both know the Administrator or root passwords. Best practice dictates that you don't log into directly as "root", rather, you log in under your own userid and then "su" to root. This provides an extra layer of accountability. Remote "root" access is strongly discouraged because we don't know if the primary or secondary admin logged in as "root". We would expect to see a similar strategy employed in the Windows world although I suspect not.

So, as I've mentioned in previous posts, let's try and figure exactly why someone would share their account. Some possible reasons include:
  1. The IT environment doesn't provide a mechanism for a particular business process (see an earlier blog entry). For example, an email system may not have the ability to share an email folder between a dept head and their assistants. The dept head is out of the office and gives the assistants the email password so they can read any important email sent. Another example might be the network doesn't have a mechanism to provide guest access to the net. A visitor needs access to the net and the person logs in under their userid.
  2. The person just wants to let a buddy or family member get online.
Reason #2 seems to be the easiest to claim it's a violation. Reason #1 is a little harder to quantify. I've said before that the business process trumps security. Failure to support a business process will cause people to bypass a control in order to get the job done.

Yes, there are sectors (military, defense contractor, sensitive business, financial) where you can just terminate an employee for account sharing but care needs to be taken to ensure a "wrongful termination" suit can't be filed against you. Military and defense contractors have the easier time with this issue.

What's an enforceable item that will be effective and hopefully accomplish the original goal? A policy/standard statement that says "you are responsible for whatever originates from your account, system." is enforceable. In my previous ATM example, I'm responsible for the disposition of my ATM account.

Policy wonks want to have that "no account sharing" clause in a standard. You should have one to emphasize the spirit of proper account usage. You need to include an enforceable item in your policy that will be the "stick" used in a disciplinary hearing. User reponsibility for their account usage is the way to enforce the "principle" of not sharing accounts.

If our IT procedures can't support a business process, then we may create a situation where users have to share accounts in order to get their job done. Ultimately, this makes us more vulnerable.

Thursday, July 23, 2009

Account Lockout - Has Time Passed It By?

When I first got into the cybersecurity arena, I read all the books that I could find on the subject. There weren't many back then in 1991. A number of the books dealt with securing Unix systems and they all had a section on Account Lockouts. Fast forward to the present and I'm finding myself at odds with the "standard" audit checklist requirement that says you must enable account lockouts. When I teach a SANS class and we touch on this subject, I like to ask my students a couple of questions:
  1. How many of you enable account lockouts?
  2. What's the purpose of the lockout?
  3. Do you have strong password strength rules that are enforced?
  4. What's the purpose of the strong password strength rules?
  5. Do you monitor login fail/succeed entries?
  6. What's the purpose of monitoring login attempts?
  7. Do you notify an offending site that they're attacking you?
  8. How long is the lockout period? Minutes? Days?
  9. How long does it take to reset the account?
Almost everyone said they enable account lockouts and the purpose of the lockout was to prevent brute force password attacks. 90% of the students replied that they have strong password strength rules (and they enforce them :-)) and the purpose of the rules is to prevent brute force password attacks. Surprisingly, about 40-50% say they monitor login failures and/or successes. Those that do say they do this to detect brute force password attacks. 20-25% said they notify an offending site that some host in their domain is attacking them. I found this stat a little disturbing but that's a subject of another post. The account lockout period ranged from 1 minute to "forever". The reset time had pretty much the same time range as the account lockout period.

So, what's the problem? Suppose my attack is simply to lock out all of the accounts on the target. In the Unix world, a good sysadmin would prevent remote root logins and use the su and sudo commands to switch into root mode. An account lockout on their account would force them to drive to their operations center and physically walk up to the server to log in as root. An attacker could take advantage of this time delay to launch their attack. This happened to me back in 1997.

Back in the old days of Unix (late 80's-early 90's), Unix did not have password strength controls built into the OS. There were tools like npasswd, passwd+ that allowed such control but you had to build the commands manually. The absence of such controls left account lockouts as the only viable defense against a brute force password attack.

Nowadays, password strength rules enforcement is built into the OS usually in the form of PAM modules. The admin has a wide variety of builtin tools to mitigate brute force password attacks.

One of the things I always ask my admins is "does the security control introduce a worse problem than what we're trying to solve?" I believe account lockouts do just that. A massive DOS attack against your user base is worse than someone brute forcing their way into an account. Your password strength rules, log monitoring, notifying remote sites provide adequate defenses against a brute force attack. IMHO, account lockouts are an archaic solution to the problem. It's what I call an "inherited security solution". It was in an 1st edition security book and left in there with each new security book without realizing other controls are better.

IT Audit checklist will usually flag the lack of a lockout strategy as an audit item. It's time to update those checklists.

Tuesday, July 21, 2009

Security and the Business Practice

We're often asked to provide an opinion on the security of a software product. We do a preliminary analysis of the software for common software vulnerabilities and hopefully, we don't find any. However, there have been cases when we do find one. Does that mean the business unit shouldn't use the software? Well, we ask a couple of followup questions: 1) is this software needed to run your business operations? 2) Is there another software product that does the same thing but has no software vulnerabilities. Obviously, if the answer to question 2 is "Yes", then we'd recommend purchasing that product. The worrisome situation (from a security standpoint) is when the answer to question 1 is "Yes" and the answer to question 2 is "No". One of our security paradigms is that the user be aware of any security vulnerabilities and accept the risks of using such a product. So, what does "accept the risk" mean? Well, the first thing is that the business users determine the software product is "essential" to their business process and they are aware of a potential security issue with the product. The second thing is that they devise additional procedures to compensate for the weakness. For example, a laser printer that has no access control features might require the purchase of a hardware firewall that will provide access control. The third thing is that the business process owners acknowledge they are willing to assume the risk of using such a product.

We find IT sysadmins focus more on protecting the IT asset rather than protecting the business process that uses the asset. Years ago, a friend of mine got one of the first Macs in her office. After I gushed about how cool it was, she calmly told me that "as far as I'm concerned, that Mac is a stapler. It just helps me do my job. If it weren't here, I'd still have to do my job."

That explains the dilemma that IT sysadmins are in every day. Account lockouts are an example of how protecting the IT asset conflicts with the business process. This is the process where an account is locked out when a user fails to give the correct password after 3-5 attempts. The obvious attack is to simply lock out all of the accounts at once. Why lock the account? It's the easiest thing to do from a sysadmin standpoint. Another example is the practice of restricting where people can go on the web. Presumably, it's to prevent misuse but accessing the web freely is a necessary thing for business use in most university business processes. The way to prevent misuse is to simply enforce the Acceptable Use Policy. Hold people accountable for misuse and we reduce its occurrence. IT staff shortages force sysadmins to make choices that could interrupt the business process. When that happens, people will circumvent the security process because they have a job to do and the security process gets in the way. This circumvention reduces the overall security of the business unit.

So, it comes back to accountability and the willingness of the business to enforce it. Military and high security businesses have it easy. Violate the rules and you're out. It's not so easy in the civilian world and it takes time to find that balance.

The one thing we don't want is for the IT sysadmins to cause a worse security level because of a seemingly draconian security best practice that forces users to go "underground".

Thursday, July 16, 2009


Just letting you know that I'll be posting my thoughts on various cybersecurity, music and volleyball issues in this blog. More later.