Wednesday, August 16, 2017

Will Passphrases Kill the Password Managers?


I won’t keep you hanging… … … much... the answer is no! If the answer was all you needed, then thank you for visiting my blog. If you would like to know why I say “no,” then keep reading.

Just in case you do not know what a passphrase is, it is a password that uses words instead of gibberish. The words may or may not have spaces in them. “thisisapassphrase” and “this is a passphrase” are both passphrases. Do not use those two examples for your passphrases though.

The argument for passphrases is that they are easy to remember, and if they are about 20 characters long or more, they can be far stronger than something like “^T28dy2a$o,v” is. That is completely correct. I am a strong proponent of passphrases.
 
On the NPR show All Tech Considered, Paul Grassi, the Senior Standards and Technology Adviser at NIST, is quoted as saying the following concerning password managers
 
“… these apps are useful because they completely randomize the password, but he says they aren't necessary to maintain security.”
 
The new NIST guidelines concerning passwords and passphrases are widely regarded as excellent by security experts. I wholeheartedly agree with all that Paul said, except for the part about password managers, and here are the reasons why.
 
1) Some sites are not going to allow long password/passphrases. If you are limited to 15 characters or less, complexity does become far more important and password managers help with that. This also means that you have to try to remember the gibberish.

2a) Depending upon how many sites you have passphrases for, many people are not going to be able to remember all of the phrases and which sites they correspond with. This leads to 2b (for the record, “2b or not 2b” is not a good passphrase.

2b) When people get to the point that they can’t remember all of the passphrases and corresponding sites, they are likely to take shortcuts that are essentially the same as incrementing passwords or using the same passphrase at multiple sites.

Cracking passwords is not as common as obtaining passwords from a data breach or a phishing attack. This is why password reuse is so dangerous. This is also why incrementing passwords makes a complex 16 character password weak. Easily recognized patters in passwords, such as “Todayis01/10/17” make the next series of password extremely easy to guess.

If a person has 20 sites with a unique username and passphrase to remember for each site, I believe that they are likely to do something far more serious than incrementing. They may use a site identifier.

Write down 20 websites that require you to log into. The next to each one write down your user name and a unique passphrase for each of them. Just to make my point. Choose the first four words of a different sentence in this blog for each of website’s passphrase.

As soon as you are done, stop looking at them. Even if your username is the same for all of the sites, do you remember the passphrases and corresponding sites? Most people will not. You need a way to remember all of these. The trick that I envision some people using is site identifiers.

“Tractors swim in aquariums” is a great passphrase (at least it was before I published this blog).

Now to make it easy to remember which site I use each password for…

“Tractors swim in aquariums – Gmail”

Care to guess this user’s password for Facebook, LinkedIn, and the company they work for? Websites can prevent users from including the name of the site in a password, but users are clever that way. They’ll figure out something as predictable. Of course if you write it down you are a bit worse off than using a random complex password. The gibberish passwords are hard to remember. If I see your passphrase written on a piece of paper, about a second or two is all I need to see it and remember it.

Passphrases and passwords share an identical problem. You can’t remember them all. Password managers address that problem. That is why password managers are as relevant in tomorrow’s world of ubiquitous passphrases as they are in today’s world of ubiquitous passwords.

Here is my recommendation. Use an excellent passphrase for your corporate login and remember it. Use an excellent passphrase for your personal computer login. Use an insanely good passphrase for your password manager. A sentence you create that is at least 35 characters long, such as “the purple cow danced on the cheese” is insane enough. Make sure your passphrases are at least 20 characters long and not common sentences, and you’ll be good to go for almost anywhere you use a password.

In future blogs I will give more detailed guidance on how to make killer passphrases.

In a different blog I will discuss the passphrase token attack and linguistic passphrase attacks. These attacks intrigue me, but I don’t think they are anything to worry about at this point.

Randy Abrams

Independent Security Analyst (is not my passphrase)

Thursday, August 10, 2017

Evasion and Regeneration; Decoys and Deception


I recently had an interesting conversation with Alex Gounares, the CEO at Polyverse. Alex calls Polyverse’s security approach “Moving Target Defense.” Polyverse’s technology basically causes your operating system to continuously morph into something functionally the same and dynamically different, at a very high rate of speed, while replacing the container with each morph. The idea is to give attackers virtually no time to exploit a vulnerability before the vulnerability has been moved somewhere else. If malware does enter the system, the OS is replaced with a brand new, clean morphed OS almost as quickly as the malware had arrived. Full disclosure: I had been referred by a friend to Polyverse for contract work. There was not a synergy in current needs but the ensuing conversation was engaging and thought provoking. This is the “evasion and regeneration” I am talking about in the title of this blog.

One of my all-time favorite quotes goes something like this. “If you only see one solution you probably don’t understand the problem.” This sage advice that I found in the sidebar of a DIY robotics book applies to life. Sometimes when I do not like a solution. I discover I’m not actually trying to solve the real problem. Sometimes the first solution I see is the best solution. Other times I find multiple appealing solutions.  Regardless, I am always more educated by remembering to apply this principle to my life.

I really am intrigued by Alex’s classifications of defenses as “stationary” and “moving target.” The moving target defense looks to me like a novel solution. Damn. The “S” word… “solution.” “If you only see one solution…” Sigh .Now my challenge became one to see if I could find better or equally appealing solutions that use a stationary target defense. In other words “Can a stationary endpoint be defended as well as an endpoint that is moving faster than the attackers can catch and inflict damage upon?”

There are many types of stationary target defenses but for this blog I am limiting discussion to one class of stationary target defense – deception and decoy. The reason is simple. It was the first to come to mind because my friend Gadi Evron is everywhere I go. Facebook, email, countries all over the world… Gadi is everywhere. In thinking about a stationary target defense solution that might be able to provide the effectiveness of a moving target defense, I remembered Gadi telling me about how his company, Cymmetria, uses decoys and deception to keep an attacker away from a stationary target. TrapX, Attivo Networks, and CounterCraft are three other companies that use a deception and decoy strategy. Aside from any technical merits of these solutions, I absolutely love the idea of deceiving the bad guys. Digital karma. Ask me about the time I kept a PC support scammer on the line for 45 minutes. He even waited for me to “cook my breakfast.”

I have an all-time favorite example of a successful stationary target defense. The defense was called “Rope-a-dope” and it made the “Rumble in the Jungle” one of the most exciting boxing matches in history. Muhammed Ali was essentially a stationary target for almost 8 rounds. In the 8th round Ali stopped being a stationary target and destroyed George Forman in an offensive flurry lasting less than 10 seconds. Rope-a-dope worked for Ali. Although it was an offensive maneuver that ended the fight, the defense was essentially stationary. I can’t imagine that getting pummeled by George Foreman felt like an Ashiatsu massage, but I wasn’t there.
Unlike Ali’s approach, companies employing decoys and deception do not let their targets stand and take punches – no matter how hardened the target is. Different companies use different techniques, but the high level concept is to use real or virtual computers that keep attention drawn away from the target by making the decoys look like they have the Holy Grail. One of the potential weaknesses of the decoy approach is that there is still a stationary target. I’m sure that all of the companies that use this approach are aware of this and have some pretty cool counter-measures, but still, there is a stationary target. If the decoys work all of the time then the actual target does not need to move.

My favorite moving target defense analogy is the SR-71 Blackbird. This spy plane was the fastest aircraft ever to fly.  The Blackbird had vulnerabilities. The Blackbird was designed for stealth, but you don’t really fly at Mach 3+ without leaving a detectable heat signature. To add to that, the skin around parts of the fuselage could be easily damaged. How did the Blackbird defend itself?  It flew faster than the missiles could reach it, faster than any other aircraft could fly, and it moved around a lot. Stealth was still a factor too. By the time the missile got there, the Blackbird was not. It didn’t matter that the Blackbird was in plain (no pun intended) sight.

Surveillance is a critical part of moving target defenses, deception and decoy defenses, and many other security approaches. Repelling attacks is good, but not everything. You want to have a discreet, digitally intimate relationship with your attacker. You just don’t want the attacker to know they are in the relationship. This should be your relationship status

 

This is what the adversary’s relationship status should be


You want to stalk your enemy… watch them... What is my enemy after? How are they going after it? How are their tactics adapting? Who is attacking me? What am I going to do about it? And so on… Ah ha! The OODA Loop is back!

Update: Attivo Networks expressed concern that I may be making decoy and deception defense look like a passive technology. I am actually surprised that none of the other vendors raised this concern because they all fight the misconception that they are glorified honeypots.

Modern decoy and deception approaches employ algorithms that can create a series of dynamically changing decoys and potentially even dynamically changing network topologies in response to the tactics of attackers. This is active engagement with the enemy, not passive intelligence collection.

Again, I am not recommending or endorsing any specific technology or security market segment. We’re talking philosophic approaches and challenging assumptions. I can’t imagine any single tactic working through the entire kill chain.

Given multiple approaches to achieve the same goals, which strategy is best? I can’t tell you, I don’t know your problem.

If you are Schick you are defending trade secrets. Encryption, DRM and data recovery probably address the real problem. Yes indeed, defend your endpoints, but don’t lose focus on the problem. Get that IP protected, then worry about the network and endpoints.

If you are a hospital you are defending human lives first. Protecting the equipment required to maintain the physical well-being of a patient probably requires different protection technologies and/or approaches than protecting the systems remotely monitoring a pacemaker. Banking Trojans may be the biggest threat to the accounting department, where data theft is the major threat to systems holding health records.

Make sure you are clear on the problem, assess the suitability of the approach to the problem, and them compare technologies and approaches. The right technological approach for you may not have been mentioned in this blog.

I really wanted to share with you the concept of diverse philosophical approaches to security, and demonstrate what happens when I remember some of the wisest words I know - “If you only see one solution you probably don’t understand the problem”

This is the official end of the blog, but feel free to read on if you enjoy the diversions that research on the Internet results in.  As you all know, the problem with research on the internet is not attribution and not validation, it’s that you get diverted to rather irrelevant information that is too compelling to ignore. In thinking about analogies to use in this blog, holograms came to mind. I could think of analogies using holograms for either type of defense, but they fell apart the very first time an adversary tried to “touch them.”  This analogy requires a hologram that can be “touched” to really fly. With that in mind I remembered that George Washington once said “if you can dream it you can find it on the Internet.”

Research into my dream led me to a company called Ultrahaptics. Ultrahaptics is developing a holographic technology which can make it seem like you are touching a hologram. How cool is that?


Randy Abrams

Independent Security Analyst (ISA)
Fan of Historical Quotes (FHQ)
Chaser of Internet Squirrels (CIS)

Tuesday, August 1, 2017

Can Comcast/Xfinity Publish Your Trade Secrets and Letters to Grandma?

The answer looks like yes, but ask a lawyer for a legal opinion.
I have confirmation from a lawyer that I am correct.

Comcast’s most recent Terms of Service (ToS) state

“Authorization. Comcast does not claim any ownership of any material that you publish, transmit or distribute using XFINITY Internet. By using XFINITY Internet to publish, transmit, or distribute material or content, you (1) warrant that the material or content complies with the provisions of this Agreement, (2) consent to and authorize Comcast, its agents, suppliers, and affiliates to reproduce, publish, distribute, and display the content worldwide and (3) warrant that you have the right to provide this authorization. You acknowledge that material posted or transmitted using XFINITY Internet may be copied, republished or distributed by third parties, and you agree to indemnify, defend, and hold harmless Comcast, its agents, suppliers, and affiliates for any harm resulting from these actions.”

 Sending data in email clearly is transmitting material. For example, if an employee or an independent contractor who uses their Comcast account to communicate something confidential with authorized people, it appears that Comcast retains the right to publish such information  on a worldwide basis.

If a child writes an email to grandma, fair game for worldwide publication? A suicide note? Spouses exchanging love letters and/or pictures? Letters to congress people. Your attorney? The FBI?

The answer is yes.

If I am reading this wrong please let me know so I can update this blog and inform others of what it means.

Randy Abrams
Independent Security Analyst