Bruce Schneier's Speech at OWASP

Security guru Bruce Schneier spoke last week at the University of Minnesota’s Bell Museum at a local OWASP meeting about The Economics of Internet Security.

I had a chance to attend and jot down the following notes during his presentation.

1. Economic Value of Information – For the most part, there is no longer a need to open physical mail that arrives at your house. For some companies, the only salable asset was their database.

2. Network as Critical Infrastructure – Lots of industries rely on the web for just-in-time information. The Northeast blackout of August 2003 did more damage than the loss of power alone: ancillary systems, such as reservation systems, failed too.

3. 3rd Parties controlling information – We have less control over our own stuff; security is out of our hands. The government doesn’t have to bother us for our records since we don’t have them anyway.

It doesn’t matter how good we are at securing information if 3rd parties don’t.

The market can’t solve this problem since we don’t have a direct relationship with many companies that host our information like Choicepoint.

4. Ever-increasing complexity – Complex systems are harder to secure. Non-linear, tightly coupled systems have more potential for both accidents and malice.

We like complexity, but it comes with increased insecurity. Technology makes things better. Shouldn’t security be getting better? It is, but complexity grows faster.

5. Criminals thriving on the Internet – Hacker threats used to mean defacing webpages. Now botnets, spam, and criminal activities are the worry. “There is more money in identity theft than drugs.”

Must understand the attacker right to get the security right.

6. Sophistication of automatic worms – Worms are getting better: better written, stealthier and quieter. Most lie dormant, gathering intelligence.

7. Slower patching and faster exploits – An impossible problem: a patch has to work perfectly in every software configuration and also be released fast, and you can’t do both. People became resistant to patches because of their unreliability; now patching is more regular and stable. Hackers release malware the day after fresh patches come out from companies like Microsoft, so they can exploit the month before the next patch release.

Best systems provide security even when unpatched. Patched systems never reach 100%.

8. Untrustworthiness of the endpoints – We use a WWII communications model: SSL, SSH, PGP. Data is most vulnerable at the endpoints, before or after encryption/decryption. Example: keyloggers.

Credit cards aren’t stolen one at a time. They’re stolen in blocks of millions.

9. Regulatory pressure – Computer security is hard to sell. It must be done based on greed or fear. An insurance problem. The biggest motivator is regulation. Companies are motivated by compliance. Sticks like Sarbanes-Oxley give IT departments the tool they need to get more money for security investments. Companies don’t want to fail an audit.

10. Outsourcing – Really important for security going forward. “The reason there is a security industry is because the software you buy sucks.” Security will become bundled with the products. Air bags are an example of this. Security is built into the car rather than sold after-market.

Computer security will be bundled with the outsourcing vendors contractually. It shouldn’t be an end-user problem. Software as a service: Google has to solve security problems rather than the businesses using Gmail.

Externalities: people don’t care about security failures that don’t directly affect them, like buggy software or virus-laden computers. If your mom can check her email, she doesn’t care if her computer is also a spam-bot. Regulation or liability makes people care about externalities like this.

You can find out more about Bruce on his blog where he recently stirred things up by explaining that he doesn’t secure his home’s WiFi network.

My Password Has Been Compromised

This annoys me: I found a site with my favorite password on it.

This is a problem since the combination of letters and numbers is absolutely unique. The only way it would show up on the web is if I put it there or a site’s security was breached.

In this case, it looks like the latter since the Chinese site displaying it has a long list of terms that are clearly passwords ranging from things that are extremely obvious to rather complex terms.

One thing I noticed was that many passwords seem to be simple variations on what’s presumably the username. For example, a password like johndoe1 could probably be tied to a username “johndoe.” That’s still pretty vague, but it’s not nearly so vague when the password + 1 is a much less common name.

To me, this marks a good time to switch up passwords. Nothing that I’m aware of has been compromised, but why wait for that, eh?

In case you’re wondering, my new password will not be edkohler1.
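As an added example (not code from the original post), here is a defensive password-policy check for the pattern described above: it rejects passwords that are just the username with a short affix, the username reversed, or the username lightly obfuscated. The usernames and passwords in it are constructed sample values.

```python
import re
from typing import List, Optional

# Added example, not code from the original post. It implements a defensive
# password-policy check for the pattern seen in the leaked list: passwords
# that are just the username with a short suffix ("johndoe" -> "johndoe1"),
# reversed, or lightly obfuscated. All sample values below are constructed.

# Short runs of digits/symbols at either end count as a trivial affix.
AFFIX = r"[0-9!@#$%^&*._-]{0,4}"
# Undo the most common letter-for-symbol substitutions before comparing.
LEET = str.maketrans("@$03", "asoe")


def _core(password: str) -> str:
    """Lowercase, drop a short leading/trailing affix, undo leet spelling."""
    p = password.lower()
    p = re.sub(f"^{AFFIX}", "", p)
    p = re.sub(f"{AFFIX}$", "", p)
    return p.translate(LEET)


def derived_from_username(username: str, password: str) -> Optional[str]:
    """Return why the password is derived from the username, or None."""
    u = username.lower().translate(LEET)
    if not u:
        return None
    core = _core(password)
    if core == u:
        return "username plus a short affix"
    if core == u[::-1]:
        return "reversed username"
    # Substring match only for usernames long enough that chance hits are rare.
    if len(u) >= 4 and u in password.lower().translate(LEET):
        return "contains the username"
    return None


def check_password(username: str, password: str, min_len: int = 12) -> List[str]:
    """Collect policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    reason = derived_from_username(username, password)
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    samples = [("johndoe", "johndoe1"), ("johndoe", "J0hnD0e!"),
               ("johndoe", "99eodnhoj"), ("johndoe", "correct horse battery staple")]
    for user, pw in samples:
        print(f"{user!r} / {pw!r}: {check_password(user, pw) or 'ok'}")
```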

Chase’s Privacy Protection Lacking

I used to work at a bank where I had to seal and initial the bag of trash at my desk at the end of every day before it was stored for a few weeks, to make sure nothing went missing. On the other end of the spectrum, we have this video from Chase showing loan applications, with customers’ complete application information, thrown away in trash put out on the street.


Of all the ways your privacy could be stolen, you’d hope it wasn’t due to your bank’s incompetence at protecting the information you share with them.

Irrational Child Security Priorities

Bruce Schneier found a great article on the resources put into protecting children from crimes with incredibly long odds, while at the same time parents stuff those children with crappy food that WILL take years off their lives:

Meanwhile, as rates of child abduction and abuse move down, rates of Type II diabetes, hypertension and other obesity-related ailments in children move up. That means not all the candy is coming from strangers. Which scenario should provoke more panic: the possibility that your child might become one of the approximately 100 children who are kidnapped by strangers each year, or one of the country’s 58 million overweight adults?

At least they’re “safe” at home in front of the TV or computer with a can of Mountain Dew in one hand and a bag of Doritos within reach.

Obesity kills. Here’s a BMI calculator. Try it.

MSP Observation Deck

MSP Observation Deck, originally uploaded by s4xton.

Aaron offers a great reminder about the coolness of the MSP observation deck, along with this hilarious nugget from his time observing from the observation deck:

Two of them were fully uniformed TSA agents making out.

Uniformed make out sessions? Wow.