Monday, March 10, 2008

Tamper resistant =/= Tamper proof

Ross Anderson's team at Cambridge University has demonstrated physical security vulnerabilities in two of the devices commonly used to validate chip-and-PIN cards in the UK. The vulnerabilities would enable an attacker with sufficient physical access to the devices and some manual dexterity with a needle or bent paper clip to hack them, exposing PIN codes. With PIN codes plus data from the magnetic stripes, card hackers could create fake cloned cards that work in non chip-and-PIN validators (which are becoming uncommon in the UK now, but less so abroad), or in chip-and-PIN validators that fall back to the magstripes if card chips don't work.

This ably demonstrates the difference between "tamper resistance" and "tamper proofing". The chip-and-PIN security mechanism, like many others, was designed to resist certain attacks, not to prevent them. Compromises inevitably had to be made during the chip-n-PIN design specification process for the sake of cost, usability etc., including the decision to retain magstripes on chipped cards (as the team puts it, "Essentially, the vulnerabilities we exploit are not just a matter of hardware design, but also of the options many banks chose as they implemented EMV"). Hackers, as a breed, feed on such security compromises. There is no shortage of fodder. We've already seen miniature CCTV cameras plus magstripe readers used in the wild to capture PINs and card data on ATM skimmers, and chip-n-PIN device tampering in frauds at Shell service stations in the UK in 2006.

The team draws out some general lessons in the paper, such as:
- the complexity of the EMV specifications (leading to local interpretations and the introduction of further unintended flaws)
- obvious conflicts of interest that result from equipment vendors selecting and paying security labs to assess their products against Common Criteria - something economists call "moral hazard" apparently - plus the commercial pressure on labs to issue pass slips like confetti (same with ISO/IEC 27001 certifications!)
- further issues that arise when product assessments and certifications are clouded in secrecy, thanks to the whole banking industry closing ranks and lax controls by the UK's Common Criteria certification body (apparently, anyone can claim to have had their product Common Criteria Evaluated, whereas they must have actually passed the tests to claim Common Criteria Certified ...)
- the potential applicability of this kind of hack to other tamper-resistant mechanisms such as on electronic voting terminals. The same class of attack would probably succeed against devices using biometric mechanisms (fingerprints, iris scans, whatever) for user validation: if the codes sent by a biometric reader can be captured in the clear en route to the encryption/validation guts, they can probably be replayed or used for other attacks. Blog-reading designers of dual-interlock atomic missile launch fire biometric authorization mechanisms please take note. Tamper resistance has its limits.

The paper is well written and thought provoking for hackers and security professionals alike, even those with only fleeting interest in chip-n-PIN while paying for stuff.


Friday, February 22, 2008

Does your DCP cover frozen hydrazine tanks crash-landing?

A US spy satellite "the size of a bus" (the SI unit of satellite size) that went out of control shortly after being launched a year ago, has been blasted by a US missile over the Pacific Ocean. They aimed (literally) to blow the satellite to smithereens (the SI unit of satellite size following missile impact), ostensibly to prevent the frozen hydrazine fuel tank smashing to Earth and giving someone a nasty surprise. Any secret weaponry allegedly on board would also, presumably, have been destroyed.

What if the missile had missed its target or they had not been able to fire the missile for fear of creating an international security incident amid fears of the Star Wars initiative? And what if the spy satellite had landed, intact, on your data center? What if the missile landed on your data center? What if ...?

Now I don't expect your contingency plans to mention falling spy satellites, frozen hydrazine or missiles explicitly, but that's really not the point. The point is that your plans perhaps ought to mention and should definitely cover commonplace and credible disaster scenarios, but should also cover the more extreme, outlandish and incredible incidents too, the nature of which is presently unknown and, in fact, unknowable. That is the essence of true contingency planning: "We don't know exactly what might happen but we are as ready as we can ever be to cope with any disaster that comes our way."

The US military's contingency plan for the spy satellite going out of control presumably reads:
- Have large missiles available in strategic locations worldwide
- Launch large missile at satellite
- Handle PR nightmare as well as can be expected given circumstances
- Reassure Chinese and Russians that WW3 is not declared
- Fire designers and builders of out of control spy satellite

For you and me, a specific contingency plan to cover the spy satellite scenario might read something like:
- See flaming ball of fire approaching at 22,000 mph
- Take cover under large immovable object, quickly
- Hear flaming ball of fire explode, releasing no-longer-frozen hydrazine gas
- Hold breath
- Crawl out from under large hot immovable object
- Staunch bleeding, dampen fires
- Seek fresh air
- Call insurer to make incredible claim

A more general plan might read:
- Have large immovable object or similar, under which to take cover
- Have first aid kit with all essentials
- Have disaster survival kit with all essentials
- Have insurance policy
- Watch for news of imminent disasters, Google "hydrazine" and refine/enact plan accordingly


Sunday, February 17, 2008

Don't forget to lock the office ...

... especially if you are a banker.

A 5-year-old boy who discovered that his local bank branch was closed but unlocked was awarded a paltry £10 (US$20) by HSBC, one of the world's largest banks that makes obscenely large annual profits, for letting them know. HSBC say the electronic door lock system failed. I presume bank staff neglected to check the lock, in other words the bank's security procedures also failed.


Tuesday, February 12, 2008

Do your contingency plans cover mice and snakes?

Physical security incidents are one class of incident that virtually all contingency plans cover, but are your plans broad enough to cater for the full range of potential physical security incidents? Here are some classic photographs of actual incidents that might make you re-think your approach:
- Mice nesting inside a system, using a handy computer manual as nesting material
- A snake living inside a nice warm system box
- Lightning/storm damage to electronics
- Inept maintenance and repairs
- Equipment overheating

There are more photos of this nature at the Microwave Mortuary if you need something to spice up your awareness program.


Thursday, January 24, 2008

New IT security standards for US electricity industry

FERC, the Federal Energy Regulatory Commission, has approved eight new mandatory critical infrastructure protection (CIP) reliability standards developed by NERC, the North American Electric Reliability Corporation, covering:
- Critical cyber asset identification (NERC standard CIP-002) - essentially inventory and risk assessment of critical information assets;
- Security management controls (CIP-003) - security policy and management structure, exceptions process etc.;
- Personnel and training (CIP-004) - personnel risk assessment, training and, of course, security awareness;
- Electronic security perimeters (CIP-005) - a 'crunchy outer shell' for networks;
- Physical security of critical cyber assets (CIP-006) - physical perimeter controls, card locks, processes, visitor logs etc.;
- Systems security management (CIP-007) - security testing and patching, controlled network services, antivirus, security monitoring and various other IT security controls including, I note, minimum 6 alphanumeric+punctuation character passwords with a lifetime of up to one year (!);
- Incident reporting and response planning (CIP-008) - an annually-reviewed incident response plan; and
- Recovery plans for critical cyber assets (CIP-009) - DR plans with at least annual exercises.

For completeness, CIP-001 covers sabotage reporting, the critical infrastructure equivalent of SB-1386 and similar requirements to report unauthorized credit card or personal data disclosures.

FERC's IT security standards are stronger than mere recommendations and will probably become fully mandatory when get-out clauses relating to business judgement are removed. In-scope companies should all have started work on this by now and have to be fully compliant by mid-2008 or mid-2009 depending on the type of company and the specific standards.

FERC did not go as far as to mandate NIST's SP800-series security standards, however, excellent though they are, nor indeed international standards such as ISO/IEC 27002. The stated reason was not to delay implementation. While I applaud their haste to beef up infrastructure security, it's a shame to ignore the large existing body of work on information security from the likes of NIST, ANSI, BSI, ISO, IEC and others. Arguably there is a need for specific security standards covering SCADA (Supervisory Control And Data Acquisition) systems, but the electricity industry is not pure SCADA by a long shot: there are conventional systems, many running Microsoft Windows and various UNIX/Linux variants, and TCP/IP networks all over the place, and security architecture, operations and management issues are basically the same as for any other industry. [I guess adopting existing standards would put a posse of electricity industry security consultants out of jobs but IMHO they are better deployed implementing security standards than creating new ones.]

Looking over the list of bullets above, it is not hard to align FERC's advice with ISO/IEC 27002 ... whereupon gaps such as compliance stand out. FERC evidently intends to assess or audit the utilities' security against the standards but there's more to compliance than formal assessments/audits. Electricity companies should have suitable governance structures and processes in place to ensure compliance with their internal security requirements (policies, standards, guidelines and procedures) and with legal obligations unrelated to FERC (e.g. software license compliance plus other intellectual property issues, SOX and protection of Personally Identifiable Information) along with compliance by their suppliers and business partners. There are solid commercial drivers for information security in the electricity industry, quite separate from the critical infrastructure protection angle. Surely FERC could leverage this to their advantage?

The standard on DR is also notable for the absence of any advice on contingency planning and business continuity. I would have thought that 'keeping the lights on' is absolutely the number 1 top priority for the electricity industry, therefore resilience is more important than recovery. Perhaps this is so ingrained that it is taken as read but I'm surprised by the omission.

By the way, I also couldn't help but notice that "Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission" are explicitly excluded from the scope of the standards. I trust the nukes have their own, strong, rigorous, comprehensive cyber security standards ... they do, don't they?


Sunday, January 06, 2008

When losing the office key codes makes headline news

When a vehicle maintenance contractor's car was stolen, thieves removed a clipboard with a sheet of paper listing access codes for pushbutton locks on 73 Police station yards in West London. The contractor disclosed the loss and all the numbers were changed within 11 hours, but this was yet another embarrassing security blunder for HM Government. Questions have been posed about why a civilian had access to such sensitive information and why he failed adequately to secure it. The relatively poor security afforded by mechanical pushbutton locks would be another concern although thankfully Police stations have multiple overlapping layers of physical security.


Monday, December 31, 2007

EPO incident

If like me you've been wondering over the Christmas break "Just how many computer specialists does it take to reset an Emergency Power Off [EPO] button?", here's your answer from the latest RISKS mailing list digest:
"A Sacramento County computer technician has pleaded guilty to trying to shut down California's power grid by pushing a button marked "Emergency Power Off," authorities said. Lonnie Charles Denison, 33, of South Natomas, admitted Friday in U.S. District Court in Sacramento that he went into a room at the Independent System Operator's data center in Folsom (Sacramento County) on April 15, broke a glass cover and pushed the button, prosecutors said. Denison, a contract employee at the data center, was upset with his employer, authorities said.

The ISO oversees electricity purchases and distribution. Denison prevented the data center from communicating to the electricity market for about two hours, leaving the electrical power grid vulnerable to shortages, Matthew St. Amant, a California Highway Patrol officer assigned to an FBI task force, wrote in an affidavit. No blackout occurred because the incident - which cost $14,000 for 20 computer specialists to repair - happened on a Sunday, investigators said. Denison was identified by surveillance-tape footage and his security-access code, the affidavit said. He pleaded guilty to attempted damage of an energy facility, a felony. He is to be sentenced Feb. 29 by U.S. District Judge Garland Burrell."

If you don't already subscribe to RISKS, it's highly recommended.


Monday, December 10, 2007

Social engineers steal $4m IT equipment

Brazen robbers conned their way into a shared data centre in London by posing as Policemen with a convincing story:
"The bogus police gained entry to the data centre by claiming that they were investigating claims that there were people on the roof of the building. Five data staff are thought to have been tied up, although none were seriously hurt."

This was clearly a social engineering incident.


Tuesday, November 06, 2007

Chicago data center robbed, again

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame.

Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tasered and hit the center manager, and made off with a haul of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).

Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?


Saturday, October 27, 2007

Iron Mountain security failures continue

Iron Mountain Inc. is back in the headlines again - this time a customer's storage media went missing from an Iron Mountain truck when the driver "did not follow established company procedures when loading the container onto his vehicle".

The backup device belonging to the Louisiana Office of Student Financial Assistance (LOFSA) contained thousands of names, birth dates and Social Security numbers. It was unencrypted - evidently LOFSA is "working on a plan to encrypt all backup data stored off site". It was also "in the process of developing our disaster and recovery plan, but [the loss] occurred before we could get it in place and establish it as a standard plan".


Tuesday, October 23, 2007

Yet another redaction failure

... this time it reveals the face of a man accused of sexually abusing boys in Vietnam and Cambodia. Photos of the man were redacted using a swirly filter effect that police somehow reversed. The resulting image is clearer than most CCTV snaps we see on TV crime watch programs.

Presumably the same kind of techniques would work on similarly redacted digital photos of vehicle license plates, associates of criminals and so forth. Provided there is sufficient original data in the redacted image, and provided the manipulation can be reversed without too much data loss, it's feasible.

Stories about un-redacting documents by cutting-and-pasting the original words from 'beneath' black boxes crudely added to PDFs etc. are simply passé.

The take home lesson for today is this: if something needs to be redacted, do it properly by removing, not just manipulating or covering the original data. There's a lot to be said for the 'print out -> obliterate with marker pen -> scan -> load' method.

UPDATE: a man has been arrested in Bangkok following release of the unredacted photo.
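To make the distinction between manipulating and removing data concrete, here is an added example (not from the original post). The "swirl" is a constructed stand-in, a keyed pixel permutation rather than a real swirl filter, and the image is generated; the point is the final check a reviewer can run on a redacted region: if it still holds the original region's pixel values, nothing was removed.

```python
import random
from collections import Counter
from typing import Dict, List, Tuple

Image = List[List[int]]           # greyscale rows, pixel values 0..255
Box = Tuple[int, int, int, int]   # x0, y0, x1, y1 (exclusive)

def make_face(width: int = 8, height: int = 8, seed: int = 7) -> Image:
    """Constructed sample image standing in for the photograph."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]

def crop(img: Image, box: Box) -> Image:
    x0, y0, x1, y1 = box
    return [row[x0:x1] for row in img[y0:y1]]

def paste(img: Image, box: Box, region: Image) -> Image:
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for dy, row in enumerate(region):
        out[y0 + dy][x0:x1] = row
    return out

def swirl(region: Image, key: int) -> Image:
    """Toy 'swirl': shuffle the pixels with a key-derived permutation.
    Every original pixel is still in the output, just somewhere else."""
    flat = [p for row in region for p in row]
    order = list(range(len(flat)))
    random.Random(key).shuffle(order)
    shuffled = [flat[i] for i in order]
    w = len(region[0])
    return [shuffled[i:i + w] for i in range(0, len(shuffled), w)]

def unswirl(region: Image, key: int) -> Image:
    """Invert swirl(): the same key reproduces the same permutation."""
    flat = [p for row in region for p in row]
    order = list(range(len(flat)))
    random.Random(key).shuffle(order)
    restored = [0] * len(flat)
    for dst, src in enumerate(order):
        restored[src] = flat[dst]
    w = len(region[0])
    return [restored[i:i + w] for i in range(0, len(restored), w)]

def blackout(region: Image) -> Image:
    """Proper redaction: replace every pixel with a constant; the originals are gone."""
    return [[0 for _ in row] for row in region]

def redaction_check(original_region: Image, redacted_region: Image) -> Dict[str, object]:
    """Reviewer's check. A region whose pixel histogram matches the original's has
    merely been rearranged; a constant-filled region carries no information at all."""
    hist = lambda r: Counter(p for row in r for p in row)
    flat = [p for row in redacted_region for p in row]
    constant = len(set(flat)) == 1
    preserved = hist(original_region) == hist(redacted_region)
    if constant:
        verdict = "destroyed: constant fill"
    elif preserved:
        verdict = "reversible: pixel values preserved"
    else:
        verdict = "inconclusive: compare against the original by other means"
    return {"constant_fill": constant, "pixels_preserved": preserved, "verdict": verdict}

def demo(key: int = 42) -> Dict[str, object]:
    img = make_face()
    box = (2, 2, 6, 6)                       # the region to hide
    face = crop(img, box)
    swirled = paste(img, box, swirl(face, key))
    blacked = paste(img, box, blackout(face))
    recovered = paste(swirled, box, unswirl(crop(swirled, box), key))
    return {"swirl_undone": recovered == img,
            "swirl_check": redaction_check(face, crop(swirled, box))["verdict"],
            "blackout_check": redaction_check(face, crop(blacked, box))["verdict"]}

if __name__ == "__main__":
    print(demo())
```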


Saturday, October 20, 2007

Automated field gun kills 9

This tragic story speaks for itself. After the operators cleared a jam in a Swiss/German Oerlikon 35mm MK5 anti-aircraft twin-barrelled gun during a live-firing military exercise, the gun turned to the left and fired a rapid burst of ½kg cannon shells directly at adjacent guns in the line, killing 9 soldiers and injuring 14. At the time, the gun was supposedly on 'manual', locked on to a target 1.5 to 2km away. On 'manual', it should not have turned at all.

According to news reports, "Defence pundit Helmoed-Römer Heitman told the Weekend Argus that if 'the cause lay in computer error, the reason for the tragedy might never be found.'" If 'computer error' equates to bug, then I can only assume the software must be horrendously complex and opaque to be so resistant to analysis ... which it probably is if it combines target acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an inquiry.

Don't the procurers of such automated weaponry specify mechanical safety interlocks capable of physically preventing the turret from turning beyond set azimuth (and perhaps elevation) limits?


Friday, October 19, 2007

Tips for physically securing your IT equipment

A page from the University of Bristol's new security awareness site, aimed at students, offers some worthwhile advice on avoiding physical damage or loss to your IT equipment, things like:
- Don't cover the PC or monitor with anything (fire risk)
- Don't drink near the system (water damage risk)
- Don't be in a rush (a common explanation for why laptops etc. get left on public transport is that the owner was in a hurry ... I suspect asking students to get out of bed 5 minutes earlier is a bit of a tall order).

The rest of the site is straightforward enough - basic advice on antivirus, firewalls, patching, backups and so on. Not a bad start.


Who owns what you throw away?

An interesting angle on the dumpster-diving craze comes from Singapore. A judge has previously ruled that confidential information discovered in the trash cannot be used against someone, but the issue is to go to appeal.

It seems to me the burden is and should be on the person discarding information to take care to make it unreadable, for example by cross-cut shredding and burning. It seems fair to me that it's their fault if they fail to take sufficient physical security measures to protect the information.


Friday, October 12, 2007

Tips for your next black bag run

Rebecca Herold lists some 18 common security breaches to look out for when undertaking an office physical security review out of hours (also known as a black bag run when the reviewer/auditor collects up and quarantines sensitive/valuable materials left on desks).

We'll be looking at office information security specifically in January's NoticeBored Classic awareness module but Rebecca's list is an excellent starting point. It's hard to think of other breaches.


Wednesday, October 10, 2007

Secure disk erasure how-to

Anyone who sells a used hard drive, or a system containing one, should follow the step-by-step guide to using DBAN (Darik's Boot And Nuke), a great free program to securely erase everything, BEFORE packaging and sending the goods to an anonymous eBay or car boot sale buyer.

DBAN does a good job but overwriting the entire disk surface several times with random data is not a quick five-minute-or-less job - it may literally take hours to do thoroughly. Don't leave it to the last minute and don't cut it short if there is anything vaguely incriminating on the disk.

Oh and don't try this on any disk drive whose contents you actually still might need (doh!).
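An added example (not from the original post and not DBAN's code) of the "overwrite everything, then check it" step. It works on a constructed scratch file rather than a real drive, which is an assumption made so it is safe to run; DBAN itself targets the whole device. The verification reads the medium back looking for any trace of the original content and for blocks that do not look random, which is how a partial or unflushed pass would show up.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict

BLOCK = 64 * 1024
MARKER = b"ACCOUNT=12345678 SECRET=hunter2 "   # constructed 'sensitive' content

def make_scratch_disk(size: int) -> str:
    """Create a constructed file full of recognisable plaintext to stand in for the disk."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write((MARKER * (size // len(MARKER) + 1))[:size])
    return path

def overwrite(path: str, passes: int = 3) -> int:
    """Overwrite the whole medium `passes` times with fresh random bytes, forcing each
    pass to the medium before the next; returns total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(BLOCK, remaining))
                f.write(chunk)
                written += len(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())   # a buffered write is not an erased block

    return written

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random data, near 0 for a repeated pattern."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def verify_wiped(path: str, marker: bytes = MARKER, min_entropy: float = 7.5) -> Dict[str, object]:
    """Read back block by block: the marker must not appear anywhere (including across
    a block boundary) and every block must look random."""
    marker_found = False
    lowest = 8.0
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(BLOCK)
            if not block:
                break
            if marker in tail + block:
                marker_found = True
            tail = block[-(len(marker) - 1):]   # overlap so boundary-straddling copies are seen
            lowest = min(lowest, shannon_entropy(block))
    return {"marker_found": marker_found,
            "min_block_entropy": round(lowest, 3),
            "wiped": not marker_found and lowest >= min_entropy}

def demo(size: int = 256 * 1024) -> Dict[str, Dict[str, object]]:
    """Wipe a scratch 'disk' and report the check before and after."""
    path = make_scratch_disk(size)
    try:
        before = verify_wiped(path)    # marker present, low entropy
        overwrite(path, passes=3)
        after = verify_wiped(path)     # marker gone, entropy close to 8 bits/byte
    finally:
        os.remove(path)
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(demo())
```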


Physical security podcasts

Podcasts at SecurityInfoWatch cover topics such as voice recognition biometrics, CCTV camera technologies, terrorist threats and more. They are mostly interviews with representatives of companies selling associated products and services (i.e. advertorials or infomercials) but still the information content may be just what you need.


Sunday, October 07, 2007

Top secret NSA data lost on thumb drive

It's not A Good Idea to lose a USB memory stick containing top secret data from the NSA, even if you are a foreign citizen working at The Hague in Holland.

Similarly, it's not A Good Idea to shred your top secret papers with a plain cut shredder and hand the shreddings to an untrustworthy Taiwanese courier.


Security camera security

If your CCTV security camera system uses IP transport to cut costs, don't forget to factor the cost of network and device security into the mix. It has long been known that many IP-enabled CCTV cameras are pumping live video onto the Web with no encryption or access control. It now appears that exploiting security vulnerabilities in the camera controllers may allow hackers (or bank robbers) to manipulate the video stream, for example replacing it with a 'blank scene' while they crack the vault.


Password protected =/= Hacker proof?

Gosh: another stolen laptop contains personal data. But it's OK, we're told, because the laptop is "password protected".

"Password protected" could mean a BIOS boot password, a hard drive access password, a Windows/UNIX user login password, or a data encryption key. Using hacker or forensics techniques, all but the last of these controls can be broken, and even encryption can often be brute-forced given enough time and a weak pass phrase. If the laptop's data or entire hard drive had been strongly encrypted, we'd presumably have been told so and the people whose personal data are on the stolen laptop could sleep easier.

Call me paranoid but "password protected" sounds very much like "insecure" to me.

At least the Gap company 'fessed up that their stolen laptop was unencrypted.

UPDATE Dec 9th 2007: after a laptop was stolen from a Citizens' Advice Bureau employee's car, the CAB confirmed that it was protected with "a high level of encryption". Presumably 'high level' means strong encryption using a current encryption algorithm (such as AES) with a long key length (at least 128 bits, ideally 256 or more) and a strong password/passphrase policy, ruthlessly enforced (long non-dictionary phrases). Anyway, if it were my personal data on the laptop, the fact that the PR people specifically state that the laptop was encrypted would give me a lot more confidence than the usual mention of "password protection".

This is doubly important if you are, say, a government that regularly loses hundreds of laptops and desktops per year.
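A worked comparison, added here and not part of the original post, of what "a high level of encryption" is worth once the passphrase that unlocks it is taken into account; it also covers the CIP-007 six-character minimum mentioned in the FERC post above. Whoever holds the laptop guesses the passphrase, not the key, so the effective strength is the smaller of the two plus whatever work the key derivation adds. The 94-symbol alphabet, the iteration counts and the guess rate are assumptions.

```python
import math
from typing import Dict, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`. Human-chosen
    passwords are worse than uniform, so this is an upper bound on their strength."""
    return length * math.log2(alphabet_size)

def kdf_bits(iterations: int) -> float:
    """Key stretching multiplies the cost of every guess; express that as extra bits."""
    return math.log2(max(iterations, 1))

def effective_bits(key_bits: int, length: int, alphabet_size: int,
                   kdf_iterations: int = 1) -> float:
    """Strength the data actually has: min(key length, passphrase + stretching)."""
    return min(key_bits, passphrase_bits(length, alphabet_size) + kdf_bits(kdf_iterations))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given rate (assumed, e.g. 1e9/s offline)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def compare(guesses_per_second: float = 1e9) -> List[Dict[str, object]]:
    """Scenarios: the CIP-007 six-character minimum (alphanumeric plus punctuation,
    taken as the 94 printable ASCII symbols), an eight-character password and a
    twenty-character passphrase, each protecting a 128-bit and a 256-bit key, with
    and without 100,000 iterations of key stretching."""
    cases = [("6 chars (CIP-007 minimum)", 6, 94),
             ("8 chars", 8, 94),
             ("20-char passphrase", 20, 94)]
    rows = []
    for label, length, alphabet in cases:
        for key in (128, 256):
            for iters in (1, 100_000):
                eff = effective_bits(key, length, alphabet, iters)
                rows.append({"passphrase": label, "key_bits": key,
                             "kdf_iterations": iters,
                             "effective_bits": round(eff, 1),
                             "years_to_exhaust": years_to_exhaust(eff, guesses_per_second),
                             "key_is_bottleneck": eff == key})
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The table makes the post's point in numbers: a 128-bit key behind a six-character password has about 39 bits of strength, and stretching buys back only around 17 of the missing bits, while a twenty-character passphrase is the first case where the key itself is the limit.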


Data recovery from 'erased' CD-RWs

Picking up on a technique used to retrieve MP3s from an 'erased' CD-RW disk, a forensic investigator has succeeded in retrieving incriminating data from 'erased' CD-RWs, sufficient to secure the defendant's prosecution in a child abuse case.

The news article barely outlines the method: it appears to involve writing a new file to the 'erased' CD-RW but interrupting the write process. I presume the first part of the write creates the 'lead-in' file system synchronization and identification data. If interrupted soon after, the PC can presumably be fooled into reading the rest of the disk.

Presumably, also, if 'erasing' a CD-RW only involves wiping the disk sync and ID part leaving all the data intact just waiting to be overwritten by the next write operation (rather like deleting the directory on a hard drive), then surely it ought to be possible to manufacture forensic CD/DVD software or drives that sync directly to the data tracks to make their bitwise copies, all without having to overwrite the lead-in part of the (evidential) disk? Indeed, a very quick Google query reveals that one can buy data recovery software for damaged CDs. I wonder if the 'clever officer' in the news story tried such an approach?

Anyway, the take-home message is not to discard even 'erased' CD-RWs that might contain valuable or sensitive data. Shredding/grinding/physical disintegration and burning remain the safest option.


Thursday, October 04, 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."


The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information such as
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."


The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.


Physical & information security convergence

A security page at the ISACA website links to three resources on convergence between physical and information security:

1. A survey by Deloitte & Touche addresses the value of security as part of enterprise risk management and the benefit of a converged view of security in managing enterprise risk. Security executives provided insight into the general state of security convergence, integration of converged security as part of ERM, the role of risk councils and the benefit that a strategy for converged risk management plays in breaking down communications barriers.

2. Convergent Security Risks in Physical Security Systems and IT Infrastructures describes how enterprises are facing the risks that arise when physical and IT security risks collide.

3. Convergence of Enterprise Security Organizations is a Booz-Allen-Hamilton study examining how enterprises are addressing the converged issues surrounding their security.
