Category Archives: Information security strategy

With every BCM audit, you should pay attention to this question “Show me the contract?”

While researching on DR best practices, I uncovered a statistic from Bank of Japan 2012 survey on business continuity. When asked how many days can a bank’s power generator runs on fuel ? The answer is surprising low. Look at this chart on page 25.

 stockpiles of generator fuel

stockpiles of generator fuel

I remember in 2003 New York Blackout, I was working for a bank and their New York data centre staff was forced to drive a long distance and wait for hours to buy generator fuel. When over 40% of  from JP banks do not have fuel supply over 1 day, this number is quite worrying. Japan banks and professionals are well aware of large scale of catastrophes and yet their risk assessment/impact analysis arrive in one day fuel stockpiles.

Think deeper, there are some reasons for not able to store extra fuels. First, fire safety issues. Storage of a large amount of fuel permanently will require extra safety measures. Industrial buildings or data centre location may not allow such storage of inflammable substances. Second would be cost. What else? Third is the estimation of recovery time is not directly link to fuel supply. Within 24 hours, most people would believe they can replenish fuel with confidence. However, the 2003 large scale blackout in New York lasts for 2 days. All generators were put into use and thus supply are going to be tight, you should expecting a long queue. The assumption of continuous fuel supply when disaster or large scale blackout happened simply does not hold.

One better approach is to secure priority access to fuel supply when disaster strikes, So in your next data centre audit , you should ask “Show me the contract?” Auditor are paid to ask tough questions.

New ISO TR on Guidance on the audit of the governance of IT

In conjunction with the guidance contained in ISO/IEC 38500, ISO/IEC TR38502 ISO/IEC19011:2011: Guidelines for auditing management systems, there is a new technical report proposed on providing guidance on audits to assess whether an organization’s governance of IT is aligned with the principles for governance of IT in ISO/IEC 38500.

BSI is seeking public comments on this new TR URL:

“The primary audience for the technical report is auditors undertaking audit assessment of an organization’s governance of IT. The outcomes of such assessments will inform members of governing bodies who are responsible for the governance of IT and are accountable for the effective, efficient and acceptable use of IT within the organization; and those responsible for defining and implementing the governance framework for IT.”

IT auditor has a responsibility to help the management board to oversees complex IT environment. A governance framework defines the organisation structure, role and responsibility and accountability is important.

Cyber security info explosion

As a IT security guy, I used to read cyberattack and data breaches news, trying to learn from others missteps. However, in the past few months, it becomes impossible to keep up with those stories! There is a cyber security info explosion in mass media. Blogger, journalist, lawyers, bankers and even comedian started to comment on cyber security.

Just thinking, we may need a course to teach people how to (not to ) write about cyber attacks. Purely rely on fear factor is not helping.

Design a hack proof password storage

I like to thank Dale Johnstone and Meng-Chow Kang for their useful comments and suggestions.

Recent security breaches further confirm that a password alone is not an effective security measure. An increasing number of cyber attackers are going after the password storage, be it a file or a database. Password storage once exposed, results in an impact that has been shown to be catastrophic. Password storage facilities today need to designed on the basis that a password storage mechanism will be compromised by a malicious party who will get a copy of the password credentials. In both the Target and eBay cases, it is hacking. In other cases, it may be the result of a lost backup tape or as a result of an insider exploiting their authorised access for unauthorised purposes. Through the application of the defense in depth principle, the formulation of an additional layer of control to mitigate the risk of a compromised password storage is becoming more critical.

RSA tried to tackle this issue by using threshold cryptography, which protects through the splitting of an individual password across two servers, addressing the risk of a single point of compromise at any one server. This may be a solution to the rich man. However, I am going to suggest a DIY way for the more cost conscious and tech-savvy to implement this additional layer of defence.

A better strategy would be that we DO NOT store all input with the password hash. Making it less feasible to automate a password cracking system.  When a password is required to be retrieved through a manual process that requires human interactions, it changes the game completely by making it extremely resource intensive to scale up an attack. It is easy to add hundreds of servers while it will be cost prohibitive to recruit a hundred computer operators to perform password screening.

Best Practises of Password Storage

So what do the cyber attackers get after gaining access to your system? When a cyber attacker gains control of a system, they will likely make a copy of your security configuration files, including database files, password file, private keys and logs. From these files, a cyber attacker obtains full knowledge of :

  1. The password hash
  2. Username, email, phone number, DoB etc
  3. User login records and transaction records (like invoices)
  4. Password reset questions plus answers

With the above information, a cyber attacker could launch  Brute force attackDictionary attack and Birthday attacks. There is an excellent article on how to defend against these attacks, “How to encrypt user passwords?” provides 6 rules on how to store passwords securely as follows:

  1. Encrypt passwords using one-way techniques, this is, digests
  2. Match input and stored passwords by comparing digests, not unencrypted strings
  3. Use a salt containing at least 8 random bytes, and attach these random bytes, undigested, to the result
  4. Iterate the hash function at least 1,000 times
  5. Prior to digesting, perform string-to-byte sequence translation using a fixed encoding, preferably UTF-8
  6. Finally, apply BASE64 encoding and store the digest as an US-ASCII character string

Assume a developer follows these rules strictly and correctly, what are the risks when a cyber attacker gets a copy of the password storage and user information? The password is still safe with cryptography sound hashing, right?

No. These six rules offer good protection if the following assumptions hold:

  • The password is complex enough
  • The password is stored totally independent of the user’s personal details, like Date-of-Birth, spouse’s name, address etc

A brute force attack is still a very efficient way to uncover passwords like “123456” or “imapassword”!! If the user creates a password using a Date-of-Birth or home street name, then a cyber attacker could generate a set of possible password combinations using the user’s personal information. A dictionary attack is still a high risk. Users who create a password using personal information are the low hanging fruit. “PaulLivein_Florance” is a complex password in mathematical sense but is not complicated at all when hacking is involved.

Let us assume you are tasked to decrypt a password using the above-mentioned six rules. What will you do? Here are some examples:

1. Find the shared parameter using a few simple passwords “123456” or “abcd1234”. The shared parameters will be the hash iteration count shown above in rule 4, minimum, maximum password length.

2. Optimise the decryption mechanism with knowledge from step 1 and harvest ALL simple passwords.

3. For the remaining passwords, create hash using combinations of personal information (i.e “DoB_name”, “NameInCity” etc). Then match them with the stolen password storage.

With these three simple steps, most likely there are enough user/password pairs that will keep a cyber attacker busy for a few weeks. The cyber attacker may also possibly start profiting from it! While the cyber attacker is busy shopping using stolen information, the decryption process does not stop. It will continue to yield golden eggs everyday.

Applying defense in depth, an additional layer of defence

When password storage is compromised, our only defence boils down to protecting the secret by making it computational expensive to transform and reveal passwords in plain text. This worked in the past without cloud computing and GPU arrays. The Bitcoin gold rush has already created cloud based infrastructure for GPU mining. Relying on a computational expensive hash process alone is not the best strategy.

My suggestions will involve changing rule 3 and rule 4.

The above 6 rules focus on hashing and making it computational intensive. But these 6 rules ignore that the good guys has an advantage over the cyber attacker and do not make effective use of it. Correct password attributes give us an advantage over the cyber attacker.

For rule 3, the simple and traditional way is adding the salt and password directly. But we do not need to store the random salt side by side with the password! We store the password hash and the salt totally separate from each other in a manner where there is no logical relationship between the password hash and the salt. The good guys will associate which salt is to be used with which password hash using user input, which could be the answer to a security question or the sum of ASCII code of a user’s password.

Let me provide an example:

When user enters his password “Pass123”, these characters are converted to a number using a formula like ASCII(P)x10+ASCII(a)x100+ASCII(s)x1000+ASCII(s)x10000 etc.. which results in “566175500”. Let us call this number the salt index. Then the system will use the salt at location 566175500 as an input for the hash function.

How the formula is designed is not important. Anyone one can create one, as long as it maps the user-entered password string to a large number with few collisions. However, collisions will happen when two passwords generate the same number. Which will also mean two passwords are using the same salt. Using the above example formula, “Pass123” and “Pkrs123” both give the same salt index “566175500”. So the same salt is used for generating the password hash “Pass123” and “Pkrs123”. Collisions happen since we are using password attributes (like length, its ASCII code etc.) to generate salt index. This collision gives us another advantage over one-to-one mapping.

As the cyber attacker does not know the correct password, even the attack needs to determine the formula to generate the salt index and then spend time to cracking the passwords. The password cracking output will give multiple passwords for one user. Among this multiple possible passwords, which one is used by the user? “Paul@2014” is more likely to be a password than “Pkvl@2014”, right? To distinguish the linguistic differences and make a right guess, will require human cognitive brain. A computer program will not be able to tell immediately, without help from some linguistic algorithm. This is the game changer I mentioned earlier in the article. Making it less feasible to automate a password cracking system.  An attacker trying to retrieve password from a stolen password storage will need to go through some manual steps that requires human interactions, it changes the game completely by making it resource intensive to scale up an attack. We choose the right battlefield to setup our defense.

Another advantage is of this approach is to prevent possible spillover when users reuse password in multiple websites/applications. When eBay has a data breaches and possible user password leakage, the real risk is on users reusing same eBay password in their email account or bank account. With this suggest method, the attacker will find a list of possible password instead of one. It is less likely for the attacker to gain immediately access to other websites/applications belonging to the same user.

I have to admit the headline statement is a bit exaggerating and it is not entirely hack proof, but engineering a mechanism to pinpoint a weakness of password cracking by adding manual interpretations certainly introduces some advantages.







TLS design weakness affecting client side authentications

A team of security research discover a weakness in TLS design, quote form their website

“A is malicious, it can choose a non-prime group such that the resulting PMS is fully under its control.
if a malicious server Amounts a UKS attack to obtain two sessions (one with C and the other with S) that share the same MS, ciphersuite, and SID, it can forward the abbreviated handshake unchanged from one connection to the other
The easiest mitigation is for web browsers to refuse a change of server identity during renegotiation
Major browsers fixed this. However, there are numerous non-browser TLS clients. It will take lots effort to patch them. This type of weakness is difficult to identify and fix, as the impact is not obvious or cannot be seen by the user.
With almost 20 years passed since TCP/IP invented, most of the low hanging security issues are identified and addressed. We are going to see more occurrence of this type of fundamental and subtle design weaknesses.
The battlefield for security professional is just added another 100 miles !

Microsoft tries to address PKI issues in IE11 (SmartScreen and SNDS)

Digital certificate is widely used and the Internet cannot work without it. However, PKI (the framework digital certificates based on) has lots of issues. Last year in ISO SC27 meeting at ENISA there was a special meeting on PKI. Many issues are only raised without a conclusion, same as most issues brought international meetings.

Microsoft with a 10% – 20% footprint (depends on which report ) of browser market is taking steps in managing this madness. In a recent blog post, “A novel method in IE11 for dealing with fraudulent digital certificates” explain their strategy. I think Microsoft action is very responsible and will help to mitigate issues with fraudulent digital certificates. Certificate and its associated private key is very sensitive and must be handled with security in mind. In my over 10 years audit experiences, I had seen many engineers or administrators treated private key same as a configuration file. In most enterprise, there is general lack of documented procedures or best practises to administrate digital certificate. Malicious attackers may abuse this weakness and create fraudulent certificates.

In IE11, Microsoft uses SmartScreen Filter to detect and report high risk uses of certificate. Three scenarios are explained in the blog post:

1. A website is using a certificate that is capable of being used as a subordinate CA. This would indicate the certificate has been issued wrongly

2. If a website suddenly presents a different certificate only to a certain region where a different CA issued the certificate. This might indicate a possible MITM attack in a specific country or region

3. There was a sudden and significant change in the fields a CA includes in certificates it issues. For example, omission or change in the OCSP responder location. This would indicate a CA was either compromised, or has not followed standard operating procedures.”

There is a practicality issues with item 2 above with a 24×7 website. Suppose Apple adm update the SSL certificate on midnight, APAC region users will be the first batch of users using this updated and also different certificate. Will IE11 warn user regarding this new SSL certificate although it is updated due to normal refresh? I hope Microsoft will add intelligent to their detection algorithm and take consideration of the effective date of old SSL cert.

Another important control Microsoft implemented is ” domain registrants could be notified by email when new certificates with their domain names appear in our database. The domain registrant would have the option to report suspicious certificates to us and notify the CA to revoke the suspicious certificate.” In short, Microsoft is sharing the uses of certificate of specific domain to who claimed to the domain owner. The domain owner will need to take action accordingly. This is a responsive strategy by increasing transparency. (There is a new trend in security industry on sharing info and responding timely, in additional to defence in depth principle. Will write on this trend later when I finish reading “Responsive Security” by Meng-Chow Kang)

It is a prefect design in theory. My first question is who read such warning email! Is the email recipient understand the risks when reported by SNDS? Time will tell.





Preparations for a blended IT environment

Although the author discussed preparations for hybrid cloud, his points apply to most IT organisation now : This growth in the use of cloud services requires IT managers to re-evaluate their role.

What role? Not only as a broker but builder. For most enterprise, IT manager will not build application from scratch. Cost and time constraint require them to source cloud application while managing outsourcing risk, data privacy and security issues.

What happens without a Christmas tree

Recently, I have been involved in cloud security discussions in different occasion. As Christmas is coming, I think it is worth to repeat a point I made in 2005 via mail list and still it is valid. It regarding BS7799 and its controls. 

“Without a Christmas tree, you can still have decorations but it would be a mess. With a Christmas tree, the decorations fit into a big picture and you can see where needs what.”