Captain Kirk Fails at Computer Security!

I have been reviewing Star Trek The Original Series (TOS) and have been focusing on the computer security that existed (or did not exist) within the Enterprise.

I picked some episodes at random, and from just the 4 or 5 I reviewed this is what I found:

  1. Captain Kirk gave access to a human from the past based solely on the man’s claim that he “used to be an engineer.”  With that access, he was able to commandeer the ship and almost kill the bridge crew.
  2. Captain Kirk gave access (again!) to a crew member who was under the influence of alien powers, and this (again!) led to the ship being commandeered and nearly destroyed along with its crew.
  3. Captain Kirk gave medical personnel access to the transporter room, which led to one medical officer beaming himself down to a planet’s surface without authorization and changing the entire space-time continuum (he also stole a phaser on his way to the transporter).
  4. Captain Kirk, in another dimension, gave a crew member he was “friendly” with at the time access to a security application that could silently kill other crew members.  Don’t give friends more access than they are authorized to have!

These are just some of the issues in these episodes.  Sure, it makes good entertainment, but really, it is not something that we, as computer security professionals, would want to emulate.

What type of advice would we, as security evangelists, propose to correct these problems?

  1. Have a full-time cybersecurity team on the crew of the Enterprise that could run “pen tests” and security reviews with all crew members and the bridge crew, along with checking passwords and other access controls
  2. Ensure that weekly security reviews with the Captain are completed with a non-attribution focus so that the Captain is aware of problems and can help correct them
  3. Establish solid computer-use policies, reviewed with each crew member, that make clear what is authorized and what is not
  4. Establish key-card (or biometric) access control for sensitive areas such as the transporter room, limited to the crew members authorized to be there
  5. Crew-quarters computers lock immediately when the crew member leaves and, while in use, are shielded from the view of other crew members
  6. Ensure destruction-sequence codes are stronger than “A1-B2-C3”.  Even voice commands can be counterfeited.
  7. Phasers are not to be issued without authorization, and firing should be biometrically controlled

Just a few suggestions.

More on this in the next few articles.

Live Long and Prosper


Credit Card Chips Do Not Replace Common Sense

I heard for the 900th time today (that is hyperbole; actually I heard it for the 800th time today) about how the credit card chips are such an improvement over the previous credit card swiping procedure.

The bottom line is that credit card chips do not replace common sense when it comes to credit cards (or debit cards).  Here are some basic tips that will help keep your credit cards safe (please pay attention to the first one).

  1. Periodically check that you still have your credit card.  That means when you leave a restaurant, when you leave a gas station, when you leave anywhere you had to display or use the card and may (possibly) have left it behind.  It is better to check one more time than to get all the way home and realize it is gone.
  2. For those who carry a purse, ensure the zippers are zipped, the clasps are clasped and you hold the purse securely.  Be aware of where your purse (or wallet) is at all times.  Keep your wallet in your front pocket and your purse within sight.
  3. Check your credit card statement at least once weekly and mark any charge you do not immediately recognize.  If you do not check it, small charges can build up, and this is the basis of penny theft, which is common in the credit card theft business.  To avoid raising suspicion, thieves make small charges that do not stand out on their own and, before you know it, they are stealing you blind.
  4. Credit card chips are NOT biometrics, so you still need to protect your credit card and your account.  That means STRONG passwords on the online account to help protect that account.  Once that is gone, your card is as worthless as the plastic it is printed on.
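As an added illustration of tip 3 (example code written for this page, not something from the original post), here is a small Python review script run over a constructed statement.  It flags lines from merchants the cardholder does not recognize and then groups the small ones by merchant, which is the pattern penny theft leaves behind.  The merchant names, amounts and thresholds are all made up for the example.

```python
"""Flag statement lines worth a second look: charges from merchants the
cardholder does not recognize, and runs of small charges that add up."""
from collections import defaultdict
from datetime import date

# Constructed sample statement (not real data): (date, merchant, amount in dollars)
STATEMENT = [
    (date(2016, 3, 1), "CORNER GROCERY", 54.12),
    (date(2016, 3, 2), "GAS STOP 42", 38.90),
    (date(2016, 3, 3), "WEBSVC-RENEWAL", 1.99),
    (date(2016, 3, 5), "CORNER GROCERY", 61.40),
    (date(2016, 3, 6), "WEBSVC-RENEWAL", 2.49),
    (date(2016, 3, 9), "DINER ON MAIN", 23.75),
    (date(2016, 3, 10), "WEBSVC-RENEWAL", 1.49),
    (date(2016, 3, 14), "WEBSVC-RENEWAL", 2.99),
    (date(2016, 3, 15), "GAS STOP 42", 41.10),
]

# Merchants the cardholder recognizes (constructed for the example).
KNOWN_MERCHANTS = {"CORNER GROCERY", "GAS STOP 42", "DINER ON MAIN"}

SMALL_CHARGE_LIMIT = 5.00   # below this, a single line is easy to overlook
REPEAT_THRESHOLD = 3        # this many small charges from one unknown merchant is a pattern


def unfamiliar_charges(statement, known):
    """Return every line whose merchant the cardholder does not recognize."""
    return [tx for tx in statement if tx[1] not in known]


def penny_theft_candidates(statement, known, limit=SMALL_CHARGE_LIMIT, repeats=REPEAT_THRESHOLD):
    """Group small charges by unfamiliar merchant and report those that recur.

    Returns {merchant: (count, total)} for merchants with at least `repeats`
    small charges.  Individually each charge is below `limit`; together they
    are the 'stealing you blind' total the tip warns about.
    """
    small = defaultdict(list)
    for _, merchant, amount in unfamiliar_charges(statement, known):
        if amount < limit:
            small[merchant].append(amount)
    return {m: (len(a), round(sum(a), 2)) for m, a in small.items() if len(a) >= repeats}


def review(statement, known):
    """Print a human-readable weekly review of the statement."""
    for d, merchant, amount in unfamiliar_charges(statement, known):
        print(f"{d} {merchant:<16} {amount:>7.2f}  <- not recognized")
    for merchant, (count, total) in penny_theft_candidates(statement, known).items():
        print(f"{merchant}: {count} small charges totalling {total:.2f}")


if __name__ == "__main__":
    review(STATEMENT, KNOWN_MERCHANTS)
```

The point of the second pass is that none of the four WEBSVC-RENEWAL lines would trip a per-transaction rule on its own; only grouping them by merchant shows the pattern.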

Are these exhaustive hints?  Absolutely not!  They are just prompts so that people understand that chips don’t protect your card as well as YOU can protect it.  What the chips do is reduce counterfeiting of physical cards at chip-reading terminals; they do nothing for online (card-not-present) purchases, where only the printed number, expiration date and security code are used, and they are not an assurance that your card is protected.  My main goal in all cybersecurity is for people to understand that the USER is the center of cybersecurity assurance, not technology.  Technology does not mean you can be complacent or transfer responsibility or accountability.  It is up to you to maintain security on your personal accounts, and this includes credit cards.

Okay, so now people are saying that biometrics are coming to credit cards and that will solve the problem of credit card theft.  But it is already known that hand lotions will interfere with biometrics, so what happens if you apply your antibacterial lotion prior to using the biometrics?  Chances are you will not get that charge to go through.  Even the most secure technological innovation is sometimes defeated by the simplest method.  In the Vietnam War, one of our most advanced jets (supersonic, terrain-following radar, variable-geometry wings, etc.) was defeated by the enemy using cheap weather balloons and wires to bring those planes down.  The same is true of the technology of today.  In the Star Trek movie “The Search For Spock,” Mr. Scott said (after he had completely disabled another starship), “The more they overthink the plumbing, the easier it is to stop up the drain.”  Something to take note of for the future.

You Are the Weakest Link – Something You Are

I just received news that a company received the OK from the UK to handle verification for access to its government sites.  I read the article and am both impressed and relieved that there are entities out there that seem to be thinking outside the conventional security box to provide a more secure way to get into government sites.  The thing that scares me the most is that Estonia had a very large and expansive system for accessing government-associated information and services, and it was hacked, with the consequence that a large segment of the population could not conduct business until the recovery was complete.  I have not heard anything more about this (it happened years ago), so I am sure that the country has put in place a more secure method of access.  The elements that I just read about in the UK seem promising, but I still think that the most important weakness that exists is something that no technology can defeat: the innate laziness of the user.

I am lazy, I admit it.  I want to access information with the simplest method possible.  However, I also try to use the most secure method possible, which is sometimes counter-intuitive.  I am concerned that giving people the ability to develop their own security has more downsides than upsides.  For computer security people, we love to develop our own security since it gives us control.  Unfortunately, others who are not reading about computer security flaws, fixes, and failures do not stay awake at night wondering if their bank account will be there in the morning.

The first flaw I see is the self-assigned PIN that many security applications are using, especially if it is under 8-12 digits.  If I were a hacker, I would check FACEBOOK or another social site, find the birthday and try that first, then any phone number the user might have (especially if it is a seven- or ten-digit PIN), along with any other birthday I can find.  I would also see if I could access anything with a Social Security Number and try that, and then their street address if it had a number.  After that, if I do not get the “three strikes you’re out” lockout, I would close my browser and try again, especially if I know that no email will be sent to the real user saying someone is trying different PINs and “we suggest that you change yours.”   The reason I picked 8-12 digits is Shannon entropy, applied to making the PIN as difficult as possible to guess.  Claude Shannon understood the complexity of information security, and the theory is still used today in some US government circles.
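To put numbers on the guessing strategy above, here is an added Python example (not from the original article) that builds the guess list an attacker would assemble from a profile of birthdays, phone numbers and a street number, counts how many tries and how many three-strike lockout sessions it takes to reach a given PIN, and compares that with the Shannon entropy of a uniformly random PIN of the same length.  The profile data, the date formats tried and the three-attempt lockout are all constructed assumptions for the example.

```python
"""How far scraped personal data gets an attacker against a self-chosen numeric
PIN, and what Shannon entropy says about PIN length.  Example code only."""
import math

# Constructed profile of a hypothetical user: the kind of data found on a social site.
PROFILE = {
    "birthday": (1975, 3, 14),            # (year, month, day)
    "phones": ["5551234567"],             # invented number
    "street_number": "4210",
    "family_birthdays": [(2003, 11, 2)],  # e.g. a child's birthday
}

LOCKOUT = 3  # "three strikes" per session; the attacker reconnects and keeps going


def birthday_forms(y, m, d):
    """Common ways people turn a date into digits (MMDD, DDMM, MMDDYY, YYYYMMDD, ...)."""
    yy = f"{y % 100:02d}"
    return {
        f"{m:02d}{d:02d}", f"{d:02d}{m:02d}",
        f"{m:02d}{d:02d}{yy}", f"{d:02d}{m:02d}{yy}", f"{yy}{m:02d}{d:02d}",
        f"{m:02d}{d:02d}{y}", f"{d:02d}{m:02d}{y}", f"{y}{m:02d}{d:02d}", f"{y}",
    }


def candidate_pins(profile, length):
    """Ordered guess list for a PIN of `length` digits, built only from the profile."""
    guesses = []
    for bday in [profile["birthday"]] + profile["family_birthdays"]:
        guesses.extend(sorted(birthday_forms(*bday)))   # sorted() keeps the order deterministic
    for phone in profile["phones"]:
        guesses.append(phone)          # full ten digits
        guesses.append(phone[-7:])     # local number without area code
        guesses.append(phone[-4:])     # last four
    guesses.append(profile["street_number"])
    # Keep only guesses of the right length, in order, without duplicates.
    seen, out = set(), []
    for g in guesses:
        if len(g) == length and g not in seen:
            seen.add(g)
            out.append(g)
    return out


def attempts_to_break(pin, profile):
    """(guesses, lockout sessions) needed to reach `pin`, or None if it is not in the list."""
    guesses = candidate_pins(profile, len(pin))
    if pin in guesses:
        n = guesses.index(pin) + 1
        return n, math.ceil(n / LOCKOUT)
    return None


def pin_entropy_bits(length, alphabet=10):
    """Shannon entropy of a uniformly random PIN: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def profile_entropy_bits(profile, length):
    """Effective entropy when the PIN is known to be one of the profile-derived guesses."""
    return math.log2(len(candidate_pins(profile, length)))


if __name__ == "__main__":
    for pin in ("1975", "4210", "8306"):
        print(pin, "->", attempts_to_break(pin, PROFILE))
    print("random 4-digit PIN:", round(pin_entropy_bits(4), 1), "bits")
    print("random 12-digit PIN:", round(pin_entropy_bits(12), 1), "bits")
    print("profile-derived 4-digit PIN:", round(profile_entropy_bits(PROFILE, 4), 1), "bits")
```

A uniformly random 4-digit PIN carries about 13.3 bits; one chosen from the user's own dates and numbers collapses to about 3 bits here (eight candidates), reachable in three lockout sessions with no notification to the user.  The 12-digit case is just under 40 bits, which is the point of the 8-12 recommendation.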

The second flaw I see is the “verification” of the “verification.”  What happens if the person forgets their PIN?  I understand that “something you know” can be forgotten, but how do you then verify the person?  If there are security questions, the answers have to be stored somewhere in the system, taking up capacity and becoming one more thing an attacker can go after.

The final flaw I see is “something you have” and “something you are” not occupying separate space.  Some companies are using a downloaded token as the “something you have” and treating the home PC or laptop that holds the token as the “something you are.”  Unless those hardware devices are chained to you, they will be misplaced, and now the hacker has your device, guesses the PIN to be your birthday, and they are in!

This article is not meant to be negative at all, believe it or not.  I see great strides in the security of people’s information considering the many online services available today.  I also see young people who are trusting of others to the point where they share security information with their “best friends” (who could change every hour).  What type of recommendations would I make?  Probably those that are already in the works, including more biometrics that are not invasive but highly individual, such as EKG or EEG, which can be baselined and used as a “something you are.”  No one has to remember their EKG or EEG, and there are interfaces that can pattern-check against these indicators.  Another recommendation would be that the verification questions be drawn from a credit bureau’s own database, which could eliminate saving them on the access server.  I am very impressed with these credit check questions since they are something that I would remember, even if the data is 10 years old.

The bottom line in this article is that I applaud the efforts of public service security efforts.  After working for the Federal Government in a variety of capacities, I am very pleased that there are companies that are taking this security aspect very seriously.  Please keep up the good work!

PS  I kept the company’s name out of this article for anonymity purposes.  Hey, at least they are trying, folks!


Environmental Force Effect Analysis (EFEA), CyberSecurity, Project Management – Part 2

During Part 1 of this article we discussed EFEA from a theoretical point of view.  For this segment, we will do some application of that theory to drive home some factors about how environmental forces are present and how we can counter them.  Let’s start with a step-by-step sequence to apply this concept.

  1. List the factors that are present that could affect the project
  2. Quantify the factors through direction and speed
  3. Establish tactics to counter those factors

The first step is relatively straightforward and can be accomplished by a meeting with some brainstorming tools.  The main question to ask is: What will affect the project or goal?

From this question, you can list a variety of factors and then refine them, but you will be surprised at how extensive the list becomes, especially if you make the question above include any strategic considerations.  For instance, one person may say “stock market changes” and, although you may want to discard this one, it may actually be a big consideration demanding some research to ensure you consider the stock market factor completely.  An example of this was a map I saw at a conference that showed the US states, with the color of each state changing over the years from blue to red.  The presenter explained that the color indicated the state budget condition, blue being a good state budget and red meaning the state was in debt.  I noticed that one of the states remained blue while the others turned red.  Others noticed it too.  It turned out that this state had established rules for mortgages that no other state had in place.  When mortgages plummeted, this state remained solvent.  With some planning, they ensured that environmental factor did not affect them.  The same is true of stock market changes.

Once you have the different factors listed and refined, you must quantify them.  This is done by using a compass heading to denote the direction of each force.  The “course” of the individual or company is always 0 degrees (due north), and the direction of the force vector is given clockwise as 0, 45, 90, 135, 180, 225, 270, or 315 degrees (mostly for simplicity’s sake).  A force from 0 degrees is a “full headwind,” meaning it acts directly against your course and has the greatest effect on it, while a force from 180 degrees is a tailwind that helps your course.  Forces from 90 and 270 degrees are crosswinds (from the right or left respectively) that require a fairly drastic correction to your heading in order to hold your course.

At this point we have identified and refined the forces and assigned each a direction (again, a brainstorming session is fine for this step).  Now comes the challenging part: the amount of force, or the “speed of the wind,” either for or against you in the situation.  This can be accomplished by estimating the amount of revenue the force will cost you (worst case), measured per month, per year, or whatever other period you want to use.  Just ensure the unit is the same for every force and for your own speed, otherwise the result will be severely skewed.

Let’s take an example to illustrate this concept.  The numbers are fictional in order to make the example as straightforward as possible.

Company X makes wooden toys and brings in $100,000 a year in revenue.  One year the wood supply becomes critical and they lose the ability to make as many wooden toys, so they decide to expand into a synthetic material for the toys, which requires spending on machinery to manufacture that material.

The force against the company is coming from 45 degrees, since it is not quite a headwind (0 degrees) but it does exert a force that has a great effect on the company.  The hard part, as I said before, is the speed of the force against the company.  In this case, let’s assume that the lack of wood will cost the company 50% of its revenue for the next year.  If the revenue would otherwise stay consistent ($100,000), that means the lack of wood costs the company $50,000.

To summarize the numbers, they are as follows:

Direction of Vector:  45 degrees  (the same as saying “the wind is from 45 degrees – northeast”)

Speed of Vector:  50 (we will remove the three trailing zeroes to make 50)

Speed of Course (Called Airspeed):  100 (again removing the three trailing zeroes)

Direction of Course:  0 degrees (due north)

The formulas for this are the standard wind-triangle calculation (thanks to answers.com for the form below).  All angles are in degrees, the wind direction is the direction the force comes FROM, and in this model the desired course is always 0 degrees.

Wind Direction Adjustment (WindDir) = WindDirection + 180°   (converts the “from” direction into the direction the wind blows toward)

Wind To Track Angle (WTAngle) = DesiredCourse – WindDir

Wind Correction Angle:
  SinWCA = WindSpeed × sin(WTAngle) / Airspeed
  WCA = arcsin(SinWCA)

Heading = DesiredCourse + WCA

Groundspeed = Airspeed × cos(WCA) + WindSpeed × cos(WTAngle)

Or, more simply, you can use the following website to make your calculations – http://www.csgnetwork.com/e6bcalc.html

When I plugged in the Wind Direction (45), the Wind Speed (50), the Airspeed (100), and the Course (0) into the section that had text boxes for these figures I came up with the following:

Heading (change in company course into the wind): 21 degrees

Ground Speed (revenue as a result of the force): 58

This would mean that you would have to turn into the wind 21 degrees, which lowers your speed from 100 to 58, roughly a 40% drop from the original speed.  What this means for the company is that the force will cost it about 40% of its revenue.  However, this also means that, if the company expands its products to other materials besides wood, it could counter this force and actually move it into a tailwind, which would increase revenue.  A company actually did this and grew while other companies were downsizing.

This model is not actual science, but it does give the company a quantification of forces that would otherwise be recognized but not realized.  I am refining this method to make it more adaptable to other industries, but as an example from the cybersecurity industry you could treat malware as a force against the company, with the “speed” being the loss of reputation (which leads to a loss of revenue), and show that loss with a force direction and speed.  There is nothing like showing how a headwind forces a change of course, much as it does for an airplane.
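The wind-triangle formulas above, as an added Python example for this page (not the author’s own tooling), applied to the toy company’s numbers and to a hypothetical malware force of the kind just described.  The 90-degree direction and speed of 30 for the malware case are invented inputs; the function also rejects a force too strong for any heading to hold the course, which the online calculator does not flag.

```python
"""Wind-triangle (E6B) arithmetic used by the EFEA model: a "force" with a
direction and a speed acting on a company whose course is due north."""
import math


def wind_correction(wind_from_deg, wind_speed, airspeed, course_deg=0.0):
    """Return (heading_deg, groundspeed) from the E6B formulas in the article.

    wind_from_deg: compass direction the force comes FROM (the article's force direction)
    wind_speed:    magnitude of the force, in the same units as airspeed
    airspeed:      the company's unforced speed (revenue, with the zeroes dropped)
    course_deg:    desired course; the model fixes this at 0 (due north)
    Heading is returned relative to north in degrees, positive = turn clockwise.
    """
    wind_to = (wind_from_deg + 180.0) % 360.0            # WindDir: direction the wind blows toward
    wt_angle = math.radians(course_deg - wind_to)        # WTAngle
    sin_wca = wind_speed * math.sin(wt_angle) / airspeed
    if abs(sin_wca) > 1.0:
        # The crosswind component exceeds the airspeed: no heading can hold the course.
        raise ValueError("force too strong to hold course")
    wca = math.asin(sin_wca)                             # wind correction angle
    heading = course_deg + math.degrees(wca)
    groundspeed = airspeed * math.cos(wca) + wind_speed * math.cos(wt_angle)
    return heading, groundspeed


def force_summary(name, direction_deg, speed, airspeed):
    """Round the results the way the article reports them and add the revenue loss in percent."""
    heading, gs = wind_correction(direction_deg, speed, airspeed)
    loss_pct = 100.0 * (airspeed - gs) / airspeed
    return {
        "force": name,
        "heading": round(heading),        # degrees the company must turn into the force
        "groundspeed": round(gs),         # revenue that actually results
        "loss_pct": round(loss_pct, 1),   # percent of unforced revenue lost to the force
    }


if __name__ == "__main__":
    # The article's example: wood shortage from 45 degrees at speed 50, airspeed 100.
    print(force_summary("wood shortage", 45, 50, 100))
    # Hypothetical cyber force: a malware incident as a pure crosswind (90 degrees) at speed 30.
    print(force_summary("malware incident (hypothetical)", 90, 30, 100))
    # A tailwind from 180 degrees adds to groundspeed instead of subtracting.
    print(force_summary("favourable market (hypothetical)", 180, 50, 100))
```

For the article’s inputs this reproduces heading 21 and groundspeed 58.  The crosswind case is the instructive one: a force of 30 straight from the side costs only about 5% of groundspeed but demands a 17-degree change of heading, which is the “drastic course adjustment” the earlier section describes.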

I share this because my company philosophy is Learn, Offer, Value, and Educate (LOVE) (please see my website http://www.grectech.com).  I am hoping that this theory energizes someone’s thought processes to refine and use this model.  I am using something like this in a paper on MegaProjects for the Project Management Journal, which I will complete in a few weeks.  If there are any comments, please let me know.