Friday, December 4, 2009

Computer Weakness

Another issue that warrants some discussion is computer weakness, which is so similar to vulnerability that the two often get confused. A vulnerability always has a resolution, whereas a weakness might never have one. Sometime I may catalog a collection of weaknesses, or even build a weakness taxonomy, but for now I'd like to demonstrate examples of weakness that I've uncovered in order to add clarification.

As the saying goes, a "chain is only as strong as its weakest link": many very strong elements in computer security may be easily bypassed by foolish decision making. Many other elements may degrade over time, simply because the technology used to defeat them improves. Common examples of security-critical elements that suffer from weakness are:

• Security through Obscurity

• Encryption

• Password Security

• Secure Hashes

• Aged Software (in general)

• Aged Hardware (in general)

• People

Each of these elements will slowly degrade over time, although they can be upgraded to correct the problem. To give an analogy: computers aren't like fine wines, they don't get better with age -- they are vinegar before you know it.

Security through Obscurity

As time elapses, the age-old concept of "security through obscurity", or to paraphrase, keeping how the security of the host works a secret, always degrades. Simply put, as people research the situation, eventually they can learn how it operates, making it less obscure. Tested and failed on a day to day basis, security through obscurity is merely an added deterrent to security measures, and should NEVER be relied upon. However, adding this to a system should be considered added security with a weakness, instead of simply added security.

Encryption

Being able to encrypt information has been proven time and time again to be one of the best methods of improving computer security, so the fact that all encryption falls under weakness probably seems like a paradox. However, encryption is merely an added security feature with multiple weaknesses that can be addressed. Yes, it is better to have encryption than to be without it, but ignoring the weaknesses will court disaster. All encryption techniques are subject to three possible flaws:

• Cryptographic Short Cuts

• Speed of Computer

• Lack of a Sufficiently Random Key

These flaws keep all encryption from becoming an absolute, although the degree of weakness can be lessened.

Cryptographic Short Cuts

Many types of encryption can be weakened by optimizations and short cuts to the operation that yield faster speed. Cryptography is a different form of computing, one that works against the grain of what a typical computer programmer is taught: slower is better. Because fewer possibilities can be attempted in a given duration of time, a slower cryptographic process will yield fewer attempts at breaking it than a method that is considerably faster. More attempts to break in equate to a better chance of guessing the key.

Some methods of cryptography have been bypassed ENTIRELY, allowing a straight conversion. In these cases, classified as vulnerabilities of the Read Restricted severity, the encrypted information can easily be converted to plaintext as if there were no encryption.

Speed of Computer

Cryptography is typically made for the time in which it was created. If the encryption takes too long to compute, it won't work with most applications. As one of the "original" benchmarks, DES (Digital Encryption Standard) was expected to perform a single "hash" taking a single full second to validate a user's password on a PDP-11 computer in the late 1970s. The PDP-11 was considered one of the fastest computers of its time. Nowadays, a reasonably priced personal computer can perform 15,000 of these comparisons in the same second.
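The "slower is better" argument and the aging effect described in the two sections above can be measured directly. The following is an added example, not code from the original post: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the DES-based password hash, takes the two guess rates from the text, and assumes a constructed password shape of eight lowercase letters.

```python
import hashlib
import os
import time

PDP11_RATE = 1          # guesses per second, the text's late-1970s figure
PC_RATE = 15_000        # guesses per second, the text's personal-computer figure

def seconds_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this shape at `rate` guesses/s."""
    return alphabet ** length / rate

def slow_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the iteration count is the deliberate slowness."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def measure_rate(iterations: int, budget: float = 0.1) -> float:
    """Guesses per second this machine achieves at a given iteration count."""
    salt = os.urandom(16)
    done = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget:
        slow_hash(b"guess-%d" % done, salt, iterations)
        done += 1
    return done / (time.perf_counter() - start)

def calibrate(target_seconds: float = 0.05, iterations: int = 1000) -> int:
    """Double the iteration count until one hash costs target_seconds here.
    Re-run on new hardware: the answer grows as machines get faster."""
    while True:
        start = time.perf_counter()
        slow_hash(b"calibration", b"\x00" * 16, iterations)
        if time.perf_counter() - start >= target_seconds:
            return iterations
        iterations *= 2

if __name__ == "__main__":
    space = (26, 8)  # constructed case: 8 lowercase letters
    for label, rate in (("PDP-11", PDP11_RATE), ("PC", PC_RATE)):
        days = seconds_to_exhaust(*space, rate) / 86400
        print(f"{label:7s} {days:12.0f} days to try every password")
    print("fast hash :", round(measure_rate(1)), "guesses/s")
    print("slow hash :", round(measure_rate(calibrate())), "guesses/s")
```

A work factor chosen once and never recalibrated is exactly the aging weakness this section describes, so the iteration count belongs in configuration that is revisited as hardware changes.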

Lack of a Sufficiently Random Key

Although the variety of life and vastness of the universe seem to imply extreme chaos, when it comes to seeking out chaos that can be relied upon, cryptographers have come up short. Whether because users have picked bad passwords, or simply because it's easy to trace the steps by which a random number was reached, if a key is easily guessed, the entire encryption fails.
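The point about tracing the steps by which a random number was reached can be shown with a key drawn from a clock-seeded general-purpose generator. This is an added example, not code from the original post; the function names and the timestamp are constructed for illustration, and the flawed generator is placed beside the operating system's CSPRNG.

```python
import math
import random
import secrets

KEY_BYTES = 16  # a 128-bit key

def weak_key(unix_time: int) -> bytes:
    """Flawed: a general-purpose PRNG seeded with the clock (constructed example)."""
    rng = random.Random(unix_time)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")

def strong_key() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)

def effective_bits(candidate_seeds: int) -> float:
    """Real strength of a key when only `candidate_seeds` seeds are possible."""
    return math.log2(candidate_seeds)

def retrace(key: bytes, earliest: int, latest: int):
    """Replay every seed in the window; return the one that reproduces the key."""
    for seed in range(earliest, latest + 1):
        if weak_key(seed) == key:
            return seed
    return None

if __name__ == "__main__":
    created = 1_259_884_800  # constructed timestamp
    key = weak_key(created + 1234)
    # Knowing only the hour in which the key was made is enough to rebuild it.
    print("seed found   :", retrace(key, created, created + 3599))
    print("nominal bits :", KEY_BYTES * 8)
    print("actual bits  :", round(effective_bits(3600), 1))
    # The CSPRNG key has no seed to retrace.
    print("CSPRNG match :", retrace(strong_key(), created, created + 3599))
```

The nominal key length says nothing here: the key is only as strong as the number of seeds that could have produced it.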

Password Security

As discussed in "Lack of a Sufficiently Random Key" above, password security is one of the biggest choke points in security. Virtually every form of security tends to rely on a password of some form.

There are significant numbers of password articles published in magazines, trade journals, and book publications that explain the problem of poorly picked passwords. From personal experience, no site I have examined has had less than 35% breakable passwords, and some have had up to 88% breakable passwords. At this point, even if the encryption method were perfectly solid, there would be a 35% chance it could be broken anyway.

Secure Hashes

A secure hash is a value that is returned after feeding the algorithm a series of information. This isn't (or shouldn't be) reversible. The idea is that each value should be close to unique, but doesn't have to be. An application for this would be to make a "fingerprint" of a file, for example. Many passwords are also stored in the form of a hash, in order to obscure the actual password.

The weakness of secure hashes is that they too suffer from aging issues and possible short cuts. A hash that may have been hard to break with the CPU power of the day may be insufficient after ten years.

Aged Software and Hardware

Computer software and hardware over time become very well studied and have had time to have problems discovered which may be detrimental to security. Although it doesn't guarantee a break-in, older computer components have a tendency to become susceptible to modern vulnerabilities. This problem can be combated by upgrading components but is a flaw inherent in any unit.

My experience with operating systems has shown that each develops its first publicly known vulnerability within a month of being released to the public. The operating systems that have the closest scrutiny (Windows NT, Solaris, HP-UX, Irix, and Linux) have generated between 15 and 50 vulnerabilities per year for each of them between 1995 and 1998!

People

Computer security can't live with them, and can't live without them. Simply put, it is best to have a security policy in place at a company and make sure that employees abide by it. There are so many things that can go wrong in this area alone:

• Having more people on any given host will definitely weaken its security in general

• People demand convenience, which often conflicts with security interests

• People can be coaxed out of important information by Social Engineering

• Failure to properly protect their passwords

• Failure to properly protect access to their computer console

• Sabotage

• Corruption

It is the duty of the person administrating computer security to protect against these problems; they are the ones educated enough to understand what may happen. Yes, I have seen people put posted guards at computers with firearms. People have actually put guards on automated telephone equipment to prevent abuse. No, I couldn't figure out exactly how they were protecting it. Likewise, I don't think they knew what they were protecting it from.
