Ranum's Rants

Afterbytes with Marcus Ranum - Using A Dedicated PC For Online Banking

by Marcus J. Ranum
January 13, 2010

ABA Recommends Using Dedicated PC for Online Banking

Date: January 1 & 4, 2010

Synopsis: The American Bankers' Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions.

Sources: Online banking warning surprises some experts, Businesses warned about online banking

This particular bit of news seems to have gotten disproportionate attention. On one hand, people see it as "ABA tells home users to use a dedicated PC!" and on the other it's business as usual.

But, it's not business as usual - what ABA is doing is recommending a specific response to a deeper problem. The problem is not "online banking" or anything like it; what we're seeing here is an implicit statement that endpoint trust is finally beginning to matter, as cybercriminals are increasingly attacking the shoddy operating systems that everyone seems to use for general purposes.

Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication

by Paul Asadoorian
December 17, 2009

Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:

Gartner Report Says Two-Factor Authentication Isn't Enough
(December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.

References: 2-Factor Authentication Falling Short for Security, Gartner Says & Strong Authentication Not Strong Enough

I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers" but customers don't seem to understand (and/or aren't informed) of the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.

Marcus Ranum Presents "Internet Nails" at TED

by Paul Asadoorian
November 11, 2009

Marcus presents an awesome story about the Internet, software, and security. Watch as he goes into detail on how protocols work, problems with FTP, HTTP, and much more! The purpose was to show how small mistakes made in the design of software and the Internet have shaped the security industry. You can watch the full version of the talk below:

Logs of Our Fathers

by Marcus J. Ranum
September 22, 2009

At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it here, on the TED site. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his PowerPoint file, and subsequently tracked him down and am re-posting this material with his permission.

November, 1951

Machine Log #1

This Is Going To Get Interesting

by Marcus J. Ranum
July 27, 2009

In past columns here and elsewhere, I've been pretty derisive of the notions of "cyberterror" and "cyberwar." Most particularly, I think cyberwar is probably not a useful adjunct to the toolbox of statecraft. But, in discussions about cyberterror, I've always admitted that I'm puzzled by how little creativity has been shown in that arena. That may be about to change, and for the weirdest of reasons.

AfterBites: Wake Me Up When The "Cyberwar" Is Over...

by Marcus J. Ranum
July 10, 2009

The Story:

--US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)
A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week. Some reports have speculated that North Korea may be behind the attacks, which have been described as unsophisticated and "a nuisance." Brian Krebs of the Washington Post reports that the virus that is causing PCs to attack these sites will overwrite the files (including the operating system) of the infected computers.

Once again, we have a "cyberwar" that only registers as a blip on the radar screen for most of us. Other than that, it's an inconvenience for government or commercial sites that didn't think about capacity when they built out their internet connections. It's far from a disaster; in fact, it's hardly newsworthy. It's only remotely interesting because, once again, the cyberwar pundits attempted to link the attacks to state sponsorship. As with the attacks on Estonia in 2007 ("Russia accused of unleashing cyberwar against Estonia"), will it turn out to be a few civilians operating under their own initiative? Another way of phrasing that question is "is the North Korean intelligence service a bunch of wimps?"

AfterBites: More on Espionage

by Marcus J. Ranum
May 15, 2009

The Story:

--Pentagon Official Charged with Espionage Conspiracy
(May 13 & 14, 2009)
A Pentagon official has been charged with espionage conspiracy for allegedly leaking confidential documents to a Chinese government operative. James Wilbur Fondren Jr. has been on administrative leave from his job as Deputy Director, Washington Liaison Office, US Pacific Command (PACOM) since February 2008. Fondren was allegedly able to access the sensitive information through his security clearance. If he is convicted of the charges against him, he could face five years in prison and a fine of US $250,000.
[Editor's Note (Northcutt): Limiting access rights based on roles is essential.]

My comment on this (which didn't get posted along with Northcutt's) was: "

Is this where I get to say "I told you so"??

AfterBites: Expanding Consumer Protection Laws to Software

by Marcus J. Ranum
May 13, 2009

The Story:

EU Commissioners Call For Expanding Consumer Protection Laws to Software

(May 9, 2009) - European Union Commissioners Viviane Reding and Meglena Kuneva have proposed that the EU Sales and Guarantee Directive, which applies to physical products, be extended "to cover licensing agreements of products like software" as well. The directive requires that products carry a two-year guarantee. Kuneva said that the change would give customers a broader choice and software companies would be held to a higher standard of accountability. Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance disagreed, saying that it would in fact limit consumers' choices. He said that "creators of digital goods cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance," and that it could lead to decreased interoperability between products if manufacturers decide to limit how much of their code could be accessible to third-party developers.

Source: http://news.cnet.com/8301-1001_3-10237212-92.html

This has been tried before and - it should come as no surprise to anyone - the software industry has some mighty powerful lobbyists. Indeed, some of them speak out in this little tidbit. I think it would have been more honest if Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance had said "Good luck, bwaaaahaaahaaahaaaa!" instead of hewing the ridiculous party line that the software industry has been spouting for decades. I like intellectual honesty when I encounter it.

AfterBites: Joint Strike Fighter Plan Compromise

by Marcus J. Ranum
April 27, 2009

The story:

Spies Penetrate Pentagon's Joint Fighter-Jet Project (April 21, 2009)
Cyber spies have stolen tens of terabytes of design data on the US's most expensive weapons system -- the $300 billion Joint Strike Fighter project. Similar breaches have been found in the Air Force's Air Traffic Control System. The attacks began as far back as 2007 and continued into 2008. The spies encrypted the data that they stole, making it difficult for investigators to know exactly what data was taken. The fact that fighter data was lost to cyber spies was first disclosed by U.S. counterintelligence chief Joel Brenner. Brenner also expressed concern about spies taking control of air traffic control systems, saying there could come a time when "a fighter pilot can not trust his radar."

I've touched before on the topic of data leakage and national security; now it seems that the national security establishment is banging the same drum, albeit louder than I ever could. Such an embarrassing "slip" would normally be deeply buried - the fact that it's being outed by the "U.S. Counterintelligence Chief" ought to tell you something: this is part and parcel of the government's new "yellow terror" cybersecurity red scare. I don't know about you, but I'm on the fence about this - part of me wants to be happy that cybersecurity is being taken seriously, whereas the other part of me remembers the disastrous Department of Homeland Security and War On Terror. I detect a distressing pattern of our government saying "be afraid, be very afraid. And, oh, yeah, pull out your wallet."