Security Blog

The company that I founded many years ago in California became famous for creating data security tools. Later on, I helped to create one of the most widely distributed biometric security standards in the world, and since then I have continued to work in the field of information security. In these posts I will focus on the theme of "security," not only in the limited sense of contemporary IT security, but as part of a broader concept of risk management that is visible throughout history and across the natural world.

Weak signals or willful failure to perceive them?

The following is a speech I gave at this year's World Economic Forum in Davos, Switzerland. The theme for this year's Davos was “Resilient Dynamism,” and I thought it worked well with the topic “Weak Signals” that I was about to discuss.

Actually, in a perfect world, the following is the speech I was supposed to give; however, I wasn’t allowed to use notes or a teleprompter, so the actual presentation turned out to be what I remembered of the text below:

Reducing loss from natural disasters – Weak signals or willful failure to perceive them?

I’d like to challenge the proposition that the notion of “weak signals” assumes that the signal which predicts an event is “weak.” Recent experience has shown me that the real weakness is our willful collective failure to perceive signals that become blindingly obvious in hindsight, a.k.a. “The Neon Swan.”

Recently, I’ve spent a lot of time reflecting on the causes of Japan’s nuclear power plant accident. In fact, I was closely involved in the accident investigation commissioned by Japan’s national legislature. The Fukushima accident is profoundly disturbing… not simply because 250,000 residents will not be able to return for decades to an area the size of Luxembourg. It’s disturbing because it forces us to ask…

… If the Japanese, with their legendary engineering prowess and their diligent adherence to process, can’t be relied on to run a nuclear power plant… then who can?

The plant’s operator tried to maintain that the “signals were weak” – that the tsunami exceeded all their models. But there are written records of massive tsunami on that coast as far back as Europe’s Dark Ages. So how could some of the world’s brightest engineers imagine it was OK to put back-up generators in a floodable basement?

Why did no one speak up?

In certain respects, Japanese culture was the culprit. As mentioned in the final report: “our reflexive obedience; our reluctance to question authority; our devotion to ‘sticking with the program’; our groupism; and our insularity.”

I’m actually doing research into “groupthink” and I don’t think Japan can claim copyright on all those traits. Japanese may take them to the limit, but they are universal.

After almost every disaster, no matter where, newspaper readers with the benefit of hindsight shake their heads and ask, “Anyone could’ve spotted that; how could they have been so stupid?”

I think the answer lies in the word anyone.

As individuals, we have highly evolved (and continue to learn) senses that allow us to perceive danger: for example, the pain your finger instantly reports to your brain when you stick it in a flame. Or the gag reflex that alerts you when you swallow sour milk.

Unfortunately, in groups and groupthink, we tend to lose this ability to perceive vital signals. And I think it’s fair to say, the larger the group becomes, the more perception we lose.

There are several key mechanisms to this.

One is the tendency of groups to seek homogeneity as they expand. It’s why companies usually want to hire like-minded people… people who will fit in… people who share the same perspective.

In effect, what you have is a willful effort to filter out divergent views and perspectives. So you end up with 20,000 people who can’t even spot obvious signals because they share a single set of eyes and ears.

Another mechanism has to do with hierarchy. In your body, even your little toe has the freedom to send your brain a signal it can’t ignore. And it doesn’t care if you are busy giving a speech to the World Economic Forum. If it itches, it’s going to let you know.

By contrast, rightly fearing immediate amputation… the little toe in a giant corporation would never dream of disturbing the CEO while he’s at a podium in Davos.

Similarly you get the lookout on an ocean liner who’s afraid to disturb the captain’s dinner by reporting an iceberg off the bow; or Challenger, Lehman or Sandy; and finally, you get employees at a nuclear power plant who assume it must be OK to have back-up generators in the basement.

That’s why… I feel that the… inability to perceive weak signals is about the willful failure of human groups to strive for the evolutionary sophistication of the human body.

In groups, we actively work to eliminate the diversity needed to broaden our perspective. And we deliberately inhibit the free flow of information from the extremities to the brain.

To better perceive signals – weak or otherwise – we need to embrace diversity: diverse perspectives and diverse identities, in terms of gender, ethnicity, age, and education. And we need to evolve better protocols to transmit information throughout our organizations, a resilient dynamism, especially in an increasingly complex and interconnected, multi-stakeholder world.


March 6th, 2013 10:01 PM


In 1993, there was a famous New Yorker cartoon that showed a dog telling another, “On the Internet, nobody knows you’re a dog.” While the artist Peter Steiner didn’t give the quote much thought when he wrote it, he unwittingly focused on the key strength and weakness of the Internet. Privacy and anonymity may allow for social and business well-being, yet authentication is essential in a digital world.

Authentication is about the continuity of relationships. It helps us to determine whom to trust and whom not to trust. In fact, in our everyday lives, people authenticate dozens of times a day in the same way animals, plants and even viruses (a virus has a specially shaped “key” that will fit only into a particular “lock,” the receptor) have been doing it for millions of years, using sight, smell, sound and touch. By the time we wake up in the morning and are on our way to work, we have probably “authenticated” several times: smelling the carton of milk before we drink it (authenticating that it’s still milk and not soured milk), getting a phone call from your sister (authenticating her voice to confirm it is her and not your mother-in-law), and opening the door to receive a UPS delivery (authenticating that it’s really the UPS driver and not a salesperson).

Unfortunately, replicating these everyday actions in the digital world in a way that is equally transparent and automatic is incredibly hard. In today’s world, there are four major authentication types:

Characteristics            Credentials            Significance
Something you know         Password, PIN          Shared, compromised or forgotten
Something you have         Key, ID card, Token    Lost or forgotten
Somewhere you are          GPS, Phone             Confirms credentials by location
Something you are or do    Biometrics             Unique identifier but not secret

Unfortunately, the method we are most familiar with is based on something we know. In this case, we often use passwords and PINs to meet many of our daily authentication needs. To make things worse, many systems rely on user-generated and user-remembered secrets, which inevitably leads to people using the same passwords/PINs for multiple sites, since human memory thrives on redundancy. Why don’t passwords work so well? Humans cannot remember good secrets: short-term memory capacity is around 7 ± 2 letters, and with today’s computing technology a secret of that size can be broken in a few seconds.

To briefly outline some of the problems with passwords, I’ve summarized 11 of the most common issues with this method:

  1. Forgetfulness from time, length or quantity
  2. Access to user passwords by system administrators
  3. Risk of undetected theft
  4. Risk of observation
  5. Risk of undetected duplication/sharing
  6. Risk of weakest link (depends on neighbor)
  7. Risk of guessing
  8. Risk of dictionary/brute force attack
  9. Risk of password replay
  10. Risk of server spoofing
  11. Risk of reuse

So what are our alternatives? Or more importantly, what should we be looking for when we want to have better security? First of all, to be used for authentication, the credential should be unique and personal, and neither forgeable nor copiable. It can still be stolen (the system shouldn’t fail just because something is stolen, because invariably it will be), but most importantly, the owner should know when it is stolen, preferably as soon as possible. Finally, there must be a way to invalidate or revoke the old one.

Some alternative authentication methods available today include:
  • Biometrics – both physiological (e.g., fingerprint) and behavioral (e.g., signature) based
  • Cards – including contactless and smart cards
  • Tokens – including one-time pads
  • PKI – including digital certificates in combination with smart cards above
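To make three of the password problems listed above concrete (guessing, dictionary/brute-force attack, and reuse), here is an added audit script that is not part of the original post. It runs over a constructed credential list and a tiny constructed word list; the 1e9 guesses-per-second rate and the one-day threshold are assumptions for illustration only.

```python
"""Audit stored credentials for guessable, dictionary-based and reused passwords.
Added example; the credentials and the word list below are constructed, not real."""
import math
import string

# Constructed sample of (user, site, password). These are not real accounts.
CREDENTIALS = [
    ("alice", "bank.example", "Summer2010"),
    ("alice", "mail.example", "Summer2010"),    # same secret reused across sites
    ("alice", "shop.example", "qwerty"),
    ("bob",   "bank.example", "password1"),
    ("bob",   "mail.example", "x7!Qv#9kLp2$"),
]

# Tiny constructed dictionary of choices an attacker tries before brute force.
COMMON = {"password", "password1", "qwerty", "123456", "letmein", "summer"}


def charset_size(pw):
    """Size of the smallest character class set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return max(size, 1)  # guard against log2(0) for unrecognised characters


def keyspace_bits(pw):
    """Upper bound on brute-force effort: log2(charset ** length)."""
    return len(pw) * math.log2(charset_size(pw))


def seconds_to_exhaust(pw, guesses_per_second=1e9):
    """Worst-case time to try every candidate at the assumed guessing rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


def is_dictionary_word(pw):
    """Match the word itself or the word with trailing digits stripped ('Summer2010')."""
    lowered = pw.lower()
    return lowered in COMMON or lowered.rstrip(string.digits) in COMMON


def audit(creds, guesses_per_second=1e9, max_seconds=86400):
    """Return (user, problem, where) findings for reuse, dictionary and brute force."""
    findings = []
    # Reuse (#11): the same secret for one user across more than one site.
    by_secret = {}
    for user, site, pw in creds:
        by_secret.setdefault((user, pw), []).append(site)
    for (user, _pw), sites in by_secret.items():
        if len(sites) > 1:
            findings.append((user, "reuse", sorted(sites)))
    for user, site, pw in creds:
        # Dictionary / guessing (#7, #8): common words fall to a short word list.
        if is_dictionary_word(pw):
            findings.append((user, "dictionary", site))
        # Brute force (#8): keyspace exhaustible within the assumed time budget.
        if seconds_to_exhaust(pw, guesses_per_second) < max_seconds:
            findings.append((user, "brute-force", site))
    return findings


if __name__ == "__main__":
    for finding in audit(CREDENTIALS):
        print(finding)
```

A seven-letter lowercase password, the upper end of the 7 ± 2 range quoted above, exhausts in about eight seconds at the assumed rate, which is the point the post makes about human memory capacity.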

For designers of products, whether they are websites, software applications or even consumer electronics, the authentication needs in the digital world also have certain unique requirements not found in their analogue counterparts. These include:

  • Strength – An authentication scheme that is weak will serve little purpose. Mother’s maiden names and birthdays are examples which are increasingly risky in the age of Google.
  • Usability – People should be able to use it, and not write it down like passwords.
  • Manageability – Some authentication methods may involve more work to support, set up and provide training for. Revocation is also becoming an issue. While it’s easier to change a digital key than a stolen master key, managing the whole assortment of issued keys may become confusing.
  • Scalability – A large system should scale well. It’s one thing to control access to a server, but completely different where a server serves millions of people who have different access requirements.
  • Capabilities – In a distributed environment, authentication schemes need to support delegation and impersonation. In corporate environments, this is especially true when you have secretaries, assistants and team members.

Your comments are always welcome.

June 11th, 2010 09:49 AM

Information security threats

This page includes various examples of PC-based and not-so-obvious non-PC-based attacks that have actually happened recently around the world. Computers now pervade every facet of our lives. Sometimes people forget that many daily appliances (e.g., refrigerators) and consumer electronics (e.g., TVs) now contain very sophisticated computers that can be compromised.

Please revisit this page from time-to-time as I will continue to update it with other interesting examples.

First of all, security threats can be broken down into three general categories, and products designed to be “secure” need to be able to address and cope with each of these situations.

  • Physical threats – natural disasters, such as “acts of god,” including flood, fire, earthquakes, etc.
  • Logical threats – bugs in hardware, MTBF (mean time between failures) and power failures
  • Human threats – non-malicious and malicious threats, such as disgruntled employees and hackers

The following examples touch upon just the sub-category of malicious human threats.

PC based security issues – These are problems that affect working with a personal computer. Unlike traditional virus and malware attacks, here are some different attack vectors and methods:

  • Personal computer based
    • Ship with virus pre-installed via third-party software
      • Many consumers end up downloading “antivirus” software that are actually viruses themselves
    • Hard disk, USB and SD flash memory come pre-infected with viruses, Trojan horses and botnet software
    • Built-in cameras and microphones (especially laptops) can be turned on remotely and monitored
    • Digital photo frames, music players and other PC connectable peripherals can be pre-infected
    • Common attachments, such as PDFs, Word files, PowerPoint and Flash, can be exploited to attack a computer
  • USB flash memory
    • Supposedly “secure USB memory,” which is actually not secure because it uses a master unlock code that can be discovered
    • USB flash memory (and CD-ROMs – especially the kind that they give away at tradeshows) can have secret partitions with Trojan horse software installed
    • USB devices that look like ordinary memory devices which can automatically find, capture and copy all the stored passwords (i.e., login, web, VPN, etc.), web surfing history and other data from a target PC in a few seconds just by inserting it into the USB port
  • Other PC based peripherals
    • Small USB devices, called keyloggers, that can automatically and discreetly capture keyboard input (including passwords); keyloggers can also be software based
    • Capturing transmitted keystrokes from a wireless keyboard from several meters away
    • USB based battery charger where the USB monitoring software application contains a virus
    • Web/internet camera with backdoor to allow remote viewing and access by unauthorized people from anywhere on the internet
      • Links to such cameras are easy to find with Google
      • These cameras typically run small web servers, which are also prone to attacks
    • Unencrypted backup tapes that include the most sensitive data (which is why they are backed up) and stolen by “cleaning crews”
    • Network interface cards (NICs) have complex firmware that can be hacked or modified to reroute network traffic or even read or write main computer memory without the user’s knowledge
  • Open source software vulnerabilities
    • Android/Linux OS with backdoors written into the source code and compiled/used inadvertently in various consumer products
      • Software that runs servers, phones, routers, security appliances and access points could be affected
  • Cloud computing and storage
    • Computing and storage of sensitive data on numerous remote computers creates additional security risks
    • Ironically, today’s botnets are creating huge cloud computing platforms to carry out attacks from everyone’s PC and using the storage to hide illicit information

Non-PC based security issues – These are problems that are not necessarily personal computer-centric yet could potentially affect anyone and everyone:

  • Copy machines
    • Stealing internal hard disks that contain days of copied and scanned information
    • Trojan horse in the printer device driver
    • Implant program to bypass firewalls on the copier operating system
    • Installing watermarks so that printouts can be tracked
  • Cellular phones
    • Remotely activating microphones on cell phones even when the power is off
    • Ability to eavesdrop on calls made via a rogue femtocell station
  • VoIP based phones
    • The ability to record conversations between VoIP connections
  • Electric smart meters that record electricity consumption in real time can be remotely hacked to turn off power to a home, inflate usage or even detect when someone is not home

Other security examples – The following are just some examples of daily activities that affect (or are affected by) information security:

  • Smokers – People who go on smoking breaks outside statistically increase the number of attackers entering from the outside
  • Non-English based DNS names – For example, Cyrillic DNS names that look like common US based websites but go to completely different addresses
  • Common PIN numbers – A case where the PIN numbers for a locker system at a golf clubhouse were hacked and all the wallets had their cash withdrawn using the same PIN used to lock the locker
  • ATM card skimmers – Sophisticated card skimming hardware that is placed right on top of a card slot on a bank ATM machine, store credit card terminal or gas station pump. These devices not only capture the magnetic stripe on the back of your card, but also record your PIN number. That is why most ATM cash withdrawal thefts occur 5 minutes before and after midnight: to take advantage of two days of withdrawal limits.
  • GPS jammers – Car thieves use devices that emit at the same frequency as a GPS receiver, thus confusing the auto theft tracking system built into newer cars
  • Identity theft – Automobile and home titles are transferred by someone pretending to be the owner and quickly sold for cash
  • Denial of service (DoS) – Prior to 2003, most were always non-financial crimes. Today, most attacks are extortion attempts with regard to keeping sites up at critical times (e.g., illegal betting sites right before the Super Bowl)
  • Wireless access points – Thieves intercepting store transactions where networked cash registers and card terminals transmit customer credit card information over insecure wireless transmissions
  • Hotels – Most hotels use a shared network media where passwords, e-mail (SMTP, POP, IMAP) messages and other data can be captured in the room next door. This includes wireless connections from laptops in the conference room.
  • Deleting data – Most people know that when you delete data from your computer desktop, all you are really doing is deleting the index to that data. The data is still usually recoverable with simple tools; however, truly erasing data on today’s storage media is becoming increasingly difficult. Hard disks that hold hundreds of gigabytes take hours to fully overwrite, and flash memory uses a technique called “write wear leveling” that “hides” data from the system to even out wear and tear. To really delete data on modern storage media, you need to physically destroy them (not an endorsement). Here is a helpful resource if you are really paranoid:
  • High-end 3D graphics cards – The parallel processors found in high-end 3D graphics cards, typically used for games and CAD, are very well suited to brute-force security problems. The parallel computing architecture found on these boards is perfect for this type of “problem solving.”

Types of security threats – Today, security threats come in many forms. The following are three types of methods used by criminals to gain access:

  • Software: Some of the examples listed above are malicious software applications installed or embedded in software, or a product running software. These threats can still be found through their use of space (both physical and memory) and subsequently removed.
  • Hackers/Network Attacks: These are examples where an external threat gains access over the network. These threats usually require some sort of communication channel in order to communicate with the hacker and a remote target; therefore, the communication medium can be interrupted, protected or disconnected.
  • Hardware: These are examples where the actual backdoor, or vulnerability, is designed or built into the chip during the design and/or manufacturing of the semiconductor itself. These threats are extremely hard to detect, given that they can completely control the environment and hide their logic of a few thousand transistors amongst other logic gates numbering in the tens of millions.

Your comments are always welcome.

April 4th, 2010 07:19 AM

Security Blog

Due to popular demand, I have broken out the security portion of my blog and created a separate dedicated site: http://security./.

I hope to create a repository of information security tidbits so that people can have a better understanding of how difficult “real security” is. This blog/repository will be a place where I add things from my experience in information security and hope, over time, it will become a reference for those who don’t want to repeat common mistakes.

Obviously, I welcome all comments and would like to improve the content through interactive dialog.

March 31st, 2010 05:11 PM
Author whsaito
Comments 4 Comments

Hacker sentenced to 20-years

It used to be that when a hacker stole money from a bank via the internet and got caught, the sentence was a lot less than for a robber going into a physical bank and holding it up. The sentencing of computer hackers has finally caught up with the modern era.

As I have mentioned in a recent blog, online thefts have doubled in the last year to over half a billion dollars. During the same period, bank robberies (the physical kind) only took in $9.5 million, or about 1/50th. However, the sentencing for hackers (considered a white-collar crime) was only a few years (if any), while bank robbers usually got over five. Granted, many bank robbers used guns (but I assume you kind of have to), so the sentencing guidelines change accordingly. However, the average take from these robberies is “only” around $5,000.

In the case of the hacker in question, Mr. Albert Gonzalez (28 years old), the scale was something else. Apparently, he stole over 90 million credit card numbers, equaling over 80 gigabytes of data. The main victim, TJX, apparently suffered close to $200 million in damages. For this, Mr. Gonzalez will now spend 20 years in jail. A good article on the complicated case can be found at Wired.

For more entries on security, I have created a new blog section at: http://security./

March 27th, 2010 04:27 PM
Author whsaito
Category Hacker, security
Comments No Comments

Top corporate security threats

  1. External hackers attacking your systems’ availability
  2. Security defects/vulnerabilities in hardware and software
  3. External hackers attacking your corporate information
  4. Employee errors in software and computer use
  5. Employee actions that are intentionally harmful
  6. Natural disasters
  7. Theft of physical assets
  8. Unauthorized wireless network access
  9. Terrorism

(N=294 / Source: Gartner 2005)

02:56 PM
Author whsaito
Comments No Comments

The future of security

As the original designer/developer of the internet, the U.S. Department of Defense is on the cutting edge of ICT. Many of these connected systems will require greater security protocols. Eventually, these technologies will trickle down into commercial implementations. The following examples would be the latest evolution in communications and information security.

My friend, Mark Anderson, also publishes a popular newsletter called the Strategic News Service, which caters to the technology and ICT community. He was recently interviewed on NPR on how the scary future of security is here:

02:55 PM
Author whsaito
Category DoD, future, NSA, security
Comments No Comments

Dilbert on security

I’ve always been a fan of Dilbert. Scott Adams actually does a really good job of portraying real world security in the workplace.

March 1st, 2010 02:58 PM
Author whsaito
Comments No Comments