<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The New School of Information Security &#187; Doing it Differently</title>
	<atom:link href="http://newschoolsecurity.com/category/doing-it-differently/feed/" rel="self" type="application/rss+xml" />
	<link>http://newschoolsecurity.com</link>
	<description>The Blog Inspired By The Book</description>
	<lastBuildDate>Fri, 03 Feb 2012 16:16:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Aviation Safety</title>
		<link>http://newschoolsecurity.com/2012/01/aviation-safety/</link>
		<comments>http://newschoolsecurity.com/2012/01/aviation-safety/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 16:06:00 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[Doing it Differently]]></category>
		<category><![CDATA[measurement]]></category>
		<category><![CDATA[Science of Risk Management]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2481</guid>
		<description><![CDATA[The past 10 years have been the best in the country&#8217;s aviation history with 153 fatalities. That&#8217;s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data. The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>
The past 10 years have been the best in the country&#8217;s aviation history with 153 fatalities. That&#8217;s two deaths for every 100 million passengers on commercial flights, according to an Associated Press analysis of government accident data.</p>
<p>
The improvement is remarkable. Just a decade earlier, at the time the safest, passengers were 10 times as likely to die when flying on an American plane. The risk of death was even greater during the start of the jet age, with 1,696 people dying — 133 out of every 100 million passengers — from 1962 to 1971. The figures exclude acts of terrorism.</p>
<p>
&#8230;<br />
There are a number of reasons for the improvements.</p>
<ul>
<li>The industry has learned from the past. New planes and engines are designed with prior mistakes in mind. Investigations of accidents have led to changes in procedures to ensure the same missteps don&#8217;t occur again.</li>
<li>Better sharing of information. New databases allow pilots, airlines, plane manufacturers and regulators to track incidents and near misses. Computers pick up subtle trends. For instance, a particular runway might have a higher rate of aborted landings when there is fog. Regulators noticing this could improve lighting and add more time between landings.</li>
</ul>
<p>(&#8220;<a href="http://www.seattlepi.com/news/article/It-s-never-been-safer-to-fly-deaths-at-record-low-2434524.php">It&#8217;s never been safer to fly; deaths at record low</a>&#8221;, AP, link to Seattle PI version.)
</p></blockquote>
<p>Well, it seems there&#8217;s nothing for information security to learn here.  Move along.</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2012/01/aviation-safety/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New School Approaches to Passwords</title>
		<link>http://newschoolsecurity.com/2012/01/new-school-approaches-to-passwords/</link>
		<comments>http://newschoolsecurity.com/2012/01/new-school-approaches-to-passwords/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 17:06:20 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[best practice]]></category>
		<category><![CDATA[Doing it Differently]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2444</guid>
		<description><![CDATA[Adam Montville left a comment on my post, &#8220;Paper: The Security of Password Expiration&#8221;, and I wanted to expand on his question: Passwords suck when they&#8217;re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="https://stoicsecurity.com">Adam Montville</a> left a <a href="http://newschoolsecurity.com/2012/01/paper-the-security-of-password-expiration/#comment-10443">comment</a> on my post, &#8220;<a href="http://newschoolsecurity.com/2012/01/paper-the-security-of-password-expiration/">Paper: The Security of Password Expiration</a>&#8221;, and I wanted to expand on his question:</p>
<blockquote><p>
Passwords suck when they&#8217;re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. Does this leave us at a stalemate where we need to get people to care about their passwords?
</p></blockquote>
<p>I think the answer is &#8220;almost.&#8221;  We need to agree that passwords suck when they&#8217;re not properly cared for, and that caring for them is hard.  So we need to assume that passwords will tend to be poor, reused, etc., and develop methods to deal with that.  Most of our mechanisms today punish users.  We tell them to memorize 100 or more unique passwords, and then &#8220;security experts&#8221; abuse them for re-using passwords or for using a password management tool.</p>
<p>
Cormac Herley has claimed that the <a href="http://research.microsoft.com/en-us/people/cormac/">password</a> has a set of properties, including that it can be memorized, that make it impossible to replace, and that we should accept that and start engineering for it.  (&#8220;<a href="http://research.microsoft.com/apps/pubs/?id=154077">A Research Agenda Acknowledging the Persistence of Passwords</a>&#8221; and &#8220;<a href="http://research.microsoft.com/apps/pubs/?id=80199">Passwords: If We&#8217;re So Smart Why Are We Still Using Them?</a>&#8221;)</p>
<p>
Similarly, Nate Lawson posted &#8220;<a href="http://rdist.root.org/2012/01/10/on-the-evolving-security-of-password-schemes/">On the evolving security of password schemes</a>&#8221; which closes &#8220;most admins focus too much on increasing entropy of user choices and not enough on decreasing the attacker’s guess rate and implementing responses to limit their access when they do get a hit.&#8221;  Indeed.</p>
<p>
We need to observe the world, and ask how we can work within the constraints it presents, regardless of whether those constraints are economic, sociological or evolutionary.</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2012/01/new-school-approaches-to-passwords/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Paper: &#8220;The Future of Work is Play&#8221;</title>
		<link>http://newschoolsecurity.com/2011/12/paper-the-future-of-work-is-play/</link>
		<comments>http://newschoolsecurity.com/2011/12/paper-the-future-of-work-is-play/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 17:42:55 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[Doing it Differently]]></category>
		<category><![CDATA[Reports and Data]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2349</guid>
		<description><![CDATA[My colleague Ross Smith has just presented an important new paper, &#8220;The Future of Work is Play&#8221; at the IEEE International Games Innovation Conference. There&#8217;s a couple of very useful lessons in this paper. One is the title, and the mega-trends driving games into the workplace. Another is Ross&#8217;s lessons of when games work: Over [...]]]></description>
			<content:encoded><![CDATA[<p>My colleague Ross Smith has just presented an important new paper, &#8220;The Future of Work is Play&#8221; at the <a href="http://ice-gic.ieee-cesoc.org/2011/">IEEE International Games Innovation Conference</a>.  There are a couple of very useful lessons in this paper.  One is the title, and the mega-trends driving games into the workplace.  Another is Ross&#8217;s lessons on when games work:</p>
<blockquote><p>
Over the last several years, Microsoft has employed dozens of games and game mechanics in its software development process.  Forrester, Forbes and others have covered this work.  Table 1 illustrates the areas where productivity games can be the most impactful.  Focusing on either expanding skills in role or &#8220;organizational citizenship behaviors&#8221; that require core skills is the best way to ensure the success of a productivity game.  Player motivation is a key component of the success of a productivity game.</p>
<table border="1">
<tr>
<td></td>
<td>Core</td>
<td>Unique</td>
<td>expanding skills</td>
</tr>
<tr>
<td>In role behavior</td>
<td></td>
<td></td>
<td>Most Impact</td>
</tr>
<tr>
<td>Organizational Citizenship Behavior</td>
<td>Most Impact</td>
<td></td>
<td></td>
</tr>
</table>
</blockquote>
<p>What this means is that if you try to produce a game that replicates or intrudes on either core work (say, writing code) or unique skills that someone already has (say, threat modeling) the game is likely to be less successful.  But if you make a game to help people expand their skill (say, in threat modeling), it will be more impactful and accepted.  Similarly, if you&#8217;re trying to get thousands of people to help check user interface translations for Windows, it helps to use a core skill, like reading another language, rather than a unique skill (again, let&#8217;s say threat modeling) that only a few people have.</p>
<p>
This table is really useful guidance if you&#8217;re thinking of making a game.</p>
<p>
Games, by the way, are tremendously New School.  Games are New School because they&#8217;re a way to address the real human desires to do something (anything) more fun than deal with security stuff.  By making it fun, we can entice people into enjoying the things we need them to do.  You should consider if a game can address a problem you deal with, and if it&#8217;s in the area of expanding skills in a role or organizational citizenship behaviors that rely on core skills, you&#8217;re more likely to succeed.</p>
<p>
(I&#8217;d link to the paper, but unfortunately, IEEE continues to lock up the scientific literature and impede the flow of progress, rather than charge a few dollars more for each conference to cover the costs of serving up the scientific literature.)</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/12/paper-the-future-of-work-is-play/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AT&amp;T Hack Attempt</title>
		<link>http://newschoolsecurity.com/2011/11/att-hack-attempt/</link>
		<comments>http://newschoolsecurity.com/2011/11/att-hack-attempt/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 17:41:04 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[disclosure]]></category>
		<category><![CDATA[Doing it Differently]]></category>
		<category><![CDATA[measurement]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2331</guid>
		<description><![CDATA[First, good on AT&#038;T for telling people that there&#8217;s been an attempt to hack their account. (My copy of the letter that was sent is after the break.) I&#8217;m curious what we can learn by discussing the attack. An AT&#038;T spokesperson told Fox News that &#8220;Fewer than 1 percent of customers were targeted.&#8221; I&#8217;m currently [...]]]></description>
			<content:encoded><![CDATA[<p>First, good on AT&#038;T for telling people that there&#8217;s been an attempt to hack their account.  (My copy of the letter that was sent is after the break.)  I&#8217;m curious what we can learn by discussing the attack.</p>
<p>
An AT&#038;T spokesperson <a href="http://www.foxnews.com/scitech/2011/11/21/att-hit-by-hack-attack-company-says/">told Fox News</a> that &#8220;Fewer than 1 percent of customers were targeted.&#8221;</p>
<p>
I&#8217;m currently aware of 3 other folks in the security industry who&#8217;ve gotten these.  Can someone recommend a good embeddable polling software that I might use to see what the prevalence is on the biased audience that reads this blog?</p>
<p><span id="more-2331"></span></p>
<blockquote><p>
Dear ADAM SHOSTACK:</p>
<p>
In our ongoing effort to provide you with the best privacy protections possible, AT&#038;T regularly monitors the security of our online services such as MyATT online account management. The purpose of this letter is to advise you that we recently detected an organized and systematic attempt to obtain information on a number of AT&#038;T customer accounts, including yours. We have not yet determined the source or intent of the attempt to gather information, but we are continuing to investigate. </p>
<p>
We do not believe that the perpetrators of this attack obtained access to your online account or any of the information contained in that account. Use of your mobile device or other AT&#038;T services has not been affected by this incident. </p>
<p>
Customer privacy and data security are top priorities for AT&#038;T. Because there may be an increased risk of fraudulent attempts to access your account information, you should be cautious about efforts to obtain sensitive information through email (&#8220;phishing&#8221;) or text messages (&#8220;smishing&#8221;). You can find out more about phishing, smishing, and protecting your online account information below, and at att.com/safety. </p>
<p>
We appreciate having you as a customer and if you have questions or you need assistance, please contact AT&#038;T Customer Care by dialing 611 on your AT&#038;T wireless device or calling 1.800.331.0500. </p>
<p>
Sincerely, </p>
<p>
AT&#038;T Online Services </p>
<p>
Ref Code: F3221 </p>
<p>Measures available to you to help ensure that all of your online accounts and your Internet access devices are better protected.</p>
<p>Be aware of the risks to any online account and the steps you can take to reduce your exposure to them. &#8220;Phishing,&#8221; also known as &#8220;brand spoofing&#8221; or &#8220;carding,&#8221; is a trick used to gather financial information and password data using fake emails and websites. Scammers using phishing techniques send consumers email messages that appear to be from well-known companies. These messages usually contain links to web pages that have been disguised to look nearly identical to legitimate companies&#8217; sites and request customers to enter sensitive information including financial and password data. &#8220;Smishing&#8221; is a technique similar to phishing; it uses cell phone text messages to get customers to divulge personal information. Scammers using smishing techniques may send a text message with a link to a website which requests sensitive information. More commonly, &#8220;smishers&#8221; will include a phone number in the text message that connects to an automated voice response system to capture sensitive information. </p>
<p>
Some of the measures you can take online and on your Internet access device to help protect yourself include: </p>
<ul>
<li>Be aware that email and text message headers can be easily forged, so the posing sender may not be the real sender.</li>
<li>Avoid providing or filling out forms via email because the data is likely to be unsecured.</li>
<li>Realize that Internet scammers can create realistic forgeries of websites, so avoid clicking on links in an unsolicited email or text message. If appropriate, go directly to the company&#8217;s website to investigate the validity of the communication.</li>
</ul>
<p>Additional recommended measures to protect your Internet access devices include: </p>
<ul>
<li>Scan all computers with an up-to-date anti-virus program.</li>
<li>Use an up-to-date anti-spyware (anti-malware) application, as some malware is not detected by anti-virus scans.</li>
<li>Ensure your operating system has been updated with all the recommended security updates from the operating system provider.</li>
<li>Check all your online accounts regularly for unauthorized activity.</li>
<li>Review trusted online sources for information on protecting your computer and mobile devices.</li>
</ul>
<p>If you have any questions about how AT&#038;T collects, uses and protects your personal information as a customer, please visit our Privacy Policy.</p>
<p>
© 2011 AT&#038;T Intellectual Property. All rights reserved. AT&#038;T, the AT&#038;T logo and all other AT&#038;T marks contained herein are trademarks of AT&#038;T Intellectual Property and/or AT&#038;T affiliated companies. Subsidiaries and affiliates of AT&#038;T Inc. provide products and services under the AT&#038;T brand.
</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/11/att-hack-attempt/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Maria Klawe on increasing Women in Technology</title>
		<link>http://newschoolsecurity.com/2011/10/maria-klawe-on-increasing-women-in-technology/</link>
		<comments>http://newschoolsecurity.com/2011/10/maria-klawe-on-increasing-women-in-technology/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 15:39:32 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[Doing it Differently]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2307</guid>
		<description><![CDATA[I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security. There&#8217;s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free. But discovering what claims don&#8217;t stand up to scrutiny is a matter [...]]]></description>
			<content:encoded><![CDATA[<p>I talk a lot about the importance of data in enabling us to bring the scientific method to bear on information security.  There&#8217;s a reason for that: more data will let us know the falsehoods, and knowing the falsehoods will set us free.  But discovering what claims don&#8217;t stand up to scrutiny is a matter of understanding systems.  And to understand systems, we need diverse perspectives.  And that&#8217;s really hard.  At <a href="http://newschoolsecurity.com/2011/10/new-school-of-information-security-book-reading-at-adas/">my book reading at Ada&#8217;s</a>, I decided to include the section of the book that talks about diversity.  Jacob Appelbaum asked me what we can do about the problem, and I was forced to admit that my best answer is to raise awareness that there&#8217;s a real issue here, and hope that someone with a different perspective can offer up better answers.  (It&#8217;s a nicely recursive solution to the issue.)</p>
<p>
And fortunately, <a href="http://en.wikipedia.org/wiki/Maria_Klawe">Maria Klawe</a> (President of Harvey Mudd College, ACM Fellow, Microsoft board member) has some answers, which are subtle, simple, and likely incredibly difficult to implement:</p>
<p>(Embedded Bloomberg video player: Maria Klawe on women in technology.)</p>
<p>Via &#8220;<a href="http://www.bloomberg.com/video/76028566/">Harvey Mudd President Klawe on Women in Technology</a>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/10/maria-klawe-on-increasing-women-in-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lean Startups &amp; the New School</title>
		<link>http://newschoolsecurity.com/2011/09/lean-startups-the-new-school/</link>
		<comments>http://newschoolsecurity.com/2011/09/lean-startups-the-new-school/#comments</comments>
		<pubDate>Tue, 20 Sep 2011 16:10:54 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[argument]]></category>
		<category><![CDATA[Doing it Differently]]></category>
		<category><![CDATA[measurement]]></category>
		<category><![CDATA[metrics]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2275</guid>
		<description><![CDATA[On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries conceives of startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups. In fact, he thinks that startups are everywhere, even [...]]]></description>
			<content:encoded><![CDATA[<p>On Friday, I watched <a href="http://www.startuplessonslearned.com/">Eric Ries</a> talk about his new <a href="http://www.amazon.com/Lean-Startup-Entrepreneurs-Continuous-Innovation/dp/0307887898/ref=sr_1_1?ie=UTF8&#038;qid=1316446944&#038;sr=8-1">Lean Startup</a> book, and wanted to talk about how it might relate to security.</p>
<p>
Ries conceives of startups as businesses operating under conditions of high uncertainty, which includes things you might not think of as startups.  In fact, he thinks that startups are everywhere, even inside of large businesses.  You can agree or not, but suspend skepticism for a moment.  He also says that startups are really about management and good decision making under conditions of high uncertainty.</p>
<p>
He tells the story of IMVU, a startup he founded to make 3D avatars as a plugin for instant messenger systems.  He walked through a lot of the reasoning behind the decisions they&#8217;d made, and then said every single thing he&#8217;d said was wrong.  He said that the key was to learn the lessons faster in order to focus in on the right thing&#8211;that in that case, they could have saved 6 months by just putting up a download page and seeing if anyone wanted to download the client. They wouldn&#8217;t have even needed a 404 page, because no one ever clicked the download button.</p>
<p>
The key lesson he takes from that is to look for ways to learn faster, and to focus on pivoting towards good business choices.  Ries defines a pivot as one turn through a cycle of &#8220;build, measure, learn&#8221;:</p>
<p>
<img style="display:block; margin-left:auto; margin-right:auto;" src="http://newschoolsecurity.com/wp-content/uploads/2011/09/Slide1.png" alt="Learn, build, measure cycle" title="Slide1.png" border="0" width="600" height="450" /></p>
<p>
Ries jokes about how we talk about &#8220;learning a lot&#8221; when we fail.  But we usually fail to structure our activities so that we&#8217;ll learn useful things.  And so under conditions of high uncertainty, we should do things that we think will succeed, but if they don&#8217;t, we can learn from them.  And we should do them as quickly as possible, so if we learn we&#8217;re not successful, we can try something else.  We can pivot.</p>
<p>
I want to focus on how that might apply to information security.  In security, we have lots of ideas, and we&#8217;ve built lots of things.  We start to hit a wall when we get to measurement.  How much of what we built changed things?  (I&#8217;m jumping to the assumption that someone wanted what you built enough to deploy it.  That&#8217;s a risky assumption, and one Ries pushes against with good reason.)  When we get to measuring, we want data on how much your widget changed things.  And that&#8217;s hard.  The threat environment changes over time.  Maybe all the APTs were on vacation last week.  Maybe all your protestors were off Occupying Wall Street.  Maybe you deployed the technology in a week when someone dropped 34 0days on your SCADA system.  There are a lot of external factors that can be hard to see, and so the data can be thin.</p>
<p>
That thin data is something that can be addressed.  When doctors study new drugs, there&#8217;s likely going to be variation in how people eat, how they exercise, how well they sleep, and all sorts of things.  So they study lots of people, and can learn by comparing one group to another group.  The bigger the study, the less likely that some strange property of the participants is changing the outcome.</p>
<p>
But in information security, we keep our activities and our outcomes secret.  We could tell you, but first we&#8217;d have to spout cliches.  We can&#8217;t possibly tell you what brand of firewall we have, it might help attackers who don&#8217;t know how to use netcat. And we certainly can&#8217;t tell you how attackers got in, we have to wait for them to tell you on Pastebin.</p>
<p>
And so we don&#8217;t learn.  We don&#8217;t pivot.  What can we do about that?</p>
<p>
We can look at the many, many people who have announced breaches, and see that they didn&#8217;t really suffer.  We can look at work like what Sensepost has offered up at Black Hat, showing that our technology deployments can be discovered through our participation on tech support forums.</p>
<p>
We can look to measure our current activities, and see if we can test them or learn from them.</p>
<p>
Or we can keep doing what we&#8217;re doing, and hope our <a href="http://newschoolsecurity.com/2011/06/are-lulz-our-best-practice/">best practices</a> make themselves better.</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/09/lean-startups-the-new-school/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Diginotar Quantitative Analysis (&#8220;Black Tulip&#8221;)</title>
		<link>http://newschoolsecurity.com/2011/09/diginotar-quantitative-analysis-black-tulip/</link>
		<comments>http://newschoolsecurity.com/2011/09/diginotar-quantitative-analysis-black-tulip/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 15:12:05 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[Data Analysis]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[Doing it Differently]]></category>
		<category><![CDATA[measurement]]></category>
		<category><![CDATA[Reports and Data]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2272</guid>
		<description><![CDATA[Following the Diginotar breach, FOX-IT has released analysis and a nifty video showing OCSP requests. As a result, lots of people are quoting a number of &#8220;300,000&#8221;. Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at &#8220;DigiNotar: surveying the damage with OCSP.&#8221; To their credit, FoxIt [...]]]></description>
			<content:encoded><![CDATA[<p>Following the Diginotar breach, FOX-IT has released <a href="http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf">analysis</a> and a nifty <a href="http://www.youtube.com/watch?v=wZsWoSxxwVY">video</a> showing OCSP requests.</p>
<p>
As a result, lots of people are quoting a number of &#8220;300,000&#8221;.</p>
<p>
Cem Paya has a good analysis of what the OCSP numbers mean, what biases might be introduced at &#8220;<a href="http://randomoracle.wordpress.com/2011/09/11/diginotar-surveying-the-damage-with-ocsp/">DigiNotar: surveying the damage with OCSP</a>.&#8221;</p>
<blockquote><p>
To their credit, FoxIt tried to investigate the extent of the damage by monitoring OCSP logs for users checking on the status of the forged Google certificate. There is a neat YouTube video showing the geographic distribution of locations around the world over time. Unfortunately while this half-baked attempt at forensics makes for great visualization, it presents a very limited picture of impacted users.
</p></blockquote>
<p>DigiNotar and Fox-IT released enough that a dedicated secondary analyst like Cem can see methodological flaws in what they did.  What else could we learn if we had more of the raw observations?  When I read the report, I noticed the claim &#8220;A number of malicious/hacker software tools was found. These vary from commonly used tools such as the famous Cain &#038; Abel tool to tailor made software.&#8221;   This claim mixes analysis and observation.  The observation is that there was software with which the analyst was not familiar.  It may be that it was a perl script or other code that can be easily skimmed to see that it was &#8220;tailor made.&#8221;  It may be that it was just something re-compiled to not match a hash.  We don&#8217;t know.  Similarly, the report claims (4.1) &#8220;In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011.&#8221;  Really?  On purpose?  Perhaps the fingerprints were inserted as a matter of dis-information.  Perhaps the Fox-IT analyst called the intruder on the phone, and he owned up to it.  We don&#8217;t know.</p>
<p>
I want to be clear that I don&#8217;t mean to be picking on Fox-IT here.  My understanding is that the report they prepped came out incredibly quickly, and kudos to them for that.  I&#8217;ve cherry picked two areas where I can ask for better editing, but I&#8217;m very aware that that editing comes at a cost in timeliness.</p>
<p>
Cem&#8217;s article is very much worth reading, as is the Fox-IT report.  But Cem&#8217;s analysis helps illustrate a theme of the New School, which is that we need diverse perspectives and analysis brought to bear on each report.  The more data we see, the more we can learn from it.  No single analysis will tell us everything we might learn.  (I made a similar point <a href="http://newschoolsecurity.com/2011/06/how-the-epsilon-breach-hurts-consumers/">here</a>.)</p>
<p>
I am left with a question for Cem, which I would have added to his post, but couldn&#8217;t comment there.  My question is, having given all that thought to all the biases, what do you think is the probable true number (or range) of affected people?</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/09/diginotar-quantitative-analysis-black-tulip/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Rules of Breach Disclosure</title>
		<link>http://newschoolsecurity.com/2011/09/the-rules-of-breach-disclosure/</link>
		<comments>http://newschoolsecurity.com/2011/09/the-rules-of-breach-disclosure/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 15:50:49 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[breaches]]></category>
		<category><![CDATA[Doing it Differently]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2270</guid>
		<description><![CDATA[There&#8217;s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s an interesting article over at CIO Insight:</p>
<blockquote><p>
The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss of fairly innocuous data. This change in practice has the potential to affect every CIO who collects “contact” information from consumers, maybe even from employees in an otherwise purely commercial context.  (&#8220;<a href="http://www.cioinsight.com/c/a/Security/Breach-Notification-Time-for-a-Wake-Up-Call-581657/">Breach Notification: Time for a Wake Up Call</a>&#8221;, Mark McCreary of Fox Rothschild LLP)
</p></blockquote>
<p>My perspective is that breach disclosure now hurts far less than it did a mere five years ago, and spending substantial time on analysis of &#8220;do we disclose&#8221; is returning less and less value.  As companies disclose, we&#8217;re getting more and more data that CIOs can use to improve IT operations.  We can, in a very real way, start to learn from each other&#8217;s mistakes. </p>
<p>
Over the next few years, this perspective will trickle both upwards and downwards.  CEOs will be confused by the desire to hide a breach, knowing that the coverup can be worse than the crime.  And security professionals will be less and less able to keep saying that one breach can destroy your company in the face of overwhelming evidence to the contrary.</p>
<p>
As the understanding spreads, so will data.  We&#8217;ll see an explosion of ways to talk about issues, ways to report on them and analyze them.  In a few years, we&#8217;ll see an article titled &#8220;Breach Analysis: Read it with your coffee&#8221; because daily analysis of breaches will be part of a CIO&#8217;s job.</p>
<p>Thanks to the Office of Inadequate Security for the <a href="http://www.databreaches.net/?p=20415">pointer</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/09/the-rules-of-breach-disclosure/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securosis goes New School</title>
		<link>http://newschoolsecurity.com/2011/08/securiosis-goes-new-school/</link>
		<comments>http://newschoolsecurity.com/2011/08/securiosis-goes-new-school/#comments</comments>
		<pubDate>Wed, 10 Aug 2011 20:12:42 +0000</pubDate>
		<dc:creator>Russell</dc:creator>
				<category><![CDATA[Data Analysis]]></category>
		<category><![CDATA[Doing it Differently]]></category>
		<category><![CDATA[metrics]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2254</guid>
		<description><![CDATA[The fine folks at Securosis are starting a blog series on &#8220;Fact-based Network Security: Metrics and the Pursuit of Prioritization&#8220;, starting in a couple of weeks.  Sounds pretty New School to me!  I suggest that you all check it out and participate in the dialog.  Should be interesting and thought provoking. [Edit -- fixed my [...]]]></description>
			<content:encoded><![CDATA[<p>The fine folks at Securosis are starting a blog series on &#8220;<a href="http://www.securosis.com/blog/new-blog-series-fact-based-network-security-metrics-and-the-pursuit-of-prio">Fact-based Network Security: Metrics and the Pursuit of Prioritization</a>&#8221;, starting in a couple of weeks.  Sounds pretty New School to me!  I suggest that you all check it out and participate in the dialog.  Should be interesting and thought provoking.</p>
<p><em>[Edit -- fixed my misspelling of company name.  D'oh!]</em></p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/08/securiosis-goes-new-school/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Breach Harm: Should Arizona be required to notify?</title>
		<link>http://newschoolsecurity.com/2011/06/breach-harm-should-arizona-be-required-to-notify/</link>
		<comments>http://newschoolsecurity.com/2011/06/breach-harm-should-arizona-be-required-to-notify/#comments</comments>
		<pubDate>Tue, 28 Jun 2011 14:49:16 +0000</pubDate>
		<dc:creator>adam</dc:creator>
				<category><![CDATA[breaches]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[Doing it Differently]]></category>

		<guid isPermaLink="false">http://newschoolsecurity.com/?p=2242</guid>
		<description><![CDATA[Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is &#8220;A breach that crosses the line?&#8221; I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose [...]]]></description>
			<content:encoded><![CDATA[<p>Over at the Office of Inadequate Security, Pogo was writing about the <a href="http://www.pcworld.com/article/231156/lulzsec_hacks_arizona_state_police_posts_officer_info.html">Lulzsec hacking of Arizona State Police</a>.   Her article is &#8220;<a href="http://www.databreaches.net/?p=19232">A breach that crosses the line?</a>&#8221;</p>
<blockquote><p>
I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose lives are endangered from fringe elements, women who have tried to escape abusive spouses, porn actors whose families may be harassed by the publication of their names and addresses, confidential informants and law enforcement officers, and immigrants whose personal information was illegally revealed to law enforcement and to media by the actions of Utah state employees.  All of those people have been put at risk of physical harm as a result of data breaches.
</p></blockquote>
<p>To date, what we know was taken from Arizona&#8217;s (apparently) insufficiently secured systems was names and addresses of people who have good reason to think they&#8217;re in danger from the release of that information.</p>
<p>
I want to talk about four major risks here:  The risk of harm, the risk of attributing all that risk to Lulzsec, the incentive to cover-up, and the risk of believing our analyses are complete.</p>
<p>
The first risk, <strong>the risk of harm</strong>, Pogo covers fairly well.  I have a cousin who works in a correctional facility.  Their house, their phone, their cable, all these things are listed in the wife&#8217;s name, and I understand the fear of knowing that a real criminal thinks you&#8217;re at fault and knows where your family lives.  I bring this up because it&#8217;s my family too, and that&#8217;s important because I&#8217;m about to discuss the apportionment of blame, and want to be clear that I&#8217;m doing so with some skin in the game.</p>
<p>
The second risk is <strong>the risk of attributing all of the responsibility to Lulzsec</strong>.  Some of the fault here is that of the State of Arizona Department of Public Safety (AZDPS).  AZDPS made a decision to collect information.  They had a responsibility to protect it.  AZDPS also made a decision to store that information in electronic form.  AZDPS made a decision to store that electronic information in an internet-accessible fashion.  AZDPS made decisions about computer security which, in hindsight, may now be under reconsideration.  However elite the ninjas of Lulzsec may or may not have been, however many laser-eyed sharks they might have employed, if the information had only been stored on paper in a locked room in Arizona, it would have been far more secure.  And if Lulzsec could break in, others may already have broken in and stolen the data for purposes far more dangerous than embarrassing AZDPS.  AZDPS is not unique in this set of choices.  The organization reaps lots of benefits in putting the data online.  Many of those benefits, such as speed and efficiency, are probably shared with employees, customers or citizens.  All that said, Lulzsec did increase the risk by making the data widely available to anyone.  (They also marginally decreased the risk by making people aware it&#8217;s out there, but the net risk is still increased.)</p>
<p>
The third risk is <strong>the risk of cover-up</strong>.  AZDPS is one of many organizations that collect information today.  Like most of those organizations, AZDPS makes some investments in security to protect the data.  I suspect that they invest more than many others, since they know how sensitive the data is and how many motivated attackers it draws.  Interestingly, their policy states that &#8220;Security methods and measures have been integrated into the design, implementation and day-to-day practices of the entire Azdps.gov web portal.&#8221;  (<a href="http://web.archive.org/web/20100920170620/http://www.azdps.gov/About/Privacy/">AZDPS Privacy Policy (as of January 4, 2010, via the WayBack Machine)</a>), which strikes me as a mature statement compared to the common &#8220;we follow industry-leading best practices in buying a firewall.&#8221;  Most organizations that are hacked are not hacked by Lulzsec, and so may choose to cover up.  AZDPS should investigate what went wrong, and share their analysis so others can learn from them.</p>
<p>
The final risk is <strong>the risk of believing our analysis is complete</strong>.  Much like I pointed out in &#8220;<a href="http://newschoolsecurity.com/2011/06/how-the-epsilon-breach-hurts-consumers/">How the Epsilon Breach Hurts Consumers</a>,&#8221; it&#8217;s easy to arrive at an analysis which misses important elements because the investigators have a defined scope.  They are more likely to talk to those close to the system, and thus will be influenced by their perspectives and orientation.  By sharing information about the breaches, different perspectives can emerge from a chaotic discussion.  This is a perspective deeply influenced by Hayek.  Unlike markets, information security lacks a pricing mechanism to help us bring all of the perspectives into a single sharp focus.  It&#8217;s hard to add security to see what people will pay, and we lack good information about the inputs that led to breaches or other outcomes.  Without that information, it&#8217;s hard to know what security is cost-effective, or appropriate in light of the duties that an information collector takes on by collecting data.</p>
<p>
So to bring this together around those risks, the people whose data was exposed (first risk) were exposed in part because most organizations never issue a good report on what went wrong (the third risk) and so the choices made in collecting and storing data are made in an information vacuum (the second risk).</p>
<p>
And so the Arizona DPS should take seriously their public safety mission.  They should perform a deep investigation of what went wrong, and they should share it with the citizens of Arizona and people around the world.  If they do so, and their counterparts do so, we&#8217;ll all be able to learn from each other&#8217;s mistakes, and we&#8217;ll all be able to, in that hated phrase, &#8220;do more with less.&#8221;</p>
<p>
That&#8217;s how public entities, operating with data about citizens, should be operating, and in my personal opinion, ought to be required to operate.</p>
]]></content:encoded>
			<wfw:commentRss>http://newschoolsecurity.com/2011/06/breach-harm-should-arizona-be-required-to-notify/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>