TISC Insight, Volume 2, Issue 24

Welcome to Volume 2, Issue 24 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference.


TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave

In this final issue of Y2K, Dr. Bill Hancock regales us with another whimsical look at security. If you've ever been responsible for prescribing, defining, implementing or maintaining security for an organization, I'm certain you'll simultaneously empathize and laugh at Dr. Bill's "Security Resolutions".

By the way, are we obliged to refer to year 2001 algebraically as Y2K+1?

On behalf of everyone at TISC and the terrific folks who comprise our faculty, I want to wish you a safe and joyous holiday season and much success in the new year. We look forward to serving you again in 2001!


Dr. Bill's Year 2001 Security Resolutions

By Dr. Bill Hancock

It is always good at the beginning of a new year to look back on the failures and triumphs of the previous year, take pause and resolve to do better in the future. Or at least try to keep from grabbing the air sickness bag whenever thinking about security challenges in 2001...

In any event, these are my security resolutions for 2001, listed in no particular order:

Resolution #1: Print User Passwords on Laser Printable Post-It's

I have come to the conclusion that trying to get users to stop writing down passwords on desks, tables, computer monitors--and Post It's--is futile. Since Avery Dennison and 3M now offer Post It's that can be run through my laser printer, I resolve to pre-print user passwords on such Post It's and hand them out when I change passwords on a quarterly basis. While some may resist this resolution due to poor security, I look at it as buying into the system instead of trying to fix it. By offering passwords on pre-printed Post It's, I can

Furthermore, the color of the Post It will allow the help desk staff to determine if the proper quarterly password is being used (Pink = Q1, pale green = Q2, powder blue = Q3 and yellow = Q4).

Resolution #2: Remove the Firewalls

I have determined that I spend between 10 and 20 hours a week dealing with firewall hassles. Granted, I have 2200 of them to worry about, but that's not the point. Most of them involve delay, as in "my connection's too slow". My support desk statistics show that 85% of the reported problems with the firewalls were not firewall (security) related at all. In fact, most were IP addressing problems or some other networking issue. Therefore, to make my life less stressful and to alleviate the load on the help desk, I am considering reversing my decision to use firewalls, and will remand them to their vendors. According to all the users, who are the experts (just ask them),

Eliminating firewalls is obviously the way to go to create a smoother operating environment and happier users. After all, statistics are never wrong. Ask the newspeople from the last election cycle how reliable their statistics were...

Resolution #3: Set up Corporate Information Directory Web Site for Hackers

Rather than repel invaders, a new way to look at the problem might be to invite them in. After all, if an interloper knew where to go to get the good stuff, they wouldn't have to spend so much time messing with systems looking for what they are after. Think about it: if you knew where to go to get what you were after, then you would not need to mess around with other systems. I think that a good solution would be an LDAP-enabled web site that has active pages which show what information is located on which machine, color coded by sensitivity and profitability (for the industrial spies). This would benefit a company in multiple ways:

To assist in this, I may write a Java applet that hooks into LDAP to make it easier for newbie hackers. I will need to think about that - you don't want to make it too easy. Absent a challenge, the interesting hackers might stay away...

Resolution #4: Free SPAM Relays and Addictive-User Interaction with SPAMmers

Since SPAM is a way of life, why fight it? I am thinking about setting up specific SMTP servers for SPAMmers that would have a specific domain name that is easily recognized for SPAM activities. This way those who didn't want to deal with SPAM could filter it out on their mail servers. For people who enjoy SPAM because of loneliness or lack of social contact--members of the American Society for E-Mail Addiction 12-steppers, for example--you could forward directed SPAM for your e-mail server to these other candidate locations who would appreciate it and actually respond to them. My theory is that if you get SPAMmers connected up with e-mail addicts, the SPAMmers are contacting people who will read their SPAM and the e-mail addicts will get more messages to answer, which satisfies their addiction. By providing free SPAM relay servers, then you reduce the criminal acts of SPAMmers who use legitimate corporate e-mail servers to send their messages. This has multiple benefits to many different constituencies. There's a winner here somewhere...

Resolution #5: Keyserver Addressing for Business Cards

First, the business card had your name and company information on it. Later, addresses and telephone numbers were added. Then, fax numbers. This was followed by mobile phone and then cell phone numbers. The last few years have seen e-mail addresses and for the custom few, URLs for their personal web pages. I believe the next add-on to business cards will be security-related: where your keyserver is located that contains your public key information. For instance, if you are a PGP user, rather than use the crusty old servers at MIT and CERT/CMU, it will be fashionable to have your own keyserver address. It worked for domain names, so why not keyrings?

Resolution #6: Certification for Industrial Spies

With certification methods running rampant in the security industry, perhaps it's time to have industrial spy certifications. Different levels of certifications for people who contract themselves out as industrial spies so that consumers know how capable a particular spy might be. Who wants to hire a level 2 certified spy for a level 5 job? This way the consumer would know in advance what skillset they are buying based upon the type of information they need to have stolen. Kind of an Underwriter's Laboratories (UL) rating scheme for industrial spies.

[Ed: How about the Certificate of Internet Krackers, International (CIKIs, pronounced "sickies").]

Resolution #7: Corporate Manager Security Type Rating Scheme

One idea that just begs to be implemented is a permanent rating scheme for corporate management types on their attitudes and support of security initiatives, products, services and maintenance. The idea is that security professionals would rate each manager in a company according to their personal attitudes and efforts towards security. These ratings would be recorded in an Internet-based central database. As the manager moves from company to company, a hiring company could look up their manager security rating prior to hiring and compare to corporate needs inventory for security. Shame that monster.com is taken...

For instance, if security is not really high on the corporate needs assessment for a new hire, perhaps the lowest rating of "security wuss" would be sufficient for the position. In cases where serious security might be needed, the top rating of "security Arnold" (as in Schwarzenegger) would be the desired trait. In some cases, as they become enlightened, the rating might be upgraded for some managers. In other cases, as they show a proclivity for being wimpy in sponsoring security initiatives, the rating might be lowered (for instance, a "security Arnold" might be downgraded to "security Rambo" when careless and shoot-from-the-hip security efforts are seen).

Resolution #8: Use Subliminal Security Messaging Pop-Up Boxes for User Security Awareness

One way to get people properly conditioned for specific responses is to use scientific methods such as subliminal messaging. One resolution would be to insert subliminal messages in pop-up display windows ("boxes") when users do things that are dumb, security-wise. To ensure they are being scanned long enough to get a subliminal graphic or message read in the displayed box, the overt message might be embedded in a popular PC-based game. For instance, how about different subliminal security messages in each card of a Solitaire game? It's a natural! The game is on every Windows box, and everybody plays it. Each card could be used to transmit a different security message to the consumer: "security is good," "security people like cookies," "invite your security staff to lunch," "OS/2 security is the only bad security," "PKI is really not confusing," "cryptography is really data compression with keys," and so on.

Resolution #9: "Aware" Security Token Hardware

One resolution that needs to be considered is the use of "aware" security tokens. These might be smart cards or other types of hardware token authentication cards, preferably with an audio generation capability. By making the card "aware" of a specific security use, the card could respond with a proper level of audio information (in the case of AARP members who are a little confused with all the new-fangled security gizmos) or abuse (in the case of a user who should know better than to use a security token where a proximity card is necessary). In the case of the senior citizen, a kindly voice from the card would provide guidance on its use. In the case of the idiotic user, a Gilbert Gottfried-like voice would administer the proper verbal abuse and tell them where to shove the card when the operation is complete. If the audio replay is loud enough for bystanders to hear, only a few abusive episodes would be necessary to reinforce proper security behavior.

Resolution #10: Security Alarms that Sound Like HAL

Since it's the year 2001, it's time to reinforce the use of the voice of HAL from the movie 2001: A Space Odyssey. Perhaps the use of the HAL voice when a token card is inserted into a reader ("I can feel it, Dave."). Maybe HAL expressing joy at a successful user login ("I have the greatest enthusiasm for the mission"). The opportunities are endless.

Parting thought for 2000

These are my resolutions. Of course, you may have your own which are probably a bit more docile than mine (I have never been accused of being half-way about much of anything). In any case, have a great 2001. Learn a lot, share a lot, think a little, smile a little...

and remember that it's always the firewall's fault...


© 2000 - 2006 Core Competence & Mactivity, Inc.