Risk Appetite Generator

One of the first questions to ask a client when starting a risk journey with them is what their Risk Appetite is. Sometimes this is an organisational question and sometimes it is a system-based one. But it is always a problem.

These appetites are usually six or so discrete statements which fit onto an intuitive scale. Yeah, right.

Recently a client showed me their risk appetite statements and the thing that immediately stood out was that they had one of the appetites at ‘minimal’ and yet it was not the lowest possible setting. I must admit, I wasn’t expecting to hit a Rule 1 violation with a single-word statement, and so the pointlessness of the scale gave us comedy gold.

So, the Risk Appetite Generator was born.  As with many of my generators, you can add ?help to find out what settings you can muck about with.

Before you ask, the risk appetites of that client are in the generator.

And Dumb Security Company of the day goes to…..

Argh, dammit, I can’t tell you.  But the imaginary conversation goes like this.

Me: “Hi security company, I see that you have an enterprise grade security product that my client has put at the heart of their enterprise?”

Dumb Security Company (DSC): “Yes, can I tell you about it, it’s great – it has elements that …”

Me: “No, no, please stop.  Anyway, the client tells me that your security product runs on Windows”

DSC: “Yes, that’s right we have a strategic relationship with Mi…”

Me: “Woah, thanks, got that, so my client needs to apply patches to the server that you run your product on?”

DSC: “Very good, patching is an important cyb….”

Me: “Gonna have to stop you again. But in this case your support people have told their support people that they must not install the critical OS patches or bad things might happen?”

DSC: “So stability is of para….”

Me: “Easy there tiger. So just to calibrate my BS detectors – You produce an enterprise grade security product that runs on a version of Windows that you insist cannot be patched – in this case for more than a year?”

DSC: “…”

Me: “You, a SECURITY company make a SECURITY PRODUCT and then insist that the platform is NEVER PATCHED?”

DSC: “…”

Me: “Do you KNOW how many critical issues there are for the platform that your system runs on?”

DSC: “…”

Me: “Great, nice talking to you.”

And the lesson of the day is that just because patching is hard does not mean that it does not need to be done.  Yes, you will need to regression test your product.  Get on with it.  Make fixes not excuses.

New Password Hashing Method

Dammit, Bruce Schneier had a link this month to a password hashing competition, but I was too slow.  The link is here: https://password-hashing.net/

In the meantime it occurs to me that one way to try to defeat GPU-based cracking is to increase the complexity of the hashing process so that it's harder to pipeline the functions on the GPU.

One way to do that would be to have per-user iteration counts, where the actual number of iterations is decided within the hashing process itself, to use different hashing algorithms, and to re-introduce the salt at various points in the iteration process.

The hashing version would define the total iteration count and each of two hashing algorithms. V1 would use an iteration count i of 100000, SHA-512 and Whirlpool-512.

  • Take the password 'p' and generate a random salt 'r'
  • Concatenate p and r.
  • Iterate pr through Algorithm 1 for 1000 iterations to arrive at h, incrementing i each time
  • Take the last byte of h, which is unpredictable but not random, as x
  • Concatenate the salt with h to get hs
  • Iterate hs for x iterations through Algorithm 2, incrementing i each time
  • Take the last byte of h, which is unpredictable but not random, as x
  • Concatenate the salt with h to get hs
  • Go back to Algorithm 1 unless i is exceeded, in which case h is the output hash

As part of the password test, the user is required to transmit the password.  This would be a great time to change the salt!  Yes, I mean it, so at the same time as we test the password, we also make a new hash from a new random salt.  If the password test succeeded, we store the new salt and hash.

WTF?  Why are we doing that?  If attackers have regular access to our user table, the stored password hashes all change a LOT more frequently, so it's harder to tell who has really changed their password. The disbenefit is that users that log in rarely will be plainly obvious.  An additional benefit is that if there is a need to move from V1 to V2, this will be done magically at next login.

Each concatenation is a string function converting the 512-bit hash to a string and then adding another string to it.
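The scheme and the re-salt-on-login step, as an added Python sketch (not code from the original post). Assumptions: SHA3-512 stands in for Whirlpool-512, rounds after the first 1000 are x iterations long, the last round is cut short so the total is exactly i, and a zero byte counts as one iteration; `new_record` and `login` are hypothetical names.

```python
import hashlib
import hmac
import secrets

TOTAL_ITERATIONS = 100_000  # V1 iteration count i, from the post
FIRST_ROUND = 1_000         # length of the first Algorithm 1 round, from the post
# Assumption: SHA3-512 stands in for Whirlpool-512, which stock hashlib lacks.
ALGORITHMS = (hashlib.sha512, hashlib.sha3_512)


def hash_v1(password: str, salt: str) -> str:
    """Alternate two 512-bit hashes; the last byte of h sets the next round length."""
    data = (password + salt).encode()
    done, rounds, which = 0, FIRST_ROUND, 0
    while True:
        rounds = min(rounds, TOTAL_ITERATIONS - done)  # assumption: stop exactly at i
        for _ in range(rounds):
            data = ALGORITHMS[which](data).digest()
        done += rounds
        if done >= TOTAL_ITERATIONS:
            return data.hex()
        # Assumption: a zero last byte counts as 1. As written, a zero-length
        # round would leave h and x unchanged and the loop would never reach i.
        rounds = max(1, data[-1])
        # String concatenation as in the post: hex form of h, then the salt again.
        data = (data.hex() + salt).encode()
        which ^= 1  # switch to the other algorithm


def new_record(password: str) -> dict:
    """Hash under a fresh random salt; this is what gets stored per user."""
    salt = secrets.token_hex(16)
    return {"version": 1, "salt": salt, "hash": hash_v1(password, salt)}


def login(users: dict, name: str, password: str) -> bool:
    """Test the password and, on success, replace the stored salt and hash."""
    record = users.get(name)
    if record is None:
        return False
    candidate = hash_v1(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False  # failed test: the stored record is left untouched
    # A version check here is where a V1 record would be re-hashed as V2.
    users[name] = new_record(password)
    return True
```

The cost here is CPU time only; the competition linked above went on to select Argon2, which also makes each guess expensive in memory.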

 

Certificate CA pinning

With many MITM attacks, you get fake certs.  CA pinning would help to fix this: the browser would retain a copy of every cert that it gets in a local DB, and if it gets a different cert next time you visit the same domain, or if the signing CA is different, it gives you a warning.  Carry on at your peril.   This kind of attack mainly comes from the state-sponsored threat actor: they have the resources and the clout to persuade a CA operator to sign a bogus cert and/or insert themselves in DNS traffic.

Ok, so since writing this article, I have discovered Certificate Patrol Firefox plugin, which does exactly what I described above.  Just like almost all great ideas – someone has had it already!  If you use Firefox, go grab the plugin.
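The check described in this post, as an added Python sketch (not the Certificate Patrol plugin's code and not from the original post). The function names, table layout and result labels are hypothetical, and placeholder bytes stand in for real DER-encoded certificates.

```python
import hashlib
import sqlite3


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Local DB holding one remembered certificate per domain."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS pins "
               "(domain TEXT PRIMARY KEY, fingerprint TEXT, issuer TEXT)")
    return db


def check_cert(db, domain: str, cert_der: bytes, issuer: str) -> str:
    """Return 'first-seen', 'match', 'cert-changed' or 'ca-changed'."""
    domain = domain.lower().rstrip(".")
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    row = db.execute("SELECT fingerprint, issuer FROM pins WHERE domain = ?",
                     (domain,)).fetchone()
    if row is None:
        # First visit: nothing to compare against, so remember what we got.
        db.execute("INSERT INTO pins VALUES (?, ?, ?)", (domain, fingerprint, issuer))
        return "first-seen"
    if row[1] != issuer:
        return "ca-changed"    # a different CA signed this one: warn
    if row[0] != fingerprint:
        return "cert-changed"  # same CA, different cert: warn (could be a renewal)
    return "match"


def carry_on(db, domain: str, cert_der: bytes, issuer: str) -> None:
    """The user accepted the warning: remember the new certificate instead."""
    db.execute("REPLACE INTO pins VALUES (?, ?, ?)",
               (domain.lower().rstrip("."), hashlib.sha256(cert_der).hexdigest(), issuer))


# Constructed sample data: placeholder bytes stand in for DER-encoded certificates.
OLD_CERT, RENEWED_CERT, BOGUS_CERT = b"cert-A", b"cert-B", b"cert-C"
```

The first visit is trusted blindly, and every routine renewal raises the same warning as a substituted cert, so the issuer comparison carries most of the signal.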

USB Firewall

I have not found one of these, but can't believe it doesn't exist: A little USB dongle that plugs into your work desktop and will charge your mobile phone but without making the desktop see your phone as a device.   Basically, connect the volts, but not the data.  Obvious really.  Someone tell me why it won't work?

PS3 Root Key Broken

News just in is that the Root Keys used to sign content for the PS3 have been broken by ~geohot.

This is big news as it seems that this key is built into the hardware and can’t be changed.

More info on this issue at Kotaku.

How many 27001 standards?

Please wait for a site operator to respond. You are number 1 in the queue. Your wait time will be approximately 0 minute(s) and 30 second(s).
You are now chatting with ‘Tim’
Your Issue ID for this chat is LTK16502038781X
Tim: Welcome to our Live Chat service.  How can I help you?  Are you or your company an ANSI Member?
you: Hi there Tim. I’m looking to buy PDF versions of ISO27001 and ISO27002 but am a bit confused.
you: there seem to be quite a few versions of both starting at $30 and rising to a few hundred on your ANSI website
you: so for example there is BS ISO/IEC 27001:2005/BS 7799-2:2005 for $144
you: and INCITS/ISO/IEC 27001-2005 for $30
you: and Information Security Package 27001 for $50
you: so I’m somewhat confused.
Tim: There are many adoptions of these standards by other standard developing organizations.  The original standards have the following designations:  ISO/IEC 27001:2005 for $129 and the ISO/IEC 27002:2005 for $206.  Or, you could purchase the two original documents together in the “ISO/IEC 27001 and 27002 IT Security Techniques Package” at a discounted price of $295. 
you: um, so what is the $30 version?
Tim: The $30 version is the INCITS adoption of the ISO/IEC 27001 and ISO/IEC 27002 standards. 
you: and will be completely different?
you: or the words are the same and the header is different
Tim: We can’t say that there haven’t been changes made to the original document.  You will need to contact INCITS for clarification.
you: but how can it be ISO27001 if they have changed anything?
Tim: That is an agreement between ISO and INCITS.  ANSI does not review the adoptions for changes.  If you’re unsure of the adopted standards, we recommend purchasing the originals by ISO.  
you: but on the INCITS Website it says that the INCITS version is ANSI approved. That’s you?
Tim: It has been ANSI approved as an adoption of the ISO/IEC 27001 and ISO/IEC 27002.
you: so that must mean that it’s an acceptable document
you: i.e. ANSI considered it to be not different to the ISO version?
you: I’m just trying to work out if I’m paying $99 more for the same thing.
Tim: You will need to contact INCITS to determine if any changes have been made.  ANSI does not review the body of the standard when it is adopted.   
you: that does not make any sense. you are saying that ANSI adopts a version of a document that might be completely different to the thing it purports to be?
Tim: ANSI does not adopt standards.  INCITS adopted the ISO/IEC original document.  ANSI approved the adoption but did not review if any changes were made to the document.  ANSI is not the copyright holder of the document.  You will need to contact INCITS if you want to find out if changes were made to the document by INCITS.
you: okay. It sounds really odd to me that from you I can buy about 5 different versions of 27001 and you don’t know what’s in any of them except the ISO version.
you: I will indeed contact INCITS
Tim: Thank you.  I’m sure INCITS will be able to answer your questions regarding their adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: thanks Tim. This has been my weirdest conversation for many weeks!