Blog


Save Security Today

posted Mar 21, 2016, 2:37 PM by Jer Cox   [ updated Mar 21, 2016, 2:47 PM ]

There is a lot of confusion regarding the Apple vs FBI case.  Most simply do not understand the enormous ramifications that this action will have on the future of this country, and even the future of the world.  Strong encryption is what makes the world go around.  The entire world economy depends on encryption functioning exactly as it is supposed to.  What seems to be simply a battle over one iPhone is not all it appears.  If the FBI creates a legal precedent that it can force Apple to create a backdoor into the iPhone, it will establish a simple path to create backdoors into any technology solution available, including all the solutions that protect your identity, your money, and your privacy.
The fight with Apple is the beginning.  Complete Government oversight could easily be the end.

To those of you who believe that you can trust the Government to protect your data and to protect the backdoors that will be created due to this action, you should ask the 20,000 FBI employees who lost their personal data to hackers following a breach of government systems.  If backdoors are created, the question is not whether they will be released into the wild; the real question you should ask is when.

To those of you who believe that the Government will never go beyond the specific iPhone, or others like it, I would refer you to the extensive NSA spying operation that was uncovered by Edward Snowden.  We live in a world where a little more intelligence is never quite enough.  It reminds me of a book I have read, "If You Give a Mouse a Cookie".

Finally, if you really think that creating all these backdoors is going to help, I would remind you that we don't own encryption; any programmer can build an app with extensive encryption capabilities.  Ultimately the criminals, terrorists and others who want full encryption without a backdoor will still find it.  Meaning, all we did was shoot ourselves in the foot.

Unlike some people, I still believe that America is Great.  I believe that protecting everyone with strong security is the right thing to do.  Taking away strong security is like putting the whole country on house arrest because there is some idiot with a gun somewhere shooting others.  It's an extremely aggressive move, promoted entirely by fear, and in the end will really not accomplish much more than destroying the freedom of millions of people.

Let us show that America is great, that her people do care, and that we will stand up for what is right instead of succumbing to fear and hatred.

#savesecurity

Utah HB 225 Continued

posted Feb 19, 2016, 12:46 PM by Jer Cox

Lines 140-145 read (with amendments):

140 (4) A person who intentionally or knowingly, and with or without authorization,
141 interferes with or interrupts computer services to another authorized to receive the services is
142 guilty of a class A misdemeanor.
143 (5) A person who by means of a computer, computer network, computer property,
144 computer system, computer program, computer data or software intentionally or knowingly
145 interferes with or interrupts critical infrastructure is guilty of a class A misdemeanor.


There are some significant problems with the plausible interpretation of this wording.

Sections 4 and 5 do not require that such an interruption be carried out with intent to commit a crime, to cause damage or to harm. This is the problem with the "with or without authorization" in section 4 and the blanket statement ignoring any authorization whatsoever in section 5.

We know that IT employees have authorization to interrupt services for maintenance purposes, and must do so in order to maintain network equipment. Since these two sections do not make allowances for said authorization, nor do they require that the action be done with the intent to commit a crime, to do damage or to harm, they remove the burden of proof from the state and put ordinary network engineers and administrators at risk of prosecution. I have found no previous section in the current bill or the current law that would lead me to believe otherwise. Since it's not a subsection, I have concluded that it could be interpreted this way, even though I don't believe this was the intent.

Utah House Bill 225

posted Feb 3, 2016, 9:05 AM by Jer Cox   [ updated Feb 8, 2016, 12:15 PM ]

I have serious concerns with Utah House Bill 225. As currently written, the bill makes standard IT procedures punishable by law. Let me explain.

A standard security practice mentioned in security models is something called Penetration Testing, also known as Red Team Exercises. Please see the SANS Critical Security Controls number 20 (https://www.sans.org/critical-security-controls). Penetration Testing is essentially hacking into a system with authorization to prove whether or not it is vulnerable. These tests intentionally cause non-permanent damage to systems in a controlled environment. These methods are used to identify and eliminate risks. Penetration Testing is normal, and Washington County School District and other state entities use it to identify problems before data can be compromised by outside actors.


HB 225's language makes these practices punishable by law, in the following section:


102 (1) A person who with or without authorization gains or attempts to gain access to any
103 computer and unlawfully alters, damages, destroys, discloses, or modifies any computer,
104 computer network, computer property, computer system, computer program, or computer data
105 or software, and [thereby] as a result causes economic or property damage, or both, to another
106 person or entity, or obtains money, property, information, or a benefit for any person without
107 legal right, is guilty of:


The "with or without authorization" is where the problem is.


HB 225 addresses the use of these methods as an "affirmative defense".


146 [(5)] (6) It is an affirmative defense to Subsections (1) and (2) that a person obtained
147 access or attempted to obtain access in response to, and for the purpose of protecting against or
148 investigating, a prior attempted or successful breach of security of a computer, computer
149 network, computer property, computer system whose security the person is authorized or
150 entitled to protect, and the access attempted or obtained was no greater than reasonably
151 necessary for that purpose.

But as written I would have to defend myself after every security assessment. Any other individual with knowledge of the assessment would be required to report it. As stated in the following section:


154 Every person, except [those] a person to whom a statutory or common law privilege
155 applies, who has reason to believe that [the provisions] any provision of Section 76-6-703 [are]
156 is being or [have] has been violated shall report the suspected violation to:


I would have an "affirmative defense", but it would come at great cost to me and my employer.

I understand that the writer is concerned with disgruntled employees who intentionally and maliciously damage systems while they currently have access and authorization to use said systems.  I appreciate and applaud a law that protects organizations from disgruntled employees. But if you read the current definition of authorization, it states:


44 (2) "Authorization" means having the express or implied consent or permission of the
45 owner, or of the person authorized by the owner to give consent or permission to access a
46 computer, computer system, or computer network in a manner not exceeding the consent or
47 permission.


So exceeding authorization is equivalent to having no authorization. Since such employees have affirmatively exceeded their authorization, I don't believe this bill accomplishes anything other than creating extremely broad legislation that can easily be twisted and used to prosecute routine IT tasks.


In addition, the same "with or without authorization" language is used in the following section and could also be extremely problematic.


140 (4) A person who intentionally or knowingly, and with or without authorization,
141 interferes with or interrupts computer services to another authorized to receive the services is
142 guilty of a class A misdemeanor.


The next section is even more problematic.


143 (5) A person who by means of a computer, computer network, computer property,
144 computer system, computer program, computer data or software intentionally or knowingly
145 interferes with or interrupts critical infrastructure is guilty of a third degree felony.

Intentional interruption of services on a critical network is something that we do frequently under authorization. More often than not these interruptions are done by means of a computer, which would make me and many others guilty of a third degree felony. The interruptions I'm referring to are network outages.


I have tried to work with the author of this bill, and he was somewhat responsive last week. However, I am still extremely concerned that if this bill should pass as written it would become an entrapment for myself and other network / IT security personnel.

And that's just the tip of the iceberg...

The Washington Post explains more issues here: 

Computing The Value of Trust

posted Jan 26, 2016, 7:31 PM by Jer Cox

The stability of the world's economy relies on trust.  This trust exists between consumer and supplier, business and partner, financial institution and investor, and many other relationships that exist within the ever changing economy.  Loss of trust between a significant number of entities and a business, often results in the demise of that business.  Companies live and die based on the trust that exists between them and those they provide services or products to.  Trust is the key factor and the crux.

Trust extends into many other aspects of how we do business and how the financial system functions.  Ultimately and generally people trust the system.  They trust the system when they order a product from an online store or log in to their bank account.  They trust that the process is safe, secure, and that they are communicating directly with the company they intend to reach.  The system that makes all this work is TLS public / private key encryption.  TLS encryption replaced SSL as the standard method for encrypting data on the Internet.  The purpose of public / private key encryption is twofold.  One, it provides private point-to-point communication.  Two, it validates who you are actually communicating with.  This system of communication has created trust for communication online.

Because of that trust, the economy has shifted to an online dependent environment.  Even brick and mortar stores process transactions and run management systems through the Internet, and they use those same encryption protocols.  Without that trust in the system, individuals and businesses would change their current processes of obtaining products and services.  This change would cause disruption and chaos, and many businesses would go out of business.  Besides the obvious impact on all online stores, this would impact credit card companies and processors (which process their transactions almost exclusively via the internet), financial institutions, investment companies, and many brick and mortar stores who use the internet to manage their business.  So in essence, public / private key encryption is a critical system in today's economy.  Without encryption, communication on the internet can be intercepted and even modified midstream.

That all being said, let's break TLS encryption.  The first thing that will happen is that the public will lose trust.  After that, roll the dice on the economy.  Plan for another depression (not just a recession).  Convert all your money to gold, and go live off the grid.

Washington, please compute the value of trust, and put that in your rubric when deciding if you want to break the underlying foundation of the economy.


The 70/30 Rule of Internet Filtering

posted Aug 18, 2015, 11:12 AM by Jer Cox   [ updated Apr 25, 2016, 7:59 AM ]

Most people believe that when they purchase an enterprise grade filter to protect minors from harmful content on the internet, it's going to do exactly what the label says.  They believe that the device will protect their children from the deep dark corners of the Internet.  These filters do in fact cost an enormous amount of money, not only for the device, but also for the ongoing subscription.  So they should work, shouldn't they?

Yes, they do work, but not quite how you would think they work.  If you refer to my previous blog entry about the death of next generation firewalls, you will find that the Internet is embracing full encryption.  That encryption, combined with SSL pinning (effectively breaking decryption methods), should be changing how we think about filtering.

Today, SSL secured websites and services are either black or white.  There is no grey.  You can no longer filter an SSL service that utilizes SSL pinning by keywords and sub pages.  You either get it all, or you get none of it.  This is the world in which K12 and other organizations must rely on the website or service to provide an acceptable content filter for their service.  If they do not provide a way to filter objectionable content, then you have two choices: allow all of it or allow none of it.

What does that mean?  Well, in short, you either lock the Internet down tight like Fort Knox, making it nearly unusable, or you move on to a different way of thinking.  Yes, you need to change the way you think.

Filtering has never been, and never will be, a 100% technological solution.  There is no possible way to completely prevent filter avoidance, and there never has been.  Ask any middle or high school student; they can not only explain how to bypass the filter in the school, they can show you.  So the only answer to this problem is the same answer we used 20 years ago: supervision.

20 years ago, kids didn't look at pornography on the computer at school; they brought magazines.  There was no technological solution to prevent that: no way to scan them at the door for objectionable material, no way to prevent them from bringing it with them.  The only solution we had to stop it was to supervise.  Contrary to popular belief, this has not changed.  Supervision remains the only way to enforce acceptable use policies and the only way to effectively keep minors safe online.

So, why do we have filters at all?  Well, filters do a great service.  They help keep minors safe.  They are an effective measure in this process.  Essentially filters should keep minors safe from unintentional access to objectionable material (most of the time).  But they will in no way ever keep minors safe from intentional access to objectionable material.  It is simply a technological impossibility.

Because of that, K12 schools and other organizations that protect minors should adopt the 70/30 Rule of Internet Filtering.  Filtering is 70% supervision, and 30% technology.  Filtering companies will continue to do all that is possible to build better filters, but in the end, the majority of the responsibility must rest on responsible adults to supervise online activities.  Any other filtering policy is a total fallacy.



Custom Jewelry

posted May 3, 2015, 9:16 PM by Jer Cox

Sometimes you just need to buy your wife something that nobody else has.  Something that is as unique and beautiful as she is.  Occasionally I help out this Jewelry Store in Cedar City, UT.  Having seen many jewelry stores in my day, most seem to be living in the technology dark ages.  Not this one.  Not only can you actually watch as the owner creates or repairs your jewelry, but you can watch it on one of two large LCD TVs.  He has a microscope that is specifically for the customer... Just so you can see what he sees.  His work is not only fully transparent to the customer (unlike most jewelry stores) but also incredibly detailed and fine.  If you could have an Artwork category of Jewelry, these guys would steal the prize every time.  So if you want something unique, beautiful, and high quality you ought to drop by the Custom Jewelry Gallery in Cedar City, UT.  Ask to speak with Kyler, and tell them I sent you.

The Death of Next Generation Firewalls

posted Jan 13, 2015, 10:37 AM by Jer Cox   [ updated Jan 13, 2015, 11:29 AM ]

In the last few months we have seen a major push to encrypt everything on the web.  Services like letsencrypt.org promise full TLS encryption for any Linux based web server on the internet.  These new services are fantastic for increasing the security of the net.  The argument could easily be made that several governments unintentionally forced this new direction by intercepting massive amounts of internet traffic.  The resulting concern for privacy from government dragnets has spurred an enormous amount of public concern and frustration.  Since that time, many companies have begun to encrypt traffic that previously was not.  This is a common reaction in the IT industry after a major security risk is identified and subsequently exploited.


With this major push to fully encrypt the web also comes an unexpected challenge…


For many years several companies have been building web filtering appliances.  Many of these appliances are used in K-12 education where filtering is mandated by federal and state laws.  These filters view and intercept traffic in real time as it passes across a network.  


In more recent years several security companies have invested enormous amounts of R&D into a new security product that combines the power of three mainstream security products:  web filters, antivirus, and firewalls.  These products are called Next Generation Firewalls.  Next Generation Firewalls (NGFW) are able to detect more undesirable traffic on a network than any previous firewall, because of the depth at which they filter packets.  NGFWs operate on all layers of the OSI model and are able to detect undesirable traffic with the use of signature based analysis.  Signature based analysis has been used for years in the detection of viruses and malware in antivirus products.  The real power behind putting these processes in the firewall is that the firewall can block a virus before it even reaches a computer on the network.  NGFWs can also use signature based traffic analysis to detect other undesirable hacking attempts and security risks before they become a problem.


Most of the power in a NGFW is dependent on two key factors.  First, a NGFW needs to be able to see the traffic.  It needs to be able to see the actual unencrypted traffic as it passes from the client to the server.  Second, a NGFW needs to be able to compare that traffic with known signatures that can identify if that traffic is malicious.


In those two key factors, NGFWs have a real problem:  


We encrypt the web and the NGFWs respond with a Man-in-the-middle (MITM) method of decrypting the data.  In response to MITM methods of decrypting data, companies deploy SSL/TLS Pinning.  Pinning blocks any encrypted traffic utilizing an unknown certificate, with no option to bypass.  Some may argue that adding your firewall certificate to the computer's trusted certificates should solve that problem.  Pinning also effectively kills that technique: some browsers ignore system certificates for specific services, and the applications on mobile devices also tend to ignore any and all system certificates, period.
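An added model of the pin check described above (example code, not from the post or any vendor's product): the SPKI byte strings are constructed stand-ins for real DER-encoded public keys, and the three scenarios show why installing the firewall CA in the device trust store satisfies ordinary chain validation but still fails a pinned application.

```python
import base64
import hashlib

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs. Real SPKIs are
# ASN.1 structures; a pin check only ever looks at their SHA-256 digest.
SPKI_LEAF = b"constructed-spki:service-leaf-key"
SPKI_INTERMEDIATE = b"constructed-spki:service-intermediate-ca"
SPKI_PUBLIC_ROOT = b"constructed-spki:public-root-ca"
SPKI_FIREWALL_CA = b"constructed-spki:ngfw-interception-ca"
SPKI_FIREWALL_LEAF = b"constructed-spki:ngfw-resigned-leaf-key"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_is_trusted(chain, trust_store) -> bool:
    """System trust: the presented chain anchors in a CA the device trusts."""
    return chain[-1] in trust_store


def pins_match(chain, pinned) -> bool:
    """Pinning: accept only if at least one SPKI in the chain is pinned."""
    return any(spki_pin(spki) in pinned for spki in chain)


def connect(chain, trust_store, pinned) -> str:
    """Client verdict: the pin check runs on top of normal chain validation."""
    if not chain_is_trusted(chain, trust_store):
        return "reject: untrusted chain"
    if not pins_match(chain, pinned):
        return "reject: pin mismatch"
    return "accept"


# The app ships pins for the service leaf and its intermediate (a backup pin).
APP_PINS = {spki_pin(SPKI_LEAF), spki_pin(SPKI_INTERMEDIATE)}
DEVICE_TRUST = {SPKI_PUBLIC_ROOT}


def scenario_direct() -> str:
    """No interception: the genuine chain validates and matches a pin."""
    return connect([SPKI_LEAF, SPKI_INTERMEDIATE, SPKI_PUBLIC_ROOT],
                   DEVICE_TRUST, APP_PINS)


def scenario_intercepted_untrusted() -> str:
    """NGFW re-signs the connection; its CA is not in the device store."""
    return connect([SPKI_FIREWALL_LEAF, SPKI_FIREWALL_CA], DEVICE_TRUST, APP_PINS)


def scenario_intercepted_ca_installed() -> str:
    """Admin pushes the firewall CA into the trust store: the chain now
    validates, but no SPKI in it is pinned, so the pinned app still refuses."""
    return connect([SPKI_FIREWALL_LEAF, SPKI_FIREWALL_CA],
                   DEVICE_TRUST | {SPKI_FIREWALL_CA}, APP_PINS)
```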


For years, we in the security community have known that the antivirus industry's days are numbered.  Viruses that mutate and encrypt themselves differently with every infection entirely defeat signature detection.  These types of viruses have a different signature with every infection, thereby eliminating the ability to detect them.  For this specific reason the industry has been moving towards ideas like Trusted Computing (TC).  Apple's App Store, Google Play, and the Windows Store are all examples of this type of technology, where the software available is controlled and distributed with care to avoid unwanted code.


Having outlined the issues, it is obvious that NGFWs are built on ideas that are quickly disappearing.  Once these things change, the capability of NGFWs will significantly diminish.  So the real question is: if Next Generation Firewalls are on their way out, should we spend a half million to purchase a system and painfully implement a dying technology in our networks?
