Friday, July 23, 2010

Hard-coded default passwords? The Ostrich to the rescue!

Some days I feel the world would be a much easier place to live in if we simply adopted the ostrich approach. If something looks slightly challenging, let’s just stick our head in the ground for a while and the problem will simply go away.


Those of you who enjoy tracking threats, attacks, malware and the like have probably heard about the Stuxnet worm by now. For the rest of you, it is malware targeting Windows environments running Siemens software used by industrial companies. Once on a system, it uses Siemens default passwords to connect to the database and collect information.

Doesn’t sound like a big deal. Nobody is using default passwords these days, and even if they foolishly did, just change the password and have a good night’s sleep, right?

Ahem… unfortunately not, or I would have had to look for a different topic for my post…

Those of you who follow my blog know by now that I’m not really a security radical, but rather moderate and open-minded when it comes to the way security specialists grasp the world. But I can tell you that this incident is mind-boggling even for me.

Sin #1: using hard-coded passwords – happens from time to time, irresponsible behavior, slap on the wrist.

Sin #2: sin #1’s hard-coded passwords are the default ones and are the same for all customers – doh!

Sin #3: these passwords cannot be changed (per Siemens) or the systems will stop working – what were these guys thinking? It is even worse than creating a system with no authentication mechanism at all, zip, open to the public, web 2.0 like... You communicate a FALSE sense of security that there are controls in place to secure usage of the system (i.e. authentication), yet the passwords are known to the public and cannot be changed?!

Top it off with Siemens’ response (they reportedly advised customers not to change their default passwords, arguing it “may impact plant operations”), leaving customers out there in the cold, having to choose between bad and worse…

There are many articles describing this incident, an example: http://tiny.cc/osg8q

I’m positive Siemens will snap out of their current state of mind and resolve it, but the unfortunate part is that this phenomenon and state of mind are not limited to Siemens. Some still use hard-coded passwords, some still use default passwords and some don’t change passwords at all.

It is time to GET BACK TO THE BASICS!

1. Authentication between systems should be externalized and governed by processes/tools that can rotate and secure credentials.

2. Default passwords might be good for the initial bootstrap/setup procedure, but they should be changed afterwards and should definitely be unique per customer.

3. There are tools designed to address the whole privileged accounts challenge, regardless of whether the access is performed by humans or by non-carbon-based entities (such as applications, services, or devices).
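To make the three points concrete, here is an added example (my own illustration, not Siemens code or anything from the articles cited): a small credential broker in Python with an assumed 90-day rotation policy and made-up account names, showing a per-installation bootstrap secret that must be rotated before use, broker-side rotation that leaves consumers untouched, and an audit of accounts still on bootstrap or stale secrets.

```python
import secrets
import time
from dataclasses import dataclass

MAX_AGE_SECONDS = 90 * 24 * 3600  # assumed rotation policy: 90 days


@dataclass
class Credential:
    secret: str
    issued_at: float
    bootstrap: bool  # True until the installer rotates the initial secret


class CredentialBroker:
    """Keeps service-to-service credentials outside application code: the
    application asks the broker for the current secret instead of embedding it."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock, so the rotation policy can be tested
        self._store: dict[str, Credential] = {}

    def bootstrap(self, account: str) -> str:
        # Point 2: the initial secret is random per installation, never a
        # vendor-wide constant, and it is flagged so it must be rotated.
        cred = Credential(secrets.token_urlsafe(24), self._now(), bootstrap=True)
        self._store[account] = cred
        return cred.secret

    def rotate(self, account: str) -> str:
        # Point 1: rotation is a broker operation; consumers are unaffected
        # because they fetch the current secret instead of hard-coding it.
        cred = Credential(secrets.token_urlsafe(24), self._now(), bootstrap=False)
        self._store[account] = cred
        return cred.secret

    def fetch(self, account: str) -> str:
        # Refuse to hand out a credential that is still the bootstrap one or
        # older than the rotation policy allows, so the application fails loudly.
        cred = self._store[account]
        if cred.bootstrap:
            raise PermissionError(f"{account}: bootstrap credential must be rotated")
        if self._now() - cred.issued_at > MAX_AGE_SECONDS:
            raise PermissionError(f"{account}: credential past rotation age")
        return cred.secret

    def audit(self) -> list[str]:
        # Point 3: one place to list accounts still on bootstrap or stale secrets.
        now = self._now()
        return sorted(a for a, c in self._store.items()
                      if c.bootstrap or now - c.issued_at > MAX_AGE_SECONDS)
```

Two installations that both call `bootstrap("scada_db")` end up with different secrets, which is exactly the property a vendor-wide default lacks.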

Contrary to the common belief that powerful internal credentials are a target for insider threats only, the reality is that privileged accounts are a gem for external attackers. More frequently than you imagine, external attacks target these powerful accounts, as hijacking them makes external hackers’ life/job much easier.

Next week is Burton Group’s Catalyst week; stay tuned for my take-aways/insights from the conference and sunny San Diego!

Tuesday, July 20, 2010

The Jerry Maguire take on Security

I have a strong feeling this post is going to be my Jerry Maguire’s “Mission Statement”…

A couple of comments for those who have not seen the movie:
1. Keep reading, as watching the movie is not a prerequisite.
2. You should probably consider watching it; it has some funny quotes.

A recap - Jerry Maguire is a 1996 film starring Tom Cruise about a sports agent who has a moral epiphany and is fired for expressing it, who then decides to put his new philosophy to the test as an independent with the only athlete who stays with him (Wikiquote.org - http://tiny.cc/sqj8p).

My case is obviously different: it is not so much an epiphany but rather some thoughts/insights, and the whole firing part???

Despite the many changes the security community experienced, one thing seemed to stick with us throughout the years (especially as compliance has been bolted on to security) – FEAR.

If we’ll scare them they will come!

Fear as a way of thinking about the challenges, fear as a design criterion, fear as a way to prioritize features, fear as a driver for pricing, and certainly fear as a selling tactic.

It is kind of a negative way of thinking, don’t you think?

Recently I participated in the Enterprise 2.0 conference. Surprisingly, these guys approach issues differently, on the verge of a Woodstock atmosphere. It is all about collaboration, opening up the organization, loosening controls, doing good for everyone (rainbows and violin background music…). Almost too much positive thinking for me…

In the audience I could notice quite a few CIOs, most of whom participate in our (security) conferences as well. It is simply mind-boggling what must be going through their minds when they hear both the Enterprise 2.0 and the security pitches. The contradiction is simply amazing.

So who has it right?
Are we right and they are naïve, or do they have it right and we are simply afraid?

As with most things, I believe the truth is somewhere in between.

You would rightfully say organizations spend their security budgets addressing threats. And Rod Tidwell’s immortal motto (from the movie, of course) is probably correct: “Show me the money!” Security vendors should continue addressing these threats and fears. Hey, this is our thing and we should keep on doing it.

However, I still believe there is a place for positive thinking in our domain (security). The infrastructure footprint of our security systems and the information they are exposed to can be leveraged for positive spins. Topics such as increased awareness, productivity and reduced cost can all be addressed.

Just a few simple examples (I’m keeping the really interesting ones for internal usage…):
1. While monitoring usage of applications, the system can recommend (potentially even automate) adding the more popular apps under the SSO umbrella.
2. As we monitor behavioral patterns for fraud detection, we can help optimize web applications, increasing productivity and reducing cost.
3. While controlling access to unstructured data, we can identify usage frequency and suggest lower-cost storage for hardly used documents or “cache” more frequently used data.
4. Even a small frustrating thing such as a laptop’s startup time can be improved: as application usage is monitored, we can identify hardly used apps/services and remove them from the startup sequence.

Can you imagine positive thinking becoming a differentiator in the security domain?
Do you believe customers will actually be willing to spend their security $$$ on positive things?