networkworld.com

Basically a technical guy – developer/sysadmin – didn’t get promoted, got mad, quit and then spent weeks hacking into his old workplace and causing trouble. Electronic version of old crimes: “break and enter” and “vandalism.”

With a robust system to control privileged access, the amount of damage he managed would have been far reduced…

So why is it, really, that we’re still using passwords? We all thought they’d go away years ago, right?

It turns out that every type of credential is some sort of compromise, so let me try to capture all in one place what’s nice and what’s not so nice about every approach (in general – I won’t pick on any products here):

wired.com

Basically a couple of guys who, in 2010, noticed that AT&T was improperly publishing e-mail addresses of customers with iPads and who (a) collected those e-mails and (b) sent the list to the press to point out AT&T’s lapse, got slapped with jail time today.

To be clear: these guys just fetched content from the web which should not have been there. They didn’t “hack” into any system, unless I misread this.

This will doubtless have a chilling effect on security research and on reporting of security problems.

Of course, the bad guys don’t care about such rulings — it just handcuffs (literally in this case) the good guys.

Scary how powerful large corporations have become in the US – it looks like they influence over both the legislative branch of government and over the judiciary.

I couldn’t have said it better myself. Why do people persist in weird and wacky date formats? What’s the point? Isn’t 2013-03-05 simply better, clearer, shorter, more sortable and basically superior in every conceivable way?

Do different cultures and locales really still need their own, weird, mutually-incomprehensible and obviously-not-as-good-as-ISO date formats? Really?

This would be a cool device to surreptitously plug into their AC and wall power:

Very slick. And very dangerous. Funny that nobody talks about these things … is it because only the low-tech, user-must-have-been-duped attacks are press-worthy?

Recently, the security firm Mandiant provided a detailed analysis of systematic, industrial-scale attacks against US and other private interests by a large, government-supported, well funded Chinese military agency. This was a wonderfully interesting read because it was full of evidence, analysis, clear links to a state actor as the aggressor, estimates of the scope and duration of attacks against private sector targets and more. Brilliant stuff.

Obviously, China denied the allegations (and why wouldn’t they?). Of course, none of that detracts from the detailed and convincing evidence, so clearly the Chinese feds are just engaged in mindless damage control and PR. No big deal – that’s the sort of stuff governments do.

Forceful public denials didn’t seem to convince anyone, though, so now they have a new tactic – complain that US hackers are attacking them instead. They claim 144,000 “attacks” per month against a couple of military-related web sites.

Call me crazy, but I’m dubious. First, no evidence was provided, so who knows if the number just came out of some marketing hack’s rear end or represents anything factual?

Second, what constitutes an attack? Our corporate web site is hit by thousands of script kiddie connection attempts daily, presumably hoping to take advantage of a buffer overflow or bug in some software or other, which isn’t even installed on our site. This sort of “attack” traffic is just a normal part of the web traffic for most sites. Should we consider these connections to be “attacks” or just random “probes?” If they come from compromised machines that happen to be in the US, does that mean that “the US is attacking us?” I hardly think so.

So clearly the Chinese government’s public relations hacks are behaving like children, as you would expect them to:

• They don’t seem to know what an “attack” is.
• They don’t seem to understand the value of “evidence.”
• They are engaging in a transparent effort to save face, after having been caught with their hand in the cookie jar.
• They cannot seem to differentiate between “state actors” and “IPs registereed in that jurisdiction.”
• Of course, they have provided no evidence that Mandiant’s report is in any way untrue. Think about it — if that report was wrong, they could just march some reporters from the BBC or CNN or something into the building where the operation is purported to be taking place and show them that there are no hackers here. Easy, case closed, Mandiant would have egg on their face. What? They haven’t done that? Surprise, surprise!

The discussion above is not meant to imply, by the way, that the US military does not engage in “cyber warfare” — just that they are much more sophisticated and effective than this silly press release suggests. Think Stuxnet, not script kiddie. I’m not sure that they target China much either. Probably not enough Chinese-speaking US hackers to do that effectively. I think they are much more concerned with military and nuclear targets in Iran than Chinese commercial interests.

• Eliminate security question enrollment and authentication using security questions from their internal, corporate password reset system.
• Instead, ask each user to enroll their personal e-mail address (i.e., @gmail.com, @yahoo.com, etc.)
• If a user forgets their corporate AD password, send a PIN to their personal e-mail address that will then be used as the sole form of authentication.

Now maybe you’ve been living under a rock, but it seems to me that a bunch of consumer-facing web sites have been hacked in the past year or two. That means that this organization would lower the security of their corporate systems and applications to the security of public e-mail systems, which are vulnerable to phishing, keylogging attacks, DNS poisoning attacks, cookie stealing attacks, PC malware and who knows what else.

In short, no security at all.

I’m amazed that any corporation would consider such a thing.

The report is here by the way — and it’s a very interesting read. Recommended.

Anyways, people are treating this as though it’s shocking new information. Really? You didn’t know that the Chinese state spies on foreign entities, principally corporations, to gain commercial advantage? I would think that’s well known and unsurprising.

At the same time, people treat this as though it’s only the Chinese doing it. One of the largest government agencies in the US is the National Security Agency (NSA). What do you imagine they do for a living?

More than that – we should think about the nature of cyber warfare. The Chinese, from recent experience, are really interested in just two things:

• Criticism of their leadership, and in particular the interesting ways in which their families accumulate extreme wealth.
• Commercial information — intellectual property, pricing information, plans for take-overs, mineral development, etc.

So what does the US focus on? It seems they’re more interested in traditional targets for spying — foreign governments and military agencies. Interestingly, the US does something in the cyber warfare space that no other government seems to do (yet?), and that is to deploy an offensive capability. Worms such as Stuxnet have been spectacularly successful at delaying Iran’s ability to refine weapons-grade uranium, and represent a capability and military policy totally unlike China’s.

So what do we take away from all this?

• Yes, just as everybody already knew, and despite the totally non-credible denials, China’s military engages in espionage on an industrial scale.
• China’s hacks are focused on fairly mundane stuff: IP theft, commercial intelligence and protecting the reputations of their leadership.
• The US, in contrast, has a conventional espionage regime, targetting governments and military agencies.
• Also unlike China, the US both possesses and has deployed an offensive cyber-warfare capability

It may only be a matter of time before other players engage in the offense or emulate China’s commercially-oriented spy tactics.

We live in interesting times.

That’s all well and good – it made perfect sense in an environment where security rights are assigned to a user persistently, without a time domain component. These days, however, we have products such as Hitachi ID Privileged Access Manager, and doubtless others. Using software in this category, it becomes possible to temporarily grant a user membership in privileged groups (e.g., Domain Administrators and the like), for just long enough to complete a task. That means that a user’s normally unprivileged account can be made privileged for a short time period. This approach has audit benefits — we can track not only who has admin rights, but when and for what purpose.

If this approach is used, going back to the notion of two accounts per user, we should ask ourselves: do IT workers such as system administrators still need that second, privileged account?

I think the answer is “no” – temporary privilege escalation is a cleaner, more transparent and easier to manage solution.

So lets stop creating these admin IDs, and instead focus on controls around and audit records of privilege escalation.

Some people seem to think that it’s password management. Some even go so far as to call this product category a “password vault.”
But what about granting someone temporary access to elevated access rights in some other way? What about temporary group membership, or temporary SSH trust relationships, for example?

A few years ago, we renamed our software in this cateogry from “Privileged Password Manager” to “Privileged Access Manager” for just this reason — because there were mechanisms at play which have nothing to do with passwords.

I’m still thinking about what it is that really defines this product category, however, and I think I’ve hit on the *one* *key* feature. That feature is granting temporary access — i.e., adding a temporal element to an access grant. If you can control *when* someone gets access to something, then you create a much more interesting audit trail and have an opportunity to generate forensic data, such as screen captures and kelogging (among many others). The key, though, is *time*. You can run these commands as root/Administrator/whatever for the next 2 hours. You can do that either because you were pre-authorized or because someone approved your workflow request, but it’s bounded in time and space.

So that’s my thought for the day. Privileged Access Management is fundamentally a problem in the time domain.

Happy Monday.