August 18, 2005

Security Systems that fall in a heap if actually challenged...

Over on EmergentChaos, there are two security systems that failed dismally when a slight attack was launched. In building real security systems, we try to analyse everyone else's attempts, and especially the reasons for failure.

One is brought about by news of the London shooting of an electrician who was falsely tracked as a suicide bomber. Reading through the case (at least to the extent of the newspaper coverage there) the victim lived in an address named by past bombers, and was spotted leaving before the police were ready to take the building in a SWAT raid.

High level instructions were that he was not to enter the tube, and that the "all clear" had been given. Of course, he's in London so he's heading for the tube to go to his job. The "potential suicide bomber entering the tube" procedure is to isolate and shoot in the head, as far as I can tell, and this is carried out more or less adequately. The procedure is fatally brutal so as to not let the bomber detonate when he knows he is discovered.

The procedure as presented is "technically valid" although questionable at many reliability and ethical levels. The real underlying failure here was that the British Police just (successfully) hit their first false positive, and now they have to wrestle with the implications of the statistical unreliability of detecting bombers in advance. How many bombers and innocents do you trade for real victims of a real bomber?

The next observation is that this is what is known in the trade as an "own goal." Anti-terrorist operations have a particular strategy which is trying to force the bomber to make mistakes and thus take themselves out, a tactic that apparently came out of the Northern Ireland troubles. But it is by no means limited to the good guys; as things get more complex, more mistakes are made.

The question then is, how complex do you want to make "defence of the homeland?" It should be remembered that KISS - keep it simple, stupid - came out of the military where mistakes cost lives and lose objectives.

The third observation is that everything written about looks easy to defeat. Expect the next wave of suicide bombers to have addressed it. Which feeds into the complexity argument in both of the above directions.

Fourthly, if you are going to have a special weapons procedure for dealing with these extreme events, then do what the Brits do - make that a specially trained team, and only they get to do it. That part they got right, although the newspapers look to make it look like a schmozzle. Shoot to kill is not the sort of thing you want every policeman doing, that's the sort of thing that *has* to be handed over to the specialists, in order to preserve the integrity of ... well just about everything. But obviously handover of the task needs to be done very well, and it was botched in this case.

Fifthly and finally, there are several more victims here other than the direct victim. One is the notion of being able to catch the tube and do so with rights and so forth. And another is the policeman who followed the procedure and killed an innocent. And finally, faith in the British Police is likely to take a beating. The chilling effect alone may well be worse than a few bombs.

My prediction then is the shoot to kill policy will be drastically curtailed as it is too unreliable, and the damage it does is likely worse than the benefit it might bring.

Addendum. In a curious post, EC points to reports that someone was apprehended trying to smuggle a bomb onto a plane in the US. Obscurely, because the authorities decided he wasn't a terrorist, nobody made a big deal. Isn't that curious evidence of a security system out of control?

The second system is the comment facility on the EmergentChaos blog, which I can no longer use because my content is considered "questionable." It seems that the effort to stop spammers has stopped commentary, or at least mine. Some will find that amusing! This is a fairly simple case of the security being worse than no security at all, at least for this customer.

In the discussion about the apparently new epidemic of phishing, all the simple ideas have come out, such as the bank not sending out bad emails, and the users not clicking on bad emails. Also, the notion of a bank and a user sharing a special picture. Here's what I would have said if the anti-spamming protection hadn't stopped me (which enters the third security system that fell in a heap when challenged):

Sharing stuff with the bank is a dumb idea. Phishing is an MITM that allows the phisher to share his version of the website with the user ... and with the bank if so desired. That is, models like Passmark and SecurID tokens fall to a simple MITM, at least in theory. We haven't seen any of these attacks as yet because the basic MITM of phishing still seems to be working (read: steals lots of money) and the rollout of the dynamic checking models isn't that far advanced, I guess.

To paraphrase Lynn, "there was this little thing called SSL." It had certificates. They were supposed to stop MITMs by means of checking for spoofing against the identity of the site.

Wish to stop phishing? Stop the spoofing of the domain ... where the spoofing protection was built in the first place. (But as I mentioned, even that won't stop the rot at this stage because the attacks have jumped to the user's node.)
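To make the MITM argument above concrete, here is an added toy model (not code from the original post): a relaying phisher forwards the bank's shared picture and the user's one-time code unchanged, so both checks pass; only a code bound to the domain the browser actually verified (what SSL certificates supply) fails at the bank. All names and values (Bank, Relay, bank.example, the seed) are constructed assumptions, and the compromised-user-node case the post mentions is not modelled.

```python
# Added illustration, not the post's code: names and values below are constructed.
import hashlib
import hmac

BANK_ORIGIN = "bank.example"    # name on the bank's certificate (constructed)
PHISH_ORIGIN = "phish.example"  # the relay's own domain (constructed)
SEED = b"seed-alice"            # SecurID-like shared OTP seed (constructed)
PICTURE = "green-parrot"        # Passmark-like shared site picture (constructed)

def otp(nonce, origin):
    """One-time code: HMAC over the nonce, optionally also over the origin."""
    msg = nonce if origin is None else nonce + "|" + origin
    return hmac.new(SEED, msg.encode(), hashlib.sha256).hexdigest()

class Bank:
    """Toy bank; bind_origin selects the channel-bound protocol variant."""
    def __init__(self, bind_origin):
        self.bind_origin = bind_origin
        self.nonce = None
    def challenge(self):
        # Picture first (Passmark-style), plus a fresh nonce for the code.
        self.nonce = "nonce-1"  # fixed here for reproducibility
        return {"picture": PICTURE, "nonce": self.nonce, "bind": self.bind_origin}
    def login(self, code):
        expected = otp(self.nonce, BANK_ORIGIN if self.bind_origin else None)
        return hmac.compare_digest(expected, code)

class Relay:
    """Phishing MITM: passes both directions through untouched."""
    def __init__(self, bank):
        self.bank = bank
    def challenge(self):
        return self.bank.challenge()      # the shared picture is just bytes
    def login(self, code):
        return self.bank.login(code)      # the one-time code still works once

def user_session(endpoint, origin_seen):
    """The user talks to whatever is in front of them, checks the picture,
    and binds the code to the origin their browser verified, if asked."""
    ch = endpoint.challenge()
    if ch["picture"] != PICTURE:
        return False                      # picture mismatch: user stops here
    return endpoint.login(otp(ch["nonce"], origin_seen if ch["bind"] else None))

def direct(bind):
    return user_session(Bank(bind), BANK_ORIGIN)

def phished(bind):
    return user_session(Relay(Bank(bind)), PHISH_ORIGIN)
```

With the picture and OTP alone, `phished(False)` succeeds exactly like `direct(False)`; with origin binding, `phished(True)` is rejected because the relay cannot present the bank's domain to the user's browser.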

Asking users and banks to do the right thing is just like asking your politician to "do something." For more proactive work on fixing the technology to help the users and banks, have a look at the Anti Fraud Coffee Room.

Addendum: for those wondering what the pictures are, someone who might or might not be a nym sent me this:

Thursday morning at 7 am, the neighbor's wife called me. She wanted me to kill a cougar that their doberman had treed in the front yard. (her husband is out of town)

I talked her out of it. Cat just got scared of the dog. 95% of cougars do no harm their entire lives except to the turkeys and deer.

Took some pictures and put the dog in the kennel. Told the lady to stay indoors and not scare the cougar. It came down several hours later and left. (I wasn't there when it came down.)

I'll take that as evidence of a better security policy - think before you shoot. Thanks :-)

Posted by iang at August 18, 2005 09:19 AM

We think we found a bad regex, and you should be able to post again.

Posted by: Adam Shostack at August 18, 2005 08:19 AM

As far as I can tell, the single biggest mistake in the London shooting was that the guys with a license to kill didn't wear police uniforms, so for the victim they just looked like bad guys out to get him.
Moscow had its own series of underground blasts (the first one detonated in 1977 by Armenian separatists), some of them carried out by suicide bombers (the first one in August 1999 by Chechen separatists), so they installed armed guards with a license to kill a long time ago. But these are visibly armed with Kalashnikovs (welded stuck to semi-auto mode) and wear a distinct metro-police uniform with body armor. They are easily recognizable, and no one in their right mind would run from them if ordered to halt.
They appeared in St. Petersburg in 2003 to protect the large number of visitors that came for the tricentennial anniversary celebrations and did a remarkably good job. Basayev repeatedly threatened to carry out attacks in St. Petersburg that year, but nothing materialized. Probably, the security measures were extremely expensive and not sustainable in the long run (St. Petersburg being the home-town of the president, I'd imagine that there was a lot of external funding for that year's security), but they apparently worked at that time of (real or perceived) danger.

Posted by: Daniel A. Nagy at August 18, 2005 01:42 PM

"The third observation is that everything written about looks easy to defeat. Expect the next wave of suicide bombers to have addressed it. Which feeds into the complexity argument in both of the above directions."

I would expect the *current* wave of bombers to have addressed it - the obvious is a (in this case literal) dead man's switch, which the bomber need only release without first disarming the bomb. To put 7 bullets into the head of a suspected terrorist without any obvious means to conceal a bomb, AFTER you have him physically restrained, is a procedure that seems so wrong for so many reasons I have trouble finding what is *right* with it....

Posted by: Dave Howe at August 18, 2005 10:21 PM

Ian, before designing countermeasures for phishing, have a look at the PWSteal/Bancos/ASH malware. I'm not sure how much of the U.S. phishing loss is actually due to trojanized end user machines, but once you've got rather strong protection against MITM attacks (microbrands, one-time passwords), I'm sure you'll see them in the U.S. as well. The attack technology is already there, so better deploy something which defeats it.

Posted by: Florian Weimer at August 19, 2005 01:55 AM

Dave, yes, that's a possibility, although I'm not so sure. The complexities of using it while approaching the target zone will likely result in a lot of premature detonations. Another alternative is the booby trap. Personally, I'd attempt to work the team in pairs, and have an override with the other guy, using a low powered 802 device.

Is the procedure wrong? It looks wrong, and bone-headed but we have to be careful that the press writeup isn't going to be fair. From a military perspective, it looks like a very tough problem, and that looks like "one way" to address it. Also, if it came from the Israelis, then that gives it some pedigree.

That's as a procedure. My concern is that even if it does result in some sort of success rate, the shift in balance of society's rights and expectations is so severe that the result will do more harm than good. That is, people walking down the street will know that they are now potentially in a "friendly fire" zone as well as a terrorism zone. Londoners are used to bombs, but this is something new.

Posted by: Iang at August 19, 2005 02:16 AM

Florian, yes, this is the vulnerable underbelly of the whole game. Even if MITM was sorted out, it will in the short term shift straight to attacking the microsoft platform.

How to deal with this? I don't think it is fair to let Microsoft blame phishing on browser problems, and I don't think it fair to let browser people blame it on the Microsoft OS weakness. They should both be fixed, and they should both be held accountable.

Posted by: Iang at August 19, 2005 02:19 AM

Daniel, troops on the streets would be to paramilitarise, and I agree that's something of a cost which only works if there is a high value target. It's easy to find some place where the troops aren't patrolling.

Also, paramilitaries alert the enemy, and this was meant to be an undercover operation. If the bomber knows a heavy dude with weaponry is ordering him to freeze, he can generally get the trigger pulled.

Posted by: Iang at August 19, 2005 02:34 AM