County Coroner in Handcuffs - Gave out his password

Dynamic Security could have easily identified that the person logging in was not the coroner, since he or she was in the wrong place at the wrong time, or there were multiple logins.

---

Trust Isn’t Security

Frank Hayes February 12, 2007 (Computerworld) -- In Lancaster, Pa., last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.

And who did the coroner allegedly give his password to? Newspaper reporters. Now there’s a trusting user.

Wait, it gets scarier. According to the grand jury, the reporters said Kirchner gave them the password because he didn’t want to be bothered with their phone calls asking for details about homicides, fatal accidents and suspicious deaths.

The reporters weren’t charged with illegally accessing the Web site, because they testified under immunity from prosecution. Kirchner has denied the charges against him.

But the grand jury report quotes e-mails and computer forensic evidence that paint an ugly portrait of the coroner (who apparently ignored security policies and gave away his password within weeks of taking office in 2004) and the reporters (who ignored “authorized personnel only” warnings and accessed confidential information hundreds of times over an 18-month period).

And where was IT all this time? Not noticing, mostly. Eventually, an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office. But that was only after one reporter mentioned in a news report that some information came from the Web site, and a reporter from a competing newspaper called the county to find out why he didn’t have access.

That’s when a supervisor realized there had been a security breach, a police investigation began, logs were checked, passwords were changed, and the grand jury went to work.

Until then, everyone apparently assumed that because users were trusted with the information on the emergency 911 Web site, they could be trusted to keep it secure. Now there’s a trusting IT department.

That trust was misplaced. And not just trust in the coroner. After the reporters’ intrusion was discovered, logs were scrutinized more carefully. In 2006, four emergency responders were prosecuted for giving out their passwords, and two other people were arrested for accessing the site.

According to the grand jury report, the results of those password leaks weren’t trivial. In one incident, a 911 caller reported suspicious drug activity in his neighborhood. His name was supposed to be kept confidential. Because of the password leaks, it wasn’t. “That caller’s name was made known on the streets, and the caller was severely beaten in retaliation,” the grand jury report said.

We want to trust our users. We have to trust them, mostly — we can’t afford to watch them every second. And most of them are worthy of that trust.

But some aren’t.

Trusting is nice. It’s sociable. It’s convenient.

Don’t do it.

We have the technology to control network access to confidential information. Beyond passwords, we can limit users’ access with IP address whitelists and blacklists. We can use VPNs. We can scan logs after the fact, looking for IP addresses that don’t belong. We can’t catch every breach, but we likely can discover some accounts that have been compromised — and some users who can’t be trusted.

Yes, that gets ugly and unpleasant. So does what comes after: the why, the how-bad and the what-to-do-now.

But the alternative is a lot uglier. The results could be lost business and exposed customer information.

Or — as they’re learning in Lancaster — assaults and handcuffs. Frank Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.

RSA: Microsoft pledges support for OpenID

Dynamic Security could help integrate this authentication system into your present security programs and policies.

RSA: Microsoft pledges support for OpenID

Robert McMillan

February 06, 2007 (Computerworld Hong Kong) Microsoft Corp. has thrown its weight behind OpenID, an emerging Web authentication standard.

The announcement was made today at the RSA Conference in San Francisco during a joint keynote by Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie that was long on vision and short on specifics.

Microsoft pledged to work to integrate OpenID with its CardSpace identity management software, which is now available in conjunction with Windows Vista. "The marriage of CardSpace and OpenID 2.0 is actually a giant step forward," Mundie said.

By integrating these two technologies, Microsoft expects to "eliminate the issue of the man-in-the-middle-attack," Mundie said. In these attacks, which are increasingly being used by phishers, a thief steals sensitive information by setting up a fake Web site that passes information back and forth between the victim and the legitimate Web site.

OpenID is an emerging open-source standard that simplifies the task of logging on to many different Web sites.

Gates and Mundie spent much of their keynote discussing how their company plans to simplify security and make the process of managing digital identities easier.

IT professionals could achieve both ends by getting rid of log-in passwords and replacing them with strong, certificate-based authentication techniques like smart cards, Gates said. "Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is," he said.

"We see smart cards ... [and] certificates in general as the way these things should go. You'll be presenting certificates as opposed to weak passwords," he said.

Microsoft hopes to drive the adoption of smart cards, with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. Expected to ship on May 1, this software integrates technology from Microsoft's 2005 acquisition of Alacris with the company's Identity Integration Server. The software will make it easier for users to integrate strong authentication technologies like smart cards into Microsoft networks.

Mundie suggested that in order for security to work, technology companies will need to turn their thinking upside down, to a certain extent. "Security was really a blocking thing," Mundie said. "How do you invert this ... so these security mechanisms become a thing that makes it simpler for anyone to be granted permission to get [network] access."

Microsoft plans to achieve this by switching the focus using technologies like IPsec (Internet Protocol security) and IPv6 (IP version 6), Mundie said. The company has already been using these technologies for the past two and a half years in an internal access control system that is better about granting employees and contractors access to the data and applications that they need, but keeping them away from the rest of the network, he said.

With breaches being reported every week -- often after the loss of a laptop computer -- companies need to think beyond locking down the perimeter of their networks, Mundie added. "The threat model is changing in fundamental ways. We could continue to invest in this fortress mentality of protecting everything, but I don't think that would be sufficient," he said. "Our castle is fairly porous because a lot of our assets leave the castle."

Microsoft's broad vision did not impress one attendee.

"This was the most content-free presentation I've seen at RSA in years," said Bruce Schneier, chief technology officer with BT Group PLC's Counterpane unit. "My guess is that most people in the room could have given that talk because it's where we all want to go."

The keynote, in which Gates and his successor sat side-by-side and, at times, finished each others thoughts, appeared to be a symbolic handing over of power, Schneier said.

Gates will be stepping down from his day-to-day duties in July 2008, at which point Mundie will take over Microsoft's research efforts.

But Schneier doesn't expect Gates to appear at next year's conference. "The take-away is Craig's coming back next year, but Bill isn't," he said.

Weak passwords help hackers - How to enforce Password Policy?

Dynamic security can enforce password policies.

Study: Weak passwords really do help hackers

Four computers left online for 24 days were hit by 270,000 hacking attempts

Todd R. February 06, 2007 (Computerworld) -- Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems -- and what they do once they gain access.

Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.

Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between Nov. 14 and Dec. 8 at the school.

Cukier was not surprised by what he found. "Root" was the top guess by dictionary scripts in about 12.34% of the attempts, while "admin" was tried 1.63% of the time. The word "test" was tried as a username 1.12% of the time, while "guest" was tried 0.84% of the time, according to the experiment's logs.

The dictionary script software tried 43% of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.

Once inside the systems, hackers conducted several typical inquiries, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, downloading a file, installing the downloaded program and then running it.

For IT security workers, the study reinforced the obvious. "Weak passwords are a real issue," Cukier said.

At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.

"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."

Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.