Saturday, July 4, 2009

How will my loved ones break my password?

Just a few days ago I posted about a new Swiss web service from DataInherit to manage the life cycle of your sensitive data and credentials. Coincidentally Cory Doctorow has an article in the Guardian this week on the same topic, fretting about passwords being carried off with loved ones into the next life. While creating a will with his wife, Doctorow was stumped by how to deal with his data, and specifically the secrets that protect that data. His various hard disks are protected by AES-128 encryption and a passphrase that is unlikely to succumb to anything less than quantum leaps in quantum computing. So while Doctorow feels safe against theft of or attacks on his data, he wonders about the following scenario:

But what if I were killed or incapacitated before I managed to hand the passphrase over to an executor or solicitor who could use them to unlock all this stuff that will be critical to winding down my affairs – or keeping them going, in the event that I'm incapacitated?

After considering several technical and non-technical approaches he finally decided on the following solution:

I'd split the passphrase in two, and give half of it to my wife, and the other half to my parents' lawyer in Toronto. The lawyer is out of reach of a British court order, and my wife's half of the passphrase is useless without the lawyer's half (and she's out of reach of a Canadian court order).

Doctorow remarks that the surprising outcome of this process was the realisation that we are missing a well-known service for handling key escrow in the era of military grade encryption in the hands of professionals and home users. He concludes that “you need to figure this stuff out, before you get hit by a bus and doom your digital life to crypto oblivion”. I think that DataInherit will be giving him a call.

Friday, July 3, 2009

Excellent Awareness talk from British Airways

There were several great talks at the recent ENISA conference on raising IT Security Awareness. I would like to mention one here from Robert Hadfield of British Airways called “Silver Bullets, Kangaroos and Speed Cameras”, which is embedded below from Scribd.

Hadfield began by reporting on an experiment where 100 identical emails with an executable attachment were sent to employees marked as urgent. The result was that 84 people opened the email, and 69 also executed the attachment. So, he said, we have a problem with people. To justify a security awareness program he gave the following very wise reasons:

  1. Simple human error, ignorance or omission is most commonly at the root of any security breach
  2. We need to enable employees to acquire security knowledge by using their own reason, intuition and perception. We must seek long term behavioural change.
  3. Pound for pound, raising awareness will improve security far more effectively than any technical solution can ever hope to achieve.

He also noted that since the average cost of a security breach is about £50,000, awareness programs can pay for themselves if they prevent one or two of these incidents per year. Even so, how do you effect change on a group of 45,000 mostly uninterested employees? Hadfield found great success in meet-the-people workshops and roadshows, which were reported as a very effective awareness mechanism by other speakers at the ENISA workshop as well, and were also the main conclusion of an ENISA survey conducted by PwC last year. Hadfield reports that over 200 workshops have been undertaken this year, resulting in over 2000 people being trained. BA also uses other channels besides workshops, and one of their clever posters is shown below - a reminder to users to lock their desktops when wandering off for a coffee.


I am leaving out many clever observations and graphics, so please take a look at the presentation for yourself.

IT Security Awareness presentation from British Airways, June 2009

Wednesday, July 1, 2009

The DataInherit Service – Swiss Secure Internet Escrow

I would like to announce the availability of a new secure internet storage service called DataInherit, co-founded by one of my former Swiss colleagues Tobias Christen. DataInherit is more than secure storage – it is a service for keeping sensitive data and credentials in trusted escrow for defined beneficiaries. This is an implementation of digital inheritance, supporting the ongoing life cycle of digital data. The DataInherit site contains a good explanation of their vision, and you can read more about the DataInherit security architecture on Scribd (document embedded below).

Digital Inheritance

Wednesday, June 24, 2009

The Risk of Degradation to GPS

In April the Government Accountability Office (GAO), the audit and investigative arm of the US Congress, announced the results of their study on sustaining the current GPS service. The main finding was that the GPS service is likely to degrade over the next few years, both in terms of coverage and accuracy, due to a decrease in the number of operational satellites. Using data provided by the US Department of Defense (DoD), the GAO ran simulations to determine the likelihood that GPS can be maintained at its agreed performance level of 24 satellites operating at 95% availability. The graph below shows a 24-strong GPS constellation dipping below 95% availability in the 2010 fiscal year, and dropping as low as 80% before recovering in 2014. The jittery sawtooth nature of the graph is derived from the tussle between the failure of existing satellites and the launching of replacements, with the failure rate dominating for the next few years.

Needless to say the GAO findings have been widely discussed, and were further publicised in a recent televised congressional hearing. The US Air Force, which runs the GPS program for the DoD, has had to assure its military peers, various congressmen and an anxious public that the GPS service is in fact not on the brink of failure – a scenario not even considered by the GAO report. Articles in the popular press such as Worldwide GPS may die in 2010, say US gov from the Register are not helping matters. So how did the GPS service end up in this predicament? According to GAO, the culprit is poor risk management in the execution of the GPS modernisation program.

GPS is a critical service, particularly for the military, as it provides information for the calculation of position, velocity and time. As noted in the GAO report, “GPS has become a ubiquitous infrastructure underpinning major sections of the economy, including telecommunications, electrical power distribution, banking and finance, transportation, environmental and natural resources management, agriculture, and emergency services in addition to the array of military operations it services”. Specifically, GPS is used to guide bombs and missiles to their targets – and we don’t want inaccuracy in those calculations!

There are currently 31 operational satellites, orbiting 12,600 miles (20,200 kilometres) above the Earth, a seemingly safe margin over the required 24. The constellation has grown to this size as the current roster of satellites have performed far beyond their expected operational lifetimes. Even so, according to a DoD report issued last October, 20 satellites are past their design life, and 19 are without redundancy in critical hardware components.

The main threat scenario is that a substantial number of satellites will reach their operational end-of-life before they can be replaced, thus reducing the size of the constellation. Or simply put, the satellite failure rate may exceed the refresh rate. This is not really a question of whether GPS will become extinct (all satellites fail) since GPS will become ineffective long before the number of satellites gets anywhere near zero.

What is the impact of a degraded GPS service? Well, the first point is that GPS currently delivers a much better service than committed to, due to the additional satellites above the required 24. So the service impact when dropping below 24 satellites will be quite noticeable. The accuracy of GPS-guided missiles and bombs will decrease, therefore increasing the risk of collateral damage. This leads to a vicious circle where even more missiles or bombs will be required to take out a given target.

Since the current generation of satellites have lasted so long, and GPS still remains under threat of dropping below a 24-strong constellation, there must be some problems with the rate at which the constellation is being replenished. And according to the GAO report, there have indeed been severe problems in executing the GPS program as planned. The current GPS program has experienced cost increases and schedule delays. The launch of the first new satellite is almost 3 years late and the cost to complete the new program will be $870 million over the original estimate.

GAO cites a multitude of reasons for this predicament including multiple contractor mergers, moves and acquisitions, technology over-reach (a common malady for military projects), the short tenure of program leaders, and general “diffuse leadership” (no one group or person is really in charge).

GAO strongly recommends an improved risk management process. In a recent post The Risk Analysis of Risk Analysis I reviewed an article on when to apply a sophisticated risk methodology called Probabilistic Risk Assessment (PRA). The conclusion was that the difficulty, expense and potential inaccuracy of PRA can only be justified when projects are on a grand scale, and the multi-billion dollar GPS program certainly qualifies. And here the risk equation is not merely about technicalities and project management (hard as they are). There is also an overarching directive from the US government to be the premier global provider of GPS services. Europe, Russia and China are creating their own constellations, but relying on these “foreign” constellations does not seem to be an option.

Various representatives from the DoD have responded to the GAO report, stating that action must and will be taken to improve the current GPS constellation. It is likely that the service will experience degradation over the next 5 years, but the DoD claims it can be managed and predicted (you can calculate when and where there will be gaps). Let’s hope they’re right.

Tuesday, June 23, 2009

Spike in ToR Clients from Iran

ToR (The Onion Router) is a well-known public anonymity service that obscures routing information through encryption and packet path randomization. I posted about the basics of ToR last year in Anonymity at the Edge, concerning an incident where a 21-year old Swedish computer security consultant ran afoul of various authorities for his involvement in the exposure of account details harvested from ToR.

As a by-product of the current turmoil in Iran and the censorship of Internet connections, there has been a dramatic increase in the number of ToR clients (connection points into the ToR network) created from Iran. Tim O'Brien at O'Reilly Radar spoke to Andrew Lewman, the Executive Director of the Tor Project, and Lewman stated that
New client connections from within Iran have increased nearly 10x over the past 5 days. Overall, Tor client usage seems to have increased 3x over the past 5 days. There are a lot of rough numbers in these statements, and they are very conservative.
You can find some additional technical details in Lewman's own post on the topic, including this graphic:


Lastly, I recently recommended the Compass site for a good collection of technical documents on security, and you can find their description of an attack on ToR here.