
Re: what are realistic threats?



At 10:30 AM 9/26/94 -0400, Dave Kristol wrote:
. . .
> . . . I know it's theoretically possible to intercept
>and change messages, or to inject new ones, but I think to do so
>requires a level of sophistication and access that is unavailable to
>all but a very small number of people.

Consider the following (from a document in draft):

"1.5.4.3  Magnification of Threats"

"The Internet magnifies threats to itself, because it helps attackers in
two important ways.  First, the Internet enables attackers to share
information that reduces the technical effort and skill needed to make an
attack.  Thus, all aspiring attackers do not need to be equally smart.  For
example, some vulnerabilities can be exploited automatically by attack
software running on an inexpensive host.  For such a vulnerability, attack
software might be developed and perfected by a single clever amateur who
enjoys this kind of intellectual challenge.  Some skilled amateurs also
enjoy the notoriety gained from telling others how to make attacks.  These
experts can make their software easily available -- through the Internet,
through other public and commercial networks, and through underground
computer bulletin boards -- to a wide range of less skilled attackers,
including professionals who might use it for profit.  Thus, the level of
skill needed to make an attack can be much lower than that needed to find a
vulnerability, design an attack, or build an attack mechanism."

"Second, the Internet provides access to make attacks and shields the
attacker.  The Internet has international geographic reach and great
topological complexity, and Internet access in many cases is not directly
billed to users.  Some sites actually provide free and anonymous access,
and there are important reasons why this is not likely to change.  For one,
Internet access is becoming similar to access to public libraries, and
anonymous access to libraries is desirable in a democracy.  On the other
hand, the Internet may be compared to the public phone system, which
provides accountable access via most personal and business phones, but
anonymous access via pay phones.  Both systems have numerous points of
unauthenticated access with almost no ability to trace back to identify the
user.  This makes attacks possible from a great distance, with small chance
of detection, and at small cost to the attacker.  It also presents great
obstacles to legal prosecution should the attacker be identified.  The
ability to carry out attacks with presumed anonymity and impunity, and
potentially small cost to the attacker, encourages attacks, especially by
amateur pranksters."

. . .

>My point:  while we can (attempt to) design spook-proof security schemes,
>I think we can achieve a huge part of what we really seek with relatively
>simple, low-cost technology.

I'm all for simple and low-cost, but consider this:

"1.6.3.1  High Quality in Security Designs"

"Ideally, Internet security should be perfectly invulnerable, but that
would require perfect designs, perfect implementations, and perfect
operation.  In reality, imperfect implementation and imperfect operational
management are expected, but the designs still should be as good as
possible.  Internet protocols should not adopt technology that offers only
marginal benefits and addresses only limited threats in exchange for other
advantages, such as perceived simplicity or ease of deployment.  In the
long run, low-quality security might be worse than none at all."

"There are three main reasons for insisting on high-quality designs.
First, low-quality technology gives users a false sense of security.  Aside
From being unfair to users, this may cause them to rebel against other,
perfectly good security measures when a something-is-better-than-nothing
measure fails.  For example, to block unauthorized logins from password
guessing, one might adopt a policy of requiring long, pseudo-random
passwords.  However, as shown by recent use of "sniffer" programs, any
static password scheme is vulnerable to passive wiretapping and should be
avoided whenever the network path may be vulnerable to such attacks."
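As an added illustration of the paragraph above (example code written for this page, not from the draft or from the poster), the following Python simulates a network path with a passive wiretap and compares a static-password login with a challenge-response login. The user name, password and the `Wire` class are constructed stand-ins for a real credential store and network.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store; the user and password are hypothetical
# values for this example, not anything from the draft being quoted.
CREDENTIALS = {"alice": b"correct horse battery staple"}


class Wire:
    """A network path with a passive wiretap: every message sent is recorded."""

    def __init__(self):
        self.captured = []

    def send(self, msg):
        self.captured.append(msg)
        return msg


# --- Static password scheme: the reusable secret itself crosses the wire ---

def static_authenticate(user, password):
    stored = CREDENTIALS.get(user, b"")
    return hmac.compare_digest(stored, password)


def static_login(wire, user, password):
    """Client sends (user, password) as-is; the server compares it."""
    _, u, p = wire.send(("static", user, password))
    return static_authenticate(u, p)


def static_capture_reusable(wire):
    """Does the wiretap's copy of the login message still authenticate later?"""
    _, u, p = wire.captured[-1]
    return static_authenticate(u, p)


# --- Challenge-response scheme: only a one-time proof crosses the wire ---

def new_challenge():
    return secrets.token_bytes(16)


def response(password, challenge):
    return hmac.new(password, challenge, hashlib.sha256).digest()


def cr_authenticate(user, challenge, resp):
    stored = CREDENTIALS.get(user, b"")
    return hmac.compare_digest(response(stored, challenge), resp)


def cr_login(wire, user, password):
    """Server issues a fresh nonce; the client proves it knows the password
    without ever sending the password itself."""
    challenge = wire.send(("challenge", new_challenge()))[1]
    _, u, c, r = wire.send(("response", user, challenge, response(password, challenge)))
    return cr_authenticate(u, c, r)


def cr_capture_reusable(wire):
    """Present the captured response against a fresh challenge: it should fail."""
    _, u, _, r = wire.captured[-1]
    return cr_authenticate(u, new_challenge(), r)


def demo():
    static_wire = Wire()
    cr_wire = Wire()
    return {
        "static_login": static_login(static_wire, "alice", CREDENTIALS["alice"]),
        "static_capture_reusable": static_capture_reusable(static_wire),
        "cr_login": cr_login(cr_wire, "alice", CREDENTIALS["alice"]),
        "cr_capture_reusable": cr_capture_reusable(cr_wire),
    }
```

The static scheme's captured message authenticates again on its own, however long or random the password was; the challenge-response scheme's captured response does not, because the server only accepts it against the nonce it was computed for. One caveat still applies: a captured challenge and response let an eavesdropper test password guesses offline, so the password must remain long and unpredictable even under the stronger scheme.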

"Second, implementation of low-quality security might discourage later
deployment of better security because of repeated costs of implementation,
installation, and education.  For example, if a homeowner takes the trouble
to have new locks installed, it might be a mistake to install easily picked
locks.  Switching to better locks at a later point in time would incur a
locksmith's labor charges again, plus require distribution of new keys to
family members and trusted neighbors."

"Third, low-quality security might increase vulnerability because of
unforeseen technical or administrative problems.  Some clever attacker will
eventually exploit the flaws in any low-quality measure, distribute the
attack tools on the Internet, and make worthless the entire investment in
the measure.  For example, it was suggested that a public key exchange
(Diffie-Hellman) be offered as an option in the TCP connection
establishment procedure.  However, because of a size limitation imposed on
TCP options, the key (modulus) size that could be employed would be rather
small and thus subject to attacks that are well within the current
capability of crackers with appropriate cryptanalytic software."
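To make the last example concrete, here is an added Python walkthrough (not code from the draft or from the poster) that computes how much room a TCP option could give a Diffie-Hellman public value and then shows, on a constructed 31-bit toy modulus, that a passive observer of the exchange recovers the shared secret with Shanks' baby-step giant-step. The TCP header sizes are those of RFC 793; the assumption that a single option carries the whole public value, and the toy prime and generator, are this example's own.

```python
from math import isqrt
import secrets

# TCP header facts from RFC 793: the 4-bit data offset caps the header at
# 15 * 4 = 60 bytes, of which 20 are fixed, leaving 40 bytes for all options.
TCP_MAX_HEADER_BYTES = 60
TCP_FIXED_HEADER_BYTES = 20
TCP_OPTION_OVERHEAD_BYTES = 2  # kind and length fields of a TLV option


def max_option_payload_bits(other_options_bytes=0):
    """Largest public value (in bits) one TCP option could carry, assuming a
    single option holds the whole value; other options (MSS etc.) shrink it."""
    free = TCP_MAX_HEADER_BYTES - TCP_FIXED_HEADER_BYTES - other_options_bytes
    return (free - TCP_OPTION_OVERHEAD_BYTES) * 8


def generic_dlog_work(bits):
    """Group operations for a generic (BSGS / Pollard-rho style) discrete log
    in a group of about 2**bits elements: roughly the square root of the size.
    Index-calculus methods on prime-field DH are far cheaper, so this is an
    upper bound on attacker effort, not an estimate of real security."""
    return 2 ** (bits // 2)


def dh_exchange(p, g):
    """Two honest parties; returns their public values and the shared secret."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A = pow(g, a, p)
    B = pow(g, b, p)
    shared = pow(B, a, p)
    assert shared == pow(A, b, p)
    return A, B, shared


def discrete_log_bsgs(g, h, p):
    """Shanks' baby-step giant-step: find x with g**x == h (mod p) in about
    sqrt(p) multiplications and sqrt(p) table entries."""
    m = isqrt(p - 1) + 1
    baby = {}
    e = 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * g % p
    giant_step = pow(g, -m, p)  # g^(-m) mod p
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None


def secret_from_transcript(p, g, A, B):
    """What a passive observer of (p, g, A, B) recovers when p is small:
    with x such that g**x == A, B**x equals the parties' shared secret."""
    x = discrete_log_bsgs(g, A, p)
    return pow(B, x, p)


# Constructed toy parameters: the 31-bit prime 2**31 - 1 and generator 7.
TOY_P = 2 ** 31 - 1
TOY_G = 7


def demo():
    A, B, shared = dh_exchange(TOY_P, TOY_G)
    recovered = secret_from_transcript(TOY_P, TOY_G, A, B)
    return {
        "option_payload_bits": max_option_payload_bits(),
        "generic_work_for_that_size": generic_dlog_work(max_option_payload_bits()),
        "toy_secret_recovered": recovered == shared,
    }
```

The toy modulus is of course far smaller than the roughly 300 bits a TCP option could hold, but the point scales the same way: the observer's work grows only with the square root of the group size under generic methods, and much more slowly than that under the index-calculus methods that apply to prime-field Diffie-Hellman, so a modulus sized to fit a header option buys little.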

Regards, -Rob-    Robert W. Shirey  SHIREY@MITRE.ORG
tel 703.883.7210, sec 703.883.5749, fax 703.883.1397
Info. Security Div., The MITRE Corp., Mail Stop Z231
7525 Colshire Drive, McLean, Virginia 22102-3481 USA