Systemic flaws and a rapidly shifting threatscape spell doom for many of
today’s trusted security technologies
Perhaps nothing, not even the weather, changes as fast as computer technology.
With that brisk pace of progress comes a grave responsibility: securing it.
Every wave of new tech, no matter how small or esoteric, brings with it new
threats. The security community slaves to keep up and, all things considered,
does a pretty good job against hackers, who shift technologies and methodologies
rapidly, leaving last year’s well-recognized attacks to the dustbin.
Have you had to enable the write-protect notch on your floppy disk lately to
prevent boot viruses or malicious overwriting? Have you had to turn off your
modem to prevent hackers from dialing it at night? Have you had to unload your
ansi.sys driver to prevent malicious text files from remapping your keyboard to
make your next keystroke reformat your hard drive? Did you review your
autoexec.bat and config.sys files to make sure no malicious entries were
inserted to autostart malware?
Not so much these days -- hackers have moved on, and the technology made to
prevent older hacks like these is no longer top of mind. Sometimes we defenders
have done such a good job that the attackers decided to move on to more fruitful
options. Sometimes a particular defensive feature gets removed because the good
guys determined it didn't protect that well in the first place or had unexpected
weaknesses.
If you, like me, have been in the computer security world long enough, you’ve
seen a lot of security tech come and go. It’s almost to the point where you can
start to predict what will stick and be improved and what will sooner or later
become obsolete. The pace of change in attacks and technology alike means that
even so-called cutting-edge defenses, like biometric authentication and advanced
firewalls, will eventually fail and go away. Surveying today's defense
technologies, here's what I think is destined for the history books.
Doomed security technology No. 1: Biometric authentication
Biometric authentication is a tantalizing cure-all for log-on security. After all,
using your face, fingerprint, DNA, or some other biometric marker seems like the
perfect log-on credential -- to someone who doesn't specialize in log-on
authentication. As far as those experts are concerned, it’s not so much that
biometric methods are rarely as accurate as most people think; it's more that,
once stolen, your biometric markers can't be changed.
Take your fingerprints. Most people have only 10. Anytime your fingerprints are
used as a biometric logon, those fingerprints -- or, more accurately, the
digital representations of those fingerprints -- must be stored for future
log-on comparison. Unfortunately, log-on credentials are far too often
compromised or stolen. If the bad guy steals the digital representation of your
fingerprints, how could any system tell the difference between your real
fingerprints and their previously accepted digital representations?
In that case, the only solution might be to tell every system in the world that
might rely on your fingerprints to not rely on your fingerprints, if that were
even possible. The same is true for any other biometric marker. You'll have a
hard time repudiating your real DNA, face, retina scan, and so on if a bad
player gets their hands on the digital representation of those biometric
markers.
That doesn’t even take into account issues around systems that only allow you to
log on if you use, say, your fingerprint when you can no longer reliably use your
fingerprint. What then?
Biometric markers used in conjunction with a secret only you know (password,
PIN, and so on) are one way to defeat hackers who have your biometric logon
marker. Of course mental secrets can be captured as well, as happens often with
nonbiometric two-factor log-on credentials like smartcards and USB key fobs. In
those instances, admins can easily issue you a new physical factor and you can
pick a new PIN or password. That isn't the case when one of the factors is your
body.
While biometric logons are fast becoming a trendy security feature, there's a
reason they aren’t -- and won't ever be -- ubiquitous. Once people realize that
biometric logons aren't what they pretend to be, they will lose popularity and
either disappear, always require a second form of authentication, or only be
used when high-assurance identification is not needed.
Doomed security technology No. 2: SSL
Secure Sockets Layer was invented by long-gone Netscape in 1995. For two decades
it served us adequately. But if you haven't heard, it is irrevocably broken and
can't be repaired, thanks to the POODLE attack. SSL’s replacement, TLS
(Transport Layer Security), is slightly better. Of all the doomed security tech
discussed in this article, SSL is the closest to being replaced, as it should
no longer be used.
The problem? Hundreds of thousands of websites rely on or allow SSL. If you
disable all SSL -- a common default in the latest versions of popular browsers
-- all sorts of websites don't work. Or they will work, but only because the
browser or application accepts "downleveling" to SSL. If it's not websites and
browsers, then it's the millions of old SSH servers out there.
OpenSSH is seemingly constantly being hacked these days. While it’s true that
about half of OpenSSH hacks have nothing to do with SSL, SSL vulnerabilities
account for the other half. Millions of SSH/OpenSSH sites still use SSL even
though they shouldn't.
Worse, terminology among tech pros is contributing to the problem, as nearly
everyone in the computer security industry calls TLS digital certificates "SSL
certs" though they don't use SSL. It's like calling a copy machine a Xerox when
it's not that brand. If we’re going to hasten the world off SSL, we need to
start calling TLS certs "TLS certs."
Make a vow today: Don't use SSL ever, and call Web server certs TLS certs.
That's what they are or should be. The sooner we get rid of the word "SSL," the
sooner it will be relegated to history's dustbin.
Doomed security technology No. 3: Public key encryption
This may surprise some people, but most of the public key encryption we use
today -- RSA, Diffie-Hellman, and so on -- is predicted to be readable as soon
as quantum computing and cryptography are figured out. Many, including this
author, have been long (and incorrectly) predicting that usable quantum
computing was mere years away. But when researchers finally get it working, most
known public encryption ciphers, including the popular ones, will be readily
broken. Spy agencies around the world have been saving encrypted secrets for
years waiting for the big breakthrough -- or, if you believe some rumors, they
already have solved the problem and are reading all our secrets.
Some crypto experts, like Bruce Schneier, have long been dubious about the
promise of quantum cryptography. But even the critics can't dismiss the
likelihood that, once it's figured out, any secret encrypted by RSA,
Diffie-Hellman, and even ECC is immediately readable.
That's not to say there aren't quantum-resistant cipher algorithms. There are a
few, including lattice-based cryptography and Supersingular Isogeny Key
Exchange. But if your public cipher isn't one of those, you're out of luck if
and when quantum computing becomes widespread.
Doomed security technology No. 4: IPsec
When enabled, IPsec allows all network traffic between two or more points to
be cryptographically protected for packet integrity and privacy, aka encrypted.
Invented in 1993 and made an open standard in 1995, IPsec is widely supported by
hundreds of vendors and used on millions of enterprise computers.
Unlike most of the doomed security defenses discussed in this article, IPsec
works and works great. But its problems are twofold.
First, although widely used and deployed, it has never reached the critical mass
necessary to keep it in use for much longer. Plus, IPsec is complex and isn't
supported by all vendors. Worse, it can often be defeated by only one device in
between the source and destination that does not support it -- such as a gateway
or load balancer. At many companies, the number of computers that get IPsec
exceptions is greater than the number of computers forced to use it.
IPsec's complexity also creates performance issues. When enabled, it can
significantly slow down every connection using it, unless you deploy specialized
IPsec-enabled hardware on both sides of the tunnel. Thus, high-volume
transaction servers such as databases and most Web servers simply can’t afford
to employ it. And those two types of servers are precisely where most important
data resides. If you can't protect most data, what good is it?
Plus, despite being a "common" open standard, IPsec implementations don't
typically work between vendors, another factor that has slowed down or prevented
widespread adoption of IPsec.
But the death knell for IPsec is the ubiquity of HTTPS. When you have HTTPS
enabled, you don't need IPsec. It's an either/or decision, and the world has
spoken. HTTPS has won. As long as you have a valid TLS digital certificate and a
compatible client, it works: no interoperability problems, low complexity. There
is some performance impact, but it’s not noticeable to most users. The world is
quickly becoming a default world of HTTPS. As that progresses, IPsec dies.
Doomed security technology No. 5: Firewalls
The ubiquity of HTTPS essentially spells the doom of the traditional firewall. I
wrote about this in 2012, creating a mini-firestorm that won me invites to speak
at conferences all over the world.
Some people would say I was wrong. Three years later, firewalls are still
everywhere. True, but most aren't configured and almost all don't have the
"least permissive, block-by-default" rules that make a firewall valuable in the
first place. Most firewalls I come across have overly permissive rules. I often
see "Allow All ANY ANY" rules, which essentially means the firewall is worse
than useless. It's doing nothing but slowing down network connections.
However you define a firewall, it must include some portion that allows only
specific, predefined ports in order to be useful. As the world moves to
HTTPS-only network connections, all firewalls will eventually have only a few
rules -- HTTP/HTTPS and maybe DNS. Other protocols, such as DNS, DHCP, and so
on, will likely start using HTTPS-only too. In fact, I can't imagine a future
that doesn't end up HTTPS-only. When that happens, what of the firewall?
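The two ruleset defects described above, an "Allow All ANY ANY" rule and the absence of a block-by-default rule, are easy to check for mechanically. The following is an added example, not code from the original article: it audits a constructed, simplified first-match ruleset (hypothetical addresses and format), flags allow-everything rules and the rules they shadow, and lists the ports that remain exposed once a ruleset shrinks toward the HTTPS-only few the author expects.

```python
"""Audit a simple first-match firewall ruleset for 'allow any any' rules,
a missing block-by-default rule, and the ports it actually exposes."""

# Constructed sample ruleset (hypothetical; not from any real device).
# Format: action proto src dst dport, one rule per line, first match wins.
SAMPLE_RULES = """\
# action  proto  src          dst           dport
allow     tcp    any          10.0.0.5/32   443
allow     tcp    any          10.0.0.5/32   80
allow     udp    10.0.0.0/8   10.0.0.53/32  53
allow     any    any          any           any
deny      any    any          any           any
"""


def parse_rules(text):
    """Turn the text form into rule dicts; dport stays 'any' or becomes an int."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, dport = line.split()
        rules.append({
            "action": action.lower(),
            "proto": proto.lower(),
            "src": src.lower(),
            "dst": dst.lower(),
            "dport": "any" if dport.lower() == "any" else int(dport),
        })
    return rules


def matches_everything(rule):
    """True when the rule restricts neither protocol, addresses nor port."""
    return all(rule[k] == "any" for k in ("proto", "src", "dst", "dport"))


def audit(rules):
    """Return (findings, exposed_ports); findings is a list of readable strings."""
    findings = []
    # 1. Block-by-default: the final rule must deny whatever was not allowed.
    if not rules or rules[-1]["action"] != "deny" or not matches_everything(rules[-1]):
        findings.append("no block-by-default (deny any any) rule at the end of the ruleset")
    # 2. 'Allow All ANY ANY' rules, plus every rule they shadow (first match
    #    wins, so nothing after such a rule is ever evaluated).
    for idx, rule in enumerate(rules, start=1):
        if rule["action"] == "allow" and matches_everything(rule):
            findings.append(f"rule {idx}: allow any/any -> firewall is filtering nothing")
            for shadowed in range(idx + 1, len(rules) + 1):
                findings.append(f"rule {shadowed}: unreachable, shadowed by rule {idx}")
            break
    # 3. The ports the ruleset deliberately exposes (the 'few rules' of an
    #    HTTPS-only network).
    exposed = sorted({r["dport"] for r in rules
                      if r["action"] == "allow" and r["dport"] != "any"})
    return findings, exposed


if __name__ == "__main__":
    found, ports = audit(parse_rules(SAMPLE_RULES))
    for item in found:
        print("FINDING:", item)
    print("exposed ports:", ports)
```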
The main protection firewalls offer is to secure against a remote attack on a
vulnerable service. Remotely vulnerable services, usually exploited by
one-touch, remotely exploitable buffer overflows, used to be among the most
common attacks. Look at the Robert Morris Internet worm, Code Red, Blaster, and
SQL Slammer. But when's the last time you heard of a global, fast-acting buffer
overflow worm? Probably not since the early 2000s, and none of those were as bad
as the worms from the 1980s and 1990s. Essentially, if you don't have an
unpatched, vulnerable listening service, then you don't need a traditional
firewall -- and right now you don't. Yep, you heard me right. You don't need a
firewall.
Firewall vendors often write to tell me that their "advanced" firewall has
features beyond the traditional firewall that make theirs worth buying. Well,
I've been waiting for more than two decades for "advanced firewalls" to save the
day. It turns out they don't. If they perform "deep packet inspection" or
signature scanning, it either slows down network traffic too much, is rife with
false positives, or scans for only a small subset of attacks. Most "advanced"
firewalls scan for a few dozen to a few hundred attacks. These days, more than
390,000 new malware programs are registered every day, not including all the
hacker attacks that are indistinguishable from legitimate activity.
Even when firewalls do a perfect job at preventing what they say they prevent,
they don't really work, given that they don't stop the two biggest malicious
attacks most organizations face on a daily basis: unpatched software and social
engineering.
Put it this way: Every customer and person I know currently running a firewall
is as hacked as someone who doesn't. I don't fault firewalls. Perhaps they
worked so well back in the day that hackers moved on to other sorts of attacks.
For whatever reason, firewalls are nearly useless today and have been trending
in that direction for more than a decade.
Doomed security technology No. 6: Antivirus scanners
Depending on whose statistics you believe, malware programs currently number in
the tens to hundreds of millions -- an overwhelming fact that has rendered
antivirus scanners nearly useless.
Not entirely useless, because they stop 80 to 99.9 percent of attacks against
the average user. But the average user is exposed to hundreds of malicious
programs every year; even with the best odds, the bad guy wins every once in a
while. If you keep your PC free from malware for more than a year, you've done
something special.
That isn’t to say we shouldn’t applaud antivirus vendors. They've done a
tremendous job against astronomical odds. I can't think of any sector that has
had to adjust to such relentlessly growing numbers and advances in technology
since the late 1980s, when there were only a few dozen viruses to detect.
But what will really kill antivirus scanners isn't this glut of malware. It's
whitelisting. Right now the average computer will run any program you install.
That's why malware is everywhere. But computer and operating system
manufacturers are beginning to reset the "run anything" paradigm for the safety
of their customers -- a movement that is antithetical to antivirus programs,
which allow everything to run unimpeded except for programs that contain one of
the more than 500 million known antivirus signatures. “Run by default, block by
exception” is giving way to “block by default, allow by exception.”
Of course, computers have long had whitelisting programs, aka application
control programs. I reviewed some of the more popular products back in 2009. The
problem: Most people don't use whitelisting, even when it’s built in. The
biggest roadblock? The fear of what users will do if they can't install
everything they want willy-nilly or the big management headache of having to
approve every program that can be run on a user’s system.
But malware and hackers are getting more pervasive and worse, and vendors are
responding by enabling whitelisting by default. Apple's OS X introduced a
near-default form of whitelisting three years ago with Gatekeeper. iOS devices
have had near-whitelisting for much longer in that they can run only approved
applications from the App Store (unless the device is jailbroken). Some
malicious programs have slipped by Apple, but the process has been incredibly
successful at stopping the huge influx that normally follows popular OSes and
programs.
Microsoft has long had a similar mechanism, through Software Restriction
Policies and AppLocker, but an even stronger push is coming in Windows 10 with
DeviceGuard. Microsoft’s Windows Store also offers the same protections as
Apple's App Store. While Microsoft won't be enabling DeviceGuard or Windows
Store-only applications by default, the features are there and are easier to use
than before.
Once whitelisting becomes the default on most popular operating systems, it's
game over for malware and, subsequently, for antivirus scanners. I can't say
I'll miss either.
Doomed security technology No. 7: Antispam filters
Spam still makes up more than half of the Internet's email. You might not notice
this anymore, thanks to antispam filters, which have reached levels of accuracy
that antivirus vendors can only claim to deliver. Yet spammers keep spitting out
billions of unwanted messages each day. In the end, only two things will ever
stop them: universal, pervasive, high-assurance authentication and more cohesive
international laws.
Spammers still exist mainly because we can't easily catch them. But as the
Internet matures, pervasive anonymity will be replaced by pervasive
high-assurance identities. At that point, when someone sends you a message
claiming to have a bag of money to mail you, you will be assured they are who
they say they are.
High-assurance identities can only be established when all users are required to
adopt two-factor (or higher) authentication to verify their identity, followed
by identity-assured computers and networks. Every cog in between the sender and
the receiver will have a higher level of reliability. Part of that reliability
will be provided by pervasive HTTPS (discussed above), but it will ultimately
require additional mechanisms at every stage of authentication to assure that
when I say I'm someone, I really am that someone.
Today, almost anyone can claim to be anyone else, and there's no universal way
to verify that person's claim. This will change. Almost every other critical
infrastructure we rely on -- transportation, power, and so on -- requires this
assurance. The Internet may be the Wild West right now, but the increasingly
essential nature of the Internet as infrastructure virtually ensures that it
will eventually move in the direction of identity assurance.
Meanwhile, the international border problem that permeates nearly every
online-criminal prosecution is likely to be resolved in the near future. Right
now, many major countries do not accept evidence or warrants issued by other
countries, which makes arresting spammers (and other malicious actors) nearly
impossible. You can collect all the evidence you like, but if the attacker’s
home country won't enforce the warrant, your case is toast.
As the Internet matures, however, countries that don't help ferret out the
Internet's biggest criminals will be penalized. They may be placed on a
blacklist. In fact, some already are. For example, many companies and websites
reject all traffic originating from China, whether it's legitimate or not. Once
we can identify criminals and their home countries beyond repudiation, as
outlined above, those home countries will be forced to respond or suffer
penalties.
The heyday of the spammers, when most of their crap reached your inbox, is
already over. Pervasive identities and international law changes will close the
coffin lid on spam -- and the security tech necessary to combat it.
Doomed security technology No. 8: Anti-DoS protections
Thankfully, the same pervasive identity protections mentioned above will be the
death knell for denial-of-service (DoS) attacks and the technologies that have
arisen to quell them.
These days, anyone can launch free Internet tools to overwhelm websites with
billions of packets. Most operating systems have built-in anti-DoS attack
protections, and more than a dozen vendors can protect your websites even when
being hit by extraordinary amounts of bogus traffic. But the loss of pervasive
anonymity will stop all malicious senders of DoS traffic. Once we can identify
them, we can arrest them.
Think of it this way: Back in the 1920s there were a lot of rich and famous bank
robbers. Banks finally beefed up their protection, and cops got better at
identifying and arresting them. Robbers still hit banks, but they rarely get
rich, and they almost always get caught, especially when they persist in robbing
more banks. The same will happen to DoS senders. The sooner we can identify
them, the sooner they will disappear as the bothersome elements of society that
they are.
Doomed security technology No. 9: Huge event logs
Computer security event monitoring and alerting is difficult. Every computer is
easily capable of generating tens of thousands of events on its own each day.
Collect them into a centralized logging database and pretty soon you're talking
petabytes of needed storage. Today's event log management systems are often
lauded for the vast size of their disk storage arrays.
The only problem: This sort of event logging doesn't work. When nearly every
collected event packet is worthless and goes unread, and the cumulative effect
of all the worthless unread events is a huge storage cost, something has to
give. Soon enough admins will require application and operating system vendors
to give them more signal and less noise, by passing along useful events without
the mundane log clutter. In other words, event log vendors will soon be bragging
about how little space they take rather than how much.
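What "more signal and less noise" looks like in practice, as an added example that is not part of the original article: a small reducer run over constructed syslog-style lines (hypothetical host, users and addresses) that counts and drops routine events, folds a run of failed logins from one source into a single summary event, and always keeps high-value events such as a new UID 0 account, so that what reaches storage is a fraction of what was generated.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical host, accounts and addresses).
SAMPLE_LOG = """\
2015-06-01T10:00:01 web01 CRON[1201]: (root) CMD (/usr/bin/logrotate)
2015-06-01T10:00:02 web01 sshd[3001]: Accepted publickey for deploy from 10.0.0.7 port 50212 ssh2
2015-06-01T10:00:05 web01 CRON[1202]: (root) CMD (/usr/bin/logrotate)
2015-06-01T10:00:09 web01 sshd[3002]: Failed password for root from 203.0.113.9 port 40001 ssh2
2015-06-01T10:00:10 web01 sshd[3003]: Failed password for root from 203.0.113.9 port 40002 ssh2
2015-06-01T10:00:11 web01 sshd[3004]: Failed password for root from 203.0.113.9 port 40003 ssh2
2015-06-01T10:00:12 web01 sshd[3005]: Failed password for root from 203.0.113.9 port 40004 ssh2
2015-06-01T10:00:30 web01 CRON[1203]: (root) CMD (/usr/bin/logrotate)
2015-06-01T10:00:45 web01 useradd[3100]: new user: name=svc-backup, UID=0, GID=0, home=/root
2015-06-01T10:01:00 web01 sshd[3006]: Failed password for alice from 10.0.0.7 port 50300 ssh2
"""

# Routine on every host: drop, keeping only a count (the "mundane log clutter").
NOISE = [re.compile(r"CRON\[\d+\]: \(\w+\) CMD "),
         re.compile(r"Accepted publickey for deploy from 10\.0\.0\.\d+ ")]
# Always worth storing, however rare: a new account with UID 0.
ALWAYS_KEEP = [re.compile(r"new user: .*UID=0")]
FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+) port \d+")
FAILED_THRESHOLD = 3  # this many failures from one source become one summary


def reduce_log(text):
    """Return (kept_events, stats). Noise is counted and dropped, repeated
    failed logins are folded into one summary, unknown events pass through."""
    kept, dropped, failures = [], 0, defaultdict(list)
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines:
        if any(p.search(line) for p in NOISE):
            dropped += 1
        elif any(p.search(line) for p in ALWAYS_KEEP):
            kept.append(line)
        elif (m := FAILED_LOGIN.search(line)):
            failures[(m.group(2), m.group(1))].append(line.split()[0])
        else:
            kept.append(line)  # unrecognised event: keep rather than guess
    for (src, user), stamps in failures.items():
        if len(stamps) >= FAILED_THRESHOLD:
            kept.append(f"{stamps[0]} SUMMARY {len(stamps)} failed logins for "
                        f"{user} from {src} between {stamps[0]} and {stamps[-1]}")
        else:
            dropped += len(stamps)  # an isolated typo is noise, not a signal
    kept.sort()  # lines start with an ISO timestamp, so this restores order
    return kept, {"in": len(lines), "out": len(kept), "dropped": dropped}


if __name__ == "__main__":
    events, stats = reduce_log(SAMPLE_LOG)
    print(stats)
    for ev in events:
        print(ev)
```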
Doomed security technology No. 10: Anonymity tools (not to mention anonymity and privacy)
Lastly, any mistaken vestige of anonymity and privacy will be completely wiped
away. We already really don't have it. The best book I can recommend on the
subject is Bruce Schneier's "Data and Goliath." A quick read will scare you to
death if you didn't already realize how little privacy and anonymity you truly
have.
Even hackers who think that hiding on Tor and other "darknets" gives them some
semblance of anonymity must understand how quickly the cops are arresting people
doing bad things on those networks. Anonymous kingpin after anonymous kingpin
ends up being arrested, identified in court, and serving real jail sentences
with real jail numbers attached to their real identity.
The truth is, anonymity tools don't work. Many companies, and certainly law
enforcement, already know who you are. The only difference is that, in the
future, everyone will know the score and stop pretending they are staying hidden
and anonymous online.
I would love for a consumer's bill of rights guaranteeing privacy to be created
and passed, but past experience teaches me that too many citizens are more than
willing to give up their right to privacy in return for supposed protection. How
do I know? Because it's already the standard everywhere but the Internet. You
can bet the Internet is next.