Saturday, June 11, 2005

Gartner Over Hypes Insecure Technologies

The latest news is that the renowned pundits, the Gartner Group, believe that the security community has "over hyped" several security threats. The fear of security risks, in Gartner's opinion, is causing companies to avoid deploying technologies with clear business benefits.

Quoting from the SC Magazine article (http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=549bd799-f520-4ee1-a411-bcb45b81620f&newsType=Latest%20News):

Unsafe Internet Protocol (IP) telephony, dangerous mobile malware, "Warhol worms", regulatory compliance and unsafe wireless hot spots were named by the company as the security threats that caused users most problems, because vendors exaggerate the dangers.

In most cases, Gartner argued that the benefits of adopting new technologies, such as IP telephony, far outweighed the actual dangers.


Gartner then goes on to say these technologies can be properly secured and, if so, businesses can realize the benefits without taking undue risks. Well, duh: properly secured, of course these technologies are unlikely to present any unusual risk. I remember a comic making a point about ads claiming certain dessert products were delicious with strawberries and cream. Replied the comic, "Even old mattress ticking would taste good with strawberries and cream".

The problem is that companies implementing these technologies are not properly securing them, and that the efforts of information security professionals to enforce proper security are ignored, stonewalled, or overridden by management. By downplaying security concerns, Gartner is effectively encouraging company management to continue implementing these technologies with inadequate protection.

I will look at the specific examples of wireless 802.11 LANs (“wireless fidelity” known as Wi-Fi) and of Voice Over IP (VoIP).

Running Wi-Fi with IPSec has always been considered secure, as far as eavesdropping and traffic modification go. Actually setting up and managing IPSec can be difficult, and it certainly requires some technical background in the subject. The reality of organizational Wi-Fi deployment suggests most installations are blindly ignoring security practices. Most new Wi-Fi deployments are maverick installations, where someone just goes to Best Buy, gets an access point, sets it up on their desktop computer, and hopes nobody from IT notices. No WEP, default SSID, etc. - perfect for war drivers. Even when deployed by IT, configuring IPSec (or other secure transports) can be difficult, and is often skipped in the interests of getting it running. Management wants their laptops to work in conference rooms without cumbersome wires, and they want it NOW!
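The maverick-installation problem described above is something IT can at least detect: compare what a site survey actually sees on the air against the access points IT knows about, and flag the ones that are unauthorized, still wearing a factory SSID, or running no (or weak) link-layer protection. The following Python script is an added example written for this post, not code from the original article or from Gartner; the survey export format, the list of factory SSIDs, the acceptable security modes and the scan records themselves are all constructed assumptions, and the SSID CORP-WLAN is a made-up corporate network name.

```python
"""Audit observed Wi-Fi access points against an authorized inventory.

Added example, not from the original post. The CSV export format, the
authorized BSSID list, the factory-SSID list and the policy on acceptable
security modes are all assumptions; the scan records are constructed.
"""
from dataclasses import dataclass

# Constructed sample of what a site-survey tool might export.
SCAN_RESULTS = """\
ssid,bssid,security
CORP-WLAN,00:11:22:33:44:01,WPA2-EAP
CORP-WLAN,00:11:22:33:44:02,WPA2-EAP
linksys,00:14:bf:aa:bb:cc,OPEN
default,00:0f:66:dd:ee:ff,WEP
CORP-WLAN,de:ad:be:ef:00:01,WPA2-PSK
"""

# The corporate SSID and the radios IT has actually deployed (constructed).
CORPORATE_SSID = "CORP-WLAN"
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Factory SSIDs that indicate an unconfigured consumer access point (assumed list).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}

# Security modes the policy accepts; anything else is flagged (assumed policy).
ACCEPTABLE_SECURITY = {"WPA2-EAP"}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issues: tuple


def parse_scan(csv_text):
    """Turn the survey export into a list of {column: value} dicts."""
    lines = [line for line in csv_text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def audit(rows):
    """Return one Finding per access point that violates the policy."""
    findings = []
    for row in rows:
        issues = []
        bssid = row["bssid"].lower()
        ssid = row["ssid"]
        security = row["security"].upper()

        if bssid not in AUTHORIZED_BSSIDS:
            issues.append("unauthorized")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("default-ssid")
        if security == "OPEN":
            issues.append("no-encryption")
        elif security not in ACCEPTABLE_SECURITY:
            issues.append("weak-security:" + security)
        # A radio IT does not own advertising the corporate SSID deserves
        # its own flag: users will happily associate with it.
        if ssid == CORPORATE_SSID and bssid not in AUTHORIZED_BSSIDS:
            issues.append("corp-ssid-on-unknown-ap")

        if issues:
            findings.append(Finding(bssid, ssid, tuple(issues)))
    return findings


if __name__ == "__main__":
    for f in audit(parse_scan(SCAN_RESULTS)):
        print(f"{f.bssid}  {f.ssid!r:14} {', '.join(f.issues)}")
```

Of the five radios in the constructed survey, the two authorized WPA2-EAP units pass and the other three are reported: the open "linksys" box, the WEP-only "default" box, and a pre-shared-key radio nobody in IT deployed that is nevertheless announcing the corporate SSID. The same comparison can be run against an IPSec-only policy by simply changing what the inventory records as acceptable; the point is that the inventory exists and is checked, which is exactly what the maverick deployments skip.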

I am very concerned about Gartner's dismissal of wiretapping concerns with VoIP. Tools for re-assembling this traffic and creating audio files are out there (one with the appealing name of "VoMIT" is part of standard BSD port trees). Putting voice traffic in its own VLAN is an obstacle to eavesdropping but not a protection measure. VLANs can be compromised, and their misconfiguration can expose VoIP traffic without an actual attack. VLANs were meant to separate traffic for collision management purposes. VLANs were never intended to be a primary security protection measure. FYI, a good paper from Cisco on VLAN security best practices may be found at http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf.

There are secondary concerns with VoIP that must be addressed in terms of the authenticity of calls, and the extent to which everyday business trusts certain types of phone communication. Thanks to VoIP, anyone with a DSL line and a bit of Linux expertise can set up a PBX, spoof caller ID information, and generally have a lot of fun with call routing functions. I suspect we are on the verge of a new phishing epidemic, where social engineering attacks are supported by sophisticated telecom technology. All the old 1970s phone phreaking tricks may suddenly become popular again. An article in New Scientist (March 5, 2005, http://www.newscientist.com/channel/info-tech/electronic-threats/dn7136) addresses these issues.

Security problems with new technologies often do not manifest themselves until many years after the technology has been adopted. The prototype of the information-gathering Trojan horse program was demonstrated by the German Chaos Computer Club in 1996 (see http://www.iks-jena.de/mitarb/lutz/security/activex.pe.clari.html). Using a rogue ActiveX program, they were able to devise a Web site that would steal end user information from Quicken. The theoretical danger from this program was well demonstrated. It took a few years until these malicious programs became a serious concern. Any new technology requires a certain critical level of installed base before mass exploitation becomes feasible. Until then, it looks like security concerns are over hyped.

New technologies are often the ones that organizations have the most difficulty in securing. There is an urgency to deploying new technologies that counters the thoughtful, deliberate approach necessary for good security. New "must have" technologies are often driven by non-technical business groups, who are motivated to downplay threats. Even where an IT group is implementing the technology, proper security requires "out of the box" thinking that is rare. A voice telecom group familiar with traditional PBX technology is likely not familiar with the security threats in an IP-based VoIP product that uses shared media.

By calling security concerns "hype", Gartner is doing a disservice to legitimate security concerns.
