On Monday, 23.02.2015, as part of the AComIn project at the Institute of Information and Communication Technologies, BAS, we had a wonderful lecture by Prof. Dr. Otto Spaniol from RWTH Aachen University on the subject of Security in Communication Networks: Technical and Nontechnical Issues.
In his talk, Prof. Spaniol separated the topic into two parts: technical and non-technical issues. Researchers today mainly consider the technical issues like cryptography, DDoS, authentication, anonymity, etc., because they can be quantified, measured and analyzed. The opposite is true for the non-technical issues, and today they cost every organization significantly more.
At the beginning of his talk, Prof. Spaniol offered his “CIA” criteria for security in the communication process. And no, it does not mean the Central Intelligence Agency. Instead the acronym stands for:
- Confidentiality – the content of the communication should be available only to the participants; third parties should be unable to observe the communication; sender and receiver should be able to remain anonymous; and, last but not least, no one should be able to locate mobile stations.
- Integrity – we should be able to tell when a message has been tampered with, and prevent it. Additionally, we should be able to establish whether a message was really sent by the claimed sender and rightfully received (non-repudiation).
- Availability – access to the communication network should be available whenever all parties want to communicate and are legally entitled to do so.
After establishing his criteria for the communication process, the lecturer introduced us to common technical issues: attacks on stand-alone computer systems and on networked computers, wiretapping and traffic analysis attacks, NAT table modification, tampering with data units, DDoS, etc. Basically, everything that everyone who deals with networks has had to face at some point in their professional life.
No talk about security can go without mentioning trust in the communication and encryption. Prof. Spaniol did go into some detail about shared-key encryption, with the questions that arise about transporting the key over an unsecured network, as well as the problem of authenticating the sender.
He shared some detail on cryptographic hash functions, in particular the collision-resistance requirement:
It must be practically impossible to construct two messages m and m′ (where m ≠ m′) such that H(m) = H(m′).
Of course, this requirement has already been broken for some of the message digest algorithms that were developed; practical collisions for MD5 are the best-known example. His slides on digital signatures were also worth mentioning.
While all those technical issues are very well known and extensively researched, the field of non-technical issues is more blurry. We know that insufficient security might be due to negligence, pure stupidity, criminal intention, cost cutting, etc. Those who have been sysadmins understand this even without seeing it on a slide. How many times I’ve told people the proper way to create a password – that personal names, birthdays and “genius” passwords like “password” or “12345” are not recommended – but people use them anyway. And when I enforce strict rules for password creation, I cannot stop hearing complaints about how hard they are to remember. Yes, but we are protecting valuable information, correct?
Many of you have had to deal with situations where people know they have viruses on their flash drives and nevertheless plug them into their work computers, creating work, headaches and a general desire to off them.
Sure, those are some of the problems all of us in the IT sector face constantly, but another important problem is cost cutting, simply because management does not appreciate the importance of the IT department and thinks that by putting us in the basement with minimal funds all is well in the world, while for them providing almost unlimited funds for the legal department is crucial. Let me tell you: nowadays IT is more important than legal or almost any other department. After all, if you don’t have working computers, network infrastructure and data management, you can sit all day in the legal department and it will all be for naught.
But I am digressing. Last year we all remember the huge Heartbleed fiasco, right? And while I am not going to go into detail about what OpenSSL’s Heartbeat implementation was missing, from the non-technical side it boiled down to:
- The received message was not validated: the code trusted the payload length declared in the heartbeat request instead of checking it against the length of the record that was actually received, so a request that claimed a larger payload than it carried made the server copy up to 64 KB of adjacent process memory into its reply (a buffer over-read). The attacker can repeat this as often as needed. The code was contributed by a student, and the missing bounds check was not caught in review.
- The OpenSSL project, on which an incredible amount of critical infrastructure depends, had effectively one full-time developer. Leaving something this important to so few people is bound to end in disaster.
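To make the technical side of that first point concrete, here is an added illustration in C; it is not code from the lecture or from OpenSSL, but a stripped-down heartbeat handler showing the missing check and the one-line fix. The message layout (type, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520; the `memory` array, the “session key” string sitting next to the received record, and all function names are constructed for the demo and stand in for whatever happened to be adjacent in a real server’s heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) |
   payload | padding(>= 16 bytes). The bug was that OpenSSL built the response
   from payload_length without checking it against the record it had received. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed "process memory" (not real data): a heartbeat request that really
   carries a 4-byte payload ("ping") plus 16 bytes of padding, 23 bytes in all,
   but whose length field claims 64 bytes, followed by unrelated data that
   happens to live next to it. */
#define RECEIVED_LEN 23
static unsigned char memory[RECEIVED_LEN + 64] = {
    HB_REQUEST, 0x00, 0x40,                 /* type, payload_length = 64 (a lie) */
    'p', 'i', 'n', 'g',                     /* the 4 bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 16 bytes padding */
    'S', 'E', 'S', 'S', 'I', 'O', 'N', '_', 'K', 'E', 'Y', '=',
    'c', 'a', 'f', 'e', 'b', 'a', 'b', 'e'  /* adjacent secret, never sent */
};

/* An honest request with the same 4-byte payload and a truthful length field. */
static const unsigned char honest[RECEIVED_LEN] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Vulnerable handler: trusts the declared payload length (the Heartbleed bug).
   Returns the number of response bytes written, or 0 if the request is refused. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* never consulted: the bug */
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);  /* over-reads when payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the check OpenSSL 1.0.1g added. Header + declared payload +
   minimum padding must fit inside the record that was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return 0;                      /* no room for a header */
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing check */
    if (type != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Byte-string search (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the lying request makes the vulnerable handler echo the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[3 + 64 + HB_PADDING];
    size_t n = heartbeat_vulnerable(memory, RECEIVED_LEN, out, sizeof out);
    return n > 0 && contains(out, n, "SESSION_KEY=cafebabe");
}

/* Response length the fixed handler produces for the lying request (0 = refused). */
size_t fixed_response_to_lying_request(void)
{
    unsigned char out[3 + 64 + HB_PADDING];
    return heartbeat_fixed(memory, RECEIVED_LEN, out, sizeof out);
}

/* Response length the fixed handler produces for the honest request. */
size_t fixed_response_to_honest_request(void)
{
    unsigned char out[3 + 64 + HB_PADDING];
    return heartbeat_fixed(honest, sizeof honest, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, lying request:    %zu bytes\n", fixed_response_to_lying_request());
    printf("fixed handler, honest request:   %zu bytes\n", fixed_response_to_honest_request());
    return 0;
}
```

The demo keeps the over-read inside one array so it runs without undefined behaviour, but the mechanism is the real one: the only input the vulnerable handler validates is the attacker-controlled length field, so the 64-byte reply carries 20 bytes of data the client never sent. The fix is a single comparison against the received record length; the honest request (declared length 4) still produces the expected 23-byte reply, while the lying request is refused before anything is copied.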
Due to time constraints, the presentation did not even scratch the surface of social engineering, data leakage, BYOD hurdles, etc. Those issues need to be taken into account as well.
Looking at all these examples, as well as countless others, we need constant education of the non-technical staff. System administrators need the support of management to enforce strict procedures for data management, data protection and use of the network infrastructure. On the personal side, we need to be able to remain anonymous online in order to preserve our ability to associate freely with others, whether for reading books, religion, protests or any other form of activity known in our democracy.
I want to remain an optimist and say that while we will always have technical issues to deal with, we can educate the population to deal with the non-technical issues. At the same time, I know this is impossible: most people hate to think most of the time, thus creating countless non-technical problems for IT with regard to technology.