What were they thinking? Security design without the user in mind

What responsibility do security vendors and government agencies have to deliver or mandate secure products and services? I found myself asking this question repeatedly last week, as two incidents occurred which prompted a 'what were they thinking' response.

Early in the week, I opened a device sent to me by a vendor.  They had asked me to review it.  It allows a user to securely store login IDs and passwords on a device a little larger than a credit card.  Conceptually, it’s a good idea.  However, it has some major flaws.

First, the device uses a membrane keypad laid out like a standard cell phone, with multiple letters on each button.  And like a cell phone, it typically requires multiple presses of a key to get to the letter you want.  This might not be so bad except that the key pad frequently doesn’t respond or responds too quickly.  It took far too long, and caused far too much frustration, to enter login information this way. 

It would be much easier to manage my account information on my PC, and then upload it to the device.  But that is not an option.  No USB port or any other interface exists to connect the device to a PC.  Not only does this prevent easy management of information, it also prevents me from copying my device-stored information to my PC as a backup.  If I lost the device, and I hadn’t updated both the device and my PC repository when I added or changed an account or password, I’d just be out of luck.

Finally, I called the vendor rep to ask how the data was encrypted on the device.  I thought this was a pretty simple question, but I received back a request for clarification.  So I sent a final request in which I wrote, “All I need to know is how the data is actually encrypted on the on-board storage.”  I didn’t think this question was too technical for a vendor rep marketing a security device.  But the response I got back caused me to throw up my hands and toss the whole thing: “I'm sorry but that strikes me as a very general question and I don't know how to answer it. Could you frame it more specifically or give me an example of what you mean?”

The problems with this $29.95 product are in the design.  The difficulty in using it encourages users to assign short passwords and then never change them.  At least, that would be my approach if I was a regular user.  Instead, I simply threw the device in a box with other stuff I’ll never use. 
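The question the vendor rep could not answer has a short, checkable answer for any properly designed credential store, and the following is an added illustration of what such an answer looks like. It is not the reviewed device's code and the construction is an assumption chosen so it runs with the Python standard library alone: the PIN is stretched with salted PBKDF2-HMAC-SHA256 into an encryption key and a MAC key, the records are XORed with an HMAC-SHA256 counter-mode keystream, and an HMAC-SHA256 tag over salt, nonce and ciphertext is checked before anything is decrypted (encrypt-then-MAC). The `seal` and `open_store` names and the sample records are constructed for the example.

```python
"""Added illustration (not the reviewed device's code) of an at-rest
encrypted credential store: the kind of concrete answer the question
"how is the data encrypted on the on-board storage" should get.

Construction assumed for the example, standard library only:
  PIN --PBKDF2-HMAC-SHA256 (salted, 200k iterations)--> enc key + mac key
  confidentiality: XOR with an HMAC-SHA256 counter-mode keystream
  integrity:       HMAC-SHA256 tag over salt || nonce || ciphertext
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # work factor: raises the cost of each PIN guess
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch a (possibly short) PIN into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter), 32 bytes per block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(pin: str, records: Dict[str, str]) -> bytes:
    """Encrypt and authenticate an {account: password} map under a PIN.

    Layout of the returned blob: salt || nonce || ciphertext || tag.
    A fresh salt and nonce per seal means two stores with the same PIN
    and contents still look unrelated on disk."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(pin, salt)
    plaintext = json.dumps(records, sort_keys=True).encode("utf-8")
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_store(pin: str, blob: bytes) -> Optional[Dict[str, str]]:
    """Return the records, or None on a wrong PIN or any modification of the blob.

    The tag is checked before any decryption, so a wrong PIN or a flipped
    byte is refused outright instead of yielding garbage credentials."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample records, not real credentials.
    blob = seal("4821", {"mail.example": "correct horse battery staple"})
    print(open_store("4821", blob))   # the records
    print(open_store("4822", blob))   # None: wrong PIN
```

The sealed blob is also exactly what a USB export for the backup the article asks for would carry, since it is useless without the PIN. The caveat a practitioner should state alongside such an answer: stretching only raises the cost of each guess, and a four-digit PIN still has 10,000 possibilities, so a device relying on one also needs a retry limit or lockout in hardware.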

Later in the week, I attended a meeting to discuss security challenges surrounding a new requirement imposed on health care companies by CMS (Centers for Medicare and Medicaid Services, reporting to the U.S. Department of Health and Human Services).

Before continuing this tale, it’s important to understand that CMS is responsible for ensuring covered entities (e.g., health insurance companies and health care providers) protect electronic protected health information (ePHI) in accordance with the HIPAA (Health Insurance Portability and Accountability Act).

In the past, long term health care providers could submit patient MDSs (minimum data sheets) to CMS via dial-up connections. This allowed providers to transmit the MDSs (containing loads of ePHI) from a facility workstation while leaving the MDS transmission files on protected servers in secure data centers. However, early next year CMS will require these same providers to move to a different transmission method. The new method is ostensibly better: it provides data transfer over high-speed broadband connections. The problem lies in how CMS decided to deploy the solution.

When software residing on the provider’s desktop, supplied by CMS, initiates a connection to begin data transfer, all connections to the provider’s network are terminated.  CMS representatives say this is to protect their network from bad stuff on provider networks.  OK.  I get it.  But there is a problem with this.  Our ePHI, formerly residing in a safe location, must now be transferred to one or more desktop systems in hundreds of facilities, since each facility must submit its own MDSs.  The CMS, the agency responsible for making sure providers protect patient information, is forcing providers to circumvent or weaken existing security controls.

To be fair, a CMS contact told us the agency plans to resolve this sometime next year.  But the fix will come long after we roll this out to over 500 facilities.

Maybe I’m missing something, but in both cases described above the product or service provider should have put themselves in the seat occupied by the customer.  Asking some very simple questions while sitting there would have revealed problems with their offerings.

Luckily, I can simply ignore the password tool.  Unfortunately, there’s no workaround for CMS--another fine example of our government at work.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

25 comments
mikifinaz1

I once attended a talk given by a man who was involved with making a totally secure system for the government. Bottom line they got their perfect system, down side no one could use it, it was too difficult for average users to work with.

Jaqui

This surprises you? Why? You have been using MS products for how long and corporate stupidity about security still surprises you?

tmcclure

What can you expect from an industry that is lazy and a government that is inept? I say lazy because I can't count the number of products that have bugs or vulnerabilities. They are more interested in getting the product out the door ASAP and fixing it later. Worse still, we have been trained to accept and expect it.

tcobb

Omigosh! Why can't we force a committee of knowledgeable individuals, who have no financial interest in the outcome, into existence that has the power to stop stupid decisions from being jammed down our throats? If a few people on the outside can see what a mistake we are making, why can't they?

misceng

For security, safety or just plain user manuals I can think of one method I believe would be foolproof. Get the managing director of the supplier and isolate him/her with the equipment and instructions to see if the procedures are actually workable. The threat should be that this will be repeated until it is got right. It is a matter of creating the correct incentive in the person who can make things happen.

richardp

Apply this approach which I learned in a Technical Writing course years ago --> Write in terms your audience would use (i.e. the language they speak). I seek to design tools that seem useful, and then test them by portraying myself in their shoes. Though this takes time (seemingly too much time), the result seeks USABILITY towards the given PURPOSE. p.s. Look up Kerckhoffs' principle #2.

KBT882

The root of the problem is not knowing what the original problem is that they are trying to solve, and they then come up with a gadget which they need to find a use for. Passwords are the problem: they are inherently insecure. Short or long, they can be easily compromised and few remember the complex ones. But all that stands between me and my money (which is more important than my email account) is a piece of plastic and a four digit PIN. This method has proved to be effective for years. We don't need new ways of storing passwords of increasing length and complexity, we need a better method of proving who we are; and they already exist.

mta0907

Solutions provided to federal agencies are required to meet specific criteria outlined in Federal Information Processing Standards (FIPS) and Special Publications. Regardless of their flaws, vendors are required to prove they are compliant with the appropriate standards before a federal agency integrates them into their infrastructure. Anyone who adopts a non-compliant technology is just as guilty of non-compliance as the vendor. No excuses.

apotheon

The point is that the people developing the standards to which one must comply are clearly smoking something illegal -- or just incompetent. "Better" compliance, in other words, can sometimes mean worse security. Yes, you have to comply. That goes without saying. The fact that "better" compliance can mean worse security is a huge problem, though.

mta0907

Not true. First of all, if the spirit as well as the details of federal standards are understood and adhered to, there is a high probability that an acceptable level of security will be achieved commensurate with the target assurance level. All too often, those responsible for ensuring compliance either don't know what they are doing or think they are better than everyone else, which leads to rogue activities and increased risk. This is not meant to imply that the standards are perfect, but if understood, then the spirit of commitment and cooperation does lead to good security. The second point, which I believe was the main point for this thread, is that all too often vendors are not developing products that are in compliance with established standards, which in turn makes the job for security engineers who are required to comply with standards very difficult. Sometimes the vendor solutions are more secure but sometimes they are not. The point is that as their customer, it would behoove them to pay attention to our requirements and needs regardless of whether or not they agree with them.

apotheon

"First of all, if the spirit as well as the details of federal standards are understood and adhered to, there is a high probability that an acceptable level of security will be achieved commensurate with the target assurance level." Many government standards are defined by people who don't know what the hell they're doing -- but if you want to place blind faith in government "standards", go for it. "if understood, then the spirit of commitment and cooperation does lead to good security." Regulatory mandates often contradict good sense. Even more often, they're right for some limited set of circumstances, for a limited period of time, but are applied for much longer over a much broader range of circumstances -- and woe betide the guy who violates them because they actually damage security in his case.

Neon Samurai

But then what does one do if the imposed standard is broken? I don't mean "I'm a better info sec analyst than them so I know better" but confirmed by peer review broken. The company producing the product is still minimizing expenses to maximize profits. That means that meeting the broken standard is all they are going to do for the paperwork. So, you have companies sticking to the minimum spirit of a confirmed broken standard rather than practices that truly keep the consumer safe. Routers are a good example: they ship wide open with default admin credentials; how many home owners do more than change the admin password? How many home users belonging to the "linksys" world wireless network do you see in your scanner? It's more convenient for the company to reduce customer service calls than it is to ship a router properly secured for consumers' information safety. I'm not sure that stronger gov imposed standards are the answer either, but I don't see businesses truly securing products without them either.

HAL 9000

The Government Agencies are terrible for coming out with usable standards that may come close to actually working. I can remember once reading the safety precautions mandated by a Government Think Tank for a Medical Cyclotron. It was all nice and safe as far as it went and the 6 inch thick Safety Manual covered just about everything on Physical Security but nowhere did it say that placing a Radioactive Substance at the Focal Point of this device was a Bad Idea. Apparently starting a Fission Reaction was OK because it wasn't disallowed in the Manual. :D You could have burnt out the device completely, costing Millions of $ and at least a year's downtime, without breaching one Safety Setting. Or the fact that the people being treated couldn't gain access to this establishment because they were not Cleared to enter the Grounds, let alone the buildings. :D Sort of defeats the purpose that it was designed for, I would have thought. Then the one that Allowed Protesters to Walk onto the Grounds of the only Reactor in AU because the Guard wasn't allowed to stop people walking past him. Apparently this was OK as the people concerned never reached the insides of the Containment Building. The fact that they could just stroll through the gate whenever they felt like it wasn't important. :0 But the best one happened about 12 or so years ago here: I advised the Then Government to lay out an extra Optical Fiber Cable and to use it exclusively for the Government Agencies. At the time they were connecting everything together so the different Departments could share Data under tightly Controlled Guidelines, which was a good thing. But they declined this advice and said that as they then owned one of the Telcos rolling out the cable they did actually own the cable and the Telco would do as they were told when it came to Bandwidth Availability. Didn't matter that they were well advanced in selling at least part of that Telco at the time either.
Anyway roll forward 9 years and they were experiencing exactly the problems that I foretold them they would face. Things had got so bad that they had been fighting with the Telco, which now they only owned a Large % of, and were actively looking for an alternative that worked. So they dug up a plan to roll out their own Cable and use it as they saw fit. Makes perfect sense too, but a few years late now. They now have to Survey a new Route at least 1 Kilometer away from the existing cable to prevent digging it up, Import the Machinery to dig the trenches and lay the cable as well as the workers to actually do it as there are not enough Locally Trained personnel Available. What would have originally cost them a Measly 4 Million is now going to cost well in Excess of 40 Billion + Cost overruns when they eventually get around to doing it. But they did save 4 Million $ all those years previously when they had money to spend. Now they don't and their existing systems are suffering, which will only get worse and be unusable long before the money becomes available to fix the Penny Pinching that they seem to love. [/rant] Col

seanferd

So thanks. I hope you get an extra-special screwdriver for the holidays this year. :D

HAL 9000

Granted I had to buy it myself but I got exactly what I wanted. Only thing is I had to compromise with SWMBO as a 21 foot lathe and a 3 Phase Milling machine weren't allowed under the house. :( Seems that I can now make some things that I actually need. :) Col

JCitizen

And Happy New Year! To you and yours also!

HAL 9000

I got sick & tired of drawing up what I wanted made up. I need a Guy like Dougy where I could just walk up to him and say something like "Make Me a Wing Wong for a Goose's Bridle" and he knew exactly what I meant. Most of the guys in the machine shop now ask for drawings so they have some idea of what I want. I've been away for far too long and cannot be bothered to train up another guy to read my mind. :D Besides they all make things out of the wrong materials even if they look right to me. :^0 Now Lesson number 1: The Places that I used to deal with for materials are no longer. It's hard to get small lots of the different materials that I want and even worse it's now exorbitantly expensive. Someone has worked out that there is a market for Small Lots and charges accordingly. :( Lesson Number 2: Lathes should be on a Flat Level Surface or they walk away down the slope. Yep I know better but I'm LAZY and making the room necessary takes time. Besides it's good exercise chasing something so big and heavy around under the house. :D Lesson Number 3: You should never let the Wife's Kids play with your measuring tools. They ruin them completely and the wife doesn't understand why you now need to buy new ones. After all that Micrometer is supposed to be used as a spanner on round objects, isn't it? :0 Final lesson so far: Never clean the crap off a Mill with an End Mill bit in place; they are sharp even though they don't feel it and they BITE! Yep I know better on that as well but I wasn't thinking at the time. Perhaps if I had been looking at what I was doing instead of pointing out to SWMBO where these things were going to go it wouldn't have happened either. Yep I also know better and you should always be looking at what you are doing and not be the slightest bit distracted, but it was turned off, not running, and I wanted to clean the area up so I could throw something else at it and I was going to use that bit fitted.
Lesson: Blood doesn't hurt Carbide tips in the slightest. But I already knew that. It does however make it hard to see things unless you clean it off first. OH and don't let the Wife's son use your Safety Glasses; they ruin those as well. Though I was a bit surprised to see what he did to my 6 Inch Verniers. I never knew you could bend the blades and not have a loose slide. :0 I hope you have had a Wonderful Christmas and will have an Exciting and Prosperous New Year. I'm going to be broke replacing all of the tools that I have had used that I didn't hide. Though I don't think that any of the calipers have been abused yet. :^0 Col

JCitizen

It's been a while since I turned a tap on a good ol' engine lathe or CNC turning center. I always loved that work. Creating things practical and even just stuff I like is akin to being an artist; and the personal rewards are great.

HAL 9000

What can I say I buy my own Chrissy Presents so I get exactly what I want. :0 Col

JCitizen

If I had that kind of equipment, I'd be making cannon barrels! Yeh, I know, not exactly something you really need. For me it is a real quality life, though!

HAL 9000

NA it's a Bit heavy but I can make a really nasty dagger to impale them on. And as it's a One Use Only thing I don't need to heat treat it; any old scrap lying around will do too. :^0 Col

seanferd

That sounds awesome. Did you need an extra service line run to the house? :) Oh, and: Can you chase stupid apprentices around with it? :^0

iravgupta

when you wrote "I simply through the device..." instead of "I simply threw the device...".

MGP2

...that you had to post that publicly, as opposed to hitting the "contact" button on the main story page so you could inform him of his mistake privately?

apotheon

ravi16aug was probably thinking that was an easy way to inform him of his error. There's a slight laziness barrier to entry for the contact link. I'm not saying this was the better choice -- just that laziness probably played a role in choosing this option, rather than the contact link. On the other hand, maybe ravi16aug is one of those people who likes to publicly call people out on errors. I really don't know.