Systemic flaws and a rapidly shifting threatscape spell doom for many of today’s trusted security technologies
Perhaps nothing, not even the weather, changes as fast as computer technology. With that brisk pace of progress comes a grave responsibility: securing it.
Every wave of new tech, no matter how small or esoteric, brings with it new threats. The security community slaves to keep up and, all things considered, does a pretty good job against hackers, who shift technologies and methodologies rapidly, leaving last year’s well-recognized attacks to the dustbin.
Have you had to enable the write-protect notch on your floppy disk lately to prevent boot viruses or malicious overwriting? Have you had to turn off your modem to prevent hackers from dialing it at night? Have you had to unload your ansi.sys driver to prevent malicious text files from remapping your keyboard to make your next keystroke reformat your hard drive? Did you review your autoexec.bat and config.sys files to make sure no malicious entries were inserted to autostart malware?
Not so much these days — hackers have moved on, and the technology made to prevent older hacks like these is no longer top of mind. Sometimes we defenders have done such a good job that the attackers decided to move on to more fruitful options. Sometimes a particular defensive feature gets removed because the good guys determined it didn’t protect that well in the first place or had unexpected weaknesses.
If you, like me, have been in the computer security world long enough, you’ve seen a lot of security tech come and go. It’s almost to the point where you can start to predict what will stick and be improved and what will sooner or later become obsolete. The pace of change in attacks and technology alike mean that even so-called cutting-edge defenses, like biometric authentication and advanced firewalls, will eventually fail and go away. Surveying today’s defense technologies, here’s what I think is destined for the history books.
Biometric authentication is tantalizing cure-all for log-on security. After all, using your face, fingerprint, DNA, or some other biometric marker seems like the perfect log-on credential — to someone who doesn’t specialize in log-on authentication. As far as those experts are concerned, it’s not so much that biometric methods are rarely as accurate as most people think; it’s more that, once stolen, your biometric markers can’t be changed.
Take your fingerprints. Most people have only 10. Anytime your fingerprints are used as a biometric logon, those fingerprints — or, more accurately, the digital representations of those fingerprints — must be stored for future log-on comparison. Unfortunately, log-on credentials are far too often compromised or stolen. If the bad guy steals the digital representation of your fingerprints, how could any system tell the difference between your real fingerprints and their previously accepted digital representations?
In that case, the only solution might be to tell every system in the world that might rely on your fingerprints to not rely on your fingerprints, if that were even possible. The same is true for any other biometric marker. You’ll have a hard time repudiating your real DNA, face, retina scan, and so on if a bad player gets their hands on the digital representation of those biometric markers.
That doesn’t even take into account issues around systems that only allow you to logon if you use, say, your fingerprint when you can no longer reliably use your fingerprint. What then?
Biometric markers used in conjunction with a secret only you know (password, PIN, and so on) are one way to defeat hackers that have your biometric logon marker. Of course mental secrets can be captured as well, as happens often with nonbiometric two-factor log-on credentials like smartcards and USB key fobs. In those instances, admins can easily issue you a new physical factor and you can pick a new PIN or password. That isn’t the case when one of the factors is your body.
While biometric logons are fast becoming a trendy security feature, there’s a reason they aren’t — and won’t ever be — ubiquitous. Once people realize that biometric logons aren’t what they pretend to be, they will lose popularity and either disappear, always require a second form of authentication, or only be used when high-assurance identification is not needed.
Doomed security technology No. 2: SSL
Secure Socket Layer was invented by long-gone Netscape in 1995. For two decades it served us adequately. But if you haven’t heard, it is irrevocably broken and can’t be repaired, thanks to the Poodle attack. SSL’s replacement, TLS (Transport Layer Security), is slightly better. Of all the doomed security tech discussed in this article, SSL is the closest to be being replaced, as it should no longer be used.
The problem? Hundreds of thousands of websites rely on or allow SSL. If you disable all SSL — a common default in the latest versions of popular browsers — all sorts of websites don’t work. Or they will work, but only because the browser or application accepts “downleveling” to SSL. If it’s not websites and browsers, then it’s the millions of old SSH servers out there.
OpenSSH is seemingly constantly being hacked these days. While it’s true that about half of OpenSSH hacks have nothing to do with SSL, SSL vulnerabilities account for the other half. Millions of SSH/OpenSSH sites still use SSL even though they shouldn’t.
Worse, terminology among tech pros is contributing to the problem, as nearly everyone in the computer security industry calls TLS digital certificates “SSL certs” though they don’t use SSL. It’s like calling a copy machine a Xerox when it’s not that brand. If we’re going to hasten the world off SSL, we need to start calling TLS certs “TLS certs.
Make a vow today: Don’t use SSL ever, and call Web server certs TLS certs. That’s what they are or should be. The sooner we get rid of the word “SSL,” the sooner it will be relegated to history’s dustbin.
Doomed security technology No. 3: Public key encryption
This may surprise some people, but most of the public key encryption we use today — RSA, Diffie-Hellman, and so on — is predicted to be readable as soon as quantum computing and cryptography are figured out. Many, including this author, have been long (and incorrectly) predicting that usable quantum computing was mere years away. But when researchers finally get it working, most known public encryption ciphers, including the popular ones, will be readily broken. Spy agencies around the world have been saving encrypted secrets for years waiting for the big breakthrough — or, if you believe some rumors, they already have solved the problem and are reading all our secrets.
Some crypto experts, like Bruce Schneier, have long been dubious about the promise of quantum cryptography. But even the critics can’t dismiss the likelihood that, once it’s figured out, any secret encrypted by RSA, Diffie-Hellman, and even ECC are immediately readable.
That’s not to say there aren’t quantum-resistant cipher algorithms. There are a few, including lattice-based cryptography and Supersingular Isogeny Key Exchange. But if your public cipher isn’t one of those, you’re out of luck if and when quantum computing becomes widespread.
Doomed security technology No. 4: IPsec
When enabled, IPsec allows all network traffic between two or more points to be cryptographically protected for packet integrity and privacy, aka encrypted. Invented in 1993 and made an open standard in 1995, IPsec is widely supported by hundreds of vendors and used on millions of enterprise computers.
Unlike most of the doomed security defenses discussed in this article, IPsec works and works great. But its problems are two-fold.
First, although widely used and deployed, it has never reached the critical mass necessary to keep it in use for much longer. Plus, IPsec is complex and isn’t supported by all vendors. Worse, it can often be defeated by only one device in between the source and destination that does not support it — such as a gateway or load balancer. At many companies, the number of computers that get IPsec exceptions is greater than the number of computers forced to use it.
IPsec’s complexity also creates performance issues. When enabled, it can significantly slow down every connection using it, unless you deploy specialized IPsec-enabled hardware on both sides of the tunnel. Thus, high-volume transaction servers such as databases and most Web servers simply can’t afford to employ it. And those two types of servers are precisely where most important data resides. If you can’t protect most data, what good is it?
Plus, despite being a “common” open standard, IPsec implementations don’t typically work between vendors, another factor that has slowed down or prevented widespread adoption of IPsec.
But the death knell for IPsec is the ubiquity of HTTPS. When you have HTTPS enabled, you don’t need IPsec. It’s an either/or decision, and the world has spoken. HTTPS has won. As long as you have a valid TLS digital certificate and a compatible client, it works: no interoperability problems, low complexity. There is some performance impact, but it’s not noticeable to most users. The world is quickly becoming a default world of HTTPS. As that progresses, IPsec dies.
Doomed security technology No. 5: Firewalls
The ubiquity of HTTPS essentially spells the doom of the traditional firewall. I wrote about this in 2012, creating a mini-firestorm that won me invites to speak at conferences all over the world.
Some people would say I was wrong. Three years later, firewalls are still everywhere. True, but most aren’t configured and almost all don’t have the “least permissive, block-by-default” rules that make a firewall valuable in the first place. Most firewalls I come across have overly permissive rules. I often see “Allow All ANY ANY” rules, which essentially means the firewall is worse than useless. It’s doing nothing but slowing down network connections.
Anyway you define a firewall, it must include some portion that allows only specific, predefined ports in order to be useful. As the world moves to HTTPS-only network connections, all firewalls will eventually have only a few rules — HTTP/HTTPS and maybe DNS. Other protocols, such ads DNS, DHCP, and so on, will likely start using HTTPS-only too. In fact, I can’t imagine a future that doesn’t end up HTTPS-only. When that happens, what of the firewall?
The main protection firewalls offer is to secure against a remote attack on a vulnerable service. Remotely vulnerable services, usually exploited by one-touch, remotely exploitable buffer overflows, used to be among the most common attacks. Look at the Robert Morris Internet worm, Code Red, Blaster, and SQL Slammer. But when’s the last time you heard of a global, fast-acting buffer overflow worm? Probably not since the early 2000s, and none of those were as bad as the worms from the 1980s and 1990s. Essentially, if you don’t have an unpatched, vulnerable listening service, then you don’t need a traditional firewall — and right now you don’t. Yep, you heard me right. You don’t need a firewall.
Firewall vendors often write to tell me that their “advanced” firewall has features beyond the traditional firewall that makes theirs worth buying. Well, I’ve been waiting for more than two decades for “advanced firewalls” to save the day. It turns out they don’t. If they perform “deep packet inspection” or signature scanning, it either slows down network traffic too much, is rife with false positives, or scans for only a small subset of attacks. Most “advanced” firewalls scan for a few dozen to a few hundred attacks. These days, more than 390,000 new malware programs are registered every day, not including all the hacker attacks that are indistinguishable from legitimate activity.
Even when firewalls do a perfect job at preventing what they say they prevent, they don’t really work, given that they don’t stop the two biggest malicious attacks most organizations face on a daily basis: unpatched software and social engineering.
Put it this way: Every customer and person I know currently running a firewall is as hacked as someone who doesn’t. I don’t fault firewalls. Perhaps they worked so well back in the day that hackers moved on to other sorts of attacks. For whatever reason, firewalls are nearly useless today and have been trending in that direction for more than a decade.
Doomed security technology No. 6: Antivirus scanners
Depending on whose statistics you believe, malware programs currently number in the tens to hundreds of millions — an overwhelming fact that has rendered antivirus scanners nearly useless.
Not entirely useless, because they stop 80 to 99.9 percent of attacks against the average user. But the average user is exposed to hundreds of malicious programs every year; even with the best odds, the bad guy wins every once in a while. If you keep your PC free from malware for more than a year, you’ve done something special.
That isn’t to say we shouldn’t applaud antivirus vendors. They’ve done a tremendous job against astronomical odds. I can’t think of any sector that has had to adjust to the kinds of overwhelming progressive numbers and advances in technology since the late 1980s, when there were only a few dozen viruses to detect.
But what will really kill antivirus scanners isn’t this glut of malware. It’s whitelisting. Right now the average computer will run any program you install. That’s why malware is everywhere. But computer and operating system manufacturers are beginning to reset the “run anything” paradigm for the safety of their customers — a movement that is antithetical to antivirus programs, which allow everything to run unimpeded except for programs that contain one of the more than 500 million known antivirus signatures. “Run by default, block by exception” is giving way to “block by default, allow by exception.”
Of course, computers have long had whitelisting programs, aka application control programs. I reviewed some of the more popular products back in 2009. The problem: Most people don’t use whitelisting, even when it’s built in. The biggest roadblock? The fear of what users will do if they can’t install everything they want willy-nilly or the big management headache of having to approve every program that can be run on a user’s system.
But malware and hackers are getting more pervasive and worse, and vendors are responding by enabling whitelisting by default. Apple’s OS X introduced a near version of default whitelisting three years ago with Gatekeeper. iOS devices have had near-whitelisting for much longer in that they can run only approved applications from the App Store (unless the device is jailbroken). Some malicious programs have slipped by Apple, but the process has been incredibly successful at stopping the huge influx that normally follows popular OSes and programs.
Microsoft has long had a similar mechanism, through Software Restriction Policies and AppLocker, but an even stronger push is coming in Windows 10 with DeviceGuard. Microsoft’s Windows Store also offers the same protections as Apple’s App Store. While Microsoft won’t be enabling DeviceGuard or Windows Store-only applications by default, the features are there and are easier to use than before.
Once whitelisting becomes the default on most popular operating systems, it’s game over for malware and, subsequently, for antivirus scanners. I can’t say I’ll miss either.
Doomed security technology No. 7: Antispam filters
Spam still makes up more than half of the Internet’s email. You might not notice this anymore, thanks to antispam filters, which have reached levels of accuracy that antivirus vendors can only claim to deliver. Yet spammers keep spitting out billions of unwanted messages each day. In the end, only two things will ever stop them: universal, pervasive, high-assurance authentication and more cohesive international laws.
Spammers still exist mainly because we can’t easily catch them. But as the Internet matures, pervasive anonymity will be replaced by pervasive high-assurance identities. At that point, when someone sends you a message claiming to have a bag of money to mail you, you will be assured they are who they say they are.
High-assurance identities can only be established when all users are required to adopt two-factor (or higher) authentication to verify their identity, followed by identity-assured computers and networks. Every cog in between the sender and the receiver will have a higher level of reliability. Part of that reliability will be provided by pervasive HTTPS (discussed above), but it will ultimately require additional mechanisms at every stage of authentication to assure that when I say I’m someone, I really am that someone.
Today, almost anyone can claim to be anyone else, and there’s no universal way to verify that person’s claim. This will change. Almost every other critical infrastructure we rely on — transportation, power, and so on — requires this assurance. The Internet may be the Wild West right now, but the increasingly essential nature of the Internet as infrastructure virtually ensures that it will eventually move in the direction of identity assurance.
Meanwhile, the international border problem that permeates nearly every online-criminal prosecution is likely to be resolved in the near future. Right now, many major countries do not accept evidence or warrants issued by other countries, which makes arresting spammers (and other malicious actors) nearly impossible. You can collect all the evidence you like, but if the attacker’s home country won’t enforce the warrant, your case is toast.
As the Internet matures, however, countries that don’t help ferret out the Internet’s biggest criminals will be penalized. They may be placed on a blacklist. In fact, some already are. For example, many companies and websites reject all traffic originating from China, whether it’s legitimate or not. Once we can identify criminals and their home countries beyond repudiation, as outlined above, those home countries will be forced to respond or suffer penalties.
The heyday of the spammers where most of their crap reached your inbox is already over. Pervasive identities and international law changes will close the coffin lid on spam — and the security tech necessary to combat it.
Doomed security technology No. 8: Anti-DoS protections
Thankfully, the same pervasive identity protections mentioned above will be the death knell for denial-of-service (DoS) attacks and the technologies that have arisen to quell them.
These days, anyone can launch free Internet tools to overwhelm websites with billions of packets. Most operating systems have built-in anti-DoS attack protections, and more than a dozen vendors can protect your websites even when being hit by extraordinary amounts of bogus traffic. But the loss of pervasive anonymity will stop all malicious senders of DoS traffic. Once we can identify them, we can arrest them.
Think of it this way: Back in the 1920s there were a lot of rich and famous bank robbers. Banks finally beefed up their protection, and cops got better at identifying and arresting them. Robbers still hit banks, but they rarely get rich, and they almost always get caught, especially when they persist in robbing more banks. The same will happen to DoS senders. As soon as we can quickly identify them, the sooner they will disappear as the bothersome elements of society that they are.
Doomed security technology No. 9: Huge event logs
Computer security event monitoring and alerting is difficult. Every computer is easily capable of generating tens of thousands of events on its own each day. Collect them to a centralized logging database and pretty soon you’re talking petabytes of needed storage. Today’s event log management systems are often lauded for the vast size of their disk storage arrays.
The only problem: This sort of event logging doesn’t work. When nearly every collected event packet is worthless and goes unread, and the cumulative effect of all the worthless unread events is a huge storage cost, something has to give. Soon enough admins will require application and operating system vendors to give them more signal and less noise, by passing along useful events without the mundane log clutter. In other words, event log vendors will soon be bragging about how little space they take rather than how much.
Doomed security technology No. 10: Anonymity tools (not to mention anonymity and privacy)
Lastly, any mistaken vestige of anonymity and privacy will be completely wiped away. We already really don’t have it. The best book I can recommend on the subject is Bruce Schneier’s “Data and Goliath.” A quick read will scare you to death if you didn’t already realize how little privacy and anonymity you truly have.
Even hackers who think that hiding on Tor and other “darknets” give them some semblance of anonymity must understand how quickly the cops are arresting people doing bad things on those networks. Anonymous kingpin after anonymous kingpin ends up being arrested, identified in court, and serving real jail sentences with real jail numbers attached to their real identity.
The truth is, anonymity tools don’t work. Many companies, and certainly law enforcement, already know who you are. The only difference is that, in the future, everyone will know the score and stop pretending they are staying hidden and anonymous online.
I would love for a consumer’s bill of rights guaranteeing privacy to be created and passed, but past experience teaches me that too many citizens are more than willing to give up their right to privacy in return for supposed protection. How do I know? Because it’s already the standard everywhere but the Internet. You can bet the Internet is next.