Please create an account to participate in the Slashdot moderation system


Forgot your password?
Encryption Security

'Attack Trees' Help Model Potential Security Flaws 110

Our most prolific reader, Anonymous Coward, writes "Here is an article by Bruce Schneier of Counterpane Internet Security from Dr. Dobb's Journal that describes a way to 'model threats against computer systems'." This is Bruce Schneir at his best. Many of the thoughts in this article aren't about cryptography but about other ways intruders might defeat your security measures, and about how to determine what kind of attacks you might expect to face.
This discussion has been archived. No new comments can be posted.

'Attack Trees' Help Model Potential Security Flaws

Comments Filter:
  • . A sequence of steps to attack something is a vector. This allows for multiple vectors to converge at common points.

    Actualy it dosn't, The branches and leaves of the tree represent seperate options for compleating some action, not seperate steps in a process.

    An 'attack tree' for calling some one on the phone would look somthing like this: 1 pick up phone
    2 go to
    2.1 Use netscape(or)
    2.1.1 click icon
    2.1.2 run from command prompt.
    2.2 use IE
    Each node is a 'part' of the node above it, and option, diffrent ways you can do it 'using netscape' is a Part of using

    An attack vector, would be to say, get a user acount, and then do a buffer overflow. You could impersonate that user and get the root password that way. Those options might show up in an attack tree, but they wouldn't nesseraly be connected to eachother
  • Yep, I meant admin account under NT, not 98. My bad. Shoulda been more clear. :(

  • People keep talking about how secure one-time-pad is. I see why it wouldn't be suseptable to mathimatical attack, but why couldn't you brute force it?
  • How can you know how hard a mathematical attack against an encryption algorithm will be? AFAIK the only algorithm known to be safe against pure mathematical attacks is a one-time-pad XOR.

    And for that matter, how can you know the difficulty of cryptanalysis of a specific message encrypted by an algorithm, unless you happen to work for No Such Agency [] (link broken?).
  • Smithers, release the trees. (OK, your funny rating may vary)
  • Since you don't know what the pad is the encrypted text can 'decrypt' to any given plaintext if you are guessing the pad. So brute forcing will give you all possible plaintexts, not much help.
  • These trees only work if you know all nodes. Usually, you just don't know them all, either because the process is too complex, or because new nodes can emerge in the future (for instance, if the PGP example were made before we knew about BO, it would have been different, even though PGP wasn't more or less secure). And that's the problem. Someone else may know a path you don't know, because he knows about a node you don't know.

    So, this model can only be used as a indication of the security of your system. Your system is likely to be less secure than the model says, eg. the "unknown" node is likely to be cheap.

    Having said that, it's IMHO still a very good way to look at your security.
  • It is a good attempt to systematize problems related to security. However it presents a lot of problems to be a good viable model.

    1. It has a serious need on known data. However a big part of attacks are made with data not known apriori.

    2. It is a linear model. Most of the decision-making is made trough choosing branches of the tree. However attacks are frequently a recursive operation (ex. exploiting several ways to login through an interface)

    3. It is a flat model and here it is the biggest problem. Today most attacks are combined attacks where one tries several programs, packets makes decisions through experiment and tries to preform a break-in much like making a wormhole all over the system.

    For those who like too much of maths I think that it would be much moe correct to draw a multidimensional net instead of this. And use more complex things like fuzzy logics. This way I think that we can give a more correct picture

    Each dimension is a net that is constitued of a program or an application package. It has to be noted that one may visit a node several times.
    Between each packet/dimension there are drawn lines of contact. These can be the UNIX forks, OLE/COM/DCOM/CABUUM, CORBA or any other stuff.
    The idea is to draw contacts evaluating a probability of action. With a monetary or a subjective weight to it.

    Under such assumption I would consider that a serious security flaw would be a very short path with a very short weight. A problem. Can we systematiza such thing? And how can we have a good evaluation of the possible unkonowns many crackers use?
  • Sonny Bono, Michael Kennedy, and the students of Texas A&M. Death by timber, all of them

    The trees are on the move, and they are pissed.
  • From what I understood from this article, as well as Bruce's presentation of it at the CSI conference, this is EXTREMELY useful to security staff and managers, in that it allows several things to happen:

    - Each leaf or branch can be assigned valuations (assessments) of: risk, summed cost (all sub-leafs) to complete, time to complete, legal rick to attacker, physical risk to attacker, cost to correct, or just about any factor that you want to assign to the leaf/node.

    - It helps you build the profile of attack by attacker if you happen to have formally though about who it is that might be interested in your system.

    - It helps managers and planners think systematically about the structure and design of their security infrastrcuture.

    - It illustrates weaknesses in another way, so that if you've developed tunnel vision by concentrating on one issue (PGP/BO/whatever), you'll see that you've been focusing on something that is harder to do than simply bribing the janitor to let someone in your office.

    - Those values that you create (and you should assign a branch to 'Unknown attacks' with valuations) can be presented to management, showing you on behalf of the company are exercizing some due diligence just by thinking about this stuff.

    - Each branch can be shared, if you so desire. If a specialist in physical security comes up with a novel way to bypass all standard deadbolts, they can post the new branch/node up and let people assign their own valuations to each step.

    - You can constantly query a system that uses this model for the current weakpoints in your structure according to the most recent data and valuation. Of course, 'Unknown attack' may always be the highest weakness, but at least you can clean the rest of the slate as much as possible.

    No, none of this is really revolutionary in terms of the structure. Game theroy has been around for a while, and been using this method for the same purposes, but an Industry Name such as Bruce's exposes it to a lot more people than the usual academics. It's not a solution or a cure, but a nice, illustrative TOOL.
  • You miss several key points. In my home town the manager of a local buisness and the two late night emploiees were caught steeling from the buisness. The manager had insurance, the two emploies made up an armed robber (black man, 5'10, average hight, dark winter hat on (this was in winter), brown trench coat - ie very average), and the three of them split the money. They had their story down well enough that insurance paid the loss, until one of them confessed.

    I know in one buisness I worked for one of the managers (different from the one above) was stealing from the safe. We knew who, but had no proof. Now send that manager to fill in at a different store and she gets their safe combonation. She knows when the store is closed, tells the compbination to one of her more expirenced theif friends, and some night the safe is robbed, and she isn't implicated because she didn't work their that night. (and in fact they probably forgot she knew the combonation) The only thing really keeping this down is the monthly changing of the safe combonation, and she doesn't know when that happens.

    Good social engineering can also get people to tell the safe combination without intending to. There exist people who can sell air conditioning to esqimos. There are people who can sell sand in a desert, or salt water on the ocean. Some people have the gift of getting people to tell what they should. There are eskimos who won't buy airconditioning from everyone, just like there are people who won't reveal the combination. Many people will give the combination though, and that is enough. (these people always make sure on the night the robbery occures that they have many witnesses that they are not their, that way they can say "Yea he told me, but I'm an honest guy who wouldn't use it or tell anyone. And I was at this party with many people. Joe even videotaped some of it, get his tape I'm probably on it." Add in a small bribe and some people become less honest.

  • To some extent a designer must take into account human factors (it would be a poor idea to design a program requiring the user to memorize a 1024 bit key pair...he would merely write it down). However, most security products rely on authenticating the user in some fashion. Until some sort of biomatic information gathering device becomes widely availible (and still there are problems using this to authenticate over an untrusted network) the software designet is stuck using passwords in SOME manner. With almost any security product this is the week link and there is not much the software designer can do about this.
  • You can't brute force it because you can get anything out of it.

    Suppose the cryptotext is

    and you try "key" (in the brute force sense)
    094502308749382827388383 and get a decode:
    "Sell 1000 of MSFT now"

    but how do you know that you shouldn't have used key
    which produces the decode
    "Buy 2390 of RHAT now" ?

    The point with one-time pads is that you can get any plaintext just by changing the decode key. This is why it there is no way to brute-force or otherwise break one-time pads. But for the system to work, they really have to be one time.

    This doesn't happen with other forms of cryptography, because normally only one key produces anything resembling plain text, and all other keys produce garbage. (Of course, most decode keys for one-time pads give you garbage too).

    Torrey Hoffman (Azog)
  • by legoboy ( 39651 ) on Thursday December 02, 1999 @08:20PM (#1485522)
    Security on Windows 9x really is a lost cause.

    In addition to what pb mentioned in this comment's parent, I had some time to play around on a "locked down" system. You had to give the admin some credit, he did a better job than most people so, but even so...

    On a totally locked down system, you can't access Windows Explorer, and My Computer only allows you to access your own files on the network server. Not even the C drive. But wait! WindowsKey+E brings up Explorer on C:\Windows. Oops. WinKey+F brings up Find, allowing you to check for each and every drive on the network. Find one, and you can right-click, and then select Explore, making it magicly appear in Windows Explorer.

    The admin for this lab had gone and actually deleted from the computers. Good idea, but unfortunately, the computers had web access. Problem solved. You could then create a shortcut to

    At the command prompt, you could try to bring up regedit.exe, but no... Policies didn't allow that. Too bad the policies don't prevent you from using regedit's command line switches, eh? You can export the registry to a plain-text file, then use command line options to delete any entries you don't like.

    Also from the command prompt, you could change the access properties on files on the network drives. I was able to change the both the internet website and the webpages on the LAN. Both were supposedly locked so that only the admin could get at them. Oops.

    Anyway, you want security, you simply don't use Win9x. (This is why Norton's Ghost sells so well, no?)

  • I am doing web development for a commerce firm. Since we are selling online, my boss asked me to report the of security/vulnerability of our webserver. My question is:

    Should I look for a third party software that monitors intruders? What are the available software for a Solaris system currently?

    Should we bring in a security consulting company and ask them for a network and code review check? What are the best companies that are doing this type of thing now?

    We are leaning towards the second option right now, but any advice would be great!

  • []

    Like this????

    Jedi Hacker (Apprentice) and Code Poet
  • by doom ( 14564 ) <> on Thursday December 02, 1999 @08:28PM (#1485525) Homepage Journal
    If you don't have the sympathy of the people you're working with, you're already doomed. A snotty attitude on the part of the security experts rarely helps.

    Example: sysadmin abruptly changes policy to frequently expiring passwords, with no recycling of old passwords.

    Result: users start picking passwords that are dead easy to guess, in fear that they may forget them. They're also very careful to write down their password somewhere near their machine.

  • Actually, I'd believe that the scripting is a bit screwy. Note that there aren't always neato little quotes at the bottom of pages anymore. I think Rob's trying to tweak the M2 stuff. Used to be, I would M2 twice and get a point in karma. Now I think it's ten, but I have no proof.

    Anyone know anymore (Rob, feel free to respond, here)??

    Jedi Hacker (Apprentice) and Code Poet
  • Well, I've been thinking about the Linux on x86 security model lately and I noticed something.

    Say you're a random visitor to a company and you get two minutes' access to a critical workstation. Push Ctrl-Alt-F1 at any time. Then push Ctrl-Alt-Delete. Of course, if you're in a hurry, push the reset button.

    Insert a floppy loaded with the Linux Kernel. You could use a Debian installer disk--or a customized disk would be ideal. Get to a console, which of course is an instant root shell. Mount the main hard drive, add your sniffer or whatever to /etc/rc, and reboot. With a customized disk, the whole job would be done efficiently and almost undetectably.

    The point is that any time a stranger has physical access to an x86 (be it Unix, Windows, or whatever) and no one is watching, security is lost. This factor should be added to your attack trees!
  • If you really give a f**k about security (which is not something I necessarily recommend -- most systems contain "proprietary information" which your competitors wouldn't bother reading if you sent it to them FedEx with a sticker marked "URGENT"), then you shouldn't be messing around with passwords anyway. Long experience of this sort of thing has convinced me that you will never, ever, convince yer average user to follow good password practice, because it breaks the first law of IT -- it is inconvenient for the user. Only the fact that very few systems in the world are worth breaking into stops cracking from becoming endemic.

    Smart-card key systems are reasonably cheap and should be used for anything worth protecting (clue: most corporate networks are not worth protecting). If your data is important to you (clue: five terabytes of Powerpoint presentations are not important) then you should be prepared to pay up for a system that can be kept physically secure.

    For everything else, you can afford to be lax. Occasionally come down hard on someone for installing a virus, have a compulsory passworded screensaver to protect your system from the cleaners, but don't turn the IT department into laughable NSA wannabes.

    The way I look at it is this -- if you get a serious compromise on an average network, you could lose a day's work. Draconian password practices will cost you that every six months in forgotten passwords, etc.

  • I read this almost a week ago, and in my haste, I failed to post to Slashdot....Now I'll never get the t-shirt :-(

    Guess I better put down the Picante and pick up the Pace (tm) !
  • by tilly ( 7530 ) on Friday December 03, 1999 @12:08AM (#1485534)
    You will note that EROS [] takes the idea of reducing the number of nodes closer to the root of the tree as far as possible. (The introductory essays [] are particularly valuable to read.) Every program is passed exactly the access it needs to have which means that there are far fewer programs which run as root or something close to root (the pun with the root of the attack tree is unintended) and therefore there are a lot fewer potential ways to try to break the security.

    For those who do not want to read the essays in detail, here is an explanation "from 20,000 feet" to give you a sense. Unix is based on the idea of an access control list. You have permissions based on who you are, and every process you run will (by default) have permissions to do on your behalf anything that you can do. EROS is based on the idea of a capability. Capabilities can be thought of as handles through which you can request some action and you can do nothing without explicitly being handed the appropriate capability.

    The difference is obvious when you consider trying to cat a file. In Unix you hand a program like cat the names of the files you want it to open and trust it to do nothing other than what you asked. In EROS you have the capability to produce capabilities which we will call file-handles would hand cat the open file-handles from which it could read those files and be guaranteed that it is unable to talk to anything other than you, or read anything other than those files, since it has no other capabilities (not even the ability to produce another file-handle). Note that in Unix you explicitly have to trust that cat won't do anything else while in EROS there is no way that it could.

    This ensuring that processes never have any ability that they do not need to have results in far fewer processes with sufficient permission to cause damage, and therefore results in the attack tree by default being substantially pared down from what is possible even in a heavily locked down Unix system. As a result verifying the security of the operating system becomes a far simpler task. While attempting to verify the security of a Unix system is possible, the OpenBSD [] folks have done an extremely good job of it, the equivalent task for a capability system is far simpler.

    Food for thought. :-)

  • You can create an 'attack tree' for a OTP as well.
    Key points:
    • They depend on an absolutely random key for total mathematical security, as long as the message. This is impractical, so most computer techniques will use a pseudo-random generator. If you can find out or spoof the seed, you can recreate the pad.
    • The problem of key distribution. This is one of the main reasons public-key cryptography was invented. If you can get a copy of the pad, you can break any message sent using it. This degenerates into a similiar tree for breaking PGP, etc.
    • A one-time pad must be used once. If you can persuade the sender to encrypt two messages with the same pad, it is very possible to generate the pad from the two crypt-texts, and bingo!

    So, although OTP's are theoretically secure, in practise you must be very careful to use them properly. Remember, process not product!

  • Sorry, but when I read "attack trees" I can't help but think of the Kite Eating Tree from Peanuts. :*)br>

    But anyhow, the logic behind attack trees looks solid. If you can compromise one system it you can use it as a stepping stone to move on to the next.

    Phrack [] once ran an article called "Distributed Metastasis" which might make an interesting read.

  • We don't have CD-rom's on our public machines. it would still be possible to download drivers and use a backpack drive via a serial port to put the tools on that are necessary to crack our systems, but you'd have to get the drivers on via a locked floppy port
  • Oops. The article was in P55-16 and is available here [].
  • Um, are these Attack Trees some kind of stealth weapon?

    Or a home security option that doesn't need Winalot?

    "Ideal for home security. Attractive *and* functional, guaranteed to enhance and secure any driveway"

    Are they fierce? Can they tell the difference between friend and foe?

  • please say I'm not the only person who automatically thought about Evergreen commandos while reading the title.
  • This basic approach has been done for a while in the safety engineering field with fault trees; take all the existing comments by Bruce and replace "security" with "safety". The idea of applying the model to security is an interesting one, and indeed in many cases safety engineering can become effectively security engineering.

    The typical safety approach using something like Fault Trees starts off with an aim of a safe system, identifies the principle hazards to that system (e.g. bomber releasing an armed bomb in a closed bomb bay), then works down decomposing those hazards using AND/OR junctions to reach a list of specific things which we have to prove about the system (e.g. no software write to location 0xf0001234 which is not immediately preceded by a check of the Bomb_Bay_Open sensor).

    See for and Nancy G. Leveson's book "Safeware" for more info on safety engineering. My post doesn't even scratch the surface of the subject.

    Speaking for myself, not for my employer

  • Why can't people stop assaulting, robbing, raping, beating, murdering, driving aggressively, and all the other nasty things that can be done in the real world? Face it, people are bastards. People are mean. True pacifists are a rarity. With the internet, it is now often easier than ever to vent rage. No real skills often required, no physical prowess, not even much of a plan is needed to carry out many simple attacks against a poorly-secured target.

    In the real world, we avoid eye contact with strangers, we lock our doors, we don't walk down the streets in "that neighborhood", and sometimes we carry protection. Why shouldn't the same apply to the electronic world?

  • by Anonymous Coward
    There have been some projects to bring this concept into the Linux kernel. See the Capabilities for ELF [] project page and the draft describing Linux-Privs []. Through POSIX 1e the all or none nature of root access can be taken care of.

  • Yeah, I know. It was just a very lame early morning attempt at being funny. I got what was coming to me for it I guess.

    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
  • While this is true, it doesn't really help anyone. It's impossible to defend against attacks you know nothing about, so the best a designer or engineer can do is use as many heads as possible to model what is known.

    You can even make educated guesses about classes of attacks that aren't known to exist but might. E.g., you could always add a "read the victim's mind telepathically" node into Bruce's PGP attack tree, and assign it your best guess of difficulty.

    But the bottom line is, if it isn't known yet -- and can't be reasonably speculated about -- you're screwed. So don't sweat it.

  • For all it's worth, I've found that once you've done your best job brainstorming an attack tree for a given problem, a good way to improve it is to review past attacks on similar (and dissimilar!) systems, asking yourself, "is this sort of attack represented in my tree?". More often than not you find an approach that you missed.

  • A bit pedantic, this, but attack graphs are not always trees. Starting with a 'consequence graph', pick a node as the goal and follow edges in the 'caused by' direction, ignoring edges that take you back to nodes you've already reached: what you end up with will always be acyclic, but not always a tree (which never 'share substructure').

    An obvious example comes from 2-out-of-3 secret sharing:

    • obtain secret: do one of
      • obtain shadows 1 & 2: do all of
      • obtain shadow 1
      • obtain shadow 2
    • obtain shadows 2 & 3: do all of
      • obtain shadow 2
      • obtain shadow 3
    • obtain shadows 1 & 3: do all of
      • obtain shadow 1
      • obtain shadow 3

    Directed acyclic graphs are usually known acronymically as 'DAGs'. Structures with this form are sometimes known as 'polyhierarchies'.

  • Is it just me, or does the author have a thing with BackOrfice? He didn't mention anything else, like MS SMS.

    If you're at an SMS infected workplace, then you basically have no privacy, so PGP will do you no good (well, if you can't guarentee that the message is secure, what good is it?), even over SSH.

  • OK, I get the feeling this is another post I'd have to rate "What the..."

    You could have put it in reply to the absurd post you were talking about, though. I'm guessing it's the one about turning JonKatz to stone.

    Either way, we really need to have a mod category for "wierd." Either that, or an archive (that would actually be pretty cool; a "Slashdot Hall of Fame," perhaps?)

  • Which makes me think of something else - because of the presense of SMS on a machine, then the security of everything the user of that machine has access to is dependant on the security of SMS - i.e. cracking SMS is the leaf node of .

    Yet another reason not to use crap like that.

  • I think something went whacky to the scripts, it was marked as Flamebait and went UP one... Someone made a little error in the code...
  • Why would you attack some trees? They've never done anything to you. And anyway, they're probably spiked, and you don't want to get between these two groups [] of loonies [].
  • No no, I believe moderators select a category AND a direction, and that the two are not associated. so you could mark something (-1, insightful) just as you could mark it (+1, offtopic)

    But, I don't really see how it's flamebait.
  • by Rilke ( 12096 ) on Thursday December 02, 1999 @07:19PM (#1485560)
    Security is not a product -- it's a process

    It's amazing how many people who should know better miss that simple point. I've worked at places that spent fortunes on security products, and yet all the workers wrote their login/passwords right on the monitor because it took the IT security staff so long to create new logins that everybody just shared the same ones.

    NT workstation is one of those perfect examples of a decent product with an easy attack path. The basic security model is reasonable, but then they integrate the web browser and e-mail package with everything else on the system, allowing so many security holes that they'll never really be plugged.

  • Yep - that's unfortunate. Whenever you have physical access to the machine, you can just rip out the plug if you want to. That's why my favorite security book, Practical Internet and UNIX Security [], has an entire chapter on how to lock your machines up, physically. For mission critical 24/7 systems, once you've got things as secure as you can on the network end, you have to make sure the machines are in a secure server room with big locks on the doors, a chemical fire extinguishing system, etc.

  • When I read this article, I wasn't all that impressed. It's a good way of formalizing studying security flaws, but is there anything fundamentally novel here? Isn't this just a straightforward application of goal trees, an AI concept that has been around for quite a while?
  • All this talk about Attack Trees is making me wonder which directory will revolt first!

    Pablo Nevares, "the freshmaker".
  • Good point. However, I think that security may need to be a bit draconian (though the `flogging' example may be a bit much ;-)

    Going from a shop that has little security (like mine (sigh)) to one with good security will be a bit harsh. However, that's a Good Thing(tm).

    I would guess you live at or close to Stanford. Question: do you lock your doors at night? When you leave, maybe? Always? Maybe you or your household had to be bugalurized once or twice before you did that. See the parallel (tenuous, I know)?

    My point is that security is more than passwords. It is, truly, social engineering. People may pick passwords that are `dead easy' to guess, but if the IS department is expecting that, then it only takes one or two deletions of imperitive project software (with apropos backups, to be sure) for the (l)user to catch on.

    Eventually, the easy passwords will pass and the user, understanding the consequense on having stupid-type security, will embrace passwords like 1guYbv%^&bbejkkc.

    Jedi Hacker (Apprentice) and Code Poet
  • Yep. My machine is setup like so:

    I allow Ctrl-Alt-Del, 'cause I'm generally the only one here, but it's easily disabled in /etc/inittab.

    However, the other flaw you mentioned, the boot disk, is a PC hardware/BIOS issue, not a Linux one:

    I do not allow booting from floppies, or anything but the hard drive, and I have a password on my BIOS setup. That is the correct way to secure an x86 machine, configure that in your BIOS.

    Do this also with your Windows machines, etc., since you could just as easily reboot a Windows machine and insert a Linux boot disk. (I've done this before, to mount NTFS and stuff... :)

    Of course, if you have physical access to any machine for long enough, it's compromised. There are BIOS password cracking/bypassing programs available for some BIOSes (at least there were, for DOS)

    Past that you can always take out the hard drive, or insert another one as the first hard drive... This should work, x86 or not! (assuming you can get to the case, and open it. Locked cabinet, anyone?)
    pb Reply or e-mail rather than vaguely moderate [].
  • Please don't compare the security model in windows9x to anything. It was made for home users, and to be backward compatible with DOS programs written in the early 80's. Microsoft has said this from the begining (although you have to look in the right places to find this info.)
  • by trog ( 6564 ) on Thursday December 02, 1999 @09:47PM (#1485569)

    If you need to ask these questions, you have no business doing ANY online commerce.

    As the Sysadmin for a large e-commerse site, I spend roughly 50% of my time on security. While no system is full-proof, the sysadmin MUST be well versed in security and MUST address it on a daily basis.

    All it takes is one stolen credit card number from your site. Lawsuits. Bad publicity. Bankrupt startup.

    For an e-commerce site, system security can potentially MAKE or BREAK your business.

  • Does anyone know if the military is using this type of analysis to create/evaluate installation defense? It looks like this method could be applied to a situation regardless of threat type.

    Maybe I'll actually be closer to winning network RT-strategy games now. :)
  • Eventually, the easy passwords will pass and the user, understanding the consequense on having stupid-type security, will embrace passwords like 1guYbv%^&bbejkkc

    The more difficult the password is to rememeber, the more likely the user will write it down (somewhere the admin can't see). There needs to be a balance between the guessability of the password and the likeliness of the user writing it down.
  • Security was maintained by limiting everones access and making them strickly responsible for there own actions, sharing
    your password with another employee was a flogging offense. If your were to write it somewhere and leave it where it
    could be found, you would be thrown from a fourth floor window.

    The Best way I found was to use the password on the the NoteIt and change the desktop pattern while not at the desk, (Single guess as to the amount of clothes worn in the pic's), or for the Mac heads a 4000+ Folder storm to the desktop while boss is talking to them usually got the point across.

    You have to do this its the only way to get the point across. Works like a charm and saves wear and tear on the parkinglot. [/:-)
  • We really need 'top ten worst posts' added to that ...

    Something like:
    1. FIRST POST!!!!!!! by Anonymous Coward
    2. FIRST PSOT!!!!! by Anonymous Coward
    3. F1Rst POst!!!!!!!!!! by Anonymous Coward
    4. FIRSt P0ST!!!! by Anonymous Coward
    5. first post!!!! by Anonymous Coward
    6. ... ad nauseum

    Hmmmm, maybe not
  • The reason you can't brute force a one-time pad is because you'd get an infinite number of possibles.

    Think of your standard alphabetic subsitituion code. Except that EVERY SINGLE BYTE of the message has a different, random, substitution matrix.

    So for the -first- letter, A--X, while the fourth is A--M.

    You could just generate every possible cipher, and you would indeed get the encrypted message -- as well as every other combination of letters N bytes long.

    So "ATTACK AT DAWN" would be disclosed -- as would "ATTACK AT NOON", "FALL BACK NOW!", and "LETS DO LUNCH." ...
  • Although I do believe the article offers a direction in attack analysis, it merely mimics old artificial intelligence, heuristic, approaches, where a specific goal is mapped out.. I bet you could process these things in LISP. Now, to bring this thing to a monster of a science, would be to create fuzzy diagrams, and especially to incorporate Peter Senge's archetypes (they apply to learning organizations, but since they deal with goals and interaction - they should apply here) Anyone want to start a peer review journal for "Attack Analysis"... I'm sure you could get some extra funding from the DoD or NSA to pull that one off ;)
  • Although I do believe the article offers a direction in attack analysis, it merely mimics old artificial intelligence, heuristic, approaches, where a specific goal is mapped out.. I bet you could process these things in LISP.

    Now, to bring this thing to a monster of a science, would be to create fuzzy diagrams, and especially to incorporate Peter Senge's archetypes (they apply to learning organizations, but since they deal with goals and interaction - they should apply here)

    Anyone want to start a peer review journal for "Attack Analysis"... I'm sure you could get some extra funding from the DoD or NSA to pull that one off ;)
  • by Meridun ( 120516 )
    As someone who has tried to implement SMS at work (since remote unattended installs WOULD be nice with 140 workstations), I would have to say that it's far worse than BO2K in terms of potential damage to the system. In fact, right now we have it turned off, after it hosed the profiles of several execs and has caused erratic behavior of a good many employees. All of this from a simple install with no additional features running.

    As soon as we can get a good Linux system with the necessary applications to do our database and telephony interfacing, we're going to dump NT and all the crap that's written for it.

  • No, you only select the category. The direction is built in. At least that's how it was 2 weeks ago when I got a few moderator points.

    However, there is an "overrated" and an "underrated" category that just effects the score, but not the description.
  • Article is mirrored here [].

  • by friedo ( 112163 ) on Thursday December 02, 1999 @07:32PM (#1485588) Homepage
    This is a good model of explaining security threats. For example, look at an operating system like win98 (I'm not just MS bashing 'cause this is slashdot, I'm making an actual point.) By integrating browsers and such so closely into the operating system, Win98 effectively adds opportunities for more leaf nodes. Take the following example: On a UNIX system, you need at least the root password to take ove rthe entire machine. A regular user's password is nice if you need to telnet in. There are a few ways to do this, such as social engineering, getting a root shell via a buggy network daemon, or guessing. Now look at Windows. There are more ways into the system, so there are more branches. You could get an administrator password by the methods mentioned above. Or you might find a bug in a web browser or email program running under an administrative account. By Microsoft "seemlessly integrating" software with their OS, they've created a situation where there are more nodes closer to the root of the tree. In a better security model, you would want as few nodes close to the root as possible, so that any viable points of attack would have to circumvent numerous obsticles to be successful.

    No startling new thoughts, just my own musings. If you can't tell, I found the article pretty interesting, and I've never thought about a hierarchical method of analyzing security risks.

  • This formalizes in a better manner what I do than anything I've read before. I've always refered to attack vectors before. A sequence of steps to attack something is a vector. This allows for multiple vectors to converge at common points. It shows the commonalities between differnt attacks better. I would extend the design to allow more of a net type structure. One may start out on one path, but based on possibilities diverge on to one of a few different paths and eventually come back to the same path.
  • Sorry bout the moderation man. There is apparently a moderator with a very bad sense of humor running around tonight. I got knocked down to Troll for a funny about the /. fleece long sleeve shirts offered on ThinkGeek. Thankfully, I got moderated BACK up to two, but the fact that it was moderated down in the first place.

    Especially on a quickie. How else do you reply to a quickie but with humor?

    I dunno, maybe it's me.

  • I think it cuts you off when you get to 30, or at least, it cut me off.

    I got two upmods the other day, and Then I lost one. It really makes you a lot more aware of what you submit, since you cant get more easy anymore.

    Also, if you get negative karma, you loose the ability to metamodreate. When the karma system opend up, I had -2, in a few days I had gone down to -9 (-10 would have started me out at score 0, not good)

    It took me forever to get back in the black, but after that it was a straight shot to 30...
  • This is a Good point.

    I've been system security guy #5 in a couple of different company's and the first step in teaching a new person the security proccess was to ask them what there password was, and if they told me I would slap them.

    Understand that these people deserved what ever I dished out, the most common complaint at these jobs was that there monitor wouldnt work after they had poured two liters of Orange Crush in the back of it.

    Security was maintained by limiting everones access and making them strickly responsible for there own actions, sharing your password with another employee was a flogging offense. If your were to write it somewhere and leave it where it could be found, you would be thrown from a fourth floor window.

    The only security measures that where purchased, was a smart card swipe at the front door, and big dude named Machette that would growl at you on a regular basis.
  • Its not a bug, the 'reason' next to the score thing only shows the last moderation. (or, posibly the first, or maybe just a random one, who knows). So, if two moderators dissagree, you end up with thigns like +4:offtopic, or somthing like that. Click on the cid number (after the time, the cid for you is #14), to see the total amout of moderation done to the post
  • Whenver you make life 'uncomfortable' for users, there going to try and get around it. The best security mesure is one that is transperant.

    I remember reading about how a hacker had broken into a military faciliy, now of course all the 'classifed' stuff was not on the network, right? Wrong. Each user had two computers on there desk, one was on the 'net, and the other was not. all the 'good stuff' was supposed to be on the disconneced one, however Dissconnected, 'black boxes' had to go through a 3 year long auditing process, so by the time the users got them, they sucked.

    What happend? users put tons of nucliar infomation on there net-connected boxes, beacuse they were simply faster. not good.
  • That's why you never, ever make your spy^H^H^Hnetwork monitoring tool self-replicating. Take the time to install it by hand, and Norton will never get a copy of it.
  • However, it doesn't seem very useful to the designer of a security product. Any security product needs to be used properly in order to be effective hence most of the social engineering routes on the attack tree are irrelevant to the designer of the software (he cannot control what people do with their passphrases).

    I completley dissagree. Part of designing anything involves thinking about not just the object, but how it will be used. While its true that you can't control what users do with passwords, I think that a designer who takes the wetware into account will end up with a more secure product. If the analysis shows that the most likley way for the product to fail is through a human factor, its time to change your notions of how people were interact with the product.

  • Depends - my Linux (at one time) required boot-time entering of password for the on-the-fly encrypted filesystems to work.

    I got annoyed by it eventually, though, and moved to less secure way of just having my "data" filesystems encrypted and mounted/unmounted interactively.

    In the end, though, nothing can really substitute for physical security. Bios cannot be trusted (reset CMOS settings jumper anyone? cutting battery off?), lack of floppy can be trusted to a degree, and non-encrypted filesystems cannot be trusted at all.

    So, if you want machine without attendant to boot properly, physical security cannot be overlooked. If you're willing to enter the filesystem decryption password every boot, security from physical things becomes better, but not total (keyboard snooping anyone?).

  • by delmoi ( 26744 ) on Thursday December 02, 1999 @10:09PM (#1485599) Homepage
    By Microsoft "seemlessly integrating" software with their OS, they've created a situation where there are more nodes closer to the root of the tree.

    It dosn't matter how close the node is to the root, but how many branches there are in total. Even if all the paths to the UNIX root were hundreds of nodes deep, if they exsist at all, the system is vulnerable. The integration of nodes in MS operating systems do add a lot more nodes that connect, at some point, to the root. so the attacker has a lot more options
  • Yeah. I know. There was a bug.

    Look at #4, #6, #7, etc.

    Hopefully it's been fixed... at least temporarily.

    Time to open the (rest of the) source for slash, it's already pretty fast for some things, but it has some weird bugs...

    Incidentally, slashdot *does* pump out html at a frighteningly fast rate, that isn't the bottleneck. I don't know what we can do about the image server, though. At least it's somewhat better now.
    pb Reply or e-mail rather than vaguely moderate [].
  • Take out the flopy drive, and make sure to disable CD-ROM booting as well. Actualy most bioses let you disable Flopy Booting as well.
  • step one:
    steal computer
    step two:
    cut open case
    step three:
    +install hard drive in your computer, and browse away ;)

    Actualy, I remember reading about IBM security teams. They were about 20% effective in breaking techinical security, and were able to just walk out of buildings with computers under there arms 70% of the time....
  • by PG13 ( 3024 ) on Thursday December 02, 1999 @07:42PM (#1485603)
    The attack tree idea seems like something which would be best provided to a company by their security vendor. Suppose I sell products to encrypt a companies valuable secrets now it is to my benifit that companies who buy my product don't get hacked etc.. even if it isn't the fault of my product. Thus it becomes my job to improve the security model of the company I sell to. Providing them with attack trees (maybe in software form) is probably a good way to convince them that using 1 billion bit encryption isn't sufficent if the executive keeps the passphrase in his desk drawer.

    However, it doesn't seem very useful to the designer of a security product. Any security product needs to be used properly in order to be effective hence most of the social engineering routes on the attack tree are irrelevant to the designer of the software (he cannot control what people do with their passphrases). An attack tree of bugs in the program isn't as helpful because a succesful attack is always one which is unanticipated.

    If you realize their is a danger of buffer overflow you add code to prevent the overflow hence at release the developers should always think any route on the attack tree is impossible (in theory the code CAN be safe (unlikely in practice) unlike the implementation of the scheme (people can always be blackmailed etc..) ). Of course a properly designed modular cryptographic program would probably distrust results from its own subroutines (check against faulty returns from your own procedures just as you do against user input) but the attack tree seems to add nothing to this.
  • Due to the press response when Back Orifice came out (frenzy?), everyone who has enough knowledge/need/desire/basic interest to pick up a copy of Dr Dobbs has heard about Back Orifice, and recognize it as a security problem. On the other hand, most people have not heard of SMS, and if they have, do not consider it a security risk.

    In my opinion it was just an author choosing a well known example for his article. By doing this he made the article that much easier to understanhd by the common reader.

    (BTW, the issue of dobbs in question is rather good. Especially the article about Elliptic Curve Cryptography. It made my brain hurt a little, but thats the breaks.)
  • I seldom buy DDJ on the newsstand, but almost did as a result of this article; it is most definitely a useful way of looking at the analysis of security.

    The basic "tool of thought" here is that of the decision tree, which is one of the essential tools provided to us by Von Neumann in the establishment of Game Theory.

    This "establishment of decision trees" can be extremely useful in organizing processes when there are a whole lot of approaches to choose from, and when you need to pick the most feasible ways of "attacking" problems.

    If some good security checklists can fall out of this, that will be a useful thing...

  • by Anonymous Coward
    There is unrest in the forest, There is trouble with the trees. For the maples want more sunlight, But the oaks ignore their pleas.
  • by pb ( 1020 ) on Thursday December 02, 1999 @08:03PM (#1485607)
    No, sorry, it's actually much worse.

    Win '98 doesn't really have administrative accounts. Accounts are all wrong. They might have some "Policies and profiles" stuff, but that's pretty flawed too. I routinely get around Windows "security", and even that usually involves continually taking out OS "features", until there isn't anything usable left.

    I'd be happy to discuss this with anyone. The effort required to really secure a Win '95/'98 box generally isn't worth it, which is why Microsoft sells NT. (not that that's *so* much better, it has its own problems. :)

    Simple exploits:

    F5 or F8 to bypass or mess with boot sequence. Good to disable this, and put a BIOS password on your computer.

    Ctrl-Esc before you're logged in: can still bring up the Task Manager!

    Cancel the log in, if it asks you for one. Often still brings up Windows.

    Ctrl-Alt-Del. 'nuff said.

    On a "locked-down" Windows box, try to get a command prompt or shell window, so as to execute the commands you want to use. Alt-F3, I think, will often still bring up "Find". See if they disabled "Run", "My Computer", etc.

    If you can get to a web browser, set--say--the app for telnet to C:\COMMAND.COM. :)

    If you can get Macros running, in Word or Excel, I think SHELL("C:\COMMAND.COM") works in Word Basic, but you can look up the SHELL command in the help.

    Originally, you could just shut down Windows '95, and then type in DOS commands--it just dropped you to a prompt, and left you in graphics mode, saying "It is now safe to shutdown your computer"! You could type in, say, "MODE CO80", get back to text mode, and play in DOS from there...

    These are just the pretty obvious ones, of course there are more interesting ways to hack Windows, like copying/editing binaries to run other programs, this sometimes gets around that Policies & Profiles crap...

    On UNIX:


    Damn damn damn damn damn! :)
    pb Reply or e-mail rather than vaguely moderate [].
  • yes, bo2k is very similar to SMS. In fact, I'm really pissed that Norton Antivirus removed bo2k from me entire network when I deployed it... a whole day's work setting up this wonderful systems management tool, and norton wiped out all my work. And to boot, symantec says there is no way for me to remove bo2k from the list of virii it checks for. They even told me I , and I quote "Shouldn't be running that sir, it's a dangerous program.". Thank you. I believe *I* will decide how to run my network.

    But seriously.. the fact remains.. if you want to own a windows box, what are you going to use....
    SMS or bo2k? Which is easier to deploy? Which is stealthier? Which is WAY SMALLER?

    I'm not knocking bo2k.. but if I did want to violate someone's system.. I'd certainy count BO as one of my main tools!

    Also, if you are in a workplace, you probably don't HAVE an expectation of privacy, or at least, you shouldn't. It's not your computer, not your email account, and not your work (this can, of course, be debated endlessly, and I don't fully believe this myself.. )

    The article is dealing with analyzing threats to systems. Your boss looking at *his* computer on your desk is hardly a threat... unless you're goofin....

The last thing one knows in constructing a work is what to put first. -- Blaise Pascal