Source: ONLamp.com

I think it is extremely important for an organization to account for the reality of doing business (a risk-based approach, compared to the purist mentality of securing everything) when strategizing an information security plan. It is true that an individual who has a habit of perceiving security issues as purely a technology problem, without understanding the business reality, is likely to make bad security decisions. However, I think some people in corporate security take this argument too far and end up awarding critical roles to individuals that do not have the appropriate skill-set and mind-set. More often than not, this happens when organizations responsible for information security misunderstand the argument to mean that you only need to probe for an understanding of business fundamentals and process management when recruiting for talent. Depending upon the criticality of the role awarded, this can spell disaster. It is my opinion that, in order to construct a talented security team, it is most important to select leaders that have a genuine passion for the technology aspects of information security, yet understand business reality well enough to serve as liaison between technology and business. I believe that genuine passion for information security derives from passion for technology, which in turn derives from passion for science. One does not need a degree in science to satisfy this requirement, but only the tendency to indulge in scientific discourse. The following is therefore one of my favorite questions to ask individuals that have progressed in their career in information security: What have you changed your mind about? Why? John Brockman has posed this question at http://www.edge.org/q2008/q08_index.html.

Richard Dawkins does a fantastic job of explaining why this is such an important question:

When a politician changes his mind, he is a ‘flip-flopper.’ Politicians will do almost anything to disown the virtue - as some of us might see it - of flexibility…. Leading Democratic Presidential candidates, whose original decision to vote in favour of invading Iraq had been based on information believed in good faith but now known to be false, still stand by their earlier error for fear of the dread accusation: ‘flip-flopper’. How very different is the world of science. Scientists actually gain kudos through changing their minds. If a scientist cannot come up with an example where he has changed his mind during his career, he feels the need to apologize. He is suspected of betraying the spirit of science. He is hidebound, rigid, inflexible, dogmatic! It is not really all that paradoxical, when you think about it, that prestige in politics and science should push in opposite directions. I’ll take it no further than just to point it out, with a whiff of irony.

Now that I have brought up the importance of this question, it would be fair for you to expect me to answer it. I can come up with a list of things I have changed my mind about, but I’ll stick to one within the scope of information security: I used to think that weak security controls and insecure software design are the root-cause for the rise of incidents pertaining to the compromise of PII (Personally Identifiable Information; think Social Security Numbers, etc) and other financial details (Credit Card numbers, bank account numbers, etc) that ultimately leads to the compromise of people’s identities (via stolen or lost laptops, phishing, web-site compromise, etc). Of course, weak security controls are no excuse: every effort must be made to securely configure systems and to ensure that secure software design efforts are in place.

In other words, insecure system and application implementations obviously facilitate the problem, but I no longer believe that they are the root-cause. I believe that the root-cause for the reason why people’s identities are being compromised at an alarmingly increasing rate (data leakage) is that the financial institutions authenticate transactions based on static identifiers. To put it another way, think of a scenario where you are given an identifier such as the following: 1R3D1D9JJBKDD2ADCDB09234. You are then told that your identifier is your identity, and it can never be replaced. Having heard this, you do your best to protect its secrecy. However, you are also told that you need to disclose the identifier in order to commit any financial transaction. In other words, you must disclose it every time you apply for a loan, open a bank account, sign a cell phone contract, sign up for cable TV, obtain employment, and so on. After a few years, your identifier is likely to be found persisted on hundreds of databases across the world: your employer, your bank, your cable TV company, and any other organization you have committed a financial transaction with is likely to have a copy of it. The companies you give this information to promise to perform routine security audits to ensure that your identifier is secure.

Here’s another scenario. Let’s assume you live in a world where your email address is also the password used to access your email. You are therefore instructed to only share your email address with people you trust. Your web-based email provider promises to perform routine audits on its applications to give you assurance that they are free of security vulnerabilities.

The examples sound absurd, don’t they? Well, they are good examples of how Social Security Numbers (SSNs) work, and exactly how Credit Card numbers work. You take care not to blurt out your SSN to anyone on the street, yet it is likely to be stored on hundreds of corporate databases. You take care not to expose your Credit Card number, but you must hand it over to people you don’t know at retail stores if you want to use it.

We aren’t going to solve the problem of online PII compromise and identity theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought. Commercial financial institutions such as credit card companies and banks realize that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the cost. This is the reason why the system has not changed. Unfortunately, financial institutions only take into account their own cost when making this decision, but it also ends up affecting the lives of millions of people who have to pay with their identities when such fraud is committed (this cost is also shared by other companies that want to have the capacity to process transactions; the PCI standard is a good example of this situation). For the next few years, we are going to continue to apply Band-Aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand. In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know we’ve accomplished this when we are able to publish our credit reports publicly without compromising our identities.

What have you changed your mind about? Feel free to comment below. [In the spirit of science, I’d like to conclude with a video clip from the TED conference that delights me every time I watch it].
     
Source: ONLamp.com

Generate cryptographically secure hashes with hashlib.

Module: hashlib
Purpose: Cryptographic hashes and message digests
Python Version: 2.5

Description: The hashlib module deprecates the separate md5 and sha modules and makes their API consistent. To work with a specific hash algorithm, use the appropriate constructor function to create a hash object. Then you can use the same API to interact with the hash no matter what algorithm is being used. Since hashlib is “backed” by OpenSSL, all of the algorithms provided by that library should be available, including:
md5() sha1() sha224() sha256() sha384() sha512()
MD5 Example: To calculate the MD5 digest for a block of data (here an ASCII string), create the hash, add the data, and compute the digest.
import hashlib
from hashlib_data import lorem
h = hashlib.md5()
h.update(lorem)
print h.hexdigest()
This example uses the hexdigest() method instead of digest() because the output is formatted to be printed. If a binary digest value is acceptable, you can use digest().
$ python hashlib_md5.py
c3abe541f361b1bfbbcfecbf53aad1fb
SHA1 Example: A SHA1 digest for the same data would be calculated in much the same way:
import hashlib
from hashlib_data import lorem
h = hashlib.sha1()
h.update(lorem)
print h.hexdigest()
Of course, the digest value is different because of the different algorithm.
$ python hashlib_sha1.py
ac2a96a4237886637d5352d606d7a7b6d7ad2f29
new(): Sometimes it is more convenient to refer to the algorithm by name in a string rather than by using the constructor function directly. It is useful, for example, to be able to store the hash type in a configuration file. In those cases, use the new() function directly to create a new hash calculator.
import hashlib
import sys

try:
    hash_name = sys.argv[1]
except IndexError:
    print 'Specify the hash name as the first argument.'
else:
    try:
        data = sys.argv[2]
    except IndexError:
        from hashlib_data import lorem as data

    h = hashlib.new(hash_name)
    h.update(data)
    print h.hexdigest()
When run with a variety of arguments:
$ python hashlib_new.py sha1
ac2a96a4237886637d5352d606d7a7b6d7ad2f29
$ python hashlib_new.py sha256
88b7404fc192fcdb9bb1dba1ad118aa1ccd580e9faa110d12b4d63988cf20332
$ python hashlib_new.py sha512
f58c6935ef9d5a94d296207ee4a7d9bba411539d8677482b7e9d60e4b7137f68d25f9747cab62fe752ec5ed1e5b2fa4cdbc8c9203267f995a5d17e4408dccdb4
$ python hashlib_new.py md5
c3abe541f361b1bfbbcfecbf53aad1fb
Calling update() more than once: The update() method of the hash calculators can be called repeatedly. Each time, the digest is updated based on the additional text fed in. This can be much more efficient than reading an entire file into memory, for example.
import hashlib
from hashlib_data import lorem
# Digest the whole text in a single update() call.
h = hashlib.md5()
h.update(lorem)
all_at_once = h.hexdigest()

def chunkize(size, text):
    "Return parts of the text in size-based increments."
    start = 0
    while start < len(text):
        chunk = text[start:start+size]
        yield chunk
        start += size
    return

# Feed the same text to a fresh hash object one chunk at a time.
h = hashlib.md5()
for chunk in chunkize(64, lorem):
    h.update(chunk)
line_by_line = h.hexdigest()

print 'All at once :', all_at_once
print 'Line by line:', line_by_line
print 'Same        :', (all_at_once == line_by_line)
This example is a little contrived because it works with such a small amount of text, but it illustrates how you could incrementally update a digest as data is read or otherwise produced.
$ python hashlib_update.py
All at once : c3abe541f361b1bfbbcfecbf53aad1fb
Line by line: c3abe541f361b1bfbbcfecbf53aad1fb
Same        : True
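The two ideas above, selecting the algorithm by name with new() and feeding data incrementally with update(), combined into one Python 3 example that is added here and is not PyMOTW code. It assumes Python 3 (hashlib wants bytes, not str) and replaces the page's `lorem` text with a constructed sample; the streaming digest is checked against the one-shot digest, against a published SHA-256 test vector, and against a copy of the input with one bit flipped.

```python
import hashlib
import hmac
import io

# Constructed sample input standing in for the page's `lorem` text (not from the original).
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 40


def digest_all_at_once(data: bytes, algorithm: str = "md5") -> str:
    """Hash a complete in-memory buffer, picking the algorithm by name via hashlib.new()."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported hash algorithm: %s" % algorithm)
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_stream(stream, algorithm: str = "md5", chunk_size: int = 64) -> str:
    """Hash a file-like object incrementally; only chunk_size bytes are held at a time."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported hash algorithm: %s" % algorithm)
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)  # repeated update() calls accumulate exactly like one big call
    return h.hexdigest()


def digest_bytes_in_chunks(data: bytes, algorithm: str = "md5", chunk_size: int = 64) -> str:
    """Convenience wrapper: stream an in-memory buffer through digest_stream()."""
    return digest_stream(io.BytesIO(data), algorithm, chunk_size)


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: compare digests in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(digest_all_at_once(data, algorithm), expected_hex.lower())


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Return a copy of data with a single bit flipped, to show the digest changes completely."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        whole, streamed = digest_all_at_once(SAMPLE, name), digest_bytes_in_chunks(SAMPLE, name)
        print("%-6s all at once: %s\n%-6s streamed   : %s\n%-6s same: %s" % (name, whole, name, streamed, name, whole == streamed))
    # Known-answer test: SHA-256("abc") from the FIPS 180 test vectors.
    print("sha256('abc') ok:", verify_digest(b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
    print("bit flip detected:", digest_all_at_once(SAMPLE, "sha256") != digest_all_at_once(flip_one_bit(SAMPLE), "sha256"))
```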
   
Source: ONLamp.com I really don’t know what this means, but here is the page that contains the headline. Further down in the page are a few details regarding the announcement. Here are those details:
Python has been declared as programming language of 2007. It was a close finish, but in the end Python appeared to have the largest increase in ratings in one year time (2.04%). There is no clear reason why Python made this huge jump in 2007. Last month Python surpassed Perl for the first time in history, which is an indication that Python has become the “de facto” glue language at system level. It is especially beloved by system administrators and build managers. Chances are high that Python’s star will rise further in 2008, thanks to the upcoming release of Python 3.