SAN FRANCISCO – Oddly enough, when listening to Dan Kaminsky speak about information security, it's possible to feel really smart and really dumb at the same time: Dumb because few in the industry can ever hope to comprehend advanced concepts like DNSSEC and homomorphic encryption as well as he does, and smart because of his ability to analyze security issues through a unique prism that somehow turns vexing problems into fascinating revelations.
During a talk at RSA Conference 2012 Wednesday, Kaminsky, chief scientist for DKH, turned his unique brand of unconventional wisdom toward security innovation, examining concepts in security that are widely considered troubling but can be used more effectively, and others that are widely used but may not be as effective as they seem.
At the top of the list of security technologies getting a bad rap were passwords. While a show of hands from the audience indicated the majority of attendees agreed that passwords are a fundamentally broken technology, Kaminsky didn't shy away from challenging that perception.
"You know what's amazing about passwords? They totally work," Kaminsky said. "The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."
He said other authentication technologies are either too difficult to use, or, in the case of biometrics, too easy to beat, which he demonstrated by simply picking up a bottled water. "I touched this Crystal Geyser, and I put my authentication credentials on it," Kaminsky said, pointing to his thumbprint on the bottle.
Kaminsky said for those reasons the industry is "stuck with" passwords for now, but there are ways to improve how passwords are implemented and used. One such way could be through server-side password generation. Though server-generated passwords would be random and more difficult for individuals to remember, Kaminsky said they would eliminate the use of commonly used, easily guessed passwords.
"Over time, through various data breaches, massive dumps of passwords have started to come out, and we're analyzing them," Kaminsky said. "What's the most common password? 'Password1', because it's got an uppercase letter, lowercase letters and a number," he said, referring to the minimum requirements most enterprises place on user passwords.
An easier way to make passwords more secure, Kaminsky said, is to mandate 12-character passwords, but make them all lowercase letters so users can create passphrases that are long but easy to remember. Increasing the length of passwords and thereby making them harder to crack is critical, he added, but it has to be done in a way that doesn't overly tax the human memory.
'I love APT'
Kaminsky, who became an industry superstar in 2008 when he revealed critical flaws in the Domain Name System (DNS) that could allow attackers to redirect traffic at their discretion, shared a unique take on the concept of advanced persistent threats, or APT. Though he admitted the industry as a whole loathes the term, Kaminsky said he loves it.
"As a researcher, there really isn't anything advanced about this stuff," he said. But through APT "we have finally found a way, as an industry, to speak about these attacks that we can't deal with because once they get in, they stay in forever.
"If we have to put a new label on it to admit we're losing this battle, great," Kaminsky added. "We have a term for a conversation that can finally be had."
Security needs better science
Conversely, Kaminsky questioned some long-standing technologies, like endpoint antivirus. He said it's one of several areas in information security where the effectiveness of the commonly used technologies has never really been proven through genuine double-blind comparative analysis of the kind the pharmaceutical industry relies on.
What he'd like to see is a study that places antivirus software on 2,000 machines and compares infection rates of those machines during a six-month period against 2,000 other machines that don't have antivirus software.
"No one's talking about doing anything on this scale," Kaminsky said. Instead, they choose to accept the status quo that antivirus needs to be on all endpoints. "It's not like we aren't spending enough time on security, but we're not spending enough time on science."
An alternative to database encryption?
In that same vein, Kaminsky touched on database encryption. While it's widely prescribed as a compliance panacea, he said in reality if an attacker gains access to a database through an SQL injection flaw, for example, the attacker gains access to the database encryption keys as well, negating the benefit of the encryption.
A more effective alternative, Kaminsky proposed, is to give the database application itself a hard-coded encryption key and have it encrypt database columns as needed. Separating the key from the database means an attacker who gains back-end access can't recover the encrypted data without also having full code-execution privileges on the front end.
"No one was more surprised than me to realize hard-coded keys in an application can be a good idea, but they can be," Kaminsky said. "There are in fact circumstances where an attacker has one piece, but not the other."
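The separation Kaminsky describes, as an added illustration that is not from the talk or from any product: the application tier holds the key and encrypts column values before they reach the database, so the stored bytes alone are useless to anyone who only has back-end access. The key value, column name and sample data are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// appKey lives only in the application tier, never in the database. This is a
// constructed 32-byte value standing in for the hard-coded key Kaminsky describes.
var appKey = []byte("0123456789abcdef0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptColumn seals one column value with AES-256-GCM under the app key.
// The random nonce is prepended so every row decrypts independently.
func encryptColumn(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptColumn reverses encryptColumn. With the wrong key, or a row altered
// in the database, GCM authentication fails and an error is returned.
func decryptColumn(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored value too short: %d bytes", len(stored))
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}
```

The service calls encryptColumn before an INSERT and decryptColumn after a SELECT; an attacker holding only the stored bytes, as one who got in through SQL injection would, cannot open them without the key that lives in the application code.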
Eric B. Parizo is senior site editor of TechTarget's Security Media Group. His rants can also be heard each month on SearchSecurity.com's Security Squad podcast.
This was first published in March 2012