Re: [SC-L] Question about the terms "encypt" and "secure"
On Sun, 05 Mar 2006 12:35:23 -0500 "William L. Anderson" <[EMAIL PROTECTED]> wrote: > Today's NYTimes has an article about "piggybacking" on open wireless > networks and what some people think about it and what some are doing > about it. The link is: > http://www.nytimes.com/2006/03/05/technology/05wireless.html > (subscription may be req'd) > > One question popped up for me when I read the following sentence: > > "For the Brodeurs in Los Angeles, a close reading of their network's > manual helped them to finally encrypt their network." > > My question is whether it's more accurate to say "secure their network" > rather than "encrypt". I'm not clear myself about the meaning of these > terms; I think of encryption as being one way to make a network secure. > > And if there is a substantive difference in these terms, then I'd like > to understand it. I believe that a better understanding of security > would help ordinary users take more secure actions. I'm an optimist. > I suspect that in general you're right, but in this case they really meant "encrypt" -- turn on WEP to secure the net. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
RE: [SC-L] Question about the terms "encypt" and "secure"
I think it's important to understand the difference between encryption and security (or being secure). Encryption is a tool, being secure is a state. Think of encryption as a lock on a door. Putting a lock on a door doesn't necessarily make your house any more secure. If you leave your windows open or leave your key under the doormat your not really any more secure. Even if you don't leave you windows open and have a key lying around, some one can always break the door down or our force themselves in as you enter or exit. Encryption functions much the same way - it's a tool. If used properly, it can help to secure your system. Unfortunately, using encryption rarely translates into having a secure system. WEP, the first wireless encryption protocol, has been vulnerable for a long time (it's pretty much worthless). WPA, the successor to WEP, is also vulnerable to attack if you have a weak encryption key. Even if you were sure that the protocol to encrypt your networks works, an attacker could try to steal the key or brute force it. Then there is the issue of client security - which brings up a whole different set of security problems. Clicking on a few check boxes and setting a key to a wireless network may encrypt the traffic between the clients and the WAP, but that doesn't mean your network is any more secure. -dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William L. Anderson Sent: Sunday, March 05, 2006 10:35 AM To: Secure Coding Mailing List Subject: [SC-L] Question about the terms "encypt" and "secure" Today's NYTimes has an article about "piggybacking" on open wireless networks and what some people think about it and what some are doing about it. The link is: http://www.nytimes.com/2006/03/05/technology/05wireless.html (subscription may be req'd) One question popped up for me when I read the following sentence: "For the Brodeurs in Los Angeles, a close reading of their network's manual helped them to finally encrypt their network." My question is whether it's more accurate to say "secure their network" rather than "encrypt". I'm not clear myself about the meaning of these terms; I think of encryption as being one way to make a network secure. And if there is a substantive difference in these terms, then I'd like to understand it. I believe that a better understanding of security would help ordinary users take more secure actions. I'm an optimist. -Bill Anderson ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
RE: [SC-L] Question about the terms "encypt" and "secure"
At 6:04 AM -0800 3/6/06, Jeremy Epstein wrote: > Encryption is one way to secure the *transport* on the network (subject to > various caveats about appropriate use of crypto, trust issues, etc.). I'd > strongly disagree with anyone who says that encryption "makes a network > secure" - because people interpret that to mean "if I encrypt the network, I > don't need to do anything else". I cannot think of any other _network_ security mechanisms that do not also apply to securing a single multiuser machine. -- Larry Kilgallen ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
RE: [SC-L] Question about the terms "encypt" and "secure"
Encryption is one way to secure the *transport* on the network (subject to various caveats about appropriate use of crypto, trust issues, etc.). I'd strongly disagree with anyone who says that encryption "makes a network secure" - because people interpret that to mean "if I encrypt the network, I don't need to do anything else". In fact, there's lots of other things you need to do, such as authenticating the actions, ensuring you have adequate audit trails, ensuring that there are no security vulnerabilities, etc. Some people consider that to be host security as a separate topic, and so for them, encryption *does* secure the network. But I get nervous when someone says encryption secures the network, lest it be considered as an excuse to ignore all the other problems. WRT the Marine Guards approach, years ago another approach was to run cables through pressurized conduits with sensors to detect if anyone tampered with the conduit before they could tap into the line. No idea if this is still done, or if there are new attacks possible (e.g., measuring the power leakage from the conduits). At that time, "Orange Book" evaluations weren't allowed to rely on cryptography as a security measure, so a network evaluation I worked on suggested using the Marine Guards approach. Not that we expected anyone to do it, but it was the only way to get past the ridiculous requirement... --Jeremy > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of ljknews > Sent: Monday, March 06, 2006 8:00 AM > To: Secure Coding Mailing List > Subject: Re: [SC-L] Question about the terms "encypt" and "secure" > > At 12:35 PM -0500 3/5/06, William L. Anderson wrote: > > > My question is whether it's more accurate to say "secure > their network" > > rather than "encrypt". I'm not clear myself about the > meaning of these > > terms; I think of encryption as being one way to make a > network secure. > > Another way that was described some years ago was Marine > Guards every 5 feet down the Thick Ethernet cable to prevent > unauthorized taps. Of course that was by someone in the > cryptographic business :-) > -- > Larry Kilgallen > ___ > Secure Coding mailing list (SC-L) > SC-L@securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
RE: [SC-L] Question about the terms "encypt" and "secure"
This is a very good question and is worth a careful answer. For most "off the shelf" users and press people, "securing" and "encrypting traffic on" do amount to the same thing when it comes to wireless networks. In this case, the encryption they turn on is hopefully WPA and not WEP. Early versions of 802.11b were not secure even when WEP was enabled. (Possibly the most interesting invasion of privacy around that problem was the X10 camera interception attack: http://www.g4tv.com/techtvvault/features/36722/Cracking_X10_Cams.html). The problem was a serious design flaw in WEP itself...that's the kind of stuff we all talk about here. Google up Avi Rubin's WEP crack work. But turning the security feature "on" may not be enough to really secure a wireless installation. Some people go to great lengths to re-key often, hardwire MAC addresses, etc to protect their wireless networks. It all depends on what you use your wireless net for. My wireless net is completely open out at my house. But the nearest neighbor is 1/2 a mile away. For someone to steal my signal without investing in a more powerful antenna, they would be very much visible from the house. (BTW, this is not an invitation to come borrow my wireless net bruce!) There are a number of good books on wireless security. The one I recommend most highly is Bill Arbaugh's book http://www.amazon.com/gp/product/0321136209/qid=1141652351/sr=1-2/ref=sr _1_2/102-4633854-8331342?s=books&v=glance&n=283155. I am also a fan of Bruce Potter's book http://www.amazon.com/gp/product/0596100523/ref=pd_bxgy_img_b/102-463385 4-8331342?%5Fencoding=UTF8. For the purposes of this list, we use the term "securing" to mean "designing and implementing properly"...sometimes with the additional implied "oh yeah and installing and operating properly too." As Mike Howard says pithily, "software security is not security software." gem www.swsec.com This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] Question about the terms "encypt" and "secure"
At 12:35 PM -0500 3/5/06, William L. Anderson wrote: > My question is whether it's more accurate to say "secure their network" > rather than "encrypt". I'm not clear myself about the meaning of these > terms; I think of encryption as being one way to make a network secure. Another way that was described some years ago was Marine Guards every 5 feet down the Thick Ethernet cable to prevent unauthorized taps. Of course that was by someone in the cryptographic business :-) -- Larry Kilgallen ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
[SC-L] Question about the terms "encypt" and "secure"
Today's NYTimes has an article about "piggybacking" on open wireless networks and what some people think about it and what some are doing about it. The link is: http://www.nytimes.com/2006/03/05/technology/05wireless.html (subscription may be req'd) One question popped up for me when I read the following sentence: "For the Brodeurs in Los Angeles, a close reading of their network's manual helped them to finally encrypt their network." My question is whether it's more accurate to say "secure their network" rather than "encrypt". I'm not clear myself about the meaning of these terms; I think of encryption as being one way to make a network secure. And if there is a substantive difference in these terms, then I'd like to understand it. I believe that a better understanding of security would help ordinary users take more secure actions. I'm an optimist. -Bill Anderson smime.p7s Description: S/MIME Cryptographic Signature ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php