smartgrid-discuss message


Subject: Re: [smartgrid-discuss] Pricing from the NIST TWIKI


With all due respect, Larry, the (internet security) world has changed
quite a bit since these assumptions were made.  What worked even as
recently as 10 years ago, is no longer sufficient.  Ample evidence of
this is available in the CIO-PwC State of Information Security survey
conducted each year around the world.

Attackers don't necessarily bother going after the few transactions
that involve hundreds of millions of dollars, when they can be just as
productive with tens of millions of transactions involving just tens or
hundreds of dollars - the end-result is the same to them.

SSL/TLS is completely useless against key-stroke loggers, and
rainbow-table attacks on secret-key based, single-factor authentication.
A simple internet search shows many man-in-the-middle attacks on SSL
(including one just two weeks ago).

The messaging security of the future does not depend on media-based
protection at all.  It assumes that everything - the network, disk
drive, database, SAN/NAS, etc. - except the two applications
communicating with each other - is untrusted.  Take a look at
the Symmetric Key Services Markup Language (SKSML) specification, and
the eNotarization Markup Language (ENML) specification to see examples
of this:

http://www.oasis-open.org/committees/document.php?document_id=30091&wg_abbrev=ekmi

Any new messaging protocol that does not take into account the current
state of the internet - no matter how small or insignificant the
transaction may be - unwittingly plays into the hands of the attackers
of the 21st century.

Arshad Noor
StrongAuth, Inc.

Larry Lackey wrote:
> "Guaranteed" messages with non-repudiation are important, for instance
> being used by single enterprises for billions of dollars per year in
> purchasing / sales, a situation with some parallels to contracting for
> energy.
> 
> In other cases, for example, a secure channel, typically SSL/TLS, with
> best effort delivery has been "good enough" for other types of messages.
> 
> Decisions were made considering the nature of the business relationship
> where one size does not fit all, and delivery mode, non-repudiation, and
> other options are different dimensions to meet the business
> requirements.
> 
> 
> -----Original Message-----
> From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
> Sent: Tuesday, December 30, 2008 11:47 AM
> To: Larry Lackey
> Cc: Toby Considine; smartgrid-discuss@lists.oasis-open.org
> Subject: Re: [smartgrid-discuss] Pricing from the NIST TWIKI
> 
> Unfortunately, allowing for this type of distinction has allowed
> "phishing" to become one of the most lucrative attacks for attackers
> in the financial industry today.
> 
> A bank can choose to send messages to its customers using "best
> effort, advisory" messages, or it can send "guaranteed, signed"
> messages.  What do you think they do today that allows attackers
> to mimic messages on a daily basis about " your account has been
> compromised" and to "login and update your credentials"?
> 
> If you think that the smartgrid is going to remain impervious to
> attackers, think again.  Any time a power-supplier sends out "best
> effort, advisory" messages, it will be used to attack consumers and
> systems if the attackers can make a buck out of it (and they will
> figure out a way to do it).
> 
> My recommendation: make *ALL* messages guaranteed and non-repudiable.
> 
> This is the only way to assure yourselves that you have a chance of
> preventing the kind of mess the financial industry has created for
> itself using "best effort, advisory" messages.  There is no guarantee
> that "guaranteed, signed" messages will prevent "phishing" attacks
> on the smartgrid, but it certainly raises the cost significantly for
> attackers - perhaps even enough to completely prevent the attacks
> (unless real-world, physical controls are compromised and insiders
> collude to game the system).
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Larry Lackey wrote:
> 
>> Messaging standards such as JMS provide different qualities of service,
>> QoS, to meet different business requirements. Both "best effort" and
>> "guaranteed" have their place depending upon the situation, for example:
>>
>> Guaranteed in situations where messages have significant legal
>> implications and services such as non-repudiation (mentioned below) are
>> appropriate.
>>
>> Best effort in advisory type messages.
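The recommendation running through this thread is that every message a supplier sends, including low-value advisories, should be signed at the application layer so that the consumer verifies the message itself rather than trusting the channel it arrived over. The following Go program is an added example written for this archive page; it is not code from the thread, from StrongAuth, or from the SKSML or ENML specifications. It assumes Ed25519 signatures (the thread names no algorithm), a constructed sender name "utility-co", a public key the consumer has obtained out of band, and a per-sender sequence number to reject replays (an addition not discussed in the thread). It shows a forged "update your credentials" advisory, a message tampered in transit, and a replayed message all being rejected while a genuine advisory is accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Advisory is the application-level payload: the claimed sender, a
// monotonically increasing sequence number, and the advisory text.
type Advisory struct {
	Sender   string `json:"sender"`
	Sequence uint64 `json:"sequence"`
	Text     string `json:"text"`
}

// SignedAdvisory carries the payload plus an Ed25519 signature over its
// canonical encoding. The consumer checks the signature, not the transport.
type SignedAdvisory struct {
	Body      Advisory `json:"body"`
	Signature []byte   `json:"signature"`
}

// canonical produces the exact bytes that are signed and verified.
// encoding/json emits struct fields in declaration order, so both sides agree.
func canonical(a Advisory) ([]byte, error) {
	return json.Marshal(a)
}

// Sign is what the supplier does before releasing any message, advisory or not.
func Sign(priv ed25519.PrivateKey, a Advisory) (SignedAdvisory, error) {
	msg, err := canonical(a)
	if err != nil {
		return SignedAdvisory{}, err
	}
	return SignedAdvisory{Body: a, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrUnknownSender = errors.New("sender not in trusted key set")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrReplay        = errors.New("sequence number not newer than last accepted")
)

// Verifier holds the public keys a consumer trusts, keyed by sender name, and
// the last sequence number accepted from each sender.
type Verifier struct {
	Trusted  map[string]ed25519.PublicKey
	LastSeen map[string]uint64
}

func NewVerifier(trusted map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{Trusted: trusted, LastSeen: map[string]uint64{}}
}

// Accept returns nil only when the signature verifies under the key trusted
// for the claimed sender and the sequence number is fresh for that sender.
func (v *Verifier) Accept(s SignedAdvisory) error {
	pub, ok := v.Trusted[s.Body.Sender]
	if !ok {
		return ErrUnknownSender
	}
	msg, err := canonical(s.Body)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return ErrBadSignature
	}
	if s.Body.Sequence <= v.LastSeen[s.Body.Sender] {
		return ErrReplay
	}
	v.LastSeen[s.Body.Sender] = s.Body.Sequence
	return nil
}

func main() {
	// Constructed keys and messages; a real deployment distributes the
	// supplier's public key to consumers out of band.
	supplierPub, supplierPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(map[string]ed25519.PublicKey{"utility-co": supplierPub})

	genuine, _ := Sign(supplierPriv, Advisory{Sender: "utility-co", Sequence: 1, Text: "Peak pricing 16:00-19:00"})
	fmt.Println("genuine:", v.Accept(genuine))

	// An attacker holding only their own key cannot speak as utility-co.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Sign(attackerPriv, Advisory{Sender: "utility-co", Sequence: 2, Text: "Your account is compromised; log in to update your credentials"})
	fmt.Println("forged:", v.Accept(forged))

	// Altering a genuine message in transit breaks its signature.
	tampered := genuine
	tampered.Body.Text = "Peak pricing cancelled"
	fmt.Println("tampered:", v.Accept(tampered))

	// Resending the genuine message is caught by the sequence check.
	fmt.Println("replayed:", v.Accept(genuine))
}
```

The verifier's trust anchor is the supplier's public key, so the guarantee is only as strong as how that key reaches consumers and how the supplier protects its private key; the thread's closing caveat about insiders and physical controls applies to exactly that part of the system.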

