cyberul.html

Posted Aug 17, 1999
Authored by Tan

Cyber UL - "Paper discussing the way computer security systems are rated and how out of whack these ratings are from reality. Maybe a system based on the ratings the UL uses for alarm systems and safes makes more sense."

tags | paper
MD5 | 04fd4afa9299decc006a7acdf3a77f4b

<PRE>
Cyberspace Underwriters Laboratories
tan@l0pht.com

Cyberspace Underwriters Laboratories - 01/11/1999
Underwriters Laboratory

Underwriters Laboratories was founded in 1894 by an electrical
inspector from Boston, William Henry Merrill. In 1893, Chicago
authorities grew concerned over the public safety due to the
proliferation of untamed DC circuits and the new, even more dangerous
technology of AC circuits. These new and little-understood
technologies threatened our society with frequent fires which caused
critics to question if the technology could ever be harnessed safely.
Merrill was called in and set up a one-room laboratory with $350.00 in
electrical test equipment and published his first report on March 24,
1894.

Back in Boston, insurance underwriters rejected Merrill's plans for a
non-biased testing facility for certification of electrical devices.
Chicago however, embraced the idea. Merrill took advantage of the
situation in Chicago to get up and running and within months had
support at the national level.

Today, UL has tested over 12,500 products world-wide and is an
internationally recognized authority on safety and technology. The UL
mark of approval has come to provide an earned level of trust between
customers and manufacturers and safely allowed our society to leverage
hundreds of inventions that would have otherwise been unfit for public
use.

While originally targeting inventions which could potentially cause
physical harm to the user, the UL has expanded into the listing of
alarm system products as well as alarm system installers. Individual
products are listed as meeting UL standards and the companies that
install those products are also listed as qualified to install the
product as intended. Insurance companies have leveraged the UL's
scrutiny to properly ascertain their risks.

Cyberspace

Today, technology continues to grow at a rapid pace, perhaps even out
of control. The commercialization of the Internet has led many
businesses to offer services out there in what has been called the
Wild Wild West (WWW). As a result, the public safety is at risk.
Utilities are bridging control systems to Internet attached
back-office systems. Banks are offering 'cyber-banking' and merchants
are collecting information about consumers as they transact their
business over the Web. Individual privacy and the fiduciary trust
banks and merchants have established over hundreds of years are open
to new threats as these activities become more and more prevalent.

Similarly to early electrical inventions, today's computer security
products may introduce more harm than good when implemented by end
users. While some of these products do what they claim, most do not.
The lack of standards and meaningful certification has allowed the
sale of products that are either intentionally or unintentionally
snake-oil. While many of the products may solve old problems and
inadvertently introduce worse ones, some just do not perform as
advertised at all. For instance, some products have been marketed as
utilizing the latest and greatest encryption mechanisms when in fact,
the version they are selling does not utilize any encryption at all.

Just as in the late 1800's, the consumers have little understanding of
the inventions they are purchasing. They are presented with claims by
the product's marketers and have no way of proving those claims to be
true or false. Just as it was back then, this has not stopped the
large-scale application of these inventions, regardless of public
safety. In the late 1900's, nobody has stepped up to the plate to
expand the UL's role into computer security products or to take that
role as their own. To some extent, groups like Nomad Mobile Research
Center and L0pht Heavy Industries have acted as modern-day Merrills,
publishing non-biased findings to this effect.

This is not to say that certification of computer security products
has not been attempted in the past. ICSA for instance, operates a
certification program for products. CISSP and other organizations also
offer certification of information security professionals. These
organizations however, have failed drastically at providing what the
UL has provided on a more general 'technology' level. These failures
could be examined in detail but such an exercise is outside the scope
of this article.

The bottom line for ICSA is that it does not have the rigorous
standards that the UL has and its credibility has suffered as a
result. ICSA fails to see the certification process as ongoing or
cyclical allowing for products to inherit their 'certification'. As a
result, it is believed by some that there is a problem in that there
is a lack of non-biased inspection of software and that money buys
more certifications than good product design and implementation.

CISSP certifies individuals in the computer security industry. While
sorting out those who are fluent in the industry jargon and concepts,
the work of CISSPs still lacks accountability in that their
certification is tied to a test rather than what the UL refers to as
a 'field counter-check'. Like most computer certifications however,
this is simply a test of test-taking skills rather than a test of
experience and understanding.

Cyber-UL

Product certification needs to be performed on every version of a
product. Small changes that could ripple through traditional
technologies causing safety problems are at least ten fold when
applied to computer software. Many similarities may be drawn between
the certification of computer security products and the listing of
alarm systems and components that UL performs today.

UL has a stringent set of tests which are performed on physical
security systems which seek UL listing. For instance, safes and vaults
have a number of different labels which indicate their adherence to
different standards. UL utilizes 'young hotshot' safe-crackers wishing
to make a name for themselves, to do the actual testing. This way,
specialists are motivated (by not only fame but by financial
compensation as well) to validate the claims that the vendors'
marketing people want to make. The entire safe and vault business
operates around these ratings to communicate to the customer what it
is that the product was designed to do. Based on value and risk, a
customer may choose to spend more or less on higher or lower rated
labels.

The two major factors which influence the level of rating are time and
tools. The 'hotshot' safe-crackers are given samples of the product
and guidelines for their attempts to defeat its security. For
instance, a TL-30 rating means that the cracker is limited to tools
not including torches or explosives and is given 30 minutes of actual
working time to defeat the security. If X6 is appended to the rating,
the rating applies to not only the door, but the container (the rest
of the safe). This aligns the vendor's claims to the actual
performance of the product. Also, if a new version of the safe comes
out, it does not inherit the old version's listing, it must be
re-listed.

This addresses a big problem that was sure to arise with safe vendors
and has definitely risen in the computer security arena. Customers,
due to human nature, want products to be certified as 'secure'. Just
as customers like to hear promises of security, vendors love to make
them. In 1913, UL tested the first 'security devices'. With this
expansion into security devices, they recognized the need to replace
the word 'Approved' with the words 'Inspected' or 'Listed'. Due to
what UL has established with security devices, customers are not
lulled into a false sense of security and vendors do not make
outrageous claims. Customers are presented with 'product x is rated at
rating y' rather than 'its ICSA certified'. Vendors claim to be
resistant to certain toolsets for certain amounts of time. This is not
what the computer security field looks like today, but is where it
needs to go. The manufacturer and consumer must realize that testing
'security' is not the same as testing 'functionality' and because of
that, claims need to be adjusted to fit reality. If a door-knob opens
a door, the door works. If a safe-lock opens when you dial the
combination, it does not mean the safe works. You can however, perform
tests on the safe to assure that it operates as advertised within
certain heat and force constraints.

While listing individual devices as meeting UL standards is useful to
a security professional or consumer, it is only a small part of the
picture. Installation and configuration of components is critical to
the actual effectiveness of the security solution. For this reason,
installation of alarm systems is another area of influence for the UL.
This may seem like a daunting task since the number of implementations
is exponential to the number of products. UL has, with only about
4,000 employees, listed more than 12,500 products in over 40 countries
and developed over 600 standards for product safety. The tack taken to
assure the correct installation of alarm systems has been to list
alarm installation companies. Systems installed by UL listed companies
may qualify for a UL issued certificate. The certificate registers the
customer's alarm system, which then becomes an eligible candidate for
'field counter-checks' (spot-audits) which are performed to assure that
listed installers are not cutting corners. If a system which has
received a certificate fails the field counter-check, the installer
could potentially lose their UL listing. The UL has maintained a
quality program by scaling the number of field counter-checks as
needed.

Problems with the model

While the UL model for security devices seems to address many of the
same issues that surround Cyberspace, there are a number of problems
with deploying the model for computer security devices as it stands.

The first problem is that if a security system is defeated in the
physical world, it is typically very obvious to those who come into
work on Monday and see that the money is gone and the safe is in
pieces. Detection of a cyber intrusion is typically NOT very obvious
to those who come into work on Monday. Because of this fact,
safe-crackers have very limited time to crack a vault. Hackers on the
other hand, have unlimited time to crack a system. Once they get in,
safe crackers typically REMOVE items which then become 'missing'.
Hackers typically COPY items unless their motives are political rather
than financial, leaving the originals and the system intact. For cyber
intrusions to become less surreptitious, intrusion detection needs to
mature and become more widely deployed if 'time' is to be a meaningful
factor in the process.

The commercial model is based around the storage of valuables,
particularly jewelry and cash. In addition to the (American) UL
standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60),
there is a German standard (A,B,C1,C2,D 10, D20, E 10) and a
Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160,
160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are
based on time and tools. Time and tools is an excellent set of
criteria for rating computer security components in areas such as
encryption. In America, the various insurance agencies determine what
rating is required for them to insure a given amount to be stored in
the safe or vault. In Europe, the Dutch Safe Rating Committee
publishes a similar standard assigning a range of financial value to
each rating in each of the three systems.

This does not, however, address liability for storage of information
such as credit ratings, social security numbers, bank balances, web
surfing preferences, political affiliations, which is subject not only
to theft but to alteration or even just surreptitious access. When
storing sensitive information, a more appropriate place to look for
examples is to the government. Classified information presents many of
the same requirements for storage that sensitive information on the
public, or even on commercial interests, does.

To meet the U.S. Government's needs in this area, General Services
Administration (GSA) has published standards (classes 1-8, black, red,
green and blue labels) which rate storage containers for everything
from weapons to information processing systems to filing cabinets.
They additionally publish information on storage of confidential,
secret, and top-secret materials in GSA Approved (or Non-GSA Approved)
containers. This information includes additional requirements for
alarm systems, restricted building access, guard check points, etc...
Specifics on GSA classes and labels are seemingly difficult to come
by. Based on the information I have found in the document library of
locks.nfsec.navy.mil/document_library/guides however, much of what has
been worked out by the GSA could potentially serve as a foundation for
developing similar standards for the storage of information on the
public.

The U.S. Department of Commerce has commissioned the National
Institute of Standards and Technology (NIST) to maintain FIPS PUB
140-1, Security Requirements For Cryptographic Modules. The document
sets forth a standard for specification of cryptographic-based
security systems protecting unclassified information. It provides for
product ratings from 1 to 4 with 1 being lame and 4 being k-rad. This
range is designed to cover a wide range of data sensitivity, from 'low
value administrative data' to 'million dollar funds transfers' to
'life protecting data'. The standard is typically utilized for devices
which protect tokens or encrypt data such as crypto boxes.

While this system may or may not be successful in real life, it
certainly deserves closer examination in that it represents what may
be the closest thing that the U.S. Government has to UL for computer
security products. Under the FIPS 140-1 Testing and Validation model,
vendors select an accredited FIPS 140-1 testing lab, submit their
'module' for testing and pay the testing fee. The lab then tests the
product for conformance to FIPS 140-1 and passes a report on the
'module' to NIST/CSE for validation. Throughout this process, the lab
may submit questions for guidance and clarification to NIST/CSE. If
the report is favorable, a validation certificate is issued by
NIST/CSE for the 'module'. The certificate is presented to the vendor
through the lab and the 'module' is added to the published list of
Validated FIPS 140-1 Modules.

The problem may stem from the difference between UL's roots and those
of ICSA and CISSP. It certainly manifested itself in the fact that the
UL is the only one providing non-biased product inspections as well as
accountability for the quality of the installations out there in the
field. Requirements for the use of 'listed' intrusion detection
systems, encryption mechanisms, and companies could on its own make an
impact if that listing actually meant something. The use of strict
procedures and specific levels of physical security could be required
as in the GSA model and this too could help the private sector. This
has not been the tack taken to date, however.

The second problem is that manufacturers of physical security devices
are pressured by customers to have a UL listing. This is because
customers are pressured by insurance underwriters to use products that
meet UL specifications. In Cyberspace, businesses currently feel that
the embarrassment and loss of public trust are more costly than the
actual damage caused by hackers. Citibank has become the most
well-known example of what happens when computer intrusions are made
public knowledge. By taking commendable actions and not covering up
the intrusion, Citibank is now known as the bank that got hacked
instead of the bank that handled the situation appropriately. Since
silence seems to be the best policy, cyber merchants choose to 'eat'
their losses rather than risk the negative publicity. Until these
losses become intolerable and insurance is necessary, there may be no
motivation to drive the certification, approval or listing of products
by UL or any similar organization.

It took UL about 30 years from being subsidized by the insurance
agencies to being self-supporting off fees paid by manufacturers for
testing. Merrill was the first full-time employee as a result of this
change. Insurance underwriters and Consumer Product Safety Commission
were instrumental in gaining public acceptance of UL work. It was the
public's safety that was of concern and liability drove companies to
insure. Insurance underwriters found they were then saddled with the
problem and addressed it effectively with the UL. Perhaps at some
point the collection and storage of information on the public will
carry some sort of liability with it.

A Call for Action

Without a call for action, I would simply be a whiner. At this point,
you the reader can assist with very little effort. Whether you are a
vendor, insurance company, end user, or hacker, let me know your
thoughts on the state of the industry, the state of the UL and/or this
article's conclusions. As a hacker, is the relationship between the
hot-shot safe crackers and the UL an attractive one you would be
interested in? Is the UL listing process for installations sufficient?
Will it encounter problems unforeseen by this article? As an insurer,
am I missing part of the picture; are companies actually insuring
their computer systems and data to mitigate loss or liability? As a
manufacturer do you foresee problems with the UL model being imposed
on computer security products? As an end user do you feel that
computer security is important? Do you feel that the current system
actually is sufficient? Have you been wanting something better or do
you feel that you are being slighted by my insinuation that you do not
fully understand the products you purchase? Any and all feedback on
this article would be appreciated no matter where it comes from
(although manufacturer comments will be taken with a grain of salt).
Forward those comments to tan@l0pht.com. If there is enough feedback,
I may write a follow up article on this topic. I am considering going
into detail on each rating system UL, German, Scandinavian, GSA and
FIPS 140-1, highlighting overlaps with the computer security
discipline.

Thanks to the UL for providing documentation on the history of the UL
and directing me to Peter Tallman of the Melville, N.Y. office. Thanks
to Peter Tallman for clarifying some of the issues surrounding the
listing of safes and alarm systems and directing me to Beverly
Borowski whom I hope can assist me in my future research. Also of use
to date was FED-STD-809, the federal standard for neutralization and
repair of GSA approved containers as well as a yearly publication by
the Dutch Safe Rating Committee called 'Recommendations for Insuring
Money in Safes and Strongrooms'. GSA's web site (www.gsa.gov) provides
a searchable index of federal standards including FED-STD-809. The
Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling
Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands
- Tel. 070-3912008. Additional thanks to the researchers at the L0pht
for their assistance, particularly to Brian Oblivion for providing
extensive documentation on FIPS 140-1.

</PRE>
