Outdated security habbits die hard
A few days ago I had a meeting with some fellow security officers and an interesting topic came up: “What is the value of putting up disclaimers when logging into systems”
I think we have all seen them, the annoying pop-up messages or scrolling text before you log onto a system telling you that it is an offence to log on unless you are authorized, etc, etc. If you do not know what I am talking about, here is the MS knowledge base article on how to set it up on a windows box.
The debate was around the question if such disclaimers actually add any security to the system. In order to answer that question we need to understand the origin of the disclaimer a little better. Apparently there has been a a court case in which an hacker who was changed with breaking into a computer system by guessing the administrator password successfully defend himself by stating that when he first opened the system he was asked to “Please enter your username and password”. When he entered his username and password he got a message stating “invalid username or password, please try again”. So he was not trying to break into the system, but just doing what he was requested.
This little story makes me wonder, would this excuse for hacking still fly today. As I am not a lawyer (or have any intentions of becoming one) I am in not a position to give an authoritive answer, but I am going to make a guess based on what I do know about Dutch law. In order for someone to be found guilty of trespassing (either IRL or on a computer) you must prove that the person entered an “area” that he was not allowed to enter and that he knew was restricted. In other words if you just happen to wonder into an restricted area, but you were unable to know that you should not go there it is not trespassing. However if you did jump a fence in the progress, you would be hard put to state that you were not aware. In the case of a computer it would be my opinion that having to enter a username and password should be sufficient reason for you to know that the system is restricted.
In my opinion this measure is one of those measures that we take out of sheer inertia, or to keep up with the Joneses, just like changing your password every month or putting a disclaimer on the bottom of an email.
Like the disclaimer, the monthly password change has a historical origin. Rumor has it that the “industry standard” monthly password change is derived from a calculation of how long it would take to perform brute force password attack on an old mainframe. Based on the outcome of this calculation (two months) changing your password every month very effectively reduces the risk of your password being cracked. However, the basic assumptions on which this habit is based have changed dramatically. For example due to Moore’s law and Rainbow tables.
Does sticking to these out-dated practices hurt? On the one hand these measures are cheap to implement. It only takes some changes to the registry, group policy or a text file. On the other hand they can be counterproductive. The disclaimer can cause annoyance when you have to click it away multiple times a day and will certainly not be read every time it is displayed.
The once a month password change is worse, because it encourages bad password practices like writing passwords down or using numbered increments. (Password03, Password04, etc)
Better alternatives like awareness trainings and dual factor authentication are available.
I would like to hear your thoughts on the matter fbreedijk (at) schubergphilis (dot) com
