Friday, July 12, 2013

Manufacturing Passwords

-By:  Dave Edstrom
The title “Manufacturing Passwords” can be thought of as a double entendre. It could discuss passwords in the area of manufacturing, or, alternately, creating passwords themselves. These are actually both important topics.
In the June 2013 edition of IMTS Insider, I wrote about cyber security and manufacturing. Continuing with that theme, this time around we’ll examine the topic of passwords and manufacturing.
As manufacturing becomes more and more interconnected with the outside world, the need for security will increase exponentially. Security can be thought of as an onion with different layers that are needed for protection. The only 100% secure system is one that is not on any network, sitting in an electromagnetically sealed room running on its own power source where no individuals can get to it. Even then, I would be reluctant to bet my last dollar that someone couldn’t figure out a way to break in. Unless that system was a black box with a fixed function, it would likely not be a very useful system. Being on a network and accepting risk is part of doing business today.
One of the simplest areas to protect is having a good password system in place for all users and services. When you type your password, you are going through an authentication process. By entering your login name and password, the system authenticates you and lets you in. We are all familiar with the requirement that some sites have for strong passwords. While we think it can be an inconvenience, this is really for our protection — it makes it more difficult to break into that password. The two most important aspects of strong passwords are the length as well as the types of characters, numbers, and special symbols used.
A strong password for a user would be something along the lines of a!&tR)^-n8@#&y\B. That password is 16 characters in length and has a variety of characters to it. The obvious challenge with that type of password is that it is hard for us humans to remember. The trick is having a password that a human can remember and makes it difficult for computers to guess by having that mix of characters and a long password. The time it takes for a computer to guess your password can easily be quantified. Let’s say that your password is “PeterIMTS”. I am sure that is not Peter Eelman’s password, but if it were, an offline attack using five servers that used a total of 25 Graphic Processing Units (GPU) that could guess Peter’s password in couple of hours. (The processors your kids use to run video games make great password crackers.) An offline attack is where the password file has been downloaded or stolen from a site and the bad guys just keep trying to break the passwords so they can get specific passwords for specific users. If we used those same 25 GPUs with the password of a!&tR)^-n8@#&y\B, it would take about one hundred billion centuries. You read that right, one hundred billion centuries. The age of the universe is about 13.77 billion years old, just in case you are worried it was not long enough or complicated enough. That is with today’s computers. Keep in mind that Moore’s Law tells us the speed of computers effectively doubles every 18 to 24 months.
A not-so-obvious point to understand here is that Peter’s password of PeterIMTS is not stored in some file that anyone can just open (if they stole the file) and simply read what it is. What happens is that when your password is entered, it goes through what is called a one-way mathematical algorithm where what comes out the other side is a very long and complicated set of characters. There are different mathematical algorithms that are used today. As a user, this is not your worry unless you find out that the bad guy has broken into your site and taken your password file. When that happens, the first thing users are typically told is to immediately change their passwords. If you ever find out a site is storing your passwords in clear text or “in the open,” run and don’t walk to get your valuable information off that site.
The first password of a!&tR)^-n8@#&y\B is too hard and PeterIMTS is too easy, so what is a good compromise? There are many strategies and this topic is as controversial as mixing both politics and religion. Whatever I point out for your consideration, it’s likely any number of security experts would suggest a different and possibly better way. I am offering a suggestion that I think is reasonable. It is just one suggestion. Keep in mind that the trick is both a variety of characters as well as the length of the password that causes these massive brute force attacks to take a long time.
Let’s go back to Peter and his password. Peter could use a technique called haystacks. A haystack basically means creating a bigger haystack for the bad guy to find your password. I first heard of this technique at a Sun conference years ago and then later on a podcast with Steve Gibson of Security Now on the This Week in Tech (TWiT) series of podcasts. There is lots of good information on this topic at A haystack is basically padding a password with a string of special characters that you can remember that are a prefix or suffix or both to the site for which you want a secure password.
Let’s look at an example with Peter. Peter would pick a series of characters that he could remember. This might be 8Caps*MJ23$ Those 11 characters would then be added to any site that Peter would go to. Peter likes the Caps and the Bulls, so this might be a reasonable way to pad his passwords. For example, Peter goes to a site called Legendary Hockey Player Jerseys. They want a password. Creating a new password every time is a hassle and using the same password is simply not wise. In this case, Peter could have a policy that says he will grab the first character of whatever sites he goes to and pads it with his Peter only padding set of characters. The password would be LHPJ8Caps*MJ23$. Now using that same 25 GPU system, it would take about 500 million centuries to break it. Peter should be able sleep at night with that type of security. The key of course is that only Peter knows his private padding password. If Peter went to his Bank of America site, it might be BOA8Caps*MJ23$. It is also critical to not have the same password at more than one site. Obviously, if Peter had a sticky note on his monitor with 8Caps*MJ23$, that would be a security hole.
At one of my previous employers, we couldn’t get some of our sales reps to take password security seriously. The sales VP had the technical team pull down a password-guessing program and run it against our password file. The results of the cracked passwords were published to their peers and the offending sales reps with the results. The VP then gave the sales reps explicit instructions to change to a secure password NOW. Peer pressure can be a powerful force because it just takes one weak password to give the guys wearing black hats all the entry they need into the network.
I am sure some of you are thinking — “but that still isn’t secure, because what happens if someone finds out my password? They become me with just my login and password.” You are absolutely correct. What we have been talking about is single factor authentication. In others words, a password is something that you know. For systems where having just a login and password are not deemed enough, there is two-factor authentication.
Two-factor authentication adds another variable. For example, a company I worked at had a special password generator calculator, a device we called “the enigma,” and every employee that needed a remote login had one. It was unique for each employee. How it worked is that the employee would login to a special system with a unique login and an 8-digit challenge that they had one minute to reply to with their enigma response. For example, when I first turned on my enigma, I had to enter in my password and then immediately enter in the challenge. It would then come back with the unique number that I would have to enter into the system for that given one-minute window just for Dave Edstrom. If that was successful, I would then be asked which system I wanted to login to with my username and password. That was deemed as secure enough for our needs.
For other systems, even two-factor authentication isn’t enough, and a third factor is added. The third factor is something that you are. It might be a fingerprint or retina scan. In summary, a single factor authentication is typically something you know. A two-factor is usually something you know, as well as something you have, such as an enigma card. A third factor might add something like a retina scan.
Some might argue that authentication involving an enigma card and a fingerprint or retina scan is enough and would eliminate the need for a user to remember a password. Companies employ various levels of authentication depending on the system. In the long run, having humans pick and try to remember passwords is not a good idea. Many smartphone manufacturers are considering biometrics for the security systems on their devices.
If you have traveled recently, you likely noticed new traveler kiosks in some of the larger airports. These kiosks are part of a trusted traveler program. These programs go by different names around the globe, but the common theme is that it is for those travelers who have been deemed “safe” for air travel and not a terrorist threat. What these kiosks all share is a multi-factor authentication system. These multiple factors usually require that the traveler has a current passport, scanned at the kiosk, plus two-factor biometric scanning – such as finger print scan and facial recognition. They’re also required to enter their flight number. These multiple factors fall into something you have, which is your passport, something you are, which are the two biometrics, and finally a booked flight, which is the reason you are at the airport to begin with. All of these factors combined provide the airport and airline with a high degree of confidence that the person traveling is the person that has been previously checked out and is not considered a traveling risk. The background checks can be quite extensive, but the benefits are a more streamlined entry and exit process when traveling.
At this point, you should be asking what the security policies are regarding passwords in your manufacturing shop or plant. What would happen if you ran a password-guessing program? The degree of security needs to be balanced with the risk. For example, let’s say that you have a crossword program that requires a login and password to save your last game. You got it free at iTunes and there is no financial transaction involved, and the worst thing that could happen is a stranger could pick up from your last crossword puzzle. Let’s compare that to the login for your health provider where you have all of your family’s medical records. You likely would want a very secure password for this site. What would happen if a nation state decided to attack your company’s site because they just read you were the proud recipient of a new aerospace contract? Would you bet your company’s intellectual property on your current security system? Who makes that determination at your company?
Just as a reminder, you can get a Ph.D. in the area of cyber security, so please treat these articles as simply high-level guides on what to think about. It’s not meant to be an all-encompassing discussion of security best practices. My goal is to spark conversations in shops and plants regarding security, but I’m not providing a recommendation that works for all scenarios. If you now have more questions than answers, then I have done my job. Remember Andy Grove of Intel’s timeless advice, “only the paranoid survive.” When it comes to security, be very paranoid.
Next month, I will discuss authentication and authorization. Please keep the comments and suggestions coming on cyber security in manufacturing!

No comments:

Post a Comment