Cyberspace Underwriters Laboratories
                              tan@l0pht.com

   Cyberspace Underwriters Laboratories - 01/11/1999
   Underwriters Laboratory
   
   Underwriters Laboratories was founded in 1894 by an electrical
   inspector from Boston, William Henry Merrill. In 1893, Chicago
   authorities grew concerned over the public safety due to the
   proliferation of untamed DC circuits and the new, even more dangerous
   technology of AC circuits. These new and little-understood
   technologies threatened our society with frequent fires which caused
   critics to question if the technology could ever be harnessed safely.
   Merrill was called in and set up a one-room laboratory with $350.00 in
   electrical test equipment and published his first report on March 24,
   1894.
   
   Back in Boston, insurance underwriters rejected Merrill's plans for a
   non-biased testing facility for certification of electrical devices.
   Chicago however, embraced the idea. Merrill took advantage of the
   situation in Chicago to get up and running and within months had
   support at the national level.
   
   Today, UL has tested over 12,500 products world-wide and is an
   internationally recognized authority on safety and technology. The UL
   mark of approval has come to provide an earned level of trust between
   customers and manufacturers and safely allowed our society to leverage
   hundreds of inventions that would have otherwise been unfit for public
   use.
   
   While originally targeting inventions which could potentially cause
   physical harm to the user, the UL has expanded into the listing of
   alarm system products as well as alarm system installers. Individual
   products are listed as meeting UL standards and the companies that
   install those products are also listed as qualified to install the
   product as intended. Insurance companies have leveraged the UL's
   scrutiny to properly ascertain their risks.
   
   Cyberspace
   
   Today, technology continues to grow at a rapid pace, perhaps even out
   of control. The commercialization of the Internet has led many
   businesses to offer services out there in what has been called the
   Wild Wild West (WWW). As a result, the public safety is at risk.
   Utilities are bridging control systems to Internet attached
   back-office systems. Banks are offering 'cyber-banking' and merchants
   are collecting information about consumers as they transact their
   business over the Web. Individual privacy and the fiduciary trust
   banks and merchants have established over hundreds of years are open
   to new threats as these activities become more and more prevalent.
   
   Similarly to early electrical inventions, today's computer security
   products may introduce more harm than good when implemented by end
   users. While some of these products do what they claim, most do not.
   The lack of standards and meaningful certification has allowed the
   sale of products that are either intentionally or unintentionally
   snake-oil. While many of the products may solve old problems and
   inadvertently introduce worse ones, some just do not perform as
   advertised at all. For instance, some products have been marketed as
   utilizing the latest and greatest encryption mechanisms when in fact,
   the version they are selling does not utilize any encryption at all.
   
   Just as in the late 1800's, the consumers have little understanding of
   the inventions they are purchasing. They are presented with claims by
   the product's marketers and have no way of proving those claims to be
   true or false. Just as it was back then, this has not stopped the
   large-scale application of these inventions, regardless of public
   safety. In the late 1900's, nobody has stepped up to the plate to
   expand the UL's role into computer security products or to take that
   role as their own. To some extent, groups like Nomad Mobile Research
   Center and L0pht Heavy Industries have acted as modern-day Merrills,
   publishing non-biased findings to this effect.
   
   This is not to say that certification of computer security products
   has not been attempted in the past. ICSA for instance, operates a
   certification program for products. CISSP and other organizations also
   offer certification of information security professionals. These
   organizations however, have failed drastically at providing what the
   UL has provided on a more general 'technology' level. These failures
   could be examined in detail but such an exercise is outside the scope
   of this article.
   
   The bottom line for ICSA is that it does not have the rigorous
   standards that the UL has and its credibility has suffered as a
   result. ICSA fails to see the certification process as ongoing or
   cyclical allowing for products to inherit their 'certification'. As a
   result, it is believed by some that there is a problem in that there
   is a lack of non-biased inspection of software and that money buys
   more certifications than good product design and implementation.
   
   CISSP certifies individuals in the computer security industry. While
   it sorts out those who are fluent in the industry jargon and concepts,
   the work of CISSPs still lacks accountability in that their
   certification is tied to a test rather than what the UL refers to as
   a 'field counter-check'. Like most computer certifications however,
   this is simply a test of test-taking skills rather than a test of
   experience and understanding.
   
   Cyber-UL
   
   Product certification needs to be performed on every version of a
   product. Small changes that could ripple through traditional
   technologies causing safety problems are at least tenfold when
   applied to computer software. Many similarities may be drawn between
   the certification of computer security products and the listing of
   alarm systems and components that UL performs today.
   
   UL has a stringent set of tests which are performed on physical
   security systems which seek UL listing. For instance, safes and vaults
   have a number of different labels which indicate their adherence to
   different standards. UL utilizes 'young hotshot' safe-crackers wishing
   to make a name for themselves, to do the actual testing. This way,
   specialists are motivated (by not only fame but by financial
   compensation as well) to validate the claims that the vendors'
   marketing people want to make. The entire safe and vault business
   operates around these ratings to communicate to the customer what it
   is that the product was designed to do. Based on value and risk, a
   customer may choose to spend more or less on higher or lower rated
   labels.
   
   The two major factors which influence the level of rating are time and
   tools. The 'hotshot' safe-crackers are given samples of the product
   and guidelines for their attempts to defeat its security. For
   instance, a TL-30 rating means that the cracker is limited to tools
   not including torches or explosives and is given 30 minutes of actual
   working time to defeat the security. If X6 is appended to the rating,
   the rating applies to not only the door, but the container (the rest
   of the safe). This aligns the vendor's claims to the actual
   performance of the product. Also, if a new version of the safe comes
   out, it does not inherit the old version's listing, it must be
   re-listed.
   
   This addresses a big problem that was sure to arise with safe vendors
   and has definitely risen in the computer security arena. Customers,
   due to human nature, want products to be certified as 'secure'. Just
   as customers like to hear promises of security, vendors love to make
   them. In 1913, UL tested the first 'security devices'. With this
   expansion into security devices, they recognized the need to replace
   the word 'Approved' with the words 'Inspected' or 'Listed'. Due to
   what UL has established with security devices, customers are not
   lulled into a false sense of security and vendors do not make
   outrageous claims. Customers are presented with 'product x is rated at
   rating y' rather than 'it's ICSA certified'. Vendors claim to be
   resistant to certain toolsets for certain amounts of time. This is not
   what the computer security field looks like today, but is where it
   needs to go. The manufacturer and consumer must realize that testing
   'security' is not the same as testing 'functionality' and because of
   that, claims need to be adjusted to fit reality. If a door-knob opens
   a door, the door works. If a safe-lock opens when you dial the
   combination, it does not mean the safe works. You can however, perform
   tests on the safe to assure that it operates as advertised within
   certain heat and force constraints.
   
   While listing individual devices as meeting UL standards is useful to
   a security professional or consumer, it is only a small part of the
   picture. Installation and configuration of components is critical to
   the actual effectiveness of the security solution. For this reason,
   installation of alarm systems is another area of influence for the UL.
   This may seem like a daunting task since the number of implementations
   is exponential to the number of products. UL has, with only about
   4,000 employees, listed more than 12,500 products in over 40 countries
   and developed over 600 standards for product safety. The tack taken to
   assure the correct installation of alarm systems has been to list
   alarm installation companies. Systems installed by UL listed companies
   may qualify for a UL issued certificate. The certificate registers the
   customer's alarm system, which then becomes an eligible candidate for
   'field counter-checks' (spot-audits) which are performed to assure
   that listed installers are not cutting corners. If a system which has
   received a certificate fails the field counter-check, the installer
   could potentially lose their UL listing. The UL has maintained a
   quality program by scaling the number of field counter-checks as
   needed.
   
   Problems with the model
   
   While the UL model for security devices seems to address many of the
   same issues that surround Cyberspace, there are a number of problems
   with deploying the model for computer security devices as it stands.
   
   The first problem is that if a security system is defeated in the
   physical world, it is typically very obvious to those who come into
   work on Monday and see that the money is gone and the safe is in
   pieces. Detection of a cyber intrusion is typically NOT very obvious
   to those who come into work on Monday. Because of this fact,
   safe-crackers have very limited time to crack a vault. Hackers on the
   other hand, have unlimited time to crack a system. Once they get in,
   safe crackers typically REMOVE items which then become 'missing'.
   Hackers typically COPY items unless their motives are political rather
   than financial, leaving the originals and the system intact. For cyber
   intrusions to become less surreptitious, intrusion detection needs to
   mature and become more widely deployed if 'time' is to be a meaningful
   factor in the process.
   
   The commercial model is based around the storage of valuables,
   particularly jewelry and cash. In addition to the (American) UL
   standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60),
   there is a German standard (A,B,C1,C2,D 10, D20, E 10) and a
   Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160,
   160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are
   based on time and tools. Time and tools is an excellent set of
   criteria for rating computer security components in areas such as
   encryption. In America, the various insurance agencies determine what
   rating is required for them to insure a given amount to be stored in
   the safe or vault. In Europe, the Dutch Safe Rating Committee
   publishes a similar standard assigning a range of financial value to
   each rating in each of the three systems.
   
   This does not, however, address liability for storage of information
   such as credit ratings, social security numbers, bank balances, web
   surfing preferences, political affiliations, which is subject not only
   to theft but to alteration or even just surreptitious access. When
   storing sensitive information, a more appropriate place to look for
   examples is to the government. Classified information presents many of
   the same storage requirements as sensitive information on the public
   or even on commercial interests.
   
   To meet the U.S. Government's needs in this area, General Services
   Administration (GSA) has published standards (classes 1-8, black, red,
   green and blue labels) which rate storage containers for everything
   from weapons to information processing systems to filing cabinets.
   They additionally publish information on storage of confidential,
   secret, and top-secret materials in GSA Approved (or Non-GSA Approved)
   containers. This information includes additional requirements for
   alarm systems, restricted building access, guard check points, etc.
   Specifics on GSA classes and labels are seemingly difficult to come
   by. Based on the information I have found in the document library of
   locks.nfsec.navy.mil/document_library/guides however, much of what has
   been worked out by the GSA could potentially serve as a foundation for
   developing similar standards for the storage of information on the
   public.
   
   The U.S. Department of Commerce has commissioned the National
   Institute of Standards and Technology (NIST) to maintain FIPS PUB
   140-1, Security Requirements For Cryptographic Modules. The document
   sets forth a standard for specification of cryptographic-based
   security systems protecting unclassified information. It provides for
   product ratings from 1 to 4 with 1 being lame and 4 being k-rad. This
   range is designed to cover a wide range of data sensitivity, from 'low
   value administrative data' to 'million dollar funds transfers' to
   'life protecting data'. The standard is typically utilized for devices
   which protect tokens or encrypt data such as crypto boxes.
   
   While this system may or may not be successful in real life, it
   certainly deserves closer examination in that it represents what may
   be the closest thing that the U.S. Government has to UL for computer
   security products. Under the FIPS 140-1 Testing and Validation model,
   vendors select an accredited FIPS 140-1 testing lab, submit their
   'module' for testing and pay the testing fee. The lab then tests the
   product for conformance to FIPS 140-1 and passes a report on the
   'module' to NIST/CSE for validation. Throughout this process, the lab
   may submit questions for guidance and clarification to NIST/CSE. If
   the report is favorable, a validation certificate is issued by
   NIST/CSE for the 'module'. The certificate is presented to the vendor
   through the lab and the 'module' is added to the published list of
   Validated FIPS 140-1 Modules.
   
   The problem may stem from the difference between UL's roots and those
   of ICSA and CISSP. It certainly manifested itself in the fact that the
   UL is the only one providing non-biased product inspections as well as
   accountability for the quality of the installations out there in the
   field. Requirements for the use of 'listed' intrusion detection
   systems, encryption mechanisms, and companies could on its own make an
   impact if that listing actually meant something. The use of strict
   procedures and specific levels of physical security could be required
   as in the GSA model and this too could help the private sector. This
   has not been the tack taken to date, however.
   
   The second problem is that manufacturers of physical security devices
   are pressured by customers to have a UL listing. This is because
   customers are pressured by insurance underwriters to use products that
   meet UL specifications. In Cyberspace, businesses currently feel that
   the embarrassment and loss of public trust are more costly than the
   actual damage caused by hackers. Citibank has become the most
   well-known example of what happens when computer intrusions are made
   public knowledge. By taking commendable actions and not covering up
   the intrusion, Citibank is now known as the bank that got hacked
   instead of the bank that handled the situation appropriately. Since
   silence seems to be the best policy, cyber merchants choose to 'eat'
   their losses rather than risk the negative publicity. Until these
   losses become intolerable and insurance is necessary, there may be no
   motivation to drive the certification, approval or listing of products
   by UL or any similar organization.
   
   It took UL about 30 years from being subsidized by the insurance
   agencies to being self-supporting off fees paid by manufacturers for
   testing. Merrill was the first full-time employee as a result of this
   change. Insurance underwriters and Consumer Product Safety Commission
   were instrumental in gaining public acceptance of UL work. It was the
   public's safety that was of concern and liability drove companies to
   insure. Insurance underwriters found they were then saddled with the
   problem and addressed it effectively with the UL. Perhaps at some
   point the collection and storage of information on the public will
   carry some sort of liability with it.
   
   A Call for Action
   
   Without a call for action, I would simply be a whiner. At this point,
   you the reader can assist with very little effort. Whether you are a
   vendor, insurance company, end user, or hacker, let me know your
   thoughts on the state of the industry, the state of the UL and/or this
   article's conclusions. As a hacker, is the relationship between the
   hot-shot safe crackers and the UL an attractive one you would be
   interested in? Is the UL listing process for installations sufficient?
   Will it encounter problems unforeseen by this article? As an insurer,
   am I missing part of the picture; are companies actually insuring
   their computer systems and data to mitigate loss or liability? As a
   manufacturer do you foresee problems with the UL model being imposed
   on computer security products? As an end user do you feel that
   computer security is important? Do you feel that the current system
   actually is sufficient? Have you been wanting something better or do
   you feel that you are being slighted by my insinuation that you do not
   fully understand the products you purchase? Any and all feedback on
   this article would be appreciated no matter where it comes from
   (although manufacturer comments will be taken with a grain of salt).
   Forward those comments to tan@l0pht.com. If there is enough feedback,
   I may write a follow-up article on this topic. I am considering going
   into detail on each rating system (UL, German, Scandinavian, GSA and
   FIPS 140-1), highlighting overlaps with the computer security
   discipline.
   
   Thanks to the UL for providing documentation on the history of the UL
   and directing me to Peter Tallman of the Melville, N.Y. office. Thanks
   to Peter Tallman for clarifying some of the issues surrounding the
   listing of safes and alarm systems and directing me to Beverly
   Borowski whom I hope can assist me in my future research. Also of use
   to date was FED-STD-809, the federal standard for neutralization and
   repair of GSA approved containers as well as a yearly publication by
   the Dutch Safe Rating Committee called 'Recommendations for Insuring
   Money in Safes and Strongrooms'. GSA's web site (www.gsa.gov) provides
   a searchable index of federal standards including FED-STD-809. The
   Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling
   Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands
   - Tel. 070-3912008. Additional thanks to the researchers at the L0pht
   for their assistance, particularly to Brian Oblivion for providing
   extensive documentation on FIPS 140-1.