An Updated Word About Competition in the Information Security Industry

A year ago, I had written a post about competition in the information security space, of which I work as a part of for a vendor that has been in it for nearly a quarter century: Check Point Software Technologies. A few things have changed since I wrote the post and I decided, rather than merely repost my previous post, create a new version of it and update with some relevant information. I’ve removed the old post because it largely says the same thing.

Why I’m In This Industry

The devices, networks, and social institutions we use today are only useful because, on the whole, most people largely trust them. If this trust erodes, people will not make use of them.

It took me many years of working at Nokia to realize that regardless of what I do in life, I am always going to be looking for where the flaws are in the systems and do what I can to improve these systems so they will remain trusted.

As a company, Check Point firmly believes customers deserve the best security for their digital information. That, plus my long-time history with Check Point was why I ultimately decided to go work for Check Point when they acquired Nokia’s Security Appliance Business back in 2009. The talented, smart people I work with day-in and day-out working toward the same goal is why I’m still here, even though some have left for what they see as greener pastures, or at the very least, a different pasture.

What About The Competition

One of the things I’ve always tried to do online is to bring facts, understanding, and details to light. This is what I did with the FireWall-1 FAQ back and the day and what I’m trying to do as part of my effort with Check Point’s user community: CheckMates.

You may have noticed that I occasionally delve into the subject of Check Point’s competition in my online discourse. The main reason I do this is because some of them are saying stuff that flat out isn’t true, a gross misrepesentation, or they advocate a poor approach.

To be clear, I think healthy competition is a good thing. It raises all boats, regardless of who you ultimately use. Despite our differences in approach, there is a common enemy: the malicious actors who attempt to penetrate and disrupt our customers networks. We would do better as an industry to remember that and work better together toward defeating that common enemy.

Despite that common goal, everyone who works for a security vendor, particularly in a sales or marketing capacity, wants to succeed over the competition. As part of that, each vendor puts outs information that puts their offering in the best light. Certainly Check Point has done this with some past marketing campaigns such as:

This is all part of normal, healthy competition that happens in any industry.

Palo Alto Networks is clearly a different competitor and seems to play by different rules, particularly with respect to Check Point.

It’s Personal for Palo Alto Networks

Nir Zuk, the co-founder of Palo Alto Networks, drives a car with the license plate CHKPKLR. This was widely known since at least 2005 and a picture of said license plate was featured prominently at their 2016 Sales Kick Off:

CHKPKLR

The guy up on stage? Their CEO Mark McLaughlin, propagating the “Check Point Killer” message to the assembled masses.

Over the years, I’ve heard countless stories of how Nir Zuk would come in to talk to a (potential) customer and spend a significant amount of time talking about Check Point, to the point where he was thrown out of at least one customer meeting! Given how some customers feel about Check Point, I’m sure that tactic did help to drive some sales.

In the following picture, you can see Palo Alto Networks Chief Marketing Officer Rene Bonvanie with a slide behind him of Check Point CEO Gil Shwed:

Gil Shwed is not my friend

To take it one step further, it was recently discovered that Palo Alto Networks has a so-called “Check Point Kill Squad.” This was disclosed by way of a screenshot of what appeared to be an internal portal from Palo Alto Networks. There was no real information in this screenshot, just partial bullet points of a few competitive talking points against Check Point SandBlast and the fact they also have a Competitive team–nothing that wasn’t already widely known or easily to deduce.

Rather than simply ignore it, Palo Alto Networks saw fit to issue a DMCA takedown notice, causing Moti Sagey’s LinkedIn account to be temporarily suspended. Given their propensity to use EULAs as a way to prevent the truth from being disclosed about their products, using a DMCA takedown to needle someone at a competitor doesn’t seem too far fetched.

Conclusion

It’s clear the hatred of Check Point is institutionalized at Palo Alto Networks and that it comes straight from the top. Given they still haven’t fixed potential bypasses in their product two years after they were reported, it makes me question what business they are truly in.

Disclaimer: My blog, my personal opinions. I’m sure you knew that.

Taking CheckMates On The Road

After a couple months of mostly being at home (nice change of pace), I’m now taking the Check Point CheckMates community on the road!

Aside from building the community site, where we’ve definitely seen an uptick in activity in recent weeks, part of my charter is to faciliate in-person Check Point meetups. We are starting these in a number of locations! Four in particular I’d like to draw your attention to are ones I will be at!

Sadly, I didn’t get the bright idea to do this before last week, where I was in Cincinnati. However, it’s not too late to see me in the following places over the next few weeks:

Also, while I have your attention, I’d be remiss if I didn’t point out the Ask Me Anything we’re doing with Dr. Dorit Dor and her management team on the 18th of September. Get your questions in now!

Ye Olde PhoneBoy FireWall-1 FAQ is Back…In A Manner of Speaking

Many of you probably remember the Check Point FireWall-1 FAQ I ran for many years. Many have told me it was their “go-to” source of information on all things Check Point, well before Check Point had SecureKnowledge.

Well, I’m here to say: it’s back…in a manner of speaking.

More specifically, I am back doing the activity I was doing twenty years ago, namely trying to help the Check Point community make the best use of the stuff they bought and make the resulting information available to everyone.

The one difference? I’m doing it for Check Point now, as opposed to doing it as an independent effort. The name of the site? CheckMates–and no, it’s not a dating site.

This site was previously called Exchange Point and was launched around the time R80 was released a little over a year ago. Previously the site was just focused on management, but it has been expanded to cover all of the products that make up Check Point Infinity.

Even in the past, I personally didn’t have all the answers. The one thing I did do was make what I did know and what others contributed available to all. I had plenty of help from people in the community back then, including from people at Check Point.

In that regard, nothing’s changed. CheckMates will be a collaborative effort. Unlike in the past, Check Point’s role will be more prominent, especially since they are hosting the site and paying my salary.

At the end of the day, I want CheckMates to be like phoneboy.com was back in the day: to be the go-to resource for all things Check Point. It’s a tall order, and I know what’s there is not much now, but phoneboy.com wasn’t much back when I started, either.

To give you a small sample of the discussions on CheckMates, I’ve put together a small sample of some of the threads that happened last week.

How Long is Long Enough for a Password?

As much as we might want to see different authentication methods available, passwords aren’t going anyway anytime soon. This means a significant part of our security online comes down to choosing good passwords.

There are three basic rules for choosing good passwords:

  1. The more complex the better
  2. The longer the better
  3. Don’t use the same password on multiple sites

Some services like Office 365 are being criticized for only allowing 16 character passwords. Some services offer even less than this.

If you actually do a little math, and choose the characters in your password carefully enough, perhaps using a tool like LastPass to generate and manage the passwords, even a 16 character password is more than strong enough to withstand a brute force attack!

To demonstrate that, I’m going to use the GRC Haystacks tool just to show the search space required in order to find a given password. Yes, I know there are some in the security community that poo-poo some of the contributions to information security that Steve Gibson has made. The tool is merely expressing the results of math and is being used for illustrative purposes.

A password can theoretically have four different types of characters:

  • Uppercase characters (26 possible options)
  • Lowercase characters (26 possible options)
  • Numbers (10 possible options)
  • Special characters (33 characters)

This gives us a total of 95 possible values for a given character of a password. Note that this may vary from site to site as some sites might restrict the special character space. Some sites might even allow for emoji, which I am excluding since outside of smartphone platforms, these are not universally available.

Let’s assume we pick a 16 character password that leverages all four character types and is relatively random. The time required to exhaustively search this space with a tool like hashcat or John The Ripper? A much longer time than I can even conceive of!

16 Character Complex Password

What about if I choose a 16 character password that is all lowercase, but random? Even if a lot of computing power is thrown at the password hash, we’re still looking at several years of computing time:

16 Character Lowercase Password

However, by adding a little bit of complexity, say, uppercase characters, the search space suddenly increases by orders of magnitude!

16 Character Upper and Lowercase Password

Even a 12 character complex password has a pretty large search space to search through:

12 Character Complex Password

All of this assumes you are choosing truly random characters for your password. If you’re using a well-known password manager, it’s probably random enough. Obviously, if you choose dictionary words for your password, or simple variations thereof, the odds of someone guessing your 16 character password are much higher.

Then again, how might someone perform a brute force attack on your password? Certainly if someone leaks the hashed passwords it’s possible. It’s likely not the result of an online brute force attack as that is likely to be detected and/or blocked and will most certainly take much longer.

And yes, the amount of time it takes to validate a password is a factor here. To illustrate this, let’s talk passcodes on phones. At least on Apple devices, if you enable the wipe feature, Apple will wipe the device after 10 failed passcode attempts. The phone only allows passcode entry via the screen and each attempt takes 80 milliseconds to process, as I discussed previously. After a few failed attempts, the phone will lock out additional attempts for a period of time. Which means, it’s not like someone can pick up your phone and a few seconds later, your phone is wiped.

With those constraints in place, how long and complex of a passcode do you really need to keep yours phone from being unlocked by someone other than you? Probably nowhere near as many as you think, so long as you avoid obvious and common ones. For the sake of argument, let’s look at an 8 digit passcode:

8 Digit PIN

To exhaustively search this space, assuming 80ms per guess and no other limiting factors, it would take about 103 days to try all possible combinations. Since there are other limiting factors as noted above, including the fact that the ability to automate passcode guessing is limited, it would take a bit longer. Of course, if the iPhone owner enabled the “erase after 10 failed attempts” option, all bets are off.

The bottom is line is, when you actually look at the math, you don’t need quite as long of a password as you think you do. Assuming the limit is at least 12 characters and all special characters are supported, you can make a complex enough password to sufficiently mitigate most brute force attacks. Even a 16 character password with just mixed case letters has a pretty large search space, assuming your passwords have sufficient entropy.

Having said all that, I’m all for sites supporting longer passwords. Length does allow people to make more complex passwords that are far easier to type, which can be good for people just learning good password hygiene. Also, if it helps people feel more secure to have a longer password and adding support for longer passwords is trivial, why not support it?

Obviously, if there is a massive increase in available computing power anytime soon, some of these assumptions will have to be reexamined. That said, I suspect we’ll have bigger issues to deal with than just the security of our passwords.

Disclaimer: My employer, Check Point Software Technologies, didn’t offer an opinion on this issue. The above thoughts are my own.

Cloudflares with a Chance of Goatse

As I’m sure you’ve heard by now, Cloudflare had a case of CloudBleed, causing what amounts to a massive privacy violation for any site that happened to use them, at least if they used one of three specific features of Cloudflare: Email Obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites. A potential list of compromised sites showed up, which may not be entirely accurate because plenty of sites use Cloudflare but may not necessarily use these features.

The advice that is given as a result of this bug?

Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all Cloudflare proxy customers were vulnerable to having data leaked, it’s better to be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), you should probably change all your important passwords.

Which is fine if, like me, you actually use a password manager (I recommend LastPass). However, it’s not entirely complete advice as “HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data” were leaked. Changing passwords won’t suddenly fix this disclosure issue, particularly if the sites in question do a poor job invalidating cookies and tokens. Think that’s far fetched? Think again.

Changing passwords also doesn’t fix applications that may have communicated on the backend to a Cloudflare-backed site (either on your behalf or otherwise). The potential scope of this issue is…scary.

That said, I can’t imagine every one who ever used a given service over the last several months had their information disclosed. While this event increases the risk above zero, it’s not clear by how much for a given user. Also, the impact of disclosure of a login cookie/token for my bank or a service like Cloudflare is far different than for a site like Techdirt, which out of an abundance of caution is forcing everyone to reset their password on the site.

I feel sorry for the average Internet user, who has seen umpteen of these notifications lately (just from Yahoo alone)! The advice of “change all your passwords” is quite simply untenable for the vast majority of Internet users. Even though I use a password manager as part of good password hygiene, I certainly don’t have time to visit all the sites in LastPass, much less change all my passwords manually!

And, as I noted earlier, changing your password won’t fully address the issue. Still, it’s probably as a good a time as any to make sure your critical accounts are as protected as they can be. For me, that meant changing my Cloudflare password and API key as well as enabling multi-factor authentication. I’ve also changed the password for a few sites listed on the potential list of compromised sites. I will keep checking LastPass in case they decide to integrate this list of sites into their Security Challenge, which they’ve done in the past.

Even if you do none of this, my guess is that the vast majority of the users won’t be impacted by CloudBleed. At least I hope they won’t be.

Disclaimer: My employer, Check Point Software Technologies, didn’t offer an opinion on this issue. The above thoughts are my own.