Cyberspace Underwriters Laboratories

 

 

Underwriters Laboratory

 

Underwriters Laboratories was founded in 1894 by William Henry Merrill, an electrical inspector from Boston. In 1893, Chicago authorities grew concerned about public safety due to the proliferation of untamed DC circuits and the new, even more dangerous technology of AC circuits. These new and little-understood technologies threatened society with frequent fires, which led critics to question whether the technology could ever be harnessed safely. Merrill was called in, set up a one-room laboratory with $350.00 in electrical test equipment, and published his first report on March 24, 1894.

 

Back in Boston, insurance underwriters had rejected Merrill's plans for a non-biased testing facility to certify electrical devices. Chicago, however, embraced the idea. Merrill took advantage of the situation in Chicago to get up and running, and within months had support at the national level.

 

Today, UL has tested over 12,500 products world-wide and is an internationally recognized authority on safety and technology. The UL mark of approval has come to provide an earned level of trust between customers and manufacturers, and has safely allowed our society to leverage hundreds of inventions that would otherwise have been unfit for public use.

 

While originally targeting inventions which could potentially cause physical harm to the user, UL has expanded into the listing of alarm system products as well as alarm system installers. Individual products are listed as meeting UL standards, and the companies that install those products are also listed as qualified to install the product as intended. Insurance companies have leveraged UL's scrutiny to properly ascertain their risks.

 

 

Cyberspace

 

Today, technology continues to grow at a rapid pace, perhaps even out of control. The commercialization of the Internet has led many businesses to offer services out there in what has been called the Wild Wild West (WWW). As a result, public safety is at risk. Utilities are bridging control systems to Internet-attached back-office systems. Banks are offering 'cyber-banking', and merchants are collecting information about consumers as they transact their business over the Web. Individual privacy, and the fiduciary trust that banks and merchants have established over hundreds of years, are open to new threats as these activities become more and more prevalent.

 

Similar to early electrical inventions, today's computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and inadvertently introduce worse ones, some simply do not perform as advertised at all. For instance, some products have been marketed as utilizing the latest and greatest encryption mechanisms when in fact the version being sold does not utilize any encryption at all.

 

Just as in the late 1800's, consumers have little understanding of the inventions they are purchasing. They are presented with claims by the product's marketers and have no way of proving those claims true or false. Just as it was back then, this has not stopped the large-scale application of these inventions, regardless of public safety. In the late 1900's, nobody has stepped up to the plate to expand UL's role into computer security products or to take that role as their own. To some extent, groups like Nomad Mobile Research Center and L0pht Heavy Industries have acted as modern-day Merrills, publishing non-biased findings to this effect.

 

This is not to say that certification of computer security products has not been attempted in the past. ICSA, for instance, operates a certification program for products. CISSP and other organizations also offer certification of information security professionals. These organizations, however, have failed drastically at providing what UL has provided on a more general 'technology' level. These failures could be examined in detail, but such an exercise is outside the scope of this article.

 

The bottom line for ICSA is that it does not have the rigorous standards that UL has, and its credibility has suffered as a result. ICSA fails to see the certification process as ongoing or cyclical, allowing products to inherit their 'certification'. As a result, some believe the problem is a lack of non-biased inspection of software, and that money buys more certifications than good product design and implementation.

 

CISSP certifies individuals in the computer security industry. While it sorts out those who are fluent in the industry's jargon and concepts, the work of CISSPs still lacks accountability in that their certification is tied to a test rather than to what UL refers to as a 'field counter-check'. Like most computer certifications, however, this is simply a test of test-taking skills rather than a test of experience and understanding.

 

 

Cyber-UL

 

Product certification needs to be performed on every version of a product. Small changes that could ripple through traditional technologies causing safety problems are at least tenfold when applied to computer software. Many similarities may be drawn between the certification of computer security products and the listing of alarm systems and components that UL performs today.

 

UL has a stringent set of tests which are performed on physical security systems that seek UL listing. For instance, safes and vaults have a number of different labels which indicate their adherence to different standards. UL utilizes 'young hotshot' safe-crackers, wishing to make a name for themselves, to do the actual testing. This way, specialists are motivated (not only by fame but by financial compensation as well) to validate the claims that the vendors' marketing people want to make. The entire safe and vault business operates around these ratings to communicate to the customer what the product was designed to do. Based on value and risk, a customer may choose to spend more or less on higher or lower rated labels.

 

The two major factors which influence the level of rating are time and tools. The 'hotshot' safe-crackers are given samples of the product and guidelines for their attempts to defeat its security. For instance, a TL-30 rating means that the cracker is limited to tools not including torches or explosives and is given 30 minutes of actual working time to defeat the security. If X6 is appended to the rating, the rating applies not only to the door but to the container (the rest of the safe). This aligns the vendor's claims with the actual performance of the product. Also, if a new version of the safe comes out, it does not inherit the old version's listing; it must be re-listed.

 

This addresses a big problem that was sure to arise with safe vendors and has definitely arisen in the computer security arena. Customers, due to human nature, want products to be certified as 'secure'. Just as customers like to hear promises of security, vendors love to make them. In 1913, UL tested the first 'security devices'. With this expansion into security devices, they recognized the need to replace the word 'Approved' with the words 'Inspected' or 'Listed'. Because of what UL has established with security devices, customers are not lulled into a false sense of security and vendors do not make outrageous claims. Customers are presented with 'product x is rated at rating y' rather than 'it's ICSA certified'. Vendors claim to be resistant to certain toolsets for certain amounts of time. This is not what the computer security field looks like today, but it is where it needs to go. The manufacturer and consumer must realize that testing 'security' is not the same as testing 'functionality', and because of that, claims need to be adjusted to fit reality. If a door-knob opens a door, the door works. If a safe-lock opens when you dial the combination, it does not mean the safe works. You can, however, perform tests on the safe to assure that it operates as advertised within certain heat and force constraints.

 

While listing individual devices as meeting UL standards is useful to a security professional or consumer, it is only a small part of the picture. Installation and configuration of components is critical to the actual effectiveness of the security solution. For this reason, installation of alarm systems is another area of influence for UL. This may seem like a daunting task, since the number of possible implementations grows exponentially with the number of products. UL has, with only about 4,000 employees, listed more than 12,500 products in over 40 countries and developed over 600 standards for product safety. The tack taken to assure the correct installation of alarm systems has been to list alarm installation companies. Systems installed by UL-listed companies may qualify for a UL-issued certificate. The certificate registers the customer's alarm system, which then becomes an eligible candidate for 'field counter-checks' (spot-audits) performed to assure that listed installers are not cutting corners. If a system which has received a certificate fails the field counter-check, the installer could potentially lose their UL listing. UL has maintained a quality program by scaling the number of field counter-checks as needed.

 

 

Problems with the model

 

While the UL model for security devices seems to address many of the same issues that surround Cyberspace, there are a number of problems with deploying the model, as it stands, for computer security devices.

 

The first problem is that if a security system is defeated in the physical world, it is typically very obvious to those who come into work on Monday and see that the money is gone and the safe is in pieces. Detection of a cyber intrusion is typically NOT very obvious to those who come into work on Monday. Because of this, safe-crackers have very limited time to crack a vault. Hackers, on the other hand, have unlimited time to crack a system. Once they get in, safe-crackers typically REMOVE items, which then become 'missing'. Hackers typically COPY items, unless their motives are political rather than financial, leaving the originals and the system intact. For cyber intrusions to become less surreptitious, intrusion detection needs to mature and become more widely deployed if 'time' is to be a meaningful factor in the process.

 

The commercial model is based around the storage of valuables, particularly jewelry and cash. In addition to the (American) UL standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60), there is a German standard (A, B, C1, C2, D 10, D20, E 10) and a Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160, 160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are based on time and tools. Time and tools are an excellent set of criteria for rating computer security components in areas such as encryption. In America, the various insurance agencies determine what rating is required for them to insure a given amount stored in the safe or vault. In Europe, the Dutch Safe Rating Committee publishes a similar standard assigning a range of financial value to each rating in each of the three systems.
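To make the 'time and tools' idea concrete for encryption, here is an added illustration (not from the article, and not any real rating scheme) that rates a symmetric key length the way a TL-30 label rates a safe: the attacker is assigned a tool class and a working-time window, and the key length earns the label only if an exhaustive search is expected to take longer than that window. The tool classes, their keys-per-second throughputs and the rating ladder are constructed assumptions chosen to keep the arithmetic readable; they are not benchmarks of any real hardware, and the label names merely borrow the UL prefixes listed above.

```python
"""Worked 'time and tools' rating for symmetric key lengths.

Added illustration, not from the article. The tool classes and their
keys-per-second throughputs are constructed placeholders chosen only to make
the arithmetic readable; they are not benchmarks of any real hardware.
"""
from typing import Optional

# Hypothetical attacker tool classes, named after the UL label prefixes the
# article lists. The throughput figures are invented for illustration.
TOOL_CLASSES = {
    "TL": 1e6,     # one workstation
    "TRTL": 1e9,   # a rack of purpose-built hardware
    "TXTL": 1e12,  # a large dedicated cluster
}

# Rating ladder, strongest first, in the style of TL-15 / TL-30 / TXTL-60:
# (tool class, minutes of working time the key must be expected to withstand).
LADDER = [("TXTL", 60), ("TRTL", 30), ("TRTL", 15), ("TL", 30), ("TL", 15)]


def worst_case_seconds(key_bits: int, keys_per_second: float) -> float:
    """Time to try every key in the keyspace at the given throughput."""
    return (2 ** key_bits) / keys_per_second


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Expected time to hit the right key: on average half the keyspace."""
    return worst_case_seconds(key_bits, keys_per_second) / 2


def withstands(key_bits: int, tool_class: str, minutes: int) -> bool:
    """True if the key length is expected to hold against the named tool
    class for at least the stated working time (the analogue of TL-30)."""
    rate = TOOL_CLASSES[tool_class]
    return expected_seconds(key_bits, rate) >= minutes * 60


def best_label(key_bits: int) -> Optional[str]:
    """Strongest label on the ladder the key length earns, or None if it
    fails even the weakest one (the safe equivalent of 'no listing')."""
    for tool, minutes in LADDER:
        if withstands(key_bits, tool, minutes):
            return f"{tool}-{minutes}"
    return None


if __name__ == "__main__":
    for bits in (20, 32, 40, 56, 128):
        print(f"{bits:>3}-bit key -> {best_label(bits)}")
```

Two things the model makes visible that the prose only implies. First, a label is a statement about a bounded working window: the moment the attacker's time is unbounded (the problem the next section raises), every ladder rung is eventually cleared, so the label is only meaningful where detection actually cuts the window short. Second, the label has to be recomputed whenever the tool-class throughput assumptions change, which is the same reason a new version of a safe does not inherit the old listing.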

 

This does not, however, address liability for the storage of information such as credit ratings, social security numbers, bank balances, web surfing preferences and political affiliations, which is subject not only to theft but to alteration or even just surreptitious access. When storing sensitive information, a more appropriate place to look for examples is the government. Classified information presents many of the same storage requirements as sensitive information on the public or even on commercial interests.

 

To meet the U.S. Government's needs in this area, the General Services Administration (GSA) has published standards (classes 1-8; black, red, green and blue labels) which rate storage containers for everything from weapons to information processing systems to filing cabinets. They additionally publish information on the storage of confidential, secret, and top-secret materials in GSA Approved (or Non-GSA Approved) containers. This information includes additional requirements for alarm systems, restricted building access, guard check points, etc. Specifics on GSA classes and labels are seemingly difficult to come by. Based on the information I have found in the document library at locks.nfsec.navy.mil/document_library/guides, however, much of what has been worked out by the GSA could potentially serve as a foundation for developing similar standards for the storage of information on the public.

 

The U.S. Department of Commerce has commissioned the National Institute of Standards and Technology (NIST) to maintain FIPS PUB 140-1, Security Requirements for Cryptographic Modules. The document sets forth a standard for the specification of cryptographic-based security systems protecting unclassified information. It provides for product ratings from 1 to 4, with 1 being lame and 4 being k-rad. This range is designed to cover a wide range of data sensitivity, from 'low value administrative data' to 'million dollar funds transfers' to 'life protecting data'. The standard is typically utilized for devices which protect tokens or encrypt data, such as crypto boxes.

 

While this system may or may not be successful in real life, it certainly deserves closer examination in that it represents what may be the closest thing the U.S. Government has to a UL for computer security products. Under the FIPS 140-1 Testing and Validation model, vendors select an accredited FIPS 140-1 testing lab, submit their 'module' for testing, and pay the testing fee. The lab then tests the product for conformance to FIPS 140-1 and passes a report on the 'module' to NIST/CSE for validation. Throughout this process, the lab may submit questions for guidance and clarification to NIST/CSE. If the report is favorable, a validation certificate is issued by NIST/CSE for the 'module'. The certificate is presented to the vendor through the lab, and the 'module' is added to the published list of Validated FIPS 140-1 Modules.

 

The problem may stem from the difference between UL's roots and those of ICSA and CISSP. It certainly manifests itself in the fact that UL is the only one providing non-biased product inspections as well as accountability for the quality of the installations out there in the field. Requirements for the use of 'listed' intrusion detection systems, encryption mechanisms, and companies could on their own make an impact if that listing actually meant something. The use of strict procedures and specific levels of physical security could be required, as in the GSA model, and this too could help the private sector. This has not been the tack taken to date, however.

 

The second problem is that manufacturers of physical security devices are pressured by customers to have a UL listing. This is because customers are pressured by insurance underwriters to use products that meet UL specifications. In Cyberspace, businesses currently feel that the embarrassment and loss of public trust are more costly than the actual damage caused by hackers. Citibank has become the most well-known example of what happens when computer intrusions are made public knowledge. By taking commendable actions and not covering up the intrusion, Citibank is now known as the bank that got hacked instead of the bank that handled the situation appropriately. Since silence seems to be the best policy, cyber merchants choose to 'eat' their losses rather than risk the negative publicity. Until these losses become intolerable and insurance becomes necessary, there may be no motivation to drive the certification, approval or listing of products by UL or any similar organization.

 

It took UL about 30 years to go from being subsidized by the insurance agencies to being self-supporting on fees paid by manufacturers for testing. Merrill became the first full-time employee as a result of this change. Insurance underwriters and the Consumer Product Safety Commission were instrumental in gaining public acceptance of UL's work. It was the public's safety that was of concern, and liability drove companies to insure. Insurance underwriters then found themselves saddled with the problem and addressed it effectively with UL. Perhaps at some point the collection and storage of information on the public will carry some sort of liability with it.

 

 

A Call for Action

 

Without a call for action, I would simply be a whiner. At this point, you the reader can assist with very little effort. Whether you are a vendor, insurance company, end user, or hacker, let me know your thoughts on the state of the industry, the state of UL and/or this article's conclusions. As a hacker, is the relationship between the hotshot safe-crackers and UL an attractive one you would be interested in? Is the UL listing process for installations sufficient? Will it encounter problems unforeseen by this article? As an insurer, am I missing part of the picture; are companies actually insuring their computer systems and data to mitigate loss or liability? As a manufacturer, do you foresee problems with the UL model being imposed on computer security products? As an end user, do you feel that computer security is important? Do you feel that the current system is actually sufficient? Have you been wanting something better, or do you feel that you are being slighted by my insinuation that you do not fully understand the products you purchase? Any and all feedback on this article would be appreciated no matter where it comes from (although manufacturer comments will be taken with a grain of salt). Forward those comments to tan@l0pht.com. If there is enough feedback, I may write a follow-up article on this topic. I am considering going into detail on each rating system (UL, German, Scandinavian, GSA and FIPS 140-1), highlighting overlaps with the computer security discipline.

 

Thanks to UL for providing documentation on the history of UL and directing me to Peter Tallman of the Melville, N.Y. office. Thanks to Peter Tallman for clarifying some of the issues surrounding the listing of safes and alarm systems and directing me to Beverly Borowski, whom I hope can assist me in my future research. Also of use to date was FED-STD-809, the federal standard for neutralization and repair of GSA approved containers, as well as a yearly publication by the Dutch Safe Rating Committee called 'Recommendations for Insuring Money in Safes and Strongrooms'. GSA's web site (www.gsa.gov) provides a searchable index of federal standards including FED-STD-809. The Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands - Tel. 070-3912008. Additional thanks to the researchers at the L0pht for their assistance, particularly to Brian Oblivion for providing extensive documentation on FIPS 140-1.