Identity is important

May 18th, 2008

It is becoming more and more generally acknowledged that perimeter security is insufficient, so strong authentication is becoming increasingly important.

Canadian Identity Theft Coverage

January 23rd, 2008

Identity theft got some more attention today with CBC coverage on reactions to their Going Going Gone segment.
The Silentbanker Windows trojan/keylogger was mentioned as a threat, without much in the way of protection being identified.
Jennifer Stoddart and Michael Geist were interviewed, with the conclusion being that more teeth are needed for enforcing the need for confidentiality.
The American model requiring disclosure of security breaches was mentioned as a necessary step, as well as Canada lagging G8 countries in anti-spam legislation.
Identity theft has been mentioned by the Harper government as a growing crime they will be targeting.

Let’s be clear about what are our secrets

November 25th, 2007

There is a need for people, especially system developers, to have a clearer understanding about secrets both for identification and authentication. This also relates to privacy since our secrets must remain private but we may also want to keep information private that is not related to security.
Information used for identification doesn’t necessarily need to be secret, but if it is used for authentication it is important that it is secret. Also, a secret that a user shares with many different people, systems, and/or services isn’t a secret. Many password implementations don’t take into account the limited capability people have for maintaining secrets or even recognizing what they should keep secret. Even if the information isn’t used as a password, public information is often used for password resets, which isn’t very secure. The following article raises these issues with the example of birth date, which shouldn’t be used as the sole piece of information to identify a person and never for authentication.

A good security system should leverage a small set of secrets that users clearly understand should not be made public and are not directly reused. An example of indirect reuse is a master password from which encryption software generates a unique password, using some context-specific information like the address of the web site.
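The master-password scheme described above, as an added example (not code from this blog or from any particular product). It assumes PBKDF2-HMAC-SHA256 as the generating function and the site's host name as the context; the alphabet, iteration count and rotation counter are also assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Assumed output alphabet (74 symbols); real sites impose their own rules.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
ITERATIONS = 200_000  # assumed work factor; slows offline guessing of the master


def site_context(address: str) -> str:
    """Reduce a site address to its lower-case host name (the context)."""
    if "//" not in address:
        address = "//" + address  # let urlsplit treat a bare host as a host
    host = urlsplit(address).hostname
    if not host:
        raise ValueError(f"no host name in {address!r}")
    return host.rstrip(".")


def site_password(master: str, address: str, counter: int = 1,
                  length: int = 16) -> str:
    """Derive a per-site password; the master itself is never sent anywhere."""
    if not master:
        raise ValueError("master password must not be empty")
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    # The host name (plus a rotation counter) is the salt, so every site
    # gets an unrelated output from the same memorised secret.
    salt = f"{site_context(address)}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=32)
    # 256 derived bits vs. at most ~199 consumed: modulo bias is negligible.
    number = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


if __name__ == "__main__":
    master = "constructed sample master phrase"  # constructed, not a real secret
    for site in ("https://example.com/login", "example.com", "examp1e.com"):
        print(f"{site:28} {site_password(master, site)}")
```

Because the host name is the salt, a lookalike address such as `examp1e.com` yields an unrelated password, and a password leaked by one site exposes the master only to offline guessing at the PBKDF2 work factor.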

Musing about openness and security:

A few days ago I read a report about the dangers of making one’s date of birth public on the web. “After all, unscrupulous people can make use of that data and commit some sort of electronic theft.”

And I thought to myself, what utter tosh. That’s about as meaningful as saying “Most car accidents take place within three miles of home, so don’t drive near home”. Or even “most murders are committed by people known by the victim, so it’s best not to know anyone”.

Currently there’s a lot of personal data freely available on the web, particularly with the advent of electronic social networks. And currently it is possible to misuse that data in order to commit some crime or the other.

So something has to be done. Agreed. But. Rather than make people “hide” personal information, surely the answer lies in making better security “devices”. Surely the answer lies in making a person’s date of birth (or for that matter a person’s mother’s maiden name) less “valuable”.

I don’t know, I must be growing old. Sometimes I look at what we do, and I think to myself: First we take living things and make abject skeletons out of them. Then we carefully build cupboards around the newly formed skeletons. And then we wonder why we have skeletons in cupboards.

We shouldn’t have to hide simple information about ourselves. We shouldn’t have to worry about the Semantic Web, and how people are going to misuse personal information for the most heinous of crimes. We shouldn’t have to worry about “our past catching up with ourselves”. We should not build systems that make use of simple easily-accessible information as security tokens and devices.

Of course we should teach people to be prudent about what information they make available on the web. But let’s not forget that the web has always been about openness and transparency. That this is a good thing.

For centuries people have been putting spare keys under mats and in plant pots and over door ledges. For centuries unscrupulous people have found the spare keys and put them to nefarious use. The answer to that problem was not to change the locks, but the unsafe practice. The right unsafe practice. In this particular instance, the unsafe practice is the use of dates of birth and stuff like that as security tokens.

Just musing.

CBC Newsworld Show on the Use of Online Photos

September 23rd, 2007

Yesterday CBC Newsworld had a show about a mother who was shocked to find that photos of her son that had been posted publicly on Flickr also showed up on an MTS Allstream site and a site in Portugal, with comments on how cute he was. This was followed by the usual alarmist commentary and the conclusion that the mother was taking all the photos off Flickr, as if this was the only way to provide protection. There was no mention of the Flickr feature of identifying online photos as private so they could only be seen by designated friends and relatives and not be reposted by the general public to another web site. It is good to inform people of some of the risks of publishing information, but such coverage should include information on existing, easily applied protection that can be used.

Getting the facts on Identity Theft

February 11th, 2007

There has been some contention about the true status of identity theft, since the types that are being perpetrated are undergoing transformation.
Identity theft status
There is no denying that identity theft continues to be a major problem that merits some creative solutions.

Sometimes Security is protecting us from ourselves

February 11th, 2007

Seth Godin has a good idea about protecting our valuable electronic devices from being misplaced: an alarm for lack of proximity.
I would also really like to see a feature where it would be possible to track down lost or stolen cell phones but something to avoid it happening altogether is even better.

An example service for laptops is LoJack. Either the valuable portable device needs this type of service or it needs to be inexpensive enough that it can be disposable.

Dell offers LoJack as part of a bundle for its laptops.

Prospects for Open-ID

January 17th, 2007

The following article is from Network World Identity Management by David Kearns.

It reviews the potential of Open-ID and references some recent questions raised about it by Kim Cameron who favours a solution that includes client side software implementation. Since Open-ID is evolving, with a new version 2 being developed, more information is needed to determine what the real issues and prospects are.


Who Owns your PC?

December 7th, 2006

This may seem to be obvious but when you really think about it the answer may not be so obvious.

You bought the personal computer and presumably installed the software that runs on it but are you really in control of what it is used for?

If your PC isn’t secured it can fall prey to malware that takes control of your computer and turns it into a zombie that is remotely controlled at least in part by some criminal. This takeover is sometimes referred to as the criminal owning your computer since they are making use of the asset you have purchased for their own purposes.

But you protest this is the exception to the rule – a special case that with proper precautions won’t happen to you.

However this question of ownership becomes murky even without a bad guy taking over your computer with some trickery.

What about software that has some hidden features to “phone” home and report information about you to the mothership? Sometimes this is advertised as a customization feature but is it a feature you control and have a choice about? If not, its human counterpart with these characteristics might be called a traitor or informant. Your computer is at least partly owned by the software supplier to do its bidding whether you like it or not. There are many examples of software companies who have been caught including these types of features. Their claims that this was just to provide better services seem suspicious without open disclosure. This is where software to catch and allow you to make a decision about software initiated outbound requests can be important.

A lot of decisions about the use of “your” computer resources like memory, disk space, and CPU cycles are often made on your behalf by the Operating System and other software. What seems to be missing is what in privacy circles is called informed consent. Granted it is a challenge to make computers simpler to use and not every computer user wants to tune their computer for optimum performance but have we gone too far in the direction of uncontrollable software defaults and not done enough to inform and empower the computer owner to control how it is used? Even with the tremendous advances in disk, memory, and CPU technology these still can be considered scarce resources that computer owners might not want to be used up by services that we aren’t aware of and probably don’t need.

Web sites do exist that provide information on operating system options that can be turned off, but at the present time this can be considered a black art to be done at your own risk without the support of the suppliers. What is needed are capabilities that allow owners to intelligently decide what they want to run on their computers, and maybe even some artificial intelligence that lets them, from a user perspective, provide input on desired performance tradeoffs between programs. Improved owner consent and control could have big benefits for both computer performance and security, since systems could move more towards default off rather than default on.

A common example is software vendors including features that reserve memory even when the software isn’t being used, so it will load faster. Are computer owners informed about the tradeoffs of these features and the impact of this on their system? While operating systems generally include a task manager or activity monitor, just how informative and useful are these capabilities for the average computer owner? Most don’t even identify the resource hogs with names that relate back to the software name an owner would recognize. Processes can be killed, but owner beware about the consequences of trying to control how much of their computer is used by various nefarious unrecognized programs or program components.

Things get even more complicated where Digital Rights Management (DRM) is introduced since this software puts restrictions on computer use to benefit content suppliers and not necessarily to the benefit of computer owners and content purchasers. Do computer owners have sufficient options that there is competition on what restrictions are acceptable? Could this also be considered another example where an outside party is owning your computer for their purposes?

Trusted computing technology also has the capability to control what software can run on “your” computer. Will computer owners have informed consent on how these capabilities will be implemented to their benefit? Who will decide how these technologies will be used to control “your” computer?

Privacy Threat: Walking Bar Codes

November 18th, 2006

Video on some of the privacy issues that people need to become informed about.

Two great quotes in the video.

We are in danger of becoming walking bar codes.

People who are willing to give up a little privacy for a little security will get neither.

This is attributed to Benjamin Franklin but his actual quote is more like the following:

They that can give up essential liberty to purchase a little temporary safety deserve neither liberty or safety.
–Benjamin Franklin

The Importance of Passport Security Design

November 16th, 2006

Background on electronic passport plans in the US and some concerns that have been raised.

It would be a very bad day if government-required documents were used against citizens, and the cost of fixing it later could be enormous.
The following video shows a vulnerability of a passport RFID chip being read without a person’s knowledge and being used to activate an attack.

A low-tech book cover approach to the threat of passport RFID chips being read by unauthorized people. In light of the previously demonstrated vulnerability, it should include a latch, or the cover should be slipped on where the passport opens, to ensure the passport and cover are fully closed.

A high level overview of some of the technology used in electronic passports: