Two separate posts from different but related areas. First, at the Financial Cryptography blog, iang asks a beautiful question: why are so many bright people fooling themselves about the science in information security? His exploration of the question is a must read; I cannot do it justice here. But I do want to focus on one area. He quotes from the Microsoft Research paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users":
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives.

Now this really does make you question where science fits in the infosec field, but by itself it does not absolve infosec's track record, because there are solutions to some of these problems, and those solutions require engineering: finding and fixing vulnerabilities, not infosec's traditional focus on threats followed by blaming users for getting owned on poorly built systems.
Engineering in security is the single most strategic area for infosec to focus on, but outside of a few forward-looking organizations it is shunted off to the side, with the results passed on to customers and shareholders.
Engineering means recognizing constraints, not building Battlestar Galactica; often the most interesting solutions can be quite cheap. This brings us to the second must read of the day: multichannel protocols against relay attacks. For years the US was left behind in being able to leverage SMS or other cheap mobile channels as a factor in security. But this is changing, and it could offer solutions to age-old problems in computer security at a reasonable cost. Here is what Bob Blakley has to say:

Forbidding reliance on identity absent PROOF that no one can have impersonated the identity holder is certainly SUFFICIENT to prevent identity theft, but it goes a long way past NECESSARY. In fact, I claim it goes all the way to "impossible".

What do you think it would mean to "prove" that an "impostor" could not have faked the process by which "I" authenticated "myself" to blogger to post this response?

Even if one could define and then actually generate such a proof, however, I don't think that doing so would be the right response to the identity theft problem. What your proposal is trying to prevent is - by my definition - not identity theft but simple fraud. If I simply take your credit card number and use it to purchase goods, I haven't stolen your identity. If you cancel the credit card, I can't use it any more - so you're still in control.

I define "Identity theft" as the theft of a "breeder document" which enables ME to generate NEW identities which people attribute to you. If I learn your Social Security Number and your address (and maybe your mother's birthdate and maiden name, or some other such highly esoteric piece of information), then I can write off to EnormousGlobalBank and take out a NEW credit card in your name. And when you cancel that card (assuming you can), then I can do it AGAIN.

If you accept that this is the problem, I think there's an easier solution than one which relies on demonstrating a "proof" to a third party. It goes like this. Imagine that your Social Security card is the sole "breeder document" for accounts. Now imagine that you (and everyone else) are issued a new Social Security card - the actual physical card, not the number.

Imagine that this card has four new features. The first is an LCD window which can scroll text. The second is a "yes" button. The third is a "no" button. And the fourth is a vibrate mode.

Finally, imagine that EVERY TIME you try to open an account using your SSN, the institution trying to create the account sends out a signal. The signal causes your card to vibrate. When you take the card out of your pocket, the screen displays a message on its LCD screen saying "EnormousGlobalBank creating new VasterCard Account for you. OK?" If you believe that the account is being created because of some process you initiated, you press the "yes" button. Otherwise, you press the "no" button.

The key here is NOT authentication. It's awareness (creating the opportunity for the "real" "owner" of the "identity" to know what's being done on his behalf), and, most importantly, TIMELINESS. A big part of the identity theft problem comes from the fact that the average person checks her credit report every time she buys a house - i.e. not often enough to realize that something shady is going on and stop it before a lot of damage is done.

So there's the challenge. Note it's not CIA, it's not even the gold standard (authentication, authorization, auditing), it's not threats. It's engineering for simplicity, safety and usability. Multiple weak channels can be stronger than one medium-strength one. Security is not about the strength of any one mechanism; it's not about decomposing the system and finding some perfect crypto mechanism; it's about building up the security view, it's a composition challenge. Now that we have security protocols that compose, we need to use them to make this happen.
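As an added illustration, not part of the original post or of Blakley's comment, here is a small Python sketch of the confirmation channel he describes: the institution's request is parked until the holder's card answers, and only a timely "yes" from that holder's card lets the account be opened. The service, its methods and the sample names are assumptions; timestamps are passed in explicitly so the timeliness rule can be exercised offline.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

# Constructed sketch (not from the post or Blakley's comment) of the confirmation
# channel: a request is parked until the holder's card answers, and anything other
# than a timely "yes" from that card leaves it denied. Timestamps are explicit args.

@dataclass
class AccountRequest:
    request_id: str
    institution: str
    product: str
    holder: str                     # whose SSN the institution is trying to use
    created_at: float
    answer: Optional[bool] = None   # None until the card answers

class ConfirmationService:
    """Hypothetical relay between institutions and the SSN holder's card."""
    def __init__(self, timeout_s: float = 300.0):
        self.timeout_s = timeout_s
        self.pending: Dict[str, AccountRequest] = {}

    def request_account(self, institution: str, product: str, holder: str, now: float) -> str:
        """Institution announces the attempt; a fresh id ties any later answer to it."""
        rid = secrets.token_hex(8)
        self.pending[rid] = AccountRequest(rid, institution, product, holder, now)
        return rid

    def prompt_text(self, rid: str) -> str:
        """What the card's LCD shows when it vibrates."""
        r = self.pending[rid]
        return f"{r.institution} creating new {r.product} Account for you. OK?"

    def record_answer(self, rid: str, holder: str, yes: bool, now: float) -> bool:
        """Card presses yes/no. True if accepted; wrong card, repeat or late answers are not."""
        r = self.pending.get(rid)
        if r is None or r.holder != holder or r.answer is not None:
            return False
        if now - r.created_at > self.timeout_s:
            r.answer = False            # too late: deny by default
            return False
        r.answer = yes
        return True

    def may_open(self, rid: str, now: float) -> bool:
        """Institution's check before creating the account: explicit yes, still fresh."""
        r = self.pending.get(rid)
        return r is not None and r.answer is True and now - r.created_at <= self.timeout_s
```

The "yes" is bound to one request id, so approving one account opening says nothing about the next, and the institution may proceed only on an explicit, fresh approval rather than on the absence of a "no".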