Sunday, December 31, 2006

Bringing down the house.

There have been so many action movies where the use of access tokens is demonstrated. They really are small devices which usually provide a long string of numbers, which periodically changes and only the device owner knows about it. Therefore it must be the ultimate form of secure authentication. Right?

Well, it's not a bad idea to start with. The problem is that humans are always involved in the process. Like an IT Security director who suggested users should attach their personal access token on the computer they are using to prevent them from misplacing it. OMG. It's like using a sticker with your username and password on top of the screen, version 2.0.

As you can understand the system itself may be sufficiently secure but the way it is deployed and used may severely counteract its benefits.

P.S.: And of course there have been and always will be stupid people :P

Friday, December 22, 2006

Putting emotions aside.

Today I was talking to a friend of mine about a project I'm working on and the PKI in general. We analyzed the current issues concerning end-user security, whether it's an ATM PIN or a website's login. We agreed that the common one-factor (password) authentication is just about to expire. The world needs something better and by this I don't mean "stronger" passwords because this usually increases the complexity of the token one has to remember, therefore compromising the safety of the system. So we were sitting there, drinking coffee, talking about it and suddenly my friend said:

When it comes to security, emotion must get out of the way.

By that he meant that we should eliminate the human factor. The actual words he used were so interesting that I thought they were worth mentioning here. He spontaneously revealed the reason humans are the always the weakest link in a security chain. It's not because they can't count high enough or work 24/7. It's because they have emotions that can drive them out of logic's way and make them do things they will later regret.

Those emotions will make them "help out" a beautiful girl, sympathize for someone pretending to be their colleague or express unreasonable behavior under fear or stress.

By eliminating the human factor we eliminate fraud (OK, maybe that's not entirely true). Computer's never doubt. Their decision making mechanism is binary, something is one or zero, true or false.

Of course computers are products of humans so there you have it again, the human factor. So maybe it's not that easy to get rid of it but surely can contain it in groups of specialized people.

It's one thing having a security expert taking care of your safety and quite another You being solely responsible for it.

So the next time you read a security policy for a service, search for the You-Are-Responsible-For-The-Safety-Of-Your-Account paragraph. Don't accept it and look for something more serious.

Thursday, December 21, 2006

Passwords in the hands of users.

I've talked a couple of times about passwords, how strong they should be, how to strengthen them for that matter, etc. But when it comes to the average user what does he use as a password and how does he understand the whole concept?

There's an interesting article by Bruce Schneier on his weblog. The moment I saw it I had a deja vu. At first I quickly searched through this blog to see if I've already talked about it but no. So I guess it's because this is a constant issue that's been around for years.

The article is based on a research done by some guys who set up a fake MySpace login site and harvested actual user passwords. Then they ran a couple of tests on them and presented the results.

So 23% and 25% of them where 7 and 8 characters long which is good, meaning that people have realized that just because your password is secret to everyone else doesn't mean it has to be three letters long since the attacker can always start guessing.

Also, an impressive 81% are using both letters and numbers although 28% of them are just lowercase letters followed by a single digit. That might have been sufficient enough if over 90% of them weren't dictionary words or names followed by a number like "book2", "label7", etc.

Finally, the most common password was "password1" which is relatively good considering that a few years back it was just "password". So things are slowly getting better :)

At this point I feel obligated to rise a question: do we need stronger passwords or just an alternative to all of this?

Think about it. I'll get back on this...

Tuesday, December 05, 2006

Should Viruses Threaten Us?

The last time I, and anyone I know, was infected by a computer virus it was almost 10 years ago when 1,44MB (3,5'') diskettes where in fashion. Back then, viruses where a true menace since the Internet was not popular enough and the most common file exchange method where these diskettes. At the same time Anti-virus programs had not yet proven their necessity and as a result, a single diskette (used as a means of file transfer) could infect many many computers.

Users trusted a diskette from a person simply because they trusted the person. That was totally wrong since they couldn't really know where it had been before. And without an Anti-virus or any experience on the matter they could, without knowing, use an infected computer and possibly infect others simply by sharing their files with them. It really was like the human HIV virus. The was a big problem.

Since then, many things have changed. For starters, most computers don't have 3,5'' drives any more! Of course there's the Internet which is an even worse potential point of infection since you are practically exchanging files with the entire planet but one would expect computers users had grown wiser.

In our modern world where computers come with pre-installed Anti-virus systems is it acceptable for the average user to be infected or, worse, to infect others?

Today a friend of mine was telling me how his PC got infected by an .mp3 file someone gave him. What it did was create a hidden folder every time that file was played and fill that folder with random data over and over until it took up all the space left in his hard disk. He had to format the disk and install everything from scratch to fix it. He also mentioned another case where a virus cloned itself at runtime and consumed all the CPU time, thous making the system freeze. Rebooting didn't help him since it loaded itself during boot. He had to format the disk again.

While he was talking to me I couldn't help thinking "is this right? is this supposed to happen?". I mean, for a moment I thought I was 10 years in the past exchanging diskettes. I really couldn't believe that a computer user in the year 2006 did not have an Anti-Virus system installed and, worse, that a large computer users group did not shield themselves against such old and common threats.

From what I understood he didn't care much about the incident and, in his mind, thought of this as a totally normal thing because "computers break" and you have to "format them quite often to keep them in shape". Is he mad?! First of all, formatting your master hard drive should be the absolutely last choice you have and, frankly, I can't really think of a problem that demands this kind of solution. Secondly, I can't get over this belief that computers are "mysterious machines that may refuse to start or work properly for no reason". I believe we had almost two decades to familiarize with them so if you feel funny around computers maybe you are falling behind. Try to keep up!

In my little Utopian mind I picture a world where no viruses are left lying around just because everyone is keeping them out of their PC.

Sadly viruses are out there and are more mean and destructive as ever and we've simply forgotten about them. We feel safe when we shouldn't. We may not hear about them or see them before us simply because they are in hibernation. The first chance they get though, we'll know they are there the nasty way.

To sum up, unfortunately we haven't gotten rid of viruses so it's better to keep an eye for them since all it takes is a low-tech piece of code that will get you in trouble when you least expect it. Things can change and will change as soon as we treat our computers with responsibility and understanding.

P.S.: This page has been scanned for known viruses and found clean :)

Monday, December 04, 2006

Why Passwords are a Bad Idea...

BBC News has an interesting article on how passwords may weaken our security by far.

It goes on saying that, according to the UK's International Telecommunications Union, people nowadays have so many passwords to remember for so many different places that they inevitably start re-using the same keys again and again (in the worst case of all, the same password is applied to all authorization queries). As a result, it is quite easy to compromise a man's electronic identity (his online accounts to forums, commercial and banking services, e-mail, etc) just by cracking one or two of his codes (which may also be easy to guess - don't forget about brute forcing and common words). And of course many variant schemes may be seen here. For example if an e-mail account is compromised and the attacker uses the "remind my password" feature to all web sites the user is subscribed in, there's a great portion of them that will return the actual code is clear text via e-mail.

So there you have it, passwords are making people's life hard and at the same time increasing their sense of insecurity. They can't remember all of them! So they start writing them down on a piece of paper which they keep inside their wallet. Or they use (common passwords) their birthday or license plates' number and in general they violate one-by-one all keeping-passwords-safe rules.

And I'm wondering, is it time to move forward to something else? And if yes, what might that be?

Let's consider PKI for a moment. It stands for Public Key Infrastructure. I won't get into too many details here (maybe another time). Just thing of this as a system where all you need is a smart card (looks like a credit card) which holds all your information (identification, license, commercial and banking accounts, private keys). This card is password-protected so you do have to remember one password. Maybe there'll be a next version where there is no password and a biometric sensor protects the card's contents.

Anyway, with a single smart card you can exchange, through secure software, all the necessary authentication info with your e-mail provider (to access your messages), your bank (to check and manage your balance), e-commerce sites (shop online and all) and of course any other place on the WWW in which you need to properly identify yourself in order to gain access.

While some may think of this as a bad idea because all your keys are in one place, a single card - aka single point of failure, which is easy to be stolen and / or compromised. Well that's not exactly true. The card itself is very secure. Yes, someone may steal it from you since it is a physical item but it is highly unlikely he will ever be able to access its contents. So your secrets are safe and your life a lot easier.

After all, strengthening security should never be towards the end-user.

This will make things difficult for him and cause him to compromise his own identity. The PKI concept really means for the end-user to have a single card in his pocket which he must use upon login and take away upon logout. As simple as that and everybody is happy :)

This is a big issue and I'll get back on this sometime soon.

Bottomline, forget about passwords!