It’s a common belief that Apple has gone to extraordinary lengths to protect individuals’ privacy through mechanisms such as Touch ID, but what are its limits? Today Forbes reported that a U.S. attorney was able to get a warrant for the fingerprints of everyone at a particular residence for the express purpose of unlocking iPhones.
Putting aside the shocking breadth of the warrant, suppose you want to resist granting access to an iPhone. It is not that hard for someone to force your finger onto a phone. It is quite a different matter for someone to force a passcode out of your head. Apple has gone to some lengths to limit certain forms of attack. For instance, Touch ID generally will not authenticate a severed finger, and it is designed to reject a flat copy of a fingerprint (though researchers have shown that a carefully fabricated fake finger made from a lifted print can fool it). Also, Apple doesn’t actually store fingerprint images, but rather a mathematical representation (in effect a hash) of the sensor data, kept in the Secure Enclave. Note that this template is still sensitive: anyone who can extract it and knows how it is derived could replay it, so the protection rests on the template never leaving the Secure Enclave.
For those who care, the question is what length someone is likely to go to gain access to a phone. Were someone holding a gun to my head and demanding access to my phone, unless it meant harming my family, I’d probably give them the information they wanted. Short of that, however, I might resist, at least long enough to have my day in court. If that would be your approach, then you might want to skip Touch ID, lest someone simply gets rough with you to get your fingerprint. The problem is that Touch ID cannot currently be required in combination with a passcode on iPhones and iPads. Either suffices. And this goes against a basic concept of two-factor authentication: combine something you are, like a fingerprint, with something you know, like a passcode, so that neither alone unlocks the device.
Steps you should take after the Yahoo! breach.
Yesterday, Yahoo! announced that at least 500 million accounts have been breached. This means that information you gave Yahoo! may be in the hands of hackers, but it could also mean a lot more. The New York Times has an excellent interactive tool today that demonstrates how much of your information may have leaked, not just from Yahoo! but from other breaches.
Not only should people change their Yahoo! passwords, but it is also important for people to review all passwords and information shared with Yahoo! In particular:
- Many people use the same password across multiple accounts. If you did this, you should change passwords on all systems where that password was used. When you do, see to it that no password is shared between any two systems.
- Hackers are smart. If you only tweak the same password a little for use on multiple systems, a determined hacker, or more likely a determined script, will try those variants and may well break into other accounts. For example, if your Yahoo! password was DogCatY! and your eBay password was DogCatEBay, you should assume the eBay account is compromised as well.
- This means you should keep a secure record of what passwords are used where, for just this sort of eventuality. By “secure” I mean encrypted and local. Having two pristine USB keys (one for backup) is ideal, where the contents are encrypted at the application layer. I also make use of Firefox’s password manager. That in itself is a risk, because if Firefox is hacked your passwords may be gone as well.
- Unfortunately, passwords may not be the only information hackers have. Yahoo! has previously made use of so-called “backup security questions”. Not only is it important to disable those questions, but it is important to first review them to see where else you may have used the same questions and answers. Security questions are a horrible idea for many reasons: the answers reveal private aspects of your life, and much of that (a mother’s maiden name, a first school) can be discovered from public records or social media anyway. Sites like United Airlines recently implemented security questions. My recommendation: choose random answers and record them in a secure place that is separate from your passwords.
- It is possible that hackers have read any email you received on Yahoo! In particular, review any financial accounts that send statements, notifications, or password-reset links to your Yahoo! address.
- Use of cloud-based storage as a backup for your passwords should be viewed with great suspicion. There have been a number of such tools that themselves have been found to be vulnerable.
- Hackers may have your cell phone number, which matters for those who use SMS as secondary authentication. While SMS is not secure communication, the chances of it being intercepted are relatively low. The safest practice is not to rely solely on SMS for authentication. My bank uses both a secret and an SMS message, relying on the tried and true two-factor authentication approach of something you have and something you know. A better solution is a secret and an app with a secure push notification. This is what MasterCard has done in Europe.
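To make the point about “tweaked” passwords concrete, here is an added example (mine, not part of the original post) of the kind of variant generation a credential-stuffing script performs: given one leaked password and a target site, it enumerates the obvious tweaks (drop a trailing site abbreviation or suffix, bolt on the target site’s name in a few capitalizations, re-add common suffixes) and checks whether a candidate password falls in that set. The suffix list, the camel-case segmentation heuristic and the sample passwords are my assumptions for illustration, not anything Yahoo! or the post described.

```python
import re
from itertools import product

# Suffix decorations people bolt onto a shared base (assumed list, not from the post).
SUFFIXES = ["", "!", "1", "123", "!1", "2016", "?"]


def camel_segments(s: str) -> list[str]:
    """Split a password core into its visible building blocks.

    'DogCatY' -> ['Dog', 'Cat', 'Y'], 'DogCatEBay' -> ['Dog', 'Cat', 'E', 'Bay'].
    """
    return re.findall(r"[A-Z][a-z]*|[a-z]+|\d+|[^A-Za-z0-9]+", s)


def bases(leaked: str) -> set[str]:
    """Possible shared stems hiding inside a leaked password.

    Strips trailing digits/punctuation, then progressively drops trailing
    camel-case segments, because a site abbreviation ('Y' for Yahoo!) or a
    whole site name usually sits at the end.
    """
    out = {leaked}
    core = re.sub(r"[^A-Za-z]+$", "", leaked)
    out.add(core)
    segs = camel_segments(core)
    for i in range(len(segs) - 1, 0, -1):
        out.add("".join(segs[:i]))
    out.discard("")
    return out


def site_tokens(site: str) -> set[str]:
    """Ways a person writes a site name inside a password.

    'eBay' -> {'eBay', 'EBay', 'ebay', 'EBAY', 'Ebay', 'E', 'e'}.
    """
    name = re.sub(r"[^A-Za-z]", "", site)
    if not name:
        return set()
    return {
        site, name, name.lower(), name.upper(), name.capitalize(),
        name[0].upper() + name[1:], name[0].upper(), name[0].lower(),
    }


def candidates(leaked: str, site: str) -> set[str]:
    """Passwords a stuffing script would try on `site` given one leaked password."""
    cands = set()
    for base, tok, suf in product(bases(leaked), site_tokens(site) | {""}, SUFFIXES):
        cands.add(base + tok + suf)  # DogCat + EBay + ''
        cands.add(tok + base + suf)  # EBay + DogCat + '!'
    return cands


def is_derivative(leaked: str, site: str, password: str) -> bool:
    """True if `password` is the leaked password itself or an obvious tweak of it."""
    return password in candidates(leaked, site)


if __name__ == "__main__":
    # Constructed example following the post: the Yahoo! password leaks, the eBay one is a tweak.
    leaked, ebay_pw = "DogCatY!", "DogCatEBay"
    print(len(candidates(leaked, "eBay")), "candidates a script would try on eBay")
    print("eBay password derivable:", is_derivative(leaked, "eBay", ebay_pw))
    print("unrelated password derivable:", is_derivative(leaked, "eBay", "q8#Lm2vZp0wR"))
```

The candidate set is a few hundred strings, so a script can try every one of them against every site in seconds; only an unrelated, randomly generated password falls outside it, which is why the advice above is to share no password between systems rather than to vary one.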
These suggestions are good for the sort of mass breach that we are seeing with Yahoo! In addition, one has to be careful with the amount of trust placed in a cell phone. If the phone is lost, you should assume that hackers will be able to get into it. Keeping a record of the applications you use, particularly those that have financial or security implications, will help you recover from the loss.
These suggestions are written with the notion that Yahoo! is not going to be the only site that will have had this problem. Although not to this scale, we’ve seen this sort of thing before, and we will see it again. I’ll have more to say about this from an industry perspective in a while.
Yahoo picture by Sebastian Bergmann – originally posted to Flickr as Yahoo!, CC BY-SA 2.0
This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about identity, privacy, and the insecurity of the financial payment system, to name just a few of the presentations.
Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience. This year was no exception. The conference represents an interdisciplinary approach to cybersecurity that includes economists, government researchers, industry, and of course computer scientists. It is run by friend and luminary Bruce Schneier and Professor Ross Anderson of Cambridge University, this year with chairs Drs. Tyler Moore and Allan Friedman. The program is an eclectic mix of work on topics such as cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of the University of Münster), privacy protection, user behavior, and the underground economy. This year’s conference had a number of interesting pieces of work. Here are a few samples:
- Guns, Privacy, and Crime, by Alessandro Acquisti (CMU) and Catherine Tucker (MIT), provides insight into how the addresses of gun permit applicants posted on a Tennessee website do not really affect their security one way or another, contrary to arguments made by politicians.
- Is the Internet for Porn? An Insight Into the Online Adult Industry, by Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel, provides a detailed explanation of the technology used to support the Internet porn industry, which it claims generates over $3,000 a second in revenue.
- The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talks about just how poorly many websites manage all of those passwords we reuse.
- A panel on the credit card payment system, together with a presentation demonstrating that even Chip and PIN cards are not secure. One of the key messages from the presentation was that open standards are critically important to security.
- On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.
The papers are mostly available at the web site, as are the presentations. This stuff is important. It informs industry as to what behaviors are both rewarding and provide for the social good, as well as where we see gaps or need of improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.
Really, it’s not clear to me if this is a generational thing or what, but people tell me that email addresses are no longer that important to them, what with MySpace, Facebook, and the like. Others just use SMS, so their cell phone number is what people use to reach them. For some, however, their email address is their identity, and their only means of being reached by friends and family. That’s true for me, at least. I’ve had the same set of email addresses for about 12 years: one for work, one main one for play, and a bunch of others for special use. This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.
If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint? Why would you want to do this? Let’s look at a few cases:
- Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else. What happens if you decide to change ISPs? Do you lose your email address? And do you care? Can someone else get your old email address, and what are they likely to receive?
- You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into. The first thing the bad guy does is change all of the security questions that are meant to cover password recovery. How, then, are you able to prove to the service provider that the account was yours in the first place? Can you even get your old account shut down, so that the attacker can’t masquerade as you?
- This is the inside-out version of the previous case: suppose someone claims you are masquerading as the legitimate owner of your account? Whom do you go to in order to prove that you are the legitimate owner of the account?
- Your mail service provider goes out of business, and the domain they have been using for you is sold.
- There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off. It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.
For all but the last case, you have a way of at least mitigating the problem by having your own domain name, like ofcourseimright.com. That is, go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain. However, is this just moving the problem? It could be, if someone breaks into a registrar account that is not well secured. However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).
The hard part is finding someone to host your domain. This sounds like a royal pain in the butt. And it is! So why not just use your cell phone or a social network site? Cell numbers are at least portable in many countries. Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen. Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.
[not unusual for Ole, by the way.]
Why does security have to be so complicated?
Now knowing Ole as I do, this is of course rhetorical, but it does remind me of two conversations I’ve had. One was a long time ago. A friend of mine was part of a cable start-up team. Some of you will know who this was. He showed up at a conference with his big financial backer, and then told me, “Eliot, I’ve created the perfect parental control system.”
My response was simply, “Are you now, or have you ever been, a child?” Nearly any child who is motivated enough will get around just about any parental block. Kids are smart.
The same is largely true of security. A former boss of mine once put it succinctly: it’s either sex or money that motivates people, and bad guys tend to use the former to get the latter. A great example is the miscreants who give away free porn in exchange for typing in CAPTCHA text, so they can get around some site’s defenses. I think there is a little more to it than just those two motivations, but the point is that computers didn’t create crime. Crime has existed since Eve gave Adam the apple. The Facebook scam occurs every day in the physical world without computers, when the elderly are taken advantage of in person. Computers simply provide a new attack vector for the same types of crimes.
Bad guys are as smart as good guys, but their best is probably no better than our best.