Unwitting Mules and Computers

Scales of Justice When I first traveled through Switzerland some 16 years ago, I went to France for the day, leaving from Geneva. On entering France, the guards saw a long, curly haired, American in a rental car, and they assumed I would be carrying drugs, so they took apart the car. I didn’t mind it until it occurred to me that perhaps the last guy who rented might have left something behind. Fortunately, none of that happened.

Last year, I attended one of my favorite conferences, the Workshop on the Economics of Information Security (WEIS08). I met there a number of good folk from the law enforcement community, and some talked about some of their successful investigations into crime on the computer. In one case, the investigators found megabytes of illicit material on someone’s hard drive. An astute and bright man from Microsoft by the name of Stuart Schechter pointedly asked the question how the investigators knew that the owner of the PC had stored the illicit material. The implication here would be that bad guys could be using the computer without the knowledge of its owner. The detective answered that such evidence is only one component used to charge and/or convict someone.

Now comes a case reported by AP in neighboring Massachusetts where this scenario has been brought to the fore. Michael Fiola, an employee of the state government, was fired, arrested, and shunned because some criminal broke into his computer.

What are the lessons to be learned? There is this common notion by many that end users aren’t generally the victims of the people who break into their computers. Not so in this case. There is also a belief that faith in government prosecutors alone will get an innocent person out of trouble. Not so in this case. They did eventually drop the charges, but only at the cost of his entire savings, large amounts of stress, etc.

This is not the only such case in which this has happened. So, do you know what’s on your computer? Are you sure?

Ole asks a great question

[not unusual for Ole, by the way.]

Why does security have to be so complicated?

Now knowing Ole as I do, this is of course rhetorical, but it does remind me of two conversations I’ve had. One was a long time ago. A friend of mine was part of a cable start-up team. Some of you will know who this was. He showed up at a conference with his big financial backer, and then told me, “Eliot, I’ve created the perfect parental control system.”

My response was simply, “Are you now – are you now or have you ever a child?” Nearly any child who is motivated enough will get around just about any parental block. Kids are smart.

The same is largely true with security. A former boss of mine once put it succinctly, that it’s either sex or money that motivate people, and that bad guys tend to use the former to get the latter. A great example are the miscreants who give away free porn by typing in CAPTCHA text, so they can get around some site’s security. I think it’s a little more than just those two motivations, but the point is that computers didn’t create crime. Crime has existed since Eve gave Adam the apple. The FaceBook scam occurs every day in the physical world without computers when eldery are taken advantage of in person. Computers simply provide a new attack vector for the same types of crimes.

Bad guys are as smart as good guys, but their best is probably no better than our best.

Financial Institutions and Passwords

You would think that financial institutions would want individuals to choose really strong passwords that are difficult to guess. But in at least one very big case, you would be wrong. What makes a strong password? Several things:

A lot of characters. The more the merrier. The only limitation on this is that you have to remember All of That.
A lot of randomness. That is, words in a dictionary are bad, because attackers will often go through dictionaries to attempt to guess passwords.
Characters that are not letters or numbers. This increases the search space, given a certain sized password.

Now let’s review the actual guidance given by a very popular broker:

Your new password must:

Include 6-8 characters AND numbers

Include at least one number BETWEEN the first and last characters

Contain no symbols (!,%,# etc.)

Cannot match or be a subset of your Login ID

Examples of valid passwords: kev6in, 2be111, wil1iam

In other words, they’re violating two very big rules. The 6-8 character rule means that they are limiting the search space, and people cannot put together phrases, which are actually easier to remember than passwords. Removal of symbols from the search space makes it easier for attackers to perform a dictionary attack.

This site is not alone. Many sites have the same problem, and it is likely a problem with what their security professionals think is the industry standard. Well it’s a bad standard. Who takes on the risk? In the brokerage world, the chances are that you are assuming at least some risk.

A lesson in transitive trust

Growing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred. There just was so much of it. Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community. A murder in the Zürich area, however, is rare. Maybe it’s because everyone has a gun, as my friend Neal might say. Who knows? The point is that people here are not inured to that level of violence.

Now we are discovering the online version of that. When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do. Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen. But they weren’t the only ones. Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same. Why? Because humans don’t like having to remember lots and lots of passwords. And of course, if you were one of those people who used the same password between both and linked your Yahoo or GMail account to Facebook, that means that your Facebook account could have been compromised as well. And that means that your friends may have been attacked, as we previously discussed.

How could this be worse? Let’s add Paypal into the mix. If you use the same password for eBay as you used for Yahoo!, now all of a sudden, you have invited someone to empty your bank account. Had Paypal implemented an OpenID consumer for login, an attacker wouldn’t even need your password.

Now let’s aggregate all of the people who do that. The popular OpenID providers include Google, Yahoo, and Verisign. As the number of providers increases, the concentration of risk of any one single failure decreases. Concentration of risk is a fancy way of saying that one is putting all of one’s egg in one basket. On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.

This leads to a few conclusions:

A large number of Identity Providers will require a service that provides some indication as to the reliability of the information returned by a given IdP.
The insurance and credit industries can’t manage concentrated risk. We’ve seen what happens in the housing market. The Internet can reproduce those conditions. Hence, there will be limitations on transitive trust imposed.

Conveniently, you are not without any protection, nor are the banks. There are large federated market places already out there. Perhaps the two biggest are eBay and Amazon. Amazon has the advantage of requiring a physical address to deliver to, for most goods, the exceptions being software, soft-copy books and downloadable movies. In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is 0. It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.

Paypal is another matter. If someone has broken into your Paypal account, here is what they can do:

Empty it of any credit it might have;
Charge against your credit cards; and/or
Take money from your bank.

If you’re paying attention and act quickly, you might prevent some of these nasties from happening. But first you will have to read a tome that is their agreement. In all likelihood you have no recourse to whatever final decision they make. If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering. What does it mean to pay attention? It means that you are receiving and reading email from paypal.com. That means that they have to have a current email address. When was the last time you checked that they do? Assuming that they do, it also means that you have to read what you are receiving. Now- I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal. Remember, how this posted started by talking about being inured to crime? Well, here we go again.

Beware Best Western

The customers of Best Western are the latest to have their identities stolen. As the article goes on to say, the crime gangs are going to have a field day with such live and valuable information that included credit card numbers and home addresses. There’s a clear lesson here in authorization: nobody needs to have access to the aggregate data that Best Western had. It might be necessary to modify one or two reservations at once. Perhaps it might even be necessary to know how much of a block is sold. But the whole kitten caboodle? Nobody needs that information. Here are some protections Best Western could have taken:

Apply specific encryption of the credit card information and compartmentalize the use of any decryption key. Hotels have need to retain credit card information in order to guarantee bookings. Encrypting credit card data is nowhere near a perfect solution because there is relatively little clear text information and some of that can be guessed, like the first four digits.
Encrypt all backups and protect the decryption keys so that multilevel authorization is required to access them. Many backups are stolen. If they are stolen no encryption is perfect and so notification is necessary, but with encryption those whose information is stolen can take action, like have a house sitter or change credit card numbers.
Employ intrusion detection within the database. When a specific user acts outside a profile, flag it and see what is going on.

In perhaps a more perfect world a separate identity provider could retain identifying characteristics of an individual such as address and credit card number. Commerce likes some of this information because they can market to you, and absent legislation they have very little motivation to protect the information.