Pew should evolve the questions they are asking and the advice they are giving based on how the threat environment is changing. But they should keep asking.
Last year, Pew Research surveyed just over 1,000 people to try to get a feel for how informed they are about cybersecurity. That’s a great idea because it informs us as a society as to how well consumers are able to defend themselves against common attacks. Let’s consider some ways that this survey could be evolved, and how consumers can mitigate certain common risks. Keep in mind that Pew conducted the survey in June of last year in a fast-changing world.
Several of the questions related to phishing, Wi-Fi access points and VPNs. VPNs have been in the news recently because of the Trump administration’s and Congress’ backtracking on privacy protections. While privacy invasion by service providers is a serious problem, accessing one’s bank at an open access point is probably considerably less so. There are two reasons for this. First, banks almost all make use of TLS to protect communications. Attempts to fake bank sites by intercepting communications will, at the very least, produce a warning that browser manufacturers have made increasingly difficult to bypass. Second, many financial institutions make use of apps on mobile devices that take some care to validate that the user is actually talking to their service. In this way, these apps actually mark a significant reduction in phishing risk. Yes, the implication is that using a laptop with a web browser is a slightly riskier means to access your bank than the app it likely provides, and yes, there’s a question hiding there for Pew in its survey.
Another question on the survey refers to password quality. While this is something of a problem, there are two bigger problems hiding that consumers should understand:
- Reuse of passwords. Consumers will often reuse passwords simply because it’s hard to remember many of them. Worse, many password managers themselves have had vulnerabilities. Why not? It’s like the apocryphal Willie Sutton quote about robbing banks because that’s where the money is. Still, with numerous break-ins, such as those that occurred with Yahoo! last year*, and the others that have surely gone unreported or unnoticed, reuse of passwords is a very dangerous practice.
- Aggregation of trust in smart phones. As recent articles about American Customs and Border Patrol demanding access to smart phones demonstrate, access to many services such as Facebook, Twitter, and email can be gained just by gaining access to the phone. Worse, because SMS and email are often used to reset user passwords, access to the phone itself typically means easy access to most consumer services.
One final area that requires coverage: as the two followers of my blog are keenly aware, IoT presents a whole new class of risk that Pew has yet to address in its survey.
The risks I mention were not well understood as early as five years ago. But now they are, and they have been for at least the last several years. Pew should keep surveying, and keep informing everyone, but they should also evolve the questions they are asking and the advice they are giving.
* Those who show disdain toward Yahoo! may find they themselves live in an enormous glass house.
“On the Internet, nobody knows you’re a dog.” Right? Not if you are known at all. Those days are gone. As if to prove the point, one of my favorite web sites is on the wrong side of this issue. An actress unsuccessfully sued imdb.com for lost wages for having included her age on their site. There is a well known axiom in Hollywood that starlets have a half-life, and age is something that is best kept secret. IMDB countered that what matters is not an actress’ age but her ability to play a certain age.
My point is this: she sued and was unable to have information about her removed. Is age something that you believe should be private? I do. I especially do for people born after 1989, for whom a birthday and a home city can lead to someone guessing their Social Security Number.
But what about other physical attributes one might consider private? “He has a mole that you can only see if he’s naked.” How about illness? “This actor cannot lift his arm due to a stroke.” Once the information is out there, there’s no way to get rid of it. And this in the UK, which is subject to the European Data Privacy Directive. The situation is considerably bleaker for your personal information in the United States.
Related to this is The Right To Be Forgotten. In Europe they are considering new rules that say that you have a right to have information about you removed. This has some American firms in an uproar, arguing that a lack of transparency only increases risk and inefficiency. But what are the limits? What about this actress who doesn’t want her age known? How did her age provide for market efficiency?
This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about identity, privacy, and the insecurity of the financial payment system, just to name a few presentations.
Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience. This year was no exception. The conference represents an interdisciplinary approach to cybersecurity that includes economists, government researchers, industry, and of course computer scientists. It is run by friend and luminary Bruce Schneier and Professor Ross Anderson from Cambridge University, this year with chairs Drs. Tyler Moore and Allan Friedman. The conference includes an eclectic mix of work on topics such as cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of University of Münster), privacy protection, user behavior, and understanding of the underground economy. This year’s conference had a number of interesting pieces of work. Here are a few samples:
- Guns, Privacy, and Crime, by Alessandro Acquisti (CMU) and Catherine Tucker (MIT), provides an insight into how posting the addresses of gun permit applicants on a Tennessee website does not really impact their security one way or another, contrary to arguments made by politicians.
- Is the Internet for Porn? An Insight Into the Online Adult Industry – Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel provide a detailed explanation of the technology used to support the Internet porn industry, which the paper claims generates over $3,000 a second in revenue.
- The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talks about just how poorly many websites manage all of those passwords we reuse.
- A panel on the credit card payment system, together with a presentation that demonstrated that even credit cards with chips and PINs are not secure. One of the key messages from the presentation was that open standards are critically important to security.
- On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.
The papers are mostly available at the web site, as are the presentations. This stuff is important. It informs industry as to what behaviors are both rewarding and provide for the social good, as well as where we see gaps or need of improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.
Really, it’s not clear to me whether this is a generational thing or what, but people tell me that email addresses are no longer that important to them, what with MySpace, Facebook, and the like. Others just use SMS, where their cell phone number is the important thing for people to reach them. For some, however, their email address is their identity, and their only means of being reached by friends and family. That’s true for me, at least. I’ve had the same sets of email addresses for about 12 years: one for work, one main one for play, and a bunch of others for special use. This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.
If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint? Why would you want to do this? Let’s look at a few cases:
- Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else. What happens if you decide to change ISPs? Do you lose your email address? And do you care? Can someone else get your old email address, and what are they likely to receive?
- You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into. The first thing the bad guy does is change all of the security questions that are meant to cover password recovery. How, then, are you able to prove to the service provider that the account was yours in the first place? Can you even get your old account shut down, so that the attacker can’t masquerade as you?
- This is the inside-out version of the previous case: suppose someone claims you are masquerading as the legitimate owner of your account? Who do you go to in order to prove that you are the legitimate owner of the account?
- Your mail service provider goes out of business, and the domain they have been using for you is sold.
- There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off. It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.
For all but the last case, you have a way of at least mitigating the problem by having your own domain name, like ofcourseimright.com. That is, go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain. However, is this just moving the problem? It could be if someone breaks into a registrar account that is not well secured. However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).
The hard part is finding someone to host your domain. This sounds like a royal pain in the butt. And it is! So why not just use your cell phone or a social network site? Cell numbers are at least portable in many countries. Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen. Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.
New research published in yesterday’s Proceedings of the National Academy of Sciences has dramatic implications for Americans and identity theft. Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at Heinz College of Carnegie Mellon. He has spent the better part of two years with his colleague Ralph Gross, looking at Social Security numbers as both identifier and authenticator, something we have all known was a bad combination. Professor Acquisti demonstrates just how bad of an idea it has been in the last twenty years. In that time there have been two significant policy changes that have made numbers extremely predictable based on two pieces of information:
The policy changes involve release of something known as the Death Master File (DMF), which was intended to prevent someone from expropriating a dead person’s identity, and the Enumeration at Birth (EAB) initiative, which has had the effect of allocating SSNs shortly after birth. Combine these with the facts that SSNs have structure based on location and that the less significant components are serialized in allocation, and it makes for a predictable SSN.
This gets worse. While it may be possible to fix this problem for future generations that use SSNs, either by randomizing all or lesser components, or by not filing applications upon birth, the millions of people who have assignments in this time period are in an extremely difficult spot, because the workaround is a change of number. This argues for a new form of identity that separates authentication and identity, but the effort to do so requires that the finance, education, and medical sectors (not to mention government) change their means of identifying individuals. This will be no easy task.
This research is a remarkable piece of work by Professor Acquisti and his colleagues.