I am happy to report that I was recruited into writing a new blog on our RSA website; some of the subjects I get excited about are more synergistic with the content here. I trust this will be a good introduction for you to all my august colleagues, and that you will gain from the wealth of diverse security viewpoints as well.
One such topic that has been brewing for some time is identity fraud. It rears its ugly head in all sorts of ways, and sometimes, as it did here, in big, mean ways. As I read of the Gov. Palin email debacle, several thoughts occurred to me on the hows and whys, and on whether it wasn't time for us all to move the security benchmark to a higher standard.
Enjoy the blog, Gov. Palin, Yahoo! Email and Security—A Call To Action? And do write in with your thoughts and comments.
Or, read on here...
Gov. Palin, Yahoo! Email and Security—A Call To Action?
What’s going on?
The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email.
“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into the email or messaging services that the common person uses globally? It may well be, since a basic password-reset flow may rely on the simplest [and weakest] of challenge questions.
But it needn’t be that way. And we know so because these days our corporate email systems use a myriad of authentication methods. In fact, if I even want to access my corporate email on my iPhone, the system insists on my entering my passcode. This is then matched along with the security access codes I set up on my iPhone to get me a secure connection into my office network. That’s good security, even more essential for business applications.
So why aren’t we more secure?
An interesting question, given that there are at least a dozen different layered authentication methodologies that are well-proven for various applications [one-time passwords provided through various hardware and software authenticators, knowledge- and risk-based authentication, challenge/response questions, device profiling, adaptive authentication for the phone, and so on] and some are apropos for email and messaging too.
The dilemma here is that a service provider needs to build simple, usable security solutions for the multitudes of subscribers who use free email services worldwide. Remember the grandparents who want to see the baby photos? Know the computer jocks and students who expect the service providers’ technology to protect their emails and not be bothered by extensive authentication requirements? Ergo, the most basic and weak challenge/response approach was what guarded Gov. Palin’s email password reset, with questions selected from a limited and easily-found range of identification questions—decidedly easy to use, but quite hackable.
Yet, consumers are adopting security quite rapidly
When anti-spam filters became a standard part of browsers, consumers were asked what levels of security they wanted. Higher levels meant occasional permissions had to be granted for various sites or information to be accessed and displayed. Better technology reduced these interruptions, but largely, consumers adapted to these security features. So did the uninitiated who learned how to use ATMs, and the impatient who acquiesced to entering zip codes at gas stations when using credit cards.
The time is right for some security advancements
I think the time is right for a series of options that need to be considered by email service providers, security technology providers and consumers.
For the Service Providers: Can the choice of enforcing the level of one’s own privacy be given back to the user? And if so, up to what extent? I think the time is right to do so extensively, and the providers might actually gain from the added security credibility.
For the technology providers: The call of the day is to offer effective strong authentication solutions such as those based on user behavior patterns that are transparent to the end users as much as possible. Many of the previously-mentioned technologies are well-proven and even commoditized for broader adoption.
For the consumers: Legally, you own your own email content [but not the services that host it], so it’s up to you to decide how you protect your own email content. Perhaps you need to either use the most secure email services for your most sensitive data, or to be very disciplined in password management: change your passwords frequently and even use incorrect answers for your challenge questions!
And, if you are a celebrity, or think you are, demand and use higher security!
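The two ideas above, the provider hardening its reset flow and the consumer giving an answer that cannot be found on Google or Wikipedia, can be shown together. The following is an added example written for this post, not code from Yahoo! or RSA; the service-side design (salted slow hash, attempt lockout) and the random-answer helper are my own assumptions about how a reset flow could be built.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

ITERATIONS = 200_000   # PBKDF2 work factor: slows offline guessing of stored hashes
MAX_ATTEMPTS = 5       # lock the recovery question after this many wrong answers


def normalize(answer: str) -> str:
    """Canonicalise a typed answer so harmless variations (case, spacing) still match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def random_answer(nbytes: int = 12) -> str:
    """Generate an 'incorrect' answer that no public record can reveal.

    The user keeps it in a password manager; the wording of the question
    (birthday, zip code, ...) then no longer matters to an attacker."""
    return secrets.token_urlsafe(nbytes)


class RecoveryQuestion:
    """Server-side record for one challenge question: salted slow hash plus attempt counter."""

    def __init__(self, question: str, answer: str):
        self.question = question
        self.salt = os.urandom(16)          # per-question salt: identical answers hash differently
        self.digest = self._hash(answer)    # the plaintext answer is never stored
        self.failures = 0

    def _hash(self, answer: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), self.salt, ITERATIONS)

    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def verify(self, answer: str) -> bool:
        """True only for the right answer on an unlocked question.

        Wrong answers are counted; once locked, even the right answer is refused
        until the owner re-authenticates through another channel."""
        if self.locked():
            return False
        if hmac.compare_digest(self._hash(answer), self.digest):   # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        return False
```

A birthday-and-zip-code answer set has a small enough guess space that the lockout is what stops a patient attacker; a `random_answer()` removes the lookup shortcut altogether.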