Ten Reasons to Forget Passwords

Two recent events have focussed my attention on password issues. The first was a proposal from a tax department to allow electronic filing of tax returns "signed" with a password via the internet or a telephone. The second was the discovery that my mobile phone service provider had posted my bill on a very poorly secured website. These ideas might also be useful when evaluating other security proposals:

  1. "The use of a password for authentication is widely adopted in the internet". This is the Lemming Argument: "Ten million lemmings can't be wrong." Additionally, password systems are not all the same. Other relevant factors include the manner in which the passwords are being used, the value of the information they protect, and the measures in place to detect abuse.
  2. Users do not always follow instructions. You may ask them to keep their password confidential, change them periodically, and report any loss or compromise, but not all of them will.
  3. Adding more functionality changes the risks. I have not been able to imagine a substantial benefit an attacker could gain by submitting a false tax return for another person, so why would anyone bother? However, by also allowing an interactive tax enquiry the risks increase, because the attacker can gain personal information about the victim. This could be enough to allow identity theft.
  4. One million is not a large number. Various parts of the proposal made it apparent that the "password" proposed was, in fact, a six-digit PIN. It should be apparent that, given a country's population, some passwords could be discovered by simple guessing. While this will be a trivial percentage of the population, it will be very important to the victims.
  5. A password protected by symmetric encryption does not provide non-repudiation.
  6. Claiming conformance with industry standards means nothing without saying which industry, which standard, and the manner in which the standard is met.
  7. "This will help promote E-government and e-commerce development". Unfortunately not: although password systems are simpler for the user to understand and use individually, users should choose a different password for each site. The burden of remembering different passwords increases with each new site until the user has to stop because they cannot remember any more.
  8. An ID number (identity card number, social security number or similar) should not be used as the initial password. The problem of setting an initial password when the user is not present is solvable - banks use secure mailers to distribute PINs. Setting it to an ID number assumes that only the user knows the number, which is untrue.
  9. Make sure the site security is consistent. There is little point in using SSL for confidential information if the password used to access that information is sent in the clear.
  10. Any password can be guessed with infinite tries. User accounts should be deactivated after a number of invalid logon attempts.
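Items 4 and 10 combine naturally in code. The following is an added example, not part of the article: a small authenticator that deactivates an account after a fixed number of invalid logons, alongside a function that turns the six-digit PIN space into an expected-compromise figure for a given population and per-account guessing budget. The function and class names, the lockout threshold, and any population figure passed in are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5   # item 10: deactivate after this many invalid logons (assumed threshold)
PIN_SPACE = 10 ** 6       # item 4: a six-digit PIN has only a million possible values


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # A slow salted hash limits offline guessing if the store leaks; it does
    # nothing against online guessing, which is what the lockout below is for.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class Authenticator:
    def __init__(self):
        self.accounts = {}

    def enrol(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_pin(pin, salt))

    def login(self, user: str, pin: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"          # same answer as a wrong PIN: do not reveal valid users
        if acct.locked:
            return "locked"          # even the correct PIN is refused once locked
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True       # reactivation must happen out of band
            return "locked"
        return "denied"


def expected_guessed_accounts(population: int, tries_per_account: int) -> float:
    # Item 4 as a risk figure: with uniformly random PINs each online guess
    # succeeds with probability 1/PIN_SPACE, so this is the expected number
    # of accounts opened when every account gets tries_per_account guesses.
    return population * min(tries_per_account, PIN_SPACE) / PIN_SPACE
```

With a lockout of 5 tries, a population of seven million accounts still yields about 35 expected compromises, which is the point of item 4: trivial as a percentage, serious for the victims.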

Passwords can be a useful component of an information security system, if properly managed. However, too many systems use them because they are cheap and easy, without considering the limitations.

AVAR 2002 Conference Preview

As we head towards the close of the year, the highlight of the anti-virus calendar in Asia approaches. Now in its fifth year, the Association of Anti-Virus Asia Researchers International Conference will be held in Seoul, Korea on 21-22 November. Previous years have seen the event grow to about 180 participants from around the globe.

Following the trend of previous years, several speeches are reports from government agencies in the region. Seung-Cheol Goh of the Korea Information Security Agency will cover the incident response of the Korean Government, with particular reference to the efforts made for the 2002 Korea and Japan World Cup. Zhang Jian of the China National Computer Virus Emergency Response Center will survey the situation in China, including dealing with a new virus found in China and testing of anti-virus products. Shigeru Ishii of the Information-technology Promotion Agency in Japan will summarise the results of their computer virus infection surveys in Japan and overseas. The surveys also show usage rates of anti-virus software on clients, servers, groupware and gateways, and the rate of pattern file updates, which should interest developers wanting to see how their software is really being used.

As a counterpoint to these government reports, Costin Raiu will present an outsider's view of anti-virus protection in Asia. What can a Romanian say about Asia? Quite a lot. Using statistics from his "Smallpot" project, a very specific honeypot used to monitor CodeRed, Nimda and Spida infections, Mr Raiu will provide a review of the average security status of the large mass of computers connected to the Internet in Asia.

Larry Bridwell will add data from America to the debate and show how the problem is out of control. I certainly look forward to seeing what new insights can be gleaned by comparing and contrasting the data from these disparate sources.

Policy is the foundation that information security is built on, and Takuya Yamazaki of the Ministry of Economy, Trade, and Industry Deputy in Japan will present the most current concept and views of information security policy of Japan, indicating the boundary of the role between public sector and private sector.

The management level is also addressed. In the second day keynote speech, Jimmy Kuo will review the year. Always an entertaining speaker, Paul Ducklin will tell us how to avoid being a victim. Looking at blended threats, Motoaki Yamamura will provide a big picture view of what computer systems managers need to know now in order to stay ahead of emerging viruses and hacking techniques. Some presentations are definitely heading towards the technical aspects. Alex Shipp will discuss the different strategies useful for desktop and Internet level anti-virus protection. Randy Abrams will describe and demonstrate the automated virus scanning system in use at Microsoft. Jong Purisima addresses the increasing problem of malware that targets systems as a whole and the future of System Disinfection.

Naming, apart from providing a rare opportunity to quote Shakespeare in an anti-virus context, has been a controversial topic for a long time. Nick FitzGerald will take the rose by the thorns and make the first public presentation of the Revised CARO Naming Convention.

Then there are the firmly technical speeches. Vesselin Bontchev and Katrin Tocheva give the keynote speech on the first day, discussing the future of macro and script polymorphism. Last year, Dr. Bontchev's keynote on the responsibilities of the anti-virus researcher prompted some debate, so I am sure this will be an eye-opener.

Won-Hyok Choi will discuss how to detect and repair viruses that hook the Windows API and attack Win32. Turning this around, Yoshihiro Yasuda will consider the appropriate Win32 hooking that can be used for malware analysis and the design of research tools.

SiHaeng Cho will discuss the influence of double-byte character sets in script viruses and worms, and how to prevent this from influencing the integrity of anti-virus software. Completing the line-up, Myles Jordan will discuss metamorphism, its evolution and the application of a meta-heuristic system to detect this latest generation of viral techniques.

The programme also features a panel discussion, banquet, the AVAR AGM and a hospitality programme. Overall, the programme covers the full range, from Government policy down to the last technical bit. To close with the words of the Conference Chairman, Charles Ahn, "The dream of building a robust information society can become a reality only when information security is guaranteed, and I believe, the 5th AVAR International Conference will be the small yet meaningful step toward that dream."

Conference: AVAR 2002
Dates: 21-22 November 2002
Venue: Ritz-Carlton Hotel, Seoul

Updated: 26th April 2008

Lemmings Vindicated

Allan Dyer

The highly respected biologist, Richard Dawkins, has written that the reputation of lemmings for jumping over cliffs in mass suicide stampedes is entirely mythical. I apologise to all lemmings for suggesting they are as dumb as password advocates.
