I’ve written a lot about passwords in this blog and for many security and tech bloggers, it remains and evergreen topic. For all its problems, the password still holds sway as the primary authentication method. But with attacks becoming ever more sophisticated and predictable use of weak, guessable passwords, one has to wonder how long can we really keep on using them?
In theory, a password is an ideal authentication token, assuming knowledge of it resides only in the mind of the owner and it is securely stored on any other systems only in encrypted form. Practically, however, we know that this is rarely the case.
So what does the future hold? How can we replace the ubiquitous password with something more secure and less vulnerable to attack?
In life, we authenticate each other mainly by facial recognition, sometimes by voice (as in over the phone). Faces and voices are all unique and probably impossible to duplicate, though a voiceprint pattern could probably be altered by physical surgery. How about some combination of facial recognition combined with a spoken passphrase? That would give you three factors: face, voiceprint, passphrase.
Palmprints, fingerprints, iris scans could all be used to capitalize on the uniqueness of these things to authenticate you and various combinations of things could be devised.
The problem with these things, however, is that the hardware and software necessary to implement them effectively presents costs in terms of both money and system overhead. Facial recognition and voiceprint could be easily implemented using web cam and built in microphones on laptops and other smart devices.
Without a doubt, we eventually will see the password replaced by better methods. What do you think those methods will be?
Time to lighten up a bit. This hokey “PSA” about phishing is really true, but the payoff in hilarity comes at the end. Pay careful attention to the “date” that Bob managed to finally get from that online dating site.
Hope your July was great and here’s to a fantastic month of August!
One more on the dangers of the internet and this one is the best yet. Good tips wrapped up in a credible story.
- Confront it. Be proactive. Go after the attackers and fight back. Bullies and cowards – which comprise most of the script kiddie population – will turn tail and run if you let them know you’re going to fight back. Even the few organized criminal elements, unless they have some political agenda and can use you to forward it, will give up easily in the face of a determined counter attack.
- Neglect it. Let them play around and waste their time as long as they aren’t doing any real damage. Just make sure that they can’t get beyond your sandbox or firewall. Sooner or later, having not obtained anything of value, they’ll give up.
- Turn in your resignation and run screaming out the door because you failed to put adequate security measures in place. Don’t laugh: It has happened.
By far, the best approach is to confront the threat and engage in an active counter strike. This can be done by immediately implementing logging of all attack traffic and engaging law enforcement to help trace the attack back to its source. The bad guys want to remain anonymous: Do everything you can to make them visible.
Do you agree, or disagree? Comments, please.
Every day, I see student computers and laptops infected with malware. Every day, I see questionable posts made by people who think only their friends can see what they write. That’s what “Sarah” thought and this video is a reminder that the internet is a very dangerous–and public–place. Please impress upon family, friends and co-workers that prudence is the best approach.
Call it poetic justice. Call it criminal stupidity. Call it what you want. I call it hilarious. I got a good laugh out of this at a time when I certainly need some laughs. From Sophos’ Naked Security blog:
A US child abuse image collector turned himself in to local police earlier this month, after ransomware hit his PC and showed messages warning him that the FBI were on to his nasty activities.
Jay Matthew Riley, 21, of Woodbridge, Virginia, was apparently hit by the ransomware attack while surfing the web to add to his collection of unsavoury images.
As is usual with such malware, he was shown a warning demanding cash in return for keeping quiet about his suspicious activities.
He fell for the scam. Good for him. Maybe he’ll turn his life around.
The problem is that regular, law-abiding netizens get this ransomware, too, and those that fall for it and pay the bogus “fine” end up a few hundred dollars lighter in the wallet. Oh, and their banking information is probably comprised, too, so the losses can end up being much greater.
Law enforcement, especially the FBI and other three-letter agencies, do not enforce the law by such means, so NEVER comply with any directive to pay “fines” or “penalties” when such things pop up on your screen. Best to call your favorite Geek and have him/her clean the malware off your machine.
On the other hand, if you are a pedophile or sexual predator, feel free to head down to the local police station, where they should be able to help you out with three hots and a cot for a long time.
By now, we all know that each of us is being monitored: All of our electronic communications, email, Internet traffic, cell phone transmissions, faxes, even landline (which is really all delivered via microwave towers these days) is being intercepted and recorded in massive data centers run by the NSA. There are probably other secret three-letter (or four-letter, depending on your viewpoint) agencies that we don’t even know about yet who function as backups to the ones we do know about.
It’s unfortunate that our government is forcing its citizens to learn the art of surveillance in order to protect our First Amendment rights under the United States Constitution. This is being done, purportedly, to protect us from terrorism. The truth — and this is known by those who are doing it — is that our government is out of control and fears that its criminal activities will be exposed. I’m not talking about what we already know, I’m talking about those deep, dark secrets that, if discovered, could bring the government down.
But, that’s for others to address and fix.
There have long existed techniques for jamming radio transmissions to cripple enemy communications in times of war. One of these techniques is the transmission of high power carrier signals containing nothing but noise spread across the known frequency band the enemy is using, making it impossible for the enemy to get any valid traffic through the noise. This principle is applicable to internet traffic with a twist.
One could simply record random atmospheric noise in MP3 files, encrypt them to make them look like something of interest and keep a steady stream of them flowing from one’s internet connection to the cloud. Done with sufficient volume, this would tend to mask most of your valid traffic, burying it in the noise, so the watchers would have to sort through useless, random noise.
I’m not advocating this, mind you, just making an observation. I could probably turn this into a plausible plot for a cyber-thriller novel, but I’m not a novelist. If any novelist finds this an interesting plot, feel free to run with it.
The news has been filled with pieces about how your internet, telephone and email traffic is being monitored by the NSA. It’s called PRISM. That’s not an acronym, but a descriptive moniker according to Steve Gibson. A prism splits light into its spectrum; PRISM splits the light on fiber optic cables into two paths – one to the internet router and the other to the NSA data collection facility.
Security Now! podcast, Episode 408, “The State of Surveillance (How the NSA’s PRISM program works.),” is a must listen for everyone. Here’s why, in Steve’s own words:
Leo and I remind our listeners that we just had another Microsoft Patch Tuesday. Then I detail and carefully lay down a solid foundation of theory of the operation of the NSA’s PRISM program. This explains EVERYTHING about what the NSA is doing, and how. I even explain how and why the program got its name.
Big Brother is Watching You! The Thought Police aren’t far behind.
Sophos produces some excellent videos and this one definitely qualifies. I have been saying these things for years, but this video punches home the whys and wherefores of the three biggest wireless security myths. Enjoy!