Managing Credentials on the Web

January 19, 2011 at 11:19 pm | Posted in Cyber Security, Identity Management | 1 Comment

I enjoyed reading a good natured rant about the vagaries of managing your identity online on the Des Res blog the other week.  If, like me, you work for a large organisation, you’ll probably be obliged to follow strict rules on selecting a password for access to corporate systems.  If, again like me, you use a lot of websites that require you to select credentials for logging in, you may struggle to manage a large (and constantly growing) set of strong passwords without writing them down.  In these circumstances, it’s very tempting to re-use the strong password for your work systems for other purposes.

Identity 2.0

Identity 2.0 or digital identity has long promised to solve these problems in a world where a user can potentially have one online identity, with a pre-certified proof which is submitted when required for authentication.  This model is represented by Microsoft’s Cardspace and the open source Higgins project, but has been slow to gain momentum.  However, in recent years, a number of the larger IAM vendors, starting with CA Technologies, have added support for these technologies to their Web Access Management products.

Multiple Identities Online

Of course, being able to use a single identity and set of credentials for all your online activities is a real “good news/bad news” story.  The convenience of managing a single set of credentials comes at a price:  it’s quite conceivable that your visits to different websites could be aggregated and correlated, to build a far more comprehensive (and revealing) picture of your online activity than you might feel comfortable with.  It’s also true to say that not all web sites we visit (and register for) justify the same level of strength in authenticating our identity.  For example:

  • Online Banking: There’s so much at stake if your banking credentials become compromised that it’s obvious to all but the hard of thinking that those credentials should never be used elsewhere.  In a previous post, I described how my bank allows me to be warned if I try to re-use internet banking credentials on another site, by providing me with a free copy of Trusteer Rapport.  This protection can be easily extended to other high risk sites.
  • Social Media: As I’ve described on these pages before, I use a wide range of social media applications (in the widest sense of the term) to maintain my contact list, collect and collate information and publicise this blog.  Each site requires a separate set of credentials, but increasingly I’m offered the chance to sign in to one application using the credentials from another (very often, either Twitter or Facebook).  This makes use of the Open Authentication (OAuth) protocol.  OAuth allows the user to authenticate with their chosen service to generate a token.  The token can then be used to allow another application to access resources for a given period of time.  So, for example, when configuring Tweetdeck, I authenticate in turn to Twitter, Facebook, LinkedIn and Google Buzz and authorise Tweetdeck to use the OAuth tokens to retrieve data from those applications until I revoke that access.

Single Sign On
This still leaves a wide range of different sites that require a login.  I use a wide range of Cloud Services, including Drop Box (of which, more in a moment), Windows Live Mesh, Mind Meister (for collaborating on mind maps), MobileNoter (for sharing and synchronising Microsoft OneNote) and of course, Google Docs.  These (or at least the data I entrust to them) are important enough to me to warrant good quality credentials and together they make a good case for Single Sign On.  With more than 10 years’ experience in Identity Management projects, I’ve always viewed SSO as primarily a user productivity tool, with some incidental security benefits.  However, I came across a story on Mashable, describing tools for managing web passwords and quickly realised that I could:

  • Store all my credentials in a single location;
  • Secure them with a single strong password, which never leaves my machine;
  • Synchronise that credential store across multiple computers by locating the credential store on Drop Box;
  • Use the same, synchronised solution on my iPhone.

So, armed with these requirements and the Mashable product reviews, I eventually settled on 1Password.  As well as a management app, which sits in the system tray, 1Password installs a plug-in for all the modern browsers (I’m using it with IE and Firefox) which detects when you’re completing a registration or login form and prompts you to save the credentials.  Next time you visit the site, just press the 1Password button to login.  Incidentally, the Mashable article mentions that 1Password is primarily a Mac product, with a Windows version in beta.  The Windows version is now in fact available as a paid-for GA product.

Summing Up

So, in conclusion, it’s possible to figure out a strategy to at least simplify sign on and credential management to a wide range of web sites and applications, each with differing needs for strength and protection.  By and large, the tools to do this are available for free and even the commercial components I chose are available for a very modest fee.  All in all, the benefits far outweigh the modest outlay of time and cash.

2010 in review

January 2, 2011 at 11:42 am | Posted in Uncategorized | 1 Comment

The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Fresher than ever.

Crunchy numbers


A Boeing 747-400 passenger jet can hold 416 passengers. This blog was viewed about 3,000 times in 2010. That’s about 7 full 747s.

In 2010, there were 23 new posts, growing the total archive of this blog to 37 posts. There were 75 pictures uploaded, taking up a total of 9mb. That’s about 1 picture per week.

The busiest day of the year was April 7th with 32 views. The most popular post that day was OneNote in the Cloud.

Where did they come from?

The top referring sites in 2010 were 74.125.155.132, mobilenoter.com, ifreestores.com, iheartonenote.com, and stumbleupon.com.

Some visitors came searching, mostly for onenote iphone, iam governance, one note iphone, motorola5200, and mobilenoter.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

1. OneNote in the Cloud (September 2009), 12 comments
2. OneNote, iPhone and Wi-Fi (January 2010), 8 comments
3. Send Back Pictures to OneNote (January 2010)
4. 1st Impressions – IBM and IAM Governance (August 2009), 1 comment
5. OneNote to go … (September 2009), 2 comments

New Year’s Resolution

December 31, 2010 at 1:39 pm | Posted in Uncategorized | Leave a comment

2010 has been a bit of a watershed for me and the new direction for my career has left me seriously short on time.  Sadly, one of the things that has suffered is the time I’ve devoted to this blog.  I’ve promised myself that I’m going to rectify this in 2011, by posting on this blog once a week throughout the year.

I know it won’t be easy, but it might be fun and it will be inspiring.  Therefore I’m promising to make use of The DailyPost, and the community of other bloggers with similar goals, to keep me going, including asking for help when I need it and encouraging others when I can.

If you already read my blog, I hope you’ll encourage me with comments and likes, and good will along the way.

Wishing you a peaceful and prosperous New Year,

Tom Mellor

Happy Holidays

December 19, 2010 at 12:10 am | Posted in Uncategorized | Leave a comment

This time last year, we were cruising the Caribbean, on our way to the Panama Canal.

This year, looking out the window of V1951 Towers, I can see the Christmas lights in the trees reflecting on the snow.  It’s been another frenetic and eventful year, with business making an unexpected but thus far fruitful change of direction.

We’re taking just a short break over the holiday period and we’ll be back in the office (and back on WordPress) from Wednesday December 29th, but in the meantime, we’d like to wish all our friends and colleagues

Best Wishes for the Holidays

and a

Happy and Prosperous New Year

We look forward to chatting with you again in 2011.

Kind Regards,

Tom and Hilary

Out of the Loop

November 14, 2010 at 12:37 am | Posted in Cloud Security, Security Governance | 1 Comment

Recently, I was reading the Times on the early train to London, and I came across a multi-page section on Cloud Security – proof positive that cloud services are now firmly on the business agenda.  While I understand the attraction of cloud in delivering quick, cost effective and scalable solutions to business problems, it strikes me that it also presents yet another opportunity for the business to cut IT (and particularly IT Security) out of the decision making process.

A few weeks back the BCS Information Systems Security Group held their AGM at IBM Bedfont and a number of IBMers including myself presented during the course of the day.  My topic was “Maintaining Security Governance in the Cloud”.

My central theme was that cloud computing offers the prospect of delivering IT capacity that dynamically flexes to meet changing business requirements.  However, this flexibility and cost-effectiveness comes at a price.  There is a substantial risk that sensitive information will leak out of the business, and the lack of transparency of the provider’s security processes make it essential that the business’s security governance processes are adapted to reflect these new risks.

Burton Group (recently acquired by Gartner, Inc.), Cloud Computing Security in the Enterprise, Dan Blum, July 15, 2009

So, faced with a new set of risks and preparing to trade control over IT systems (and their security) for the benefits of the SPI model of cloud services, never has it been so vital for the business to take good advice from security Subject Matter Experts on the increased governance processes needed to protect the business data and (more importantly) its reputation.  Studies and surveys regularly report that 75% or more of businesses view security as the biggest single inhibitor to moving their IT operations into the Cloud.  This suggests that those businesses understand – at least intuitively – that traditional controls are built on physical access to the technology stack and that Cloud deployment models mean that control is passed to the Cloud Provider.  Nevertheless, a recent study conducted by Ponemon Institute for Symantec (“Flying Blind in the Cloud.  The State of Information Governance“) suggests that businesses are prepared to enter into contracts with Cloud Service Providers, without engaging their IT security team to advise them:

  • 65% select a CSP based on market reputation (word of mouth) while only 18% utilise their in-house security team to carry out an assessment
  • 80% admit that their in-house security team is rarely or never involved in the selection of a CSP
  • 49% are not confident that their organisation knows all the cloud services that are deployed.

In fact, businesses need to enlist the specialist knowledge of their security SMEs to help with the selection of a CSP and the negotiation of contracts.  The Cloud Security Alliance suggests in “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” that, together, they need to:

  • Review specific information security governance structure and processes, as well as specific security controls, as part of due diligence when selecting cloud service providers
  • Incorporate collaborative governance structures and processes between the business and the provider into service agreements
  • Engage their Security SMEs when discussing SLAs and contractual obligations, to ensure that security requirements are contractually enforceable.
  • Understand how current security metrics will change when moving to the cloud.
  • Include security metrics and standards (particularly legal and compliance requirements) in any Service Level Agreements and contracts.

Security SMEs will help to bring this about, when we can present a clear and unambiguous explanation to the business as to how the balance of risks and controls is altered in the Public Cloud and how this needs to translate to more sophisticated shared governance.  This in turn requires that we have a precise definition of what Cloud is and a robust baseline of cloud security knowledge.  The Cloud Security Alliance has introduced the Certificate of Cloud Security Knowledge (CCSK) to address this latter issue.  This certification is not designed to replace existing well-established schemes, such as CISSP, CISM and CISA, but rather to demonstrate competence in the specific security challenges of Cloud deployments, by testing an understanding of two significant and authoritative documents:

The CCSK is strongly supported by a broad coalition of experts and organizations from around the world. The collaboration with ENISA means that the world’s two leading organizations for vendor neutral cloud security research are providing the foundation for the industry’s first cloud security certification. CSA’s breadth of industry participation and strategic alliances are being leveraged to communicate the need and value of this certification to employers within cloud providers, cloud consumers, consultants and a variety of other stakeholders.  I’ll nail my colours to the mast here and commit to sitting the CCSK exam before the end of this year.  How about you?

Wrong Number

September 11, 2010 at 11:58 pm | Posted in Cyber Security, Privacy | Leave a comment

At a recent briefing on Cyber Security, one of the speakers remarked that there’s no correlation between the size (numbers, budget, resources) of the attacker and their capability to mount an attack on your networks.  My friend and former colleague Nik Barron drew my attention recently to a presentation at Defcon 18 on the subject of “Practical Cellphone Spying“.

It’s common knowledge that the crypto scheme in GSM is so weak that it’s easily broken, but in fact, if you’re within radio range of a target cellphone it’s possible to intercept calls and SMS (text messages) by bypassing the crypto scheme entirely.  In his talk, Paget explains how to build and operate an IMSI catcher, a fake GSM base station which can trick a target handset into sending you its voice traffic. In fact, GSM phones are designed to accept instructions from the BTS (GSM base station).  Even if instructed to turn off crypto, the handset will not warn the user.  Paget’s solution is based on an overlap between the ISM (Industrial, Scientific, Medical) Band and the GSM Band in the US.  This band is also a ham band (ISM is a secondary use), so it’s possible to operate with an amateur radio licence and the necessary equipment can be built by a reasonably skilled amateur for around £1,000.

So, what Paget proposes – the ability to seduce mobile phones to connect to a fake base station and to use those connections to intercept voice or SMS communications – has been possible for a long time, but crucially, it was always sufficiently difficult and expensive (hundreds of thousands of dollars) that it remained in the province of intelligence services, organised crime or other well-funded adversaries.  While the price (and the expertise needed) is still probably just beyond the point where the public might attempt to “listen in” on their neighbours, it’s possible to envisage “drive by” interception, using systems built primarily around a laptop (or even a handheld device).

Why does this concern me?  Well, my main area of expertise is around the design and implementation of Identity and Access Management (IAM) systems.  In my field, it’s common practice to use SMS messages for out-of-band transmission of credentials, either for distributing new credentials or for one time passwords, used as part of a multi-factor authentication scheme.  We must now seriously question our trust in SMS as a secure transport for these applications.


Protecting Data Outside the Office

September 4, 2010 at 11:58 pm | Posted in Data Protection, Human Factors in Security | 1 Comment

A recent article in the Times caught my eye.  It was discussing the notion of “extreme jobs”.  I think most of us can agree with the idea that there’s been an inexorable increase in the pressure on us to always be available, working longer and longer hours and still prepared to answer the mobile phone to a customer or the boss late into the night, at weekends and even on holiday.

Coupled with the ready availability of increasingly sophisticated mobile technology, it’s inevitable that many of us will take work home with us, or at least, outside the safety of the office environment.  For many of us, that means we’re taking with us sensitive information and the consequences of the loss of that data could be catastrophic.

One of my current tasks is preparing security awareness training for colleagues working on a large Public Sector bid.  We’ll be delivering this training to highly skilled and very experienced IT professionals, but looking around, I’m reminded that what is obvious and necessary to a security specialist is often at best an annoying distraction to others.  We all have to remember that mishandling sensitive information can have grave contractual and even legal consequences both for an individual and for their employer.  So, take a look at these 5 simple precautions, to make sure it’s not you that makes the headlines.

1:  Pay attention to the physical security of your laptop while travelling

Any attempt to work outside the office almost inevitably means taking a laptop, loaded with project data (including sensitive commercial and even personal data) with you while you’re travelling.  No matter how you travel, it’s bound to present plenty of opportunities for your laptop to be lost or stolen.  It’s fair to assume that, generally the motive for theft is to sell the laptop onwards, rather than a concerted attempt to obtain any data stored on it.  However, you should take reasonable care not to advertise that you might be a valuable target.  Don’t for example wear your company pass outside the building.  The risk is greatest, when you have to leave the laptop unattended:

  • While driving, keep the laptop out of sight, in the boot of your car.
  • When staying in a hotel, keep the laptop in a safe, if one is provided in your room.
  • When using the laptop in a public place, secure the laptop with a Kensington lock.

2:  Use whole disk encryption to protect your data

If your laptop is lost or stolen, the cost of replacing the hardware is relatively minor – and it’s insured anyway, isn’t it?  The real cost of the incident is the loss or disclosure of sensitive information stored on the laptop.  To protect against this, you should install whole disk encryption software.  This ensures that all the data on the laptop’s disk is encrypted, when the laptop is shut down.  Only when the laptop is powered up and the authorised user completes pre-boot authentication, is the disk data decrypted and available for use.  Commercial software is available from a number of well-known vendors, including PGP and DESlock.  You should bear in mind that, unless care is taken, even the authorised user may be unable to decrypt the data on the disk.  You should make sure that:

  • You run the operating system’s disk maintenance utilities to defragment the disk and check and mark any bad areas on the disk;
  • You should make a full backup of the disk volume(s) before installing the encryption software;
  • The install process will give the opportunity to create Emergency Recovery Information – make sure you write this ERI to a CD or other removable medium and store it somewhere safe;
  • Most importantly, the encryption software only takes effect when the laptop is shut down or hibernated.  You should never travel with your laptop in standby.

3:  Protect yourself against eavesdropping when working in public places

One of my favourite tech commentators is Peter Cochrane, who writes a regular column for Silicon.com.  Earlier this year, Peter reported on how easy it was to collect sensitive information from fellow travellers on the train.  Anyone who travels regularly on commuter train services will be familiar with indiscreet conversations and (even worse) one-sided mobile phone conversations, that give away far more sensitive information than they should.  Do resist the temptation to discuss sensitive matters in public places and try to curtail calls to your mobile until you can find somewhere more private.

Back to Peter Cochrane again.  During his frequent air travel, he noticed people using mobile phones to photograph – or even video – the screens of other people’s laptops.  His blog shows how it’s possible (given enough patience and a bit of experimenting) to get a reasonable picture of someone’s laptop screen.  This situation is easily fixed for a modest outlay, through the use of a privacy screen.  These clip over the laptop screen and make it impossible to read the screen unless you’re directly in front of it.  These screens work along the same lines as polarising sun glasses – do make sure they’re fitted the right way round.

4:  If you must use removable media, take extra care

It’s almost an immutable law of nature that, if you copy sensitive data to removable media, eventually, that media is going to get lost.  The simplest remedy of course is not to use removable media.  My current employer bans the use of these devices on Public Sector projects and, at one time, at least one UK government department filled the USB ports of laptops with superglue, to be absolutely sure.  Of course, a blanket ban isn’t always practicable, so, if you do need to use a memory stick, removable drive or similar, here are a few suggestions:

  • Don’t ever allow the use of personal removable devices – you have no idea how or where they’ve been used before or will be next
  • Have a pool of memory sticks for your project, clearly marked and with some sort of unique identifier.  Make team members check them in and out (with a signature) when they need them and make sure that missing or overdue devices are always followed up immediately.
  • Always encrypt the device.  As we discussed earlier in this article, the use of whole disk encryption when dealing with sensitive information is absolutely vital.  So, if all your team members have the capability, it’s crazy not to use it for removable devices as well.
  • It’s well worth the effort to select only the minimum amount of data for copying onto the removable media.  It might be quicker to export the whole contents of a database, but you must do everything in your power to limit the potential loss.

5:  Always use a secure connection over public networks.

Finally, when you’re out of the office and you need to work, be careful to secure your communications.  Assume that all networks (in hotels or other public spaces, in customer sites and even at home) are hostile.  Always use a Virtual Private Network (VPN) connection to encrypt all your traffic when connecting to your organisation’s intranet from outside and never use a public computer or your home computer to connect to the intranet.

So, to summarise, a mixture of sensible procedural precautions, together with a few simple and inexpensive technical additions can do much to control the risks of taking sensitive information outside the normal office environment.  These measures might be a little inconvenient, but they will go a long way to ensuring that you’re not the one found responsible for a data loss, resulting in massive reputational damage, the loss of contracts and potentially huge fines for your employer.

Five Things To Do With A PC When You Have No Internet Connection (via Speaking Freely)

August 16, 2010 at 11:00 pm | Posted in Home Office, Systems Management | 3 Comments

A while back I wrote about the frustration of losing broadband at a critical time (is there ever a good time for it to happen?). So, I was intrigued to come across this post on the “Speaking Freely” blog by Digital Ghost.  It’s from February 2007, but you can catch more recent posts here.

We all know that we need to keep on top of the housekeeping on our PC, particularly if we use it for business as well as home use. The truth is, we don’t bother until something goes wrong.

Take a look at 5 (well, 6 actually, but you can read them for yourself) eminently sensible things to do while you’re waiting for your broadband provider to come to your rescue.

I had no connectivity at all yesterday but since it was Monday, I wanted to remain productive. 1. Clean out and categorize your bookmarks. I don’t know about you, but I tend to just click ‘bookmark this page’ and call it good. Yesterday, when I hit the little ‘down arrow’ on Firefox to let the bookmark list scroll down I counted. Not sites, but seconds. 11 seconds worth of scrolling bookmarks is way too many. If you haven’t visited a site in a mo … Read More

via Speaking Freely

21st Century Typing Pool

August 8, 2010 at 5:43 pm | Posted in Collaboration | Leave a comment

I’ve written before in this blog about the difficulties of managing information across multiple computers and other devices, when you’re an independent consultant, looking to stretch your budget using (mostly) free tools.  In those posts, I’ve speculated that at some point, I would need to resolve the problem of how to collaborate in real-time with colleagues.  As it happens, it was after my recent return to the corporate world that the first real need came up.

I accepted an assignment to write a short document for an important customer.  The document was to be co-authored by me and a colleague, with other members of our team making contributions or acting as reviewers.  The problem was that we had a very short period of time to produce a first draft and it was unlikely that we’d be able to find much time working together in the same office – a clear case for online collaboration.

The nice thing about my current employer is that staff are actively encouraged to experiment with social media, collaboration and other tools.  So in casting around for a solution, there were no shortage of suggestions.  Keep in mind that:

  • We didn’t have the time to be very formal in our approach;
  • There was no clear demarcation on who should write each section – we anticipated that we’d all contribute to all of it;
  • It was to be only a short (no more than 20 page) document.

Given who we work for, the logical first step was to try out Lotus Quickr. This web-based system allows real-time collaboration for teams and can work both inside and outside the corporate firewall.  It was useful for building a library for the reference material we needed for our task, particularly with connectors allowing us to drag and drop files into the library on the Windows desktop and to use it from within email (Lotus Notes) and IM (Lotus SameTime).  However, while it has all the facilities for managing collaboration on a document, they proved too formal for our requirements.  Documents must be checked out for editing and then checked back in for review.  That was just too slow (and single user!) for our purposes.

Our next attempt was to use a wiki.  This allowed us to work on our document collaboratively, either in a simple markup language or using a WYSIWYG editor from a web browser.  So far, so good.  The problem came when we tried to simultaneously edit the document.  Wikis are designed to be open for anyone to edit.  The philosophy is that incorrect information, bad grammar or typos will be quickly corrected by someone else.  This is fine, if you have the time to break your document into a series of hyperlinked pages.  For us though, when we were both working simultaneously, the last one to save changes was confronted with either overwriting his coauthor’s changes or discarding his own.

Finally, my co-author (Identity and Access Management specialist Matt Kowalski) persuaded me that we should try Google Docs.  We both use a number of Google services already (in my case, Buzz and Wave, as well as Calendar), so it was a simple matter to set up an account, import our existing draft from Microsoft Word and get started.  Google Docs is like using the 50% of functionality in Word that everyone uses, without being slowed down by the other 50% that no-one uses.  Even the toolbars are familiar enough to start working straightaway.  You of course have control over who can collaborate and who can view, but within those boundaries, everyone can work simultaneously.  This can be a little unnerving at first, seeing changes happen elsewhere on the page, as you’re typing.

Google Docs allows some collaboration apart from document editing.  It provides an online chat window when collaborators are editing or viewing the document at the same time.  However, it occurred to me that the whole idea of Google Wave is to provide more sophisticated collaboration tools.  The downside of Wave of course is that you can’t create, edit or share documents.  However, you can work around that by integrating the two services, using the Google Wave iFrame gadget.  I know that Google Wave will be shut down at the end of this year, but for now, it seems worth taking the time to experiment.  To me, it seems to work well, albeit in somewhat limited screen real estate.

Of course, if I’m going to consider using such a combination for real work, I need to consider security – that is after all my speciality.  The first consideration is to be able to back up and restore anything I commit to Google Docs.  For this, I turned again to Backupify.  Sure enough, their free service includes backup of a single Google Docs account.  I configured it and by next morning, I’d received an email confirming the first successful backup.  To be sure, I accessed the archive at Backupify.  I opened the archive, located my document and opened it, without any drama at all.

For a real commercial solution using Google Docs, it would be necessary to add further security.  CA Technologies recently announced new cloud based capabilities for its Identity and Access Management (IAM) suite, allowing customers to provision users with credentials in Google Apps (including Google Docs) and also to enforce access through CA Siteminder and for business partners through CA Federation Manager.  No doubt other vendors either have or are developing equivalent capabilities.

By way of a conclusion, we found a solution to our dilemma – a multiuser, real-time collaboration system, to edit and then publish a document.  In practice, it was easy to use and the necessary security can be easily (and to some extent for free) added.  Give it a try yourself – if you want to try it in Wave, then you’ll have to be quick.

Protecting your Identity

August 1, 2010 at 12:23 am | Posted in Data Protection, Identity Theft | 7 Comments

A post on Twitter from @backupify the other day amused me …

“Google Apps has the same vulnerability as Microsoft products: Users”

They were making the point (explained further in their blog) that, according to a poll,  a significant number of administrators, if they were fired, would take with them business sensitive information.  Now, I’m not looking at those that take business sensitive information (customer databases, price lists, R&D files) as serious as that might be.  What interests me is that a significant number said they’d take a key set of credentials with them.  Yet another reminder of how vulnerable our online identity can be.

It also occurs to me that you can’t always expect to mitigate users’ behaviour with software-based controls, particularly when those users are members of the general public, with, at best, a sketchy idea of what online security is all about.  Back in 2003, I was working as lead architect on an Identity Management solution for ABSA, South Africa’s biggest retail bank (and now part of the Barclays group).  Three customers had funds removed from their accounts through ABSA’s internet banking facilities, in what appeared to be the country’s first documented case of this type of crime.  It transpired that the three customers had picked up a keystroke logger, not having the necessary security software installed on their home PCs.  Nevertheless, it was their bank that reaped the bad publicity.

Since then, banks around the world have done much to try to protect their customers, offering free or highly subsidised anti-virus software, offering various alternatives to the wholly inadequate use of passwords for authentication and even, in some cases, confirming transactions through SMS message to your mobile phone.  My business bank account is protected by a token, which generates a one-time password (OTP), as well as a conventional password.  My bank also supplies me with free anti-fraud software from Trusteer.  The Rapport browser plug-in protects session information stored in the browser and defends against man-in-the-middle attacks, trojans and phishing scams.  Most significantly for this discussion, it also monitors the user’s activity on the web and warns if the user attempts to use their Internet banking password in conjunction with another site.
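To make the last point concrete, here is an added example (not Trusteer’s code, and not part of the original post) of how a local credential-reuse monitor can work: it keeps only a keyed hash of each protected password together with the site it belongs to, and warns when the same password is about to be submitted to a different origin.  The per-installation HMAC key, the origin rule and the site names are assumptions made for illustration.

```python
"""Credential-reuse monitor (illustrative; design is an assumption,
not a description of any vendor's product)."""
import hashlib
import hmac
import os
from urllib.parse import urlsplit


class ReuseMonitor:
    def __init__(self):
        # One random key per installation.  Only HMAC tags of protected
        # passwords are stored, so the monitor never keeps a banking
        # password in the clear.
        self._key = os.urandom(32)
        self._protected = {}  # origin -> HMAC tag of its registered password

    def _tag(self, password):
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    @staticmethod
    def origin(url):
        # Treat scheme + host[:port] as the site identity, as a browser would.
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}".lower()

    def protect(self, url, password):
        """Register `password` as belonging to the site at `url`."""
        self._protected[self.origin(url)] = self._tag(password)

    def check_submission(self, url, password):
        """Called when a form containing `password` is about to be sent to `url`.

        Returns a warning string if the password matches a credential that was
        protected for a different origin, otherwise None.
        """
        origin = self.origin(url)
        tag = self._tag(password)
        for protected_origin, protected_tag in self._protected.items():
            if protected_origin == origin:
                continue  # the legitimate site for this credential
            if hmac.compare_digest(tag, protected_tag):  # constant-time comparison
                return (f"Warning: the password registered for {protected_origin} "
                        f"is about to be sent to {origin}")
        return None


if __name__ == "__main__":
    # Constructed sample: a banking password later re-used on a shop's sign-up form.
    monitor = ReuseMonitor()
    monitor.protect("https://bank.example/login", "S3cret-Bank-Pass!")
    print(monitor.check_submission("https://shop.example/signup", "S3cret-Bank-Pass!"))
```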

Still, though, users will continue to fall victim to identity theft because of unwise behaviour online.  So, I was pleased to see McAfee launch a decent eGuide to Identity Theft on their website recently.  As well as the guide, McAfee provide an online self-assessment tool.  By answering a series of questions, you can build a picture of the risks you run of identity theft, based on your online behaviour.  The risk assessment tool generates a detailed report in PDF.

Working through the tool, I found that my risk is assessed as moderate.  I could guess as I carried out the assessment which answers were affecting the score, but I feel comfortable that I’m making informed decisions to accept some risks.  After all, you can’t remove all risks, only mitigate some and accept the rest.  In fact, for many years, Marcus Ranum, who is widely credited with designing the first ever commercial firewall, published a picture of a set of wire cutters, under the title “The Ultimate Firewall”.  This illustrates the basic dichotomy in computer security – that for total security you can’t have any connectivity.  All security is a compromise with usability.

The McAfee eGuide and risk assessment tool are welcome resources, provided that they’re brought to the attention of users.  Of course, their publication coincides with the launch of Identity Protection features in their flagship consumer packages.  These features prompt the user for permission before Personally Identifiable Information (PII) is sent to a web site.  This is the consumer equivalent of the Data Loss Prevention (DLP) solutions which are beginning to be deployed by large organisations.  These packages aim to identify information assets (files, to you and me) on computer systems that contain PII and apply policies to control what can be done with those files.  This in turn limits the dangers of accidental or malicious leakage of the PII through USB sticks, email attachments, printed copy and so on.  All these technologies will of course help, but ultimately, each of us is responsible for protecting our identity through responsible online behaviour.  At least for now, too many users are completely unaware of the risks in what they do online.  To find out more about the risks, try starting at the UK Information Commissioner’s website.
