Data Security & Privacy

Passwords Are Archaic and Do Not Prevent Unauthorized Access to Corporate Systems

 
Corporate cyber-security is a hot topic these days in mainstream media, and for good reason. Many people who gain unauthorized access to a computer or computer system are relatively judgment-proof from civil liability for the simple reason that they typically have low earning capacities. Corporations, on the other hand, have extremely deep pockets and are therefore a prime target for litigation. The Associated Press and The New York Times both ran stories today regarding the vulnerability of corporate and private systems to outside attacks. Below is a summary of both articles:
 
In "Goodbye Passwords. You Aren't a Good Defense.", an article written for The New York Times, Dr. Randall Stross, professor of business at San Jose State University, discusses how the general public's use of passwords has made it extremely easy for hackers to gain unauthorized access to personal information. Dr. Stross writes that the best password is "a long, nonsensical string of letters and numbers and punctuation marks" that is replaced with another long string on a regular basis, preferably monthly. However, most people these days have been trained to select a short, easy-to-remember login and password that guards some of our most private information. Dr. Stross feels that we need to retrain ourselves away from this practice and either get rid of passwords and logons completely or adopt other technological advances that identify who we are while still protecting our private information. Dr. Stross advocates cryptographic technology for accessing personal information over mnemonics.
 
Cryptographic technology goes something like this, according to Dr. Stross: "as users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code." The necessary software is already on 20% of PCs, but that is only part of the battle. Web site hosts have to adopt the technology, and in the opinion of Dr. Stross, too much energy has been wasted on the OpenID Initiative instead.
 
OpenID promotes "single sign-on," which allows the user to log on to one of the OpenID Web sites, where a single password grants entrance for the session to all Web sites that accept OpenID credentials. According to Dr. Stross, OpenID at best offers a little convenience and ignores the inherent vulnerability of typing one's password into a Web site. Microsoft, Yahoo, Google, and IBM all advise the board of the OpenID non-profit organization, but even they are unwilling to buy into the OpenID Initiative completely. Each company will create an OpenID for its visitors that can be used on its own site, but is unwilling to rely upon the OpenID credentials issued by others. By relying upon a cryptographic conversation between computers, the risk of inadvertently giving away a password is eliminated, and corporate liability for protecting customer information is diminished further.
 
The next article, by Oskar Garcia of The Associated Press, reports that a federal judge has barred three MIT students from disclosing security flaws in the automated fare system used by Boston's subway system, run by the Massachusetts Bay Transportation Authority, at the Defcon computer hackers' conference in Las Vegas, Nevada. The lawyer for the MIT students argued that the students were simply trying to share their research with the rest of the conference attendees, and planned to omit key information that would make things easier for anyone who actually wanted to hack the payment system. The lawyer further argued that "ordering the students to not share their findings would be 'dangerous,' and have a chilling effect on legitimate researchers who want to point out flaws that lead to system improvements."
 
Lawyers for the Massachusetts Bay Transportation Authority argued that the presentation by the MIT students would inflict significant damage on the transportation company unless it had time to fix and correct the flaws in its computer system. Defcon is an annual conference in Las Vegas that is attended by many of the world's best-known security experts, and it has become an annual showcase of the latest discovered weaknesses in computers, phone equipment and other machines.
 
To read The New York Times article, please click here:  Goodbye Passwords. You Aren’t A Good Defense.
 
To read The Associated Press article, please click here:  Court Blocks MIT Students From Showing Subway Hack
 