I’m going to buck tradition a bit here. Instead of focusing on what
happened this year or what might happen next year, I’m going to focus my
first column of 2006 on just a couple of issues that mean a lot to me:
passwords and email security.
I’ll preface what I’m going to say with just a bit of background. I’ve
been actively using computers since about 1981, and the Internet (or some
form there of) since about 1983 or 1984. In that time, very little has
substantively changed in the worlds of passwords and of email security.
The state of attacks against our systems, on the other hand, has changed
significantly during that same period of time. Let’s explore each of
these issues in a bit more detail.
Static, re-used passwords are without a doubt the status quo for the vast
majority of systems most people use on a day-to-day basis. In many cases,
these same static passwords receive little or no cryptographic protection
while they’re traversing the dangerous territory of the Internet. Users
themselves are notoriously bad at generating passwords that are difficult
to guess, and they’re equally predictable at using the same (or very
similar) passwords across multiple systems.
These facts combine to produce a rather potent attack cocktail: eavesdrop
on users’ passwords and then use those credentials to gain access to
further machines across each user’s domain of system usage. Now, combine
that with the fact that we’ve seen a rather significant upturn in attacks
that focus on the application (vs. the network or OS layers), and it
should give you an idea of just how vulnerable we’re leaving our business
applications.
Countering this, however, are the available solutions. One-time password
mechanisms in both hardware and software forms have been available for
some time now. Without a doubt, they go a long way to disarming a
significant class of attacks. So, why do you suppose they haven’t gained
more acceptance than in a few niche areas? The most common reasons for
not using them are cost, integration, and, most damning, user acceptance.
Even many Web-based financial service companies don’t require them for
their customers (although there are some notable exceptions, no doubt).
We’ve just got to find a better solution to the problem, and it has to be
perceived, from the CEO on down to the end user, as an enabling
technology, not a prohibitive one.
And then there’s email security.
When I first started using computers while studying mechanical
engineering in college, we were taught that computers were for computing.
Big mainframes for modeling differential systems in FORTRAN and the like.
When I first saw a computer on a network being used to communicate, it
had a profound impact on me that I’ve never forgotten. However, I had no
idea just how insecure the medium was at the time.
The email systems back then were pretty much the same as those available
today, at least from a security standpoint. Sure, there are encryption
and digital signature add-ons that can be used to make email more secure,
but they’re rarely used by the masses and are often perceived as the
domain of techno-geeks (like me, I suppose). As a result, spam, scams,
and phishing attacks are beyond being ‘simply’ rampant.
Those of you who read my February 2005 column (hi Mom) might recall I
talked about the need for authentication in email. It really does come as
a shock to many non-technologists that our email today has absolutely no
mechanism for authenticating the sender, for all practical intents.
Now, think about the ramifications of that statement a bit.
The usefulness of email is eroding rapidly — many would say it’s already
gone. When was the last time you received an email from… say, eBay or
Amazon and didn’t assume it was a spam or phishing scam? Many of these
companies have been the unwitting pawns in phishing attacks and have been
finding they can no longer effectively use email to communicate with
their user communities.
If we don’t start doing a better job at email security, email will die
entirely. Some will welcome that, but I sure won’t. That epiphany that I
experienced back in 1983 is still alive and well for me. Email may well
be the worst possible form of electronic communication, but it’s better
than all the rest. (With due apologies…)
And, to be sure, there are many other problems we should be working on,
but these two are rather important ones and we don’t seem to be making
much progress. Here’s to some substantive advances in 2006!