Friday, September 24, 2021

Email Security and Passwords — It’s Time for Change

I’m going to buck tradition a bit here. Instead of focusing on what

happened this year or what might happen next year, I’m going to focus my

first column of 2006 on just a couple of issues that mean a lot to me:

passwords and email security.

I’ll preface what I’m going to say with just a bit of background. I’ve

been actively using computers since about 1981, and the Internet (or some

form there of) since about 1983 or 1984. In that time, very little has

substantively changed in the worlds of passwords and of email security.

The state of attacks against our systems, on the other hand, has changed

significantly during that same period of time. Let’s explore each of

these issues in a bit more detail.

Static, re-used passwords are without a doubt the status quo for the vast

majority of systems most people use on a day-to-day basis. In many cases,

these same static passwords receive little or no cryptographic protection

while they’re traversing the dangerous territory of the Internet. Users

themselves are notoriously bad at generating passwords that are difficult

to guess, and they’re equally predictable at using the same (or very

similar) passwords across multiple systems.

These facts combine to produce a rather potent attack cocktail: eavesdrop

on users’ passwords and then use those credentials to gain access to

further machines across each user’s domain of system usage. Now, combine

that with the fact that we’ve seen a rather significant upturn in attacks

that focus on the application (vs. the network or OS layers), and it

should give you an idea of just how vulnerable we’re leaving our business

applications.

Countering this, however, are the available solutions. One-time password

mechanisms in both hardware and software forms have been available for

some time now. Without a doubt, they go a long way to disarming a

significant class of attacks. So, why do you suppose they haven’t gained

more acceptance than in a few niche areas? The most common reasons for

not using them are cost, integration, and, most damning, user acceptance.

Even many Web-based financial service companies don’t require them for

their customers (although there are some notable exceptions, no doubt).

We’ve just got to find a better solution to the problem, and it has to be

perceived, from the CEO on down to the end user, as an enabling

technology, not a prohibitive one.

And then there’s email security.

When I first started using computers while studying mechanical

engineering in college, we were taught that computers were for computing.

Big mainframes for modeling differential systems in FORTRAN and the like.

When I first saw a computer on a network being used to communicate, it

had a profound impact on me that I’ve never forgotten. However, I had no

idea just how insecure the medium was at the time.

The email systems back then were pretty much the same as those available

today, at least from a security standpoint. Sure, there are encryption

and digital signature add-ons that can be used to make email more secure,

but they’re rarely used by the masses and are often perceived as the

domain of techno-geeks (like me, I suppose). As a result, spam, scams,

and phishing attacks are beyond being ‘simply’ rampant.

Those of you who read my February 2005 column (hi Mom) might recall I

talked about the need for authentication in email. It really does come as

a shock to many non-technologists that our email today has absolutely no

mechanism for authenticating the sender, for all practical intents.

Now, think about the ramifications of that statement a bit.

The usefulness of email is eroding rapidly — many would say it’s already

gone. When was the last time you received an email from… say, eBay or

Amazon and didn’t assume it was a spam or phishing scam? Many of these

companies have been the unwitting pawns in phishing attacks and have been

finding they can no longer effectively use email to communicate with

their user communities.

If we don’t start doing a better job at email security, email will die

entirely. Some will welcome that, but I sure won’t. That epiphany that I

experienced back in 1983 is still alive and well for me. Email may well

be the worst possible form of electronic communication, but it’s better

than all the rest. (With due apologies…)

And, to be sure, there are many other problems we should be working on,

but these two are rather important ones and we don’t seem to be making

much progress. Here’s to some substantive advances in 2006!

Similar articles

Latest Articles