Friday, February 16

Truth really is sometimes stranger than fiction

This has got to be the weirdest story of on-line hacker activity that I've seen. It references another interesting story about the hacker economy.

The End of IdM

I've been telling people over the last 2-3 years that in 5-6 years (circa 2010), there will no longer be stand-alone identity management companies. IdM will be rolled into the platforms. We've seen this Nostradamus-like prediction coming true as Oracle has moved in that direction for a few years now - Peoplesoft, Oblix, Thor, OctetString. And Sun too, of course. Microsoft has integrated many security features (anti-malware, firewall, encryption, etc.) into Windows. And now, I'm hearing more people saying the same. Especially at EMC. Art Coviello made this point clearly at the RSA conference. It's one of the reasons I joined RSA as they were becoming part of EMC. The future is wildly uncertain for smaller independent security providers. EMC really gets it. The focus is on information-centric security. The systems that control your information need built-in security -- not bolt-on security. Bill Gates' RSA address had much of the same focus.

Gates urged companies to think beyond traditional "glass-house" and perimeter-centric security strategies focused largely on keeping intruders and malicious activity out of corporate networks. What is needed, he said, is a "far more powerful paradigm" that uses security as a way to secure information access, not as an impediment to access.

"People want more access" to information, and they want that access at any time, from wherever they happen to be, and via whatever device they happen to have, Gates said. "Traditional network perimeters are fading away," mandating new approaches to security, he added.

This year and 2008 may be the last years for the independents. So, it's time to nail down the technology and get it into your favorite platform - the end is near and the paradigm is shifting.

Tuesday, February 6

Phishing Special Report

Another interesting paper from RSA's Anti-Fraud Command Center (AFCC)...
Phishing Special Report: What we can expect for 2007

Phishing attacks are more numerous, more varied and more creative than ever. And this comes on the heels of a NY Times report about a study by a few MIT and Harvard researchers that suggests that site-to-user authentication (generally believed to be a good anti-phishing solution) is ineffective for many users. The full report is available here.

I enjoyed Don Park's comment on the subject:
While I have little doubt about their integrity, I do wonder if the study is not flawed. For example, doesn't using people who willingly let others observe them signing into their bank account for such a study skew the result? It's probably not as bad as counting virgins among prostitutes, but I would like to hear more about how they accounted for such problems.
The report does note that participants may have had reason to behave less securely than they would in the real world. But I'm not completely surprised at the report's findings -- the report isn't really saying anything about technology -- it's talking about people.

An interesting premise was made by the researchers:
In real life, security is rarely a user’s primary goal.
Based on the context of that statement, I believe what they're really saying here (in an understated way) is that security is often the furthest thing from a typical user's mind -- the site-to-user authentication (and other security technologies) failed because the users weren't even trying to look for them. So, even if the technology is effective, it's vitally important to educate end users about how the technology works and what's at stake.

Things are clearly going to get worse before they get better. Since there's no silver bullet that can put an end to all phishing attacks, we can only attempt to provide the right tools and educate people as much as possible.

Don't run with scissors... Look both ways... Wear a helmet... and always verify your financial institution prior to providing credentials. OK - I need help with the wording, but the point is that we need to get more mainstream about on-line security education.

Friday, February 2

Vantage from RSA

The latest edition of Vantage Magazine is available and there's a nice write-up on my old group at Unisys. It's nice to see them in print again - there are some wicked smart folks over there.

There's also some good information on EMC's vision for Information-Centric Security. After all the billions spent on security in recent years ($40B in 2006), less than 20% of companies believe that their information is secure. Firewalls are not enough. This issue provides some insight into how EMC will help solve the problem.

Also - look for the article on Vouching from RSA Labs. I haven't seen this idea anywhere else and it's a nice idea for helping people with lost or forgotten tokens -- without having to burden the Help Desk or use traditional User Self-Service.