
April 23rd, 2009

How can Internet security be stepped up?

Posted by Zack Whittaker @ 10:44 am

Categories: Uncategorized

Tags: Password, Internet, Internet Security, P4ssw0rd, Biometrics, Authentication/Encryption, Security, Zack Whittaker

The state of Internet security is the worst it has ever been, with botnets attacking Macs (which was almost unheard of before last week), password thefts, eBay and Twitter scams, and identity and data theft which breached the Pentagon.

One of the main reasons why security is being breached is not necessarily down to exploiting weaknesses in the system through attacking firewalls; instead, it is the exploitation of humans and human nature.

Passwords are the main issue here, with profanities and spouses’ and siblings’ names being used to secure computers. Whilst I don’t (thankfully) have a Wikipedia page, Sarah Palin, the vice-presidential candidate, had her email account hacked into using data from the site.

Biometrics is one of the ways used to secure computers, because fingerprints are more unique to people than passwords are. You can’t generate a fingerprint or iris details using a computer, whereas you can with a password.

I spoke to Dr. Guy Bunker, chief scientist at Symantec, about security, biometrics and passwords.

My Hotmail account was hacked into last week and spam messages sent as a result. How secure is a standard username and password?

Usernames and passwords are not that secure; they can be made more secure in several ways. Usernames, especially, should not be a person’s name. A number is better (eg. employee ID) but a mixture of numbers and letters is better still.

Are passwords on their way out, due to the increase of dictionary and brute force attacks?

Passwords, again, not names. Longer passwords are better and a mix of numbers, letters and punctuation is best. 10+ characters is (obviously) better than the standard eight. Education on what makes a good password is essential; however, some draconian policies can make it tough for individuals to find one that works.

Replacing numbers with characters and vice-versa, eg. p4ssw0rd, is well known and most password crackers try these - so don’t rely on that as your way to create a strong password.

If passwords are not secure, then how can existing systems be made secure using the legacy password approach?

An additional factor is useful in that case. For example, picking out characters at random from a pass phrase (a key-logger will not get all the characters in one go, and it’s different every time, so even if they have the username and password they won’t get access). The other factor is often a hardware key or flash drive, which are also good.

But consumers don’t want to carry lots of them around with them. There are a number of solutions which use the mobile phone as the third factor - which also works well, provided you have your phone of course!

Biometrics are very secure, but transmitting the inputted fingerprint across the web could still be an issue. How is this being solved?

Biometrics are also useful - but the data should be transformed algorithmically before use, else you will need to get new thumbs if it is compromised.

Universities can be a major target for theft of data and suchlike; should biometrics be the primary source of authentication for user accounts and internal web services?

Relying solely on biometrics is not good. While chopping someone’s thumbs off is unlikely (except in films), the back end database could be hacked and someone else’s fingerprint could replace yours… and then they would, as far as the system knows, be you!

As an aside, chip and PIN makes it easy to impersonate someone. All you need is their four-digit PIN and then the cashpoint and traders ‘know’ it’s you. They don’t look at ‘you’, just that the PIN was entered OK!

What are your thoughts? Are your usernames and passwords secure enough? Have your employers or universities put in more secure measures to reduce hacking and industrial espionage? Are biometrics the way forwards or if anything, a step back by trivialising security? TalkBack and share your thoughts.
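The password advice in the interview above (10+ characters, a mix of letters, numbers and punctuation, no names, and no reliance on p4ssw0rd-style swaps) can be enforced when a password is chosen. The following Python check is an added example, not part of the interview; the word list, substitution table, problem labels and function names are constructed for illustration.

```python
import string

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "letmein", "dragon", "monkey", "sunshine"}

# Substitutions that cracking tools routinely undo (illustrative table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

TOO_SHORT = "too short"
NEEDS_MIX = "needs letters, numbers and punctuation"
COMMON = "common word once substitutions are undone"
NAME = "contains a personal name"


def normalise(candidate):
    """Lower-case the candidate and reverse the substitutions in LEET."""
    return candidate.lower().translate(LEET)


def check_password(candidate, personal_names=(), min_length=10):
    """Return the list of policy problems; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(TOO_SHORT)
    has_mix = (any(c.isalpha() for c in candidate)
               and any(c.isdigit() for c in candidate)
               and any(c in string.punctuation for c in candidate))
    if not has_mix:
        problems.append(NEEDS_MIX)
    plain = normalise(candidate)
    # Substring match, so padding such as "!2009" does not hide the word.
    if any(word in plain for word in COMMON_WORDS):
        problems.append(COMMON)
    if any(normalise(name) in plain for name in personal_names if name):
        problems.append(NAME)
    return problems


if __name__ == "__main__":
    for pw in ("p4ssw0rd", "P4$$w0rd!2009", "tr.Vq8#mL2-zk"):
        print(pw, "->", check_password(pw) or "accepted")
```

In a real deployment the word list would be a full dictionary or breached-password corpus, and `personal_names` would be filled from the account's own profile fields.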

Zack Whittaker, the youngest in the ZDNet network, is a British student at the University of Kent, Canterbury, where he studies BA (Hons) Criminology and Social Policy. His insight into the next-generation is unique and first-hand, sharing his knowledge of the here and now but more so what's next and how to get there.


  • Talkback
  • Most Recent of 12 Talkback(s)
RE: How can Internet security be stepped up?
End users only have permission to use the net if they use it intelligently... traffic would surely go down

Cut countries connection to the net if they do not stop psycho cyber criminals!!! Bye Bye Putin...
Posted by: bricur@... Posted on: 05/18/09