Page Content

“Verified by VISA”: Still Using SSNs Online, Dropped by PEFCU

I have written before about the "Verified by VISA" program. While shopping for Thanksgiving online this year, I noticed that Verified by Visa scripts were blocked by NoScript, and I could complete my purchases without authenticating. It was tempting to conclude that the implementation was faulty, but a few phone calls clarified that the Purdue Employee Federal Credit Union stopped participating in the program. I have ambivalent feelings about this. I'm glad that PEFCU let us escape from the current implementation and surprise enrollment based on SSN at the time of purchase, and SSN-based password reset. Yet, I wish a password-protection system was in place because it could significantly improve security (see below). Getting such a system to work is difficult, because in addition to needing to enroll customers, both banks and merchants have to support it. For the sake of curiosity, I counted the number of participating stores in various countries, as listed on the relevant VISA web sites:
CountryNumber of Stores
Hong Kong20
Multiply this by the fraction of participating banks (data not available for the US), and for a program that started in 2001, that's spotty coverage. Adoption would be better by getting people to enroll when applying for credit cards, when making a payment, by mail at any time, or in person at their bank. The more people adopt it, the more stores and banks will be keen on reducing their risk as the cost per participating card holder would decrease. Ambushing people at the time of an online purchase with an SSN request violates the security principle of psychological acceptability. The online password reset based on entering your SSN, which I had criticized, is still exposing people to SSN-guessing risks, and also the only means to change your password. I wish that VISA would overhaul the implementation and use an acceptable process (e.g., a nonce-protected link via email to a page with a security question). The reason I'm interested is because I'd rather have a password-protected credit card, and a single password to manage, than a hundred+ online shopping accounts that keep my credit card information with varying degrees of (in)security. Using an appropriate choke-point would reduce attack surface, memorization requirements, and identity theft.

Firefox Vulnerabilities: Souvenirs of Windows 95

I've been waiting for an announcement of vulnerabilities in Firefox due to popular extensions. I've compared it to Windows 95 before. Yet students often opine that Firefox is more secure than Internet Explorer. It is worth repeating this explanation from the announcement:

"Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension."

Asking which of Firefox and Internet Explorer is most secure is like asking which of two random peasants is wealthier. They both might be doing their best and there may be significant differences but I wouldn't expect either to be a financier. While I'm running with this analogy, let me compare the widespread and often mandatory use of client scripts in websites (e.g., JavaScript) to CDOs: they both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy. They have also both caused a lot of damage, as having scripting enabled is required for many attacks on browsers. How much smaller would botnets be without scripting? Like CDOs, scripting is a financial affair; it is needed to support advertising and measure the number of visitors and click-throughs. Scripting will stay with us because there's money involved, and if advertisers had their way, there would be no option to disable plugins and JavaScript, nor would there be extensions like NoScript. To be fair, there are beneficial uses for JavaScript, but it's a tangled mess with a disputable net value. Here's my take on media and advertising:

Every medium supported exclusively by advertising tends to have a net value of zero for viewers and users (viewsers?). This is where radio and TV are right now. If the value was significantly higher than zero, advertisers could wring more profits from it, for example by increasing the duration or number of annoying things, polluting your mind or gathering and exploiting more information. If it was significantly less than zero, then they would lose viewership and therefore revenue.

So, with time, and if advertising is allowed to power all websites through the requirement for scripting and JavaScript, surfing the web will become as pleasant, useful and watchable as TV, for example (with the difference that your TV can't be used --yet-- to attack people and other nations). I don't mind being locked out of websites that critically depend on advertising revenue -- just like I don't watch TV anymore because it has become a negative value proposition to me. However I mind being needlessly exposed to risks due to other people's decisions, when I use other websites. I'm looking forward to the "component directory lockdown" in Firefox 3.6 as a step in the right direction, and that's the bright light at the end of the tunnel: some things are improving.

Are We All Aware Yet?


So, here we are, in November already. We've finished up with National Cyber Security Awareness Month — feel safer? I was talking with someone who observed that he remembered "National Computer Security Day" (started back in the late 1990s) that then became "National Computer Security Week" for a few years. Well, the problems didn't go away when everyone started to call it "cyber," so we switched to a whole month but only of "awareness." This is also the "Cyber Leap Ahead Year." At the same level of progress, we'll soon have "The Decade of Living Cyber Securely." The Hundred Years' War comes to mind for some reason, but I don't think our economic system will last that long with losses mounting as they are. The Singularity may not be when computers become more powerful than the human mind, but will be the point at which all intellectual property, national security information, and financial data has been stolen and is no longer under the control of its rightful owners.

Overly gloomy? Perhaps. But consider that today is also the 21st anniversary of the Morris Internet Worm. Back then, it was a big deal because a few thousand computers were affected. Meanwhile, today's news has a story about the Conficker worm passing the 7 million host level, and growing. Back in 1988 there were about 100 known computer viruses. Today, most vendors have given up trying to measure malware as the numbers are in the millions. And now we are seeing instances of fraud based on fake anti-malware programs being marketed that actually infect the hosts on which they are installed! The sophistication and number of these things are increasing non-linearly as people continue to try to defend fundamentally unsecurable systems.

And as far as awareness goes, a few weeks ago I was talking with some grad students (not from Purdue). Someone mentioned the Worm incident; several of the students had never heard of it. I'm not suggesting that this should be required study, but it is indicative of something I think is happening: the overall awareness of security issues and history seems to be declining among the population studying computing. I did a quick poll, and many of the same students only vaguely recalled ever hearing about anything such as the Orange Book or Common Criteria, about covert channels, about reference monitors, or about a half dozen other things I mentioned. Apparently, anything older than about 5 years doesn't seem to register. I also asked them to name 5 operating systems (preferably ones they had used), and once they got to 4, most were stumped (Windows, Linux, MacOS and a couple said "Multics" because I had asked about it earlier; one young man smugly added "whatever it is running on my cellphone," which turned out to be a Windows variant). No wonder everyone insists on using the same OS, the same browser, and the same 3 programming languages — they have never been exposed to anything else!

About the same time, I was having a conversation with a senior cyber security engineer of a major security defense contractor (no, I won't say which one). The engineer was talking about a problem that had been posed in a recent RFP. I happened to mention that it sounded like something that might be best solved with a capability architecture. I got a blank look in return. Somewhat surprised, I said "You know, capabilities and rings — as in Multics and System/38." The reaction to that amazed me: "Those sound kinda familiar. Are those versions of SE Linux?"

Sigh. So much for awareness, even among the professionals who are supposed to be working in security. The problems are getting bigger faster than we have been addressing them, and too many of the next generation of computing professionals don't even know the basic fundamentals or history of information security. Unfortunately, the focus of government and industry seems to continue to be on trying to "fix" the existing platforms rather than solve the actual problems. How do we get "awareness" into that mix?

There are times when I look back over my professional career and compare it to trying to patch holes in a sinking ship while the passengers are cheerfully boring new holes in the bottom to drop in chum for the circling sharks. The biggest difference is that if I was on the ship, at least I might get a little more sun and fresh air.

More later.

Cassandra Firing GnuPG Blanks

A routine software update (a minor revision number) caused a serious problem. A number of blank messages were sent until we realized that attempts to sign messages with GnuPG from PHP resulted in empty strings. If you received a blank message from Cassandra, you can find out what it was about by logging to the service. Then click on the affected profile name (from the subject of the email), then "Search" and "this month". This will retrieve the latest alerts over an interval of one month for that profile. Messages will not be signed until we figure out a fix. We're sorry for the inconvenience. Edit (Monday 11/2, noon): This has been fixed and emails are signed again. I also added a pre-flight test to detect this condition in the future.