
Email, Meta Data and Non Repudiation (“It wasn’t me!”…Shaggy) January 9, 2015

Posted by Chris Mark in Uncategorized.

This is a simple primer on email, authentication and ‘non-repudiation’. To understand ‘non-repudiation’ as it applies to information security, it is important to understand repudiation. Repudiation is simply the act of denying or renouncing something. A suspect stating that they did not commit a crime is repudiating the crime. Non-repudiation is a concept in which “a party in a dispute cannot repudiate, or refute the validity of a statement or contract”. Within information security this means that a person cannot dispute that he or she was the origin of an action. We will use email as an example.

Suppose a person (Person A) sends an email to another person (Person B) in 2011, attaching a document that includes claims of military heroics resulting in the awarding of some honor, say a Bronze Star. Later, after it is discovered that Person A was not awarded the Bronze Star and people begin to question them, Person A decides to disavow any association with said email or reference to the Bronze Star. In short, they have repudiated the claim that they sent the email and created the document. Person A goes a step further and claims that the document and the email were “forgeries” intended to sully their (Person A’s) good name. Is it possible to demonstrate with a high degree of confidence (or even certainty) that Person A was indeed the originator of the email and the author of the document? YES! This is where ‘non-repudiation’, the ability to prevent someone from disputing the action, is important.

To understand how this can be achieved, there are a few concepts related to email that should be discussed.

1) Authentication – Authentication is described on Wikipedia as “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”. You can read more in an earlier blog post titled Security 101; Authentication. Authentication is an important part of access control and email. Email access control is managed by two components: 1) the username assigned to the user, and 2) the password or other authentication mechanism used to ‘authenticate’ to the system. By using the correct password, which is known only to the user, the system ‘authenticates’ their access and allows them to access the email. The rigor of the authentication provides greater confidence that the person is the originator of the email. While ‘multi-factor’ authentication provides the greatest confidence, a password also provides very strong non-repudiation for most purposes.
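As an added example (not part of the original post), the following Python contrasts two ways of authenticating a message. A shared-secret MAC proves the message came from one of the key holders but not which one, so the sender can still repudiate it (the recipient could have made the tag). A digital signature can only be produced from the signer’s private key, which is what gives cryptographic non-repudiation. A toy Lamport one-time signature built from SHA-256 stands in for a real signing scheme so the block needs only the standard library; the email text, keys and the “forged” variant are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample standing in for the disputed email from Person A to Person B.
MESSAGE = (b"From: person-a@example.com\r\nTo: person-b@example.com\r\n"
           b"Subject: award\r\n\r\nI was awarded the Bronze Star in 2008.")
FORGED = MESSAGE.replace(b"Bronze", b"Silver")   # a message A never sent


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Shared-secret MAC: authentication without non-repudiation ---------------
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


# --- Lamport one-time signature over SHA-256: only the private key signs -----
def lamport_keygen():
    # 256 pairs of random secrets; the public key is their SHA-256 digests.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(digest(a), digest(b)) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes):
    h = int.from_bytes(digest(message), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, message: bytes):
    # For each bit of the message hash, reveal the secret matching that bit.
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    bits = _message_bits(message)
    # Each revealed secret must hash to the public-key entry selected by the bit.
    return all(hmac.compare_digest(digest(s), pk[i][bits[i]])
               for i, s in enumerate(signature))


def demo():
    """Return (mac_forgeable_by_recipient, signature_genuine, signature_forged)."""
    shared_key = secrets.token_bytes(32)          # known to both A and B
    tag_made_by_b = mac_tag(shared_key, FORGED)   # B needs nothing from A to do this
    mac_forgeable = mac_verify(shared_key, FORGED, tag_made_by_b)

    sk_a, pk_a = lamport_keygen()                 # sk_a stays with A only
    sig = lamport_sign(sk_a, MESSAGE)
    genuine = lamport_verify(pk_a, MESSAGE, sig)  # anyone holding pk_a can check
    forged = lamport_verify(pk_a, FORGED, sig)    # B cannot re-target A's signature
    return mac_forgeable, genuine, forged


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The first result is why a MAC alone does not settle a dispute like Person A’s: a valid tag says only that somebody with the shared key produced it. The signature verifies against Person A’s public key and fails for any altered message, so only the holder of the private key could have produced it. A Lamport key must sign exactly one message; signing a second message with the same key reveals enough secrets for a third party to forge further signatures.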

“…our own policies were not followed…”; Apple and Amazon Hacks August 8, 2012

Posted by Chris Mark in Data Breach, InfoSec & Privacy.

This past week, tech writer Matt Honan (of Wired) had his Amazon and Apple accounts hacked and his “…digital life destroyed”. You can read his first-hand account here. The hacker did not use any special technology; rather, he was able to hack the accounts using basic social engineering and knowledge of how the systems worked. Here is a description of the hack from CNN.com:

“At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry’s most popular vendors.

Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his @me.com address — a tip-off that Honan had an AppleID account.

Security 101; Authentication December 27, 2011

Posted by Chris Mark in InfoSec & Privacy.

Recently I found myself in a discussion with a person about a particular feature of payment cards. When I started discussing the concept of authentication, the look on the other person’s face told me that I was discussing a completely foreign subject.

While this is not a dissertation on security, authentication is a vital component of information security and fraud prevention within the payment card industry and in security in general. For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.

Authentication is described on Wikipedia as “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”.

There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token). Each of these factors alone has some value and may be sufficient to demonstrate with an appropriate degree of confidence that you are the person who is authorized to access the resource. The degree of assurance necessary, and thus the degree of required authentication, is predicated upon the sensitivity of the object to which you require access. A more sensitive resource requires greater assurance and therefore more rigorous authentication.

Access control is defined as the combination of authorization and authentication. Authorization is simply the approval to access a particular resource. Consider a work environment where you are required to use a badge reader to enter the building. As an employee you are authorized to enter the building. To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are. In many cases, the authentication mechanism is a proximity card that is waved and the door opens. The proximity card is a token and would be considered a single factor of authentication: “something you have”.

When you get to your desk you need to access your work computer.  As an employee, you are authorized to access your email, and certain applications.  To log into the system you enter a user name (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password.  This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.

In both of these examples the astute reader has likely identified the vulnerability of single-factor authentication. In the first example a thief may have stolen the badge and may be masquerading as the legitimate user. In the second example a person may have shared their password with another, or the password may have been stolen, in which case an ‘unauthorized’ person could also masquerade as a legitimate, authorized user. When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used. For the solution to truly be considered two-factor authentication, it requires two of the three types of factors to be used simultaneously. In high-security areas it is common to see two-factor authentication used.

Consider an example where you bank online. Due to the sensitive nature of your account (and FFIEC regulations) the bank wants assurance that only the authorized account holder is accessing the account. Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user. A password alone is not sufficient, as a password can be stolen or shared. In this scenario a bank would use a second factor of authentication. While it does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.
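As an added example (not the post’s own code), the following Python puts the two halves of access control side by side: authentication, with a password (something you know) and an RFC 6238 TOTP code (something you have, since only the token holding the secret can compute it), and authorization, a role check per resource. It also enforces the point made above that two credentials of the same type, a password plus a PIN, do not add up to two-factor authentication. The user directory, roles and resource names are constructed for the example; the TOTP secret is the RFC 6238 published test key so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000

# Each credential kind maps to one of the three factor types from the post.
FACTOR_TYPE = {
    "password": "something you know",
    "pin": "something you know",
    "totp": "something you have",   # code computed by a token/phone holding the secret
}


def hash_secret(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_user(password: str, pin: str, totp_secret: bytes, roles) -> dict:
    def stored(value):                           # fresh salt per stored secret
        salt = secrets.token_bytes(16)
        return salt, hash_secret(value, salt)
    return {"password": stored(password), "pin": stored(pin),
            "totp_secret": totp_secret, "roles": frozenset(roles)}


# Constructed sample directory (hypothetical user, roles and resources).
USERS = {"alice": make_user("correct horse battery staple", "4242",
                            b"12345678901234567890", {"employee", "treasury"})}
# Authorization: which roles may reach each resource.
RESOURCES = {"email": {"employee"}, "wire-transfers": {"treasury"}, "payroll": {"hr"}}
# Resources sensitive enough to demand two *distinct* factor types.
HIGH_ASSURANCE = {"wire-transfers"}


def authenticate(username: str, creds: dict, now: int):
    """Return the set of factor types that verified, or None on any failure."""
    user = USERS.get(username)
    if user is None:
        return None
    verified = set()
    for kind, presented in creds.items():
        if kind in ("password", "pin"):
            salt, expected = user[kind]
            ok = hmac.compare_digest(hash_secret(presented, salt), expected)
        elif kind == "totp":
            ok = hmac.compare_digest(totp(user["totp_secret"], now), presented)
        else:
            ok = False                           # unknown credential kind
        if not ok:
            return None                          # one bad credential fails the login
        verified.add(FACTOR_TYPE[kind])
    return verified or None


def access(username: str, creds: dict, resource: str, now: int) -> str:
    """Access control: authenticate, check factor count where required, then authorize."""
    factors = authenticate(username, creds, now)
    if factors is None:
        return "denied: authentication failed"
    if resource in HIGH_ASSURANCE and len(factors) < 2:
        return "denied: two distinct factor types required"
    if not USERS[username]["roles"] & RESOURCES.get(resource, set()):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(access("alice", {"password": pw}, "email", 59))                      # granted
    print(access("alice", {"password": pw, "pin": "4242"}, "wire-transfers", 59))  # same type twice
    print(access("alice", {"password": pw, "totp": "287082"}, "wire-transfers", 59))
    print(access("alice", {"password": pw, "totp": "287082"}, "payroll", 59))   # not authorized
```

Counting factor *types* rather than credentials is the check that matters: the password-plus-PIN login verifies both credentials yet still satisfies only “something you know”, so it is refused for the high-assurance resource, while password plus TOTP is accepted. The authorization step is deliberately separate from, and after, authentication: a fully authenticated user with the wrong role is still denied.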

Payment cards possess a number of authentication mechanisms. The objective is to authenticate the transaction or user and reduce the incidence of fraud. In card-not-present transactions such as ecommerce purchases, the CVV2 number is often used to authenticate the card. Since the number is only printed on the card and it is against card brand rules (PCI DSS) to store the CVV2, the assumption is that if someone can input the CVV2 they are in possession of a valid card. Unfortunately, it is this fact that makes CVV2 such a valuable target for data thieves. More robust authentication mechanisms include 3DSecure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions. While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.

Authorization is a critical component of any information security or fraud prevention system. Understanding the basics of authentication can help users better manage the security of their payment cards.
