Security 101; Authentication December 27, 2011
Posted by Chris Mark in InfoSec & Privacy. Tags: authentication, Chris Mark, InfoSec, Maritime Security, mark consulting group, security
Recently I found myself in a discussion with a person about a particular feature of payment cards. When I started discussing the concept of authentication, the look on the other person's face told me that I was discussing a completely foreign subject.
While this is not a dissertation on security, authentication is a vital component of information security and fraud prevention within the payment card industry and of security in general. For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.
Authentication is described on Wikipedia as: "…the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true".
There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token). Each of these factors alone has some value and may be sufficient to demonstrate, with an appropriate degree of confidence, that you are the person who is authorized to access the resource. The degree of assurance necessary, and thus the degree of authentication required, is predicated upon the sensitivity of the object to which you require access. More sensitive resources require greater assurance and therefore more rigorous authentication.
Access control is defined as the combination of authorization and authentication. Authorization is simply the approval to access a particular resource. Consider a work environment where you are required to use a badge reader to enter the building. As an employee you are authorized to enter the building. To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are. In many cases the authentication mechanism is a proximity card that is waved and the door opens. The proximity card is a token and would be considered a single factor of authentication: "something you have."
When you get to your desk you need to access your work computer. As an employee, you are authorized to access your email, and certain applications. To log into the system you enter a user name (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password. This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.
In both of these examples the astute reader has likely identified the vulnerability of single-factor authentication. In the first example a thief may have stolen the badge and may be masquerading as the legitimate user. In the second example a person may have shared their password with another, or the password may have been stolen, in which case an 'unauthorized' person could also masquerade as a legitimate, authorized user. When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used. For the solution to truly be considered two-factor authentication, it requires two of the three types of factors to be used simultaneously (two passwords are still a single factor). In high security areas it is common to see two-factor authentication used.
Consider an example where you bank online. Due to the sensitive nature of your account (and FFIEC regulations) the bank wants assurance that only the authorized account holder is accessing the account. Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user. A password alone is not sufficient, as a password can be stolen or shared. In this scenario a bank would use a second factor of authentication. While it does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.
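The following is an added example (not code from the original post) that models the ideas above in working Python: credentials are mapped to one of the three factor types, a request counts as multi-factor only when it covers two *distinct* types, the required number of factors rises with the sensitivity of the resource, and an access decision requires both authentication and authorization. The users, secrets, resources and the credential-to-factor mapping are all constructed for illustration.

```python
# Added example (not from the original post): the three factor types, what
# counts as true two-factor authentication, and access control as
# authentication plus authorization. All names and values are constructed.
import hashlib
import hmac
import secrets
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    INHERENCE = "something you are"     # fingerprint, iris
    POSSESSION = "something you have"   # badge, OTP token


# Which factor type each kind of credential represents (constructed mapping).
FACTOR_OF = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "badge": Factor.POSSESSION,
    "otp_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def factor_types(presented):
    """Distinct factor types among the presented (kind, value) pairs."""
    return {FACTOR_OF[kind] for kind, _ in presented}


def is_multi_factor(presented):
    """True only if at least two *different* factor types are used at once.
    A password plus a PIN is still single-factor (both 'something you know')."""
    return len(factor_types(presented)) >= 2


def _hash_secret(secret, salt):
    # Stored secrets are salted and stretched, never kept in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enrol(secrets_by_kind):
    """Build the stored record for a user from their enrolled credentials."""
    record = {}
    for kind, value in secrets_by_kind.items():
        salt = secrets.token_bytes(16)
        record[kind] = (salt, _hash_secret(value, salt))
    return record


def verify_credential(record, kind, value):
    if kind not in record:
        return False
    salt, stored = record[kind]
    # Constant-time compare so timing does not reveal where a mismatch occurs.
    return hmac.compare_digest(stored, _hash_secret(value, salt))


def authenticate(record, presented, required_factors=1):
    """Every presented credential must verify, and together they must cover
    at least `required_factors` distinct factor types."""
    if not presented:
        return False
    if not all(verify_credential(record, k, v) for k, v in presented):
        return False
    return len(factor_types(presented)) >= required_factors


# Constructed directory: enrolled credentials and per-resource authorization.
USERS = {
    "alice": enrol({"password": "correct-horse", "badge": "BADGE-0042",
                    "otp_token": "493821"}),
    "bob": enrol({"password": "hunter2", "badge": "BADGE-0007"}),
}
AUTHORIZED = {                 # authorization: who may use which resource
    "building": {"alice", "bob"},
    "email": {"alice", "bob"},
    "online_banking": {"alice"},
}
REQUIRED_FACTORS = {           # sensitivity drives the assurance required
    "building": 1,
    "email": 1,
    "online_banking": 2,
}


def access(user, presented, resource):
    """Access control = authentication AND authorization."""
    if user not in USERS or resource not in AUTHORIZED:
        return False
    authenticated = authenticate(USERS[user], presented,
                                 REQUIRED_FACTORS[resource])
    authorized = user in AUTHORIZED[resource]
    return authenticated and authorized


if __name__ == "__main__":
    # Badge alone opens the building (one factor is enough there).
    print(access("bob", [("badge", "BADGE-0007")], "building"))            # True
    # A password alone is not enough for online banking.
    print(access("alice", [("password", "correct-horse")], "online_banking"))  # False
    # Password (know) + OTP token (have) satisfies the two-factor requirement.
    print(access("alice", [("password", "correct-horse"),
                           ("otp_token", "493821")], "online_banking"))     # True
```

Note that `bob` presenting a valid password and badge to `online_banking` is authenticated with two factors but still refused, because he is not authorized for that resource; that is the distinction between the two halves of access control that the post draws.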
Payment cards possess a number of authentication mechanisms. The objective is to authenticate the transaction or user and reduce the incidence of fraud. In card-not-present transactions such as ecommerce purchases, the CVV2 number is often used to authenticate the card. Since the number is only printed on the card, and it is against card brand rules (PCI DSS) to store the CVV2, the assumption is that if someone can input the CVV2 they are in possession of a valid card. Unfortunately, it is this very fact that makes CVV2 such a valuable target for data thieves. More robust authentication mechanisms include 3DSecure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions. While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.
Authorization is a critical component of any information security or fraud prevention system. Understanding the basics of authentication can help users better manage the security of their payment cards.
(Guest Post) “Is Privacy Possible?” December 26, 2011
Posted by Chris Mark in Laws and Legislation, Piracy & Maritime Security. Tags: Chris Mark, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy
There is a lot of discussion lately about the right to privacy online. Specifically, discussion has centered around two concepts: 1) the "do not track" concept and 2) the right to be forgotten. While there is significant debate about what these concepts mean, I think it's interesting to take a look at the notion of privacy in today's world. What does it really mean to have privacy? Is it possible to have privacy, or are these policies and plans simply the act of closing the barn door after the horse has gotten out?
The fact of the matter is that privacy, at best, is a nebulous concept. The amount of data that is available on any given individual, irrespective of social media, is plentiful to say the least. Even before the advent of Facebook, MySpace, LinkedIn and other sharing sites, the information available on individuals was mind-boggling. Over the last decade or more, a number of laws have been established to prevent the sharing and selling of information about individuals. The Federal Trade Commission has been actively involved in pursuing violators and enforcing these privacy protection standards. The “enforcement actions” in which the FTC has been involved range from companies selling customer lists to those whose networks have been breached resulting in the loss of customer data. For a list of enforcement actions, visit the FTC website.
It may be helpful at this point to try to define exactly what privacy is, particularly in this day of social media and (over) sharing. One of the primary challenges with privacy, especially in such a connected age, is the complexity of defining it. How can one protect or preserve something when one can't fully define what that something is? Robert Post once wrote, "Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all."
The concept of privacy to which I subscribe is "privacy as control over information," as described by Charles Fried. Fried refines the notion of privacy as the absence of information by saying, "Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves." I like this definition for a few reasons. First, it provides some personal accountability for the individual. Many modern definitions of privacy place the onus of protecting that information entirely on the enterprise or company in question, as if the very act of holding consumer data is a breach of privacy. While this definition would certainly call for some action on the part of those organizations, it also calls on the individual to be selective about the information that is made available. The phenomenon of "Facebook firings" brings this issue into stark relief. Individuals can control the quality of information that is shared by using care with respect to what they post on their own sites.
The other component of this definition that resonates is that of cooperation and transparency on the part of the organization toward the individual. This is an element of privacy that is present in most, if not all, of the current information privacy models. (For reference, see OECD Guidelines on the Protection of Privacy, FTC Fair Information Practice Principles and Privacy by Design). According to this element of privacy, the individual should have access to any of his or her personal information held by the company. Further, the individual should have the right to correct any inaccuracies and to determine how or if that information can be shared with third parties.
This takes us back to the question posed in the title; “is privacy possible?” The answer is still rather nebulous, but what we do know is that it relies on both the individual and the organization. This is not to say that concepts like “do not track” and “the right to be forgotten” are useless, but that we as a society have to refine our definition of what privacy is – the concept is far more complex than legislators and the media would have one believe. Individuals must be cognizant of the information that they are sharing on public forums and how that data might be used. Similarly, companies must be aware of the sensitivities around sharing consumer information and take appropriate steps to ensure an appropriate level of protection – in terms of policy, process, and technology.
Heather Mark
Two Leaders Lost; Reflecting on Vaclav Havel and Kim Jong Il December 19, 2011
Posted by Chris Mark in Uncategorized. Tags: Chris Mark, Dear Leader, Kim Jong Il, mark consulting group, North Korea, risk management, security, Vaclav Havel
In the past few days the world has lost two leaders who could not have been more profoundly different. As leaders of countries have a profound impact on global risk, it seemed appropriate to discuss these two leaders and their differences.
Vaclav Havel (1936-2011) was a Czech writer, dramatist and politician. He is largely responsible for the Czech revolution which peacefully defeated communism and implemented democracy in Czechoslovakia, in what is now known as the Velvet Revolution or Velvet Divorce. He was the last president of Czechoslovakia and the first president of the Czech Republic. Vaclav was a prolific writer who changed people's perspectives on politics, life, and economics. One of his quotes is: "We had all become used to the totalitarian system and accepted it as an unchangeable fact and thus helped to perpetuate it". You can read more about Vaclav here.
Kim Jong Il, or the "Dear Leader" (1941-2011), was the dictator of the Democratic People's Republic of Korea (DPRK), more commonly known as North Korea. While many believe, and it is put forth, that North Korea is Communist, in truth only their economic system is Communist. They are a dictatorship. Preceding Kim Jong Il was his father Kim Il Sung (the Great Leader), and following his reign is his son, Kim Jong Un (the Great Successor). Compare the words of Vaclav Havel above with those of Kim Jong-Il in the song "There is no motherland without you". You can read more about Kim Jong Il here.
“You pushed away the severe storm.
You made us believe, Comrade Kim Jong-il.
We cannot live without you.
Our country cannot exist without you!”
Vaclav Havel fought his entire life for the values of democracy, freedom, and prosperity for his people. He led the only violence-free revolution which resulted in two countries being formed: the Czech Republic and Slovakia. He was revered throughout the world and will certainly be missed. Kim Jong Il fought his entire life to maintain an ironclad grip on power by oppressing and imprisoning those who dared speak against him. North Korea is one of the poorest countries on Earth, yet they pursue nuclear weapons with a passion. He was universally reviled and will only be missed because it is unclear what his successor brings. Sometimes "The Devil You Know is Better Than The Devil You Don't."
Vaclav you will be missed. Kim Jong Il, God help us if you are missed.
Updated Whitepaper- Deterrence Theory & Modern Piracy December 19, 2011
Posted by Chris Mark in Piracy & Maritime Security, Uncategorized. Tags: Chris Mark, combating piracy week, deterrence theory, mark consulting group, Piracy & Maritime Security, rational actor, risk management, Somalia
I spoke on this topic at the Piracy Week event in London this past October. It was a well received presentation so I thought I would repost the whitepaper with a few updates. Deterrence theory plays a part in crime prevention, security and even dealing with teenagers ;). You can download the paper here.
Understanding how people respond to deterrents, as well as the rational actor model, will help develop strategies for dealing with piracy and other crimes. It should be noted that deterrence theory really goes out the window once someone is taking action for ideological purposes (that is my disclaimer). Pic was taken from johnbsheldon.com.
Updated Whitepaper; Weapons & Tactics in the Prevention of Hijackings December 19, 2011
Posted by Chris Mark in Piracy & Maritime Security, Uncategorized. Tags: Chris Mark, Maritime Security, mark consulting group, niger delta, Piracy & Maritime Security, Somalia, tactics, USMC, weapons
Originally I named this paper "Weapons and Tactics in the Prevention of Piracy", but in retrospect the title was incorrect. Piracy is a multi-dimensional problem that could refer to a single act ("The ship was pirated") or a larger geopolitical issue ("Somalia leads the world in piracy"). Weapons and tactics are simply tools that can be used to delay or prevent a single act. For this reason, I renamed the paper. You can download and read the paper here.