Security Basics mailing list archives
Re: Device Authentication - The answer to attacks lauched using stolen passwords?
From: Nick Owen <nickowen () mindspring com>
Date: Wed, 06 Sep 2006 13:52:12 -0400
Saqib Ali wrote:
A recent "self-serving" report by Phoenix Technologies indicated that 84 of attacks could have been prevented only if Device Authentication was used in addition to user authentication. - Evidence Abound: · Losses from stolen IDs and passwords far exceeded damages from worms, viruses, and other attack methods not utilizing logon accounts · Vast majority of attackers, 78 percent, committed crimes from their home computers; most often using unsanctioned computers with no relationship to the penetrated organization · 88 percent, of those crimes were committed from a home PC using stolen IDs and passwords and following normal logon procedures. - Link to full report: https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf -Their solution? Use Trusted Platform Module to authenticate devices. - Problem? TPM can also be used to force DRM. (EFF and ACLU member don't like DRM to say the least) - Alternatives? 1) Be a sitting duck. Passwords WILL stolen and USED to cause financial damage; 2) Use software based device authentication. e.g. Passmark as used by Bank of America 3) Create a world-wide PKI, issue SSL certificates to machines as well as users, and then perform client side authentication from the server. 4) Use IP addresses to perform machine authentication. <grin> - Read more at: http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243 Any thoughts?
I don't accept the assumption that device authentication is the way to go. I find it more useful to look at what your are trying to authenticate. Is it a user for a session? Is it a host for mutual authentication? Is is a transaction? I would bet that doing cryptographically secure mutual authentication would eliminate most of the *current* phishing attacks, thus it might be more important to authenticate the host, not the user's device. Of course, that won't last forever... Nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication https://www.linkedin.com/in/nickowen --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 05)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 07)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 07)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 08)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 08)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 06)