Security Basics mailing list archives

Device Authentication - The answer to attacks launched using stolen passwords?


From: "Saqib Ali" <docbook.xml () gmail com>
Date: Tue, 5 Sep 2006 12:17:25 -0700

A recent "self-serving" report by Phoenix Technologies indicated that
84% of attacks could have been prevented only if Device Authentication
was used in addition to user authentication.

- Evidence Abounds:
· Losses from stolen IDs and passwords far exceeded damages from
worms, viruses, and other attack methods not utilizing logon accounts
· Vast majority of attackers, 78 percent, committed crimes from their
home computers; most often using unsanctioned computers with no
relationship to the penetrated organization
· 88 percent of those crimes were committed from a home PC using
stolen IDs and passwords and following normal logon procedures.

- Link to full report:
https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf

- Their solution?
Use Trusted Platform Module to authenticate devices.

- Problem?
TPM can also be used to force DRM. (EFF and ACLU members don't like DRM
to say the least)

- Alternatives?
1) Be a sitting duck. Passwords WILL be stolen and USED to cause financial damage;
2) Use software based device authentication. e.g. Passmark as used by
Bank of America
3) Create a world-wide PKI, issue SSL certificates to machines as well
as users, and then perform client side authentication from the server.
4) Use IP addresses to perform machine authentication. <grin>

- Read more at:
http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243

Any thoughts?
