One of the biggest worries faced by a computer system administrator is that users are really imposters. As an administrator of a small computer cluster used by scientists, this is the number one issue. How do you detect whether a logged-on user is legitimate? Do you want North Koreans running bomb codes on your supercomputer? Could you tell if they were?

If a user Tom's home computer is hacked, and his credentials are stolen, even a fully-patched and properly configured computer system is at risk when Tom logs in, because it may not be Tom, it may be an imposter. There are two obvious kinds of risks: theft of services and the ability to exploit vulnerabilities that are only accessible (internally) to logged-in users. There is a third more subtle risk: information modification. If you are a scientist at an experimental facility, could you tell if the 2s and 3s were swapped in your data files by an imposter?

Of course stolen credentials are a tremendous worry when money is at stake—online banking, for example.

All computer owners must worry about security. When I tell friends to update software or apply patches, they often reply "There is nothing on my computer to steal." But that is not the point. When your computer is hacked, it becomes part of a billion dollar business. Everyone should read the scary talk given by Peter Gutmann about the commercial malware industry. Since 2007 (when the talk was given), the situation has only grown worse. Your computer can be used to attack countries, commercial institutions, and people, can spawn spam. Millions of computers are "owned" by malevolent entities.

Therefore, the only prudent course for service providers is to assume that all their user's computers are hacked. However it is hard to do much about this. Banks in the USA are required to use some sort of multifactor authentication (what you know, have, are). They do two things: First, they remember the computer I am on, probably by using a cookie. Second, if it is a different computer, they require me to answer extra security questions. These measures are both ineffective against a good hacker. If someone owns my computer, they can control it remotely and log in from there using my credentials (that they obtained from a key logger). They also would have captured my security question answers, or could have Googled for them (remember how Sarah Palin's Yahoo account got hacked?).

The best talk on identity that I have seen (a true tour de force) is called "Who is the Dick on My Site" by Dick Hardt. It discusses the more subtle sides of identity on the Internet. As a user, we should control what information we wish to disclose about ourselves. It always ticks me off when sites ask for my birth date. That is PII (personally identifiable information) and is not to be disclosed. I always give a false value. Disclosure of PII should not be required to sign up for a company's newsletters.

Comments

Add new comment

Comment

  • No HTML tags allowed.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.