Thursday, October 8, 2009

CyberInsecurity: The Cost of Monopoly - remixed

This week had big news about 20,000 hotmail accounts publicly exploited and published - victims of another phish - but is there a deeper lesson to be learned?

This post's title is the same of a famous paper in 2003 penned by some (now) influential security folks: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman and one Bruce Schneier. The paper got its fair share of fame not least due to allegations that Geer lost his job because of its scathing assessment of Microsoft product (lack of) security and the risk to the internet because of that.

The basic tenet of the article was that homogeneity (they called a monoculture) of one operating system will crystallize hacker focus on a single predictable target and any exploit can then be multiplied over millions of hosts.

6 years later, no-one is arguing: Botnets and compromised hosts are the primary platform for attacks, fraud and other crime that benefit from anonymity.

But now we are heading for a new monopoly and a new homogeneity: Google Accounts and SSO (Single Signon)
Its been bothering me for a while but now Google is really picking up steam it needs a public comment: Google Voice, GMail, GTalk, Google Docs, Picasa but most importantly OpenSocial/FriendConnect, OAUTH, Adwords, AppEngine, Adsense and Google Checkout. Its an impressive array of value to the user. But is you Google username and password the "keys to the castle"?

Who me - panic?

Try this now: click or type
Did you know you were signed up for THAT MANY SERVICES?

So why are OpenSocial/FriendConnect, OAUTH, Adwords, Adsense and Google Checkout more important? Simply because they are gateways to value. Behind each of these services is value that is primarily protected by a single username and password. So how easy is it to phish that? Probably much easier than a bank account because the public has been taught to be paranoid about banking but....surely my Gmail account is of no interest to a fraudster - right?

As Ben Metcalfe (dotBen) says: "My GMail password scares me with its power!". Ben points out that we 2FA would be a nice idea. Setting aside the arguments for/against tokens, the simple exploitation of 2FA in authentication scenarios and the emergence of MITB (Man in the Browser) attacks.

I strongly disagree with Metcalfe's suggestion* to split the services - this is security by obscurity or security via homogeneity, after all, when users have multiple accounts they just use the same passwords - dah!

However, Google, whilst being a monoculture has one distinct advantage from the Microsoft monoculture because an upgrade is entirely under Google's control (Microsoft products are only as patched as the competence of their sysadmins).

So why hasn't Google offered this? Its irresponsible to not provide adequate protection**.
I'd posit that a corporate decision on acquiring someone harmless like Vasco*** or someone potent like Verisign to solve 2FA would be a vexing challenge. I'd posit that Google knows this problem needs to be solved and they need to take time to find the right partner or acquisition candidate. I'd also posit that the Chrome OS and the Android Phone/Netbook OS would kickstart a userbase where 2FA is built into consumer devices.

So are we seeing a replay of the monculture that caused the last 8 years of cybercrime? Will the homogeneity of Google Accounts deliver exploits of identity theft rather than just merely an exploit "platform" (that M$-Windows became)? After-all, if we follow the money it always leads to a user's credentials and the assets those credentials protect....

Thanks to Dan Geer et al...the more things change, the more they stay the same.

* dotBens comments about IMAP/POP3 are more valid because these are largely progrmmatic and often "in the clear"
** Its been confirmed by security researc
hers that they already perform some sort of "Device tracking" and perhaps this is a method of "Account Hijack" mitigation
*** do these companies have a future?
**** If you get the joke of this last picture, you are
even sadder than me :)

No comments:

Post a Comment