Security for Dummies

A couple of days ago, Israel approved the bill for creation of biometric database of all Israeli citizens. Israeli government is going to start issuing biometric "fake-proof" electronic passports.

Writing about the problems they will face I could not expect to find such a strong support to my words. Today's article in Times Online depicts the vulnerability of combination of RFID and biometrics.

"The tests also raise serious questions about the Government’s £4 billion identity card scheme, which relies on the same biometric technology. ID cards are expected to contain similar microchips that will store up to 50 pieces of personal and biometric information about their holders", said Dominic Grieve, the Shadow Home Secretary, “It is of deep concern that the technology underpinning a key part of the UK’s security can be compromised so easily,” he said.

Thanks Times! Maybe now they will start thinking.
Two years since biometrics and RFID were added to UK passports we need another technology to secure this "security".

Israeli Government approves bill calling for creation of database of all Israeli citizens. Data to include fingerprints, computerized facial features embedded on IDs, passports.
The government approved Sunday a motion calling for the establishment of a biometric database by the Ministry of Interior and the Public Security Ministry.
The motion, dubbed the "identification card, travel papers and biometrics database bill," will now be referred back to the various Knesset committees, which would ready it for its Knesset votes.

Another country is falling into this trap. They think it will enhance security and prevent identity theft. They will learn that it will cost them a fortune to collect, to keep and to protect the database. They will see that relying too much on technologies is dangerous. They will realize that this project is too expensive for a small country with limited budget. And at last they will learn that there are much more faked ID cards than before.

Read full story here

There is no doubt that the web has changed our lives. We are looking for information, pictures, news, music, video; we are shopping, dating, you name it. We have everything there. We do a lot there. We spend half of life there.
Then why do we still store gigabytes of info at our home PCs? HDD are not reliable enough (3-5 years lifetime?). What are you doing whith your personal data when you upgrade your PC or purchase a new one?

Why the heck not to keep everything online and sleep tight?
I have 2 reasons for it, maybe some of you have more:
1. The performance - it is stil slower than local drive.
2. The trust - we beleive that the closer the safer.
* Yes, we are still thinking that burned DVD will save our data for promised 100 years! LOL
* No, we do not trust these guys at the server side. We do not beleive that they will take care about our data better than we do. But we do not... we do not take any care at all :)

So what can the internet offer? There are 2 major types of online storage by purpose: sharing and offsite storage/backup (of course most of services offer a combination of both)

See the full story here

First, I would like to distinguish biometric technologies that do not work or must not work. I mean both behavioral (keystroke dynamics, handwriting) and physical (voice, face and palm) recognition systems. Why do I think that these technologies are not working? Simple. The error ratio is too high for real life implementation; it is too easy to trick these systems even for non-experienced hacker.
I am also not going to talk about iris scan and retina scan. These systems are accurate. It is much harder to trick them. But these systems are too expensive. For the same token I will not talk about DNA, odor identification systems and alike.
Let’s talk about biometrics that works in real world conditions – fingerprint.

What are concerns?
1. Accuracy.
Regular fingerprint identification system has standard FAR of 0.001% and FRR of 0.1%. What does it mean for us? FAR (False Accept Ratio), a possibility to accept a wrong finger instead of registered one, of 0.001% mean that if one fingerprint is registered, the system can once in 100,000 attempts the system can wrongly grant access to a impostor. Pretty high accuracy. If 10 fingerprints are registered – the same statistical mistake accumulates resulting to one in 10,000 attempts. That is also fine. But let us imagine a public system with 1,000 registered users (not rare situation). Every user has 10 fingerprints registered. What is the resulting false accept ratio? 10fingerprints*1000users*0.001%=0.1%. That is already alarming. That means that every passer-by may enter the gate from maximum 10 attempts.
For the system with 10,000 registered users the resulting false accept will be “1”, meaning that ANYONE can enter from the first attempt. Scary!
2. Response time, user acceptance and FRR
It was tested and proved that FRR (false reject) rises exponentially with the number of attempts. If the person trying to pass the gate is a bit nervous, the possibility of false reject is 1% at the first attempt, 12% at the second, 48% at the third time. Imagine a huge line of employees trying to get their workplace in time.
3. Psychological resistance
The fingerprint technology has still some criminal “aura”; it is deep in our minds. We do not want to leave our fingerprints somewhere.
Contnue to the full story here

I have mentioned several times here and here we all need password manager. These three posts in the ITFacts strongly support my words.

Fact #1 63% of Americans use roughly the same password for different online accounts
63% of Americans admit to using the same password or a variation of it for all or most of their online accounts. 6.7% use a variation of a familiar password for most of their online accounts. 22.9% use the same password for most of their online accounts. 3.5% use the same password for all their online accounts.

Fact #2 66% of US employees write down passwords in unsafe places
US workers, managers, and IT staffs alike are increasingly confronted with difficulties arising from computer passwords. Over half of all respondents said the average employee in their firms are required to remember three to five passwords, with an additional 26% saying the number ranges from six to ten or more. 49% responded that employees are required to use passwords more than 25 times per week, with 8% stating the number of password uses exceed 100 per week. 66% stated that employees write down or store passwords in unsafe places, creating a security problem for their companies. 48% of responding IT professionals are actively seeking a reliable password management solution. While 79% of those taking the survey report that security is their number one password management concern, 39% also reported Lost Employee Productivity or Frustration as an issue. In addition, 31% said that helpdesk hours are either lost or spent in frustration by support personnel.

Fact #3Only 14% of business users use a different password for each site
14% of the business users use a unique password for each site. 41% use the same password all the time, while the remaining 45% use “a few” different passwords.

My statement is clear - we need password manager software, better portable one. This can save time, money and nerves.