Lenny Zeltser on Information Security

Beyond Logins: Continuous and Seamless User Authentication

User authentication is usually discussed in the context of the person’s initial interactions with the system—a safeguard often implemented by a classic login screen. However, one-time validation of the user’s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from a seamless authentication approach that incorporates continuous verification of the user’s identity.

Initial attempts at continuous user authentication can be seen in security policies that lock the user’s workstation after a period of inactivity or settings demanding that mobile phone users enter their PIN every few minutes. These traditional security measures annoy people and leave much room for innovation.

Continuous user authentication could occur transparently by spotting anomalies in which the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person’s identity. For instance, the user’s web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns. Similarly, a mobile phone could regularly examine the user’s bio-signs to spot an impostor.

The notion of continuous and seamless authentication isn’t new; however, it has yet to enter mainstream computing in a meaningful way. Here are a few examples of what might be feasible:

• Continuous Authentication using Biometric Keystroke Dynamics and Keystroke Dynamics Based Human Authentication System using Genetic Algorithm discussed challenges and solutions for continuous authentication techniques based on the user’s typing activity.
• Physical Access Protection using Continuous Authentication discussed prototype systems that continuously and seamlessly authenticated PC users through “video from a camera, and fingerprint images from a mouse equipped with a fingerprint scanner.”
• Continuous Mobile Authentication Using Touchscreen Gestures proposed an approach that tracked the user’s user’s “unique touch features, such as finger pressure and trajectory, the speed and acceleration of movement” as the person interacted with the mobile device.
• Continuous Identity Authentication Using Multi-modal Physiological Sensors proposed multiple physiological sensors that could be used for this purpose, including eye position, pupil size, skin conductivity, blink rate, etc.

Users of modern web applications and mobile devices demand strong security measures that don’t get in the way of normal activities. Continuous user authentication could help fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting on the way only after observing an anomaly that exceeded a reasonable threshold.

Related articles you might like:

• Creative Options for Better Authentication of Mobile Phone Users
• We Still Suck at Protecting Logon Credentials

— Lenny Zeltser

Creative Options for Better Authentication of Mobile Phone Users

If you think your mobile phone is already deeply embedded in your life, consider the critical role it will have in just a few years. As the importance and sensitivity of the data handled by mobile phones increase, so do the repercussions of the devices falling into unauthorized hands. Manufacturers and app developers will need to implement creative ways of authenticating legitimate phone users without relying on awkward passwords and PINs.

Here are a few creative options for determining whether an authorized person is using the phone:

• Scan the user’s fingerprint while the person is holding the phone. Apple’s purchase of AuthenTec fueled speculations that Apple will include a 2D fingerprint reader in an upcoming iPhone.
• Identify the unique walking pattern of the phone’s user using an accelerometer already built into many smartphones. This authentication approach is described in a paper titled Pace Independent Human Identification Using Cell Phone Accelerometer Dynamics.
• Examine the user’s appearance using the phone’s built-in camera, potentially looking at eye patterns, facial geometry or ear shape. One such approach is described in the paper Face and Eye Detection for Person Authentication in Mobile Phones. For another example, consider EyeVerify’s authentication software based on eye vein biometrics.
• Analyze the phone user’s thermal imaging patterns as means of authentication. This approach is described in the paper Thermal Imaging As A Biometrics Approach To Facial Signature Authentication. For an example of thermal imaging phone technology, see the IR-Blue accessory for iPhone and Android devices.
• Tune into the user’s voice patterns to authenticate the person using approaches outlined in the paper Shedding Some Light on Voice Authentication and implemented by researchers in the context of mobile phones.
• Sense the manner in which the user holds the phone, paying attention to the strength of the grip or finger placement. This approach is being discussed in the context of firearms—see papers Hangrip Recognition and Algorithm Design for Grip-Pattern Verification in Smart Gun. It could be applied to mobile phones, too.

Authentication factors above might not work on their own, but they could be combined with each other to reach the right balance between false positives and false negatives.

For additional context, the authentication decision could account for the expected bio-pattern of the legitimate user, such as the heart rate range that could be obtained using activity trackers that integrate with phones, such as FuelBand, Fitbit or UP. The phone could also pay attention to the user’s breathing patterns, in the style of the Breathing Zone iPhone App.The decision could also incorporate the person’s expected physical location and activities (i.e. jogging); for an example of the phone can “predict” the user’s activities see the Google Now app.

Innovative authentication options are gradually becoming available for mobile phones. More will come to light over the next few years. In the next decade, we’ll see authentication mechanisms that effortlessly tie the bio-measured identity and  context with the phone’s hardware and software functions. In some ways, it will be hard to distinguish between the mobile device and its user.

For a follow up to this post, take a look at Beyond Logins: Continuous and Seamless User Authentication.

— Lenny Zeltser

5 Favorite Security Reads of the Week

Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:

• Six Degrees Of Desperation: When Defense Becomes Offense by Christopher Hoff
• Premature Counter Offensive Actions Could Yield Painful Results by Will Gragido
• Laptops as a Security Model for Hybrid Cloud by Chris Brenton
• Malware Root Cause Analysis by Corey Harrell
• Different Ways of Looking at Security Bugs by Jim Bird

Also, below are the articles I published in the past couple of weeks:

• Tips For Getting the Right IT Job - New Cheat Sheet
• Mutually-Assured Destruction in Cyberspace
• What Does a Security Product Manager Do?
• Allowing Gullible Victims to Self-Select in Online Attacks
• Looking at Mutex Objects for Malware Discovery and Indicators of Compromise (SANS forensics blog)

Looking forward to next week!

For more recommendations, see my earlier security reads of the week.

— Lenny Zeltser

Tips for Getting the Right IT Job - New Cheat Sheet

I published a new cheat sheet, this one offering practical tips for finding and getting the right job in Information Technology, with a slant towards information security. You can view the contents on the web or print them as a 1-page PDF file.

This cheat sheet covers the following topics:

• What to do before you start looking for a job
• How to use social networking as an ongoing part of your career
• Steps towards finding the IT position worth pursuing
• Advice on crafting and polishing your resume
• Tips for negotiating a favorable compensation package

If you have comments or tips related to getting the right IT job, please leave a comment or drop me a note.

— Lenny Zeltser

Mutually-Assured Destruction in Cyberspace

Public accounts of intrusions conducted or supported by state actors highlight the importance that military organizations are placing on cyber warfare. Those without access to privileged information have been debating when “real-world” warfare will find its way to the Internet, without realizing that such activities have been ongoing for at least several years.

Intrusions initiated by nation states against companies and governments of other countries are motivated by political and economic reasons, much like the traditional form of warfare. My hypothesis is that a country looking to safeguard its own cyber interests has to engage in a systemic campaign to compromise IT assets of its adversaries. The logical goal of such offensive operations is the state of mutually-assured destruction that deters each party in the conflict from taking advantage of the IT assets it compromised.

Here’s why I believe this might be the case:

1. There is presently no practical way to defend IT infrastructure of any nation state against intrusions, be they commercial or government assets. If there was, we wouldn’t be experiencing so many breaches.
2. As the result, a country needs to assume that an adversarial nation state will be able to successfully compromise a significant number of the country’s critical IT assets. Many of these intrusions will be undetected.
3. Therefore, the country will need to find a way to deter the adversary from taking aggressive action against a significant number of the IT assets it illicitly controls.
4. One way to accomplish this is for the country to compromise a meaningful amount of the adversary’s critical IT infrastructure, creating the situation of a mutually-assured destruction.

The idea of mutually-assured destruction in cyberspace isn’t novel. It was brought up at an RSA Conference panel in February 2012. According to the Threatpost’s article discussing that panel:

“Deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia. The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities - ‘big stones, and plate glass windows,’ said Lewis. ‘We’re back to mutually assured destruction.’”

A June 2012 article in the New York Times discusses several cyber warfare initiatives that appear to have been conducted by the U.S. and highlights some of the challenges of achieving cyber warfare dominance and reaching the state of mutually-assured destruction.

Nations with the interest, expertise and budget to conduct offensive cyber activities are probably busy hacking each other to avoid being outpaced in this process by their adversaries. They are doing this to achieve the state of mutually-assured destruction as a way of deterring each other from launching a full-scale cyber war. Just a theory.

— Lenny Zeltser

What Does a Security Product Manager Do?

It’s unusual for information security professionals to work in a group that directly generates revenue instead of being a cost center. Many find working within a cost center hard, in part because when it is time to cut costs, infosec budgets are among the first to go. Product management provides an opportunity for infosec pros to work in a profit center for a change. (There are others, such as consulting and sales.)

From my perspective, the primary goal of product management is to define product capabilities and drive product adoption. Sometimes this view on product management is called product development.

• Defining product capabilities entails working closely with customers to understand and anticipate their needs. It also requires understanding the company’s strengths and weaknesses related to the market as well as the competitive landscape.
• Driving product adoption involves those steps that help the product find its way to its consumers. This usually requires the need to understand the company’s channel and partnerships, unless the product is sold directly. It also involves regular customer interactions and some aspects of marketing.

In the world of information security, a product might be a hardware gadget, such as a network tap, a piece of software such as an anti-malware tool, or a service, such as a managed security offering. Sometimes it is a combination of these categories.

Here are the type of tasks a product manager might be asked to perform to support the objectives outlined above:

• Define a strategy for the product’s evolution to support business and customer needs.
• Create specifications, prioritize requirements and maintain a roadmap of the features being developed.
• Manage the process of making the product available to customers.
• Act as a subject matter expert for the product’s capabilities in pre and post-sales discussions.
• Collaborate with the engineering team building the product to clarify requirements and specifications.

— Lenny Zeltser

Allowing Gullible Victims to Self-Select in Online Attacks

Cormac Herley’s paper Why do Nigerian Scammers Say They are from Nigeria? explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels all but the most gullible, the scammer gets the most promising marks to self-select.”

This motivates some scammers to send messages that are easily identified as fraudulent by many people, yet succeed at catching the more gullible portion of the population. An excerpt from one such example:

“We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD.”

An article in The Economist on this subject quotes Basil Udotai, a former cybersecurity director of Nigeria’s National Security Adviser: “There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.” One motive for this might be “Nigeria’s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.”

Allowing victims to self-select as being vulnerable might be useful for online attacks and scams that involve social engineering and require human involvement on the attacker’s part. They also seem most appropriate for mass-scale attacks, where a small percentage of gullible people produces a sufficiently large set of likely targets.

Self-selecting victims by using blatantly malicious communications also might be useful for some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.

So perhaps the next time you come across a poorly-worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won’t laugh at the naive message. The scammer might be so clever, that his apparent incompetence is a charade.

Hand-picked related articles:

• When Bots Chat With Social Network Participants
• Faux-Targeted Attacks and the Magic of Cold Reading
• Social Engineering in On-Line Scams: “Home Income Kit”

— Lenny Zeltser

5 Favorite Security Reads of the Week

Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:

• Browsers and Malware by Augusto Paes de Barros
• Safe in Its Shell by Anil Dash
• Citadel Trojan Uses Insidious Forms of Social Engineering by Social-Engineer.org
• Malware Uncertainty & False Positives by Gunter Ollmann
• Obama Order Sped Up Wave of Cyberattacks Against Iran by David E. Sanger

Also, during the past week I published the following posts:

• The Endowment Effect in Information Security
• How to Extract Flash Objects From Malicious MS Office Documents (SANS forensics blog)

Looking forward to next week!

For more recommendations, see my earlier security reads of the week.

— Lenny Zeltser

The Endowment Effect in Information Security

There are many reasons why business managers seem to ignore the risks brought forth by information security professionals. I outlined six of them in an earlier post. In this note, I’d like to add another possible explanation: the endowment effect, which affects how humans value their possessions.

Richard Thaler coined the term endowment effect to describe the tendency of individuals to value the item in their possession more highly than the same item possessed by someone else. In the words of Dan Ariely, “once we own something, its value increases in our eyes.” Dan also points out that ownership isn’t the only way to endow something with higher value:

“You can also create value by investing time and effort into something (hence why we cherish those scraggly scarves we knit ourselves) or by knowing that someone else has (gifts fall under this category).”

This propensity seems irrational, yet it was observed in numerous experiments.

Information security professionals experience a sense of ownership for the data they safeguard. Therefore, the endowment effect might bias us towards overestimating the value of this data. Business managers are somewhat removed from the data by layers of applications and business processes and aren’t affected by the bias to the same degree.

In other words, business managers might value the data less than how infosec professionals value it. This would contribute to the disagreement regarding the level of risk associated with security of the data.

If information security professionals are, indeed, irrationally influenced by the endowment effect, what can we do about it? Alternatively, when persuading business managers to agree with our perspective, how might we influence them to experience the endowment effect to the same extent?

— Lenny Zeltser