WHAT IS SECURITY BY OBSCURITY AND WHY HAS RSA STUMBLED?


The breach at RSA just goes to show that security by obscurity never works.

And you are probably wondering just what is ‘security by obscurity’ ?

Lets use a simple metaphor that is familiar to us all to help explain the concept.

We have all at one time or another left a spare key under the doormat, just in case we are locked out of the house, or we leave it for someone else to use to get in.   Well,  simply put, that is - security through obscurity.

The theoretical security vulnerability is that anybody could break into the house by unlocking the door using the spare key from under the mat.    Add to that scenario the reality that any burglar worth his salt will check out the most obvious hiding places, and so we, the house owner, run a  greater risk of a burglary by hiding the key in this way, since the effort of finding the key is likely to be less effort to the burglar than breaking in by another means. We have in effect added a vulnerability  (the fact that the key is stored under the doormat) to the system, and one which is very easy to guess and exploit.

In the case of computer code or RSA algorithms the assumption is that the algorithm cannot be broken – that the burglar wont find the key under the mat.  Alas we have just found out how fatally flawed that logic is.  And boy it could not have happened to more iconic an institution than RSA.   The very same RSA that invented the public and private key algorithm (based on factoring of primes) that has formed the foundation of Internet security for the last 25 years.   But at the end of the day it is still security by obscurity.  

Enter Kerckhoff and his principle.  http://en.wikipedia.org/wiki/Auguste_Kerckhoffs
http://artofinfosec.com/335/crypto-kerckhoffs-principle/

 “ Assume your enemy has the details of your system “

If your security relies on some level of operational system "secrecy" to work, it is just a matter of when, not if, the system will be compromised. The problem with traditional shared secret tokens,  (not to mention cost, deployment and custody issues)   is that they do nothing to establish context of the mutual authentication i.e. the establishment of trust between the parties.    They are merely additional layers of "secret passwords", regardless of how those factors are generated or delivered.    http://www.schneier.com/crypto-gram-0205.html


The application most used by the RSA SecureID token, being the generation of a “One Time Password”  which is then entered into the browser;   is reliant upon the integrity of the browser,  the very vehicle  for which trust has not yet been established.   This constitutes a fatal flaw in the ‘design’ of the system.

The primary issue involved in this breach is the wide applicability of the "secret" elements that were compromised. In a properly architected authentication system, any security failure should be at worst, a one-in-a-row event.  In this case – assuming the hackers indeed have succeeded in ‘stealing the password’  ( the seed to the key generator)  they can exploit the vulnerability of all of RSA’s customers.   Not just one or two.

Being the ‘chosen’ security vendor to  “  90% of the Fortune 500 “  ( per RSA’s website)  leads to hubris and hubris leads to complacency.  The World now operates at Internet speed.  Just ask the Tunisian and Egyptian ( and who knows more) Governments about that.    No one can assume that their position is safe.  The rise of Hacktivism (http://bit.ly/gcqhxe) means that security has now risen right up the agenda and for RSA to be seen to be stumbling at such a crucial time could prove to be very damaging.    

Fortunately there are nimble and agile upstarts like http://www.liveensure.com who are showing the industry that innovation is alive and well and that solutions (that work) are available and they are affordable too.  

Other references: 

Comments

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

 If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key.    ( I was tempted to refer to them as  ‘ large UK bank’  - but it is so obvious who it is – no point in pretending. ) A lot of money has been thrown at this campaign – I would guess millions.  ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw )   Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots.   So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator  - but basically a technology that has been around for about a decade.   This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002
Read more