Time – Again – For Trustworthy Computing

August 21st 2009

Saul Hansell of the Washington Post has posted an article about real-time attacks on one-time password tokens like SecurID and SafeWord. The strategy is to steal a user’s one-time password after it is typed in and redirect it to an attacker who uses it immediately, before it expires. The attack relies on Trojan software that has installed itself on the victim’s computer.

One-time passwords were not designed to protect against this type of thing. Once you have that sort of Trojan, there’s no way to use your computer reliably. Attackers can intercept what you’re doing, change it to benefit them, and you won’t know what happened until you look at your bank statement.

The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.


Posted under Security | 1 Comment »

Another plea for password sanity

August 15th 2009

Here’s a recent posting on password problems that suggests 10 hard-to-follow rules.

The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.

Here’s the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you’re going to slack off, do it when registering to post a one-off blog comment.

Let me take a stab at my own list of recommendations.


Posted under Security | No Comments »

Revising OpenID for WordPress

September 21st 2008

Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well: I have separate logins delegated through domains I own, and I routinely log in through OpenID for both routine and administrative activities.

Posted under Security & WordPress | 2 Comments »

“Design Patterns” for Identity Systems

September 18th 2008

These are design patterns in the Christopher Alexander sense rather than the object-oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.

There are four patterns: local, direct, indirect, and off-line.


Posted under Security | No Comments »
