3D printers and feckless customer service people are two of the biggest threats to our security. Mic Wright ponders the future of passwords and keys.
Start-ups often take the same approach to security that students do to bike insurance: it’s expensive and you probably won’t have anything bad happen to you, so why worry? But that analogy is dangerous. The worst that’ll happen to students with uninsured bikes is having to schlep to lectures on foot before they buy yet another broken down old bone-shaker. (I speak from experience.)
Yet start-up founders who assume they’ll never have to face a security screw-up are mortgaging their reputation and, in fact, their entire businesses on a hope and a prayer. Virtually every online business has suffered a security issue or data breach. It’s not a question of if but when you’ll have to deal with a problem.
What product people see as security features, hackers see as puzzles, as provocations to be beaten. Thus it is that both virtual safeguards like passwords and encryption and physical barriers like locks are becoming fiendishly complex as the number of wannabe insurgents increases with the population’s improved digital literacy.
Handcuffs – the physical kind – are an instructive example of how technology is beginning to outpace the traditional methods of keeping us secure. Want to know why handcuff manufacturers are sweating? Two words: 3D printing.
Handcuffs present a unique challenge: they have to be opened by a standard key, available to every officer on a force, so detainees don’t have to be tied to a single contact. But that means keys can be copied. A German hacker and security consultant known by the mundane handle “Ray” did just that at the Hackers On Planet Earth conference in New York.
Using a laser-cutter and 3D printer, Ray was able to create plastic copies of the keys to handcuffs made by the German firm Bonowi and English lock manufacturer Chubb. Both firms work hard to avoid their keys falling into the hands of buyers outside the law enforcement community, but of course that system is far from foolproof.
Ray told Forbes that he purchased the Chubb key from eBay and got hold of the Bonowi key from another, undisclosed source. He measured each key with callipers and created models in a CAD package which he then used to reproduce the originals in plexiglass using the laser cutter and ABS plastic using a Repman 3D printer.
3D printers are only going to get cheaper and more accessible. Similarly, just as the tools to mess with public phone boxes became readily available in the 70s, during the golden age of phone phreaking, cheap components to crack other forms of physical security are easily acquired now.
In July, during the Black Hat security conference, Cody Brocious, a 24-year-old security researcher and software developer, revealed a pair of vulnerabilities in the locks used in more than 4 million hotel room doors.
Using the open-source Arduino hardware platform, Brocious was able to create a substitute for the portable programming device that lockmaker Onity would usually supply. He determined that the firmware did not require authentication before giving up access to its memory. With less than $50 worth of equipment, those locks were rendered useless.
While Chubb and Bonowi do not appear to have responded publicly to Ray’s research yet, Onity has offered two solutions to hotels affected by Brocious’s research. The first is a very basic hardware tweak – a cap that can be screwed over the open port. That will slow hackers down slightly and has the benefit to hotels of being free.
The second is more costly and time-consuming. Onity says it will upgrade the firmware in the HT and ADVANCE series locks, which are vulnerable to the hack. But the upgrades will take a few weeks and the shipping, handling and labour costs are on the hotels.
As ingenious hackers armed with readily available technology ruffle feathers in the physical security world, we’re also becoming more reliant on technology in the virtual. So much of our lives and experiences are tied to web storage now. The recent case of Wired’s Mat Honan, whose iPad, iPhone and MacBook Air were all permanently wiped by hackers, shows how damaging a security breach can be. They gained access to his iCloud account by social engineering an Apple customer service representative to get the credentials they needed.
Thowing our hands in the air and declaring that “passwords are broken” isn’t good enough. Bruce Schneier, BT’s chief security officer and a security commentator so celebrated he is the subject of his own equivalent of Chuck Norris Facts (example: “Bruce Schneier’s skin has no pores. Pores are vulnerabilities.”) has written extensively on the issue. In 2008, he said in The Guardian:
“I’ve been reading a lot how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications but you have to choose a good one. And that’s hard. The best way to explain how to choose a good password is to describe how they’re broken…”
Schneier goes on to describe how password guessing applications can quickly run through sets of common passwords: “With a couple of weeks to a month’s worth of time, this guessing strategy breaks about two-thirds of all passwords. But that assumes no biographical data. Any smart guesser collects whatever personal information it can on the subject before beginning. Postal codes are common appendages, so they’re tested.”
He recommends using strong passwords based around a sentence but notes that they fail because people become sloppy and websites are equally sloppy “allowing people to set up easy-to-guess ‘secret questions’ as a backup password or [emailing] them to customers”. The latter failing was central to the problems highlighted in Tesco’s password procedures this month.
As software architect Troy Hunt writes in his post about Tesco’s problems: “When you decide data is worth protecting, you need to be consistent in your approach. There’s no point tightly securing it in one location then having it flapping around in the breeze at another.” Getting security right is hard and there is always a trade-off between convenience for the customer and the need to protect the information they have entrusted a company with.
As IBM system designer Fred Sampson pointed out in 2006, scanning the table of contents in Schneier’s now seminal book Beyond Fear: Thinking Sensibly About Security in an Uncertain World provides a neat summary of the main issues with any security system:
“All Security Involves Trade-offs/Security Trade-offs Are Subjective/Attackers Never Change Their Tunes, Just Their Instruments/Technology Creates Security Imbalances/Security Is a Weakest-Link Problem/Security Revolves Around People”
Kevin Mitnick, the notorious former hacker who achieved most of his exploits through wrangling people rather than code, succinctly explains why people are any system’s biggest problem area:
“A company can spend hundreds of thousands of dollars on firewalls, detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and the attacker gets in, then all that money spent on technology is essentially wasted. It’s essentially meaningless.”
Two-factor authentication, offered by both Google and Facebook, can greatly improve account security, but as the online establishment attempts to outfox the fiendish minds at work in the hacking and criminal communities, we run the risk of subjecting users to the virtual equivalent of the onerous, time-sapping and often ineffective measures in place at most airports.
Many of those laborious security procedures are what Schneier has termed “security theatre”. He explained the term in a 2009 essay for the New Internationalist: “Security theatre refers to security measures that make people feel more secure without doing anything to actually improve their security.
“An example: the photo ID checks that have sprung up in office buildings. No-one has ever explained why verifying that someone has a photo ID provides any actual security but it looks like security to have a uniformed guard-for-hire looking at ID cards…
“Security is both a feeling and a reality. The propensity for security theatre comes from the interplay between the public and its leaders. When people are scared, they need something done that will make them feel safe, even if it doesn’t truly make them safer.
“Politicians naturally want to do something in response to crisis, even if that something doesn’t make any sense. Often this ‘something’ is directly related to the details of a recent event: we confiscate liquids, screen shoes and ban box cutters on aeroplanes. But it’s not the target and tactics of the last attack that are important but the next attack.”
In other words – to use a quote from ice hockey player Wayne Gretzy, often repeated by Steve Jobs – “I skate to where the puck is going to be, not where it has been.” The trouble with security online and off at this point in our evolution is that it has always been chasing the puck.
When Apple and Amazon tightened up procedures following the highly publicised hacking attack on Honan, they were being reactive, but they did little to look to the future.
It’s obvious that every corporation with interests in the cloud wants to keep their portion of the virtual sky free from bandits. But people are the biggest problem in securing the future and we need to first improve education around passwords and personal security.
Just as schoolchildren would benefit from practical advice about how to deal with the tax man and other financial headaches, they should also be taught how to protect themselves online beyond simply warning them against the beastly perverts on Habbo and the scammers offering them African riches in misspelled emails.