XKCD: Authorization

Image Credits: xkcd

This comic highlights a common security practice among security-conscious users. We take a lot of measures to ensure that malware and other users can’t install anything without elevated privileges. All the effort put into securing our computer’s admin account can be wasted by one single deficiency. The user accounts we actively use are generally less privileged, but we use them on the assumption that they are secure. We no longer log out of the websites or programs we use when we step away from our computers. Instead, we stay logged into social media, email, and forums. If our screen isn’t locked, it’s an open invitation for free access.

This is the origin of the so-called “Facebook hacks” where someone’s status is defaced by a friend (or not) just by finding an open browser. It is a great reminder that we need to secure not only our admin accounts but our user accounts as well. A good password remains invaluable, as does preventing auto-login to Windows. Even if we have logged out, we use our browsers to save our passwords. This means that malicious or mischievous people don’t even need our password to wreak havoc or let loose the dogs of war.

There are three areas where security could be improved to mitigate this issue: the browser, the provider, and the user.

One possible mitigation could be through the browser. Perhaps browsers themselves could demand a login and password before unlocking the saved-passwords feature for a set amount of time. The browser could even auto-expire or delete login cookies after a certain amount of time as a security feature.

This is also a wake-up call for service providers to provide additional security for their users. Instead of allowing indefinite logins, they could have more frequent expirations. Banks already do this to provide security for their users. With how much is invested into social media, perhaps it’s time for these sites to do the same. They are already securing the communication channels, but a massive hole is still open: the user.
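The expiring logins suggested in the browser and provider paragraphs above can be enforced on the server side. The sketch below is an added example, not code from the original post or from any provider: the `SessionStore` class, the 15-minute idle timeout, and the 8-hour absolute cap are all assumptions chosen for illustration.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side login sessions with an idle timeout and an absolute cap."""

    def __init__(self, idle=15 * 60, absolute=8 * 60 * 60, clock=time.time):
        self._idle = idle          # assumed value: 15 minutes without activity
        self._absolute = absolute  # assumed value: 8 hours since login, no matter what
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Keep only a hash server-side so a leaked session table yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return (user, None) for a live session, else (None, reason)."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None, "unknown"
        now = self._clock()
        if now - session["created"] >= self._absolute:
            reason = "absolute_expired"
        elif now - session["last_seen"] >= self._idle:
            reason = "idle_expired"
        else:
            # Activity slides the idle window forward but never extends the absolute cap.
            session["last_seen"] = now
            return session["user"], None
        del self._sessions[key]  # expired sessions are destroyed, not merely rejected
        return None, reason

    def cookie_header(self, token):
        # Max-Age mirrors the idle timeout so the browser drops the cookie as well.
        return (f"session={token}; Max-Age={self._idle}; "
                "Secure; HttpOnly; SameSite=Lax; Path=/")
```

With both limits in place, an unattended browser stops being usable after the idle window, and even a continuously active session has to re-authenticate once the absolute cap is reached.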

In the end, I feel that the user is the largest weakness to any security system. Inadequate passwords and security settings based on convenience rather than security are what users want, and so security is left trying to work its way around the user instead of being bullish and demanding procedures be followed. What ends up being needed, then, is a new system that can provide security yet finds itself convenient to the end user.

Here are two technologies that are trying to solve that problem in different ways:

1. LastPass – a password manager so you can have long complex passwords that are hard to crack without memorizing them.

2. YubiKey – a USB-based system which provides two-factor authentication without the need to type anything out.

Agent[31]
