Authentication, Identity and Zero Days: Web Security Ain’t What it Used to be

What a weird year it’s been for web security professionals. It seems like every year more threats arrive on the world stage, but 2012 has been a particularly crazy year even by recent standards.

This week’s article from ArsTechnica has a title that’s scary enough to make Donald Rumsfeld blush: “Crack in Internet’s foundation of trust allows HTTPS session hijacking”. That sounds kind of bad, right? Earlier this year Microsoft was forced to change its security practices around certificates due to one of the largest targeted attacks in history. Recently, Mat Honan had his Apple account hacked and his life torn apart by a 15 year old with no significant computer skills. This attack, while not technical, could be much worse because it involves social engineering instead of computer science. What’s an admin to do?!
The truth is that securing massive web properties has never been easy, but the exposure that a breach of trust creates can be amplified due to the new communications systems that exist today. There’s a big difference, in terms of liability, between a group of 5 hackers selling stolen credit card info on the black market, and that same group of hackers instead tweeting out the millions of credit cards. But if they don’t need access to advanced hardware to get these credit cards, or even really to distribute them, how can you defend against this? Put bluntly, if hackers don’t need computers to win, how can we stop them?

The answer is taking security seriously. Penetration tests are not just for enterprises and financial institutions; major internet companies would be well-advised to consider these services too. It’s not just about having good encryption, it’s about sensible authentication policies and managing user identities. The final piece of the puzzle, beyond training and good technology, is regulation.

Cosmo, the 15 year old hacker, was able to compromise Mat Honan because different online services each decided for themselves which pieces of information could serve as authentication. If one site considers the last 4 digits of your credit card sacrosanct, but another treats them as non-identifying and displays them, all an attacker has to do is use one identifier against another. Just as with PCI, there needs to be identity-management regulation for authenticating digital identities. Social engineering is perhaps the wrong term for this kind of attack; in reality it’s more like identity arbitrage. The answer is to eliminate the arbitrage opportunity through standardization.
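One way to make the arbitrage argument concrete is to audit recovery policies across services as a set of rules and look for attributes that one service accepts as proof of identity while another one displays. The following is an added example, not code from the original post; the service names, attributes and policies are constructed for illustration and do not describe any real vendor’s process.

```python
"""Audit a set of account-recovery policies for identity arbitrage.

Each service is modelled by the attribute sets it ACCEPTS as proof of
identity and the attributes it DISCLOSES to whoever gets into the account.
All policies below are constructed examples, not real vendor rules.
"""

SERVICES = {
    # accepts: any one of these attribute sets is enough to get in
    # discloses: what an intruder learns once inside
    "retailer": {"accepts": [{"email", "billing_address"}],
                 "discloses": {"card_last4"}},
    "cloud":    {"accepts": [{"email", "billing_address", "card_last4"}],
                 "discloses": {"alt_email"}},
    "mail":     {"accepts": [{"password"}, {"alt_email"}],
                 "discloses": {"contacts"}},
    "bank":     {"accepts": [{"account_number", "pin"}],
                 "discloses": {"card_last4"}},
}


def inconsistent_attributes(services):
    """Attributes treated as a secret by one service and as display data by another."""
    accepted = {a for s in services.values() for req in s["accepts"] for a in req}
    disclosed = {a for s in services.values() for a in s["discloses"]}
    return sorted(accepted & disclosed)


def offending_rules(services):
    """(service, attribute) pairs where a recovery rule relies on a disclosed attribute.

    This is the list a standardization effort would have to fix."""
    disclosed = {a for s in services.values() for a in s["discloses"]}
    return sorted((name, a) for name, pol in services.items()
                  for req in pol["accepts"] for a in req if a in disclosed)


def reachable(services, known):
    """Closure over the policies: starting from attributes assumed to be
    public knowledge, which services fall, in what order, and what ends up known."""
    known, order = set(known), []
    changed = True
    while changed:
        changed = False
        for name, pol in services.items():
            if name not in order and any(req <= known for req in pol["accepts"]):
                order.append(name)
                known |= pol["discloses"]
                changed = True
    return order, known
```

Running `reachable(SERVICES, {"email", "billing_address"})` shows the chain the paragraph describes: two attributes assumed public unlock the retailer, its displayed card digits unlock the cloud account, and that account’s recovery address unlocks the mailbox, while the bank stays out of reach because nothing in the set discloses what it asks for.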

In short, security will remain a problem from a social perspective until identity management becomes consistent. Technology can only protect us from so much; on some level every system comes down to some human interaction. It’s about training people to understand the risks that their actions create, from architects to customer service personnel.