Archive for the 'Security' Category

Single Sign-On - risk versus reward?

According to recent news articles from the BBC and others, both Microsoft and Google are joining the single sign-on bandwagon, making their users’ IDs OpenID compatible. Both parties will now join the numerous other companies who have already implemented the API into their sites and applications.

“OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience” - OpenID, 2008

By removing the complexity of remembering different usernames and their associated passwords, users should find improved access to services on the web. However, does simplifying the authentication process down to one set of credentials make security a bigger risk, and will this add further temptation to those willing to unlawfully access enrolled applications for bigger rewards?

The security risks aren’t necessarily eavesdropping or packet sniffing attacks, but what if a malicious keylogger has been installed on the user’s PC without the user’s knowledge? By the time the user is aware, it may be too late, and it could prove very difficult to verify your identity to the service supplier and subsequently regain access to your profile. But what could happen in the interim? Should you be using an online document package, consider what information is stored on there. By accessing all these interlinked accounts, could a perpetrator find enough information to pose as you to open bank accounts and other services, fraudulently using your identity for financial gain?

OpenID is a very good service which is based on “an open, decentralized, free framework … [OpenID has] arisen from the open source community to solve the problems that could not be easily solved by other existing technologies” (OpenID, 2008). As OpenID isn’t owned by anyone, does this pose a major issue over accountability, should any security breaches occur? Especially when “anyone can choose to be an OpenID user or an OpenID Provider for free without having to register or be approved by any organization” (OpenID, 2008).

The SitePoint article, The Single Sign-On War Will Ruin OpenID, has also been drawn to my attention. The article explains how “Yahoo! and Google — and probably soon Microsoft — are locked in a battle to become the de facto OpenID provider … However, Google and Yahoo! (and likely Microsoft to follow) are ultimately competing with one another to become the branded single sign-on solution for the web”. So will the potential future fragmentation add additional complication to what should be a simple, open technology?


How safe is our personal information?

Chancellor Alistair Darling yesterday announced the catastrophic loss of the personal records of 25m Britons. The entire Child Benefit database was exported onto disc and sent through the internal mail from the HMRC HQ in Washington, Tyne and Wear to the National Audit Office in London on the 18th October 2007.

Almost everyone who has a child under the age of 16 is affected along with older children still in full-time education.

It amazes me that there was such a delay before those affected were informed of the blunder. According to a BBC News report, “Bosses at the Revenue were not told about what had happened until the 8 November … The Officials involved waited before informing their superiors in the hope that the discs would be found.”

As a parent of a child under the age of 16, I am astonished to discover the extent of what has occurred and the implications it may pose. I cannot believe that it is possible for an error as profound as this to occur in today’s world. We are continually advised by Government of the risks posed by online threats and to ensure that our documents and information are kept secure at all times; yet the biggest threat lies within the heart of Government itself - its employees. Many of the news reports state that it was due to a junior individual failing to follow procedure. In my view it should not have been possible for such an incident to occur. This information should never have left the HQ of the HMRC.

The 1998 Data Protection Act was designed to ensure that personal information was managed appropriately; however, Stewart Mitchell’s report for PC Pro indicates that “the DPA appears powerless to force government or companies to accept their responsibilities”. Organisations are continually failing to secure the information in their possession. Stewart continues: “In a recent study at the University of Glamorgan, 300 used disks purchased from the UK, Australia and the US were tested and four out of ten contained sensitive data, such as salary details, financial data, bank and credit account details and visa applications”. According to a report by Sky News, information of this nature could be worth around £5 per person. This values the data in excess of £60m and doesn’t take into account the losses that could potentially be experienced by every individual involved. The information contained on the discs includes names, dates of birth, bank and address details - everything a fraudster would require to set up bank accounts, carry out transactions or create a fake identity. The Government now seriously needs to review its procedures and security implementations and may also need to reassess its controversial identity card scheme. After all, if the Government can’t be trusted with the information it currently holds, can the electorate trust it with more detailed information?
