On Friday I traveled from Seattle to the other coast for my brother’s college graduation. While in another airport along the way (stupid layovers ;)) I heard a conversation that made the whole stop worthwhile.
Our flight was late, and it was one of those little puddle jumpers. Most of the travelers were traveling for business (it’s always quite obvious now, isn’t it) and were pretty annoyed that they would be late to dinners and such that were planned. The guy next to me wasn’t annoyed so much as concerned that he had something to do for work. He and I were chatting some, and he said he had a document to send off, and was annoyed that it would not be sent until too late to be of interest.
So standing next to me he proceeds to make a phone call. I usually stand in airports and either read or do work, but for some reason I was just spacing out that day, just looking out the window and enjoying the sunshine. I overheard bits and pieces of what he said, and I just had to share what I heard.
Of course, I only heard one half of the conversation, but here’s what I heard (making up a name, since I have no idea what his real name is):
“Hi, it’s Bob. I’m stuck in the airport….yes I know, frustrating. So I need to send a document out, would you mind doing it for me?”
“Great, go in to my office, you should have the key. Let me know when you’re there.”
“Ok great. So please go to my computer, and log on. My username is XXXXX and my password is YYYYY. Working?”
“Ah great. So in my documents, find <doc name I didn't pay attention to>. Ok, so let’s open Outlook. Go ahead and open a new email, and attach the document to it”
From there, I ran to a seat to type this up before I forgot the details. :)
So long as people do that with their username/password, there’s nothing we can do in the security world to protect people.
Perhaps we need to spend more time helping users deploy systems in a way that lets them get done what they need to, rather than in a way whose protections end up encouraging them to share their usernames/passwords.
After our conversation at the airport, I did a google search of your name and found this web site. I have some good news and bad news.
- The document got sent.
- Someone hacked into the network with my username and password.
I want to talk to you when you have a minute. Especially, after this comment from your blog:
"From there, I ran to a seat to type this up before I forgot the details". So you had a copy of my real username and password and then shortly after that I was hacked.
Call me. My phone number is in the DIT you ripped out.
I am curious if you have ideas on a way to handle this. Obviously we can't just chuck security.
The things I can think of in this case are:
1. Some sort of delegation where the user has already said someone could access something and simply has to contact them and tell them to access it.
2. Some sort of callback mechanism where the person tries to access it and the user gets a ping on their phone that allows him to allow the access. Maybe combined in some way with 1 above for extra security.
3. The user goes through some complicated dance on the phone to identify himself to an electronic device on the other end to authorize the access and then more dancing to get done what they want done. I don't visualize this being simple unless it is relatively insecure.
4. The overall networking infrastructure gets beefed up to the point that your "controller" device is never out of contact with your other electronic devices no matter where you are.
I think whichever bit of infrastructure one puts in place there will always be an "easy" way or rather "human" way to break the rules. I have had a similar problem on our network and no matter what we say to our Directors their secretaries always know their password. To me the problem is - it's just much easier to give your password away!
Bob- "Call me. My phone number is in the DIT you ripped out" what are you talking about?!?!?
Two (or is it three) words:
Two-factor authentication. There always needs to be something the user knows and something the user physically has - be it some form of biometric or just a plain smart-card.
Since I don't know your real name, nor the name of your organization, nor your u/p, nor do you know my name, I find it hard to believe. :) But it was taken in good spirit. :)
I've actually been thinking a lot about this since Friday.
On one hand, I think that we need to do a better job facilitating people doing this sort of information sharing. Clearly if we do anything to prevent it, the user will just work around it. If they are willing to share their username/password, all bets are off. Anything we do will just get in their way. And at the end of the day, security in your organization doesn't matter if your organization doesn't exist anymore because you can't get your job done.
On the flip side, clearly there is a middle ground here. Should we do a better job helping users share access to data? If nothing else, at least you could preserve an audit trail there.
Bob and the coworker did a kind of mutual auth based on voice recognition, then Bob's coworker was allowed to act on behalf of Bob to send the doc.
- The key was easily "sniffable" by someone standing near Bob when he made the call.
- There was no way to limit the "services" for which the coworker was allowed to impersonate Bob.
- The key validity period was probably too long. Wouldn't want the coworker to continue to be Bob for too long.
Other than the obvious problems I've listed, how is this really any worse than using delegation/Kerberos? What I'm trying to say is that I don't think the security holes here stem from "passwords are bad".
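As an added example (not from the post or any of the commenters), here is one way an authorization service could give the coworker what Bob needed without his password ever changing hands: a signed delegation grant bound to one delegate, a fixed list of actions and a short expiry, with every decision logged for the audit trail mentioned above. It assumes the service has already authenticated the delegate with their own credentials; the names, scopes and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # held only by the auth service (constructed here)

def issue_delegation(owner, delegate, scopes, ttl_seconds, now=None):
    """Owner grants `delegate` exactly `scopes` for `ttl_seconds`; no password changes hands."""
    now = int(time.time()) if now is None else now
    claims = {"owner": owner, "delegate": delegate, "scopes": sorted(scopes),
              "iat": now, "exp": now + ttl_seconds, "id": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def check_delegation(token, delegate, action, audit, now=None):
    """Decide whether the already-authenticated `delegate` may perform `action`; log every decision."""
    now = int(time.time()) if now is None else now
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # forged or altered grant
        audit.append({"delegate": delegate, "action": action, "allowed": False, "reason": "bad signature"})
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))  # parsed only after authentication
    if claims["delegate"] != delegate:
        reason = "wrong delegate"  # bound to one person, so an overheard grant is useless to anyone else
    elif now >= claims["exp"]:
        reason = "expired"  # short validity period
    elif action not in claims["scopes"]:
        reason = "out of scope"  # only the listed services, not everything Bob can do
    else:
        reason = "ok"
    audit.append({"owner": claims["owner"], "grant": claims["id"], "delegate": delegate,
                  "action": action, "allowed": reason == "ok", "reason": reason})
    return reason == "ok"

def airport_scenario():
    """Bob (constructed) gives a coworker 15 minutes to read one file and send one mail."""
    audit, t0 = [], 1_700_000_000
    grant = issue_delegation("bob", "alice", {"read:documents/report.docx", "send_email"}, 900, now=t0)
    cases = [("alice", "read:documents/report.docx", 60), ("alice", "send_email", 120),
             ("alice", "delete:mailbox", 120), ("carol", "send_email", 120), ("alice", "send_email", 901)]
    results = [check_delegation(grant, who, act, audit, now=t0 + dt) for who, act, dt in cases]
    return results, audit
```

The five cases return `[True, True, False, False, False]`, and the audit list records why each request was allowed or refused.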
I just got back from Digital ID World. One presenter did an informal study. They stood outside a BART station (presumably not dressed like gangbangers) and offered travelers a $10 Starbucks card if they gave them their userid and password. Over 70% did! One fellow couldn't remember them, and actually sent his administrator back with them so he could get the card!
Of course, they probably didn't provide the system in which the id/pw was relevant, but I mean really...
There's still a lot of education to be done.