Saturday, May 24, 2008

Security is all about breaking assumptions!


Anyone with a slight understanding of security would appreciate the fact that security is all about breaking assumptions. Any system is always built with certain assumptions because otherwise the system requirements will tend to be infinite. Hackers always target the assumptions to break the system. It thus becomes very important for system and process designers to be very careful about the assumptions they make for their system. I believe that systems which stand the test of time are the ones that have their assumptions clearly laid out and which provide their users a clear understanding of the strengths and weaknesses of the system.

While one may say that the above is clearly very logical and there is nothing surprising about it, reality indicates that not many get this simple axiom right. But there seems to be a paradoxical situation here. I said that a system cannot be built without assumptions and also that security is all about breaking assumptions. So that would imply that there is no such thing as 100% secure! And as it turns out, that is precisely the point.
Vendors who claim that their products provide 100% security or are 100% secure are essentially trying to fool their customers, or maybe even themselves.

A case in point: there was a very recent incident in the US involving the company LifeLock (read this). LifeLock is a company which guarantees protection against identity theft. In fact, its CEO advertises his own Social Security Number on the website and claims that their service guarantees complete protection against identity theft. They do this by setting fraud alerts at the three major credit bureaus, namely Experian, TransUnion and Equifax. They thought that by doing this, anyone who tries to use an SSN not belonging to himself will get caught. But they made a very, very big assumption here: that outfits like credit card companies, banks etc. will always run a credit check before activating services for an individual. Guess what! They were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was that the loan company did not bother to run a credit check at all!

The take-home message from this post is thus two-fold:
  1. If you are a customer, carefully evaluate the security assumptions yourself without getting sold on the vendor's advertising.
  2. If you are a vendor, make sure that all your assumptions are clearly stated, and avoid hidden ones.

Saturday, May 3, 2008

30th Anniversary of SPAM

As per this BBC news article, 3rd May 2008 is the 30th anniversary of email SPAM. The first spam message was sent to 400 users on the ARPANET by a DEC employee on 3rd May 1978. But this was not yet the beginning of the commercial SPAM era. It was only in April 1994, when a group of immigration lawyers sent the first commercial spam message to more than 6000 USENET discussion groups, thus spawning a new rogue business model using the internet.