The One In Five

The Harvard/MIT study of Bank of America’s web site security, including SiteKey system and SSL certificate verification (see New York Times and Slashdot), tackles the problem of real users using real websites to see how they respond to the authentication protocols. The security, for the most part, failed the users, with the researchers citing difficulties in testing the usability of these controls.

Slashdot comments, as expected, complain about the intractability of the Trainables in their charge, diminishing the argument to “Users == Lusers.”

I couldn’t find a fleshy threat model in the study’s methodology. The subjects (recruited from Harvard Yard) were asked to log on to the bank’s legitimate website on a university computer under the guise of testing usability. Meanwhile, the researchers played pranks on their browsers, causing it to display incorrect information regarding SiteKey and SSL certificates. It seems to me that the researchers were solving for a very narrow set of threats, primarily a man-in-the-middle or a DNS spoofing attack. My understanding of published incidents is that phishing generally originates with a convincingly deceptive e-mail containing a link to a phony banking site, or through a keystroke logger. A more interesting question for me would be “Would the users pay more attention to the security clues if they were following an e-mail link?” The common credential collection trojan appears to be outside the scope of the research.

Since Harvard students should probably pride themselves on not being representative of the populace as a whole, I can’t see that there’s a tremendous amount that can be taken from this research. The approach seems more like an episode of “Punk’d” (even though I’ve never watched it) or “Candid Camera” (which I have) or the Jim Coyle/Mel Sharpe stuff (which I love, but no link! I’m shocked!). Is there a difference between a drawing a valid audit (or research) conclusion and just giving a Muntz-esque “Ha Ha” followed by a “Stop hitting yourself”?

A couple brief notes.
From Pogo Was Right, a link to the Boston Globe op-ed on privacy, security and Harry Potter hackers. The nut of the argument of Mr. Peters, CISSP:

People take to the streets to protest the Patriot Act or the search of phone records even though the payoff may be stopping a terrorist. But the same people freely give their phone number or address to a checkout clerk when the only payoff is an abundance of junk marketing.

I remember hearing a guy named Maple quote an IBM study stating the Americans love their privacy, but will trade it away for a fifty cent off coupon. That was 1998, and I don’t think much has changed.

I’m not quite ready to give up on the power of consumer, but this chart is the most distressing for me. The consumer doesn’t matter if the shareholder get his bit.

And I was flattered that the Periodical of Record for Road Racing in North America picked up my post on the Ducati laptop lost and found. I should let Ducati know that I’d be happy to test the security of the USB Ducati Data Analysis on the 1098S just to make it is, you know, compliant with EU Privacy Directive. Maybe hook it up with some 802.11n and turn the 1098 into the only Desmo driven war driving device.

The lost laptop story has become tiresome. Some individual, proving themselves to be careless, or even just human, loses a laptop with some sort of confidential information. SB1386 has made this the most banal folk tale of the 2000s.

Fortunately, after perusing the results of the MotoGP tests in Jerez, I read the Roadracing World’s version of the lost laptop story. Four cats from DC head out early to the Laguna Seca track on the Wednesday before the big MotoGP race. They find a carry-on piece of luggage, which contained a passport, tickets, MotoGP credentials and (yes) a laptop containing precious Ducati Corse data. So, instead of heading over to Repsol Honda, or eBay, these gentlemen returned the baggage to the Corse engineer it belonged. In return, the Ducati folks treat them like royalty throughout that weekend, and invite them to the season closer at Valencia. Hanging out with umbrella girls, scooter rides with Randy Mamola, asking Garry McCoy where it hurts, watching Nicky Hayden win the championship, all worthy activities paid in gratitude from Ducati.

Admittedly, Ducati Corse is cooler than the Department of Veterans Affairs or Wells Fargo will ever be. But if people knew that they could go on a scooter ride with Randy Mamola if they returned laptops loaded with trade secrets or personally identifiably information, our privacy problems here would soon be over.

The Bonham & Butterfield auction of Steve McQueen’s motor related ephemera included his credit card. According to February’s Sports Car Market, the unsigned Wells Fargo MasterCharge (exp 07/80) was purchased for $9,945. (some coverage here of the auction).

According to this Tao Security link, you can get a better deal on credit cards on IRC.

A post and response from computerworld.com and cogent commentary from Mike Rothman.
My issues are primarily with Eric Ogren who cites “the only two effective regulations.”

1. Executive accountability of SOX.
Accountability is a good idea, and formalized some of the accountability that existed de facto. However, it is currently implemented by a legion of auditors with blank checklists seeking billable hours. Accountability could be frightening to the honest CEO, but SOX will just double the thrill factor for the corrupt.

2. SB1386 Disclosure
SB1386 as a shaming device? I believe it was designed to function as a means to protect the consumer. If its objective was to shame the violating corporations in the marketplace, it has failed. I believe there is sufficient evidence that public notification of a privacy breach is not a significant indicator of long term market performance. Other non-security, non-privacy related factors have more influence, and the investing/consuming public has become somewhat inured to notification after 2006’s breach-o-palooza notification blizzard. If it was designed to punish corporations, it would have provisions of fines, jail time, drawing and quartering for the execs (not unlike SOX). Market impact is a mild, short term side effect, equivalent to postage and printing notifications.

EO also cites the ineffective enforcement of HIPAA and PCI “regulations.” Well, I’ll go along with HIPAA, which was a bitter sausage long in the making, shoved in a casing of some of the weakest enforcement mechanisms this side of the FDCPA. I don’t understand all the byzantine economics of the health care industry, so I have a hard time imagining an FFIEC correllary that could oversee physicians, dentists, hospitals, clinics and insurance companies.

But PCI compliance brought CardSystems to its knees precisely because it was not a regulation, but a business agreement.

All in all, I have to agree with Rothman. I’ll even go beyond that. Compliance is a by-product. If your focus is on protecting the customer’s information, compliance will occur. If your focus is on compliance, you will likely waste resources chasing the wrong rabbit down the wrong rabbit hole, and never really achieve your objective. So, what are you trying to do?