Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Dear Bob,
I am writing to you formally in your capacity as CEO of Metaphoronic Corp., makers of the bioport that I had installed in my lower spinal column last year for direct neural connectivity to my Windows 2010 operating environment. It's been great, by the way: I love the way I can simply think what I want to make the system perform properly. The only problem I've had is what happens when I daydream, but let's not go there.
Today I could not sign into the Web page for the SpinalTap application, which makes adjustments to the interface. I could find no instructions on having the password e-mailed to my e-mail account, or on resetting it to a temporary password delivered by e-mail, so I called your help desk to find out what to do.
The very nice agent cheerfully demonstrated that your help desk has no clue how to deal with lost passwords for SpinalTap. She:
1) Asked me for my user ID: unacceptable because it began a phone-based process for resetting a password;
2) Asked me one of my verification questions (“What was the last name of the girl who arranged for me to step on her foot on a ski trip in 1963?”): UNACCEPTABLE because it means the authentication data are not one-way encrypted;
3) Read me my old password: UNACCEPTABLE because it means the password file is not one-way encrypted!
Normally, passwords and other authentication data are one-way encrypted (hashed): the response to a question is run through the one-way function and the result is compared with the stored ciphertext of the correct answer, and it is difficult (expensive, slow) in practice to regenerate the original cleartext unambiguously from the stored ciphertext. (See my lecture on cryptography fundamentals if you like.)
Access to the authentication questions, to their answers, and to the passwords implies that the help desk agent(s) can impersonate customers at any time by logging into SpinalTap using their purloined IDs. The damage caused to your company's reputation if one of your employees were to sabotage a customer’s settings and cause serious damage – psychotic breakdown, for example, due to the impression that two-headed lizards were chewing on his left hallux – could be disastrous.
To put the problem in perspective, it would be the same kind of problem of impersonation as if a member of your staff were falsely accused of damaging company records, sending inappropriate e-mail within the company or to external recipients or posting inappropriate materials on a company Web page. Not only would the victim of the impersonation suffer – so would the company.
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (3)
Additional Line in the Reply
By Anonymous on November 3, 2008, 11:50 am
To address your issue: Username: Mich New Password: R3Pl$T0#m3@&3ll If you decide to change it, your password must be of similar or greater complexity and...
Sounds like you're talking about Surewest telephone company in R
By Anonymous on September 18, 2008, 11:42 am
This is exactly how Surewest Communications mismanages passwords for everything from email accounts to online access. As example, when I want to change password...
How not to manage lost passwords
By apeshansky on September 18, 2008, 10:17 am
You forgot to post the reply you got: From: noreply@Metaphoronic.com This is an automated reply to your message to CEO of Metaphoronic Corp. Please do not reply...