Technological and Internet Security

When using computers and other electronic devices, many people take their security for granted and think little about it. For some people, this is not much of a problem, and they will go about their lives as normal, never running into an internet security breach. However, that person is becoming much more rare as technology is advancing and people are becoming more complacent about internet security. The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined (Lawson). At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker (Lawson). A compromise needs to be made to keep online data more secure: security or convenience.

History of Encryption

Early Encryption

In 700 BCE, the Spartan military needed a way to cipher important messages. They used a simple but effective system of wrapping leather strips around wooden poles with a specific diameter (Laird). The dowel would be of a very specific diameter so that the message could only be decoded if it was wrapped around a dowel of the same diameter.

Leon Battista Alberti invented the first poly-alphabetic substitution cipher in 1467, changing the course of encryption forever (Laird). The Alberti cipher was comprised of two metal disks, one inside the other, and used mixed alphabets and variable rotations to encrypt and decrypt a message efficiently. The Alberti cipher preceded the Jefferson Machine, invented in 1797, which was comprised of 26 cylindrical wooden pieces threaded onto an iron dowel (Laird). The letters of the alphabet were inscribed on the edge in random order, but when each was turned correctly it would spell out the secret message.

The first real predecessor to modern computer ciphers was called the Enigma machine. The German military used the Enigma cipher machine during World War II to keep their communications secret. The machine was available commercially during the 1920s, but the military potential of the device was quickly realized and the German army, navy and air force all used a more developed model of the machine to cipher their messages believing that it would make these communications impenetrable to the enemy (Wilson). The Enigma machine is an electro-mechanical device that relies on a series of rotating wheels to scramble messages into incoherent ciphertext (Wilson). The machine's variable elements can be set in many billions of combinations, and each one will generate a completely different ciphertext message. If you know how the machine has been set up, you can type the ciphertext back in and it will unscramble the message. If you don't know the Enigma setting, the message remains almost indecipherable.

The German authorities believed in the absolute security of the Enigma. However, with the help of Polish mathematicians who had managed to acquire a machine prior to the outbreak of World War II, British code breakers stationed at Bletchley Park managed to exploit weaknesses in the machine and how it was used and were able to crack the Enigma code (Wilson). Breaking the Enigma ciphers gave the Allies a key advantage, which, according to historians, shortened the war by two years, thus saving many lives (Wilson).

Computer Encryption

The first computer password was developed in 1961 by the Massachusetts Institute of Technology, when most people had never even seen a computer (Laird). There was no real name for the system at the time, but MIT's CTSS (Compatible Time-Sharing Software) division may have used the first ever username and password system, and may have also experienced the first computer security breach (Laird).

In 1966, when a software bug in MIT's computers jumbled the welcome message and master password files, it created what could have been the first ever computer “hack”. The jumbled files resulted in anyone who logged into the system being given a list of all the username and password combinations in the system. This event showed the need for encryption of computer passwords.

In 1979, the National Bureau of Standards invented the DES or Data Encryption Standard (Laird). DES used state-of-the-art 56-bit encryption which, at that time, was so strong that not even super-computers could crack it. DES was the standard for almost 20 years, until the Electronic Freedom Foundation cracked it in less than 56 hours in 1998, and halved that to 22 hours a year later (Laird). This prompted the development of AES or Advanced Encryption Standard, which is still in use today. 128-bit encryption will theoretically take 2 to the 55th years to crack. However, cracking passwords is not the most common form of online security breach.

Modern Password Encryption and Cracking

Modern Hashing and Basic Cracking

Throughout the past few years, there have been several security breaches in huge databases in which large amounts of passwords are dumped onto various sources around the internet. The first, and arguably the most important of these password dumps was the RockYou.com database dump in 2009 when an SQL injection attack dumped the entire database of over 14 million passwords onto the internet (Lawson). However, a very small amount of these breaches dump out plaintext passwords. The majority of dumped password databases contain “hashed” passwords. Hashing is the practice of putting a plaintext set of characters through an algorithm that will produce very different outputs for any combination of characters, no matter how similar (Lawson). When passed through the MD5 algorithm, for instance, the string “password” (without the quotes) converts to “5f4dcc3b5aa765d61d8327deb882cf99” and “password1” translates into “7c6a180b36896a0a8c02787eeafb0e4c.”

Once a string has been encrypted, there is no way to translate it back to its original form by using cryptography (Lawson). “Password cracking” is therefore the process of feeding plaintext strings through the same function used to encrypt it. When the two outputted hashes match, the password has been cracked.

Modern Cracking Practices

Even though 128-bit encryption will theoretically take 2^55 years to crack, an attack on an internet database is almost never purely brute-force. Instead, hackers have found ways to vastly improve their chances of cracking any given password by using common themes in passwords such as replacing the letter “e” with the number “3,” or the tendency for passwords to start with a capitalized, five-letter word followed by a capitalized, seven-letter word (Lawson).

The RockYou dump was a watershed moment, but it turned out to be only the start of what's become a much larger cracking phenomenon (Lawson). By putting 14 million of the most common passwords into the public domain, it allowed people attacking cryptographically protected password leaks to almost instantaneously crack the weakest passwords (Lawson). That made it possible to devote more resources to cracking the stronger ones.

For instance, after the leak of 6.5 million password hashes from LinkedIn, 90\% of them had been cracked in just six days (Lawson). In the RockYou aftermath, everything changed. Gone were word lists compiled from Webster's and other dictionaries that were then modified in hopes of mimicking the words people actually used to access their e-mail and other online services. In their place went a single collection of letters, numbers, and symbols — including everything from pet names to cartoon characters — that would seed future password attacks (Lawson).

Phishing

The greatest amount of security breaches every year are through people telling their passwords to others - on purpose or not (“Phishing.org”). The biggest section of that comes from phishing websites. These sites attempt to masquerade as popular websites like Facebook, Twitter, or YouTube, and steal users' passwords when they “log in” to these false websites.

The first big outbreak of phishing began on AOL, which was one of the most popular email and instant-messaging providers of its time (“Phishing.org”). A phisher would send an email or instant message to another AOL member saying that they were an AOL employee and needed their password or other sensitive information. They would entice the victim by using phrases such as “confirm billing information” and “verify your account” (“Phishing.org”). The victim would then click on a link and enter their information which would be fraudulently collected by the attacker.

Phishing got so wide-spread that AOL added a line of text to the bottom of their instant messenger stating that “no AOL employee will ask for your password or billing information” (“Phishing.org”). Even this did not stop all phishing, because the victim would sometimes click a link and enter their information before reading the warning.

The capture of AOL account information may have led phishers to misuse credit card information, and to the realization that attacks against online payment systems were feasible. The first known direct attempt against a payment system affected E-gold in June 2001, which was followed up by a “Post-9/11 ID Check” shortly after the September 11 attacks on the World Trade Center (“Phishing.org”). Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognized as a fully industrialized part of the economy of crime: specializations emerged on a global scale that provided components for cash, which were assembled into finished attacks (“Phishing.org”).

The damage caused by phishing ranges from denial of access to e-mail accounts to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million (“Phishing.org”). United States businesses lose an estimated $2 billion per year as their clients become victims (“Phishing.org”). In 2007, phishing attacks escalated. 3.6 million adults lost $3.2 billion in the 12 months ending in August 2007 (“Phishing.org”). Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at $60 million (“Phishing.org”). In the United Kingdom losses from web banking fraud — mostly from phishing — almost doubled from £12.2m in 2004 to £23.2m in 2005, and 1 in 20 computer users claimed to have lost out to phishing in 2005 (“Phishing.org”).

Solutions to the Internet Security Dilemma

Biometrics

For a long time, perhaps since science fiction was invented, fingerprints, iris scans, and voice locks have been the security methods in high tech facilities. Biometrics are things that are unique to each individual (Swaby). All of these biometrics are also possible alternatives to the password. In order to be used for security purposes, these biometrics also need to be difficult to replicate.

The need for these biometrics to be hard to replicate and unique makes iris scans seem an ideal biometric for security purposes. However, all biometrics useful to security have one fundamental flaw for widespread use: accessibility. Each of these biometrics needs a special device to scan the biometric, and these scanners are not in widespread circulation.

Biometrics that don't need a special scanner like a voice recognizer have a flaw as well, a flaw that is a recurring pattern through the security dilemma: they trade security for accessibility. Even though voice recognition does not need a special scanning device, it is much more easily imitated and is not much more secure than a password (Swaby). In order for an alternative to the password to be accepted, it needs to be accessible and secure.

Gestures and Patterns

One emerging alternative to the classic password is a system based on gestures and patterns. Windows 8 has taken the biggest step toward making this system a reality with its image password system (Swaby). With the Windows 8 system, the user selects a picture like a background and can tap, drag, and connect key points of the picture however they want (Swaby). This same series of gestures must then be entered every time as the key to the lock. Depending on the complexity of the image and the user's input, this system can be very secure and easy to remember at the same time.

The security of this method stacks up quite well. Brute-force cracking would be out of the question because of how much data would be stored in the picture and gesture input. Even though crackers could reduce that time by guessing what the key points of a picture would be, the fact that the user can connect them in almost limitless ways with many gestures would cancel out that advantage (Swaby).

In addition to being very secure, a gesture and pattern based system is also very accessible on many of today's wide-spread devices. Since so many people have access to a tablet or touch screen enabled device, such a system would already be very accessible to a wide variety of people (Swaby). However, in the still-common circumstance that the device a person is using does not have touch capabilities, this system would have to be reduced in complexity. Reducing its complexity would reinstate some of the previous security problems and reduce its effectiveness.

Human Confirmation

A system based on human confirmation would be semi-secure if implemented properly, and the delay in confirmation could seriously limit its effectiveness. However, if it is used properly, it could be very successful. Almost all internet-connected devices today have a camera either built in or attached to them (Swaby). One type of human confirmation system would have the user take a picture of themselves and it would randomly send that picture to a number of the user's friends and ask for confirmation that the picture was indeed of the person they were claiming to be (Swaby). If it received three or more confirmations, then the test would be passed.

There are a few gaping security holes in this system. One of the primary security weaknesses would be that a potential attacker could take a picture of an existing picture of the potential victim. Pictures of a large part of the people in the world are readily available on sites like Facebook and Twitter. However, this could be solved by comparing the selected picture to the available pictures of the potential victim online. If the picture passed this test, it would then be sent on to the user's friends. This would reduce the speed of confirmation even more, but because of the already long confirmation time, it would be insignificant to the effectiveness of the system.

Combination of Security Methods

As described above, each potential replacement for the password has its own strengths and weaknesses. In order to create an ideal replacement system that incorporates both security and convenience, a combination of several systems is needed (Swaby). In order for a combination of several security systems to work together, they need to be attached to each other in one central place so that any one of them can be called upon in specific situations.

For example, biometrics are very secure but not easily accessible. If available, a user could enter an iris scan or fingerprint data and have that stored in this central database. That data would only be called upon if a high priority account or piece of information was trying to be accessed (Swaby). This could be a bank account or an email account depending on the level of importance to the user. If that biometric data was not available, a combination of multiple lower security but higher accessibility checks would all need to be completed to access that high priority account (Swaby). However, if the user is trying to access a lower priority account such as an internet forum account or something similar, a security measure with a higher convenience to security ratio would be used (Swaby).

The key to making such a system secure is to not link any one account to a higher priority one. For example, logging into a low priority account should not give access to the data for the security levels above it. It also depends on not having a “forgot password” type system. One of the pitfalls of the current password system is that if an attacker is able to crack one account, he often has access to all of the victims' accounts (Swaby). This can be because the victim uses the same password for many of his accounts or because access to one account provides the details he needs to “recover” a “forgotten” password for another account. Having all the data in a central location remedies this situation and makes having different levels of security possible (Swaby).

Summary

The internet security of today is not so much a security system as it is an illusion of a security system. The many pitfalls of the password make the task of keeping data secure on the internet impossible. Advancements in computer technology mean that even a humble \$800 computer can try 8.2 billion combinations for a password every second (Lawson). Combined with complex algorithms based real-world password dumps, the password becomes easier to crack and less secure every minute (Lawson). The alternatives to the password all have trade-offs. Biometrics are very secure but inaccessible to many. Gesture and pattern based systems are somewhat complex and inconvenient but are also secure. Human confirmation systems are not complex and require very little effort on the part of the user, but are slow and less secure.

In order to really solve the internet security dilemma, a central security system that combines all the possible internet security systems into one is needed. This system will combine security and convenience. If the user is trying to access high-priority data, the balance will tip towards security and a higher-level security system will be required. If that system is not available, then a combination of several lower-level systems will be required to unlock that same data. If designed correctly, a combination system is the only system that will have the appeal required to replace the password. The transition will not be easy, but eventually, as the security problem worsens, the need for a change will become too great (Swaby). Eventually, the trade-off will have to be made, and the super-convenient password will be traded for a system that is more secure, even if it is less convenient.

Sources

Brostoff, Alexander. “Improve Password System Effectiveness.” MS thesis. University of London, 2004. Web.

“History of Phishing.” Phishing.org. Phishing.org, n.d. Web. 7 Feb 2013. <http://www.phishing.org/history-of-phishing/>

Laird, Sam. “From Parchment to Data Lockers: History of the Password.” Mashable. Mashable, 4 May 2012. Web. 16 Jan. 2013. <http://mashable.com/2012/05/04/password-history-infographic/>.

Lawson, Aurich. “Why passwords have never been weaker - and crackers have never been stronger.” Arstechnica. Arstechnica, 25 November 2012. Web. 30 Jan. 2013. <http://arstechnica.com/security/2012/08/passwords-under-assault/>.

Swaby, Rachel. “The Password Fallacy: Why Our Security System Is Broken, and How To Fix It.” The Atlantic. The Atlantic, 10 Sep. 2012. Web. 25 Nov. 2012. <http://www.theatlantic.com/technology/archive/2012/09/the-password-fallacy-why-our-security-system-is-broken-and-how-to-fix-it/262155/>

Umut, Uludag. “Secure Biometric Systems.” MS thesis. Michigan State University, 2006. Web.

Weirich, Dirk. “Persuasive Password Security.” MS thesis. University of London, 2006. Web.

Wilson, Peter. “Machines behind the codes” Bletchley Park. Bletchley Park, 2010. Web. 31 Jan. 2013. <http://www.bletchleypark.org.uk/content/machines.rhtm>

Computing | Security


QR Code
QR Code technological_security (generated for current page)