Measuring Identity Theft

Chris Hoofnagle, of the Berkeley Center for Law And Technology just published a fascinating report entitled "Measuring Identity Theft at Top Banks." If you have not already, and you are at all interested in security and privacy, you owe it to yourself to read the report. It analyzes identity theft reported to the Federal Trade Commission to start developing an understanding about which institutions have more of it.

Chris is very clear that this is a first version of the report and that it needs to be extended and expanded, and even lists a number of weaknesses of the current methodology in the report. However, it strikes me that one of the unfortunate side-effects of this type of analysis is that people may read it as an indictment of some of the victims of identity theft: the organizations who are targeted. Granted, many organizations are clearly not doing enough to help their customers avoid identity theft. Some, such as TJX and the U.K. Government, have shown a completely reckless disregard for their customers privacy, apparently without any significant consequences. Yet, many organizations are doing interesting things to combat the problem. Without truly understanding what it was that caused Bank of America to show up as the institution with the largest incidence of identity theft I do not think we should rush to indict them as an unsafe institution to do business with.

To that end, and in the hope that both Chris Hoofnagle, and others who extend his work, do so in ways that assist our understanding of this serious crime, I composed a commentary about the report. I already sent it to Chris, but thought it might be interesting reading to others as well. Chris responded to my commentary, and his responses, where relevant, are also included below.

1. The source of the information used by the criminals may be entirely unrelated to the institution the consumer reported as being involved in the crime. For example, if you look only at the phishing subset of identity fraud, as much as 75% of it is targeted at eBay ( However, eBay shows up relatively low in the report. This could be for a number of reasons:

a. The institution where the information came from may not be the institution where it was used. This may, in fact, explain the occurrence of identity fraud at telecom companies. It is not too difficult to open a new wireless account, and the information gleaned from an account takeover at eBay probably gives you enough to do so. I have seen proprietary, largely anecdotal, evidence that many account compromises are not actually used on the site where the account was stolen, but somewhere else that provides more value.

b. The FTC does not get involved in crimes involving eBay to the same extent that they do in crimes involving financial institutions. Much of the crime is about monetizing information these days, and doing so is far easier on Bank of America than on PayPal, far easier on PayPal than on eBay, and far easier on eBay than on other online properties.

c. The crimes are almost exclusively targeted at the end-user. End users of certain institutions are probably far more likely to be victimized by less-than-perfect attacks on their identity because of the type of customer the institution targets. For example, Capital One targets primarily the low-income, less educated, and less creditworthy credit card customer. It stands to reason that they would be more likely to fall for fraud than an HSBC customer, who is likely more sophisticated. HSBC, at least in the U.S., also would have far fewer customers than Capital One, skewing the results. In short, without taking into account predisposing factors such as the education level of the customers, the number of customers, and so on, the result seems more flawed than the study acknowledges.

Chris responds that "…banks are underinvesting and downplaying their true losses from identity theft. Blame is a difficult issue here–yes, the impostor is to blame, but there are situations in law where one becomes responsible for the criminal actions of third parties. Landlords, for instance, can be liable to tenants for certain criminal actions of third parties. It's in this spirit that banks share some blame in these crimes." I would add that, yes, many banks are, and they are proving far more interested in complying with voluntary regulations such as the FFIEC guidelines than they are in truly helping their customers protect themselves. That much is obvious from the implementation of completely ineffective authentication systems, such as measurement of typing cadence. However, some organizations are doing the right thing, and have recognized that protecting their customers is key to their survival as a business. On the whole though, maybe the banks' rush to comply with even voluntary standards, like FFIEC, is indicative of the power of regulation and should be harnessed?

2. The report mentions that the data is a step toward giving the consumer information to vote with their feet and choose “safer institutions.” However, what constitutes a safer institution? Certainly, an institution with a lower incidence of identity theft per deposits is not necessarily any safer, because that data is skewed in favor of institutions with a few very large accounts. Likewise, an institution with a lower overall count of identity theft is also not necessarily safer. The fact that Third First National Bank of The Side Street off Main in SomeTown, Idaho had no incidents of identity theft could simply be a reflection of the fact that they have fewer than 6 accounts, not that their strategy to use 4-digit PIN codes on their web site was particularly effective. The “safer institutions” are the ones that provide their customers with the information they need to protect themselves, that include information on how to authenticate a web site to the customer, and which take a lead in customer education and fraud combat. Bank of America’s SiteKey system is often cited as a model in that space. Discover Card’s refusal to present customers with even an SSL certificate prior to logon sits at the other end of the spectrum. The present study, unfortunately, seems to suggest that an institution is safer simply because it has less fraud in absolute terms.

3. On page 2 the report mentions that institutions should report the number of identity theft events avoided. How exactly could that be measured? Is that not like proving a negative? Certainly, an institution can cite numbers on how many incidents of attempts at opening fraudulent accounts its customer service representatives caught, but that hardly captures the full picture. I can prove I did not get hacked this week, but my “proof” may only prove that my detection mechanisms are flawed.

4. Another explanation for fraud at telecom companies may be stolen devices. Without an understanding of the nature of the fraud it is impossible to say what the source is, and to pass any judgment on the organization's acumen in helping its customers. The data appears to have no indication at all of what the source of the fraud is.

5. Which brings me to my point about suggested further study: why. Why is it that some institutions have a far greater incidence of identity theft than others? At this point, I think we need some hypotheses about the contributing factors, including customer demographics, number of customers, size of the accounts, the ease with which account takeover can be monetized, the protective measures in place at the institutions, the type of advice given to customers, and so on. This requires far more data gathering, and some multivariate analysis of the impact of each variable on the number of accounts stolen.

6. Are the months covered by the report (by necessity, obviously) actually representative of the year 2006? Certainly, the data is very interesting, and this report is the first of its kind. However, future studies, I believe, must look at larger, more representative data sets. Looking, again, at the subset of fraud presented by phishing attacks, I am not at all convinced that the months in this report are representative. According to the Anti-Phishing Working Group’s report for December 2006 ( January and March were some of the calmest months for phishing in 2006, and September had the lowest figure of the latter half of 2006. Of course, much of the fraud reported in September may have been based on data stolen in prior months, but the fact still remains that the activity differs by month. In fact, reports for January and March were both about one standard deviation below the annual average. Reports for September, while roughly at the annual average, were almost one and a half standard deviations below the average for the second half of the year. Compared to the average for the second half, January and March reports were well over three standard deviations below the average. Thus, I do not think it is reasonable to say that January, March, and September were representative months, since it is clear that the number of reports trended significantly upward for the year. Obviously, the current report advances our understanding far more than not having any analysis at all, and a larger analysis would have taken far longer. I would just like to see a more representative sample in the next report.

Chris responded that the months were chosen totally randomly, and that the seasonality of the crime makes that a weakness. However, obtaining an entire year's worth of records takes a year.

7. The report merges data for institutions such as “Citibank Visa” and “Citybank” into one canonical representation. Is that actually accurate though? For example, did Citibank National Association use different protective measures than Citibank (South Dakota) National Association? If they did, the merge is not warranted. In fact, if a single institution has different ways to access different types of accounts, then I think each type of account needs to be considered separately.

8. You mentioned that getting data on wireless subscribers is not possible. I disagree. It is possible to get some form of data, although it is obviously not entirely accurate. In a couple of Internet searches I managed to find several sources of such data. For example, AT&T reports having 70.1 million subscribers ( T-Mobile USA reported having 25M by the end of 2006 ( HTC actually reports numbers for all the major carriers at They may not be completely accurate, but as a first-order approximation I think they should do nicely.

Chris responds to this that he considers any number untrustworthy unless it is filed in a document with the government. It is hard to disagree with that position, but I personally would have been inclined to make do with potentially flawed numbers if accurate data is impossible to come by. I will consider that merely a disagreement on scientific philosophy.

9. On page 7 the report, again, makes the claim that “A more complete picture of identity theft will not emerge until institutions provide more transparency on the problem.” While I applaud the effort to get transparency into the problem, this is fraught with problems in several ways. First, the institution, while it is an incidental victim, is not the true victim, and not the true target. The end-user is. The institution may not always know that it was involved, especially not if the account is stolen from one institution but used at another one. Data on the institutions, like you have in the present study, may indicate that it is easier to monetize stolen information in some places than in others, but says nothing about the protective measures those institutions are using to protect the information they themselves own.

On the whole, I find the report fascinating, and an important first step in furthering our understanding of identity theft. I thank Chris for doing this. Now we need to keep building on it and develop a real understanding of the causes of identity theft and how effective the mitigators are.

Q&A with Amazon about the Server 2008 Security Resource Kit

Yesterday the editor of the IT section at Amazon sent me some questions about the Windows Server 2008 Security Resource Kit. The answers will eventually go on the book detail page.

The questions, particularly questions 3 – 6, were interesting and thought-provoking, so I thought I would post them here as well.

Question 1:
The credentials of the contributors to Windows Server 2008 Security Resource Kit are quite impressive (six of the 12 are Microsoft MVPs, and the others are all either current or former product group employees at Microsoft). How important was it to assemble such a group for this title?

Answer 1:
In my opinion, it was necessary. Server products are necessarily complex, and security, by its very nature, requires a very broad understanding of the product. Developing that understanding in a single person is possible, but very time consuming and still does not lead to the breadth of perspective that you find in a group of people. No single person can truly understand both what it is like to implement Active Directory in a 50,000 seat organization, and how to run a 50-seat small business network long-term, and neither of them is probably going to also be one of the world's foremost experts on implementing public key cryptography infrastructures. By putting together this world-wide team of experts (representing four countries on three continents) we were able to produce a resource that had far more depth and breadth of knowledge than would otherwise have been possible, and you get the expertise of 12 of the foremost experts on Windows Security in a single package.

Question 2:
What extras are available on the Resource Kit CD?

Answer 2:
First, you get a bonus chapter on Rights Management Services, as well as an electronic copy of the entire book. I am very excited about the electronic copy because it provides a searchable way to read the book. These types of books are always used as references, and being able to search them is very valuable.

You also get some tools that may come in handy for managing servers. Scripting Guru Ed Wilson wrote some custom PowerShell scripts specifically for this book to manage user accounts and other security-related aspects of your deployment. In addition, I wrote a couple of tools for the book. One is my password generator, which I first made available several years ago. It enables you to manage unique administrator account passwords and service account passwords on hundreds or thousands of servers on a network. I also included my elevation tools, which allow you to launch an elevated instance of Windows Explorer, as well as elevating any command you want from the command line. Having worked with User Account Control (UAC) daily for about two years, I find that one of the biggest impediments to running under UAC is the multiple prompts you get when you perform many file operations. As an administrator, that is a very common task. Elevating Windows Explorer lets you do those operations with a single elevation prompt, and still leave UAC turned on.

Question 3:
Comparing the two programs, what are some of the fundamental differences between Windows Server 2008 and Windows Server 2003?

Answer 3:
To me, the biggest difference is the fact that while Windows Server 2003 was built under the security best practices of 2002, Windows Server 2008 incorporates all the secure development practices Microsoft learned in the five years since. The field of secure software development has progressed immensely between 2002 and 2007, and incorporating those lessons will make Windows Server 2008 much more able to stand up to the threats we will see in the next five years. By the way, it is with a heavy heart that I say that, as I worked hard on security in Windows Server 2003, but it is true.

Apart from the engineering process, the first thing people will notice is the completely new management model in Windows Server 2008. Instead of installing a lot of separate components, you now deploy roles to the server. This makes a lot of sense because the roles are what you bought the server to fill. By implementing that metaphor in the management tools, the risk of misconfiguration is greatly reduced.

The new kernel features are also very important and will make a big difference for many. First, the new virtualization features are fundamentally going to change how we build and run data centers. The improvements in security, reliability, and performance in the kernel features, such as thread scheduling, and in the networking features, such as the new network file system, also are going to be valuable to many.

Question 4:
What do you feel is the biggest security oversight made by network admins?

Answer 4:
Put a slightly different way, the area where I see the most room for improvement is in security posture management. Administrators are far too focused on vulnerabilities and on the types of "hardening" tweaks that were useful in the 1990s, when software shipped wide open by default. Today, those things are not nearly as important as it is to manage the security posture of your servers. Far too many administrators still believe in the perimeter and fail to recognize that just about every organizational network today is semi-hostile, at best. The biggest security oversight is not to analyze and manage the threats posed to servers by other actors on the network. The Security Resource Kit goes into depth in discussing what I refer to as Network Threat Modeling, as the analysis phase of Server and Domain Isolation – probably the most powerful security tool in the arsenal today. Yet, the proportion of networks that use these tools is infinitesimal.

Question 5:
What are your thoughts on the constant hype surrounding potential security flaws in Vista?

Answer 5:
As I have written elsewhere ( I fail to see any data backing up the argument. Certainly, there have been flaws in Vista – and anyone who expected it to be flawless was unrealistic – but the improvements are tremendous over Windows XP. Windows Vista has about half as many critical problems as Windows XP in the same time-frame. I'm not sure that it would have been reasonable to expect it to perform much better than that given how large and complex modern software is and how fast the security landscape is moving.

Therefore, I have to think that the reasons for the hype are something other than data. The popular press seems to operate on the assumption that complaining about Microsoft generates advertising revenue, and they are probably correct. The fact of the matter today is that a significant portion of the software industry, specifically the security portion, has built its business almost exclusively on selling software that purports to protect Microsoft's customers from Microsoft's screw-ups. It is simply terrifying to it, and a grave threat to its business model, that Microsoft should actually manage to produce software, and particularly operating systems, that are so secure they do not need most of the products that portion of the industry sells.

The popular press, being a largely advertising-funded business, has happily latched on to this perception and boosted the unsubstantiated claims of Windows Vista's vulnerability to the benefit of their major advertisers. It is truly a sick ecosystem that harms the customer in both the short and long term. The threats today, as I mentioned above, are trending toward the types of things that the security software industry cannot protect against. The new threats are against people, and the focus needs to shift to helping people make better security decisions and take responsibility for their own actions. Unfortunately, the current unsubstantiated hype about Windows Vista is not about protecting customers, it is about selling unnecessary security software and inculcating users and IT managers alike in the belief that they must buy third party software to run Windows safely; a belief that, with a few notable exceptions, such as anti-virus software, is falsified by the data. In fact, the hype has even led to a huge growth industry in malicious, fake, security software. I have seen a lot of people lured by the hype into buying security software that is not security software at all, but simply malware in disguise. The average consumer, inundated with hype, is unable to make out what to really believe. This sick ecosystem is harmful and the press and the pundits are not helping, but only increasing the hype.

Question 6:
In your opinion, which network faces the biggest security risks today: the small office with multiple power users or a large corporation with a large LUA base?

Answer 6:
The unmanaged networks. I have seen very well managed and very secure networks in both small and large organizations, and I have seen poorly managed and very insecure networks in both as well. It is not really a matter of size but of how much time and effort is put into the security aspects of it. One of the largest weaknesses seems to be training. Security today is about end-points. Attacks against people are far more prevalent than those against technology and vulnerabilities. We need to, as an industry, understand how to push the security out to the assets that we are trying to protect. In the past we have centralized security because it was a way to centralize management of security. The challenge now is to de-centralize security, while still permitting centralized management. This is a non-trivial task, but it must be done. As a starting point, I dare every IT manager to start analyzing the risks to his or her network, and specifically, what it is they want the network to be used for. Once you understand what it is you want the network to provide, you have a chance to work on making it provide that and nothing else. To me, that is the most important thing we can do. A properly staffed IT group, with adequate training and resources to train its users, an organizational mandate to protect the organization's assets, and a keen understanding of the business they serve will build a network that is adequately secured regardless of the size of the network. Windows Server 2008 certainly provides some very powerful technologies to help you manage security in your network, but while that is a necessary component, it is insufficient by itself. At a very base level, it is about the people and the processes you have, more than about the technology. Technology will help, but it is just a tool that your people will implement using a process that helps or hurts.

Resource Kit Done!

Last Friday the last of the Windows Server 2008 Security Resource Kit finally went to press! This was a project I had not really planned and so, to complete it in time, I brought in an amazing crew of co-authors. Together, we managed to put together 17 chapters on how to manage security in one of the most exciting products this year.

The contributors to the Security Resource Kit are:

  • Jimmy Andersson – Principal Advisor at Q Advice AB and Microsoft Active Directory MVP
  • Susan Bradley – Small Business Server MVP
  • Darren Canavor – Software Architect in the Windows Security group at Microsoft
  • Kurt Dillard – Consultant, and former Program Manager in the Microsoft Solutions for Security group
  • Eric Fitzgerald – Currently on the Forefront team, and formerly program manager for the auditing sub-system in Windows
  • Roger Grimes – Consultant in the ACE team at Microsoft
  • Byron Hynes – Enterprise Technology Strategist at Microsoft
  • Alun Jones – Creator of WFTPD, and Microsoft Security MVP
  • Brian Komar – President of IdentIT, Inc and Microsoft Security MVP
  • Brian Lich – Senior Technical Writer at Microsoft
  • Darren Mar-Elia – Founder and CTO of SDM Software, and Microsoft Group Policy MVP

The book has 16 chapters plus a bonus chapter on Rights Management Services on the CD. The chapters in the book are:

  1. Subjects, Users, and Other Actors
  2. Authenticators and Authentication Protocols
  3. Objects: The Stuff You Want
  4. Understanding UAC
  5. Windows Firewall(s)
  6. Services
  7. Group Policy
  8. Auditing
  9. Designing Active Directory Domain Services for Security
  10. Implementing Active Directory Certificate Services
  11. Securing Server Roles
  12. Patch Management
  13. Managing Security Dependencies to Secure Your Network
  14. Securing the Branch Office
  15. Small Business Considerations
  16. Securing Server Applications

As with my Protect Your Windows Network book, there are some assorted goodies on the CD. The first one is a much improved version of the command line elevation tool that I wrote for Windows Vista Security. It now includes not just command line elevation capability, but I also added the ability to launch an elevated Windows Explorer window. The easiest way to do that is by right-clicking the folder and selecting "Elevate Explorer Here" as shown here:

The ability to elevate Windows Explorer was not included in Windows Vista, nor in Windows Server 2008, because Explorer is not really designed to be run in multiple instances in the same session. However, I find that it works quite well in spite of that, and it is extremely useful when you need to perform multiple file operations requiring elevation.

Note the little green dot in the window above. It shows me what privileges I am running with and is provided by Aaron Margosis' most excellent Privbar tool. I highly recommend using it with the Elevation Tools so you can keep track of which windows are elevated.

The Security Resource Kit CD also comes with 15 custom-written PowerShell scripts, and an electronic version of the entire book, as well as some assorted other pieces.

All in all, I am really happy with it. I hope you will like it too.

Mitigate the Image Uploader Vulnerabilities

The big security news this week is the six vulnerabilities found in various image uploader ActiveX controls. In case you haven't seen the news, there are exploits available publicly for remote vulnerabilities in five different ActiveX controls. US-CERT is offering the relatively unhelpful advice that users disable all ActiveX controls in their browser. Doing so would have the effect of disabling a lot of things, notably virtually every corporate expense reporting application. Your users will probably have a thing or two to say about that. You can mitigate that by adding all the sites users will ever need to the Trusted Sites zone, but if you haven't done that in the 10 years or so that you have had the option, you probably will not do it now.

That means you, like me, are probably looking for other options. Tom Liston, of SANS/IntelGuardians, created an application to set the kill bit on the affected controls. It is a nice little tool. However, his tool is local only, the source is not available, it is not digitally signed but instead uses an MD5 signature for source verification (standard on Linux, but not on Windows), and it uses a non-standard way of defining the control.

Another way to handle the problem, which is more scalable to an enterprise environment, is to dust off the old SlayOCX VBScript that I wrote for the VML vulnerability about 18 months ago. We can tie that into a startup script, and then link the script to a GPO. That will effectively disable the controls on all managed systems. First, we need a custom script with all the ActiveX controls enumerated:

<begin script>

REM Computer startup script: sets the kill bit on each listed control (-k) and logs the result (-l).
REM Both this file and SlayOCX.vbs live in the domain's SYSVOL scripts folder, so the path
REM includes \scripts\. cscript runs the VBScript without any GUI prompts, which matters
REM because a startup script runs before anyone is logged on.

REM Facebook
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0 -l

REM Yahoo MediaGrid
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 22FD7C0A-850C-4A53-9821-0B0915C96139 -l

REM Yahoo DataGrid
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 5F810AFC-BB5F-4416-BE63-E01DD117BD6C -l

REM Aurigma controls from
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 104B0A37-AB99-4F06-8032-8BBDC3B77DDB -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 17D667BA-5675-4AAB-9221-08B9379384D4 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 48DD0448-9209-4F81-9F6D-D83562940134 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 55027008-315F-4F45-BBC3-8BE119764741 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k 6E5E167B-1566-4316-B27F-0DDAB3484CF7 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k A18962F6-E6ED-40B1-97C9-1FB36F38BFA8 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k AE6C4705-0F11-4ACB-BDD4-37F138BEF289 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k B85537E9-2D9C-400A-BC92-B04F4D9FF17D -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k BA162249-F2C5-4851-8ADC-FC58CB424243 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k D1EA8D3D-F511-4388-B754-4A0CC14A4778 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k F1F51698-7B63-4394-8743-1F4CF1853DE1 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k F89EF74A-956B-4BD3-A066-4F23DF891982 -l
cscript //nologo \\<your domain>\sysvol\<your domain>\scripts\SlayOCX.vbs -k FB90BA05-66E6-4c56-BCD3-D65B0F7EBA39 -l

</end script>

Next, we can follow the directions in the original post to configure a startup script:

  1. Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as "NoPicturesPlease.cmd". Alternatively, just download and expand the file attached to this post.
  2. Open NoPicturesPlease.cmd in Notepad, hit CTRL+H and do a global find replace on "<your domain>" with the name of your domain.
  3. Copy the NoPicturesPlease.cmd file and SlayOCX.vbs to \\<your domain>\sysvol\<your domain>\scripts. where you replace "<your domain>" with the full DNS name of your domain.
  4. Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
  5. Right-click the domain or OU where you want to link the GPO – you may as well do it at the domain level – and select "Create and Link a GPO Here…" Name your new GPO "NoPicturesPlease"
  6. Right-click the GPO NoPicturesPlease and select "Edit…"
  7. Expand "Computer Configuration:Windows Settings" and click on "Scripts (Startup/Shutdown)".
  8. Double-click "Startup" in the right-hand pane
  9. Click "Add…"
  10. Browse to \\<your domain>\sysvol\<your domain>\scripts and select "NoPicturesPlease.cmd". Click "Open"
  11. Click "OK" again.
  12. Close the GPO editor and go back to the GPMC
  13. In the "Security Filtering" pane remove "Authenticated Users" and click Add…
  14. In the text box called "Enter the object name…" type "Domain Computers" or some other relevant group that you want to apply the policy to. Click OK.

When the computers next restart they will automatically apply the mitigation and set the kill bit on all the relevant ActiveX controls. If any given ActiveX control does not exist on a particular computer, nothing will be done to it. The script will also create a log file in the root of the boot volume, called "SlayOCX.log". By monitoring that log file you can tell how much the mitigation has modified the computers as well. If it finds any of the ActiveX controls you also have a good indication that people are surfing social networking sites at work, just in case you worry about such things.

If you want to ever undo the mitigation you can modify NoPicturesPlease.cmd to use the -r switch instead of the -k switch.
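The same mitigation, written here as an added PowerShell example rather than the SlayOCX.vbs script from the post: it sets (or, like the -r switch, clears) the Internet Explorer kill bit for a list of CLSIDs by writing the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key, records what it did to a log file, and can leave controls that are not registered on the machine alone. The function names, the log path and the -OnlyIfRegistered switch are my choices, not features of SlayOCX; the two CLSIDs at the bottom are taken from the list above.

```powershell
# Added example (not the SlayOCX.vbs from the original post): set, clear or
# query the IE kill bit for ActiveX CLSIDs and keep a log of what was done.
# Assumptions: run from an elevated 64-bit PowerShell session or a computer
# startup script; the log path and -OnlyIfRegistered are choices made here.

$KillBitFlag = 0x400   # Compatibility Flags bit that blocks a control in IE

# Registry keys IE consults. On 64-bit Windows the Wow6432Node copy is the
# one read by 32-bit Internet Explorer, so both are handled.
function Get-CompatKeyPaths {
    $paths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return $paths
}

function Format-Clsid([string]$Clsid) {
    # Accept the CLSID with or without braces, in any case; keys use braces.
    $g = [Guid]::Parse($Clsid.Trim('{}'))
    return '{' + $g.ToString().ToUpper() + '}'
}

function Test-ActiveXRegistered([string]$Clsid) {
    # The control's CLSID key is the evidence that it is installed locally.
    $c = Format-Clsid $Clsid
    return (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$c") -or
           (Test-Path "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$c")
}

function Get-ActiveXKillBit([string]$Clsid) {
    # True only when the kill bit is set in every compatibility key that applies.
    $c = Format-Clsid $Clsid
    foreach ($base in Get-CompatKeyPaths) {
        $flags = (Get-ItemProperty -Path "$base\$c" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or -not ($flags -band $KillBitFlag)) { return $false }
    }
    return $true
}

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string[]]$Clsid,
        [switch]$Remove,             # clear the bit instead of setting it (like SlayOCX -r)
        [switch]$OnlyIfRegistered,   # mirror the post: leave absent controls alone
        [string]$LogPath = "$env:SystemDrive\KillBit.log"   # assumed log location
    )
    foreach ($id in $Clsid) {
        $c = Format-Clsid $id
        $registered = Test-ActiveXRegistered $c
        if ($OnlyIfRegistered -and -not $registered) {
            Add-Content $LogPath "$(Get-Date -Format s) $c not registered, skipped"
            continue
        }
        foreach ($base in Get-CompatKeyPaths) {
            $key = Join-Path $base $c
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $old = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if (-not $old) { $old = 0 }
            # Touch only the kill bit so other compatibility flags are preserved.
            $new = if ($Remove) { $old -band (-bnot $KillBitFlag) } else { $old -bor $KillBitFlag }
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$new) -Type DWord
        }
        $action = if ($Remove) { 'kill bit cleared' } else { 'kill bit set' }
        Add-Content $LogPath "$(Get-Date -Format s) $c $action (registered=$registered)"
    }
}

# Constructed sample: two CLSIDs taken from the list in the post above.
$controls = @(
    '5C6698D9-7BE4-4122-8EC5-291D84DBD4A0',   # Facebook
    '22FD7C0A-850C-4A53-9821-0B0915C96139'    # Yahoo MediaGrid
)
Set-ActiveXKillBit -Clsid $controls -OnlyIfRegistered
foreach ($id in $controls) { "{0} kill bit set: {1}" -f $id, (Get-ActiveXKillBit $id) }
```

Without -OnlyIfRegistered the function sets the bit whether or not the control is present, which is the safer default for a fleet where the control may be installed later; with it, the behaviour matches the post, and the "not registered, skipped" log lines give the same inventory signal the SlayOCX log does. Get-ActiveXKillBit is the per-CLSID check a monitoring job can run afterwards to confirm the GPO actually took effect.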

Write down your passwords

A few years back I caused quite a stir when I mentioned in passing during a presentation that writing down your password is a really good idea. A journalist in the room decided that saying so qualified me as insane, and my employer sending an insane person all the way to Australia to give a presentation was newsworthy, so he drummed it up far bigger than it really was.

I still maintain that writing your password down is the only sane thing to do. At last count, I have 114 different passwords, for different systems, and those are only the ones I actually care about and need written down. The reason I am able to have 114 different passwords is because I do write them down. Personally, I tend to use Password Safe. It is convenient, relatively secure, and the few bugs it has are mostly annoyances.

Then, a few weeks back, I received an unsolicited e-mail asking if I wanted to review a new password organizer. I, of course, said yes. Then, a few days later, this arrived:

[Image: the Password Organizer, a printed book for writing passwords in]

OK, that was not what I expected. Innovention Lab had actually taken me very literally when I quipped that the Chinese invented a cure for poor memory thousands of years ago.

My first thought when I saw this was "OK, I know what I would steal first." And that is definitely the big shortcoming of the Password Organizer. It is quite clear what it is, and no password is required to read the passwords stored in it.

For some, however, this may be a good way to solve the problem of password overload. I once helped a mortgage broker get started with Password Safe, and after having gone back and forth via e-mail for about a week, I was ready to give up. Password Safe has a discussion forum, with thousands of posts, most of which deal with problems using it. It is simply too complicated. The password managers that are not too complicated are not secure enough. By contrast, no user manual is required to use the book. That, I think, may be what is needed to fill a very large but unique niche. For a home user, or even a small business owner who can ensure that the book stays protected, something like the Password Organizer may be just the ticket. If the bad guy can get to the book, a lot of other security has already been breached, and you have very big problems.

Personally, I do not plan on using it. I move around too much and I do not want to have to carry the book with me. I also like to use unique randomly generated passwords. For example, the password for my bank is over 20 characters long. That may be the second very large shortcoming of the Password Organizer: it does not help me generate random passwords. After all, what that journalist failed to listen to several years ago was my claim that, as long as your password is written down, you don't have to know what it is.
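The point that a written-down password never has to be memorable is easy to act on. The following is an added example, not Password Safe, the Password Organizer or anything from the post; it generates unique random passwords of the 20-plus-character kind mentioned above and reports how much entropy each one carries. The punctuation subset in the alphabet is an assumption about what typical login forms accept.

```python
"""Random, per-site passwords of the kind a written-down password can afford to be.

Added example; not Password Safe or the Password Organizer from the post.
Uses `secrets` rather than `random`: only the former is a cryptographic source.
"""
import math
import secrets
import string

# Assumption: this punctuation subset is accepted by most login forms.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length=24, alphabet=ALPHABET):
    """Uniformly random password from `alphabet`, drawn with a CSPRNG."""
    if length < 8:
        raise ValueError("length too short to be worth writing down")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniform draw: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def passwords_for(sites, length=24):
    """One independent password per site, so a breach at one leaks nothing about the others."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    book = passwords_for(["bank", "mail", "forum"])
    for site, pw in book.items():
        print(f"{site:6} {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

With 76 symbols in the alphabet a 24-character password carries roughly 150 bits, far beyond anything that needs to be memorised, which is exactly why it belongs in a safe or a book rather than in your head.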

Theft-proof biometrics

At last, there is a biometric authentication technique that cannot be stolen. Or, well, it can, but at least it won't work any longer.

Drs. Philip M. Rodwell and Steven M. Furnell recently published "A non-intrusive biometric authentication mechanism utilising physiological characteristics of the human head" in Computers and Security (vol. 26, pp. 468-478). The technique, drawn from Dr. Rodwell's research, involves measuring the resonance of human speech as modulated by the geometry of the head it originates in. In other words, while pure voice recognition involves measuring things like cadence, volume, and pitch, and can be captured by high-definition audio recorders, this technique cannot be as easily captured. It requires measurements of the propagation effects inside the head to be taken at several points during speech. Consequently, if the head is separated from its owner, no further propagation would take place. Thus, the actual biometric authenticator is considerably harder to steal.

Of course, any authenticator can be captured and replayed. The measurements, in fact, are simply taken by two microphones. Simply placing two microphones in the required position and waiting for the victim to start blabbing may actually be enough. As the implementation is designed to be used in a mobile phone (indeed, Dr. Rodwell is sponsored by British mobile telephony provider Orange) such measurements cannot be terribly difficult to obtain. Presumably, the good doctors have thought of ways to mitigate that attack as well.

Whatever you think of this technique, I am highly encouraged about the fact that people are thinking differently about security and trying to come up with novel concepts to help us be secure.