Friday 25 February 2005

ITsafe safeword concerns

Yesterday, I talked about the UK Government's ITsafe security alerts system, and how it uses a "safeword" in an attempt to reduce spoofing attacks. I have some concerns:

  1. This doesn't reduce the perceived authority of spoofed messages; it only increases the authority of legitimate messages.
  2. The safeword may be stolen by hackers, whether by spyware, packet sniffing, or an "inside job."
  3. There seems to be no way to periodically change the safeword, as one should with a password.

The reality is that this sort of weak measure can lead to a false sense of security. Arguably, that's worse than no measures at all.

Imagine the situation if virus writers managed to steal the ITsafe signup database. They could spam consumers, pretending to be the UK Government. Their messages could contain a dire warning that recipients should install a patch.

  • Naturally, the patch would contain a virus.
  • Naturally, the text of the message would employ the usual, proven social engineering tricks of such virus vectors.
  • Naturally, a significant percentage of consumers would be fooled into installing the virus.

Would the presence of the "safeword" make the consumer more likely to take the bait? I think so.

Thursday 24 February 2005

UK.Gov has idea, shocker

As reported elsewhere, the UK government now has a service, ITsafe, for advising citizens about viruses and other threats. It comes from the NISCC (National Infrastructure Security Coordination Centre).

To quote the website:

ITsafe is designed to provide both home users and small businesses with proven, plain English advice to help protect computers, mobile phones and other devices from malicious attack. It consists of both the Advice on this website, and a low-volume Alerting Service.

While this is potentially good news, that's not directly the point of this post. However, one tiny aspect of the alerting service shows an interesting idea.

When a consumer signs up to receive alerts, they're asked to provide a "safeword": this is to reduce the risk of spoofing. All messages the service sends will use this word in the subject line. A consumer can then quickly check that the message has really come from ITsafe, as someone else would not know the safeword.

This is an interesting idea, and one that banks and credit card companies could learn from. It appears to be a lightweight, yet powerful way to foil phishing attacks. However, there's the potential for this to cause a false sense of security. We'll cover this tomorrow.

[Edited Feb 25 2005 7.30pm UTC: adds concerns about false sense of security, a subject for a future blog entry.]