The dream of having everything in one small device is coming closer and closer. Today, a single device can contain a cellphone, PDA, MP4 player, and high-quality digital camera. Furthermore, the device can be used to read email, play games, open and edit Office documents, surf the Web and more. Although not everyone has such a device, many (if not most) cellphones provide users with the ability to surf the web, download software, play games and so on.

What most people are not yet aware of is the huge security risk that such a device poses. Well, maybe people are aware that if they lose their device then they are in trouble (and so passwords and file encryption should be used, where necessary). However, a potentially greater risk, in my opinion, is that of malware. I would argue that we have pretty much failed at educating users not to download software to their PCs. For this reason, most work places have stringent firewalls and security policies that just prevent users from doing this. Further protection is provided by anti-virus software that sits on the users' personal computers.

When it comes to cellphones, we have double trouble. First, although we haven't succeeded in properly educating users regarding their personal computers, at least some awareness has gotten through. In contrast, there is almost zero awareness as to the dangers of downloading applications to a cellphone. Second, when these devices contain sensitive information relating to work, the organization has much less control. The users connect directly to the cellular network and so firewalls and network policies don't apply. Furthermore, on most devices there is very little that an employer can do to prevent misuse.

In conclusion, these new devices provide great potential but also great risk. We have a lot of work to do in order to both educate users and develop tools to protect the uneducated!

I just got back from the Black Hat USA 2007 security conference in Las Vegas (actually I got back a month ago but have been on vacation). I presented a talk on Anonymous Authentication, a seeming contradiction in terms (anyone interested in details can look here for the white paper and presentation). Black Hat has made a name for itself of being a top security conference where cutting edge research is presented. This reputation has been well earned, and the level of material present was very high. I hope to be back again next year...

We chat, blog, interact with our friends and act freely online. However, we are not always aware that our online conversations are far from private. Of course, if we think about it, then anyone can access what we say. But who really wants to? Besides, it's not really linkable, or is it?

An article by David Rosenblum of Harvard University in the May/June 2007 issue of IEEE Security and Privacy is a must read for anyone who chats, blogs and belongs to an online social network. Not only are our online conversations not private, but they are of great interest to others! Rosenblum outlines why youth act as freely as they do online, and why they really shouldn't. He cites studies that show that employers are now using the web to search for information about potential candidates. If candidates have displayed undesirable behavior (e.g., stating that they take drugs or have outlandish habits), then they may not get the job. Note: it doesn't help to explain that you were younger, that you were just showing off, or anything else. Once you wrote it, it's there, and it can and very well may be held against you.

So, what should you do? First, exercise some reason about what you post. Second, be truly anonymous (e.g., don't use an "anonymous name" that is your ID to your Yahoo! account; this can easily be traced back to you). Third, accept and understand that the written word has power, and once you post something it will always be there to come back and haunt you. (Needless to say, the same is true about pictures. Think about whether in 15 years you want your children to see this picture of you...)

Recently, a true random number generator has been offered for free use online; see the website here. The service owners are very explicit about what such a generator is useful for, and their focus is on scientific simulations. Unfortunately, however, there is also a mention of security and although they state that this feature is not yet implemented, reports on the generator mention cryptography as an application.

It is true that cryptography needs random numbers (or, more accurately, random bit strings). However, these random numbers are used to define cryptographic keys that must be secret. A truly random string that is not secret has zero cryptographic value. So, now you should ask yourself whether you really think that it's a good idea to download your secret key from someone else's website. At the moment, there is no protection on the service so anyone could eavesdrop on the random bits that are downloaded. However, even if the service is protected, do you want anyone else to have access to all of your secret keys?

Using an online random number generator for cryptographic purposes is probably one of the worst ideas possible. It is much much much better to use a pseudorandom generator on your local machine. Having said that, there are hardware random generators available for local machines and these are preferable. Smartcards that generate random strings are also preferable. If you must use software only, make sure you use a call to the operating system (and not some C random() function with the date as a seed; this is so not random that you may as well download your secret keys from an open website).

One very difficult problem that constantly pops us is how to initialize and reset user passwords. In the work place, initialization is usually based on physical presence (it's a new employee, so the IT team can sit down with her). However, password reset is often more problematic: the employee may be on a business trip and the IT team may not sit at every office location. In other settings, it is even more difficult - how do I get a password for my frequent flyer account?

Well, a few weeks ago I tried to open an online account for my frequent flyer program (I won't say which airline). I was very pleased to see that I could not sign up for a password online, and had to ask for one to be sent to my address by regular mail. This seemed to me to be a good security procedure. The problem began when I received my password which was 1234. I assume that this is the same password everyone receives! Now, to give them some credit, the letter I received did not contain my frequent flyer number. However, the webpage used to request a password is not SSL protected. This means that it is possible to just eavesdrop on the site and see which frequent flyers have requested a password. At this point, just assume that the password is 1234 and you have access! You may say that I'm making a mountain out a molehill - it's just a frequent flyer account. However, these accounts allow users to store their credit card number for future reservations (for one example).

So what is a good procedure? Well, the above wouldn't be bad had they sent a random password instead of just 1234. But some places are even worse. When I opened online access to my bank account in a New York bank, the only requirement was that I have my identifying details and the current bank balance. This was considered enough identifying information for me to have Internet access that allowed me to transfer funds and so on. My wife asked me if it's safe to open the bank account to online access. My answer was that it's safer than not! At least by opening it, I can set a good password. Otherwise, it's fair game to anyone learning my balance and identifying information (none of which is truly secret).

Password reset is just as difficult (if not moreso). I won't provide solutions here - my aim in this blog is just to raise awareness to the problem. However, I will give one example from my days at IBM. If I would forget the password to one of my numerous accounts, I would call the IT team. At this point they would ask me identifying information, put me on hold and call me to my known office phone number. The answering machine would pick up (even if I was in the office because I was on hold with them at the same time) and they would leave the new random password on the machine. I would then retrieve the password from my answering service which, importantly, was also password protected. I don't know what they would do if I also forgot the password to my answering service. In any case, this is a well thought out and thorough procedure.