| Tuesday July 22nd 2014


HOWTO: Use con-games to improve information security


“Understanding scam victims: seven principles for systems security” by Cambridge University’s Frank Stajano and Paul Wilson is an excellent look at the principles involved in “short cons” (confidence games that only take a few minutes to “play”) and how they can be applied to information security. The authors examine the mechanics of scams demonstrated in the BBC show “The Real Hustle” and then extract the principles that drive them and show how they are also used in online ripoffs…

This illustrates something important. Many people feel that they are wise to certain scams or take steps to protect their property; but, often, these steps don’t go far enough. A con artist can easily answer people’s concerns or provide all sorts of proof to put minds at ease. In order to protect oneself, it’s essential to remove all possibility of compromise. There’s no point parking your own car if you then give the valet your keys. Despite this, the mark felt more secure when, in actual fact, he had made the hustler’s job easier…

Much of systems security boils down to “allowing certain principals to perform certain actions on the system while disallowing anyone else from doing them”; as such, it relies implicitly on some form of authentication–recognizing which principals should be authorized and which ones shouldn’t. The lesson for the security engineer is that the security of the whole system often relies on the users also performing some authentication, and that they may be deceived too, in ways that are qualitatively different from those in which computer systems can be deceived. In online banking, for example, the role of verifier is not just for the web site (which clearly must authenticate its customers): to some extent, the customers themselves should also authenticate the web site before entering their credentials, otherwise they might be phished. However it is not enough just to make it “technically possible”: it must also be humanly doable by non-techies. How many banking customers check (or even understand the meaning of) the https padlock?

Source


Reader Feedback

One Response to “HOWTO: Use con-games to improve information security”

  1. Clay says:

    Howdy, I read your blog occasionally and I own a similar one, and I was just wondering if you get a lot of spam comments? If so, how do you prevent it? Any plugin or anything you can advise? I get so much lately it’s driving me mad, so any assistance is very much appreciated.
