July 07, 2005

Fear-commerce, something called Virtualisation, and Identity Doublethink.

According to pipeline, "E-commerce is buried beneath a blanket of fear. Online purchases, according to some observers, are down by nearly half; Internet banking by nearly a third." I'm not sure I believe it's that bad, but has anyone heard any stats? Seen any drop-off? This second CNN article disagrees, but a survey from Pew (the Register reports) says that 90% of Americans have done at least one thing to deal with the current threatening online environment:

The survey found:
* 81 per cent of net users say they have stopped opening unsolicited email attachments
* Half those quizzed (48 per cent) say they have stopped visiting potentially dodgy web sites out of spyware concerns
* A quarter (25 per cent) of those questioned said they have stopped downloading music or video files from peer-to-peer networks in order to avoid getting unwanted software programs on their computers.
* A minority of surfers (18 per cent) say they have changed the web browser software they use in order to avoid malware attack

The same survey also found suggestions that people are ignoring the security advice of suppliers such as Microsoft, which makes perfect sense to me, as their advice on security has to be politely termed 'conflicted'. Lynn Wheeler reports on their claim that they are doing "virtualisation" and that security has to wait until that is done. Seeing as I don't understand those words, I can't comment on how plausible this excuse is!

Microsoft confirms plans for virtualization hypervisor - Computer Business Review
(Anne & Lynn Wheeler, Wed Jun 29 16:03:10 2005)
i'm at annual ieee chip conference ... it is invitation only so they can talk about non-public information. late yesterday the senior engineer from amd, gave a talk on futures. he was introduced as having spent some amount of his career starting in '62 building cryptographic hardware at nsa and having been one of the primary co-authors of the orange book. he didn't mention security in his talk ... but in the Q&A afterwards somebody asked about security. He commented that you probably aren't going to really see it until virtualization.

Turns out this is what i did during the 60s and 70s ... and i got con'ed into being chair of next year's sessions on "security, authentication, partitioning, and virtualization". slightly indirect reference.

Also from Lynn, for those interested in the background behind the CardSystems breach, here's a good article. Yes, it really does say that Cable and Wireless are their security auditor...

And over in Australia, it seems that the notion that centralised identity means easy identity theft is starting to gain traction:

But Mr Ruddock told a security technology conference in Sydney today a national ID card could actually compromise Australians' security.

"We haven't supported an approach where all personal information is centralised on one database and a single form of identification is used," Mr Ruddock told the gathering of government, security and business leaders.

Such an approach could actually increase the risk of identity fraud because only one document would need to be counterfeited to establish an identity.

It is significant that people are starting to think about the problem. Consider the British view:

When the experts were asked whether the government's all-singing and dancing electronic ID card would solve the problem, there was hollow laughter all around. It would simply locate all identities in one place, creating an El Dorado for phishers.

The hollow laughter reflects the British Government's current claim that an identity card will stop terrorism, benefit fraud, and make a nice hot cup of tea, all for the bargain price of 100 of their quaint old sterling pounds.

A rather sterling performance by the London emergency services in this morning's tube and bus bombings focuses attention on the terrorist threat. Dare we ask: would the bombers have had to show their identity to get on the bus? I don't think so, and I'm personally very impressed with the concentration by the Brits on the real issues: setting up crime scenes, getting the areas cleared and people back to work, and refusing to play the media's game of spreading panic and mayhem.

Finally, Tao describes how banks in America are now employing computers to phone you up to ask you about your credit card transactions. I wonder if such computers are too expensive for phishers, or whether they are well enough funded to overcome that barrier already?

Posted by iang at July 7, 2005 12:51 PM

Centralized and even federated identity schemes could certainly become a goldmine for phishers and keyloggers. It seems such schemes will require hardware 2 factor authentication to be viable and relatively immune to such attacks.

Has anyone put much thought into vulnerabilities that Microsoft's proposed InfoCard system might face?

Posted by: Dave Jevans at July 20, 2005 12:45 PM