Archive for the ‘Information Security’ Category

Usable Security

There has been a big push over the last few years to develop what has been coined “usable security”. Mechanisms such as drawing a pattern on an Android device instead of typing in a 4-digit PIN, or identifying particular things in an image instead of typing a password, have been developed. The biggest problem with these usable security mechanisms is that they often take longer to use than the alternatives.

Imagine if you had to take your mouse and click at 10 particular spots in an image every time you wanted to unlock your screen at work. Doing this would take several more seconds at every sign-on and would add up quickly. For systems that are used frequently, keying in a password is often still the fastest method.

Well, Microsoft has developed a new solution. Instead of having password requirements that are visible to the user, like minimum length, they want to let users use anything as a password. Even simple passwords like “love” would be accepted. However, there is a catch: only a small number of users will be allowed to use a particular password.

Complex password requirements were introduced to combat spray and pray attacks. A spray and pray attack is when an attacker tries one particular password on a large number of accounts, thereby bypassing lockout procedures. This solution by Microsoft addresses this by only allowing a small number of accounts to be compromised by any one password, which reduces the benefit of the spray and pray attack while keeping passwords simple and easy to remember.
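The popularity limit described above, as an added example (not code from this post or from Microsoft). It assumes the counting is done with a count-min sketch over keyed hashes, which the post does not specify; `PopularityLimiter`, `enroll`, `spray_hits`, the demo key and the cap of 3 users are all hypothetical.

```python
import hashlib
import hmac


class PopularityLimiter:
    """Count-min sketch of per-password user counts, indexed by keyed hashes (assumed design)."""

    def __init__(self, key, max_users=3, rows=4, width=1 << 16):
        self.key, self.max_users, self.width = key, max_users, width
        self.table = [[0] * width for _ in range(rows)]

    def _cells(self, password):
        for row in range(len(self.table)):
            mac = hmac.new(self.key, bytes([row]) + password.encode(), hashlib.sha256)
            yield row, int.from_bytes(mac.digest()[:8], "big") % self.width

    def estimate(self, password):
        # Collisions can only over-count, so the cap is never exceeded;
        # the price is that a rare password may occasionally be refused.
        return min(self.table[r][c] for r, c in self._cells(password))

    def try_set(self, password):
        if self.estimate(password) >= self.max_users:
            return False  # too popular: the user must pick something else
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return True


def enroll(limiter, requests):
    """requests: (user, [passwords in order of preference]); first accepted wins."""
    accounts = {}  # plaintext only so the demo can count matches; store salted hashes in practice
    for user, choices in requests:
        accounts[user] = next(pw for pw in choices if limiter.try_set(pw))
    return accounts


def spray_hits(accounts, guess):
    return sum(pw == guess for pw in accounts.values())  # accounts one guess would open


def run_demo():
    # Constructed sample: ten users who all want "love", each with a unique fallback.
    requests = [(f"user{i}", ["love", f"fallback-{i}-horse"]) for i in range(10)]
    limiter = PopularityLimiter(key=b"constructed-demo-key")
    return limiter, enroll(limiter, requests)


if __name__ == "__main__":
    print("accounts opened by spraying 'love':", spray_hits(run_demo()[1], "love"))
```

Without the limiter all ten constructed accounts would share “love”; with it, one sprayed guess opens at most `max_users` of them.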

Examining Security Of Open Source and Closed Source

I recently completed a research paper with two of my colleagues, Clint Caywood and Matt Strayhall, on the security of Open Source Software. The paper went very in depth and, I feel, helped fill the void left by the lack of credible information on this hotly debated topic. Here is the abstract:

In this paper, we examine the security of open source software versus that of closed source software. Facets examined include a brief history of the growing need for security in software, a comparison of the different philosophies driving the development of security in open and closed source software, arguments for obscurity in closed source versus the “many eyeballs” theory in open source, and the pros and cons involved with both development processes. We also look at the two approaches in practice, focusing on competing software like Linux and Windows, OpenOffice.org and Microsoft Office, and Apache and Windows IIS Server. Finally, we examine the impacts on society from software security, as well as who is responsible for maintaining secure software.

You can find more, including download links, if you visit my Research section of this website.

Risks of Modern Life

According to Confused, using social websites such as Twitter or Facebook can increase your risk of being robbed. It is even being said that using Facebook or Twitter may soon increase your homeowner's insurance. At first glance this seems pretty scary and is something that most people likely never considered.

Robbers want to rob a house when they will have the greatest chance of not getting caught. That means they do not want anyone to be home. These articles point out that when you post your whereabouts online, you are informing robbers. They could use the information that you are not home to go to your house and rob it. The first assumption is that your address is freely available. After doing a quick check of my computer-illiterate friends on Facebook, I didn’t find any with that information available. However, the robber could use your name and a phone book to look you up.

The other problem is that robbers already have tons of ways to find people who are not home. They can simply pick up a phone book, call numbers in order, and go to the houses that do not pick up. In fact the robber could get lucky, and the homeowner would have put a message on their voice mail saying they will be out of town. Robbers also know that nearly everyone works during the day, so they can simply go up to a house during the day and knock to see if someone answers the door.

If we look at someone who is guaranteed not to be home during a certain time, such as a news anchor who is live on air at a certain time each day, we do not see an increase in the likelihood of robbery for news anchors versus the average person.

I’m not saying it’s perfectly fine to post your whereabouts online. I just want to point out that it is very doubtful it increases your likelihood of being robbed. I hope the smart people at the insurance companies actually look at some data and not just jump on the chance to charge more money.

Consider both sides

I was recently watching some research project proposals at my university. One of the proposals caught my eye: it was a way to stop common cheating techniques for page rank. At first glance the proposal has some good merit; the system would stop the current techniques used. However, the problem was that they did not take into account what new problems they would introduce. The actual proposal is still private, so I cannot talk too much about the details.

It is very common to come up with solutions that fix very common bugs. What is equally common is creating new bugs that are as bad as the ones that were corrected. When fixing security vulnerabilities, the fixer must consider both what is fixed and what bugs the fix will introduce.

A Lapse in Policy

We have all been on the phone talking to someone that we may not know all too well, when at the end of the conversation they say, “Sounds good, go ahead and shoot me an email about this.” If you are like me you think, “Why? We just talked about it.” However, that email is actually used for quite a few things. The most obvious one is that it will be used as a reminder; people often use their inbox as a to-do list. The next thing that email will be used for is a record of your request; most companies have very strict policies on change management where all changes must have a request associated with them. The final thing that email will be used for is authentication; with the rise of knowledge about social engineering over the phone, email as authentication has come into play.

The lapse in policy comes from the last two things the email serves as. It comes from the assumption that only the person who controls the email account can send an email from that email address. Unfortunately email, like most Internet protocols, was invented before security was taken into account. It’s actually considered quite trivial to send an email appearing to come from any name and email address that you please.

Fortunately there is a simple fix to this problem: reply to all request emails with a confirmation request. So if person A requests that person B perform some task on the company’s file server, then before performing the task, person B should send a confirmation email to A asking A to confirm the task. The request and the confirmation should then be stored for record keeping, and we can be sure, to the point of the security of the email account, that the request was authentic.

Paying the Ultimate Cost

In America and most of the western world, when we hear the phrase “paying the ultimate cost” we think of dying for a cause. Basically it means we value one’s life as the highest cost we can sacrifice. In security the only way to protect something is to make the cost so high that attacking it is simply not worth it to the attacker. So in the west, and especially America, we use the threat of taking away someone’s life as the cost for committing very serious crimes. Some would debate how well this works, but I am of the personal belief that it works pretty well.

People often argue that defending against a suicide attacker is impossible for the reason that the attacker doesn’t value their own life. The problem with this argument is in the assumption that to the attacker the ultimate cost is the attacker’s life. I would argue that there must be something that is so valuable to the attacker that it will make them feel the attack is not worth it. An example suggestion would be the attacker’s family. If the 9/11 hijackers thought America would hunt down their family and kill them, I would suspect they wouldn’t have done it.

Now this sounds horrific; that’s because it is. We in America and other Christian-based moral codes would never hold the fault of a family member against the entire family. I would also never suggest that as a solution or support it. The point of the argument is that in trying to mitigate a risk you must consider the potential cost to the attacker. The higher you can make it the better. Unfortunately, when you deal with people that have a different moral framework, like terrorists, costs are measured differently. When attempting to develop mitigating controls to defeat terrorism, we have to be creative in finding costs to the attacker that are OK in our own moral framework but are still costly enough to make the attacker not attack.

Insights in Risk Assessments

Bruce Schneier has a great insight on risk. In a recent post to his blog he wrote:

People have a natural intuition about risk, and in many ways it’s very good. It fails at times due to a variety of cognitive biases, but for normal risks that people regularly encounter, it works surprisingly well: often better than we give it credit for.

This struck me as I listened to yet another conference presenter complaining about security awareness training. He was talking about the difficulty of getting employees at his company to actually follow his security policies: encrypting data on memory sticks, not sharing passwords, not logging in from untrusted wireless networks. “We have to make people understand the risks,” he said.

It seems to me that his co-workers understand the risks better than he does. They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.

Bruce hits risk assessments right on the head in this post. The risk inherent in what is considered risky Internet behaviour is not as bad as many make it out to be. People often surf the web on untrustworthy wireless networks and store data on unencrypted memory sticks, and nothing bad ever seems to happen because of it, at least on the personal level. We may read news articles once a week that describe how some sensitive data was lost on a stolen laptop or some other similar story. The thing to take from them is that they are in the news; if it happened to everyone it wouldn’t be newsworthy. Bruce goes on to say:

“Fire someone who breaks security procedure, quickly and publicly,” I suggested to the presenter. “That’ll increase security awareness faster than any of your posters or lectures or newsletters.” If the risks are real, people will get it.

This is exactly correct. People need a real risk to be aware of the riskiness of their behaviour. However the network administrators need to take into account the actual risk, likelihood, and cost of each policy. You can’t stop business in the name of security.