Thinking Security: Who Are You?
This is the 41st blog in a series about security and how security is about how you think.
Identifying someone in real life is rather easy – everyone has a face and probably some form of physical identification proving who they are. We’ve come a long way from paper identification – lamination and other methods to ensure authenticity in physical form (such as holograms and special bar codes). Think about the controls on the physical identifications that you have (for example, driver’s licenses or passports) to ensure that they are valid and not altered. When someone shows you an ID, you hopefully can trust that the identification is valid. But it could be a fake.
Now, let’s think about identifying someone when they aren’t physically present in front of you. Start with a phone call. Can you trust the caller ID when it shows up on your phone? What if you don’t recognize the phone number? (It’s not one of the contacts on your smartphone, so it doesn’t show up with a name, like “Mom.”) What if it shows as UNAVAILABLE (which means that I’m unavailable as well)? Does that phone number really identify the person on the other end of the line?
When we trust someone, we quickly authenticate who the person is and decide how much we can trust them. In person, we quickly trust certain people (police, for example), but what about others? Can we trust them to be who their identification says they are? Now, as we go virtual, how can we have that same level of confidence in who someone really is? For example, deep fakes (fake images online that are so close to the original they fool you into trusting them as real) present a big ongoing problem. How can we authenticate and trust in the digital world?
There are many ways that we could authenticate in the digital world. The first is IP address (and I’ll be general here between an IP version 4 address such as 10.17.88.4 and an IP version 6 address such as fe80::215:17ff:ffff:b28c). But does that really identify someone? Not really − for two reasons. First of all, it’s an identification of the network connection of the system, not any particular user of that system. Secondly, IP addresses are widely used and reused – for example, when you go into a cloud or turn on your smartphone, you get an address from the company’s pool of addresses and they make it work for you – so it’s really identifying where the address came from (for example, Amazon, Azure, or Google), not the person who’s using the service. There could also be many systems transiting through one public IP address (the concept of Network Address Translation).
Can we authenticate someone by name using the Domain Name System (DNS)? For example, if the URL goes to www.anysite.com, can we trust it? Somewhat. DNS is a very sensitive system and there have been many incentives and protocols to help it be secure because it is at the core of the internet. But any DNS name may map to more than one actual computer so that, for example, a website can handle the load of Internet shopping. It’s not foolproof, but you can probably trust that the website is the right one.
How about if that website is protected, like www.anysite.com, with Transport Layer Security (TLS, formerly known as Secure Sockets Layer)? Then it depends on the “certificate” that provides the guarantee that it’s really the right site. Many browsers will double check the validity for you and provide a padlock and highlight the site if it is validated. But the sense that it really is the right site might be false. Do you know if your bank’s website is https://www.boa.com/ or https://www.bankofamerica.com/? And what if they look exactly the same? This is similar to the fake ID in the physical world. The process has been done correctly, but the initial identity could have been faked.
The issue gets cloudier when you receive a link in an email or other media. It may be a URL “shortcut” that has a display form (what you see with the link) and a different “hyperlink” (where you actually go). Many email clients help the user uncover these inconsistencies: you can find the real URL by hovering over the link.
Then it could be the email address itself. If you receive an email from collection@IRS.gov (the United States tax authority), but hover over the address and see that it’s firstname.lastname@example.org, the latter is the real sender of the email.
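The same comparison for the sender, as an added example that is not part of the original blog: it flags a From line whose display name shows one address while the mail actually comes from another. It goes one step further than the text by also checking for a Reply-To header that points to a different domain. The sample message is constructed from the addresses in the paragraph above, and refunds@example.net is an assumed placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# An email address appearing inside free text such as a display name.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def sender_mismatches(raw_message):
    """Compare what the From line displays with the addresses the mail really uses."""
    msg = message_from_string(raw_message)
    shown_name, real_addr = parseaddr(msg.get("From", ""))
    real_domain = domain_of(real_addr)
    findings = []
    # 1. The display name contains an address from a different domain than the real one.
    claimed = ADDR_IN_TEXT.search(shown_name)
    if claimed and claimed.group(1).lower() != real_domain:
        findings.append(("display-name", claimed.group(1).lower(), real_domain))
    # 2. Replies would go to a different domain than the one in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != real_domain:
        findings.append(("reply-to", real_domain, reply_domain))
    return findings

# Constructed sample message (not a real email).
SAMPLE = (
    'From: "collection@IRS.gov" <firstname.lastname@example.org>\n'
    "Reply-To: refunds@example.net\n"
    "Subject: Action required\n"
    "\n"
    "Please confirm your details.\n"
)

if __name__ == "__main__":
    for finding in sender_mismatches(SAMPLE):
        print(finding)
```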
There have been some advances in the computer software that we use (email clients, web browsers, operating systems) to help show the user the actual source of the data that they get. However, it still comes down to how we THINK about security. For example, the IRS would never send an email to you. They would send a letter to your home (because they would know that address more readily than they would your email address).
We should always THINK about our security before we respond with any personal information about ourselves: identification numbers, bank accounts or other sensitive information. A criminal could use these to impersonate us. This discussion goes back to the security mantra “Authenticate, then trust,” which is at the heart of how we THINK about security.