Tuesday, June 28, 2011

Image based authentication

I found a very interesting paper about a very different authentication method as opposed to what is used today. The basic idea is to forget about passwords and instead select a set of images that will be presented to the user, mixed with a set of decoy images, when he wants to log in. The user selects the appropriate images, and the login succeeds only if exactly the correct images are selected.

They claim that this system is more useful than traditional username-password mechanisms, as it is easier for a person to remember images than complicated text. They also claim that "password" recovery would be made easier via this method. It would have been nice to see some well-known services using such a system. However, to my knowledge, no such authentication methods are in use.

Furthermore, such a system would render password managers obsolete, as, from what I understood in the paper, it would be very hard to store the images used for login. And to prevent the same type of problems that exist in password-based systems, you would have to choose different images for each account. Maybe for just one account this would be great, but for multiple user accounts it would be hard.
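To make the scheme concrete, here is an added example of how a server might implement the recognition step described above. It is illustrative code written for this post, not the paper's implementation; the image identifiers, the user store and the grid parameters are constructed assumptions. It also shows two points a practitioner would check: the guess space (C(grid, secrets) per screen, multiplied over screens) and the fact that the server must hold the secret image set in the clear in order to render the challenge, which is the storage problem mentioned above.

```python
import hashlib
import hmac
import math
import random

# Constructed pool of image identifiers standing in for real pictures (assumption).
IMAGE_POOL = [f"img{n:03d}" for n in range(1, 101)]

GRID_SIZE = 9        # images on one challenge screen
SECRET_COUNT = 3     # of which this many belong to the user
ROUNDS = 3           # screens per login attempt
MAX_FAILURES = 5     # failed attempts before the account locks


def guess_space(grid=GRID_SIZE, secrets=SECRET_COUNT, rounds=ROUNDS):
    """Distinct responses an attacker would have to search: C(grid, secrets) ** rounds."""
    return math.comb(grid, secrets) ** rounds


def enroll(store, username, chosen, rng=None):
    """Record the user's secret images and a fixed decoy set.

    The server needs the secret set in the clear to build challenge screens, so it
    cannot be hashed the way a password is. Decoys are drawn once per user on purpose:
    re-drawing them on every login would let anyone who saw several screens intersect
    them and isolate the images that are always present.
    """
    rng = rng or random.SystemRandom()
    chosen = list(dict.fromkeys(chosen))  # drop duplicates, keep order
    if len(chosen) != SECRET_COUNT * ROUNDS:
        raise ValueError(f"need {SECRET_COUNT * ROUNDS} distinct secret images")
    if any(img not in IMAGE_POOL for img in chosen):
        raise ValueError("unknown image id")
    decoy_pool = [img for img in IMAGE_POOL if img not in chosen]
    decoys = rng.sample(decoy_pool, (GRID_SIZE - SECRET_COUNT) * ROUNDS)
    store[username] = {"secrets": chosen, "decoys": decoys, "failures": 0}


def make_challenge(store, username, rng=None):
    """Build ROUNDS screens, each holding SECRET_COUNT secrets plus decoys, shuffled."""
    rng = rng or random.SystemRandom()
    rec = store[username]
    per_screen_decoys = GRID_SIZE - SECRET_COUNT
    screens = []
    for r in range(ROUNDS):
        secrets = rec["secrets"][r * SECRET_COUNT:(r + 1) * SECRET_COUNT]
        decoys = rec["decoys"][r * per_screen_decoys:(r + 1) * per_screen_decoys]
        screen = secrets + decoys
        rng.shuffle(screen)
        screens.append(screen)
    return screens


def _canon(selection):
    # Order-independent fingerprint of a selection, so set equality can be checked
    # with a constant-time comparison.
    joined = "|".join(sorted(str(img) for img in selection))
    return hashlib.sha256(joined.encode()).digest()


def verify(store, username, response):
    """response: one list of selected image ids per screen. True only if all screens match."""
    rec = store.get(username)
    if rec is None or rec["failures"] >= MAX_FAILURES:
        return False
    ok = len(response) == ROUNDS
    for r in range(ROUNDS):
        expected = rec["secrets"][r * SECRET_COUNT:(r + 1) * SECRET_COUNT]
        got = response[r] if r < len(response) else []
        # Check every screen even after a mismatch so timing does not reveal which one failed.
        ok &= hmac.compare_digest(_canon(expected), _canon(got))
    if ok:
        rec["failures"] = 0
    else:
        rec["failures"] += 1
    return ok


if __name__ == "__main__":
    users = {}
    enroll(users, "alice", [f"img{n:03d}" for n in range(1, 10)])
    for screen in make_challenge(users, "alice"):
        print(screen)
    print("guess space per login:", guess_space())
```

With the parameters above a blind guess succeeds with probability 1/84 per screen and 1/592704 per login, far below an eight-character password, which is why the lockout counter and the fixed decoy set matter more here than they would for a text password.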

I would really like some opinions of such an authentication method. Please feel free to comment.

Tuesday, June 21, 2011

Dropbox drops security

I came across a very interesting piece of news today. For about 4 hours you could log in to a Dropbox account using only the username and with any password. This, once again, brings back to light the main problem in Cloud Computing: the loss of control. As a user, you are totally dependent on the Cloud Provider (in this case Dropbox) to manage your data. It's great most of the time, as you don't have to bother with all the configuration, including security. But it does have its downside. If the Provider does some bad PooPoo, you have no way of protecting the data.

On a personal note, I think Hussein Fahmy, Amalia Brad and I are especially proud of the fact that we foresaw something like this occurring. In my master thesis, "New Threats in Cloud Computing With focus on Cloud Misuse and Cloud Vulnerabilities from the Client Side", I actually presented a threat called Isolation Failure. The presumption was exactly what happened with Dropbox: an attacker somehow manages to gain access to the data stored on the cloud due to a vulnerability in the Cloud Provider. At that point, it was all based on presumptions, as no such case had yet happened. Until now. What happened to Dropbox is exactly the way I described the scenario in my Thesis. I am particularly happy with the solution described in Lifehacker, as I gave the same solution to the threat in my thesis. So, in essence, Dropbox just gave me a proof of concept for one of my suggested Threats.

I am curious to see what the repercussions of this "accident" will be. Will people actually listen and start to also think of the client side of Cloud Computing? Will providers also inform clients that their data is not entirely safe? Will they inform them that malware on their machine will still lead to data loss?

When I first began my studies in this field I was a bit unsure as to the feasibility and need to provide security on the Client-Side when using Cloud Computing. Now, more than ever, I am convinced that I have chosen the correct path in my studies.

Finally, I am eager to find out what just happened. Dropbox says they "made a code update". From where I'm standing it's a code downgrade. Did they just comment out the part of the code that checked the credentials of the user? As far as I know, Dropbox is built on top of Amazon S3, so I am also wondering if this vulnerability was propagated there as well. Anyways, I am looking forward to seeing what exactly happened.
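The failure mode in this post, a code change after which the password is no longer checked at all, is one that a negative-path test catches trivially and a positive-path test never will. Below is an added example, not Dropbox's code or anything known about their change, of a small login routine next to a hypothetical broken variant that accepts any password for a known user, and an invariant check that a deployment of an authentication change would run against whichever variant is live. The user store and passwords are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for this example


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 record for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


# Constructed user store: one account with a known password.
USERS = {"alice": hash_password("correct horse battery staple")}


def login(username, password):
    """Correct behaviour: True only when the user exists and the password matches."""
    rec = USERS.get(username)
    if rec is None:
        # Spend the same work on unknown users so response time does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])


def login_broken(username, password):
    """Hypothetical regression: the credential comparison is gone, so any password
    is accepted for an existing user. This stands in for the behaviour the post
    describes; it is not Dropbox's code."""
    return username in USERS


def auth_invariants(login_fn):
    """Negative-path checks that any authentication change must keep passing.
    Returns the names of the invariants that fail; an empty list means all held."""
    cases = [
        ("wrong password rejected", ("alice", "wrong"), False),
        ("empty password rejected", ("alice", ""), False),
        ("unknown user rejected", ("mallory", "correct horse battery staple"), False),
        ("correct password accepted", ("alice", "correct horse battery staple"), True),
    ]
    return [name for name, args, expected in cases if login_fn(*args) is not expected]


if __name__ == "__main__":
    print("sound login:", auth_invariants(login) or "all invariants hold")
    print("broken login:", auth_invariants(login_broken))
```

Run against the sound routine the check returns an empty list; against the broken one it reports the rejected-password invariants, which is exactly the signal a release gate needs before an authentication change reaches production. The correct-password case is kept in the list so that the gate also catches the opposite regression, a change that locks everyone out.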