[ISN] Assumptions Regarding Security of Any System

From: mea culpa (jerichoat_private)
Date: Mon Nov 16 1998 - 11:47:52 PST


    From: Edentificaat_private
    Extract from: Electronic Identity Fraud Newsletter Volume 1, Issue 2
    
    THE ASSUMPTIONS REGARDING THE SECURITY OF ANY ELECTRONIC COMMERCE OR
    COMMUNICATION SYSTEM
    
    CAN ANY SYSTEM BEING USED OR PROPOSED TODAY IN ELECTRONIC COMMERCE BE MADE
    SECURE?
    
    NO!!!  Absolutely secure encryption cannot provide security, perfect
    firewalls can't provide security; perfect digital certification can't
    provide security and neither can the combination of all three. 
    
    I can hear everyone saying, "Wait a minute! Are you crazy?" 
    
    No system, no matter how advanced the technology, can be secure if it has
    an unsecured element. System security is a weakest link phenomenon. The
    weakest link in this environment is Identity Certainty. All commerce today
    relies almost exclusively on digital identities. These digital identities
    may be in the form of credit cards, government identification cards, or
    digital files in large or small databases, operated either locally or by
    international information providers. 
    
    The problem is that the focus has been placed on the physical security of
    the system, and not the security of the information contained in the
    digital identities. The primary source of the digital identification is
    the individual. There is no imprimatur as to the truth of the information
    provided, regarding the identity of the individual and no significant
    attempt at verifying the truth of the information. 
    
    These digital identifications are freely exchanged and ultimately
    contained in innumerable databases. This is an open system. It takes no
    sophistication for a criminal to insert an identity in the system or to
    manipulate an identity within the system. 
    
    Complicating and significantly weakening the security of the system is the
    obsolete paradigm that there is a one-to-one relationship between a
    digital identity and a real person. This assumption does not withstand
    scrutiny.
    
    There is no way of knowing with any certainty that a digital identity
    actually is the surrogate for the person whose information is represented
    by the digital identity. Most information that ends up as a digital
    identity is collected remotely. In the rare instance where the information
    is collected face-to-face, it is collected by a person not familiar with
    the stranger offering the identity information. To the extent there is an
    attempt at verification it is by comparing one set of digital information
    collected in this manner with another set collected in the same manner. 
    
    Furthermore, the input of identity information into the system is in a
    wide-open environment with no uniform controls. There is virtually no
    security for this crucial piece of information in the system including
    encryption, firewalls or any other approach. Therefore, there is no
    compensation for this breach of system security. The proof of this pudding
    is the rapidly growing problem of identity fraud. (The use of biometrics,
    their strengths and weaknesses, will be the subject of a future
    newsletter.)
    
    CONCLUSIONS
    ~~~~~~~~~~~~
    The origin of the problem of "Identity Certainty" is in the assumption
    that the fraudster and digital identity are the same unique person. The
    solutions to this problem will only be found when that assumption is
    addressed. Those who are designing the electronic commerce system are
    still using 19th century definitions when designing for the 21st Century.
    These definitions no longer apply and their use will result in a weak and
    vulnerable system.
    
    By John F. Ellingson, Madison, WI - editor
    Principal in e-DENTIFICATION, LLC
    Personal Email Address: JohnE37179 @ aol.com
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:27 PDT