Intel pushes password-pumping mojo Intel has teamed up with security firms Symantec and Vasco to create a hardware-based one-time-password system to boost protection against phishers, fraudsters, and identity thieves. "The notion of username and password as security is ridiculous," Intel's Identity Protection Technology (IPT) marketeer Jennifer Gilburg told The …
So how long until someone writes a trojan that sends those passwords in real-time to the bad guys? The point of OTP devices is that they're either not connected to the internet (dongles et al) or a computer for that matter, or for some reason harder to do a targeted hack into (cell-phone apps et al).
This sounds awfuly familiar:
"that provides the PC with a unique ID." A unique ID, kind of like the serial number fiasco of the PIII.
OTP devices also allow someone to be mobile and not tied to a single machine. What keeps someone from using your login information to add another machine to the allowed list. That is the advantage of the dongle/USB/phone app, it goes with the person, not with the computer.
Symantec and security is an oxymoron.
I utterly second that.
The less Symantec have to do with ANYTHING connected either by wires or the ether to my small network, the better.
Stick to Norton ghost, if nowt else you managed to create ONE good piece of software. But that dont make up for the dog egg that is NIS.....
Ok, when I sign up for some new service, I'll link my computer with my account and that OTP will be used, perhaps with my password, to log me in. Now, what do I do if I get a new computer or want to use my friend's computer? Will I just have to fill out a computer reset form? And what's going to keep that any more secure than the current method? Is this issue somehow mitigated by the stuff that Symantec is doing? Perhaps, they keep a database of your computers or something. If there's a database somewhere, then does that mean the end of plausible online anonymity, as you can no longer even claim that your neighbor hacked your wireless account?
Also, does the OTP method help at all with public computers, such as those at schools and libraries?
Can someone offer a more complete description of how this system is supposed to work?
P.S. I kinda like the method that my banks use, which is to ask an extra, weird question if a cookie hasn't been set in my browser. Though, getting the extra question does indicate that you already guessed the username and password correctly.
So, is this new stuff tied in knots with IP protection, or are AMD and others allowed to implement it in their products?
If not, then Intel is trying to get websites to end up operable only via Intel CPUs. That *might* have sort-of worked a few years ago, but with so many mobile browsers based on non-Intel CPUs, it would be a lot less feasible today.
I vaguely recall hearing that some new security stuff that Intel/Symantec were doing was such that it was simply a lot faster on an Intel CPU with some new technology. Is that the case here?
"The problem with OTPs, not to put too fine a point on it, is that they can be a royal pain in the butt"
No, the real problem with OTP's is that they do not work. Neither OTP's nor external crypto dongles nor any authentication in any form can protect against an existing bot. Something like half of our computers do have bots, and that only counts what current tests can find.
The solution starts with not having a bot. Let Intel work on solving that.
The technology seems cool enough, but it isn't obvious to me how this provides better protection than a fob-based one - it only confirms the identity of the PC, not the user.
And how does it protect against phishing sites?
P'raps it's cos it's Saturday and my brain hasn't woken up,
It's Sunday, and i'm fully awake, and I've re-read the article. I still don't get how it is more useful than a separate device (fob or whatever). Unless there is more that we haven't had explained to us, this will provide improved authentication of a device, but if anything it allows the possibility of false user authentication : how does the system know it is not my offspring or a bot that is in control of the PC?
The only use I can see is for improved platform authentication on a network, and maybe govt-related organisations and businesses might find that useful. Otherwise, worse than useless.
Yes it is. Well, not that. But not understanding why you have passwords in the first place, that's ridiculous.
Yes, OTP is a better proposition purely from a security PoV. But there's a reason it's only the admins that got around to actually use them. And the problem with systems that are too cumbersome to use, is that they'll be circumvented and subverted by their own users. Which is arguably much, much worse than a simple username/password combination.
But never let that stand in the way of a good marketeering shtick. "We put it in the chipset!!1!" Sure, that's so useful, it's immediate vendor lock-in across the board. You know what, let's not rely on that.
I really don't want to scramble to recover a gazillion passwords just because my laptop got stolen, the chip died, or heck, the desktop is somewhere I'm not right now. And none of that convenience protects me from having the OTP generating vectors lifted from a 3rd party website.
The animal farm reference is just that more grist for the mill. No thanks, miss piggy.
Given this capability is likely to be routed through the OS, how long until Windows has a virus/trojan that allows remote access to the OTP as well as key-logging so the bad guys again have all they need?
The big advantage of the key-fob is (a) you can use it on multiple PCs, including untrustworthy ones, and (b) it is not connected to the internet and thus virtually immune to malware. Biggest disadvantage is various banks and so on all having different systems so you have a fist full of junk to carry with you if you want access on the move.
Why not have a way of using one OTP key fob with multiple accounts?
"The big advantage of the key-fob is (a) you can use it on multiple PCs, including untrustworthy ones, and (b) it is not connected to the internet and thus virtually immune to malware."
Certainly, one can use the key-fob anywhere one likes, but if it is used on a PC which has a bot (that would be the "untrustworthy ones"), the OTP will not protect the account credentials. The problem is not infection of the key-fob, the problem is a malware bot infection in the user computer or mobile device.
A bot is the real-time presence-by-communication of an attacker inside the computer. As such, the bot has many options, but the easiest is simply to wait until all authentication is done, and then access the opened account from the user's machine, while delaying the user with false data or errors. No authentication through the computer can stop this because no account can distinguish between valid commands ordered by the intended user and false commands ordered by the attacker, both coming from inside the user's own machine. And the bot can prevent user commands from getting through.
By itself, a key-fob is not a secure solution in the current environment. Not having a bot is the solution, and then your key-fob will work fine. Security thus requires some form of trusted hardware, such as a Linux LiveDVD boot.
While it is true it won't protect against real-time tampering with your access, in most cases that would be apparent and so possible to report quickly. Also it is a much bigger challenge to write malware to automate the actions of taking over/tampering with an account in real-time, compared with just passing on the details to someone for selling/exploiting later.
So, yes, its not total protection against a compromised PC but its a lot better than nothing. Of course you would be an idiot to knowing use an infected PC, but making things harder for the bad guys, and making detection of malicious activity easier, has to be a good thing.
Tux, my current friend against 99.9% of malware.
"By itself, a key-fob is not a secure solution in the current environment. "
I understand what you are saying, but I am reminded of the Voltaire quote: "The perfect is the enemy of the good."
OTP mechanisms like keyfobs go a long way to reduce the security effects of phishing attacks. My RSA SecurID token "protects" my credentials quite well... even if my username & password are phished, the credentials are useless after 60 seconds without the corresponding number from the token. Any security exploit would require live session hijacking (as you described), which is a rather complex, unwieldy vector of attack.
Will an OTP mechanism protect you against shadowy intelligence agencies willing to expend significant effort to target your interactions with a specific website? No, probably not.
Will an OTP mechanism confound the overwhelming preponderance of phishing attacks? Yes, quite certainly.
I am reserving judgement about Intel's specific OTP implementation. I prefer the airgap I get from the external keyfob—not to mention that their implementation seems inelegant for reasons that other posters have already described. However, if they manage to popularize it and the system makes a dent in phishing attacks against the populace then that would definitely be a win for all of us.
What is needed is for someone big, an Intel, Google, Microsoft, or Facebook, to standardize on a way to coordinate a single OTP device amongst many users. Have the end user provide the OTP device and provide them some way to register it with the companies they want to use it to login with. Presumably the OTP device would be a cell phone, usable either with an app or via SMS messages, since just about everyone has one - those who don't have/want a cell phone could cheaply buy an outdated phone capable of running an OTP app and use it for this purpose only.
There would need to be some central authority managing all this, with logins going from you -> website -> authority for authorization -> website -> message to you that login was successful. It would be free to the end users, the companies that want to allow us to use it to login would pay them a fee determined by size: free for very small sites, moderate fee for medium sites, and a large but reasonable fee for the very large sites. This would pay for the authority operating the site, plus provide a reasonable profit margin (ideally it would be operated non-profit, but that may be too much to ask!) This would be worth it to them because they would have fewer issues/expenses dealing with users who lost their password information, accidentally created multiple accounts, phishing attacks, bad charges as a result of phishing they end up having to eat, etc.
The reason this hasn't been done yet is that companies like Intel, Microsoft, Symantec, and RSA see this is a potentially big profit center, one where they might be able to charge monopoly rates. Hopefully a company that sees this as something that's for the good of the Internet and not really in their normal line of business, like Google, Facebook, or possibly Apple, will eventually see the logic in doing the legwork to get this going. Once a bit of critical mass was achieved it would eventually kill this Intel initiative, and bring in all the in-house efforts done by corporations for remote access and big banks for account access.
It would be something along the lines of the "MS passport" Microsoft tried to push years ago as a single sign-on for the Internet, but where the central authority managing it would not be an existing big business, but a new corporation created expressly for this purpose and prevented by corporate charter from attempting to enter any other line of business - to prevent them from using this monopoly as a club to other or future markets!
We do need interop. "Anonymous" (as in, minimum information transfer), privacy-protected, but most of all, _mutually authenticated_ interop. And with that it makes no sense to provide anything but an equal footing for each and every actor. But if you can't find a way to do it without a central authority, you might as well give up.
Even "IRL" there are no real central authorities, only artificial ones. Take your passport: If you think of it as issued by a central authority, you think of it wrong. It was, and in name only still is, a document asking other governments to be nice to the passport holder. A letter of credit, of sorts. Forgetting this is exactly what's wrong with "ID" today.
Within the country ("ID cards") or corporations (access badges) it's somewhat different, but the internet isn't a corporate office. It's very much a cooperative of autonomous systems, literally if you go look at its routing structure. And even if that weren't the case it would be fairly stupid to just copy the corporate model anyway. It doesn't scale.
So. The best way to prevent abuse of monopolies is to not have them in the first place. So please don't advocate creating them, hmkay.
So if the PC dies, I lose access to it or whatever else happens... I also lose access to all my accounts for the time being?
Maybe I'm missing the point here but isn't authentication all about confirming your identity to a service? So why would we technically create another identity (the PC we are using) when we already have our own?
With everyone going "cloud" and using mobile devices more each and every day, forcing people to authenticate via an arbitrary desktop PC seems kind of like a money-making afterthought, not a real effort at innovation. Point of the OTP dongles was to allow me to authenticate from anywhere. With this tech, I can authenticate from... wherever my PC is located. Definitely a step backwards.
that I can't see it being adopted. As others have pointed here, how about AMD, ARM or future architectures ? Do they have to pay a license to Intel ? Can Intel resist temptation to nudge competition into a tailspin ? Symantec's competence at anything non-Windows has not been tested so far so how about other OS ? Probably Apple can afford to buy a license but how about the others ? Are websites going to force you to use this scheme thus pushing the you into the stranglehold of a certain vendor ?
I mean what is the estimate of computers currently recruited into a bot army? So the bot army owner has access to username, password and unique key, brilliant.
But what about me? What happens when I want to login from a work computer? Or a friends computer?
Sorry, but a fob is far more useful and secure than this epic fail.
Just didn't know how bad.
At the time I was hoping it would be something like say an extra bios chip which has Kaspersky (I know I know Symantec) or something similar on it, but clearly they want to package all of us "consumers (tm)" into a tight little box, to be dumped at the doorstep of (Insert Country Here) fascist spying government, with their framework of ID's, and basically the corruption of personal responsibility in lieu of big sis getting into everything.
The second thing here is the history of destruction left in the wake of symantec.
Was it msav or cpav - dead.
xtree - dead
Norton Utils (last version worth a crap was 5 or 7?)
but now we are talking security built into the firmware / chips.
Dear Intel, Make these ridiculous IPT Chips Removable. I can manage my names and passwords just fine. Frankly I don't trust you.
The curse of Symantec marches on, now infesting my favorite chip manufacturer.
Take note Intel, I will go elsewhere if you solder this crap in..
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
