24 October 2010

Idle thoughts V: "blanket"

It seems one of the reasons for attacking an email account is manipulation of trust, by masquerading as the original owner in need of urgent financial assistance.

This presents different problems than merely forgetting your password.

A 'slow' password. Infrequent use makes it hard to memorize, but also less exposed to keylogging on public Internet terminals and other attack vectors, and it can be recorded on a physical token. It is only usable after certain events that correlate with account compromise: a change of the account password, of the recovery methods, or of the 'slow' password itself, depending on how frequently the account is used. The effort of avoiding compromise is offset by the greater value the owner places on the account compared to its value to an attacker. Recovery using the 'slow' password is not instant, and collisions extend the lockout. The account's value stays constant for its owner, while for an attacker it falls sharply as knowledge of the compromise spreads through the trust network.

It seems a network of accounts can avoid compromise by preventing the reading of new (or all) email messages once the 'slow' password has been used, so that linked accounts identified through the compromised account can be protected. However, if the 'slow' password has also been compromised, the owner's benefit from retrieving contacts and previous messages might outweigh the danger of that information being accessible to the attacker, once knowledge of the attack has already spread.
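As an added illustration (not the author's design or any real mail provider's code), here is a toy model of the 'slow' password flow described above: the slow password is rejected unless a triggering event has occurred, a valid request only completes after a delay, overlapping requests count as collisions that extend the lockout, and mail reading is blocked while recovery is pending. The event names, the one-day delay and the collision rule are assumptions chosen to make the behaviour concrete.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed triggering events: the ones the text correlates with compromise.
RECOVERY_EVENTS = {"password_changed", "recovery_method_changed", "slow_password_changed"}
RECOVERY_DELAY = 24 * 3600       # assumed: a valid request completes one day later
COLLISION_EXTENSION = 24 * 3600  # assumed: each colliding attempt adds a day of lockout


@dataclass
class Account:
    slow_password: str
    recovery_open: bool = False            # slow password usable only after a trigger
    pending_until: Optional[int] = None    # time (s) at which a pending recovery completes
    mail_locked: bool = False              # reading mail is blocked once the slow password is used

    def on_event(self, name: str) -> None:
        """Open the recovery window when a compromise-correlated event occurs."""
        if name in RECOVERY_EVENTS:
            self.recovery_open = True

    def attempt_recovery(self, password: str, now: int) -> str:
        """Handle one recovery request; recovery is never granted immediately."""
        if not self.recovery_open:
            return "rejected: no triggering event"
        if self.pending_until is not None:
            # A second request while one is pending is a collision: extend the lockout
            # so whoever is competing for the account has to wait longer.
            self.pending_until += COLLISION_EXTENSION
            return "collision: lockout extended"
        if password != self.slow_password:
            return "rejected: wrong slow password"
        self.pending_until = now + RECOVERY_DELAY
        self.mail_locked = True  # protect contacts and linked accounts during the window
        return "pending"

    def finalize(self, now: int) -> bool:
        """Complete a pending recovery once its delay has elapsed; return whether it did."""
        if self.pending_until is None or now < self.pending_until:
            return False
        self.pending_until = None
        self.recovery_open = False
        self.mail_locked = False
        return True

    def can_read_mail(self) -> bool:
        return not self.mail_locked
```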

The value is not the account itself, but rather the information that others have about the account's owner. This entry says the same thing in like four different ways ._.

