This week, a fake image of an explosion at the US Pentagon, generated by an AI, surfaced online. Despite being fake, multiple news sources reported it as real, causing a sharp drop of 30 points in the S&P 500 within minutes. This resulted in a $500 billion market cap swing based on false information. However, the market rebounded once the image was confirmed to be fake. The incident raised concerns about the potential dangers of AI. While some argue that the fault lies with AI, others blame the lack of true authentication. In my opinion, the latter is the main issue, as tools like Photoshop can be used to create convincing fake images.
Just a couple of months ago, a shocking revelation shook the cybersecurity world: North Korean hackers are using a sneaky tactic to spread malware – fake job offers on LinkedIn. Yes, you read that right. The world’s foremost professional job seeking platform, with over 830 million members in over 200 countries, is being used by North Korean hackers as a tool for cybercrime. The malware can wreak havoc on victims’ lives, stealing personal information, installing ransomware, or even taking control of their computers. Although LinkedIn is owned by Microsoft, the world’s largest cybersecurity vendor with security sales exceeding $20 billion in 2022, it’s important to remain cautious when seeking career opportunities on the platform because its users are not authenticated.
The potential consequences of the world’s largest job seeking platform facilitating a despot who uses their ill-gotten profits to build and aim nuclear weapons at us are dire. This highlights a significant problem that must be addressed to ensure global security and stability.
It’s high time for governments to act and establish strong Digital Identity and Authentication laws. These laws are crucial in authenticating the identities of individuals and devices connecting to interconnected global networks. By implementing such laws, we can ensure a safer and more secure digital environment for everyone.
Ensuring data privacy and security is a fundamental requirement in today’s digital world. However, it all starts with trusted authentication of a system’s users, devices, and applications. Without reliable identification and authentication of these entities, a system cannot effectively implement its security measures and technologies. Therefore, individual user, device, and application authentication across global digital ecosystems is a critical step towards providing data privacy and security. It’s a non-negotiable requirement in today’s digital landscape.
It’s crucial to use advanced encryption-based authentication that provides a strong foundation for biometric and password authentication. The encryption should be robust enough to withstand attacks and ensure data privacy and security. Ideally, policies and guidelines should be in place to define the minimally-acceptable cryptographic authentication standards. It’s important to note that the use of digital certificates should be avoided in such standards, as they can be vulnerable to attacks. By prioritizing strong encryption-based authentication, we can ensure a safer and more secure digital environment.
Connected Things – Internet of Things (IoT) and Industrial Internet of Things (IIoT)
To ensure the security of IoT devices, it’s crucial to establish US federal policies that build upon existing state laws, such as those in California. These policies should mandate the inclusion of adequate resources in consumer “smart things” to leverage modern cryptosystems effectively. A realistic goal for implementing strict rules on this is January 1, 2025. This is important because cybercriminals using search engines like Shodan can easily access and control connected IoT devices, including thermostats, lighting, and garage door controllers. Researchers at the Infosec Institute found that it takes only 90 seconds for a vulnerable IoT device to be hacked, and malware can take control of the device to participate in DDoS attacks or spread disinformation. By implementing federal policies that prioritize IoT security, we can protect consumers and prevent cybercriminals from exploiting these devices.
To address the issue of IoT device security, it’s crucial to ensure that users of search engines like Shodan.io are properly authenticated. Unrestricted public access to such technology is a significant part of the problem, and not everyone should have access to it. By implementing proper authentication measures, we can limit access to these tools and prevent malicious actors from exploiting them. This is a critical step towards ensuring the security and privacy of IoT devices and protecting consumers from cyber threats.
To ensure the security of connected things, it’s crucial to establish minimum hardware requirements. A Hardware Secure Element (HSE) is a System on Chip (SoC) that provides an MCU, RAM, secure flash, a hardware accelerator for public-key operations, a True Random Number Generator (TRNG), and a safe execution space for the crypto-algorithms. The HSE also provides a hardware interface, such as I2C or ISO 7816, when connected to a main computer system or to an IoT board. The secure flash of the HSE is used to store sensitive data such as the private key, along with the pre-calculated data used to optimize algorithm execution for the most widely used connected devices. As the computing power of an HSE is often limited, it provides a hardware accelerator dedicated to the calculations needed for the sophisticated mathematics of cryptography. The most secure HSEs also provide hardware countermeasures against side-channel attacks during execution of the algorithms, as well as against physical attacks on the secure flash memory.
In the longer term, home security companies will likely include connected “smart” devices in their protection services. However, this can only be achieved if adequate resources are available within connected things. By establishing minimum hardware requirements, we can ensure that connected devices are equipped with the necessary resources to leverage modern cryptosystems effectively and prevent cyber threats.
The Industrial Internet of Things (IIoT), which includes critical infrastructure, needs to re-evaluate the cryptography it uses for authentication and encryption. One potential solution that should be seriously considered is Split PUF technology. A Physical Unclonable Function (PUF) provides a unique identifier, like a digital fingerprint, which can be harnessed by advanced cryptography. A Split PUF from QuantumBase.com is the ideal solution for IIoT. It consists of two chips that, when snapped together, form a unique identifier. This eliminates the supply chain vulnerability of protecting the unique identifiers of chips manufactured at a single foundry. With Split PUF, chip A can be made at one foundry and chip B at another, and any combination of chip A and chip B snapped together creates a unique identifier at the molecular level. By adopting Split PUF technology, IIoT can enhance its security and better protect critical infrastructure from cyber threats.
OpenZiti, a software-defined networking (SDN) solution from Netfoundry.io, is an important tool for securing the Internet of Things (IoT). SDN can help to improve the security of IoT networks by providing a more centralized way to manage and control access to the network. OpenZiti takes this a step further by providing a zero-trust networking approach that ensures secure access to IoT devices and applications. With OpenZiti, software-defined firewalls can be used to control access to the network, ensuring that only authorized devices and users can connect. This helps to prevent unauthorized access and potential cyber-attacks. Additionally, OpenZiti uses software-defined encryption to protect data in transit, ensuring that sensitive information is kept secure. Overall, OpenZiti is a powerful tool for securing IoT networks and ensuring that devices and applications are protected from cyber threats. By leveraging the benefits of SDN and zero-trust networking, OpenZiti provides a comprehensive solution for IoT security.
Authenticating the identities of connected people is important for many reasons.
According to a warning from the FBI, Business Email Compromise (BEC) fraud has resulted in losses of $43 billion for businesses worldwide between June 2016 and December 2021. This type of fraud involves cybercriminals impersonating a company executive or vendor and requesting fraudulent wire transfers or sensitive information.
The need for true authentication for all users has never been more pressing, as cyber threats continue to escalate. According to the World Economic Forum, cyber-attacks are one of the top global risks facing businesses today. Experts from Cybersecurity Ventures estimated that one ransomware attack took place every 11 seconds in 2021, highlighting the urgent need for robust authentication measures to protect against these threats.
While much of the discussion surrounding ransomware centers on whether or not to pay the ransom, the real solution is clear: robust authentication measures. By implementing true authentication measures, such as multi-factor authentication and physical hardware tokens, businesses can significantly reduce their risk of ransomware attacks and protect sensitive information from being compromised.
· Email Security
Email is a critical communication tool for individuals and businesses alike, but it’s also a major target for cybercriminals. In fact, more than 90% of cyber-attacks worldwide begin with an email. The infamous hack of John Podesta’s Gmail account, which was attributed to Russian interference, is just one example of the devastating impact that email attacks can have. It’s worth noting that this attack could have just as easily been carried out by anyone with $129, as demonstrated by a simple online search for “Hack, email, $129.”
To address this issue, it’s essential to implement mandatory strong authentication measures for email users, messages, and account access. By fully authenticating email users and messages, we can significantly reduce the risk of cyber-attacks and protect sensitive information from being compromised. This is an urgent issue that cannot wait years to be addressed. Hackers are gaining unprecedented power through spoofed email “Emergency Data Requests,” which can even grant them the power of subpoena. It’s essential to act now to protect against these threats and ensure that our email systems are secure and protected from cybercriminals.
· The Case for Physical Hardware Tokens
The use of physical hardware tokens for authentication is gaining traction as a highly effective security measure. Google is one company that has implemented this approach, requiring all employees to use a hardware token as their second authentication factor for email access. Since the implementation of this policy, Google has not experienced any negative email incidents. The use of hardware tokens provides an additional layer of security beyond traditional password-based authentication methods.
These tokens generate a unique code that is required for access, making it virtually impossible for cybercriminals to gain unauthorized access to sensitive information. While some may argue that the use of hardware tokens can be inconvenient, Google has demonstrated that it is possible to implement this approach successfully. All users are required to use a hardware token, just like a bank card at an ATM, ensuring that the system is secure and protected from cyber threats.
Overall, the case for physical hardware tokens is strong, and more companies are likely to adopt this approach as a way to enhance their security posture and protect against cyber-attacks.
Apple, Google, and Microsoft have teamed up to replace passwords with FIDO Alliance biometric authentication. While this move is aimed at improving user convenience, it is only a small step forward in terms of security. Biometric data can be stolen en masse, as demonstrated by the OPM breach, and there are many ways to obtain specific biometric data and abuse it to defeat authentication systems without the need for special tools. To address these concerns, it’s important to implement additional security measures beyond biometric authentication.
While biometric authentication is an effective “something you are” factor, it’s still vulnerable to attacks. Therefore, it’s recommended to use “something you have” physical hardware tokens in conjunction with biometrics. This approach provides an additional layer of security, making it more difficult for cybercriminals to gain unauthorized access to sensitive information. Overall, while biometric authentication is a step in the right direction, it’s important to take a comprehensive approach to security and implement additional measures to ensure that sensitive information is protected. By combining biometric authentication with physical hardware tokens, we can create a robust and effective authentication system that is resistant to cyber threats.
As the world becomes increasingly connected, it’s essential to implement robust security measures to protect against cyber threats. However, traditional security measures such as Public Key Infrastructure (PKI) are ill-fitted to the 21st century digital landscape.
PKI was intended for communications and data file encryption last century, and it’s not designed to handle the complex security challenges of today’s digital world.
According to recent reports, nearly 65% of organizations worldwide are unable to secure and govern the growing volume of digital certificates, which can amount to an average of 30,000 per organization. Additionally, more than half of today’s organizations have experienced one or more security incidents due to a digital certificate compromise.
For both connected people and connected things, it’s essential to implement modern security measures that are designed for the hybrid cloud, mobile, IoT, layered-apps, blockchain, and data fabric digital world we are accelerating into. This includes moving away from PKI and implementing more advanced security measures.
Accountability in the public square
As the internet becomes increasingly central to our lives, it’s essential to ensure that online interactions are safe and secure. However, the ability to anonymously join online social networks and post whatever one wants is not only a major security risk but also makes it impossible to prosecute bad and dangerous behavior.
Just as it’s a bad idea to allow pre-paid burner cell phones to connect to networks without proper authentication of the user, it’s also a bad idea to allow people to represent themselves as anything they want online. Anonymity for people posting content on social media can be used to facilitate cybercrime and other malicious activities, as well as to spread hate speech, fake news, and other harmful content. To address this issue, it’s time for wireless carriers and internet service providers to follow the same Know Your Customer (KYC) rules that banks must adhere to.
By implementing KYC rules, we can ensure that online users are properly authenticated and that their identities are verified. This will help to prevent cyber-attacks and protect sensitive information from being compromised, as well as make it easier to prosecute bad and dangerous behavior.
While people should have the right to go online and post what they want within reason, it’s important to recognize that anonymity can have serious consequences. By implementing KYC rules, we can strike a balance between privacy and security, ensuring that online interactions are safe and secure for everyone.
A good resource for gaining a better understanding of the damage that anonymity in the public square causes is the docudrama film The Social Dilemma.
As the internet becomes increasingly central to our lives, the spread of fake news has become a major concern. To address this issue, if we truly authenticate everyone, social media platforms can authenticate ‘verified journalist’ users, which can help to eliminate fake news and ensure that readership is trained to look for genuine content.
All legitimate media outlets, sources, and journalists should include a private cryptographic key when content is posted. If a post includes the private key, the platform displays a ‘verified journalist image’ adjacent to the post, similar to a lock image in browsers indicating a secure website. This image/symbol of genuine content can help readers to identify legitimate sources and prevent the spread of fake news.
While there will still be bogus articles posted online, they won’t be able to impersonate a known media source or hide their true identity. By implementing this system, social media platforms can help to ensure that readership is trained to look for genuine content and prevent the spread of fake news.
Overall, the need for authentication of ‘verified journalist’ users is clear. By taking a proactive approach to security and implementing robust authentication measures, we can protect against the spread of fake news and ensure that our information is accurate and reliable.
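As an added example (not code from the article), here is how the ‘verified journalist’ badge check above works in practice. Note that what travels with the post is a signature produced with the publisher’s private key, not the key itself; the private key stays with the publisher, and the platform checks the signature against the public key it has on record for that publisher. The publisher name “Example Gazette” and the Registry type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Post is what a platform receives from a publisher: the content plus a
// signature that only the holder of the publisher's private key can produce.
// The private key itself never leaves the publisher.
type Post struct {
	Publisher string // registered outlet name; "Example Gazette" is constructed
	Body      string
	Signature []byte
}

// Registry maps each verified publisher to its registered public key. In the
// model the article describes, an ID authority would populate this.
type Registry map[string]ed25519.PublicKey

// signingInput binds the publisher name to the body, so a signature made by
// one outlet cannot be replayed under another outlet's name.
func signingInput(publisher, body string) []byte {
	return []byte(publisher + "\n" + body)
}

// Publish runs on the publisher's side: it signs the post with the
// publisher's private key.
func Publish(publisher string, priv ed25519.PrivateKey, body string) Post {
	return Post{
		Publisher: publisher,
		Body:      body,
		Signature: ed25519.Sign(priv, signingInput(publisher, body)),
	}
}

// Verified runs on the platform's side and decides whether the
// 'verified journalist' badge is shown: true only when the post carries a
// valid signature under the key registered for the named publisher.
func (r Registry) Verified(p Post) bool {
	pub, ok := r[p.Publisher]
	if !ok {
		return false // publisher not registered: no badge
	}
	return ed25519.Verify(pub, signingInput(p.Publisher, p.Body), p.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"Example Gazette": pub}

	genuine := Publish("Example Gazette", priv, "Markets closed higher today.")
	fmt.Println("genuine post verified:", reg.Verified(genuine)) // true

	// An edit after signing (or a post forged from scratch) fails the check.
	tampered := genuine
	tampered.Body = "Markets collapsed today."
	fmt.Println("tampered post verified:", reg.Verified(tampered)) // false

	// A post under a name that has no registered key never gets the badge.
	impostor := Post{Publisher: "Real Gazette", Body: "Breaking news", Signature: []byte("n/a")}
	fmt.Println("unregistered publisher verified:", reg.Verified(impostor)) // false
}
```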
As the internet becomes increasingly central to our lives, it’s essential to ensure that online interactions are safe and secure. People already need a driver’s license, license plates, and insurance to operate a motor vehicle, and they need proper ID to vote or to fly. Why not require proper authentication to use the internet?
A REAL ID requirement to fly in the US came into effect this month, and it’s at least 20 years late. Let’s not wait that long to enact Digital Identity & Authentication laws.
Laws such as Texas’s HB 20, the ‘Save Free Speech on Social Media Act,’ which restricts how social media sites can moderate their platforms, are pointless as they stand, and half-baked besides. Online, we don’t know whether internet users purporting to be from Texas are even human, let alone from Texas.
As the use of Big Data becomes increasingly prevalent, it’s essential to ensure that accountability applies to the entire ecosystem. This includes companies that earn money from monetizing their users’ data and preferences, as well as the hardware and software makers that enable this practice.
Thousands of popular websites have access to the data that users input, including passwords, bank account numbers, and credit card numbers, before users even click enter. This is a serious breach of ethics, and it’s hard to believe that it’s legal.
The lack of guardrails for the Big Data industry is a major concern, and its reckless actions jeopardize us all. It’s time to reel in Big Data and hold it accountable for its actions. To address the growing concerns around data privacy and security, it’s essential to implement stricter regulations and guidelines for the collection and use of user data. Companies must be held accountable for any breaches of privacy or security, and the penalties for such breaches must be significant enough to impact their bottom line.
Big Data companies have deep pockets, and until penalties truly damage their financials, they may not be motivated to change their practices. To ensure that companies prioritize user privacy and security, we need to establish clear and enforceable regulations that hold them accountable for their actions. This may involve imposing significant fines, revoking licenses, or even criminal charges in cases of severe breaches.
By implementing robust penalties, we can send a clear message that data privacy and security are non-negotiable, and that companies must take their responsibilities seriously.
Overall, the need for accountability in the Big Data ecosystem is clear. By taking a proactive approach to security and implementing robust measures to protect user data, we can ensure that our sensitive information is secure and that our privacy is protected.
The Authentication Authorities
In my opinion Microsoft’s Blockchain ID project is concerning. While Blockchain is a transparent technology that allows all transactions to be visible to everyone on the network, this could be a problem for users who want to keep their personal information private. Additionally, the system could be used to track users’ online activity, raising concerns about privacy and surveillance.
To ensure the authentication of all users accessing networks that connect to ours, we require a trusted and independent ID Hub that is likely to be a global initiative. Service providers like Microsoft have no business collecting data such as users’ education, bank balances, and health status. It’s none of their business.
While Blockchain is trendy, it’s not always necessary, and it can be slow. Instead, we need a reliable and efficient system that prioritizes user privacy and security. This can be achieved through a trusted, independent ID Hub that is transparent, accountable, and designed to protect users’ sensitive information.
Software Supply Chain
Global economies rely heavily on open-source software from repositories like GitHub and GitLab. However, since these platforms are competitors, each may introduce only as much new security as it believes its users will accept, stopping short of making authentication too difficult for fear of losing users to the competitor.
This can lead to a lack of robust security measures within the software supply chain. It’s important to recognize that Know Your Customer (KYC) rules are just as important in the software supply chain as they are in financial institutions, where they are required by law. However, laws are currently missing for authenticating all who touch software development, which can lead to countless examples of security failures within open-source software repositories.
To address this issue, it’s essential to implement proper authentication measures for all developers who contribute to open-source software repositories. Multi-Factor Authentication (MFA) is a good tool, but it’s only effective once all developers have been truly authenticated with proper ID. Verified users, with MFA and hardware tokens, are what is needed to ensure that the software supply chain is secure and that our sensitive information is protected.
Hardware and Software Zero-Day Vulnerabilities
The discovery of Zero Day vulnerabilities by hackers and their subsequent sale to anyone willing to pay raises serious concerns about cybersecurity. Despite the existence of bug bounty programs from software and hardware makers, these programs pale in comparison to what spies and cybercriminals are willing to pay for such vulnerabilities.
It’s important to recognize that the discovery of bugs in popular hardware and software, and the sale of knowledge or software designed to exploit these vulnerabilities to shady characters, regardless of location, cannot possibly be legal. This needs to be made clear, and meaningful penalties need to be put in place for those who exploit hardware and software, or worse, sell software designed to exploit the vulnerability.
Currently, the rules around this issue are inconsistent. For example, it’s illegal to possess the factored primes that unlock DVDs, but there are no clear laws regarding the sale of Zero Day vulnerabilities. This inconsistency needs to be addressed to ensure that our sensitive information is protected and that our cybersecurity is not compromised.
To learn more about the exploitation of Zero-Day vulnerabilities and why this dangerous practice must be curtailed, please read This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
Instant Alias is a feature that has been used in email systems to give users greater control over their online presence. With Instant Alias, users could create an alias username to join mailing lists and retain control. If the mailing list sent too many messages, users could simply delete the alias username. This same functionality can be used in an authenticate everything model, whereby authenticated Internet users can create an alias username to use online.
In other words, just because there would be a mandate to authenticate every user touching global networks, it doesn’t mean that they have to always use their real name online. The use of alias usernames can provide users with greater privacy and control over their online identity.
This functionality is particularly useful in an authenticate everything model, where users are required to authenticate their identity to access online services, because it protects user privacy while still providing control over online identity.
By implementing this functionality in an authenticate everything model, we can ensure that users have the flexibility to use their real name or an alias username as needed, while still maintaining the security and integrity of the authentication process.
There’s a lesson in the rear-view mirror
In my 2019 article titled There’s a lesson in the rear-view mirror, I discussed the importance of authenticating everyone and everything in the digital age. In that article, I explored the challenges and opportunities presented by the need to authenticate all users and devices accessing global networks.
I argued that a proactive approach to authentication is essential to protect against cyber-attacks, data breaches, and fake news, and that we must prioritize user privacy and security in all authentication processes. Overall, the article provides valuable insights into the importance of authentication in the digital age, and I encourage you to read it to learn more about this critical issue.