AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Information Security: FaceBook Using HTTPS And Social Authentication Captcha

Various sites have covered FaceBook's new data security measures.  First, there is the use of https (with an "s" at the end) connections.  The "s" stands for "secure," and in this case security is provided in the form of data encryption, which is what powers AlertBoot endpoint security software.

Second, there is an update to the use of captchas.  Instead of identifying squiggly, hard-to-read words, you identify your friends to prove that you're human.

HTTPS

What's the difference between "http" and "https"?  That little "s" stands for "secure": https is regular http carried over SSL/TLS.  In short, all communications between your computer and FaceBook's servers are protected with cryptographic security.

This means, for example, that your internet service provider cannot read your communications (under regular http, it would be possible).  While the risk of your ISP surreptitiously creating copies of your status updates is hardly something you generally need to worry about, there have been instances where security was a concern.

Over the weekend, for example, FaceBook was able to confirm that the entire country of Tunisia was recording FaceBook users' login credentials.  This was easily rectified by redirecting all Tunisian users (based on their IP address) to a secured login page.

Why isn't https used by default?  Well, the connections could be a bit slower due to the extra time required to encrypt and decrypt the protected information.  This can be resolved with extra hardware, but when you've got over 500 million users, "extra" means lots of additional capital.

Social Authentication

Many sites have already covered FB's new Social Authentication: it shows you pictures of your friends and asks you to identify them.  It uses the fact that pictures can be tagged with people's names, which are linked to their actual FB profile.

If you can identify your friends correctly, you're in.  If not, maybe "you" are some hacker in Australia who managed to gain someone else's username and password.  Of course, there are critics: what if your friends make it a habit to tag gummi bears with their names, or if one of your friends tries to break into your account?  Your friends are his friends.

Not much can be done about the latter.  For the former, it looks like up to three pictures will be shown, so unless one of your friends makes it a habit to tag all pictures of gummi bears as "him," there should be very little confusion.

What I really like though, and I'm inferring based on some screenshots, is that it seems FB's Social Authentication will ask you to identify a sequence of 5 friends.  Furthermore, it offers you 6 names per friend to be ID'ed.  If you do the math, and assuming you have to get all of your friends ID'ed correctly, there is a 0.0129% chance of someone guessing it correctly by pure chance.  Those are odds I can live with.  Of course, it also means that around 60,000 accounts out of 500 million will also be accessible due to chance alone, but it would require that person have 500 million valid user login credentials.

As security goes, it's not a bad idea.
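
The chance estimate above, worked through as an added example (not part of the original post): random guessing is modeled as a binomial tail, which also shows how the odds move if the challenge were more lenient. The `required` and `attempts` parameters are assumptions for illustration; the post only describes 5 friends, 6 names each, all identified correctly.

```python
from fractions import Fraction
from math import comb


def pass_probability(questions=5, choices=6, required=None):
    """Chance that uniformly random guessing clears the challenge.

    questions: friends shown in sequence (5 in the post)
    choices:   names offered per friend (6 in the post)
    required:  correct answers needed. Defaults to all of them, the
               post's assumption; lower values are hypothetical.
    """
    if required is None:
        required = questions
    if choices < 1 or not 0 <= required <= questions:
        raise ValueError("invalid challenge parameters")
    p = Fraction(1, choices)
    # Binomial upper tail: P(X >= required), X ~ Bin(questions, 1/choices)
    return sum(comb(questions, k) * p**k * (1 - p)**(questions - k)
               for k in range(required, questions + 1))


def pass_probability_with_retries(single, attempts):
    """Chance that at least one of `attempts` independent tries passes.
    Retries are an assumption; the post does not say if they are allowed."""
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    return 1 - (1 - single)**attempts


def expected_accounts(single, population=500_000_000):
    """Expected accounts passed by chance if every one were attempted once."""
    return float(single * population)


if __name__ == "__main__":
    strict = pass_probability()            # all 5 of 5, as in the post
    lenient = pass_probability(required=4)  # hypothetical: one miss allowed
    print(f"5 of 5 correct : {float(strict):.4%}")
    print(f"4 of 5 correct : {float(lenient):.4%}")
    print(f"5 of 5, 3 tries: {float(pass_probability_with_retries(strict, 3)):.4%}")
    print(f"accounts at 500M users: {expected_accounts(strict):,.0f}")
```

Allowing a single miss makes a lucky pass 26 times more likely, so the pass threshold and any retry limit matter as much as the number of names shown.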


Related Articles and Sites:
http://www.pcmag.com/article2/0,2817,2376670,00.asp
http://www.webpronews.com/topnews/2011/01/26/facebook-introduces-secured-connection-social-authentication-security-features

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.