5 hot security defenses that don't deliver

We'd all love to have a magic bullet to stop hackers, but these five defenses won't do the trick, despite what you've been told

Page 2 of 3

Computer systems aren't passing around a pretty picture of your retinal scan, your fingerprint scan, or whatever. Instead, they're passing around a Kerberos ticket, NT hash, or some other nonbiometric token in the background for authentication purposes. No matter what authenticator you use, the bad guy in your exploited system can grab the token, copy it, and use it just like you could.

For example, if you use your fingerprint to log on to your Windows laptop, the security program verifies your print and attaches your identity to a Kerberos token or NT hash. Your fingerprint scan isn't used again until the next log-on session. Bad guys can capture your token or hash and reuse it as much as they like, whenever they like, to access anything you normally can access. They might be prevented from performing an interactive log-on (say, any screen asking them to type in a log-on), but believe me, they don't worry about this hurdle.

Biometrics authentication is worse than standard smart cards in at least two ways. One, every biometric logon I've seen works on only the local computer. This means you can biometrically authenticate yourself to your laptop, but try to do the same on your co-worker's identical laptop sitting next to you and it probably won't work (unless you've gone through the same setup process as you have on your laptop). Most smart card authentication schemes work enterprise-wide from the get-go.

The second biometric problem: What do you do if your biometric identity gets compromised? With a compromised smart card, I can simply issue a new smart card and private digital certificate, then revoke the old one. But how can I revoke your one and only valid retina scan or real fingerprints? If the bad guy steals your store fingerprints or their digital token representation, what are you going to do -- get new fingerprints? New eyeballs? That's a big reason why current implementations of biometrics will never be used globally.

Security dud No. 3: Heuristics
Heuristics is the study of behavior. Antimalware software has added heuristics to its bag of tricks because it has become more and more difficult to detect malware via signatures, mainly because self-morphing malware changes itself so that it can't be identified. While malware isn't perfect at cloaking itself, it can often frustrate antimalware scanners, if only for a few days until a new signature is found and updated.

Malware scanners have fought back by looking for behaviors that indicate maliciousness, such as a file writing itself to another file or a program sending out email on your behalf, without using your regular email program.

Heuristics were once thought to be the savior of the antimalware industry. But after two decades of trying, antimalware programs still struggle to identify malware by behavior alone. This is because too many of today's legitimate programs act in a seemingly manner. For example, many heuristic programs used to look for programs that modified a computer's boot sector, which might be evidence of a boot virus or rootkit. But now, half the computers sold come with their own programs that attempt to prevent unauthorized boot sector modification.

How do they work? They take a digital snapshot of the boot sector, checksum the image, and write the checksum within the boot sector. That checksum is checked and updated when needed upon the next boot. That looks awfully suspicious to most heuristic antimalware programs.

If the heuristic behavior detections are tuned too tightly, you end up with too many false positives. All the heuristic programs have had to dial back their behavior checking -- and we end up living with too many false negatives.

| 1 2 3 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.