All of us in the security business face a humiliating reality: everything we do is effective only against hackers who are dumber than we are. A smarter hacker, with more imagination, could devise a penetration strategy that we are not smart enough to conceive, and hence cannot counter.
What do we do about that? We disguise this reality with flowery language, noise, and hype. But when the most protected, most security-conscious merchants fall prey to a humiliating betrayal of the trust of their customers, and when banks lose billions, it’s time to face this simple reality: The hacker that would target us may be smarter than we are.
Can we do anything about it?
Bob places 10 cups in a row, upside down, and hides a piece of candy under one cup. Alice turns up five of these cups. If she finds the candy, she wins. Otherwise Bob wins. Alice and Bob each try to predict the other’s moves in order to prevail. It may turn out that Bob is more predictable than Alice, or that she anticipates his moves better. In that case Alice would win in the long run. What can “dumb Bob” do? Simple. Surrender the decision about where to hide the candy to a random-number generator. If the cup is chosen uniformly at random, Alice’s chance of winning is exactly 5 in 10 no matter how cleverly she picks her five cups, because there is no pattern left to anticipate. As if by magic, Bob forces parity and neutralizes Alice’s smarts advantage. Randomness that the adversary can neither predict nor observe cannot be defeated by intelligence.
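The cups-and-candy game worked through in code, as an added example that is not part of the original article. Alice's chance of winning is simply the sum of Bob's hiding probabilities over the five cups she turns up, so a "smart" Alice who tallies Bob's habits best-responds by picking his five most frequent cups; a uniformly random Bob gives her exactly one half whatever she does. The habitual-Bob pattern and the warm-up length are constructed for illustration and are my assumptions, not anything from the article.

```python
# Added example (not from the original article): the cups-and-candy game as a
# mixed-strategy problem.  Exact win probabilities use Fractions; the
# simulation uses the OS CSPRNG (secrets) for the "random Bob".
import secrets
from fractions import Fraction

N_CUPS = 10
N_TURNS = 5


def alice_win_probability(bob_dist, alice_cups):
    """Exact probability Alice wins when Bob hides the candy under cup i with
    probability bob_dist[i] and Alice turns up the cups in alice_cups."""
    cups = set(alice_cups)
    if len(bob_dist) != N_CUPS or sum(bob_dist) != 1:
        raise ValueError("bob_dist must be a probability vector over the cups")
    if len(cups) != N_TURNS or not cups <= set(range(N_CUPS)):
        raise ValueError("Alice turns up exactly %d distinct cups" % N_TURNS)
    return sum(bob_dist[i] for i in cups)


def alice_best_response(bob_dist):
    """Alice's best play against a known (or estimated) Bob: turn up the
    N_TURNS cups Bob is most likely to use (ties broken by lowest index)."""
    ranked = sorted(range(N_CUPS), key=lambda i: bob_dist[i], reverse=True)
    return frozenset(ranked[:N_TURNS])


def estimate_bob(history):
    """Alice's model of Bob: the tally of where he hid the candy so far."""
    counts = [history.count(i) for i in range(N_CUPS)]
    total = sum(counts)
    return [Fraction(c, total) for c in counts]


def habitual_bob(round_no):
    """Constructed 'dumb Bob': cycles through cups 0, 1, 2 and makes an
    excursion to cup 7 every seventh round.  Predictable, hence exploitable."""
    return 7 if round_no % 7 == 0 else round_no % 3


def random_bob(_round_no):
    """Bob surrenders the choice to a CSPRNG; there is no habit to tally."""
    return secrets.randbelow(N_CUPS)


def play(bob, rounds, warmup=20):
    """Alice tallies Bob's first `warmup` rounds, then best-responds to her
    running estimate every round.  Returns Alice's wins over `rounds` rounds."""
    history = [bob(r) for r in range(warmup)]
    wins = 0
    for r in range(warmup, warmup + rounds):
        guess = alice_best_response(estimate_bob(history))
        spot = bob(r)
        wins += spot in guess
        history.append(spot)
    return wins


if __name__ == "__main__":
    uniform = [Fraction(1, N_CUPS)] * N_CUPS
    biased = [Fraction(3, 10)] * 3 + [Fraction(1, 70)] * 7  # constructed habit
    print("biased Bob vs best-responding Alice:",
          alice_win_probability(biased, alice_best_response(biased)))   # 13/14
    print("uniform Bob vs any Alice:",
          alice_win_probability(uniform, alice_best_response(uniform)))  # 1/2
    print("habitual Bob, 100 rounds, Alice wins:", play(habitual_bob, 100))
    print("random Bob, 1000 rounds, Alice wins:", play(random_bob, 1000))
```

Against the habitual Bob, Alice wins every scored round once she has twenty rounds of tally; against the random Bob her wins hover around half, and no amount of tallying moves that number, which is the whole point of the paragraph.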
And that is why we say in the trade (paraphrasing President Reagan’s expression, “Trust but verify”): Trust but randomize!
Nothing is as effective in verifying online identity as questions about the identity attributes, chosen at random from a pool of such attributes. The true identity responds from knowledge of these attributes. A hacker who tallied all the previous identity-verification dialogues can only replay the answers that happened to be asked before, and falls short as soon as the question drawn is one that was never asked. A hacker cannot prepare for a random question. That is what randomness means. The caveat is that the randomness defeats replay, not an adversary who has obtained the whole attribute set: the attributes themselves must be hard to obtain, and the pool must be large enough that a few captured dialogues cover only a small fraction of it.
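How much a captured transcript is worth against random questions, as an added example that is not part of the original article. A verifier draws k distinct questions from a pool of attributes (or, for comparison, always asks the same k); a replay attacker answers only what it has already seen. The exact pass probability is C(captured, k) / C(pool, k), and the simulation reproduces it. The attribute pool, the number of captured attributes and the `Verifier`/`ReplayAttacker` classes are constructed for illustration and are my assumptions, not anything the article describes.

```python
# Added example (not from the original article): random question selection
# versus a transcript-replay attacker in knowledge-based verification.
import math
import secrets
from fractions import Fraction


def replay_success_probability(pool_size, captured, questions_per_session):
    """Exact probability that an attacker holding answers to `captured` distinct
    attributes passes a session of `questions_per_session` distinct questions
    drawn uniformly at random from a pool of `pool_size` attributes."""
    k = questions_per_session
    if not 1 <= k <= pool_size or not 0 <= captured <= pool_size:
        raise ValueError("inconsistent pool / capture sizes")
    if captured < k:
        return Fraction(0)
    return Fraction(math.comb(captured, k), math.comb(pool_size, k))


class Verifier:
    """Holds the true attribute values; asks k questions per session."""

    def __init__(self, attributes, k, randomize=True):
        self.attributes = dict(attributes)      # attribute name -> true value
        self.k = k
        self.randomize = randomize
        self._rng = secrets.SystemRandom()      # OS CSPRNG, not random.random
        self._fixed = list(self.attributes)[:k]  # the "predictable" policy

    def challenge(self):
        if self.randomize:
            return self._rng.sample(list(self.attributes), self.k)
        return list(self._fixed)

    def verify(self, challenge, answers):
        return all(self.attributes[q] == answers.get(q) for q in challenge)


class ReplayAttacker:
    """Knows exactly the (question, answer) pairs it has observed, nothing more."""

    def __init__(self):
        self.known = {}

    def observe(self, challenge, answers):
        self.known.update({q: answers[q] for q in challenge})

    def respond(self, challenge):
        return {q: self.known.get(q) for q in challenge}


def simulate(pool_size, captured, k, randomize, trials=2000):
    """Fraction of sessions the replay attacker passes.  The attacker has
    tallied the first `captured` attributes from earlier dialogues."""
    attrs = {"attr%d" % i: "value%d" % i for i in range(pool_size)}  # constructed
    verifier = Verifier(attrs, k, randomize)
    attacker = ReplayAttacker()
    seen = list(attrs)[:captured]
    attacker.observe(seen, {q: attrs[q] for q in seen})
    passed = 0
    for _ in range(trials):
        ch = verifier.challenge()
        passed += verifier.verify(ch, attacker.respond(ch))
    return passed / trials


if __name__ == "__main__":
    print("exact, 20 attrs, 5 captured, 3 questions:",
          replay_success_probability(20, 5, 3))           # 1/114
    print("fixed questions, same attacker:", simulate(20, 5, 3, randomize=False))  # 1.0
    print("random questions, same attacker:", simulate(20, 5, 3, randomize=True))
    print("random questions, attacker knows all:", simulate(20, 20, 3, True))  # 1.0
```

The last line is the caveat in code: once the attacker holds every attribute, random selection buys nothing, so the pool has to be made of things an outsider cannot harvest.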
There are any number of examples of the effectiveness of randomization.
Large IT shops are likely to have hired some individuals who could, in small or large ways, be seduced by the bad guys. It has been shown that a pre-announced, randomized audit of individuals is a powerful deterrent, and one that most employees consider fair.
Rare but randomly timed phone calls to users who have just been admitted to a financial site by password will send hackers to another store, since they know such a call would capture their voice signature and nail them.
Passwords, however long, are breachable if humanly selected: human choices follow patterns (words, dates, keyboard walks, predictable substitutions) that guessing tools are built to exploit. A password drawn uniformly at random from a large space cannot be outsmarted; the attacker’s only recourse is exhaustive search, and the password’s strength is then exactly its length in bits.
Even hackers have mastered randomization. Dragnets fish for randomized victims. Downloadable malware waits for the random visitor. The name of the game is targets of opportunity.
But randomness is not natural in business. Businesses value streamlining, predictability, and order. So when hackers easily obtain their target’s operational manuals, they know exactly what is allowed and what the attacked executive will do. Even a tiny measure of randomization will go a long way toward defeating hackers. A good security policy will build in randomized responses. Randomized forensic checks of memory, queries, load dynamics, etc., will deter attacks or stop them in their early stages.
Modern cryptography is based on mathematical complexity and randomness. For most of us, mathematical complexity is a given. We don’t tinker with it. But the randomness ingredient is our input. We select passwords, PINs, and keys. It may be surprising, but for a human to make a random list of anything is extremely difficult. In experiments where people are asked to list 50 random words, they end up betraying a lot about themselves simply by the makeup of their lists.
Just as Bob in his “cups and candy” game neutralizes Alice’s smarts advantage with a good randomization source, so for us to make full use of what cryptography offers we need the services of a high-quality random-number generator. A computer cannot produce a truly random list by computation alone; it produces pseudo-random numbers from a seed, and these are sufficient only when the generator is designed to be unpredictable (a cryptographically secure generator seeded from operating-system entropy), not merely to pass statistical tests. A general-purpose generator such as a linear congruential generator or the Mersenne Twister passes the statistics and is still fully predictable once an attacker has observed enough of its output. You do not want to compromise on the quality of your random-number generator. Any weakness affects every key, every password, every one of the protocols for which you use this faulty device.
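The difference between "statistically random" and "unpredictable", as an added example serving both the password paragraph and this one; it is not code from the original article. Python's `random` module is a Mersenne Twister (MT19937): its output passes statistical tests, yet 624 consecutive 32-bit outputs are enough to reconstruct its entire state and predict everything it will emit next. The `secrets` module, which draws from the operating-system CSPRNG, is what passwords and keys must come from. The untempering functions invert MT19937's published output transform; the password alphabet and length are my assumptions for illustration.

```python
# Added example (not from the original article): recovering a Mersenne Twister's
# state from its output, then generating a password the right way.
import math
import random
import secrets
import string

MASK32 = 0xFFFFFFFF


def _undo_right_xor(y, shift):
    # invert y ^= y >> shift; the top `shift` bits are already correct and the
    # rest follow from the top down
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor_mask(y, shift, mask):
    # invert y ^= (y << shift) & mask; the low `shift` bits are already correct
    # and the rest follow from the bottom up
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Invert MT19937's output tempering, giving the raw state word."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt(observed_outputs):
    """Rebuild a random.Random whose future outputs match the source's, given
    624 consecutive outputs of getrandbits(32) from that source."""
    if len(observed_outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in observed_outputs) + (624,)  # 624 = index
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def predict_next(source_outputs, n):
    """Predict the next n 32-bit outputs of whatever produced source_outputs."""
    clone = clone_mt(source_outputs)
    return [clone.getrandbits(32) for _ in range(n)]


def demo_predictable():
    """A victim seeded from the OS CSPRNG; the attack never sees the seed."""
    victim = random.Random(secrets.randbits(64))
    leaked = [victim.getrandbits(32) for _ in range(624)]
    predicted = predict_next(leaked, 5)
    actual = [victim.getrandbits(32) for _ in range(5)]
    return predicted == actual


ALPHABET = string.ascii_letters + string.digits + "-_.!?"   # assumed: 67 symbols


def random_password(length=16, alphabet=ALPHABET):
    """Password drawn uniformly via the OS CSPRNG, with its strength in bits.
    There is no human pattern here to exploit; only exhaustive search remains."""
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


if __name__ == "__main__":
    print("MT19937 future outputs predicted:", demo_predictable())  # True
    pw, bits = random_password()
    print("password:", pw, "strength: %.1f bits" % bits)
```

The lesson is the one the paragraph states: a generator that merely looks random leaks its state through its own output, and every key or password it produced is then compromised at once; a generator designed to be unpredictable, used for the password at the end, gives strength that is exactly the arithmetic of its alphabet and length.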
The role of randomness is only growing. It looms as the most reliable weapon in our ever-more-critical cyberwar.
Read more about this in my book, The Unending CyberWar, and at www.AGSgo.com/R.htm.