Strong Authentication is Good, Unless …

… it results in your being arrested!

In her September 28, 2019
article, “Army communication head at Mar-a-Lago sentenced for lying,” Jane
Musgrave describes how an army officer in charge of communications at
Mar-a-Lago had lied about posting a photograph of a young girl on a Russian
website … see https://www.msn.com/en-us/news/crime/army-communication-head-at-mar-a-lago-sentenced-for-lying/ar-AAHWZZF
It turns out that the photographs “did not constitute child pornography.”
However, the army officer lied to law enforcement about owning the email
account that was associated with the posting. The agents then asked him “to try
to use the email address to access the website.” The site then asked him to fill
in missing numbers from his cell phone, thereby affirming that the email
account was his.

This is an example of a
professed victim acting in the role of attacker or perpetrator. I have an
article due out in early 2020 in the ISACA Journal with the title
“When Victims and Defenders Behave Like Cybercriminals.” Modern technologies
allow for all manner of impersonation and anonymization, but in some cases,
there are ways to identify a device’s location at a particular point in time,
although proving that the owner of the device was the actual user at the time
requires more evidence.

There is a fascinating
article by Lauren Smiley in the October 2019 issue of Wired
magazine about how a Fitbit worn by the murder victim was able to timestamp
the death from the time that the heartbeats ceased. The title of the
article is “The Telltale Heart: He was an unlikely suspect. 90 years old.
Wouldn’t hurt a fly. But there was a witness and the victim was wearing it.” Of
course, that doesn’t confirm who did it. But, other corroborating evidence from
a local camera—actually a neighbor’s Ring security camera—provided additional
information that pointed to the suspect. Here is another case where
identification was a result of today’s pervasive technologies, although, when
you read the article, it could just be circumstantial and the real perpetrator
could possibly be other than the suspect.

This raises the question
as to whether technologies, such as GPS, fitness/health devices, and smart
phones, can be fully trusted and if they can be relied upon for providing
incriminating evidence. Certainly, we are increasingly seeing CCTV videos and
face recognition playing a part in proving presence and culpability in the
physical world. The question as to whether the same rules apply in the virtual
world remains open, as discussed in Smiley’s article.


*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/12/09/strong-authentication-is-good-unless/