Government must sort out the digital identity mess, says think tank

Despite years of strenuous effort, the idea of mass digital identity remains stuck somewhere between non-existent and a total mess.
Ask someone to prove their identity today, and almost without exception they will fall back on a paper passport, driving licence, or bank account statements, usually backed by a social security number (SSN). The online world struggles to accommodate these.
Digital identity systems such as the UK government’s Gov.UK Verify exist but barely any are used in anger. They float around in no man’s land, like clever experiments whose original objective their creators have lost track of.
Meanwhile, shadowing flesh and blood human identities are virtual ones built from oceans of online data. Much of this is handed over willingly to “surveillance capitalists” – Facebook, Google and advertisers, for instance – but lots more exists in this parallel dimension people are only dimly aware exists.
It’s also the world of identity middle-men such as Equifax, which collected so much valuable data it eventually burst at the seams, spilling millions of names, addresses, SSNs, birth dates and driving licence numbers to cybercriminals who could use it to fuel industrial identity theft for years to come.
Not everyone is giving up yet, however, including the Social Market Foundation (SMF), a UK think tank, which argues in a new report that governments should stop shilly-shallying around and press ahead with full-blown digital ID systems.
But aren’t government systems a damp squib? According to the SMF, the problem of systems such as Gov.UK Verify (which uses private-sector partners) is that they were conceived to serve access to government services such as tax and benefits when the real need is much wider.
Verify’s usefulness would improve dramatically if only companies could use it to identify people too:
Encouragingly, use of Verify in private sector contexts is being actively explored, and we believe there are significant benefits for consumers that could arise from this.
Advantages such as:
Passports could give way to app-based identity systems, possibly backed by biometrics
Expensive paper systems could be banished forever
Online verification could be transformed from today’s guesswork and assumption-based model.
Welfare and immigration fraud would be reduced
Because everyone would have an ID, social exclusion faced by people who lack documents could be reduced
Verification and digital identity could be about to become an industry in its own right so jobs could be at stake
And cybercriminals would no longer find it easy to carry out identity theft against a system that included real-time identity checks on individuals themselves.
Sceptics will see this as a reprise of the failed UK identity card scheme of a decade ago, eventually scrapped in 2010 after burning through £4.5bn ($6.3bn). Certainly, it’s hard to see how a new ID system wouldn’t initially need to rely on physical documents of the sort that sank the original system on cost grounds.
The other problem is government itself. Solving the digital identity conundrum once and for all can probably only be done at government level – but what if people don’t trust government?
The poster child for digital ID is Estonia, the first country in the world to conduct general elections across the Internet backed by a digital identity system years ahead of other developed countries.
Then there’s India’s Aadhaar, a biometric digital ID system with 1.2bn members that critics have described as “Orwellian”. The worry is that the Aadhaar model hands government the power to withhold as well as enable access to services as a form of social control.
Which of the two extremes should countries such as the UK and US look to? Probably both deserve scrutiny, but it’s interesting that some of the same civil liberties arguments levelled at Aadhaar also dogged the UK’s ID cards.
This suggests that the path to 21st century digital identity will not be smooth. The flaw in today’s identity model is that data is smeared just about everywhere and anywhere, and incentives to guard it have become warped by commercial self-interest.
But until someone comes up with a way to implement an alternative that doesn’t simply over-centralise power with governments, digital identity will remain a rocky road.
With identity theft at record levels, it is hard to believe that digital identity can be postponed indefinitely. But the old world of uncertain, weakly defended identity won’t go away quickly – expect Equifax-style breaches to be with us for a while yet.

SAP admins, there’s an e-mail system bug that could give your HR department headaches, by blocking people from registering their e-mail with its E-Recruiting system.
The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people’s e-mails into the system and guess the “e-mail confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn’t done in release versions 605, 606, 616 or 617.
As described by SEC Consult here, when someone registers with SAP’s E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.
For an attacker, then, the process would be:
Register with an e-mail address they can access, and receive the confirmation link;
Immediately register with a “victim’s” e-mail address, and guess the candidate_hrobject value to obtain the confirmation URL (multiple guesses may be needed).
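To make the defect concrete, here is an added example (not SAP’s code, and not from the SEC Consult advisory) contrasting a confirmation link whose only "secret" is an incrementing id, as the advisory describes for candidate_hrobject, with the nonce-based design the article says would block the attack: a per-registration random nonce, bound to the e-mail address by an HMAC, single-use and time-limited. The hostname, key handling, starting id and in-memory store are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed server-side key; a real deployment would load it from config/KMS.
SECRET_KEY = secrets.token_bytes(32)
BASE = "https://example.invalid/confirm?"  # placeholder host

# --- Pattern the advisory describes: an incremental, guessable object id ---
_next_hrobject = 1000  # constructed starting value; real ids are not on the page

def predictable_link(email):
    """The only thing protecting this link is a counter, so anyone who
    registered a moment earlier knows roughly what the next value will be."""
    global _next_hrobject
    _next_hrobject += 1
    return BASE + urlencode({"candidate_hrobject": _next_hrobject})

# --- Hardened pattern: unguessable nonce bound to the address, single use, TTL ---
PENDING = {}  # nonce -> (email, expires_at); constructed in-memory store

def issue_confirmation(email, ttl_seconds=3600, now=None):
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)  # 256 bits of entropy, not a counter
    PENDING[nonce] = (email, now + ttl_seconds)
    mac = hmac.new(SECRET_KEY, f"{nonce}|{email}".encode(), hashlib.sha256).hexdigest()
    return BASE + urlencode({"n": nonce, "e": email, "m": mac})

def confirm(nonce, email, mac, now=None):
    """True only for an untampered, unexpired, never-before-used link."""
    now = time.time() if now is None else now
    expected = hmac.new(SECRET_KEY, f"{nonce}|{email}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # address or nonce altered in transit
    entry = PENDING.pop(nonce, None)  # pop: a link can be redeemed once
    return entry is not None and entry[0] == email and now <= entry[1]

def parse_link(url):
    """Helper to read the query parameters back out of a generated link."""
    return dict(parse_qsl(urlsplit(url).query))
```

Note that the nonce alone already defeats guessing; the HMAC additionally stops an address swap inside an otherwise valid link, and the TTL and single-use pop limit the window in which a leaked link is useful.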
The SEC Consult post notes that some business processes assume people can be contacted by e-mail.
There’s an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team’s e-mail addresses – including personal addresses if you know them – and because those addresses can only be used once in SAP’s application, effectively prevent your people from applying for that job! Unless of course they whip up a new address …
The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®