Tuesday, August 20, 2013

Security Theater: Believing Screenshots

I heard a statement today that interested me greatly. I'll quote it directly for accuracy:

"Our auditors accept screenshots for proof of our licensing use, but not spreadsheets because spreadsheets can be manipulated."

Now that is an interesting proposal. Let's examine it.

No security is 100%. A control is only meant to raise the effort required to defeat it above what an attacker is willing to spend (I'm not going to discuss whether or not believable images can be created. If you've used the internet in the past decade, you already know that).

The assumption our unnamed auditor is making is that editing an image and making it believable is too much effort for someone to put in. Note that both artifacts are self-reported: neither a screenshot nor a spreadsheet carries anything the auditor can independently verify, so the only difference between them is the effort needed to alter one convincingly. Perhaps the auditor is right. If an attacker's options are to buy a proprietary library for $50 a year or to spend time zooming in and out in Photoshop, they might pay the money.

If their options are to spend a little time in Photoshop instead of buying Microsoft Office for hundreds of dollars, the attacker might be willing to put a little more time and effort into the project. Let's not mention the fact that most enterprise-level software sells for thousands or tens of thousands of dollars per year. The forger's effort stays roughly constant while the payoff scales with the license price, so suddenly the hourly rate might make it worthwhile.

My point is that the man in the picture was never going to be eaten by a shark, there are no spider-mice, and auditors should be a little more careful.