Andrews and Arnold has a facility whereby you can receive a warning email when you have logged in to one of their servers from what is supposedly a new, or unknown, unrecognised machine. This is a great security feature, and a laudable initiative.
This detection of ‘unrecognised’ or ‘unknown’ machines has to be done by recognising browsers, and the amount of information available to AA’s security system is limited. Their mechanism for detection uses IP addresses, however - for most users - IP address change. Even if you’re lucky enough, or unlucky enough, from the point of view of privacy, to have a static IP address, or, in the case of IPv6, a static prefix, then modern operating systems often mess around with IPv6 addresses, changing the low order bits regularly for privacy purposes.
The low order bits changing means that I cannot make any sense out of these alert emails at the detailed level of ‘who is that on my network’. If the high 64 bits are familiar then that is reassuring, if they are unfamiliar then there’s a huge problem if you have not been ‘away from home’, using another machine or your own machine is portable and was connected to an unfamiliar network.
This means that I am always getting false alarms from the system and I suspect that just such a phenomenon will cause some users to stop reading these emails as carefully as they should, or even worse just binning them, even doing so automatically. So false alarms are bad.
It’s worse than that. The junk that identifies the browser from the ‘user agent string’ contains a ragtag collection of names and version numbers of various software components deemed to be of importance. Software updates cause some of these to change, so the user agent string changes. For our purposes here, this kind of user agent string change means absolutely nothing but another source of a false alarm. There is no ‘new’ system just because there has been a software update. You’re the same person even though you have just had another birthday. As I just have - groan. Anyway, user agent strings are a fine false alarm generator.
This is not a manifesto advocating dropping the system and doing nothing. I think it’s valuable and the false alarms are a threat to its effectiveness, as users may turn off, or worst of all auto-bin the emails. They may start to regularly think ‘yeah yeah another one’ and miss genuine bad news alerts, especially with IPv6 addresses which are difficult to read and need to be read carefully.
I’m suggesting that IPv6 has become an added threat to the effectiveness of the system in many ways, some unexpected. How to sort out the problem?
Forgive my ignorance, but could cookies help? I don’t know anything much about such technology. Even if they are a cure-all for the current problems though, many users routinely reject cookies and a solution that does not reach these people is no good. I suppose perhaps a fix for that might be to explain in detail to users of varying levels of techno savvy what the issue is and why it would be a good thing to ‘please please genuinely agree in a willing and informed manner to accept this particular cookie’. Perhaps some users will not know how to change cookie settings though.
Aside from false alarms, another important improvement over the current system would be measures to reduce the chances of users just skimming over truly bad warning emails. One way would be by making alert emails easier to read and make any odd significant information stand out.
What about saying ‘IP address has changed’? Could whitelist addresses and have recorded info about your regular expected addresses, so the system remembers multiple legitimate addresses seen before. Or even have a system where you could submit a list of your regular, known prefixes and say ‘I do | do not have a static IPv4 address (or address block) | IPv6 prefix’ and give values and prefix lengths if any. You would also need to declare how many machines you use, in order to whitelist where you log in from, as one user being on multiple machines is not truly fundamentally evil. You should also be able to say whether or not each machine is portable or not or is multi-homed or not. If you have a dynamic IPv4 address then an address change is no surprise, so the email could explicitly tell you that. It’s quite a bit of code, just logic, a load of conditions to check, tests to apply and then appropriate specific multiple alert strings to be written into the text, to draw the user’s attention to what she/he should be looking at and what to be worried or not worried about.
Also, what about always zapping the low-order bits of every IPv6 address? Or at least making that an option? (Does the AA system already do this ?) That would be a huge step forward towards beating the false alarms.
One last thing: what about doing DNS ptr reverse lookups on the addresses? If the result is not a junk .arpa string or a fail then including the result in the email might help users interpret it and might help them recognise alerts that are truly bad, because they could perhaps look really suspicious when the DNS name is seen, and that could lead the user to read the whole alert more carefully.
What is the best way of helping a user to interpret an unknown IP address? Could a tool be made available to help users dig into an address they are not happy about, doing so without much clue being required?
Any suggestions / ideas generally?
One final question: this post is possibly more general in its relevance than only being about a system that A&A has. Do other organisations have exactly the same ‘new login’ warning system too?
