Delfigo Security - Strong Authentication

Identity and Authentication Blog

A Look At Security Behaviors

Google presented a compelling study examining security-related behaviors of "expert" security users (those with a set number of years of professional experience in the field) and of non-experts representing "typical" internet users. By surveying both groups, the Google team, which recently presented the paper at the Symposium On Usable Privacy and Security, compared not the effectiveness of one security technology against another, but the behavior and perception of security technologies across the two populations.

The results show that the two groups of users tended toward different security behaviors, but that both were concerned and acted on that concern. "the computer security experts seem, in some ways, to live in less fear of the dangers of the Internet than the non-expert population. In some cases this may just be an indication of how experts and non-experts fear different threats—perhaps the group of non-experts is more concerned about their old passwords being guessed or stolen and therefore change their passwords regularly, while the experts are worrying about having their passwords phished, and therefore are more likely to activate two-factor authentication" says Josephine Wolff for Slate in an article discussing the results of the study.

User behaviors, education and perception play a key role in broadly used security practices and technologies, regardless of how the population is segmented. The Google study shows that users are taking measures to protect themselves, but that doing so can look very different across individuals and groups. Arguably, users could collectively do more, but in order to meet their needs, security providers should arm themselves with a strong understanding of who is currently using what technology, and why.

 

Who Will Guard the Guards?

This week LastPass, a popular password manager that is often invoked in discussions around securing multiple passwords, announced it had detected suspicious activity on its network, saying: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

While many users consider their passwords completely secure with products like this, the specifics of the data the attackers may have accessed remind us that "Quis custodiet ipsos custodes?" is a relevant question and an important concept when considering security. Per-user salts and authentication hashes are exactly the material an attacker needs to guess master passwords offline, with no rate limit or lockout in the way, and password reminders narrow those guesses; that is why the advice that usually follows such a notice, change a weak or reused master password, matters here. Fortunately, LastPass had its guards in the right place at the right time, and the company published a Q and A for its users.
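To make the point concrete, here is an added illustration (not LastPass's code, and not its actual key-derivation scheme) of what a stolen (salt, authentication hash) pair lets an attacker do. The KDF, the round count, the record layout and the sample accounts are all assumptions constructed for the demo; the round count is kept deliberately low so it runs instantly, where a real deployment uses far more.

```python
import hashlib
import hmac
import os

ROUNDS = 2_000  # deliberately low for the demo; production round counts are far higher


def auth_hash(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Server-side verifier: PBKDF2-HMAC-SHA256 over a per-user salt (assumed scheme).
    The server stores only (salt, verifier), never a reversible form of the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds)


def enroll(master_password: str) -> dict:
    """What the server keeps for one account, i.e. the fields an attacker walks off with."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": auth_hash(master_password, salt)}


def verify(master_password: str, record: dict) -> bool:
    """Online login path: rate limits, lockouts and monitoring all apply here."""
    return hmac.compare_digest(auth_hash(master_password, record["salt"]), record["hash"])


def offline_guess(record: dict, candidates, rounds: int = ROUNDS):
    """Attacker's path once the record is stolen: the same derivation, but with no
    rate limit or lockout, only CPU time. Returns the first matching candidate or None."""
    for guess in candidates:
        if hmac.compare_digest(auth_hash(guess, record["salt"], rounds), record["hash"]):
            return guess
    return None


def crack_leak(leak: dict, wordlist) -> dict:
    """Run the wordlist against every leaked record. Each record has its own salt, so the
    derivation is redone per account: a salt does not stop guessing, it only stops one
    precomputed table from covering every user at once."""
    return {email: offline_guess(rec, wordlist) for email, rec in leak.items()}


# Constructed sample leak: one weak master password, one strong random one.
LEAK = {
    "alice@example.com": enroll("fluffy2015"),
    "bob@example.com": enroll(os.urandom(24).hex()),
}
# A reminder such as "cat's name plus year" is exactly the hint that seeds a wordlist.
WORDLIST = ["password", "letmein", "fluffy", "fluffy2014", "fluffy2015", "correct horse"]

if __name__ == "__main__":
    for email, recovered in crack_leak(LEAK, WORDLIST).items():
        print(email, "->", recovered or "not recovered")
```

The two knobs a provider controls are the cost of one derivation (the round count, or a memory-hard KDF) and whether users are pushed toward master passwords that do not appear in any wordlist; the knob the user controls is the second one.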

 

Why Don't Security Questions Work?

Security questions (sometimes referred to as "challenge" or "secret" questions) are widely used as a security enhancement for online account access. We know that these questions are vulnerable to social engineering, or simply to attackers guessing the answers, but a new study from Google examines exactly how and where they create problems. For example, if you have ever forgotten the answer to a hard question (even one you set up yourself), you are in good company: this happens to 40% of users who choose that strategy. The study includes further data points that show why security questions are less desirable, for both users and organizations, than transparent methods of strong authentication that do not share these weaknesses.

 

Are You Still Vulnerable to Heartbleed?

On the anniversary of Heartbleed, and the discussions it raised around security vulnerabilities and response strategies for all kinds of affected organizations, Fortune reports that 74% of Forbes Global 2000 companies are still vulnerable, having put off or ignored the relatively simple and well-documented fix. Citing a recent report by the security firm Venafi, Fortune's Robert Hackett outlines the steps required to fix the vulnerability and suggests that while many organizations released statements saying they would fix it, many have not. The fix is more than a patch: because the bug leaks server memory, a server that ran a vulnerable OpenSSL may have exposed its private key, so full remediation means upgrading OpenSSL (or applying a distribution's backported fix), generating new private keys, reissuing certificates and revoking the old ones, and resetting credentials that passed through the server while it was exposed. Skipping the later steps leaves a patched server that an attacker holding the old key can still impersonate.

Regardless of the complexity (or lack thereof) of performing the fix, organizations have to prioritize it and push it through what can be complex production release processes, while dedicating resources that are more often than not stretched thin. If organizations remain reactive instead of educating their teams and planning for the inevitable need to respond to new vulnerability reports and keep pace with security best practices, this pattern will continue, and organizations and their users will remain at risk.

 

Can Google's Password Alert Save Chrome Users From Themselves?

Last week Google released Password Alert, a Chrome extension intended to help users avoid phishing attacks and keep passwords safe by warning them when they enter their Google password on a non-Google site, whether on a phishing page or through password reuse. Whenever a Google password is typed into another website, Password Alert shows a message saying "Your Gmail password was just exposed to a non-Gmail page," and tells the user to change their Gmail password immediately. While many users would likely tell you they know the difference between a phishing site and the real thing, phishing continues to be a problem, and some of the most used and trafficked sites and apps are still targets. Says Andy Greenberg for Wired: "Phishing remains one of the most serious and intractable problems in information security, and is often the initial breach point for hacker schemes ranging from mass credit card harvesting to sophisticated, state-sponsored targeted attacks. Google estimates that as many as 45 percent of some well-crafted phishing emails can successfully trick users, and that 2 percent of all Gmail messages it sees are phishing attempts. A Verizon report published earlier this month found that a phishing campaign launched against a target corporation or agency can find a gullible user and gain an initial point of compromise within as little as 80 seconds."

It took just a day for a bypass to appear on YouTube, showing how a site can get around the tool by inserting a few lines of code. Google has since issued a patch.
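How can an extension recognise that you typed your Google password on some other site without itself storing that password in the clear? The added model below shows the general approach: keep only a salted hash of the protected password, and on each keystroke outside the trusted origin hash the tail of a short keystroke buffer and compare. This is an illustration written for this post, not Google's Password Alert code, whose internals differ; the trusted host list, the sample hosts and the typed strings are constructed.

```python
import hashlib
import hmac
import os


class ReuseDetector:
    """Keystroke-based detector for a single protected password (simplified model)."""

    def __init__(self, password: str, trusted_hosts, max_buffer: int = 200):
        self.salt = os.urandom(16)
        self.pw_len = len(password)      # stored so we know how much tail to compare (a trade-off)
        self.pw_hash = self._digest(password)
        self.trusted_hosts = set(trusted_hosts)
        self.max_buffer = max_buffer
        self.typed = ""                  # recent keystrokes, kept short and never persisted
        self.alerts = []                 # hosts where the protected password was typed

    def _digest(self, text: str) -> bytes:
        return hashlib.sha256(self.salt + text.encode()).digest()

    def on_keystroke(self, host: str, ch: str) -> bool:
        """Feed one typed character from `host`; returns True when an alert fires."""
        if host in self.trusted_hosts:
            self.typed = ""              # typing on the real login page is expected, not a leak
            return False
        self.typed = (self.typed + ch)[-self.max_buffer:]
        tail = self.typed[-self.pw_len:]
        if len(tail) == self.pw_len and hmac.compare_digest(self._digest(tail), self.pw_hash):
            self.alerts.append(host)
            self.typed = ""              # reset so one exposure does not alert on every further key
            return True
        return False

    def feed(self, host: str, text: str) -> bool:
        """Feed a whole string keystroke by keystroke; True if any keystroke alerted."""
        return any([self.on_keystroke(host, ch) for ch in text])


if __name__ == "__main__":
    det = ReuseDetector("hunter2!Correct", trusted_hosts={"accounts.google.com"})
    det.feed("accounts.google.com", "hunter2!Correct")        # legitimate login: no alert
    det.feed("login.example-bank.test", "bob@example.com")     # an address typed elsewhere: no alert
    det.feed("mail-google-verify.test", "hunter2!Correct")     # look-alike page: alert
    print(det.alerts)
```

Two design points follow from this. The detector holds a salted hash plus the password length, not the password, so a compromise of the extension's storage yields a guessing target rather than the secret. And the comparison is the easy part: whatever warning it raises is shown inside a page the attacker controls, so any page script can remove or cover it, which is why the alert also needs to reach somewhere the page cannot touch, such as the extension's own UI or a server-side notice.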

A Chrome add-on cannot by itself instill the kind of wariness and discipline that keeps users safe online. As this blog has previously discussed, increased awareness and education are needed, as opposed to tools that merely blunt a user's ability to compromise themselves unknowingly. Tools will always have weaknesses, and the better defense is more likely to be awareness of the dangers users face.

 

What Would It Take To Hack One of These?

Jeremy Epstein, a senior computer scientist at SRI International, recently published an article on Slate.com discussing the abysmal security of a touch-screen voting machine used by "dozens of local governments" in Virginia. While these machines have now been decommissioned, the article is one instance of what is most likely a widespread problem: it is probably a lot easier to hack into many of the machines we use day to day than we think or believe. In this case, a report by the Virginia Information Technologies Agency (VITA) found:

  • "The encryption key for the wireless connection is “abcde,” and that key is unchangeable.
  • The system hasn’t been patched since 2004.
  • The administrator password seems to be hardwired to “admin.” Because the system has a weak set of controls, it would be easy for someone to guess and then enter in the password.
  • The database is a very obsolete version of Microsoft Access and uses a very weak encryption key (“shoup”). There are no controls on changing the database. That means that someone could copy the voting database to a separate machine (which is easy to do given the weaknesses described above), edit the votes, and put it back. There are no controls to detect that the tampering occurred.
  • The USB ports and other physical connections are only marginally physically protected from tampering. Furthermore, there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant, given how severe the other problems are."

Again, this particular machine has been decommissioned, but it is hard to believe these types of issues don't exist elsewhere, which makes attacking critical functions (voting, in this case) something that doesn't take a high degree of skill, or even planning. What would one need to do to compromise the system described here? From the article:

  • "Take your laptop to a polling place and sit outside in the parking lot.
  • Use a free sniffer to capture the traffic, and use that to figure out the wireless connection password, which was “abcde.”
  • Connect to the voting machine over Wi-Fi.
  • If asked for a password, the administrator password is “admin.”
  • Download the Microsoft Access database using Windows Explorer.
  • Use a free tool to extract the hardwired key (“shoup”).
  • Use Microsoft Access to add, delete, or change any of the votes in the database.
  • Upload the modified copy of the Microsoft Access database back to the voting machine.
  • Wait for the election results to be published."

It is important to consider protecting our systems, and the technologies we use every day and take for granted, at their most basic levels. It can seem daunting to protect against some of the more sophisticated attacks that have recently made the news, but first we should look at our basic systems and make sure none of our passwords are still "admin".

 

18 Year Old Security Flaw Can Still Get Your Password

Cylance, a firm that has been working on a Windows security vulnerability for the past month and a half, has made public the details of an 18-year-old security hole that exposes users' usernames and passwords when a connection is redirected from HTTP or HTTPS to a malicious SMB server. "Cylance found no fewer than four Windows API functions that can be used to redirect a user from an HTTP or HTTPS connection to a malicious SMB server. The forced authentication makes it relatively easy to get hold of usernames and passwords, even if they are held in encrypted form. As well as Windows itself, other programs affected by the problem include AVG Free, Internet Explorer, Windows Media Player, BitDefender Free, TeamViewer, and Github for Windows" says Mark Wilson for betanews.com, in a post summarizing the findings. In practice the redirect points at a file:// URL or UNC path on the attacker's server; the Windows client opens it over SMB and authenticates automatically, handing over NTLM challenge-response material that can be cracked offline or relayed. That is the "forced authentication" the quote refers to, and why the credentials are at risk even though no plaintext password crosses the wire.
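The trigger is visible on the wire, which makes it something a proxy or IDS can flag. The check below is an added example, not Cylance's or betanews's code: it parses an HTTP response and reports a redirect whose Location is a remote file:// URL or a bare UNC path, while letting a local file:/// target and ordinary HTTPS redirects through. The sample responses are constructed; the header names and status codes are standard HTTP.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_status_and_headers(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def smb_redirect_target(raw: bytes):
    """Return the offending Location if this response redirects a client to SMB, else None."""
    status, headers = parse_status_and_headers(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    loc = headers["location"]
    if loc.startswith("\\\\"):                    # bare UNC path: \\host\share\...
        return loc
    parts = urlsplit(loc)
    if parts.scheme.lower() == "file" and parts.netloc:
        return loc                                # file://host/share: a remote target, hence SMB
    return None                                   # file:///C:/... is local; http(s) is not SMB


# Constructed sample responses; 203.0.113.0/24 is a documentation range.
SAMPLES = {
    "benign": b"HTTP/1.1 302 Found\r\nLocation: https://www.example.com/login\r\n\r\n",
    "unc": b"HTTP/1.1 302 Found\r\nLocation: \\\\203.0.113.7\\share\\update.exe\r\n\r\n",
    "file": b"HTTP/1.1 301 Moved Permanently\r\nLocation: file://203.0.113.7/share/update.exe\r\n\r\n",
    "local_file": b"HTTP/1.1 302 Found\r\nLocation: file:///C:/Windows/notepad.exe\r\n\r\n",
    "ok": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}


def scan(samples: dict) -> dict:
    """Map each sample name to its flagged Location, or None when nothing is wrong."""
    return {name: smb_redirect_target(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:10s} {'FLAG ' + hit if hit else 'ok'}")
```

Flagging the trigger is a detection stance; the mitigation that blunts the whole class, regardless of which API function is tricked, is to stop outbound SMB (TCP 139 and 445) at the network edge so that the client's authentication attempt never reaches an attacker on the internet.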

Microsoft will likely release a patch for this, and Wilson notes at least one available workaround at the close of his post, but the news adds to the growing urgency around using more than a username and password to authenticate. For those who use the same credentials across multiple sites, this should also serve as a wake-up call: if all you or your users use to authenticate is a username and password, or you use the same credentials across multiple sites, it is time to reconsider and begin using second- or multi-factor authentication to verify that users are who they say they are.

 

How Critical is Trust?

"Can we have expiring data based on time and need? Can an employee revoke access given to his company for his/her personal data once he leaves the company? Can the keys to the data be handed to the employee and not the employer?" These questions, posed by Deepak Jeevankumar in TechCrunch this week, draw attention to an important and often under-explored area of the security discussion: trust. Trusted entities (sites, providers, merchants...) have the ability not just to draw customers and users (many of whom may be fleeing compromised competitors), but to educate them and promote the secure practices that will make our online lives safer.

Threat-sharing networks, which provide an ongoing view into the threats facing, and the security of, the sites we rely on every day, are one technology that can help us get there. In addition, companies and organizations can take steps to establish and demonstrate trust while still maintaining the policies that protect them, making trust a two-way street.

Mr. Jeevankumar argues that shifting our way of thinking to focus more on trust, to innovate around it, and to focus on how it can change the dynamic and frustrating cycle we find ourselves in, will help us to have safer lives online.

 

Is 2 Factor Enough?

The value of a second factor when it comes to authentication has been widely discussed, here and across the media. A second factor when authenticating gives the user a second level of protection, which might be enough to stop many of the basic hacks sites and organizations have fallen victim to, where all that was needed to access a system was a valid set of user credentials.

The team messaging service Slack was hacked this week and, in response, added two-factor authentication. But that's not all it did: it also added a "password kill switch" feature, which allows an administrator to log out groups of users and require a password reset. Balancing user experience and security has also been discussed at length here, but Slack adding this feature suggests that security isn't always losing to ease of use anymore. The difference is that an administrator would use this feature when they suspect something might be amiss, so a heightened awareness of security and of potential risks is built into the response. That is different from simply adding complexity to password requirements, or even requiring a second factor, which affects all users. Slack's decision to add security that is responsive is a step beyond requiring two factors, in the right direction.
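What does a kill switch like that take to build? The sketch below is an added design illustration, not Slack's implementation: every session token carries the credential generation it was issued under, and the administrator revokes selected users by bumping their generation and marking them for a forced reset, so a stolen-but-valid session and a correct-but-compromised password both stop working in one step. The token format, the HMAC key and the team roster are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SECRET = os.urandom(32)  # server-side signing key (assumed; in practice held in a secret store)


@dataclass
class Team:
    name: str
    members: set
    generation: dict = field(default_factory=dict)  # user -> current credential generation
    must_reset: set = field(default_factory=set)    # users locked out until they pick a new password


def current_generation(team: Team, user: str) -> int:
    return team.generation.get(user, 0)


def issue_session(team: Team, user: str) -> str:
    """Mint a session token bound to the user's current generation."""
    body = f"{team.name}:{user}:{current_generation(team, user)}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def check_session(team: Team, token: str) -> tuple[bool, str]:
    """Signature first, then generation: a stale generation means the kill switch fired
    after this session was issued, so it is dead even though the signature is genuine."""
    parts = token.split(":")
    if len(parts) != 4:
        return False, "malformed"
    team_name, user, gen, tag = parts
    expected = hmac.new(SECRET, f"{team_name}:{user}:{gen}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if team_name != team.name or user not in team.members:
        return False, "unknown principal"
    if int(gen) != current_generation(team, user):
        return False, "session revoked"
    return True, "ok"


def kill_switch(team: Team, users=None) -> list:
    """Admin action: revoke every outstanding session for the chosen users (default: everyone)
    and require a new password before they are let back in. Returns who was affected."""
    targets = sorted(users if users is not None else team.members)
    for u in targets:
        team.generation[u] = current_generation(team, u) + 1
        team.must_reset.add(u)
    return targets


def login(team: Team, user: str, password_ok: bool) -> tuple[bool, str]:
    """After the kill switch, a correct old password is not enough to get a session."""
    if not password_ok or user not in team.members:
        return False, "bad credentials"
    if user in team.must_reset:
        return False, "password reset required"
    return True, issue_session(team, user)


def reset_password(team: Team, user: str) -> None:
    """Called once the user has chosen a new password; the bumped generation stays."""
    team.must_reset.discard(user)


if __name__ == "__main__":
    acme = Team("acme", {"alice", "bob", "carol"})
    alice_token = issue_session(acme, "alice")
    print("before:", check_session(acme, alice_token))
    print("killed:", kill_switch(acme, {"alice", "bob"}))
    print("after: ", check_session(acme, alice_token), login(acme, "alice", True))
    reset_password(acme, "alice")
    print("reset: ", login(acme, "alice", True)[0])
```

The generation counter is the whole trick: no session store has to be searched and purged, because every check compares the token's generation against the user's current one, and the counter only ever moves forward. Scoping it per user rather than per team is what lets an administrator target a suspicious group without logging out the entire organization.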

 
  • «
  •  Start 
  •  Prev 
  •  1 
  •  2 
  •  3 
  •  4 
  •  5 
  •  6 
  •  7 
  •  8 
  •  9 
  •  10 
  •  Next 
  •  End 
  • »


Page 1 of 11