The Financial Industry - Courts Try to Prove Reasonable Security

$1,901,269 is how much attackers were able to wire out of Experi-Metal’s Comerica bank account in the span of three hours. This was a phishing attack that caused damage to Experi-Metal Inc. (EMI)’s financial assets and raised the questions of liability and “What is reasonable security?”

The continuing court case is attempting to answer that question. Looking at the facts, although Comerica had authentication controls in place, such as secure token technology, there was still a user-created gap that allowed the attackers to gain access. An attack only needs access to happen.

Although Comerica was able to recover all but $560,000 of the funds, EMI is still pursuing its lawsuit, arguing that Comerica exposed EMI’s users to the phishing attack. Comerica, of course, contends that any EMI employee responsible for financial transactions should have recognized that the phishing site was a scam.

No decision on liability has yet been made in favor of either company. Although the contracts originally signed by the two companies favor Comerica Bank, the fact that the banking industry demands stronger authentication, and that Comerica therefore has easier access to advanced technologies, does not look good for the bank. It will be interesting to see how the case progresses in mid-November.

Full article: BankInfoSecurity.com

Authentication Adaptability: Survival is Key

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

As Charles Darwin put it so eloquently, facing change by adapting to it is how you survive. This translates easily to authentication and to the principles behind strengthening authentication to adapt to changing circumstances.

The idea is that change is inevitable and businesses will be weeded out according to their ability to adapt. With authentication and security this is an ongoing challenge facing businesses, in the form of regulatory compliance, authentication trends and ever-increasing attacks.

Although this is experienced across most industries, it is an especially pressing issue for the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. They also hold enormous amounts of personal information and data, making them prime targets for evolving attacks and identity theft.

Some of the more prevalent attacks include:

One adaptation example in the financial industry has been the popularity and increasing use of online banking. Although it is extremely convenient for end users, the question is how the financial industry will adapt its authentication to protect users’ extremely sensitive data on the internet.

To adapt, financial institutions follow the FFIEC guidance and implement multi-factor authentication and stronger authentication methods such as one-time passwords. The financial industry is required to maintain a high level of data protection and therefore leads the way in authentication and security. Reviewing the most targeted industries is a good way to understand where to set the bar for your own required level of data protection.

PortalGuard has Great Success at the 2010 SharePointPro Summit & Expo

Thanks for Stopping By!

We would first like to thank those of you who stopped by our booth at the SharePointPro Summit this year. It was fascinating to hear how SharePoint authentication and security is being handled, what specific requirements you are looking for, and how PortalGuard or Tailored Authentication could help with your SharePoint security needs.

If you did not have a chance to see us at the show, we encourage you to visit PortalGuard.com to see how PortalGuard can meet and exceed your security objectives. PortalGuard is supported on multiple platforms including Microsoft SharePoint/IIS, IBM WebSphere/WebSphere Portal, and Lotus Domino.

PortalGuard:

PortalGuard is an authentication and security solution that allows end users to securely authenticate and manage their portal login credentials directly from a Web browser, while providing administrators with functionality to meet or exceed their security objectives. With PortalGuard, administrators can implement best practices for ensuring stronger and consistently secure authentication.

Extensible Authentication Framework:

Many of our customers implement our standard Password Power plug-ins; the authentication software framework offers robust functionality and feature-rich security, access control, and password management.

But for those customers who have a unique user base, organizational complexities, specific security and compliance requirements, or multiple and diverse applications, our expert professional services and development team will develop a solution adapted to their environment and delivered within the framework of our standard Password Power software product, including ongoing technical support.

PistolStar Brings PortalGuard to the SharePointPro Summit & Expo


PistolStar Brings PortalGuard to the SharePointPro Summit & Expo on March 17th & 18th, in Las Vegas!

Come stop by booth #508 for more information on:

PortalGuard:

PortalGuard is an authentication and security solution that allows end-users to securely authenticate and manage a portal password directly from a Web browser, while providing administrators with functionality to meet or exceed their security objectives. With PortalGuard, administrators can implement best practices for ensuring stronger and consistently secure authentication.

Security & Auditing:

  • One-Time Password - stop being vulnerable to replay attacks
  • Limit multiple concurrent logon sessions - prevent multiple users from logging in with the same set of credentials
  • Define strike-out limits by person, group or hierarchy – Alerts are emailed when strike-out limits are exceeded
  • Lockout inactive users after “n” days – Identify and stop access to dormant user accounts

 Help Desk and End-User Productivity:

  • Self-service Active Directory password reset via challenge question/response — Highly configurable and secure!
  • Prove your identity to the help desk - by providing highly configurable challenge question and answer functionality

 Services:

  • Tailored Authentication - we deliver a product that will fit precisely with your environment
  • Excellent Customer Service - receive support directly from the developers
  • Easy deployment — let us take you by the hand


† Fully supports & enhances multiple platforms and portals — IBM Lotus Domino (AIX, Solaris, Windows, System i, Linux), IBM WebSphere/WebSphere Portal, and Microsoft SharePoint

For more information please visit: PortalGuard.com

The Trojan Horse: Sneaking Past Your City Walls

For centuries the Trojan horse was a weapon of war, a historical piece of trickery and deceit used to bring down the city of Troy. In this century, when you search for the term Trojan horse, the first result to appear is about the technology version. As many of us know, malware is short for malicious software, and Trojan horse programs are one of the vehicles by which it obtains unwanted access. These carriers are great at disguise and trickery, and at breaking down the walls around your personal identity and even your finances.


Recently a new Trojan horse program has appeared and has many concerned. Trojan horses, as many of us know, are invasive, but this one goes beyond that, specifically targeting financial institutions and Internet Explorer users. The new name to fear: W32.Silon. Silon can intercept Internet Explorer sessions and steal credentials. Many describe this attack as two-headed: the generic Trojan horse approach to all applications, and then the financial focus.


When it comes to logging on to your bank account online, that is when to watch out. The Silon Trojan inserts itself between the user and token-protected financial sites, putting up a façade that looks like the normal login screen. It then transmits your credentials, including the freshly entered one-time code, to the attackers, who can use them while the code is still valid to get at your financial data and reap the rewards. What is clear about this attacker is that it follows and changes with authentication trends. As authentication techniques become more advanced, attacks become more sophisticated. Silon is a prime example: it defeats two-factor authentication not by replaying a code later but by relaying it in real time, which is exactly the case a one-time password on its own does not cover. Bank accounts beware!


For more information check out these links:

http://en.wikipedia.org/wiki/Malware

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

http://in.sys-con.com/node/1162320

Attacks Need Access to Happen: Yahoo Users Beware

Recently thousands of attacks have been occurring against Yahoo Mail and its users, and that is from just one proxy that has been monitored. Brute-force attacks are being used to steal users’ credentials and access their email accounts to send spam. With authentication trends pointing to more hackers and more phishing attacks, it is no wonder this is a hot topic. Attacks need access to happen, and with the growing number of access points to data, it is no wonder attacks are increasing as well.

The main login page for Yahoo Mail is protected against brute-force attacks, in which hackers keep guessing credentials until they find a match, usually with an automated script that cycles through usernames and passwords. Yahoo’s login page uses mechanisms such as:

  • Strike-out limits – the user is prompted to enter a CAPTCHA after failing to enter correct credentials “n” times.
  • No indication of which credential was incorrect – the error page following a failed login attempt does not tell the user whether the username or the password was wrong.


These mechanisms have been working to protect Yahoo Mail users. The recent credential theft happened through a service application outside of Yahoo Mail. In this API access point, hackers saw an open door.

This API is meant for ISPs and third-party Web applications, but it does not enforce the same authentication mechanisms as Yahoo Mail, such as anti-automation defenses. There are no strike-out limits or CAPTCHAs, and the error page specifies which part of the credential was entered incorrectly. Hackers quickly figured out how to hammer this application with attacks, daily.

Further investigation found that hackers were trying something different. Brute-force attacks are usually aimed at the highly visible Web interface, but this application was not meant for end users at all; it simply validated authentication credentials, which made it an ideal oracle for guessing.
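To make the contrast concrete, here is an added example (not code from the original post or from Yahoo) of two toy credential checkers: one behaving like the API described above, one behaving like the main login page. The user store, the wordlist, the hypothetical class names and the limit of five strikes are constructed for this illustration.

```python
"""Added example, not code from the original post or from Yahoo: two toy
credential checkers contrasting the behaviour the post attributes to the
third-party API (no strike-out limit, error says which part was wrong)
with the behaviour of the main login page (strike-out limit, uniform
error). The user store, the wordlist and the limit of 5 are constructed
for this illustration."""
import hashlib
import hmac
from collections import defaultdict

SALT = b"constructed-salt"          # one shared salt keeps the example short;
                                    # real stores use a per-user salt and a
                                    # slow hash (bcrypt/scrypt/Argon2)


def _digest(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode()).digest()


# Constructed sample accounts: username -> password digest
USERS = {
    "alice": _digest("correct horse battery staple"),
    "bob": _digest("hunter2"),
}
_DUMMY = _digest("dummy")           # compared against for unknown users

# Constructed attacker wordlist; the real password sits at position 7
WORDLIST = ["password", "123456", "letmein", "qwerty",
            "abc123", "welcome", "hunter2", "monkey"]


class LeakyLogin:
    """Like the API in the post: unlimited attempts, and the failure
    message reveals whether the username or the password was wrong."""
    def login(self, username: str, password: str):
        if username not in USERS:
            return False, "unknown user"
        if not hmac.compare_digest(_digest(password), USERS[username]):
            return False, "wrong password"
        return True, "ok"


class HardenedLogin:
    """Like the main login page: per-account strike-out limit and one
    generic failure message. After `strike_limit` failures the account
    is locked (where the post's page would demand a CAPTCHA instead)."""
    def __init__(self, strike_limit: int = 5):
        self.strike_limit = strike_limit
        self.failures = defaultdict(int)

    def login(self, username: str, password: str):
        if self.failures[username] >= self.strike_limit:
            return False, "locked"
        # Always run one comparison so unknown and known usernames take the
        # same time; a timing difference would leak what the message hides.
        expected = USERS.get(username, _DUMMY)
        match = hmac.compare_digest(_digest(password), expected)
        if username in USERS and match:
            self.failures[username] = 0
            return True, "ok"
        self.failures[username] += 1
        return False, "invalid username or password"


def enumerate_users(service, candidates):
    """Attacker's view: candidate usernames confirmed to exist. Works only
    when the service distinguishes the two failure cases."""
    return [name for name in candidates
            if service.login(name, "not-the-password")[1] == "wrong password"]


def brute_force(service, username: str, wordlist):
    """Attacker's view: run a wordlist against one account. Returns the
    password found (or None) and how many requests were sent."""
    for attempt, guess in enumerate(wordlist, 1):
        ok, msg = service.login(username, guess)
        if ok:
            return guess, attempt
        if msg == "locked":
            return None, attempt
    return None, len(wordlist)


if __name__ == "__main__":
    print(enumerate_users(LeakyLogin(), ["alice", "bob", "carol"]))     # ['alice', 'bob']
    print(enumerate_users(HardenedLogin(), ["alice", "bob", "carol"]))  # []
    print(brute_force(LeakyLogin(), "bob", WORDLIST))                   # ('hunter2', 7)
    print(brute_force(HardenedLogin(), "bob", WORDLIST))                # (None, 6)
```

Against the leaky checker, enumerate_users confirms which accounts exist from the error text alone and brute_force walks the whole wordlist until it hits the password; against the hardened one, every failure reads the same and the account locks after five strikes, so the wordlist never reaches the real password. A real deployment would keep the failure counter in shared storage so that spreading the attempts across many servers, as the post notes attackers have learned to do, still runs into the limit.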

To fight these attacks, the Web Application Security Consortium’s Distributed Open Proxy Honeypot Project was created. By routing attackers through the project’s proxy servers, the suspects can be monitored. It is a great idea, but it has multiple phases of implementation, the first of which started in 2007.

Yahoo has hundreds of servers, and attackers are learning to spread their attacks across many of them. With current authentication mechanisms and projects, IT professionals are attempting to reduce attacks. Of course we all have to look at the overwhelming problem: users require multiple access points on a daily basis, and every access point opens a door for attacks. This will definitely be an ongoing dilemma.


Cloud Computing: The “Greener” Solution for Government

Visiting apps.gov out of curiosity about what exactly cloud computing is, I came across a video showing the new plans the government has in store. Typically known as a huge, overwhelming IT “creature”, the government is planning to change its ways with regard to IT systems.

Currently the government runs hundreds of systems, unique applications and environments all across the globe, each with a large IT infrastructure supporting it as a separate entity. What is now being looked at more closely is that some of these large systems duplicate work that many other systems also perform, such as email.

U.S. CIO Vivek Kundra is on board with consolidating these massive infrastructures to cut down on the serious carbon footprint they leave behind. By combining services and using the same infrastructure for multiple environments, the government is attempting to cut costs.

Of course, the question is whether it will work. The hope is for lower maintenance costs, less staff to maintain it, and a greener solution. The government is currently showing the greatest concern about security, privacy, and procurement. It is also a giant system with many legacy applications that many predict will not go away.

If anything is to change it won’t be fast, and it will be almost like a case study the government can attack from all angles. The main question this raises is: if the government can do it, why can’t we? Although most of us already rely on external IT infrastructure, it would be interesting to see what would happen if everyone was on board with cloud computing.

Learn more: Apps.gov

Portable Devices: Be Careful Where You are Storing Your Information

160,000 portable devices are left behind in Chicago taxicabs every year. Although this seems like a random fact, it should be a rude awakening for those of you whose portable devices contain almost all of your business and personal information. Just imagine for a minute that you lose your BlackBerry in the airport. Would you panic?

Nowadays portable devices hold an amazing amount of information and act almost like small computers for business professionals out of the office. Stored information can include:

  • Social Security Numbers
  • Emails
  • Website Credentials
  • Passwords
  • Company Planning and Contacts
  • Confidential customer and/or company information

With all of this information being stored on these small portable devices, it is becoming a big concern. Many businesses have started to implement mobile device security plans, and seem less concerned with the cost of the device than with the cost of losing and/or recovering the information.

In the article “Lost BlackBerry? Data Could Open a Security Breach”, a few cases of lost devices caught my attention:

  • A device that contained the personal numbers of members of Congress
  • Losing a device in O’Hare airport
  • Having it stolen out of your car
  • Selling it on eBay without remembering to delete all of the data

All of these cases are extremely dangerous to the owner of the device and the information inside. There are cases where laws become involved as well. For instance, if a doctor loses a BlackBerry containing patient information, it does not only affect the owner of the device: in the healthcare industry it can violate the Health Insurance Portability and Accountability Act, and for financial and public companies a similar loss could easily violate the Sarbanes-Oxley Act.

To combat these issues, certain techniques have been created, such as:

  • Biometrics
  • Passwords (only if enabled by the user)
  • Remote data deletion (only works if the device is powered on and can reach the network)

All of these techniques have benefits and downsides. Remote wipe in particular cannot reach a device that is switched off or out of coverage, so encrypting the stored data is what actually protects it in the meantime. It is clear that the data on these devices needs to be protected as though they were any other computer. It is important to understand what the implications of losing a device are, and whether the company is ready to handle any such issues.

What is a Domino Web Server Configuration Database?: DOMCFG.NSF Demystified

September 1, 2009 by Larry Conroy

Whether you realize it or not, accessing a protected resource or web page hosted by a Domino server more than likely involves a login form that is stored in and served from a domcfg.nsf.

Let’s start by breaking down the name domcfg.nsf. The beginning, domcfg, is short for Domino Web Server Configuration, and .nsf is the filename extension Domino uses for a Notes Storage Facility, or database for short.

The login screen that prompts for and accepts the username and password which, if correct, grants access to the requested resource is created and configured in domcfg.nsf. IBM Lotus Domino provides a default HTML login form in domcfg that lets the user enter a name and password. The power of domcfg is most notable when the form is customized to contain additional information.

Custom forms can be created within domcfg by copying, renaming and altering the default form. Customizing the form (the visual displayed to the end user when logging in) results in a login window that can be very impressive and can make or break the web site it protects. A single domcfg can parent the login page for an entire web server or for multiple individual web sites on the server, including custom graphics that complement the look and feel of each site.

The form customization utilities are powerful enough to take username and password values from a cookie transmitted as part of the authentication attempt. This allows “Single Sign On” to the Domino server, eliminating the need to prompt the end user for credentials and waste their time. Because such a cookie carries the user’s credentials, it should only ever be sent over HTTPS.

Additionally, domcfg.nsf allows developers to customize the error messages for failure and session-timeout events that may occur during the login session. Functionality such as a button, and the code behind it, to help a user reset a forgotten password can also be added to the form.

All of the customizable functionality available within the domcfg.nsf database makes it a valuable tool for any web site hosted on a Domino server.

What is a One Time Password and How Can it be Useful?

A One Time Password (OTP) is a password that is valid for only a single session or transaction. It eliminates the need to save or remember any passwords, and it provides stronger security than a static password because a captured OTP cannot be reused once it has been consumed or has expired. It does not, by itself, stop an attacker who captures the code and uses it in real time before the legitimate user does, which is why it should be paired with protections on the session and the transaction.

Implementing OTP does, however, require additional technology to provide a fresh OTP each time authentication is required. The password is usually a string of digits generated by one of several algorithms and distributed by one of several hardware technologies. This article describes some of the more prevalent algorithms and distribution technologies.

Generation algorithms rely on unpredictability so that the next One Time Password cannot be determined from earlier ones. Several algorithms exist:

  • Mathematical algorithms based on the previous password: a random seed is passed to a one-way function that generates a password, and that password is in turn used as the seed for the next one. In practice the chain is consumed in reverse order (as in S/KEY), so that a captured password does not reveal the one that follows it.
  • Time synchronization (OTPs are valid only for a short period): the OTP is tied to a physical hardware token whose accurate clock has been synchronized with the clock on the authentication server, and password generation and acceptance are based on the current time.
  • Time-synchronized challenge: the end user enters a time-synchronized challenge value into the token device in order to produce the OTP used to authenticate.

A number of technologies exist for delivering the OTP to the end user:

  • Physical tokens/devices that generate a One Time Password, usually in the form of a credit-card-sized card or a key fob.
  • More prevalently, an authentication server that sends the OTP to the user’s PDA or cell phone.

OTP requires additional technology and equipment, but the increased security makes it more than worthwhile in the long run.
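The time-synchronized algorithm described above, the replay protection an OTP gives, and the real-time relay that the Silon post earlier on this page describes, as an added example that is not code from the original posts or from PortalGuard. It implements an HMAC-based OTP in the style of RFC 4226 (HOTP) and its clock-driven form in the style of RFC 6238 (TOTP), a server-side verifier that never accepts the same code twice, and a transaction-bound variant. The shared secret, the 30-second step, the sample transactions and the `extra` parameter are constructed for this illustration (`extra` is not part of either RFC).

```python
"""Added example, not code from the original post or from PortalGuard: an
HMAC-based OTP in the style of RFC 4226 (HOTP), its time-synchronized form
in the style of RFC 6238 (TOTP), a server-side verifier that refuses to
accept a code twice, and a transaction-bound variant. The shared secret,
the 30-second step, the sample transactions and the `extra` parameter are
constructed for this illustration (`extra` is not part of either RFC)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"   # provisioned into token and server
STEP = 30                               # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS, extra: bytes = b"") -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    31 bits, then `digits` decimal digits. `extra` (an assumed extension)
    mixes transaction details into the message so the code verifies only
    for that exact transaction."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, extra: bytes = b"") -> str:
    """Time-synchronized OTP: HOTP with the counter derived from the clock."""
    return hotp(secret, now // step, extra=extra)


class OtpVerifier:
    """Server side. Accepts the code for the current step or `drift` steps
    either side (clock skew), and remembers the newest step it accepted so
    the same code is never accepted twice, even inside its validity window."""
    def __init__(self, secret: bytes, step: int = STEP, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_accepted = -1

    def verify(self, code: str, now: int, extra: bytes = b"") -> bool:
        current = now // self.step
        for t in range(current - self.drift, current + self.drift + 1):
            if t <= self.last_accepted:
                continue                         # step already consumed: replay
            if hmac.compare_digest(hotp(self.secret, t, extra=extra), code):
                self.last_accepted = t
                return True
        return False


def replay_scenario(now: int):
    """A captured code used again: accepted once, rejected in the same step,
    rejected long after expiry."""
    server = OtpVerifier(SECRET)
    code = totp(SECRET, now)
    first = server.verify(code, now)
    same_step = server.verify(code, now + 5)
    much_later = server.verify(code, now + 10 * STEP)
    return first, same_step, much_later


def relay_scenario(now: int):
    """Man-in-the-browser (the Silon pattern): the malware shows a fake login,
    takes the freshly typed code and forwards it to the real site seconds
    later. A plain time-based verifier cannot tell relay from honest use.
    Hashing the transaction (amount and payee) into the OTP input makes the
    relayed code useless for the attacker's own wire."""
    user_txn = b"EUR 100.00 to ACCT-123"        # constructed sample transactions
    attacker_txn = b"EUR 99999.00 to ACCT-666"

    plain = OtpVerifier(SECRET)
    relayed_plain = plain.verify(totp(SECRET, now), now + 2)

    bound = OtpVerifier(SECRET)
    code = totp(SECRET, now, extra=user_txn)      # token signs what the user saw
    relayed_bound = bound.verify(code, now + 2, extra=attacker_txn)
    honest_bound = bound.verify(code, now + 2, extra=user_txn)
    return relayed_plain, relayed_bound, honest_bound


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))   # 755224 (RFC 4226 test vector)
    print(replay_scenario(1_700_000_000))     # (True, False, False)
    print(relay_scenario(1_700_000_000))      # (True, False, True)
```

The verifier's last_accepted bookkeeping is what turns "valid for a short period" into "valid once": within the step the code still computes correctly, but the step has been consumed. The relay scenario shows the limit of that guarantee, and why transaction signing (the token including amount and payee in what it signs, so the user sees what they are approving) is the usual answer for a man-in-the-browser rather than a shorter step.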
