The Financial Industry - Courts Try to Prove Reasonable Security

$1,901,269 is how much attackers were able to wire out of Experi-Metal’s Comerica bank account in the span of three hours. This phishing attack caused damage to Experi-Metal Inc. (EMI)’s financial assets and raised the questions of liability and “What is reasonable security?”

The continuing court case is attempting to answer that question. Looking at the facts, although Comerica had authentication policies in place, such as secure token technology, there was still a user-created gap which allowed the attackers to gain access. An attack only needs access to happen.

Although Comerica was able to recover all of the funds except $560,000, EMI is still pressing charges, saying that Comerica exposed EMI’s users to the phishing attack. Comerica, of course, is implying that any EMI employee responsible for financial transactions should have recognized that the phishing site was a scam.

The decision has still not been made in favor of either company in terms of liability. Although the contracts originally signed by the two companies favor Comerica Bank, the fact that the banking industry demands stronger authentication, and that Comerica therefore has easier access to advanced technologies, does not look good for them. It will be interesting to see how the case progresses in mid-November.

The full article is available on BankInfoSecurity.com.

Issues in Compliance for Instant Messaging

October 12, 2009 by Kimberly Johnson · Comment
Filed under: IT Security, compliance 

Compliance is always a large concern, especially with attacks and data breaches increasing. It is important to understand the industry and regulatory requirements that need to be enforced within your corporation and security environment. One area that experts are beginning to see as an issue is instant messaging. This is a communication method that is hard to regulate and record, which can pose problems for industries with strict compliance standards.

In a recent article by Dmitry Shapiro, CTO at Akonix Systems, Inc., “Instant Messaging and Compliance Issues: What You Need To Know”, the issues that are becoming ever present with IM are discussed. The main issue is the sheer volume of users on these IM systems, totaling in the hundreds of millions. That is not to mention what IT managers are most afraid of: the public IM systems, such as AOL Instant Messenger and Yahoo Messenger.

Although IM is a functional tool for communication, there are key areas that raise a lot of concern for compliance:

- Record Retention
- Information Security
- Theft
- Copyright Infringement

These issues grow with the number of users and the amount of information on these systems. With public IM services, the control a manager would have over an internal system is taken away. Tasks such as auditing, logging, and deleting records all become problems when the manager cannot oversee the whole system and the web of IMs being created.

Without compliance and monitoring, the one thing that is apparent is that risk will increase. Shapiro says that the main issues to watch for are:

- Organization of records
- Retention of records
- Tamper-proof records
- Record retrieval
- Off-site copies

And many more…

With such acts as the Sarbanes-Oxley Act, HIPAA, and GLBA, the ability to control, monitor, protect, and delete records is essential. These regulations require IT managers to remain compliant and come up with ways to monitor their users’ IM behavior. If this is not done, IMs will be a strong source of theft and cybercrime.

Common Password Attacks: Do You Know How They’ll Steal Your Password?

Just as we have multiple ways to secure our passwords, hackers have multiple ways to steal them right out from underneath us. Passwords are so valuable to us that some can hardly imagine letting one slip into the wrong hands. So the main question is: how do you protect yourself?

The key is being aware of what types of attacks are able to steal your password, and understanding what precautions to take. In a recent article by InfoWorld, “Prepare for the Next Password Attack”, the most popular attacks were listed, so that awareness is possible.

Authentication Bypassing – just like it sounds, it bypasses password security altogether
Password Guessing – hackers attempt to guess credentials by testing large numbers of passwords until the correct one is found. This is usually automated.
Password Sniffing – picks up plain-text passwords sent over a network
Keystroke Logging – records what users physically type when logging on by capturing keystrokes
Hash Cracking – after bypassing controls to get into an authentication database and steal the stored credential hashes, recovers the passwords from those hashes
Credential Replaying – replays a stolen password over a network
Social Engineering – this includes over the phone, in person, and other non-technical ways that someone can steal your password

This article does a great job of outlining the common attacks on passwords. With all of this attack talk it is almost frightening to have passwords at all. Putting up defenses is the best way to prevent these attacks, and, as said before, so is being aware of them. By enforcing strong authentication mechanisms and password policies, it is possible to never experience a successful attack. Just remember: knowledge is power.

Attacks Need Access to Happen: Yahoo Users Beware

Recently thousands of attacks have been occurring involving Yahoo Mail and its users, and that is just from one proxy that has been recorded. Brute force attacks are being used to steal users’ credentials and access their email accounts to conduct spamming attacks. With authentication trends showing an increase in hackers and phishing attacks, it is no wonder this is a recent hot topic. Attacks need access to happen, and with the growing number of access points to get to data, it is no wonder attacks are increasing as well.

The main login page for Yahoo Mail is protected against these brute force attacks, in which hackers just keep trying to guess credentials until they are able to steal them. Usually they implement an automated script that cycles through passwords and names until finding the correct match. Yahoo uses mechanisms such as:

  • Enforcing strike-out limits – the user is prompted to enter a CAPTCHA after failing to enter their credentials “n” number of times.
  • Not specifying which credential was incorrect – the error page following an incorrect login attempt does not tell the user which part of their credentials, the username or the password, was wrong.

These mechanisms have been working to protect Yahoo Mail users. The recent attacks and credential theft happened through a service application outside of Yahoo Mail. With this API access point, hackers saw an open door.

This API is meant for ISPs and third-party Web applications, but it does not enforce the same authentication mechanisms as Yahoo Mail does, such as anti-automation defenses. There are no strike-out limits or CAPTCHAs, and the error page specifies which part of the credential was entered incorrectly. Hackers quickly figured out how to hammer this application with attacks, daily.
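
As an added illustration of the two defenses described above (written for this page; it is not Yahoo’s code and does not come from the source article), the following Python sketch puts a login handler that enforces a strike-out limit and a non-revealing error message next to an API-style handler that has neither. The user store, the strike limit of three, and the CAPTCHA step are constructed stand-ins.

```python
"""Added example: strike-out limits and non-revealing login errors.
Everything here (user store, strike limit, CAPTCHA step) is a constructed
stand-in; it is not Yahoo's code or any real service's implementation."""
import hashlib
import hmac
import secrets

STRIKE_LIMIT = 3  # "n" failed attempts before a CAPTCHA is demanded (assumed value)


def _store(username, password):
    """Constructed credential record: per-user salt plus a salted SHA-256 digest."""
    salt = secrets.token_bytes(16)
    return username, (salt, hashlib.sha256(salt + password.encode()).digest())


USERS = dict([_store("alice", "correct horse"), _store("bob", "hunter2")])


def _password_ok(username, password):
    """Compare a candidate password in constant time against the stored digest.
    Unknown usernames still cost one hash so that timing does not reveal
    which usernames exist."""
    rec = USERS.get(username)
    if rec is None:
        hashlib.sha256(b"\x00" * 16 + password.encode()).digest()
        return False
    salt, digest = rec
    return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)


class HardenedLogin:
    """Web-interface style handler: failures are counted per username, the
    CAPTCHA gate closes after STRIKE_LIMIT failures, and the error message is
    the same whether the username or the password was wrong."""

    GENERIC_ERROR = "invalid username or password"

    def __init__(self):
        self.failures = {}

    def attempt(self, username, password, captcha_solved=False):
        if self.failures.get(username, 0) >= STRIKE_LIMIT and not captcha_solved:
            return "captcha_required"
        if _password_ok(username, password):
            self.failures.pop(username, None)  # success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return self.GENERIC_ERROR


class WeakLogin:
    """API-style handler as the post describes it: no strike-out limit, no
    CAPTCHA, and an error that says which part of the credential was wrong."""

    def attempt(self, username, password):
        if username not in USERS:
            return "unknown username"
        if not _password_ok(username, password):
            return "wrong password"
        return "ok"


def guesses_until_gated(handler, username, guesses):
    """Count how many wrong guesses a handler answers with a plain error before
    it demands a CAPTCHA; None means it never gates. Used to verify the defense."""
    for i, guess in enumerate(guesses, start=1):
        if handler.attempt(username, guess) == "captcha_required":
            return i - 1
    return None
```

In a real deployment the failure counter would be persisted and keyed to both the account and the requesting source, and the same generic message and gate would be applied to every authentication endpoint, including ones meant for partners rather than end-users, which is exactly the gap the post describes.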

With further investigation it was found that hackers were trying something different in their attacks. Usually these brute force attacks are aimed at the highly visible Web interface, but this application was not for end-users; it just helped validate authentication credentials.

To fight these attacks, the Web Application Security Consortium’s Distributed Open Proxy Honeypot project is being created. By getting attackers to push through the project’s proxy server, the suspects can be monitored. It is a great idea, but one with multiple phases of implementation, which started in 2007.

Yahoo has hundreds of servers, and attackers are learning to spread their attacks across a breadth of them. With current authentication mechanisms and projects, IT professionals are attempting to reduce attacks. Of course we all have to take a look at the overwhelming problem: users require multiple access points on a daily basis, and access opens the door for attacks. This will definitely be an ongoing dilemma.

What is a One Time Password and How Can it be Useful?

A One Time Password (OTP) is a password that is only valid for a single session or transaction.  This technology eliminates the need to save or remember any passwords.  It provides stronger security than a static password because after it has been captured, the intruder will not be able to use it.

Implementation of OTP does however require additional technology to provide an OTP each time authentication is required.  The password is usually a long string of digits generated by a variety of algorithms and distributed by several hardware technologies.  It is the intent of this article to describe some of the more prevalent algorithms and distribution technologies.

Generation algorithms rely on randomness to prevent anyone from determining the next One Time Password.  Several algorithms exist:

  • Mathematical algorithms based on the previous password: a random seed is passed to a function that generates the password, and that password is then used as the seed for the next password generation.
  • Time synchronization (OTPs are only valid for a short period of time): the OTPs are tied to a physical hardware token whose accurate clock has been synchronized with the clock on the authentication server; password generation and acceptance are based on the current time.
  • Time Synchronized Challenge: the OTP is based on the end-user inputting a time-synchronized value into the token device in order to be authenticated.
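
The three algorithm families above, as an added example written for this page rather than taken from any OTP vendor’s product: a hash-chain scheme in which each accepted password is the seed for the next (the Lamport/S/KEY idea), a time-synchronized code computed from a shared secret and the current time window (the same construction TOTP in RFC 6238 uses, here with HMAC-SHA-256), and a time-synchronized challenge in which the server’s challenge is mixed into that same computation. The seed, shared secret, chain length and 30-second step are assumed values.

```python
"""Added example (not from any OTP vendor): the three OTP families in Python.
Seeds, secrets, chain length and the 30-second step are assumed values."""
import hashlib
import hmac
import struct


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# 1. Hash chain: password_i = h^(n-i)(seed). The server keeps only the last
#    accepted value and checks that h(candidate) equals it, so each password
#    is the seed of the next and a captured one cannot be replayed.
class HashChainServer:
    def __init__(self, seed: bytes, n: int):
        self.remaining = n
        self.current = seed
        for _ in range(n):          # store h^n(seed), never the seed itself
            self.current = _h(self.current)

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False            # chain exhausted: re-enrol with a new seed
        if hmac.compare_digest(_h(candidate), self.current):
            self.current = candidate
            self.remaining -= 1
            return True
        return False


def chain_password(seed: bytes, n: int, i: int) -> bytes:
    """Client side: the i-th one-time password (1-based) of an n-long chain."""
    value = seed
    for _ in range(n - i):
        value = _h(value)
    return value


# 2. Time synchronization: token and server share a secret and a clock; the
#    code is an HMAC over the current 30-second window, truncated to digits.
def _truncate(mac: bytes, digits: int) -> str:
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_otp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    window = struct.pack(">Q", now // step)
    return _truncate(hmac.new(secret, window, hashlib.sha256).digest(), digits)


# 3. Time-synchronized challenge: the server issues a challenge that the user
#    keys into the token; the token mixes it into the same time-windowed HMAC.
def challenge_otp(secret: bytes, challenge: bytes, now: int,
                  step: int = 30, digits: int = 6) -> str:
    window = struct.pack(">Q", now // step)
    return _truncate(hmac.new(secret, challenge + window, hashlib.sha256).digest(), digits)


def verify_windowed(expected_fn, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window and `skew` neighbours on each side to
    tolerate clock drift between token and server; compare in constant time."""
    return any(
        hmac.compare_digest(expected_fn(now + k * step), code)
        for k in range(-skew, skew + 1)
    )
```

The hash chain needs no clock but is finite and must be re-seeded once exhausted; the time-synchronized variants need no per-password state but depend on the token’s clock, which is why the verifier accepts a small window of drift. Verification of a time code looks like `verify_windowed(lambda t: time_otp(secret, t), code, now)`.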

A number of technologies exist for delivering the OTP to the end-user:

  • Physical tokens/devices that generate a One Time Password; these are usually in the form of a credit card or key fob.
  • A more prevalent way of delivering an OTP is for an Authentication Server to send the OTP to a PDA or cell phone.

OTP technology requires additional technology and equipment, but the increased security will make it more than worthwhile in the long run.

Can Single Sign On be improved?

Single Sign On (SSO) is the concept of an end-user needing one username and password pair to gain access to multiple data-sensitive resources.  SSO provides a tremendous ROI (return on investment), as having one password to remember significantly reduces the involvement of helpdesk personnel in the maintenance of passwords, not to mention the increased productivity and job satisfaction for the end-user.

With almost all benefits comes a downside, and SSO is no exception.  Having one password protecting multiple resources delivers much sought-after improvements.  However, if the one password is compromised, ALL the resources are now subject to intrusion.  The traditional approach of having a different password for each resource certainly reduces this risk, but brings us back to helpdesk and end-user frustration and costs.

Wouldn’t it be great if the security of multiple passwords and the ROI of SSO could be combined to form a very secure and prosperous union?

Good news!  This article introduces technologies designed to improve single authentication and, when combined with SSO, create a very powerful union designed to protect and serve. SSO in combination with Smart Cards or One Time Password Tokens will improve the single authentication and enhance the benefits gained from SSO.

Smart Card Technology

Instead of using a password that can be discovered by a user with negative intentions, Smart Cards can be used to prevent unauthorized access to sensitive data.  Physically, a Smart Card is a handheld card with integrated circuits that has the ability to process data.  Data is moved from the card to the reader via metal contacts or radio frequencies.  Access to the controlled resource is granted only when the user has the card and the PIN/password needed to verify ownership of the card.  Requiring both the physical device and knowledge of the password makes for a security system that is extremely difficult to crack.  The likelihood of a malicious intruder obtaining both the card and the PIN is extremely low, and the result is therefore significantly more secure than a single password.

One Time Password Tokens

A One Time Password or OTP is a password that allows access for a single session or transaction.  Should the password be recorded by a would-be intruder during the single login session, they will not be able to use it, as it becomes invalid after the single transaction.  The OTP is generated and made available by a number of different technologies.  There are handheld devices that display the OTP, or the OTP can be delivered through a user’s cell phone.  The provider of the OTP is configured with an algorithm that generates the OTPs from a random source.  Various algorithms are used to generate passwords in such a way that the next password cannot be guessed or determined by an intruder.

It would take some time and investment, but employing an SSO solution combined with improved single authentication will provide a powerful and cost-effective security system to a company that cannot take chances with its secure data.

Phishing, Spear Phishing & Whaling: Attacks That Are on the Rise

With security breaches occurring constantly, some of the ones to look out for are the email attacks coming into your mailbox. Currently attacks such as phishing, spear phishing, and whaling are on the rise. In order to bring light to these attacks, it is key to understand what they are, and how to prevent them.

Phishing: “In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.” – Wikipedia.com

Spear Phishing: A much more targeted attack aimed at a specific victim. Usually the targets are linked to vital information, such as checkbooks, SSNs, and credit card numbers.

Whaling: These are possibly the worst. Executives and “big fish” in the company are targeted for their passwords and vital information.

According to a recent article on blogtalkradio.com, “Criminal Hackers Clean Out Bank Accounts Using Spear Phishing”, attacks like these are increasing by at least 50%. Phishing attacks are powerful and can damage bank accounts and identities in days. The article discusses a case where $440,000 was taken over the course of five days without the account owners even knowing.

These attacks are usually in the form of emails, which can even look like company documents. Once the user clicks on any link which appears to be from the “important” source, a virus is usually downloaded and allows the attacker to see all of your user data. There are even instances when these viruses will attach to the user’s web browser, and allow the attacker to see all sites visited, including personal sites, such as online banking.

So with this information it is key to also offer some solutions to these attacks:

  • Have anti-virus protection installed on your computer
  • Look into getting a credit freeze
  • Check your bank statements often and keep track of your finances

Finally, the obvious solution is to not open emails that you don’t trust, no matter what. Recently at PistolStar we addressed this exact issue with the U.S. Navy. The government, as an industry, relies on its information being secure. Recent regulations now require that all government emails contain a digital signature to verify the sender.  Basically, if it is not signed, it is not trusted. We created an Email-Signature Plug-In that signs all outgoing unsigned emails, so that receivers know who the email is from and that it comes from a trusted sender.

With the implementation of such plug-ins, regulations, and solutions, the number of attacks will hopefully decrease. The key is to make sure that you and your company are secure and protected, and remember…

If it’s not signed, it is not trusted!

Bookmarklet-based Password Managers Exposed

Due to the number of websites a user accesses per day, and the fact that most require authentication, it is no wonder everyone is looking for a tool to remember their passwords. Websites are using techniques such as mixing capital letters, symbols, and spaces to increase the strength of the password and the difficulty of hacking and obtaining it.

One way that users are keeping track of these multiple credentials is with password management tools. These usually remember the password for the user, so forgetting it is not an option. Unfortunately it has been found that these tools can also decrease security and allow for a window of opportunity for hackers to come in.

In the article by Rachel Kremen, “Plugging a Password Leak: How a Simple Fix Made Password Managers More Secure”, the issues with password managers that use bookmarklets to automate the login process for the user’s websites were exposed.  The researchers investigated six popular bookmarklet-based password managers, including Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The findings were alarming.

The way these managers work is by storing the user’s passwords for their favorite sites on a central server. When the user visits a site again, the bookmarklet is used to determine which site the user is on and provide the credentials.

Researchers found this to be a red flag. The main question raised was: how does the manager know for sure that the website it thinks the user is on actually is that site? After running tests, they discovered that with a few pieces of code, the manager could be fooled into producing the credentials for the user’s website even when the user was not visiting that site at all.

Hackers could easily obtain the credentials for bank websites, credit cards, and other personal information. The password manager would provide the credentials, without recognizing that it is actually a hacker’s website it is providing to.

Luckily the solution was easy. By checking the referrer header, and doing so over SSL, the password manager can make forgery of the website difficult. The password manager services researched did take the researchers up on the suggestion, made the changes, and/or informed their users.
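
An added sketch of the check just described, written for this page rather than taken from any of the named services: the manager’s server compares the site name the bookmarklet claims against the Referer header the browser attaches to the request, and accepts it only over HTTPS. The vault contents and hostnames are constructed.

```python
"""Added example (not the code of any password manager named in the post):
deciding whether to release stored credentials to a bookmarklet request.
Vault contents and hostnames are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: each credential is bound to exactly one hostname.
VAULT = {
    "bank.example": ("alice", "bank-secret"),
    "shop.example": ("alice", "shop-secret"),
}


def release_trusting_claim(claimed_host: str):
    """Weak: the bookmarklet reports which site the user is on, and the server
    believes it. Any page can run the bookmarklet's script and claim to be
    bank.example, so this hands out credentials to the wrong site."""
    return VAULT.get(claimed_host.lower())


def release_verified(referer: Optional[str], claimed_host: str):
    """Hardened: the browser, not page script, sets the Referer header on the
    bookmarklet's request. Require HTTPS so the header cannot be altered in
    transit, and require an exact hostname match with the claim."""
    if not referer:
        return None                      # no verifiable origin: refuse
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.hostname:
        return None                      # plain HTTP is tamperable: refuse
    host = parts.hostname.lower()
    if host != claimed_host.lower():
        return None                      # page claims one site, browser says another
    return VAULT.get(host)               # None when nothing is stored for this site
```

The hostname comparison is exact rather than a suffix match, so a lookalike such as `bank.example.evil` does not pass as `bank.example`; and because browsers may omit the Referer header, a missing header is treated as a refusal rather than a pass.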

Imagine the losses that could occur. With everyone placing their trust in websites, it is vital to protect the information used to access them. Although remembering these passwords can be challenging, so is tracking a cyber criminal who has taken your identity. With these tools it is important to understand what information you are providing to them, and how it will be used. Putting all your passwords in one basket is not necessarily the best plan for secure authentication.

In the news: Authentication a chief priority, top issue

It’s nice to receive validation of what you do, and we’ve had the pleasure of actually seeing it in print several times in the past several weeks. People in the industry, from security pros responding to surveys to an industry influencer, have spoken out on authentication.

First, to cheer up everyone who’s thinking pessimistically about prospects for the economy, there’s the survey of security pros in the financial services industry (most hard hit by the recession, remember?) which found that almost 50% report improved funding for security projects in the next six months. The big(ger) news is that the respondents ranked authentication, encryption and network access control as “high priorities.” The study was conducted by SearchFinancialSecurity.com and reported in “Financial security pros expect improved funding in second half of 2009.”

In a recent tech industry talk about what the Internet still needs to make it complete, Vinton Cerf, the chief Internet evangelist at Google and co-designer of the TCP/IP protocols that are the foundation of the Internet, stated that one of the Internet’s most critical needs is authentication. He said that anyone doing business involving the Internet (and who isn’t?) should be “deeply concerned” with incorporating authentication. One of the many articles on Cerf’s talk, “The Internet is incomplete…”, can be found on Computerworld.com.

Yet another survey, this one by another company in the space, revealed that the adoption of strong authentication is growing. Among its findings: strong authentication and single sign-on (SSO) are “driving organizational cost efficiencies, security and employee productivity” and strong authentication is “no longer being used exclusively for remote access.” More info as well as access to the full survey report can be found in the article, “National Strong Authentication Survey Shows Uptick in Adoption and Growing Synergy with Single Sign-on Solutions” in the Cloud Computing Journal.

We’ll inform you on other news reports on authentication as we find them!

Security Focus Starts Inside

It is the insiders (i.e. your company’s employees) and not the outside hackers that represent the greatest threat to your information assets. And, their unauthorized access to supposedly protected data can surprisingly be accidental as much as it can be intentional. This reveals that most organizations have not taken sufficient measures to prevent insider access and attacks and ensure that internal security, particularly access control, is adequately addressed.

Strengthening authentication and making passwords stronger should be paramount when implementing an authentication, password management or identity management system. However, security is often secondary to usability among the project’s goals. The focus of password management is on improving the user experience and reducing the number of passwords as well as centralizing passwords to ease the IT staff’s burden of managing multiple, disparate accounts. But, by placing less emphasis on the security aspects of authentication, organizations place their assets at risk. Yes, productivity is improved for end-users and IT staffers to the point of achieving a respectable ROI. Nevertheless, with the rise in data theft, particularly during the economic downturn, if even the most robust authentication solution has inadequate security features, it cannot deliver enough ROI to cover the potential cost of a successful hacking event.

Companies can easily and cost-effectively strengthen authentication and passwords while protecting access to sensitive data. Here are some possible approaches:

  • Incorporate password security functionality such as password strength validation, password expiration intervals, password frequency limits, and strike-out limits by person, group and hierarchy
  • Integrate the Kerberos authentication protocol with Active Directory authentication to mutually authenticate the user and the server to which they are attempting access — and without transmitting passwords.
  • Require users to respond to a set of pre-configured challenge questions, as well as enter their username and password. Multiple challenge question/response functionality is easy to set-up and allows quick access.
  • Implement real-time monitoring and alert functionality to obtain knowledge on user login activity.
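
As an added example of the first approach above (written for this page; it is not PistolStar’s product code), a Python sketch of password strength validation, an expiration interval, and a reuse limit enforced against a salted password history. The 12-character minimum, 90-day age, 5-entry history and the small common-password list are assumed policy values.

```python
"""Added example (not PistolStar's product code): password policy checks.
Thresholds and the common-password list are assumed policy values."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)     # expiration interval
HISTORY_DEPTH = 5                # how many previous passwords may not be reused
COMMON = {"password", "123456", "qwerty", "letmein"}  # constructed deny-list


def strength_problems(pw: str) -> list:
    """Strength validation: return every rule the candidate breaks (empty = ok)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    if sum(classes) < 3:
        problems.append("needs 3 of 4 character classes")
    if pw.lower() in COMMON:
        problems.append("common password")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so the stored history is not cheap to reverse.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)


class Account:
    def __init__(self, username: str):
        self.username = username
        self.history = []            # (salt, digest) pairs, newest first
        self.changed_at = None

    def _reused(self, pw: str) -> bool:
        return any(hmac.compare_digest(_hash(pw, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, pw: str, now: datetime) -> list:
        """Apply strength and history rules; return the problems, or [] on success."""
        problems = strength_problems(pw)
        if self._reused(pw):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history.insert(0, (salt, _hash(pw, salt)))
        del self.history[HISTORY_DEPTH:]   # keep only the newest HISTORY_DEPTH
        self.changed_at = now
        return []

    def expired(self, now: datetime) -> bool:
        """Expiration interval: force a change after MAX_AGE (or if never set)."""
        return self.changed_at is None or now - self.changed_at > MAX_AGE
```

The history check hashes the candidate against each stored salt rather than storing previous passwords in a reversible form, so a leaked history table does not expose old passwords; the strike-out limit from the same bullet is the per-account failure counter shown in the Yahoo Mail example earlier on this page.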

Benefits can include:

  • Ensuring passwords and access-related features meet compliance requirements
  • Enabling secure access to applications and databases
  • Enforcing password policies
  • Achieving greater oversight of user login and authentication behavior
  • Increasing the overall efficiency of authentication and password management
  • Maintaining security overall

For more ideas, as well as to learn more about the above, contact Mark Cochran, a PistolStar authentication expert.
