Authentication Adaptability: Survival is Key
Filed under: Authentication Trends, General Information, PortalGuard, Uncategorized, compliance
“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin
As Charles Darwin put it so eloquently, facing change by adapting to it is how you survive. This translates easily to authentication and to the principles behind strengthening authentication to adapt to changing circumstances.
The idea is that change is inevitable and that businesses which cannot adapt will be weeded out. With authentication and security this is an ongoing challenge for businesses, in the form of regulatory compliance, authentication trends and ever-increasing attacks.
Although this is experienced across most industries, it is an especially pressing issue for the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. They also hold vast amounts of personal information and data, making them prime targets for evolving attacks and identity theft.
Some of the more prevalent attacks include:
- Phishing
- Malware
- Keystroke Loggers
- Session Mismanagement
- Fraudulent Droid apps
- Chat-in-the-Middle
- Spoofing
- Vishing
- Smishing
- And many more…
An adaptation example in the financial industry has been the popularity and increasing use of online banking. Although it is extremely convenient for end-users, the question is how the financial industry will adapt its authentication to protect users’ extremely sensitive data out on the internet.
In order to adapt, financial institutions follow the FFIEC guidelines and implement multi-factor authentication and stronger authentication such as one-time passwords. The financial industry is required to have a high level of data protection and is therefore leading the way in authentication and security. Reviewing how vulnerable industries respond is a great way to understand where to set the bar for your own required level of data protection.
Bound2Authenticate Presented by Victor Toal at Lotusphere 2010
Bound2Authenticate Presented By Victor Toal
When:
Tuesday, January 19, 2010
2:00pm-3:00pm
Where:
Lotusphere, Swan Hotel, Ibis Room
An exclusive raffle is offered to all attendees.
Speaker Information:
Victor Toal is a messaging and collaboration architect and engineer with more than 15 years experience with Domino (since R 4.1), Sametime, Quickr, Lotus Connections, and WebSphere. Victor’s clients include the Pentagon, US Army, banks, as well as manufacturing, tourism, and medical companies. He has worked in the US and overseas (Japan, Austria, Great Britain, Germany, France, Italy, Hungary, Poland, and Czech Republic) and speaks fluent German and Japanese. He is certified in Domino R4-R8.5 and Sametime 7.5 and 8.0.
Unable to attend? Request a recording of the presentation by visiting the Contact Us page.
The Trojan Horse: Sneaking Past Your City Walls
Filed under: Authentication Trends, Data Security, General Information
For centuries the Trojan horse was a weapon of war; a historical piece of trickery and deceit, which was used to bring down the City of Troy. Now, in this century, when searching the term Trojan horse, the first result to appear is about the technology version of the Trojan horse. As many of us know, malware stands for malicious software. One vehicle through which it obtains its unwanted access is the Trojan horse program. These carriers are great at disguise, trickery, and breaking down the walls of your personal identity and even your financial status.
Recently a new Trojan horse program has appeared, and it has many concerned. Trojan horses, as many of us know, are invasive, but this new one goes beyond that, specifically targeting financial institutions and Internet Explorer users. The new name to fear: W32.Silon. With financial institutions as its target, Silon can intercept Internet Explorer sessions and steal credentials. Many say this attack has two heads: the generic Trojan horse approach into all applications, and then the financial focus.
When it comes to logging onto your bank account online, that is when to watch out. The Silon Trojan intercepts the traffic between the user and token-protected financial sites, putting up a façade that looks like the normal login screen. This allows the malware to transmit your credentials to hackers, who can then obtain your financial data and reap the rewards. The main thing that is clear about this attacker is that it is following and changing with the authentication trends. With more advanced authentication techniques, attacks are becoming more and more sophisticated. Silon is a prime example, as it attacks the two-pronged stronger authentication methods with ease. Bank accounts beware!
For more information check out these links:
http://en.wikipedia.org/wiki/Malware
http://en.wikipedia.org/wiki/Trojan_horse_(computing)
http://in.sys-con.com/node/1162320
Attacks Need Access to Happen: Yahoo Users Beware
Filed under: Authentication Security, Authentication Trends, General Information, IT Security, password security
Recently thousands of attacks have been occurring involving Yahoo mail and its users, and that is just one proxy that has been recorded. Brute force attacks are being used to steal users’ credentials and access their email accounts to conduct spamming attacks. With the future of Authentication Trends showing an increase in hackers and phishing attacks, it is no wonder this is a recent hot topic. Attacks need access to happen, and with the growing number of access points to data, it is no wonder attacks are increasing as well.
The main login page for Yahoo mail is protected against these brute force attacks, in which hackers simply keep guessing credentials until they find a pair that works. Usually they run an automated script that cycles through passwords and names until it finds the correct match. Yahoo uses mechanisms such as:
- Enforce strike-out limits: the user is prompted to enter a CAPTCHA after failing to enter their credentials “n” number of times.
- Incorrect credential is not specified: the error page following an incorrect login attempt does not inform the user which part of their credentials, the username or the password, was incorrect.
These mechanisms have been working to protect Yahoo mail users. The recent attacks and credential theft happened through a service application outside of Yahoo. With this API access point, hackers saw an open door.
This API is meant for ISPs and third-party Web applications, but it does not enforce the same authentication mechanisms as Yahoo mail does, such as anti-automation defenses. There are no strike-out limits or CAPTCHAs, and the error page specifies which part of the credential you entered incorrectly. Hackers quickly figured out how to hammer this application with attacks, daily.
With further investigation it was found that hackers were trying something different in their attacks. Usually these brute force attacks are aimed at the highly visible Web interface, but this application was not for end-users; it simply validated authentication credentials.
To fight these attacks the Web Application Security Consortium Distributed Open Proxy Honeypot project is being created. By getting attackers to push through the project’s proxy server, the suspects can be monitored. It is a great idea, but one with multiple phases of implementation, which began in 2007.
Yahoo has hundreds of servers, and attackers are learning to spread their attacks across a breadth of them. With current authentication mechanisms and projects, IT professionals are attempting to reduce attacks. Of course we all have to look at the overwhelming problem: users require multiple access points on a daily basis, and access opens the door for attacks. This will definitely be an ongoing dilemma.
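The two defenses the post credits with protecting the main login page, a strike-out limit and a generic error message, are easy to see side by side in code. The following is an added example written for this post; it is not Yahoo’s code, not the third-party API in question, and not PortalGuard code. The user store, the hypothetical `weak_validate` function (which behaves like the API described above: no strike limit, and an error that names the wrong half of the credential) and the `HardenedValidator` class are all constructed for illustration.

```python
"""Credential validation with and without anti-automation defenses.

Added example for this post (not Yahoo's, the third-party API's, or
PortalGuard's code). Contrasts a validator that reveals which half of the
credential failed and never locks out, with one that applies a strike-out
limit and returns one generic error. User store and names are constructed.
"""
import hashlib
import hmac
import os

STRIKE_LIMIT = 5  # failures allowed before a CAPTCHA is demanded


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not a plain hash of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def weak_validate(username: str, password: str) -> str:
    """The pattern the post describes on the third-party API: no strike-out
    limit, and the error message tells the caller which part was wrong."""
    if username not in USERS:
        return "error: unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "error: wrong password"
    return "ok"


class HardenedValidator:
    """Per-username strike-out limit plus a single generic failure message."""

    def __init__(self, limit: int = STRIKE_LIMIT):
        self.limit = limit
        self.failures: dict[str, int] = {}

    def validate(self, username: str, password: str, captcha_ok: bool = False) -> str:
        strikes = self.failures.get(username, 0)
        # Once the limit is reached, refuse to even check the password until a
        # CAPTCHA has been solved; this is what stops an unattended script.
        if strikes >= self.limit and not captcha_ok:
            return "captcha_required"
        salt, stored = USERS.get(username, (b"", b""))
        # Hash even for unknown usernames so response timing does not reveal
        # which names exist (a dummy salt is used when the user is absent).
        candidate = _hash_password(password, salt or b"\x00" * 16)
        if username in USERS and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)  # success clears the counter
            return "ok"
        self.failures[username] = strikes + 1
        # Same message whether the username or the password was wrong.
        return "error: invalid credentials"
```

The hardened variant also deliberately performs the hash work for unknown usernames, since a fast "no such user" path is another way a validation endpoint can leak which half of a credential was wrong.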
Cloud Computing: The “Greener” Solution for Government
Filed under: Authentication Trends, General Information, Uncategorized
Upon visiting apps.gov, out of curiosity about what exactly cloud computing is, I came across the video showing the new plans the government has in store. Typically known as a huge overwhelming IT “creature”, the government is planning on changing their ways, in regards to IT systems.
Currently the government is riddled with hundreds of systems, unique applications and environments, all across the globe. There are large IT infrastructures behind these individual systems, supporting them as separate entities. What is now being looked at more closely is that some of these large systems duplicate work that many other systems also perform, such as email.
The U.S. CIO Vivek Kundra is onboard with combining these massive infrastructures, to cut down on the serious carbon footprint they are leaving behind. With the idea of combining services and using the same infrastructure for multiple environments the government is attempting to cut down on costs.
Of course the question is: will it work? The hope is that there will be lower maintenance costs, fewer staff to maintain, and a greener solution. The government is showing the greatest concern with security, privacy, and procurement at the moment. Of course it is a giant system, with many legacy applications, that many are predicting will not go away.
If anything is to change it won’t be fast, and will be almost like a case study for the government to attack at all angles. The main idea that this brought up is if the government can do it, why can’t we? Although most of us are relying on external IT infrastructure, it would be interesting to see what would happen if everyone was onboard with cloud computing.
What is a One Time Password and How Can it be Useful?
Filed under: Authentication Security, Authentication Trends, General Information, IT Security, password security
A One Time Password (OTP) is a password that is only valid for a single session or transaction. This technology eliminates the need to save or remember any passwords. It provides stronger security than a static password because, even if it is captured, the intruder will not be able to reuse it.
Implementation of OTP does however require additional technology to provide an OTP each time authentication is required. The password is usually a long string of digits generated by one of a variety of algorithms and distributed by one of several hardware technologies. It is the intent of this article to describe some of the more prevalent algorithms and distribution technologies.
Generation algorithms rely on randomness so that the next One Time Password cannot be predicted. Several algorithms exist:
- Mathematical algorithms that are based on the previous password.
  - A random seed is passed to a function that generates the password.
  - The password is then used as the seed for the next password generation.
- Time Synchronization (OTPs are only valid for a short period of time).
  - OTPs are tied to a physical hardware token.
  - The token has an accurate clock that has been synchronized with the clock on the authentication server.
  - Password generation and acceptance are based on the current time.
- Time Synchronized Challenge.
  - A Time Synchronized Challenge OTP is based on the end-user entering a time-synchronized value into the token device in order to be authenticated.
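The first two algorithm families above can be shown in working code. What follows is an added example written for this article, not PortalGuard code and not any token vendor’s implementation. For the “based on the previous password” family it uses a hash chain walked backwards, the construction used by S/KEY, so that a password an intruder captures cannot be turned into the next one (a chain walked forwards would not have that property). For time synchronization it computes an HMAC over the current 30-second time step in the style of RFC 6238 TOTP, and the server-side check also demonstrates the one-time property by refusing a second use of the same step. The seed, secret key and clock values are constructed for the example.

```python
"""Two one-time-password schemes with their server-side checks.

Added example for this article (not PortalGuard or any token vendor's code).
1. Hash-chain OTP: a random seed is hashed repeatedly; the user reveals the
   chain from the end, and the server only ever stores the last accepted link.
2. Time-synchronized OTP: HMAC-SHA1 over the current 30-second step, with a
   small tolerance for clock drift and replay rejection of a used step.
Seeds, secrets and timestamps below are constructed values.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


# --- 1. Hash-chain OTP (based on the previous password) --------------------

def make_chain(seed: bytes, length: int) -> list[bytes]:
    """Return [h(seed), h(h(seed)), ..., h^length(seed)].
    The user hands these out from the END of the list."""
    chain, value = [], seed
    for _ in range(length):
        value = hashlib.sha256(value).digest()
        chain.append(value)
    return chain


class ChainVerifier:
    """The server stores only the last accepted link (initially the final
    link, h^length(seed)). A candidate c is valid when sha256(c) equals it;
    c then becomes the new anchor, so it can never be accepted again."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def verify(self, candidate: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.anchor):
            self.anchor = candidate
            return True
        return False


# --- 2. Time-synchronized OTP -----------------------------------------------

STEP_SECONDS = 30
DIGITS = 6


def time_otp(secret: bytes, step: int) -> str:
    """HMAC-SHA1 over the 8-byte big-endian step counter, dynamically
    truncated to a DIGITS-digit code (the TOTP/HOTP truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TimeOtpVerifier:
    """Accepts the code for the current step and `skew_steps` either side
    (token and server clocks drift), and never accepts a step at or before
    the last one used, which makes each code single-use."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_step = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        step = int((time.time() if now is None else now) // STEP_SECONDS)
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_step:
                continue  # replay of an already-consumed step
            if hmac.compare_digest(time_otp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False
```

In the chain scheme the server never holds anything an intruder could use to log in, only the hash of the next valid password, which is why it suits the "previous password" family; in the time scheme the secret must be stored on both sides, which is why such tokens are issued as tamper-resistant hardware.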
A number of technologies exist for delivering the OTP to the end-user:
- There are physical tokens/devices that can generate a One Time Password.
  - These devices are usually in the form of a credit card or keyfob.
- A more prevalent way of delivering an OTP is for an Authentication Server to provide the OTP via PDAs and cell phones.
OTP technology requires additional technology and equipment, but the increased security will make it more than worthwhile in the long run.
Can Single Sign On be improved?
Filed under: Authentication Trends, Data Security, General Information, IT Security, password security
Single Sign On (SSO) is the concept of an end-user needing only one username and password pair to gain access to multiple data-sensitive resources. SSO provides a tremendous ROI (return on investment): having one password to remember significantly reduces the involvement of helpdesk personnel in the maintenance of passwords, not to mention the increased productivity and job satisfaction for the end-user.
With almost all benefits comes a downside, and SSO is no exception. Having one password protecting multiple resources delivers much sought-after improvements. However, if that one password is compromised, ALL the resources are now subject to intrusion. The traditional approach of having a different password for each resource certainly reduces this risk, but brings us back to helpdesk and end-user frustration and costs.
Wouldn’t it be great if the security of multiple passwords and the ROI of SSO could be combined to form a very secure and prosperous union?
Good news! This article introduces technologies designed to improve single authentication and when combined with SSO creates a very powerful union designed to protect and serve. SSO in combination with Smart Cards or One Time Password Tokens will improve the single authentication and enhance the benefits gained from SSO.
Smart Card Technology
Instead of using a password that can be discovered by a user with negative intentions, Smart Cards can be used to prevent unauthorized access to sensitive data. Physically, a Smart Card is a handheld card with integrated circuits that has the ability to process data. Data is moved from the card to the reader via metal contacts or radio frequencies. Access to the controlled resource is granted only when the user has the card and the PIN/password needed to verify ownership of the card. Requiring both the physical device and knowledge of the password makes for a security system that is extremely difficult to crack. The likelihood of a malicious intruder obtaining both the card and the PIN is extremely low, which makes this significantly more secure than a single password.
One Time Password Tokens
A One Time Password or OTP is a password that allows access for a single session or transaction. Should the password be recorded by a would-be intruder during the single login session, they will not be able to use the password as it becomes invalid after the single transaction. The OTP is generated and made available by a number of different technologies. There are handheld devices that display the OTP or the OTP can be delivered through a user’s cell phone. The provider of the OTP is configured with an algorithm that generates the OTPs from a random source. Various algorithms are used to generate passwords in such a way that the next password cannot be guessed or determined by an intruder.
It would take some time and investment, but employing an SSO solution combined with improved single authentication will provide a powerful and cost-effective security system to a company that cannot take chances with its secure data.
Phishing, Spear Phishing & Whaling: Attacks That Are on the Rise
Filed under: Authentication Trends, Data Security, IT Security
With security breaches occurring constantly, some of the ones to look out for are the email attacks coming into your mailbox. Currently attacks such as phishing, spear phishing, and whaling are on the rise. In order to bring light to these attacks, it is key to understand what they are, and how to prevent them.
Phishing: “In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.” – Wikipedia.com
Spear Phishing: A much more targeted attack aimed at a specific individual or group. Usually the targets are linked to vital information, such as checkbooks, SSNs, and credit card numbers.
Whaling: These are possibly the worst. Executives and “big fish” in the company are targeted for their passwords and vital information.
According to a recent article on blogtalkradio.com, “Criminal Hackers Clean Out Bank Accounts Using Spear Phishing”, attacks like these are increasing by at least 50%. Phishing attacks are powerful and can damage bank accounts and identities in days. The article discusses a case where $440,000 was taken over the course of five days without the account owners even knowing.
These attacks are usually in the form of emails, which can even look like company documents. Once the user clicks on any link which appears to be from the “important” source, a virus is usually downloaded and allows the attacker to see all of your user data. There are even instances when these viruses will attach to the user’s web browser, and allow the attacker to see all sites visited, including personal sites, such as online banking.
So with this information it is key to also offer some solutions to these attacks:
- Have anti-virus protection installed on your computer
- Look into getting a Credit Freeze
- Check your bank statements often and keep track of your finances
Finally, the obvious solution is to not open emails that you don’t trust, no matter what. Recently at PistolStar we addressed this exact issue with the U.S. Navy. The government, as an industry, relies on its information being secure. Recent regulations now require that all government emails contain a digital signature to verify the sender. Basically, if it is not signed, it is not trusted. We created an Email-Signature Plug-In that signs all outgoing unsigned emails, to make sure the receivers know who the email is from and that they are a trusted sender.
With the implementation of such plug-ins, regulations, and solutions the number of attacks will hopefully decrease. The key is to make sure that you and your company are secure and protected, and remember:
If it’s not signed, it is not trusted!
What’s New with Password Protection?
Filed under: Authentication Security, Authentication Trends, Data Security, password security
In a recent article a common issue was discussed: password security. It is apparent that people have a hard time remembering, and creating, strong secure passwords. It also seems impossible to have users successfully remember passwords for all of the applications they use, including the websites they visit. In response to this constant struggle between user and password, vendors like PistolStar have come up with solutions.
One of them is a strong challenge question and response method that lets users self-service their own passwords. This allows them to create questions specific to them, which will later be used to confirm their identity. This has been a successful and strong method for quite some time, but now people are wondering what else is possible.
On The Blog of Content Protection, authored by Eric Diehl, the posting “Retrieving Passwords Through Social Interaction” brought to light an unusual way to go about recovering your password. Microsoft began to think of password recovery as “not what you know, but who you know”. This created the idea of using trustees to recover your password.
The user would define a list of trustees, who would then each receive a recovery code. Once the user forgot their password they would contact their trustees for the recovery codes. This was an interesting concept, which created a security wall made of human interaction.
This solution does come with many issues, such as forgetting who your trustees are, and the time it takes to retrieve the codes from them. You can read more in Microsoft’s report:
It’s Not What You Know, But Who You Know: A Social Approach to Last-Resort Authentication
The idea of social marketing is being chased after by marketers everywhere, but what about social password recovery? Developers are you ready to jump out of your seats….or stay seated? You decide.
In the news: Authentication a chief priority, top issue
Filed under: Authentication Security, Authentication Trends, Data Security, IT Security
It’s nice to receive validation of what you do, and we’ve had the pleasure of actually seeing it in print several times in the past several weeks. People in the industry, from security pros responding to surveys to an industry influencer, have spoken out on authentication.
First, to cheer up everyone who’s thinking pessimistically about prospects for the economy, there’s the survey of security pros in the financial services industry (most hard hit by the recession, remember?) which found that almost 50% report improved funding for security projects in the next six months. The big(ger) news is that the respondents ranked authentication, encryption and network access control as “high priorities.” The study was conducted by SearchFinancialSecurity.com and reported in “Financial security pros expect improved funding in second half of 2009.”
In a recent tech industry talk about what the Internet still needs to make it complete, Vinton Cerf, the chief Internet evangelist at Google and co-designer of the TCP/IP protocols that are the foundation of the Internet, stated that one of the Internet’s most critical needs is authentication. He said that anyone doing business involving the Internet (and who isn’t?) should be “deeply concerned” with incorporating authentication. One of the many articles on Cerf’s talk, “The Internet is incomplete…”, can be found on Computerworld.com.
Yet another survey, this one by another company in the space, revealed that the adoption of strong authentication is growing. Among its findings: strong authentication and single sign-on (SSO) are “driving organizational cost efficiencies, security and employee productivity” and strong authentication is “no longer being used exclusively for remote access.” More info as well as access to the full survey report can be found in the article, “National Strong Authentication Survey Shows Uptick in Adoption and Growing Synergy with Single Sign-on Solutions” in the Cloud Computing Journal.
We’ll inform you on other news reports on authentication as we find them!