$1,901,269 is how much attackers were able to wire out of Experi-Metal’s Comerica bank account in the span of three hours. This was a phishing attack that cause damage to Experi-Metal Inc. (EMI)’s financial assets and raised the questions of liability and “What is reasonable security?”

The continuing court case is attempting to answer that question. Looking at the facts, although Comerica was putting authentication policies in place, such as using secure token technology, there was still a user created gap which allowed for the attackers to gain access. An attack only needs access to happen.

Although Comerica was able to recover all of the funds but $560,000 EMI is still pressing charges, saying that Comerica exposed EMI’s users to the phishing attack. Comerica is of course implying that any EMI employee responsible for financial transactions should have caught on that the phishing site was a scam.

The decision has still not been made in the favor of either company in terms of liability. Although the contracts originally signed by the two companies will favor Comerica Bank, the fact that the banking industry demands stronger authentication and therefore Comerica has easier access to advanced technologies does not look good for them. It will be interesting to see how the case progresses in mid-November.

BankInfoSecurity.com: to read and have a copy of the full article - Click Here

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

As Charles Darwin has put it so eloquently, facing change by adapting to it is how you survive. This can easily be translated over to authentication and the principles behind strengthening authentication to adapt to changing circumstances.

The idea is that change is inevitable and businesses will be weeded out by their ability to adapt. With authentication and security this is an ongoing challenge facing businesses in the form of regulatory compliance, authentication trends and ever increasing attacks.

Although this is primarily experienced across most industries it is an ever pressing issue on the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. Also they are huge carriers of personal information and data making them huge targets for evolving attacks and identity theft.

Some of the more prevalent attacks include:

• Phishing
• Malware
• Keystroke Loggers
• Session Mismanagement
• Fraudulent Droid apps
• Chat-in-the-Middle
• Spoofing
• Vishing
• Smishing
• And many more…

An adaptation example, in the financial industry, has been the popularity and increasing use of online banking. Although it is extremely convenient for the end-users, the question is how will the financial industry adapt their authentication to protect users’ extremely sensitive data out on the internet?

In order to adapt financial institutions follow the FFIEC guidelines, implement multi-factor authentication and stronger authentication such as one-time passwords. The financial industry is required to have a high level of data protection and therefore is leading the way in authentication and security. By reviewing vulnerable industries it is a great way to understand where to set the bar for your required level of data protection.

]]> http://blog.pistolstar.us/blog/?feed=rss2&p=323 http://blog.pistolstar.us/blog/?p=315 http://blog.pistolstar.us/blog/?p=315#comments Mon, 26 Apr 2010 14:27:18 +0000 Kimberly Johnson http://blog.pistolstar.us/blog/?p=315

Come join PortalGuard by PistolStar, Inc. at the SharePointPro Virtual Conference, Climbing the Sharepoint Summit. No need to leave your office, just join us online to ask us any questions you like May 20th 9:00am-4:00pm EST. The best part is that registration is open to anyone and free!

Come see if PortalGuard is right for your company! See how you can meet or exceed your security objectives, including:

• Stronger Authentication
• Reducing Risk - both financial and security
• Enhance compliance with both security and industry standards
• Deliver effective password policies
• Implement Best Practices

And Many More…

Conference Website & Information

PortalGuard Homepage

Thanks for Stopping By!

We first would like to extend a thank you out to those of you who stopped by our booth at the SharePointPro Summit this year. It was fascinating to hear about how SharePoint authentication and security is being handled, what specific requirements you are looking for, and how PortalGuard or Tailored Authentication could help you with your SharePoint security needs.

If you did not have a chance to see us at the show, then we encourage you to visit PortalGuard.com, to see how PortalGuard is the solution for meeting and exceeding your security objectives. PortalGuard is supported on multiple platforms including Microsoft SharePoint/IIS, IBM Websphere/Websphere Portal, and Lotus Domino.

PortalGuard:

PortalGuard is an authentication and security solution that allows end-users to securely authenticate and manage their portal login credentials directly from a Web browser, while providing administrators with functionality to meet or exceed their security objectives. With PortalGuard, administrators can implement best practices for ensuring stronger and consistently secure authentication. Learn More…

Extensible Authentication Framework:

Many of our customers implement our standard Password Power Plug-ins - the authentication software framework offers robust functionality and feature-rich security, access control, and password management.

But for those customers who have a unique user base, organizational complexities, specific security and compliance requirements or multiple and diverse applications, our expert professional services and development team will develop a solution adapted to their environment and delivered within the framework of our standard Password Power software product, including ongoing technical support. Learn More…

PistolStar Brings PortalGuard to the SharePointPro Summit & Expo on March 17th & 18th, in Las Vegas!

Come stop by booth #508 for more information on:

PortalGuard:

PortalGuard is an authentication and security solution that allows end-users to securely authenticate and manage a portal password directly from a Web browser, while providing administrators with functionality to meet or exceed their security objectives. With PortalGuard, administrators can implement best practices for ensuring stronger and consistently secure authentication.

Security & Auditing:

• One-Time Password - stop being vulnerable to replay attacks
• Limit multiple concurrent logon sessions - prevent multiple users from logging in with the same set of credentials
• Define strike-out limits by person, group or hierarchy – Alerts are emailed when strike-out limits are exceeded
• Lockout inactive users after “n” days – Identify and stop access to dormant user accounts

 Help Desk and End-User Productivity:

• Self-service Active Directory password reset via challenge question/response — Highly configurable and secure!
• Prove your identity to the help desk - by providing highly configurable challenge question and answer functionality

 Services:

• Tailored Authentication - we deliver a product that will fit precisely with your environment
• Excellent Customer Service - receive support directly from the developers
• Easy deployment — let us take you by the hand

† Fully supports & enhances multiple platforms and portals — IBM Lotus Domino (AIX, Solaris, Windows, System i, Linux), IBM WebSphere/WebSphere Portal, and Microsoft SharePoint

For more information please visit: PortalGuard.com

Come stop by booth #324 to learn more about:

PortalGuard:

A password authentication and security solution that allows end-users to securely authenticate and manage a portal password directly from a Web browser.

Tailored Authentication:

For a unique environment and/or situation, which requires specific functionality, our team would make the necessary adaptations to meet or exceed your security objectives, and provide a fully supported product.

Rule-based Alerts:

Security - Activity Monitoring - making early predictions leads to being proactive instead of reactive.

  Bound2Authenticate

When:
Tuesday, January 19, 2010
2:00pm-3:00pm

Where:
Lotusphere, Swan Hotel, Ibis Room

An exclusive raffle is offered to all attendees.

Speaker Information:

Victor Toal is a messaging and collaboration architect and engineer with more than 15 years experience with Domino (since R 4.1), Sametime, Quickr, Lotus Connections, and WebSphere. Victor’s clients include the Pentagon, US Army, banks, as well as manufacturing, tourism, and medical companies. He has worked in the US and overseas (Japan, Austria, Great Britain, Germany, France, Italy, Hungary, Poland, and Czech Republic) and speaks fluent German and Japanese. He is certified in Domino R4-R8.5 and Sametime 7.5 and 8.0.

Unable to attend? Request a recording of the presentation by visiting the Contact Us page.

Recently a new Trojan horse program has appeared, and has many concerned. Trojan Horses, as many of us know, are invasive, but this new one goes beyond that, targeting specifically financial institutions and Internet Explorer users. The new name to fear: W32.Silon. With the target of financial institutions, Silon can intercept Internet Explorer sessions, and steal credentials. Many say this attack has two heads, the generic Trojan horse approach into all applications, and then the financial focus.

When it comes to logging onto your bank account online, that is when to watch out. The Silon Trojan will intercept between the token protected financial sites and the user, putting up a façade that looks like their normal login screen. This allows them to transmit your credentials to hackers, to be able to obtain your financial data, and reap the rewards. The main thing that is clear about this attacker is that it is following and changing wih the authentication trends. With more advanced authentication techniques, attacks are becoming more and more sophisticated. The Silon is a prime example, as it attacks the two prong stronger authentication methods with ease. Bank accounts beware!

For more information check out these links:

http://en.wikipedia.org/wiki/Malware

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

http://in.sys-con.com/node/1162320

In a recent article by Dmitry Shapiro, CTO at Akonix Systems, Inc., “Instant Messaging and Compliance Issues: What You need To Know” the issues that are becoming ever present with IM are discussed. The main issue is the sheer volume of users on these IM systems, totaling in the 100s of millions. This is not to mention what IT managers are most afraid of, which are the public IM systems, such as AOL Instant Messenger and Yahoo Messenger.

Although IM is a functional tool for communication there are key areas with which there is a lot of concern for compliance issues:

-        Record Retention

-        Information Security

-        Theft

-        Copyright Infringement

These issues are ever rising with the number of users and amounts of information on these systems. With the public IM services, the control a manager could have with an internal system is taken away. Tasks such as auditing, logging, and deleting records are all issues when the manager cannot oversee the whole system, and the web of IMs being created.

Without compliance and monitoring, the one thing that is apparent is that risk will increase. Shapiro says that the main issues to watch for are:

-        Organization of records

-        Retention of records

-        Tamper Proof Records

-        Record Retrieval

-        Off-Site Copies

And many more…

With such acts as the Sarbanes-Oxley Act, HIPAA, and GLBA the ability to control, monitor, protect, and delete records is essential. These regulations are going to require IT managers to remain compliant and come up with ways to monitor their users IM behaviors. If this is not done, IMs will be a strong source of theft and cybercrime.

The key is being aware of what types of attacks are able to steal your password, and understanding what precautions to take. In a recent article by InfoWorld, “Prepare for the Next Password Attack”, the most popular attacks were listed, so that awareness is possible.

• Authentication Bypassing – just like it sounds, it bypasses password security
• Password Guessing – hackers attempt to guess credentials by testing tons of passwords until the correct one is guessed. This is usually automated.
• Password Sniffing – picks up plain text passwords over a network
• Keystroke Logging – records what users physically type in when logging on by recording keystrokes
• Hash Cracking – uses bypassing to go into an authentication database, and steal stored credentials
• Credential Replaying – replay a stolen password over a network
• Social Engineering – this includes over the phone, in person, and other alternative ways besides    technology that someone can steal your password

This article does a great job of outlining the common attacks on passwords. With all of this attack talk it is almost frightening to have passwords at all. Putting up defenses is the best way to prevent these attacks, and as said before to be aware of them. By enforcing strong authentication mechanisms and password policies, it is possible to never experience an attack. Just remember knowledge is power.