What is a One Time Password and How Can it be Useful?

A One Time Password (OTP) is a password that is only valid for a single session or transaction.  This technology eliminates the need to save or remember any passwords.  It provides stronger security than a static password because, even if it has been captured, the intruder will not be able to reuse it.

Implementation of OTP does however require additional technology to provide an OTP each time authentication is required.  The password is usually a long string of digits generated by a variety of algorithms and distributed by several hardware technologies.  It is the intent of this article to describe some of the more prevalent algorithms and distribution technologies.

Generation algorithms rely on randomness so that the next One Time Password cannot be determined.  Several algorithms exist: 

  • Mathematical algorithms that are based on the previous password.
    ◦ A random seed is passed to a function that generates the password.
    ◦ The password is then used as the seed for the next password generation.
  • Time Synchronization (OTPs are only available for a short period of time).
    ◦ OTPs are related to a physical hardware token.
    ◦ The token has an accurate clock that has been synchronized with the clock on the authentication server.
    ◦ Password generation and acceptance is based on the current time.
  • Time Synchronized Challenge.
    ◦ A Time Synchronized Challenge OTP is based on the end-user inputting a time synchronized value into the token device in order to be authenticated.
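As an added example (not code from the article), here is the time-synchronized scheme in Python: token and server share a secret and derive the code from the current time step, the server tolerates one step of clock drift, and it refuses any code whose time step has already been consumed, so a captured code cannot be replayed. The 30-second step, 6-digit length and HMAC-SHA1 truncation are assumptions taken from RFC 6238 (TOTP), which the article does not name.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this added example (the article names none):
# 30-second time steps, 6-digit codes, HMAC-SHA1 truncation as in RFC 6238.
STEP_SECONDS = 30
DIGITS = 6


def totp_at(secret: bytes, unix_time: int) -> str:
    """Code that the hardware token (or the server) derives for the time step
    containing unix_time. Both sides share `secret`; no password is stored."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class OtpServer:
    """Authentication-server side: accepts a code only for the current time
    step (plus a small drift window) and never accepts the same step twice."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps      # tolerated clock drift, in steps
        self.last_accepted_step = None    # highest step already consumed

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        for candidate in range(step - self.skew_steps, step + self.skew_steps + 1):
            # Replay defence: a step at or below the last accepted one is dead.
            if candidate < 0 or (self.last_accepted_step is not None
                                 and candidate <= self.last_accepted_step):
                continue
            expected = totp_at(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    shared = b"12345678901234567890"            # constructed shared secret
    server = OtpServer(shared)
    code = totp_at(shared, 1000)                # what the token displays at t=1000
    print(server.verify(code, 1010))            # True: same step, within drift
    print(server.verify(code, 1020))            # False: captured code replayed
    print(server.verify(totp_at(shared, 1000), 1100))  # False: step has expired
```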

A number of technologies exist for delivering the OTP to the end-user:

  • There are physical tokens/devices that can generate a One Time Password.
  • These devices are usually in the form of a credit card with keyfob technology.
  • A more prevalent way of delivering an OTP is for an Authentication Server to provide the OTP via PDAs and Cell Phones.

OTP technology requires additional technology and equipment, but the increased security will make it more than worthwhile in the long run.

Can Single Sign On be improved?

Single Sign On (SSO) is the concept of an end-user needing only one username and password pair to gain access to multiple data-sensitive resources.  SSO provides a tremendous ROI (return on investment): having only one password to remember significantly reduces the involvement of helpdesk personnel in the maintenance of passwords, not to mention the increased productivity and job satisfaction for the end-user.

With almost all benefits comes a downside, and SSO is no exception.  Having one password protecting multiple resources delivers much sought-after improvements.  However, if that one password is compromised, ALL the resources are now subject to intrusion.  The traditional approach of having a different password for each resource certainly reduces this risk, but brings us back to helpdesk and end-user frustration and costs.

Wouldn’t it be great if the security of multiple passwords and the ROI of SSO could be combined to form a very secure and prosperous union?


Good news!  This article introduces technologies designed to improve single authentication which, when combined with SSO, create a very powerful union designed to protect and serve.  SSO in combination with Smart Cards or One Time Password Tokens will improve the single authentication and enhance the benefits gained from SSO.


Smart Card Technology

Instead of using a password that can be discovered by a user with negative intentions, Smart Cards can be used to prevent unauthorized access to sensitive data.  Physically, a Smart Card is a hand-held card with integrated circuits that has the ability to process data.  Data is moved from the card to the reader via metal contacts or radio frequencies.  Access to the controlled resource is granted only when the user has the card and the PIN/password needed to verify ownership of the card.  Requiring both the physical device and knowledge of the password makes for a security system that is extremely difficult to crack.  The likelihood of a malicious intruder obtaining both the card and the PIN is extremely low, which makes this significantly more secure than a single password.


One Time Password Tokens

A One Time Password or OTP is a password that allows access for a single session or transaction.  Should the password be recorded by a would-be intruder during the single login session, they will not be able to use the password as it becomes invalid after the single transaction.  The OTP is generated and made available by a number of different technologies.  There are handheld devices that display the OTP or the OTP can be delivered through a user’s cell phone.  The provider of the OTP is configured with an algorithm that generates the OTPs from a random source.  Various algorithms are used to generate passwords in such a way that the next password cannot be guessed or determined by an intruder.


It would take some time and investment, but employing an SSO solution combined with improved single authentication will provide a powerful and cost-effective security system to a company that cannot take chances with its secure data.

What does it take for world class technical support?: Tech Support gives some Insight

Many Technical Support departments get a reputation for delivering sub-standard support.  Many support personnel can’t wait to move out of the department and on to something they think is more rewarding and exciting.  Why is this?  Perhaps it’s because providing excellent technical support takes a certain kind of drive, stamina and commitment to the cause that isn’t for everyone.  I’m sure all of us at one time or another have come across a support person who we knew just didn’t care, or didn’t have the tools available to properly provide the support we so desperately needed.

When, and if, you have come across a support representative that really made a difference in your day, you probably took notice as good support is hard to find.

So what is it then that constitutes a World Class Technical Support department?  Is it knowledge of the product and its surroundings?  Is it how responsive and informative the personnel are?  Perhaps it is thoroughness, or a team that can provide the same excellent quality of support to any country in the world.  Could it be the reinforcement from engineering that the support individual receives when they need it?

It is this support engineer’s opinion that all of the above-mentioned qualities together, in a tight-knit operation, are required to provide top-notch support anywhere on this globe of ours.  Let’s take each quality one at a time and expose a little more of them:

Knowledge

Someone once told me that Knowledge is King.  There is no substitute for a support engineer who has excellent knowledge of the products they are supporting: not only their company’s product, but also the other products and environments that the product will be co-existing with or running on.  What a time saving it is if you find out from the support rep that the cause of the trouble is not their product but another product that is affecting it, and the support person has the knowledge to walk you through the repair of the third-party product so you don’t have to go through another cycle of support with the other company.

Responsiveness

An end user should not have to spend their valuable time chasing down a support team to get support.  You have a problem and you need it fixed.  Do you often wonder what exactly it is that the support department is doing if they are not working on your issue?  How comforting it is to hear from the support person just to let you know that they are a bit tied up at the moment, but are working on the issue and explaining to you what they are doing without you having to ask or escalate the issue to get results.

Complete and educational answers

It is one thing to solve the customer’s problem, but if at the same time you can educate them on why or how the solution works, they will be that much better for it the next time the situation, or something similar, arises.  If the support individual takes a little time now to give a more comprehensive and informative answer, the customer may not need the assistance the next time.  This is a win/win for both parties.  The support person has one less issue to deal with the next time the customer has the same or similar issue and the customer won’t have to spend time in the support process resolving the problem. 

Availability

If you are going to call yourself World Class, you have to be flexible enough to work outside of your own company’s timezone and withstand/endure a language barrier.  Working outside of the normal 9 to 5 grind can be trying, but being there for a customer on the other side of the world just makes it all worthwhile to the customer and to the company in the long run.

Close relationship with development.  No “levels” of support

A quality that really separates great support teams from mediocre support teams is when the support team has direct and accommodating help from their development engineers.  These are the employees with the most powerful knowledge and it should not be kept from or made difficult to be accessed by the person responsible for helping the customer. 

Record keeping of cases

Finally, an accurate and up to date database of support issues has to be maintained to keep all the different customers and issues organized.  It is comforting to receive a support case or incident number within an hour of requesting help.  If multiple problems are being worked at once, having the ID of the case posted in the subject of each correspondence makes it easy for both sides to be efficient.  Notification of when and why a case has been brought to resolution and a follow up on how the end user thought the support team performed is paramount in fighting these technical battles. 

When considering the purchase of any equipment, software or services from a high tech company, one would be prudent to discuss these qualities with their sales representative to make sure they understand how the experience with the company will be when the payment has been made and they are then asked to earn the money.

Phishing, Spear Phishing & Whaling: Attacks That Are on the Rise

With security breaches occurring constantly, some of the ones to look out for are the email attacks coming into your mailbox. Currently attacks such as phishing, spear phishing, and whaling are on the rise. In order to bring light to these attacks, it is key to understand what they are, and how to prevent them.

Phishing: “In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.” – Wikipedia.com

Spear Phishing: A much more targeted attack on a specific target. Usually the targets are linked to vital information, such as checkbooks, SSNs, and credit card numbers.

Whaling: These are possibly the worst. Executives and “big fish” in the company are targeted for their passwords and vital information.

According to a recent article on blogtalkradio.com, “Criminal Hackers Clean Out Bank Accounts Using Spear Phishing”, attacks like these are increasing by at least 50%. Phishing attacks are powerful and can damage bank accounts and identities in days. The article discusses a case where $440,000 was taken over the course of five days without the account owners even knowing.

These attacks are usually in the form of emails, which can even look like company documents. Once the user clicks on any link which appears to be from the “important” source, a virus is usually downloaded and allows the attacker to see all of your user data. There are even instances when these viruses will attach to the user’s web browser, and allow the attacker to see all sites visited, including personal sites, such as online banking.

So with this information it is key to also offer some solutions to these attacks:

  • Have anti-virus protection installed on your computer.
  • Look into getting a Credit Freeze.
  • Check your bank statements often and keep track of your financials.

Finally, the obvious solution is to not open emails that you don’t trust, no matter what. Recently at PistolStar we addressed this exact issue with the U.S. Navy. The government, as an industry, relies on its information being secure. Recent regulations now require that all government emails contain a digital signature to verify the sender.  Basically, if it is not signed, it is not trusted. We created an Email-Signature Plug-In that signs all outgoing unsigned emails, to make sure the receivers know who the email is from and that they are a trusted sender.

With the implementation of such plug-ins, regulations, and solutions the number of attacks will hopefully decrease. The key is to make sure that you and your company are secure and protected, and remember:

If it’s not signed, it is not trusted!
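The receiving side of the “not signed, not trusted” rule, as an added example that is not the plug-in described above: using only Python's standard library, inbound mail is classified as untrusted unless it is structurally an S/MIME signed message (multipart/signed with a PKCS#7 signature part); a header that merely claims a signature does not pass. The sample messages, addresses and signature blob are constructed placeholders, and cryptographic verification of the signature is a separate step this gate hands off to.

```python
from email import message_from_string
from email.message import Message

SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def is_structurally_signed(msg: Message) -> bool:
    """True only when the message is multipart/signed carrying a PKCS#7 (S/MIME)
    signature part. A header that merely claims a signature does not count."""
    if msg.get_content_type() != "multipart/signed":
        return False
    protocol = msg.get_param("protocol")
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False
    return (isinstance(protocol, str) and protocol.lower() in SIGNATURE_TYPES
            and parts[1].get_content_type() in SIGNATURE_TYPES)


def classify(raw_message: str) -> str:
    """Gate: unsigned mail is untrusted outright; signed mail is passed on to
    cryptographic verification (e.g. `openssl smime -verify`), which this
    stdlib-only example does not perform."""
    signed = is_structurally_signed(message_from_string(raw_message))
    return "verify-signature" if signed else "untrusted"


# Constructed sample messages (placeholder addresses; the signature blob is
# base64 of the word PLACEHOLDER, not a real PKCS#7 structure).
SIGNED = """From: sender@agency.example
To: user@example.org
Subject: Schedule
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain

Please review the attached schedule.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--sig-boundary--
"""

UNSIGNED = """From: sender@agency.example
To: user@example.org
Subject: Confirm your account
Content-Type: text/plain

Please confirm your credentials at the link below.
"""

# Claims a signature in a header but carries none: still untrusted.
HEADER_ONLY = """From: sender@agency.example
To: user@example.org
Subject: Signed (not really)
X-Signed: yes
Content-Type: text/plain

Please trust me.
"""
```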

Bookmarklet-based Password Managers Exposed

Given the number of websites a user accesses per day, most of which require authentication, it is no wonder everyone is looking for a tool to remember their passwords. Websites are using techniques such as mixing capital letters, symbols, and spaces to increase the strength of the password, and the difficulty of hacking and obtaining it.

One way that users are keeping track of these multiple credentials is with password management tools. These usually remember the password for the user, so forgetting it is no longer a concern. Unfortunately it has been found that these tools can also decrease security and open a window of opportunity for hackers to come in.

In the article by Rachel Kremen, “Plugging a Password Leak: How a Simple Fix Made Password Managers More Secure”, the issues with password managers that use bookmarklets to automate the login process for the user’s websites were exposed.  The researchers investigated six popular bookmarklet-based password managers, including Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The findings were alarming.

The way that these managers work is by storing the user’s passwords to their favorite sites, on a central server. When the user visits the site again, the bookmarklet is used to see which site the user is on, and provide the credentials.

Researchers found this to be a red flag. The main question that was brought up is: how does the manager know for sure that the website it thinks the user is on actually is that website? After running tests, they discovered that with a few pieces of code the manager could be fooled into producing the credentials for the user’s website, even when the user was not visiting the site itself.

Hackers could easily obtain the credentials for bank websites, credit cards, and other personal information. The password manager would provide the credentials, without recognizing that it is actually a hacker’s website it is providing to.

Luckily the solution was easy. By checking the referrer header over SSL, forgery of the website becomes difficult. The password manager services researched did take the researchers up on the suggestion, made the changes, and/or informed their users.
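The weak behaviour and the referrer-based fix side by side, as an added example in Python (not code from the article or from any of the services named): the central server releases credentials only for the origin in the browser-supplied Referer header, and only over HTTPS, rather than for whatever site the bookmarklet script claims. The vault entries, hostnames and request shapes are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault for this added example: credentials keyed by the exact
# origin they belong to. Hostnames and values are hypothetical.
VAULT = {
    "https://bank.example.com": ("alice", "bank-password"),
    "https://shop.example.net": ("alice", "shop-password"),
}


def origin_of(url: str) -> str:
    """Scheme and host of a URL, lower-cased; the unit the vault is keyed on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def release_weak(request: dict):
    """Original behaviour: believe the site that the bookmarklet script reports.
    A page under an attacker's control can report any site it likes."""
    return VAULT.get(origin_of(request["claimed_site"]))


def release_hardened(request: dict):
    """Fixed behaviour (the researchers' suggestion): decide from the Referer
    header the browser itself attaches, and only when the page came over SSL,
    so page script cannot claim to be a site it is not."""
    referer = request.get("referer")
    if not referer:
        return None                  # no evidence of where the page really is
    origin = origin_of(referer)
    if not origin.startswith("https://"):
        return None                  # plain HTTP: origin is easily forged
    if origin != origin_of(request["claimed_site"]):
        return None                  # script's claim disagrees with the browser
    return VAULT.get(origin)


# Constructed requests: a genuine login page, a hostile page claiming to be
# the bank, and the genuine page loaded without SSL.
LEGIT = {"claimed_site": "https://bank.example.com/login",
         "referer": "https://bank.example.com/login"}
FORGED = {"claimed_site": "https://bank.example.com/login",
          "referer": "https://lookalike.example.org/fake-bank"}
NO_SSL = {"claimed_site": "http://bank.example.com/login",
          "referer": "http://bank.example.com/login"}
```

Browsers may omit or trim the Referer header under a restrictive referrer policy, in which case the hardened check fails closed and the user must log in by hand.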

Imagine the losses that could occur. With everyone placing their trust in websites, it is vital to protect the information to access them. Although remembering these passwords can be challenging, so is tracking a cyber criminal who has taken your identity. With these tools it is important to understand what knowledge you are providing to them, and how it will be used. Putting your passwords in all one basket is not necessarily the best plan for secure authentication.

What’s New with Password Protection?

In a recent article a common issue was being discussed, password security. It is apparent that people have a hard time remembering, and creating strong secure passwords. It also seems impossible to have users remember passwords successfully for all of the applications they use, including the websites they visit as well. In response to this constant struggle between user and password, people, like PistolStar, have come up with solutions.

One of them is creating a strong challenge question and response method for users to self-service their own passwords. This allows them to create questions specific to them, which will later be used to confirm their identity. This has been a successful and strong method for quite some time, but now people are wondering what else is possible.

On The Blog of Content Protection, authored by Eric Diehl, the posting “Retrieving Passwords Through Social Interaction” brought to light an unusual way to go about recovering your password. Microsoft began to think of recovering passwords as “not what you know, but who you know”. This created the idea of using trustees to recover your password.

The user would define a list of trustees, and who would then receive recovery codes. Once the user forgot their password they would contact their trustee for the recovery code. This was an interesting concept which created a security wall made of human interaction.

This solution does come with many issues, such as forgetting who your trustees are, and the time it takes to retrieve the codes from the trustees. You can read more in Microsoft’s report:

It’s Not What You Know, But Who You Know: A Social Approach to Last-Resort Authentication

The idea of social marketing is being chased after by marketers everywhere, but what about social password recovery? Developers, are you ready to jump out of your seats... or stay seated? You decide.


Press Release: PortalGuard

August 7, 2009 by Kimberly Johnson · Comment
Filed under: PortalGuard 

PortalGuard is now officially announced! July 14, 2009 we sent out the PortalGuard Press Release announcement, and just look at all of the places it turned up:

WebSphere Journal: http://websphere.sys-con.com/node/1034525

WebSphere Power: http://www.webspherepower.com/newsitems/00045441.html 

WebSphere World (a WebSphere user community) http://www.websphere-world.com/modules.php?name=News&file=article&sid=2024 

Sphere.com: http://www.sphere.com/sphereit/?q=sphereit:blogs.zdnet.com/emergingtech/?p=137&sortby=rel&daysago=7&page=1

DominoPower: http://www.dominopower.com/newsitems/00045440.html 

(Release also ran on Outlook Power)

Web Security Journal: https://security.sys-con.com/node/1034525 

TMC NET News: http://www.tmcnet.com/usubmit/2009/07/14/4272072.htm

IT.TMCNet: http://it.tmcnet.com/news/2009/07/14/4272072.htm 

(Release also ran on TMC Net Healthcare Technology)

Reuters: http://www.reuters.com/article/pressRelease/idUS114914+14-Jul-2009+MW20090714 

Business Week- Business Exchange: http://bx.businessweek.com/sharepoint/pistolstar-now-offers-stronger-authentication-and-enhanced-security-usabilty-and-compliance-for-microsoft-sharepoint/9067359377387311683-5a92b34a67671712c9ebca78fe0b3cf9/

and: http://bx.businessweek.com/sharepoint360/view?url=http%3A%2F%2Fc.moreover.com%2Fclick%2Fhere.pl%3Fr2086578375%26f%3D9791

IT Business Net: http://hardware.itbusinessnet.com/articles/viewarticle.jsp?id=797705 

AOL Money & Finance: http://money.aol.com/news/articles/qp/pr/_a/pistolstar-now-offers-stronger/rfid231808530

MC Press Online: http://www.mcpressonline.com/security-news/new-product-agreements-and-trends/pistolstar-offers-stronger-authentication-security-for-ibm-websphere-portal.html 

Java.Blogs: http://javablogs.com/views/ViewBlog.action?id=12600

(need to scroll down)

WeDoWebSphere Twitter page: http://twitter.com/wedowebsphere (Tweet was on 7/23)

Layoffs: Studies Say There Are Threats to Data

August 4, 2009 by Kimberly Johnson · Comment
Filed under: Data Security, General Information 

Recently Insurance Buyers’ News, a direct mail newsletter, came to our office and included a serious article that businesses should be considering today. Unfortunately, with layoffs still occurring, the number of disgruntled employees is rising, which poses a threat to a company’s data.

“Layoffs Increase Data Breach Risks”, discusses a recent example with a systems administrator. He demanded money and references, or else he would attack the servers. Although he was caught and prosecuted, the damage that could have been done would have been a serious cost to the company.

Studies are beginning to show that employees are not planning on taking just their pens when they leave, but also vital information. The question of course becomes, how are you going to protect your data? It is important to be prepared, especially if there is a possibility of layoffs in the near future.

We recommend a few key tactics for protecting your company from the potential threat:

Many laid off employees have been found to still be able to access their old accounts, even after the layoff occurred. Treating employees with respect is a way to make these hard times smoother, but protecting your data, and current employees is key.