The Trojan Horse: Sneaking Past Your City Walls

For centuries the Trojan horse was a weapon of war: a historical piece of trickery and deceit used to bring down the city of Troy. In this century, when you search for the term Trojan horse, the first result to appear is about the technology version of the Trojan horse. As many of us know, malware stands for malicious software. The vehicle by which it obtains its unwanted access is the Trojan horse program. These carriers are great at disguise and trickery, and at breaking down the walls around your personal identity and even your financial status.

 

Recently a new Trojan horse program has appeared, and it has many concerned. Trojan horses, as many of us know, are invasive, but this new one goes beyond that, specifically targeting financial institutions and Internet Explorer users. The new name to fear: W32.Silon. With financial institutions as its target, Silon can intercept Internet Explorer sessions and steal credentials. Many say this attack has two heads: the generic Trojan horse approach into all applications, and the financial focus.

 

When it comes to logging onto your bank account online, that is when to watch out. The Silon Trojan steps in between token-protected financial sites and the user, putting up a façade that looks like the normal login screen. This allows it to transmit your credentials to hackers, who can then obtain your financial data and reap the rewards. The main thing that is clear about this attacker is that it is following and changing with the authentication trends. With more advanced authentication techniques, attacks are becoming more and more sophisticated. Silon is a prime example, as it attacks the two-pronged, stronger authentication methods with ease. Bank accounts beware!

 

For more information check out these links:

http://en.wikipedia.org/wiki/Malware

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

http://in.sys-con.com/node/1162320

In the news: Authentication a chief priority, top issue

It’s nice to receive validation of what you do, and we’ve had the pleasure of actually seeing it in print several times in the past several weeks. People in the industry, from security pros responding to surveys to an industry influencer, have spoken out on authentication.

First, to cheer up everyone who’s thinking pessimistically about prospects for the economy, there’s the survey of security pros in the financial services industry (most hard hit by the recession, remember?) which found that almost 50% report improved funding for security projects in the next six months. The big(ger) news is that the respondents ranked authentication, encryption and network access control as “high priorities.” The study was conducted by SearchFinancialSecurity.com and reported in “Financial security pros expect improved funding in second half of 2009.”

In a recent tech industry talk about what the Internet still needs to make it complete, Vinton Cerf, the chief Internet evangelist at Google and co-designer of the TCP/IP protocols that are the foundation of the Internet, stated that one of the Internet’s most critical needs is authentication. He said that anyone doing business involving the Internet (and who isn’t?) should be “deeply concerned” with incorporating authentication. One of the many articles on Cerf’s talk, “The Internet is incomplete…”, can be found on Computerworld.com.

Yet another survey, this one by another company in the space, revealed that the adoption of strong authentication is growing. Among its findings: strong authentication and single sign-on (SSO) are “driving organizational cost efficiencies, security and employee productivity” and strong authentication is “no longer being used exclusively for remote access.” More info as well as access to the full survey report can be found in the article, “National Strong Authentication Survey Shows Uptick in Adoption and Growing Synergy with Single Sign-on Solutions” in the Cloud Computing Journal.

We’ll inform you on other news reports on authentication as we find them!

Strong Authentication: Not Just a Buzz Word

December 8, 2008 by Chief Content Writer
Filed under: Authentication Trends 

Maintaining control over who gains access to the networks in your enterprise has become of even greater concern than ever before. Requiring authentication with just memorized passwords can prove to be inadequate in certain circumstances or in industries that deal with highly sensitive data. This is where strong authentication comes in.

Strong authentication is the use of more than one factor to authenticate and gain access to the enterprise. Organizations imposing strong authentication may require either two-factor or multi-factor authentication. A password can be one of the factors, which may also include a PIN, token, smart card, or a biometric identifier (e.g. a fingerprint or retinal pattern). With strong authentication, organizations eliminate the vulnerabilities of using passwords alone and gain a higher level of assurance their networks are protected from unauthorized access.

We suggest checking out the guidance on strong authentication in Internet banking from the Federal Financial Institutions Examination Council. It sheds light on the subject in a way that is relevant to all industries.

What is the Future of Password Authentication?

December 1, 2008 by Chief Content Writer
Filed under: Authentication Trends 

We know all too well the security issues related to passwords, the most notable being users with multiple passwords jotting them on notes left in plain sight in their cubicles. Even though password authentication solutions have become more sophisticated, providing single sign-on and password synchronization, the security drawbacks of password-based authentication methods have more noticeably reared their heads in recent years, mainly because hackers have become more clever and devised other ways to obtain, guess or crack passwords and gain access.

The main issue with password authentication is that it involves a single factor, the password, for gaining access. “Strong” authentication involves more than one factor (two-factor or multi-factor authentication). The factors used should come from two or all three of the following categories, one from each: something the user knows (password, PIN), something the user has (smart card, token), and something the user is (a biometric characteristic such as a fingerprint). With two or three factors in play, an authentication method is harder to compromise.

Adoption of two-factor and multi-factor authentication methods has been slow, so it remains to be seen what the authentication methodology trend will be going down the road. Authentication solutions are currently available that boost the security of passwords by enforcing strict password policies, employing site keys, and incorporating Kerberos, which provides the added protection of mutually authenticating the end user and the server to which they are seeking access. As organizations tighten their belts during the current economic downturn, will they invest in the latter, more cost-efficient solutions rather than the more costly multi-factor authentication methods?