Two More Colleges Exposed: Indiana University and North Dakota University

There seems to be a rise lately in the number of campuses that are being subjected to data breaches. Today it was brought to light that North Dakota University’s database was compromised, exposing the information of around 300K current and former students along with some of their staff as well. Last week, Indiana University informed nearly 146,000 recent graduates and students that data in their seven-campus system had been accidentally exposed.

This news comes on the heels of the recent University of Maryland breach that affected over 300,000 students, staff, and faculty.

Indiana University

In the case of the Indiana University breach, the accidental exposure to the general public was carried out via three automated search engine web crawlers and was apparently indexed three times over the past year.

The exposed information included everything needed to steal a person’s identity easily, including names, addresses, and social security numbers. This data was all being held in an unsecured location that was easily accessed by the data-mining applications.

The three web crawlers have not been identified at the time of this article, but the University noted that the actions were carried out in a non-malicious way, by regular search engine web crawlers. The good news to report is, no servers or systems were compromised during this data mining.


James Kennedy, the school’s Associate Vice President of Student Services and Systems, said: “This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote…”

“At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”

North Dakota University

North Dakota University came forth with news that nearly 300K current students, former students, and faculty may be at risk due to a recent hacking. The affected students’ and faculty’s personal information, including names and social security numbers, was exposed during the breach.

North Dakota University posted a notification for all those possibly impacted on their website this past Wednesday. Their IT service provider, Core Technology Services, had been tipped off about the intrusion on February 7, with the initial intrusion taking place back in October of 2013. It would appear that the attack was made using compromised credentials that had been obtained by an unauthorized user. Once this discovery was made, they immediately shut down the affected server.

The tipster in this case was actually a victim of identity fraud rooting back to the breach.

What is this world coming to?

Back twenty years ago, data breaches did happen; people would steal files from offices or files would mysteriously go missing. Fast forward to current day; with so much of our personal information being held on networks, it is now easier for thieves to steal your personal data without even being on the same continent.

This is why it is now more important than ever to make sure that you are doing everything to protect your network from an attack.

One of the best ways to defend your campus against these types of attacks is to deploy a two-factor authentication solution. This would prevent a user’s credentials from being stolen because there would be a required one-time password needed in order to access the account. This one-time password could be provided a number of secure ways including sending a text-message to a preregistered cell phone.

Many colleges and universities trust their sensitive information to be protected via a web portal that can only be accessed by authorized users. These entry points need to be protected by strong authentication, which more and more campuses are trusting to the authentication experts at PortalGuard.

Sources:

http://www.scmagazine.com/north-dakota-university-system-hacked-roughly-300k-impacted/article/337181/?DCMP=EMC-SCUS_Newswire&spMailingID=8110983&spUserID=Nzc0OTgzMDQ3NzMS1&spJobID=260600201&spReportId=MjYwNjAwMjAxS0

http://www.scmagazine.com/web-crawlers-tap-data-put-about-146k-indiana-univ-students-at-risk/article/336198/

Hackstorm


Hailstorms are a threatening phenomenon that can sometimes turn fatal. Hailstones can range from a ¼ of an inch to 7 inches in size, causing severe damage to anything in their path. Attacking hackers, in many ways, are like hailstorms when there is a breach in security, leaving extensive damage.


Lately, cyber security has been on the minds of many people, and with many security breaches at major companies placing personal data at risk, it is no wonder. A recent study by the Ponemon Institute surveyed CISOs and security technicians; according to SC Magazine.com, here is the feedback Ponemon received:


“It takes too long to detect a cyber attack.”

“We don’t have a way to prioritize incidents.”

“We receive too many alerts from too many point solutions.”

The inability to differentiate between serious attacks and those that do not even penetrate the firewall creates mass confusion as to which attacks should receive priority and which ones should be left alone. Also, according to Cruxialcio.com’s article on the survey, “74 percent said poor integration between security products, or none at all, negatively affected response to cyber attacks;” because of this low integration, or lack thereof, the attacks are not addressed in a timely manner. This is a problem for CISOs and security technicians all over the world and places personal and corporate information at risk.


According to Ponemon in SC Magazine.com’s article, CISOs and security technicians “want information that’s timely and really accurate. Getting both is kind of a Nirvana state, but what they’re getting is slow moving and ‘maybe’ accurate.” Although the root problem lies in detecting potentially dangerous hackers faster and more accurately, many companies are strengthening security at the web application layer by deploying PortalGuard. Its multi-factor authentication and reporting capabilities help solidify the front door of your websites so your engineers can focus on the activities occurring in the more neglected areas of your network infrastructure.


http://www.cruxialcio.com/security-professionals-lack-compatible-tools-prevent-cyber-attacks-report-4572


http://www.scmagazine.com/study-finds-attack-detection-takes-too-long/article/333988/

Data Breach on Campus: Over 300,000 Exposed at University of Maryland


This week the University of Maryland came forth with an announcement that their campus database had been breached, exposing sensitive information for over 300,000 students and faculty. The data breach comes on the heels of many other similar data breaches at retailers across the US, including Target, Neiman Marcus, and Michaels Craft Stores.

According to a letter from University of Maryland President Wallace D. Loh on February 19, 2014: “A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students, and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.”


Although the information was limited to the aforementioned personal information, those are almost all of the key things needed to steal someone’s identity.

Kudos to the University for being so forthcoming with information; some companies would rather sit on the information until they have investigated the cause further, which could lead to more problems for all involved. I think that other companies should take note of the steadfastness the University has shown in notifying those whose information has been exposed and providing them with the support they need to curb their fears. The University provided all involved with tips on what to look for in possible cases of fraud that can be connected to such a data breach. However, it has yet to be seen whether the University will provide the 309,079 with the standard credit monitoring service that has been seen in other recent breaches of the same caliber.

President Loh also noted, “With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.”

Security breaches like these cannot always be prevented, but it is important to make sure that your campus or company is properly equipped to combat these types of attacks. There are a few ways to ensure that your data is guarded from unauthorized users, including incorporating a two-factor solution where the person logging in would need to verify their identity by entering a one-time-use password sent to a separate device such as an enrolled cell phone. Many campuses and companies turn to authentication experts like PortalGuard to provide authentication solutions that have been independently tested and proven to enhance security.

Source: http://www.umd.edu/datasecurity/

The Shortcomings of Two-Factor

As more and more organizations add two-factor authentication systems to their web applications, the reactions are in. Alongside appreciation for the stronger authentication mechanisms come various criticisms of the approach, ranging from resistance because it holds up workflow to reminders that even the most hardened of locks can still be picked. While the two-factor trend continues to expand, staggering numbers of organizations, as we’ve continually reported on this blog, continue to ignore the solution, and these accounts may shed some light on the reasons for their resistance.

MedAllie’s A. John Blair MD is one such fellow who expressed disinterest in implementing two-factor within EHR (Electronic Health Records) security at the Health IT Policy Committee in January. Citing concerns over productivity, Blair sees the additional security factors as a workflow obstacle, stating that clinical workflow should be the topmost priority when evaluating the system’s security:

“If the provider honestly believes these enhancements will improve care and efficiency–and particularly if they are indirectly tied to increased reimbursements for improved health care value–interoperability will advance rapidly. If the providers do not believe this, nothing else we do here will make much of a difference in the long run.”

Blair’s point is certainly a valid one, though prioritizing accessibility to sensitive patient data over ensuring its security is surely a conflict of interests, and so one whose right or wrong answers are purely situational. In this case, as in many, the need for security might not be apparent until data becomes compromised.

In another article, Mark Risher, CEO and co-founder of Impermium, a vendor of digital fingerprinting software, lays out his reasons why the two-factor authentication system is not the be-all and end-all measure for securing data that it is being made out to be. He feels that “service providers need to take on more of the responsibility for securing a consumer’s information online, utilizing similar proactive monitoring and not expecting [two-factor] perimeter defenses to suffice”. While multi-factor approaches certainly enhance security, he states, more must still be done to guard against hacking attacks.

Risher’s suggestion is a sort of ‘virtual police’, in the form of learning algorithms that, much like actual policemen, can track and intelligently identify suspicious behavior.  His description largely resembles contextual authentication, which may prove to be the heightened level of security over two-factor that some are looking for.

Read More – Physician sees two-factor authentication as efficiency barrier

Read More – Why two-factor authentication isn’t a cure-all

Two-Factor Takeover

Following our post last week, which noted that Apple is the latest to join a trend in which more and more of the most influential companies are adding enhanced security in the form of two-factor login to their accounts, we follow up this week with yet another. Twitter will be joining the likes of Apple, Google, Facebook and Microsoft as it begins rolling out the feature in a short but unspecified time from now.

It appears that Twitter has had this project underway since at least early February, when it posted a job position for the project. It is likely no coincidence that the service had suffered a hacking attack in which 250,000 account passwords were compromised just the week before the job posting. With the Associated Press also suffering a compromised account just yesterday, in which bogus messages were tweeted, the need for the enhanced security is especially evident.


Source: The Wired

Source: Ars Technica

Continuing Towards a World Without Passwords

In a move that appears to be an attempt to catch up to their competitors Google and Facebook, Apple and Microsoft are now the latest monoliths to have introduced a two-factor authentication option for their users’ Apple IDs and Microsoft accounts, respectively. Once again the evidence shows that we’re on our way towards a world without passwords. Multi-factor authentication is ever more trendy, and now everybody’s doing it.

Similarly to the existing two-step verification offered by Google and others, Apple and Microsoft’s added security requires those users who have enabled the feature to input a special code during authentication; in addition to the usual username and password, the additional factor of the password code effectively enhances the security of the account. This special code, often known as a TOTP (time-based one-time password), is typically delivered via a text message to the user’s cell phone once it has been registered as a trusted device. Much like Google’s Google Authenticator mobile app, which allows users to receive the codes via a convenient app rather than text messages, Apple offers the same convenience via their ‘Find My iPhone’ app, and Microsoft as well, through an as yet unnamed app of their own.

These new offerings, however, follow seemingly identical footsteps to the previous methods of two-factor authentication, and therefore bring with them not only the enhanced security benefits but also the headaches. Although multi-factor authentication eliminates the need to remember the password in some cases, it still adds further steps and disruption to a user’s routine. The ideal would be two-factor authentication that is transparent to the user while still able to block unwanted access.

Read more about Apple two-factor…

Read more about Microsoft two-factor…

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication,  self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Knock Down the Barriers: What Does a Two-factor Authentication Solution Need to Have?

At the recent RSA Conference 2013 in San Francisco, one of the resounding themes was the expansion of authentication solutions. The idea of replacing the old password as a login method is one that is feverishly being worked on by many vendors. However, the main struggle for vendors is handling the tradeoff between usability and security.

Matt Honan identified this after explaining that security has two tradeoffs, convenience and privacy. For example, if you implement a password policy which is unusable, the security solution fails and is abandoned or circumvented. Privacy also limits what an organization can leverage for two-factor authentication. Many organizations are terrified of alienating their users and like the idea of offering a simple, private solution versus a secure one.

Overall there is a lack of confidence in the marketplace as some of the leading solutions have experienced major hacks leaving behind doubts about the authentication methods being secure.

There is no “holy grail” solution for people to feel good about purchasing. It is unfortunate to see many organizations take the “it will not happen to us” approach because there is no simple answer to two-factor authentication.

When the question was posed “What do YOU need out of two-factor authentication?”, the common themes were that a solution needs to be:

  • Secure
  • Simple to use to avoid resistance from users
  • Inexpensive
  • Seamlessly integrated with all systems
  • Able to solve the provisioning/enrollment problem of tokens
  • Without the requirement of massive infrastructure
  • Easy to deploy and manage
  • Combined with single sign-on (SSO) for increased usability
  • Reliable
  • Using tokens which are easy to create, deploy, revoke, and replace

Luckily there are options emerging on the market which attempt to provide the above. It is important to take a look at the options and be careful with vendor selection. Are you ready to take the next step and evaluate the vendors on the market?

References:
http://bitzermobile.com/blog-musings-from-rsa-2013/
http://blogs.technet.com/b/steriley/archive/2006/04/20/425824.aspx

Lack of Confidence in Two-factor Industry

With recent research into how you and the general industry view two-factor authentication, it is amazing to see the lack of confidence in any one solution to stand above the rest. It seems that all the solutions in the market have one downside or another which is difficult for organizations to justify. This seems to be one of the main reasons keeping you from implementing it. In our related blog post “Are You for or Against Two-factor Authentication?” vendors and consultants weighed in on the subject with no clear answer being given. How are you supposed to invest in a solution which does not have 100% confidence behind it?

Well, we’d like to at least take a look at what PortalGuard has to offer. The download we are offering allows you to try out the various methods PortalGuard offers, letting you easily implement choices in how you present two-factor authentication to your users. Beyond the download, however, PortalGuard’s PassiveKey solves the main problem two-factor has and becomes an excellent two-factor alternative which is 100% transparent to the user. For more information please download the demo and visit the website to see how it works:

Two-factor Download: http://portalguard.com/twofactor_download_request.php

Two-factor Alternative: http://www.portalguard.com/transparent_user_authentication.html

CJIS and Advanced Authentication – Approaching Deadline

February was the deadline month for the new Advanced Authentication requirements being enforced by the CJIS, one of the largest divisions of the FBI; the deadline has now been postponed to September of 2013 because most local governments were unable to meet the requirements in time. The requirements now state that accessing any sensitive data in the CJIS database requires Advanced Authentication (AA), also known as two-factor or multi-factor authentication. The requirement is being put in place to protect the data and to require the user to really prove who he or she claims to be.

As defined in one of our previous posts (What is two-factor/multi-factor authentication?) the new AA implementations will need to require at least two out of the three authentication factors to prove a user’s identity. Here is the definition directly from the FBI standards:

“Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions. Advanced Authentication is also called Multi-Factor or Two-Factor authentication.”

Many times the existing authentication for building access, such as smart cards, will be able to be leveraged, but these are not as convenient for the mobile workforce the requirements are targeting. The penalties for non-compliance are severe, including no access to the CJIS database. CJIS will not help you choose the best authentication solution but can help you determine whether you are in compliance when using it.

The key to a good solution really will be the flexibility it offers. Because the target users are mobile and usually working from a car or on the road, the second factors you put in place need to be not only secure but usable. Many are leaning towards biometrics, but with limited proven vendor options on the market it is difficult to feel secure with these solutions, not to mention the cost that can be incurred when purchasing them. It is also important to choose a vendor who can provide various authentication methods so you are not forced to purchase disparate solutions to achieve one goal.

I’d suggest that you take a look at the following links to help you understand the guidelines as well as take a look at PortalGuard’s example of meeting CJIS compliance requirements:

CJIS Security Policy: http://www.cjin.nc.gov/infoSharing/Presentations/CJIS%20Security%20Policy%20v5%201_07132012_-ns[1].pdf

PortalGuard’s CJIS Guidelines: http://portalguard.com/pdfs/CJIS%20Compliance.pdf

PortalGuard’s Two-factor Authentication: http://www.portalguard.com/two-factor_authentication.html

What is Two-factor/Multi-factor Authentication?

According to Wikipedia, the high-level definition is an approach to authentication which requires the presentation of two or more of the three authentication factors:


  • A knowledge factor (something the user “knows”)
  • A possession factor (something the user “has”)
  • An inherence factor (something the user “is”)

The extra factors are implemented to make sure that the user is authorized and to prove their identity beyond a simple password. The definition states that to be two-factor authentication it must require the user to provide at least two of the three factors listed above. So, for example, the user would be required to enter their username, their password (something they know), and a hardware-token-generated one-time password (something they have). The use of two distinct authentication factors helps eliminate an organization’s security concerns around granting access based on a single, knowledge-based factor, the password.

A common example of authentication which is mistaken for two-factor authentication is knowledge-based authentication where the user is asked to provide their username, password, and answer to a knowledge question. This does not meet the definition because the password and answer are both factors the user knows.

Increasing in popularity, the one-time password (OTP) is becoming a preferred second factor because it is valid for only one login session or transaction. OTPs avoid the shortcomings of static passwords, including being resistant to replay attacks: if a hacker records an OTP that was already used, they will not be able to reuse it since it is no longer valid. OTPs can be delivered via SMS, email, print, hardware token, landline, or transparently using a browser plug-in.

Regulatory compliance, one of the driving factors behind two-factor authentication, is forcing organizations to implement stronger authentication. Take, for example, the largest division of the FBI, the Criminal Justice Information System (CJIS): it has an Advanced Authentication compliance requirement that is making law enforcement and local governments take action. Effective September 30, 2013, Advanced Authentication will be a requirement for all law enforcement personnel accessing NCIC criminal justice information outside of a secure location. Other regulatory compliance standards such as the FFIEC, PCI DSS, and HIPAA are also driving the market towards two-factor authentication.

However, what if your organization does not have these regulatory compliance standards pushing you towards implementing two-factor? Do you still feel like your data is sensitive enough to protect with stronger authentication? Or do you take on an “it’s not going to happen to me” attitude?
