Honesty is the Best Policy: Passwords, IT Security Professionals, and Llamas!


Well, the truth is that many organizations are just not enforcing the basics of Password Best Policies (PBP), never mind investing in and enforcing stronger identity security. With so much emphasis on ROI, the truth is that IT security professionals make the dangerous decision to purchase the minimal authentication solution just to have “something” in place. And the truth about llamas: never tick off a llama; they spit when provoked or threatened!

 

Passwords are precious things, yet they have lost their importance in the eyes of the public. According to Teri Robison’s article on SC Magazine, Study: Security pros still grappling with lax password policies, the survey had “respondents to Lieberman Software’s ‘2014 Information Security Survey’ saying that they can still access systems at a previous place of employment by using old credentials. Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.” A good place to start would be PBP, but sadly, Robison states that the 2014 Information Security Survey reports “quite a few respondents — nearly one in four — say their organizations don’t change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.” This is staggering, and I believe there is a llama spitting somewhere right now.

 

Also in the article, Robison quotes Lieberman stating that “’it’s astonishingly common’ in corporate and government networks for the administrator passwords . . . ‘to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records.’” It goes without saying that this is an unacceptable policy . . . anywhere!
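The three lapses described above (old credentials that still work after someone leaves, service-account passwords older than 90 days, and one administrator password shared across systems) can all be checked for mechanically. The script below is an added example written for this post, not something from the survey or from PortalGuard. The inventory it audits is constructed, and the hash comparison in `shared_passwords` only works for stores where equal passwords give equal hashes (unsalted NTLM hashes, or secrets exported from a password vault), not for salted password databases.

```python
"""Audit a credential inventory for the three lapses the survey describes.

Added example, not part of the original post or any PortalGuard product.
The inventory format, the hash values and every account below are constructed
for illustration; real data would come from a directory export or a vault.
"""
from datetime import date

# Constructed inventory rows:
#   (account, host, kind, password_hash, last_set, owner_active)
# 'kind' is 'user', 'admin' or 'service'; 'owner_active' is False when the
# person responsible for the account has left the organization.
INVENTORY = [
    ("jsmith",     "hr-web01", "user",    "h1", date(2014, 3, 1),  True),
    ("bjones",     "hr-web01", "user",    "h2", date(2013, 11, 2), False),  # left, still enabled
    ("svc_backup", "db01",     "service", "h3", date(2013, 1, 15), True),   # never rotated
    ("svc_backup", "db02",     "service", "h3", date(2013, 1, 15), True),   # same secret, second host
    ("admin",      "db01",     "admin",   "h4", date(2014, 2, 10), True),
    ("admin",      "web01",    "admin",   "h4", date(2014, 2, 10), True),   # shared admin password
    ("admin",      "web02",    "admin",   "h5", date(2014, 2, 10), True),
]
MAX_AGE_DAYS = 90                 # the 90-day rotation rule quoted in the post
AS_OF = date(2014, 5, 1)          # fixed audit date so the result is reproducible


def stale_accounts(inventory, today, max_age=MAX_AGE_DAYS):
    """Service and admin passwords older than max_age days."""
    return sorted(
        (acct, host)
        for acct, host, kind, _, last_set, _ in inventory
        if kind in ("service", "admin") and (today - last_set).days > max_age
    )


def orphaned_accounts(inventory):
    """Accounts still present although their owner has left (the 'old credentials' finding)."""
    return sorted((acct, host) for acct, host, _, _, _, active in inventory if not active)


def shared_passwords(inventory):
    """Password hashes that appear on more than one host: one compromise unlocks all of them.
    Only meaningful for unsalted hashes or vault-exported secrets (see lead-in)."""
    hosts_by_hash = {}
    for acct, host, _, pw_hash, _, _ in inventory:
        hosts_by_hash.setdefault(pw_hash, set()).add((acct, host))
    return {h: sorted(v) for h, v in hosts_by_hash.items() if len(v) > 1}


def audit(inventory, today):
    """Run all three checks and return the findings keyed by name."""
    return {
        "stale": stale_accounts(inventory, today),
        "orphaned": orphaned_accounts(inventory),
        "shared": shared_passwords(inventory),
    }


if __name__ == "__main__":
    for finding, items in audit(INVENTORY, AS_OF).items():
        print(finding, items)
```

Each finding maps to one of the survey's complaints: `stale` is the 90-day rule, `orphaned` is the former employee who can still log in, and `shared` is the administrator password reused across systems. Feeding the same checks a nightly export is a cheap way to catch regressions before an auditor does.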

 

With all the breaches in the news you would think the lesson would have been learned and companies would prioritize authentication security. But truth be told, Robison also quotes Lieberman stating, “a breach ups interest in investing in security, but not for long . . . with a ‘half-life mentality’ companies loosen the purse strings in the wake of a data breach, ‘diminishing back to basic security after a few months,’” a sad truth to be sure.

 

In closing, it is a no-brainer: passwords must be stronger and PBP awareness shared, IT security professionals must invest in a solution that earns its ROI, and stronger security means commitment!

 

So go ahead! Invest . . . the Llamas won’t mind.

 

 

 

Source:

http://www.scmagazine.com/study-security-pros-still-grappling-with-lax-password-policies/article/348888/2/

How to Mend a Broken Heart: The Heartbleed Bug and what you need to know to protect yourself


The news broke this week that the Heartbleed Bug affects an undetermined number of websites and their users worldwide. At this time it would seem that a large number of people are affected; however, the full magnitude of this bug may not be clear for some time. Last year, the Adobe breach numbers grew drastically as time moved forward.

So what is the Heartbleed Bug?

The researchers who uncovered the problem describe the Bug as a serious flaw within OpenSSL.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”
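What “stealing the information protected” means in code: OpenSSL’s heartbeat handler (CVE-2014-0160) read a payload length from the client’s record and copied that many bytes back without checking it against the record it had actually received. The Python below is an added illustration of that bug and of the fix, not code from OpenSSL or from the original post. The “memory” it operates on is a constructed byte string with a secret placed right after the record, standing in for the heap, and the reply padding is omitted for brevity.

```python
"""Simulate the OpenSSL heartbeat bug (CVE-2014-0160) and its fix.

Added example, not from the original post or from OpenSSL. A TLS heartbeat
record is: 1 byte type (1 = request, 2 = response), a 2-byte big-endian
payload length, the payload, then at least 16 bytes of padding. 'memory'
is a constructed bytearray in which the record sits next to a secret.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_len=None) -> bytes:
    """Build a heartbeat request; a malicious client sets claimed_len > len(payload)."""
    n = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack("!H", n) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory: bytes, record_off: int, record_len: int) -> bytes:
    """Pre-1.0.1g logic: trust the length field and copy that many bytes back.
    record_len is accepted but never used, which is exactly the bug."""
    if memory[record_off] != HB_REQUEST:
        return b""
    (payload_len,) = struct.unpack("!H", memory[record_off + 1:record_off + 3])
    start = record_off + 3
    # No check that payload_len fits inside the record: the copy runs off the
    # end of the record into whatever happens to sit next to it in memory.
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[start:start + payload_len]


def heartbeat_fixed(memory: bytes, record_off: int, record_len: int) -> bytes:
    """1.0.1g logic: silently drop records whose claimed payload does not fit."""
    if 1 + 2 + PADDING > record_len:          # too short to carry even an empty payload
        return b""
    if memory[record_off] != HB_REQUEST:
        return b""
    (payload_len,) = struct.unpack("!H", memory[record_off + 1:record_off + 3])
    if 1 + 2 + payload_len + PADDING > record_len:   # the missing bounds check
        return b""
    start = record_off + 3
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[start:start + payload_len]


def demo():
    """Malicious request claiming 40 bytes while sending 2; returns (leaked, blocked)."""
    secret = b"session=deadbeef; user=alice"            # constructed, stands in for heap contents
    record = build_heartbeat(b"hi", claimed_len=40)
    memory = b"\x00" * 8 + record + secret + b"\x00" * 8
    off = 8
    return heartbeat_vulnerable(memory, off, len(record)), heartbeat_fixed(memory, off, len(record))


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable reply:", leaked)   # contains the neighbouring secret
    print("fixed reply:     ", blocked)  # empty: request dropped
```

The attacker never reads the server’s private key directly; they ask for up to 64 KB of “echo” and get back whatever happened to be adjacent in the process heap, which over many requests can include session cookies, passwords and key material. That is why the advice below is to change passwords only after a site has patched.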

Currently affected sites:

Some of the popular websites that have been listed as vulnerable include the following:

-Yahoo.com

-Imgur.com

-Flickr.com

-Okcupid.com


How you can protect yourself.

There are a couple of different steps you can take to proactively protect yourself. The first step would be to change your passwords on all of the affected sites listed above, but only once a site has patched its OpenSSL and replaced its certificate: a password changed on a still-vulnerable server can be stolen just like the old one. It would also be good practice to change all of your passwords in general, just to play it safe. The other, more drastic option would be to avoid using the identified sites entirely. However, this may not be a realistic option if you are an active member of the sites affected.

Although many websites do not require password resets to occur on a regular basis, the authentication experts at PortalGuard highly recommend changing your password every 90 days. If you take this simple action, it can possibly save you from a lot of frustration and heartache.

Are You Only a Hacktivist Away from Chaos?


Data security is a hot topic right now, with Target, Michaels, and other large companies reporting data breaches. After all the time, money, and publicity those breaches cost them, I am sure they wish they could turn back time and deploy stronger authentication to guard against the attackers who caused the chaos.

 

In Cameron Shilling’s article “Is Your Business a Data Breach Away from Disaster?,” Shilling states, “data security breaches are not just perpetrated by Internet hackers looking for credit card numbers. For example, health care providers are targeted for medical and insurance information, and educational institutions are targeted for financial aid and personal information about students, parents and alumni.” If your company is housing private information, you are a target. No matter how small or how large, your company is at risk.

 

Even though this is a serious problem, we take these warnings and disregard them with thoughts like “it could never happen to me” or “that takes too much time and money.” But it could happen to you, and a serious data breach is just one hacktivist away, resulting in lost personal information and lost credibility with your customers.

 

Many companies do not realize that a data breach can cost hundreds of thousands of dollars.

 

Shilling also points out that there are unforeseen costs to a company’s data breach: “costs include direct expenses to investigate, provide notifications and remediate the breach, such as for legal counsel, computer forensic consultants, public relations specialist, credit monitoring services and price concessions.” These make up about 40% of the total cost of “fixing” a data breach. Shilling goes on to point out that “the greater losses, which are often hidden to most businesses, arise from indirect costs, like diminishing revenue and profits from lost customer business, and diminishing employee productivity from time spent addressing the breach and its aftermath.” Without a doubt, it is more cost-effective to deploy a strong authentication solution before the breach takes place.

 

Everyone should take the necessary steps to secure their systems and private information. It is well worth the effort to protect against breaches. Many companies and organizations are turning to the affordable, strong, hassle-free two-factor authentication like PassiveKey, created by the authentication experts at PortalGuard.

 

Don’t be at high risk anymore!

 

 

 

Shilling, Cameron G. “Is Your Business a Data Breach Away from Disaster?” Business Magazine Mar. 2014: 26-27. Print.

Two More Colleges Exposed: Indiana University and North Dakota University

There seems to be a rise lately in the number of campuses being subjected to data breaches. Today it was brought to light that North Dakota University’s database was compromised, exposing the information of around 300K current and former students along with some staff. Last week, Indiana University informed nearly 146,000 recent graduates and students that their seven-campus data system had accidentally exposed their data.

This news comes on the heels of the recent University of Maryland breach that affected over 300,000 students, staff, and faculty.

Indiana University

In the case of the Indiana University breach, the accidental exposure to the general public was carried out by three automated search engine web crawlers, which apparently indexed the data three times over the past year.

The exposed information included everything needed to steal a person’s identity easily, including names, addresses, and Social Security numbers. This data was all being kept in an unsecured location that was easily reached by the data-mining applications.

The three web crawlers had not been identified at the time of this article, but the University noted that the actions were carried out in a non-malicious way, by regular search engine web crawlers. The good news to report is that no servers or systems were compromised during this data mining. The caveat is that once a crawler has indexed a file, copies can live on in search engine caches long after the original is taken down, so the cleanup has to include removal requests to the search engines as well as securing the location itself.


James Kennedy, the school’s Associate Vice President of Student Services and Systems said; “This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote…”

“At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”

North Dakota University

North Dakota University came forth with news that nearly 300K current students, former students, and faculty may be at risk due to a recent hacking. The affected students’ and faculty’s personal information, including names and Social Security numbers, was exposed during the breach.

North Dakota University posted a notification for all who were possibly impacted on its website this past Wednesday. Its IT service provider, Core Technology Services, had been tipped off about the intrusion on February 7, with the initial intrusion taking place back in October of 2013. It would appear that the attack was carried out using compromised credentials obtained by an unauthorized user. Once this discovery was made, they immediately shut down the affected server.

The tipster in this case was actually a victim of identity fraud rooting back to the breach.

What is this world coming to?

Back twenty years ago, data breaches did happen; people would steal files from offices or files would mysteriously go missing. Fast forward to current day; with so much of our personal information being held on networks, it is now easier for thieves to steal your personal data without even being on the same continent.

This is why it is now more important than ever to make sure that you are doing everything to protect your network from an attack.

One of the best ways to defend your campus against these types of attacks is to deploy a two-factor authentication solution. This would not stop a user’s password from being stolen, but a stolen password alone would no longer be enough to log in, because a one-time password would also be required in order to access the account. This one-time password could be delivered in a number of ways, including sending a text message to a preregistered cell phone; a code sent by SMS is only as secure as the phone number it goes to and can be intercepted or redirected, so an authenticator app or hardware token is the stronger choice where users can be issued one.

Many colleges and universities trust their sensitive information to be protected via a web portal that can only be accessed by authorized users. These entry points need to be protected by strong authentication, which more and more campuses are trusting to the authentication experts at PortalGuard.

Sources:

http://www.scmagazine.com/north-dakota-university-system-hacked-roughly-300k-impacted/article/337181/

http://www.scmagazine.com/web-crawlers-tap-data-put-about-146k-indiana-univ-students-at-risk/article/336198/

Hackstorm


Hailstorms are a threatening phenomenon that can sometimes turn fatal. Hailstones can range from a ¼ of an inch to 7 inches in size, causing severe damage to anything in their path. Attacking hackers, in many ways, are like hailstorms when there is a breach in security, leaving extensive damage.

 

Lately, cybersecurity has been on the minds of many people, and with so many security breaches at major companies placing personal data at risk, it is no wonder. A recent study by the Ponemon Institute surveyed CISOs and security technicians; according to SCMagazine.com, here is the feedback Ponemon received:

 

“It takes too long to detect a cyber attack.”

“We don’t have a way to prioritize incidents.”

“We receive too many alerts from too many point solutions.”

The inability to tell serious attacks apart from the background noise of attempts that never get past the firewall creates mass confusion as to which alerts should receive priority and which can be left alone. Also, according to CruxialCIO.com’s article on the survey, “74 percent said poor integration between security products, or none at all, negatively affected response to cyber attacks;” because of this poor integration, or the lack of any, attacks are not addressed in a timely manner. This is a problem for CISOs and security technicians all over the world and places personal and corporate information at risk.

 

According to Ponemon in SCMagazine.com’s article, CISOs and security technicians “want information that’s timely and really accurate. Getting both is kind of a Nirvana state, but what they’re getting is slow moving and ‘maybe’ accurate.” Although the underlying problem is faster and more accurate detection of attackers already at work, many companies are strengthening security at the web application layer by deploying PortalGuard. Its multi-factor authentication and reporting capabilities help solidify the front door of your websites so your engineers can focus on activity in the more neglected areas of your network infrastructure.

 

 

http://www.cruxialcio.com/security-professionals-lack-compatible-tools-prevent-cyber-attacks-report-4572

 

http://www.scmagazine.com/study-finds-attack-detection-takes-too-long/article/333988/

Data Breach on Campus: Over 300,000 Exposed at University of Maryland


This week the University of Maryland announced that a campus database had been breached, exposing sensitive information for over 300,000 students and faculty. The data breach comes on the heels of many similar data breaches at retailers across the US, including Target, Neiman Marcus, and Michaels Craft Stores.

According to a letter from University of Maryland President, Wallace D. Loh on February 19, 2014; “A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students, and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.”


Although the information was limited to the aforementioned personal information, those are almost all of the key things needed to steal someone’s identity.

Kudos to the University for being so forthcoming with information; some organizations would rather sit on it until they have investigated the cause further, which can lead to more problems for all involved. I think other organizations should take note of the promptness the University has shown in notifying those whose information was exposed and providing them with the support they need to curb their fears. The University provided everyone involved with tips on what to look for in possible cases of fraud connected to the breach. However, it has yet to be seen whether the University will provide the 309,079 affected people with the credit monitoring service that has become standard in other recent breaches of the same caliber.

President Loh also noted, “With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.”

Security breaches like these cannot always be prevented, but it is important to make sure that your campus or company is properly equipped to combat these types of attacks. One way to ensure that your data is guarded from unauthorized users is to add a two-factor solution, where the person logging in must verify their identity by entering a one-time-use password sent to a separate device such as an enrolled cell phone. Many campuses and companies turn to authentication experts like PortalGuard to provide authentication solutions that have been independently tested and proven to enhance security.
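For the one-time-use password described in this post and in the campus breach post above, here is an added example of how such codes are generated and checked on the server. It is not PortalGuard’s code, and the page does not say which algorithm any product uses; the example implements HOTP from RFC 4226 (chosen because it is a published standard with test vectors) using that RFC’s test secret, plus a verifier that accepts each code at most once and tolerates a few unused codes, so a code intercepted in transit is useless once the legitimate user has submitted it.

```python
"""One-time passwords for the second factor: RFC 4226 HOTP plus a
server-side verifier that never accepts the same code twice.

Added example, not PortalGuard's code. The secret is the RFC 4226 test
value, not a real credential; a real deployment would generate a random
per-user secret at enrollment and store it server-side only.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # test secret from RFC 4226, appendix D


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: remembers the next acceptable counter per user so a code
    can never be replayed, even if an attacker has captured it."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # codes the user generated but never submitted
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        """Accept the code if it matches one of the next look_ahead counters,
        then advance past it so that counter (and all earlier ones) is burned."""
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):   # constant-time compare
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print(first)                                  # 755224 per RFC 4226
    print(v.verify(first), v.verify(first))       # True, then False: replay rejected
```

The important property is in `verify`: once a counter has been accepted, it and everything before it are dead, which is what makes the password “one-time” regardless of how it was delivered. A code sent by text message still needs a verifier with this behaviour on the server; the transport does not provide it.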

Source: http://www.umd.edu/datasecurity/

Identifying Authentication Challenges in Education: A look within our clients


Recently, while looking through our customer base, we noticed a very interesting trend within our post-secondary education clients. Once we recognized this trend, we wanted to take a moment to identify this top issue and look at some of the reasons why this could be.

We identified that the most common hurdle our clients face within the education industry is account lockouts and forgotten passwords, the problem that self-service password reset (SSPR) is meant to solve.

When looking at the grand scheme of things, this is not really a surprise. Schools have a large number of users, largely made up of students who have many things on their minds; surely they will lock themselves out of their accounts at some point. Add to the mix faculty and staff, some of whom may be adjunct or part-time employees of the college or university, and you have quite the cocktail of end users. One more piece of the puzzle is new students, both freshmen and transfers, who are trying to remember all of the aforementioned things while learning a new campus.


Looking at the breakdown above, the picture becomes a little clearer as to why SSPR would be at the top of the charts. Without an SSPR solution in place, this could mean an influx of Help Desk calls to unlock student and faculty accounts. This would bog down the phone lines and prevent other, more important tech issues from being solved.

Also, think about it from a cost perspective.

At the start of any semester, there would be a large number of calls placed to the Help Desk to assist in unlocking the accounts. For the school, that means that there may be a need to have extra staff on hand to cover these simple calls. But adding extra staff is not as simple as it sounds: the extra staff costs the college wages, extra training, and the cost of extra equipment needed for them to do their jobs. All of those extras can add up in a hurry!

At the end of the day, PortalGuard understands this is a pain point for the education industry and has provided affordable solutions to help reduce Help Desk calls and also provide strong authentication security on the backend.

When Will We Learn? An observation about security


A friend sent me a great TED Talk video this morning, “Are we in control of our own decisions?” by Dan Ariely, behavioral economist and author of the book Predictably Irrational.  This video was excellent, well worth a watch, and opened my eyes, helping me understand some social behaviors.  Personally, I love to consider different perspectives and think outside of the box; whether this makes me a genius or crazy has yet to be determined…

The video discusses many examples and makes different comparisons to prove his point about how the actions of people are “predictably irrational”, and this naturally made me think about authentication and security.  When looking at recent security breaches in the media, the problems do not seem like new issues, just a recycled story of how information was compromised due to a lack of security.  It would seem that when it is a hot topic in the media many people talk about the issue, but few take action to protect themselves, which leads to more security breaches down the line.

After watching this video it became apparent why this may happen.  Dan explains that when a person is faced with a problem and there are many or complex options, they are less likely to act.  This could explain why security issues are continuous and abundant.  There are so many options out there that they can overwhelm the general public and organizations alike.  If the public or a corporation is unsure which angle to cover or how best to protect their information, they are very likely to just fold their arms, do nothing and hope for the best.

Dan also spoke about the need to see something to believe it, for instance by making it tangible.  When security is approached this way it makes more sense: when it comes to protecting a physical asset it is a lot easier to comprehend the risk because it is a tangible object.  People take out insurance policies on their homes, cars and even their lives because it is easier to picture your life with or without them.

However, when it comes to identity theft through a security breach it is harder to envision the impact, which results in fewer people taking it as seriously as they should until it is too late and the information is compromised.

All-in-all, this helped me understand a little more why history seems to repeat itself so often.  However, it raised a question in my head… Why do we not learn from others mistakes when it comes to security?

Sources:

http://www.ted.com/talks/dan_ariely_asks_are_we_in_control_of_our_own_decisions.html

http://danariely.com/about-dan/

Social Network Hacked: Snapchat, what happened and why they think it happened


Snapchat is one of the hottest social networks out there with millions of users worldwide sharing photos, most of them ‘selfies’ of their users. What makes Snapchat so unique is the App allows you to send the photos which self-delete off of the recipient’s phone a few seconds after viewing.  This mega social network is the latest to get hacked, exposing 4.6 million users’ names and phone numbers.

Fox Business interviewed Adam Levin, co-founder of Identity Theft 911.  “This is a big deal… Anytime you have a hack, it impacts what people do. It’s important to remember that any technology can be defeated, and you should always look at things skeptically.”

The people behind the leak said their motivation was to expose Snapchat’s lack of security: “It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal.  Security matters as much as user experience does.”

It definitely is a little unnerving when you find that security features are not at the top of the priority list when companies are developing a product, and only come to light once the users are personally affected.

With this hack in place it is a reminder to keep vigilance over your personal information.  Many people use the same screen name across multiple accounts, which means the other accounts may also be susceptible to being hacked.

Not only did this hack show the users of Snapchat the application’s vulnerabilities, it also reminds us all to be careful with what we share on social media networks in general.

Sources:

http://en.wikipedia.org/wiki/Selfie

http://www.foxbusiness.com/personal-finance/2014/01/02/snapchats-hack-what-users-should-do-now/

http://hackersnewsbulletin.com/2014/01/proved-snapchat-hack-joke-4-6m-usernames-plus-numbers-posted-online.html

Do You Know Who is Watching You? Part 2


On Tuesday we covered the basics of Remote Access/Administration Trojans, also known as RATs. You can read that post here.

To dive deeper on the topic, one of the most common RATs is “Pandora”. The Pandora RAT allows an attacker to gain access to the following on a compromised computer: files, processes, services, and active network connections.

If all of this doesn’t concern you, Pandora can also: remotely control the compromised desktop, take screenshots, record webcam footage, record audio, log keystrokes, steal passwords, download files, open Web pages, display onscreen messages, restart the compromised computer, hide the taskbar, and  hide desktop icons. It can even cause one of the most dreaded attacks: system failure and the blue screen of death.  Like many RATs, Pandora is user friendly, and can be mastered by expert and beginner hackers alike.

There is a thriving underground market in RATs. They can be purchased from many websites and even appear for sale in online hacking forums.  Alongside the RATs themselves, three add-ons commonly appear for sale:

1) FUD (fully undetectable) builds, which the sellers claim are not detected by security vendors’ antivirus products

2) Crypters, tools that encrypt or scramble the RAT’s bytes so that the file on disk no longer matches antivirus signatures while still running once unpacked in memory

3) JDB (Java drive-by) kits, in which a Java applet is placed onto a website disguised as a pop-up the visitor must accept to continue to the site, installing the RAT when accepted

A few rules to stay protected: keep your anti-virus software up to date; avoid opening emails that look suspicious or come from a sender you do not recognize; always be skeptical when clicking on links you receive from other sources; and only download files from sites you know to be trustworthy. Be aware of your webcam activity; if it does not have a shutter that closes, consider putting a piece of tape over the lens as a precaution. Most importantly, use common sense: if your computer told you to drop it off a bridge, would you?

 

Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you

Image Source:

http://i.telegraph.co.uk/multimedia/archive/01961/hack_1961123b.jpg