ActivIdentity Blog
Android Malware & Bipartisan Cyber Security Bill – Industry News Wrap-Up – ActivIdentity Blog
This week's industry news wrap-up will focus on the proliferation of Android malware, the hacker allegedly responsible for recent Pentagon and NASA breaches and conflicting views on a newly introduced bipartisan cyber security bill.
Android Malware Grew 3,000 Percent in 2011: Report According to a recently released Juniper report, Android malware grew 3,325 percent in the last seven months of 2011, accounting for about 46.7 percent of unique malware targeting mobile platforms. This research links the explosion of malware in the Android market to Android’s open marketplace, which allows developers to post their apps freely.
Romanian Police Arrest Alleged Hacker in Pentagon, NASA Breaches “TinKode,” a 20-year-old hacker was recently arrested by Romanian police after hacking into the computer systems at both NASA and the Pentagon and then publicly bragging about it. TinKode, whose real name is Razvan Manole Cernaianu, is not a first-time offender and has targeted large entities with complex network deployments and multiple interfaces on several prior occasions.
New Cyber Security Bill is Bipartisan, But Has its Critics A new bipartisan cyber security bill, Cybersecurity Act of 2012, was introduced this week in an effort to streamline data security processes and change the way companies share information about data threats. There are, however, concerns about how much personal data will be accessible by the government. Some fear that the way the law is currently written provides the government with access to data it otherwise would not have, even if the companies involved did not want to share that information. Others argue that cyber activity is one of the largest threats to our nation today – and that now is the time for government action.
Mobile Banking vs. Online Banking – Industry News Wrap-Up – ActivIdentity Blog
This week's industry news wrap-up will focus on the ongoing industry debate on which is more secure – mobile or online banking. We’ll also examine the threats that are changing the way organizations respond to cyber attacks, and the proliferation of DDoS tools available to potential cyber attackers today.
Mobile Banking Is More Secure Than Online Banking In a debate on mobile banking security, Pete Daffern, CEO of Clairmail, goes head-to-head with Julie McNelley, Aite Group, looking at the pros and cons. While Daffern votes in favor of mobile banking, opining that “people always know where their phones are,” McNelley argues the PC is more trustworthy, and as online banking has been around longer, the platforms tend to be more mature in their defenses.
New, Stealthy Threats Change Best Responses to Cyberattack Newly revised guidelines for responding to the emergence of advanced persistent threats have been released. According to the National Institute of Standards and Technology, today’s threats are stealthier than ever, gathering information over extended periods of time before leading to the exfiltration of highly sensitive data. Government Computer News’ Bill Jackson notes that, “Although risk assessments, monitoring and preventive activities can lower the number of security incidents, not all incidents can be prevented, and an incident response capability is necessary.”
DDoS Tools Flourish, Give Attackers Many Options DDoS, or distributed denial-of-service, attacks are increasingly prominent in news headlines. According to research analyst group Arbor Networks, there are now at least 55 different DDoS tools available to hacktivists, such as Anonymous. The motivations behind DDoS attacks vary from revenge to extortion, though many commercial DDoS services seem to be focused on taking down competitors.
Explaining OCSP through the DigiNotar Attack – ActivIdentity Blog

Author: Ben Erwin, Director of Support, Training, and Technical Publications, ActivIdentity
It is not every day that the Online Certificate Status Protocol (OCSP) makes headlines. However, this summer there has been a lot said in security circles about the DigiNotar compromise and how OCSP played a role. On various blogs there is a lot of good information being shared but also some misconceptions about the role of OCSP in the attack. This article talks about OCSP and uses the DigiNotar attack as a concrete example of what OCSP is and how it is used.
Certificate Authority (CA)
A Certificate Authority like DigiNotar is server software that issues digital certificates. In the case of DigiNotar, the certificates that made the news were SSL server certificates, which protect secure websites.
In the compromise, hackers were able to issue their own SSL certificates from the DigiNotar CA. Those certificates were used to capture sensitive data from unsuspecting users of sites such as Google’s gmail in Iran. Evidently one of the problems with the security processes at DigiNotar was the use of static passwords. To read more about why static passwords are a bad idea, and why two-factor authentication is a good idea, see http://www.actividentity.com/blog/same-old-static-password-story-is-getting-old.
Certificate Revocation List (CRL)
If a certificate is compromised in some way, the CA operator can add the serial number of the certificate to a “black list” of sorts called the Certificate Revocation List (CRL). New CRLs are published by the CA on a regular schedule chosen by the CA operators, such as once every 72 hours or once a week. One of the limitations of CRLs is that they can get rather large depending on the size of the certificate population, leading to latency and bandwidth issues. (There are concepts such as delta CRLs and partitioned/segmented CRLs, but with delta CRLs you still have to have a base CRL, with partitioned CRLs no single CRL can be considered the authoritative source of revocation, and with both delta and partitioned CRLs the relying party (client) and/or CA might not support them.)
In the DigiNotar attack, most of the rogue SSL certificates were discovered by CA operators right away and added to the CRL.
Online Certificate Status Protocol (OCSP)
The Online Certificate Status Protocol (OCSP) is a lightweight request/response protocol, carried over HTTP, for securely retrieving the revocation status of one or more certificates rather than downloading an entire CRL. The OCSP request says “Please give me the revocation status for certificate serial number: 12345” and the OCSP server response is generally “Good” or “Revoked”; the response is signed by the OCSP server so the client can trust it (I’m simplifying the syntax a bit).
An OCSP server will always answer “Revoked” for a certificate that is in the CRL (assuming the OCSP Server has downloaded the latest data)*, and by default it will generally answer “Good” for any serial number that is not in the CRL. If you are familiar with the details of the DigiNotar attack, this might set off your alarm bells. “Wait. What if someone creates a rogue certificate that I haven’t discovered yet? You mean to tell me that the OCSP server will say it is a good certificate?” Yes. Traditional OCSP servers assume that your CA knows what they are doing and have secured their systems. If someone creates a rogue certificate, it won’t be in the CRL until you detect it and manually put it in there, and until that time the OCSP server will say it is a good certificate.
After knowing about the compromise for over a month or so, DigiNotar set their OCSP server to return “revoked” for any “unknown” serial number. However, I am doubtful if any of the rogue certificates would have been considered “unknown” serial numbers to the OCSP server at DigiNotar. If your CA is also your OCSP server, then any certificate that is known to one is likely to be known to the other.
Another limitation of traditional OCSP is that it doesn’t scale very easily. OCSP Responses need to be signed, which means an expensive high-throughput Hardware Security Module (HSM), and there needs to be a database to hold the CRL data. The server itself needs to be secured as well.
Distributed OCSP (D-OCSP)
Distributed OCSP (D-OCSP) is an ActivIdentity/CoreStreet patented invention. With D-OCSP, the OCSP server pre-signs OCSP responses for only the serial numbers that are either in the CRL or are explicitly configured to be “Good” and puts them together in an OCSP Response List. OCSP middle-tier “Responders” consume these pre-signed lists and can then answer OCSP requests. Responders contain no key information and do no signing, so they can be deployed easily and cheaply. Generally they are spread around the globe geographically and products such as F5 BigIP are used to route the OCSP URL contained in your certificate, e.g. ocsp.mycompany.com, to the nearest Responder. D-OCSP thus resolves the scalability issue of traditional OCSP. One can configure the OCSP Server to only pre-generate “good” responses for specific certificates, thus creating a combined “white and black list” of sorts rather than just the “black list” of the CRL data.
Then, at the very least, if hackers get into your CA they would also have to know how to install the certificates that they created into your OCSP Server response list. So in a sense, Distributed OCSP also adds one extra layer which can help protect against the off chance of someone getting a hold of your CA and creating rogue certificates.
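As an added illustration (not code from this article or from any ActivIdentity/CoreStreet product), the following Python model contrasts the three answering policies described above: a traditional OCSP server with its default “Good” for anything not in the CRL, the same server configured to say “Revoked” for unknown serials, and a D-OCSP style Responder that serves only pre-signed white-list and black-list entries. HMAC, the serial numbers and the rogue-certificate scenario are constructed stand-ins for real signatures and real DigiNotar data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Set

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


def _mac(key: bytes, body: dict) -> str:
    # HMAC stands in for the RSA/ECDSA signature an HSM-backed OCSP server
    # produces; canonical JSON keeps the signed bytes deterministic.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def sign(key: bytes, body: dict) -> dict:
    return {**body, "sig": _mac(key, body)}


def verify(key: bytes, resp: dict) -> bool:
    body = {k: v for k, v in resp.items() if k != "sig"}
    return hmac.compare_digest(_mac(key, body), resp.get("sig", ""))


@dataclass
class CertificateAuthority:
    # Issues serials and keeps the CRL ('black list'). A compromised CA issues the
    # attacker's certificates through the same path, so they land in `issued` too.
    issued: Set[int] = field(default_factory=set)
    crl: Set[int] = field(default_factory=set)
    next_serial: int = 1000

    def issue(self) -> int:
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        self.issued.add(serial)
        return serial

    def revoke(self, serial: int) -> None:
        self.crl.add(serial)


class TraditionalOcspServer:
    # Signs every answer on demand (needs the key, hence the HSM). `unknown_status`
    # is the answer for a serial in neither the CRL nor the CA's issuance records:
    # 'good' by default, 'revoked' as DigiNotar later configured it.
    def __init__(self, key: bytes, ca: CertificateAuthority, unknown_status: str = GOOD):
        self.key, self.ca, self.unknown_status = key, ca, unknown_status

    def respond(self, serial: int) -> dict:
        if serial in self.ca.crl:
            status = REVOKED
        elif serial in self.ca.issued:
            status = GOOD  # the CA's own records say it issued this one
        else:
            status = self.unknown_status
        return sign(self.key, {"serial": serial, "status": status})


class ValidationAuthority:
    # D-OCSP signing tier: pre-signs one response per serial that is in the CRL or
    # explicitly whitelisted as good (the OCSP Response List); nothing else is signed.
    def __init__(self, key: bytes, ca: CertificateAuthority, whitelist: Set[int]):
        self.key, self.ca, self.whitelist = key, ca, whitelist

    def response_list(self) -> Dict[int, dict]:
        out = {s: sign(self.key, {"serial": s, "status": REVOKED}) for s in self.ca.crl}
        for s in self.whitelist - self.ca.crl:  # the CRL wins on conflict
            out[s] = sign(self.key, {"serial": s, "status": GOOD})
        return out


class Responder:
    # D-OCSP middle tier: holds only pre-signed responses and no key, so it can be
    # replicated cheaply. No entry means an unsigned 'unknown', never a 'good'.
    def __init__(self, response_list: Dict[int, dict]):
        self.responses = response_list

    def respond(self, serial: int) -> dict:
        return self.responses.get(serial, {"serial": serial, "status": UNKNOWN})


def status_of(resp: dict, key: bytes) -> str:
    # The relying party's conclusion: only a verified signed status counts.
    return resp["status"] if "sig" in resp and verify(key, resp) else UNKNOWN


def diginotar_scenario() -> Dict[str, Dict[str, str]]:
    # Constructed scenario (not real DigiNotar data): a legitimate cert, a revoked
    # cert, a rogue cert minted through the compromised CA, and an unrecorded serial.
    key, ca = b"constructed-demo-key", CertificateAuthority()
    legit, revoked = ca.issue(), ca.issue()
    ca.revoke(revoked)
    serials = {"legit": legit, "revoked": revoked,
               "rogue_via_ca": ca.issue(), "rogue_unrecorded": 999_999}
    va = ValidationAuthority(key, ca, whitelist={legit})  # operator-curated white list
    servers = {"traditional_default": TraditionalOcspServer(key, ca),
               "traditional_unknown_revoked": TraditionalOcspServer(key, ca, unknown_status=REVOKED),
               "d_ocsp_whitelist": Responder(va.response_list())}
    return {name: {n: status_of(srv.respond(s), key) for n, s in serials.items()}
            for name, srv in servers.items()}
```

Running diginotar_scenario() shows the point of the article: the "revoked for unknown" setting only catches the serial the CA never recorded, while the rogue certificate issued through the CA itself still gets "good"; only the white-list responder withholds a signed "good" from it.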
More about OCSP
OCSP is generally used by companies and organizations when there is a PKI with at least 1,000 certificates. Not all web browsers use OCSP by default, but many of them do. A lightweight version of the OCSP protocol is also supported by Microsoft in modern operating systems.
An example OCSP server is the ActivIdentity CoreStreet Validation Authority. A company that doesn’t wish to have their own OCSP server can purchase it as a managed service through an ActivIdentity partner.
*If one is worried about the lag time between creation of the CRL and the availability of the OCSP response, the ActivIdentity Smart Data Bridge product can be used to send a message from the CA to the Validation Authority immediately after every single certificate revocation event, and have OCSP available within minutes rather than hours or days.
Top 10 Security Threats of 2012 – Industry News Wrap-Up – ActivIdentity Blog
This week’s industry news wrap-up will focus on ten of the top security trends to watch this year, as well as the latest cyber attacks to make headlines.
10 Security Trends To Watch In 2012 From spear-phishing to botnets to mobile to social networking, 2012 is predicted to be anything but quiet on the security front. InformationWeek’s Mathew J. Schwartz has compiled ten security trends that companies should be on the lookout for – noting that many won’t be a matter of “if,” but “when.”
Cybercrime Gang Stole $5 Million in 72 Hours South Africa's National Intelligence Agency and police force have launched an investigation after a cybercrime gang recently stole more than $5 million from a government bank, during a 72-hour span. According to MSNBC.com’s Matt Liebowitz, after gaining access to the bank’s network “the cybercrooks increased the withdrawal limits for their new accounts and then, for 72 hours starting at 9:00 a.m. on Jan. 1, made massive withdrawals from ATMs across the country. By the time the holiday break was over, so was the robbery.”
Anonymous to Hack Sony on Monday SC Magazine’s Darren Pauli reported that hacktivist group Anonymous plans to “wage war” on Sony next week to punish the organization for supporting the highly controversial SOPA Act. He writes that hackers plan to load Sony.com’s homepage with BitTorrent files that allow users to download copyright-protected music and movies -- the very action SOPA is designed to prevent. Additionally, the group is expected to target Sony’s online music store – making song prices free.
Mobile Security & Identity Theft – Industry News Wrap Up - ActivIdentity Blog
This week’s industry news wrap-up will focus on consumers’ increasing awareness of mobile security vulnerabilities, a roundup of the largest breaches over the last six months and California’s plans to combat cybercrime and identity theft.
Mobile Security Needed A survey of more than 1,400 PCWorld and Macworld readers revealed some interesting mobile security trends and take-aways. As reported by Nick Mediati, the data indicates that mobile users are becoming increasingly aware of the vulnerability of their devices. He also reports that “more Android owners see the need for security software than iOS owners, but more iOS owners are willing to pay for it.”
California Unveils New Unit to Fight Cybercrime California Attorney General Kamala Harris announced on Tuesday the creation of a new state Justice Department unit to combat crimes that enlist technology. CNET’s Steven Musil reports that according to the Federal Trade Commission, California has the most identity theft complaints of any state. Furthermore, a department statement revealed that more than one million Californians fall victim to identity theft each year – in 2010 alone, there was $46 million reported lost.
Five Big Database Breaches of 2011’s Second Half Though the first half of the year saw this year’s highest profile security breaches – from Sony to RSA to Epsilon – the last six months have seen their fair share. Dark Reading’s Ericka Chickowski outlines some of the most notable recent breaches, along with security lessons learned.
2011 Cyber Attacks – Security Industry News Wrap-up – ActivIdentity Blog
This week's industry news wrap-up will outline some of the most notorious cyber attacks of 2011, examine the evolving role of the CISO, and delve into new research on the ever-growing "bring your own device" craze.
The Most Notorious Cybercrooks Of 2011 -- And How They Got Caught 2011 will likely go down in history as "the year of the hack." In this Dark Reading article, contributing editor Ericka Chickowski highlights eight of the most high profile cyber attacks of 2011. From LulzSec and Anonymous to Sony and Celebrity Hackerazzi, this end-of-year recap summarizes each headline-grabbing case, providing the “who,” “what” and “where” of each attack.
Changes Coming To The CISO Position Enterprise Strategy Group's Jon Oltsik outlines an interesting prediction for 2012 in this article – opining that major changes are coming to the enterprise CISO position in 2012. He writes, “As security threats and risk management becomes a boardroom-level concern, CISOs are being pulled in two opposing directions” and because of this, the CISO role will need some fine-tuning in the year ahead.
Top Business Trends for 2012 As 2011 draws to a close, Baseline's annual research study of midsize and large organizations reveals the 10 trends that will play a significant role in enterprises in the year ahead. According to Baseline's research, 28 percent of respondents plan to increase their investments in "bring your own device" systems in the year ahead – spelling new challenges for IT departments as they work to manage and secure the proliferation of iPads, iPhones and Android devices entering the workplace.
Best Practices for Online Banking Security - ActivIdentity Blog
Give them what they want!
Having had the pleasure to work with many banks around the world to help them design and implement security solutions for their online banking systems, my colleagues and I have picked up a few things about what to do to deliver secure yet user friendly solutions.
For starters, as long as it makes customers feel secure and enables them to access more (preferably all) banking services online, it’s OK to sacrifice a little when it comes to the user login experience. Here are a few suggestions on how to use today’s advanced security technologies to build an online banking system that offers strong security while maintaining high convenience and access to as many services as you want to make available:
- At the time of log in, let customers choose which authentication method to use based on what they intend to use the service for.
- Give customers the option to configure their own security levels.
- Let customers decide which type of device to connect from.
- Integrate the online banking system and its security with your other operations to give customers a consistent sense of your approach to security.
- Let customers use the same security credential as they use for online banking when they access other bank services.
- Give customers good support the way they want it, whether through an FAQ on the website, online chat, telephone, email, face to face or by letter.
And don’t forget transaction security!
One typical misconception in online banking is that security should be all about how to authenticate users to best protect access to the service. That’s not the way I have learnt to look at it. The real risk for online banking customers is that someone steals money from their accounts. It therefore makes a lot of sense to focus more on ways to secure the actual money transfers than just the access to the service. Many of the most successful online banks I have worked with have done just that and here are a few recommendations they gave:
- Make it as easy as possible. Only ask for transaction signing when money is transferred to accounts other than the customers’ own accounts and allow transactions to be batched.
- Use a secure but risk-appropriate technology to carry out the transaction signing. Smart cards, tokens, soft tokens and SMS text messages are all good ways to provide electronic transaction signing.
- Make sure that it is clear to the user what is being electronically signed. This reduces the risk of man-in-the-middle attacks, which is particularly important now given the recent attacks on trusted Certificate Authority providers and on the session security protocols (SSL/TLS) used by our web browsers.
- Store the transaction data including the customer’s electronic signature in a secure tamper-evident audit database for archiving purposes. It can be very useful to be able to prove that a money transfer was correctly carried out and approved many years after it happened.
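The four transaction-security recommendations above, worked through in an added Python example that is not from this post or from any ActivIdentity product: signing is only requested for third-party transfers, one code covers a batch, the code is bound to exactly the details shown to the customer (so a beneficiary swapped by a man-in-the-middle no longer verifies), and each signed batch is written to a hash-chained, tamper-evident audit log. The HMAC-based token scheme, account numbers and seed are constructed assumptions, not a specific vendor’s format.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int
    currency: str = "EUR"

    def canonical(self) -> bytes:
        # Exactly the fields the customer is shown before signing (what you see is what you sign).
        return json.dumps(asdict(self), sort_keys=True).encode()


def needs_signing(t: Transfer, own_accounts: Set[str]) -> bool:
    # Only transfers to accounts the customer does not own require a signature;
    # moves between the customer's own accounts stay frictionless.
    return t.to_account not in own_accounts


def batch_digest(transfers: List[Transfer]) -> bytes:
    # One signature covers a whole batch, yet every transfer's details stay bound
    # to it: change any field and the digest (hence the code) changes.
    h = hashlib.sha256()
    for t in transfers:
        h.update(t.canonical())
    return h.digest()


def token_sign(seed: bytes, digest: bytes) -> str:
    # What the customer's token does after showing the details on its own display:
    # an 8-digit code derived from the per-customer seed and the displayed data.
    # Constructed scheme (truncated HMAC-SHA256), a stand-in for vendor formats.
    mac = hmac.new(seed, digest, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(seed: bytes, received: List[Transfer], code: str) -> bool:
    # The bank recomputes the code over the transfers it actually received, so a
    # beneficiary swapped in the browser or in transit no longer matches.
    return hmac.compare_digest(token_sign(seed, batch_digest(received)), code)


class AuditLog:
    # Append-only, hash-chained record of each signed batch. Editing or dropping
    # an entry breaks its own hash and every later link.
    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _hash(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, transfers: List[Transfer], code: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"prev": prev, "batch": batch_digest(transfers).hex(), "code": code,
                "transfers": [asdict(t) for t in transfers]}
        entry = {**body, "entry_hash": self._hash(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or self._hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> Dict[str, object]:
    # Constructed data: a per-customer token seed, two own accounts, and a batch
    # holding one own-account move and one third-party payment.
    seed = b"constructed-token-seed"
    own = {"NL00BANK0001", "NL00BANK0002"}
    batch = [Transfer("NL00BANK0001", "NL00BANK0002", 50_00),
             Transfer("NL00BANK0001", "NL99SHOP4242", 120_00)]
    to_sign = [t for t in batch if needs_signing(t, own)]  # only the second one
    code = token_sign(seed, batch_digest(to_sign))         # customer reads it off the token
    # Man-in-the-browser swaps the beneficiary after the customer confirmed the details.
    tampered = [Transfer("NL00BANK0001", "NL66MULE1313", 120_00)]
    log = AuditLog()
    log.append(to_sign, code)
    return {"signed_count": len(to_sign),
            "honest_accepted": bank_verify(seed, to_sign, code),
            "tampered_accepted": bank_verify(seed, tampered, code),
            "audit_ok": log.verify()}
```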
Every bank obviously has its own advantages, challenges and security needs. Your security solution, including authentication and money transfer approval mechanisms, therefore needs to be specifically defined to meet those needs. At ActivIdentity Professional Services we specialize in advising customers in these kinds of matters, and we have managed to gather quite a lot of experience during the 14 years we have been active in the field.
If you want more detail around the recommendations made in this blog, please read the full Online Banking Best Practice story.
Mobile & Tablet Device Security – Industry Wrap-Up – ActivIdentity Blog
In light of this week’s partnership announcement with Good Technology, our industry news wrap-up will include some industry articles focused on mobile and tablet device security – for both the enterprise and consumers. Here are this week’s stories of interest:
Mobile devices, virtualization seen as biggest security challenges: Ponemon survey A recent study conducted by Ponemon Institute revealed that the increased use of mobile devices has significantly increased enterprise security concerns. For the IT department, mobile devices are considered to be one of the main sources of potential IT security breaches. Compared to last year’s survey, in which nine percent of respondents cited mobile devices as major risks to the enterprise, the number has increased exponentially to 48 percent in 2011.
Kenneth Van Wyk: the Security Implications of Being Stuck with an Old Android OS There have been several recent reports that indicate vendors of Android smartphones can be slow to distribute the latest system updates to users. This, in turn, poses potential security risks to consumers. Author Kenneth van Wyk stresses the importance of understanding both the short- and long-term effects this can have on security.
Kindle Fire Hits the Office: 5 Security Concerns As tablets – especially the new, red-hot Kindle Fire – gain increasing popularity, enterprise IT departments face a new wave of security concerns. Author Mathew Schwartz outlines the top five security and privacy challenges enterprises must consider as tablets become the latest “bring your own device” craze for employees.
Cybercriminal Activity – Security Industry News Wrap-up – ActivIdentity Blog
This week’s industry news wrap-up will focus on headline-grabbing cybercriminal activity, as well as the critical industry need for enhanced, holistic enterprise security strategies. Here are the stories that caught our attention:
Feds: Cyber Criminals Hijacked 4 Million Computers This week, the U.S. Department of Justice indicted seven “cyber thieves” for the alleged hijacking of more than four million computers – 500,000 in the U.S. alone. Resulting in massive financial loss – more than $14 million over a four-year period – the Department of Justice has named this the biggest botnet takedown in history. After a two-year investigation, the accused hackers – known as the Rove Group – have been arrested on cybercrime charges, reports ABC News.
Enterprises Need Better Security Strategies Now Ernst & Young’s latest annual Global Information Security Survey was published this week. Results were compiled from 1,700 survey respondents in more than 25 sectors worldwide. Report findings – which focus on security concerns in cloud computing, mobile devices and social media – reveal the increasing challenges global organizations face in combating new and complex security threats. As noted in this eSecurity Planet article, “security threats are too pervasive, persistent and costly to think about IT security after the fact.”
Security technology or staffing gap: Which is the greater enterprise challenge? New, sobering data from Applied Research indicates that enterprises are struggling to manage DNS (Domain Name System) attacks, network layer Denial-of-Service (DoS) attacks and attacks on encrypted data. Based on a survey of 1,000 large organizations in 10 countries, the average cost of dealing with these attacks is about $682,000. Additionally, InfoWorld reports that “more than half of enterprises surveyed cited loss of productivity, 43 percent said they lost data, and 31 percent said they lost revenue as a result of these attacks.”
Network Security – Industry News Wrap-up – ActivIdentity Blog
This week’s industry news wrap-up will focus on network security, the effect of APTs on enterprise and an FBI bust of a banking fraud crime ring. Here are the stories that caught our attention:
Network Security: Is it the Technology or the Management? What good are tools, in any sense of the word, if you don't know how to use them? In this case, the tools are responsible for ensuring security in enterprise networks. It should be noted, however, that technology is only half of the equation. As Jeff Hudson notes, "The technology has to be complemented with proper employee training, rigorous adherence to best practices, internal policies and effective IT security management." Network security is about balancing technology with human interaction – otherwise the enterprise will still be at risk.
Advanced Threats Touch Two-Thirds Of Enterprises According to a report released by Enterprise Strategy Group (ESG), referenced by InformationWeek’s Mathew J. Schwartz, "nearly two-thirds of information security managers report that their businesses have been targeted by advanced persistent threats (APTs), and 72% expect to see such attacks persist in the future." According to the article, combating APTs requires more than just automated technology – the study notes that senior executives at the most effective organizations take a more proactive approach to security by maintaining and enforcing security policies across the board. The ESG research report can be accessed here.
British Police Jail 13 in $4.6 Million Cyber-Fraud Scheme As a result of unleashing Trojan applications aimed at infecting PCs and capturing sensitive information, a banking fraud gang was able to gain access to hundreds of bank accounts and transfer money into accounts controlled by the hackers. So far, a total of $4.6 million was reported stolen between September 2009 and March 2010. Thirteen people allegedly involved in the attacks have been arrested.
SSL Security, Hacking – Industry News Wrap-up – ActivIdentity Blog
This week’s industry news wrap-up will focus on SSL security scrutiny, abuse of ecommerce sites and hacking gone awry. Here are the stories that caught our attention:
SSL Servers No Match For Laptop-Based Hack SSL security has been under scrutiny lately due to the recent surge in enterprise security breaches and the increasing number of improperly configured websites, which leave SSL incredibly vulnerable to man-in-the-middle attacks. A hacker group known as The Hackers Choice (THC) this week released a tool that abuses the SSL renegotiation feature and, according to Dark Reading’s Kelly Jackson Higgins, has the potential to take down an HTTPS Web server in a denial-of-service attack using a single laptop via a DSL connection.
Fraudsters Find Creative Ways to Abuse E-Commerce Sites It seems that where there’s a website, there’s a way – to hack it, that is. Regardless of whether or not companies are up-to-date with software patches, fraudsters are honing their skills and taking alternate, creative routes to exploit marketing campaigns and/or incentive programs. Author Jeremy Kirk points to a real-world situation in which there were no reported bugs in the abused system – the criminal was using the site as intended, albeit abnormally, to obtain large sums of money.
Stupid hacker tricks: Exploits gone bad “If the Internet is the new Wild West, then hackers are the wanted outlaws of our time. Like the gun-slinging bad boys before them, all it takes is one wrong move to land them in jail,” writes author JP Raphael. From hacking FBI-sponsored websites to DDoS attacks to PayPal, this article examines five hacks gone terribly wrong. These outrageous hacker slip-ups have landed the culprits in InfoWorld’s Stupid Hacker Tricks Hall of Shame.
Card Trapping, Security Hacks - Industry News Wrap-up – ActivIdentity Blog
This week's industry news wrap-up will focus on 'card-trapping,' hackers and IT pros sharing personal information online and the risks of online shopping and banking due to increasing assault on previously secure technology. Here are the stories that caught our attention:
Criminals turn to 'card-trapping' at ATM machines to get cash No longer satisfied with skimming attacks, criminals are turning to "cash-trapping" activities. This method of fraud involves physically trapping debit/credit cards in ATMs by installing a device that uses tape, wire or thread to prevent the card from being removed – "criminals can then retrieve the cards using tweezers." In addition to the card, the PIN must be obtained, either through observation or by utilizing an overlay device on the keypad that records PINs. Although this type of attack is less successful than skimming, it was quite prominent in 11 European countries during the first half of this year. The European ATM Security Team (EAST) reported a total of 11,220 ATM fraud incidents through the end of June – roughly 6,756 were related to cash-trapping.
Security Study: Hackers, IT Pros Share Personal Information Online An anti-virus software company recently published results from a study on IT pros', including hackers, willingness to share personal information in online settings. The study found that "people with technical backgrounds are very inclined to disclose sensitive information like addresses and passwords to strangers they meet online, even though they should know better."
Online shopping, banking at risk from increased hacking SSL technology is crucial to ensuring secure transactions of online shopping and online banking, but due to a vast number of recent attacks, the level of security provided by SSL certificates has come into question. Web browsers using outdated and fraudulent certificates are prime targets for criminal hackers. Not only are consumers being put at risk, but a $680 billion-a-year global ecommerce market is being threatened as well.
Security Industry News Wrap-up – ID Theft – ActivIdentity Blog
In this week’s industry news wrap-up, we’ll take a look at the recent attack on a prominent company, arrests made in an ID theft bust and how cellphones may compromise network security. Here are the stories that caught our attention:
Sony Falls Under Attack Again As Hackers Crack 93,000 User IDs It was only a few months ago that Sony was affected by a series of attacks, leaving millions of users’ data vulnerable to data theft. Our own Chris Harget, senior product marketing manager, was quoted in Tim Wilson’s article, saying “Some users simplify managing multiple online identities by using common credentials across multiple accounts … The result is that if their gmail or hotmail or Facebook account is compromised, then their eTrade or Citibank or corporate network credentials could be compromised.” He goes on to argue that two-factor authentication could help mitigate this problem.
111 arrested in massive ID theft bust Last Friday, 111 bank tellers, retail workers, waiters and alleged criminals were arrested for what is being called the biggest identity theft bust in U.S. history. The two-year law enforcement operation – “Operation Swiper” – targeted five groups of criminals that were responsible for stealing more than $13 million in less than a year and a half. Among the companies credited with helping the investigation are Apple, Best Buy, Nordstrom, Macy’s and a handful of financial institutions.
Cellphones Will Become a Way to Attack Otherwise Protected Devices As companies move toward a culture that embraces its employees’ decision to bring their own devices to work, security experts argue that mobile phones will become “an increasing menace to network security.” Similar to malware infecting laptops through thumb drives, phones that are compromised run the risk of infecting machines when docked to sync or plugged into USB ports to charge. Additionally, it is reported that touch screens have the potential to make users more susceptible to clicking links that lead to malicious sites and subsequently “drive-by” malware downloads.
Online Banking Trojan - Industry News Wrap-up - ActivIdentity Blog
In this week's industry news wrap-up, we'll take a look at attacks on encrypted data, an interview with the BITS and a new online banking Trojan. Here are the stories that caught our attention:
Hackers Crack Internet Encryption: Should You Be Worried? As Philip Hoyer referenced in a recent blog post, transactions using Transport Layer Security (TLS) 1.0 are no longer safe. TLS 1.0, the Web standard data encryption, is used as part of HTTPS encryption but is vulnerable to attack, as demonstrated by the BEAST exploit. Alex Wawro warns Web surfers to be wary of the information they choose to share online, change passwords often and never click on links or open emails from unknown or untrusted sources.
'Well organized, sophisticated, fast' cybercriminals scare US banks The U.S. financial industry's IT policy arm, known as BITS, has a new leader who is an expert in email security and authentication. With the increasing amount of new technologies, including social networking, mobile and cloud computing, Paul Smocer is taking the lead on developing new strategies to protect financial service firms and consumers from various types of attacks. In this interview, Smocer is quoted as saying "If you're focused on the ultimate protection of both your organization and your customers, that gives you the focus to continually try to strengthen the environment."
SpyEye Trojan Targets Online Banking Security Systems Online banking security is under attack by a new variant of the well-known SpyEye Trojan. The attack lets the criminal change the victim's mobile phone number within the online bank account, so that the SMS one-time codes the bank sends to authorize transactions are rerouted to the criminal's phone. Researchers claim that the only way to defeat this type of attack is endpoint security that blocks man-in-the-browser (MITB) injection techniques.
Security Industry News Wrap-Up - Pentagon Cyber Security - ActivIdentity Blog
In this week's industry news wrap-up, we’ll take a look at the Pentagon’s defense tactics against cyberattacks, mobile security issues and outdated browser attacks. Here are the stories that caught our eyes:
Pentagon to Help Defend Cyber Networks With the rising number of cyberattacks, the Pentagon has created a pilot program to protect its prime suppliers, representing a key breakthrough in the Obama administration's push to secure critical networks. The trial program, which was launched in May, involves at least 20 defense firms and will continue to expand through mid-November.
5 Mobile Security Issues To Watch According to a report released in March by IDC, 41 percent of workers used personal technology to access business applications in 2011, compared to 31 percent in 2010. Armed with that knowledge, it has become increasingly important for enterprises to secure their data and ensure privacy on dual-use devices, that is, devices used in both corporate and personal settings. A former Forrester Research analyst says that one piece of the answer to the consumerization of IT is to "look beyond the device used to interact with data and focus on the data itself."
Outdated Browsers Leave Many Enterprises Vulnerable To Attack The Online Trust Alliance (OTA) has created an initiative, "Why Your Browser Matters", aimed at warning users who surf the Web with outdated browsers; it is expected to start within the next month. The chief scientist of a software security firm says that it is impossible to write a fully secure browser, but that moving beyond patching is crucial, regardless of how companies add defenses. Ten percent of Web visitors still use IE 6, despite its being an easy target for attackers; businesses are advised to stop using IE 6 and IE 7 "because the browser is the first line of defense."
Security Hacks – Industry News Wrap-up – ActivIdentity Blog
Why hackers don't need to be smart Roger A. Grimes refutes the claim that malicious hacking has become more sophisticated than ever, pointing out that the same tools as always are being used to exploit companies' websites. Grimes argues that businesses and end-users simply aren't taking the necessary steps to protect themselves, which leaves them open to application exploits and SQL injection, two of the most common methods of compromise.
Firm sends bots into chats to solicit stolen data What happens once your data is stolen? Online banking credentials, Social Security numbers and the like sometimes end up in underground networks – chat rooms and invitation-only forums – to be bought and sold. Bloomberg’s Michael Riley reports on “robot informants,” or “chat bots,” based on artificial-intelligence software designed to pose as hackers during these potential transactions and solicit stolen data.
Microsoft fixes SSL 'kill switch' blooper Recent security breaches have prompted multiple organizations to remove compromised root certificates from their trust stores in order to protect themselves from future attacks. "SSL certificates are used by websites and browsers to identify a site as legitimate", and once the integrity of the certificates vouching for a site has been compromised, "man-in-the-middle" attacks become likely. Our own Philip Hoyer recently wrote a blog post in which he argues that the SSL/TLS v1.0 protocol is dead, and that the only way to protect transactions until the infrastructure is updated is to use OTP and PKI technologies.
Transaction Confidentiality Based on SSL is Dead! - ActivIdentity Blog

If SSL and the Internet security foundation is crumbling, hold on, we are in for a bumpy ride! If the alleged hack on SSL (specifically TLS 1.0) presented by Thai Duong and Juliano Rizzo at the Ekoparty security conference is true, then we have to mark today as a black day for the Internet.
What could possibly happen is the equivalent of most men wearing kilts and most women skirts and realizing that all staircases leading to the important places you need to go to are made of glass. Or maybe to put it another way is that x-ray vision glasses are suddenly available to anyone from Oakley.
This scenario has a profound impact, and that is before starting to worry about the impact on privacy and exposing our private bits. What is fundamentally profound here is that an attacker on the network path can now recover your session cookie or password and steal your browser session. The technology that was supposed to protect those secrets from spying eyes is broken: a hacker with the x-ray vision of the BEAST tool can decrypt them out of TLS 1.0 traffic protected by CBC-mode cipher suites.
To spell it out: transaction confidentiality based on the SSL/TLS v1.0 protocol (still the most widely used version today) is dead!
So what do we have left to protect our transactions now?
To start with, authentication should use an ever-changing, one-time password, so that even if the attacker sees your password it is useless for the next authentication. This can be achieved by many techniques, using OTP technology or PKI with a challenge-response.
But this won't help to the level that is needed, since the attacker can still read and hijack your session after you have authenticated.
So the only true defense against fraudulent transactions is to sign the transaction, or the critical part of the transaction data, so that the attacker cannot inject bogus material.
This means using a token with a PIN pad (software on a phone or a dedicated hardware token) into which the user enters the transaction details, or signing the transaction with a PKI certificate. Either produces a cryptographic signature that is intrinsically linked to the transaction data (for example the amount and target account number of a bank transfer), is independent of the transport security, and cannot be forged by the spying attacker.
This is the only way to stay secure until the infrastructure has been upgraded from TLS V1.0.
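The transaction-signing defense described above, as an added example that is not part of the original post and not ActivIdentity's own code: a PIN-pad style token and the bank share a key (the hypothetical TOKEN_KEY below), the bank issues a one-time challenge for each transfer, and the token's response is an HMAC over that challenge together with the canonical amount, currency and destination. A PKI certificate plays the same role with a private-key signature in place of the MAC; the standardized form of the symmetric variant is OCRA (RFC 6287). The key, account numbers and amounts are constructed for the example. The same property answers the SpyEye rerouting case in the news wrap-up above: a response bound to the transaction data is useless to a man-in-the-browser who rewrites the transfer.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example key shared between the PIN-pad token and the bank. With a
# PKI certificate the token would instead hold a private key and the bank the
# matching public key; the binding to the transaction data is the same.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def canonical(tx: dict) -> bytes:
    """Fixed field order and encoding, so signer and verifier MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, tx: dict, challenge: str) -> str:
    """Token side: the user keys amount and destination into the PIN pad, the token
    MACs them together with the bank's one-time challenge and displays a response."""
    msg = challenge.encode() + b"|" + canonical(tx)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]  # 64-bit response


class Bank:
    """Verifier that issues per-transaction challenges and executes a transfer only
    if the response matches the transaction data it actually received."""

    def __init__(self, key: bytes):
        self.key = key
        self.open_challenges = set()   # issued but not yet consumed
        self.executed = []

    def challenge(self) -> str:
        c = secrets.token_hex(8)
        self.open_challenges.add(c)
        return c

    def submit(self, tx: dict, challenge: str, response: str) -> bool:
        if challenge not in self.open_challenges:   # unknown or already used: replay
            return False
        self.open_challenges.discard(challenge)      # single use, whatever the outcome
        expected = sign_transaction(self.key, tx, challenge)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.executed.append(tx)
        return ok


def scenario():
    """Returns (honest, tampered, replayed) outcomes against an attacker who can
    read and rewrite everything on the wire, as the BEAST threat model assumes."""
    bank = Bank(TOKEN_KEY)
    tx = {"amount": "100.00", "currency": "EUR", "to": "DE89370400440532013000"}

    # Honest transfer: response computed over the data the user intended.
    c1 = bank.challenge()
    r1 = sign_transaction(TOKEN_KEY, tx, c1)
    honest = bank.submit(tx, c1, r1)

    # Man-in-the-browser: the user signs the transfer they keyed in, but the
    # attacker rewrites amount and payee before it reaches the bank. The only
    # response the attacker has is the one for the original data.
    c2 = bank.challenge()
    r2 = sign_transaction(TOKEN_KEY, tx, c2)
    evil = dict(tx, amount="9000.00", to="GB29NWBK60161331926819")
    tampered = bank.submit(evil, c2, r2)

    # Replaying the honest, unmodified exchange later also fails: the challenge
    # was consumed, so seeing the traffic in the clear buys nothing.
    replayed = bank.submit(tx, c1, r1)
    return honest, tampered, replayed
```

The property that carries the weight here is that the signed bytes come from what the user keyed into the out-of-band device, not from the compromised browser; a token that silently signs whatever the web page hands it gives an MITB attacker the chance to swap the payee before signing. Transport security is orthogonal: the verification above succeeds or fails identically over a broken TLS 1.0 connection.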
Security Industry News Wrap-Up - ActivIdentity Blog
At ActivIdentity, we like to stay up to date with what’s going on in the security industry. So, beginning today, we’ll be posting a weekly wrap-up of news articles that catch our attention during the work week. In this first installment, we’ll look at a few items addressing security breaches, data legislation and hackers.
The cost of bad security is higher than you think
Roger A. Grimes assesses the current state of enterprise security, pointing to an outdated cost-benefit approach as a main factor in recent security breaches. He suggests that senior management and IT security departments work together to evaluate what needs to be improved or fixed and focus on "getting back to basics."
Federal authorities take on Anonymous hackers
This year alone, the FBI completed more than 75 raids and arrested 16 people connected to the illegal hacking incidents carried out by Anonymous. One member claims that Anonymous as a whole is not a threat to national security but that certain individuals may be identified as being dangerous. Anonymous has been allegedly responsible for a variety of hacks this year including prominent technology companies’ websites and social media sites.
Senator to businesses: Protect data or pay
Connecticut Senator Richard Blumenthal introduced new legislation with the intent to protect individuals' personally identifiable information from data theft and penalize firms that don't take the proper steps to secure their customers' information. Security industry analysts, however, are skeptical of the success of the proposed goals in this new federal data protection legislation.
In a similar article on InformationWeek, the CSO of a security company wrote, "The problem is not securing a copy of the data; it's securing data against copying."
Smart Card Technology -- increase productivity without decreasing the bottom line - ActivIdentity Blog
For most organizations, increasing productivity is so critical to success that it has spawned endless presentations and other initiatives. We all know that many of those PowerPoint decks will collect virtual dust, but some will serve as roadmaps that accelerate successful careers.
Although many theories abound, improving productivity generally requires organizations to do more without adding personnel or investing in additional technology. Virtualization is a nice example of the latter. Companies are able to increase utilization of physical servers by using them concurrently for multiple business applications.
Investing in security is another area that offers the promise of increased productivity, particularly solutions that leverage investments in physical access, such as ID badges, in order to provide strong authentication for network, application and computer access.
Without relinquishing IT control, deploying such solutions offers users greater convenience, as employees only need to carry a single security device, and streamlines the processes for issuing, updating and revoking that credential. Because those processes can be controlled and audited, the solution also offers stronger security.
Deployment generally involves two phases. The first phase is to consider how employees can use their existing building access smart cards to access computer systems. For example, instead of logging onto Windows with a static password, the user presents the smart card to a reader that is connected to (or embedded in) a laptop and enters a PIN. In that scenario, one-factor authentication (something you know, such as a password) is replaced with two-factor authentication: something you know (the PIN) and something you have (the smart card). The method can also be used for some remote access use cases, such as Citrix.
The second phase requires upgrading building access smart cards to incorporate a smart card chip (the Crescendo logical access card products from HID Global offer some excellent examples). The smart card chip doesn't change the way the card functions for physical access, but it greatly expands its capabilities as an IT security credential. The holder can now use the smart card to log on to operating systems, applications and VPNs, to encrypt files and emails, and to sign documents and transactions.
Buying security technology is often compared with buying insurance. Who could argue with a proposition that keeps your premiums the same, but gives you greater coverage?
Same Old Static Password Story is Getting Old - ActivIdentity Blog

We all hear that they are insecure, but we continue to use them nonetheless: the good old password, or static credential (as opposed to a dynamic, changing credential such as a one-time password or full PKI authentication).
We have spoken before about the vulnerability of passwords. At that time we speculated, and tried to convince people that they were insecure; since then the world has changed significantly in the following ways:
- The highly publicized attack by the Anonymous group on HBGary. What is interesting in Ars Technica's analysis of the attack is that, although it combined several techniques (SQL injection, rainbow tables, social engineering, and so on), the root cause was the same old problem: simple passwords (each was just six lower-case letters and two numbers) reused across systems, so that the same passwords that protected email, Twitter accounts and LinkedIn also protected the administration of Google Apps email.
- Through the increased exploitation of websites that protect their user accounts with passwords, and the publication of those passwords by groups such as Anonymous and LulzSec, it is finally possible to analyze scientifically how inept we are at using passwords effectively, especially at using different passwords for different sites. One such analysis, by Joseph Bonneau, of the rootkit.com (HBGary) and Gawker password leaks showed that nearly 30% of users whose email address appeared in both dumps used the same password on both sites.
- The continuous exploitation and the sheer number of leaked passwords mean that quantitative analysis of the passwords in use gives an attacker a progressively more educated 'guess' at the password of a random account.
This really means that now, more than ever, one should move away from passwords and static credentials and embrace APT-resistant OTP tokens (see my blog entry 'Not all OTP tokens are the same') or adopt PKI-based authentication, now that it can be implemented in an easily deployable appliance.
New Surveys Show Smart Cards Trending Up – ActivIdentity Blog

It's not every day you see your predictions come true. We've known for a while that the threat environment was worsening. So far in 2011 Sony, Sega, RSA, Epsilon, HBGary and WordPress together have had between 178 million and 218 million user accounts, email addresses, token seed files or "records" stolen. The scale of the breaches, and the hunger for publicity of some of the hackers, have heightened awareness, to say the least. Still, there have been hacking sprees and malware storms in the past that did not lead to a visible proactive response from the IT community. Even when predictions make sense they don't always come true.
Today, however, a previously predicted increase in smart card adoption seems both to make sense and to be true. The data comes from a just-released research report by Aberdeen Group analyst Derek Brink, titled "The Case For Smart Cards."
- The report evaluates data from several longitudinal surveys and previous reports, with some interesting findings: between the December 2010 and May 2011 surveys there was a 1.5-2x increase in the number of organizations that planned to use smart cards in the next 12 months or were evaluating smart cards.
- The same surveys showed a 2.5-3x decrease in the number of organizations that planned to use OTP or were evaluating OTP.
- RSA's breach is offered as a partial explanation for these trends.
- Referenced reports indicate that traditional perimeter defense is full of holes, traditional passwords are insecure, and privileged accounts are often unmanaged (allowing privilege escalation).
- The maturation of the smart card ecosystem and the CMS appliance option are called out several times as favorable to new smart card adoption.
- The report is very positive on the multi-purpose (multi-layered strong authentication) nature of smart cards.
While it is heartening to see a positive response to negative events, there are still worries about where we go from here. It is likely the highly publicized hacks we’ve seen this year are just the tip of the iceberg. Some of the most dangerous hacker types—organized criminals, unscrupulous competitors and state actors—will take great pains to conceal their successful data thefts, rather than advertise them. How do we get IT groups to respond to those?
Demystify PKI - ActivIdentity Blog

In the early days of the Internet, Public Key Infrastructure (PKI) was touted as the most secure way to authenticate users, devices and documents. Excitement built, IT decision makers began to investigate, and many articles were written. Then, quite suddenly, there was a large media backlash against PKI. It was a sledgehammer used to kill a fly. It was arbitrarily complex and required labor-intensive key ceremonies with other organizations to deliver some features, such as encrypted or digitally signed email. It was overly complex for mere mortal IT professionals, and surely there were simpler methods of authentication, such as OTP, that enterprises could use. PKI became almost an IT bogeyman.
Then a funny thing happened. Two, actually. First, PKI was adopted by governments, and powerful credential management software (CMS) was created to automate much of the credential issuance, update and revocation process. Ecosystem vendors such as Microsoft, Juniper and Cisco built PKI support into their offerings. CMS software eventually made its way into appliances that could provide a much simpler "sweet spot" PKI solution for "closed-loop" PKI (issuer and authenticator are part of the same organization, greatly reducing the number of parts in the system). Second, attacks began to target aspects of the most common OTP implementation (the seed-file breach and the subsequent Lockheed Martin attack), causing enterprises to wonder what better authentication methods are out there.
Today, PKI is getting a second look. Many people still have a knee-jerk suspicion that PKI was designed to make them feel stupid, but modern closed-loop PKI managed by an appliance does just the opposite. New CMS appliances make it so that IT doesn't even have to understand PKI to deploy a military-grade smart card solution.
In retrospect, as an Internet meme, PKI suffered from hype before the tools were in place to manage it, and from security experts getting over-excited and describing the ultimate PKI solution possible, even though few enterprise users needed the more esoteric, complex and labor-intensive features. When PKI vendors got carried away educating users about every possible use case, they turned potential users off the most high-value, low-cost use cases. If I were to tell you I could give you a device that you just plugged into your PC, that worked like an ATM card and gave you secure access to PCs, networks, cloud applications and VPNs, you would probably think, "Hey, that sounds easier for users than clunky OTP tokens; how do I get that?" This is not your father's PKI.
Smart Cards - Next Level Enterprise Security - ActivIdentity Blog

If you don't feel that an OTP token solution is enough to cover your enterprise security needs, the next step is to complement it (or maybe even replace it) with a smart card solution. Smart cards don't require seed files, thereby removing one point of attack. If implemented correctly in your IT environment, they remove the need for static passwords, thereby removing the Achilles' heel that leaves many organizations vulnerable to an APT attack.
Given a detailed use-case study and appropriate workflow implementation, smart cards can even make users' interaction with IT systems more convenient. And if you add single sign-on capabilities and self-help systems you can also improve productivity and overall security awareness, not to mention cutting help desk costs.
But before adding all these security features on top of your IT environment, it is important to recognize that if you want your security systems to function and truly deliver value, they have to be considered in their combined entirety, and even integrated where that is possible. Using different security credentials, albeit secure ones, for each system will only confuse users and hardly contributes to increased security. A strategic decision needs to be made to choose one (or maybe two) security credentials that will be used across all systems. For instance, smart cards can be used to access computers, networks, applications, VPNs and even doors. If that's not enough, OTP tokens can complement the solution by providing secure access to web-based email from Internet kiosks and other devices where smart card usage might not be possible.
With a proven implementation methodology and a well-defined integration approach, delivered by people with solid experience, it is possible to make all this happen without significant impact on applications, users or productivity.
The ActivIdentity Professional Services team is fortunate to work daily on implementing these kinds of solutions at enterprises around the world, and we would love to help your company too. Contact ps@actividentity.com for more information.
Not all OTP tokens are the same - ActivIdentity Blog
OTP tokens are in the news these days. One particular implementation of the technology has been so successful that its product name is almost synonymous with an OTP token, similar to what happened with video games in '90s America ('Nintendo') and with mobile phones in India, commonly called 'Nokia'.
In March 2011 an industry leader announced that an APT attack had extracted information about its tokens from its servers. Then in May 2011 the network at Lockheed Martin experienced a 'major disruption' which was attributed in part to an attack leveraging that stolen information.
These attacks have inevitably raised the question amongst network security professionals of whether OTP tokens are fundamentally flawed, or whether the technology just needs tweaking a bit. To answer that question it's helpful to get a better understanding of how they work. One aspect, which my colleague Julian Lovelock has already blogged on, is key management (see Jun 9, 2011: Are OTP tokens secure? It's a good question, but not a great one).
Another is the token algorithm itself.
It turns out there are different flavors of token algorithm, and they differ in the way they display the ever changing number. These variations influence both the way we use them and their security.
OTP algorithms are normally based on a static key (per device) and, to make the numbers (OTPs) change, use variables called 'moving factors', most often time, an event counter, or both:
Some tokens use a time-based algorithm. The issue with time as a moving factor is obviously that it is a common variable across all devices: everyone in the world knows what the current time is. This means that if you can get hold of a token's key, and you know the algorithm (the 'secret sauce') and the current time, voilà, you can generate the changing number.
Other tokens use a counter or event (the number of times the user has pressed the button to display an OTP) as the moving factor. Every token then carries a different variable, so it is really difficult for an attacker to predict what that number is for a particular token. The issue with a simple counter-based OTP algorithm is that an OTP does not expire with time: a code remains valid until the server sees a later one from the same token, so it is susceptible to phishing (an alluring email tricking you into entering your OTP, which the attacker can then use at leisure).
Which brings us to the category of OTP algorithms that use both time and counter and hence combine the best properties of both. These codes are harder to phish, because they expire, and harder to predict, because each token in real life has a different counter, which makes a seed compromise much less effective.
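The three moving-factor flavours above, as an added example that is not code from the original post or from any token vendor: hotp() and totp() follow RFC 4226 and RFC 6238 exactly (the secret and the checks use the RFCs' published test vectors), combined_otp() is an illustrative time-plus-counter construction built for this example and is not any product's algorithm, and the two verifiers show the server side. The replay and counter-recovery functions at the end make the phishing and seed-compromise points concrete; the "phished" codes are constructed, not captured.

```python
import hashlib
import hmac
import struct

# Secret from RFC 4226's test vectors (ASCII "12345678901234567890"); using it lets
# the truncation arithmetic be checked against the RFC's published codes.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, moving_factor: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian moving factor, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the moving factor is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def combined_otp(secret: bytes, unix_time: int, counter: int, step: int = 30) -> str:
    """Illustrative time+event construction (not any vendor's algorithm): the time step and
    the per-token press counter are packed into one 64-bit moving factor, so the code both
    expires with the step and depends on state that cannot be read off a clock."""
    return hotp(secret, ((unix_time // step) << 32) | (counter & 0xFFFFFFFF))


class EventVerifier:
    """Server side for an event-based token. A code is accepted only if it matches one of
    the `window` counters *after* the last counter already consumed, so each code is usable
    once; but nothing about it expires with time."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.last_counter = secret, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def time_verify(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server side for a time-based token: the current step plus or minus `skew` steps."""
    t = now // step
    return any(hmac.compare_digest(hotp(secret, t + d), code) for d in range(-skew, skew + 1))


def event_code_replayable(user_pressed_again: bool) -> bool:
    """A code phished from an event-based token is replayable at any later time; only the
    legitimate user generating and using a later code moves the server past it."""
    server = EventVerifier(RFC4226_SECRET)
    phished = hotp(RFC4226_SECRET, 3)              # 4th button press, typed into a phishing page
    if user_pressed_again:
        server.verify(hotp(RFC4226_SECRET, 4))     # victim later logs in normally
    return server.verify(phished)


def time_code_replayable_after(delay_seconds: int) -> bool:
    """A code phished from a time-based token is dead once its step (plus skew) has passed."""
    t0 = 59                                        # RFC 6238's first test time
    phished = totp(RFC4226_SECRET, t0)
    return time_verify(RFC4226_SECRET, phished, t0 + delay_seconds)


def recover_counter(secret: bytes, observed_code: str, max_counter: int = 100_000):
    """What a stolen seed buys against an event-based token: the attacker still lacks the
    counter, but a single observed code lets a brute-force search pin it down (a 6-digit
    code matches only about one counter in a million)."""
    for c in range(max_counter):
        if hotp(secret, c) == observed_code:
            return c
    return None
```

Two things worth taking from it: a phished event-based code stays valid for as long as the victim does not press the button again, so the server's counter tracking, not the clock, is the only thing that kills it; and a stolen seed against an event-based token still needs the counter, but one observed code recovers it with a trivial search, so the counter is a speed bump for a seed thief rather than a second secret. Combining time and counter, as recommended above, gives both the short validity window and the per-token state.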
So there you have it! There are different OTP tokens out there, and by understanding the differences you can make an informed choice: if you are going to replace one token with another, you might actually want to ask for one that uses both time and event as moving factors.
For a more detailed analysis of how OTP works and what the differences are, I published a paper a few years ago that you can find here: OTP and Challenge-Response Algorithms for Financial and e-Government Identity Assurance.
Strong authentication and Smart Cards - ActivIdentity Blog

For the last twenty years enterprise system security has been based on a very simple principle. Anyone already inside the network is decent and can get to pretty much any resource just by knowing the relevant password, whereas those outside the network need strong authentication. Call it the perimeter defense model.
OTP tokens for VPN authentication; static passwords to log onto the ERP system once you're inside. It's the IT equivalent of having a strong lock on the front door of your building and a weak lock on your filing cabinet. You know, the one with your genius plans for world domination. Oh, and hiding the key to the filing cabinet on the very next shelf.
And yet, to be honest, for most of those 20 years this strategy was good enough for a lot of companies. There were a few cases of people breaking in through a window, (think SQL injection attack on the company website) but this was usually fixed by bolstering the perimeter defenses or installing a burglar alarm (think Intrusion Detection Systems). Anyway, fitting strong locks to every internal door and filing cabinet (think strong authentication for laptops, workstations, servers and applications) was prohibitively expensive.
So what's changed? Actually a couple of things have changed. Firstly, there's the ubiquitous and ominous 'Advanced Persistent Threat'. As the name implies, this is a broad term, but the pattern is often formulaic. First, research your target both at an organizational level (suppliers, IT systems, etc.) and at an individual level (place of work, boss, vacation periods); information that we would once have considered personal and private is now shared freely on business and social networking sites. Secondly, build yourself a piece of malware tailored to the target environment; check out your friendly not-so-local hacker website for starter kits and helpful tips. Thirdly, attach the malware to an email (it can look as innocuous as an attached .pdf file, or a link to a website that exploits a zero-day vulnerability), make it look like it's from a trustworthy source, and send it. Ideally, give it an enticing title such as '2011 Recruitment Plan'. Chances are that your unwitting target will open the attachment and you will have infected the recipient's computer. You are inside the perimeter, and no amount of strong authentication could have stopped you from getting there.
Now the attackers take advantage of the misplaced trust that is afforded to users already inside the network. Weak static passwords are all that stand between them and almost any system resource on the network. From the beachhead of that one compromised machine they can sniff passwords, guess passwords, brute-force password files, and take advantage of the fact that most users use the same password for multiple logins. With time they will gain access to any system they want.
Hence my assertion that strong authentication at the perimeter only is no longer sufficient. Eventually a persistent thief will find a way into the building. If the contents are valuable to you, it's time to start putting strong locks on the doors to your rooms and your filing cabinets. In IT terms, that means implementing strong authentication at the level of individual desktops, laptops, servers and applications.
The other thing that's changed: it's no longer prohibitively expensive.
Are OTP tokens secure? - ActivIdentity Blog

There's a lot of chatter at the moment, for understandable reasons, about whether OTP tokens can still be considered secure. As with most things worth blogging about, there's no black and white answer. However, a great question for any organization to ask itself is 'Are OTP tokens secure enough?' Nothing is perfect (although doing nothing rarely results in perfection).
Much of the concern around the security of OTP tokens stems from their underlying reliance on a symmetric key model. What that means in practical terms is that you need to load into the authentication server an exact copy of the key that is injected into the OTP token. These keys, often referred to as 'seeds', therefore need to be managed, and the processes and systems that manage them are great places for attackers to go after. This is what appears to have happened in the recent breaches.
When determining whether OTP tokens are secure enough, enterprises should take a look at how the keys are being managed. In many cases the process is as follows. The token vendor injects a key into the token during manufacturing. In parallel a seed file is created containing all the keys for a batch of tokens. The tokens are shipped to the customer along with the seed file. An administrator at the customer site loads the seed file into the authentication server.
Do you see that there are actually six potential points of compromise in the chain?
1. The manufacturing process that generates the seed file
2. The transport of that seed file to the customer site
3. The management of that seed file on site, prior to being loaded into the authentication server
4. The secure storage of the seed file within the authentication server
5. The retention by the customer of that seed file (often on a CD) subsequent to its being loaded into the authentication server
6. The retention of that seed file by the OTP token vendor
To quote Mark Diodati from Gartner ‘I have seen many seed record CDs (OK, floppies back in the day) on the desks of system administrators or sitting on top of the server.‘
A far more secure model is one in which customers can initialize OTP tokens themselves from the admin console of the authentication server. In this model those pesky seed files are removed from the process, because the key is generated on site and injected simultaneously into the token and the authentication server database. This eliminates five of the six potential points of compromise that attackers can go after; only the secure storage of the keys within the authentication server itself remains.
Going forward RSA will no doubt take extraordinary steps to ensure that seed files can’t be stolen from their internal systems. But, if you have six unlocked doors in your house, then just locking the one the burglars came through last time doesn’t necessarily make for a secure home.
Of course there is a way to avoid all six points of compromise, which is to deploy smart cards, since these rely on an asymmetric key model in which only the public key ever needs to be shared with the server. But that's a blog for another day.
Legal Disclaimer
Some of the individuals posting to this blog website work for ActivIdentity Corporation ("ActivIdentity"). Opinions expressed in the blog postings and in any corresponding comments are the personal opinions of the original authors, not of ActivIdentity. The blog postings are provided for informational purposes only and are not meant to be an endorsement or representation by ActivIdentity or any other party. This blog website is available to the public. ActivIdentity moderates the comments and comments will not be posted until they are approved by the moderator. ActivIdentity does not guarantee that your comments will be posted to this blog website and ActivIdentity may refuse to post any comments in its sole discretion. No information you consider confidential should be posted to this blog website. By posting comments, you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to this blog website. You release ActivIdentity from any liability related to your use of this blog website and the content on this blog website. Your use of this blog website is also subject to the terms and conditions of the ActivIdentity Legal Notice available at http://www.actividentity.com/legal/ (the "Legal Notice"). The blog postings are "materials" and any comments that you post to this blog website are "feedback," each as defined in the Legal Notice.