ActivIdentity Blog http://actividentity.com/blog
Preventing Scalable MitB Attacks - ActivIdentity Blog
These attacks can often be spotted if a transaction seems to be taking longer than normal, or if a user is asked for more information than is usually required. Additionally, infected machines often slow down substantially while the malware takes over the processor and Internet connections.

This advanced attack, once an occasional exploit, has evolved into a global, multi-million dollar cyber crime industry – and threatens online banks around the globe in a huge way. For this specific type of attack, the malware lives in the Web browser, and can get between the user and the website, altering what is seen and covertly changing what is being entered. Because these attacks are constantly evolving, organizations are struggling to defend themselves and are increasingly realizing that their traditional online defenses simply cannot keep pace.

Standard Web browsers have not been architected to keep up with the continuous stream of targeted malware attacks, and firewall and antivirus products are simply not enough to protect against the massive number of attacks on the end-user PC. Furthermore, a MitB attack can be successful regardless of the authentication method in place, as the malware has the ability to control the application used to transact online (i.e. the Web browser). In fact, no single security method has proven to be robust enough to prevent these sophisticated malware attacks on its own. To effectively counter this new wave of online banking fraud, focus must shift to preventing the scalability of malware attacks.

Of course online banking, though convenient, can come with a security price. Customers do not always follow prescribed security procedures and most will not accept higher security at the cost of poor usability. So it is critical that banks provide an effective, layered protection that can be active without requiring any user participation or special procedures.

ActivIdentity’s 4TRESS Authentication Appliance solution enables the cohesive, layered and proactive framework for endpoint and backend security that banks need to combat today’s online threats, as well as those that have yet to appear. Real-time device profiling and mobile location services, coupled with versatile strong authentication and out-of-band (OOB) verification, go a long way to prevent malware attacks while maintaining customer convenience through transparent, adaptive security calibrated to risk profiles. Combined with an endpoint security layer in the form of a hardened application, i.e. a secure browser that can communicate with the authentication device’s firmware and connect only to bank Web sites on its “white list”, this forces criminal hackers to work much harder for any successful MitB attack.
Tue, 10 Apr 2012 18:17:00 -0500
Charges Brought Against Anonymous Hackers and Top Risks of Mobile Banking – Industry News Wrap-Up – ActivIdentity Blog
10 Lessons from RSA Security Conference
Last week marked one of the security industry's largest annual events – the RSA Conference. Several key lessons dominated discussions throughout the week – from increasing challenges in securing mobile devices to defending against advanced persistent threats. InformationWeek highlights some of the top issues that are changing the security equation in 2012. 
Wanted Computer Hacker Helps Bring Charges
On March 6, 2012, it was revealed that "Sabu," a leading member of the international hacktivist collective Anonymous, had been arrested in June 2011, but had been working as an FBI informant since that time. Hector Xavier Monsegur ("Sabu") pleaded guilty to 12 computer crimes during a secret court hearing on August 15, 2011. His work with the FBI led to charges brought against five other top members of LulzSec, an offshoot of the loose-knit international cyber-activist group Anonymous.

Top Risks of Mobile Banking
A new BankInfoSecurity interview with Aite Group’s Julie McNelley highlights several of today’s top mobile banking risks. She explains that as new mobile banking applications are introduced to the market it will be very important for banking institutions to have cross-channel monitoring in an effort to mitigate risks. These risks, she says, increase with the consumerization of devices in companies.
Fri, 09 Mar 2012 13:35:00 -0600
Identity Fraud via Mobile Devices and Cybersecurity Legislation Concerns – Industry News Wrap-Up – ActivIdentity Blog
Identity Fraud Victims Are Smartphone, Social Media Users: Report
Javelin Strategy recently conducted a study on identity fraud and contributing factors. Released on February 22, this report showed that consumers may be put at greater risk for identity fraud via social media and mobile devices. In fact, identity fraud saw an increase of 13 percent from 2010, meaning that more than 11.6 million adults fell victim to it in the United States alone. According to Javelin, smartphone owners are not properly protecting their devices – around 62 percent admitted to not using a password or PIN code to lock their devices. Furthermore, eWEEK's Fahmida Rashid reports, "Javelin also found that victims of data breaches were 9.5 times more likely to be a victim of identity fraud than consumers who had not been affected, compared to 2010."

Civil Liberties Groups: Proposed Cybersecurity Bill Is Too Broad
Last week, the Cybersecurity Act of 2012 was introduced in an effort to develop security standards for our nation's critical infrastructure. This week, representatives from the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center have raised concerns about the proposed legislation, specifically around the language used. Some feel the bill contains "fuzzy definitions" and may lead to broad interpretation by companies looking to counteract cybersecurity threats, reports Elinor Mills of CNET.

NSA: Anonymous Cyber Attacks Could Knock Out US Power Grid
A recent report revealed that the National Security Agency (NSA) believes the "hacktivist" group known as Anonymous could potentially knock out the US power grid in the next one to two years. Considering the organization’s track record of high-profile cyber hacks, officials are uneasy about future attacks and threats posed by this collective. Though experts feel this would be the next logical step, a blog associated with Anonymous claims that shutting off the power grid would be "ridiculous," saying it "makes no sense."
Fri, 24 Feb 2012 17:57:00 -0600
Risk-based Authentication – ActivIdentity Blog
What is it and how can it help you to stay ahead of the attackers?
OK, let’s say that you followed my advice and implemented smart cards or OTP tokens that are less prone to APT attacks. What can now be done to tune the security of the solution even further and stay ahead of the attackers this time? And is it possible to do it without sacrifices in user experience and privacy? To answer those questions we need to take a look at some new technologies ActivIdentity has been working on.

1. Advanced Fraud Detection
With our latest version of the appliance-based authentication server we have built in the capability to consider factors such as geographic location and device information when authenticating users. What this means to you is that you can now limit access to trusted devices in trusted countries. Alternatively, users can be asked to use a supplementary, or more secure, method of authentication, such as a One Time Password sent over SMS, when connecting from devices or locations that are not on the trusted list. By adding this additional, but transparent, layer of security to the solution, security can be increased significantly without impacting the user experience, at least not for users connecting from their trusted devices and locations. For those users, it’s even possible for the system to allow authentication without asking the user to log in at all, making the experience as seamless as it can be.

When you sign up for the 4TRESS Fraud Detection Service you also benefit from the intelligence collected by thousands of other customers. If a particular computer has been reported to misbehave elsewhere, you will be made aware of it before a user of that computer can log in to your system. This allows you to use that information to decide which level of authentication should be required, or maybe you decide to prevent access from that computer altogether…

You can configure the 4TRESS Fraud Detection Service to accommodate your specific security needs. Let’s say you want to limit access to specific devices from within a particular area. No problem. To help you in the process, ActivIdentity Professional Services has developed a consulting package around the implementation and configuration of the 4TRESS Fraud Detection Service. By leveraging additional layered security features in the 4TRESS Authentication Server, we can also help you become compliant with the updated FFIEC guidance, PCI DSS and other online commerce/banking-related legislation, policies and guidelines around the world.

2. On-going Behavioural Analysis
Another technology that we are currently investigating is the use of behavioural analysis for on-going authentication and improved forensics capabilities. With behavioural analysis, the user’s interaction with applications is constantly monitored and analysed without impacting user experience or compromising privacy. Over time, the behavioural analysis system learns how a specific user behaves and can detect deviations from that behaviour. If a deviation occurs (e.g. someone else took over the computer), the application can choose to re-authenticate the user and/or add the event to an audit database for later forensic study.

If implemented correctly, behavioural analysis can be used to reduce the number of times a user actively needs to authenticate to a system. As long as the behavioural analysis score, which is calculated at each user interaction, stays within the defined threshold for the given application, the system can choose to grant the user access without imposing additional user authentication. Just imagine being able to make those online bank payments without having to enter security codes every time...

Now, imagine behavioural analysis being part of the layered security functionality in ActivIdentity 4TRESS Authentication Server together with strong authentication capabilities, advanced fraud detection and tamper-evident audit logging – that’s one way to stay ahead of attackers without sacrificing user experience or privacy!
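The decision rules sketched in the two sections above (trusted device and country, shared intelligence about misbehaving computers, step-up via SMS OTP, and a behavioural score checked against a threshold at each interaction), as an added example that is not ActivIdentity code. The Decision values, the root-mean-square z-score formula, the threshold of 3.0 and every sample profile and feature value are constructed assumptions, and nothing here reflects how 4TRESS actually scores risk.

```python
"""Risk-based authentication policy in the shape described in this post.

Added example, not ActivIdentity code: the rules, the deviation formula, the
threshold and every sample value are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from math import sqrt


class Decision(Enum):
    ALLOW = "allow"            # trusted device from a trusted country: no prompt
    STEP_UP = "step_up"        # require a supplementary factor, e.g. SMS OTP
    DENY = "deny"              # device reported as misbehaving elsewhere
    REAUTH = "reauthenticate"  # behavioural deviation during the session


@dataclass
class Baseline:
    """Per-feature mean and standard deviation learned from a user's past
    sessions (supplied here as constructed values rather than learned)."""
    mean: dict[str, float]
    stdev: dict[str, float]


@dataclass
class UserProfile:
    trusted_devices: set[str]
    trusted_countries: set[str]
    baseline: Baseline


@dataclass
class RiskEngine:
    profiles: dict[str, UserProfile]
    reported_devices: set[str]       # shared-intelligence feed (constructed)
    reauth_threshold: float = 3.0    # per-application tolerance, an assumption
    audit: list[dict] = field(default_factory=list)

    def login(self, user: str, device_id: str, country: str) -> Decision:
        """Decide at login time, before any credential is requested."""
        profile = self.profiles[user]
        if device_id in self.reported_devices:
            decision = Decision.DENY           # block before the user can even log in
        elif device_id in profile.trusted_devices and country in profile.trusted_countries:
            decision = Decision.ALLOW          # seamless: no login prompt at all
        else:
            decision = Decision.STEP_UP        # untrusted device or location
        self.audit.append({"event": "login", "user": user, "device": device_id,
                           "country": country, "decision": decision.value})
        return decision

    def deviation_score(self, user: str, features: dict[str, float]) -> float:
        """Distance of one interaction from the baseline: root mean square of the
        per-feature z-scores, so 0.0 means 'exactly typical for this user'."""
        b = self.profiles[user].baseline
        zs = [(features[k] - b.mean[k]) / b.stdev[k] for k in b.mean]
        return sqrt(sum(z * z for z in zs) / len(zs))

    def interaction(self, user: str, features: dict[str, float]) -> Decision:
        """Called on every interaction; a deviation forces re-authentication and
        is recorded with its features for later forensic study."""
        score = self.deviation_score(user, features)
        if score <= self.reauth_threshold:
            return Decision.ALLOW
        self.audit.append({"event": "deviation", "user": user, "score": round(score, 2),
                           "features": features, "decision": Decision.REAUTH.value})
        return Decision.REAUTH


def demo_engine() -> RiskEngine:
    """Constructed sample deployment: one user, one trusted laptop, one device
    reported as compromised by other customers."""
    alice = UserProfile(
        trusted_devices={"dev-alice-laptop"},
        trusted_countries={"SE"},
        baseline=Baseline(
            mean={"keystroke_ms": 180.0, "pages_per_min": 4.0, "login_hour": 9.0},
            stdev={"keystroke_ms": 30.0, "pages_per_min": 1.0, "login_hour": 2.0},
        ),
    )
    return RiskEngine(profiles={"alice": alice}, reported_devices={"dev-reported-bad"})


TYPICAL = {"keystroke_ms": 190.0, "pages_per_min": 4.5, "login_hour": 10.0}
TAKEOVER = {"keystroke_ms": 60.0, "pages_per_min": 30.0, "login_hour": 3.0}

if __name__ == "__main__":
    engine = demo_engine()
    print(engine.login("alice", "dev-alice-laptop", "SE"))  # Decision.ALLOW
    print(engine.login("alice", "dev-alice-laptop", "US"))  # Decision.STEP_UP
    print(engine.login("alice", "dev-reported-bad", "SE"))  # Decision.DENY
    print(engine.interaction("alice", TYPICAL))             # Decision.ALLOW
    print(engine.interaction("alice", TAKEOVER))            # Decision.REAUTH
    for event in engine.audit:
        print(event)
```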
Fri, 24 Feb 2012 11:26:00 -0600
Android Malware & Bipartisan Cyber Security Bill – Industry News Wrap-Up – ActivIdentity Blog
Android Malware Grew 3,000 Percent in 2011: Report
According to a recently released Juniper report, Android malware grew 3,325 percent in the last seven months of 2011, accounting for about 46.7 percent of unique malware targeting mobile platforms. This research links the explosion of malware in the Android market to Android’s open marketplace, which allows developers to post their apps freely.

Romanian Police Arrest Alleged Hacker in Pentagon, NASA Breaches
“TinKode,” a 20-year-old hacker, was recently arrested by Romanian police after hacking into the computer systems at both NASA and the Pentagon and then publicly bragging about it. TinKode, whose real name is Razvan Manole Cernaianu, is not a first-time offender and has targeted large entities with complex network deployments and multiple interfaces on several prior occasions.

New Cyber Security Bill is Bipartisan, But Has its Critics
A new bipartisan cyber security bill, Cybersecurity Act of 2012, was introduced this week in an effort to streamline data security processes and change the way companies share information about data threats. There are, however, concerns about how much personal data will be accessible by the government. Some fear that the way the law is currently written provides the government with access to data it otherwise would not have, even if the companies involved did not want to share that information. Others argue that cyber activity is one of the largest threats to our nation today – and that now is the time for government action.
Fri, 17 Feb 2012 22:46:00 -0600
Mobile Banking vs. Online Banking – Industry News Wrap-Up – ActivIdentity Blog
Mobile Banking Is More Secure Than Online Banking
In a debate on mobile banking security, Pete Daffern, CEO of Clairmail, goes head-to-head with Julie McNelley, Aite Group, looking at the pros and cons. While Daffern votes in favor of mobile banking, opining that “people always know where their phones are,” McNelley argues the PC is more trustworthy, and as online banking has been around longer, the platforms tend to be more mature in their defenses.

New, Stealthy Threats Change Best Responses to Cyberattack
Newly revised guidelines for responding to the emergence of advanced persistent threats have been released. According to the National Institute of Standards and Technology, today’s threats are stealthier than ever, gathering information over extended periods of time before leading to the exfiltration of highly sensitive data. Government Computer News’ Bill Jackson notes that, “Although risk assessments, monitoring and preventive activities can lower the number of security incidents, not all incidents can be prevented, and an incident response capability is necessary.”

DDoS Tools Flourish, Give Attackers Many Options
DDoS, or distributed denial-of-service, attacks are increasingly prominent in news headlines. According to research analyst group Arbor Networks, there are now at least 55 different DDoS tools available to hacktivists, such as Anonymous. The motivations behind DDoS attacks vary from revenge to extortion, though many commercial DDoS services seem to be focused on taking down competitors.
Mon, 13 Feb 2012 11:21:00 -0600
Explaining OCSP through the DigiNotar Attack – ActivIdentity Blog
It is not every day that the Online Certificate Status Protocol (OCSP) makes headlines. However, this summer there has been a lot said in security circles about the DigiNotar compromise and how OCSP played a role. On various blogs there is a lot of good information being shared but also some misconceptions about the role of OCSP in the attack. This article talks about OCSP and uses the DigiNotar attack as a concrete example of what OCSP is and how it is used.

Certificate Authority (CA)
A Certificate Authority like DigiNotar is server software that issues digital certificates. In the case of DigiNotar, the certificates that made the news were SSL server certificates which protect secure websites. 
In the compromise, hackers were able to issue their own SSL certificates from the DigiNotar CA. Those certificates were used to capture sensitive data from unsuspecting users of sites such as Google’s gmail in Iran. Evidently one of the problems with the security processes at DigiNotar was the use of static passwords. To read more about why static passwords are a bad idea, and why two-factor authentication is a good idea, see http://www.actividentity.com/blog/same-old-static-password-story-is-getting-old.

Certificate Revocation List (CRL)
If a certificate is compromised in some way, the CA operator can add the serial number of the certificate to a “black list” of sorts called the Certificate Revocation List (CRL). New CRLs are published by the CA on a regular schedule chosen by the CA operators such as once every 72 hours or once a week. One of the limitations of CRLs is that they can get rather large depending on the size of the certificate population, leading to latency and bandwidth issues. (There are concepts such as delta CRLs and partitioned/segmented CRLs, but with delta CRLs you still have to have a base CRL, with partitioned CRLs no single CRL can be considered the authoritative source of revocation, and with both delta and partitioned CRLs the relying party (client) and/or CA might not support them.)

In the DigiNotar attack, most of the rogue SSL certificates were discovered by CA operators right away and added to the CRL.

Online Certificate Status Protocol (OCSP)
The Online Certificate Status Protocol (OCSP) is an HTTP-based protocol for securely retrieving the revocation status of one or more certificates rather than downloading an entire CRL. The OCSP request says “Please give me the revocation status for certificate serial number: 12345”, the OCSP server response is generally “Good” or “Revoked”, and the response is signed (I’m simplifying the syntax a bit).
An OCSP server will always answer “Revoked” for a certificate that is in the CRL (assuming the OCSP Server has downloaded the latest data)*, and by default it will generally answer “Good” for any serial number that is not in the CRL. If you are familiar with the details of the DigiNotar attack, this might set off your alarm bells. “Wait. What if someone creates a rogue certificate that I haven’t discovered yet? You mean to tell me that the OCSP server will say it is a good certificate?” Yes. Traditional OCSP servers assume that your CA knows what they are doing and have secured their systems. If someone creates a rogue certificate, it won’t be in the CRL until you detect it and manually put it in there, and until that time the OCSP server will say it is a good certificate. 
After knowing about the compromise for over a month, DigiNotar set their OCSP server to return “revoked” for any “unknown” serial number. However, I am doubtful that any of the rogue certificates would have been considered “unknown” serial numbers by the OCSP server at DigiNotar: if your CA is also your OCSP server, then any certificate that is known to one is likely to be known to the other.
Another limitation of traditional OCSP is that it doesn’t scale very easily. OCSP Responses need to be signed, which means an expensive high-throughput Hardware Security Module (HSM), and there needs to be a database to hold the CRL data. The server itself needs to be secured as well.

Distributed OCSP (D-OCSP)
Distributed OCSP (D-OCSP) is an ActivIdentity/CoreStreet patented invention. With D-OCSP, the OCSP server pre-signs OCSP responses only for the serial numbers that are either in the CRL or are explicitly configured to be “Good”, and puts them together in an OCSP Response List. OCSP middle-tier “Responders” consume these pre-signed lists and can then answer OCSP requests. Responders contain no key material and do no signing, so they can be deployed easily and cheaply. Generally they are spread around the globe geographically, and products such as F5 BigIP are used to route the OCSP URL contained in your certificate, e.g. ocsp.mycompany.com, to the nearest Responder. D-OCSP thus resolves the scalability issue of traditional OCSP. One can configure the OCSP Server to pre-generate “good” responses only for specific certificates, thus creating a combined “white and black list” of sorts rather than just the “black list” of the CRL data.
Then, at the very least, if hackers get into your CA they would also have to know how to install the certificates that they created into your OCSP Server response list. So in a sense, Distributed OCSP also adds one extra layer which can help protect against the off chance of someone getting a hold of your CA and creating rogue certificates.
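The three answering policies discussed in this section and the previous one, modelled side by side as an added example that is not ActivIdentity or CoreStreet code: traditional CRL-backed OCSP, the post-compromise unknown-as-revoked setting, and a D-OCSP-style pre-signed white-and-black list served by a keyless responder. The serial numbers, CA database, CRL and whitelist are constructed, HMAC stands in for the HSM signature, and treating a missing pre-signed response as "unknown" is a modelling assumption.

```python
"""Three OCSP answering policies from this post, modelled side by side.

Added example, not ActivIdentity or CoreStreet code. Serial numbers, the CA
database, CRL and whitelist are constructed; HMAC stands in for the HSM
signature a real Validation Authority would produce.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Optional

# --- constructed CA state ---------------------------------------------------
# Serials the CA software knows about. 0xBAD1 was minted by an intruder through
# the compromised CA itself, so to that CA it is a perfectly "known" serial.
CA_ISSUED = {0x1001, 0x1002, 0x1003, 0xBAD1}
CRL = {0x1002}                 # what the operators have revoked so far
WHITELIST = {0x1001, 0x1003}   # serials explicitly configured "Good" for D-OCSP
ROGUE_UNDETECTED = 0xBAD1      # rogue, not yet discovered, hence not in the CRL
NEVER_ISSUED = 0xDEAD          # a serial no CA process ever saw


def traditional_ocsp(serial: int) -> str:
    """Blacklist only: anything absent from the CRL is reported Good."""
    return "revoked" if serial in CRL else "good"


def unknown_as_revoked(serial: int) -> str:
    """DigiNotar's post-compromise setting. It catches serials the CA never saw,
    but a rogue certificate issued through the CA itself is still 'known'."""
    if serial in CRL:
        return "revoked"
    return "good" if serial in CA_ISSUED else "revoked"


# --- D-OCSP: pre-signed white and black list, keyless responders --------------
SIGNING_KEY = b"constructed-stand-in-for-the-hsm-key"


def sign_response(serial: int, status: str) -> bytes:
    """Done once, centrally, by the Validation Authority that holds the key."""
    body = json.dumps({"serial": serial, "status": status}).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def build_response_list() -> dict[int, bytes]:
    """The OCSP Response List: CRL entries as Revoked, whitelist as Good, and
    nothing at all for any other serial."""
    responses = {s: sign_response(s, "revoked") for s in CRL}
    responses.update({s: sign_response(s, "good") for s in WHITELIST - CRL})
    return responses


class Responder:
    """Middle-tier responder: serves pre-signed responses, holds no key."""

    def __init__(self, response_list: dict[int, bytes]):
        self.responses = response_list

    def answer(self, serial: int) -> Optional[bytes]:
        return self.responses.get(serial)


def client_status(responder: Responder, serial: int, verify_key: bytes) -> str:
    """Relying party: check the signature, then read the status. A serial with
    no pre-signed response is reported 'unknown' (a modelling assumption), and
    a careful client does not treat 'unknown' as good."""
    resp = responder.answer(serial)
    if resp is None:
        return "unknown"
    body, tag = resp.rsplit(b"|", 1)
    expected = hmac.new(verify_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return "invalid-signature"
    return json.loads(body)["status"]


def compare_policies(serial: int) -> dict[str, str]:
    """What each policy tells a client about one serial number."""
    responder = Responder(build_response_list())
    return {
        "traditional": traditional_ocsp(serial),
        "unknown_as_revoked": unknown_as_revoked(serial),
        "d_ocsp": client_status(responder, serial, SIGNING_KEY),
    }


if __name__ == "__main__":
    cases = [("legitimate", 0x1001), ("revoked", 0x1002),
             ("rogue via CA", ROGUE_UNDETECTED), ("never issued", NEVER_ISSUED)]
    for label, serial in cases:
        print(f"{label:>13}: {compare_policies(serial)}")
```

The "rogue via CA" row is the point the post makes: the first two policies both report it Good, and only the whitelist leaves it without a Good response.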

More about OCSP
OCSP is generally used by companies and organizations when there is a PKI with at least 1,000 certificates. Not all web browsers use OCSP by default, but many of them do. A lightweight version of the OCSP protocol is also supported by Microsoft in modern operating systems.

An example OCSP server is the ActivIdentity CoreStreet Validation Authority. A company that doesn’t wish to have their own OCSP server can purchase it as a managed service through an ActivIdentity partner.

*If one is worried about the lag time between creation of the CRL and the availability of the OCSP response, the ActivIdentity Smart Data Bridge product can be used to send a message from the CA to the Validation Authority immediately after every single certificate revocation event, and have OCSP available within minutes rather than hours or days.
Mon, 06 Feb 2012 19:24:00 -0600
Top 10 Security Threats of 2012 – Industry News Wrap-Up – ActivIdentity Blog
10 Security Trends To Watch In 2012
From spear-phishing to botnets to mobile to social networking, 2012 is predicted to be anything but quiet on the security front. InformationWeek’s Mathew J. Schwartz has compiled ten security trends that companies should be on the lookout for – noting that many won’t be a matter of “if,” but “when.”

Cybercrime Gang Stole $5 Million in 72 Hours
South Africa's National Intelligence Agency and police force have launched an investigation after a cybercrime gang recently stole more than $5 million from a government bank, during a 72-hour span. According to MSNBC.com’s Matt Liebowitz, after gaining access to the bank’s network “the cybercrooks increased the withdrawal limits for their new accounts and then, for 72 hours starting at 9:00 a.m. on Jan. 1, made massive withdrawals from ATMs across the country. By the time the holiday break was over, so was the robbery.”

Anonymous to Hack Sony on Monday
SC Magazine’s Darren Pauli reported that hacktivist group Anonymous plans to “wage war” on Sony next week to punish the organization for supporting the highly controversial SOPA Act. He writes that hackers plan to load Sony.com’s homepage with BitTorrent files that allow users to download copyright-protected music and movies – the very action SOPA is designed to prevent. Additionally, the group is expected to target Sony’s online music store – making song prices free.
Fri, 03 Feb 2012 11:13:00 -0600
Mobile Security & Identity Theft – Industry News Wrap Up - ActivIdentity Blog
Mobile Security Needed
A survey of more than 1,400 PCWorld and Macworld readers revealed some interesting mobile security trends and take-aways. As reported by Nick Mediati, the data indicates that mobile users are becoming increasingly aware of the vulnerability of their devices. He also reports that “more Android owners see the need for security software than iOS owners, but more iOS owners are willing to pay for it.”

California Unveils New Unit to Fight Cybercrime
California Attorney General Kamala Harris announced on Tuesday the creation of a new state Justice Department unit to combat crimes that enlist technology. CNET’s Steven Musil reports that according to the Federal Trade Commission, California has the most identity theft complaints of any state. Furthermore, a department statement revealed that more than one million Californians fall victim to identity theft each year – in 2010 alone, there was $46 million reported lost.  


Five Big Database Breaches of 2011’s Second Half
Though the first half of the year saw this year’s highest profile security breaches – from Sony to RSA to Epsilon – the last six months have seen their fair share. Dark Reading’s Ericka Chickowski outlines some of the most notable recent breaches, along with security lessons learned. 
Mon, 19 Dec 2011 22:47:00 -0600
2011 Cyber Attacks – Security Industry News Wrap-up – ActivIdentity Blog
The Most Notorious Cybercrooks Of 2011 -- And How They Got Caught
2011 will likely go down in history as "the year of the hack." In this Dark Reading article, contributing editor Ericka Chickowski highlights eight of the most high profile cyber attacks of 2011. From LulzSec and Anonymous to Sony and Celebrity Hackerazzi, this end-of-year recap summarizes each headline-grabbing case, providing the “who,” “what” and “where” of each attack.

Changes Coming To The CISO Position
Enterprise Strategy Group's Jon Oltsik outlines an interesting prediction for 2012 in this article – opining that major changes are coming to the enterprise CISO position in 2012. He writes, “As security threats and risk management becomes a boardroom-level concern, CISOs are being pulled in two opposing directions” and because of this, the CISO role will need some fine-tuning in the year ahead.

Top Business Trends for 2012
As 2011 draws to a close, Baseline's annual research study of midsize and large organizations reveals the 10 trends that will play a significant role in enterprises in the year ahead. According to Baseline's research, 28 percent of respondents plan to increase their investments in "bring your own device" systems in the year ahead – spelling new challenges for IT departments as they work to manage and secure the proliferation of iPads, iPhones and Android devices entering the workplace.
Fri, 09 Dec 2011 17:58:00 -0600
Best Practices for Online Banking Security - ActivIdentity Blog
Give them what they want!
Having had the pleasure to work with many banks around the world to help them design and implement security solutions for their online banking systems, my colleagues and I have picked up a few things about what to do to deliver secure yet user friendly solutions.

For starters, as long as it makes customers feel secure and enables them to access more (preferably all) banking services online, it’s OK to sacrifice a little when it comes to the user login experience. Here are a few suggestions on how to use today’s advanced security technologies to build an online banking system that offers strong security while maintaining high convenience and access to as many services as you want to make available:

  1. At the time of log in, let customers choose which authentication method to use based on what they intend to use the service for. 
  2. Give customers the option to configure their own security levels.
  3. Let customers decide which type of device to connect from. 
  4. Integrate the online banking system and its security with your other operations to give customers a consistent sense of your approach to security. 
  5. Let customers use the same security credential as they use for online banking when they access other bank services. 
  6. Give customers good support the way they want it: through FAQs on the website, online chat, telephone, email, face to face or by letter.

And don’t forget transaction security!
One typical misconception in online banking is that security should be all about how to authenticate users to best protect access to the service. That’s not the way I have learnt to look at it. The real risk for online banking customers is that someone steals money from their accounts. It therefore makes a lot of sense to focus more on ways to secure the actual money transfers than just the access to the service. Many of the most successful online banks I have worked with have done just that and here are a few recommendations they gave:

  1. Make it as easy as possible. Only ask for transaction signing when money is transferred to accounts other than the customers’ own accounts and allow transactions to be batched.
  2. Use a secure but risk-appropriate technology to carry out the transaction signing. Smart cards, tokens, soft tokens and SMS text messages are all good ways to provide electronic transaction signing. 
  3. Make sure that it is clear to the user what is being electronically signed. This is to prevent man-in-the-middle attacks, which is particularly important now given the recent attacks on trusted Certificate Authority providers and hacks of the session security protocol mechanisms (SSL/TLS) used by our web browsers.
  4. Store the transaction data including the customer’s electronic signature in a secure tamper-evident audit database for archiving purposes. It can be very useful to be able to prove that a money transfer was correctly carried out and approved many years after it happened.
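Recommendations 1, 3 and 4 above as an added example, not ActivIdentity code: sign only when money leaves the customer's own accounts (batches included), sign the exact text shown to the customer so that a browser-side change of recipient or amount fails verification at the bank, and archive each signed batch in a hash-chained audit log. The account numbers, transfers and device key are constructed, and HMAC with a device-shared key stands in for the token or smart card signature a real deployment would use.

```python
"""Transaction signing and tamper-evident archiving for online banking.

Added example, not ActivIdentity code. Accounts, transfers and the device key
are constructed; HMAC over a device key stands in for a token/smart card
signature.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount: str      # decimal string, so the signed text is the displayed text
    currency: str
    reference: str


def needs_signing(batch: list, own_accounts: set) -> bool:
    """Recommendation 1: only transfers leaving the customer's own accounts
    need a signature; internal moves, and batches of them, do not."""
    return any(t.to_account not in own_accounts for t in batch)


def display_text(batch: list) -> str:
    """Recommendation 3: what the customer reads on the signing device is the
    exact string that gets signed (what you see is what you sign)."""
    return "\n".join(
        f"Pay {t.amount} {t.currency} to {t.to_account} from {t.from_account} ({t.reference})"
        for t in batch
    )


def sign_batch(device_key: bytes, batch: list) -> str:
    """Computed on the customer's signing device over the displayed text."""
    return hmac.new(device_key, display_text(batch).encode(), hashlib.sha256).hexdigest()


def bank_verifies(device_key: bytes, received: list, signature: str) -> bool:
    """The bank rebuilds the text from the transfers it actually received, so a
    recipient or amount altered in the browser no longer matches the signature."""
    return hmac.compare_digest(sign_batch(device_key, received), signature)


class AuditLog:
    """Recommendation 4: hash-chained archive. Each record commits to the signed
    transfers, the customer's signature and the previous record's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, customer: str, batch: list, signature: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        record = {"customer": customer, "transfers": [asdict(t) for t in batch],
                  "signature": signature, "prev_hash": prev}
        record["entry_hash"] = self._hash(record)
        self.entries.append(record)
        return record["entry_hash"]

    def verify(self) -> bool:
        """False if any archived record was altered, reordered or removed."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def scenario() -> dict:
    """Constructed walk-through: an internal move, a signed external batch, a
    browser-side alteration of one recipient, and the archived record."""
    own = {"SE11 0001", "SE11 0002"}
    key = b"constructed-device-key-alice"
    internal = [Transfer("SE11 0001", "SE11 0002", "500.00", "SEK", "savings")]
    external = [Transfer("SE11 0001", "SE99 7777", "1200.00", "SEK", "rent"),
                Transfer("SE11 0001", "SE99 8888", "300.00", "SEK", "electricity")]
    signature = sign_batch(key, external)        # the customer approves this text
    altered = [Transfer("SE11 0001", "SE99 6666", "1200.00", "SEK", "rent"), external[1]]
    log = AuditLog()
    log.append("alice", external, signature)
    return {
        "internal_needs_signing": needs_signing(internal, own),
        "external_needs_signing": needs_signing(external, own),
        "genuine_accepted": bank_verifies(key, external, signature),
        "altered_rejected": not bank_verifies(key, altered, signature),
        "log_intact": log.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```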

Every bank obviously has its own advantages, challenges and security needs. Your security solution, including authentication and money transfer approval mechanisms, therefore needs to be specifically defined to meet those needs. At ActivIdentity Professional Services we specialize in advising customers in these kinds of matters, and we have managed to gather quite a lot of experience during the 14 years we have been active in the field.

If you want more detail around the recommendations made in this blog, please read the full Online Banking Best Practice story.

Mon, 05 Dec 2011 15:18:00 -0600
Mobile & Tablet Device Security – Industry Wrap-Up – ActivIdentity Blog
Mobile devices, virtualization seen as biggest security challenges: Ponemon survey
A recent study conducted by Ponemon Institute revealed that the increased use of mobile devices has significantly increased enterprise security concerns. For the IT department, mobile devices are considered to be one of the main sources of potential IT security breaches. Compared to last year’s survey, in which nine percent of respondents cited mobile devices as major risks to the enterprise, the figure has jumped to 48 percent in 2011.

Kenneth Van Wyk: the Security Implications of Being Stuck with an Old Android OS
There have been several recent reports that indicate vendors of Android smartphones can be slow to distribute the latest system updates to users. This, in turn, poses potential security risks to consumers. Author Kenneth van Wyk stresses the importance of understanding both the short- and long-term effects this can have on security.

Kindle Fire Hits the Office: 5 Security Concerns
As tablets – especially the new, red-hot Kindle Fire – gain increasing popularity, enterprise IT departments face a new wave of security concerns. Author Mathew Schwartz outlines the top five security and privacy challenges enterprises must consider as tablets become the latest “bring your own device” craze for employees.
Fri, 18 Nov 2011 23:37:00 -0600
Cybercriminal Activity – Security Industry News Wrap-up – ActivIdentity Blog
Feds: Cyber Criminals Hijacked 4 Million Computers
This week, the U.S. Department of Justice indicted seven “cyber thieves” for the alleged hijacking of more than four million computers – 500,000 in the U.S. alone. The scheme resulted in massive financial loss – more than $14 million over a four-year period – and the Department of Justice has named this the biggest botnet takedown in history. After a two-year investigation, the accused hackers – known as the Rove Group – have been arrested on cybercrime charges, reports ABC News.

Enterprises Need Better Security Strategies Now
Ernst & Young’s latest annual Global Information Security Survey was published this week. Results were compiled from 1,700 survey respondents in more than 25 sectors worldwide. Report findings – which focus on security concerns in cloud computing, mobile devices and social media – reveal the increasing challenges global organizations face in combating new and complex security threats. As noted in this eSecurity Planet article, “security threats are too pervasive, persistent and costly to think about IT security after the fact.”

Security technology or staffing gap: Which is the greater enterprise challenge?
New, sobering data from Applied Research indicates that enterprises are struggling to manage DNS (Domain Name System) attacks, network layer Denial-of-Service (DoS) attacks and attacks on encrypted data. Based on a survey of 1,000 large organizations in 10 countries, the average cost of dealing with these attacks is about $682,000. Additionally, InfoWorld reports that “more than half of enterprises surveyed cited loss of productivity, 43 percent said they lost data, and 31 percent said they lost revenue as a result of these attacks.”
Mon, 14 Nov 2011 08:18:00 -0600
Network Security – Industry News Wrap-up – ActivIdentity Blog
Network Security: Is it the Technology or the Management?
What good are tools, in any sense of the word, if you don't know how to use them? In this case, the tools are responsible for ensuring security in enterprise networks. It should be noted, however, that technology is only half of the equation. As Jeff Hudson notes, "The technology has to be complemented with proper employee training, rigorous adherence to best practices, internal policies and effective IT security management." Network security is about balancing technology with human interaction – otherwise the enterprise will still be at risk.

Advanced Threats Touch Two-Thirds Of Enterprises
According to a report released by Enterprise Strategy Group (ESG), referenced by InformationWeek’s Mathew J. Schwartz, "nearly two-thirds of information security managers report that their businesses have been targeted by advanced persistent threats (APTs), and 72% expect to see such attacks persist in the future." According to the article, combating APTs requires more than just automated technology – the study notes that senior executives at the most effective organizations take a more proactive approach to security by maintaining and enforcing security policies across the board. The ESG research report can be accessed here.

British Police Jail 13 in $4.6 Million Cyber-Fraud Scheme
By unleashing Trojan applications that infected PCs and captured sensitive information, a banking fraud gang was able to gain access to hundreds of bank accounts and transfer money into accounts under its own control. A total of $4.6 million has been reported stolen between September 2009 and March 2010. Thirteen people allegedly involved in the attacks have been arrested.]]>
Fri, 04 Nov 2011 18:37:00 -0500
<![CDATA[SSL Security, Hacking – Industry News Wrap-up – ActivIdentity Blog]]>
SSL Servers No Match For Laptop-Based Hack
SSL security has come under scrutiny lately due to the recent surge in enterprise security breaches and the growing number of improperly configured websites, which leave SSL connections vulnerable to man-in-the-middle attacks. A hacker group known as The Hackers Choice (THC) this week released a tool that abuses the SSL renegotiation feature: because each handshake costs the server far more CPU than it costs the client, a single laptop on a DSL connection can, according to Dark Reading’s Kelly Jackson Higgins, take down an HTTPS Web server in a denial-of-service attack.

Fraudsters Find Creative ways to Abuse E-Commerce Sites
It seems that where there’s a website, there’s a way to hack it. Regardless of whether companies are up to date with software patches, fraudsters are honing their skills and taking alternate, creative routes to exploit marketing campaigns and incentive programs. Author Jeremy Kirk points to a real-world case in which there were no bugs in the abused system at all: the criminal was using the site as intended, albeit abnormally, to obtain large sums of money.

Stupid hacker tricks: Exploits gone bad
“If the Internet is the new Wild West, then hackers are the wanted outlaws of our time. Like the gun-slinging bad boys before them, all it takes is one wrong move to land them in jail,” writes author JP Raphael. From hacking FBI-sponsored websites to DDoS attacks on PayPal, this article examines five hacks gone terribly wrong. These outrageous hacker slip-ups have landed the culprits in InfoWorld’s Stupid Hacker Tricks Hall of Shame.]]>
Tue, 01 Nov 2011 19:38:00 -0500
<![CDATA[Card Trapping, Security Hacks - Industry News Wrap-up – ActivIdentity Blog]]>
Criminals turn to 'card-trapping' at ATM machines to get cash
No longer satisfied with skimming attacks, criminals are turning to "card-trapping". This method of fraud involves physically trapping debit/credit cards in ATMs by installing a device that uses tape, wire or thread to prevent the card from being returned; "criminals can then retrieve the cards using tweezers." In addition to the card, the PIN must be obtained, either by observation or by fitting an overlay device on the keypad that records PINs. Although this type of attack has a lower success rate than skimming, it was quite prominent in 11 European countries during the first half of this year. The European ATM Security Team (EAST) reported a total of 11,220 ATM fraud incidents through the end of June, of which 6,756 were card-trapping incidents.

Security Study: Hackers, IT Pros Share Personal Information Online
An anti-virus software company recently published results from a study of the willingness of IT professionals, hackers included, to share personal information in online settings. The study found that "people with technical backgrounds are very inclined to disclose sensitive information like addresses and passwords to strangers they meet online, even though they should know better."

Online shopping, banking at risk from increased hacking
SSL technology is crucial to securing online shopping and online banking transactions, but in light of a large number of recent attacks the level of security provided by SSL certificates has come into question. Browsers that still trust outdated or fraudulently issued certificates are prime targets for criminal hackers. Not only are consumers being put at risk, but a $680 billion-a-year global ecommerce market is being threatened as well.]]>
Mon, 24 Oct 2011 13:16:00 -0500
<![CDATA[Security Industry News Wrap-up – ID Theft – ActivIdentity Blog]]>
Sony Falls Under Attack Again As Hackers Crack 93,000 User IDs
It was only a few months ago that Sony was affected by a series of attacks, leaving millions of users’ data vulnerable to data theft. Our own Chris Harget, senior product marketing manager, was quoted in Tim Wilson’s article, saying “Some users simplify managing multiple online identities by using common credentials across multiple accounts … The result is that if their gmail or hotmail or Facebook account is compromised, then their eTrade or Citibank or corporate network credentials could be compromised.” He goes on to argue that two-factor authentication could help mitigate this problem.

111 arrested in massive ID theft bust
Last Friday, 111 bank tellers, retail workers, waiters and alleged criminals were arrested for what is being called the biggest identity theft bust in U.S. history. The two-year law enforcement operation – “Operation Swiper” – targeted five groups of criminals that were responsible for stealing more than $13 million in less than a year and a half. Among the companies credited with helping the investigation are Apple, Best Buy, Nordstrom, Macy’s and a handful of financial institutions.

Cellphones Will Become a Way to Attack Otherwise Protected Devices
As companies move toward a culture that embraces their employees’ decision to bring their own devices to work, security experts argue that mobile phones will become “an increasing menace to network security.” Much as laptops have been infected through thumb drives, compromised phones run the risk of infecting machines when docked to sync or plugged into USB ports to charge. Additionally, it is reported that touch screens have the potential to make users more susceptible to clicking links that lead to malicious sites and subsequently to “drive-by” malware downloads.]]>
Mon, 17 Oct 2011 17:03:00 -0500
<![CDATA[Online Banking Trojan - Industry News Wrap-up - ActivIdentity Blog]]>
Hackers Crack Internet Encryption: Should You Be Worried?
As Philip Hoyer noted in a recent blog post, transactions protected by Transport Layer Security (TLS) 1.0 are no longer safe. TLS 1.0, the protocol that underpins HTTPS, is vulnerable to attack, as demonstrated by the BEAST exploit, which recovers encrypted data such as session cookies from a TLS 1.0 connection by exploiting the way the protocol chains CBC blocks. Alex Wawro warns Web surfers to be wary of the information they choose to share online, change passwords often and never click on links or open emails from unknown or untrusted sources.

'Well organized, sophisticated, fast' cybercriminals scare US banks
The U.S. financial industry's IT policy arm, known as BITS, has a new leader who is an expert in email security and authentication. With the increasing amount of new technologies, including social networking, mobile and cloud computing, Paul Smocer is taking the lead on developing new strategies to protect financial service firms and consumers from various types of attacks. In this interview, Smocer is quoted as saying "If you're focused on the ultimate protection of both your organization and your customers, that gives you the focus to continually try to strengthen the environment."

SpyEye Trojan Targets Online Banking Security Systems
Online banking security is under attack by a new variant of the SpyEye Trojan, a well-known banking malware family. The attack allows the criminal to change the mobile phone number registered with the victim’s online bank account, which reroutes the bank’s text messages, including transaction confirmation codes, to the criminal’s phone. Researchers claim that the only way to defeat this type of attack is to employ endpoint security that blocks man-in-the-browser (MitB) injection techniques.]]>
Tue, 11 Oct 2011 12:25:00 -0500
<![CDATA[Security Industry News Wrap-Up - Pentagon Cyber Security - ActivIdentity Blog]]>
Pentagon to Help Defend Cyber Networks
With the rising amount of cyberattacks, the Pentagon has created a pilot program to protect its prime suppliers – representing a key breakthrough in the Obama administration’s push to secure critical networks. The current trial program, which was launched in May, involves at least 20 defense firms and will continue to expand through mid-November.

5 Mobile Security Issues To Watch
According to a report released in March by IDC, 41 percent of workers used personal technology to access business applications in 2011, compared to 31 percent in 2010. Armed with that knowledge, it has become increasingly important for enterprises to secure their data and ensure privacy on dual-use devices, that is, devices used in both corporate and personal settings. A former Forrester Research analyst says that one piece of the answer to the consumerization of IT is to "look beyond the device used to interact with data and focus on the data itself."

Outdated Browsers Leave Many Enterprises Vulnerable To Attack
The Online Trust Alliance (OTA) has created an initiative, "Why Your Browser Matters", aimed at warning users who surf the Web with outdated browsers; it is expected to launch within the next month. The chief scientist of a software security firm says that it is impossible to write a perfectly secure browser, but that moving beyond patching is crucial regardless of how companies add defenses. Ten percent of Web visitors still use IE 6, despite its being an easy target for attackers; businesses are advised to stop using IE 6 and IE 7 "because the browser is the first line of defense."]]>
Fri, 30 Sep 2011 12:15:00 -0500
<![CDATA[Security Hacks – Industry News Wrap-up – ActivIdentity Blog]]>
Why hackers don't need to be smart
Roger A. Grimes refutes the claim that malicious hacking has become more sophisticated than ever by pointing out that the same tools are being used to exploit companies’ websites. Grimes claims that businesses and end-users simply aren’t taking the necessary steps to protect themselves, which increases the vulnerability for application exploits and SQL injection – two of the most common methods of compromise.

Firm sends bots into chats to solicit stolen data
What happens once your data is stolen? Online banking credentials, Social Security numbers and the like sometimes end up in underground networks – chat rooms and invitation-only forums – to be bought and sold. Bloomberg’s Michael Riley reports on “robot informants,” or “chat bots,” based on artificial-intelligence software designed to pose as hackers during these potential transactions and solicit stolen data.

Microsoft fixes SSL 'kill switch' blooper
Recent security breaches have prompted multiple corporations to remove compromised root certificates from their trust stores in order to protect themselves from future attacks. “SSL certificates are used by websites and browsers to identify a site as legitimate,” and once a certificate authority has been compromised, “man-in-the-middle” attacks become likely. Our own Philip Hoyer recently wrote a blog post in which he argues that the SSL/TLS 1.0 protocol is dead, and that the only way to protect transactions until the infrastructure is updated is to use OTP and PKI technologies.]]>
Fri, 23 Sep 2011 14:17:00 -0500
<![CDATA[Transaction Confidentiality Based on SSL is Dead! - ActivIdentity Blog]]>
If the hack on SSL (specifically TLS 1.0) presented by Thai Duong and Juliano Rizzo at the Ekoparty Security conference is true, then we have to mark today as a black day for the internet.

What could possibly happen is the equivalent of most men wearing kilts and most women skirts, and then realizing that all the staircases leading to the important places you need to go are made of glass. Or, to put it another way, x-ray vision glasses are suddenly available to anyone from Oakley.

This scenario has a profound impact, and that is before we even start to worry about the impact on privacy and the exposure of our private bits. What is fundamentally profound here is that an attacker who can observe your traffic and inject chosen plaintext into the session (for example via malicious JavaScript) can read your passwords and steal your browser session: the technology that was supposed to protect your password from spying eyes is broken, and the BEAST tool gives such an attacker the x-ray vision to see your traffic in the clear.

To spell it out: transaction confidentiality based on the SSL/TLS 1.0 protocol (still the most widely deployed version today) is dead!

So what do we have left to protect our transactions?

To start with, authentication should use an ever-changing one-time password, so that even if the attacker sees your password it has already changed and cannot be reused for the next authentication. This can be achieved by many techniques, both with OTP technology and with PKI using a challenge-response.

But this won’t help to a level that is needed since the attacker can then simply read and hijack your session.

So the only true defense against fraudulent transactions is to sign the transaction, or part of the transaction data, so that the attacker cannot inject bogus transactions.

This means using a token with a PIN pad (software on a phone or a dedicated hardware token) into which the user enters the transaction details, or signing the transaction with a PKI certificate. Either way the result is a cryptographic signature that is intrinsically linked to the transaction data (for example the amount and the target account number of a bank transfer), is independent of the transport security, and cannot be forged by the spying attacker.

This is the only way to stay secure until the infrastructure has been upgraded from TLS V1.0.]]>
Tue, 20 Sep 2011 15:14:00 -0500
<![CDATA[Security Industry News Wrap-Up - ActivIdentity Blog]]> At ActivIdentity, we like to stay up to date with what’s going on in the security industry. So, beginning today, we’ll be posting a weekly wrap-up of news articles that catch our attention during the work week. In this first installment, we’ll look at a few items addressing security breaches, data legislation and hackers. 

The cost of bad security is higher than you think

Roger A. Grimes assesses the current state of enterprise security and points to the outdated cost-benefit models many organizations rely on as a major factor in recent security breaches. He suggests that senior management and IT security departments work together to evaluate what needs to be improved or fixed and focus on “getting back to basics.” 

Federal authorities take on Anonymous hackers

This year alone, the FBI completed more than 75 raids and arrested 16 people connected to the illegal hacking incidents carried out by Anonymous. One member claims that Anonymous as a whole is not a threat to national security but that certain individuals may be identified as being dangerous. Anonymous has been allegedly responsible for a variety of hacks this year including prominent technology companies’ websites and social media sites.

Senator to businesses: Protect data or pay

Connecticut Senator Richard Blumenthal introduced new legislation with the intent to protect individuals' personally identifiable information from data theft and penalize firms that don't take the proper steps to secure their customers' information. Security industry analysts, however, are skeptical of the success of the proposed goals in this new federal data protection legislation.

In a similar article on InformationWeek, the CSO of a security company wrote, "The problem is not securing a copy of the data; it's securing data against copying."

]]>
Thu, 15 Sep 2011 18:49:00 -0500
<![CDATA[Smart Card Technology -- increase productivity without decreasing the bottom line - ActivIdentity Blog]]> For most organizations, increasing productivity is so critical to success that it has spawned endless presentations and other initiatives. We all know that many of those PowerPoint decks will collect virtual dust, but some will serve as roadmaps that accelerate successful careers.

Although many theories abound, improving productivity generally requires organizations to do more without adding personnel or investing in additional technology. Virtualization is a nice example: companies increase the utilization of existing physical servers by running multiple business applications on them concurrently.

Investing in security is another area that offers the promise of increased productivity, particularly solutions that leverage investments in physical access, such as ID badges, in order to provide strong authentication for network, application and computer access.

Deploying such solutions offers users greater convenience without relinquishing IT control: employees only need to carry a single security device, and the processes for issuing, updating and revoking that credential are streamlined. Because those processes can be controlled and audited, the solution also offers stronger security.

Deployment generally involves two phases. The first phase is to consider how employees can use their existing building access smart cards to access computer systems. For example, instead of logging onto Windows with a static password, the user taps the smart card against a reader that is connected to (or embedded in) a laptop and enters a PIN. In that scenario, one-factor authentication (something you know, such as a password) is replaced with two-factor authentication: something you know (the PIN) and something you have (the smart card). The same method can also be used for some remote access use cases, such as Citrix.

The second phase requires upgrading building access smart cards to incorporate a smart card chip (the Crescendo logical access card products from HID Global are good examples). The chip doesn’t change the way the card functions for physical access, but it greatly expands its capabilities as an IT security credential. The holder can now use the smart card to log on to operating systems, applications and VPNs, to encrypt files and emails, and to sign documents and transactions.

Buying security technology is often compared with buying insurance. Who could argue with a proposition that keeps your premiums the same, but gives you greater coverage?

]]>
Thu, 08 Sep 2011 16:15:00 -0500
<![CDATA[Same Old Static Password Story is Getting Old - ActivIdentity Blog]]>

I want to draw your attention though to the fact that previously we spoke about the vulnerability of passwords. At that time, we speculated and tried to convince people that they were insecure, but since then the world has changed significantly in the following ways:

  1. The highly publicized attack by the Anonymous group on HBGary. What is interesting in Ars Technica’s analysis of the attack is that, although it combined several techniques (SQL injection, rainbow tables, social engineering, and so on), the main cause was the same old problem: simple passwords (each was just six lower-case letters and two numbers), and the same passwords being used across different systems, so that the credentials for email, Twitter and LinkedIn accounts also opened the administration of Google Apps email.

  2. Through the increasing number of attacks on websites that protect user accounts with passwords, and the publication of those passwords by groups such as Anonymous and LulzSec, it is finally possible to analyze scientifically how inept we are at using passwords effectively, especially at using different passwords for different sites. One such analysis, by Joseph Bonneau, of the password sets leaked from HBGary’s rootkit.com and from gawker.com shows that nearly 30% of users appearing in both with the same email address used the same password on both sites.

  3. The continuous exploitation, and the sheer number of leaked passwords, mean that quantitative analysis of the passwords people actually choose gives an attacker a progressively more educated ‘guess’ when attacking a random account.

This really means that now, more than ever, one should move away from using passwords and static credentials and embrace the use of APT resistant OTP tokens (see my blog entry ‘Not all OTP tokens are the same’) or adopt PKI-based authentication now that it can be implemented in an easily deployable appliance.]]>
Mon, 22 Aug 2011 17:55:00 -0500
<![CDATA[New Surveys Show Smart Cards Trending Up – ActivIdentity Blog]]> breaches, and hunger for publicity of some of the hackers, have heightened awareness to say the least. Still, there have been hacking sprees and malware storms in the past that did not lead to a visible proactive response from the IT community. Even when predictions make sense they don’t always come true.

Today however, a previously predicted increase in smart card adoption seems to both make sense and be true. The data on this comes from a just-released research report by Aberdeen Group analyst Derek Brink, titled "The Case For Smart Cards."

  • This report evaluates data from several longitudinal surveys and previous reports with some interesting findings: Between December 2010 and May 2011 surveys show a 1.5-2x increase in the number of organizations who planned to use smart cards in the next 12 months, or are evaluating smart cards.
  • The same surveys showed a 2.5-3x decrease in the number of organizations who planned to use OTP or were evaluating OTP.
  • RSA's breach is offered as a partial explanation for these trends.
  • Referenced reports indicate traditional perimeter defense is full of holes, traditional passwords are insecure, and privileged accounts are often unmanaged (allowing account escalation).
  • The maturation of the smart card ecosystem and the CMS appliance option are called out several times as favorable to new smart card adoption.
  • The report is very positive on the multi-purpose (multi-layered strong authentication) nature of smart cards.

While it is heartening to see a positive response to negative events, there are still worries about where we go from here. It is likely the highly publicized hacks we’ve seen this year are just the tip of the iceberg. Some of the most dangerous hacker types—organized criminals, unscrupulous competitors and state actors—will take great pains to conceal their successful data thefts, rather than advertise them. How do we get IT groups to respond to those?
]]>
Mon, 25 Jul 2011 15:55:00 -0500
<![CDATA[Demystify PKI - ActivIdentity Blog]]> OTP that enterprises could use. PKI became almost an IT boogie man.

Then a funny thing happened. Two, actually. First, PKI was adopted by governments and powerful credential management software (CMS) was created to automate much of the credential issuance, update and revocation process. Ecosystem vendors such as Microsoft, Juniper, and Cisco built PKI support into their offerings. CMS software eventually made its way into appliances that could provide a much simpler “sweet spot” PKI solution for “closed-loop” PKI (Issuer and Authenticator are part of the same organization hence greatly reducing the number of parts in the system). Second, security threats began to attack aspects of the most common OTP (e.g., the industry breaches and subsequent Lockheed Martin attack), causing enterprises to wonder what better authentication methods are out there.

Today, PKI is getting a second look. Many people still have a knee-jerk suspicion that PKI was designed to make them feel stupid, but modern closed-loop PKI managed by an appliance does just the opposite. New CMS appliances make it so IT doesn’t even have to understand PKI to deploy a military-grade smart card solution.

In retrospect, as an Internet meme, PKI suffered from hype before the tools were in place to manage it, and from security experts getting over-excited and describing the ultimate PKI solution possible, even though few enterprise users needed some of the more esoteric, complex and labor-intensive features. When PKI vendors got carried away educating users about every possible use case, they turned potential users off the most high-value, low-cost use cases. If I were to tell you I could give you a device that you just plugged into your PC, that worked like an ATM card and gave you secure access to PCs, networks, cloud applications, and VPNs, you would probably think, “Hey, that sounds easier for users than clunky OTP tokens, how do I get that?” This is not your father’s PKI.]]>
Tue, 05 Jul 2011 10:51:00 -0500
<![CDATA[Smart Cards - Next Level Enterprise Security - ActivIdentity Blog]]> OTP token solution is enough to cover your enterprise security needs, the next step is to complement it (or maybe even replace it) with a smart card solution. Smart cards don't require seed files: the private key is generated on the card and never leaves it, so there is no central store of secrets for an attacker to steal, which removes one point of attack. If implemented correctly in your IT environment, they remove the need for static passwords, thereby removing the Achilles heel that leaves many organizations vulnerable to an APT attack.

Given a detailed use-case study and appropriate workflow implementation, smart cards can even make users’ interaction with IT systems more convenient. And if you add single sign-on capabilities and self-help systems, you can also improve productivity and overall security awareness, not to mention cut help desk costs.

But before going about adding all these security features on top of your IT environment, it is important to recognize that if you want your security systems to function and truly deliver value, they have to be considered in their combined entirety and even be integrated if that is possible. Using different security credentials, albeit secure ones, for each system will only confuse users and hardly contribute to increased security. A strategic decision needs to be made to choose one (or maybe two) security credentials that should be used across all systems. For instance, smart cards can be used to access computers, networks, applications, VPN, and even doors. If that’s not enough, OTP tokens can be used to complement the solution by providing secure access to web based email from Internet kiosks and other devices where smart card usage might not be possible.

With a proven implementation methodology and well-defined integration approach delivered by people with solid experience, it is possible to make all this happen without significant impact on applications, users or productivity.

The ActivIdentity Professional Services team is fortunate to work daily with implementing these kinds of solutions at enterprises around the world and we would love to help your company too. Contact ps@actividentity.com for more information.]]>
Thu, 30 Jun 2011 11:08:00 -0500
<![CDATA[Not all OTP tokens are the same - ActivIdentity Blog]]>
OTP tokens are in the news these days. One particular implementation of the technology has been so successful that its product name is almost synonymous with an OTP token, much as videogames in 1990s America were simply called ‘Nintendo’ and mobile phones in India are commonly called ‘Nokia’.

In March of this year an industry leader announced that an APT attack had extracted information from its servers. Then in May the network at Lockheed Martin experienced a ‘major disruption’ which was attributed in part to an attack leveraging that stolen information.

These attacks have inevitably raised questions amongst network security professionals as to whether OTP tokens are fundamentally flawed, or whether the technology just needs a bit of tweaking. To answer that question it helps to understand how they work. One aspect, which my colleague Julian Lovelock has already blogged about, is key management (see Jun 9, 2011: Are OTP tokens secure? It’s a good question, but not a great one.).

Another is the token algorithm itself.

It turns out there are different flavors of token algorithm, and they differ in how they derive the ever-changing number. These variations influence both the way we use them and their security.

OTP algorithms are normally based on a static key (one per device) and, to make the numbers (OTPs) change, on one or more variables called ‘moving factors’, most often time, an event counter, or both.

Some tokens use a time-based algorithm. The issue with time as a moving factor is obviously that it is a common variable across all devices: everyone in the world knows what the current time is. This means that if you can get hold of a token’s key (its seed) and you know the algorithm (which for open standards is public anyway), the current time is all that is left, and voila, you can generate the changing number.

Other tokens use a counter, or event (the number of times the user has pressed the button to display an OTP), as the moving factor. This means that every token has a different variable, so it is really difficult for an attacker to predict what that number is for a particular token. The issue with a simple counter-based OTP algorithm is that the OTP does not really expire: a code that has been phished (the victim is tricked by an alluring email into entering the OTP on a fake site) remains valid until the legitimate user’s next successful login.

Which brings us to another category of OTP algorithms that use both time and counter and hence combine the best properties of time-based and counter-based tokens. They are more difficult to phish, because the code still expires with the time window, and harder to predict, because each token in real life has a different counter, which makes a seed compromise much less effective.

So there you have it! There are different OTP tokens out there, and by understanding the differences you can make an informed choice: if you want to replace one token with another, you might actually want to ask for one that uses both time and event as moving factors.

For a more detailed analysis of how OTP works and what the differences are I published a paper a few years ago that you can find here – OTP and Challenge-Response Algorithms for Financial and e-Government Identity Assurance.]]>
Mon, 20 Jun 2011 17:45:00 -0500
<![CDATA[Strong authentication and Smart Cards - ActivIdentity Blog]]> enterprise system security has been based on a very simple principle: anyone already inside the network is decent and can get to pretty much any resource just by knowing the relevant password, whereas those outside the network need strong authentication. Call it the perimeter defense model: OTP tokens for VPN authentication, static passwords to log onto the ERP system once you’re inside. It’s the IT equivalent of having a strong lock on the front door of your building and a weak lock on your filing cabinet. You know, the one with your genius plans for world domination. Oh, and hiding the key to the filing cabinet on the very next shelf directly across.

And yet, to be honest, for most of those 20 years this strategy was good enough for a lot of companies. There were a few cases of people breaking in through a window, (think SQL injection attack on the company website) but this was usually fixed by bolstering the perimeter defenses or installing a burglar alarm (think Intrusion Detection Systems). Anyway, fitting strong locks to every internal door and filing cabinet (think strong authentication for laptops, workstations, servers and applications) was prohibitively expensive.

So what's changed? Actually a couple of things have changed. Firstly, there's the ubiquitous and ominous 'Advanced Persistent Threat'. As the name implies, this is a broad term, but the pattern is often formulaic. First, research your target both at an organizational level (suppliers, IT systems, etc.) and at an individual level (place of work, boss, vacation periods); information that we would once have considered personal and private is now shared freely on business and social networking sites. Secondly, build yourself a piece of malware tailored to the target environment. Check out your friendly not-so-local hacker website for starter kits and helpful tips. Thirdly, attach the malware to an email (it can look as innocuous as an attached .pdf file or a link to a website that exploits a zero-day vulnerability), make it look like it's from a trustworthy source, and send it. Ideally, give it an enticing title such as '2011 Recruitment Plan'. Chances are that your unwitting target will open the attachment and you will have infected the recipient's computer. You are inside the perimeter, and no amount of strong authentication could have stopped you from getting there.

Now the attackers take advantage of the misplaced trust that is afforded to users already inside the network. Weak static passwords are all that stand between them and almost any system resource on the network. From the beachhead of that one compromised machine they can sniff passwords, guess passwords, brute-force password files, and take advantage of the fact that most users reuse the same password for multiple logins. With time they will gain access to any system they want.

Hence my assertion that strong authentication at the perimeter only is no longer sufficient. Eventually a persistent thief will find a way into the building. If the contents are valuable to you, it's time to start putting strong locks on the doors to your rooms and your filing cabinets. In IT terms, that means implementing strong authentication at the level of individual desktops, laptops, servers and applications.

The other thing that's changed: it's no longer prohibitively expensive.
]]>
Thu, 09 Jun 2011 15:46:00 -0500
<![CDATA[Are OTP tokens secure? - ActivIdentity Blog]]> OTP tokens can still be considered secure. As with most things worth blogging about, there's no black and white answer. However, a great question for any organization to ask itself is 'Are OTP tokens secure enough?' Nothing is perfect (although doing nothing rarely results in perfection).

Much of the concern around the security of OTP tokens stems from their underlying reliance on a symmetric key model. What that means in practical terms is that you need to load into the authentication server an exact copy of the key that's injected into the OTP token. These keys, often referred to as 'seeds', therefore need to be managed. And the processes and systems that manage those keys/seeds are prime targets for attackers. This is what appears to have happened in the recent breaches.

When determining whether OTP tokens are secure enough, enterprises should take a look at how the keys are being managed. In many cases the process is as follows. The token vendor injects a key into the token during manufacturing. In parallel a seed file is created containing all the keys for a batch of tokens. The tokens are shipped to the customer along with the seed file. An administrator at the customer site loads the seed file into the authentication server.

Do you see that there are actually six potential points of compromise in the chain?
1. The manufacturing process that generates the seed file
2. The transport of that seed file to the customer site
3. The management of that seed file on site, prior to being loaded into the authentication server
4. The secure storage of the seed file within the authentication server
5. The retention by the customer of that seed file (often on a CD) subsequent to its being loaded into the authentication server
6. The retention of that seed file by the OTP token vendor

To quote Mark Diodati from Gartner: 'I have seen many seed record CDs (OK, floppies back in the day) on the desks of system administrators or sitting on top of the server.'

A far more secure model is one in which customers can initialize OTP tokens themselves from the admin console of the authentication server. In this model those pesky seed files are removed from the process, because the key is injected into the token and written to the authentication server database in the same step. This eliminates five of the six potential points of compromise that attackers can go after.

Going forward RSA will no doubt take extraordinary steps to ensure that seed files can’t be stolen from their internal systems. But, if you have six unlocked doors in your house, then just locking the one the burglars came through last time doesn’t necessarily make for a secure home.

Of course there is a way to avoid all six points of compromise, which is to deploy smart cards, since these rely on an asymmetric key model. But that’s a blog for another day.
]]>
Thu, 09 Jun 2011 15:44:00 -0500