Delfigo Security - Strong Authentication

Identity and Authentication Blog

Identity Theft Scheme Steals Childrens Social Security Numbers

Thieves are targeting children's Social Security numbers before any credit history is attached to them, according to the Associated Press. Online companies seek out information to identify dormant Social Security numbers. After the numbers have been checked against publicly available resources to confirm that no one is actively using them, they are sold online.

"Social Security numbers follow a logical pattern that includes a person's age and where he or she lived when the number was issued. Because the system is somewhat predictable, sellers can make educated guesses and find unused numbers using trial and error.

A "clean" CPN (credit profile, credit protection or credit privacy numbers) is a number that has been validated as an active Social Security number and is not on file with the credit bureaus. The most likely source of such numbers are children and longtime prison inmates, experts said."

 

Backup and Secure Access for Cloud Computing

David Baum, July 20, 2010

As one of the original seed investors in Carbonite, I often worry about data backup. As we move toward a nearly 100% digital life it becomes extremely important that we back up our digital data, because the digital data has become our lives.

As we move toward cloud computing, backup becomes more nebulous. Certainly the online providers are backing up our data in mass to protect themselves from major data center disasters, but in a multitenant environment, what happens to the individual when they lose their cloud data?

As a huge Gmail fan, I used Outlook to sync with the cloud, so I was less worried about backing up my email in the cloud because it was replicated in my local Outlook database. Also, all of the rest of my personal information was stored locally in Outlook and I backed that information up with Carbonite.

The scenario above all changed last fall when I made the move to Android for my mobile computing needs. I was "forced" into the cloud to take full advantage of everything great that Android had to offer. This meant that I had to move all my scheduling and contact data into the sky, and thus I stopped using Outlook altogether as Gmail became my full-time personal information management (PIM) system. Never again would I have to sync the data between my desktop PIM and my mobile device, as they were always in sync wirelessly. I must admit, for an old client/server user, the move to the cloud was a bit of a leap for me, as the network of contacts that I have built over 25 years in high tech has become my business lifeblood.

However, I quickly noticed how much more productive I was having all my cloud data available on any computer with a web browser, my Android devices, and my iPad. It worked so well that I stopped worrying about backup. The senior people that I know at Google assured me that their cloud was backed up in multiple data centers, and that I would never lose my data.

Everything was fine until last week when I got a call from my brother that someone from Nigeria had hacked his Gmail account and changed his password, which locked him out of his account (see log file below).

My first thought was "lights out and game over": how can you manage your business if you don't have access to your Gmail account? My second thought turned to backup, and I realized that I had not backed up my information in Gmail in over six months. I quickly logged into Gmail and exported all of my contacts and re-synced my email database with my old friend Outlook (maybe syncing backup of the cloud will be Outlook's legacy).

To Google's credit, they were able to restore access to my brother's Gmail account quickly. However, when he logged back in, all of his contact data was deleted. I can only imagine the numerous identity thefts that might come from this data being in the wrong hands, but can you imagine losing all of your contact information? Google has too many users to hand-restore individual contact databases for their Gmail users, so I would strongly suggest that all users make an effort to back up through export or sync to an external client-based PIM program like Outlook.

The "hacker 101 rule" after accessing a hacked email account is to immediately change the legitimate user's password to buy precious time in order to download contacts, send out fraudulent emails, and set up simple email rules on the unsuspecting user's account like "forward all *.bankofamerica.com emails to Nigeria.com". Then there is the Holy Grail problem: most online accounts know you not by your name but by your email address. This puts everything you are, who you know and what you have the ability to access online at immediate risk and poses a clear and present danger to your online identity. Why? Simple: if the hacker assumes your email address is your account user ID, he would simply try to access every social media site like LinkedIn, Twitter and Facebook, as well as the major financial sites like Schwab, eTrade, Quicken, BoA, Wells, and Chase to name a few, click the link called "forgot my password" and enter the email address. Within seconds an email would arrive in the hacked inbox allowing the fraudster to gain access to and full control of every account that uses this password reset modality.

The next big question is how someone was able to hack the account. The obvious answer is that some sort of spyware was installed on the client machine that was sniffing keystrokes for usernames and passwords. The Nigerian hacker then used this information to log in and change my brother's password. Again, Google was able to "notice" this remote login and inform the active session, but the real question is why Gaia (Google's single sign-on and password system) would allow this to happen. The problem is that Gaia is not utilizing strong, or any visible, multi-factor authentication for client log-ins.

For example, if Google was using a solution like Delfigo Security (yes, one of our portfolio companies) that implements multi-factor authentication including a sophisticated keyboard biometric, machine ID, geospatial parameters, etc., they could have flagged this rogue log-in and aborted the password reset by a user that was clearly not the owner of the account.

We have all heard the news about the high-profile break-ins to Gmail accounts that made Google abandon the Chinese market, but what happens when these break-ins occur to ordinary individuals, which is more the norm these days?

Google needs to do more to protect the access plane and provide more timely out-of-band notification, like SMS messages to registered cell phones. In addition, Google should use the confidence factor of the log-in to prevent features such as export and the deletion of data. All of these features could easily be built into the business logic of Gmail and could be triggered from the confidence factor of the login that is provided by systems like Delfigo.

Lastly, users of cloud solutions like Gmail should also be careful not to store sensitive information in the various contact note fields. For example, Social Security numbers, credit card numbers, PINs, account passwords, and physical safe combinations should not be stored in plain-text fields that are only protected by a username and password. Users should instead move to more secure solutions like eWallet that encrypt the data that is shared between client computers and mobile devices, so that it never gets into the cloud.

David Baum is a general partner at Stage 1 Ventures, LLC (www.stage1ventures.com) with 23 years in the information technology industry, including fourteen years in technology finance and nine years in entrepreneurial operating management roles.

 

Man In The Browser Attacks Beat Two Factor Authentication

Out-of-band strong authentication options that send one-time passwords via phone-based systems are widely used by banks and other financial institutions. However, as the research group Gartner points out [Where Strong Authentication Fails and What You Can Do About It], these methods are susceptible to man-in-the-browser and social engineering attacks when they are not deployed using a layered approach:

"In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said. If the security application places an outbound call, synchronized to a Web session, then this outbound call can be forwarded to fraudsters. If in addition the security application displays a number on the Web screen that must be entered via the telephone keypad, then this number can easily be intercepted by a Man-in-the-Browser Trojan and forwarded to the same fraudsters, thus hijacking the session. We can reverse the loop and request the user to send some transaction info using the phone keypad. But this does not make any difference."

A layered, risk-based approach takes additional authentication factors into consideration in relation to the activity type, and the requirements are typically raised for higher-risk transactions. These additional security elements have demonstrated effectiveness in a variety of scenarios.
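The login-confidence gating suggested in David Baum's post above (blocking export, deletion and password changes when the login does not look like the owner) and the layered, risk-based approach described here are the same mechanism. The following added example, which is not code from Delfigo, Google or Gartner, sketches it in Python: each session gets a confidence score from constructed device, location and keystroke-similarity signals (the weights, thresholds and signal names are assumptions made for the example), and each action type carries its own minimum. A session that cannot reach the minimum is asked for an out-of-band one-time code; if it still falls short, the high-risk action is refused rather than letting a forwarded or phished code unlock it.

```python
"""Layered, risk-based authorization for a webmail-style account.

Added example for this page; it is not Delfigo's, Google's or Gartner's code.
Signal names, weights and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    """What the service already knows about the legitimate owner."""
    known_devices: frozenset
    usual_countries: frozenset


@dataclass(frozen=True)
class LoginContext:
    """Signals observed at login time (assumed to be collected by the service)."""
    device_id: str
    country: str
    keystroke_similarity: float   # 0.0..1.0 from a hypothetical keystroke-dynamics model
    otp_verified: bool = False    # True once an out-of-band one-time code was entered


# Weights for each factor; they sum to 1.0 so a fully recognised session scores about 1.0.
W_DEVICE, W_GEO, W_KEYSTROKE = 0.4, 0.3, 0.3
# An out-of-band OTP raises confidence, but alone it cannot make a strange session look like the owner.
OTP_BONUS = 0.5

# Minimum confidence per action type. Export, deletion, password change and forwarding rules
# are the actions the post singles out, so they demand the most confidence.
ACTION_THRESHOLDS = {
    "read_mail": 0.3,
    "send_mail": 0.5,
    "export_contacts": 0.8,
    "delete_contacts": 0.8,
    "change_password": 0.9,
    "add_forwarding_rule": 0.9,
}


def login_confidence(ctx: LoginContext, profile: UserProfile) -> float:
    """Combine the factors into a single 0..1 confidence score."""
    score = 0.0
    if ctx.device_id in profile.known_devices:
        score += W_DEVICE
    if ctx.country in profile.usual_countries:
        score += W_GEO
    score += W_KEYSTROKE * max(0.0, min(1.0, ctx.keystroke_similarity))
    if ctx.otp_verified:
        score += OTP_BONUS
    return round(min(1.0, score), 2)


def authorize(action: str, ctx: LoginContext, profile: UserProfile) -> tuple:
    """Return (decision, confidence): 'allow', 'step_up' (ask for an out-of-band OTP) or 'deny'."""
    if action not in ACTION_THRESHOLDS:
        raise ValueError(f"unknown action: {action}")
    confidence = login_confidence(ctx, profile)
    if confidence >= ACTION_THRESHOLDS[action]:
        return "allow", confidence
    if not ctx.otp_verified:
        return "step_up", confidence   # let the user prove presence out of band first
    return "deny", confidence          # even with an OTP this session is too unlike the owner


# Constructed sample data mirroring the scenario in the post (not real accounts or devices).
OWNER_PROFILE = UserProfile(known_devices=frozenset({"laptop-7f3a"}), usual_countries=frozenset({"US"}))
OWNER_SESSION = LoginContext(device_id="laptop-7f3a", country="US", keystroke_similarity=0.9)
INTRUDER_SESSION = LoginContext(device_id="unknown-01", country="NG", keystroke_similarity=0.2)
INTRUDER_WITH_OTP = LoginContext(device_id="unknown-01", country="NG", keystroke_similarity=0.2,
                                 otp_verified=True)


def run_scenario() -> dict:
    """Decision for each session/action pair, keyed as 'session/action'."""
    results = {}
    sessions = (("owner", OWNER_SESSION), ("intruder", INTRUDER_SESSION), ("intruder+otp", INTRUDER_WITH_OTP))
    for name, ctx in sessions:
        for action in ACTION_THRESHOLDS:
            results[f"{name}/{action}"] = authorize(action, ctx, OWNER_PROFILE)[0]
    return results


if __name__ == "__main__":
    for key, decision in run_scenario().items():
        print(f"{key:34} {decision}")
```

In this model the owner on a known device scores 0.97 and every action is allowed; the intruder from an unknown device and country with mismatched typing scores 0.06, so even reading mail triggers a step-up, and after a successfully entered one-time code the score only reaches 0.56: mail can be read and sent, but contact export, deletion, a password change and a forwarding rule are refused. That is the point of layering: the OTP is one signal among several, not a master key, so a fraudster who obtains the code by call forwarding or a man-in-the-browser relay still cannot perform the high-risk actions.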

 

OASIS Identity in the Cloud (IDCloud) Technical Committee

An Identity in the Cloud (IDCloud) Technical Committee has been formed by the non-profit OASIS group. They are charged with identifying "gaps in existing identity management standards and investigate the need for profiles to achieve interoperability within current standards. Committee members will perform risk and threat analyses on collected use cases and produce guidelines for mitigating vulnerabilities."

Hopefully, the establishment of this committee will produce positive outcomes. Standards for policy management, authentication services and security tokens (XACML, SAML, WS-Security, WS-Trust) are essential to the acceptance and success of cloud computing.

Who is OASIS?

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for the Smart Grid, security, Web services, XML conformance, business transactions, electronic publishing, and other applications.

 

FTC Pushes Back Identity Theft Red Flag Rules Again

The Federal Trade Commission announced that it is once again pushing back enforcement of the "Red Flags" Rule, this time through December 31, 2010, so that Congress can consider legislation that would clarify the scope of entities covered by the Rule.

Federal Trade Commission statement:

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Red Flags Rule is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). It requires “creditors” and “financial institutions” to address the risk of identity theft.

 

Adobe Flash Vulnerability ctd.

Steve Jobs' reference in "Thoughts On Flash" to "Symantec recently highlighted Flash for having one of the worst security records in 2009" piqued our curiosity. What exactly did Symantec say?

"Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009."

The Symantec report references a SecurityFocus item further commenting on the vulnerability - "An attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file. Successful exploits may allow the attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions."

 

Steve Jobs Further Exposes Security Issues With Adobe Flash

Steve Jobs' recent "Thoughts On Flash" has caused quite a stir. However, none of this is new information. The Flash Player plug-in can access and control system resources, as well as write to the user's file system (to add updates and store Flash cookies). Development issues and security vulnerabilities related to the use of Flash have been written about extensively on blogs and technology sites, and are frequently noted in security warnings and reports (see the SANS Top Cyber Security Risks, the Symantec Global Internet Threat Report or US-CERT Cyber Security Alerts). Flash has a very large user base that presents a large target for attackers, but it has been fairly resilient to its critics. What is different now is that Jobs is no ordinary critic.

The other interesting news in Jobs' missive is Apple's claim to be big supporters of open standards: HTML5, CSS, JavaScript, and their role in WebKit. Never really thought of Apple as an "open standards company." Guess I wasn't paying attention.

 

Bruce Schneier on Risk Analysis

Bruce Schneier comments on the value of properly calculating probabilities when performing risk assessment. He cautions against focusing too much of risk assessment on "worst case" thinking.

"My nightmare scenario is that people keep talking about their nightmare scenarios....There's a certain blindness that comes from worst-case thinking. An extension of the precautionary principle, it involves imagining the worst possible outcome and then acting as if it were a certainty. It substitutes imagination for thinking, speculation for risk analysis, and fear for reason."

"Worst-case thinking leads to bad decisions, bad systems design, and bad security."

 

Identity For Sale Online

Symantec points out the most frequently advertised items for sale on underground economy servers.

Source: Symantec Intelligence Quarterly: APJ October - December, 2009

 


Page 1 of 5