Delfigo Security - Strong Authentication

Identity and Authentication Blog

The 500 Most Common Passwords

Whats My Pass recently listed the 500 Most Common Passwords from the 2005 book Perfect Passwords by Mark Burnett (note: some are offensive). The top 3 are 12345, password and 12345678. One interesting thing that caught our eye - the key difference between numbers 1 and 3 of course must be that those using number 3 work in "secure" organizations that require a strong 8 character password.

Second-factor security using keyboard biometrics can help eliminate the relevance of a weak versus a strong password. It should not matter whether the user's password is three simple letters or a 10-character mix of letters, numbers, symbols and case. Like fingerprints, we each produce a unique keystroke pattern when typing. If this second layer of security has been properly trained into the system, a set of unique patterns will be available for comparison against new entries. Only one individual should be able to reproduce the keystroke pattern with sufficient confidence for the system to authenticate. The simplicity or complexity of the password would not matter, which in turn alleviates a number of usability and password-management issues.
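To make the "trained pattern" idea concrete, here is an added illustration (not Delfigo's product code) of a keystroke-dynamics check: hold and flight times from one password entry are turned into a vector, a template is built from a few enrolment samples, and a new attempt is accepted only if its rhythm stays close to the template. The feature layout, timings and threshold are constructed for the example.

```python
"""Keystroke-dynamics second factor: enrol a typist, then score new attempts.
Added illustration; feature layout and timings are constructed, not Delfigo's method."""
from statistics import mean, pstdev

def features(events):
    """Turn (key, down_ms, up_ms) events for one password entry into a vector:
    hold time per key, then flight time (release -> next press) between keys."""
    events = sorted(events, key=lambda e: e[1])
    holds = [up - down for _, down, up in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights

# Constructed enrolment vectors for one user typing the same 4-key password
# (4 hold times followed by 3 flight times, in milliseconds).
ENROL = [
    [95, 110, 80, 120, 60, 90, 70],
    [100, 105, 85, 118, 62, 95, 68],
    [92, 112, 78, 125, 58, 88, 72],
    [98, 108, 82, 122, 61, 92, 69],
]

def enrol(samples):
    """Template = per-feature mean and population std dev over enrolment samples."""
    cols = list(zip(*samples))
    mu = [mean(c) for c in cols]
    sd = [max(pstdev(c), 1.0) for c in cols]  # floor keeps a flat feature usable
    return mu, sd

def score(template, sample):
    """Mean absolute z-score of a new vector against the template (lower = closer)."""
    mu, sd = template
    return sum(abs(x - m) / s for x, m, s in zip(sample, mu, sd)) / len(mu)

def verify(template, sample, threshold=2.0):
    """Second factor passes only when the rhythm is within threshold of the owner's."""
    return score(template, sample) <= threshold

# Constructed raw events: the owner typing the correct password ...
OWNER = [("p", 0, 97), ("a", 158, 267), ("s", 358, 439), ("s", 509, 630)]
# ... and someone else typing the same correct password with a different rhythm.
OTHER = [("p", 0, 110), ("a", 185, 285), ("s", 360, 455), ("s", 540, 650)]

if __name__ == "__main__":
    tmpl = enrol(ENROL)
    for who, ev in (("owner", OWNER), ("other", OTHER)):
        print(who, round(score(tmpl, features(ev)), 2), verify(tmpl, features(ev)))
```

The threshold trades false rejects against false accepts; a real deployment tunes it per user from far more than four enrolment samples.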


Passwords Are Useless, Outdated and a Security Risk - Cem Paya

Larry Dignan finds no argument with Google's Cem Paya, who made the "passwords are useless, outdated and a security risk" comment at Wharton's Information Security Best Practices conference.

So why are passwords still a primary form of security? According to Dignan, Paya offered the following reasons:

  • There's no business model for issuing IDs to consumers.
  • Limiting user choice may annoy people.
  • Service providers can't rely on third parties to manage identities; if that third party screws up, it's your problem.
  • Strong authentication has to be mandatory, but mandating an emerging technology risks losing customers.
  • An opt-in policy can cause customer satisfaction problems. What happens when you need a driver for your USB token?

Interesting.



Coordinating Account Revocation When Employees Are Terminated

Information Week (Account and Identity Mismanagement) comments on a frequently occurring theme: failure to revoke account privileges before an employee is terminated. This time it concerns the Fannie Mae contractor who introduced a malicious script onto their servers.



Big Money Lawsuits Over Account Sharing, Password Violations

Jordan Weissmann writes in Legal Times how lending your user identification so that others can share your accounts can prove very costly. Online subscription services are using revenue recovery solutions to monitor user accounts for fraudulent use and license violations. In the case described, one online service provider is using copyright law to seek "enhanced damages" instead of seeking judgment on subscription fees only. The defendants (those who used the service, as well as those who shared the account) are being accused of illegally distributing content. This raises the cost from a mere $5000 to cover fees to $150,000 per database that was accessed.



Twitter Failed To Account For Basic Security Vulnerabilities

It is a basic premise in security: prevent rather than react. This was reinforced again recently by the difficulties encountered by Twitter (Infoweek: Twitter Hack Made Possible By Weak Password). Twitter is a popular, award-winning service that has been around since 2006. It has raised over $22 million but failed to address very basic security vulnerabilities.

"According to a report filed by Kim Zetter of Wired News, an 18-year-old hacker calling himself GMZ gained access to the account of a Twitter employee on Monday using a dictionary attack program that he created. Because the Twitter employee's account had access to administrative tools, GMZ was able to access any Twitter member's account by resetting the password."

Several rookie mistakes here. First, having your administrators use the same web application that users use to manage their accounts; the administrative system should have been a separate server and application. Second, it is sloppy password management to allow a common word as a password. Finally, and most importantly, allowing unlimited login attempts. This is the core issue: it gave the attacker as many chances as they needed against the login system. Who doesn't use a lockout feature to limit the number of login attempts in 2009?
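The lockout control the post is asking for, as an added illustration (constructed users and clock; not Twitter's or Delfigo's code): failures are counted per account inside a window, the account locks after a fixed number, and while locked the password is not checked at all, so repeated guessing stops yielding any signal.

```python
"""Login throttling with account lockout, the control the post says Twitter lacked.
Added illustration with constructed users; not Twitter's or Delfigo's code."""
import hashlib, hmac, os

MAX_FAILURES = 5          # failures allowed inside one window
LOCKOUT_SECONDS = 900     # how long the account stays locked

def make_record(password, salt=None):
    """Store a salted PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_ok(record, password):
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(guess, digest)   # constant-time comparison

class LoginService:
    def __init__(self, records, clock):
        self.records = records            # user -> (salt, digest)
        self.clock = clock                # injectable for testing
        self.failures = {}                # user -> (count, window_start)
        self.locked_until = {}            # user -> unlock time

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def login(self, user, password):
        """Returns 'ok', 'fail' or 'locked'. While locked, the password is not
        even checked, so a correct guess during the lockout yields no signal."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"
        record = self.records.get(user)
        if record is not None and password_ok(record, password):
            self.failures.pop(user, None)       # success resets the failure window
            return "ok"
        count, start = self.failures.get(user, (0, now))
        if now - start > LOCKOUT_SECONDS:       # stale window: start counting afresh
            count, start = 0, now
        count += 1
        self.failures[user] = (count, start)
        if count >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "fail"
```

A lockout on its own lets anyone who knows a username lock its owner out, so pair it with per-source rate limiting and alerting on lockouts rather than relying on it alone.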



Strong Passwords Prevent Downadup Virus

A serious new sleeper virus that exploits Microsoft Windows is working its way through corporate networks. According to Mikko Hypponen, chief research officer at anti-virus firm F-Secure, the best way to prevent the virus is to "get the patch and install it company-wide. The second way is password security. Use long, difficult passwords -- particularly for administrators who cannot afford to be locked out of the machines they will have to fix."

These, of course, are not the only options. Given that most organizations have difficulty managing password policies and enforcing "strong" passwords, a more practical option would be to deploy an authentication platform using multiple factors such as keyboard biometrics, geospatial metrics, system parameters, and reflective thinking. Some key factors in considering this type of solution are:

  1. Platform Independence (easy pluggability into existing application environments)
  2. Database Flexibility (no heavy lifting if you need to change database vendors)
  3. Easy Integration and Configuration
  4. Open Standards (industry standards with built-in WS-Security authentication and encryption mechanisms)
  5. End-To-End Security
  6. Audit and Transaction Logging
  7. Great Administrative Tools (easily manage system and users)


Browser Based Password Management

Chapin Information Services recently tested the password management features in web browsers. The conclusion seems to be that none were very good, as the results table is littered with "failed" tests.

First-factor security, in the form of passwords, continues to be a threat worldwide (e.g. phishing, man-in-the-middle, simple or reused passwords and a host of other vulnerabilities). CIS's results show that there is little reason to rely on the locked-down browser to provide a competent level of security. This is further evidence of a market need for a second factor and beyond. The issue is: can you provide an extra layer of security without being intrusive, and deliver it at low cost?

Thinking out loud: what if a user could rely on their keyboard biometric to validate them, as PGP once did for the distribution of their public key? It would be great to be able to save a bio-key and upload it to a site. Provide a means for each user to prove ownership of their bio-key, with a 48-hour delay and safeguards in place to ensure the bio-key is legitimate. That way, when the user revisits Amazon or eBay, for example, they could type in their password and be validated.



Will Downturn in Business Lead To Cost Avoidance And More Account Sharing?

Many large organizations commonly share accounts (i.e. multiple users share account passwords, or the tokens/PINs that generate passwords, in order to avoid purchasing additional user licenses). This has grown with the shift toward the SaaS model.

As the recession deepens, will the need for cost reduction lead to additional account sharing? In many companies the budget cycle is yearly. Given that we are now starting a new year, recessionary pressures will lead many organizations either to cut frivolous access to online tools and systems or to dramatically cut the number of licenses in use. Are SaaS operations prepared to detect how patterns of access have changed, in order to detect fraud?
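One way a SaaS operator could answer that question from its own session records, as an added illustration (constructed log, not any vendor's detection logic): flag an account whose sessions overlap in time from different source addresses, and an account seen from more sources in a day than one person would plausibly use.

```python
"""Spot shared SaaS accounts from session records: the same account in use at the same
time from different sources, or from more sources per day than one person would use.
Added illustration over a constructed log; not any vendor's detection logic."""
from datetime import datetime

# Constructed session log: user, login, logout, source IP, client
LOG = """\
alice,2009-02-02T09:00,2009-02-02T12:00,198.51.100.10,Firefox
alice,2009-02-02T09:30,2009-02-02T11:00,203.0.113.7,IE7
alice,2009-02-02T13:00,2009-02-02T14:00,198.51.100.10,Firefox
bob,2009-02-02T09:00,2009-02-02T10:00,192.0.2.5,Firefox
bob,2009-02-02T10:30,2009-02-02T11:30,192.0.2.5,Firefox
carol,2009-02-02T08:00,2009-02-02T09:00,192.0.2.9,Firefox
carol,2009-02-02T08:10,2009-02-02T08:50,192.0.2.9,Firefox
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        user, start, end, ip, client = line.split(",")
        rows.append((user, datetime.fromisoformat(start), datetime.fromisoformat(end), ip, client))
    return rows

def _by_user(rows):
    groups = {}
    for r in rows:
        groups.setdefault(r[0], []).append(r)
    return groups

def overlapping_sessions(rows):
    """{user: [(ip_a, ip_b), ...]} where two sessions overlap in time from different IPs.
    Overlap from the same IP (carol) is ignored: likely one person with two tabs."""
    findings = {}
    for user, sessions in _by_user(rows).items():
        sessions.sort(key=lambda s: s[1])           # by login time
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                if b[1] >= a[2]:                     # b starts after a ended; so do the rest
                    break
                if a[3] != b[3]:
                    findings.setdefault(user, []).append((a[3], b[3]))
    return findings

def distinct_sources(rows, limit=1):
    """{user: n} for users seen from more than `limit` distinct IPs on one calendar day."""
    seen = {}
    for user, start, _, ip, _ in rows:
        seen.setdefault((user, start.date()), set()).add(ip)
    return {u: len(ips) for (u, _), ips in seen.items() if len(ips) > limit}
```

Mobile users and corporate proxies produce legitimate source changes, so treat these as triage signals to review against license counts rather than as proof of sharing.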