Delfigo Security - Strong Authentication

Identity and Authentication Blog

Twitter Failed To Account For Basic Security Vulnerabilities

It is a basic premise in security: prevent rather than react. This was reinforced again recently by the difficulties encountered by Twitter (Infoweek: Twitter Hack Made Possible By Weak Password). Twitter is a popular, award-winning service that has been around since 2006. It has raised over $22 million but failed to address very basic security vulnerabilities.

"According to a report filed by Kim Zetter of Wired News, an 18-year-old hacker calling himself GMZ gained access to the account of a Twitter employee on Monday using a dictionary attack program that he created. Because the Twitter employee's account had access to administrative tools, GMZ was able to access any Twitter member's account by resetting the password."

Several rookie mistakes here. First, having administrators use the same web application that users use to manage their accounts; the administrative system should have been a separate server and application. Second, it is sloppy password management to allow a common dictionary word as a password. Finally, and most importantly, allowing unlimited login attempts. This is the core issue: it gave the attacker as many chances as needed to attack the login system. Who doesn't use a lockout feature to limit the number of login attempts in 2009?
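The lockout the post calls for, written out as an added example from the defender's side. This is not Twitter's code; the attempt limit, the lockout period and the fixed salt are assumptions, and the counters live in process memory where a real deployment would keep them in a store shared by every web front-end.

```python
"""Login throttling with a per-account lockout, written from the defender's side.

Added example, not Twitter's code. Thresholds are assumed policy values and the
counters live in process memory; a real deployment keeps them in a shared store
so that every web front-end sees the same failure count.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 5            # assumed: consecutive failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed: how long the account stays locked


@dataclass
class AccountState:
    password_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                       # injectable so tests can advance time
        self.accounts: Dict[str, AccountState] = {}

    @staticmethod
    def _hash(password: str) -> bytes:
        # Constructed salt; a real system stores a random per-user salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"per-user-salt", 100_000)

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = AccountState(self._hash(password))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        state = self.accounts.get(user)
        if state is None:
            self._hash(password)   # same work for unknown users, so timing does not reveal them
            return "denied"
        if now < state.locked_until:
            # Do not even compare the password while locked: a correct guess
            # during the lockout must not be confirmed to the caller.
            return "locked"
        if hmac.compare_digest(self._hash(password), state.password_hash):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("admin", "correct-horse-battery")
    for guess in ["happiness", "password", "letmein", "monkey", "dragon", "correct-horse-battery"]:
        print(guess, "->", guard.login("admin", guess))
```

A lockout on its own also hands anyone who knows a user name a way to lock that user out, so it is usually paired with per-source throttling or a challenge rather than used alone.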


Strong Passwords Prevent Downadup Virus

A serious new sleeper virus that exploits Microsoft Windows is working its way through corporate networks. According to Mikko Hypponen, chief research officer at anti-virus firm F-Secure, the best way to prevent the virus is to "get the patch and install it company-wide. The second way is password security. Use long, difficult passwords -- particularly for administrators who cannot afford to be locked out of the machines they will have to fix."

These, of course, are not the only options. Given that most organizations have difficulty managing password policies and enforcing "strong" passwords, a more practical option is to deploy an authentication platform that uses multiple factors such as keyboard biometrics, geospatial metrics, system parameters, and reflective thinking. Some key factors to consider in this type of solution are:

  1. Platform Independence (easy pluggability into existing application environments)
  2. Database Flexibility (no heavy lifting if you need to change database vendors)
  3. Easy Integration and Configuration
  4. Open Standards (industry standards with built-in WS-Security authentication and encryption mechanisms)
  5. End-To-End Security
  6. Audit and Transaction Logging
  7. Great Administrative Tools (easily manage system and users)


Network World: Risk-based Authorization Scoring for Authentication

Network World features the Delfigo solution in "Start-up measures users' trustworthiness for authentication into sites." Key quote:

"Boiled down, Delfigo does context- or risk-based authorization scoring. In other words, the product, DSGateway, calculates, in real time, a risk value - called the "confidence factor" - which reflects the trustworthiness of your authentication in much the same way your credit score reflects your credit worthiness.

Here's how it works, as Klein explained it to me:

a. User signs on with user ID and password.

b. User keyboard biometrics and geospatial data determine "are you who you say you are?"

c. System analyzes current information against user historical profile and assigns a confidence factor (CF).

d. If CF is weak, access is restricted and the user may elect to increase confidence using in-band and out-of-band methods.

e. If confidence factor is sufficient, user is granted access.

The service can continue to monitor the user's activity during the session and if it deviates too far (settable by the administrator) from the user's historical profile a flag can be raised and the user is asked to further authenticate using both in-band and out-of-band methods. Examples of in-band methods could be passwords, tokens, secret questions, keyboard dynamics, while examples of out-of-band methods could be SMS messages.

We've all experienced, I'm sure, services which ask us to periodically re-authenticate, but if the username and password are compromised it really doesn't matter how often the attacker needs to enter them, does it? How much better to use different methods, such as the in-band and out-of-band methods, all the while building up a better level of confidence that the user is who they say they are."
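Steps a to e above, carried through as an added worked example. This is not DSGateway's algorithm, which is not public: the z-score comparison of keystroke rhythm, the Haversine distance to past login locations, the 60/40 weighting and the grant/step-up/deny thresholds are all assumptions, and the profile, timings and coordinates are constructed.

```python
"""Confidence-factor scoring in the spirit of steps a to e above.

Added example, not DSGateway's algorithm, which is not public. The z-score
rhythm comparison, the Haversine geo distance, the weights and the thresholds
are all assumptions; the profile data and samples below are constructed.
"""
import math
from statistics import mean, pstdev
from typing import List, Tuple

GRANT_THRESHOLD = 70    # assumed: CF at or above this grants access (step e)
STEPUP_THRESHOLD = 40   # assumed: CF in [40, 70) triggers in-band/out-of-band step-up (step d)
EARTH_RADIUS_KM = 6371.0

Coord = Tuple[float, float]


class UserProfile:
    """Historical profile built from a user's past successful logins (step c)."""

    def __init__(self, timing_samples: List[List[float]], locations: List[Coord]) -> None:
        # Keystroke rhythm: per-position mean and std of inter-key latency (ms)
        # recorded while the user typed a fixed string such as the user ID.
        columns = list(zip(*timing_samples))
        self.mean = [mean(c) for c in columns]
        self.std = [max(pstdev(c), 1.0) for c in columns]  # floor avoids divide-by-zero
        self.locations = locations                          # (lat, lon) of past logins

    def timing_deviation(self, sample: List[float]) -> float:
        """Mean absolute z-score across key intervals; 0 means an identical rhythm."""
        z = [abs(x - m) / s for x, m, s in zip(sample, self.mean, self.std)]
        return sum(z) / len(z)

    def distance_km(self, loc: Coord) -> float:
        """Haversine distance from loc to the nearest location in the profile."""
        def haversine(a: Coord, b: Coord) -> float:
            lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
            h = (math.sin((lat2 - lat1) / 2) ** 2
                 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
            return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))
        return min(haversine(loc, known) for known in self.locations)


def confidence_factor(profile: UserProfile, sample: List[float], loc: Coord) -> int:
    """Steps b and c: score the login 0..100 (assumed 60/40 weighting)."""
    timing_score = max(0.0, 1.0 - profile.timing_deviation(sample) / 3.0)  # 3 sigma -> 0
    geo_score = 1.0 / (1.0 + profile.distance_km(loc) / 500.0)            # 500 km away halves it
    return round(100 * (0.6 * timing_score + 0.4 * geo_score))


def decide(cf: int) -> str:
    """Steps d and e."""
    if cf >= GRANT_THRESHOLD:
        return "grant"
    if cf >= STEPUP_THRESHOLD:
        return "step-up"
    return "deny"


def monitor_session(profile: UserProfile, events: List[Tuple[List[float], Coord]],
                    admin_threshold: int = STEPUP_THRESHOLD) -> List[int]:
    """In-session check: indexes of events whose CF falls below the
    administrator-set threshold and should trigger re-authentication."""
    return [i for i, (sample, loc) in enumerate(events)
            if confidence_factor(profile, sample, loc) < admin_threshold]


# Constructed profile: four past logins from Boston with a consistent rhythm.
PROFILE = UserProfile(
    timing_samples=[[120, 180, 150, 200], [125, 175, 155, 195],
                    [115, 185, 145, 205], [120, 180, 150, 200]],
    locations=[(42.36, -71.06)],
)

if __name__ == "__main__":
    for label, sample, loc in [
        ("same rhythm, Boston", [121, 179, 152, 199], (42.36, -71.06)),
        ("same rhythm, Chicago", [121, 179, 152, 199], (41.88, -87.63)),
        ("other rhythm, Moscow", [200, 90, 260, 110], (55.75, 37.62)),
    ]:
        cf = confidence_factor(PROFILE, sample, loc)
        print(f"{label}: CF={cf} -> {decide(cf)}")
```

The three constructed logins land in the three outcomes the quote describes: the familiar rhythm from the usual city is granted, the familiar rhythm from an unfamiliar city is asked to step up, and an unfamiliar rhythm from far away is denied even though the password was correct.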


Securing Data From Former Employees

Remember the layoffs of 2001? Those fortunate enough to keep their jobs were met with a significant increase in their workload. Not to make light of the current economy and continued reductions in force, but according to David Griffeth in IAM Insights, here we go again. "The challenge for identity and access management professionals will be securing data from former employees who know the system from the inside out." Not only will IAM professionals have to pick up the slack resulting from reductions in staff, they will need to be aware that over 50% of security breaches come from insiders (or former insiders, in this case).



Browser Based Password Management

Chapin Information Services recently tested the password management features of web browsers. The conclusion seems to be that none were very good, as the results table is littered with "failed" tests.

First-factor security, in the form of passwords, continues to be a threat worldwide (phishing, man-in-the-middle attacks, weak or reused passwords and a host of other vulnerabilities). CIS's results show that there is little reason to rely on a locked-down browser to provide a competent level of security. This is further evidence of a market need for a second factor and beyond. The issue is: can you provide an extra layer of security without being intrusive, and deliver it at low cost?

Thinking out loud: what if a user could rely upon their keyboard biometric to validate them, the way PGP once did for the distribution of public keys? It would be great to be able to save a bio-key and upload it to a site. Provide a means for each user to prove ownership of their bio-key, with a 48-hour delay and safeguards in place to ensure the bio-key is legitimate. That way, when the user revisits Amazon or eBay, for example, they could type in their password and be validated.


Identity Thefts Continue To Rise

The Identity Theft Resource Center released its ITRC 2008 Breach List showing that the number of identity thefts jumped from 446 in 2007 to 656 in 2008, an increase of 47%.

The main sources of those breaches?

  • Insider Theft (stolen by someone inside company): 16.50% 6.00%
  • Data on the Move (laptop, thumb drive, PDA, etc.)
  • Subcontractor (stolen or lost by second party): 20.30%
  • Hacking (stolen by someone outside of company)
  • Accidental Exposure (inadvertent Internet/Web posting)

Source: Identity Theft Center

The number of course only includes those that were publicly reported. Many organizations still keep these incidents from the public.


Will Downturn in Business Lead To Cost Avoidance And More Account Sharing?

Many large organizations commonly share accounts (i.e., multiple users share account passwords, or the tokens/PINs that generate passwords, in order to avoid having to purchase additional user licenses). This has grown with the shift toward the SaaS model.

As the recession deepens, will the need for cost reduction lead to additional account sharing? In many companies the budget cycle is yearly. Given that we are now starting a new year, recessionary pressures will lead many organizations either to cut frivolous access to online tools and systems or to dramatically cut the number of licenses in use. Are SaaS operators prepared to detect how patterns of access have changed, and so detect fraud?
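One answer to the closing question, as an added example rather than anything Delfigo ships: two access-pattern checks that a SaaS operator can run over its own login audit trail to surface accounts that look shared. The log format, the sample lines and both policy thresholds are constructed for the illustration.

```python
"""Detecting shared-account access patterns in SaaS login logs.

Added example, not a Delfigo feature. The log format, the sample entries and
the two policy thresholds are constructed for this illustration; adapt parse()
to your own audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample: ISO timestamp, event, account, [source IP,] session id.
SAMPLE_LOG = """\
2009-01-12T08:01:10 login alice 203.0.113.10 s1
2009-01-12T08:03:45 login bob 198.51.100.7 s2
2009-01-12T08:05:02 login alice 192.0.2.44 s3
2009-01-12T08:20:00 login alice 198.51.100.90 s4
2009-01-12T09:00:00 logout alice s1
2009-01-12T09:30:00 logout bob s2
2009-01-12T10:00:00 login bob 198.51.100.7 s5
2009-01-12T10:15:00 logout alice s3
"""

MAX_DISTINCT_IPS = 2   # assumed policy: more distinct source IPs per window than this is suspicious
MAX_CONCURRENT = 1     # assumed policy: one seat licence means one live session

Event = Tuple[datetime, str, str, str, str]   # (time, kind, account, ip or "", session id)


def parse(log: str) -> List[Event]:
    events: List[Event] = []
    for line in log.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = datetime.fromisoformat(parts[0])
        if parts[1] == "login":
            events.append((ts, "login", parts[2], parts[3], parts[4]))
        else:
            events.append((ts, "logout", parts[2], "", parts[3]))
    return sorted(events, key=lambda e: e[0])


def analyse(log: str, window: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for accounts whose pattern suggests sharing."""
    findings: Dict[str, List[str]] = defaultdict(list)
    logins: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    active: Dict[str, Set[str]] = defaultdict(set)   # account -> live session ids
    peak: Dict[str, int] = defaultdict(int)          # account -> most sessions live at once

    for ts, kind, account, ip, sid in parse(log):
        if kind == "login":
            logins[account].append((ts, ip))
            active[account].add(sid)
            peak[account] = max(peak[account], len(active[account]))
        else:
            active[account].discard(sid)

    hours = int(window.total_seconds() // 3600)
    for account, hist in logins.items():
        # Sliding window: distinct source IPs among logins within `window` of each login.
        for i, (t0, _) in enumerate(hist):
            ips = {ip for t, ip in hist[i:] if t - t0 <= window}
            if len(ips) > MAX_DISTINCT_IPS:
                findings[account].append(f"{len(ips)} distinct source IPs within {hours}h")
                break
        if peak[account] > MAX_CONCURRENT:
            findings[account].append(f"{peak[account]} concurrent sessions")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in analyse(SAMPLE_LOG).items():
        print(account, "->", "; ".join(reasons))
```

On the constructed log, alice is flagged on both counts (three source addresses in the day and three sessions live at the same time) while bob, who logs in twice from one address and never overlaps, is not. Overlapping sessions are the stronger signal: a single person on a laptop and a phone can produce several addresses in a day, but cannot easily produce three simultaneous interactive sessions.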


The Case for Strong Authentication

The Aberdeen Group recently published a study which found that most organizations still rely primarily on passwords to protect their assets. Within its sample, the study also found that 64 percent of organizations do not even require users to change their passwords, 45 percent allow standard dictionary terms, like "password," and 29 percent have no requirements for password length.

Resource: SANS Institute (characteristics of a weak vs. strong password)
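A password policy check aimed at the three gaps the Aberdeen figures describe (no rotation, dictionary terms allowed, no length requirement), plus the dictionary-word and personal-information characteristics of a weak password. This is an added example, not the SANS policy text or any Delfigo code; the minimum length, the rotation period, the three-character-class rule and the tiny word list are assumptions, and a real deployment would load a full dictionary and a breached-password list.

```python
"""Password policy check targeting the gaps in the Aberdeen findings:
no rotation, dictionary terms allowed, no length requirement.

Added example; the thresholds and the tiny word list are assumptions
(a real deployment loads a full dictionary and a breached-password list).
"""
import re
from datetime import date
from typing import List, Optional

MIN_LENGTH = 8      # assumed minimum length
MAX_AGE_DAYS = 90   # assumed rotation period
MIN_CLASSES = 3     # assumed: of lower, upper, digit, punctuation
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty", "summer"}  # constructed


def normalise(pw: str) -> str:
    """Undo common leet substitutions so 'P@ssw0rd' is still caught as 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i", "5": "s"})
    return pw.lower().translate(table)


def check_password(password: str, username: str,
                   last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")

    # Strip trailing digits before normalising so 'Password1' and 'P@ssw0rd1'
    # both reduce to 'password'.
    core = normalise(re.sub(r"\d+$", "", password))
    if core in DICTIONARY:
        problems.append("is a dictionary word (possibly with trivial substitutions)")

    if username and username.lower() in normalise(password):
        problems.append("contains the user name")

    if last_changed is not None and (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days")

    return problems


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1", "Alice2009!", "correct-Horse7"]:
        print(f"{pw!r}: {check_password(pw, 'alice') or 'ok'}")
```

The leet-normalisation step matters in practice: a policy that only compares the raw string against a word list will pass "P@ssw0rd1" even though it fails on the first guess of any dictionary attack that applies the same substitutions.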

