Delfigo Security - Strong Authentication

Identity and Authentication Blog

Adobe Flash Vulnerability ctd.

Steve Jobs's reference in "Thoughts On Flash" to Symantec having "recently highlighted Flash for having one of the worst security records in 2009" piqued our curiosity. What exactly did Symantec say?

"Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009."

The Symantec report references a SecurityFocus item further commenting on the vulnerability - "An attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file. Successful exploits may allow the attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions."


Steve Jobs Further Exposes Security Issues With Adobe Flash

Steve Jobs's recent "Thoughts On Flash" has caused quite a stir. However, none of this is new information. The Flash Player plug-in can access and control system resources, as well as write to the user's file system (to install updates and to store Flash cookies, i.e. Local Shared Objects). Development issues and security vulnerabilities related to the use of Flash have been written about extensively on blogs and technology sites, and are frequently noted in security warnings and reports (see the SANS Top Cyber Security Risks report, the Symantec Global Internet Threat Report, or US-CERT Cyber Security Alerts). Flash has a very large user base, which presents a large target for attackers, but it has been fairly resilient to its critics. What is different now is that Jobs is no ordinary critic.

The other interesting news in Jobs's missive is Apple's claim to be a big supporter of open standards - HTML5, CSS, JavaScript - and its role in WebKit. Never really thought of Apple as an "open standards company." Guess I wasn't paying attention.


Bruce Schneier on Risk Analysis

Bruce Schneier comments on the value of properly calculating probabilities when performing a risk assessment. He cautions against building the assessment around "worst case" thinking:

"My nightmare scenario is that people keep talking about their nightmare scenarios....There's a certain blindness that comes from worst-case thinking. An extension of the precautionary principle, it involves imagining the worst possible outcome and then acting as if it were a certainty. It substitutes imagination for thinking, speculation for risk analysis, and fear for reason."

"Worst-case thinking leads to bad decisions, bad systems design, and bad security."


Identity For Sale Online

Symantec points out the most frequently advertised items for sale on underground economy servers.

Source: Symantec Intelligence Quarterly: APJ October - December, 2009


The 500 Most Common Passwords

Whats My Pass recently listed the 500 Most Common Passwords from the 2005 book Perfect Passwords by Mark Burnett (note: some are offensive). The top 3 are 12345, password and 12345678. One thing that caught our eye: the key difference between numbers 1 and 3, of course, must be that those using number 3 work in "secure" organizations that require a strong 8-character password.

A second factor based on keyboard biometrics can help remove the relevance of a weak versus a strong password. It should not matter whether the user's password is 3 simple letters or a 10-character mix of letters, numbers, symbols and case. Like fingerprints, each of us produces a characteristic keystroke rhythm when typing (how long each key is held and the gaps between keys). If this second layer has been properly trained into the system, a set of reference patterns is available for comparison against each new entry. Matching is statistical: a genuine attempt should fall close enough to the trained pattern to pass, while someone else typing the same characters should not, within the false-accept and false-reject rates the decision threshold is tuned for. The simplicity or complexity of the password itself would then not matter, which in turn alleviates a number of usability and password management issues.
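To make the enrollment-and-comparison idea concrete, here is an added example of a minimal keystroke-dynamics check in Python. It is not Delfigo's code and says nothing about how DSGateway works; it is the simplest model that fits the description above: enroll several typings of the same password, store per-feature mean and standard deviation of dwell and flight times, and score a new attempt by its average z-score distance from that profile. All timing values (ENROLL, GENUINE, IMPOSTOR) are constructed for the example, not measured, and the threshold is an assumption.

```python
import statistics

# Constructed enrollment data (not measurements): the legitimate user typing the same
# 5-character password four times. Each keystroke is (dwell_ms, flight_ms): how long the
# key was held, then the gap before the next key. The last key has no following gap.
ENROLL = [
    [(90, 120), (80, 140), (110, 90), (70, 160), (100, 0)],
    [(100, 130), (85, 150), (105, 100), (75, 150), (95, 0)],
    [(95, 125), (90, 135), (115, 95), (65, 170), (105, 0)],
    [(85, 115), (75, 145), (100, 85), (80, 155), (90, 0)],
]

# Constructed login attempts: the same user again, and someone else who knows the
# password but types it with a different rhythm.
GENUINE = [(92, 122), (83, 142), (108, 92), (72, 158), (98, 0)]
IMPOSTOR = [(150, 250), (140, 260), (160, 200), (130, 300), (155, 0)]


def features(sample):
    """Flatten one typing sample into a feature vector: all dwell times, then the
    flight times between consecutive keys (the trailing 0 after the last key is dropped)."""
    dwell = [d for d, _ in sample]
    flight = [f for _, f in sample[:-1]]
    return dwell + flight


def train(samples):
    """Build the user's profile: per-feature mean and standard deviation over enrollment.
    A 1 ms floor on the deviation avoids division by zero on a perfectly constant feature."""
    columns = list(zip(*(features(s) for s in samples)))
    means = [statistics.fmean(c) for c in columns]
    stdevs = [max(statistics.pstdev(c), 1.0) for c in columns]
    return means, stdevs


def score(profile, sample):
    """Distance of an attempt from the profile: mean absolute z-score across features.
    0 means identical to the trained pattern; larger means less like this user."""
    means, stdevs = profile
    vec = features(sample)
    if len(vec) != len(means):
        raise ValueError("attempt must contain the same number of keystrokes as enrollment")
    return sum(abs(v - m) / s for v, m, s in zip(vec, means, stdevs)) / len(vec)


def authenticate(profile, sample, password_correct, threshold=1.5):
    """Second factor: the password must be right AND the rhythm must sit within
    `threshold` standard deviations (on average) of the enrolled pattern. The threshold
    (assumed here) is the knob between false rejects (too strict) and false accepts."""
    return bool(password_correct) and score(profile, sample) <= threshold


PROFILE = train(ENROLL)

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={score(PROFILE, attempt):.2f} "
              f"accepted={authenticate(PROFILE, attempt, password_correct=True)}")
```

Four enrollment samples and a fixed threshold are enough to show the mechanism, not to deploy it: production systems use far more samples, richer features, and a threshold chosen from measured false-accept and false-reject rates, and they still need a fallback for users whose typing changes (injury, a new keyboard, a touchscreen).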


New Generation Trojans Counter Token Based Temporary Passwords

A recent New York Times article once again draws attention to a weakness of token-based temporary passwords. Saul Hansell describes in the article how attackers use new trojans to capture the one-time password in real time and use it before it expires, thereby bypassing the protection offered by a token that generates a new temporary password every minute.

Source: How Hackers Snatch Real-Time Security ID Numbers
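The relay scenario in the article, as an added example that is not part of the original post. RSA's SecurID algorithm is proprietary, so the block stands in the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step; the shared secret, timestamps and payee names are constructed. It shows that a code captured by malware and submitted within its validity window is indistinguishable from the victim's own, and, as a hypothetical mitigation the article does not discuss, a code bound to the transaction details, which the same relay no longer satisfies once the attacker changes the payee.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo; a real token seed is provisioned per device.
SECRET = b"constructed-demo-seed-not-a-real-token"
STEP = 60  # seconds per code, matching the "new password every minute" in the post


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP, RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """TOTP, RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float, step: int = STEP, skew: int = 1) -> bool:
    """Server-side check. Clock drift is tolerated by also accepting the neighbouring
    steps, which widens the window in which a relayed code stays valid."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def relay_attack(secret: bytes, capture_time: float, delay: float) -> bool:
    """The trojan scenario: malware reads the code as the victim types it and submits it
    from the attacker's session `delay` seconds later. True means the server accepted it."""
    captured = totp(secret, capture_time)
    return verify_totp(secret, captured, capture_time + delay)


def transaction_code(secret: bytes, counter: int, payee: str, amount: int) -> str:
    """Hypothetical mitigation (not from the article): fold the transaction details into
    the MAC so the code authorizes one specific payment rather than a whole session."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 6).zfill(6)


def verify_transaction_code(secret, code, now, payee, amount, step=STEP, skew=1) -> bool:
    """Same drift window as verify_totp, but over the transaction-bound code."""
    counter = int(now // step)
    return any(hmac.compare_digest(transaction_code(secret, counter + d, payee, amount), code)
               for d in range(-skew, skew + 1))


def relay_transaction_attack(secret: bytes, capture_time: float, delay: float) -> bool:
    """Same trojan, but the code the victim produced was bound to a payment to 'Alice';
    the attacker tries to spend it on a payment to 'Mallory' (constructed names)."""
    captured = transaction_code(secret, int(capture_time // STEP), "Alice", 100)
    return verify_transaction_code(secret, captured, capture_time + delay, "Mallory", 100)


if __name__ == "__main__":
    t = 1_000_000.0
    print("relay within the minute accepted:", relay_attack(SECRET, t, 5))
    print("relay ten minutes later accepted:", relay_attack(SECRET, t, 600))
    print("relayed code reused for another payee accepted:", relay_transaction_attack(SECRET, t, 5))
```

The transaction-bound variant only helps if the user sees the payee and amount on a display the trojan cannot alter (a separate device or an out-of-band channel) before the code is generated; if the malware rewrites the transaction inside the browser before the user signs it, the code is bound to the attacker's transaction instead.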



Cloud Security and Strong Authentication

I wholeheartedly agree with Fran Rosch's comment that the industry must move to stronger authentication technologies. There is no doubt in anyone's mind that simple User ID and Password (including strong passwords) offer very little to no security when it comes to protecting digital assets. 

The complexity and frequency of cyber threats today call for companies to consider a new breed of strong authentication, one that strives to validate the user and not just the device. One-time passwords (OTP) delivered through unique, individually assigned tokens have been around for a while. Fran argues correctly that infrastructure costs limited the widespread use of token-based OTP. A cloud-based OTP offering may address the infrastructure costs, but what about the usability of token-based OTP? People lose or forget physical devices. People damage physical devices. I speak from personal experience, having learned from my own internal customer base.

Why not rely on technology that requires no tokens whatsoever? No plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices. A strong authentication solution that goes beyond two factors and delivers true multifactor authentication with zero distribution and end-user management costs is what enterprises should look for when they have to scale a solution globally and across a large user base.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on Twitter (@delfigo).



RSA Survey on Budget, Cost and Strong Authentication

A recent RSA survey, Tight Budgets Harm IT Security, once again reaffirms that the biggest complaint of IT security executives is having less money to handle increasing threats. When Delfigo started out just over a year ago, we knew from years of experience managing IT departments that costs, both fixed and operating, were the top concern for identity and access management. That was a key element driving our early decision to develop a solution that uses open standards, integrates easily with existing technologies and back-end systems, and, most importantly, is simple to use and does not require end users to change their access routines or behaviors. No tokens or software downloads are required. One of our key objectives was to eliminate the very things that create the majority of integration and management challenges and drive up the total cost of ownership of the second-factor and strong authentication solutions on the market today.



Data Security Breach Puts Twitter In The News Again

Twitter is in the news again - this time it is their internal documents, stored on Google Apps, that were accessed by an attacker.

Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.  

Twitter management was swift to jump into action with internal policy changes. With the popularity of Twitter on the uptick, security practices, policies, and procedures must be front of mind for the management team.

Companies such as Twitter, Google, and Facebook are immensely popular, with memberships in the tens of millions. Strong passwords alone are no longer adequate to secure data and identity. I am sure these companies are concerned and challenged with how best to contain this growing menace. However, it would be cost-prohibitive for companies whose business model is based on free use to start sending out tokens or to force each member to install digital certificates in their browsers for second-factor authentication. In addition, even if they were willing to set up token-based second-factor authentication for members willing to pay a premium to protect their online accounts, they would face significant integration, distribution and ongoing management challenges that would constantly impose a burden on organizational resources.

Another primary concern is user convenience. Clearly these social media sites would not enjoy the same level of popularity if members were subject to cumbersome processes to secure online access. Balancing the need for strong authentication with user convenience is therefore of utmost importance for these companies as well. But this seemingly insurmountable challenge is not without a solution. Delfigo Security's business model and product architecture are predicated on addressing these very challenges: implicit multifactor authentication without inconveniencing end users. End users need not change their current usage patterns to have the assurance that their account and profile information is secure on these sites. And our DSGateway platform is easily deployed, configured, and managed. It is a true zero-footprint solution and requires no client downloads or tokens.

I agree with analyst Dan Blum of the Burton Group when he said, "I wouldn't store sensitive documents in a cloud-based service unless I had a lot of confidence in the specific service," Blum says. "I'd hold them to the same standards that you hold for your own internal applications. If you expect your internal applications to be accessed only through two-factor authentication then the cloud should be at least as secure as that."

Any regular user of these social media sites should be concerned as well. Delfigo would like to make Twitter and other social media companies an offer: we will provide our strong authentication solution free of per-user (member) fees for up to one year. If you want to be sure that your information is safe, you should hope they take us up on this offer.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on Twitter (@delfigo).

