Delfigo Security - Strong Authentication

Passwords

The 500 Most Common Passwords

Whats My Pass recently listed the 500 most common passwords from the 2005 book Perfect Passwords by Mark Burnett (note: some are offensive). The top three are 12345, password and 12345678. One thing that caught our eye: the key difference between numbers 1 and 3 must of course be that those using number 3 work in "secure" organizations that require a strong 8-character password.

Second-factor security using keyboard biometrics can help eliminate the relevance of a weak versus a strong password. It should not matter whether the user's password is three simple letters or a 10-character mix of letters, numbers, symbols and case. Like fingerprints, each of us produces a unique keystroke pattern when typing. If this second layer of security has been properly trained into the system, a set of unique patterns is available for comparison against new entries. Only one individual should be able to reproduce the keystroke pattern with enough confidence for the system to authenticate. The simplicity or complexity of the password would then not matter, which in turn alleviates a number of usability and password-management issues.
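To make the "trained pattern" idea concrete, here is an added example of the simplest form of keystroke-dynamics matching: dwell times (how long each key is held) and flight times (release of one key to press of the next) are extracted from keydown/keyup events, a per-user template of means and deviations is trained from enrollment samples, and a new entry is scored by its distance from that template. This is illustrative code written for this page, not Delfigo's product algorithm; all timing data below is constructed.

```python
# Added example: keystroke-dynamics matching (illustrative; not Delfigo's product code).
# Events are constructed (key, keydown_ms, keyup_ms) triples, as a keyboard hook would log.
from statistics import mean, pstdev

# Constructed enrollment samples: the same user typing "abc" five times.
ENROLLMENT = [
    [("a", 0, 100), ("b", 250, 352), ("c", 500, 598)],
    [("a", 0, 104), ("b", 252, 350), ("c", 505, 603)],
    [("a", 0, 98), ("b", 248, 354), ("c", 498, 600)],
    [("a", 0, 102), ("b", 254, 348), ("c", 502, 597)],
    [("a", 0, 96), ("b", 246, 352), ("c", 496, 602)],
]
# Constructed probes: the same user again, and someone else typing the same password.
GENUINE_PROBE = [("a", 0, 101), ("b", 251, 351), ("c", 503, 601)]
IMPOSTOR_PROBE = [("a", 0, 60), ("b", 350, 410), ("c", 700, 760)]


def features(events):
    """Timing vector: dwell time per key (hold), then flight time between keys
    (release of one key to press of the next)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def train_template(samples):
    """Per-feature mean and standard deviation over the enrollment samples."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    means = [mean(v[i] for v in vectors) for i in range(n)]
    # Floor the deviation at 1 ms so a very consistent feature does not dominate the score.
    stds = [max(pstdev([v[i] for v in vectors]), 1.0) for i in range(n)]
    return means, stds


def score(template, events):
    """Mean absolute z-score of the probe against the template; lower is closer."""
    means, stds = template
    return mean(abs(x - m) / s for x, m, s in zip(features(events), means, stds))


def verify(template, events, threshold=2.0):
    """Accept the probe only if its timing pattern is within the threshold."""
    return score(template, events) <= threshold


if __name__ == "__main__":
    template = train_template(ENROLLMENT)
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(name, round(score(template, probe), 2), verify(template, probe))
```

The threshold is the tuning knob: a lower value rejects more impostors but also more genuine entries typed on a different keyboard or in a hurry, so a deployment measures both false-accept and false-reject rates before fixing it. The template itself is authentication material and deserves the same storage protection as a password hash.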


Passwords Are Useless, Outdated and a Security Risk - Cem Paya

Larry Dignan finds no argument with Google's Cem Paya, who made the "passwords are useless, outdated and a security risk" comment at Wharton's Information Security Best Practices conference.

So why are passwords still a primary form of security? According to Dignan, Paya offered the following reasons:

  • There's no business model for issuing IDs to consumers.
  • Limiting user choice may annoy people.
  • Service providers can't rely on third parties to manage identities; if that third party screws up, it's your problem.
  • Strong authentication has to be mandatory, but mandating an emerging technology risks losing customers.
  • An opt-in policy can create customer satisfaction problems. What happens when you need a driver for your USB token?

Interesting.


Coordinating Account Revocation When Employees Are Terminated

Information Week (Account and Identity Mismanagement) comments on a frequently occurring theme: failure to revoke account privileges before an employee is terminated. This time it concerns the Fannie Mae contractor who introduced a malicious script on their servers.
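The control that fails in cases like this is the reconciliation between what HR knows (who is leaving, and when) and what the directory still allows. As an added illustration, not code from Information Week or Delfigo, the check below compares a constructed HR roster against a constructed directory export and flags three gaps: accounts with no HR owner, accounts that should already be disabled, and privileged group memberships still in place within a couple of days of a known end date, which is the window in which access should be pulled before the last day rather than after it.

```python
# Added example: reconcile an HR roster against a directory export to find account
# privileges that should already have been revoked. Illustrative; not Delfigo's code,
# and the HR/directory records below are constructed, not real.
from datetime import date, timedelta

HR_ROSTER = [
    {"user": "jdoe", "status": "active", "end_date": None},
    {"user": "asmith", "status": "terminated", "end_date": "2009-01-20"},
    {"user": "ctr-bob", "status": "contractor", "end_date": "2009-01-31"},
]
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "groups": ["staff"]},
    {"user": "asmith", "enabled": True, "groups": ["staff", "server-admins"]},
    {"user": "ctr-bob", "enabled": True, "groups": ["contractors", "server-admins"]},
    {"user": "svc-backup", "enabled": True, "groups": ["service"]},
]
PRIVILEGED_GROUPS = {"server-admins"}  # constructed; a real check uses the site's own list


def revocation_gaps(hr, directory, today, lead_days=2):
    """Map each enabled account that needs action to the reason.

    - no HR record                         -> orphan; nobody owns it
    - terminated, or end date in the past  -> should already be disabled
    - end date within lead_days and still in a privileged group
                                           -> pull privileged access before the last day
    """
    owners = {r["user"]: r for r in hr}
    gaps = {}
    for acct in directory:
        if not acct["enabled"]:
            continue
        rec = owners.get(acct["user"])
        if rec is None:
            gaps[acct["user"]] = "orphan: no HR record"
            continue
        end = date.fromisoformat(rec["end_date"]) if rec["end_date"] else None
        if rec["status"] == "terminated" or (end is not None and end < today):
            gaps[acct["user"]] = "should be disabled: HR status %s, end date %s" % (
                rec["status"], end)
            continue
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        if end is not None and privileged and end <= today + timedelta(days=lead_days):
            gaps[acct["user"]] = "revoke %s before end date %s" % (",".join(privileged), end)
    return gaps


if __name__ == "__main__":
    for user, reason in revocation_gaps(HR_ROSTER, DIRECTORY, date(2009, 1, 30)).items():
        print(user, "->", reason)
```

Run daily, the output is a work list for the identity team; the orphan case matters as much as the terminated one, because a service or contractor account nobody owns is never going to be revoked by an offboarding workflow that keys on an employee record.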


Big Money Lawsuits Over Account Sharing, Password Violations

Jordan Weissmann writes in Legal Times that lending your user identification so that others can share your account can prove very costly. Online subscription services are using revenue-recovery solutions to monitor user accounts for fraudulent use and license violations. In the case described, one online service provider is using copyright law to seek "enhanced damages" instead of seeking judgment on subscription fees only. The defendants (those who used the service, as well as those who shared the account) are accused of illegally distributing content. This raises the cost from a mere $5,000 to cover fees to $150,000 per database that was accessed.


Twitter Failed To Account For Basic Security Vulnerabilities

It is a basic premise in security: prevent rather than react. This was reinforced again recently by the difficulties encountered by Twitter (Infoweek: Twitter Hack Made Possible By Weak Password). Twitter is a popular, award-winning service that has been around since 2006. It has raised over $22 million but failed to address very basic security vulnerabilities.

"According to a report filed by Kim Zetter of Wired News, an 18-year-old hacker calling himself GMZ gained access to the account of a Twitter employee on Monday using a dictionary attack program that he created. Because the Twitter employee's account had access to administrative tools, GMZ was able to access any Twitter member's account by resetting the password."

Several rookie mistakes here. First, having your administrators use the same web application that users use to manage their accounts; the administrative system should have been a separate server and application. Second, allowing a common word as a password is sloppy password management. Finally, and most importantly, allowing unlimited login attempts. This is the core issue: it gave the attacker as many chances as they needed against the login system. Who doesn't use a lockout feature to limit the number of login attempts in 2009?
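The lockout feature the post asks about is a few dozen lines. As an added example, not code from Twitter or Delfigo, the guard below counts consecutive failures per account and refuses further attempts, including one with the correct password, until a lockout window expires; the password check is not even invoked while the account is locked. The account name, password and attempt stream are constructed.

```python
# Added example: per-account login lockout, the control the post says Twitter lacked.
# Illustrative code, not Twitter's or Delfigo's; the credentials below are constructed.
import time

CREDENTIALS = {"admin": "constructed-example-password"}


class LoginGuard:
    """Counts consecutive failures per account and refuses further attempts,
    even with the correct password, until the lockout window expires."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> consecutive failures since last success
        self._locked_until = {}  # account -> unix time at which the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account, verify, now=None):
        """Return 'locked', 'ok' or 'denied'. `verify` is a zero-argument callable
        that checks the password; it is not called at all while the account is locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"
        if verify():
            self._failures.pop(account, None)  # a success resets the counter
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def simulate(attempts, account="admin", max_failures=5, lockout_seconds=900):
    """Replay (seconds_offset, password_guess) pairs against a fresh guard and
    return the decision for each one, so the lockout behaviour can be checked offline."""
    guard = LoginGuard(max_failures, lockout_seconds)
    decisions = []
    for offset, guess in attempts:
        decisions.append(
            guard.attempt(account, lambda: CREDENTIALS[account] == guess, now=offset))
    return decisions


if __name__ == "__main__":
    # Five wrong guesses one second apart, then the right password immediately,
    # then the right password again after the 15-minute window has passed.
    stream = [(i, "bad-guess") for i in range(5)]
    stream += [(5, CREDENTIALS["admin"]), (905, CREDENTIALS["admin"])]
    print(simulate(stream))
```

Two caveats a deployment has to handle: a lockout keyed only on the account name lets anyone who knows a username lock its owner out, so production guards usually combine a per-account counter with a per-source one, use progressive delays before a hard lock, and alert on bursts of lockouts; and the lockout does nothing about the first mistake in the post, which is why the administrative tools belong on a separate application that is not reachable from the public login page at all.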
