Posts Tagged ‘authentication’

You’ve just checked into your hotel and gotten situated in your room. All that time on the plane has left you feeling a bit out of touch so you head down to the business center to do a quick check of your email. You’re in luck — there’s a free workstation just waiting there for you. You log in to your account, read a few, respond to some, delete some spam, log off and head for the gym feeling that everything is now in order. But is it?

Turns out that the person using that same PC a few hours ago opened an attachment that contained malware that installed itself on the system and has been recording every keystroke entered ever since. Making matters worse, all those email responses, web site addresses, credit card numbers and logins have also been surreptitiously forwarded to someone on the other side the world who now has everything they need to take over your email, raid your bank account and run up charges on your credit card.

Krebs on Security has a good post on this threat along with a discussion of  some preventative measures your hotel could have taken to protect you. The problem is, as the author points out, all of them can potentially be circumvented.

Of course, you could enable all your accounts to use 2-factor (a.k.a. two step) authentication where a seemingly random set of numbers are texted to your phone that you then have to enter after entering your account name and password (and you should!), but most people don’t want to be bothered with this extra step and they are precisely the ones that the bad guys are counting on.

The bottom line is, if you don’t control the system you’re using (and you never do with a public terminal), you really have no idea who else might be listening in so you should consider that anything you type (including your password) is now public information.

The best thing you can do to avoid this scenario is simply to not use public workstations. It may be a pain to lug along your own laptop but it beats the alternative.

A quick “heads up” that I will be presenting on the topic of Social Media Threats on Friday, March 7, at the Delaware Valley Chapter of the Information Systems Security Association. Here’s a link for more info:

Also, I’ll be presenting on Access Management and Federated Identity Management on Thursday, March 20, at the Harrisburg (PA) Chapter of ISACA (previously known as Information Systems Audit and Control Association). Link below:

So if you’re looking for some CPE’s and will be in the area, please drop by and say “hi.”

From an IT context, Authentication is the process by which you prove that you are you when trying to login to a system. It can be accomplished by providing something you:

  • know (a password or PIN)
  • have (smart card or security token)
  • are (a biometric reading such as a fingerprint or iris image)

The vast majority of systems rely on the first option — knowledge-based authentication (KBA) — because it’s easier to implement and is presumed to be cheaper. The ease of implementation is pretty obvious since it only takes a few lines of code to ask someone for a password and compare it to what you already have registered for that user in the data base. The assumption on the cost part is more dubious when you take into account the often hidden cost of having to support users with help desk agents to reset passwords at roughly $25 a pop, not to mention the cost of trying to recover from a breach when passwords have been harvested through an attack on the infrastructure or simply guessed by an attacker due to trivial choices by the user.

In an effort to avoid the cost of acquiring and rolling out hardware readers that are typically needed for the other two options, many organizations have taken to doubling down on KBA approaches by asking users to answer additional questions that, presumably, only they would know the answer to. The problem is that most of these questions are poorly chosen and are often not very private in nature (e.g. mother’s maiden name, high school mascot, etc.).

Systems that do a better job by actually digging into your past and asking you to, for instance, identify which of the following addresses are ones that you have lived at and who were the co-signers on the mortgages are a little harder for the bad guys but not impossible since much of that information exists in online public records.

Worse still is news this week that some of these data bases containing this sort of “private” information about you that can be used by credit bureaus and others to establish your identity has been breached.  A reports that:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.

The article goes on to say that compromised data came from systems at Lexis-Nexis, Dun & Bradstreet and Kroll Background America. Assuming this information really is circulating on the Internet it becomes clear that it can’t be relied upon for authentication because it’s no longer something that only the user in question would know — yet another nail in the coffin of KBA systems for anything other than low security applications.

Never mind what the NSA may or may not know about you or Google or Facebook or Apple or any of the other thousands of companies that track us and leverage the power of “Big Data” to try to know us even better than we know ourselves in order to sell us things we didn’t even know we wanted. The real risk of having all your secrets no longer be yours or secret is that now a bad guy can convince your bank, your mortgage company, your stock broker, etc., that he is you because he knows the info that supposedly only you know. Only it just isn’t so…

One of my favorite quotes is “if you aren’t paying for it, you are the product, not the customer.” The reason I like it is that it very succinctly and accurately describes the relationship we as end users have with many of the online services we have come to rely on ranging from email to social media.

We don’t pay for gmail accounts or Facebook accounts or LinkedIn accounts so that means we are the products, not the the customers of these services. So what happens if your account gets hijacked and you need a way to take back control? Can’t you just call customer service and have them restore things as they should be? Not really and that’s because products don’t get to complain — customers do.

So, what can you do to get your account back? One thing is to do some work up front that will make the need less likely and, failing that, make recovery less painful.

One bit of prevention is to make sure you choose a strong password.

Another is to set up two-factor authentication for your account (assuming the service provider supports this — Google and Facebook do, for instance) so that if anyone tries to log in from a new, untrusted device a code will be sent to your mobile phone via SMS (as one example) which must then be entered in order to complete the login process. This way an attacker would not only have to steal your password but also your phone in order to break in. Not impossible, but certainly harder.

Still another precaution you can take is to leverage Facebook’s new “Trusted Contacts” feature which lets you designate 3 to 5 friends who can then be leveraged to provide you with a security code to get back into your account. It’s sort of like giving parts of spare keys to your neighbors so that they can help you get back in if you lock yourself out.

Since the service is brand new there’s no telling just yet how well it will work but it certainly sounds promising. Here’s a good article from PC World that goes into more detail, if you’re interested …

Here’s the video stream (with slides) of the keynote address I gave at last month’s OOP 2013 conference in Munich on the subject of Social Media threats and how they relate to key Identity Management issues involving authentication.

OOP 2013 Keynote - Munich, 22 Jan 2013

OOP 2013 Keynote – Munich, 22 Jan 2013

In keeping with the theme of the previous post, I was recently asked by Tyler Dukes of The News & Observer, who writes the biweekly “Stump the Geeks” column, to comment on issues with choosing good passwords. Here’s a link to the article  below:

Due to space considerations, a lot of what I wrote didn’t make it past the editor’s knife so I’m posting here my larger response so you can see what didn’t make the paper and, hopefully, get a better sense of my thinking in this area…

Ideally you would want each password to be chosen randomly and comprised of a mixture of upper and lower case characters along with a few numbers and special characters like *!%$ thrown in for good measure. Also it is best not to also use same password on any other system so that if it does become compromised, the damage is limited. Finally, it should be changed at regular intervals such as every 90, 180 or 365 days, depending upon the risk involved with the information being protected.

All this is to make the password hard to guess. The problem is that things that are hard to guess often tend to be hard to remember, which is people naturally bristle at such guidance.

I think the best compromise is to use password storage or single sign-on software. These tools can generate strong, random passwords that are unique for each system they will be used to log into and only require the user to remember a single password to unlock the password storage “vault.” I have literally hundreds of passwords — all unique and none that I actually know, but with tools like these I only need to keep up with the one password that unlocks the tool and it keeps up with the rest.

IBM sells a product called Tivoli Access Manager for Enterprise Single Sign-On that I work with that is designed to do this for an entire organization’s user population. There are consumer products as well that are both free and fee-based. One nice freebie that I have used is Password Safe, which is an open source tool available from Still other tools offer to save your passwords on a shared system (i.e. in the cloud), which is convenient if you need them to be available across multiple systems. Just bear in mind that when you store your passwords on someone else’s system then you are totally at the mercy of how good a job they do with their security and, in most cases, there is no way for you to verify if their claims of using strong encryption and the like are valid or not.

As with all such decisions, there’s a trade-off between security and convenience and the answer will be different for different people depending upon their tolerance for risk and their understanding (or lack thereof) of that risk.

One of the hardest problems we face in the IT security space is that of user authentication. In other words, are you really who you claim to be? One the one hand, it’s something we do every day when we run into people we know (or don’t know), yet there have continue to be cases of impersonation, which means our systems for verifying authenticity aren’t perfect. Complicating matters is when this identity verification happens at opposite ends of a wire in cyberspace where many of the mechanisms we rely on in the physical world elude us.

Here’s a link to an iTunes U podcast interview I did with Dr. Steven Furnell, who heads up the School of Computing and Mathematics at the Plymouth University (UK). Apologies in advance for my weak sounding voice and seeming lack of energy as I had to go in for vocal cord surgery two days later.