
I’m sure everyone will agree that 2011 was a busy year in the field of data security! So as the year draws to a close (and hopefully slows down a bit for the holidays), it seems like the appropriate time to reflect on its events and begin the process of distilling our experiences into “lessons learned” that we can take with us into 2012.
Of course, there isn’t room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.
“Tehran Bob”
In March we learned that the Comodo CA had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.
In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google’s Chrome browser was giving warnings about the certificate appearing on Google’s own web sites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers’ list of trusted roots for weak security.
What we learned:
Sony
After retroactively banning Linux from their customers’ previously-purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.
It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems. In unrelated attacks, account information was breached from several of Sony’s online systems including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down their PSN entirely for several weeks until it could be brought back online in a secure manner.
Estimates for the total cost of the attacks range from $170 million into the billions.
What we learned:
LulzSec
There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.
In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different. Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group’s preferred modus operandi was penetrate systems and leak the largest amount of the most damaging information possible. To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.
What we learned:
RSA
RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.
In March, the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse is more widespread.
Many customers were disappointed in RSA’s reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)
What we learned:
Of course there were plenty of other noteworthy incidents from 2011 that there simply isn’t space here to discuss: the (former) Tunisian government’s man-in-the-middle attack on Facebook’s login authentication, the breach of Syria’s BlueCoat logs, kernel.org, and so on.
Perhaps 2012 will bring us less interesting times!
- Marsh
“Arguably the most personal and indispensable of all mobile devices, the mobile phone is carried by virtually all demographic groups and represents the ‘new normal’ way of life for a mobile and wireless population,” notes Derek Brink, Vice President & Research Fellow, IT Security for Aberdeen and author of the Analyst Insight report.
According to the report, "For organizations looking to augment their existing username and password implementations with two-factor authentication, out-of-band solutions integrate easily with existing application and identity infrastructure, and provide the convenience of leveraging the mobile phones that most enterprise end-users already carry and use."
Click here to download the Aberdeen Analyst Insight report.
~Sarah
Most mobile authentication apps are just hardware tokens in disguise, displaying a one-time passcode that the user keys in during login. The PhoneFactor App takes a different approach.
PhoneFactor pushes a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions.
The PhoneFactor App offers a number of benefits over one-time passcode apps, including:
For more information:
Watch The Video
Try The Online Demo
~Sarah
The new PhoneFactor App harnesses the power of smartphones and tablets to provide unmatched convenience for users and out-of-band security for enterprises and banks. Here’s how it works:
Try it yourself:
Simply register for a demo account, download the PhoneFactor App from the Apple App Store, and enter the activation code provided on the demo registration screen.
~Sarah
They don’t call it Protected Health Information for nothing. Access to electronic medical records must be safeguarded by healthcare organizations. It is critical for regulatory compliance, but perhaps more importantly, it is essential to maintaining patient trust.
Securing access to patient records is vital, but so too is enabling convenient access to those records from a growing number of endpoint devices and locations. PhoneFactor and Imprivata, a leading provider of single sign-on and access management solutions for the healthcare industry, recently joined forces to guard Protected Health Information while enabling easy access for healthcare providers from both inside and outside the hospital walls.
Here’s how it works: Imprivata OneSign® and OneSign Anywhere™ provide authorized doctors, nurses, and other caregivers with fast and secure access to electronic medical records (EMR) and other applications. PhoneFactor provides an additional layer of protection by verifying access through an automated phone call or text message. The caregiver answers the call and presses # or replies to the text message to authenticate. This simple process provides the multi-factor security required by many regulatory agencies, including HIPAA and state pharmacy boards, yet is extremely easy to setup, manage, and use.
PhoneFactor integrates seamlessly with Imprivata via RADIUS and synchronizes with AD and LDAP servers to streamline user management. Easy, automated enrollment and self-service options are available through the phone and web. Learn more about PhoneFactor for Imprivata.
~Sarah
PhoneFactor helps organizations meet their strategic IT objectives by providing stronger security, an improved user experience, reduced setup and management time, and a lower total cost of ownership. But don’t take our word for it. Here are the top three IT initiatives that our customers say PhoneFactor helped them achieve.
![]() | Customers also cited: |

Is Mobile Workforce Enablement one of your goals?
Watch the on demand webcast Strong Security for Remote Workers Is Just a Phone Call Away for valuable information on how to support your increasingly mobile workforce while ensuring the strong security necessary to prevent unauthorized access and meet regulatory mandates.
~ Sarah
Not even two years after Marsh and I described the renegotiation flaw, TLS and SSL have been hit again. The attack, dubbed BEAST by researchers, was described by Rizzo and Duong at the ekoparty security conference. It allows an adversary to decrypt parts of the encrypted data stream, potentially leading to session hijacking, information disclosure, and more. The concept behind the attack had been previously described, but it was thought at the time to be impractical.
The problem lies in the way that block ciphers are used in SSL/TLS. Block ciphers are generally operated in one of several modes that define how encrypted blocks are manipulated to ensure complete confidentiality. Cipher Block Chaining, or CBC mode, is used in SSL for all block ciphers, including AES and Triple-DES. The BEAST attack relies on a weakness in the way CBC mode is used in SSL and TLS. Non-CBC cipher suites, such as those using the RC4 stream encryption algorithm, are not vulnerable.
There have been several suggested mitigations that can be put into play from the perspective of the client, such as reorganizing the way the data is sent in the encrypted stream. Servers can protect themselves by requiring a non-CBC cipher suite. One such cipher suite is rc4-sha, which is widely supported by clients and servers.
To assist with the necessary server reconfiguration, PhoneFactor has produced a white paper describing the process. Please note that it is just a recommendation that we feel would work for most sites, but it is important for you to evaluate our suggestions in light of your actual architecture.
Download Whitepaper
Download Associated Text File
In the end, TLS is still among the most widely deployed security protocols, and the fact that it’s had a difficult couple of years is an indicator of just how many eyeballs are pointed at it. It’s still always safer to use a public, highly analyzed cryptosystem than to invent one from scratch, as attacks like BEAST show just how difficult it can be to get it right.
- Steve
Stronger Security, a Better User Experience, and Lower Costs Make PhoneFactor The Clear Winner
Even before the RSA SecurID breach, organizations had begun replacing security tokens with authentication methods that better met the needs of their users and applications. Driven by user complaints, high maintenance and support costs, and decreasing protection against today’s threats, organizations are looking to methods like phone-based authentication to replace current token deployments.
See how PhoneFactor stacks up against security tokens in this head to head comparison:
PhoneFactor | Hard Tokens | Soft Tokens | |
| Security | |||
| Out-of-Band Protection from Malware and MITM | ![]() | ||
| Real-Time Fraud Alerts | ![]() | ||
| Transaction-Level Verification | ![]() | ||
| Biometrics (Three-Factor) | ![]() | ||
| Ease Of Use | |||
| Leverages an Existing Device | ![]() | ![]() | |
| No Software to Install | ![]() | ||
| No Training Required | ![]() | ||
| Seamless Authentication for Any Application on Any Device (smart phones, iPads, laptops, etc.) | ![]() | ||
| Total Cost of Ownership | |||
| Runs on Existing Server Hardware | ![]() | ||
| Automated Enrollment (No Devices to Provision and Ship) | ![]() | ![]() | |
| User Self Service | ![]() | ||
| Fallback Authentication Options | ![]() | ||
As the comparison illustrates, PhoneFactor offers a number of benefits over both hardware and software tokens. Its out-of-band security stops even the most sophisticated threats – tokens do not. Additionally, users find it much more convenient to use. This, combined with automated user enrollment, self-service tools, and an easy implementation process, provides a much lower total cost of ownership.
See for yourself – try the online demo or download and install PhoneFactor in your lab for up to 25 users.
The recent Epsilon, RSA, and Sony breaches have made the IT security landscape even more frenzied as companies rush to review, and in many cases strengthen, their current security controls. Meanwhile, the banking sector is preparing for new FFIEC regulations on internet banking authentication.
Bottom line: You need to be informed about the latest in multi-factor authentication technology to ensure that you make the best decision for your company and your customers. Watch this 10 minute webcast, featured on SCMagazine.com, to learn about:
| ![]() |
Whether you’re implementing multi-factor authentication for the first time or expanding/upgrading your current implementation, 10 Minutes On Multi-Factor Authentication, will give you the tools you need today to make an informed buying decision.
-Sarah
ZeuS and Other Malware Threats Force Authentication to ‘Step Out’ Of Band
When it comes to IT security, it is easy to simply stick with what you know. However, the threat landscape and the needs of users are rapidly changing, and technology must evolve even more quickly to stay ahead of them. And, of course, cost is a huge factor.
Financial institutions and their service providers must likewise evolve their security practices to stay ahead of these threats. This whitepaper, ZeuS and Other Malware Threats Force Authentication to ‘Step Out’ Of Band, examines the current malware threats and today’s best practices for mitigating them. Specifically, this whitepaper will explore the role of out-of-band authentication.
Download this whitepaper today.
-Sarah