PhoneFactor Blog

Top Security Incidents of 2011

Posted  December 27, 2011 By Marsh Ray

I’m sure everyone will agree that 2011 was a busy year in the field of data security! So as the year draws to a close (and hopefully slows down a bit for the holidays), it seems like the appropriate time to reflect on its events and begin the process of distilling our experiences into “lessons learned” that we can take with us into 2012.

Of course, there isn’t room here for a thorough examination of every significant event, and listing only the largest and most publicized ones risks burying some of the more interesting items. So the events below were selected for a combination of magnitude and their ability to inform our thinking going forward.

“Tehran Bob”

In March we learned that the Comodo CA had been compromised through one of its small regional resellers and tricked into issuing fraudulent certificates for a number of high-profile websites, Google’s among them. An independent Iranian hacker claimed responsibility.

In August an alert user in Iran noticed that Google’s Chrome browser was warning about the certificate presented by Google’s own sites. Chrome ships with the public keys of Google’s own certificate chain pinned, so it rejected a certificate for google.com that chained to the Dutch CA DigiNotar even though that chain validated normally in every other browser. The certificate turned out to be part of a massive man-in-the-middle attack on Gmail users in Iran, and word spread quickly that DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever removed from the browsers’ lists of trusted roots because of a security breach.

What we learned:

  • The security of every browser user in the world really does depend on every little CA reseller and sub-CA we have never heard of: any one of the hundreds of trusted issuers can sign a certificate for any name.
  • Current certificate revocation systems are simply not effective. Browsers treat a failed CRL or OCSP lookup as a soft failure, and an attacker who already sits in the middle of the connection can simply block the lookup.
  • Public-key “pinning” (tying a site to the specific keys expected in its certificate chain) provides real protection, but today only browser vendors can deploy it, and only for the sites they hard-code.
  • One person can make a difference.
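
As an added illustration (not part of the original post), the following Go program shows the pinning check in miniature. It builds two self-signed roots that the client trusts, just as browsers trusted DigiNotar, has each of them issue a certificate for the same hostname, and then applies the two checks a pinning browser performs: ordinary chain validation, which both certificates pass, and a test that some certificate in the validated chain carries a pinned SubjectPublicKeyInfo hash, which only the legitimate one passes. The CA names, the hostname mail.example.net and the pin format (base64 of the SHA-256 of the DER-encoded SPKI, the form later standardized for HTTP Public Key Pinning) are assumptions of the example; it uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and a certificate from tmpl, signed by parent
// (self-signed when parent is nil). Toy CA code for this example only.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// The templates carry the minimum Go's verifier needs: CA flag on the root, SAN and serverAuth EKU on the leaf.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// spkiPin is the pin value: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify does what every browser does (chain to any trusted root, match the hostname)
// and then what a pinning browser adds: some certificate in the chain must carry a pinned key.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) (chainOK, pinOK bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true, true
			}
		}
	}
	return true, false
}

type verdict struct{ ChainOK, PinOK bool }

// scenario: the client trusts two roots; ca[1] is compromised and issues a
// certificate for host. Both chains validate, but only ca[0]'s key is pinned.
func scenario(host string) (legit, rogue verdict, err error) {
	var ca, leaf [2]*x509.Certificate
	var key [2]*ecdsa.PrivateKey
	for i, name := range []string{"Legitimate Root CA", "Compromised Root CA"} {
		if ca[i], key[i], err = mint(caTemplate(name), nil, nil); err != nil {
			return
		}
		if leaf[i], _, err = mint(leafTemplate(host), ca[i], key[i]); err != nil {
			return
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca[0])
	roots.AddCert(ca[1]) // trusted, just as browsers trusted DigiNotar
	pins := map[string]bool{spkiPin(ca[0]): true} // shipped inside the client
	legit.ChainOK, legit.PinOK = verify(leaf[0], roots, host, pins)
	rogue.ChainOK, rogue.PinOK = verify(leaf[1], roots, host, pins)
	return
}

func main() {
	legit, rogue, err := scenario("mail.example.net")
	fmt.Println("legitimate:", legit, "fraudulent:", rogue, "error:", err)
}
```

Pinning the legitimate CA’s key rather than the leaf’s, as done here, survives routine certificate renewals; real deployments also ship a backup pin so that losing the pinned key does not lock every user out.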

Sony

After a firmware update retroactively removed Linux support from customers’ previously purchased PlayStation 3 consoles, and Sony sued the researchers GeoHot and fail0verflow, whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.

It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found that by installing their own root CA on the console they could intercept and modify the messages exchanged between the PS3 and the PlayStation Network, reportedly gaining access to internal developer systems. In unrelated attacks, account information was stolen from several of Sony’s online systems, including some 77 million customer records from the PSN. The scope of the breach was so great that Sony took the PSN offline entirely for several weeks until it could be brought back in a more secure state.

Estimates for the total cost of the attacks range from $170 million into the billions.

What we learned:

  • Systems may run just fine, vulnerable, for long periods of time.
  • The cost of an attack may far exceed the business value of the data itself. That undercuts the conventional risk-management guideline of never spending more to protect an asset than the asset is “worth”: the liability is not bounded by the asset’s value.

LulzSec

There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.

In mid-2011 a new hacking group named LulzSec appeared on the scene, seeming to spring fully formed from the head(s) of Anonymous, except that its activity was qualitatively different. Eschewing the blunt instrument of its progenitor, the Low Orbit Ion Cannon DDoS tool, this group’s preferred modus operandi was to penetrate systems and leak the largest amount of the most damaging information possible. To be sure, Anonymous used this tactic too, but LulzSec represented a refinement of it. They also skipped the meta-political goals of Anonymous and instead projected the image of a group out to shock us out of our complacency and enjoying every minute of it.

What we learned:

  • Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be “in it for the lulz,” or something else entirely.

RSA

RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.

In March the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained information that reduced the protection provided by the tokens. Some weeks later it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse was more widespread.

Many customers were disappointed by RSA’s reluctance to share details of the attack that would have let them make informed estimates of their own risk. Some were surprised that RSA retained SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used precisely to avoid sharing such secret keys unnecessarily.)

What we learned:

  • We are dependent on our vendors.
  • Even the best-regarded security companies can be “pwned” by a phishing email carrying an Adobe Flash 0-day.
  • Continuous monitoring is essential.
  • An attacker may seek to use you as merely a stepping stone in a larger plan.


Of course there were plenty of other noteworthy incidents in 2011 that there simply isn’t space to discuss here: the (former) Tunisian government’s man-in-the-middle attack on Facebook logins, the leak of logs from Syria’s Blue Coat filtering devices, the kernel.org compromise, and so on.

Perhaps 2012 will bring us less interesting times!


- Marsh


Recent Analyst Insight Report Builds a Case for Out-of-Band Phone-Based Authentication

Posted  December 20, 2011 By Sarah Fender

The Aberdeen Group recently released an Analyst Insight report, The Case for Phone-based Authentication: Jumping on the Out-of-Band Wagon, which creates a business context for why many businesses are re-evaluating their current authentication strategies. The report notes that business drivers such as increased compliance guidelines, highly publicized security breaches (particularly those of security vendors such as RSA and DigiNotar), and the growing mobility of today’s workforce are generating increased interest in out-of-band, phone-based authentication.

“Arguably the most personal and indispensable of all mobile devices, the mobile phone is carried by virtually all demographic groups and represents the ‘new normal’ way of life for a mobile and wireless population,” notes Derek Brink, Vice President & Research Fellow, IT Security for Aberdeen and author of the Analyst Insight report.

According to the report, "For organizations looking to augment their existing username and password implementations with two-factor authentication, out-of-band solutions integrate easily with existing application and identity infrastructure, and provide the convenience of leveraging the mobile phones that most enterprise end-users already carry and use."

Click here to download the Aberdeen Analyst Insight report.

~Sarah


The PhoneFactor App vs Soft Token Apps

Posted  December 8, 2011 By Sarah Fender

Most mobile authentication apps are just hardware tokens in disguise, displaying a one-time passcode that the user keys in during login. The PhoneFactor App takes a different approach.

PhoneFactor pushes a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions.

The PhoneFactor App offers a number of benefits over one-time passcode apps, including:

  • Out-of-Band Authentication – By leveraging a separate device – the phone – PhoneFactor protects against malware running on the user’s computer. Passcodes from mobile apps are typed into that same computer, so they are not out-of-band and can be captured and replayed by malware on it.
  • Real-Time Fraud Alerts – If an attacker tries to log in with stolen credentials or transfer funds from an account, the legitimate user receives a notification and can report fraud instantly from the PhoneFactor App.
  • Transaction Verification – In accordance with the 2012 FFIEC Authentication Guidance, the app can be used to verify transaction details by displaying them in the PhoneFactor App.
  • Ease of Use - With no one-time passcodes to enter, authenticating with the PhoneFactor App is quicker and easier. It works instantly with any enterprise or web application, including those running on the user’s phone.
  • One App, Countless Uses – The PhoneFactor App can be enabled for multiple accounts. For example, a controller may use the PhoneFactor App to verify online banking transactions while also using it to authenticate to the company VPN.

For more information:
Watch The Video
Try The Online Demo

~Sarah


PhoneFactor Unveils an Innovative Authentication App for iPhones and iPads

Posted  December 5, 2011 By Sarah Fender

The new PhoneFactor App harnesses the power of smartphones and tablets to provide unmatched convenience for users and out-of-band security for enterprises and banks. Here’s how it works:


Try it yourself:
Simply register for a demo account, download the PhoneFactor App from the Apple App Store, and enter the activation code provided on the demo registration screen.

~Sarah


PhoneFactor and Imprivata Team Up to Ensure That Protected Health Information Is Really Protected

Posted  October 13, 2011 By Sarah Fender

They don’t call it Protected Health Information for nothing. Access to electronic medical records must be safeguarded by healthcare organizations. It is critical for regulatory compliance, but perhaps more importantly, it is essential to maintaining patient trust.

Securing access to patient records is vital, but so too is enabling convenient access to those records from a growing number of endpoint devices and locations. PhoneFactor and Imprivata, a leading provider of single sign-on and access management solutions for the healthcare industry, recently joined forces to guard Protected Health Information while enabling easy access for healthcare providers from both inside and outside the hospital walls.

Here’s how it works: Imprivata OneSign® and OneSign Anywhere™ provide authorized doctors, nurses, and other caregivers with fast and secure access to electronic medical records (EMR) and other applications. PhoneFactor provides an additional layer of protection by verifying access through an automated phone call or text message. The caregiver answers the call and presses # or replies to the text message to authenticate. This simple process provides the multi-factor security required by many regulations and regulatory bodies, including HIPAA and state pharmacy boards, yet is extremely easy to set up, manage, and use.

PhoneFactor integrates seamlessly with Imprivata via RADIUS and synchronizes with AD and LDAP servers to streamline user management. Easy, automated enrollment and self-service options are available through the phone and web. Learn more about PhoneFactor for Imprivata.

~Sarah


PhoneFactor Aids Customers in Accomplishing Strategic IT Objectives

Posted  October 11, 2011 By Sarah Fender

PhoneFactor helps organizations meet their strategic IT objectives by providing stronger security, an improved user experience, reduced setup and management time, and a lower total cost of ownership. But don’t take our word for it. Here are the top three IT initiatives that our customers say PhoneFactor helped them achieve.

Customers also cited:
- Cost Containment
- Centralized User Management
- Disaster Recovery
- Business Continuity
- Contract Compliance
- Green IT
- Cloud Computing

as initiatives to which PhoneFactor contributed.

Is Mobile Workforce Enablement one of your goals?

Watch the on demand webcast Strong Security for Remote Workers Is Just a Phone Call Away for valuable information on how to support your increasingly mobile workforce while ensuring the strong security necessary to prevent unauthorized access and meet regulatory mandates.

~ Sarah


Slaying BEAST: Mitigating the latest SSL/TLS Vulnerability

Posted  September 23, 2011 By Steve Dispensa

Not even two years after Marsh and I described the renegotiation flaw, TLS and SSL have been hit again. The attack, dubbed BEAST by its authors Rizzo and Duong, was demonstrated at the ekoparty security conference. An attacker who can get chosen plaintext into a victim’s encrypted connection (for example, from script running in the victim’s browser) and observe the resulting ciphertext can recover pieces of the plaintext, such as a session cookie, one byte at a time, potentially leading to session hijacking, information disclosure, and more. The idea behind the attack had been described years earlier, but at the time it was thought to be impractical.

The problem lies in the way block ciphers are used in SSL/TLS. A block cipher encrypts one fixed-size block, so a mode of operation is needed to handle longer messages; in SSL 3.0 and TLS 1.0 the only mode available is Cipher Block Chaining (CBC), which every AES and Triple-DES cipher suite uses. CBC XORs each plaintext block with the previous ciphertext block before encrypting it, and those protocol versions chain records together by using the last ciphertext block of one record as the IV of the next. That IV has already crossed the wire by the time the next record is built, so an attacker who can choose the next plaintext can XOR the known IV back out and test a guess for a block whose other bytes are known. By shifting the victim’s secret so that one unknown byte at a time sits at the end of an otherwise known block, at most 256 guesses per byte recover the whole secret. Cipher suites that don’t use CBC, such as those based on the RC4 stream cipher, are not vulnerable, and neither are TLS 1.1 and 1.2, which send an unpredictable explicit IV with every record.

Several mitigations have been proposed on the client side, such as splitting each application write so that its first byte travels in a record of its own (the 1/n-1 split), which leaves the attacker unable to predict the block that follows. Servers can protect themselves by preferring a non-CBC cipher suite; rc4-sha is widely supported by clients and servers. (RC4 has since been shown to have exploitable keystream biases of its own and is now prohibited in TLS by RFC 7465; the durable fix is to support TLS 1.1 or later.)
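
To make the mechanism concrete, here is an added example in Go (not from the original post and not the researchers’ code) that models one direction of a TLS 1.0 CBC connection with a chained IV and runs the byte-at-a-time recovery described above. The victim sends attacker-chosen bytes followed by a secret cookie; the attacker sees only ciphertext. The secret value, the use of AES-128 and the assumption that the attacker knows the secret’s length are constructed for the example; the real BEAST additionally needed a same-origin bypass to inject its chosen records into the browser’s connection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize

// conn models one direction of a TLS 1.0 CBC connection: the IV of each record
// is the last ciphertext block of the previous one, the property BEAST exploits.
type conn struct {
	blk    cipher.Block
	chain  []byte // current chaining IV
	secret []byte // e.g. a session cookie the browser appends to every request
}

// newConn draws a random AES-128 key and initial IV; the attacker sees neither.
func newConn(secret []byte) (*conn, error) {
	buf := make([]byte, 2*bs)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(buf[:bs])
	if err != nil {
		return nil, err
	}
	return &conn{blk: blk, chain: buf[bs:], secret: secret}, nil
}

// pad is TLS-style: at least one byte, each holding the pad length minus one.
func pad(p []byte) []byte {
	n := bs - len(p)%bs
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n - 1)}, n)...)
}

// encryptRecord CBC-encrypts one record and chains its last block forward.
func (c *conn) encryptRecord(plain []byte) []byte {
	p := pad(plain)
	ct := make([]byte, len(p))
	cipher.NewCBCEncrypter(c.blk, c.chain).CryptBlocks(ct, p)
	c.chain = append([]byte{}, ct[len(ct)-bs:]...)
	return ct
}

// request is the victim action the attacker can trigger: a record whose
// plaintext is attacker-chosen bytes followed by the secret.
func (c *conn) request(prefix []byte) []byte {
	return c.encryptRecord(append(append([]byte{}, prefix...), c.secret...))
}

// beast recovers n bytes of the secret, one byte (at most 256 guesses) at a
// time, using only ciphertext the attacker has already seen on the wire.
func beast(c *conn, n int) []byte {
	recovered := []byte{}
	first := c.request(nil)
	last := first[len(first)-bs:] // the next record's IV, now public ciphertext
	for k := 0; k < n; k++ {
		// Choose the prefix so secret[k] is the last byte of block t and the
		// 15 bytes before it (prefix plus already-recovered secret) are known.
		prefix := bytes.Repeat([]byte{'A'}, bs-1-k%bs)
		t := (len(prefix) + k) / bs
		ct := c.request(prefix)
		target := ct[t*bs : (t+1)*bs]
		prev := last // the block XORed into block t before encryption
		if t > 0 {
			prev = ct[(t-1)*bs : t*bs]
		}
		last = ct[len(ct)-bs:]
		known := append(append([]byte{}, prefix...), recovered...)[t*bs : t*bs+bs-1]
		for g := 0; g < 256; g++ {
			// Send guess ^ prev ^ IV. CBC XORs the IV back in, so the first output
			// block equals target exactly when the guessed block is the real one.
			inj := make([]byte, bs)
			for i := 0; i < bs-1; i++ {
				inj[i] = known[i] ^ prev[i] ^ last[i]
			}
			inj[bs-1] = byte(g) ^ prev[bs-1] ^ last[bs-1]
			out := c.encryptRecord(inj)
			last = out[len(out)-bs:]
			if bytes.Equal(out[:bs], target) {
				recovered = append(recovered, byte(g))
				break
			}
		}
		if len(recovered) != k+1 { // no guess matched; stop rather than mis-slice
			return recovered
		}
	}
	return recovered
}

func main() {
	c, err := newConn([]byte("SID=s3cr3t-c00kie")) // constructed sample secret
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", beast(c, 17))
}
```

Change encryptRecord to draw a fresh random IV for every record, as TLS 1.1 does, and the attack stops working: the value XORed into the injected block is no longer known when the plaintext has to be chosen, so the guess cannot be cancelled against the target.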

To assist with the necessary server reconfiguration, PhoneFactor has produced a white paper describing the process. Please note that it is just a recommendation that we feel would work for most sites, but it is important for you to evaluate our suggestions in light of your actual architecture.

Download Whitepaper
Download Associated Text File

In the end, TLS is still among the most widely deployed security protocols, and the fact that it’s had a difficult couple of years is an indicator of just how many eyeballs are pointed at it. It’s still always safer to use a public, highly analyzed cryptosystem than to invent one from scratch, as attacks like BEAST show just how difficult it can be to get it right.

- Steve


PhoneFactor vs Security Tokens

Posted  August 2, 2011 By Sarah Fender

Stronger Security, a Better User Experience, and Lower Costs Make PhoneFactor The Clear Winner

Even before the RSA SecurID breach, organizations had begun replacing security tokens with authentication methods that better met the needs of their users and applications. Driven by user complaints, high maintenance and support costs, and decreasing protection against today’s threats, organizations are looking to methods like phone-based authentication to replace current token deployments.

See how PhoneFactor stacks up against security tokens in this head to head comparison:

The comparison covers PhoneFactor, hard tokens, and soft tokens on the following points:

Security
  • Out-of-Band Protection from Malware and MITM
  • Real-Time Fraud Alerts
  • Transaction-Level Verification
  • Biometrics (Three-Factor)

Ease of Use
  • Leverages an Existing Device
  • No Software to Install
  • No Training Required
  • Seamless Authentication for Any Application on Any Device (smart phones, iPads, laptops, etc.)

Total Cost of Ownership
  • Runs on Existing Server Hardware
  • Automated Enrollment (No Devices to Provision and Ship)
  • User Self Service
  • Fallback Authentication Options

As the comparison illustrates, PhoneFactor offers a number of benefits over both hardware and software tokens. Its out-of-band security stops even the most sophisticated threats – tokens do not. Additionally, users find it much more convenient to use. This, combined with automated user enrollment, self-service tools, and an easy implementation process, provides a much lower total cost of ownership.

See for yourself – try the online demo or download and install PhoneFactor in your lab for up to 25 users.


Everything You Need to Know About Multi-Factor Authentication In Just 10 Minutes

Posted  July 20, 2011 By Sarah Fender

The recent Epsilon, RSA, and Sony breaches have made the IT security landscape even more frenzied as companies rush to review, and in many cases strengthen, their current security controls. Meanwhile, the banking sector is preparing for new FFIEC guidance on internet banking authentication.

Bottom line: You need to be informed about the latest in multi-factor authentication technology to ensure that you make the best decision for your company and your customers.

Watch this 10 minute webcast, featured on SCMagazine.com, to learn about:

  • Today’s Top IT Security Threats
  • Key Evaluation Criteria, Such as Cost, Security, and Usability
  • How Leading Multi-Factor Authentication Methods Stack Up Against These Criteria

Whether you’re implementing multi-factor authentication for the first time or expanding/upgrading your current implementation, 10 Minutes On Multi-Factor Authentication will give you the tools you need today to make an informed buying decision.

-Sarah


PhoneFactor Publishes New Whitepaper on Malware Threats

Posted  July 19, 2011 By Sarah Fender

ZeuS and Other Malware Threats Force Authentication to ‘Step Out’ Of Band

When it comes to IT security, it is easy to simply stick with what you know. However, the threat landscape and the needs of users are rapidly changing, and technology must evolve even more quickly to stay ahead of them. And, of course, cost is a huge factor.

Malware has rapidly outpaced all other banking security threats, and according to a recent survey by PhoneFactor is now regarded as the greatest threat to online banking today. The magnitude of its infiltration into the financial services sector is astounding. Malware has evolved beyond simple keystroke logging functions to perform sophisticated real-time attacks, such as Man-In-The-Middle (MITM) attacks from online banking trojans like ZeuS, which defeat most of the security measures in place today.

Financial institutions and their service providers must likewise evolve their security practices to stay ahead of these threats. This whitepaper, ZeuS and Other Malware Threats Force Authentication to ‘Step Out’ Of Band, examines the current malware threats and today’s best practices for mitigating them. Specifically, this whitepaper will explore the role of out-of-band authentication.

Download this whitepaper today.

-Sarah
