Of course, there isn’t room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.

“Tehran Bob”

In March we learned that the Comodo CA had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.

In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google’s Chrome browser was giving warnings about the certificate appearing on Google’s own web sites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers’ list of trusted roots for weak security.

What we learned:

• The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we’ve never heard of before.
• Current certificate revocation systems are simply not effective.
• CA “pinning” can provide improved security, but currently only browser vendors have access to it.
• One person can make a difference.

Sony

After retroactively banning Linux from their customers’ previously-purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.

It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems. In unrelated attacks, account information was breached from several of Sony’s online systems including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down their PSN entirely for several weeks until it could be brought back online in a secure manner.

Estimates for the total cost of the attacks range from $170 million into the billions.

What we learned:

• Systems may run just fine, vulnerable, for long periods of time.
• The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is “worth.”

LulzSec

There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.

In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different. Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group’s preferred modus operandi was penetrate systems and leak the largest amount of the most damaging information possible. To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.

What we learned:

• Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be “in it for the lulz,” or something else entirely.

RSA

RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.

In March, the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse is more widespread.

Many customers were disappointed in RSA’s reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)

What we learned:

• We are dependent on our vendors.
• Even the most well-regarded technology companies can be “pwned” by an Adobe Flash 0-day.
• Continuous monitoring is essential.
• An attacker may seek to use you as merely a stepping stone in a larger plan.

Of course there were plenty of other noteworthy incidents from 2011 that there simply isn’t space here to discuss: the (former) Tunisian government’s man-in-the-middle attack on Facebook’s login authentication, the breach of Syria’s BlueCoat logs, kernel.org, and so on.

Perhaps 2012 will bring us less interesting times!

- Marsh

The Aberdeen Group recently released an Analyst Insight report, The Case for Phone-based Authentication: Jumping on the Out-of-Band Wagon, which creates a business context for why many businesses are re-evaluating their current authentication strategies. The report notes that business drivers, such as increased compliance guidelines, many highly publicized security breaches – particularly those in the security space such as RSA and DigiNotar, and the growing mobility of today’s workforce, are generating increased interest in out-of-band, phone-based authentication.

“Arguably the most personal and indispensable of all mobile devices, the mobile phone is carried by virtually all demographic groups and represents the ‘new normal’ way of life for a mobile and wireless population,” notes Derek Brink, Vice President & Research Fellow, IT Security for Aberdeen and author of the Analyst Insight report.

According to the report, "For organizations looking to augment their existing username and password implementations with two-factor authentication, out-of-band solutions integrate easily with existing application and identity infrastructure, and provide the convenience of leveraging the mobile phones that most enterprise end-users already carry and use."

Click here to download the Aberdeen Analyst Insight report.

~Sarah

December 15, 2011 – PhoneFactor, Inc., a leading global provider of multi-factor authentication, today announced the availability of an Analyst Insight report completed by the Aberdeen Group, a leading provider of fact-based research and market intelligence, regarding best practices in the use of technology. A Case for Phone-based Authentication: Jumping on the Out-of-Band Wagon validates the foundation for PhoneFactor’s product line, out-of-band, phone-based authentication.

“Arguably the most personal and indispensable of all mobile devices, the mobile phone is carried by virtually all demographic groups and represents the ‘new normal’ way of life for a mobile and wireless population,” notes Derek Brink, Vice President & Research Fellow, IT Security for Aberdeen and author of the Analyst Insight report.

The paper creates a business context for why many businesses are re-evaluating their current authentication strategies, including increased compliance guidelines, many highly publicized security breaches – particularly those in the security space such as RSA and DigiNotar — and the increasing mobility of today’s workforce.

“This report echoes what we are seeing in the marketplace as customers are quickly replacing in-band authentication with far more secure out-of-band solutions,” notes Tim Sutton, PhoneFactor CEO and co-founder. “The benefits of security and convenience, coupled with PhoneFactor’s powerful enterprise toolset, make the PhoneFactor platform a leading choice for companies that are replacing legacy token systems with more modern alternatives.”

The report includes a case study from a global provider of information solutions who switched to PhoneFactor from security tokens. Click here to download this Analyst Insight report.

About Aberdeen Group, a Harte-Hanks Company
Aberdeen provides fact-based research and market intelligence that delivers demonstrable results. Having queried more than 30,000 companies in the past two years, Aberdeen is positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions.

As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted marketing company. Aberdeen’s analytical and independent view of the “customer optimization” process of Harte-Hanks (Information – Opportunity – Insight – Engagement – Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748.

“We strongly believe that out-of-band transaction verification is critical to stopping threats that have become more sophisticated and virulent,” says Jorge Solis senior vice-president of security at the bank. “We are very pleased to be able to offer this extended level of security to our clients who view us as their trusted business partner.”

Read the article on ABA Banking Journal.

PhoneFactor pushes a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions.

The PhoneFactor App offers a number of benefits over one-time passcode apps, including:

• Out-of-Band Authentication – By leveraging a separate device – the phone – PhoneFactor protects against malware running on the user’s computer. Passcodes from mobile apps, which are entered into the user’s computer, are not out-of-band and as such are vulnerable to attack.
• Real-Time Fraud Alerts – If an attacker tries to log in with stolen credentials or transfer funds from an account, the legitimate user receives a notification and can report fraud instantly from the PhoneFactor App.
• Transaction Verification – In accordance with the 2012 FFIEC Authentication Guidance, the app can be used to verify transaction details by displaying them in the PhoneFactor App.
• Ease of Use - With no one-time passcodes to enter, authenticating with the PhoneFactor App is quicker and easier. It works instantly with any enterprise or web application, including those running on the user’s phone.
• One App, Countless Uses – The PhoneFactor App can be enabled for multiple accounts. For example, a controller may use the PhoneFactor App to verify online banking transactions while also using it to authenticate to the company VPN.

For more information:
Watch The Video
Try The Online Demo

~Sarah

“The benefit here is it provides one more method to communicate with a customer and to get them to participate in the out of band authentication experience,” Julie Conroy McNelley

Read the article on AmericanBanker.com.

Read the article on CIO.com.

Try it yourself:
Simply register for a demo account, download the PhoneFactor App from the Apple App Store, and enter the activation code provided on the demo registration screen.

~Sarah

December 5, 2011 – PhoneFactor, Inc., a leading global provider of multi-factor authentication, today launched its authentication app for smartphones and tablets. The PhoneFactor App is now available for iPhones and iPads, and will be available soon for Android devices. The App leverages the innovative out-of-band architecture that is a hallmark of the PhoneFactor platform to provide a different kind of authentication app.

While most mobile authentication apps output a one-time-passcode (just replicating the functionality of a hardware token), the PhoneFactor App takes a unique approach. PhoneFactor pushes a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions.

The PhoneFactor App offers a number of benefits, particularly when compared to one-time passcode apps, including:

• Out-of-Band Authentication – By leveraging a separate device – the phone – PhoneFactor protects against malware running on the user’s computer. Passcodes from mobile apps, which are entered into the user’s computer, are not out-of-band and as such are vulnerable to attack.
• Real-Time Fraud Alerts – If an attacker tries to log in with stolen credentials or transfer funds from an account, the legitimate user receives a notification and can report fraud instantly from the PhoneFactor App.
• Transaction Verification – In accordance with the 2012 FFIEC Authentication Guidance, the app can be used to verify transaction details by displaying them in the PhoneFactor App.
• Ease of Use – With no one-time passcodes to enter, authenticating with the PhoneFactor App is quicker and easier. It works instantly with any enterprise or web application, including those running on the user’s phone.
• One App, Countless Uses – The PhoneFactor App can be enabled for multiple accounts. For example, a controller may use the PhoneFactor App to verify online banking transactions while also using it to authenticate to the company VPN.

“There is a reason people use mobile apps to pay bills, check movie show times, and connect with friends: they are incredibly convenient,” said Timothy Sutton, PhoneFactor CEO. “The same is true for using the PhoneFactor App for authentication. Users always have their phones with them and simply tapping ‘Authenticate’ when prompted by the app just could not be any easier. Users aren’t even aware of the security benefits of PhoneFactor versus security tokens, but they know that they like it better.”

The PhoneFactor App works anywhere the user’s mobile device is connected to a cellular or Wi-Fi network. It is built into the core PhoneFactor platform, which provides out-of-the-box integration with all leading remote access VPNs, web applications, cloud services, and banking systems. It synchronizes with Active Directory and LDAP servers to automate enrollment and centralize user management. Robust reporting and logging is available for auditing and compliance. The PhoneFactor platform is trusted by thousands of organizations to secure millions of logins and transactions each month.

Supporting Quote:
“Enterprises are proactively re-evaluating their strategies for authenticating end-users with methods that are stronger than username and password, and Aberdeen’s research confirms strong interest in phone-based approaches such as PhoneFactor. Unlike software implementations of traditional one-time password tokens, the PhoneFactor mobile app provides an out-of-band solution to authenticate end-users or verify the legitimacy of online transactions – which means effective protection against man-in-the-middle attacks, while leveraging the portability and usability of the mobile phones most end-users already carry and use. Organizations that are looking at phone-based authentication should put out-of-band solutions such as PhoneFactor on their respective short lists.” – Derek Brink, Vice President and Research Fellow for IT Security and IT GRC at the Aberdeen Group, a Harte-Hanks Company

PhoneFactor App Resources:
Video
Online Demo

Source: http://www.phonefactor.com/images/PhoneFactorApp.jpg	Source: http://www.phonefactor.com/images/PhoneFactorApp2.jpg

Bank: First Midwest
Problem: Crooks compromised the bank’s token-based authentication meant to protect online commercial funds transfers.
Solution: Verifying “out of band,” via the phone, all online ACH and wire transfers from commercial clients.

Read the full case study on AmericanBanker.com.