May 3, 2012 – PhoneFactor, Inc., the leading global provider of phone-based authentication services, today announced that Network Products Guide, the industry’s leading technology research and advisory guide, has named PhoneFactor a finalist for the 7th Annual 2012 Hot Companies and Best Products Awards in the Hot Technologies category. The Hot Technology award in particular recognizes technologies that are experiencing rapid market adoption of their products with continued high-speed growth, many times replacing a declining technology.

PhoneFactor’s platform features a suite of phone-based authentication options, including a phone call, text message, and smartphone app. By leveraging a user’s existing phone, PhoneFactor provides unmatched user convenience, a low total cost of ownership, and strong out-of-band protection from today’s most sophisticated threats.

PhoneFactor’s innovative approach to multi-factor authentication is particularly well–suited to today’s elevated threat environment, as well as the busy IT department and multi-tasking end user. PhoneFactor is often chosen over legacy technologies like security tokens and certificates.

“We are pleased to be recognized as a leader in our field,” says Tim Sutton, PhoneFactor CEO. “New, challenging threats are requiring improved, innovative approaches to user authentication and it’s gratifying that PhoneFactor’s vision of the phone as the best authentication device is being validated.”

About Network Products Guide Awards
As the industry’s leading technology research and advisory publication, Network Products Guide plays a vital role in keeping decision makers and end-users informed of the choices they can make in all areas of information technology. You will discover a wealth of information and tools in this guide including the best products and services, roadmaps, industry directions, technology advancements and independent product evaluations that facilitate in making the most pertinent technology decisions impacting business and personal goals. The guide follows conscientious research methodologies developed and enhanced by industry experts. To learn more, visit www.networkproductsguide.com.

We recently surveyed more than 300 IT professionals, and their responses indicate an overwhelming lack of confidence in the security of their corporate networks. This was particularly apparent when IT pros were asked how much of their own money they would stake that their networks will not be breached in the coming year.

The majority (70%) of respondents were only Somewhat or Not At All Confident that an unauthorized person could not gain access to their network. And when asked if an expert hacker would be capable of infiltrating their network, 84% thought it was at least possible.

So, we asked IT professionals to put their money where their mouth is. How much of their own money would they be willing to bet that their company’s network will NOT be compromised in the next 12 months? The majority (58%) would bet $0.

It’s easy for a person to say that their network is secure, but when we asked them to make a bet using their own money they simply would not do so unless these further protections were put into place.

So, what’s driving all of this uncertainty? More than half of respondents cited malware, including root-kits, zero day exploits, and man-in-the-browser attacks as putting their networks at risk. Other key concerns include: Use of personal devices to access company resources (BYOD), the sheer volume of attacks, and widespread use of remote network access.

Perhaps one of the most unsettling insights to come out of the survey is the fact that only a quarter of IT professionals were confident that they would know if their network had been infiltrated.

Recently, a number of high-profile instances of attackers lurking undetected within corporate networks, sometimes for years, have come to light. In one such case, the email of Nortel executives was compromised for nearly a decade, allowing an attacker to access trade secrets and other sensitive information sent via email.

Knowing when an attacker is attempting to infiltrate your network is critical, particularly if the attacker been able to breach your first line of defense. For 87% of IT pros, receiving a real-time alert by phone call, text or e-mail any time someone attempted to log in with a stolen password increased their confidence in the security of their network. For one-third, this would have a significant impact on their confidence level.

A similar number of IT professionals, indicated that verifying user logins through an out-of-band phone call would increase their confidence.

Given the increased confidence out-of-band authentication and the real-time fraud alerts out-of-band methods can provide, we asked respondents whether having these tools in place would impact their willingness to bet on the security of their networks – 78% answered in the affirmative.

This lack of confidence in current security controls is driving adoption of out-of-band authentication from PhoneFactor. Nearly half (45%) of all respondents indicated that their company was planning to increase their use of out-of-band authentication over the next two years.

PhoneFactor provides strong protection from malware, fends off increasingly prevalent attacks, and shores up security for increasingly mobile workforces and the many devices that are used to access company networks.

If you aren’t willing to bet a dime on the security of your network, you are still taking a gamble. Put the odds in your favor with out-of-band authentication with real-time fraud alerts.

Following the launch of its authentication app for iPhones and iPads last December, PhoneFactor recently released a version of the app for Android smartphones and tablets. By adding support for Android devices, the PhoneFactor App now ensures that iOS users are not the only hip people “App Authenticating” around the office, house, coffee shop, or wherever their busy lives takes them.

Smartphones and tablets have become an extension of daily life for hundreds of millions of people worldwide. As of late 2011, there were more than 440 million iOS and Android devices in the field. By leveraging the devices, which millions of users already carry with them, PhoneFactor provides simple, secure, and cost-effective multi-factor authentication.

The PhoneFactor authentication app works by pushing a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions. The PhoneFactor App provides strong, out-of-band protection from today’s most sophisticated threats. And it’s easy for IT to set up and easy for your employees and customers to use.

The most trusted device your users own can be used to establish trust when accessing your network. If you haven’t “App Authenticated” yet, click here to give it a try.

March 6, 2012 – PhoneFactor, Inc., a leading global provider of multi-factor authentication, today announced the availability of revealing new survey data. Last month more than 300 IT professionals were surveyed about the security of their corporate networks, and their responses indicate an overwhelming lack of confidence. In fact, more than half were unwilling to bet their own money that their corporate network would not be breached in the next year. Having the right tools in place, such as real-time alerts and stronger authentication, increases confidence enough for most to raise their bets. Other findings include:

• More than two-thirds (70.3%) of respondents are only somewhat confident or not at all confident that an unauthorized person could not gain access to their network.
• Only one-quarter (25.7%) of respondents are very confident that they would know that their network had been infiltrated.
• When asked if an expert hacker would be capable of infiltrating their network, 84.4% thought it was at least possible, with 23.1% answering that an expert hacker could definitely gain access to their corporate network.
• Some of the top reasons respondents feel their network may be vulnerable are:
  • Malware, including root-kits, zero day exploits, and man-in-the-browser attacks (55.4%);
  • Use of personal devices to access company resources (45%);
  • Sheer volume of attacks (35.2%); and
  • Widespread use of remote network access (32.6%).

  In banking, Current authentication methods are defeated by many of today’s current attacks (22%) ranks as the fourth biggest influencer.

• When asked to wager one of five amounts – $0, $1000, $5000, $50,000, or $1,000,000 – that their network will NOT be compromised in the next 12 months, 57.7% refused to take the bet, going instead with $0.
• Real-time alerts by phone call, text or e-mail any time someone attempted to log in with a stolen password increased respondents’ confidence in making a bet by 87%.
• Verifying user logins through an out-of-band phone call increased their confidence in making a bet by a minimum of 93.1%, with greater increases in banking and large companies.
• When respondents were then asked again how likely they would be to raise their initial bet that their network would NOT be compromised in the next 12 months if out-of-band authentication and real-time fraud alerts were in place 77.8% answered in the affirmative, increasing to 80.8% in banking.
• Also worth noting is that nearly half (44.6%) of all respondents indicated that their company was planning to increase their use of out-of-band authentication over the next two years.

“It’s easy for a person to say that their network is secure, but when we asked them to make a bet using their own money they simply would not do so unless these further protections were put into place,” said Sarah Fender, Vice President of Marketing and Product Management at PhoneFactor.

“This persistence is reflected in PhoneFactor’s growth across all industries,” Fender continued. Organizations are deploying PhoneFactor’s out-of-band authentication platform to provide better protection from malware, fend off increasingly prevalent attacks, and shore up security for their increasingly mobile workforces and the many devices that are used to access the network.”

February 28, 2012 – PhoneFactor, Inc., a leading global provider of multi-factor authentication, today launched the Android version of its authentication app for smartphones and tablets. The PhoneFactor App was initially unveiled late last year for iPhones and iPads, adding a third method of securing account logins and transactions using a phone. PhoneFactor’s completely out-of-band authentication platform also includes phone call and text message options.

By adding support for Android devices, the PhoneFactor App now ensures that iOS users are not the only hip people “App Authenticating” around the office, house, coffee shop, or wherever their busy lives takes them. Smartphones and tablets have become an extension of daily life for hundreds of millions of people worldwide. Using these same devices to provide multi-factor authentication – a function that has become a must-have security tool in nearly every industry – is preferred by users over carrying security tokens and more convenient than certificates that requires the user to be on their work or home computer.

The PhoneFactor App is extremely easy to use. It works by pushing a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions. To report fraud, the user simply taps the “Report Fraud” option instead to block the attacker and alert the company’s fraud response team.

The PhoneFactor App works anywhere the user’s mobile device is connected to either a cellular or a Wi-Fi network. This means users can “App Authenticate” anywhere, including on a plane in the air – definitely increasing the cool factor for both iOS and Android users.

“Smartphones and tablets are the multi-tool of today’s professional generation. Busy hyper-taskers use them for everything from checking email and paying bills to remotely performing complex and high risk job tasks. The PhoneFactor App makes multi-factor authentication second-nature for them,” commented Tim Sutton, PhoneFactor CEO. “We’re glad that Android is now available so that everyone can experience App Authenticating.”

People whose companies use PhoneFactor can download the PhoneFactor App in the Apple App Store or the Android Marketplace for free.

February 15, 2012 – PhoneFactor, Inc., the leading global provider of out-of-band authentication services, today announced that Info Security Products Guide, the industry’s leading information security research and advisory guide, has named PhoneFactor a finalist for the 2012 Global Excellence Awards in the Authentication Solution (Multi, Single or Two-Factor) category. These prestigious global awards recognize security and IT vendors with advanced, ground-breaking products and solutions that are helping set the bar higher for others in all areas of technology.

PhoneFactor’s platform features a suite of phone-based authentication options, including a phone call, text message, and smartphone app. By leveraging a user’s existing phone, PhoneFactor provides unmatched convenience, a low total cost of ownership, and strong out-of-band protection from today’s most sophisticated threats.

PhoneFactor’s easy-to-use authentication serves customers in every industry. Its real-time fraud alerts and transaction verification features set PhoneFactor apart from all others protecting banking logins and transactions. Healthcare providers love the flexibility of using only their phone instead of carrying multiple security tokens. And in enterprises across the globe IT managers find PhoneFactor exceedingly simple to set up, manage, and support with off-the-shelf implementation for most remote access vpn software, Citrix, Microsoft Terminal Services, OWA, and other common applications. Additionally, PhoneFactor includes robust reporting, logging, and many other enterprise tools to streamline productivity.

“We are honored to again be recognized as an industry leader,” notes Tim Sutton, PhoneFactor CEO. “As PhoneFactor continues to evolve our product to thwart today’s – and tomorrow’s – advanced threats, it is gratifying to see our endeavors recognized.”

About Info Security Products Guide
Info Security Products Guide sponsors leading conferences and expos worldwide and plays a vital role in keeping end-users informed of the choices they can make when it comes to protecting their digital resources. It is written expressly for those who are adamant on staying informed of security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow’s technology today, best deployment scenarios, people and technologies shaping info security and market research that facilitate in making the most pertinent security decisions. The Info Security Products Guide Awards recognize and honor excellence in all areas of information security. To learn more, visit www.infosecurityproductsguide.com and stay secured.

Read the review on SCMagazine.com.

Of course, there isn’t room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.

“Tehran Bob”

In March we learned that the Comodo CA had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.

In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google’s Chrome browser was giving warnings about the certificate appearing on Google’s own web sites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers’ list of trusted roots for weak security.

What we learned:

• The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we’ve never heard of before.
• Current certificate revocation systems are simply not effective.
• CA “pinning” can provide improved security, but currently only browser vendors have access to it.
• One person can make a difference.

Sony

After retroactively banning Linux from their customers’ previously-purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.

It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems. In unrelated attacks, account information was breached from several of Sony’s online systems including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down their PSN entirely for several weeks until it could be brought back online in a secure manner.

Estimates for the total cost of the attacks range from $170 million into the billions.

What we learned:

• Systems may run just fine, vulnerable, for long periods of time.
• The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is “worth.”

LulzSec

There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.

In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different. Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group’s preferred modus operandi was penetrate systems and leak the largest amount of the most damaging information possible. To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.

What we learned:

• Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be “in it for the lulz,” or something else entirely.

RSA

RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.

In March, the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse is more widespread.

Many customers were disappointed in RSA’s reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)

What we learned:

• We are dependent on our vendors.
• Even the most well-regarded technology companies can be “pwned” by an Adobe Flash 0-day.
• Continuous monitoring is essential.
• An attacker may seek to use you as merely a stepping stone in a larger plan.

Of course there were plenty of other noteworthy incidents from 2011 that there simply isn’t space here to discuss: the (former) Tunisian government’s man-in-the-middle attack on Facebook’s login authentication, the breach of Syria’s BlueCoat logs, kernel.org, and so on.

Perhaps 2012 will bring us less interesting times!

- Marsh