Thursday, March 29, 2018

Week 3 - Security Assessment - Safer Alternatives To Passwords

This week in security assessment news, I decided to write about Entrepreneur’s article titled “Passwords Are Scarily Insecure. Here Are A Few Safer Alternatives”. I chose this article this week not because the information presented in it was a revelation to me, but because it appears that this movement away from passwords has not really caught fire like you would think. The article points out that passwords innately suffer from two different kinds of problems. One is that when people create passwords, they usually create weak, or very easy to guess, passwords. Some sites and systems now require a minimum number of characters and a mix of numbers, letters and punctuation; however, these types of requirements are the exception, and not the rule. The next problem passwords have is that they are extremely easy to steal from someone. Whether through viruses or worms, or simply “impersonating someone you know or trust to gain login information or personal details” (Rafaeli, 2018), this makes passwords simply not reliable. The article then covers several different alternatives that I will talk about in more detail.


The first alternative offered by the site is the idea of security tokens. These tokens generate a password, based on a “seed record” (Rafaeli, 2018), that must be entered into a login screen. This form of authentication, at this point, is still coupled with a password retrieved from the user as an extra form of security. These tokens are a great alternative as the only way someone would be able to ‘guess’ the password would be to have the device in their own hand. Without it, it would be nearly impossible to do. While this method is a drastic improvement over regular passwords, it does carry some problems. First, it’s a very expensive way to offer security, as physical devices will need to be purchased and distributed to users. It also means that users need to carry these tokens with them at all times if they wish to log in with them.


The next alternative offered by the site is the idea of biometrics, or a security device that uses fingerprints or facial scans to determine if you are who you say you are. The article mentions that “a fingerprint, for instance, can’t be lost or hacked” (Rafaeli, 2018). This is incredibly useful as a form of authentication, as biometric checks are relatively quick to complete and user friendly. While this form of authentication is catching on quickly, it is still prone to problems, much like other forms of authentication. The first is that it’s not entirely accurate all the time. The technology is still coming along in this area and more advances need to be made. The other is that, should whoever you are authenticating against get hacked, it is possible for the hackers to steal vital biometric data that can be used for more nefarious things.


Lastly, the site covered phone-based authenticators. This is the latest in the growing authentication security market, and has some of the best potential of all the methods. This operates by installing an app on your phone and connecting it to your account. When someone tries to log in with your username on a system, you would receive a notification on your phone. From there, you might have to enter a one-time password that would be generated on your phone, or simply authorize the login. I have some personal experience with these types of authenticators as I have 3 of them to satisfy requirements from several games I play. It’s curious that such high security measures are in place for simple games I play, but not for, say, my bank.


Overall this article was really good in breaking everything down. When offered, you should consider using alternative authentication methods over passwords. While not entirely foolproof, they make it hard enough that you won’t be a constant victim.


Sources Cited: Rafaeli, R. (2018, March 7). Passwords Are Scarily Insecure. Here Are a Few Safer Alternatives. Retrieved March 29, 2018, from https://www.entrepreneur.com/article/309054

Wednesday, March 21, 2018

Week 2 - Security Assessment - Orbitz Breach


For this week’s security assessment, I decided to expand upon TechRepublic’s article on a breach at the travel site Orbitz in which 880,000 customers’ payment methods were stolen. The article can be found HERE. This attack is especially unique as it targeted data that was at least 2 years old, and it brings up the idea that it is not only the most cutting-edge, most-used sites that are targets. Older legacy systems are just as much at risk as any other site.


TechRepublic lays out that hackers were able to steal “two years of data, including names, birthdates, home addresses, email addresses, and gender information” (Forrest, 2018). This information, including information about credit cards, could lead to devastating results for those who would be affected. All this information, including, oddly enough, information about the customer’s gender, could allow a whole spree of new attacks on other systems or people. While this attack is not necessarily as widespread as many other attacks that have happened in recent history, its size is considerable and scary.


While this attack and the information stolen would be noteworthy on their own, there is a second point that everyone should sit up and take notice of. This attack was not against Orbitz’s main webpage that is in existence at this very moment. Instead, the hackers targeted a much older legacy system whose security features were not as secure as the main site’s. This incident reminds us all that security needs to exist prominently and aggressively across all products that are exposed to the web, and updates and upgrades of these features need to be performed and maintained across all systems, including legacy. TechRepublic states “legacy systems are a reality in most IT environments” (Forrest, 2018), so we should be ever mindful of how good the security features are on legacy systems.


When it comes to how to combat these sorts of attacks, I believe that IT professionals should keep an active document of some nature that maintains what the current security features are on all their systems, including things like versions. This document should be regularly reviewed, and if one system requires an upgrade or patch, this document should be consulted to see if any other system requires the same upgrade or patch, even legacy systems. Vigilance and monitoring are our best tools to fight back against attacks like this.



Sources Cited:
Forrest, C. (2018, March 21). Orbitz 880K credit card breach highlights IT's need to protect legacy systems. Retrieved March 21, 2018, from https://www.techrepublic.com/article/orbitz-880k-credit-card-breach-highlights-its-need-to-protect-legacy-systems/#ftag=RSS56d97e7

Friday, March 16, 2018

Week 1 - Security Assessment - Cybercrime-as-a-service

This week I learned about a new and terrifying way that hackers are conducting their attacks against us, and that is through the concept of ‘cybercrime-as-a-service’. A great article produced by ZDNet found here walks through a cybercrime-as-a-service named BlackTDS that allows cybercriminals to learn their trade and be assisted in their attacks utilizing a variety of different means. As ZDNet points out, this could include “hosting and configuration of the components of a sophisticated drive-by attacks, as well as support for social engineering” (Palmer, 2018). While these features are scary enough, BlackTDS offers its services at a relatively low cost, allowing a much lower barrier to entry for those wishing to carry out these attacks. It appears that this site began to advertise that it could do these services around the end of the year, and also deliver their attacks through fake updates from major software companies.

Some takeaways I got after reading this article were that we need to do our best to shut down these types of sites as soon as they are uncovered. While many of these sites are situated on foreign soil, we should be reaching out to countries to help in shutting these criminals down and removing their site from the internet. The next big takeaway from all of this is making sure that any software update you receive from any company is first verified to be from the company you think it is. This can be a bit hard as most updates are received from automatic installers, but we should do our best to verify that these automatic installers are legit, and not install any updates to any software from a random site that is not the original software site.
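An added example, not from the article or this post: a minimal pre-install check for a downloaded update that exact-matches the download host against the vendor's documented hosts and compares the file's SHA-256 with the value the vendor publishes. The host name, installer bytes and published digest are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed value: hosts the vendor documents as its download servers.
VENDOR_HOSTS = {"downloads.vendor.example"}

def origin_is_vendor(url: str) -> bool:
    """Exact-match the host over HTTPS; substring checks are fooled by look-alikes."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in VENDOR_HOSTS

def digest_matches(payload: bytes, published_sha256: str) -> bool:
    """Compare the file's SHA-256 with the published hex digest."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())

def check_update(url: str, payload: bytes, published_sha256: str) -> list:
    """Return the reasons to refuse the installer; an empty list means it passed."""
    problems = []
    if not origin_is_vendor(url):
        problems.append("download host is not the vendor's")
    if not digest_matches(payload, published_sha256):
        problems.append("SHA-256 differs from the published value")
    return problems

# Constructed sample: installer bytes and the digest the vendor would publish for them.
GENUINE = b"constructed installer bytes v2.0"
PUBLISHED = hashlib.sha256(GENUINE).hexdigest()

if __name__ == "__main__":
    for url, data in [
        ("https://downloads.vendor.example/setup.exe", GENUINE),
        ("https://downloads.vendor.example.updates.test/setup.exe", GENUINE),
        ("https://downloads.vendor.example/setup.exe", GENUINE + b"!"),
    ]:
        print(url, check_update(url, data, PUBLISHED) or "ok")
```

A digest only proves anything if it was obtained over a channel other than the download itself; a vendor code signature checked by the operating system is the stronger control where it is available.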

Sources Cited: Palmer, D. (2018, March 15). Cyber-crooks find a new way to share malware and scams. Retrieved March 16, 2018, from http://www.zdnet.com/article/cyber-crooks-find-a-new-way-to-share-malware-and-scams/#ftag=RSSbaffb68