« July 2012 | Main | September 2012 »

August 2012

August 22, 2012

Dropbox gets hacked, introduces two factor authentication

After many of their users got spammed, Dropbox took action with a series of tactics to increase their access security. One of their main new features is optional two-factor authentication to log in. Read the full story. 

They haven’t yet announced how they’ll implement two factor authentication or how it will work. Hopefully they won’t try to invent a custom solution and instead use industry standards like SAML (the security assertion markup language) and OATH HOTP to use stronger authentication mechanisms like two-factor authentication and single sign-on from vendors like Scorpion Software.

The key point is Dropbox is finally taking a look at extending its security and trust model, and for that we congratulate them. Hopefully they will follow the trail of some of their competitors like Box.net and include SAML for their more business-focused accounts.

A side benefit is that Dropbox is showing other companies the importance of password security, and what companies can do to gain stronger identity assurance. They’re leading by example and showing the world how to protect against spammers and hackers.

We hope in the future that more businesses will adopt two factor authentication to protect their clients and their own servers, accounts, and basically everything they do on a computer. Two factor authentication systems like AuthAnvil Two Factor Auth add an extra layer of protection because users enter a PIN they know, along with a dynamically generated one-time password produced by an app on their smartphone, a YubiKey in their USB port, or a hardware keyfob on their key ring. That means only the right people can get in. It  decreases the chances of someone going into a website and sending out spam, and also helps prevent internal problems like an ex-employee going into your server and deleting everything.

We hope Dropbox will use industry standards like SAML so our mutual customers can take advantage of their investments in AuthAnvil Password Solutions to protect their Dropbox accounts. We’re proud of them for taking this important step to protect their clients. Go Dropbox!

Posted at 08:00 AM | | Comments (0) | TrackBack (0)

| |

August 16, 2012

Is SSO secure?

This morning I had a CEO from a major IT Service Provider ask my a question point blank:

Is SSO secure?

He was concerned with the realization that more and more services are moving to the cloud, and the recommendation by companies like Microsoft on how to "make it easier on users" and still more secure was to reuse their domain credentials through something like Active Directory Federation Services (ADFS) and dirsync. The concept of federation clearly has benefits, as it does make it easier for people as they have to remember less passwords. However, my response to his question surprised him, and he asked if I would share it publicly.

So here is that response.

The short answer in general is "Yes". SSO can be secure. The longer answer is that it depends on the initial authentication. SSO works by extending the reach of the initial authentication step. So long as that step is robust, subsequent application logins can also be trust worthy. In other words, if a user signs into the SSO system with a stronger credential that increases the level of identity assurance, you can have a higher level of confidence in who is making those requests. A simple password to log into a SSO system is not enough. This is why AuthAnvil Two Factor Auth is mandatory in AuthAnvil Single Sign On. To extend on-premise trust to the cloud, you HAVE to be sure of the initiating party. And you should CONTROL that trust; you shouldn't abdicate that responsibility to yet another cloud service that isn't in your control. 

So ADFS with a domain credential by itself doesn't make cloud access more secure. You are simply using a static password that can be shared, stolen or guessed. Where it is stored and the password policies you set has some benefit and bearing, but not a whole lot. Worse yet, you expose your business to greater risk if that credential can somehow be captured; so if you think that using ADFS in something like Office 365 is a good idea when accessed from untrusted PCs, you are being short sighted. Consider what could happen in a business running Small Business Server with ADFS. If a keylogger or browser plugin sniffer captures that credential as you login to your favorite cloud service, they can now also log into Remote Web Access (RWA) or RD Gateway and directly connect to all your files and PCs. Clearly that becomes a new risk you have to consider. And monitor. And a new threat to defend against.

The benefits of using SSO are about simplifying the user's experience by having them log in once, and then have access to the applications they use all day without having to enter a password again. In the old days of local networks where Kerberos could be used, that was easy. In a world where we have to extend access to applications in the cloud, it gets a bit more difficult. Especially when the hosts we may be using will probably be LESS trusted as they are not managed by the company. Tablets. Smartphones. Home computers. Computers and kiosks in public places. The list goes on and on.

This is one of the benefits of AuthAnvil Password Solutions. You get both AuthAnvil Two Factor Auth and AuthAnvil Single Sign On together, along with static password management with AuthAnvil Password Server. So if you want to access things like Google Apps or Office 365 you can do so WITHOUT having to know a password. You end up using a PIN with a stronger one-time password generated by your AuthAnvil token, an app running on your smartphone or Yubikey. So users don't have to remember another password. That credential is much stronger. Cannot be duplicated or forged. Or ever reused.

So to that CEO, yes SSO can be secure. As long as that initial authentication is strong. Don't rely on a simple password as your sole defense to all your sentive applications and systems. Use a system that supports multifactor authentication with identity assurance like AuthAnvil Single Sign On.

Posted at 09:51 AM in In the Trenches | | Comments (0) | TrackBack (0)

| |

August 15, 2012

Microsoft patch Tuesday caused Wednesday whammy for AuthAnvil Password Solutions

Hey guys,

Just a quick note if you are trying a new install of AuthAnvil Password Solutions today and its not working for you. Yesterday Microsoft decided in their infinite wisdom to update many of the links to their x86 pre-req runtimes. That has caused some issues with our installers, which prevents the intelligence engine that downloads the Microsoft pre-reqs from their site to fail, blocking the installation.

We are aware of the issue and are actively building a new set of installers that address this issue. They are just going into QA testing now and should be available in the next few days. In the meantime, if you are having an issue doing a new install please open a case at www.scorpionsoft.com/help/ and our Customer Service team would be happy to help and point you to appropriate guidance in our knowledgebase on how to get around this so you can have a successful install.

Our apologies for the inconvenience.

Posted at 11:37 AM in Product News | | Comments (1) | TrackBack (0)

| |

Companies spend millions to fix password leaks

We tend to wax poetic about what would happen if your passwords got into the wrong hands. Hey, it’s our job.

But money speaks louder than any of our dire warnings. 

LinkedIn spent up to $1 million so far to fix a security breach. When hackers stole about 6.5 million passwords and posted them online, LinkedIn scrambled with their wallets open to figure out what happened and increase security. Read the full story

Cleaning up after a password breach is shockingly expensive, but it’s not just the clean-up you have to pay for. You could also get sued. And everyone knows, court cases are a money pit. There’s the legal costs, lawyers fees, and the actual money you can get sued for.

Take Yahoo for example. They leaked as many as 450,000 usernames and passwords from a site. Now they’re getting sued for negligence by a customer whose password was stolen. The court case is still developing.

The point is these companies are paying good money to clean up after themselves. It would’ve been infinitely cheaper to secure access to their company infrastructure from the get go and avoid these problems.

If you’re reading this and you don’t have strong password management practices in place like AuthAnvil Password Solutions, then consider how getting sued for negligence would damage your reputation and cost. Remember, Errors & Ommisions (E&O) insurance doesn’t cover you when you knowingly put customers at risk, such as neglecting to change passwords when technicians leave your organization, or letting existing techs share credentials openly so they cannot be tracked or audited.

Don’t wait to get exploited before taking action to enhance your password management process. If you hedge your bets on hoping for the best, you might just find yourself with empty pockets.

Posted at 08:00 AM | | Comments (0) | TrackBack (0)

| |

August 07, 2012

Bank account data stolen when thieves nab computer stacks.

Usually when passwords get stolen it’s through remote access. That’s what makes today's example so bizarre (it’s an oldie but a goodie).

Thieves busted into an unalarmed office at the University of Victoria and stole computer towers. That equipment contained unencrypted banking and insurance information for nearly 12,000 current and former staff.

Wait, what? The building wasn’t alarmed. The files were unencrypted. Did they take any security measures at all? Because of this oversight, nearly 12,000 people had to spend a day phoning their banks to make sure their money is safe and their identity isn’t stolen. What a risk and a waste of time.

Hindsight is always 20/20. We can wag a finger at them, but many of us have the same practices right now in our own businesses.

Do a mental tally. Do you know which staff members have usernames and passwords to sensitive company files? Is there anyone who left or was laid off that might still have access? Do you write your passwords down in a notebook or use lame ones like “password” or “12345”? If so, your information is no safer than our friends over at the University of Victoria.

Take a minute to review your password and access policies. Consider how you audit who has access, when, where and why. And then decide how you would gather that information when you need to investigate. Do you have an irrefutable audit trail and control of who accesses what? You need a snapshot of your risk profile, and the confidence in knowing you have complete oversight of access to the most sensitive information in your business. Get all this with our AuthAnvil Password Server. 

If you don’t have the confidence of full oversight now, let's talk. We can help.

Posted at 08:00 AM | | Comments (0) | TrackBack (0)

| |

August 01, 2012

Yahoo gets hacked. Passwords unencrypted.

Hackers recently used  a common attack vector called SQL injection to get more than 450,000 usernames and passwords, allegedly from Yahoo Voices. The real shocker is the passwords were stored in plaintext. As one of the largest service providers responsible for millions of online accounts, Yahoo didn’t bother to store these user credentials in an encrypted manner. What were they thinking? Read the full story.

Remember, when hackers nab a username and password, it’s not just that specific account that’s at risk. Admit it – chances are you share the same password for multiple accounts. Some people use the same password for most of their accounts like Gmail, Kaseya, and PayPal; many are known to use the same passwords for their bank accounts too. And hackers use this to their advantage. They grab user credentials from one weak site, and then see if they’re the same on other sites. That’s how hackers are stealing cash from Best Buy online customers right now.

In a recent analysis of these Best Buy accounts, one in five had the same credentials for sites like LinkedIn and Yahoo on their main Microsoft account as well. Consider the risk if a hacker could access Microsoft assets like SkyDrive, TechNet, or the Microsoft Online Store. It would be disastrous if an adversary stole private files, software license keys, and more.

If all your staff use the same logon credentials for multiple sites (which they do, believe me), that opens you and your clients’ systems up to a lot of risk. You need to ensure you have the highest possible security for your accounts, because people are the weakest link in your safety measures.

Maybe some of your staff use the same credentials for Yahoo Voice as they do for your PSA. See how easy a breach could be? Imagine what would happen if a staff member’s account to ConnectWise or Autotask was accessed by an untrusted party. Think of the amount of sensitive customer information he would have access to. In any case, it’s surprising that Yahoo stored this account data unencrypted. But in many cases, even businesses that do encrypt data are using older techniques that can’t be trusted anymore. Our latest episode of Crack the Cred shows how easy it is to decipher poorly encrypted passwords once you do have the data.

So today’s lesson is never use the same password twice. And if you’re a business owner, demand that all staff use the strongest passwords they can and encrypt them with the best solutions you can get your hands on; make sure your staff use strong password solutions. That’s where we can help. Let's talk.

Posted at 09:24 AM in In the Trenches | | Comments (0) | TrackBack (0)

| |

Search

Visit Our Company Website
Subscribe to this blog's feed

Categories

Archives

More...

Become a Fan