5 May 2015

Creating a Pattern for Authentication

We all use patterns to create passwords and have our own ‘unique’ formulas that we hope will keep us secure and able to remember them. So, I was not surprised to read a story on TechWeekEurope in which Praetorian had reported that half of users’ passwords follow just 13 structures.

What did shock me though is that there were as many as 13. How many of you use the tried and tested pattern for creating a password that begins with a capital letter at the start of a memorable word, followed by a memorable number and ending in an exclamation mark? My guess is that it is the majority of you!

It may seem to make sense that fewer structures inevitably make it easier for hackers to decipher passwords and therefore organisations should have policies for ‘strong’ passwords enforced upon them to avoid the obvious, and make it harder. However, the fact of the matter is even if there were double, quadruple or even ten times the number of structures being used, all it would do to a determined cybercriminal is slow them down a little, forcing them to use a wider variety of tools and tactics in their arsenal. It certainly would not stop or deter them.

My answer to the problem is simple. If people like using patterns to create passwords and those passwords are not secure, then remove the password from the equation altogether and use the pattern. This is the foundation upon which PINgrid is based.

Of course, the obvious question to ask is what is to stop the professional cybercriminal or opportunist from simply guessing, or identifying, patterns? After all, surely that is easier than passwords! So, here is the clever part. Unlike passwords, the user never discloses the pattern that they have chosen.

Using PINgrid, when the user logs in they simply type in the numbers (digits 0-5 are used in the grid) displayed in their memorable pattern. And, because these numbers are constantly changing, it creates a huge range of possibilities. In a standard 6x6 configuration, PINgrid provides 2.1 billion unique pattern possibilities; scale that up to 8x8 (digits 0-7 used in the grid) and the number grows to an incredible 68.7 billion.

Author: Alissa Lang, Winfrasoft

28 April 2015

Making Passwords Easy to Digest

I am all for making security easy to digest, but actually eating passwords is taking things a step too far in my book. We have all seen the movies where someone eats a piece of paper containing the evidence, but does anyone seriously think this could be the future of authentication? It seems there are people that do!

Security professionals are familiar with the ‘traditional’ authentication factors such as...
  • Something you have – A key-ring token for example
  • Something you know – The username and password combination
  • Something you are – The biometric in all its forms
However, last week some new factors were proposed…
  • Something you have eaten
  • Something you have implanted
  • Something you have injected
These concepts have been mooted in the past as a flight of fantasy, but now PayPal's Global Head of Developer Evangelism, Jonathan Leblanc, has suggested to the Wall Street Journal that ‘natural body identification’ in the form of edible, injectable and implanted devices could well be the shape of things to come, with current biometric techniques a stepping stone. For those of you old enough to get the reference, it is all starting to sound a little ‘Logan’s Run’ to me!

Whilst I appreciate that our industry needs visionaries to help break the stranglehold passwords have on our lives, it is also important that we don’t get carried away. Passwords have been used for hundreds of years in one form or another and, whilst people are tired of them, I believe this type of talk is not at all helpful in moving the conversation forward.

Yes, this type of story does grab the headlines, but the truth is: why would anyone want to use these proposed forms of identification? Especially when there are methods available today that are proven to be practical, affordable and far less invasive. Also, whilst an ingested tablet may be able to identify you, that isn’t the same as authenticating you, and in most scenarios we find ourselves in today it isn’t just about proving that we are who we say we are, but also that we have the permissions to do what we want to do.

So, I hope that in years to come it will be those who suggest such crazy ideas that are eating their words and not consuming passwords!

Author: Alissa Lang, Winfrasoft

22 April 2015

Sharing Passwords on National Television

A few days ago I wrote about a recent survey which found employees would be willing to sell their passwords. However, it now seems to be about giving them away for free, by broadcasting them to the nation, in what turned out to be perhaps one of the most ironic television interviews of the year.

You may recall that the French broadcaster TV5Monde was the subject of a major hack, thought to be orchestrated by Islamic State supporters, which caused the station to stop broadcasting for over three hours. But, in what turned out to be an embarrassing interview with a reporter to discuss the incident, a representative from the station could be seen standing in front of a wall plastered with notes revealing the passwords to accounts such as the station’s Instagram, Twitter and YouTube channels.

Of course, accidentally broadcasting passwords is very different from an employee selling them, but the fact that they were placed on the wall in the first place highlights the theme that employees do not see the significance of sharing and disclosing passwords, even when an organisation is in the midst of recovering from a severe cyber-attack. Secondly, the only reason that the passwords would have been posted on the wall in the first place was clearly convenience and ease of use, as it means no-one needs to remember them.

The problem with passwords (well, one of them) is the fact that for most people they are perceived to be a barrier in the way of getting to where they want to go, and not an intrinsic and important security measure. So, it is inevitable that employees will look to find ways to make the barrier smaller, whether it is posting them on the wall, displaying them on a post-it stuck to the monitor, or making them as easy to remember as possible.

So, to counteract this behaviour you need to educate employees as to the importance of security, whether it is accessing the corporate network or the Twitter account. After all, in the eyes of the media a data breach is a data breach. Realistically, a hacker is unlikely to do much damage by gaining access to a social network account, but the fallout and reputational impact can be immense and hard to recover from.

Furthermore, you need to look at the password as a tool and ask: if people find them difficult to remember, how can we make it easier? Or, could we do without them altogether? Yes, this contradicts many calls to make passwords stronger and more complex, but that has been said for many years now and it isn’t working.

The time has come for a new approach that makes it easy for employees to play their part in keeping the organisation secure by removing the burden of remembering a password. For more information check out PINgrid.

Author: Alissa Lang, Winfrasoft

17 April 2015

Would your employees sell their company passwords?

We have too many passwords, it is tough to remember all of them, they are not as secure as we would hope (regardless of how ‘strong’ they are) and it costs IT helpdesks a small fortune to handle the constant stream of reset requests. These are all familiar pain-points of the password, but if a new survey is to be believed it would seem that organisations need to watch their back, as one in seven employees are willing to sell their passwords for as little as $150.

This was the finding of a global survey conducted by the identity management company SailPoint earlier this year. This says two things to me. The first is that organisations need to better educate their employees as to the ramifications of a security breach, as I am sure many people are naïve about what a determined criminal can accomplish with one single password. Secondly, if people could be tempted to disclose their password for such a relatively small sum of money, we as security professionals need to take a close look at how we can remove the temptation.

It is often said that the human factor is the weakest link in the security chain. So clearly, the most obvious way to stop corporate passwords being sold is to remove the need for people to have them in the first place. After all, if you don’t have it you can’t sell it! You may say “Easier said than done”, but in truth it is simple.

The ubiquity of passwords has for too long made IT departments and security professionals wary of replacing them. This is coupled with the fact that the available alternatives, such as biometrics, have been accompanied by hefty price tags, challenging roll-outs and resource-intensive management. However, new solutions such as PINgrid are taking the elements of password-based security that work well and replacing those that don’t.

So, if you are an employee you still log in using a passcode, but it is a one-time code generated from a pattern that you have memorised within a simple grid (either displayed on-screen, or via an app on a mobile device). Of course an employee could sell their pattern, but it would be worthless as the digits within it are never repeated in the same sequence. Therefore, they would also have to sell their device along with it, and I don’t know anyone who would be willing to be parted from their phone (whether their own device or a corporate-owned one) for a few minutes, let alone sell it (apps intact) to a total stranger!
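The grid-pattern one-time code described in this post, and the 6x6 / 8x8 pattern counts quoted in the 5 May post above, can be illustrated with a small simulation. The code below is an added example written for this page; it is a simplified model and not PINgrid's own algorithm or code. It assumes a memorised pattern of six (row, column) cells that may repeat, a fresh grid of digits 0 to side-1 per login, and the user typing the digits found at those cells in order. With those assumptions, 36^6 and 64^6 reproduce the 2.1 billion and 68.7 billion figures the page gives. It also shows the defender's caveat that a single challenge grid only has side^6 possible answers, so the verifier still needs attempt limits like any OTP scheme.

```python
import hmac
import secrets

# Toy model constructed for this page (not PINgrid's real algorithm): the secret is
# a memorised sequence of grid cells; each login shows a fresh grid of digits and
# the user types, in order, the digits sitting in those cells.

PATTERN_LENGTH = 6  # ASSUMPTION: six cells reproduces the page's 6x6 and 8x8 figures


def pattern_space(side: int, length: int = PATTERN_LENGTH) -> int:
    """Ordered patterns of `length` cells on a side x side grid, cells reusable.
    36**6 = 2,176,782,336 (page: 2.1 billion); 64**6 = 68,719,476,736 (page: 68.7 billion)."""
    return (side * side) ** length


def code_space(side: int, length: int = PATTERN_LENGTH) -> int:
    """Distinct codes possible for ONE challenge grid. Digits run 0..side-1, so a
    single login has only side**length valid answers (6**6 = 46,656 on a 6x6 grid);
    the server must rate-limit or lock out after a few wrong attempts."""
    return side ** length


def new_grid(side: int, rng=None):
    """Fresh challenge grid; each cell holds a digit in 0..side-1.
    `rng` is injectable so tests can be reproducible; default is a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    return [[rng.randrange(side) for _ in range(side)] for _ in range(side)]


def code_for(grid, pattern) -> str:
    """Read the one-time code: the digits at the pattern's (row, col) cells."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, pattern, typed: str) -> bool:
    """Server-side check of what the user typed against the grid it issued.
    Constant-time comparison avoids leaking how many leading digits matched."""
    expected = code_for(grid, pattern)
    return hmac.compare_digest(expected.encode(), typed.encode())


if __name__ == "__main__":
    # Constructed sample: the user's memorised pattern is the main diagonal.
    pattern = [(i, i) for i in range(PATTERN_LENGTH)]
    grid_a = new_grid(6)
    grid_b = new_grid(6)  # the next login's grid
    code_a = code_for(grid_a, pattern)
    print("grid A:", *grid_a, sep="\n  ")
    print("code typed for grid A:", code_a, "->", verify(grid_a, pattern, code_a))
    # The same code replayed against a fresh grid is (almost always) rejected,
    # which is why an observed code is worthless without the pattern and device.
    print("same code replayed on grid B ->", verify(grid_b, pattern, code_a))
    print("6x6 patterns:", pattern_space(6), " 8x8 patterns:", pattern_space(8))
    print("answers per single 6x6 challenge:", code_space(6))
```

The design point to take from this is the split between the two numbers: `pattern_space` is what an attacker who knows nothing must search across logins, while `code_space` is what one guessed answer to one grid is drawn from. The second is small, which is normal for one-time codes and is why lockout thresholds, not the size of the pattern space alone, bound online guessing.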

Author: Alissa Lang, Winfrasoft

18 March 2015

Why I Want To Bank on My Brain and not Biometrics

In an article published today by Infosecurity Magazine, Alissa Lang from Winfrasoft explains how many banks are moving away from passwords by introducing or trialling biometrics. However, Alissa puts forward a strong argument that they do not have a place in authenticating customers, stating "I want to use my brain when I bank, and not a biometric."

You can read the full story at: http://www.infosecurity-magazine.com/opinions/why-i-want-to-bank-on-my-brain-and/

3 March 2015

The Importance of SME Security in the Supply Chain

In Europe two out of every three employees are employed by SME organisations. However, when the topic of security and cybercrime is being discussed you would be forgiven for thinking that these businesses are in the minority, as the media (and to a large extent the vendors) focus on larger and wealthier enterprises.

It would be fair to say that for the majority of SMEs security issues do not feature heavily in their day-to-day thinking. After all, they are focused on running their revenue generating operations and why would they worry about issues that seemingly only ever happen to the ‘big boys’? And even if they do appreciate the risks, few have the time to keep abreast of the latest threat landscape and ways to safeguard against them.

The problem is however that cybersecurity is very much an issue for SMEs and the impact can be devastating. For one of those large organisations that hit the headlines it can inflict harm on their brand reputation if not managed correctly and it can cost many millions of pounds to resolve, as well as impacting the bottom line, but by and large they have the resources and infrastructure to bounce back. For a vulnerable SME a basic ransomware attack could spell the end of their business.

Of course, some of these attacks on high profile organisations are targeted, and the owner of an SME may counter with the question ‘Why would a cybercriminal be interested in me?’ To answer that question, take a moment to think like a criminal. They specialise in finding weak links. Some will be opportunistic and see an open door, or window, with a wallet left on the table unguarded. Meanwhile, others will be far more calculated in their approach. Your business may not be the ultimate target, but you may present the ‘open window’ through which they can get access to the organisation that is tempting them with a big score! You are just collateral damage. What is more, that organisation you are supplying certainly won’t thank you.

Going after the weak link in the supply chain isn’t new (you may recall the now famous Lockheed Martin incident back in 2011). For this reason supply chain security has moved up the ICT agenda for large enterprises. So, for those SMEs who can demonstrate that they will not be the weak link, it could well be the point of difference between winning a major contract and losing out to a competitor.

Most SMEs do have a basic level of protection, but for many the only time it is mentioned is when the annual renewal of the anti-virus software comes around.

In today’s world of multiple always on, always connected devices it is the password that provides the first line of defence. Get hold of a password and all too often the cybercriminal has the keys to the candy store – confidential information, contracts and contacts, passwords and access to systems, and in some instances that can include third parties!

The challenge for an SME, and especially those on the larger side of the spectrum, is being able to manage passwords adequately. When someone creates a password they do so because they think they will remember it, not because they think it will be secure. Enforce more complex or so-called ‘strong’ passwords and the cost of constant reset requests will go up. Worse still, so does the likelihood that they will be written down on a Post-It note and stuck on the side of a monitor (insider attacks can and do happen). Ask them to change their passwords frequently and it will inevitably be a variation on the same theme, so DavidSmith1! becomes DavidSmith2!

Large security conscious organisations (and I stress that not all of them are) invest in additional layers of security, such as key-ring tokens and even biometrics, but they introduce complexity, are expensive, are resource intensive to manage and out of reach for most SMEs. What is more, many of them will revert back to password-based authentication if they fail! However, thankfully there is a new breed of innovative and affordable software-based solutions on the market that can give small and large organisations alike the same calibre of first-line defence, replacing passwords without massive change, closing what has until now been an easy door to walk through for the determined cybercriminal.

If you would like to learn more about how to safeguard your supply chain visit: www.pingrid.com

Author: Steven Hope, CEO of Winfrasoft

18 February 2015

Would you use Touch ID for your mobile banking?

You will likely have seen the news that RBS and Nat West are planning to use Apple's Touch ID. On the face of it, it would seem to make perfect sense to make use of this latest innovation in smartphone technology; however, in my opinion Touch ID for banking is not a good idea.

Firstly, when this technology was launched it was hacked within days and with relative ease, and that was not a big surprise. After all, it simply isn’t commercially viable to place high-quality biometrics technology on a mass-market consumer device costing a few hundred pounds.

I myself am an iPhone user and stopped using Touch ID when I challenged a friend over dinner to get access to my device. It wasn’t until I got home later in the evening that I realised he had succeeded in changing some of my settings.

We do need to move away from passwords, and what they are replaced with must strike a balance between delivering security and usability if it is going to become ubiquitous. For me, whilst this latest news from RBS and Nat West is a great headline grabber, it is ultimately the latest gimmick on the biometrics bandwagon.