3 November 2014

Winfrasoft To Reassess How Assets And Information Can Be Secured At Info-Crime Summit In London

Winfrasoft will be helping more than 200 heads of security to move away from password-based protection at the Info-Crime Summit. The company behind the award-winning PINgrid is sponsoring and participating in the event, which takes place in London on 25th and 26th November.

CEO of Winfrasoft, Steven Hope will host a 40-minute boardroom session which will open with a brief history of the password, a candid review of what passwords are good and bad for, a discussion around the inherent flaws of password protection in today’s world and practical measures that can be taken to solve them. Hope states:

“Archaic password-based systems underpin most of today’s authentication and often it is the only line of defence. Now is the time to reassess how assets and information are secured from the ground up, with the help of the latest technology innovations.”

Winfrasoft is a FIDO Alliance member, Microsoft Certified partner in Security & Identity and embedded systems, and contributing member of OATH, so is ideally placed to provide information security professionals attending the Info-Crime Summit with the information and tools needed, in order to respond to the surge in dissatisfaction and disillusionment surrounding password-based authentication.

The company will also be demonstrating its award-winning PINgrid authentication solution. It uses a 6x6 number grid that can be presented to the user on-screen, or on their smart device via an app. The user simply creates a memorable pattern (from a possible 2.1 billion different combinations) and then each time they wish to log on to a site protected by PINgrid they use this pattern to extract a one-time code (OTC) from the numbers on the grid. Furthermore, as PINgrid is kept separate from the login screen it safeguards against keylogging, screen scraping, fingerprint smudges and shoulder surfing.

For more information about the Info-Crime Summit visit: http://www.info-crime.com/

28 October 2014

Passing Comment on Passwords (Part Four)

A recent article in The Telegraph reported that this year 110 million pieces of data have already been illegally sold, representing a 300 percent rise since 2012. This data mostly consists of login credentials, essentially meaning username and password details.

Of course, the same advice is wheeled out, encouraging everyone to be more diligent and to change passwords more frequently. But personally, I do not have a free evening every two weeks that I can dedicate to changing every password on every online account I have! Meanwhile, Facebook is busy scouring the web to try and find out if our details have been compromised. But I would prefer it if efforts were focused on stopping it happening in the first place.

Asking people to regularly change passwords just isn’t feasible and we should have learnt by now that the majority of us just won’t do it. Even if everyone did change their passwords regularly, at best it would possibly reduce the ‘quality’ of the data being bought and sold.

Speaking at the Information Security Solutions Europe (ISSE) conference in Brussels last week the Head of the European Cybercrime Centre (EC3), Troels Oerting, commented that most of the people who go online do not have a clue what they are getting into and someone needs to protect them. Meanwhile, the former Cyber-Security Coordinator of the Obama Administration, Howard Schmidt, advised that we need better security to have fewer victims, but this makes it harder for people to do their jobs.

A recurring theme at the conference was the fact that still cybercrime has the potential to deliver high profit and at low risk of being caught, especially as much of it is conducted across national borders. So, all the while login credentials are easy pickings there is no reason to expect this to change. The positive feedback I can report is that there is much consensus among security professionals that we must move away from passwords, with recognition for initiatives such as the FIDO Alliance (of which Winfrasoft is a member) that is working to balance improved security with user convenience. So, now the debate has moved on to how to achieve it.

Adding layers of security is one approach and this week Google has been introducing its new security key, which is essentially a hard token for 2FA. However, I suspect it won’t be on many people’s Christmas lists for two reasons. The first is that it is a token and that means I will need to carry it around with the other tokens I already have on my key ring. The second issue I have is that it is a USB device and neither my smartphone nor my tablet (the two devices that I tend to use the most for going online) has a USB port.

I agree that adding layers of complexity is important to thwart cybercriminals but if you make it more complex for the user then you end up with paralysis. So, as smartphones and tablets have become ubiquitous it is these devices that I strongly believe hold the key (as opposed to the key ring token!). Placing the token on to these devices adds convenience, as you always have it with you. Then, if you remove the need for the user to remember a password and the requirement for the organisation to store it, in my book you have a winning solution.

To find out how this works in practice take a look at PINgrid: www.pingrid.com

Author: Alissa Lang, Winfrasoft

23 October 2014

Winfrasoft Appliance update for SSL 3.0 POODLE attack (CVE-2014-3566)

Winfrasoft is pleased to make available Winfrasoft Appliance Update 2.0 for all Winfrasoft appliances running Microsoft Forefront TMG, UAG and Winfrasoft AuthCentral. The update protects the appliance from the recently discovered vulnerability in the SSL 3.0 protocol and the POODLE attack (CVE-2014-3566) and further hardens the cryptographic configuration of the appliance.
Detailed information and the download location of Winfrasoft Appliance Update 2.0 is available here: http://www.winfrasoft.com/support/kb/kb-42.aspx
All support enquiries should be emailed to support@winfrasoft.com

The SSL 3.0 vulnerability is an industry wide issue and is not restricted to a single vendor. Further information about the vulnerability and the attack is available here:
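The check a practitioner wants after applying an update like the one above is that the appliance no longer negotiates SSL 3.0 at all. The following Python is an added example written for this page; it is not Winfrasoft code and is not part of Appliance Update 2.0. It builds a minimal SSL 3.0 ClientHello, classifies the first record a server sends back, and (in probe()) sends the hello over a socket. A server that answers with an SSL 3.0 ServerHello still accepts the protocol CVE-2014-3566 targets; a fixed server answers with an alert (handshake_failure 40 or protocol_version 70) or simply closes the connection. The cipher-suite list and the host/port arguments are assumptions for the example.

```python
"""SSL 3.0 acceptance probe (added example, not Winfrasoft code)."""
import os
import socket
import struct

SSL3 = (3, 0)  # record/handshake version bytes 0x03 0x00
# A few SSL 3.0-era cipher suites (AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA),
# enough to draw a ServerHello from a server that still negotiates SSLv3.
# Assumption for the example; the server's real configuration decides the answer.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)


def sslv3_client_hello(client_random=None):
    """Record: ContentType(1) Version(2) Length(2) | Handshake: Type(1) Length(3) body."""
    client_random = client_random if client_random is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes(SSL3)                                   # client_version 0x0300
        + client_random                               # 32 random bytes
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(SSL3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Return ('server_hello', (major, minor)), ('alert', description) or ('unknown', None)."""
    if len(data) < 5:
        return ("unknown", None)
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    record = data[5:5 + length]
    if content_type == 0x16 and len(record) >= 6 and record[0] == 0x02:
        return ("server_hello", (record[4], record[5]))   # server_version in ServerHello
    if content_type == 0x15 and len(record) >= 2:
        return ("alert", record[1])                        # AlertDescription
    return ("unknown", None)


def accepts_sslv3(data):
    """True only if the server completed version negotiation at SSL 3.0."""
    kind, value = classify_response(data)
    return kind == "server_hello" and value == SSL3


def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to host:port and classify the reply (network use)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""   # a reset or silence also means "not negotiated"
    return accepts_sslv3(data), classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # hypothetical target
    vulnerable, detail = probe(target)
    print(target, "accepts SSL 3.0" if vulnerable else "rejects SSL 3.0", detail)
```

Run it against the appliance's published address after the update and expect "rejects SSL 3.0"; repeat for every listener (TMG/UAG web listeners and AuthCentral) because each can carry its own protocol settings. The probe only tests the first record, which is all that is needed to tell whether the version was accepted.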

10 October 2014

Passing comment on passwords (Part three)

The fallout from the celebrity iCloud hack continued this week with Apple announcing that it has added an extra layer of security. So, now if you are an Apple device user and have third party apps that connect to your iCloud (I suspect that will be many of you!) you now need to create a unique password for each app. However, we all know that if you have an Apple device you will have a lot of apps and many of these will be connected to your iCloud, so are we really going to create ‘unique’ passwords for each? I suspect what will happen is that people will use the same password for every app, and therein lies the big problem with passwords in general.

Today, passwords underpin security. Businesses use passwords in an attempt to add security; for those of us who use them (essentially everyone), security is of course important, but we typically put the emphasis on convenience. Meanwhile, the cybercriminal is on the hunt for them.

In an article published by Sky News, researchers at Carnegie Mellon University in the US think that they have found the secret formula to creating and remembering up to 14 complex passwords. It suggests that you use a person, an action and an object to create a password, for example ‘Bill Gates rowing teacup’ or ‘Steve Jobs tasting cheese’ (these are all words that were used in the research). We have had fun playing around with the idea but I can’t see it catching on. I have more than 14 accounts that require passwords, many of them require the use of numbers and non-alphabet characters, and some have a specific character limit, which means it simply wouldn’t work. But first and foremost I do not want to spend my day trying to remember if ‘Tiger Woods shearing hen’ or ‘Luke Skywalker juicing owl’ is my Facebook, Amazon or LinkedIn password! And then, if I get that bit right, did I add an uppercase letter and an exclamation mark at the end in order to satisfy the need to make it supposedly ‘strong’?

The truth is that until we address the imbalance between security and convenience all that is ever being done is papering over the cracks. The fact that academics at Carnegie Mellon University even deemed such research necessary highlights just how crazy the concept of password management has become in our modern lives. What is more, none of this takes into account the fact that no matter how long and convoluted you make a password, if it is stored somewhere (and you can be sure an organisation has your password as you disclose it every time you log on or transact) then it is vulnerable to theft and abuse.

If you want to learn more about how passwords are past it then we will be demonstrating PINgrid at GITEX Technology Week in Dubai next week. We will be in hall 3 on stand C3.

Author: Alissa Lang, Winfrasoft

26 September 2014

Passing comment on passwords (Part two)

I very much like the idea of needing to remember just one secret that I can use to logon to all of my online services, so the concept of a password manager is in many ways very appealing. However, this week I was not at all surprised to read that a UC Berkeley report has found five popular password managers contained critical vulnerabilities.

My problem with this type of solution is the fact that every single one I have investigated to date uses a password at the front-end! Yes it is true that this approach means you only need to remember just one password, so one major bugbear of password usage has been nullified. But if someone cracks that code, then they now have access to all your accounts, meaning halcyon days for the identity thieves and fraudsters out there.

Meanwhile, it seems that not a day goes by without the revelation of a new biometric innovation that is heralded as the next big thing in authentication. We have had fingerprints, palm vein, voice and facial recognition, and now in a story published online by Time it seems we can now all be identified by our heart rhythm using an ECG-authenticating wristband. Authentication in a heartbeat if you will!

However, in an article published by the Washington Post entitled ‘We know the password system is broken. So what’s next?’ Hayley Tsukayama takes a closer look at the viability of using some of the mainstream biometrics as an alternative to passwords. Having experienced biometrics first-hand (I once lived in South Africa in a gated community) I am very dubious about their effectiveness. When I first moved in we were issued with a card to gain access, but these were soon replaced by fingerprint readers and they often failed. As a result the security guard on duty would check to see if he recognised me and would then use his fingerprint to open the gate. My point is that if a biometric fails, what do you do? And therefore biometrics will only ever be as strong as the back-up you have in place.

Meanwhile, amongst the masses of news stories bemoaning passwords an article published on DARKReading by Corey Nachreiner stands out like a sore thumb as he bravely puts a case for the defence of passwords. He argues that if you adhere to best practice you are likely to be OK. He may have a point, but the problem with this approach is that it means creating many different and complex passwords for each of the online resources that you use, and that brings us back to the reason password managers have grown in popularity!

A password manager that doesn’t rely on a password would be an immense step in the right direction in marrying convenience with security.

Author: Alissa Lang, Winfrasoft

12 September 2014

Passing comment on passwords

In the last few weeks passwords have been making headlines for all the wrong reasons. The leaked compromising photos of Jennifer Lawrence and other celebrities were front page news, after they apparently fell foul of having ‘weak’ passwords to protect their iCloud accounts. This news has prompted an outpouring of advice from experts, telling people how to go about creating ‘strong’ passwords. In contrast The Register published a story in which Dinei Florencio and Cormac Herley rubbish the very concept of strong passwords.

Last week Google announced an update to its password generator that creates passwords for you and this may prove to be very useful, given that on Wednesday it was reported that five million Google passwords have been leaked on Russian cybercrime forums.

Meanwhile, Yahoo has shared the 500 passwords that you should not use (take a look and see if you have any of them). In contrast an article published by PC Magazine suggests that: “There are safe and secure ways to share passwords, and as long as you're doing it properly, it's a perfectly acceptable practice.” I would argue that the exact opposite is true. A password is a secret!

There are certainly a lot of mixed messages and advice, but the cold hard truth is that passwords are not secure, and even if you are diligent and try to make a password as complicated as possible it is still vulnerable, as a story published on Tuesday by The Daily Mail highlights. The cybercrime attack involved people being sent an email invoice regarding the upcoming Peter Pan pantomime in Bournemouth. When the recipient clicks on the message it installs a virus that could potentially steal passwords and other information.

As I have said before a password is supposed to be a secret. But a secret is no longer a secret if you tell someone, write or type it, if you are overheard (literally or virtually) saying it, or it is stolen, and this makes the things we use passwords to safeguard vulnerable to those who want to exploit or extort us.

This week I would like to leave you with a comment from Eugene Kim published by Business Insider in which he says “If there’s anything good that came out of last week’s iCloud leak, it’s that more people are aware of two-factor authentication now.” I couldn’t agree more, but I would suggest taking a close look at PINgrid!

Author: Alissa Lang, Winfrasoft

3 September 2014

Winfrasoft to Showcase PINgrid the Password Alternative At GITEX Technology Week

BRACKNELL, UK - Winfrasoft will be showing visitors to GITEX Technology Week how its award-winning pattern-based authentication solution, PINgrid, is making passwords a thing of the past. The authentication company will be on stand C3-1C at the Dubai World Trade Centre from 12th to 16th October.

The PINgrid solution is attracting widespread attention from the banking, payments, healthcare and retail communities around the world, as a cost-effective way to replace traditional hard-tokens and to remove the negative impact of the barriers passwords put in the way of accessing online services and corporate networks. To demonstrate the effectiveness of PINgrid, Winfrasoft will run a week long challenge at GITEX Technology Week.

Sales and Marketing Director at Winfrasoft, Alissa Lang explains: “Anyone that visits our stand will have as many chances as they like to try logging in to a desktop that we have protected through PINgrid. If they can crack the code they walk away with a Microsoft Surface Pro 3.” The 8x8 number grid version of PINgrid has 68.7 billion pattern combinations, so to give people a chance Winfrasoft will be using the standard 6x6 grid configuration that contains just 2.1 billion different combinations!

Lang adds: “Despite rigorous and regular penetration testing PINgrid has never been cracked. However, the real purpose of the challenge is to get people hands on with the solution and to demonstrate just how strong yet usable it is, whether it is implemented as a 1.5, 2 or even 3 factor authentication solution.” 

With the PINgrid solution in place an organisation can present the grid-based challenge on-screen in 1.5FA format, or it can be used to transform any smartphone or tablet into a soft-token using the PINgrid app. The user sets the pattern of their choice and when they want to log in they simply type the numbers that feature in their grid pattern into the PIN box displayed on their laptop, desktop or mobile device screen. As the numbers are constantly changing, the code they enter changes.

“Because the pattern is never revealed and the numbers are forever changing, PINgrid safeguards against common attacks such as keylogging, screen scraping and even shoulder surfing,” comments Lang. “In fact we will encourage visitors to carefully watch our team log in and then try to do the same.”

Winfrasoft’s attendance at GITEX Technology Week follows a highly successful exhibition of PINgrid at CeBIT in Germany at the invitation of the UKTI and Infosecurity Europe in London earlier this year. To learn more about PINgrid you can watch this short video: https://www.youtube.com/watch?v=YshA42jh5kg

For more information about GITEX Technology Week and to register visit: www.gitex.com. CEO of Winfrasoft, Steven Hope will be available for briefing at the event and to schedule a meeting contact Graham Thatcher on Tel: +44 (0) 2380 111 970 or Email: graham.thatcher@mccint.com.

2 September 2014

Don’t Let Passwords Leave You Exposed

It would seem that password security can leave you exposed in more ways than one, if the latest story on ITSecurityGuru and the national media is to be believed. The story suggests that a piece of software that guesses passwords for the ‘Find my iPhone’ feature is to blame for nude photos of the Oscar winning actress, Jennifer Lawrence, hitting the Internet and social media this week.

The story is a stark reminder that if you do not want people to see your personal pictures and private information then the best thing to do is not put it online in the first place! But, if you are going to do it then make sure that the password you choose is as ‘strong’ as possible (it is understood that the hack used the most common Apple passwords). The advice of using a mix of upper and lowercase letters and numbers doesn’t just apply to iCloud, but also to Dropbox, Facebook, Gmail, in fact any of the multitude of online resources that we all regularly use.

However, ‘strong password’ is a bit of a misnomer as in truth no password is really very strong, and this latest story lays bare how inadequate password security continues to be in safeguarding the data we choose to store and share online. iCloud is just one of a long line of stories that highlight the frailty of passwords and I am sure it won’t be the last.

So, my question to every organisation that uses passwords is simply – Why?

We as users of these services need to be mindful of how we use them, but in my view those who provide them have a duty of care to do their very best to provide adequate protection, and passwords are clearly not up to the task.

To find out more about passwords, how people use them and the problems it is causing take a look at: https://www.youtube.com/watch?v=YshA42jh5kg

Steven Hope, CEO of Winfrasoft

1 September 2014

Dear diary, please save me from passwords and PINs

I know I am not alone when I say that I loathe passwords! I seem to have hundreds of them (or truth be told a small handful for hundreds of websites). Passwords sit at the top of my list of things to place into Room 101, however, unlike other things in my life that I have an immense dislike of, such as cauliflower, I simply cannot avoid them. Or can I?

One afternoon a few weeks back I decided that I was going to try and go an entire day without using a single password or PIN and keep a diary of my experience. I knew it would be a challenge but truth be told on the day of the task I didn’t make it out of bed before logging on. A little dejected I decided to rethink my strategy and chose to monitor how often I used a password and a PIN, in order to see if my hatred is misplaced.

As I say, the day started with the alarm going off on my Google Nexus 7 at 6.45am, as usual I reached for the device and automatically entered my PIN to access it. Fortunately, I am already logged on to my email account and Facebook, so after watching a dozen or so ALS Ice Bucket Challenges (thankfully no nominations that day!) I ventured out for breakfast.

Latte ordered, I sat down and logged on to the café’s Wi-Fi network to catch up with my corporate email account. Then it was a short walk to the office where I placed my finger on the pad of the biometric fingerprint reader (true, this isn’t a password or PIN but it always takes at least half a dozen attempts before it recognises me).

Once at my desk, I open the laptop and it is CTRL+ALT+DEL and enter password. Already I had used a PIN or Password five times and it wasn’t even 9am. The rest of the morning was spent on the telephone, so the tally didn’t increase. However, all that was to change at lunchtime!

I remembered that I needed to transfer some money for a holiday so went on the HSBC website and logged on with my username, a secret word, my four digit PIN and then the six digits generated by my SecureKey. As I was setting up a new payment I then needed to use a SecureKey for a second time. Of all the things I ‘own’ I think I like this the least.

Having fifteen minutes left I remembered that I wanted to order a shirt (it was a bargain in the sale and an email I read in bed that morning said it was ending today). The good news was that it was available and in my size, but the bad news was that the site used Verified by Visa (or something like that) and I cannot remember the last time I used it, so I had no idea what the password was. I made a few attempts but had to reset it and if you asked me now I would have no clue as to what it is, so I will have to reset it again in the future (that is if I decide to shop with them again).

2pm and it was back to work. I was sent an email about the latest issue of a German security magazine that had just been published. I clicked the link and surprise surprise, to read the pdf/ebook version I need to log in. As with my earlier online shopping experience I only visit the site every month or two, so I again made a couple of educated guesses but to no avail. But this time rather than persevere with a reset I decided to park the idea, get back to work and wait for the printed version to arrive in the post.

The rest of the afternoon consisted of pitching a news story out to the media and one of the services I use requires a username and password. Fortunately, I know this one as I have it printed on a piece of paper on my desk! That said, I did log on to corporate Facebook, Twitter and LinkedIn accounts to share the announcement.

At 6pm the working day was done (the office-based part of it anyway) and it was off for a bit of exercise. I have recently changed gyms and it has an access control panel on the door that requires me to enter an eight digit code and the odds of me remembering it now or in the future are slim. This is not a big issue as I have it stored in the notes on my iPhone. However, I have to use the code to get in, to get into the changing room, to get back in after my workout and then to leave the premises. That is four times for the embarrassingly short gym session!

Finally back home after a long day, dinner cooked and I am delighted to report that I can operate the microwave without authenticating myself. So what did I learn? I realised that my hatred of the current methods of authentication that we are all expected to use is not unfounded. In many instances they put up barriers that caused inconvenience and frustration. What is more, my shortcut of writing them down really isn’t great for the organisations that are expecting us to use them.

This was just one average day for one person, so imagine the amount of time and energy that is being wasted all around the world. Of course, I know that there are bigger things to worry about but, when you know that there are better ways of doing things but are forced to use the same old antiquated approach it is just plain annoying. True, I could boycott sites using passwords altogether but that would be cutting off my nose to spite my face. But I cannot help thinking that things must change, and soon.

Author: Graham Thatcher, Winfrasoft Press Office

19 August 2014

12 Easy-Peasy Passwords Designed to Foil Hackers

PINgrid gets a nod in Discovery's 12 easy-peasy password solutions list. While there are some strange, and amusing, solutions in the lineup, PINgrid does stand out as an option which is actually workable in day to day use - and already is by many customers!

Check out the list: http://news.discovery.com/tech/biotechnology/easy-peasy-passwords-designed-to-foil-hackers-140807.htm

Thanks Discovery.

6 August 2014

Biometrics To Replace Passwords! I Just Can’t Put My Finger On Why It Would

A recent survey from Intelligent Environments has revealed that 79% of the 2,000 consumers it polled would be prepared to replace passwords with biometric security. But the truth is that if you give a consumer a choice of anything over a password they will take it, since passwords have become a huge pain in everybody's life - even when you're not online.

That said, to say fingerprints are the way forward is quite a leap. Talking about the iPhone 5s as a stepping stone to delivering a fingerprint reader to the masses is in reality a pipedream. In Europe the iPhone accounts for less than 20% of the smartphone market (depending on which poll you read) and of that only a subset are 5s devices, so in reality there aren’t many of the Touch ID readers out there. The iPad Air 2 is rumoured to have a Touch ID reader too when it is released, but the sales of iPads have already fallen off a cliff, as the market gets saturated and consumers don’t upgrade their tablets as often as their phones. Apple is only just opening up the fingerprint reader to other developers to make use of, all while Samsung is doing something completely different with Android and the Galaxy S5. Let us not forget the fact that the iPhone 5s Touch ID fingerprint reader was hacked within hours of it being released.

So, if you rephrase the consumer question to something like “would you switch from a password to a fingerprint if it cost you £550+ to get started and has proven to be insecure?” I don’t think you would get a very high uptake rate.

At the end of the day biometric solutions are expensive and history has shown that the lower cost you make them the less secure they become. When a consumer uses a bank login system they expect it to be free, but in reality somebody is paying for it somewhere; and you’ll find that it’s the consumer one way or another. A viable mass market banking login system has to be very secure, very low cost and very easy to use, which means forgoing a biometric hardware offering; at least for the foreseeable future. The good news is that there are already technologies on the market today that can deliver on the cost vs security vs usability factors if the banking world would care to look beyond the big brand vendors for an answer.

Author: Steven Hope, CEO of Winfrasoft

24 July 2014

CEO of Winfrasoft talks to the Editor of ITSecurityGuru about the state of the authentication market

The CEO of Winfrasoft, Steven Hope, recently met with the Editor of ITSecurityGuru, Dan Raywood, in London to talk about the state of the authentication market, and how it hopes to break the token to server silo mantra. 

You can read the full story at...


22 July 2014

Winfrasoft Joins The FIDO Alliance To Support Simpler And Stronger Authentication

Winfrasoft, the developer of the award-winning PINgrid soft-token authentication solution, today announces its membership of the FIDO (Fast IDentity Online) Alliance, an industry consortium revolutionising online authentication with standards for strong authentication.

“We are excited to welcome our newest associate member Winfrasoft,” said Michael Barrett, FIDO Alliance president. “The FIDO vision of universal strong authentication promises better security, enhanced privacy, more commerce and expansion of services throughout digital industries. Winfrasoft’s addition to our Alliance supports our industry goal to make user authentication easier and safer for all parties.”

CEO of Winfrasoft, Steven Hope states: “Winfrasoft has joined the FIDO Alliance as we share the vision to break the token<->server silo mantra.” Hope adds: “The global demand for our PINgrid solution, from organisations of all sizes and sectors, suggests that the market is beginning to break free from inflexible hard-tokens and insecure password-based authentication. Through the creation of a standards-based foundation the FIDO Alliance will open up a world of opportunities for vendors and end-user organisations and deliver huge benefits to consumers.”

To learn more about why businesses and consumers all want to see an end to password-based authentication and how the PINgrid solution works visit: www.pingrid.org.  

8 July 2014

Winfrasoft Launches New Global Reseller Programme For PINgrid

Opportunity For Channel To Add Pattern-Based Authentication Solution To Their Portfolio As Organisations Look For Password Alternatives

Winfrasoft, today announces its new global Reseller Programme, which now offers deal registration and discounts of up to 40% on its authentication solutions including the award-winning PINgrid. By adding pattern-based 1.5 and 2 Factor Authentication to a reseller’s portfolio they are able to capitalise on the current demand to find an alternative to password-based verification and the need for authentication from anywhere and on any device. 

PINgrid uses number grid-based patterns rather than passwords or clunky keyring tokens, to provide 1.5, two and even three factor authentication and transaction verification for applications such as: Internet banking, e-commerce sites, corporate network access, mobile apps and door access systems. The solution utilises 256-bit FIPS-compliant cryptographic algorithms and is underpinned by OATH logic. It can be implemented standalone, or easily integrated within existing apps and websites using the PINgrid SDK.

When the customer needs to authenticate themselves they look at a challenge grid presented to them on screen that is populated with seemingly random numbers from 0 to 5. They simply type the digits that fall within their memorable pattern to create a One Time Code.
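The grid mechanism described here, in the Info-Crime Summit item and in the GITEX announcement above can be modelled in a few lines. The Python below is an added illustration written for this page; it is not Winfrasoft's code and is not taken from the PINgrid SDK, and it models only the grid and the code, not the OATH or cryptographic layer the page mentions. Its assumptions, none of which the page states outright: the challenge grid holds uniformly random digits 0-5, a pattern is an ordered choice of 6 cells from the 36 cells of a 6x6 grid (36**6 = 2,176,782,336, which matches the page's "2.1 billion", and 64**6 = 68,719,476,736 matches the 8x8 figure of "68.7 billion"), and the one-time code is the six digits read from those cells in pattern order. Besides generating and verifying a code, the block quantifies the two things a practitioner checks before relying on such a scheme: how many distinct codes one challenge can produce, and how many patterns remain consistent with a set of observed grid/code pairs.

```python
"""Model of a grid one-time code (added example, not Winfrasoft code)."""
import secrets
from math import prod

SIDE = 6          # 6x6 grid, as described on the page
DIGITS = 6        # each cell shows a digit 0..5, as described on the page
PATTERN_LEN = 6   # assumption: 36**6 reproduces the page's "2.1 billion" figure


def new_grid(side=SIDE):
    """Server side: a fresh challenge grid, one random digit per cell (row-major)."""
    return [secrets.randbelow(DIGITS) for _ in range(side * side)]


def one_time_code(grid, pattern):
    """User side: read the digit in each pattern cell, in pattern order."""
    return "".join(str(grid[cell]) for cell in pattern)


def verify(grid, pattern, submitted):
    """Server side: recompute the code for this challenge and compare in constant time."""
    return secrets.compare_digest(one_time_code(grid, pattern), submitted)


def pattern_space(side=SIDE, length=PATTERN_LEN):
    """Number of possible patterns (ordered cells, repeats allowed)."""
    return (side * side) ** length


def code_space(length=PATTERN_LEN):
    """Distinct codes one challenge can yield. A blind guess at one challenge
    succeeds with probability 1/code_space(), not 1/pattern_space()."""
    return DIGITS ** length


def consistent_patterns(observations, side=SIDE, length=PATTERN_LEN):
    """Count the patterns that reproduce every observed (grid, code) pair.
    Pattern positions are independent, so the count is the product, over
    positions, of the number of cells whose digit matched in all observations."""
    counts = []
    for i in range(length):
        cells = set(range(side * side))
        for grid, code in observations:
            cells = {c for c in cells if grid[c] == int(code[i])}
        counts.append(len(cells))
    return prod(counts)


if __name__ == "__main__":
    # Constructed walk-through: an assumed user pattern (the main diagonal) and
    # two challenges for the same user, as an observer would see them.
    pattern = [0, 7, 14, 21, 28, 35]
    seen = []
    for _ in range(2):
        grid = new_grid()
        code = one_time_code(grid, pattern)
        assert verify(grid, pattern, code)
        seen.append((grid, code))
        print("candidates left after", len(seen), "observation(s):",
              consistent_patterns(seen))
    print("pattern space:", pattern_space(), "codes per challenge:", code_space())
```

Under these assumptions the arithmetic a practitioner would want is plain: the 2.1 billion figure is the size of the pattern space, while any single challenge admits only 6**6 = 46,656 codes, so a rate limit per challenge matters as much as the pattern space. The consistent_patterns() count is what an observer who sees both the displayed grid and the typed code is left with: about 46,656 candidates after one login and usually one after two or three. That is why the page's shoulder-surfing and screen-scraping claims rest on the grid being shown on the user's own device, separate from the login screen, so that an observer sees the code but not the grid it was read from; the on-screen 1.5FA form does not have that separation, and the page's 2FA and 3FA combinations add factors this model does not represent.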

Sales and Marketing Director at Winfrasoft, Alissa Lang explains: “We are providing resellers with a way to win new business, by offering affordable and strong authentication solutions for organisations that are either looking to replace their existing hard-token system, or those who want better security, but have found traditional token-based solutions way out of their price range.”

Platinum and Gold members of the Winfrasoft Reseller Programme benefit from a dedicated Account Manager, deal registration, free telemarketing and marketing activities, sales incentives and promotions, qualified sales opportunities and pre-sales support, training, live product demonstrations  for prospects and technical support. Companies interested in joining the Winfrasoft Reseller Programme please email: reseller@winfrasoft.com.