TransAuth: Securing Digital Identity and Access
https://www.transauth.com/site (feed last updated Wed, 18 May 2016 11:42:48 +0000)

6 Reasons You Need Multifactor
https://www.transauth.com/site/6-reasons-you-need-multifactor/ (Tue, 06 Oct 2015 16:34:35 +0000)

Do You Really Need It?

The news is a surging stream of cyberattacks and breaches.

It is happening all around us, and we can get numb.

If well-funded corporations can’t stop it, what about the rest of us?

The good news: Multifactor is now affordable for smaller organizations.

We hope this free infographic helps you decide if the time is right to consider Multifactor Authentication.

6 Reasons You Need Multifactor

Do you have something worth protecting?


The post 6 Reasons You Need Multifactor appeared first on TransAuth.

Security vs. Privacy?
https://www.transauth.com/site/security-vs-privacy/ (Thu, 23 Jul 2015 21:15:22 +0000)

The recent hack of pro-extra-marital website Ashley Madison has unleashed a range of responses.

Some people are giddy while others are angry.  Some people find it fascinating, and others could not care less.  Among those with an opinion, it has spawned a flurry of debate.

Part of the spectacle is the sheer volume of affected people.  Latest reports indicate that as many as 37 Million users may have been exposed.

No, we don’t wish to rephrase that.

Cheeky comments aside, this incident may give us a chance to surface some very important cultural questions as we grapple with our maturity in the digital age.

What’s the Difference Between Privacy and Anonymity?

“On the Internet, no one knows you’re a dog”, says the old cartoon.

But there are important distinctions between privacy and anonymity.

Accountability can be maintained with privacy.  Not so much with anonymity.

So, which should we be defending?

Is Privacy a Right or a Privilege?

Privacy and Anonymity on the Internet have a long, tumultuous past.

We may need to determine which one is more worth fighting for.

And give some serious thought as to why.

Can We Respect the Privacy of Something or Someone We Do Not Agree With?

This is a big, uncomfortable question.

We all have things we’d like to keep private.  And it is much easier to say we believe in privacy for all than it is to defend it.  But, what happens when that privacy causes damage to other people?  Where do we draw the line of engagement and responsibility?

Should We Act On Principle, Or Desired Outcome?

My heart hurts for all the unaware spouses that may be in for a very publicly humiliating debacle if this thing continues.

Let’s hope that the attackers can accomplish their goals without damaging the privacy of the innocent.  If they are willing to destroy others’ privacy, then there will be some who say they deserve none of their own.

The post Security vs. Privacy? appeared first on TransAuth.

Does the Sony Hack Change Anything?
https://www.transauth.com/site/does-the-sony-hack-change-anything/ (Thu, 18 Dec 2014 05:16:10 +0000)

The cybersecurity, entertainment and political worlds have been abuzz with the recent attack on Sony Pictures.

What makes this such a compelling story?

We Cannot Help But Look

It is hard to blame anyone for being drawn to the wreckage; it really has been quite a grisly spectacle, right down to the skull-themed images splashed across employees’ workstation screens when the attack was announced.  The attackers apparently prefer drama to comedy.

The breadth and depth of the pwnage from a technical perspective is astonishing.  So far, it appears that around 100TB of secrets, personal data, movies and even employee PHI were stolen and in many cases, leaked onto the Internet.

Then, the attackers promised an ominous “Christmas present”.  That date coincides with the slated release date of the movie that may be at the center of the controversy, The Interview.  The warnings came complete with references to 9/11 and other vague but assertive threats of violence.  It has been a highway motorcycle wreck, and we cannot keep ourselves from watching with morbidly intense curiosity.

And, as of today, Sony tapped out.  They pulled the movie citing failing support and safety concerns.

Does it change anything for the rest of the world?

When Kevin Mandia himself says an attack has no precedent, you know things are pretty bad.

But, what does this colossal breach mean for the rest of us?

Is this bigger news just because it involves Hollywood?

Or, is the sheer magnitude of the attack something that should concern us all?

For the worse?

Is the Internet in more danger now than before?  That seems highly unlikely.  But perhaps this underscores the idea that stopping a focused, motivated and dedicated adversary is difficult if not impossible. It was a thorough, vindictive, savage attack, and we won’t know what the technical lessons are until the autopsy is complete.

From a broader perspective, there may be some debate about whether this was handled like a hostage situation, and what the implications could be of ceding to the demands of the attackers.

For the better?

What if there are some silver linings from this sort of event?  Sony will have to fight a bit harder to find them, of course, but generally, something of this magnitude yields some fruit.

Could awareness about incident response be improved?

Could this define a new APT model or specific attacks that cybersecurity practitioners can defend against in the future?

Might companies recalibrate budgets, strategies and metrics to strive for security instead of compliance?

For the indifferent?

Or is this just another loud fart in a hurricane?  These mega breaches are occurring at an astonishing rate.  Is it possible that people are starting to get numb to it?  Could we become victims of alarm fatigue before the next big attack is announced?

What’s next?

The Sony saga will likely continue for some time, and may well leave an indelible mark on the company that is difficult to recover from.  Hopefully, we are all able to extract some positive lessons from this very public depantsing.

I’ll stop shy of suggesting that the terrorists win with this salvo, but I will offer one possible apropos ending to this sordid affair:

What if Sony can rise from the ashes of this devastating attack by making a blockbuster movie about the very attack that brought them to their knees?  I could imagine video games, action figures, lunch boxes, t-shirts, the whole buffet.  Imagine if they could turn this lemon tree into a lemonade factory that catapults them well beyond the earnings this movie would have earned them without all this free publicity?  I wonder how the attackers would feel about that?

If Sony can figure out how to keep the movie safe until it’s released, they might be able to pull it off.

The post Does the Sony Hack Change Anything? appeared first on TransAuth.

Are Passwords Really Dead?
https://www.transauth.com/site/are-passwords-really-dead/ (Mon, 10 Nov 2014 17:20:19 +0000)

All Dead?

Passwords have received a sizable black eye in the media lately.  Perhaps rightly so. After all, passwords played a role in 3/4 of network intrusions in 2013.

Many infosec wonks have declared the password dead without even reaching for the defib.

So, are passwords really an irrevocably bad credential?  Have they ceased to be? Are they an ex-credential?

No.

Not even a little bit.

We just need to think about using them differently.

Blaming a password for a compromise is like blaming a monkey for a car crash.

The negligence lies with the person who gave the monkey the keys.  Sadly, the monkey gets all the blame from the media.  Poor monkey.

By the way, negligence is a word that shows up in legal circles frequently because it implies a lack of responsibility, which makes me wonder how long it will be before some unsuspecting organization is found legally negligent for trusting passwords alone as an adequate access control.

We should all know better by now.

Mostly Dead?

The fact of the matter is that passwords are the most portable, inexpensive, easily-changed credential available.  Their well-known vulnerabilities can be compensated for by adding a secondary credential to create Multifactor Authentication (MFA).

MFA solves many of the problems associated with passwords alone.  Ultimately, both factors are unlikely to be compromised at the same time.

Think about ATMs:

Have you ever forgotten your PIN?  Or lost a card?

Probably.

Have you ever lost your PIN and your card at the same time, to the same person?

Almost certainly not.

Using a knowledge-based credential (like a password) in conjunction with either a possession-based credential (like a key), or an inherence-based credential (like a fingerprint) can help prevent any one credential’s weaknesses from allowing a compromise.

In short: diversifying risks increases the resilience of the system.

Partly Alive?

Remember, passwords are not inherently evil. They have some flaws, but they also have some very redeeming qualities, and will continue to be around for some time. Just remember to reinforce your passwords with a secondary credential (we have some suggestions if you’re interested).

Sadly, as far as we know, there are no MFA providers that allow a monkey as your secondary factor.

Progress can only get us so far.

–Andrew

The post Are Passwords Really Dead? appeared first on TransAuth.

Will Multi-Factor Save Us?
https://www.transauth.com/site/will-multi-factor-save-us/ (Fri, 30 May 2014 04:32:41 +0000)

Single Bullet Theory

Is Multi-factor Authentication the holy grail of Security?

This question has been thrown about quite a bit lately. A wide variety of responses have surfaced.

We have a fairly short, straightforward answer:

No.  

Actually, the longer answer is:

No it is not. And stop looking for holy grails of Security.

Back To The Start

Authentication typically happens once.  At the beginning of a session.  And then is forgotten about until the session expires.  What happens after that is not Authentication’s job.

Make no mistake: Authentication is a critical process.  It is often the first step in granting access to a resource.  If fumbled, it can completely bypass any other security measures that are in place.  However, it is not fair to blame Authentication for other design flaws in the overall system.

There have been a number of articles citing a weakness in MFA for failing to prevent things such as session hijacking, Trojans, Phishing and Man-In-The-Middle attacks.

These articles all raise a very valid point: Good security solutions don’t make you secure; they help you improve your security.

MFA was never designed to fix insecure server session implementations, prevent malware from infecting your system, or alert a user they’re about to access a fraudulent website.  Anyone thinking it could do these things has a case of severely mismanaged expectations.

Refactoring Expectations

Multi-factor Authentication can solve a number of problems inherent in single-factor systems.  Passwords are weak and attackers are going to look for the easiest path in.  They won’t tear down a wall if the door is unlocked.  Good security solutions move the low hanging fruit upwards.  And passwords are obviously low-hanging fruit (or an unlocked door, if we keep mixing metaphors).  eBay, Target, LinkedIn, Yahoo, Dropbox, Facebook and countless others will attest to that.

Anyone trying to sell you Security as a packaged end-state is not looking out for your best interests.  Security is not a state or a product, it is a process and an art.  

To that end, Multi-factor should absolutely be a part of your arsenal to reinforce the rest of your security design.  It won’t prevent all attacks, but it can stop password attacks, which are much more damaging than a mere flesh wound.

The post Will Multi-Factor Save Us? appeared first on TransAuth.

Bleedheartbreak
https://www.transauth.com/site/heartbleed-heartbreak/ (Fri, 11 Apr 2014 03:57:05 +0000)

Is Heartbleed as big as everyone seems to be saying?

Data Drama, Denial and Disappointment

It has been hard to avoid the headlines about the collective Internet meltdown over Heartbleed this week.

In case you missed it: Heartbleed (CVE-2014-0160) is a vulnerability in some versions of OpenSSL, a software library that helps secure the majority of Internet communications.  This issue is so massive, it already has its own website and stylized logo.

Is it really a big deal?

Yes, this is really a pretty big deal.

Imagine every conversation you’ve ever had with your doctor, lawyer or friend where you assumed (or asked for) privacy.  You trust the other party, so you pour your heart out.  You share private information, you confess to crimes, you give out your credit card numbers, all sorts of things come out that you’d prefer to keep private.

Now imagine that there was someone hiding in the room the whole time with a tape recorder (okay, a smart phone) recording the whole conversation.  Now imagine this same thing happened in 70% of all doctor/lawyer/accountant/retail/ecommerce interactions.

In other words, most of everything you ever assumed was safe may have been exposed to unauthorized ears and eyes.

Should I freak out and burn my computer?

Maybe, but probably not in most cases.

It depends who you are and what you do on the Internet.  Here’s a quick guide for response levels:

Bleedheart Reaction Guide

End Users

Usage: Securing personal information in transit
Scope [Severity]: You [Low]
Concerns: Sites that were compromised may have divulged personal information such as usernames, passwords or credit card information
Response: Make note of what sites you visit that use “https://” in the address bar of your browser.  Check with each provider to find out when they have mitigated the risk, and change your passwords only when the site is confirmed fixed.  Watch for fraudulent charges (you’re probably used to this part by now)

Small & Medium Business

Usage: Protecting your website and business systems, taking payments, business communications
Scope [Severity]: Customers, Partners, and the Business [Medium]
Concerns: Your customer’s data may have been compromised, which could lead to damage to your business.  Off-site SAAS services may have been compromised, leaving your critical business systems exposed.
Response: Determine what services you offer and consume that use SSL and test for vulnerability with a tool like this.  Fix the vulnerabilities, and alert your partners, employees and customers that they may have been affected.

Enterprise

Usage: Protecting website, business systems, IP, remote access and B2B systems, business communications
Scope [Severity]: Customers, Partners, and the Business [High]
Concerns: As with most online crime, the most activity tends to center around those with the most valuable resources.  Enterprises have more money, more users, more systems and more opportunity for criminals.  Being big isn’t easy.
Response: Identify and remediate affected systems and services immediately.  Alert partners, employees and customers that they may have been affected.  Force password changes for all credentials, replace certificates and add new rules to detect related malicious activity.  If the value of contained data is sufficiently high, consider treating this as a breach-level event and run forensics to look for possible intrusions.

Government

Usage: Protecting website, business systems, IP, remote access and B2B systems, business communications
Scope [Severity]: Citizens, Infrastructure, Employees, Partners [Critical]
Concerns: Depending on the service and function of the organization affected, the implications could certainly be enormous.  We won’t speculate, but you probably have a pretty good idea what value your information has.
Response: Identify and remediate affected systems and services immediately.  Alert partners, employees and customers that they may have been affected.  Force password changes for all credentials, replace certificates and add new rules to detect related malicious activity.  If the value of data is sufficiently high, consider treating this as a breach-level event and perform forensics to look for possible intrusions.

More information will continue to come in about this vulnerability, and the impact of this event may develop further than it already has.

What next?

As everyone starts to make sense of what happened here, keep your guard up.  This sort of event is exactly the sort of thing that scammers will try to capitalize on.  Dishonest people will try to use the fear and confusion generated by this event to their advantage.  Watch out for phishing attempts and other tricks.

While not much could have been done to protect against the vulnerability itself from a provider standpoint, this may be a good opportunity for users to empower themselves.  Users who have Multi-Factor Authentication can rest easy about their credentials because most MFA solutions do not send useful credentials over the wire.  Use https://twofactorauth.org/ to see who’s already got this capability, and demand it from providers who do not currently use it.

Unfortunately, this won’t protect your credit card info from being sniped, but we’ll suggest that MFA could help with this scenario by being required for card transactions as well, but that’s another conversation for another day.

Good luck!

-Andrew

The post Bleedheartbreak appeared first on TransAuth.

Avoid Phishing Hooks
https://www.transauth.com/site/avoid-phishing-hooks/ (Thu, 20 Mar 2014 14:23:18 +0000)

Avoid becoming the next phishing victim with these easy tips.

This quick and easy guide is meant to help casual users avoid becoming a phishing victim.

First, we should define ‘phishing’ for anyone who isn’t already familiar with this term.  Phishing is defined by everybody’s favorite crowd-sourced knowledgebase as:

…The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

In a nutshell: someone trying to scam you via email.

Some of these attempts are easy to spot because of bad spelling and grammar, or they appear to come from sites you don’t have anything to do with.  They all will ask you to do something like click on a link or download something.  Here’s an example of spammy ESL gone awry:

[Image: sample phishing email addressed to “Customer”, with misspellings such as “arrice” and “bussness” and a zip file attached]

Let’s take a second to dissect what’s wrong with this fine specimen:

  • They don’t know who you are – unless your parents named you “Customer”, in which case, umm…sorry?
  • Why have they italicized the “L” in parcel?  Is it a very special L?
  • “Sent” is the generally accepted way of placing the word “send” into a past tense.
  • And no sentence should start with “And”.  Except mine.  I’m exempt from that rule.
  • Okay, picking on grammar and spelling is starting to feel mean.  “arrice”, “bussness”, you get the point.  Something is wrong.
  • DANGER WILL ROBINSON! They’ve sent a zip file. Trust us: it is not a good zip file.

However, some are quite cleverly designed and can fool even the seasoned infosec pro.  The recent Google Drive phishing scam is a great example.  It was well-crafted and tricked a lot of people (so don’t feel bad if you were one of them).  So, how do we ferret out phishy emails when they don’t ferret themselves out?

Here are a few easy tips you can follow to avoid being the next phishing victim:

  1. Remember, email is not trustworthy – This is tricky.  Psychologically, we associate email with connections with other humans (and occasionally dogs).  So, our brains easily start to associate all our emails with our trusted relationships.  Stay vigilant!  Email is an insecure mode of communication, and tricking people is excessively easy.  Use a service like this to send a fake email and see who figures it out.  Don’t do what this guy did, though.
  2. Check your links – When presented with a link in an email, make sure it’s what it says.  Most email clients will let you hover over a link to see where it actually points.  Just because the link says “PayPal” doesn’t mean it goes to PayPal; you need to check the URL it points to.  This example shows an email “from” PayPal, but the link points to Paypal-secure-check.com.  The URL must match.  If you are not sure if the URL matches, copy the link and paste it into a text editor to review manually.  Or, save some time and just don’t click it.
  3. Attachments Are Bad, Mmmkay? – I won’t get into the topic of how email was not meant for file transfer right now.  I’ll just say this: unless you are expecting a link from someone you know, don’t click on it.  Attachments can be zip files, executables, scripts, even simple HTML files.  These all can be used to turn you into a pwn star.
  4. Keep Your Credentials To Yourself – Never give your credentials to a site you clicked into from an email.  If PayPal needs something from you, open a new browser and go to PayPal.com and enter in your credentials there.  Once logged in, your links should work if they are legitimate.  No one should ever ask you for your password.  Period.
  5. Ask yourself what the email wants – This is a bit abstract, but the ultimate question is: what does this email want from me?  Does it want me to click on something?  Download something?  Does it want a hug?  Emails that want you to do something need additional scrutiny before complying with their requests.  You wouldn’t close your eyes and open your mouth just because a stranger asked you to, would you?  You answered, “no”, right?
  6. Check the headers – This is a bit more advanced, but worth mentioning.  Checking email headers can be very valuable to determine legitimacy.  The nuances of doing it like a pro are beyond the scope of this article, but here’s a good primer on reading the guts of email headers.
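As an added example (not code from the original post), here is a small Python checker that applies the “check your links” and “attachments are bad” tips above to a constructed HTML e-mail: it compares the brand or URL shown in a link’s text with the domain the href really points to, and flags links that fetch attachment-like files. The TRUSTED_DOMAINS table and the sample e-mail are assumptions made for this example.

```python
"""Flag links in an HTML e-mail whose visible text does not match the
domain they actually point to, or that fetch attachment-like files."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose display text should only ever link to their own domain.
# Constructed mapping for this example; extend it for your own environment.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "google drive": {"google.com"},
}

# File types the post warns about: zip, executables, scripts, plain HTML.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".html", ".htm")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (fine for .com-style hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(text, href):
    """Return a reason string if the link looks phishy, else None."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return "link is not an http(s) URL"
    target = registered_domain(host)
    lowered = text.lower()
    # 1. A brand name is shown, but the href goes somewhere else entirely.
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in lowered and target not in {registered_domain(d) for d in domains}:
            return f"text mentions {brand!r} but points to {host}"
    # 2. The visible text is itself a URL whose host differs from the real host.
    if lowered.startswith(("http://", "https://")):
        shown = urlparse(lowered).hostname or ""
        if registered_domain(shown) != target:
            return f"shown URL host {shown} differs from real host {host}"
    # 3. The link downloads an attachment-like file.
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        return f"link downloads a {parsed.path.rsplit('.', 1)[-1]} file"
    return None


def find_suspicious_links(html):
    """Parse an HTML body and return [(text, href, reason), ...] for bad links."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        reason = check_link(text, href)
        if reason:
            findings.append((text, href, reason))
    return findings


# Constructed sample mirroring the PayPal example in the post (not a real message).
SAMPLE_EMAIL = """
<p>Dear Customer, your account is limited.</p>
<a href="http://paypal-secure-check.com/login">PayPal</a>
<a href="https://www.paypal.com/help">help center</a>
<a href="https://example.net/parcel">https://www.mybank.example/parcel</a>
<a href="https://www.paypal.com/">https://www.paypal.com/</a>
<a href="https://example.net/invoice.zip">Invoice</a>
"""

if __name__ == "__main__":
    for text, href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```

The hover check most mail clients offer is the manual version of rule 2; this script just does it for every link at once.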

If you do get tricked, here are a few critical steps:

  1. If you downloaded a file – you may need to either clean or reinstall your system.  Clearing out new or stubborn malware can be quite a chore, but we like Malwarebytes on Windows systems when it does happen.  There are myriad other options for other OSes.
  2. If you gave up some user credentials or other sensitive information – Change whatever information you lost immediately.  Passwords, bank info, etc.  Contact the associated service and let them know what happened so they can keep an eye out for fraudulent activity.

Prevention is the best medicine of course (we also like a spoonful of whiskey, just in case). Stay alert, wherever possible, enable Multi-Factor Authentication, and keep your system and security tools up to date.

Otherwise, good luck storming the castle!

-Andrew

The post Avoid Phishing Hooks appeared first on TransAuth.

Google Acquires Authentication Startup SlickLogin
https://www.transauth.com/site/google-acquires-authentication-startup-slicklogin/ (Tue, 18 Feb 2014 06:16:10 +0000)

Sound Security?

It has been widely reported that Google purchased an Israeli Authentication Startup called SlickLogin.  

There are many interesting wrinkles to the story.  Our favorite tidbit though, is that SlickLogin does not have a single customer.

Yet.

The solution is quite ingenious: it uses uniquely generated high-frequency audio waves emitted by the computer to verify that the user’s phone is present during a login event.  This is a very low-friction design, and our guess is that Google knows making strong authentication easier to use is paramount to gaining wider user acceptance.

What Does This Mean?

Because TransAuth is similar in design and aim, we have been asked quite a bit what we think about this move.

Overall we’re very excited!  It validates that service providers and organizations see value in a fast, effective login process.  We’ve known for years that reducing the effort and time required to secure logins would be required for mass user acceptance.  Let’s face it, we all expect easy and instant.  We’ve tasted it, and we don’t want to give it up now.

We believe this may be the first jab in a battle of the easiest secured access.  What’s great about a battle like that is that users win.  Logins get more secure, and possibly easier to use.  That’s great news in our book.

What’s Different?

While SlickLogin has an awesome concept so far, we wonder about a few key differences in design.  A lot of these questions will be sorted out with wider testing and use, but for now, all we have are guesses, observations and questions.

We use Wireless, they use Audio

Audio is a very clever way to enable M2M (machine to machine) communication.  However, as a broadcast medium, it is open to interference.  How will it perform in noisy environments?  What if you can’t turn up your speakers because of other audio issues (like a library)?  What if you are using a desktop without audio?

We feel that using Bluetooth, NFC and WiFi will yield a more consistent, controlled, harder to intercept result.

We are local first, they are central first

We like the idea of OOB (out of band) or side channel authentication.  That means that the credential has to travel a different route than the machine being accessed is using.  This helps prevent some man-in-the-machine attacks.  However, it also requires a network connection in order to work.  That is not always possible with mobiles, as I’m sure many if not all people have experienced.

Our design focuses on local communications first, and central communications later.  This means that TransAuth works even when the user is unable to get a network connection.

We support app-less use, they require an app

We also prefer a mobile app.  It improves the assurance level of the authentication process.  However, we also realize that not all people have a modern smartphone (if a smartphone at all).  However, almost everyone has a mobile phone, and almost every mobile phone has Bluetooth.  We can work with that.
Additionally, we are able to use non-mobile based wireless tokens in instances where phones are not available or allowed.  Many manufacturing and healthcare environments do not allow mobile phones, impacting the multi-factor design.

So, The World Is Safe, Then?

C’mon.  Of course not.  Securing logins means that we’ll see fewer headlines about stolen passwords and identity theft.  That’s good news.  But, once the low-hanging fruit is removed, the attackers will simply move up the tree to the next lowest-hanging fruit.  It’ll be something, it just won’t be credential theft.

But, this is a great step in the right direction to securing digital identities.  We look forward to what’s next!

–Andrew

The post Google Acquires Authentication Startup SlickLogin appeared first on TransAuth.

Are Passwords Passé?
https://www.transauth.com/site/passwords-passe/ (Fri, 17 Jan 2014 03:27:25 +0000)

Passwords Alone Are Broken

For many in the security industry, it’s not really even a topic of debate any more.  Most people are creatures of habit, and in some respects, habit is just another word for predictable.

Without a doubt, predictability is a liability in security.

In the age of GPU farms, passwords are now so vulnerable that even an untrained user can crack almost 50% in his/her first attempt.  So, if any website you’ve ever created an account on has been compromised, you can just expect that the username and password you use there is known by others.  Assume that it is spray painted on a billboard somewhere.  Using common usernames and common passwords is a sure ticket to account, if not identity, total pwnage.

So, what are you to do?

If you are bent on sticking with single factor passwords, you have basically one sound approach:

Use one password per site.  It must be long, it must be complex, it must not be predictable.  And how are you to manage your 73 online accounts with usernames and these complex passwords?

Well, we’d suggest a password manager like KeePass or Password Safe.  These are open source (read: free) managers that are very capable, but there is no shortage of other options.  A Google search for “password manager” turns up 225,000,000 results.  Good luck!

You could also consider Multi-Factor Authentication.

Multi-Factor Authentication (MFA) allows you to offload the job of securing your credentials to technology.  MFA has many forms: One Time Passwords, biometrics, certificates, smart cards, RFID cards, and more.  The idea is that instead of just one factor (something you know), you add another factor (something you are or something you have).  Adding this secondary factor to your login process greatly decreases the likelihood of someone compromising your password by increasing the requirements for access beyond the trivial entry of a password.

MFA will not protect all aspects of your computing experience, but with new products like TransAuth to help make it easier, there is no excuse not to secure your accounts with it now.

The post Are Passwords Passé? appeared first on TransAuth.

Can Secure Be Easy?
https://www.transauth.com/site/it-doesnt-have-to-be-more-difficult/ (Tue, 17 Dec 2013 03:28:16 +0000)

Can something be easy and secure?

We certainly think so.

The issue, as we see it, was that for a long time, things did have to get harder to get more secure.  People had to carry around extra devices, and read characters from one place, and then type them into another, or some other sort of menial labor.  All worthwhile in its time, but that is now outdated thinking.

Advances in mobile technology and wireless devices present a perfect opportunity for users to secure their identities by selecting a secondary device of their choice to serve as their secondary credential.

Then, we handle the rest.

No more data entry.  No more games of bingo.  No more swiping your finger twelve times because your TPM isn’t sure if it’s really you.

So, now, all you have to do is log in like you always have, and your second factor is automatically detected and registered.

If someone steals your Key Device (for example, your phone), they’d need your username and password too to gain access to your account.

If someone steals your password, they’d need your Key Device to access your account.

If someone steals your username, your password and your Key Device, you can add a PIN requirement as well.

If someone steals your username, your password, your Key Device and your PIN…well, maybe you aren’t cut out to operate a computer in the first place.

 

Arrange a demonstration today!

The post Can Secure Be Easy? appeared first on TransAuth.
