Archive for the ‘Authentication’ Category

Super-secure “cognitive fingerprint”

February 19, 2012

Layer8 / Network World

The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.

[T]he agency’s Active Authentication program looks to develop what DARPA calls “novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics.”

RSA brushes off crypto research finding

February 18, 2012

Ellen Messmer / Network World

Earlier this week, a team of mathematicians and cryptographers discovered an unexpected weakness in the encryption system (the way the system generates random numbers) and published their findings. Here is RSA’s response to the findings:

“I’d say all cryptography relies on good true random-number generation. And when that goes wrong, the protocol breaks,” Juels says. He faults the conclusions of the paper that there was something intrinsically wrong with the RSA algorithm. The paper might have found that the RSA algorithm “might be a little less robust than another one,” but “it’s obviously not a problem with the RSA algorithm, it’s the way the keys were generated.”

Strong Password Generator for Chrome

February 18, 2012

John P. Mello / PCWorld

When a user visits a page that Chrome thinks is asking to set up an account, it will place a key icon in the password field of the registration form. If the person clicks on that key, Chrome will ask the user whether he or she wants it to create a password. If the user says yes, Chrome will generate a password that includes letters, numbers and characters that make it difficult for a hacker to crack and impossible for the user to remember — and ask the user to approve it.

Chrome asks the user to approve the password because it may not jibe with the rules established by the site for a proper password. That means a person may have to modify the password manually before accepting it.

Once the password is accepted, Chrome will sync it with the user’s other devices running the browser — provided the sync feature is activated for the person’s Chrome account.
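The workflow described above (generate a strong password from a secure random source, then reconcile it with the site's own rules before accepting it) as an added Python example; this is constructed for illustration and is not Chrome's code. The symbol set, the policy dictionary keys (`min_length`, `max_length`, `allowed_symbols`, `require_digit`, `require_upper`) and the function names are assumptions of this example.

```python
import secrets
import string

# Constructed example, not Chrome's code: generate a password from a
# cryptographically secure source, guaranteeing that letters, digits and
# symbols are all present, then check it against a site's password rules
# so the caller knows whether it has to be adjusted before being accepted.

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed default symbol set


def generate_password(length: int = 16, symbols: str = SYMBOLS) -> str:
    """Return a password containing at least one lowercase letter, one
    uppercase letter, one digit and one symbol, drawn from os.urandom."""
    classes = [LOWER, UPPER, DIGITS, symbols]
    if length < len(classes):
        raise ValueError("need room for one character of each class")
    # One character from each class, then fill the rest from the union.
    chars = [secrets.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    # Shuffle with the same CSPRNG so the class positions are not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_site_policy(password: str, policy: dict) -> list:
    """Return the rules the password violates; an empty list means it passes.
    The policy dict shape is an assumption of this example."""
    problems = []
    if len(password) < policy.get("min_length", 0):
        problems.append("too short")
    if len(password) > policy.get("max_length", 10 ** 6):
        problems.append("too long")
    allowed = set(LOWER + UPPER + DIGITS + policy.get("allowed_symbols", ""))
    if not set(password) <= allowed:
        problems.append("disallowed character")
    if policy.get("require_digit") and not any(c in DIGITS for c in password):
        problems.append("missing digit")
    if policy.get("require_upper") and not any(c in UPPER for c in password):
        problems.append("missing uppercase letter")
    return problems


def password_for_site(policy: dict, attempts: int = 20) -> str:
    """Generate until the site's rules are met, restricting the symbol set
    and length to what the policy allows instead of asking the user to edit."""
    length = max(16, policy.get("min_length", 0))
    length = min(length, policy.get("max_length", length))
    symbols = policy.get("allowed_symbols", SYMBOLS)
    for _ in range(attempts):
        candidate = generate_password(length, symbols) if symbols else None
        if candidate is not None and not check_site_policy(candidate, policy):
            return candidate
    raise RuntimeError("could not satisfy the site policy")


if __name__ == "__main__":
    # Constructed policy: a site that only accepts three symbols.
    site_rules = {"min_length": 12, "max_length": 20, "allowed_symbols": "!@#",
                  "require_digit": True, "require_upper": True}
    pw = generate_password()
    print(pw, check_site_policy(pw, site_rules))   # likely flags a symbol
    print(password_for_site(site_rules), "fits the site policy")
```

The first call mirrors the mismatch the article mentions: a password built from the full symbol set usually fails a site that allows only a few symbols, which is why Chrome asks for approval. `password_for_site` shows the alternative of feeding the site's rules into generation so no manual edit is needed.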

New Electronic Authentication Guideline for Fed Agencies

December 17, 2011

The Electronic Authentication Guideline (NIST Special Publication 800-63-1) from NIST expands the options for government agencies that need to verify the identity of users of their Web-based services.

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.

Understanding Cloud Security Standards

October 2, 2011

Gunnar Peterson, in his feed on Intel’s Cloud Access Security blog, discusses four Anti-Patterns that have emerged in Cloud Security.

The first step to dealing with Cloud Security Anti-Patterns is deploying a Policy Enforcement Point to give the Information Security team a place to implement controls that avoid the Anti-Patterns and enable more robust security architecture.

A checklist for mitigating the Anti-Patterns:

  • Low/no access control – strong access control protocols for authentication and authorization
  • Replicating user accounts – retain enterprise provisioning on Cloud Consumer side
  • Copying credentials – implement federated identity
  • “Trusted” proxy – improved audit logging and monitoring on the Gateway

Catching up on credit card security

September 13, 2011

Peter Svensson / USA Today

The problem with that black magnetic stripe on the back of your credit card is that it’s about as secure as writing your account information on a postcard: everything is in the clear and can be copied. Card fraud, and the measures taken to prevent it, costs U.S. merchants, banks and consumers billions each year.

The smart cards can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can’t be replicated.

Email That Led To The RSA Hack

August 29, 2011

Mikko / F-Secure

The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break in there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

PIN Requirement With Credit Card Purchases

August 14, 2011

Mathew J. Schwartz / InformationWeek

Visa announced that it’s putting its muscle behind the adoption of “chip and PIN” capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV–for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards–the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).

Most Common Passcodes

July 17, 2011

Any passcode that uses a typical formula or obvious pattern provides the same level of security as no passcode (it’s like a lock that can be unlocked without a key). These passcodes shouldn’t be used for smartphones, security systems, voice mail, debit card PINs, or any external-facing devices.

Naturally, 1234 is the most common passcode, mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up or down the keypad, or repetition. 5683 is the passcode with the least obvious pattern, but it turns out to be the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”
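A defender-side check for the weak formulas the post lists, as an added Python example that is not part of the original post: it flags identical digits, numeric runs, straight lines across the phone keypad, repeated blocks, and membership in a known-common list. The keypad layout, the reason strings and the function name are this example's own choices; the common-code list holds only the two codes the post names (1234 and 5683) as a placeholder, since the rest of the top ten is not on the page.

```python
import re

# Constructed example, not code from the post. Checks a numeric passcode
# against the weak patterns the post describes: identical digits, digits
# moving in a line (numerically or across the phone keypad), repetition,
# and a list of known-common codes. Returns the reasons a code is weak;
# an empty list means none of these checks fired.

# Phone keypad layout as (row, column) for each digit; 0 sits under the 8.
_KEYPAD_POS = {
    d: (r, c)
    for r, row in enumerate(["123", "456", "789", " 0 "])
    for c, d in enumerate(row)
    if d != " "
}

# Placeholder: the post names 1234 and 5683 among the top ten; the rest of
# that list is not on the page. A real deployment would load its own
# frequency list of leaked or previously rejected PINs here.
COMMON_PASSCODES = {"1234", "5683"}


def _keypad_line(pin: str) -> bool:
    """True when every consecutive keypress moves by the same (row, col)
    step across the keypad, e.g. 2580 straight down the middle column."""
    points = [_KEYPAD_POS[ch] for ch in pin]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def weak_pin_reasons(pin: str) -> list:
    if not re.fullmatch(r"\d{4,}", pin):
        raise ValueError("passcode must be at least four digits")
    reasons = []
    digits = [int(ch) for ch in pin]
    distinct = len(set(pin))

    if distinct == 1:
        reasons.append("identical digits")

    # Ascending or descending run, wrapping 9 -> 0 (1234, 4321, 7890, 0987).
    diffs = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if diffs <= {1} or diffs <= {9}:
        reasons.append("sequential digits")

    if _keypad_line(pin):
        reasons.append("keypad line")

    # A shorter block repeated to fill the code (1212, 123123); identical
    # digits are already reported above, so require at least two digits.
    n = len(pin)
    if distinct > 1 and any(
        n % p == 0 and pin == pin[:p] * (n // p) for p in range(2, n // 2 + 1)
    ):
        reasons.append("repeated block")

    # Catches codes like 5683 that no pattern rule would flag.
    if pin in COMMON_PASSCODES:
        reasons.append("common passcode")
    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "1111", "2580", "5683", "1212", "8371"]:
        print(candidate, weak_pin_reasons(candidate) or "no pattern found")
```

The point of the last check is the one the post makes about 5683: pattern rules alone are not enough, because a code with no keypad or numeric structure can still be among the most common simply because it spells a word, so a frequency list has to sit beside the rules.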

Supplemental Guidance on Authentication

July 2, 2011

The Federal Financial Institutions Examination Council (FFIEC) today issued a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

Death of the password… not so soon!

January 30, 2011

I agree with Apple turning the iPhone into a universal debit card and Google’s Android supporting Near Field Communication (NFC), but not everything discussed in the article will happen that fast!

Why? Because I strongly believe that before Apple and Google implement a workable biometric ID solution for cell phones or replace the current authentication infrastructure with biometric infrastructure, authentication will pass through other stages, like two- (or multi-)factor authentication (YubiKey-style touch keys, some sort of machine tagging for cell phones) or one-time passwords (sent via an out-of-band channel like SMS or email).

The obvious password replacement is biometric identification — the use of a system capable of recognizing unique physical attributes, such as fingerprints, iris patterns or voices.

Far too many people don’t trust biometrics because it feels like Big Brother technology. But I believe that if the biometric system resides on the user’s cell phone, and is under the user’s control, such technology would be far more acceptable to the public.

Fingerprinting is not very reliable, voice recognition technology, in general, suffers from false-positive and false-negative issues, and iris scanners/sensors are costly.

Biometric Recognition: Challenges/Opportunities

January 15, 2011

This book is the result of a research study published by the National Research Council (NRC).

Biometric recognition systems are inherently probabilistic, and their performance needs to be assessed within the context of this fundamental and critical characteristic. Biometric recognition involves matching, within a tolerance of approximation, of observed biometric traits against previously collected data for a subject. Approximate matching is required due to the variations in biological attributes and behaviors both within and between persons. Consequently, in contrast to the largely binary results associated with most information technology systems, biometric systems provide probabilistic results.

Cybersecurity ID (?)

January 10, 2011

The moment I read the article’s subject, the first thing that came to my mind was a national CyberID… but Declan probably read my mind and added this in the first few paragraphs:

We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.

So, what is it? It is an expansion of the “National Strategy for Trusted Identities” program that the administration introduced back in June 2010.

Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.).

Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

