RSA blog: Renaissance of the OTP hardware token

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with  one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have withstood the test of time, and lately, are undergoing a renaissance with a newfound interest among security managers. There has been a spate of newer, dare I say smarter, hardware tokens in the past couple of years from Yubico and OneSpan, along with wider support for FIDO standards as well.

In this month’s blog for RSA, I look at this evolution, why the hardware token remains relevant, and some of the current trends in multi-factor authentication (MFA).

Avast blog: Primary update: Voting issues in Los Angeles and Iowa

Last week Super Tuesday brought many of us to the polls to vote for our favorite candidate for President. And while voting went smoothly in most places, there was one major tech failure in Los Angeles, which saw the debut of new voting machines. Let’s compare what went wrong in LA with the earlier problems seen during the Iowa caucuses.

In our earlier blog, I brought you up to date with what happened with the Russians hacking our 2016 and 2018 elections. But the problems witnessed in Iowa and LA are strictly our own fault, the result of a perfect storm of different computing errors. For Iowa, the culprit was a poorly implemented mobile vote count smartphone app from the vendor Shadow Inc. For LA, it was a series of both tech and non-tech circumstances.

I go into details about each situation and what we’ve learned in this post for Avast’s blog.

In search of better browser privacy options

A new browser privacy study by Professor Doug Leith, the Computer Science department chair at Trinity College is worth reading carefully. Leith instruments the Mac versions of six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when they “phone home.” All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.

If you aren’t familiar with Brave, it is built on the same Chromium engine that Google uses for its browser, but it does have a more logical grouping of privacy settings that can be found under a “Shields” tab as you can see in this screenshot. It also comes with several extensions for an Ethereum wallet and support for Chromecast and Tor. This is why Brave is marketed as a privacy-enhanced browser.

Brave scored the best in Leith’s tests. It didn’t track originating IP addresses and didn’t share any details of its browsing history. The others tagged data with identifiers that could be linked to an enduser’s computer along with sharing browsing history with backend servers. Edge and Yandex also saved data that persisted across a fresh browser installation on the same computer. That isn’t nice, because this correlated data could be used to link different apps running on that computer to build an overall user profile.

One problem is the search bar autocomplete function. This is a big time saver for users, but it also a big privacy invasion depending on what data is transmitted back to the vendor’s own servers. Safari generated 32 requests to search servers and these requests persist across browser restarts. Leith proposed adding a function to both Chrome and Firefox to disable this autocomplete function upon startup for those who have privacy concerns. He also has proposed to Apple that Safari’s default start page be reconfigured and an option to avoid unnecessary network connections. He has not heard back from any of the vendors on his suggestions.

So if you are a privacy-concerned user, what are your options? First, you should probably audit your browser extensions and get rid of ones that you don’t use or that have security issues, as Brian Krebs wrote recently. Second, if you feel like switching browsers, you could experiment with Brave or Authentic8’s Silo browser or Dooble. I reviewed two of them many years ago; here is a more updated review on some other alternative browsers done by the folks at ProtonMail.

If you want to stick with your current browser, you could depend on your laptop vendor’s privacy additions, such as what HP provides. However, those periodically crash and don’t deliver the best experience. I am not picking on HP, it is just what I currently use, and perhaps other vendors may have more reliable privacy add-ons. You could also run a VPN all the time to protect your IP address, but you will still have issues with the leaked backend collections. And if you are using a mobile device, there is Jumbo, which helps you assemble a better privacy profile. What Jumbo illustrates though is that  privacy shouldn’t be this hard. You shouldn’t have to track down numerous menus scattered across your desktop or mobile device.

Sadly, we still have a lot of room to improve our browser privacy.

RSA Blog: The Tried and True Past Cybersecurity Practices Still Relevant Today

Too often we focus on the new and latest infosec darling. But many times, the tried and true is still relevant.

I was thinking about this when a friend recently sent me a copy of , which was published in 2003. Schneier has been around the infosec community for decades: he has written more than a dozen books and has his own blog that publishes interesting links to security-related events, strategies and failures..

His 2003 book contains a surprisingly cogent and relevant series of suggestions that still resonate today. I spent some time re-reading it, and want to share with you what we can learn from the past and how many infosec tropes are still valid after more than 15 years.

You can read my column for RSA’s blog here.

Steer clear of Plaid for your small business accounting

If you are looking for a small business accounting software service, don’t consider WaveApps, Sage or the site And.co. All of them use the banking connector Plaid.com and have a major shortcoming. Let me explain my journey.

When I first began my freelancing business in 1992 (can it be?), I used the best accounting program at that time: QuickBooks for DOS. It was simple, it was easy to setup, and it did the job. I stayed with QB when I went to Windows and then to Mac, upgrading every few years, either when my accountant told me that they couldn’t use my aging software or when Intuit told me that I had to upgrade.

I use my accounting software for three things:

  • To keep track of my expenses and payments, entering information once or twice a month to stay on top of things.
  • To produce invoices and to accept credit card payments from my clients
  • To produce reports once a year for my accountant to produce my business tax filings

That isn’t a lot of requirements to be sure. Naturally, over time some of them have changed: when I first began my accountant directly read my QB file. Now she just wants a few year-end statements, which almost every accounting tool can produce. Also, enabling credit card payments isn’t a big deal that it once was: there are so many other solutions that don’t have to originate from the accounting software tool itself (such as Square, for example).

One thing that hasn’t changed is my goal: having to spend as little time as possible using the software, because this means that I have more time to spend actually writing and doing the work that I get paid to do.

But installing software on my desktop is so last century. Eventually, Intuit stopped making physical software and every QB version is now in the cloud. Their solutions start at $25/month, discounted for the first few months. Actually, that isn’t completely accurate: they also have a “self-employed” version for $15/month, but it has so few features that you can’t really use it effectively – such as producing those yearend reports that I need for my accountant.

Several years ago, I found Waveapps. It was free, it had just enough features to make it useful for me (see above) and did I mention it was free? I started using it and was generally happy. One of the nice features was how it connected to my corporate checking account at Bank of America and imported all my transactions, which made it easier to prepare my books and track my payments.

A few weeks ago, Wave decided to “upgrade” its banking connector to Plaid. And that broke my BofA connection. The problem is that I have setup my banking login to use an SMS text multi-factor authentication (MFA). I wish BofA offered something better, but that is what they have — they call it “extra security” — and so I use it. Plaid doesn’t support my bank account’s “extra security” MFA setting.

This begins The 2020 Accounting Software Evaluation Project. It deserves the capital letters because it meant that I had to start looking around, reading software reviews, signing up for the software service providers, and checking them out. I very quickly found that Sage and And.co (I do hate their domain name) also use Plaid as a banking connector, so I wasn’t getting very far by switching to them. Meanwhile, here we are into February and I still haven’t decided on what to do with my accounting software.

I took time to email the PR person at Plaid, who initially told me that the BofA MFA issue was a bug and they were working on a fix. That was a lie, or perhaps a misunderstanding. Eventually, this is what I got from them: “Plaid supports the standard MFA for Bank of America and most of the other 11,000 institutions on the Plaid network, but we do not currently support BofA’s perpetual MFA setting.” This is also not true. BofA only offers a single MFA method: sending SMS texts to your phone. I wish they offered a smartphone authenticator app, but they don’t.

So my dilemma is this: should I eschew security for convenience? I can turn off the MFA and get my accounting data imported, and then will have to turn it back on. I could try to switch accounting providers to something else  — I haven’t tried all of the small business providers, but I have a feeling that Plaid has them as customers too. I could find another bank that has better security and perhaps works with Plaid, but that would mean changing a lot of my bill paying data too.

No good choices, to be sure. I guess I will just stick with Wave for the time being, but I am not happy about it. Secure users shouldn’t use plaid.com.

A field guide to Iran’s hacking groups

Iran has been in the news alot lately. And there have been some excellent analyses of the various hacking groups that are sponsored by the Iranian state government. Most of us know that Iran has hacked numerous businesses over the years, including numerous banks, the Bowman Dam in New York in 2013, the Las Vegas Sands hotel in 2014, various universities and government agencies and even UNICEF. When you review all the data, you begin to see the extent of its activities. It is hard to keep all the group names distinct, what with names like Static Kitten, Charming Kitten, Clever Kitten and Flying Kitten. (This summary from Security Boulevard is a good place to start and has links to all the various felines.) Check Point has found 35 different weekly victims, and their latest analysis shows that 17% of them are Americans. Half of the overall targets are government agencies and financial companies.

To get a more detailed analysis of the various groups, Cyberint Research has published this 30-page document that describes the tactics, techniques and procedures used by ten such groups, matching them to the MITRE ATT&CK threat and group IDs. The group IDs are useful because different security researchers use different descriptive names (the Kitten ones come from CrowdStrike, for example).

What comes out of reading this document is pretty depressing, because the scale of Iran’s efforts is enormous. They are a very determined adversary, and they have taken aim at just about everyone over the past decade. Part of the problem is that there are many private hackers who are taking credit for some of the attacks, such as the recent defacement of the Federal Depository Library Program, although “hacker culture in Iran is gradually being forced into submission by the regime through increasingly controlled infrastructure and internet laws, and recruitment to state-sponsored cyber warfare groups,” according to a report from Intsights.

And a recent news report in the Jerusalem Post says that Iranian hacking is getting increasingly more sophisticated and broadening their targets  The story cites two former Israeli government cyber agents that claim Iran is now using Chinese hacking tools in their attacks, which can be useful if Iran wants to confuse the attack origins. According to these sources, Israel gets more than 8M daily total cyber attacks.

To add insult to injury, other attackers are leveraging these threats by using them as a phishing lure, sending a message that pretends to be from Microsoft and asking you to login with your credentials. (A word to the wise: don’t.)

The US National Cyber Awareness System through CERT issued this alert last week. They recommend that you have your incident response plan in order and have the key roles delineated and rehearsed so you can stem any potential losses. Lotem Finkelstein, head of Check Point’s cyber intelligence group, agrees: “You should ensure that MFA is enabled and you brush up your incident response plans.“ Other suggestions from CERT include limiting PowerShell usage and log its activities, make sure everything is up to date on patches, and ensure that your network monitoring is doing its job.

Digital Shadows, a security consultancy, also has plenty of other practical suggestions in this blog post for improving your infosec. They recommend being able to keep lines of communication open and help your management understand the implications and risks involved. You should also have a plan for potential DDOS attacks and work through at least a tabletop exercise if not a complete fire drill to see where you are weakest.

Iran is a formidable foe. If they haven’t been on your radar before now, take a moment to review some of these documents and understand what you are up against.

Review of Thales’ SafeNet Trusted Access

Thales SafeNetTrusted Access (STA) offers a compelling blend of security solutions that bridge the MFA, SSO and access management worlds in a single, well-integrated package. STA does this by offering policy-based access controls and SSO with very strong authentication features. These policies are flexible and powerful enough that you can address a broad range of access scenarios.

Because STA covers multiple security workflows, there are several places that it can fit into your overall data protection needs. Part of your own motivation for using this product will depend on the particular direction that you are coming from. What you need STA to do will depend on what you have already purchased and where your existing security tools are weakest.

If you presently use another SSO tool, or if you aren’t happy with your existing identity management product, you might examine whether they can support or integrate with STA and use it as your principal identity provider. This will give you greater automation scope and move towards better MFA coverage for your consolidated logins.

If delivering MFA is your primary focus for purchasing a new identity product, STA should be on your short list of vendors. If you are rolling out MFA protection as part of a larger effort to secure your users and logins, then things get more interesting and the case for using STA becomes more compelling. For example, it can handle a variety of application authentication situations and be granular enough to deploy these methods for particular user collections and circumstances. Many older IAM products bolted-on their MFA methods with cumbersome or quirky integration methods or required you to purchase separate add-on products for these features. STA has had this flexibility built-in from the get-go and has a well-integrated MFA set of solutions.

If you presently use another vendor’s authentication app or have a collection of hardware tokens that you are trying to migration away from, you might want to examine whether STA’s MobilePass+ offers improvements to the user workflows that could increase MFA coverage across your application portfolio.

Thales SafeNetTrusted Access is available at this link. Pricing starts at $3.50 /user/month, which includes access management, SSO, authentication tokens and services support. A premium subscription which adds PKI MFA support is also available.

You can read my full report here. And here is my screencast video that points out the major product features:

 

Medium One-Zero: How to Totally Secure Your Smartphone

The more we use our smartphones, the more we open ourselves up to the possibility that the data stored on them will be hacked. The bad guys are getting better and better at finding ways into our phones through a combination of subtle malware and exploits. I review some of the more recent news stories about cell phone security, which should be enough to worry even the least paranoid among us. Then I describe the loss of privacy and the how hackers can gain access to our accounts through these exploits. Finally, I provide a few practical suggestions on how you can be more vigilant and increase your infosec posture. You can read the article on Medium’s OneZero site.

RSA blog: Why you need a chief trust officer

Lately it seems like trust is in short supply with tech-oriented businesses. It certainly doesn’t help that there have been a recent series of major breaches among security tech vendors. And the discussions about various social networks accepting political advertising haven’t exactly helped matters either. We could be witnessing a crisis of confidence in our industry, and CISOs may be forced to join the front lines of this fight.

One way to get ahead of the issue might be to anoint a Chief Trust Officer. The genesis of the title is to recognize that the role of the CISO is evolving. Corporations need a manager focused less on talking about technical threats and more about engendering trust in the business’ systems. The CTrO, as it is abbreviated, should assure stakeholders that they have the right set of tools and systems in place.

This isn’t exactly a new idea: Tom Patterson (seen here) and Bob West were appointed in that position at Unisys and CipherCloud respectively more than five years ago, and Bill Burns had held his position at Informatica for more than three years. Burns was originally their CISO and given the job to increase transparency and improve overall security and communications. Still, the title hasn’t exactly caught on: contemporary searches on job boards such as Glassdoor and Indeed find few open positions advertised. Perhaps finding a CTrO is more of an internal promotion than hiring from outside the organization. It is interesting that all the instances cited above are from the tech universe. Does that say we in IT are quicker to recognize the problem, or just that we have given it lip service?

Tom Patterson echoes a phrase that was often used by Ronald Reagan: “trust but verify.” It is a good maxim for any CTrO to keep in mind.

I spoke to Drummond Reed, who has been for three years now an actual CTrO for the security startup Evernym. “We choose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three titles is “to build and support trust. For a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”

Speaking to my comment about paying lip service, Reed makes an important point: the title can’t be just an empty promise, but needs to carry some actual authority, and must be at a level that can rise above just another technology manager. The CTrO needs to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust,” advises Reed.

Trust is something that RSA’s President Rohit Ghai speaks about often. Corporations should “enable trust; not eradicate threats. Enable digital wellness; not eradicate digital illness.” I think this is also a good thing for CTrO’s to keep in mind as they go about their daily work lives. Ghai talks about trust as the inverse of risk: “we can enhance trust by delivering value and reducing risk,” and by that he means not just managing new digital risks, but all kinds of risks.

In addition to hiring a CTrO, perhaps it is time we also focus more on enabling and promoting trust. For that I have a suggestion: let’s start treating digital trust as a non-renewable resource. Just like the energy conservationists promote moving to more renewable energy sources, we have to do the same with promoting better trust-maintaining technologies. These include better authentication, better red team defensive strategies, and better network governance. You have seen me write about these topics in other columns over the past couple of years, but perhaps they are more compelling in this context.