Wednesday, July 19, 2006

Token-based security cracked

Two-factor security tokens have long been thought of as the solution to password security woes. But now history has been made: man-in-the-middle attacks have been used for the first time to circumvent the token security that banks are rolling out at huge cost.

Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup Inc. Phishers have only recently begun looking for ways around token authentication, using what is known as a "man-in-the-middle" attack: the phishing site sits between the victim and the real bank and forwards the freshly generated code to the bank while it is still valid.

These attacks are worrisome because they took advantage, fairly early on, of a system that's seen as enhancing security for banking customers. Token devices generate a temporary second password for online banking customers. These passwords are valid for a very short period of time and can be used only once, so a code that an attacker captures is useless for later replay. What the tokens do not stop is an attacker who uses the code immediately, within its validity window, which is exactly what a man-in-the-middle phishing site does. U.S. banks have been offering the tokens to users in an effort to comply with federal guidelines that call for stronger, two-factor authentication for online transactions by year's end.

Security experts had predicted that phishers would eventually use a man-in-the-middle attack to circumvent token-based authentication, but these recent attacks mark the first time they have actually done so.
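The distinction between replay and real-time relay is easy to see in code. The following is an added example, not code from the original post or from any bank: a small model of a time-based token (HMAC-SHA1 over a 30-second step counter, truncated to six digits, TOTP-style), a verifier that accepts each code only for its own step and only once, and the two attacker behaviours. The user, password, token seed and timestamps are constructed for illustration.

```python
"""Illustrative model of a time-based one-time-password (OTP) token, a bank
that verifies it, and the two ways an attacker might reuse a captured code:
replaying it later (blocked by the short validity window and single use) and
relaying it immediately through a phishing site (not blocked).

Added example, not code from the original post. The code derivation, the
30-second step, the user, password and token seed are assumptions.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # assumed validity window of one token code


def otp_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Derive the code the token shows at time `now` (seconds since epoch)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Bank:
    """Verifier: a code is accepted only for its own time step and only once."""

    def __init__(self, users):
        self.users = users     # user -> (password, token secret); constructed data
        self.used = set()      # (user, time-step counter) pairs already accepted

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(password, record[0]):
            return False
        expected = otp_code(record[1], now)
        if not hmac.compare_digest(code, expected):
            return False       # wrong code, or a code from another time step
        counter = now // STEP_SECONDS
        if (user, counter) in self.used:
            return False       # second use within the window: one use only
        self.used.add((user, counter))
        return True


def run_scenarios() -> dict:
    """Play the three cases against one bank and return which ones succeed."""
    seed = b"constructed-token-seed-for-alice"
    bank = Bank({"alice": ("hunter2", seed)})
    t = 1_153_300_000                      # arbitrary timestamp, 10 s into a step
    victim_code = otp_code(seed, t)        # what alice types into the phishing page

    # 1. Attacker stores the captured code and tries it five minutes later.
    replay_later = bank.login("alice", "hunter2", victim_code, t + 300)
    # 2. Man-in-the-middle phishing page forwards it to the bank within seconds.
    relay_now = bank.login("alice", "hunter2", victim_code, t + 3)
    # 3. Alice's own session then fails: the code has already been consumed.
    victim_after_relay = bank.login("alice", "hunter2", victim_code, t + 5)
    return {
        "replay_later": replay_later,                # False: code no longer valid
        "relay_now": relay_now,                      # True: the token did not help
        "victim_after_relay": victim_after_relay,    # False: already used
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The verifier does everything the post credits the tokens with (short window, single use) and still accepts the relayed code, because nothing in the exchange binds the code to the channel the victim is actually using. Countermeasures that do help are out of scope of the post: transaction-signing tokens that include the payee and amount in the code, or origin-bound authentication that a proxy cannot forward.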

CATEGORIES: identity theft, tokens, id management, banking, passwords

Wednesday, July 12, 2006

VARs & Integrators waking up to NAC action

The first time solution provider Chris Labatt-Simon mentioned network access control to a customer three years ago, the executive was so stunned by the cost and complexity of putting a client on every single machine in his corporate network that he actually burst out laughing. But a few weeks later, after the same customer's network was brought to its knees by a worm introduced from a contractor's infected notebook PC, he grew much more receptive.

Labatt-Simon, president and CEO of D&D Consulting, Albany, N.Y., is one of a growing number of solution providers educating more customers about NAC solutions, which address network security not just by protecting the network border but by inspecting the applications and clients that connect to it. Sales are starting to flow from the education process, said Labatt-Simon, who expects D&D's NAC deployments to hit 50,000 seats this year, up from 5,000 last year. "Perimeter security is going away as we know it," said Labatt-Simon. "It's easier to protect your [network] if you protect the client."

While he acknowledges that some customers are taking a wait-and-see attitude, Labatt-Simon feels that eventually it will become a cornerstone of every company's network security strategy. "There is a fear of NAC, but at some point in time the need for NAC is going to outweigh these fears—probably after the next major worm outbreak," he said.

The article this posting links to offers a nice comparative description of the current vendor solutions out there.

CATEGORIES: nac, endpoint security

A chronological take on the EMC/RSA Deal

OPINION PIECE

A lot is floating around on the Internet about this $2.1bn acquisition. Some are for it and some are against it. EMC stock has taken a hammering and the management of both companies are having to answer a lot of tricky questions. See EMC/RSA acquisition draws mixed reviews.

The main drivers for storage companies wanting to get into security (such as this acquisition) or security companies wanting to get into storage (Symantec/Veritas) are compliance and the spate of highly publicised data security breaches (as opposed to network breaches) over the last 12 months. It's that simple.

Most security efforts have traditionally focused on securing the perimeter and the network using tools such as firewalls, antivirus software and intrusion-detection systems. In future, expect to see more attention devoted to securing the data residing in storage networks, databases, servers, laptops and desktops. Why? Because hackers and insiders have started going after the "data-at-rest" and because traditional network perimeters have begun fading away as companies tie their networks with those of partners, suppliers and customers.

"Data at rest" is sitting there like a sitting duck waiting to get shot. And shot it has been - and well publicised too - leading to lawsuits, stock price collapses, management getting fired, legal fines and even companies going bankrupt as a result of the fallout.

Observers of this acquisition seem to have short memories. I cannot fathom what all the fuss is about. This deal makes perfect logical sense to me - in fact I am surprised it has taken so long to happen. Let us take a chronological walk through the events of the last 12 months leading up to it to justify my statement.

We reported on this blog on 5th May 2005 that Storage managers cite security as top concern. In fact, the conjunction of information security and storage was one of the driving factors behind the previous year's acquisition of Veritas Software Corp. by Symantec Corp.

On 20th June 2005, after many high-profile data security incidents in the financial services industry started filtering through the press, we penned a story Storage security market is born when NetApp acquired startup Decru for $272M. The article noted that "The move by NetApp trumps the industry in what will likely be a rush by other vendors to either buy or create their own storage security technology, an area that has been neglected up to now." Another interesting snippet was "within two years, you won't be able to have a conversation with a client about storage without talking about security." Well, that was one year ago.

On 29th July 2005 we penned an interesting story storage security creates resurgence in mainframe technology when IBM announced new mainframe technology to handle increasing demands for data encryption. Gartner even gave this a thumbs-up, noting that "Organizations seeking to allay security concerns should look to the IBM mainframe as one significant piece of a comprehensive approach to safeguarding corporate data."

By 12th July 2005 some 50 million US identities had been exposed in data breaches, and we declared 2005 : The year of the Data Breach and advised Encrypt or invite disaster.

On 10th August 2005 we blogged Publicized data security breaches rocket after revealing data from the Privacy Rights Clearinghouse that 61 U.S. organizations had reported exposures of personal information of more than 50 million individuals in the previous 180 days. The majority of these breaches were the result of a lack of encryption or proper data-at-rest protection.

We followed this up on 11th August 2005 with Cryptography enters mainstream, and it is this article that makes the most sense to me for the EMC/RSA deal. The expanded use of data encryption will result in an explosion in the number of cryptographic keys, and equally in a wider array of policies under which those keys are governed: who may use a key, for which data, for how long, and what happens when it is rotated or revoked. In order to enforce security policies consistently, manage risk and comply with regulatory requirements, enterprises will need a robust, automated and centralized key management system. And this is exactly where RSA plays.

On 17th August 2005 we posted Security spending shifts, where we noted that authentication and encryption had jumped from 7% to 25% of all security projects over the previous 12 months.

On 11th October I summed up the main issues of some of Dimension Data's biggest global clients at a 3-day round-table held at Sun City in South Africa (Top infosec issues for 2006). Privacy and legislation was flagged as the #1 infosec issue likely to impact their infosec programs in 2006, and authentication and encryption were the technologies most likely to be deployed to address those issues.

On 1st November 2005 the encryption problem had extended to mobile devices such as phones and laptops, in a very popular article we wrote called Laptops pose massive security risk.

After a few dramatic hurricanes in the US in Sept/Oct 2005, interruption of service and disaster recovery became big storage topics, leading to data replication, data backup and data transport challenges. And with these challenges came the security issues associated with moving masses of data from one place to the next. This was highlighted on 28th October 2005 when we penned a posting Data security, encryption tops user concerns.

On 15th December 2005, Databreach wrap-up reveals more shock figures showed that the data breach trend was accelerating, with data taken from stolen laptops accounting for 50% of the breaches and the other 50% coming from data-at-rest breaches. Also at this time we penned Survivors guide to 2006, with Data Protection sitting in the top spot.

On 3rd January, in ComputerWorld 2006 security predictions, "Securing Data" landed in the #4 spot. This also appeared in Dimension Data's Predictions for 2006. On 11th January 2006 EU data security failings highlighted that only 25% of companies listed corporate data as an asset on their balance sheets and that most EU organisations were erroneously focussing their efforts on the network as opposed to the data.

So what do EMC get? They get the RSA brand, which is very strong in security circles. They get authentication technology. They get public-key encryption libraries. And finally they get key management technology, which is what ties array-level encryption to enterprise policy: the array holds wrapped keys, and the key manager decides who may unwrap them and when they are rotated. The first fruits of this deal have already been announced today in EMC plans native encryption on storage arrays.
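To make concrete why key management, rather than the encryption itself, is the hard part of native array encryption (the point of the Cryptography enters mainstream paragraph above and of the EMC announcement), here is an added example, not code from the original post and not RSA's or EMC's product. It models a central key manager holding one key-encryption key (KEK) that wraps many per-volume data-encryption keys (DEKs), a storage array that only ever stores wrapped DEKs, KEK rotation that re-wraps the DEKs without touching the encrypted data, and an owner/expiry policy on every key. The cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen so the example runs with the Python standard library alone; it illustrates the key hierarchy and is not a substitute for a vetted cipher such as AES-GCM. Key ids, owners, timestamps and the sample record are constructed.

```python
"""Illustrative model of centralised key management for data-at-rest
encryption: a KEK held by the key manager wraps per-volume DEKs; the array
stores only wrapped DEKs; rotating the KEK re-wraps without re-encrypting
data; a policy record (owner, expiry) governs every key.

Added example, not from the original post and not RSA's or EMC's code.
The HMAC-based cipher is an illustration chosen to avoid third-party
dependencies, not a production cipher. All identifiers are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate keystream and tag keys so the two HMAC uses never overlap."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise rather than return garbage on a bad key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyManager:
    """Central store: the KEK never leaves here; arrays receive only wrapped DEKs."""

    def __init__(self):
        self.kek = os.urandom(32)
        self.kek_version = 1
        self.records = {}   # key_id -> {"wrapped", "owner", "expires", "kek_version"}

    def create_dek(self, key_id: str, owner: str, expires: int) -> bytes:
        dek = os.urandom(32)
        self.records[key_id] = {"wrapped": encrypt(self.kek, dek), "owner": owner,
                                "expires": expires, "kek_version": self.kek_version}
        return dek

    def unwrap(self, key_id: str, requester: str, now: int) -> bytes:
        """Policy check, then release the plaintext DEK to the owning system."""
        rec = self.records[key_id]
        if rec["owner"] != requester:
            raise PermissionError(f"{requester} may not use {key_id}")
        if now >= rec["expires"]:
            raise PermissionError(f"{key_id} expired; issue a new DEK and re-encrypt")
        return decrypt(self.kek, rec["wrapped"])

    def rotate_kek(self) -> int:
        """Re-wrap every DEK under a fresh KEK; stored data is not touched."""
        new_kek = os.urandom(32)
        for rec in self.records.values():
            rec["wrapped"] = encrypt(new_kek, decrypt(self.kek, rec["wrapped"]))
            rec["kek_version"] = self.kek_version + 1
        self.kek, self.kek_version = new_kek, self.kek_version + 1
        return self.kek_version


def demo() -> dict:
    """Walk one volume through create, write, KEK rotation and policy checks."""
    km = KeyManager()
    now = 1_152_700_000                     # arbitrary timestamp
    record = b"acct 1234 balance 5000.00"   # constructed sample data block
    dek = km.create_dek("vol-finance-01", owner="array-east-1", expires=now + 86_400 * 365)
    stored = encrypt(dek, record)           # what the array writes to disk
    km.rotate_kek()                         # annual KEK rotation, data untouched
    dek_again = km.unwrap("vol-finance-01", "array-east-1", now + 60)
    results = {"dek_survives_rotation": dek_again == dek,
               "data_readable_after_rotation": decrypt(dek_again, stored) == record,
               "wrong_owner_denied": False, "expired_key_denied": False}
    try:
        km.unwrap("vol-finance-01", "array-west-2", now + 60)
    except PermissionError:
        results["wrong_owner_denied"] = True
    try:
        km.unwrap("vol-finance-01", "array-east-1", now + 86_400 * 400)
    except PermissionError:
        results["expired_key_denied"] = True
    return results
```

The design point is the split of duties: the array can encrypt and decrypt blocks at line rate with its DEK, but it cannot mint, rotate or approve keys, and a stolen disk or array yields only ciphertext plus a wrapped key that is useless without the key manager. Every policy question the paragraph above raises (who, which data, how long, what on rotation) lives in the key manager's record, which is why that component, not the cipher, is what a storage vendor has to buy or build.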

So there you have it. It all makes perfect logical sense why EMC would want to buy RSA. In fact I will bet that Symantec was in the bidding war for RSA too. But we will never find that out, will we?

Scott Crawford sums it up nicely in his July 2006 Network/Systems Management Newsletter from ComputerWorld titled : The "experts" don't get the EMC/RSA union: "As it was, the ill-informed reaction of the market made its shortsighted disappointment look more like we still haven't learned anything from the day-trader mentality of the late '90s - and even less from the information security breaches of the past several months."

I couldn't agree more!

CATEGORIES: opinion, encryption, storage, acquisition