<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; password</title>
	<atom:link href="http://www.novainfosecportal.com/tag/password/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Fri, 03 Feb 2012 17:30:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Have Passwords Become Obsolete?</title>
		<link>http://www.novainfosecportal.com/2012/01/19/have-passwords-become-obsolete/</link>
		<comments>http://www.novainfosecportal.com/2012/01/19/have-passwords-become-obsolete/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 15:30:01 +0000</pubDate>
		<dc:creator>judykavuo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[csoonline]]></category>
		<category><![CDATA[obsolete]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7666</guid>
		<description><![CDATA[A recent article over at CSO Online by Taylor Armerding debates whether password use might be outdated. According to Armerding, some experts believe that passwords are becoming obsolete and that alternative forms of authentication such as biometrics should be used. Others argue that passwords are a solid form of authentication as long as they are used properly. Even though Armerding enlightens us about the arguments against passwords, I tend to agree with the pro-passwords camp and think this form of authentication is a long way from obsolete. via CSOOnline.com Despite all those &#8220;death to passwords&#8221; chants, some say it&#8217;s still a solid form of authentication &#8212; when users aren&#8217;t being stupid about theirs. It&#8217;s 2012. The password is dead. Long live the password. Perhaps the division in the IT world is not quite that stark, but there is indeed division. Some think it is past time to retire passwords, for what they say is the obvious reason: They don&#8217;t protect users, since they are so easily hacked. All the talk about making passwords more secure is ignoring the elephant in the room &#8211; they simply cannot be made secure. Besides, there are other, better, authentication options, like biometrics, since nobody has your fingerprints, eyes [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-7669 alignright" src="http://www.novainfosecportal.com/wp-content/uploads/2012/01/passwords.gif" alt="" width="213" height="128" />A recent article over at CSO Online by Taylor Armerding debates whether password use might be outdated. According to Armerding, some experts believe that passwords are becoming obsolete and that alternative forms of authentication such as biometrics should be used. Others argue that passwords are a solid form of authentication as long as they are used properly.</p>
<p>Even though Armerding enlightens us about the arguments against passwords, I tend to agree with the pro-passwords camp and think this form of authentication is a long way from obsolete.</p>
<p>via CSOOnline.com</p>
<blockquote><p>Despite all those &#8220;death to passwords&#8221; chants, some say it&#8217;s still a solid form of authentication &#8212; when users aren&#8217;t being stupid about theirs.</p>
<p>It&#8217;s 2012. The password is dead. Long live the password.</p>
<p>Perhaps the division in the IT world is not quite that stark, but there is indeed division. Some think it is past time to retire passwords, for what they say is the obvious reason: They don&#8217;t protect users, since they are so easily hacked. All the talk about making passwords more secure is ignoring the elephant in the room &#8211; they simply cannot be made secure. Besides, there are other, better, authentication options, like biometrics, since nobody has your fingerprints, eyes and DNA.</p>
<p>But others say not so fast &#8211; that biometrics are not duplicate proof, and that passwords would still be fairly effective if users didn&#8217;t make them so easy to hack and if password authentication systems were improved.</p>
<p>Christopher Frenz, CTO at See-Thru and a faculty member at Mercy College, both in New York, says the problem is, &#8220;not because of passwords being obsolete, but because of the prevalence of bad passwords and bad password practices.&#8221;</p>
<p>He points to the 2009 SQL injection attack on the social media site RockYou that compromised 32 million user account passwords. &#8220;The only password security requirement was a password of at least five characters,&#8221; he says, &#8220;(which) resulted in people choosing passwords such as 12345, Password, rockyou, and abc123,&#8221; plus common dictionary words.</p></blockquote>
<p>Continued <a title="here" href="http://www.csoonline.com/article/697667/passwords-aren-t-dead-though-maybe-yours-should-be">here</a>.</p>
<p style="text-align: center;"><em>#####</em></p>
<p style="text-align: center;"><em>Please let us know your take on this topic. Can passwords be &#8220;resurrected?&#8221; Today’s post image is from <a href="http://its.syr.edu/">Information Technology and Services</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/19/have-passwords-become-obsolete/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>New Multifactor Authentication for LastPass</title>
		<link>http://www.novainfosecportal.com/2011/11/15/new-multifactor-authentication-for-lastpass/</link>
		<comments>http://www.novainfosecportal.com/2011/11/15/new-multifactor-authentication-for-lastpass/#comments</comments>
		<pubDate>Tue, 15 Nov 2011 17:49:53 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Securing Mom]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[lastpass]]></category>
		<category><![CDATA[manager]]></category>
		<category><![CDATA[password]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=6935</guid>
		<description><![CDATA[I didn&#8217;t mention it in my previous post &#8220;Usable Browser Privacy &#38; Security&#8221; but another Firefox plug-in I normally use is the popular online LastPass password manager. Well, the other day I noticed a new feature but hadn&#8217;t seen much discussion of it within the security community. Yes, I use LastPass and find it very useful in managing many of my passwords for low to medium value websites. I use roughly three different computers on most days, and having to regularly sync a password archive across them is cumbersome, so the online aspect of LastPass is a welcome solution. Although I probably wouldn&#8217;t store high value passwords using an online service like this, LastPass provides a simple way to use different strong passwords for every site you need to authenticate to. It allows good password practices while keeping the web easy to use. For this reason I recommend it to many of my non-technical family and friends as a more transparent way for them to follow good password practices without too much of a usability hit. The key to LastPass&#8217;s security is the master password a user creates for their archive. Of course it goes without saying that they need [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-6938" title="LastPass Google Authenticator Support" src="http://www.novainfosecportal.com/wp-content/uploads/2011/11/googleauth-300x115.png" alt="Image Showing LastPass and Google Authenticator" width="210" height="81" />I didn&#8217;t mention it in my previous post &#8220;<a href="/2011/09/15/usable-browser-privacy-security/">Usable Browser Privacy &amp; Security</a>&#8221; but another Firefox plug-in I normally use is the popular online LastPass password manager. Well, the other day I noticed a new feature but hadn&#8217;t seen much discussion of it within the security community. Yes, I use LastPass and find it very useful in managing many of my passwords for low to medium value websites. I use roughly three different computers on most days, and having to regularly sync a password archive across them is cumbersome, so the online aspect of LastPass is a welcome solution.</p>
<p>Although I probably wouldn&#8217;t store high value passwords using an online service like this, LastPass provides a simple way to use different strong passwords for every site you need to authenticate to. It allows good password practices while keeping the web easy to use. For this reason I recommend it to many of my non-technical family and friends as a more transparent way for them to follow good password practices without too much of a usability hit.</p>
<p>The key to LastPass&#8217;s security is the master password a user creates for their archive. Of course it goes without saying that they need to choose a really strong password here. While the implementation details are somewhat complex, basically LastPass stores all passwords as an encrypted blob on its servers. Even LastPass supposedly can&#8217;t decrypt it, since they never receive your master password. When a user logs in, the browser plug-in downloads their blob and decrypts it on their local machine using the master password.</p>
<p>Although using a strong master password is a good first step, given how important this authentication step is, multi-factor authentication is the better option. That&#8217;s where LastPass comes in with several existing multi-factor options. In the past these factors included one-time passwords, grids, Sesame, Yubikey, smartcards, and fingerprints. All these options were great, but none were industry heavyweights that could provide some type of de facto standard.</p>
<p>Well, that all changed about a week or so ago when LastPass announced support for Google Authenticator!</p>
<p>via LastPass.com</p>
<blockquote><p>We&#8217;re happy to announce the inclusion of Google Authenticator as a new multifactor authentication option for LastPass. With the latest LastPass plugin and a supported mobile device, you can now use your phone in conjunction with your master password to generate a secure key that is needed to login to your account. Authenticator token support has been a hotly anticipated addition to LastPass, and we&#8217;re happy to make good on that obligation to our users.</p></blockquote>
<p>Continued <a href="http://blog.lastpass.com/2011/11/introducing-support-for-google.html">here</a>.</p>
<p>So be sure to update LastPass&#8217;s plugin or application to the latest version to take advantage of this new feature. And if you have non-technical family and friends, you may want to suggest that they try it out as well. Although they may need help setting it up, it&#8217;s MUCH better than them using the same easy-to-guess password across all their sites.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>I know many of us in the security community don&#8217;t trust online password managers like LastPass. However, with support for multi-factor authentication, does this update add enough of a mitigation for it to be trustworthy? Let us know in the comments below. Today&#8217;s post image is brought to you by <a href="http://blog.lastpass.com/2011/11/introducing-support-for-google.html">LastPass.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/11/15/new-multifactor-authentication-for-lastpass/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Weekly Rewind – CISSP Value, Monthly Continuous Monitoring, Mobile Average Practices, &amp; More</title>
		<link>http://www.novainfosecportal.com/2011/09/24/weekly-rewind-%e2%80%93-cissp-value-monthly-continuous-monitoring-mobile-average-practices-more/</link>
		<comments>http://www.novainfosecportal.com/2011/09/24/weekly-rewind-%e2%80%93-cissp-value-monthly-continuous-monitoring-mobile-average-practices-more/#comments</comments>
		<pubDate>Sun, 25 Sep 2011 02:30:16 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[cissp]]></category>
		<category><![CDATA[fisma]]></category>
		<category><![CDATA[infographic]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[mac]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[monitor]]></category>
		<category><![CDATA[onstar]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[skype]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[summary]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=6400</guid>
		<description><![CDATA[Here’s another edition of the Weekly Rewind, where we post a quick summary of all our stories as well as the industry articles you seemed to like the most from the past week. If you missed anything or happened to be offline, we hope you find this post useful as a quick reference. Our Blog Posts Where You Want to Be This Week for 2011-09-19: Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, contact us or mention it to @grecs on Twitter. A very light schedule for this week, and all you need to do is just show up and be ready to talk shop. Anyway, here are your meetups for this week. (continued here) The Value of a CISSP: Local blogger Laura Raderman put out a great post last week titled “(ISC)2 and the CISSP.” I think she’s right on point in expressing how a lot of us feel regarding the (ISC)2, the CISSP, [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-6180" title="Rewind Button" src="http://www.novainfosecportal.com/wp-content/uploads/2011/09/Button-Rewind-icon.png" alt="Icon of Rewind Button" width="123" height="123" />Here’s another edition of the Weekly Rewind, where we post a quick summary of all our stories as well as the industry articles you seemed to like the most from the past week. If you missed anything or happened to be offline, we hope you find this post useful as a quick reference.</p>
<h2>Our Blog Posts</h2>
<p><strong>Where You Want to Be This Week for 2011-09-19:</strong> Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, contact us or mention it to @grecs on Twitter. A very light schedule for this week, and all you need to do is just show up and be ready to talk shop. Anyway, here are your meetups for this week. (continued <a href="/2011/09/19/where-you-want-to-be-this-week-for-2011-09-19/">here</a>)</p>
<p><strong>The Value of a CISSP:</strong> Local blogger Laura Raderman put out a great post last week titled “(ISC)2 and the CISSP.” I think she’s right on point in expressing how a lot of us feel regarding the (ISC)2, the CISSP, and the value they add to the security profession. Basically … meh … but need it to keep the job&#8230; (continued <a href="/2011/09/19/the-value-of-a-cissp/">here</a>)</p>
<p><strong>How to Win Followers &amp; Influence Friends:</strong> I had the pleasure of presenting at the inaugural Reverse Space Conference (RSCon) this past Saturday. I hope everyone learned a few things… I also picked up some additional tips from several of the attendees and am continuing to investigate other ways we can use Twitter more effectively to manage our careers. Thanks! For those that missed it, here is the title and abstract if you want to get a quick synopsis of what the talk was about. (continued <a href="/2011/09/20/how-to-win-followers-influence-friends/">here</a>)</p>
<p><strong>Will New Monthly “Continuous” Monitoring FISMA Requirements Work?:</strong> According to GovInfoSecurity as well as several other publications, starting next month federal agencies will be required to implement continuous monitoring as part of their obligations under FISMA. At a minimum, “continuous” is defined as monthly. All of their reported data needs to be fed into the CyberScope system. Oh, and for training and consulting on how to meet this new requirement, agencies must attend CyberStat sessions. Just a few things to ponder here&#8230; (continued <a href="/2011/09/21/will-new-monthly-continuous-monitoring-fisma-requirements-work/">here</a>)</p>
<p><strong>Mobile Security “Average” Practices:</strong> There have been a few articles over the past week describing some general suggestions on protecting mobile devices. Coincidentally, I’ve been doing some research on advice we could provide “average” everyday iPhone users on this topic and these articles confirmed much of what I’ve found. Yeah, we could consider using one of the newfangled commercial MDM solutions but for Mom and her personal iPhone this probably isn’t an option. Below you’ll find my favorite suggestions in priority order with some commentary. Note as with the original articles I’ve kept these suggestions high level as to not focus on any specific platform. (continued <a href="/2011/09/22/mobile-security-average-practices/">here</a>)</p>
<p><strong>Top 3 NoVA Infosec Blog Posts of the Week:</strong> It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. If you can’t get enough of the local security scene, check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. As always, feel free to check out what local security bloggers have been up to, and also be sure to follow myself (@nathiet), @grecs, and @novainfosec on Twitter if you want to know more about what’s going on in the local security community during the week. (continued <a href="/2011/09/23/top-3-nova-infosec-blog-posts-of-the-week-102/">here</a>)</p>
<p><strong>A Few News Items that Pissed Me Off:</strong> There were several stories these past few weeks that just sort of … well I’ll just say it … pissed me off. I know that’s not too professional of me, but it just gets my blood boiling. Companies just seem to be doing the wrong thing lately. Whether it be changing their terms of service (ToS) or downplaying potentially serious vulnerabilities, everyone is taking the sleazeball way out instead of standing up and fixing their security problems. (continued <a href="/2011/09/23/a-few-news-items-that-pissed-me-off/">here</a>)</p>
<h2>Industry Articles</h2>
<p><strong>OS X Lion Passwords Can Be Changed by Any Local User:</strong> In OS X, user passwords are encrypted and then are stored in files called &#8220;shadow files&#8221; which are placed in secure locations on the drive. Based on system permissions, the contents of these files can then only be accessed and modified by the user, or by administrators provided they first give appropriate authentication. This means that only the user can change its password, or if needed, then an administrator can do this by first authenticating. Unfortunately, recent discoveries have shown that in OS X Lion this security structure is not intact, and any user on the system can modify the passwords of other local accounts quite easily. (continued <a href="http://reviews.cnet.com/8301-13727_7-20108261-263/os-x-lion-passwords-can-be-changed-by-any-local-user/">here</a>) <em>[Grecs Note: OS X continues to have problems. That's why I'm waiting until 10.7.2.]</em></p>
<p><strong>Hackers Break SSL Encryption Used by Millions of Sites:</strong> Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that&#8217;s passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet&#8217;s foundation of trust. (continued <a href="http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/">here</a>)</p>
<p><strong>Skype for iPhone Makes Stealing Address Books a Snap:</strong> If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device&#8217;s address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child&#8217;s play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you&#8217;ll have a fully-searchable copy of the victim&#8217;s address book. (continued <a href="http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/">here</a>) <em>[Grecs Note: With two or three similar incidents this year, you'd think Skype would have cleaned all these up already.]</em></p>
<p><strong>Infographic: Two Decades of Malware:</strong> In the last two decades, malware has evolved from a simple, contained software virus to an unstoppable plague that can spread to millions of smartphone users in one foul click. Last year, Trend Micro&#8217;s analysts found that consumers were being targeted by up to 100,000 threats–a number that has tripled to 300,000 threats this year. (continued <a href="http://www.pcmag.com/article2/0,2817,2393215,00.asp">here</a>) <em>[Grecs Note: I always love these infographics. Print them out and post them on your cube wall. They make great conversation starters.]</em></p>
<p><strong>Security Duo Finds Another Pair of Vulnerabilities in Android:</strong> Remember the duo who released an Angry Birds spoof application last fall in effort to highlight some of Android&#8217;s vulnerabilities? If so, perhaps you also recall hearing that Google had to implement the remote kill feature in Android about the same time. Well, those guys are back and, judging by their latest finding, things still don&#8217;t look to be all that secure. (continued <a href="http://reviews.cnet.com/8301-19736_7-20109028-251/security-duo-finds-another-pair-of-vulnerabilities-in-android/">here</a>) <em>[Grecs Note: The article includes a nice video showing their exploits in action.]</em></p>
<p><strong>OnStar Tracks Your Car Even When You Cancel Service:</strong> Navigation-and-emergency-services company OnStar is notifying its six million account holders that it will keep a complete accounting of the speed and location of OnStar-equipped vehicles, even for drivers who discontinue monthly service. OnStar began e-mailing customers Monday about its update to the privacy policy, which grants OnStar the right to sell that GPS-derived data in an anonymized format. (continued <a href="http://www.wired.com/threatlevel/2011/09/onstar-tracks-you/">here</a>) <em>[Grecs Note: No need to comment here; check out my "A Few News Items that Pissed Me Off" post above.]</em></p>
<p><strong>IPv6: The End of Security As We Know It:</strong> Many people have seen IPv6 as a simple addressing extension to the existing internet and see few changes to the way we secure systems. These people cannot be further from the truth. IPv6 will change the way we think about security. We need to start planning now or we will be left in the dust. This is another topic I will be addressing in the coming weeks and months (so many security topics, so little time). (continued <a href="https://www.infosecisland.com/blogview/16577-IPv6-The-End-of-Security-As-We-Know-It.html">here</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/09/24/weekly-rewind-%e2%80%93-cissp-value-monthly-continuous-monitoring-mobile-average-practices-more/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mobile Security &#8220;Average&#8221; Practices</title>
		<link>http://www.novainfosecportal.com/2011/09/22/mobile-security-average-practices/</link>
		<comments>http://www.novainfosecportal.com/2011/09/22/mobile-security-average-practices/#comments</comments>
		<pubDate>Thu, 22 Sep 2011 04:16:51 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Securing Mom]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[smartphone]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=6357</guid>
		<description><![CDATA[There have been a few articles over the past week describing some general suggestions on protecting mobile devices. Coincidentally, I&#8217;ve been doing some research on advice we could provide &#8220;average&#8221; everyday iPhone users on this topic, and these articles confirmed much of what I&#8217;ve found. Yeah, we could consider using one of the newfangled commercial MDM solutions, but for Mom and her personal iPhone this probably isn&#8217;t an option. Below you&#8217;ll find my favorite suggestions in priority order with some commentary. Note that, as with the original articles, I&#8217;ve kept these suggestions high level so as not to focus on any specific platform. That will be coming in a later post&#8230; Configure to Lock Automatically &#38; Require a Password to Unlock: I&#8217;m fairly paranoid so I configure it to lock after 5 minutes. And of course I use the password option versus a PIN. Some devices might not support passwords so you may unfortunately be stuck using a PIN. Pair this capability with a password/PIN-based failure auto-wipe feature and you should be good to go. Another great nugget of info encompassed in this suggestion is to set a PIN on your connected voicemail account to avoid being murdoched. Regularly Back Up Your [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.novainfosecportal.com/wp-content/uploads/2011/09/mobilephonesecurity.jpg"><img class="alignright size-full wp-image-6364" title="Mobile Phone Security" src="http://www.novainfosecportal.com/wp-content/uploads/2011/09/mobilephonesecurity.jpg" alt="Someone Entering Username and Password on Mobile Phone" width="210" height="140" /></a>There have been a few articles over the past week describing some general suggestions on protecting mobile devices. Coincidentally, I&#8217;ve been doing some research on advice we could provide &#8220;average&#8221; everyday iPhone users on this topic and these articles confirmed much of what I&#8217;ve found. Yeah, we could consider using one of the newfangled commercial MDM solutions but for Mom and her personal iPhone this probably isn&#8217;t an option.</p>
<p>Below you&#8217;ll find my favorite suggestions in priority order with some commentary. Note as with the original articles I&#8217;ve kept these suggestions high level as to not focus on any specific platform. That will be coming in a later post&#8230;</p>
<p><strong>Configure to Lock Automatically &amp; Require a Password to Unlock:</strong> I&#8217;m fairly paranoid so I configure it to lock after 5 minutes. And of course I use the password option versus a PIN. Some devices might not support passwords so you may unfortunately be stuck using a PIN. Pair this capability with a password/PIN-based failure auto-wipe feature and you should be good to go. Another great nugget of info encompassed in this suggestion is to set a PIN on your connected voicemail account to avoid being murdoched.</p>
<p><strong>Regularly Back Up Your Data:</strong> This suggestion is especially important if you are using the password/PIN-based failure auto-wipe feature mentioned above. For most platforms just periodically syncing should take care of this for you. Be sure to also protect your backups as well &#8230; possibly encrypting them if your software supports that capability.</p>
<p><strong>Accept All Mobile OS Patches:</strong> Whenever Apple, Google, or whoever puts out those patches, get them applied as soon as possible. It&#8217;s as simple as that&#8230;</p>
<p><strong>Only Buy Apps from Recognized App Stores:</strong> Definitely a good starting point but I would also be cautious as malicious apps periodically do get through their vetting processes. If the app looks too good to be true &#8230; then it probably is. As with the OS, apply any app patches or updates as soon as possible.</p>
<p><strong>Do Not Jailbreak Your Device:</strong> Yeah, you&#8217;ll lose out on a few cool things but for your average user I think using the built-in capabilities and sanctioned apps should be fine.</p>
<p><strong>Monitor Bills for Irregular Charges:</strong> Although this isn&#8217;t directly something you do on or with the phone, this suggestion is the Mom-equivalent of reviewing those logs.</p>
<p>Some of the other tips that I thought were out of scope for this article included thinking twice about accepting app permissions (I don&#8217;t think most people even know what all the options are), employing security policies to protect employer-issued devices, being mindful of employees introducing personal devices into the office, and remembering that mobile devices are tiny handheld PCs (um &#8230; ok).</p>
<p>For additional details on each of these suggestions check out the following two articles.</p>
<ul>
<li><a href="https://www.net-security.org/secworld.php?id=11646">Smartphone and tablet security tips</a></li>
<li><a href="http://www.techweb.com/news/231601091/5-essential-mobile-security-tips.html">5 Essential Mobile Security Tips</a></li>
</ul>
<p>And don&#8217;t forget &#8230; I&#8217;ll be putting out a post soon specifically for iPhone users so be on the look out for that.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>So what do you think? Is the prioritization right given the &#8220;Mom&#8221; use case? Are there any other tips we should add? Also the post photo is by <a href="http://www.which.co.uk/mobile/advice-and-support/smartphone-advice/smartphone-security/">Which Mobile</a>. See ya!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/09/22/mobile-security-average-practices/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Is Word 2007 Encryption Secure?</title>
		<link>http://www.novainfosecportal.com/2011/09/06/is-word-2007-encryption-secure/</link>
		<comments>http://www.novainfosecportal.com/2011/09/06/is-word-2007-encryption-secure/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 03:03:54 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[aes]]></category>
		<category><![CDATA[crack]]></category>
		<category><![CDATA[office]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[word]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=5939</guid>
		<description><![CDATA[There was an interesting discussion that took place on one of the mailing lists I follow the other day with people trying to figure out if the password encryption used in Word 2007 is secure. As most of us know, older versions are easily cracked however the more recent versions are supposed to be more secure. In the discussion there were lots of guesses however no concrete answers. Finally Bob Weiss, who does stuff like this for a living over at Password Crackers, Inc. up in MD, chimed in with a very informative response. Since I thought a wider audience might be interested in his answer, I contacted Bob and after a few edits he gave me permission to post it here. Enjoy! ##### Word 2007 uses AES 128-bit encryption however the key is transmitted along with the document (otherwise you couldn&#8217;t open it). The key is itself encrypted and this is where the questions about the implementation come in. Generally attacks against Word are not an attack against AES but rather an attack on the protection of the key. A key is created from the 50,000 SHA-1 hashed rounds of the password combined with the document_id. Then both the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-6118" title="Microsoft Word" src="http://www.novainfosecportal.com/wp-content/uploads/2011/09/word-icon.png" alt="Microsoft Word Icon" width="179" height="179" />There was an interesting discussion that took place on one of the mailing lists I follow the other day with people trying to figure out if the password encryption used in Word 2007 is secure. As most of us know, older versions are easily cracked; the more recent versions, however, are <em>supposed</em> to be more secure. In the discussion there were lots of guesses however no concrete answers.</p>
<p>Finally Bob Weiss, who does stuff like this for a living over at <a href="http://pwcrack.com/">Password Crackers, Inc.</a> up in MD, chimed in with a very informative response. Since I thought a wider audience might be interested in his answer, I contacted Bob and after a few edits he gave me permission to post it here. Enjoy!</p>
<p style="text-align: center;">#####</p>
<p>Word 2007 uses AES 128-bit encryption however the key is transmitted along with the document (otherwise you couldn&#8217;t open it). The key is itself encrypted and this is where the questions about the implementation come in.</p>
<p>Generally attacks against Word are not an attack against AES but rather an attack on the protection of the key. A key is created from the 50,000 SHA-1 hashed rounds of the password combined with the document_id. Then both the key and the hash of the key are encrypted using this new key. When the password is presented for decryption, the process runs again in reverse. The key is encrypted and hashed and this hash is compared to the hash of the key that was encrypted originally. If you gave the correct password, the key is correct and the file is decrypted. If you didn&#8217;t, then the key will not be correct. Right now, it is easier to attack the key protection scheme than the AES encryption.</p>
<p>So for the purposes of security analysis, you wouldn&#8217;t ask how strong is AES-128 but instead how strong is the algorithm protecting the AES key. The answer right now is &#8230; pretty strong. The 50,000 rounds of SHA-1 make a brute-force attack very slow or require significant resources. The state of the art is huge arrays of FPGAs to accelerate the testing; however, this hardware is very expensive and not fast enough to assure password recovery in a reasonable length of time. That is, unless a user chooses an easy password; password strength is always a potential vulnerability.</p>
<p>So how secure is it? Let&#8217;s say that I would be comfortable locking something important in a .docx or .xlsx without any additional encryption. If you want, you can always wrap the file in another container such as .zip, .rar, .pgp, etc. Each of these is pretty secure as long as you use a strong password and that password is also stored securely.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Robert Weiss is founder and owner of Password Crackers, Inc. He specializes in counter-cryptography and cryptanalysis. He can be contacted at pwcrack theatsign pwcrack dot com.</em></p>
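<p><em>Added example (not part of Bob&#8217;s note or of the original post):</em> the key-protection scheme he describes is the ECMA-376 &#8220;standard encryption&#8221; key derivation documented in MS-OFFCRYPTO. Its inputs are the password (as UTF-16LE) and the 16-byte random salt Word stores in the file (the document-specific value referred to above); the 50,000 chained SHA-1 rounds are what make every password guess expensive. The Python below, standard library only, implements that derivation and runs a small dictionary attack against it. The salt, the wordlist and the target password are constructed for the demo. In a real .docx the derived key is used to AES-decrypt a stored verifier and its hash (MS-OFFCRYPTO 2.3.4.9); since the standard library has no AES, the demo compares against the derived key itself, which costs exactly the same hashing per guess. Office 2010 and later default to the newer &#8220;agile&#8221; scheme with a higher spin count, so this applies to 2007-format files.</p>

```python
"""Office 2007 standard-encryption key derivation (MS-OFFCRYPTO 2.3.4.7)
and a dictionary attack against it. Added example; stdlib only.
Salt, wordlist and target password below are constructed for the demo."""
import hashlib
import struct

SPIN_COUNT = 50000   # Office 2007 default spin count: the cost knob
AES_KEY_BYTES = 16   # Office 2007 default cipher is AES-128


def derive_key(password: str, salt: bytes, spin_count: int = SPIN_COUNT,
               key_len: int = AES_KEY_BYTES) -> bytes:
    """Return the document key Office derives from password + salt."""
    # H0 = SHA1(salt || password as UTF-16LE, no BOM, no terminator)
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    # Hn = SHA1(LE32(n) || H(n-1)), repeated spin_count times: the slow part
    for n in range(spin_count):
        h = hashlib.sha1(struct.pack("<I", n) + h).digest()
    # Hfinal = SHA1(Hn || block key); block key 0 selects the document key
    h_final = hashlib.sha1(h + struct.pack("<I", 0)).digest()
    # HMAC-style inner/outer padding over Hfinal zero-extended to 64 bytes
    padded = h_final.ljust(64, b"\x00")
    x1 = hashlib.sha1(bytes(b ^ 0x36 for b in padded)).digest()
    x2 = hashlib.sha1(bytes(b ^ 0x5C for b in padded)).digest()
    # AES-128 needs only the first 16 bytes (all from X1); X2 serves longer keys
    return (x1 + x2)[:key_len]


def sha1_calls_per_guess(spin_count: int = SPIN_COUNT) -> int:
    """Hashing cost of one password guess: H0 + spin rounds + Hfinal + X1 + X2."""
    return spin_count + 4


def dictionary_attack(wordlist, salt: bytes, target_key: bytes,
                      spin_count: int = SPIN_COUNT):
    """Try each candidate in order; return (password or None, guesses made).

    A real cracker would AES-decrypt EncryptedVerifier/EncryptedVerifierHash
    with each derived key and compare SHA1(verifier) to the decrypted hash.
    Comparing against the derived key directly (demo simplification) does the
    same amount of SHA-1 work per guess, which is what bounds the attack.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if derive_key(candidate, salt, spin_count) == target_key:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed demo values: a fixed 16-byte salt standing in for the random
    # one Word writes into EncryptionVerifier, and a deliberately weak password.
    salt = bytes(range(16))
    target = derive_key("letmein", salt)
    words = ["password", "123456", "qwerty", "letmein", "monkey"]
    found, tried = dictionary_attack(words, salt, target)
    print(f"recovered {found!r} after {tried} guesses, "
          f"{tried * sha1_calls_per_guess():,} SHA-1 calls")
```

<p>Run it as a script and it recovers the constructed password after four guesses; the printed SHA-1 count (50,004 per guess) is the reason the practical attack is FPGA arrays grinding the derivation, not anything against AES, and why an easy password is the only cheap way in.</p>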
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/09/06/is-word-2007-encryption-secure/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>NSTIC Back in the News</title>
		<link>http://www.novainfosecportal.com/2011/08/23/nstic-back-in-the-news/</link>
		<comments>http://www.novainfosecportal.com/2011/08/23/nstic-back-in-the-news/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 14:30:04 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[csoonline]]></category>
		<category><![CDATA[guerilla-ciso]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[nstic]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[realid]]></category>
		<category><![CDATA[rybolov]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=5924</guid>
		<description><![CDATA[This past week CSO Online put out an update post on the National Strategy for Trusted Identities in Cyberspace (NSTIC) program that National Institute of Standards and Technology (NIST) set up this past spring. I hadn&#8217;t recently heard much about this effort until @manicode mentioned that blog post on Twitter. RT @manicode .. NSTIC Director: &#8216;We&#8217;re Trying to Get Rid of Passwords&#8217; http://j.mp/r80zZb //Wondered what was going on w/ this. # According to the article they are &#8220;making progress&#8221; &#8230; so I guess that&#8217;s good. Another comment that really rubbed me the wrong way was &#8220;We&#8217;re trying to get rid of passwords.&#8221; Really? Why? They&#8217;re great as one factor. We just need to add a second factor to significantly increase the level of effort attackers must take to overcome traditional authentication schemes. via CSOonline.com The federal government&#8217;s National Strategy for Trusted Identities in Cyberspace (NSTIC) program, set up this spring, is making progress against its goal of identifying and supporting more secure alternatives to simple passwords that the government as well as anyone else might use in authenticating to online applications. &#8220;We&#8217;re trying to get rid of passwords. It&#8217;s time for something better,&#8221; says Jeremy Grant, senior executive adviser at [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-5925" title="Privacy Protection" src="http://www.novainfosecportal.com/wp-content/uploads/2011/08/priv_protect-300x137.jpg" alt="Lock Going through Multiple=" />This past week CSO Online put out an <a href="http://www.csoonline.com/article/688225/nstic-director-we-re-trying-to-get-rid-of-passwords-">update post</a> on the National Strategy for Trusted Identities in Cyberspace (NSTIC) program that the National Institute of Standards and Technology (NIST) set up this past spring. I hadn&#8217;t recently heard much about this effort until @<a href="http://twitter.com/manicode">manicode</a> mentioned that blog post on Twitter.</p>
<blockquote><p>RT @<a href="http://twitter.com/manicode">manicode</a> .. NSTIC Director: &#8216;We&#8217;re Trying to Get Rid of Passwords&#8217; <a href="http://j.mp/r80zZb">http://j.mp/r80zZb</a> //Wondered what was going on w/ this. <a href="https://twitter.com/#%21/grecs/status/104743979823792128">#</a></p></blockquote>
<p>According to the article they are &#8220;making progress&#8221; &#8230; so I guess that&#8217;s good. One comment that really rubbed me the wrong way was &#8220;We&#8217;re trying to get rid of passwords.&#8221; Really? Why? They&#8217;re great as one factor. We just need to add a second factor to significantly increase the level of effort attackers must expend to overcome traditional authentication schemes.</p>
<p>via CSOonline.com</p>
<blockquote><p>The federal government&#8217;s National Strategy for Trusted Identities in Cyberspace (NSTIC) program, set up this spring, <strong>is making progress</strong> against its goal of identifying and supporting more secure alternatives to simple passwords that the government as well as anyone else might use in authenticating to online applications.</p>
<p>&#8220;<strong>We&#8217;re trying to get rid of passwords.</strong> It&#8217;s time for something better,&#8221; says Jeremy Grant, senior executive adviser at the National Program Office for NSTIC, located at the National Institute of Standards and Technology. The federal government, he says, can lead in working with industry on better types of authentication for large-scale use that may be deemed preferable to passwords. The next step in this project involves setting up a steering committee with industry to foster consensus on standards and guidelines, with a slew of pilot projects expected next year, based on current budget expectations.</p></blockquote>
<p>Continued <a href="http://www.csoonline.com/article/688225/nstic-director-we-re-trying-to-get-rid-of-passwords-">here</a>.</p>
<p>I was thinking about writing something up about this story and maybe providing a general description of what NSTIC is. But then @<a href="http://twitter.com/rybolov">rybolov</a> came back from the blogging grave to post a nice piece on this very topic over on his blog, <a href="http://www.guerilla-ciso.com/">The Guerilla CISO</a>.</p>
<p style="text-align: center;">#####</p>
<p>OK, it’s been out a couple of months now with the usual “ZOMG it’s RealID all over again” worry-mongers raising their heads.</p>
<p>So we’re going to go through what NSTIC is and isn’t and some “colorful” (or “off-color” depending on your opinion) use cases for how I would (hypothetically, of course) use an Identity Provider under NSTIC.</p>
<p><strong>The Future Looks Oddly Like the Past</strong></p>
<p>There are already identity providers out there doing part of NSTIC: Google Authenticator, Microsoft Passport, FaceBook Connect, even OpenID fits into part of the ecosystem.  My first reaction after reading the NSTIC plan was that the Government was letting the pioneers in the online identity space take all the arrows and then swoop in to save the day with a standardized plan for the providers to do what they’ve been doing all along and to give them some compatibility.  I was partially right, NSTIC is the Government looking at what already exists out in the market and helping to grow those capabilities by providing some support as far as standardizations and community management.  And that’s the plan all along, but it makes sense: would you rather have experts build the basic system and then have the Government adopt the core pieces as the technology standard or would you like to have the Government clean-room a standard and a certification scheme and push it out there for people to use?</p>
<p><strong>Not RealID Not RealID Not RealID</strong></p>
<p>Many people think that NSTIC is RealID by another name.  Aaron Titus did a pretty good job at <a href="http://www.aarontitus.net/blog/2011/04/26/nstic-as-a-national-id/">debunking some of these hasty conclusions</a>.  The interesting thing about NSTIC for me is that the users can pick which identity or persona that they use for a particular use.  In that sense, it actually gives the public a better set of tools for determining how they are represented online and ways to keep these personas separate.  For those of you who haven’t seen some of the organizations that were consulted on NSTIC, their numbers include the <a href="http://www.eff.org/">EFF</a> and the <a href="http://www.cdt.org/">Center for Democracy and Technology</a> (BTW, donate some money to both of them, please).  A primary goal of NSTIC is to help website owners verify that their users are who they say they are and yet give users a set of privacy controls.</p>
<p><strong>Now on to the use cases, I hope you like them:</strong></p>
<p>I have a computer at home.  I go to many websites where I have my public persona, Rybolov the Hero, the Defender of all Things Good and Just.  That’s the identity that I use to log into my official FaceBook account, use teh Twitters, log into LinkedIn–basically any social networking and blog stuff where I want people to think I’m a good guy.</p>
<p>Then I use a separate, non-publicized NSTIC identity to do all of my online banking.  That way, if somebody manages to “gank” one of my social networking accounts, they don’t get any money from me.  If I want to get really paranoid, I can use a separate NSTIC ID for each account.</p>
<p>At night, I go creeping around trolling on the Intertubes.  Because I don’t want my “Dudley Do-Right” persona to be sullied by my dark, emoting, impish underbelly or to get an identity “pwned” that gives access to my bank accounts, I use the “Rybolov the Troll” NSTIC  ID.  Or hey, I go without using a NSTIC ID at all.  Or I use an identity from an identity provider in a region *cough Europe cough* that has stronger privacy regulations and is a couple of jurisdiction hops away but is still compatible with NSTIC-enabled sites because of standards.</p>
<p><strong>Keys to Success for NSTIC:</strong></p>
<ul>
<li>Internet users have a choice: You pick how you present yourself to the site.</li>
<li>Website owners have a choice: You pick the NSTIC ID providers that you support.</li>
<li>Standards: NIST just formalizes and adopts the existing standards so that they’re not controlled by one party.  They use the word “ecosystem” in the NSTIC description a lot for a reason.</li>
</ul>
<p>From <a href="http://www.guerilla-ciso.com/archives/2023">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Well hopefully this status update from <a href="http://www.csoonline.com/">CSOonline.com</a> and a review of what NSTIC is from @<a href="http://twitter.com/rybolov">rybolov</a> is of use to those wondering what happened to it. See ya!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/08/23/nstic-back-in-the-news/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bye-Bye Passwords &#8211; Maybe?</title>
		<link>http://www.novainfosecportal.com/2008/08/14/bye-bye-passwords-maybe/</link>
		<comments>http://www.novainfosecportal.com/2008/08/14/bye-bye-passwords-maybe/#comments</comments>
		<pubDate>Thu, 14 Aug 2008 22:47:49 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cardspace]]></category>
		<category><![CDATA[infocard]]></category>
		<category><![CDATA[information cards]]></category>
		<category><![CDATA[new york times]]></category>
		<category><![CDATA[nyt]]></category>
		<category><![CDATA[openid]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[single sign-on]]></category>
		<category><![CDATA[sso]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=158</guid>
		<description><![CDATA[I came across an interesting New York Times story by Randall Stross over the weekend that discusses how we should be replacing passwords with information cards and how so-called single sign-on (SSO) services (e.g., OpenID and I&#8217;m sure any commercial product SSO efforts as well) just don&#8217;t add the security we need. Here are the relevant snippets from the article: &#8220;The solution urged by the experts is to abandon passwords &#8211; and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties&#8217; authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.&#8221; &#8220;We won&#8217;t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes &#8220;Single Sign-On&#8221;: with it, logging [...]]]></description>
			<content:encoded><![CDATA[<p>I came across an interesting New York Times story by Randall Stross over the weekend that discusses how we should be replacing passwords with information cards and how so-called single sign-on (SSO) services (e.g., OpenID and I&#8217;m sure any commercial SSO products as well) just don&#8217;t add the security we need. Here are the relevant snippets from the article:</p>
<p>&#8220;The solution urged by the experts is to abandon passwords &#8211; and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties&#8217; authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.&#8221;</p>
<p>&#8220;We won&#8217;t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes &#8220;Single Sign-On&#8221;: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials. OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else&#8217;s Web site.&#8221;</p>
<p>Strangely enough, Microsoft seems to be involved in this new information card technology. It sounds a lot like Microsoft&#8217;s well-known CardSpace technology. As a matter of fact, Microsoft is part of a new Information Card Foundation (ICF) along with other heavyweights such as Equifax, Google, Novell, Oracle and PayPal. But then Microsoft is also a supporter of OpenID. How ironic&#8230;</p>
<p>The only issue I see with these information cards is that, as described in the New York Times story, they are desktop icons that you click to log in. When I&#8217;m logging into Windows at the beginning of the day, what do I do then? I won&#8217;t have access to these information card icons yet. Passwords anyone? Plus this doesn&#8217;t alleviate the problem of computers being infected with malware: if I can click it, a Trojan or virus can too. I agree with all the points about OpenID and other SSO efforts&#8230; but they&#8217;re just so darn convenient! There are a lot of questions that need to be addressed here and I&#8217;m sure we&#8217;ll all be learning a lot more about this technology as it evolves.</p>
<p>What do you think about this new authentication technology? Does your organization have plans to replace passwords with information cards? Here&#8217;s a link to the <a href="http://www.nytimes.com/2008/08/10/technology/10digi.html?no_interstitial">New York Times article</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2008/08/14/bye-bye-passwords-maybe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

