Tag Archive for 2FA

Wearables – Growing Enterprise Risk

Market research firm Tractica predicts that high levels of interest will drive worldwide shipments of wearable computing devices for enterprise and industrial use from 2.3 million in 2015 to 66.4 million units by 2021, and could reach 75.4 billion by 2025. This means there will be a total of 171.9 million wearables in the wild by 2021.

The report at FierceMobileIT attributes the growth to a large number of trials and deployments of a diverse set of wearables across a variety of industry sectors. Tractica research director Aditya Kaul explained the prediction:

In the past year, the enterprise and industrial wearables market has moved into an implementation phase, with the focus shifting from public announcements to the hard work that needs to be done behind the scenes to get wearables rolled out at commercial scale.

Tractica noted that a range of new IoT use cases is emerging for workplace wearables. The new uses are focused on application markets such as retail, manufacturing, healthcare, corporate wellness, warehousing and logistics, workplace authentication and security, and field services.

The market research firm believes the primary wearable device categories will be smartwatches, fitness trackers, body sensors, and smartglasses. Other niche categories will also play a role for specialized use cases.

The report does concede that in terms of unit volumes and revenue, enterprise and industrial wearables are still a very small part of the overall IoT market. Wearables' share of the total market will grow over time, according to Tractica.

Wearables proliferation does not bode well for IoT or enterprise security. A recent survey of 440 IT pros by IT networking company Spiceworks found that enterprise wearables are most likely to be the cause of a data breach out of all Internet of Things devices connected to a workplace network.

According to FierceMobileIT, the survey found that 53% of IT pros believe wearables are the least secure of all IoT devices. Overall, 90% of those surveyed think IoT makes workplace security more difficult. Spiceworks also found that only one in three of those surveyed are preparing for the tidal wave of these devices.

The number of companies allowing wearables on the network has jumped from 13% in 2014 to 24% in the current Spiceworks survey. That is a significant jump, and especially worrisome for the two-thirds of organizations putting off a proper security protocol. 41% of those surveyed said that their organizations have a separate network for connected devices, 39% allow them on the corporate network, and 11% don't allow IoT in any capacity.

Enterprise IoT devices aren’t the only reason IT pros should worry, as Andrew Hay, CISO of DataGravity, told FierceMobileIT at the RSA conference this year. Workers are bringing consumer-grade IoT devices into enterprise environments, too. In other words, IT pros don’t have a choice at this point but to seriously consider security measures for IoT.

rb-

I first covered IoT security holes in 2011. In 2014, I wrote about HP research which found on average 25 security flaws per device tested. If these stats are right, there will be almost 4.3 billion security flaws in the wild.

Some of the security flaws HP pinpointed in wearables during 2015 included:

  • Mobile interfaces lack two-factor authentication or the ability to lock out accounts after failed login attempts.
  • Watch communications can be easily intercepted.
  • Firmware is transmitted without encryption.
  • Half of the tested devices lacked the ability to add a screen lock, which would hinder access if the device were lost or stolen.
  • 40% were still vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Who Needs Two-Factor Authentication

The recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users reuse the same passwords. So what are we to do? One solution is two-factor authentication.

John Shier at Sophos' Naked Security blog provided a primer on multi-factor authentication. Two-factor authentication is a subset of multi-factor authentication (MFA). MFA is an authentication process where two of three recognized factors are used to identify a user:

  • Something you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits.
  • Something you are – fingerprints, iris patterns, voiceprints, or similar.

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

The author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can use a form of two-factor authentication based on SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Gaps in mobile network coverage and the unreliable nature of SMS delivery can make SMS 2FA difficult. However, some services let you use an authenticator app in addition to your password, which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).

Two-factor authentication makes it harder

Parker Higgins at the EFF says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like pairing a PIN (something you know) with your ATM card (something you have), makes it harder to impersonate you. You need to both have the card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—which means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

That’s important because phishing, which is one of the most common ways in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

As two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it does not have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT), GitHub, Evernote, WordPress, Yahoo (YHOO) Mail, and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere, but many of the most popular sites and services on the internet use the technology. Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes in order to thwart 2FA, so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need two-factor authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)


Hotmail is Dead

Microsoft (MSFT) has completed the transition from Hotmail to the new Outlook.com. The Hotmail replacement has more than 400 million accounts. According to a blog entry at Office.com, most Hotmail users will not notice much difference. They can continue to use those accounts as long as they choose and can claim an Outlook email address whenever they like.

Writing in the company blog, Dick Craddock, Outlook.com's group program manager, said that Hotmail had more than 300 million active accounts that had to be moved. MSFT completed the epic live upgrade in only six weeks. The upgrade from Hotmail to Outlook.com required communicating with hundreds of millions of people, upgrading all their mailboxes, and making sure they preserved every email, calendar, contact, folder, and personal preference.

The new Outlook email client has several features Hotmail lacked, such as two-factor authentication, an updated calendar and apps, as well as integration with the cloud service SkyDrive and with Skype. It also allows users to connect easily with Facebook (FB), Twitter, and LinkedIn (LNKD).

GigaOm reports that MSFT will even allow collaboration with Google users. They report that:

... if you're reading an email from a Gmail user, you can reply with a chat icon from your Outlook.com inbox. Or, if you and your Google-oriented buddy are collaborating on a document in Microsoft Skydrive (as opposed to, say, Google Drive), you can send an instant message to your Google contact with the click of a button. Microsoft is also rolling out Google Chat integration.

All of these new features have not thrilled everyone. Mr. Craddock is quoted in the IBT: "Of course, whenever a widely used consumer service makes any substantial change, there will always be some folks that don't like it, and that shows up in the feedback..."

Hotmail was one of the first web-based email services. Founded by Sabeer Bhatia and Jack Smith, it was launched on July 4, 1996 as "HoTMaiL". Microsoft bought the web email service in 1997 for an estimated $400 million, and it was rebranded as "MSN Hotmail".

Outlook.com was launched in February 2013. It is based around Microsoft's Metro design language and closely mimics the user interface of Microsoft Outlook.

rb-

For anyone who has ever been involved in a live email upgrade, you should recognize the technical feat that moving Hotmail to Outlook.com really was, despite occasional problems. During most email system upgrades, anything that can go wrong will go wrong. There will be power or network issues that interrupt the mailbox transfer across the wire; there will be users with 32 GB of email messages; there will be people who file their active messages in the trash can (yes, I've seen it); and there will be strange shared calendars and accounts that just won't transfer unless you move them item by item to find the corruption.

Kudos to MSFT for migrating Hotmail to Outlook.com; let's see if it matters in the face of Google's (GOOG) Gmail and Docs.
