Tag Archive for Password

| August 11, 2015
Comments Off on SmartWatches – Not Ready for Primetime

SmartWatches – Not Ready for Primetime

SmartWatches - Not Ready for PrimetimePundits predict that Apple iWatch sales will surpass iPad first-year sales. The experts expect Apple to sell 21 million watches in fiscal 2015. Many believe that the iWatch will drive wearable tech into the enterprise. With this kind of hype, security vendors have started to take a look at iWatch and other smartwatches.

wearable techFierceMobileIT reports that just in time for BlackHat, MobileIron released a report looking at the security risks smartwatches pose to corporate data. According to the enterprise mobility management firm, workers are increasingly using smartwatches to connect wirelessly to their smartphones and access corporate email, calendar, contacts, and apps.

MobileIron looked at the security of smartwatches that can be paired with iOS and Android smartphones accessing enterprise resources as well as the pairing apps on the smartphones. The author says the EMM vendor analyzed the Apple (AAPL) Watch, Motorola Moto 360, Samsung (005930) Gear 2 Neo, and Shenzhen Qini U8.

MobileIron logoThe Qini U8 had a pairing app that displayed some “suspicious behaviors” that could pose a risk to personally identifiable data such as access to downloaded and cached content and phone hardware data, judged MobileIron. The pairing app was downloaded from an unknown IP address in China and not the relative safety of the official Google Play store, which scans apps from malicious traits.

Another security concern noted in the article is the implementation of passcodes on smartwatches. Smartphone passcodes are usually time-based so that if the device is not used within a certain time period, the device is locked and access requires entering the passcode.

SmartDisck Tracywatch passcodes examined by MobileIron are proximity-based so that the device is locked when the smartwatch loses wireless connection with the smartphone. However, only the Apple Watch prompted the user to set up a passcode, suggesting that many users of the other smartwatches do not enable the passcode option.

In addition, smartwatches do not have enterprise mobility application programming interfaces to do policy enforcement on the devices. The Apple Watch stood out in terms of security by wiping enterprise apps from the device when its companion iPhone is quarantined or retired and the enterprise apps are removed from the phone.

smartwatches do not have enterprise mobility application programming interfacesIn terms of data encryption, there is no encryption on the Shenzhen Qini U8, while it is optional at the app level for the Motorola Mobility Moto 360 and the Samsung Gear 2 Neo. For the Apple Watch, encryption is enabled for the data on the watch and optional at the app level. The MobileIron report concluded, “As enterprises embrace these devices for enterprise applications …  we expect smartwatch vendors to place an even stronger emphasis on security.”

Not only has MobileIron recently scrutinized smartwatches so has HP. HP’s Fortify security unit tested 10 different smartwatches and found that all of them were vulnerable to cyberattacks.

HP (HPQ) did not say which brand of smartwatches it tested. However, FierceITSecurity reports that HP did test the devices and their Android and iOS cloud and mobile app components, indicating that the Apple Watch was one of those tested.

HP Fortify found that all the smartwatches they tested were insecure. Jason Schmitt, general manager of HP security at Fortify said

HP logo[Smartwatches] … will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks 

HP combined manual testing and automated tools to check the devices against the open web application security project’s Internet of Things Top 10 security risks. HP found that data collected on the smartwatch was often sent to multiple backend destinations (often including third parties). The researchers used HP’s Fortify on Demand to find many more smartwatch vulnerabilities (PDF, reg. req).

  • Broken watch100% tested were paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts.
  • 90% allowed watch communications to be easily intercepted.
    • 70% of the time firmware was transmitted without encryption.
    • Only 50% of tested devices offered the ability to add a screen lock (PIN or Pattern), which could hinder access if lost or stolen.
    •40% of the cloud connections were vulnerable to the POODLE attack, allow the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.

HP offered recommendations for consumers looking to use smartwatches more securely:

  1. Do not enable sensitive access control functions (e.g., car or home access) unless strong authentication is offered (two-factor, etc).
  2. Enable passcodes to prevent unauthorized access to your data, the opening of doors, or payments on your behalf.
  3. Enable security functionality (passcodes, screen locks, two-factor, and encryption).
  4. Use strong passwords for any interface such as mobile or cloud applications associated with your watch.
  5. Do not approve any unknown pairing requests to the watch.

These security measures are also critical as smartwatches enter the workplace and are connected to corporate networks. HP recommends that enterprise technical teams:

  1. Ensure TLS implementations are configured and implemented properly.
  2. Require strong passwords to protect user accounts and sensitive data.
  3. Implement controls to prevent man-in-the-middle attacks.

rb-

As smartwatches become more mainstream, they will increasingly store more sensitive information such as health data, and enable physical access functions including unlocking cars and homes. HP’s Schmitt warns that,

Smartwatches … open the door to new threats to sensitive information and activities … vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.

All smartwatches collected some form of personal information, such as name, address, weight, gender, heart rate, and other health information. Given the account issues and weak passwords identified by MobileIron and HP, the exposure of this personal information is a concern. I am calling smartwatches not ready for prime-time.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| July 2, 2015
Comments Off on The Enemy Within at School

The Enemy Within at School

The Enemy Within at SchoolNaked Security reports on a hack that combines two of our favorite things on the Bach Seat, Florida, and lax data security at school. The way the Sophos blog tells the story, a 14-year-old Florida boy is charged with being a hacker by trespassing on his school’s computer system.

Florida school hacker

The charges came after he shoulder-surfed a teacher typing in his password and used it without permission to trespass in the network. The student then tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.

an offense against a computer system and unauthorized accessA Tampa Bay Times article says that an eighth-grader was recently arrested for “an offense against a computer system and unauthorized access.” This is a felony in Fla. Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school using an administrative-level password without permission.

A spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother. His sentence remains to be seen, But at this point, it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension. Sheriff’s detective Anthony Bossone says is likely to be “pretrial intervention” by a judge with regards to the felony charge, the Tampa Bay Times reports. Naked Security says this is the student’s second offense.

Old school securityWhen the newspaper interviewed the student, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said. It’s a well-known trick, the student said. He claimed the password was a snap to remember, it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.

The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank. He also reportedly accessed a computer with sensitive data – the state’s standardized tests (now we know why he is in trouble – NCLB! – Common Core!!while logged in as an administrator. Those are files he well could have viewed or tampered with, though he denies having done so. Sheriff Nocco says that’s the reason why this can’t be dismissed as being just a bit of fun. Even though some might say this is just a teenage prank, who knows what this teenager might have done.

I logged out of that computer and logged into a different one and I logged into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him.

in typical HS-er logic, he told the newspaper:

If they’d have notified me it was illegal, I wouldn’t have done it in the first place. But all they said was ‘You shouldn’t be doing that.

Idaho school hacker

rented a cloud based botnet to launch a distributed denial of serviceAnother report from the other side of the continent comes from Engadget. They report that a teenager from Idaho took advantage of the latest trend in online criminal activity. He likely rented a cloud-based botnet to launch a distributed denial of service (DDos) against the largest school district in Idaho. The alleged DDoS took down the school district’s internet access according to media reports.

KTVB News reports that the 17-year-old student paid a third party to conduct a distributed denial-of-service attack/ The attack forced the entire West Ada school district offline. The act disrupted more than 50 schools, bringing everything from payroll to standardized tests (More high stakes testing – NCLB! Common Core!!) grinding to a halt. Unfortunate students undertaking the Idaho Standard Achievement test had to go through the process multiple times because the system kept losing their work and results.

State and Federal felony chargesThe report goes on to say that authorities have found the Eagle High student from their IP address. The students could now face State and Federal felony charges. If found guilty, the unnamed individual is likely to serve up to 180 days in jail, as well as being expelled from school. In addition, the suspect’s parents will be asked to pay for the financial losses suffered as a consequence of the attack.

rb-

Many school networks have bigger pipes than the business world. Some EDU networks I have worked on have had 10 GigE for years. In the rest of the online world, these incidents would serve as a wake-up call to network managers that hey, we might be at risk too, but not schools. Oh yeah – Passwords are Evil

Rightly or wrongly schools rely on the Intertubes for their core business – instruction, and NCLB high-stakes testing. However, they do not take steps to protect themselves. Administrators fight common tactics like periodic password changes, enforcing password complexity, or blacklisting common weak passwords. None bother with an anti-DDOS strategy let alone buying a tool to fight off a denial of service attack.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| June 25, 2015
Comments Off on Emoji Passcodes Replace PIN at ATM

Emoji Passcodes Replace PIN at ATM

Emoji Passcodes Replace PIN at ATMFollowers of the Bach Seat know that passwords are evil. I have written about dumb passwords again, again and again. Now a firm in the UK wants us to replace our ATM PINs with Emoji passcodes. The Verge brings us the latest theory to get users to use passwords better than “123456,” “password,” and “12345678.” EMOJI. Yes, those Japanese pictographs that anybody over 15 loves to hate. 

users just don't care about their passwords Intelligent Environments, a UK firm that makes digital banking software figured most users just don’t care about their passwords. So they created what it’s calling the “world’s first emoji-only passcode.” The world’s first emoji-only passcode offers a choice of 44 emoji that can be used to create a four-character PIN. The company told Verge the 44 emojis can create 3,498,308 possible permutations for non-repeating emoji passcodes. That compares to just 7,290 for a traditional non-repeating PIN.

Replace your ATM PIN with an emoji

The firm believes that everyone loves emojis, so why not replace those pesky digits with emojis?  Intelligent Environments is betting that forcing people to use emoji instead of numbers would also stop them from choosing weak PINs. Weak PINs are based on memorable events — birthdays and weddings for example — that might be easily guessed.

The company quotes Tony Buzan, inventor of the Mind Map technique. He adds that the idea, “plays to humans’ extraordinary ability to remember pictures, which is anchored in our evolutionary history.” Memory expert Buzan explains, “Forgetting passwords is because the brain doesn’t work digitally or verbally. It works imagistically.”

The author points out while it is a clever idea, certainly, but don’t get too excited yet. This is not the first PIN replacement we’ve seen. Implementing these ideas is always far more difficult than just coming up with them.

Intelligent Environments presser

Password dressIntelligent Environments’ press release is also a little too heavy on the hyperbole (it claims that “64 percent of millennials regularly communicate only using emojis” — really? Only using emoji?) and a little too light on actual industry support. Intelligent Environments’ managing director David Webber told BBC News that the company hadn’t patented the idea, meaning any bank that wants to introduce emoji PIN codes can do so. Although, there’s always the chance that security wouldn’t be increased as everyone picked what is objectively the best emoji passcode ever: four smiling poops.

rb-
There is some research that says this makes sense. But then there is the problem of getting systems to accept the emoji PIN. There are still websites out there that can’t handle a passphrase of more than 12 text characters, what is it going to do with emoji? Also, remember that there are still lots of ATM’s out there quietly running Microsoft’s Windows XP operating system more than two years after Redmond stopped updating the software.

The kids think they are so cool with their newfangled emoji. What about old-school?

: )

:-O

(-_-)

(^_^)

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| March 3, 2015
Comments Off on New Authentication ‘Fingerprints’ How You Move

New Authentication ‘Fingerprints’ How You Move

New Authentication 'Fingerprints' How You MoveWe all know that passwords are hideous things. They take up to much time and are not that effective. In fact, Gartner (IT) says that password resets represent 30% of help desk calls. Readers of Bach Seat know that the most common hacked passwords change very little from year to year.

remembering effective passwords is difficultGenerating and remembering effective passwords is difficult and unnatural. A lot of us are awful at it and there’s almost no improvement in the list of most common passwords from year to year (as I most recently covered here). Meanwhile, computers improve their ability to crack passwords by brute force and cunning every year.

So where there is chaos this is profit. A new area of research is to replace passwords with a users’ behavior. Mark Stockley at Sophos’ Naked Security blog, reports that researchers at West Point are working to get rid of passwords. The Cadets are working to produce a new identity verification system based on users’ behavior, described as a next-generation biometric capability. The research is being developed as part the active authentication program run by DARPA.

Thnext generation biometric capabilitye article explains that authentication has traditionally relied on users producing one or more of the following: something you know (such as a password or PIN), something you have (such as a number from an RSA key) or something you are (such as your fingerprints or face.) The technology that West Point is working on called, behavior-based biometrics, adds another factor to the mix: something you do.

According to DARPA the first phase of the active authentication program will focus on biometrics that can be captured through existing technology, such as analyzing how the user handles a mouse or how they craft the language in an email. The contract document, reported by Yahoo Finance, describes the technology as a “cognitive fingerprint.”

cognitive fingerprint…when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint’

Cognitive fingerprints will offer significant advantages over existing forms of authentication. According to Sophos, the new technology has several advantages over passwords because they do not:

  • Require specialized hardware required by biometrics and
  • Rely on users remembering strong passwords, something humans are naturally bad at.

authenticate usersCognitive fingerprints should also give systems the ability to authenticate users continuously, keeping people logged in so long as they’re present and then logging them out as soon as they leave.

Nancy Gohring at FierceITSecurity recently wrote about a similar approach to user behavior authentication. Alohar Mobile, now owned by Alibaba, has figured out a way to use the sensors in mobile phones to create a profile of the unique way that you walk, using that “fingerprint” for authentication. Sam Liang, Alohar’s founder, and CEO has claimed, “We have a system that allows the payment system to use the location tracking and the motion sensor to authenticate and detect fraud.”

Alohar logoAccording to Ms. Gohring, Alohar’s patent describes a host of unique biometric pattern patterns the firm can collect from the phone’s accelerometer and gyroscope to identify the person using the phone. They include:

  • The speed/cadence/pace at which the mobile user normally walks
  • The ‘bounce’ of the mobile device in a person’s pocket, bag or purse as they walk or run
  • The motion pattern when a person reaches for their mobile device in a pocket
  • How the user moves the device to their ear
  • Even the angle they hold the mobile device.

collecting data about a user's movementsAfter collecting data about a user’s movements, the system would create a profile of the user. When the person tries to use the phone to buy something in a store, the system would compare the user’s profile against the recent movements of the person using the phone, making sure they match. If they don’t, the retailer can ask the user for other forms of identification. The system could work similarly for e-commerce transactions.

The patent describes other uses for the profiling system beyond authentication. The article claims the inventor describes a scenario where if a user often goes to an elementary school or a daycare center, the service could send targeted advertising or information about kid-related events to the user.

collect even more dataIn the future, Mr. Liang hopes to be able to collect even more data from more kinds of devices, like fitness trackers and health monitors. He told FierceITSecurity, “In the future, the phone will be able to tell, are you happy or depressed based on the way you walk, the speed you move around, the way you swing the phone,” he predicted.

rb-

Biometrics has been waiting in the wings as the Next Big Thing in authentication for years. Transparent, behavior-based biometrics like those being developed by Alohar and West Point could give the nudge that’s needed to push biometrics into the mainstream, but Sophos’ Stokely argues there are two major obstacles to the widespread adoption of biometrics.

  • You can’t change your biometrics – How do you change yourself if your biometric password is compromised?
  • For all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control.

Behavior-based biometrics will happen invisibly, while convenient but it will require us to be comfortable ceding that feeling of control too, says Mr. Stockley.

Behavior-based biometrics will draw the ire of privacy advocates for its invisible, seamless identification and roots in the military, as it may allow for wider monitoring of society.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| September 25, 2014
Comments Off on Internet of Things Full of Holes

Internet of Things Full of Holes

Internet of Things Full of HolesThe Internet of Things, is big and heading towards huge. The Internet of Things (IoT) is a system where unique identifiers are assigned to objects, animals, or people. These “Things” then transfer data over a network without requiring human-to-human or human-to-computer interaction. Whatis.com says IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), and the Internet.

Business Insider believes that the IoT will be the biggest thing since sliced bread. They claim there are 1.9 billion IoT devices today, and 9 billion by 2018, which roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined. Gartner (IT) predicts that there will be 26 billion IoT devices by 2020. Based on a recent article in InfoSecurity Magazine is a very scary thing.

BI Global IOT Installed Devie projectionsThe InfoSecurity article says HP (HPQ) found 70% of the most common IoT devices have security vulnerabilities. HP used its Fortify On Demand testing service to uncover security flaws. HP detected flaws in IoT devices like TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers as well as their cloud and mobile app elements according to the new study.

HP tested IoT devicesHP then tested them with manual and automated tools and assessed their security rating according to the vendor neutral OWASP Internet of Things Top 10 list of vulnerability areas. The author concludes that the results raised significant concerns about user privacy and the potential for attackers to exploit the devices and their cloud and app elements. Some of the results are:

  • A total of 250 security concerns were uncovered across all tested devices, which boils down to 25 on average per device,
  • 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application,
  • 80% of devices studied allowed weak passwords like 1234 opening the door for WiFi-sniffing hackers,
  • 80% raised privacy concerns about the sheer amount of personal data being collected,
  • 70% of the devices analyzed failed to use encryption for communicating with the Internet and local network,
  • 60% had cross-site scripting or other flaws in their web interface vulnerable to a range of issues such as the Heartbleed SSL vulnerability, persistent XSS (cross-site scripting), poor session management and weak default credentials,
  • 60% didn’t use encryption when downloading software updates.

Mike Armistead, VP & General Manager, HP Fortify, explained that IoT opens avenues for attackers.

IoT opens avenues for the attackers.While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.

HP urged device manufacturers to eliminate the “lower hanging fruit” of common vulnerabilities. They recommend manufacturers, “Implement security … so that security is automatically baked in to your product … Updates to your product’s software are extremely important.”

Antti Tikkanen, director of security response at F-Secure, told InfoSecurity said the problems HP uncovered in this report were just the tip of the iceberg for IoT security risks.

One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly … At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.

rb-

I covered the threats that IoT or “smart” devices presented back in 2012. I don’t know where HP (or the rest of the security community) has been.

The current generation of “smart” devices does not seem to have any security. Most likely the manufacturer did not consider basic security or worse calculated it was better to ignore the secure design in their rush to gain market share.

It is also annoying that HP did not reveal the details on the products they tested.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »