Tag Archive for Threat

Artificial Intelligence – Impact on Passwords

Artificial intelligence (AI) is revolutionizing our lives. Brookings says it is transforming every walk of life, including cybersecurity. In this blog post, we will explore how emerging AI technologies affect password protection. We also discuss strategies to enhance the security of our personal and professional data.

AI adds additional complexity to the security landscape. ISC2 found that 75% of cybersecurity professionals reported that artificial intelligence is already being used to launch cyberattacks and other malicious criminal acts. The threats include advanced password-cracking techniques like brute-force attacks and social engineering. Furthermore, AI-generated phishing attacks can deceive users into revealing sensitive information. Here are some strategies to bolster your defense mechanisms and protect your digital assets.

Enhanced Security Measures for Passwords

Let’s take a pragmatic look at some advanced security protocols:

Adapting CAPTCHA

CAPTCHA was originally designed in 2000 at Carnegie Mellon to distinguish humans from bots. It is evolving to stay effective amidst developing threats. The efficacy of traditional puzzles is diminishing as bots become more sophisticated. Google has revised the original CAPTCHA to reCAPTCHA.

Traditional CAPTCHAs face vulnerabilities including accessibility issues, automation bypass, user frustration, and limited effectiveness. Google’s reCAPTCHA addresses these by employing advanced risk analysis, adaptive challenges, and improved accessibility features. It also supports integration with Google services, enhancing security against automated attacks while ensuring a smoother user experience.

Multi-Factor Authentication (MFA) Adoption

You can fight artificial intelligence-based attacks by implementing MFA and 2FA. These mechanisms offer an additional layer of protection beyond passwords. They require users to provide multiple forms of authentication such as biometrics or security tokens. This extra layer of verification significantly reduces the risk of unauthorized access, even if one factor is compromised. While effective, the implementation of MFA requires careful consideration of usability and security trade-offs.

Single Sign-On (SSO) Solutions

Another way to fight artificial intelligence is to implement a single sign-on (SSO) user authentication solution. SSOs enable seamless access to multiple applications using a single set of credentials. While convenient, SSO implementations must be carefully configured to balance ease of use with security considerations. SSOs require careful configuration and monitoring. Single sign-on solutions pose risks like a single point of failure. If an SSO is compromised, access to multiple systems is jeopardized.

Passwordless Authentication to fight Artificial Intelligence hacks

Here are some alternative authentication methods:

One-Time Passwords (OTP)

A one-time password (OTP) can be a defense against artificial intelligence based attacks. OTP is an automatically generated string of characters that authenticates a user for a single transaction or login session. OTPs offer temporary authentication codes delivered via email, text, or authenticator apps. While effective, the reliance on external communication channels introduces potential vulnerabilities.

Magic Links

Sites set up with magic links are another way to fight artificial intelligence threats. Magic links ask users for an email address, not a password. Then the application generates a link with an embedded token and sends it via email. The user then opens the email, clicks the link, and is granted access to the given app or service. Magic links provide an alternative to traditional username/password authentication by leveraging email verification.

While user-friendly, this method may introduce security risks associated with email interception. Magic links are weak because email accounts remain prime targets for phishing and credential-stuffing attacks. An attacker who gains access to a victim’s email account can fraudulently use magic links to access other applications.
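The magic-link flow described above, as an added example that is not code from this blog or from any particular product: the token is random, stored only as a hash, expires quickly, and can be redeemed once, which narrows the window an intercepted email gives an attacker. The class name, URL, and 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600  # assumption: links stay valid for 10 minutes
BASE_URL = "https://app.example/login"  # hypothetical application URL

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class MagicLinkStore:
    """In-memory store; a real service would keep the same rules in a database."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expiry timestamp)

    def issue(self, email, now=None):
        """Create the link that would be emailed to this address."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is kept, so a leaked store does not yield usable links.
        self._pending[_digest(token)] = (email, now + TTL_SECONDS)
        return f"{BASE_URL}?token={token}"

    def redeem(self, token, now=None):
        """Return the email the token was issued to, or None if it is not valid."""
        now = time.time() if now is None else now
        entry = self._pending.pop(_digest(token), None)  # pop: single use
        if entry is None:
            return None  # unknown or already-used token
        email, expires_at = entry
        return email if now <= expires_at else None

if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.com")  # constructed sample address
    token = link.split("token=", 1)[1]
    print(store.redeem(token))  # first click succeeds
    print(store.redeem(token))  # replay of the same link fails
```

Expiry and single use limit replay of an intercepted link, but they do not help once the mailbox itself is compromised, which is the risk the post describes.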

Biometric Authentication

Biometric solutions, such as fingerprint or facial recognition, offer convenient and secure authentication. However, the reliance on hardware and platform compatibility may limit widespread adoption.

Biometric authentication relies on specialized hardware like fingerprint scanners or facial recognition sensors, leading to dependency on device compatibility and reliability. Ensuring consistent performance across various platforms and mitigating vulnerabilities in hardware are essential to maintain security and user trust.

Navigating the Transition

While the transition to passwordless authentication holds promise, it presents practical challenges and considerations:

Technological Investment

Adopting advanced authentication methods requires investment in new technologies and infrastructure. Organizations must weigh the benefits of enhanced security against the costs of implementation and maintenance.

User Acceptance

User acceptance plays a crucial role in the adoption of passwordless authentication methods. Organizations must prioritize user experience and provide adequate support and education to facilitate the transition.

Regulatory Compliance

Compliance with industry regulations and standards, especially in Europe, may influence the adoption of passwordless authentication methods. Organizations must ensure alignment with regulatory requirements while enhancing security measures.

rb-

In conclusion, the battle against artificial intelligence-based cybersecurity threats is already here. Some steps can be taken to fight these challenges. Many of the new protections require changes to business as usual. By carefully evaluating the benefits and considerations of alternative authentication methods, organizations can navigate this transition effectively and safeguard their digital assets in an increasingly complex threat landscape.



Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Another Hole in Internet Armor

Another hole in our Internet armor has been discovered. The hole is in the Diffie-Hellman key exchange, a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University, and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they are calling the Logjam attack, the DH flaw allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and change any data passed over the connection.

The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

To prove this hypothesis, the researchers carried out this computation against the most common 512-bit prime number used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT.

They also estimated that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.

There is speculation that this “flaw” was being exploited by nation-state bad actors. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having created, exploited, and harnessed the Logjam vulnerability.

What should you do?

1 – Go to the researchers’ website https://weakdh.org/ to see if your browser is secure from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OSX 10.10.3 was not secure.)

2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK:

Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.

3 – Google (GOOG) fixed the issue with the Chrome 42 update, which debuted on April 15. Google engineer Adam Langley wrote:

We disabled TLS False-Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.

4 – Mozilla’s patch for Firefox isn’t out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.

5 – DarkReading reports that on the server-side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. There has been no response from these tech titans.

The researchers have also provided guidance:

  1. If you have a web or mail server, they recommend that you disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
  2. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers the Elliptic-Curve Diffie-Hellman Key Exchange.
  3. If you’re a sysadmin or developer, make sure any TLS libraries you use are up-to-date, that servers you support use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.
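One way to check a server's Diffie-Hellman parameter file against the sizes in this guidance, as an added example that is not the researchers' tooling: it reads the PEM "DH PARAMETERS" structure (a DER SEQUENCE holding the prime and the generator) and applies the 1024-bit and 2048-bit thresholds named above. The function names and verdict strings are assumptions, and the sample inputs are constructed numbers of the right size, not real primes.

```python
import base64

MIN_CLIENT_BITS = 1024  # from the guidance: clients reject primes below 1024 bits
MIN_SERVER_BITS = 2048  # from the guidance: servers use 2048-bit or larger primes

def _read_tlv(buf, off):
    """Read one DER tag-length-value; return (tag, value, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def parse_dh_pem(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (SEQUENCE of two INTEGERs)."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    t_p, p, off = _read_tlv(seq, 0)
    t_g, g, _ = _read_tlv(seq, off)
    if (tag, t_p, t_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a DH parameter structure")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def classify(pem):
    """Apply the size thresholds to the prime; return (bits, verdict)."""
    bits = parse_dh_pem(pem)[0].bit_length()
    if bits < MIN_CLIENT_BITS:
        return bits, "reject"
    return bits, "ok" if bits >= MIN_SERVER_BITS else "regenerate"

def _enc(tag, val):
    """DER-encode one TLV (used only to build the constructed samples)."""
    n = len(val)
    nb = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + hdr + val

def sample_pem(bits):
    """Constructed input: an odd number of the given size, NOT a real prime."""
    ints = [(1 << (bits - 1)) | 1, 2]
    body = b"".join(_enc(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in ints)
    b64 = base64.b64encode(_enc(0x30, body)).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----"

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(classify(sample_pem(size)))
```

This checks size only. It does not test primality or tell you whether the group is one of the widely shared primes, which is why the guidance also calls for generating a unique group.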

rb-

Finally, get involved. Write someone, your representative, senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way. 

Ars Technica notes that Logjam is partly caused by export restrictions put in place by the US government in the 1990s, to allow government agencies the ability to break the encryption used in other countries. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said Michigan’s J. Alex Halderman in the report. “Today that backdoor is wide open.”

 

 
