Laptop devices and Two-Factor Authentication

10 Apr

OK, I recently bought a new laptop and decided to go ahead and spend the little bit of extra cash for the biometric fingerprint reader on the device, thinking I could increase the security of my device. Considering my profession, I figured increasing security might be a good idea, and hey, it looks all techy too. Well, that is all well and good until I decided to set the system up in a two-factor configuration. And so it begins…

Two-factor authentication is the principle of improving security by requiring two independent authentication mechanisms. There are three kinds of factor: something you have, something you know, and something you are. Bank cards work off this model, requiring two factors: something you have (the card) and something you know (the PIN). I wanted to set up my laptop similarly: something I am (fingerprint) and something I know (password). The laptop I purchased supports both, right? A fingerprint reader and Windows password management. Well, wrong.

Here is the deal: not all biometrics are created equal. Although the hardware does have the capability of performing two-factor authentication, the software for the fingerprint reader does not support such functionality. Speaking with HP on this matter, they can support one or the other, which allows only single-factor authentication. This is because the fingerprint software simply stores your Windows password in a password vault and sends it to Windows when it recognizes your fingerprint: the fingerprint unlocks the stored password rather than being checked in addition to it, so whoever satisfies the reader gets in without ever knowing the password.

Moral of the story: don't be fooled into thinking you have any stronger security just because you have biometrics (a fingerprint reader, facial recognition, voice recognition, etc.). The truth is you still have single-factor authentication, with a possibly higher false-positive (false-accept) rate. In other words, if you use a strong password, I would probably have a better chance of faking out your biometric device than of figuring out the password.

If you are with a company that is interested in enforcing two-factor authentication, make certain your vendor supports it, and don't just assume that because a device has a biometric reader it will perform two-factor authentication. This is really just a marketing ploy to make users feel more secure and cool because they have a new high-tech gadget.
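To make the difference concrete, here is an added example (not code from the post, and not HP's or Windows' implementation) that models the two login designs side by side: a reader that unlocks a stored password and replays it, versus an OS that verifies the fingerprint and the password independently. The class and function names, the fake fingerprint "template" bytes and the PBKDF2 parameters are assumptions for illustration only.

```python
"""
Added example, not from the original post or from HP/Windows: a toy model
of the two laptop login designs contrasted above.

  vault_login      - the reader matches the finger, then replays a stored
                     password to the OS (the design the post describes).
  two_factor_login - the OS checks the fingerprint AND the password itself;
                     neither alone is enough.

Names, the fake template bytes and the hashing parameters are assumptions.
"""
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """What the OS holds: a salted password hash and an enrolled fingerprint template."""

    def __init__(self, password: str, template: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.template = template

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def check_fingerprint(self, sample: bytes) -> bool:
        # Real matchers are fuzzy; an exact comparison is enough for the model.
        return hmac.compare_digest(self.template, sample)


class VaultReader:
    """Fingerprint software that keeps the user's password and types it in for them."""

    def __init__(self, account: Account, password: str):
        self.account = account
        self.stored_password = password  # the "password vault"

    def login(self, sample: bytes) -> bool:
        if not self.account.check_fingerprint(sample):
            return False
        # The OS never sees the finger; it sees the replayed password.
        return self.account.check_password(self.stored_password)


def vault_login(account, reader, sample=None, password=None):
    """Vault design: either factor alone gets in, since the OS still takes the password directly."""
    if sample is not None and reader.login(sample):
        return True
    return password is not None and account.check_password(password)


def two_factor_login(account, sample, password):
    """True two-factor design: both factors verified independently, nothing to replay."""
    return (sample is not None and account.check_fingerprint(sample)
            and password is not None and account.check_password(password))


def attacker_outcomes():
    """Which single-factor attacker succeeds under each design."""
    template = b"enrolled-finger-template"  # constructed stand-in for a real template
    secret = "correct horse battery staple"
    acct = Account(secret, template)
    reader = VaultReader(acct, secret)
    spoof_only = {"sample": template, "password": None}  # forged finger, no password
    password_only = {"sample": None, "password": secret}  # stolen password, no finger
    return {
        "vault": {
            "spoofed_finger": vault_login(acct, reader, **spoof_only),
            "stolen_password": vault_login(acct, reader, **password_only),
        },
        "two_factor": {
            "spoofed_finger": two_factor_login(acct, **spoof_only),
            "stolen_password": two_factor_login(acct, **password_only),
            "both": two_factor_login(acct, template, secret),
        },
    }


if __name__ == "__main__":
    for design, results in attacker_outcomes().items():
        print(design, results)
```

Under the vault design both single-factor attackers get in, which is exactly why the post counts it as one factor; only the second design refuses anyone who lacks either the finger or the password.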

Want more information on multi-factor authentication?


24 Aug

So I am reading up on all the news I've missed while my head has been down in the computer doing whatever it is I do, because really I don't even know, and I run across this article (RankMyHack – A 'Hot or Not' for hackers, l33tdawg). Now I have to say I love the idea. No, not because I think it is a fun game, although … or do I? No, because what better way to discover all the hacked sites out there than to get the hackers to tell you about them? Now, personally, if I were a hacker I would never trust anything like this, but I have trust issues anyway. Come on, how many times do you hear about a hacker getting caught all because he or she can't keep their mouth shut? If you have been around me any time at all, I am sure you have heard me say "The only safe secrets are those in your own head, and the government is working on a way to get those out as well." (BTW, this is why I say that.) So now let me provide some anonymous entity all the proof they need to prove that I hacked some site. I think not! But I am sure someone will, or it appears someone already has, and this is why I wish I'd come up with this. Why didn't I come up with this? I saw the movie "Hackers". This is exactly what they did, except they didn't use a global web site for the competition. Geez.

So, all the research you can stand, just for grading the difficulty of a hack. Why not? It helps identify vulnerable sites, how they were compromised, and any new unidentified threats in the wild. It allows people to identify site compromises (not all hacks are obvious), come up with some sort of mitigation for identified vulnerabilities (although for the site owner it's a little late), and build trends to work from going forward. Now, I have no idea if the site maintainers are doing any of this, but it has a potential upside.

Although I have to say I don't feel there is any way in which the grading system can be a fair assessment. Why? Well, the degree of difficulty is very dependent on who is performing the hack. Let's take these three examples:

  • Example A – current employee. If the hacker is a current employee, they already have certain access privileges which another individual might not have, maybe even direct access. This definitely makes the hack easier than if it were performed by Joe Blow, who isn't employed by the company. (Disclaimer – Joe Blow is a figurative person in this example and is in no way a reference to any real Joe Blow in existence.)
  • Example B – prior employee. If the hacker is a prior employee, then most likely they have proprietary information about security practices, monitoring, and barriers. They may even know some of the loopholes. They might have been able to collect credentials for access to systems that would not be turned off before they left. BTW, current employees have potential for this as well.
  • Example C – local company. If the hacker can get a job with the company, easily make local phone calls that don't appear odd (oh yeah, there is Google Voice now, so I can always appear local), walk down to the office for some dumpster diving (jumping into a dumpster to find papers with account numbers, names, passwords, etc.), talk to employees, etc., this is an advantage.

Yes, I suppose a really good hacker might move or take a job with the company just to hack their site or obtain information, but this does increase the difficulty. So without knowing all the steps required to perform said hack, how do you grade the difficulty? It appears this site simply sets the difficulty rating based on the prestige of the company, which they set. This leads to another problem. If your company is lucky enough to rank for high points, you now have a bull's-eye on your forehead; lucky you. This site now effectively has the power to call massive attacks against any company with a computer. So where do I put the million-point target today? <LOL> I can't help it.

In order to gain a better understanding of how this site works, I signed up for an account, supplying them with an email address (anonymous, of course) and a random user ID. They send an email to your account for verification purposes, which I have not received yet. So either they are backlogged or broken, possibly from the volume of hits after the press release, or maybe it is all bogus. I don't know at this time, but it has made for some interesting conjecture. Anyway, if I find out anything else interesting I will be glad to post an update.

Signing off until next time.


Hello World!

11 Aug

Well, I am starting a blog to try this out, so bear with me, I'm learning. I am a security professional, so most of my posts will be about security, a little about life in general, and even less about me, because frankly I just don't like talking about myself. I am a father of three, so expect some references to my children and things that happen there, but mostly so you know where my life experiences are coming from. Really, that is the only reason I gave you any background at all. And if you want to know anything or to discuss anything further, please feel free to contact me.

I was notified recently that one of my accounts may have been compromised

11 Aug

So as the title says, I was recently notified, well, about a week ago now, that one of my online accounts (I'm not going to say which one, mainly because I don't want this to be a bashing forum and I don't think it is pertinent to the post) "may" have been compromised. For the non-security folks out there, that is hacked. I stressed the "may" because in security we don't always know for sure if something has been broken into, but we might have high suspicions based on anomalies, the way a broken window might mean your house was broken into, or it might just mean that you forgot your key and couldn't get into your house. So of course when I got this information I was concerned, and I followed the notification's instructions to change my password, verified that my computers and networks were secure (i.e. virus scan enabled, system patched, both network and system firewalls enabled, etc.), and checked for telltale signs of compromise such as random password reset requests in email (inbox, junk, spam, and deleted folders). As a security professional I felt fairly confident in at least my basic security measures, but nothing is impossible, so I followed the requested procedures. Not finding anything out of the ordinary, and still very much concerned that something might have slipped through the cracks, I followed the final option I had in the notification, which was to open a support ticket for additional information. Well, here is where my beef is, and it isn't just with them, because their security practices aren't that different from everyone else's. I requested information about what events set off the alerts, so that I could compare them to my own activity to see if the system was sending out false positives (again a security term; geez, what am I, a security geek? A false positive is an alert that is false, i.e. if I said your house was broken into when in fact it wasn't). Who knows better what I am doing than I do, right? Well, poppycock!
They could not or would not divulge that information. So I say, why bother telling me at all? If you simply want me to do a password change, then require one; but not providing the information necessary to identify the root cause of the problem is just setting things up to continue down an already dark path.

OK, the GOOD, the BAD and the UGLY.

GOOD: I am glad they involved the user. This is the right thing to do, because you can guess all day long as to what is going on, but until you involve the person supposedly doing it you will never know. I wish all security teams did this and did it RIGHT. Too often a security incident happens and we just assume the worst or even ignore it. This is probably due to staffing limitations or whatever, but we as professionals need to fully respond to all events of interest. This will allow the security specialist to identify whether the user needs additional training, whether additional security measures need to be put into place, whether the account has truly been compromised, or whether, just maybe, the security measures are too strict.

BAD: They found a user who is concerned and willing to help them identify what is going on; provide the user with data, or at least questions, which can affirmatively prove or disprove the security event. Really, most users would have no idea how to make certain their computers and network are secure, and many don't want to bother researching the event; they just want to get back to what they were doing. Don't make like this is top secret information; it is my activity in your logs. One of the comments made to me in the ticket was "Please note that while we consider security of the greatest importance, we must not disclose specific details of the security protocol we use to protect accounts." Since when has security by obscurity worked? Now bear with me, I am going to get a little geeky. I can tell you what their security protocol is: it is called a SIEM, or SEIM, or SEM, or SIM, or whatever the industry wants to call it today. Geez… OK, coming back down to earth now. For you normal people, security by obscurity does not work. Employees leave and tell others; heck, they stay and they tell others. Information in this world leaks like Niagara Falls, so don't think you can have a secret and tell anyone, much less an entire company. The only safe place is in your head, and I hear that the government is working on a way to get that out too. If you are interested, SIEMs are security event correlation systems. If you would like to know more, you can read about them on Wikipedia. OK, I ranted a little. My point is, security specialists need to work with the supposed victims and … phooey, just refer to my closing point in the GOOD paragraph.

If security professionals keep blowing off events as false positives, eventually one is going to slip through the cracks. Blips happen for a reason, maybe ever so small, but there is a reason, and due to our lack of knowledge we ignore them. For instance, that slight pain in your arm might just be a blood clot which could cause you to have an aneurysm if ignored. Here's your sign. Well, that is what an attacker is hoping for. That is why they attack at 3am, hoping you don't want to get out of bed or won't even see the event. What I am seeing today is that the serious attacks happen during office hours. I'm not sure if that is because all the infected laptops are in the office at that time, or because the attacker's traffic blends in with the rest of the corporate traffic, but nonetheless it is happening. But I think my point has been made here.

UGLY: Just to keep with my theme, I still don't know if an attacker has slipped through the cracks in my security. I have been given a sign that I would like to follow up on, but I can't get any details about whether that sign is providing real, accurate information. As a user I am frustrated with the support I am receiving, and I feel that this company's security practices are pointless. And as a professional I wonder where the security industry is headed if this is the type of reaction we are going to give to a security incident.

In conclusion, I just want to say that although we depend heavily on computers to do all the work, there is no replacement for human judgement. We can't just depend on a computer to analyze and make judgement calls, because although it has some of the data, it doesn't have all the data and most likely never will, especially when dealing with us slow, stupid humans. 😉 I want to challenge the security field to better involve users and research security events. Don't just brush them under the rug because you're overworked or understaffed. I know what it is like being bombarded by thousands of events a day, but we have got to find a way to fix the problem and not just put a band-aid on it for another day. But with that in mind I also want to put a challenge out to all the security product designers to reduce the number of false positives your products are putting out. Anybody can be a naysayer, but few can make a positive impact.

Signing off until next time.

P.S. Just to update everyone on this ticket I had open and have since given up on: they did come back and give me a little more information. It seems they use location, or more specifically IP tracking, to trend your activity against. So if all of a sudden you change ISPs, start using your account from another ISP, etc., it locks the account. This was told to me in a roundabout way, but all the same I got the point; but they stood by their guns, stating that releasing how they identify this would compromise their security efforts. I still say security through obscurity does not equate to a secure system, and that identifying real threats with real clients, with whom you should have some base level of trust, should be more important than obscuring some basic security protocols.
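As an added example that is not the provider's code, here is a small model of the kind of "login from an unexpected network" check the ticket reply described, together with the SIEM-style correlation the BAD paragraph argues for, run over a few constructed log lines. It shows why a new-ISP signal on its own is exactly the case worth handing back to the user rather than silently locking: a legitimate ISP change and an attacker both trip it, and only the surrounding context (preceding failures, time of day) separates them. The log format, the use of a /24 prefix as a stand-in for "which ISP", the fixed baseline cutoff, the 10-minute failure window, the off-hours range and the scoring/response rules are all assumptions made for illustration.

```python
"""
Added example for the login-anomaly discussion above; not the provider's code.
Models an "unexpected network" check plus simple correlation over constructed
log lines. Assumptions (for illustration only): the log format, /24 prefixes
standing in for "which ISP", a fixed baseline cutoff, a 10-minute window for
preceding failures, 00:00-05:59 as off-hours, and the scoring/response rules.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, source IP, outcome.
# Lines 1-3: the user's normal network. Line 4: the user switches ISP.
# Lines 5-7: a third network, two failures then a success at 3am.
SAMPLE_LOG = """\
2011-08-01T09:12:03 alice 203.0.113.10 success
2011-08-02T19:40:11 alice 203.0.113.44 success
2011-08-03T08:55:27 alice 203.0.113.10 success
2011-08-04T21:03:40 alice 198.51.100.7 success
2011-08-05T03:02:14 alice 192.0.2.200 failure
2011-08-05T03:02:31 alice 192.0.2.200 failure
2011-08-05T03:03:05 alice 192.0.2.200 success
"""

FAILURE_WINDOW = timedelta(minutes=10)
OFF_HOURS_END = 6  # hours 00..05 count as "3am" territory


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, outcome) tuples, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), outcome))
    return events


def network_of(ip):
    """Crude 'same ISP' grouping: the /24 the address sits in."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(events, cutoff):
    """Networks each user logged in from successfully before the cutoff."""
    seen = defaultdict(set)
    for ts, user, ip, outcome in events:
        if ts < cutoff and outcome == "success":
            seen[user].add(network_of(ip))
    return seen


def recommend(score):
    """Assumed response policy: one weak signal goes to the user, not to a lock."""
    if score == 0:
        return "allow"
    if score == 1:
        return "notify user with the signal and ask them to confirm"
    return "lock account, require reset, and share the signals with the user"


def score_logins(events, cutoff):
    """Score every successful login at or after the cutoff; each signal adds a point."""
    baseline = build_baseline(events, cutoff)
    results = []
    for i, (ts, user, ip, outcome) in enumerate(events):
        if ts < cutoff or outcome != "success":
            continue
        reasons = []
        if network_of(ip) not in baseline[user]:
            reasons.append("new_network")          # the ISP-change signal from the ticket
        recent_failures = [e for e in events[:i]
                           if e[1] == user and e[3] == "failure"
                           and ts - e[0] <= FAILURE_WINDOW]
        if recent_failures:
            reasons.append("recent_failures")      # guessing before the success
        if ts.hour < OFF_HOURS_END:
            reasons.append("off_hours")            # the "3am" pattern
        results.append({"time": ts.isoformat(), "user": user, "ip": str(ip),
                        "score": len(reasons), "reasons": reasons,
                        "action": recommend(len(reasons))})
    return results


def analyze(text=SAMPLE_LOG, cutoff=datetime(2011, 8, 4)):
    return score_logins(parse_log(text), cutoff)


if __name__ == "__main__":
    for r in analyze():
        print(r)
```

On the sample data the ISP change on 4 Aug scores only "new_network" and is routed to the user to confirm, while the 5 Aug login scores three signals and gets locked; the signals themselves are what the user would need in order to compare against their own activity.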