Tuesday, July 29, 2014

Mobile, BYOD, and the Enterprise

The consumerization of mobile and the bring-your-own-device trend continue to gain momentum in 2014. According to an infographic published this week in Information Week, 90% of employees use mobile phones at work, and 35% use personal tablets at work. Furthermore, employees use an average of 21 different apps at work. Although email remains the most used, document-centric apps, including file sharing, are now used by more than one in every five employees.

InfoWorld goes a step further in an article this week, calling on CIOs and business leaders to proactively embrace the two trends rather than merely reacting to the inevitable employee uptake. InfoWorld cites potential benefits ranging from employee productivity to better communication and engagement with customers.

At Ohanae, we agree that comprehensive adoption of bring-your-own-device (and bring your own cloud services!) and mobile have significant advantages for the business. But, it’s important to adopt technologies that will protect the business against data loss, account compromise, and device theft or misuse.

Cloud Privacy Protection incorporates a suite of capabilities to allow BYOD, mobile, and user selected cloud-based file sync & share in a secure environment. Cloud Privacy Protection includes protection for data in transit to and at rest in the cloud file sync & share provider. It also includes secure file sharing between collaborators, regardless of the mechanism of sharing. Finally, it includes protection for user credentials — the credentials that provide access to raw storage of encrypted data.

With Ohanae’s suite of cloud privacy protection capabilities, enterprises can feel secure in embracing the trends toward cloud storage, pervasive mobile use, and bring-your-own-device tablets and laptops.

Wednesday, July 23, 2014

Two Factor Authentication Strength

Recent articles have suggested that password strength in some situations is not important. For instance, a recent Network World article asserted that the weakest and most well known password “123456” could have a place in an overall password strategy.

Another area where weak passwords are sometimes advocated is in combination with a two factor authentication (2FA) scheme. Two factor authentication combines two different pieces of information in order to establish access for a user. Typically, the two pieces come from two of three categories: something the user knows, something the user has, and something the user is. In the most common, widely used schemes, the two factors are something the user knows (either a password or a PIN) and something the user has (a magnetic card, a secure token, or a specific device).

Adding a second factor certainly increases the security of a system. One could argue that you could weaken the first factor to offset that gain if the original system was secure enough. Taken to the extreme, if the second factor were stronger than the first, you could make the first trivially easy and still be better off. In that case, you would essentially be using a single factor system, just with the stronger factor.

These are the keys to determining how much you can relax one factor by adding a second: how strong is the second factor, how resilient is the system, and how independent are the two factors? And finally, how important is increasing the overall security of the system?

The classic two factor authentication system, a bank card and its associated PIN, works well. Both factors are strong. The card requires theft of a physical item to compromise it. The PIN (although only a 4-6 digit code) is usually strong because there is a lack of automated methods for attacking it — it requires manually entering codes over and over at a banking machine. Furthermore, limits on the number of wrong entries in a time period prevent effective brute forcing of the PIN. The system is typically resilient, because there are no other attack modes beyond actual use of the card.

However, the card system can be compromised by poor choices. For instance, selecting trivial PINs like 1234, 0000, or other easily determined information makes theft of the card the only real attack required. Trivial PINs turn the two factor system into a one factor system, where possession of the card is the only block. Similarly, writing the PIN on the card so that the two factors are no longer independent (by compromising the card, you gain the PIN) also negates the benefits of the two factor system.
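The two defensive controls this post relies on, rejecting trivial PINs at enrolment and locking the card after a few wrong entries, are easy to state in code. The following is an added illustration, not software from any bank or from Ohanae; the failure limit, lockout period, blocklist and the `CardAccount` record are all constructed for the example, and a real issuer would keep a PIN offset in an HSM rather than the PIN itself.

```python
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3             # wrong entries tolerated before the card is locked (constructed)
LOCKOUT_SECONDS = 24 * 3600  # how long the lock lasts (constructed)
TRIVIAL_PINS = {"1234", "0000", "1111", "2580", "4321", "1212"}  # constructed sample blocklist


def is_trivial_pin(pin: str) -> bool:
    """Reject PINs that collapse the second factor: values on the blocklist,
    a single repeated digit, or a straight ascending/descending run."""
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        return True
    if pin in TRIVIAL_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


@dataclass
class CardAccount:
    pin: str                 # illustration only; a real issuer stores an HSM-held PIN offset
    failures: int = 0        # consecutive wrong entries since the last success or lock
    locked_until: float = 0.0  # time (seconds) until which entries are refused


def set_pin(account: CardAccount, new_pin: str) -> bool:
    """Enrol a PIN only if it passes the triviality check."""
    if is_trivial_pin(new_pin):
        return False
    account.pin = new_pin
    account.failures = 0
    return True


def verify_pin(account: CardAccount, attempt: str, now: float) -> str:
    """Check one PIN entry made at time `now`. Returns 'ok', 'wrong' or 'locked'.
    Entries made while locked are refused even when the PIN is right, which
    is what caps the number of guesses an attacker with the card can make."""
    if now < account.locked_until:
        return "locked"
    if hmac.compare_digest(account.pin, attempt):  # constant-time comparison
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failures = 0
    return "wrong"


if __name__ == "__main__":
    card = CardAccount(pin="0000")
    print("enrol 1234:", set_pin(card, "1234"))   # rejected: on the blocklist
    print("enrol 8306:", set_pin(card, "8306"))   # accepted
    for t, guess in enumerate(["1111", "2222", "3333", "8306"]):
        print(t, guess, verify_pin(card, guess, float(t)))
```

With three wrong guesses the card is locked for a day, so even the 10,000 possibilities of a four-digit PIN cannot be enumerated in any useful time; the enrolment check is what stops an attacker from needing no guesses at all.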

The final question is how important is increasing the overall security of the system. At Ohanae, we feel that passwords should always be strong, secure, and unique. If you need a password, then you want the best — whether it’s to secure less important websites, or as one piece of a multi-factor authentication scheme. Password compromise inevitably leads to information that can make secondary identity attacks easier and more successful. Your identity, accounts, and data integrity rest on preventing all attacks, and a weak password can be the proverbial weakest link that unravels the strongest chain of protection.

Ohanae’s cloud privacy protection solution gives users on all their devices the ability to quickly and easily use strong, secure, unique passwords on each website and application they use.

Monday, July 21, 2014

Password Manager Security

A recent CSO Online article summarized the findings of a UC Berkeley research team, finding that five browser based password managers contained security flaws that could lead to the compromise of login credentials they were protecting.

The research team’s work outlines an evaluation of password managers against their primary directive of ensuring that stored passwords are only accessed by the authorized user and the website that the password is for. Unfortunately, their evaluation found all five password managers contained flaws in their implementation.

In order to evaluate the password managers, the research team looked at five main attack vectors.
  1. The password manager must maintain the integrity of the master account and password, making it impossible for an attacker to impersonate a valid user and retrieve credentials.
  2. The password manager must securely store the list of credentials. The storage mechanism must ensure confidentiality, integrity, and availability of the database. In particular, attackers should not be able to learn, modify, or delete credentials.
  3. If the password manager provides sharing of credentials between users, then appropriate safeguards must be taken to maintain collaborator security.
  4. The password manager must not operate in a way which allows user fingerprinting to happen. This would allow multiple, coordinated attacker websites to deduce identity information based on information passed between the websites by the password manager.

At Ohanae, we believe that password security is a key piece of our overall cloud privacy protection offering. We review some of the key vulnerabilities found, and how they apply to Ohanae, below.

In the password managers surveyed, each provided a cloud based implementation that exposed the password store. In some implementations, the cloud-based password store was not encrypted, or data for the password store (usernames and passwords) was sent in the clear to the server in the cloud.

Ohanae does not store passwords in the cloud, or on local devices. Other credential information (domain and username) is stored on the local device and passed through the cloud (for synchronization with other devices), but it is encrypted during transmission and while stored.

Passwords are generated on demand only on authorized devices by a user with the master passphrase. This provides two factor authentication on local devices, and ensures that there is no static store which can be attacked and decrypted.

Finally, the master passphrase is only used locally and never transmitted, even between devices of the same user — using Ohanae’s patent pending technology to ensure that sensitive passwords and passphrases are retained and used only on authorized end devices.
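The on-demand generation described above can be illustrated with a generic derived-password scheme. The code below is an added example and is not Ohanae’s patented method; it assumes a hypothetical per-user `device_key` that is installed only on authorized devices (the "something you have"), combines it with the master passphrase (the "something you know") and the synced domain and username, and derives the site password fresh each time, so no password and no passphrase is ever written to disk or sent anywhere. The iteration count, alphabet and password length are constructed values, and the encryption of the synced domain/username records is not shown.

```python
import hashlib
import hmac
import secrets
import string

# Constructed parameters for this illustration; real deployments choose their own.
PBKDF2_ITERATIONS = 100_000
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def provision_device_key() -> bytes:
    """Hypothetical per-user authorization key held only on authorized devices.
    How it is distributed to a newly authorized device is out of scope here."""
    return secrets.token_bytes(32)


def _byte_stream(material: bytes):
    """Deterministic, unbounded byte stream expanded from `material` with HMAC-SHA256."""
    counter = 0
    while True:
        block = hmac.new(material, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        yield from block


def _has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def derive_site_password(master_passphrase: str, device_key: bytes,
                         domain: str, username: str, length: int = 20) -> str:
    """Derive a per-site password on demand. Nothing is stored: the same inputs
    always give the same password, and a different passphrase, device key,
    domain or username gives an unrelated one."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    # Bind the derivation to this exact account so each site gets a unique password.
    salt = f"{domain.lower()}\x00{username}".encode()
    stretched = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt,
                                    PBKDF2_ITERATIONS, dklen=32)
    # Mix in the device key so the passphrase alone is not enough to reproduce it.
    material = hmac.new(device_key, stretched, hashlib.sha256).digest()
    stream = _byte_stream(material)
    limit = 256 - (256 % len(ALPHABET))  # rejection sampling keeps the mapping uniform
    while True:
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        if _has_all_classes(candidate):  # otherwise keep consuming the stream
            return candidate


if __name__ == "__main__":
    key = provision_device_key()
    pw = derive_site_password("correct horse battery staple", key, "example.com", "alice")
    print("derived:", pw)
    # Same inputs reproduce the password; nothing had to be stored to get it back.
    print("stable:", pw == derive_site_password("correct horse battery staple", key,
                                                "example.com", "alice"))
```

Because the device key never leaves authorized devices and the passphrase is never transmitted, the synced record contains only the domain and username; a copy of that record taken from the cloud provider cannot be turned into a password without both factors.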

Many of the password managers surveyed used bookmarklet technology to allow web browsers on popular mobile computing platforms (iOS and Android) to directly retrieve credentials from their stores. Due to the untrusted execution environment of bookmarklets, they require special handling to ensure that only secure APIs are called.

Ohanae does not use bookmarklet technology. We use secure browser extensions where available (primarily on our PC and Mac implementations), and rely on user copy and paste for insecure environments (such as most mobile operating systems).

Furthermore, since we only provide username and password to login forms, we do not add any additional data to form submission which would allow any type of fingerprinting operation.

The researchers also mention the vulnerability of password managers to phishing attacks, in particular allowing attacker websites to open dialogs which ask for the password manager’s username and password. Since the Ohanae application does not run inside the browser, it is easy to differentiate an attacker prompt (in a web UI) from the valid client login prompt.

Finally, at the time of this writing, Ohanae software does not provide a mechanism for sharing passwords between users. However, this feature is part of our product vision and roadmap, and we’ll pay close attention to the UCB research team’s recommendations in this area.

Ohanae believes, as the research team states, that “password managers provide tremendous security and usability benefits at minimal deployability costs”, and we appreciate the time and effort the research team has spent to analyze typical attack vectors and the current state of the password manager art.

Ohanae is committed to providing industrial strength security in all three parts of our complete cloud privacy protection offering: securing login credentials, securing data in motion and at rest in cloud storage providers, and securely and collaboratively sharing data.