Doubling Up on Passwords Doesn't Stop Cyber-Criminals
Sunday, September 20, 2009 at 09:07 PM EDT
I’ve posted here before about the weaknesses inherent in using passwords for verifying the identity of system users, and about one of the approaches being taken to address those weaknesses: introduction of a second authentication method or device, sometimes called two-factor authentication. One particular method of implementing two-factor authentication uses a small electronic “token”, manufactured by RSA Security (a division of EMC), which generates a new one-time access code every 30 or 60 seconds. To access a system set up in this way, the user enters a User ID and password (“something you know”), and the access code from the token (“something you have”). Neither the password nor the access code alone is sufficient to gain access. Adding the second factor materially improves the security of the system.
Unfortunately, security technology is always involved in an “arms race” between attackers and defenders. According to a recent article in Technology Review, a new series of attacks has been seen, aimed specifically at this two-factor security scheme.
Essentially, the malicious program “listens” for the entry of the security information, and submits its own, fraudulent transactions so that they fall within the time window in which the access code is valid. (Simplifying slightly, the generation of the access code is done using a cryptographic hash function of the User ID, the token serial number, and the time; the token contains a battery-powered clock.) RSA has responded, reasonably enough, that users should not expect the system to protect against all conceivable security risks:
The unpleasant reality is that, if an attacker is able to install, or trick the user into installing, software of the attacker’s choice on a machine used for sensitive transactions, the possible defenses are very limited.
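To make the time-window point concrete, here is an added example that is not from the post or from RSA: a time-based code derived by HMAC in the style of RFC 6238 (an assumption about the construction, not RSA's own algorithm) from a constructed seed, plus a verifier that accepts the code only for the current time step and refuses a second use of the same step, so a captured code is worth one transaction at most.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, matching the 30-second tokens mentioned in the post


def code_for(seed: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Token side: HMAC-SHA1 of the time step counter, truncated to a decimal code (RFC 6238 style)."""
    counter = t // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side: checks the code for the current step and remembers the last step consumed."""

    def __init__(self, seed: bytes, step: int = STEP):
        self.seed = seed
        self.step = step
        self.last_counter = -1  # highest time step for which a code was already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_counter:
            return False  # same window already used: treat as a replay
        if not hmac.compare_digest(code, code_for(self.seed, now, self.step)):
            return False
        self.last_counter = counter
        return True


def simulate(seed: bytes, t_user: int = 1_000_000, delay: int = 5) -> dict:
    """Legitimate login at t_user, then the captured code presented again `delay` seconds later."""
    captured = code_for(seed, t_user)          # what a keylogger would see the user type
    verifier = Verifier(seed)
    first = verifier.verify(captured, t_user)  # the user's own transaction
    replay = verifier.verify(captured, t_user + delay)
    # The code itself is still the right one for the window; only the single-use rule rejects it.
    return {"first_accepted": first,
            "code_unchanged": code_for(seed, t_user + delay) == captured,
            "replay_accepted": replay}


if __name__ == "__main__":
    print(simulate(b"constructed-demo-seed"))
```

The single-use rule narrows the damage but does not remove it: malware that submits its own transaction before the user's gets the one accepted use, which is why the post's advice about the host machine still applies.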
A few weeks ago, I posted a note on a report by Brian Krebs of the Washington Post that cyber-criminals were focusing their attention on small- and medium-sized businesses, and attempting to steal electronic banking credentials. This more recent attack is another example of that trend. One of the pieces of advice I gave then was:
One axiom of the IT industry is worth remembering. There is only one kind of software that never causes a system failure or security compromise: the kind that is not installed.
Technology Review quotes Joe Stewart, director of malware research for security firm SecureWorks of Atlanta, with some very similar advice:
In my earlier post, I did not specifically mention using Linux for this purpose, but it is something I have recommended to several clients I’ve advised. Linux has a few advantages for this: it’s free; it is much more modular than Windows, so it is easier to remove unneeded components; and it has, in my opinion, a more straightforward and robust security model than Windows. In addition, of course, the bad guys are usually more focused on attacking Windows systems.
Security is a process, not a product; there is no security “silver bullet” that will slay all attackers auto-magically. Careful thought and planning are still vitally important parts of defense.
This article originally appeared on Rich's Random Walks.