People have been looking at me in funny ways for the past 5 years, as when I state that the next wave of crime is going to be based on hacking of a security camera/computer system and physical security. My warning has just become reality.
The FBI is investigating fifteen store robberies in eleven states, committed via phone and internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article, "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""
Thursday 30 August 2007
Monday 20 August 2007
What do YOU need out of two-factor authentication?
Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. A number of companies are looking at smartcards internally for VPN access and then looking at moving to smartcards for domain logon, too.
Users are also looking at ways to require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other extranet systems. I love display based solutions and its CRYPTOCard most popular offering. But with smartcards we encounter a large problem with them: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it? And you would want to use a form of 2FA when using Public workstations as the risks are very large. No self-respecting organization would ever allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?
A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."
Many organizations are starting to become wary of these risks. Two-factor authentication helps to mitigate risk. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous, what's left to choose?
A hardware token with a one-time (Event) password is generally the best option.
I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently?
Tell me what you think. Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!
Users are also looking at ways to require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other extranet systems. I love display based solutions and its CRYPTOCard most popular offering. But with smartcards we encounter a large problem with them: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it? And you would want to use a form of 2FA when using Public workstations as the risks are very large. No self-respecting organization would ever allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?
A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."
Many organizations are starting to become wary of these risks. Two-factor authentication helps to mitigate risk. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous, what's left to choose?
A hardware token with a one-time (Event) password is generally the best option.
I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently?
Tell me what you think. Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!
Outlook Passwords in less than 10 sec's
That’s right. I hate to tell you but if you give me 10 seconds alone with your computer I’ll not only get your user name and passwords to every mail box you have set up in Outlook and Outlook Express, but I’ll also be able to see every single login you have saved in your Internet Explorer auto-complete settings.
And I’ll do it all with this tiny little application. Don’t believe it? Fine, download it, unzip it and launch it. You’ll be instantly staring at all of the passwords you’ve ever told Microsoft to remember for you.
And I’ll do it all with this tiny little application. Don’t believe it? Fine, download it, unzip it and launch it. You’ll be instantly staring at all of the passwords you’ve ever told Microsoft to remember for you.
Cracking your password
If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?
Let’s see… here is my top 10 list. Most passwords are much easier to gain than you might think allowing access into your e-mail, computer, or online banking. After all, if someone was to gain one they would probably get into all of them!
Let’s see… here is my top 10 list. Most passwords are much easier to gain than you might think allowing access into your e-mail, computer, or online banking. After all, if someone was to gain one they would probably get into all of them!
- Your partner, child, or pet’s name, possibly followed by a 0 or 1
- 123 or 1234 or 123456.
- “password”
- Your city, or college, football team name.
- Date of birth - yours, your partner’s or your child’s.
- “god”
- “letmein”
- “money”
- “love"
- Typing your email address into google to find your hobby
Statistically speaking that should probably cover about 70% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do or someone else does.
