The common advice — and practice — about passwords is wrong, says cyber security expert Hoyt Kesterson. The former chairman of the international committee involved in creating digital signature credential protocols, the current senior security architect for Scottsdale-based Terra Verde Services points out that oftentimes, being required to frequently change their password puts people in the position of having to write them down somewhere to remember them — and yet there are programs that make it very easy for computers to break them. In fact, tables have been generated that contain all possible combinations for seven- or eight-character passwords, so whatever “new” password a user creates already exists.

Criminals may gain access to the files of a bank, credit card company or other authenticator — such as by an employee opening a perhaps innocent-looking email — and get into the virtual vault where passwords are stored. “The only thing of value is long passwords, or passphrases the user could easily remember. Not complexity, not frequent change,” Kesterson says.

Most systems will allow long passwords even though they may ask for only seven or eight, but Kesterson says they deal with them in a way that defeats the effort: “They take a 14-character password and break it into two seven-character passwords,” he explains. Since those sequences are already known, criminals can simply try the finite combinations of the two sequences.
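The weakness Kesterson describes comes from how the stored credential is built, not from the password itself. The following is an added example, not code from the article or from Terra Verde Services: a constructed legacy-style scheme that hashes a 14-character password as two independent, unsalted 7-character halves, placed beside a hardened scheme that runs a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) over the whole passphrase. The alphabet size, the 14-character minimum and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# Constructed assumption: the password alphabet is the 94 printable ASCII characters.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)


def hash_halves_unsalted(password: str) -> Tuple[str, str]:
    """Legacy-style storage (constructed for illustration): pad or cut to 14
    characters, split into two 7-character pieces and hash each one on its own,
    with no salt. Each half is an independent 7-character problem, so a table of
    all 7-character values answers it directly, which is the flaw described above."""
    padded = password.ljust(14)[:14]
    first, second = padded[:7], padded[7:]
    return (hashlib.sha256(first.encode("utf-8")).hexdigest(),
            hashlib.sha256(second.encode("utf-8")).hexdigest())


def search_space(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet ** length


def split_scheme_cost(length: int = 14, alphabet: int = ALPHABET_SIZE) -> int:
    """Worst-case guesses needed against the split scheme: two halves, each searched separately."""
    half = length // 2
    return 2 * search_space(half, alphabet)


def whole_scheme_cost(length: int = 14, alphabet: int = ALPHABET_SIZE) -> int:
    """Worst-case guesses needed when the entire passphrase is one secret."""
    return search_space(length, alphabet)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened storage: a random per-user salt defeats precomputed tables, and a
    slow KDF over the *entire* passphrase keeps its full length in play."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def passphrase_ok(password: str, min_length: int = 14) -> bool:
    """Policy in the spirit of the article's advice: require length, not forced complexity."""
    return len(password) >= min_length
```

The point to take from the split scheme is visible in `hash_halves_unsalted`: two passphrases that share their first seven characters produce the same first hash, so each half leaks independently and the attacker's work is roughly `2 * 94**7` rather than `94**14`. The hardened pair `hash_password` / `verify_password` stores the iteration count and salt alongside the digest so the parameters can be raised later without breaking existing records.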
For individuals, passwords may be broken through social engineering — the attacker simply studying a person’s postings on Facebook or other social media sites.
Businesses that conduct transactions through wire fund transfers are susceptible to significant losses because of these password breaches. “By a variety of technical means, people can pretend to be a company and tell the bank to wire transfer funds,” Kesterson says. He recommends businesses use dual-factor authentication with their financial institution, for instance having the bank verify the transaction via both phone and computer. “It’s hard [for criminals] to compromise two devices at the same time.” While this is more expensive than single-factor authentication, a risk assessment by the business should also consider impact beyond just the loss of funds. Shares Kesterson, “It has put companies out of business.”
Kesterson also notes that a business’s IT staff may not have security expertise, pointing out that, usually, “the IT staff is just focused on getting the company’s job done.”
Paul Schaaf, special agent with the Phoenix Division of the FBI, describes three trends in security attacks: distributed denial of service, compromises of Web-based applications and credit card point-of-sale compromises. Phones and tablets are as susceptible as computers. “If it has code in it, it can be corrupted and written to,” Schaaf says.
Denial of service attacks result in a computer being simply overwhelmed by commands. “Hacktivist groups rent bot-nets (a bunch of computers),” says Schaaf, describing them as Internet bullies. Companies can get denial of service protection through their Internet service provider or can hire another company to provide it.
Compromises of Web-based applications, such as payroll service in the cloud, occur through viruses on individual computers. “They’re not hitting the application, but an individual account such as the person in a pizza shop who logs in.” Schaaf notes that two-factor authentication can thwart these attacks, a strategy that is also valuable when working with companies remotely. “To verify an IP address, have them send a code to your phone [for you] to type in.”
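Both experts above recommend a second factor delivered to a device the attacker does not hold, such as a code sent to a phone and typed in. The following is an added example, not code from the article, the FBI or any bank: a minimal server-side component for that kind of out-of-band code. The delivery channel (SMS, voice call, app notification) is assumed to exist and is represented by the `send` callback; the clock is injectable so expiry can be exercised. The code length, five-minute lifetime and five-attempt limit are assumed values.

```python
import hmac
import secrets
import time
from typing import Callable, Dict

CODE_DIGITS = 6          # assumed: a six-digit code, as typically shown on a phone
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: after this many wrong guesses the code is discarded


class OutOfBandCodes:
    """Issue and verify single-use codes sent over a second channel.

    Hypothetical helper written for this example. `send(phone, message)` is the
    delivery channel; `now()` returns the current time in seconds.
    """

    def __init__(self, send: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self._send = send
        self._now = now
        self._pending: Dict[str, dict] = {}

    def issue(self, user: str, phone: str) -> None:
        # secrets.randbelow draws from the OS CSPRNG; zero-pad so every code has CODE_DIGITS digits
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(phone, f"Your verification code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already consumed
        if self._now() > entry["expires"]:
            del self._pending[user]           # expired codes are removed, not retried
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], submitted)
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]           # single use; also burned after too many wrong guesses
        return ok
```

The three checks in `verify` (expiry, attempt limit, single use) are what make a six-digit code acceptable: without the attempt limit the one-million-value space could be searched online, and without single use an intercepted code would remain valid. The comparison uses `hmac.compare_digest` so that timing does not reveal how many leading digits matched.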
With credit card point-of-sale compromises, the malicious code is on the device at the check-out stand, and grabs account information when a credit card is swiped.
Another problem Schaaf identifies is ransomware, whereby the attack encrypts a person’s files and a ransom payment is demanded to decrypt them. “They do a two-factor encryption. You have the public key, but they have the private key [that they introduced]. So back up your system, either off-site or in the cloud — and use a read-only copy.”
See also the Tech Notes article “The FBI’s 10 Internet Safety Tips.”