
Citadel trojans are targeting popular password manager services

Recent news of Citadel trojans being used to capture master passwords from password manager services such as LastPass, RoboForm and Dashlane is a reminder that the SSO (single sign-on) model these services rely on has an Achilles heel: a single point of failure. Master passwords are the keys to the kingdom: if one is compromised, so is everything behind it. If that happens, as a password manager user you may be worse off than if you'd stuck with the common practices that security experts love to chasten users for as unsafe (I won't list them all here ... you know, things like reusing the same password over and over again). That's because the attacker now knows every site you frequent and the password for each of them, all packaged in a single, convenient display. You're done.

Consumer-focused password managers are great for simplifying your life as a user while, in one sense, improving both security and usability, because they make it easy to set a unique, complex password for every individual website you visit. I use Dashlane myself and find it quite satisfactory, but now I have to worry about being keylogged, and I can't trust my antivirus 100 percent to pick that up.

Password manager services will now have to get more sophisticated about their authentication processes: upgrades such as multi-factor authentication, out-of-band messaging, transaction signing, and behavioral analytics applied to the authentication transaction all come to mind. On the endpoint side, behavioral analytics in the anti-malware application could also help. Things could get pretty ugly in the meantime.

(via Peerlyst)

Authentication startup AnchorID wins Finovate Best-in-Show


New York startup AnchorID has garnered the Best-in-Show award at Finovate Fall, which just wrapped up in New York. There, the company demonstrated its consumer authentication technology for websites and mobile apps, which is purportedly set to launch any time now (Fall of 2014, according to the company website). AnchorID is tackling the notorious multiple-password management problem, following in the footsteps of companies like AgileBits and Dashlane. AnchorID looks to improve on these earlier-generation consumer SSO offerings by eliminating passwords entirely, providing secure access to both websites and mobile apps via a proprietary smartphone app, and by letting the user choose which type of authentication token he or she wants to use. The explanatory video lists fingerprint and voice biometrics, PINs, and a simple Yes/No button (that is, proceed with the login or not) as options. The user has to pick a single user name (their "Universal Username"). Again, no passwords are involved, so the authentication factors are the user's Universal Username, the app/smartphone combination (presumably including some level of device identification), and the token value (biometric, yes/no, etc.) selected by the user. The company says it doesn't gather any personal data about the user. Integration with the target website or mobile app is via AnchorID's API.

AnchorID was founded in January 2014 and, according to Crunchbase, has received two rounds of angel funding totaling US $510,000. They're coming into an extremely crowded and noisy market, so success will depend as much on execution as on their technology.

Congratulations to AnchorID on making Best-in-Show!

iPhone 6 Touch ID has already been hacked


That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature, and has posted how he did it. Marc is the guy who did the same thing on the iPhone 5s when it came out about a year ago. What isn't so good is that, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used exactly the same procedure to defeat Touch ID on the iPhone 6 as he did on the iPhone 5s: basically a bit of fingerprint powder and super glue.

While I don't see this as a show stopper for Apple Pay, it doesn't look good, and comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security (just like the lock on your front door offers a measure of security ... if someone really wants to break it, and has the skills, time, and patience, they will do it). The security flaws of fingerprint biometrics - vulnerability to spoofing, etc. - have been widely discussed for years and are well known. Apple even acknowledged that they're aware of these flaws in their patent filing for the Touch ID technology.

A vulnerability in a given security control doesn't mean that it shouldn't be used: it just means that when it is used, it should be part of a well-conceived, defense-in-depth strategy, with additional security layers in place for when the control fails. Apple has provided additional layers - for example, the kill switch feature available on all iOS 8 devices, and the use of card number tokenization in Apple Pay. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)

Alipay gives some serious market cred to Nok Nok Labs and the FIDO standard


Nok Nok Labs has announced that Alipay will use Nok Nok's NNL S3 Authentication Suite to authenticate payment users on future versions of the Samsung Galaxy S5. The NNL S3 technology will provide access to the Alipay Wallet application via the Galaxy S5's fingerprint sensor (which I hope Samsung has fixed by now). That's a major win both for Nok Nok Labs, a Silicon Valley startup in business since November 2011, and for the FIDO Alliance, of which Nok Nok Labs is a founding member. FIDO is an industry consortium, launched in 2013, that provides a standard implementation framework for "post-password" authentication. Its stated mission is to get rid of passwords as the world's default authentication method and replace them with something more secure, standardized, and suited to the emerging, multichannel IoT world. NNL S3 is a FIDO-compliant authentication management platform operated by service providers (including enterprises) that is agnostic to the form of authentication used at the endpoint. So it supports not only fingerprint biometrics, as with the Galaxy S5, but also voice biometrics, face biometrics, secure elements, trusted platform modules, removable tokens, and others (of which there are many).

I think the announcement wasn't timed real well, as it was completely overshadowed by the Apple Pay launch a couple of days earlier. However, this is also a very significant step in the global evolution of mobile payments. Alipay, often referred to as "China's PayPal" (although it's more appropriate now to say that PayPal is America's Alipay), has an existing mobile user base of 100 million, and 80 percent of China's mobile payments market share. And with Samsung commanding 12 percent of the smartphone market in China, we're talking millions and millions of users out of the gate for the new Galaxy S5. As sexy as Apple Pay is, Apple and its posse of partners have some way to go before they get anywhere close to Alipay's market weight.

Via The Paypers (sic)

Rabobank to sign online banking transactions with VASCO's CrontoSign


Rabobank is introducing VASCO's CrontoSign technology to sign online banking transactions. CrontoSign is basically a DIGIPASS token (VASCO's widely used OTP generator that authenticates users at login) with an added camera and new functionality. When the user sets up a transaction during a banking session, the bank server generates a color QR code, which is displayed on the user's computer screen. The QR code is a cryptogram of the intended transaction data. The user takes a picture of it with the camera on the token device. The device then decrypts the QR code and displays the transaction data, as entered by the user, on the token's own screen. The technology is claimed to be effective against MITM attacks (no security details are provided, so I can't comment on that one way or the other, but it looks like a classic TAN technique). The CrontoSign technology was originally developed by Cronto, a UK startup which VASCO acquired in May 2013. Cronto still maintains its own website. The Rabobank version is branded as 'Raboscan'.
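The what-you-see-is-what-you-sign round described above, modelled as an added example (this is not VASCO's, Cronto's or Rabobank's code; the shared device key, the encrypt-then-MAC cryptogram layout, the response-code construction and the sample transaction are all assumptions, since the page gives no protocol details). The bank encrypts and authenticates the transaction for the token, the token refuses anything it cannot authenticate and otherwise shows the data, and the response code is bound to what was shown, so a transaction altered in transit either fails to open, displays the wrong details to the user, or yields a code the bank rejects.

```python
import hashlib, hmac, json, os
# Constructed device secret shared by bank and token (assumption; not CrontoSign's real format).
DEVICE_KEY = hashlib.sha256(b"constructed-device-key").digest()
NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key, nonce, n):
    # Toy CTR-style keystream from HMAC-SHA256, standing in for a real block cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def bank_make_cryptogram(key, tx):
    """Bank side: encrypt-then-MAC the transaction; this stands in for the QR code payload."""
    plain = json.dumps(tx, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag

def token_open_cryptogram(key, blob):
    """Token side: refuse anything the device key did not authenticate, else decrypt."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return nonce, json.loads(plain)  # shown to the user on the token's own screen

def token_sign(key, nonce, tx):
    """Response code the user types back; bound to the transaction the token displayed."""
    msg = nonce + json.dumps(tx, sort_keys=True).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big") % 10**8

def bank_verify(key, nonce, tx, code):
    # The bank recomputes the code over the transaction it is about to execute.
    return hmac.compare_digest(str(token_sign(key, nonce, tx)), str(code))

def run_session(intended_tx, submitted_tx, executed_tx=None):
    """One round: intended_tx is what the user checks the display against, submitted_tx what
    the bank encoded (maybe altered in transit), executed_tx what runs with the code."""
    opened = token_open_cryptogram(DEVICE_KEY, bank_make_cryptogram(DEVICE_KEY, submitted_tx))
    if opened is None:
        return "cryptogram rejected"
    nonce, shown = opened
    if shown != intended_tx:
        return "user refuses: display mismatch"
    code = token_sign(DEVICE_KEY, nonce, shown)
    target = executed_tx if executed_tx is not None else submitted_tx
    return "accepted" if bank_verify(DEVICE_KEY, nonce, target, code) else "bank rejects code"
```

Calling `run_session(tx, tx)` with a constructed transaction returns "accepted"; passing a payee altered in transit makes the token display something other than what the user entered, and swapping the transaction after the code is entered makes the bank's verification fail.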

Via the Paypers (sic)