NEXT HORIZONS
Authentication
using a proven two-factor authentication mechanism was the result of one bad file and poor judgment on the part of one RSA employee. The take-away is that it could have happened to anyone, and that we have entered an era in which social engineering turns employees into unwitting participants in elaborate attacks. RSA is calling the attack an advanced persistent threat (APT), and fingers are pointing at Operation Aurora, the campaign Google experienced last year and attributed to China. Whatever its origin, the APT is a sophisticated attack that has RSA throwing up its hands, not in defeat, but in recognition that “a new defense doctrine” is called for. Among IT security experts across the country, many are calling for a switch away from tokens in favor of SMS-based authentication. But is SMS necessarily superior to hardware tokens?

SecurID tokens are built on cryptographic algorithms, and stealing a few seeds is not by itself enough to get at the goods. Each token generates a new one-time password every 30 or 60 seconds. An attacker would need to do more than intercept one password: he would have to know which token serial number (and therefore which seed) belongs to the target, or clone the token, and he would need access to the authentication server, which derives its own code from the same seed and accepts the login only when the two match. Once those pieces align, access (typically over a remote VPN) is possible. And once a SecurID token is compromised, it must be replaced; provisioning millions of new ones is no simple feat.
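The token model described above, and Jeannot's later point that a compromised seed cannot be updated in the field, as an added worked example that is not code from the article or from RSA. The code derivation is the open TOTP construction (RFC 6238, HMAC-SHA1 over a time-step counter), which stands in for RSA's proprietary SecurID algorithm only to show the shared-seed mechanics; the serial number, user name, timestamps and the 60-second step are assumptions. It walks through a normal login, a replayed code, a login from a stolen seed file once the thief also knows the victim's serial, and re-seeding, which is what "replace the token" means on the server side.

```python
"""Time-based OTP token versus its authentication server, before and after a seed leak.

Added illustration of the token model the article describes: the token holds a
secret seed and derives a fresh code from (seed, current time); the server holds
a copy of the seed, keyed by the token's serial number, and accepts a login only
when its own derivation matches. The derivation used here is the open TOTP
construction (RFC 6238: HMAC-SHA1 over a 64-bit time-step counter). It is NOT
RSA's proprietary SecurID algorithm and only stands in for it. Serial numbers,
user names and timestamps below are made up.
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the article cites 30- or 60-second code windows
DIGITS = 6


def tokencode(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code a token displays at `unix_time`, derived from its seed (RFC 6238 / RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Seed records (serial -> seed), user assignments (user -> serial), replay state."""

    def __init__(self):
        self.seeds = {}          # the "seed file": serial -> seed bytes
        self.assigned = {}       # provisioning records: username -> serial
        self.last_counter = {}   # serial -> last time step at which a code was accepted

    def provision(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def assign(self, username: str, serial: str) -> None:
        self.assigned[username] = serial

    def verify(self, username: str, code: str, now: int, drift_steps: int = 1) -> bool:
        """Accept the code for the current step or one step either side (clock drift),
        compare in constant time, and never accept a code for a step already used."""
        serial = self.assigned.get(username)
        if serial is None or serial not in self.seeds:
            return False
        seed = self.seeds[serial]
        current = now // STEP_SECONDS
        for counter in range(current - drift_steps, current + drift_steps + 1):
            expected = tokencode(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter.get(serial, -1):
                    return False                      # replay of a code already used
                self.last_counter[serial] = counter
                return True
        return False

    def reseed(self, serial: str) -> bytes:
        """The only remedy after a seed leak. The server cannot push a new seed into a
        hardware token, so in practice this means issuing a replacement token."""
        new_seed = secrets.token_bytes(20)
        self.seeds[serial] = new_seed
        return new_seed


def run_scenario(now: int = 1_300_000_000) -> dict:
    """Legitimate login, replay, login from a stolen seed file, and re-seeding."""
    server = AuthServer()
    serial = "000123456789"                       # made-up token serial
    seed = b"12345678901234567890"                # RFC 6238 reference seed, as a stand-in
    server.provision(serial, seed)
    server.assign("alice", serial)

    # 1. Token and server derive the same code from the shared seed.
    code = tokencode(seed, now)
    legit = server.verify("alice", code, now)

    # 2. The same code offered again inside its window is a replay.
    replay = server.verify("alice", code, now + 5)

    # 3. Someone copies the seed file. The seeds are keyed by serial only: to log in
    #    as Alice the thief must also learn her serial (from provisioning records)
    #    and be able to reach the authentication server. Given both, the code is identical.
    stolen = dict(server.seeds)
    alice_serial = server.assigned["alice"]       # the missing link in a seed-only theft
    later = now + STEP_SECONDS
    thief_login = server.verify("alice", tokencode(stolen[alice_serial], later), later)

    # 4. Re-seeding invalidates the leaked seed, and with it Alice's old token too.
    server.reseed(serial)
    after = later + STEP_SECONDS
    old_token = server.verify("alice", tokencode(seed, after), after)
    new_token = server.verify("alice", tokencode(server.seeds[serial], after), after)

    return {"legit": legit, "replay": replay, "thief_with_seed_file": thief_login,
            "old_seed_after_reseed": old_token, "new_token_after_reseed": new_token}


if __name__ == "__main__":
    print(run_scenario())
```

The point the walk-through makes is the one the article makes: a leaked seed file is not a login by itself, but once the seed is tied to a user's serial and the attacker can reach the authentication server, the token offers no further protection, and because nothing can be pushed to the device the only fix is a new seed in a new token.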
Security experts weigh in

“Aspects such as deployment, manageability and superior authentication are just a few things that set SMS-based authentication apart,” said Cedric Jeannot, founder of data encryption company I Think Security in Waterloo, ON. Bank of America uses two-factor SMS authentication whenever a customer wants to make a change to their account, such as setting up a new bill payee: it simply sends a one-time password to the account holder’s cellphone. This is also the model that Brainloop uses in its document security application, which is in use at the likes of BMW and Deutsche Telekom. Like a token code, the SMS PIN is valid only once and expires after a fixed time.

“SMS is a viable alternative to token-based authentication on the grounds that SMS is much easier to manage and relatively inexpensive,” said Markus Seyfried, CTO at Boston-based Brainloop. There is also comfort in carrying around a device that nearly everyone already owns. And when you lose it, you notice immediately, unlike a token that may be used only occasionally. More than that, once a token is reported missing, the authentication server administrator must be alerted, which delays its being invalidated. “Users tend to notice the loss of their cell phone very quickly and can react by remotely blocking the SIM card. Because of that, mobile devices are a more flexible and secure part of the data protection infrastructure than token technology,” said Seyfried.

CTO Forum, 21 November 2011
The Chief Technology Officer Forum

On April 1, Uri Rivner, head of new technologies, consumer identity protection at RSA, published a blog post, Anatomy of an Attack, that got to the root cause of the SecurID fiasco. He described phishing emails sent to office employees with the subject line “2011 Recruitment Plan.” Ironically, the spam filter had identified the email and put it in the junk folder, but the employee retrieved it and opened the attached Excel .XLS file anyway. “The spreadsheet contained a zero-day exploit that installs a backdoor through a [former] Adobe Flash vulnerability (CVE-2011-0609),” Rivner wrote. Rivner called the phishing attack typical of an APT: the malware installed a remote-administration payload that allowed the attacker to control the endpoint. “In our case, the weapon of choice was a Poison Ivy variant set in a reverse-connect [mode] that made it more difficult to detect,” wrote Rivner. Eventually, the attacker sought out users with higher security clearances.

“Requiring users to carry a security token now that SMS-based authentication is available is outdated and, in many cases, reduces the security offered through a properly designed text messaging process,” said Scott Goldman, CEO of TextPower, based in San Juan Capistrano, CA, which develops text messaging services for utilities and B2C organisations. One feature of SMS-based authentication is that the code is, in most deployments, generated by a central entity and sent out; the cellphone is only the receiving end. “For security tokens, in most cases, each device is autonomous. RSA’s SecurID does not connect to the Internet to update its numbers. There’s a seed, a loading time, and a pre-defined algorithm that generates numbers based on that seed. This is an embedded system. If the algorithm or the seed is compromised, there is no way to update the tokens; they must be collected and new ones distributed,” said Jeannot.

Carly Ann Campo of Envoy Data Corporation, a distributor of smart cards and tokens, takes the opposite view on security while still crediting SMS with a low total cost of ownership (TCO). “SMS-based tokens are a bit more insecure because the system generates the one-time password and sends it over the air, giving rise to the possibility of unauthorised individuals intercepting the data. A software-based or hard token generates the OTP on the device itself, isolating the data to the physical device. However, for some businesses, the marginal security difference is trumped by the low cost to operate and replace. SMS-based solutions are intuitive due to the commonplace familiarity associated with mobile devices
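The server side of the SMS model discussed on this page, as an added example that is not code from Bank of America, Brainloop, TextPower or any other company quoted here. It shows the properties the article attributes to the SMS PIN (generated centrally, accepted once, expiring after a fixed time) and adds the check a practitioner would want alongside them: each code is bound to the exact action it was issued for, such as adding a bill payee, so a code that is phished or, as Campo warns, intercepted over the air cannot be replayed to confirm a different request. It does nothing about the interception itself. The SMS gateway is a stub, and the five-minute lifetime, three-attempt cap, phone number, user name and timestamps are assumptions.

```python
"""Server-side issue/verify logic for SMS one-time passwords.

Added example, not any vendor's code. The gateway is a callable you supply;
`clock` is injected so the expiry behaviour can be exercised without waiting.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
LIFETIME_SECONDS = 300     # assumed lifetime; the article only says "a fixed time"
MAX_ATTEMPTS = 3           # assumed cap on guesses against a 6-digit code


@dataclass
class Challenge:
    code: str
    action: str            # the request this code confirms, e.g. "add_payee:ACME Utilities"
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class SmsOtpService:
    """Issues codes centrally and verifies them once, within the lifetime, for one action."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone_number, text): the external SMS gateway
        self.clock = clock
        self.pending = {}          # username -> Challenge (one outstanding code per user)

    def issue(self, username: str, phone: str, action: str) -> None:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"   # CSPRNG, not random
        self.pending[username] = Challenge(code, action, self.clock())
        # Stating what the code approves lets the user spot a request they did not make.
        self.send_sms(phone, f"Your code to confirm '{action}' is {code}. It expires in 5 minutes.")

    def verify(self, username: str, action: str, code: str) -> str:
        ch = self.pending.get(username)
        if ch is None:
            return "no_challenge"
        if ch.consumed:
            return "used"                          # single use: never accept a code twice
        if self.clock() - ch.issued_at > LIFETIME_SECONDS:
            del self.pending[username]
            return "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[username]
            return "too_many_attempts"
        if action != ch.action:
            return "wrong_action"                  # a code confirms only the request it was issued for
        if not hmac.compare_digest(ch.code, code):  # constant-time comparison of the secret
            return "bad_code"
        ch.consumed = True
        return "ok"


class FakeClock:
    """Controllable clock for the walk-through (constructed test fixture)."""

    def __init__(self, start: float = 1_320_000_000.0):   # a November 2011 timestamp
        self.now = start

    def __call__(self) -> float:
        return self.now


def run_scenario() -> dict:
    """Normal confirmation, replay, code reused for another action, expiry, and guessing."""
    outbox = []                                            # captured "SMS" messages
    clock = FakeClock()
    svc = SmsOtpService(send_sms=lambda phone, text: outbox.append((phone, text)), clock=clock)
    results = {}
    payee = "add_payee:ACME Utilities"                      # the Bank of America-style use case

    svc.issue("alice", "+15550100", payee)
    code = svc.pending["alice"].code                       # what Alice reads off her phone
    results["sms_delivered"] = len(outbox) == 1 and code in outbox[-1][1]
    results["correct"] = svc.verify("alice", payee, code)
    results["replay"] = svc.verify("alice", payee, code)

    # A code captured in transit only confirms the action it was issued for.
    svc.issue("alice", "+15550100", payee)
    code = svc.pending["alice"].code
    results["other_action"] = svc.verify("alice", "transfer:9999.00 to 12345678", code)

    # Past the fixed lifetime the code is dead even if it was never used.
    clock.now += LIFETIME_SECONDS + 1
    results["expired"] = svc.verify("alice", payee, code)

    # Guessing is capped; after MAX_ATTEMPTS failures the challenge is discarded.
    svc.issue("alice", "+15550100", payee)
    real = svc.pending["alice"].code
    wrong = "000000" if real != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        results["guess"] = svc.verify("alice", payee, wrong)
    results["locked"] = svc.verify("alice", payee, real)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Binding the code to the action is the design choice worth copying: a six-digit code delivered over SMS is a weak secret, so the system should make sure the only thing it can ever unlock is the single request the customer actually asked for.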