The Future of Authentication – More Secure but More Difficult

The IRS is changing from a homegrown userid-and-password-based authentication system to a third-party single sign-on type of system run by ID.ME.

Given that the IRS doesn’t have a great track record for security, your first inclination might be “can’t be any worse than what they had before”.

The short version of the answer is that it seems to be better, but it is also much more effort to set up your account the first time. After that, it is really no different from any other system sign-on with mandatory two-factor authentication.

Hence the rub.

Do I want access that is more secure?

Or do I not care about security (until my stuff is stolen); it has to be convenient?

I signed up for an ID.ME account a couple of months ago. Not only does the IRS use it but a couple dozen states use it too.

Unlike me, when Brian Krebs signed up for an account, he blogged about the experience. I will capture what he said about it.

The problem that most web sites have is that they don’t really know that you are you. If someone goes to your bank and, assuming you have not signed up for online banking, signs up as you (to steal all your money, of course), all they need are a few bits of information that are likely widely available, and poof, they are you and they can steal your cash.

The IRS is trying to do it right for a change. Pretty novel.

The sign up process starts out pretty normal. Enter an email address and pick a password and confirm that you got the confirmation email that they sent you.

Next you **MUST** pick a multi-factor authentication mechanism. They support everything from a text message to a FIDO key. I chose one of the several authenticator apps that I use.

Next you have to upload a copy of a government issued ID like a driver’s license.

Then you have to take a selfie of yourself holding your ID.

If the computer can match the two images you move into the next step.

You have to provide them with a phone number. Unfortunately, it does not accept Voice over IP phones. That is all that I have. I gave up my last landline a year ago. This forces you into an alternate authentication loop.

Now you have to go to a live video chat on your phone or computer. You get to start all over and re-upload the documents. This just seems like stupid programming and doesn’t provide any additional security, so maybe they will fix this. In this scenario you have to upload TWO other forms of ID like a Social Security card or birth certificate. This is the same drill you go through when your employer completes your I-9.

Now you get to wait. The system says that you have to stay connected while you wait. Brian’s screen said the wait time was 3 hours and 27 minutes. This is only an estimate.

Brian, like me, tends to like to make waves, so after he saw that wait time he sent a “love note” to ID.ME’s founder. Even though this was like ten o’clock at night, the threat worked and he got a call from a technician in a few minutes. The technician resolved the issue and Brian got his ID.

Even in this best case, this is a lot more work than a normal account signup, but it is also more secure. You also have to trust this private company with your information. In the worst case, it is a big pain.

A lot of this can be chalked up to growing pains and are totally resolvable. But some of this is the price of having a higher level of confidence in who is signing up.

For higher security systems, like the military, you have to show up in person. ID.ME is certainly more convenient than that. I need to renew my Global Traveler card. In order to do that I have to make an appointment (in my case the first available appointment is FOUR MONTHS in the future) and then drive myself out to the airport, an hour each way. ID.ME is definitely more convenient than that too.

For higher security situations, systems like ID.ME are probably the future.

One thing that ID.ME did right is that if you need an account for say the IRS and your State government, one ID is sufficient. All you need to do is authorize ID.ME to share your information with the second entity and you are good to go.
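The shared-login behaviour just described (one verified identity, reused by a second agency only after you authorize the sharing) is easiest to see in code. The following is an added example written for this post, not ID.ME’s code or any real agency’s: a toy identity provider that issues a short-lived token bound to one relying party, and the relying-party check that rejects a token minted for a different audience, a tampered signature, or an expired token. HMAC with a shared secret stands in for the public-key signature a real OpenID Connect provider would use; the user, agency names, signing key and lifetimes are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the toy identity provider (hypothetical; a real
# provider would sign with a private key and publish the public half).
IDP_SIGNING_KEY = b"constructed-idp-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds proofed identities and the sharing consents each user has granted."""

    def __init__(self, key: bytes):
        self.key = key
        self.verified = {}   # user_id -> attributes established during identity proofing
        self.consents = {}   # user_id -> set of relying parties the user authorized

    def register_verified(self, user_id, attributes):
        # In the flow described in the post this point is reached only after the
        # ID upload, selfie match and phone/video verification have succeeded.
        self.verified[user_id] = dict(attributes)
        self.consents[user_id] = set()

    def grant_consent(self, user_id, relying_party):
        # "Authorize ID.ME to share your information with the second entity."
        self.consents[user_id].add(relying_party)

    def issue_token(self, user_id, relying_party, mfa_passed, ttl=300):
        if not mfa_passed:
            raise PermissionError("MFA is mandatory before any token is issued")
        if relying_party not in self.consents.get(user_id, ()):
            raise PermissionError(f"user has not authorized sharing with {relying_party}")
        now = int(time.time())
        claims = {
            "sub": user_id,
            "aud": relying_party,      # bound to exactly one relying party
            "iat": now,
            "exp": now + ttl,          # short lifetime limits replay
            "amr": ["mfa"],            # records that MFA was performed
            "attrs": self.verified[user_id],
        }
        body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


def verify_token(token, key, expected_audience, now=None):
    """Relying-party check: signature, audience and expiry. Returns claims or None."""
    try:
        body, sig_text = token.split(".")
        supplied_sig = _unb64(sig_text)
    except ValueError:
        return None
    expected_sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(expected_sig, supplied_sig):
        return None
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if claims.get("aud") != expected_audience:
        return None   # a token minted for the IRS must not log you in to a state site
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        return None
    return claims


if __name__ == "__main__":
    idp = IdentityProvider(IDP_SIGNING_KEY)
    idp.register_verified("alice", {"name": "Alice Example", "proofed": True})
    idp.grant_consent("alice", "irs")
    token = idp.issue_token("alice", "irs", mfa_passed=True)
    print("IRS accepts:", verify_token(token, IDP_SIGNING_KEY, "irs") is not None)
    print("State accepts:", verify_token(token, IDP_SIGNING_KEY, "state-revenue") is not None)
```

The audience check is the point: with one identity provider serving the IRS and a couple dozen states, a token issued for one of them must not be replayable against another, and the consent record is what turns “authorize ID.ME to share your information with the second entity” into an enforced rule rather than a promise.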

You can ask them to delete your information if you want, at any time, but that inconveniently will also delete your account.

When Brian asked them about their security, they were a bit general – which is understandable – but it definitely sounds like they are taking a lot more care than most web sites. Credit: Brian Krebs

Governments Struggle to Deliver Secure Online Services to Citizens

As times change and as a function of the pandemic response, governments are trying to deliver more services online. Unfortunately, governments rarely get to hire the best or the brightest software developers or security architects because they cannot match what the private sector can offer.

Auth0 recently released the findings of its Public Sector Identity Index. Here are some of their findings.

The first question is how do citizens authenticate themselves to your digital services.

[Chart from the report: how citizens authenticate to online citizen services]

Not surprisingly, the overwhelming answer was userid and password, probably the least secure method possible other than no authentication at all.

While the report says that a little more than 60% use two-factor authentication, it is less clear to me whether that means that the site OFFERS 2FA or the site REQUIRES 2FA. Google, for example, offers it but at the moment, for the most part, does not require it. The results include responses from not only U.S. IT and business leaders, but also those in the U.K., Australia and New Zealand. Different countries probably have different adoption rates.

So what are some of the key findings?

  1. Less than one in five are extremely confident in the security of their current authentication solution.
  2. Four in ten are building their own identity authentication solution. I am sure they will do that perfectly and securely. NOT!
  3. Most (75%) plan to expand their digital offerings over the next couple of years and almost the same number are concerned about citizens’ privacy as well.

If we just look at U.S. responses, ensuring that citizens trust their government’s digital services comes in at 71%, but only 56% of those same people have confidence in their ability to deliver it.

Forrester says that what the public sector does is hugely important because it makes up 30% of the global GDP. Credit: Helpnet Security

It’s To Protect The Children

Law enforcement has been trying since at least the 1990s, when they jailed and tried to convict Phil Zimmermann for creating an open source encryption program called PGP, to put the encryption genie back in the bottle.

The problem is that encryption is math and math doesn’t care about politics.

If some governments were to ban encryption, there would be other countries where people who really wanted encryption could get it. And, while the math is hard, there are enough books published, enough algorithms available, that smart hackers could write their own.

Governments have been trying for decades to get software developers to create new math – math that allows for strong encryption but also gives law enforcement a master key to look at whatever they want to look at.

After all, if the TSA can’t even secure the physical keys that they use to open people’s suitcases at the airport, how likely is it that they can secure a master encryption key or keys?

So the solution is to scare people – or at least try to scare them.

Fear is a common tactic. Car makers who don’t want people to be able to repair their own cars said that allowing people to do that would embolden sexual predators (Massachusetts, 2017).

They are counting on people being fearful and not knowledgeable. Occasionally it works.

Britain is trying to scare people into giving up their right to privacy. At this point, we do not know whether it will work or not.

Rolling Stone is reporting that the UK government, at taxpayer expense, has hired the world famous advertising agency M&C Saatchi to create a major scare campaign.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black.

The UK Home Office said that they hired Saatchi to bring together organizations that “share our concerns about the impact end-to-end encryption would have on our ability to keep children safe”.

It is fair to say that encryption does make bulk data surveillance harder, but there is already a lot of end-to-end encryption in place. Open source software like Telegram and Signal and commercial software like WhatsApp are just a couple of examples.

The government says that the plan is to create this media blitz “to make the public uneasy”. In other words, scare them into accepting even more surveillance than they are already under.

One slide from a campaign deck says that most of the public has never heard of end-to-end encryption, adding that “this means that people can be easily swayed”.

They also said that the campaign must not start a privacy vs safety debate, but I don’t think that objective is possible.

The opening phase of the government’s scare campaign is expected to start within days.

However privacy advocates plan to start their own campaign too.

This battle is not going to end anytime soon, but the best defense is an educated public.

If you have questions, please reach out to us.

Security News for the Week Ending January 14, 2022

Hackers Sending Malware Filled USB Sticks in the Mail

Old, tried and true techniques continue to work as hackers have been sending malware-filled USB sticks by mail and UPS to defense, transportation and insurance companies, hoping someone who did not do their security awareness training plugs the drive into their computer. It just shows that hackers do not need to keep inventing new tricks; the old ones continue to work. Credit: Gizmodo

Norton Installs Cryptomining Software on Users’ Computers

Norton and its sister company Avira, both owned by the same parent, are installing cryptomining software as part of the default install. Norton turns it on automatically, since they get 15% of anything you earn; Avira has it off by default. If Norton is still on your approved list (it went off our list years ago), you should probably remove it. Credit: Brian Krebs

White House Hosts Open Source Security Summit

In the wake of the Log4j and other open source software attacks, the White House hosted a summit this week with the likes of Akamai, Amazon, Apache, Apple, Cloudflare, Facebook, Google, IBM and others to discuss how to improve open source security. While no “results” have been announced yet, the fact that the summit was called and led by Anne Neuberger is an acknowledgement that “Houston, we have a problem”. With open source used throughout the IT world, including critical infrastructure, and much of that software either not maintained at all or maintained by volunteers, there is no easy solution, as there are millions of open source packages. Stay tuned; we might be able to do something for a few of the larger, more important packages. Ultimately, it is both the responsibility and the liability of the companies that use open source, and that should not be much comfort to anyone. Credit: Data Breach Today

Canon’s Printer DRM Comes Back to Haunt Them

Consumer printer makers make most of their money selling you toner and ink, so years ago they came up with the idea of putting chips in the cartridges to try and stop you from using low cost supplies. But now they can’t get chips so they are making cartridges without the chips, causing their customers’ printers to alarm. As a result, Canon is telling their customers how to break their own DRM. Not to worry though, Canon says they will go back to trying to hurt their competitors when the chip market eases up. Credit: Gizmodo

Car Makers Say Giving Owners Data From Their Cars Will Embolden Sexual Predators

Car owners have been trying for years to force car makers to give them the tools they need to repair their own cars. One of those tools is the data that their cars generate. If car owners could repair their own cars, car makers would lose billions of dollars in revenue. Massachusetts voters overwhelmingly voted in a right to repair law in 2020, even though car makers spent $26 million explaining why letting people repair their own cars was bad, even claiming it would embolden sexual predators. Now they are saying the law is unconstitutional. Anything to try and stop the revenue drain. Credit: Vice

Researcher Demonstrates How to Melt Power Lines in New York

Actually, they just used New York as an example, but the researchers literally melted the copper power lines. Once the power lines were vaporized, well, there was no more power.

The good news is that this was just a demonstration, but definitely a scary one.

Worse yet, the device the team hacked was the overload protection device. So the device that was added to the electric grid to protect it became a traitor and attacked the grid – or at least watched quietly while the attack took place.

Start by realizing that there is no such thing as hardware any more. Yes there are metal things, but to make them work requires software. This software is what the team at Red Balloon attacked.

Schneider Electric, which makes this protection relay, has now released a patch for the bug.

Of course, getting it installed, well, that is a different story.

The researchers tested two other protection relays but did not find anything significant in those two.

Credit: Yahoo News

An engineer at cybersecurity firm Mandiant said that even if a relay like this failed, power could be back up and running to affected customers within hours. I think this guy should stick to software, because he clearly does not understand hardware (the guy, Chris Sistrunk, is a technical manager at Mandiant and focuses on industrial control systems).

Here is where his thinking breaks down.

**IF** all that happens is the hacker causes one relay to fail, then yes, you can replace that relay quickly and fire up the power to the network behind it.

But what if, as in the demonstration, the overload causes miles of wire to melt? Does he really think that they can replace that wire in a few hours? I don’t think so.

As always, the devil is in the details.

I see announcements from CISA every week – dozens of them – for patches to industrial control system software and firmware.

Likely, many of those systems will never be patched because system operators are scared that if they do patch them, they will not come back online. This is not a completely unreasonable concern.

We are not just talking about electric. Water, sewer, natural gas, chemical plants, refineries and on and on. We already saw this with the Colonial Pipeline attack. It does not take much.

Bottom line, critical infrastructure managers need to work hard to stay ahead of the hackers.

The Layers of Effective Endpoint Security

As hackers become smarter, generate more and more effective attacks and users continue to work from almost anywhere, IT teams have to get smarter about effective endpoint security. This is going to take a layered approach. This includes moving towards zero-trust. Here are some recommendations.

  1. Signature and heuristic-based detection – this is what most traditional endpoint protection solutions have used for years (AKA anti-virus and anti-malware). This is, historically, where endpoint protection stopped. Now it is where it starts.
  2. Contextual detection – this is where machine learning comes in. Even with unknown malware, ransomware and other bad stuff, looking at the context of what is being done can allow you to detect activity which is out of the ordinary.
  3. Anti-exploit technology – this is where you do continuous monitoring to block zero-days, fileless malware and more. This requires technology that can track all actions taken by all processes to look for anomalies.
  4. Add the cloud to the mix – Now that you have all of this data, across all of the endpoints of the enterprise, including the end users, servers, the corporate cloud and the public cloud, what do you do with that data? You need a set of tools that can analyze that data in real time, mix in threat intelligence from other sources and likely, even, throw in a pinch of human analysis, and then feed that back into each endpoint so that it can adjust its protection techniques. (Note that the referenced article at the end says that only one vendor does this. That is actually not true. I am sure that only one vendor does it in the very particular way they do it, but that doesn’t mean that many other vendors don’t do the same thing in their own way.)
  5. Threat hunting service – this is where the humans come in, and it takes specialized expertise. People look at this data coming from the endpoints and make sense of it. It is certainly possible that you are the only company on the planet that is being hacked in a particular way – but I seriously doubt it. Even if that were true, the techniques used by hackers are often reused, allowing an experienced threat hunter to detect those patterns.
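To make the first three layers concrete, here is an added example (written for this post; it is not from the CSO Online article or any vendor’s product) that runs a signature check, two contextual heuristics and a fleet-baseline anomaly rule over a few constructed process-start events and file samples. The hashes, host names, command lines and baseline counts are all made up for the example; the point is how the layers overlap and cover each other’s gaps.

```python
import hashlib
from collections import Counter

# Constructed "known bad" hash list. This is the hash of a made-up byte string,
# not a real malware sample.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"constructed-malware-sample").hexdigest(),
}

# Constructed process-start telemetry: (host, parent image, child image, command line).
PROCESS_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ("ws01", "winword.exe", "powershell.exe", "powershell -enc SQBFAFgA..."),
    ("ws02", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws03", "svchost.exe", "rundll32.exe", "rundll32.exe c:\\users\\public\\x.dll,Run"),
    ("ws04", "explorer.exe", "outlook.exe", "outlook.exe"),
]

# Constructed files found on disk: (host, file contents).
SAMPLE_FILES = [
    ("ws02", b"constructed-malware-sample"),
    ("ws04", b"a perfectly ordinary document"),
]

# Constructed 30-day history of parent->child pairs across the fleet. In a real
# deployment this is what the cloud layer (point 4) would learn from every endpoint.
BASELINE_PAIRS = Counter({
    ("explorer.exe", "winword.exe"): 940,
    ("explorer.exe", "chrome.exe"): 2210,
    ("explorer.exe", "outlook.exe"): 1015,
    ("services.exe", "svchost.exe"): 5400,
    ("svchost.exe", "rundll32.exe"): 310,
})

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def signature_layer(files):
    """Layer 1: exact hash match. Catches only samples already on the list."""
    hits = []
    for host, contents in files:
        digest = hashlib.sha256(contents).hexdigest()
        if digest in KNOWN_BAD_HASHES:
            hits.append(("signature", host, digest))
    return hits


def heuristic_layer(events):
    """Layer 2: contextual rules that fire regardless of file hash."""
    hits = []
    for host, parent, child, cmdline in events:
        lowered = cmdline.lower()
        # An Office document should never need to start a shell.
        if parent in OFFICE_APPS and child in SHELLS:
            hits.append(("office-spawns-shell", host, cmdline))
        # Encoded command lines hide what is being run from casual review.
        if child == "powershell.exe" and " -enc " in lowered:
            hits.append(("encoded-powershell", host, cmdline))
        # Loading a DLL from a world-writable directory is out of place.
        if child == "rundll32.exe" and "\\users\\public\\" in lowered:
            hits.append(("rundll32-from-public-dir", host, cmdline))
    return hits


def anomaly_layer(events, baseline=BASELINE_PAIRS, min_seen=5):
    """Layer 3: flag parent/child pairs the fleet has (almost) never produced before."""
    return [("never-seen-pair", host, f"{parent} -> {child}")
            for host, parent, child, _ in events
            if baseline[(parent, child)] < min_seen]


def run_layers(events, files):
    """Run every layer and return all findings as (rule, host, detail) tuples."""
    return signature_layer(files) + heuristic_layer(events) + anomaly_layer(events)


def hosts_needing_attention(findings):
    return sorted({host for _, host, _ in findings})


if __name__ == "__main__":
    for rule, host, detail in run_layers(PROCESS_EVENTS, SAMPLE_FILES):
        print(f"{host}: {rule}: {detail}")
```

Note which layer catches what: the signature layer only sees the one known sample, the heuristic layer flags the Office-to-PowerShell chain and the DLL run from a public directory, and the baseline layer flags the parent/child pair the fleet has never seen even though it has no rule about PowerShell at all. The cloud and threat-hunting layers in points 4 and 5 are what build that baseline from many endpoints and review the resulting findings.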

Doing this is not simple and, unfortunately, not cheap. We have reviewed a lot of tools and have found the best and the brightest. And the most cost effective. You can also do this incrementally, because you are going to have to integrate IT business processes to make this effective.

However, if you don’t start, you will never get there.

The hackers are not going to wait for you. Unfortunately.

Credit: CSO Online
