Cyber Access Control | MFA Enterprise Password Management | Access Smart

Archive for Logical Access Control (LAC)

Kill Biometrics

“Kill Biometrics” is as silly as “Kill Passwords”

Biometrics is no more secure than passwords. Maybe less.

Sounds silly, right? It is. And it’s just as silly to say “kill passwords.” Here’s why. Currently, there are only three recognized “factors” – something you Know (password or PIN), something you Have (technology), and something you Are (biometrics). There are two more coming (location and behavior), but adopting those could take a while. Killing any one factor accomplishes nothing. It simply limits your security resources. Factors don’t need to be killed, they need to be secured and combined with other factors.

Biometric Fanatics Missing the MFA Point When They Kill Passwords

Why do biometric fanatics want to “Kill Passwords?”

Killing passwords won’t solve cyber crime. It will make it worse.

When biometric fanatics evangelize “Kill Passwords!” in favor of biometrics they create a false security narrative. Replacing one form of Single Factor Authentication (SFA) with an alternate form of Single Factor Authentication adds nothing. It simply trades one factor for another. The whole security argument against any Single Factor Authentication is that the hacker only needs one piece of information to break in.

While biometric fanatics like to tout the weaknesses found in knowledge-based authentication (and I readily admit there are some), there are also a number of inherent weaknesses in biometrics. In this series of short blog posts, I will outline those weaknesses. My ultimate goal is for the reader to understand that if we go down the “either/or” cybersecurity path in choosing biometrics over passwords, everyone loses. The smart and secure cybersecurity solution is the “and” path, also known as Multi-Factor Authentication (MFA).

Passwords are Protected by the U.S. Constitution!

Did you know: The U.S. Courts have deemed that passwords are protected under the U.S. Constitution?

U.S. Courts have ruled that passwords are considered free speech since they are considered “knowledge”. Therefore, under the Bill of Rights, 5th Amendment, no person is required to disclose information that could incriminate themselves. DNA and biometrics, on the other hand, are not protected by these same rights. What’s more, Private Keys are not protected by the Constitution since they are computer generated and not considered an individual’s “knowledge”.

Cybersecurity NAICS Codes May Be Coming Soon

Cybersecurity NAICS Codes Lobbying

On February 9, 2016 President Obama announced that $19B should be placed in the 2017 budget for cybersecurity. As a cybersecurity SMB, this seemed like a dream come true, but having already been on the GSA Schedule for almost two years, my phone has not been ringing off the hook with Government interest. So I asked around and found out that many agencies did not know how to find cybersecurity products.

That same month, February 2016, I started a grassroots lobbying campaign to help government agencies find and acquire cyber security products and services. My idea seemed simple: have NAICS, SIN, and SIC procurement codes assigned specifically to cybersecurity products and services. Well, I might have achieved success. Here is the sequence of recent events.

On Feb. 27, 2016, I wrote the following letter to Senator Tom Carper (DE) as well as many other Senators, Congressmen, Congresswomen, agency leaders, and even President Obama. I also posted articles on LinkedIn, and asked for help from companies like Microsoft through their Voices for Innovation group. Here is a sample of one such letter:

Dear Senator Carper,
As the Ranking Member of Homeland Security and Government Affairs, I want to discuss President Obama’s February 9, 2016 announcement regarding Cybersecurity National Action Plan (CNAP). I appreciate that his vision includes both the immediate need to plug holes in the current infrastructure as well as a long term strategy which moves us away from the Band-Aid approach and toward keeping our nation and its people strong and secure.

As a California Certified Small Business owner who offers a multi-factor authentication (MFA) product already on the GSA Schedule, I have an important concern. Currently, there are no NAICS codes for cybersecurity products on the GSA Schedule. This makes it difficult for government agencies and departments to find, let alone implement, the products he is mandating.

One federal agency, (agency’s name removed per their request for security reasons), has evaluated, purchased and successfully implemented our multi-factor authentication password manager to protect their 700 high value servers. Our product, Power LogOn, saved them both money and implementation time because it works with their existing PIV ID badge, creating both high level MFA cybersecurity and convenience. They put Power LogOn through a rigorous evaluation process during which it acquired a FIPS 140-2 verification from an independent NIST laboratory (InfoGard) and a NIST FIPS 201 waiver.

My problem is that the agency cannot tell any other agency about our product because they will be seen as promoting a vendor. It’s a daunting task for a small company to have to start from scratch with every agency and department when the proper placement of our services on a dedicated NAICS code for Multi-Factor Authentication Cybersecurity would allow agencies and departments to easily find and implement the products and services outlined in the CNAP. This would help all companies to be easily identified for cybersecurity products and services on the GSA Schedule, not just me.

President Obama stated that Multi-Factor Authentication will be central to our new National Cybersecurity Awareness Campaign. As the large corporations in this country now scramble to create products to serve that purpose, my business has a 10-year track record of excellent performance and customer satisfaction with agencies and industries including…Government, hospitals, medical offices, education, insurance companies, law enforcement, county governments, Native American Tribal Nations, and more.

The reason the GSA Schedule is so important to your CNAP plan is that agencies will be able to find and simply purchase what they need. They will not be burdened by the time and cost of a large and cumbersome procurement bidding process. Because Power LogOn is already on the GSA Schedule, agencies can implement multi-factor authentication quickly and easily, immediately plugging any holes in their current infrastructure.

Our product takes only hours to implement because it leverages existing technologies. This means agencies can be secured immediately. Having a multi-factor authentication password manager removes the end user from the position of Network Security Administrator by removing their need (and ability) to generate, remember, type, manage or even know their passwords. This also reduces the burden on IT administrators who no longer have to waste time resetting forgotten passwords because they can now be centrally controlled. And by leveraging the government’s existing infrastructure investments, Power LogOn also saves taxpayers a significant amount of money.

I have been in this industry for over 25 years and I have a book coming out next month that outlines how to implement cybersecurity authentication solutions. My only other question is: How can I and my business contribute to CNAP and the vision for our nation’s cybersecurity?

Thank you for your time and consideration.
With warmest regards,

Cybersecurity Procurement Inquiry on OMB by Senator Carper:

An article in E-Commerce Times, “Feds Prep for Cybersecurity Buying Spree” (April 18, 2016), included this section:

Pressure on OMB

Sen. Tom Carper, D-Del., has asked the Office of Management and Budget to respond by May 8 to his concerns that federal agencies are not taking advantage of innovative cybersecurity offerings, particularly from small businesses and startups.

“From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain,” he noted in a letter to OMB Director Shaun Donovan.

“Our discussions made it clear that, because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online,” Carper said, referring to a meeting he attended with small businesses.

The companies pointed out that private sector financial institutions, power companies, retailers and others “are able to quickly reap the benefits of the many new and innovative cyberdefense products put on the market each year,” he said.

“It was not clear to them that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions,” Carper added.

“What are agencies doing to acquire innovative cybersolutions developed by startups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools? What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?” Carper asked.


Cybersecurity RFI from the GSA:

Finally, on April 11, 2016, the GSA posted an RFI (Solicitation Number: QTA00DF16DPI0002) to help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled regarding Cybersecurity products and services. We replied to the RFI. Here is one of our answers, to Question 3:

3. What are the advantages and/or disadvantages of how the government currently purchases cybersecurity products and services?
Currently, there are no Schedule 70, NAICS, SIC or SIN procurement codes for cybersecurity products on the GSA Schedule. Many cybersecurity companies have to list their products under very general codes. For example, while we are listed on the GSA Schedule, the best NAICS matches the GSA office has for our cybersecurity products and services are:

• 511210 – Software Publishers,
• 334119 – Other Computer Peripheral Equipment Manufacturing, and
• 541512 – Computer Systems Design Services.

None of these are obvious cybersecurity categories. The SIC and SIN codes are no better.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to help keep our Nation’s electronic data secure. Their current procedure is to do keyword searches on the GSA Schedule and hope they find something. If they don’t put in the appropriate keywords or vendors have not listed those keywords, the agency finds no match. Their only recourse is to generate expensive and time consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIC and SIN codes would streamline the entire process, save money, and ensure fast implementations.

Without updated procurement codes, small businesses like mine are at a great disadvantage. We don’t have the ability to lobby all the agencies about our state-of-the-art solutions, so contracts are always awarded to the major primes, which often are not up to speed on fighting the latest hacking technology or methodology. When we contact the primes to tell them what we offer in hopes of becoming a supplier, they too don’t know how to classify our products to easily drop into their government bids (no codes to match against). Cybersecurity procurement codes would help to even the playing field for small businesses.

Government agencies need cybersecurity NOW. The outrageously expensive and time consuming solutions of the past cannot be implemented fast enough to keep pace with the onslaught from rogue cyber threats. Passwords are still widely used throughout the government and switching over to new authentications would be time consuming and costly. The government needs security today that can be implemented within a few days, and saves money. When passwords are compromised, all the expensive back end security in the world becomes instantly useless. Securing the front end or “virtual front door” is essential.

Access Smart allows government agencies to quickly add a new application to their existing PIV/CIV/CAC without re-calling, re-issuing, or re-programming the credential. That is why our product won a FIPS 201 waiver. And because security is of high importance to Access Smart, Power LogOn was tested and received a FIPS 140-2 verification from the NIST independent test lab InfoGard.

Our Power LogOn product authenticates the user when the computer is first turned on, before the operating system fully boots up. Power LogOn continues to authenticate the user during computer usage: when requesting logon to a website, application, network, or cloud. This extra layer of security protects data while enhancing the user’s convenience. Making passwords convenient for the user ensures they will not (or cannot) circumvent security for convenience.

Cybersecurity Scores One for the Little Guys!

How much my lobbying actually played into these events is anyone’s guess. Granted, I like to think I had a part. While I could not have been successful in my lobbying campaign without the assistance of a lot of people both known and unknown, I feel like I chalked one up for us little guys in helping the U.S. Government.

Finally, the real winners are the many businesses whose products will now be visible to the Government and Government Primes because cybersecurity products and services will become easier for agencies to identify and procure off the GSA Schedule.


Asymmetric vs. Symmetric Authentication: Which is Best?

Alternative to PKI

On paper and in theory, asymmetric authentication answers all cybersecurity concerns. But it is not the panacea that all the hype has made us believe. What makes asymmetric ciphers “safe” is not the algorithm, key length or patents. It’s the ability to protect the Private Key. Once that Key is compromised, the rest of the security flies out the window.

Asymmetric Keys are only as secure as the infrastructure, the technology, and the human element used to protect them. Bruce Schneier stated that, “The error of [my book] Applied Cryptography is that I didn’t talk at all about the context. I talked about cryptography as if it were The Answer(tm). I was pretty naïve.”


The Complexity: Asymmetric authentication is a complex and involved infrastructure. The more complex an infrastructure is, the more places there are for hackers to exploit. Certificates and Keys have brought serious complexity to network security. They require special Advanced Mathematics, Key Generators, Certificate Authorities, Registration Authority, Validation Authentication, Revocation Lists, Cryptographic Accelerators, Special Hardware (secure hardware modules and smartcards), specialized training, and more. Security is only as good as its weakest link, and there are a lot of links when it comes to networks and computers. Asymmetric authentication only adds to them. Complexity tends to create confusion, unknown parts, and mistakes. Keys are often mismanaged at best and, at worst, completely un-managed. The average corporation employing PKI has over 20,000 different cipher Keys and Certificates, and over 50% of those corporations’ IT administrators don’t know where all the Keys are located within their own network. This lack of knowledge allows hackers to easily inject their own certificates into networks, undetected by IT.

A recent Ponemon report, the 2015 Cost of Failed Trust Report, states: “Research shows the digital trust that underpins most of the world’s economy is nearing its breaking point, and there is no replacement in sight. Security professionals rank a Cryptoapocalypse-like event, a scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight, as the most alarming threat.”


Registration/Certificate Authorities (RA and CA): With the increase in identity theft, it’s not always about the victim’s credit card. It’s about stealing a person’s good reputation so hackers can then use that information to request certificates from an RA to start their attack.

If stolen identities are used or the CA gets hacked, bogus certificates are issued. In 2011, a Dutch CA was breached when a hacker impersonated an RA. The fraudulent certificates affected the operating systems, applications, and browsers of such industry giants as Google, Microsoft, Yahoo, Mozilla, and others.

One of the components that allowed Stuxnet to infiltrate the Iranian nuclear enrichment system in 2010 was the use of what Windows thought was a valid certificate. This certificate weakness example demonstrates an administrative problem and not whether certificate-based systems offer viable authentication.


Key Storage: Where you keep the Private Key is important. Debbie Deutsch and Beth Cohen, in their June 17, 2003 article “Public Key Infrastructure: Invisibly Protecting Your Digital Assets,” summed up the security of the Private Key as follows:

PKI operation depends on protecting the Private Keys. Sometimes keys are generated by a computer and stored in memory and on disk. This is acceptable for everyday security. However, it is possible for someone to break into the computer—perhaps in person, perhaps over a network—and retrieve the Private Key. As a result, very sensitive information or resources need greater protection. Specialized hardware peripheral devices can provide stronger security by generating Keys, signing, and decrypting information, so the Private Key never leaves the device. Protecting the Key then becomes a matter of protecting the device from unauthorized use. It may be carried by its owner, locked up, password protected, etc.

Here’s another example: Cloudflare, a popular off-site storage hosting service, launched “The Heartbleed Challenge” on April 11, 2014. They tasked the hacking community to use the “Heartbleed” bug to steal the private Secure Sockets Layer (SSL) keys off their servers running the OpenSSL framework. The results of the challenge surprised even Cloudflare.

Nine hours later, software engineers Fedor Indutny and Ilkka Mattila at NCSC-FI had obtained the server’s Private Keys. Cloudflare announced that it is possible to expose the SSL private encryption keys. Both Indutny and Mattila sent numerous requests (2.5 million and 100,000 respectively) to extract the Private Key. The next day, two other hackers were able to get in. It seems that when a server reboots, there is a period of time when these keys are vulnerable, and Cloudflare rebooted the server about six hours into the challenge.


The Insider: In a recent article I read, it was surprising to see that 20% of employees are willing to sell their company’s logon passwords on the black market for $1000 or less. So does that mean asymmetric ciphers protect against the insider threat? No. If you have untrustworthy employees who are looking for more money, or are disgruntled, they will always find ways to hurt the company. The trick is to limit their knowledge and keep a record of logon activities. The choice between asymmetric and symmetric authentication is irrelevant here, since both are able to hide secrets and create reports.


Key Storage: When a customer pays for a purchase with an ATM or Debit card, they type in a PIN. PINs are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks before it reaches the customer’s bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper Key for its next leg in its journey. That PIN can be grabbed by an IT person inside the network.

The security of the entire process depends on who configures and manages these HSMs and how well they do it. The most common method criminals are using to get the PINs is to trick the application programming interface (or API) of the hardware security module (HSM) into providing the encryption key. This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.

In a Cambridge University paper published in 2003, a researcher presented how attacks, with the help of an insider, would yield PINs from an issuer bank’s system. Then in 2006, two Israeli computer security researchers devised a much more sophisticated attack that also required the assistance of an insider. With access to the HSM and the API, knowledge of the HSM configuration, and knowledge of the network’s architecture, it is possible for a hacker to acquire bank PINs.

Brian Phelps, Director of Program Services for Thales Group, emphasizes that the problem is how systems are configured and managed. “It’s a very difficult challenge to protect against the lazy administrator,” Mr. Phelps said. “Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations—supporting legacy applications may be one example—which creates the vulnerabilities.”
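To make the PIN path described above concrete, here is an added example (not Access Smart’s code, and not any real HSM vendor’s API) that simulates an ISO 9564 format 0 PIN block travelling from a terminal through two switches to the issuer: each switch HSM translates the block from one zone key to the next, the clear PIN exists only inside that translate call, and a “clear PIN output” function of the kind Phelps warns about is disabled by default and logged whenever it is called. The cipher is an HMAC counter-mode stand-in (an assumption, so it runs with the standard library only); a real HSM uses 3DES or AES, and the zone names and keys are constructed for the demo.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; stands in for the HSM's 3DES/AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def zone_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under one zone key; a fresh 12-byte nonce is prepended."""
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def zone_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def _pan_field(pan: str) -> bytes:
    # 12 rightmost PAN digits excluding the check digit, zero-padded on the left
    return bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))

def pin_block_format0(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 block: (0 | PIN length | PIN | F padding) XOR PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):x}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))

def pin_from_block_format0(block: bytes, pan: str) -> str:
    """Recover the PIN from a format 0 block; only the issuer should ever do this."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    return pin_field[2:2 + int(pin_field[1], 16)]

class SwitchHsm:
    """One switching point. Zone keys never leave the object; the only intended
    API is translate(). reveal_clear_pin_block() models the kind of 'bloated'
    function that a default-secure configuration keeps disabled."""

    def __init__(self, keys: dict, allow_clear_pin_output: bool = False):
        self._keys = dict(keys)
        self._allow_clear = allow_clear_pin_output
        self.audit = []  # record of API calls, the insider control the text recommends

    def translate(self, blob: bytes, from_zone: str, to_zone: str) -> bytes:
        # The clear PIN block exists only inside this call, inside the HSM boundary.
        clear = zone_decrypt(self._keys[from_zone], blob)
        self.audit.append(("translate", from_zone, to_zone))
        return zone_encrypt(self._keys[to_zone], clear)

    def reveal_clear_pin_block(self, blob: bytes, zone: str) -> bytes:
        self.audit.append(("reveal_clear_pin_block", zone))
        if not self._allow_clear:
            raise PermissionError("clear PIN output is disabled by HSM policy")
        return zone_decrypt(self._keys[zone], blob)

def run_transaction(pin: str, pan: str, zones: list, strict_hsms: bool = True):
    """Encrypt at the terminal, translate at every zone boundary, decrypt at the
    issuer. zones: ordered key-zone names such as ["acquirer", "switch", "issuer"];
    one translate happens per adjacent pair. Returns (recovered_pin, [audit logs])."""
    # Constructed demo keys; a real deployment loads zone keys under dual control.
    keys = {z: hashlib.sha256(("demo-zone-key:" + z).encode()).digest() for z in zones}
    blob = zone_encrypt(keys[zones[0]], pin_block_format0(pin, pan))
    audits = []
    for src, dst in zip(zones, zones[1:]):
        hsm = SwitchHsm({src: keys[src], dst: keys[dst]}, not strict_hsms)
        blob = hsm.translate(blob, src, dst)
        audits.append(hsm.audit)
    recovered = pin_from_block_format0(zone_decrypt(keys[zones[-1]], blob), pan)
    return recovered, audits
```

Every hop in the audit logs is a place where the clear PIN briefly existed, which is exactly the attack surface the text says an insider or a misconfigured HSM API exposes.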


Hacking the other parts: Smartcards are also used to generate and store Private Keys. Because of their mobility, they offer a good alternative to a server-based HSM. When Sykipot, a zero-day Trojan, was combined with keylogger malware, thieves were able to steal a smartcard’s PIN and read the stored certificate. While the smartcard was never actually cracked, Sykipot capitalized on a weakness found in the computer’s operating system and applications that allowed the hacker to take control of the smartcard as if he were the owner.

The U.S. Department of Defense (DoD) uses one of the most advanced and expensive PC/SC X.509 deployed multi-factor smartcard infrastructures to date. In 2011, the DoD claimed that Chinese hackers infected their computers with the Sykipot virus and stole the PINs of many government employees’ smartcards. With these PINs, the hackers were able to use the stored certificates to access files and networks. The DoD has yet to publicly disclose what information was accessed or the sensitivity of the data.


Surrender All Your Keys: Well, I think most of us are aware of the Apple-DOJ-FBI fight to get the encryption keys to unlock (backdoor) the Apple iPhone. This is not the first time such an attempt has been tried by the government. Remember the “Clipper Chip?” There has also been the argument to make a global “Key Escrow” of Private Keys. This would split a Private Key into two parts. If an attacker gets one half, the time needed to break the other half is cut exponentially. Wherever the escrow Keys are stored will now also be a target.

In July 2013, the United States Department of Justice (DOJ) demanded, and then subpoenaed, that a privately held company, Lavabit LLC, surrender the private encryption keys of its 410,000 customers. What is particularly disconcerting about the Lavabit case is that the DOJ believes that it can take away the privacy of innocent civilians in order to investigate one nefarious suspect.

Putting the privacy rights argument aside, there is a vulnerability with the security of Private Keys. The logic follows that a subpoena assumes that an IT administrator has the ability to gain access to the Private Keys. Access confirms that the Private Keys are vulnerable. Since the Keys are vulnerable, they will be targeted by hackers, organized crime, nation-states, hacktivists, and others. If they are targeted, they are susceptible to compromise. If compromised, the security of that PKI installation is destroyed.

Cost: One of the biggest barriers for companies deploying asymmetric authentication is cost. Some of the expenses include more backend server hardware, advanced smartcards, training of the IT staff and building up relationships with RAs and CAs. Furthermore, the long term expense is what really hurts: employee turnover.

Companies are constantly having old employees leave and new ones come in. A certificate is “Non-Transferable.” So if the company bought a cert for $150 and then the employee leaves within six months, now the company has to start all over again to purchase another key. The costs include HR/IT time to gather and submit the information, the cost from the RA and CA, the new credential, and so forth. Depending on the industry and size of the business, this could become a very substantial expense of time and money.

Finally, very few operating systems, websites, and applications actually use asymmetric keys or certs to log on. The more common approach is to use the cert to access the computer’s LDAP or Active Directory (AD). The AD actually stores the URL address, user name and password. So all the cert does is authenticate into AD; symmetric authentication is not eliminated from the system.


Wrap-up: Do you abandon one authentication for another simply because it looks good on paper? No. If a flaw in the architecture is discovered, do you discredit the overriding strength of a technology or authentication philosophy? No, you fix it. Do you adopt a whole new authentication when the rest of the industry and components aren’t ready for it? Maybe / maybe not. The Rip ‘n’ Replace strategy causes more security problems because companies cannot justify the cost, security patches are introduced, and often the whole infrastructure is not understood or analyzed for weaknesses. Building upon existing infrastructures and developing a migration strategy will get cybersecurity moving faster and more securely.

Passwords (symmetric authentication) are also not going away for one obvious reason: they are one of the three legs of multi-factor authentication. By killing passwords you reduce authentication from three factors to only two, something no security pundit would ever endorse. Plus, passwords are the only factor that can be changed quickly and inexpensively, something of great importance when it comes to cybersecurity.

My purpose here is to educate readers to understand both the good and bad about every solution. Passwords have been made the scapegoat of the cyber industry when in reality they are a very secure form of authentication. If Private Keys and biometric templates were managed as poorly as passwords have been, then they too would be constantly criticized. The solution is to fix the password management side of the equation.

When it comes to cybersecurity, there is no silver bullet or one-size-fits-all solution. Rather, it is a layering effort: putting in enough layers and then frequently changing some of the parameters (like passwords) builds a very strong front door. The doorway is only part of a cybersecurity strategy. There also has to be intrusion detection, anomaly monitoring, rapid response and many services added behind the firewall.

So often it takes time, and often too much time, to get everyone on board. This gives the hackers the advantage. People need help yesterday, but the best we can do is fix the problems of today. Instead of the security industry trashing one technology over another, it is better to understand all the security avenues from the user’s perspective, and that they all have merit. Technology is best when it solves a targeted problem; it fails when it searches for one. As I always say, “When security is cumbersome, no matter how technically advanced it is, employees will always circumvent security for their own personal convenience.”

Finally, as a shameless plug for my new book Making Passwords Secure: Fixing the Weakest Link in Cybersecurity, I discuss these and many more issues in much greater detail.

I think Bruce Schneier summed it up best in his introduction to Secrets & Lies: Digital Security in a Networked World, which I quote: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”