EzIdentity, Next Generation Authentication Platform

Time to move away from RSA SecurID

2011-04-27T19:11:00.000-07:00

"One survey indicates 44 percent of businesses are reevaluating their use of security tokens, with another 15 percent speeding up already planned evaluations of alternatives. In banking and financial services specifically, as many as 81 percent of respondents indicated that security concerns surrounding tokens have caused their organization to evaluate the use of out-of-band authentication, with 82% indicating their organization is likely to use phone-based authentication."

extracted from - http://www.banktech.com/risk-management/229402308

RSA Advanced Persistent Threat (APT)

On March 17, 2011, RSA announced ^[1] that a cyberattack on its systems was successful and resulted in the compromise and disclosure of information "specifically related to RSA's SecurID two-factor authentication products". While the full extent of the breach remains publicly undisclosed, RSA states that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

In a filing with the Securities and Exchange Commission (SEC) ^[2], EMC officially disclosed the breach to investors and regulators. EMC indicated it "does not believe that the matter described in the letter and note will have a material impact on its financial results." The filing was accompanied by a copy of their initial announcement, as well as a SecurCare Online Note ^[3], which was made available to their customers. This SecurCare note provides little additional detail, but advises actions that customers should take to protect their infrastructure. These actions fall into the category of best practices, and do not address new risks to infrastructure supporting a SecurID deployment.

Background on SecurID operation

As shown in Figure 1, the SecurID system can be implemented with either a physical hardware token (typically a key-fob or wallet sized card), or a software based token (with implementations for desktop and mobile devices). In either case, the authentication system relies on these tokens to produce a time-synchronized one-time password (OTP) that is unique to a given token and only valid for a brief time.

This function is performed through the use of a proprietary algorithm that uses the current time and an embedded device-specific 128-bit seed to produce a rotating code known as a 'tokencode'. A user authenticates by combining this tokencode with a PIN (Personal Identification Number) to produce a one-time password that is submitted to the server. PINs are not required in all implementations. PINs are created by the user on the first attempted use of a token after deployment or re-assignment. For this reason, PINs may not always be required.

Figure 2. SecurID authentication process

A back-end server (known as ACE/Server) holds these same seeds and algorithm, and can thus perform the same calculation to verify a password was generated from the current tokencode. This process is intended to verify that the client possesses a token, but more accurately indicates that they have knowledge of the appropriate seed and RSA's algorithm. The huge number of possible seeds and constantly changing nature of the tokencodes effectively thwart password guessing and interception attacks. It's generally accepted in cryptography that "If the cryptographic algorithm must remain secret in order for the system to be secure, then the system is less secure."^[6]This axiom is commonly known as Kerckhoffs's Principle. ^[7] The RSA SecurID algorithm is proprietary, but is known to many RSA partners. Efforts have also been made to reverse engineer the algorithm and perform an analysis of the underlying security. ^{[4] [5]} while not fully public, exposure of the algorithm is unlikely to affect overall system integrity.

However, seed secrecy is critical. An exposure of the seed to a third party may allow duplication of tokencodes, and by extension allow the guessing of PINs and one-time passwords.

Impact of the Breach on RSA customers

Due to RSA's public nondisclosure of specific details regarding the nature of the compromise, the impact of this breach on their customers remains largely unknown. However, based on this information and knowledge of SecurID's operation, it's possible to establish theories as to what information may have been compromised. These theories in turn help to formulate response plans.

The compromised information may have related to one or more of the following factors, each of which would potentially impact the integrity of the SecurID system to varying degrees:

§ Records of seeds used in hardware or software tokens manufactured to date

§ Relationship of those seeds to specific token serial numbers

§ Relationship of seeds or token serial numbers to specific clients

§ Information regarding RSA's SecurID algorithm that could expose mathematical and cryptographic weaknesses

§ Information regarding specific implementations of the algorithm that may reveal implementation weaknesses in specific products

§ Source code or other information regarding ACE server that may reveal vulnerabilities

Until further information is available, the prudent course of action is to assume the worst: that SecurID seeds have been exposed, their assignment to specific RSA customers is known, and the source code of ACE server and other products has been compromised and may reveal weaknesses.

EZMCOM Solution

In light of the RSA breach, EZMCOM’s superior software-based authentication form factors provides a better alternative to SecurID tokens at a reduced cost of ownership and 100% customer coverage with ease of use. We have already begun working with organizations that are looking to quickly move off of the RSA platform due to security concerns resulting from the breach. EZMCOM is uniquely positioned to enable rapid implementation and deployment. For banks, EZMCOM’s EzIdentity™ authentication platform can be used to roll out multi-layer, multi-factor strong authentication in just weeks. For enterprise, healthcare, and government organizations, EZMCOM offers off-the-shelf support for a wide range of applications and automated enrolment tools to expedite deployment to their employees. EZMCOM also offers stronger protection from new attacks such as Man-In-The-Middle (MITM), Man-In-The-Browser (MITB), a better user experience, and a lower TCO.

Security Primer of EZMCOM authentication clients

The fundamental approach of seed generation in EZMCOM’s authentication software form factors is dynamic and run-time based. This implies that the seeds are not pre-programmed and are not available at any point of time with participating administrators of Customer (e.g. Banks, Enterprises) or EZMCOM employees.

During the time of EZMCOM Token activation, its user receives via out-of-band channel a randomness (RND-1) generated by the EZMCOM server system. Another random component (RND-2) is generated on the EZMCOM Token side and along with RND-1 as a function of cryptographically strong PBKDF2 algorithm creates the Token seed in run-time. A registration code generated from EZMCOM Token client is then submitted to the server system. This allows the server system to have the RND-2 component for constructing the Token seed.

References

[1] - Open Letter to RSA Customers

[2] - Form 8-K filing, RSA

[3] - RSA SecurCare Online Note

[4] - Initial Cryptanalysis of the RSA SecurID Algorithm

[5] - Cryptanalysis of the Alleged SecurID Hash Function (extended version)

[6] - Secrecy, Security, and Obscurity

[7] - Kerckhoffs's Principle

2011 IT Security Predictions

2011-01-04T23:14:00.001-08:00

Coming from 2010, there is still many solutions and issues that will get more attention, check out my earlier post "Recap on 2010 IT security Predictions". This is more in continuation of earlier post. However it brings out the needed security for the new things that have happened

13. Google Mail vs. Facebook Email / Messaging service and Security? [New]
Google is going to get hit badly as every facebook user (which very likely is gmail user) will be moving away from gmail to facebook messaging. I personally feel it is not good for the user. It is always good to have certain things separate – social profile and email should be kept separate. Facebook will also follow advertisement revenue from you.

14. Identity Consolidation [New]
Too many password and too many credit cards, all need to be come together to have one id and one card. Google checkout, Paypal and now Facebook Credits all are coming in so still the security is short of it. Even if Google is promoting 2FA but hackers are cracking 2FA. Strong Security for Identity Consolidation is needed. OpenID is good but it is not there as one Globe ID. Consolidation is the key and it also leads to one point failure scenario.

15. Video Protection [New]
2011 will see exponential rise in video. Skype, iphone 4, ipad 2 (likely with video call feature), Wimax, android based tabs – all this will lead to more videos (calls or contents). Video call security is never considered till now but it will come into life as your videos will be going through many hops and compromise can happen at any level. Video protection needs some good products to come into market.

15. Tablet World but Is Open good? [New]
Android based tabs will flood the market. It is a open platform which makes it prone for malware, spyware, virus etc. Enterprises will have a nightmare managing them as people will have data everywhere. Tabs are going to become more popular so data protection, email protection, message protection, anti theft all these need to be considered for enterprise usage.

16. NFC is here but where is the security ?[New]
Google Android announced new phone model coming out with NFC support. There are few SIM manufacturers (like Taisys) which have got NFC enabled SIM offered for PrePaid Transactions. It is certainly the future but there is a inherent technologuy risk - anyone can manipulate data. All I need to do have a trans-receiver sit in like Starbucks. Without you even knowing your NFC card will be charged. This is a serious threat to this technology and products. Be sure of what you use NFC for?

17. Cloud is coming - Private Or Public ?[New]
Cloud is the next buzz word and it is great for large enterprises and SME as no need to invest on infra, desktop, applications. Every thing will be a service. Companies like Arcot, Tricipher have been bought over by CA and VMware. This clearly shows the Cloud Infra companies are certainly looking for strong identity protection. Private Or Public should not matter if the security is well taken care off. One of the issues will always be increase in the bandwidth usage and it might become a bottom neck as Cloud, Software as a service become more popular. Said that, many promising technologies are coming to address to the offer more bandwidth.

It will be another exciting year. Look forward to 2011.

regards,
vikram

Recap on 2010 IT Security Predictions

2011-01-04T21:49:00.001-08:00

Last year I made following predictions for 2010. Even thought 2010 was tough year for many and most of the CIO and CISO were looking for cutting cost still security did get a good boost. It is warming up what will come in 2011 and 2012 will be much bigger for security.

1. Virus / Malware will hit Mobile
Virus / Malware for mobile devices and smartphones will escalate as more apps are provided that facilitate users ability to do more things related to e-commerce, travel and financial apps. Given that many end users feel less vulnerable on their mobile devices it could be a steep learning curve to convince them they need to take similar protections as they would on their PCs. Guys making the malware will promote these virus and malwares software for your phones as free downloads of ringtones, games, utility apps. These apps will be say as spyware applications for PCs. With GPS enabled phones, it will be dangerous to get infected with these viruses.

[Realization – Yes. Many new viruses did come in but the impact is still that great mostly because the compromise and loss are still unknown and they are not mass scale. With PC anti virus maturity, most of the phone vendors have implemented good process to screen the applications (screening and code signing etc). It is not much of threat until user installed the FAKE application. With user education, later can still be resolved.]

2. Security as a Service
Security Tokens which have become Software driven in lieu of hardware will go subscription based from license procurement model. This will be enabled by the selling Security as a Service. This will be true for managed and hosted services where regulation compliance is a need and customer wishes to have 3rd party Security provider. The overall security as a service will cover better vulnerability management/reduction, application level firewall, strong authentication, robust encryption and closer attention to legal jurisdictions.

[Realization – Yes. This has also come into main stream. Google has released support for 2FA for their Google Apps. Along with that, everything that is moving to cloud which needs to have strong authentication and strong privacy control. 2011 will be much bigger year for Security as a service. Still strong authentication solutions are not giving the best suited simple, easy, effortless user experience. This is the GAP that need to be filled up. 2011 will be interesting year to see Saas to mature and enterprises using Cloud Services will certain go for Strong authentication based login.]

3. End To End Encryption
With the mobile workers and work from home mindset, remote access will become more crucial and at the same time, there will be a lot of data at the user side getting generated and will be under threat (of getting stolen or theft). Along with this, why should you trust the network - Wired or Wireless networks? End to end protection is going to get a big boost in 2010 to protect the data. For instance, insurance agents are doing business from their laptop and there is no protection of the end-customers private information on the system. Application to Application, end to end protection will be the basic need for all the e-business work flows above and beyond SSL certificate.

[Realization – Partly yes. Application based end to end encryption is certainly a need but an alternate solution – Out Of Band Authentication - is giving a better and stronger security solution as compared to end to end encryption. E2E is a good technical solution but backend system integration has been the show stopper for it whereas OOB is simpler to implement. Still OOB will not be able to protect from internal breach. End To End Encryption Or confidential data masking must be put in place. Companies like safe.net are betting on end to end encryption with their HSM based solution, it will good to see how well it does?]

4. Tested and Certified Software Will Have the Edge
Currently a lot of software and hardware products do not have security checklist as a must to pass. Now more push towards Certification and Compliance will come into action and making it a standard. BASIL, PCI-DSS, HIPAA are there but it will go to many other sectors. Procurement actions will require more robust testing of software and firmware to insure significant reduction of many of the vulnerabilities that we are dealing with today. Certification should become faster and cheaper for this too happen.

[Realization – Partly Yes. There has been increase in security awareness and adoption was increased. PCI-DSS and HIPPA certainly come out stronger in 2010. Basil 3 should also made good impact in coming years. Security Awareness and Security not be taken as afterthought are needed more as fraudsters are getting smart in tricking gullible users. Still a lot more emphasis needs to go in Security, Privacy education and ceritification. ]

5. Multi-factor Authentication becomes more popular
Event though Granter states that 2FA is not enough (which all the security gurus have been screaming for decade) still 2010 will be the year for wider adaption of two-factor authentication for the end users. With federation of the many various types of two factor authentication that are around today we will finally see strong authentication become the rule NOT the exception. However, it will not be limited to 2FA(what you know? and what you have?) , but it will become multi factor (where you are? what you see? and what you are?) questions also will become the identity authentication criteria to allow the authentication and access. It will certainly be driven by software (not hardware) to make it widely.

[Realization – Yes. Many companies and sectors are adopting multi factor authentication. Many new companies providing Multi factor authentication have coming alive. OATH had 10-12 members last year but now they have 30plus members that are taking public standard for OTP ahead in the market. Mobile phone based software application form of token is going to be a very popular token for coming years. Unfortunately hackers have become smarter to break One time password based authentication. OOB authentication Or PKI based end to end encryption will be needed. Web SSO (with SSL-VPN or without SSL-VPN) will also come into strong focus as each enterprise uses many applications that they wish to webify and take it to market. OTP, Web SSO, Federated Identity, Unified Single ID will be becoming more common words we will hear in 2011. All of this will be needed for cloud infra also. ]

6. Voice biometric for Password Reset and Getting new services activated
Password management is one of the biggest expensive support activity. Filling form, faxing them and waiting for weeks to get your PIN will change through Voice biometric. Forgot the PIN, call the support helpline, authentication your self and get the new PIN. Same will apply to new services where you will need Activation Code or PIN delivered from out of band with authentication.

[Realization: Yes & No. This never got into action in 2010. Few banks did roll it out and companies like PerSay did get market attention for a short time. The clients for voice biometric for looking at authentication for phone banking or customer support. It never really did well or will pick up in 2011 mainly due to two reason – First: Voice biometric is cracked (there are ways this technology can be broken – I will not cover that in this post but it is doable.) and Second reason is : business model is per Call, the billing is exponential as the more users and more transactions will come into play. It is good as there is no software or hardware involved to be issued to the end-user but cost-security does not favour this form of security.]

7. Social Networking Threats on rise
As more and more businesses turn to social networking sites to extend their customer reach and build brand awareness, sensitive data becomes even more available and vulnerable. This past year, the KoobFace worm spread like wildfire through several social networks including Facebook, MySpace, Friendster and Twitter. In October, a massive bot-based attack, Bredolab, affected three-quarters of a million Facebook users by sending fake password reset messages. No solution will come in 2010.

[Realization – No. I am just amazed to see people are just not worried about their privacy and security. There have been so many applications (for facebook, hi5, orkut that simply steal the users personal details. You click on Allow and your complete life is out in somebody’s hand. 2011 will be the same and people will still do the same thing. More Threats and Attacks will happen on / using Social Networking. It is like smoking where we know it is not good but we will still do it.]

8. Digital Signatures will go Mobile
Today we have two options to do Signing (to enforce Non Repudiation) - Software Signing (through your internet browser secure storage of Certificates) OR Hardware Signing (where Smart Card OR USB Key stores your Certificate). Both are good but restrictive in nature. What you carry with you once is a Phone. Your Keypair will be carried inside your Phone and you will use that for signing and verifying your transactions, documents and emails. It will be cost effective and not restricted in nature as compared to today's options.

[Realization – Yes. Infact I am proud to share: we, EZMCOM, are one of the first movers for complete out with Mobile PKI as a Service that will be enabled for all the banks and financial institutes in country in ASEAN. It gives higher risk appetite, legal binding, simple-effortless user experience (unlike hardware PKI token) and global roaming. In fact the model is “pay per use” making it very competitive in terms of pricing too. 2011 will be big year for this as it will go global. ]

9. Email Protection with DLP (Data Leakage Protection)
Email is the most widely used communication tool for businesses today. Email Signing to hold its legal value is become a need of the businesses. Also making your communication confidential will also become crucial. Solutions like PGP for desktop email encryption and signing are present but they will not fly any more. It will be enterprise level or ISP level email protection. Currently we have anti spam, anti virus for our email but not sufficient when it comes to internal breaches and legal conflict. Email Signing as well as DLP will come strongly in 2010-11.

[Realization – Not Really. Email Archival and DLP did get good attention and it was very much needed in 2010. Still Email signing / encryption is not coming into main stream yet. Why? Gmail does not want it as they cannot show advertisements. Blackberry offer it but you need to pay premium. Why will anyone give email security. I will be happy if free email encryption (SMIME) gets offered esp by gmail, it will be great service to all.

On the other hand for DLP, Only enterprise market are looking at DLP solutions. DLP is more to do with processes + people than technology. Simple way to bypass is to carry a camera (which all phones have now) and click the pictures of the documents from your screen. Controlling people in the world on web is not possible there are many simple or sophisticated ways to bypass security and steal the data.

What is needed in 2011 is collaboration tools like yammer and close network + application monitoring tools. We need to have happy employees that work closely so they do not steal. If somehow there is a PC compromised by external hacker(s) then application / network monitoring will be the right solution. In addition, if you have really private and confidential files and data then go for PKI Certificate based Encryption Tools (there are many good ones in the market now. 2011 might have this but i am blur on this one.]

10. Identity Management and Authentication and SSO will consolidate
Consolidation of the PIN, Token, Certificate along with web based SAML enabled single sign-on is going to give efficient, best TCO, least support mainly for private and public sectors. National ID cards will become crucial to enable many e-service, m-services and real services using one consolidated platform for Identity Management and Authentication. Federated Identity will become more popular in 2010.

[Realization – Not Really. 2011 might be the year for it after the long recession.]

11. Rise of Scareware
While free anti-virus products are great to decrease the growing amount of malware threats out there, users need to be cautious about rogue anti-malware products -- otherwise known as "scareware" -- that organized crime rings will use to take advantage of end-users and disable their computers. Scareware reared its ugly head this year through fake advertisements (malvertising) for antivirus onThe New York Times website.

[Realization – Yes. 2010 has seen many malware and scareware esp. As SMSes, emails and browser plugins. There is no stopping in 2011, it will continue and now a better and biggest enabler is Social Networking sites where more scarewares will be coming in. There is always a NEWS – good or bad / real or fake. Wikileaks is also whistleblower for good of the world. 2011 will many more surprises solets wait for it.]

12. No Privacy
Google, Facebook, twitter etc willensure you have no privacy alot. Your emails, blog, wall-to-wall comments, tweets will be used for social intelligence. Your location will be given away through your Nokia, Iphone, Blackberry. Please be aware of No Privacy World.

[Realization – Yes. 2010 started No Privacy and 2011 will be more No Privacy year. Every one will know where you are, what you are doing, whom are you with, what you are hearing, what you are texting / tweeting / facebooking . Your Pc and your phone are the spy on you. This is a double edged sword that is good (when it comes to shoping / getting deals / location based service – it is great) but it is bad (when every one in facebook / google will know what you are hearing / doing ?).

Decide you self are you private person or public person? ]

It will be great to hear out your comments. Do contact me at vikram @ ezmcom . com

True Out of band Authentication with PKI

2010-09-17T02:25:00.001-07:00

True Out Of Band Authentication

In today’s dynamic environment, fraudsters are continuously developing increasingly sophisticated ways to attack and circumvent security measures and the number of ‘Man-in-the-middle’, Trojans and other malicious software ("Malware") attacks are increasing steadily. Amid increasing attacks and an urgent need to protect customers online, BFSI institutions, B2C segment are turning to ‘Out-Of-Band Authentication’ where user’s identity is verified using a channel other than the one being used to facilitate the transaction.

We, at EZMCOM Inc, have announced the availability of their ‘Out-of-band Authentication’ solution with world’s first OOB with Non Repudiation. EZMCOM’s next generation EzIdentity Platform gives regulation guidelines compliant Multi Factor “Out of Band” authentication to protect from Man-in-the-Middle, Trojan attacks and give non repudiation using true PKI.
Unlike traditional ‘OOB’ methods, which limit the transaction to the user’s mobile phone, EZMCOM’s solution offers OOB through Web, through mobile app as well as voice call. Following shows the value of each -
· WebSIGN OOB converts Laptop /PC into virtual authentication tunnel between Server and Client. It uses our patented technology and has no software installation requirements.
· MSIGN OOB converts your smart phone into two way two factor, end to end encrypted and signed channel for authentication and digital signature. MSIGN is user friendly and convenient as it works on all Java, Blackberry, iPhone, Android OS based phones.
· VSIGN OOB is the voice based OOB authentication which uses “What you know - PIN” and “What you are – voice signature” for authentication. It is a reliable two way authentication form and needs no additional installation.

According to Our Product market survey, out-of-band transaction verification via a MSIGN and WEB SIGN are better value for money along with their ability to defeat man-in-the-browser attacks such as the Zeus Trojan. Above and beyond, Web Sign and MSIGN offer truly non repudiation especially for high value transactions based businesses (like corporate and trading). MSIGN and WEBSIGN both do digital signing using RSA 1024bit key pair issued by the Recognized Certificate Authority.

Our true Out-of-band Authentication is being widely acknowledged especially by banks & financial institutions. Two key reasons are – First: our offering is Mobile Operator & SMS independent. Second: Ability to have true legally binding non repudiation which no other solution in the world offers.

Banks and Certificate Authorities are embracing true OOB solution as they have the universal reach like SMS and have no/ minimal impact over customer behaviour. Verifying users details through phone (over SMS) is just not enough these days, due to the increasing call-jacking associated with online identity theft. EZMCOM offers not just 1, but 3 strong channels for authentication, making their platform the ‘Multi-factor, out of band authentication’ platform in the true sense.

For free evaluation and to learn more on our OOB, please contact us at sales@ezmcom.com.

Ezidentity solution for Bank Negara Compliance

2010-04-22T04:45:00.001-07:00

Check out this SlideShare Presentation:

Ezidentity solution for Bank Negara Compliance

View more presentations from guestecf51c5.

Prefect Substitute: Mobile Token for PKI USB Token

2010-03-25T07:11:00.000-07:00

Newly released MSign Technology that converts Mobile Sign into Secure Keystore for you to carry Digital Certificate and also allows you to sign your documents as well as transactions from your phone. We have compiled a list of keyfeatures that make your Blackberry Or Nokia phone a prefect replacement to conventional old time PKI USB token -

Msign gives anytime, anywhere mobile signing where user gives approval & signs transactions on their phone.
No dependency on PC / Laptop. No driver installation needed.
No Hardware token involved. No logistics. No Inventory Management. No Damage and replacement.
User can use multiple PCs as mobile sign application is on the phone is independent.
No need to share Token / PIN with others. Gives best protection with best experience with least user education.
Holds legally binding, Non Repudiation as Certificates are issued by Certificate Authority. It can work with multiple CAs from other countries too.
Cuts down on communication time and cost by auto alert and instant signing (accept and reject) option.

Mobile token makes a good candidate for replacing USB hardware token.

We are offering free trial for banks, government departments, enterprises as well as partners. Please feel free to contact us.

Mobile Sign Technology Added to EzIdentity Platform as MSign

2010-03-25T07:04:00.000-07:00

EZMCOM's Mobile Sign technology lets mobile phone users securely authenticate themselves, digitally sign documents & data and confirm legally binding transactions by entering a self-chosen PIN. The Mobile Sign offering uses two-channel, two-factor authentication based on Public Key Infrastructure (PKI), combining an over-the-air platform with a java software client on the phone. The software is used to secure online banking, mobile payments, e-commerce, governmental services and identity and access rights management for enterprise applications. EZMCOM's Mobile Sign digital signature is independent of Mobile Operators. And Bank / Enterprise deploys Mobile Sign Connector that interfaces with their Application(s) like Online Corporate Banking, Retail Banking. Mobile Sign Connector is pre-configured with Mobile Sign Gateway (deployed as a service with CA). Gateway provides Mobile Sign Client provisioning, Activation, Certificate Issuance and Usage. Gateway along with Connector uses digital signed SMS and Data between customer and bank making sure complete channel is protected and no Man-in-the-Middle attack compromises the transaction.

Mobile Sign Technology empowers - Bank with cost effective and simplified approach for conducting legal transactions. First, Bank does not need to issue PKI tokens & smart cards for carrying their certificates, with Mobile Sign technology, any smart phone becomes secure certificate store. Second, User is not bound to computer for approving transactions or signing documents, with Mobile Sign user can be anywhere till conduct banking and sign transactions & documents from their phone. Bank will be enabled with complete mobile wireless PKI certificate management and digital signatures. Today's consumers always have with them is their mobile phone, and they clearly express their desire to use it more and more for convenience in their daily life. Enabling people to conveniently sign legally-valid transactions is opening up a whole range of new applications for the mobile, at the service of citizens. This is enabled with EZMCOM's Mobile Sign Technology.

To know more, contact us.

2010 IT Security Predictions

2009-12-21T18:55:00.000-08:00

Wish you a happy holidays and happy new year. We have compiled a list of 12 predictions that we, as security company foresee in coming year of 2010. Please do leave your comments or email us if you are looking for the solution.

7. Social Networking Threats on rise
As more and more businesses turn to social networking sites to extend their customer reach and build brand awareness, sensitive data becomes even more available and vulnerable. This past year, the KoobFace worm spread like wildfire through several social networks including Facebook, MySpace, Friendster and Twitter. In October, a massive bot-based attack, Bredolab, affected three-quarters of a million Facebook users by sending fake password reset messages. No solution will come in 2010.

Time based OTP are not enough!!!

2009-09-21T09:13:00.000-07:00

Yesterday, 20 September 2009 another case got reported (click for linked article) where RSA SecureID time based One Time Password Token, provided to customer (account manager at Ferma - a construction firm), Mountain View, CA. But there was trojan on the computer initiated 27 transactions to various bank accounts, siphoning off $447,000 in a matter of minutes.

These RSA SecureID token were generating OTP based on 30s intervals still the trojan got to bypass it. OTP did what it wass suppose to do but the attack was beyond the protection level provided by the RSA token. In simply words - It was unable to protect in this form of Script in the Middle OR Trojan Attack where the transaction is intercepted and changed. Token is no protection to this form of attacks.

What all is missing -

The transaction did not have any integrity enforced. The transaction did not have "sign what you see" authentication layer.
There is no end to end encryption to protection the OTP or transaction details.
There was no risk based engine monitoring the change in behavior of users pattern. There was no alert or threshold check to tell the user that there is money getting drained out.

To address to above, authentication platform have to provide -

what you know? - userid and password
what you have? - Time Password (strong will be Challenge based OTP)
sign what you see? - Transaction Signing using Token Or Out of band
what is user's behavior? - Risk Based Authentication
with whom I am communicating? - End to End Encryption make sure only right parties can communicate.

To give a complete authentication platform that will compliment "what you know? - userid and password" comes from EZMCOM in form of EzIdentity platform -

1. EzToken - what you know?
2. EzSign - sign what you see?
3. EzCert - sign what you see with non repudaition enforcement (digital signature)
3. EzWatch - Risk based authentication (coming soon)
4. E2EE - End to End Encryption

We suggest to look more closely to your authentication requirement for your application(s).

We can help you out by our free authentication gap analysis for your application(s). Please get in touch with us -

Click here to Request a call
Drop me an email - vikram @ ezmcom dot com / skype out @ vikramsareen.

Have a great day.

2FA OTP for Web based Email (SquirrelMail Integration)

2009-09-11T00:05:00.000-07:00

One of the most used business tool is Email and web based email access is used by 90% enterprises globally. There are popular email solution available in market like Microsoft Outllook Web Access, Lotus, Free ones Gmail, Yahoo, Open source - SquirrelMail, SendMail etc.

Most of the confidential and restricted information and documents like proposals, quotations, agreements, invoices, partners / clients and potential customers details etc exchanged through these email.

Corporate cyber warfare is becoming more common where hackers are offering their services to companies to spy on you and also steal your confidential and private information. The easiest place to attack is your Email.

Most of the email solution, commercial or open source do not come with strong protection. It comes with only basic authentication where you provide userid and password to log into the web based email system.

This is where EZMCOM comes in and helps you to strengthen your email with strong identity protection by providing One time password protection to your email Id.

Using our EzToken (software and hardware tokens) you can add strong authentication to your email solution. We are taking the example of the SquirrelMail where we will show how easy it is to add Second Factor Authentication for this open source web based email solution.

There are 3 easy, quick steps to follow -
STEP-1: Modify the UI "$SQWEBMAIL_HOME/src/login.php" to ask for a 2nd factor (OTP) input
Example:

STEP-2: Add the following lines of code at an appropriate place in the file "$SQWEBMAIL_HOME/src/redirect.php"
/* Verify that username and OTP are correct. */
$otp = trim($otp); /* $otp variable receives the input value from the above modified login page */
$success = "0";
$otp_verification = verifyOTP($login_username,$otp);
if($otp_verification != $success) {
$msg = 'One-Time Password verification failed: ';
logout_error( _($msg . $otp_verification) );
exit;
}

STEP-3: Add the following function in the file "$SQWEBMAIL_HOME/functions/auth.php"
/**
* Verify OTP
* This function performs One-Time Password authentication
*
* @param string $username and $otp
* @return authentication result '0' for success, or failure return code
*/
function verifyOTP($username, $otp) {
/* initialize the below orgid to the EzIdentity group ID
displayed in provisioning portal. Default (1st group Id) is 3 */
$orgid = '3';
/* initialize the below URL to point to EzIdentity Authentication
server. Edit IP address, Port. Default value of http port: 9880 */
/* Note: Requires HTTP integration API plug-in to be installed in EzIdentity */
/* Note: Requires appropriate firewall access controls for access */
$url = 'http://IP:PORT/auth/ezidentity/verifyallotp.jsp';

$data = array ('strUserId' => $username, 'iOrgId' => $orgid, 'strOtp' => $otp);
$data = http_build_query($data);
$optional_headers = '';
$result = do_post_request($url, $data);
return $result;
}

Once you do the above mentioned 3 steps, you are enabled with Strong protection for your SquirrelMail.

Following are the user experience for the new strong authentication of SquirrelMail -

Screen 1: Login asking for OTP along with userid and password

Screen 2: Password and OTP validated to get successful login

Screen 2: Invalid OTP OR try to reuse the OTP again - Login failure

Similar to SquirrelMail, all the other popular email solutions can be configured to offer strong protection. In the back end you will have EzIdentity platform to manage the token and users and from your email solution, you will do the authentication.

With EzIdentity platform along with EzToken Software tokens, the total cost of ownership for rolling out strong authentication for your enterprise email solution is as low as USD 2 per user per month.

For details on the EzIdentity solution and for free trial, please contact us. We will be glad to assist you.

Mobile Phone Software Tokens - Why and What?

2009-08-02T22:54:00.000-07:00

Software tokens are future of the One Time Password tokens. The hardware tokens are difficult specially for retail / consumer commerce and internet banking. Software tokens are much simpler to manage and provision and they are able to offer following value proposition -

Strong two-factor authentication to protected services
Application available for all popular phone models.
Application available for download through the Apple App Store
One-tap token provisioning for the end user
Support for Login and Transaction signing.
Support for Roaming PKI using Transaction OTP.
Support for Software Development Kit (SDK) for application developers to integrate into their work flows and platforms. Also enables end to end encryption too using Pend Patent OTP based encryption algorithm.

EZMCOM EzToken support more than 800+ phone models including –

iPhone
Blackberry
Windows Mobile
Smart phone / Java Enabled Phones

Mobile phone provide convenient and cost-effective two-factor authentication to enterprise applications and resources. EzIdentity Authentication Platform, the software that powers EZMCOM Identity Protection Platform / Authentication System – are available for free of cost evaluation and purchase worldwide.

EZMCOM offers enterprises a wide range of user authentication options to help positively identify users before they interact with mission-critical data and applications through:

VPNs & WLANs
Email
Intranets & extranets
Web servers
Online publishing servers
Remote Access through Citrix and SSL-VPN etc gateways
Any Web Based System
Any RADIUS Protocol Supported network resources

The use of software tokens decreases total cost of ownership for organizations as they don’t require any physical shipping, can be revoked and automatically redeployed if the phone is lost, eliminating the need for replacement tokens. Additionally, having the software authenticator on a business critical device like the iPhone and Blackberry reduces the number of lost or forgotten tokens, decreasing the number of costly technical support calls.

Free download of iPhone OTP Token: EZMCOM EzToken Software Token App for iPhone is available at no charge from the App Store on iPhone and iPod touch or at www.itunes.com/appstore/. The required token seed is available for purchase worldwide from EZMCOM and partners. The EzToken Software Token for Mobile Devices is designed for enterprise users whose organizations have the EzIdentity system implemented.

Token Trends: What people search on google?

2009-07-02T21:14:00.001-07:00

While working on our EZMCOM website (getting launched soon), we were analyzing what are people searching for when it comes to authentication and security. We did few search comparison using google.com/insights and results were surprisingly pleasant for us.

We would like to share our interpretation on Authentication Token Trends with you. We searched the trend for following tokens from 2007 to till date -

hardware token
software token
usb token + pki token
sms token

(click to enlarge)

There were surprising results which came into light. People have been searching more on the PKI and USB Token than hardware token, this makes usb token as most ideal token for enterprises to use for authentication.

average search over 2.6 years

Second in race is software token followed with hardware token. It is always that hardware token is much better when it comes to security as it is hamper proof. However, the search results reflect complete possible of it where people are searching more on software token than hardware token.

Search Volume over 2.6 years (click to enlarge)

One of the interesting observation is also the region from where the searches are carried out. We realized that mostly the search comes from two regions - North America, Europe and India. The key reason would be:

America and Europe are ahead from others when it comes to regulations and compliance
India is R&D office for many security firms that must be doing the search of security products.

Please find the following results to share more on the details of the regions for each form of token as follows (click to enlarge the image) -

software token

usb token

hardware token

sms token

Why are we sharing the above with you?
Even though EzIdentity platform is offering all the 4 types of tokens and many more but there is a change in the direction of the choice of token that people seek.

The confidence from usb pki token is highest as it is a secure hardware device that carries your strong Private-Public Key pair. Making it impossible for any hacker to get into.

Following to this, software - why - becuase it is free of logistics + invenotry costs, reusable, real-time, easy to install and carry.

SMS and hardware do have good points in their favor but pki and software token make a better combination to roll out for your enterprise or commerce portal or government work flow.

Next Steps

Check out the insight results yourself - Click Here.
Visit us at www.ezmcom.com for more information

EzCert: EzIdentity Offering for PKI (Roaming and Conventional Approaches)

2009-06-22T07:37:00.001-07:00

EzIdentity offers an unique platform that brings One Time Password Tokens as well as Digital Certificate (PKI) under one platform. It is the only platform that offers Public Key Infrastructure in two forms -

Roaming PKI (new way of doing things)
Conventional PKI (the proven approach)

Our third layer that enforces non repudiation is called EzCert. This layer can be used with/without OTP authentication too if conventional PKI is needed. It brings regulation compliance in de facto and most cost effective manner.

Following part of this post covers how EzIdentity platform offers PKI options. The market need is demanding roaming PKI where the user does not need to carry Digital Certificate with him, he uses strong authentication to establish authenticity *(and servers performs crypto operations on behalf of user).

EzIdentity interfacing with any Certificate Authority like Verisign, Thwate (or any national CA) is straight forward. There can be dedicated or non-dedicated connection to the CA infrastructure. EzIdentity interfaces over Secure HTTP Or Secure Web Services with the CA for the following operations to manage the lifecycle of the certificates.

There are two options for enterprise or bank to go ahead with PKI. Roaming or Conventional. Lets look at them both respectively in terms of the work flow.

1. Roaming PKI Approach -

the work flow will be -

Step 1: The customer PFX is secured archived with EzIdentity and is issued a Security 2FA Token (hardware Or Software). Calling Application does not have any access to Token Secrets Or PFX.
Step 2: User logs into Application with Strong 2FA Authentication. Customer goes to transaction flow and wishes to sign the transaction.
Step 3: Application will ask for Strong Authentication again at transaction confirmation. If customer has Challenge Response Token then user can create MAC on his token otherwise normal OTP.
Step 4: Application will call EzIdentity to sign on behalf of user the “To be Signed Data” and Signature OTP. If OTP validation is successful then EzIdentity will sign transaction using user’s PFX.

2. Conventional PKI Approach -

the work flow will be -

Step 1: The customer carries his PFX on the token or flash drive. The PIN is already sent via SMS and person remembers or store it.
Step 2: User logs into Application with PKI based authentication. Customer goes to transaction (TX) flow and wishes to sign the transaction.
Step 3: Application will promote user to select Certificate from Token Or Flash Drive, Enter the PIN and perform digital signing. The signed data and PKCS signature is posted.
Step 4: Application will call EzIdentity with signed data and PCS signature to validate the certificate and verify the signature. If both are success then EzIdentity returns success to application.

EzIdentity gives an extremely cost effective solution when it comes to unified platform for OTP as well as Digital Signatures. This is the uniqueness that benefits to the enterprises in terms of platform management, support, training and roll-out.

Next Steps

Click here to Request a call
Email me at vikram@ezmcom.com
Visit us at www.ezmcom.com for more information

Making Money from Tokens

2009-06-12T09:40:00.000-07:00

Security is looked as sunken investment where security solution is a cost that is part of the operation cost for running the business or service. Now it is changing esp. for the retail and corporate online commerce and banking.

BFSI industries are looking at authentication and making the needed investments due to following three reasons -

Regulation across the globe is demanding all the banking and trading companies to implement Second factor Authentication.
Online interface is a must. you want to keep your customer, they demand online option and for free.
SMS is not reliable and costly affair when the volume and velocity of the users and their transactions grows exponentially. You cannot give SMS as only option.

Esp. Banks in Asia have started looking into offering choice to the customer. Starting in Singapore, India, Malaysia all the countries are looking at offering variety of tokens to their customers but interesting they are charging for these tokens.

Please have a look at the following two examples of Asian banks - OCBC from Singapore and AXIS Bank from India.

OCBC Bank - they have launched 3 different form of tokens - SMS based , Mobile Phone based (mobile banking along with OTP generator) and Hardware token.

choice of tokens

Mobile Token is Strongly Recommended

AXIS Bank - they have launched again 3 different forms of tokens - SMS based, Web Token (OTP generated for your browser - not an exe installer but java applet approach) and Hardware Token.

Netsecure - added authentication for
retail and corporate banking

hardware token for INR 800 per token
and replacement for INR 500

Web token for INR 150 pa

SMS Token for INR 150 pa

Above shows how banks are moving into generating revenue from a value added service to their internet banking. With this approach, monetizing the authentication token, there are changing the mind set on creating security as a sunken cost.

It is good for the customer too as they get to chose their token and also bank is able to offer not cheap security solution.

Next Steps

Click here to Request a call
Email me at vikram@ezmcom.com
Visit us at www.ezmcom.com for more information

Welcome note

2009-06-12T09:24:00.000-07:00

We welcome you to our new blog primarily focused on EzIdentity authentication platform. We will share a lot on the

salient features
use cases - value and business proposition
"behind screen" technologies
upcoming features
case studies
comparison with other technologies and platforms
achieving regulations and compliance
total cost of ownership and return on investment

We look forward to your feedback, comments, suggestions for us to make EzIdentity platform best suited for market need esp. yours.

Thanks for your support.

Yours truly,
vikram sareen,
Co-Founder, EZMCOM Inc.
www.ezmcom.com