Tag Archives: TFA

Cybersecurity is just too much trouble for the general public, claims study

8 October 2016

In report ‘Cybersecurity is just too much trouble for the general public, claims study’ published on 6 October at the Tripwire state-of-security blog, Graham Cluley cites from the NIST study Security Fatigue:

“Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.”

We should not be surprised ‘that the public is suffering from “security fatigue” and a feeling of helplessness when it comes to their online security’. Most of the advice for end users in the information security domain is just puzzling. Let me make this clear with an example.

Renowned German Stiftung Warentest assessed 15 e-mail providers in the October 2016 edition of the Test magazine. Focus of the assessment was data privacy, ‘the protection of customers and emails against unwanted looks’. And, of course, usability. Table 1 below shows the Stiftung Warentest quality ranking.

Provider Quality Ranking (1)
Mailbox.org Tarif Mail 1.4
Posteo 1.4
Mail.de Plusmail 2.2
GMX Topmail 2.3
Web.de Club 2.3
Web.de Freemail 2.5
GMX Freemail 2.6
Telekom Freemail 2.6
Freenetmail Basic 2.7
Telekom Mail / Cloud M 2.7
1&1 Mail Basic 3.1
AOL Mail 3.1
Yahoo Mail 3.2
Microsoft Outlook.com 3.3
Google Gmail 3.4

Table 1: Stiftung Warentest rankings

(1)    Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

At a first glance, the table suggests that it is sufficient to use one of these providers (all were rated from very good to average) and security is guaranteed.

Unfortunately, this assessment is very misleading. Email encryption is just one aspect of information security. It protects against cyber criminals, state-sponsored attackers or insider attacks because the information is not readable unless the attacker has access to the encryption key.

If an attacker is able to compromise a user’s account, e.g. through a password phishing attack, he might have full access to all emails, although they are encrypted.

To secure an account against phishing with frequent password changes and the use of individual passwords for different services, is not sufficient. And usability is bad, even if password managers are used. Two-Factor Authentication (TFA) or one-time passwords are the tools of choice to enhance security against phishing attacks.

Table 2 shows the Stiftung Warentest results updated with details about TFA availability.

Provider Quality Ranking (1) TFA available With soft token With SMS With hard token
Mailbox.org Tarif Mail 1.4 (2) Yes Yes Yes
Posteo 1.4 Yes Yes  
Mail.de Plusmail 2.2 Yes Yes Yes
GMX Topmail 2.3 No
Web.de Club 2.3 No
Web.de Freemail 2.5 No
GMX Freemail 2.6 No
Telekom Freemail 2.6 No
Freenetmail Basic 2.7 No
Telekom Mail / Cloud M 2.7 No
1&1 Mail Basic 3.1 Undef. (2)
AOL Mail 3.1 Yes Yes
Yahoo Mail 3.2 Yes   Yes  
Microsoft Outlook.com 3.3 Yes Yes Yes
Google Gmail 3.4 Yes Yes Yes Yes

Table 2: Rankings updated with details about TFA

(1)    Quality Ranking: 0.5 .. 1.5: Very good, 1.6 .. 2.5: Good, 2.6 .. 3.5: Average

(2)    It was not possible to determine whether TFA is available from the provider’s homepage

Only 7 of the 15 email providers allow the use of a second factor. The limitation to one aspect of information security creates puzzling results and a false sense of security. It is therefore no wonder that consumers show the ‘characteristics of security fatigue’.

TFA with soft tokens is under normal conditions activated within seconds, and very easy to use. From my point of view, service providers should create the needed attention and force the use of TFA. It is not sufficient to notify the users of new waves of phishing attacks.

Have a good weekend.


O2 not hacked – O2 customers victims of cybercrime

6 August 2016

On 26 July, the Register reported that “Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web.” The BBC Victoria Derbyshire Programme and Graham Clueley brought similar reports.

All reports made clear that O2 has not been hacked. BBC reports that “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as “credential stuffing”.

Poor user habits, like recycling of usernames and passwords, are indeed a major problem. But in my opinion many service providers are at least co-responsible because they do not sufficiently protect their customer’s account details.

Many service providers still have not enforced Two-Factor Authentication (TFA), although this technology is easy to implement and to use, in particular for high-tech businesses like O2. Even if account details are stolen, the likelihood of cyber-crime is dramatically reduced because the cyber-criminals have no access to the second factor.

From my point of view it is time that the regulatory authorities finally do their job and protect the citizens and businesses from cyber-crime. We need a European regulation which makes the use of TFA compulsory for all service providers. Unfortunately, this will not have any impact on the O2 customers because of the Brexit …

Have a good weekend.

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

How to ensure strong passwords and better authentication

30 November 2015

Peter Wood’s ‘Five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft’ published recently on ComputerWeekly.com are really worth reading.

The checklist is a good starting point for a self-assessment, except for the tip on Two-Factor Authentication. I fully agree that privileged accounts and accounts used for remote access must be given special protection. But this will not stop attackers from theft of information once they got access to the company network e.g. through a phishing attack. In this case the attacker acts as an authenticated user with all the authorizations granted to this user.

If Two-Factor Authentication is required even for access to business critical information inside the company network a large bunch of attacks is no longer possible because the attacker has just no access to the second factor, e.g. the user’s smartphone and the authenticator app.

A 27 chars passphrase like ‘1sn’t th1s a good password?’ is definitely much safer than an 8 chars hard to memorize strong password. But the passphrase is as useless as the password once the attacker managed to get access to the network. In this case a second factor could make life more difficult for the attacker. In addition the chance of getting discovered increases dramatically.

Have a good week.

It was about time: Amazon introduces Two Factor Authentication

20 November 2015

Just in time for the Christmas sale Amazon introduced Two Factor Authentication (TFA) this week. Set up is as easy as for WordPress.com: Navigate to the Advanced Security Settings page, choose Authenticator App, Scan the bar code and Verify the Code.

Except if you are a customer from Amazon in Germany. The Advanced Security Settings page is not on available on Amazon.de. The same holds for Amazon.co.uk. Amazon seems to stagger the roll out, with focus on the US market because the Christmas sale starts earlier there.

Hopefully Amazon rolls out TFA in the next days also in Germany. Otherwise there will be no Christmas presents for the kids this year…

Have a good weekend.

11 Million Ashley Madison Passwords Already Cracked

14 September 2015

This LIFARS post from last Friday should shake up every service provider. It’s definitely time to make Two Factor Authentication (TFA) obligatory for all services which process personal details.

Microsoft Authenticator App

Microsoft Authenticator App

TFA is no longer a matter of technology. For example, Authenticator Apps are available for all phone operating systems and, really easy to use. Combined with even a weak passwords the one-time passcodes generated by the authenticator apps form a nearly unbreakable authentication method.

In my opinion it’s high time for service providers to make procedures for the use of TFA for their services technically available. And they should force users in their own interest to switch to TFA, if necessary by proper terms of use for their services.

With this, news like Ashley Madison Breach Reveals Ridiculously Weak Passwords are a thing of the past.

Take care! And learn how-to protect yourself against identity theft.

The new first line of defence?

22 November 2014

In his latest post at ComputerWeekly.com Warwick Ashford reviews the CyberArk Report ‘Exploits of Privileged Accounts Shift the Front Lines of Security’. His post is absolutely worth reading.‘

‘“One of the reasons for this is smaller, less well-defended organisations have become a prime target for attackers who are ultimately aiming at larger partners in the supply chain,” said Mokady.’

That’s definitely true. Perhaps you remember the Home Depot data breach? This breach was caused by stolen credentials of a third-party vendor.

‘“Securing privileged accounts represents the new first line of defence in the ongoing cyber battle companies are fighting,” he added.’

Very well said. But what really confuses me is that Udi Mokady talks about the new first line of defense. 

The majority of the big data breaches have been caused by stolen credentials. With a Two Factor Authentication (TFA) most of this breaches could have been prevented.

It’s definitely very important to secure privileged accounts. With admin privileges it is very easy to change log settings or tamper audit records. But it is definitely not enough to secure only privileged accounts. Because even with standard user privileges you may have access to business critical data to do your job.

Let me give you an example. Oracle Transparent Data Encryption and SQL*Net encryption and integrity checking are easy to implement measures to secure an Oracle database. This will prevent man-in-middle attacks, eavesdropping of the data traffic and direct access to the database files.

Sounds pretty secure, doesn’t it? Unfortunately it isn’t. Even an unprivileged user, and even more a malicious insider with stolen credentials, is able to install an oracle instant client and use Excel and ODBC to create a copy of all data he could use with his standard user rights.

With TFA enabled, at least on all business critical systems, and for all users, the probability of such an event is dramatically reduced.

Securing accounts with TFA is the very first line of defense.

In addition you should decide about granting privileged access on a per task basis. For business critical infrastructure and applications an administrator should receive an authorization and one-time-password for just one task. At log off the authorizations are dropped. In the best case the admin group for a windows servers is empty. Only the local admin could always logon, but his password is in a safe place.

The authorization process should be implemented with strict application of the separation-of-duties principle, and the permissions should be granted with strict Application of the principle of least privilege. Important: The employees who grant authorizations and privileges should never have the possibility to grant whatever privileges to themselves.

Moreover the consistent application of the principle of least privileges even for standard users and processes will significantly reduce the attack surface of your company.

Nothing really new, just the same old story.

Glacier near by Grächen, Switzerland

Glacier near by Grächen, Switzerland

Have a good Weekend.