Endpoint // Authentication
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/7/2014
08:10 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

3 Places to Enable 2-Factor Authentication Now

Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.

Two-factor authentication (2FA) -- using something like a security token, an authenticator app, or a code sent via SMS to your phone to supplement a password -- is hardly new. Indeed, you may already use 2FA to provide remote access to your company’s webmail, VPN, or administrative tools. Yet, despite broad availability of 2FA and an increasing awareness of the limitations of passwords, many organizations still fail to implement 2FA for securing high-value external services, such as their social media accounts, domain name registrations, and cloud/web hosting services.

There have been numerous examples in the past year of organizations’ Twitter, Facebook, and other social media accounts being hacked through stolen credentials and used for shady purposes. Given how strongly social media can represent a brand, it’s no surprise that the effects of these hijacks have ranged from embarrassment to fanning political flames to sending the stock market plummeting briefly. (The effects for the IT security people who failed to protect their accounts likely ranged from sleepless nights to termination from their jobs.)

A compromised user account was also responsible for the hijacking of domain names belonging to The New York Times and Twitter last year. A stolen domain name gives the attacker control of a business’s web traffic (i.e., its customers and prospects), its incoming email, and more. In the case of last year’s attack by the Syrian Electronic Army (SEA), the NYT was effectively offline for a time, and both Twitter and the NYT can be thankful that the SEA didn’t use the opportunity to spread malware or otherwise harm their customers.

In perhaps the most extreme case of a compromise gone awry, a company called Code Spaces was recently put out of business after losing control of its Amazon Web Services account. Once the attackers had access to the AWS account, they were able to delete all the company’s servers and data. While this may be an edge case, it’s not hard to imagine a company’s website getting deleted or a critical cloud server getting rooted due to a poorly selected or protected password.

Fortunately, all of the major social media services and many business-focused domain name registrars and hosting providers offer two-factor authentication. One objection I’ve heard from IT professionals is that they need to share access to an account, and 2FA systems are designed by nature to require a single person to have the authentication token or device. Of course, sharing accounts is a bad idea in the first place, and using it as an excuse to avoid 2FA just makes it worse. There are services that allow a company to set up multiple 2FA-protected user accounts that can all control one or more authorized social media accounts. And it’s not uncommon for registrars and hosting providers to offer multiple user logins, each protected by 2FA and each with a different level of access to the account.

If your organization’s social media, domain, or hosting account isn’t secured with 2FA today, add it to your to-do list now. And if your vendor doesn’t offer the security features you need, it’s time to find a new vendor.

Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HAnatomi
50%
50%
HAnatomi,
User Rank: Apprentice
8/9/2014 | 2:33:31 AM
2 is not always stronger than 1 in the real world
2 is larger than 1 on paper but in the real world two weak boys may well be far weaker than one toughened guy.  A truly reliable 2-factor solution requires the use of the most reliable password.

Being a strong password helps a lot against the attack of getting the stolen hashed passwords back to the original passwords.  The problem is that few of us can firmly remember many such strong passwords.

At the root of the password problem is the cognitive phenomena called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average.  What worries us is not the password, but the textual password.  The textual memory is only a small part of what we remember.  We could think of making use of the larger part of our memory that is less subject to interference of memory.  More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2012-2588
Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

CVE-2012-6659
Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-3614
Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio