Risk
10/9/2012
11:21 AM
Connect Directly
RSS
E-Mail
50%
50%

RSA Launches Database Breach Prevention Tool

Distributed Credential Protection randomizes, scrambles, and splits passwords between two servers to help block criminals or hacktivists from stealing username and password databases.

EMC's RSA security division Tuesday announced the forthcoming release of Distributed Credential Protection security software, which is designed to run on virtual appliances and secure stored passwords by scrambling and then splitting them between two different servers. The product is meant to help prevent the types of username and password breaches that have plagued organizations such as LinkedIn, eHarmony, and Zappos

"Over the past few months, there have been so many smash-and-grab server attacks, versus identity attacks on the front end, and this is really targeting the smash-and-grab attacks," said Rachael Stocktton, senior manager of data protection product marketing for RSA, speaking by phone. She said the product will be available for purchase by the end of 2012.

Distributed Credential Protection involves a software agent that gets installed on a virtual appliance running on a server. Two different servers are required, and the software scrambles, randomizes, and then splits stored passwords between the two different servers. Both servers can be running in an onsite data center, in a separate data center, in the cloud, or in some combination thereof. According to Stocktton, "it's a customer's choice about ... how they want to deploy it," and from a responsiveness standpoint, "it's about the same level of performance that you get from an SSL connection."

But businesses that purchase the RSA product won't get to select which hashing algorithm they'd like to use. "We have not designed the product with a selection of algorithms," said Damon Hopley, senior manager of data protection product management, speaking by phone. "We do a fair amount of cryptography work--as you know--at RSA, and we think we've picked a fairly good approach."

[ NIST has been looking for the next-generation cryptographic standard. Learn more: SHA-3 Secure Hash Algorithm: New Face Of Crypto. ]

Arguably, taking these password-security configuration choices out of the hands of users is essential for helping businesses keep their stored passwords secure. According to Enterprise Management Associates managing research director Scott Crawford, the trouble with password security is that too often, IT or information security departments fail to implement encryption correctly or to make it strong enough. "Recent, high-profile breaches have highlighted the inadequacies of some implementations of credential protection techniques such as hashing and salting," he said in a statement.

How does RSA's new password security tool secure passwords? Hopley said the tool employs "XoR blind compares, strong random number generators, and elliptic curve Diffie-Hellman to arrive at answers." Using blind compares means that the software never reconstructs a stored password--or "secret," because that would create a potential security point of failure that an attacker could target. Instead, it verifies the passwords while leaving them encrypted.

"By doing XoR, you end up with two differing random numbers that set up a mathematical equation where, as long as the secret you used to register is what you attempt to log in with, both servers will end up with answers that are identical," Hopley said. "So we're never reconstructing the secret. We just arrive at an answer."

From a defense standpoint, regularly changing seeds--random numbers--are used to scramble the stored data, and the seeds change in sync between the two servers. As a result, any attacker who wants to steal passwords from a password database that's running Distributed Credential Protection would have to steal the data from both password servers at the exact same moment.

Hopley emphasized, however, that businesses must look to more than just the password-database security tool when planning a password security program. "It's one of a number of layers that people will need to put in place," he said. "Defense in depth is an ongoing necessity in security."

But at the same time, he said, CIOs now acknowledge that server compromises are a "when, not if" proposition. "A few years ago, you could walk into a customer and say 'server compromise is a fact of life,' and some would agree with you," he said. "But in the past few years, it's changed to the point where everyone will agree with you."

Accordingly, when attackers do make it to a password database, "how do you make it a recoverable event?" said Hopley. "And that's where this technology comes in."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

CVE-2014-3543
Published: 2014-07-29
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity referenc...

CVE-2014-3544
Published: 2014-07-29
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

CVE-2014-3545
Published: 2014-07-29
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.