Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/7/2014
08:10 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

3 Places to Enable 2-Factor Authentication Now

Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.

Two-factor authentication (2FA) -- using something like a security token, an authenticator app, or a code sent via SMS to your phone to supplement a password -- is hardly new. Indeed, you may already use 2FA to provide remote access to your company’s webmail, VPN, or administrative tools. Yet, despite broad availability of 2FA and an increasing awareness of the limitations of passwords, many organizations still fail to implement 2FA for securing high-value external services, such as their social media accounts, domain name registrations, and cloud/web hosting services.

There have been numerous examples in the past year of organizations’ Twitter, Facebook, and other social media accounts being hacked through stolen credentials and used for shady purposes. Given how strongly social media can represent a brand, it’s no surprise that the effects of these hijacks have ranged from embarrassment to fanning political flames to sending the stock market plummeting briefly. (The effects for the IT security people who failed to protect their accounts likely ranged from sleepless nights to termination from their jobs.)

A compromised user account was also responsible for the hijacking of domain names belonging to The New York Times and Twitter last year. A stolen domain name gives the attacker control of a business’s web traffic (i.e., its customers and prospects), its incoming email, and more. In the case of last year’s attack by the Syrian Electronic Army (SEA), the NYT was effectively offline for a time, and both Twitter and the NYT can be thankful that the SEA didn’t use the opportunity to spread malware or otherwise harm their customers.

In perhaps the most extreme case of a compromise gone awry, a company called Code Spaces was recently put out of business after losing control of its Amazon Web Services account. Once the attackers had access to the AWS account, they were able to delete all the company’s servers and data. While this may be an edge case, it’s not hard to imagine a company’s website getting deleted or a critical cloud server getting rooted due to a poorly selected or protected password.

Fortunately, all of the major social media services and many business-focused domain name registrars and hosting providers offer two-factor authentication. One objection I’ve heard from IT professionals is that they need to share access to an account, and 2FA systems are designed by nature to require a single person to have the authentication token or device. Of course, sharing accounts is a bad idea in the first place, and using it as an excuse to avoid 2FA just makes it worse. There are services that allow a company to set up multiple 2FA-protected user accounts that can all control one or more authorized social media accounts. And it’s not uncommon for registrars and hosting providers to offer multiple user logins, each protected by 2FA and each with a different level of access to the account.

If your organization’s social media, domain, or hosting account isn’t secured with 2FA today, add it to your to-do list now. And if your vendor doesn’t offer the security features you need, it’s time to find a new vendor.

Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HAnatomi
50%
50%
HAnatomi,
User Rank: Apprentice
8/9/2014 | 2:33:31 AM
2 is not always stronger than 1 in the real world
2 is larger than 1 on paper but in the real world two weak boys may well be far weaker than one toughened guy.  A truly reliable 2-factor solution requires the use of the most reliable password.

Being a strong password helps a lot against the attack of getting the stolen hashed passwords back to the original passwords.  The problem is that few of us can firmly remember many such strong passwords.

At the root of the password problem is the cognitive phenomena called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average.  What worries us is not the password, but the textual password.  The textual memory is only a small part of what we remember.  We could think of making use of the larger part of our memory that is less subject to interference of memory.  More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...