Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
The Scariest End-User Security Question: What Changed?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 11:03:20 AM
Re: Too optimistic about multi-factor authentication 'by force'
That might work for me if my cat cooperates!
Bob Covello
Bob Covello,
User Rank: Apprentice
1/30/2014 | 10:58:57 AM
Re: Too optimistic about multi-factor authentication 'by force'
"I tried once and forgot the password" - GASP!

One person submitted this method of never losing the password: He had the password embossed on a dog tag that was then placed on the neck of his Doberman.  How's THAT for a level of security?

 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:49:40 AM
Re: Too optimistic about multi-factor authentication 'by force'
You make a good point about the Lost / Stolen / Broken / Drowned device. As for password managers, (embarassingly painful admission) I tried one once and then forgot the password. 
Bob Covello
Bob Covello,
User Rank: Apprentice
1/30/2014 | 10:45:37 AM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

I agree in part with the statement that "everyone" has a cell phone, but in the many years that I have been working supporting those mobile devices, the Lost / Stolen / Broken / Drowned devices exceeds the number of retained devices.

No one can afford to carry two phones simply to have a backup for authentication, but for a small fee, one can register multiple Yubikey devices on the same account. 

I hope you don't mind my constant mention of the Yubikey device, but it just seems to work perfectly when coupled with the correct password manager.

Password manager??  That is a topic of another discussion ...

 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:08:15 AM
Re: Too optimistic about multi-factor authentication 'by force'
Bob, I think the ubiquitous cell-phone is perfect as a Multi-factor authentication device. Everyone has one! What's your issue with them. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:05:50 AM
Re: Too optimistic about multi-factor authentication 'by force'
So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.

Clement, I can't disagree with your argument about the ROI on security investements. It's the reason Target backed backed off its endorsement of smart cards a decade ago. But just last week Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. Will anything change? I don't know but I certainly hope so. 
Bob Covello
Bob Covello,
User Rank: Apprentice
1/29/2014 | 12:18:24 PM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

Two things are different now: First is the amazing volume of compromises that we have been witnessing.
Second: up until a few years ago, most folks did not carry a 2nd Factor authenticator with them. 
I am not a strong supporter of the cell-phone as a multi-factor device, but one cannot deny the behavioral change it has caused. I am challenged to find anyone who is without a cell-phone.
(I prefer a one-time-password generator such as the Yubico Yubikey - smaller than a cell phone and way more durable, but not in universal use YET.)
Bob Covello
Bob Covello,
User Rank: Apprentice
1/29/2014 | 11:59:26 AM
Re: Too optimistic about multi-factor authentication 'by force'
Clement:

Thanks for your thoughful response.

I am confident that the USA will soon be changing their credit card technology, as there will start to be a public outcry.  The idea that a person cannot buy something as simple as a pair of socks at Target, or a glue stick at Michael's without putting their identity at risk will begin to have an impact.  There I go being an optimist again!

For any of the readers who are not familiar with Clement, he is a MASTER at security-related information.  His tireless efforts at educating others is legendary, and his web site is an essential tool for anyone who wants to pass any InfoSec Exam.  https://www.cccure.com/cart/

I am flattered and honored to be in such good company!

 
clementdupuis
clementdupuis,
User Rank: Apprentice
1/29/2014 | 10:44:02 AM
Re: Too optimistic about multi-factor authentication 'by force'
Good day Bob,

The problem is not one of technology, the problem is one of attitude toward security.

Security should be risk based, however today in the USA it is based on  total loss versus cost of doing things right.   So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.


The use of taken based authentication tools have been used in Europe for years, I am talking more than a decade in most countries.  It is only catching up in North America.

We bitch about card theft, but yet we still dont have chip enabled cards which would greatly help in such cases.   Once again cost of card replacement versus potential losses. 

Answering your question:  What has changed?  When I look at computer security nothing has changed and it is unlikely to change quickly in the future.  History is repeating itself over and over again.  You just change the name of the company that was the victim and the reminder of the text would still apply.


Best regard

Clement

 

 
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/29/2014 | 10:32:31 AM
Re: Too optimistic about multi-factor authentication 'by force'
I think multi-factor authentication for consumers is a good idea, and mobile phones make it easier because that can serve as a second factor (the standard user-name/password is something you know, and the phone is something you have). The provider can send a text message with a code that the user can enter into a site, whether as part of the log-in or for something like requesting a password change. It's not perfect, but it's much more manageable for the consumer than having to juggle a bunch of hardware tokens or waiting for every computing device to come with a fingerprint reader.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.
CVE-2022-42308
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx_exchange registration code.
CVE-2022-42303
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. The NetBackup Primary server is vulnerable to a second-order SQL Injection attack affecting the NBFSMCLIENT service by leveraging CVE-2022-42302.
CVE-2022-42304
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. The NetBackup Primary server is vulnerable to a SQL Injection attack affecting idm, nbars, and SLP manager code.