
8 cutting-edge technologies aimed at eliminating passwords

In the beginning was the password, and we lived with it as best we could. Now, the rise of cyber crime and the proliferation of systems and services requiring authentication have us coming up with yet another not-so-easy-to-remember phrase on a near daily basis. And is any of it making those systems and services truly secure?

One day, passwords will be a thing of the past, and a slew of technologies are being posited as possibilities for a post-password world. Some are upon us, some are on the threshold of usefulness, and some are likely little more than a wild idea, but within each of them is some hint of how we’ve barely scratched the surface of what’s possible with security and identity technology.

The smartphone

The idea: Use your smartphone to log into websites and supply credentials via NFC or SMS.

Examples: Google’s NFC-based tap-to-unlock concept employs this. Instead of typing passwords, PCs authenticate against the users’ phones via NFC.

The good: It should be as easy as it sounds. No interaction from the user is needed, except any PIN they might use to secure the phone itself.

The bad: Getting websites to play along is the hard part, since password-based logins have to be scrapped entirely for the system to be as secure as it can be. Existing credentialing systems (e.g., Facebook or Google login) could be used as a bridge: Log in with one of those services on your phone, then use the service itself to log into the site.

The smartphone, continued

The idea: Use your smartphone, in conjunction with third-party software, to log into websites or even your PC.

Examples: Ping Identity. When a user wants to log in somewhere, a one-time token is sent to their smartphone; all they need to do is tap or swipe the token to authenticate.

The good: Insanely simple in practice, and it can be combined with other smartphone-centric methods (a PIN, for instance) for added security.

The bad: Having enterprises adopt such schemes may be tough if they’re offered only as third-party products. Apple could offer such a service on iPhones if it cared enough about enterprise use; Microsoft might if its smartphone offerings had any traction. Any other takers?
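The two smartphone schemes above both boil down to the same server-side contract: a login attempt gets a fresh secret, the secret travels to the enrolled phone, and the server accepts a login only when that secret comes back from the right device, once, within a short window. The following is an added illustration of that contract, not Ping Identity's or Google's code, and everything in it is assumed: the push to the phone is simulated in-process, the device registry is constructed sample data, and the 60-second lifetime is an arbitrary choice.

```python
"""One-time login token flow (illustrative, not any vendor's protocol).

Assumed design: the server generates a random single-use token bound to a
pending login session and to the user's enrolled device, pushes it to the
phone (simulated here), and the phone approves by returning it. The server
accepts only an unexpired, unconsumed token from the matching device.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

TOKEN_TTL_SECONDS = 60  # assumed lifetime of a pushed token


@dataclass
class PendingLogin:
    username: str
    device_id: str
    token: str
    issued_at: float
    consumed: bool = False


@dataclass
class TokenServer:
    """Server side of the flow. Pending logins are keyed by browser session id."""
    # username -> enrolled device id (constructed sample data, not a real registry)
    devices: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, PendingLogin] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable so expiry can be tested

    def start_login(self, username: str) -> Tuple[str, str]:
        """Begin a login. Returns (session_id, token).

        The session id stays with the browser that asked to log in; the token
        is what gets pushed to the enrolled phone. Keeping the two separate
        means a token alone cannot be replayed into a different session.
        """
        device_id = self.devices[username]
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.pending[session_id] = PendingLogin(
            username, device_id, token, self.clock())
        return session_id, token

    def approve(self, session_id: str, device_id: str, token: str) -> bool:
        """Called when the phone taps 'approve'. True exactly once per login."""
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        fresh = self.clock() - entry.issued_at <= TOKEN_TTL_SECONDS
        # compare_digest keeps the token check constant-time
        if (not entry.consumed and fresh
                and entry.device_id == device_id
                and hmac.compare_digest(entry.token, token)):
            entry.consumed = True  # single use: a replay of the same tap fails
            return True
        return False


def phone_receives_and_taps(server: TokenServer, session_id: str,
                            device_id: str, token: str) -> bool:
    """Simulated phone side: the pushed token is shown and the user taps it."""
    return server.approve(session_id, device_id, token)


if __name__ == "__main__":
    server = TokenServer(devices={"alice": "phone-1"})
    sid, tok = server.start_login("alice")
    print("first tap accepted:", phone_receives_and_taps(server, sid, "phone-1", tok))
    print("replayed tap accepted:", phone_receives_and_taps(server, sid, "phone-1", tok))
```

The checks that matter for a defender are the three that make `approve` return False: the token is bound to the session that requested it, it is bound to the enrolled device, and it is consumed on first use, so a token observed in transit is worthless once the legitimate tap lands or the window closes.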

Biometrics

The idea: Use a fingerprint or an iris scan — or even a scan of the vein patterns in your hand — to authenticate.

Examples: They’re all but legion. Fingerprint readers are ubiquitous on business-class notebooks, and while iris scanners are less common, they’re enjoying broader deployment than they used to.

The good: Fingerprint recognition technology is widely available, cheap, well-understood, and easy for nontechnical users.

The bad: Despite all its advantages, fingerprint reading hasn’t done much to displace the use of passwords in places apart from where it’s mandated. Iris scanners aren’t foolproof, either. And privacy worries abound, something not likely to be abated once fingerprint readers become ubiquitous on phones.

The biometric smartphone

The idea: Use your smartphone, in conjunction with built-in biometric sensors, to perform authentication.

Examples: The Samsung Galaxy S5 and HTC One Max both sport fingerprint sensors, as do models of the iPhone from the 5S onwards.

The good: Multiple boons in one: smartphones and fingerprint readers are both ubiquitous and easy to leverage, and they require no end user training to be useful, save for registering one’s fingerprint.

The bad: It’s not as hard as it might seem to hack a fingerprint scanner (although it isn’t trivial). Worst of all, once a fingerprint is stolen, it’s, um, pretty hard to change it.

The digital tattoo

The idea: A flexible electronic device worn directly on the skin, like a fake tattoo, and used to perform authentication via NFC.

Examples: Motorola has released such a thing for the Moto X, at a cost of $10 for a pack of 10 tattoo stickers, with each sticker lasting around five days.

The good: In theory, it sounds great. Nothing to type, nothing to touch, (almost) nothing to carry around. The person is the password.

The bad: So far it’s a relatively costly technology ($1 a week), and it’s a toss-up as to whether people will trade typing passwords for slapping a wafer of plastic somewhere on their bodies. I don’t know about you, but even a Band-Aid starts bothering me after a few hours.


MCTS Training, MCITP Training

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com


Microsoft Patch Tuesday targets multitude of Internet Explorer faults

Untreated, Internet Explorer vulnerabilities could lead to remote code execution exploits

Microsoft is issuing critical security bulletins this Patch Tuesday that affect all versions of Internet Explorer and deal with an exploit that attackers are actively working on.

Internet Explorer 6, 7, 8, 9 and 10 are the recipients of a patch that can prevent an exploit that enables remote code execution in the browser. This affects all Windows operating systems except XP.

“We always recommend upgrading to the latest version of any software,” says Paul Henry, security and forensic analyst with Lumension, “as that’s typically the most secure. If your system is compatible with IE 10 and you’re not running it already, upgrade now.”

The vulnerabilities being addressed may include one found in IE8 running on Windows XP machines that was dealt with yesterday by a hot-fix patch issued separately to deal with a zero-day attack that was actually being exploited in the wild against U.S. government agencies, Henry says. The same vulnerabilities are rated only moderate for machines running server rather than desktop operating systems.

“The patch will include fixes for other, less critical remote code execution vulnerabilities affecting Office and Lync,” says Lamar Bailey, director of security research and development for Tripwire. “These important vulnerabilities run the gamut, impacting DoS, spoofing, elevation of privilege and information disclosure.”

A second bulletin deals with another IE vulnerability believed to be one disclosed in March at the annual Pwn2Own hacking competition. It raised some eyebrows when the problem was not dealt with on Patch Tuesday last month. “Usually Microsoft releases Pwn2Own bug fixes in April, but this year other bug fixes must have been higher priority,” says Andrew Storms, director of security operations for Tripwire.

The rest of this month’s 10 bulletins are ranked important, a step down from critical, and like the two critical ones, three others address problems that can lead to remote code execution exploits. They affect mainly Office. “The most widely installed is probably Bulletin 7, which is for Word 2003 and Word Viewer,” says Wolfgang Kandek, CTO of Qualys. “Bulletin 6 covers the Microsoft Publisher included in Office 2003, 2007 and 2010, and Bulletin 5 is for Microsoft’s instant messaging modules – Communicator 2007 and Lync 2010.”
