Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Tuesday, 31 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Knowledge is power to the hacker

by The Gurus
May 29, 2015
in Opinions & Analysis
Share on FacebookShare on Twitter

High profile security breaches are constantly in the news, due to the world’s biggest companies facing new and emerging threats on a daily basis. Brands like Apple and Starbucks are struggling to protect their customers as they build an online profile of their lives. According to Ofcom, 70% of UK internet users are happy to give away their details* which is drip feeding hackers with the power to make seismic security breaches.
Knowledge is power to the hacker – every day they are being equipped for their next attack, as users are trusting organisations with their personal information online.
One of the biggest threats is hackers exploiting how major internet browsers cache login credentials and simply assume it is the same person accessing their pages over and over again. If a business leaves its systems as open as this, a successful attack will lead to dire consequences.
When an individual user logs in to an account on a web browser, such as Internet Explorer or Google Chrome, they will be asked if they want their credentials remembered via a tick box. A pop-up will then appear asking the user to confirm this decision. If the user confirms, the browser will cache the credentials and use them every time the user returns to that account.
Google has gone a step further, allowing users to save their entire Chrome history and their bookmarks to the cloud, providing access from any computer or tablet when they sign in. This flexibility has sacrificed security, and a range of accounts or systems could be left vulnerable to attack. A hacker could be presented with relatively easy access to bank accounts, private online documents, or a secure corporate network through a VPN.
While this is a risk consumers are willing to take in return for simplicity and convenience, it should never be contemplated by businesses as it would risk their reputation and heavy fines for not protecting their systems.
By allowing browsers to cache credentials, users are left with their personal information being not only known by the system the user is trying to login to but also by the browser which processes the login request. It is like a butler owning a set of keys to the master’s safe. It is another person a burglar can exploit to open the safe when the user is absent.
The same principle can be applied to a range of security systems and this knowledge is power to hackers, as successful attacks have the potential to fully compromise companies.
What would happen if a security system had zero knowledge of the login credentials? Hackers are capable of the most complicated attacks without any help, so it is now time to stop giving them the code to the safe once they have broken in through the front door.
Two-factor authentication (2FA) ensures these credentials cannot work alone to access important information; however, getting this technology wrong is not worth contemplating.
Deployed and used correctly two factor authentication is the layer needed to protect ones digital identity. However, despite 2FA adding this protection, users can be left with a false sense of security as some systems they are logging in to request their credentials – only the first time of use.  The user only needs to fully authenticate once and they can come back to the system day after day with instant access. For example, an online retailer will ask customers to use 2FA to confirm their purchase but then allow them to return the next time to purchase more goods without asking for log in credentials.
While private users who find 2FA inconvenient may deem this to be safe, it is essential for the more security conscious to ensure credentials are physically entered every time a user logs in. Certainly for anyone who has been compromised before, this added protection is absolutely no issue compared to the travesty when your identity has been compromised.
In 2011 RSA Security had to replace 40 million of its SecurID tokens – nearly every one in existence at the time – after hackers attacked contractor Lockheed Martin. Users logged in with a username and password, with a random number on their token as the second factor to authenticate. This number changed every 30 to 60 seconds, controlled by an RSA algorithm. The hackers attained this algorithm, making the tokens worthless, and putting the entire system in jeopardy.
Automatically separating the records is a secure solution to such a breach. This is where one part is created locally on the customer’s server, while the second is generated using specific characteristics of the mobile device that make it unique, e.g. information about the SIM card, the CPU or equivalent. When the app generates a passcode, the end device decrypts the first half of the seed record and derives the second half accordingly. Since one part of the two seed record parts is never located on the employee’s mobile device, the security software excludes the possibility that attacking malware can steal this seed record. Since the seed record is derived in part from the phone’s own hardware fingerprint at time of enrolling, the security system clearly can’t have a copy of the seed.
The latest 2FA technology is built upon this ‘zero knowledge’ foundation. This means neither the user, nor the platform they are trying to access knows all of the information. Nor indeed does the information security company called in to protect that data. Splitting the seed record means no party has a 360 degree view of the credentials.
As the need for more online security increases, so does the user’s willingness to provide personal and important information. Sharing this knowledge has led to hackers learning more information than ever before, allowing them to capitalise on previously trusted systems. To ensure security, firms need to embrace solutions that remove this knowledge, and rendering the hacker powerless.
 
Steve Watts, co-founder of SecurEnvoy

FacebookTweetLinkedIn
Tags: CyberCyber Securitydatadata breachHackersinformation securitySecurEnvoy
ShareTweetShare
Previous Post

This Facebook Hack Allows You to Track Your Friends On Map

Next Post

451 Research Predicts Total Data Market to Hit $115 Billion by 2019

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information