SMBs Need 2FA Also

I’m sure you’ve heard about the numerous cyber attacks on big businesses like Target, Chase Bank, Equifax, and Sony, and other large organizations like the U.S. Government.  These are big enterprises that have the resources to make their systems as secure as possible, yet they still can’t stop hackers from taking advantage.

Small- and medium-sized businesses get less media attention but they are also targets of these attacks.  Most have insufficient security and the results of a cyber attack can be devastating.

Consider this: In 2011, small business hacks represented fewer than 20 percent of all attacks; nowadays the number is close to 50 percent.

While large companies make the headlines, the reality is one-in-three documented data breaches occur in smaller businesses. And the aftermath is often grim. About 60 percent of small businesses close their doors within six months following a cyberattack, according to Brian Kearney, chief underwriting officer for Travelers Small Commercial Accounts.

Smaller businesses obviously can’t match what their large enterprise counterparts are able to spend on cybersecurity. Still, there are ways to compensate for any budgetary limitations and put in place a comprehensive defense before cybercriminals target you. (source)

SMBs need to be vigilant and face the fact that cybersecurity isn’t just for big businesses.  Resources and budgets may not be the same, but there are other ways smaller companies can implement strong security measures.

One of the simplest methods is to implement a robust two-factor authentication system like GreenRADIUS.  Smaller companies don’t need to be overwhelmed with cybersecurity – GreenRADIUS is easy to use for both users and admins.  It is also easy to deploy and even easier to maintain.  Contact us today to learn more.


Standards for Complex Passwords, Now Useless?

There are a lot of ways to create “complex” passwords – use different passwords for different accounts, do not use names and special dates, use a combination of letters, numbers and characters, etc. Having a complex password increases password strength, but is it enough to keep your accounts secure?

Bill Burr, the person credited with inventing these password standards, now admits that they’re basically useless.

In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the “NIST Special Publication 800-63. Appendix A.” This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers—those are all because of Bill.

The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.

“Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” (source)

There are various methods hackers use to steal passwords, and their tactics are getting more and more sophisticated every day. There are phishing pages, mass theft, keyloggers, brute-force attacks, and the list goes on. A complex password may take longer to crack, but in the end, a strong password is not enough.

To keep your accounts safe, use a second layer of security like two-factor authentication (2FA). With 2FA, users log in with a username, password, and a second factor to validate their login, like a security token or a phone authentication app.

Our 2FA solution, GreenRADIUS, is an easy-to-use, on-premises solution that is safe and simple for IT staff and end users. Because it is a self-contained virtual appliance, deployment is convenient and maintenance is easy.  With a strong 2FA solution like GreenRADIUS, businesses can overcome the weaknesses of password-only logins.

UK Parliament Hit By Cyber Attack

Late last week, the UK Parliament was under a “sustained” cyber attack.  Of course, the hackers were exploiting a known weakness common to many organizations — single-factor authentication which relies solely on passwords.

The parliamentary authorities said hackers had mounted a “determined attack” on all user accounts “in an attempt to identify weak passwords”.

A parliamentary spokeswoman said they were investigating the attack and liaising with the National Cyber Security Centre.

She said: “We have discovered unauthorised attempts to access accounts of parliamentary networks users…

“Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network.

“As a precaution we have temporarily restricted remote access to the network.”

International Trade Secretary Liam Fox said: “We have seen reports in the last few days of even Cabinet ministers’ passwords being for sale online.

“And it’s a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber security.” (source)

Whether your organization is an enterprise, SMB, not-for-profit, or government agency, you and your accounts are cyber targets.  With a robust two-factor authentication solution like GreenRADIUS, you can add a strong security layer to your organization that is easy for both users and administrators.  Contact us to learn more.

The Most Popular (and Worst) Passwords

A recent study of five million leaked passwords from enterprises in 2016 revealed the most popular ones among users.

Tops on the list was “123456,” which makes up about 4% of the sample set, followed closely by “password.”  In its entirety, the list shows that users continue to favor simplicity and convenience over security of their accounts. (source)

It’s hard to imagine that 4% (!) of users have that one password.  But, as we’ve mentioned before, users tend to be the weakest link when it comes to the security of an organization.

Other passwords that made the list:

  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess

With two-factor authentication and a robust solution like GreenRADIUS, the problem of weak passwords is virtually eliminated.  One-time passwords with YubiKeys or Google Authenticator along with GreenRADIUS keep sensitive networks, records, and data secure, even if user passwords are hacked or leaked.  For users and admins alike, GreenRADIUS is both simple and convenient while maintaining a strong security layer for networks, servers, websites, and more.  Contact us today to learn how GreenRADIUS can keep your organization secure.

Cloudbleed – More Bad News For Using Passwords Alone

A new internet security vulnerability was announced last week, and it is “a scary big deal”.  Cloudbleed, the name given to this vulnerability, has led to a potentially widespread leak of passwords and other data all over the internet.  And, while announced just last week, the leak could have started as early as September 2016.  Websites that use Cloudflare are affected, and they number in the thousands, including Uber, Fitbit, and others.

In plain English, Cloudflare’s software tried to save user data in the right place. That place got full. So Cloudflare’s software ended up storing that data elsewhere, like on a completely different website. Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it. (source)

In this case, no matter how complex the passwords were, they are vulnerable.  And as usual, two-factor authentication (2FA) is recommended.

As we’ve argued in the past, you might as well enable two-factor authentication on everything, too, since it’s your best first defense against hackers. (source)

Implementing 2FA within your organization does not have to be difficult.  In fact, with GreenRADIUS, implementation can take as little as 15-30 minutes.  And our customers find it easy to manage and easy to use for both admins and users.  Contact us today to learn more.

Phishing Scheme Allows Access to Los Angeles County Confidential Records

Last month, charges were filed against a hacker who used a phishing scheme in May 2016 to potentially access over 750,000 confidential health and personal records in Los Angeles County.  As this incident shows, phishing emails are still incredibly successful and have a high rate of employees falling for this type of cyberattack.

The May 13 attack targeted 1,000 county employees from several departments with a phishing email.  The message tricked 108 employees into providing usernames and passwords to their accounts, some of which contained confidential patient or client information, officials said.  (source, emphasis mine)

Over 10% (ten percent!) of employees provided their usernames and passwords(!) to their accounts.  That is an astonishing rate, and should be a warning to security professionals everywhere.  Users are generally the weakest link in the security world, and unfortunately, Los Angeles County became another victim.

Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.

In response to the attack, officials said they have strengthened security measures on county email accounts and enhanced employee training to guard against a growing number of cyber intrusions.

Sadly, the “enhanced employee training” may not be enough.  Even if only one percent of employees provided their credentials, that is usually more than enough for a cybercriminal to do damage: damage to the individuals whose records were accessed and damage to the reputation of the organization, among other things.

With two-factor authentication deployed organization-wide, however, phishing schemes virtually cease to be a threat.  Even if an employee provides a username and password, cybercriminals will not have access to the user’s second factor, such as a YubiKey or Google Authenticator (both of which are supported by GreenRADIUS, our two-factor authentication solution).  And generally, once cybercriminals become aware that two-factor authentication is in place, they will move on to an easier target that does not have 2FA.

With a robust solution like GreenRADIUS, businesses and organizations can implement an affordable, easy-to-deploy, and easy-to-manage two-factor authentication security layer.  Contact us to learn more.

GreenRADIUS enhancements for 2017? It’s up to you!

2016 has been an exciting year for GreenRADIUS.  Apart from security-related updates and bug fixes, your feedback has been the basis of over 50 new features and improvements to GreenRADIUS during the year!

The top 3 new features added to GreenRADIUS in 2016:

  • SAML 2.0 Enterprise 2FA Single Sign-On (SSO) to cloud services such as Salesforce, G Suite and Office 365
  • 2FA over the LDAP authentication protocol (in addition to using RADIUS)
  • 2FA support for 802.1x authentication (for NAC and WiFi)

Want to see more?  Click here for my previous post.

We have some exciting announcements coming soon.  However, what else comes in 2017 is really based on your input.  For example, based on your feedback, in 2016 we added logs for all admin events.  Now we are in the process of collecting logs from all of the different modules into syslog so that we can support SIEM central logging requirements.  We will also add archiving and log aging.

Please let us know what you need next from us.

  • Would you like to see 2FA support for a pure Microsoft RDS solution or a more general 2FA enabled gateway/remote access service that can support multiple environments?
  • What would you like to see in a cloud service version of GreenRADIUS?
  • Do you need support for Azure AD or G Suite Directory Services?
  • How would you like GreenRADIUS to work in a hybrid cloud environment such as with Azure AD?
  • With SAML 2.0 added, do you also need OAuth support?
  • Is there something else that you would like to see from us?

Please provide feedback by using our contact form or simply email us at info@greenrocketsecurity.com.  Those that provide input and suggestions by January 31, 2017 will have a chance to win 10 YubiKey 4s!

Thanks!

Top 10 New GreenRADIUS Features and Improvements in 2016

It was a busy but successful 2016 for us!  The new GreenRADIUS features and improvements listed below were almost all based on customer feedback and requirements.  So we would love to hear from you, whether you are already a customer or are looking to add two-factor authentication to your security infrastructure.

  1. SAML 2.0 Enterprise single-sign-on (SSO) to cloud services such as Salesforce, G Suite, and Office 365
  2. 2FA over the LDAP authentication protocol
  3. 2FA support for 802.1x authentication (NAC and WiFi)
  4. User portal for self-service registration of mobile tokens and, if needed, allowing self-resync of OATH HOTP/TOTP tokens
  5. On-board OpenLDAP server replication
  6. Option to prompt for OTP instead of having to append OTP to password
  7. Certificate management through the GreenRADIUS console
  8. View and filter audit logs and new filtering options in reports
  9. Management of on-board firewall through the GreenRADIUS console
  10. Diagnostics capabilities

Password Guessing Is Becoming Easier And Easier

With all of the leaked passwords that have been made available recently (passwords from services such as Yahoo and LinkedIn), cyber-criminals have access to vast data sets of passwords that make it easier to crack passwords in general.

Security researchers in the UK and China published a paper last month detailing a system for targeted password guessing that is highly effective, and they claim that the threat is “significantly underestimated”.

Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes.

Using a targeted password-guessing framework named TarGuess, the researchers achieved success rates as high as 73 per cent with just 100 guesses against typical users, and as high as 32 per cent against security-savvy users. (source, emphasis mine)

As has been noted previously here and here, passwords alone are not enough to protect sensitive networks and data.  This new study simply underscores this fact.

By implementing a robust two-factor authentication solution, such as GreenRADIUS, organizations can add a strong security layer that virtually eliminates password vulnerabilities.  GreenRADIUS is easy to deploy and simple to maintain.  Contact us to learn more.

Even 16-character “random” passwords are vulnerable

I recently came across an interesting article that describes how a group of hackers approached a challenge by Ars Technica to crack 90% of 16,499 hashed static passwords in an amazingly short time!

Though I definitely knew about most of the techniques used in the challenge (the article is from 2013), what surprised me was that even seemingly long (16-character) passwords built from very random patterns could be cracked in as little as hours, and that was already the case a few years ago.  This makes it even scarier today, when faster and cheaper systems can be used to mimic what was used in the challenge.  The conclusion to draw from this is that long, complex passwords alone do NOT protect you.

Only static passwords combined with OTPs (One-Time Passwords), i.e. two-factor authentication (2FA), stand up to the challenge of keeping your login secure.

The challenge also shows that the claim touted by password manager applications, that a long, complex password launched from the password manager app solves the problem, is completely inadequate today.  They really need to be updated to use 2FA to protect internet-reachable assets going forward.

The following list summarizes, drawing on the information in the article, why 2FA is needed to protect logins:

  • Even seemingly random 16-char passwords can be broken in a matter of hours with cheap hardware
  • Wordlists and large lists of hacked passwords give even the unsophisticated hacker a base to crack from
  • Salted hashes make it significantly more difficult to crack, but it is just a matter of time to crack even with salt
  • Analytics applied to the most common way people build passwords (a capital at the start, lowercase in the middle, and symbols and numbers at the end) helped make cracking faster
  • 2FA does not lend itself to the attacks described in the article because hackers cannot use brute force or precalculated lists to attack
  • With 2FA, even seemingly weak first-factors (i.e. passwords) become secure when combined with an OTP (One-Time Password)
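Two items in the list above, the value of salted hashes and the base that wordlists and leaked password lists give an attacker, are easy to see in code. The following is an added example, not from the Ars Technica article and not GreenRADIUS code: the weak storage form (a fast, unsalted SHA-1 that one precomputed table matches for every user) beside the hardened form (a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation, stored with its parameters). The sample wordlist is the popular-password list from earlier on this page; the 600,000 iteration count is the current OWASP guidance for PBKDF2-HMAC-SHA256 and is an assumption of this example, not a figure from the page.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample input: the popular leaked passwords listed earlier on this page.
COMMON_PASSWORDS = ["123456", "password", "12345", "12345678", "football",
                    "qwerty", "1234567890", "1234567", "princess"]

# Assumed work factor: OWASP's current guidance for PBKDF2-HMAC-SHA256 (not from the page).
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak 'before': a fast, unsalted hash. Identical passwords give identical
    hashes for every user, so one precomputed table covers an entire leaked dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """hash -> word for a wordlist, built once and reusable against any unsalted dump.
    This is the 'base to crack from' that leaked password lists provide."""
    return {unsalted_sha1(w): w for w in words}


def recover_unsalted(stored: str, table: dict):
    """A single dictionary lookup recovers any unsalted hash that is in the table."""
    return table.get(stored)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def store_salted(password: str, iterations: int = PBKDF2_ITERATIONS, salt=None) -> str:
    """The hardened 'after': a fresh 16-byte random salt per record plus a slow KDF.
    The record carries algorithm, iteration count and salt so it can be verified later."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the record's own salt and iteration count; constant-time compare."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted 'football' recovered:", recover_unsalted(unsalted_sha1("football"), table))
    a, b = store_salted("password"), store_salted("password")
    print("same password, distinct records:", a != b)
    print("both still verify:", verify_salted("password", a) and verify_salted("password", b))
```

With per-record salts the table from `precomputed_table` would have to be rebuilt for every stored record, and the iteration count makes each of those rebuilds slow; that is the "matter of time" in the list above, stretched from seconds to something an attacker has to budget for. Salting does not change what a single weak password is worth to someone who guesses it directly, which is why the page's conclusion about a second factor still stands.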

2FA saves the day once again!