Media outlets are today reporting that the leaked NSA report shows 2-factor authentication has a critical weakness: you (the Mashable story). IT security experts from Balabit, Cyphort, STEALTHbits Technologies, VASCO Data Security and Imperva commented below.
Csaba Krasznay, PhD, Product Evangelist at Balabit:
“As we know, passwords are dead, but it seems that e-mails should be retired as well. The teenage generation knows something, as they rarely use e-mail. Instead, instant messaging, e.g. Snapchat or Facebook Messenger, has already replaced the “old way” of messaging. We can see the same trends in tech companies where Slack is preferred, or in the security community, where encrypted clients, e.g. Signal, are widely used. The reason behind that is that we can build trust much more easily through those channels. However, that attack is quite annoying as it hurts one of the major principles of cybersecurity: use at least two factors of authentication on an independent channel. Such man-in-the-middle attacks can be easily identified if the user knows at least the basics of security awareness. What is the consequence? The security community should work on more user-proof authentication technologies.”
Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort:
“Multi-factor authentication raises the security bar significantly from using only a password and should always be enabled by default.
However, it will only work if you do not give away your 2-factor authentication code to attackers through phishing.
When I worked at Facebook and fought the Koobface malware gang, I noticed them using a similar attack pattern. Whenever possible, attackers rely on human weakness and social engineering, the lowest-hanging fruit, rather than hacking the technology. When Facebook put up CAPTCHAs to make it harder for the Koobface worm to propagate, attackers simply relayed those CAPTCHAs to already infected users, locking their machine until victims resolved them.
Good security should combine something you know, something you have and something you are, and you must guard all those 3 pieces closely and try not to give them away to an unauthorized party. No matter how hard you try, though, a breach can rarely be prevented if the attacker is sophisticated and motivated enough, so always be prepared for breach recovery – back up data often and invest in incident response.”
Jonathan Sander, CTO at STEALTHbits Technologies:
David Vergara, Head of Global Product Marketing at VASCO Data Security:
Morgan Gerhart, Vice President at Imperva:
“Negligent insiders jeopardise sensitive data by innocent mistakes or bad practices. These usually boil down to misconfigured servers (e.g., use of default or weak passwords), backups or test servers that contain sensitive information but are not protected like production servers, or simply taking your work home – for example saving corporate data on personal devices or cloud services.
Last, but not least, is the “classic” compromised insider, where hackers compromise insiders that have internal access to the network and assets (file servers, databases, applications, etc.). Once an attacker has access to internal resources, it’s only a matter of time before he gains access to sensitive data. It is unfortunate, but most organisations focus on securing their borders. The main problem with this is that there are no real borders to secure.
Another previous example of an insider attack would be the Wikileaks affair which involved Bradley Manning, an army private and U.S. intelligence analyst with Top Secret security clearance. Private Manning had “access to an unprecedented amount of material” and was convicted of leaking 251,287 classified cables. The files were stolen over time. One time Private Manning bragged to a friend saying he would “come in with music on a CD-RW labelled with something like ‘Lady Gaga’ … erase the music … then write a compressed split file. No one suspected a thing.” He said that he had “unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months.”
Careless insiders are the most common of all but are, by far, not the most concerning ones. Misconfigured access control systems and misplaced data dumps are by far more dangerous, less common and much more difficult to recover from.
To mitigate the risk, corporations should ask themselves where their sensitive data lies, and invest in solutions that directly monitor who accesses it and how. According to reports, the leaker was identified because of strong audit trails of who accessed what. They can invest in solutions that help them pinpoint critical anomalies that indicate misuse of enterprise data stored in databases, file servers and cloud apps and that also help them to quickly quarantine risky users in order to proactively prevent and contain data breaches. This approach works across careless, compromised and malicious insiders.”
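One way to act on the audit-trail advice above, as an added example that is not part of any expert's comment: a script that flags a user whose sensitive-data access on a day far exceeds their own earlier daily baseline, and counts how much of it fell outside assumed office hours. The log format, users, paths and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit trail (not from the page): timestamp,user,resource,classification,action
AUDIT_LOG = """\
2017-06-05T09:12:00,alice,/share/hr/payroll.xlsx,sensitive,read
2017-06-05T11:05:00,bob,/db/cables,sensitive,export
2017-06-06T09:40:00,alice,/share/hr/payroll.xlsx,sensitive,read
2017-06-06T14:10:00,bob,/db/cables,sensitive,export
2017-06-07T09:00:00,alice,/share/hr/payroll.xlsx,sensitive,read
2017-06-07T22:15:00,bob,/db/cables,sensitive,export
2017-06-07T22:20:00,bob,/db/cables,sensitive,export
2017-06-07T22:25:00,bob,/db/cables,sensitive,export
2017-06-07T23:05:00,bob,/db/cables,sensitive,export
"""
BUSINESS_HOURS = range(8, 19)  # assumed office hours, 08:00-18:59

def parse_log(text):
    """Return a list of (datetime, user, resource, classification, action)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, resource, cls, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, resource, cls, action))
    return events

def find_anomalies(events, spike_factor=3.0, min_events=3):
    """Flag users whose sensitive-data access on their latest day is far above their
    own earlier daily baseline; also count how many of those accesses were off-hours."""
    daily = defaultdict(lambda: defaultdict(list))  # user -> date -> [hour, ...]
    for ts, user, _res, cls, _act in events:
        if cls == "sensitive":
            daily[user][ts.date()].append(ts.hour)
    findings = []
    for user, days in daily.items():
        dates = sorted(days)
        if len(dates) < 2:
            continue  # no earlier days: nothing to compare against
        latest, earlier = dates[-1], dates[:-1]
        baseline = median(len(days[d]) for d in earlier)
        today = days[latest]
        if len(today) >= min_events and len(today) > spike_factor * max(baseline, 1):
            findings.append({"user": user, "date": latest.isoformat(), "count": len(today),
                             "baseline": baseline,
                             "off_hours": sum(h not in BUSINESS_HOURS for h in today)})
    return findings
```

Running `find_anomalies(parse_log(AUDIT_LOG))` on the constructed log flags only bob, whose four late-night exports on the last day exceed his one-per-day baseline.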
http://www.informationsecuritybuzz.com/expert-comments/nsa-leaked-report-points-users-2fas-critical-flaw/