Knowledge-Based Authentication for the Internet User

If you shop or bank online, you have probably noticed an additional security layer beyond your username and password. I’m referring to the extra security questions that ask for your older sibling’s middle name, the name of your first love or even your favorite make of car. This additional layer of security is called Knowledge-Based Authentication.

The idea behind this form of authentication is that the questions are so obscure that no one except you should know the answers. Unfortunately, the answers to some questions, such as your mother’s maiden name, your favorite movie or your younger brother’s favorite color, can be found through online research. That research can draw on genealogy websites, search engines and even social networking communities. As we make ourselves visible to the whole world at social networking communities, we provide a basic picture of our personality, likes, dislikes, aptitudes, limitations and strengths. If a malicious hacker targets us as an individual, odd bits of information put together can give them enough to try possibilities until one is accepted. This is the reason no one should post personal information that can be pieced together to identify your name, location or phone number.

Criminals can also get your information through keystroke loggers and spyware. Installing, updating and using anti-virus and anti-spyware software are essential protection whenever a computer is connected to the internet.

Getting duped by a phishing scam can hand the phisher your logon credentials, including your personal answers, when you unknowingly respond and enter your information on the phisher’s web pages. Phishers are getting more sophisticated in their duplication of websites and try to imitate the interfaces of high-traffic websites as accurately as they can, so they may also reproduce the second logon page that asks for your answers to security questions.

As internet users, we can help protect our information online by making it as tough as possible for malicious hackers, and for anyone who knows us, to access personal information without permission. Knowledge-based authentication exists to confirm that you are the same person who originally registered and not an imposter who happens to have your username and password. Banks need personal identification such as mother’s maiden name, driver’s license number, proof of address or social security number when opening an account to verify that you are really you and not an imposter. But they don’t need truthful answers to the security questions. The security questions at their website exist only so their network can tell you apart from an imposter. Use common everyday words for answers to security-authentication questions, such as table, chair, word, or correct. Just be sure of two things: the answer makes no logical sense in response to the question, and you use different answers to the same question at different websites, just as you do with username/password combinations at different websites. Now, if someone tries to guess the answers, they won’t be able to. Who would think that my older brother’s middle name is chair?


Cyberattack on Google Said to Hit Password System

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting on the company’s Web site, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights advocates in China.

The accusations became a significant source of tension between the United States and China, leading Secretary of State Hillary Rodham Clinton to urge China to conduct a “transparent” inquiry into the attack. In March, after difficult discussions with the Chinese government, Google said it would move its mainland Chinese-language Web site and begin rerouting search queries to its Hong Kong-based site.

Company executives on Monday declined to comment about the new details of the case, saying they had dealt with the security issues raised by the theft of the company’s intellectual property in their initial statement in January.

Google executives have also said privately that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks.

Google continues to use the Gaia system, now known as Single Sign-On. Hours after announcing the intrusions, Google said it would activate a new layer of encryption for Gmail service. The company also tightened the security of its data centers and further secured the communications links between its services and the computers of its users.

Several technical experts said that because Google had quickly learned of the theft of the software, it was unclear what the consequences of the theft had been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan horse — a secret back door — into the Gaia program and install it in dozens of Google’s global data centers to establish clandestine entry points. But the independent security specialists emphasized that such an undertaking would have been remarkably difficult, particularly because Google’s security specialists had been alerted to the theft of the program.

However, having access to the original programmer’s instructions, or source code, could also provide technically skilled hackers with knowledge about subtle security vulnerabilities in the Gaia code that may have eluded Google’s engineers.

“If you can get to the software repository where the bugs are housed before they are patched, that’s the pot of gold at the end of the rainbow,” said George Kurtz, chief technology officer for McAfee Inc., a software security company that was one of the companies that analyzed the illicit software used in the intrusions at Google and at other companies last year.

Rodney Joffe, a vice president at Neustar, a developer of Internet infrastructure services, said, “It’s obviously a real issue if you can understand how the system works.” Understanding the algorithms on which the software is based might be of great value to an attacker looking for weak points in the system, he said.

When Google first announced the thefts, the company said it had evidence that the intrusions had come from China. The attacks have been traced to computers at two campuses in China, but investigators acknowledge that the true origin may have been concealed, a quintessential problem of cyberattacks.

Several people involved in the investigation of break-ins at more than two dozen other technology firms said that while there were similarities between the attacks on the companies, there were also significant differences, like the use of different types of software in intrusions. At one high-profile Silicon Valley company, investigators found evidence of intrusions going back more than two years, according to the person involved in Google’s inquiry.

In Google’s case, the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored.

They then transferred the stolen software to computers owned by Rackspace, a Texas company that offers Web-hosting services, which had no knowledge of the transaction. It is not known where the software was sent from there. The intruders had access to an internal Google corporate directory known as Moma, which holds information about the work activities of each Google employee, and they may have used it to find specific employees.

Lessons from Twitter's security breach

Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides.

In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.

The aftermath of the hack, which took place in May, is only now becoming apparent. Documents that a hacker by the alias of Hacker Croll recovered from Goldman's account and others (including Twitter co-founder Evan Williams) could be a treasure trove of inside information about the company and its plans.

While Croll was planning to release the entire batch publicly (and at once), tech blog TechCrunch posted news late Tuesday that it had received them and was considering posting the details of at least some of them.

Although it seems that Twitter has been thrust into this situation a bit unfairly, a hack along these lines could have happened to the executives of more Web companies than anybody would like to admit. What it really highlights is the extreme interconnectedness of the social Web: with the likes of e-mail contact importing and data-portability services like Facebook Connect now commonplace, a savvy hacker can have access to multiple accounts simply by accessing one.

A post Wednesday on Twitter's official blog highlights just how far-reaching this can be.

"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked," the post from co-founder Biz Stone read. "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company."

Following that attack, Twitter conducted a security audit, and Stone's post says that there was not a security vulnerability in Google Apps and that Twitter continues to use the suite internally. A separate hack targeted the account of CEO Evan Williams' wife, and from that some of Williams' personal accounts were accessed as well, Stone explained.

But Twitter is front and center in the news these days, and is now talked about as a communications protocol as much as a Web start-up. Not only does that make it a particularly appealing target, but it also means the reverberation in the media will be all the more sensational and lasting. And this isn't the first Twitter security panic to hit the press by any means. A number of celebrities' accounts were hacked in January, which the company blamed on an "individual" hacker rather than any of the various phishing scams that had been popping up occasionally on the microblogging service.


Security of Web apps under fire

Despite the breach, Twitter's executives say they have faith in the cloud and securing data online.

"This is more about Twitter being in enough of a spotlight that folks who work here can become targets," Stone's post read. "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Stone added that Twitter is communicating with its legal counsel--the company just hired former Google lawyer Alexander Macgillivray, conveniently--to figure out how to deal not only with the hacker but with people who share or publish the documents in question.

As for the log-ins though, it's a wake-up call to the importance of a good password, and having systems in place that make it hard for the wrong people to get in. And not all systems are created equal.

For instance, gaining access to someone's Yahoo account (which is how this all started) can be simple if you have access to one of their other e-mail accounts. Yahoo's process for password retrieval has several steps, the primary one being the option to send a password reset to another e-mail account it has on file. There's also the option to say you can't access that e-mail account, which is likely the route the hacker went. Doing this takes you to a page where you have to answer a secret question (usually a pet name), the answer to which is set during the account sign-up process.

Yahoo's password recovery screen.

After three unsuccessful tries at the secret question, Yahoo pulls up a screen that gives you the choice to either validate your identity via a credit or debit card number, or go back to answering more questions. If you fail the personal question another five times, your account is temporarily locked out from password retrieval for 24 hours; logging in with the proper credentials, however, is still allowed.
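The recovery flow just described, together with the earlier article's point that security-question answers are secrets an attacker will try to guess, as an added Python example that is not code from Yahoo, Google or either article: it models the screens (secret question, card-or-more-questions after three failures, a 24-hour lock on retrieval after five more, normal login unaffected) with salted, slow-hashed answers and a constant-time compare. The question text, the sample answers, the sample password and the PBKDF2 work factor are constructed here.

```python
"""Model of a knowledge-based password-recovery flow with escalation and lockout.

Added example, not code from any article above or from any provider. The
thresholds follow the article's description of Yahoo's recovery screen; the
hashing scheme, question and sample secrets are constructed for illustration.
"""
import hashlib
import hmac
import os
import unicodedata

# Thresholds as described in the article: 3 tries, then escalation, then 5 more.
TRIES_BEFORE_ESCALATION = 3
TRIES_BEFORE_LOCKOUT = TRIES_BEFORE_ESCALATION + 5
LOCKOUT_SECONDS = 24 * 60 * 60
PBKDF2_ITERATIONS = 100_000  # assumed work factor, not from the page


def normalize(answer: str) -> str:
    """Canonicalise an answer so ' CHAIR ' and 'chair' compare equal.

    Normalisation happens before hashing, so nothing reversible is stored.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, slow, one-way hash; used for both passwords and answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Security answers are treated exactly like passwords, after normalisation."""
    return hash_secret(normalize(answer), salt)


class RecoveryAccount:
    """One account's recovery state: hashed secrets plus the failed-attempt counter."""

    def __init__(self, question: str, answer: str, password: str):
        self.question = question
        self.answer_salt = os.urandom(16)
        self.answer_hash = hash_answer(answer, self.answer_salt)
        self.pw_salt = os.urandom(16)
        self.pw_hash = hash_secret(password, self.pw_salt)  # passwords are NOT casefolded
        self.failed = 0
        self.locked_until = 0.0  # retrieval lock only; login never consults it

    def locked(self, now: float) -> bool:
        return now < self.locked_until

    def state(self, now: float) -> str:
        """Which recovery screen the user would see at time `now`."""
        if self.locked(now):
            return "retrieval-locked"
        if self.failed >= TRIES_BEFORE_ESCALATION:
            return "card-or-more-questions"
        return "secret-question"

    def answer_question(self, attempt: str, now: float) -> str:
        """Process one secret-question attempt and return the resulting screen.

        Returns "reset-allowed" on a correct answer. While the retrieval lock is
        active even a correct answer is refused, matching the article's flow.
        """
        if self.locked(now):
            return "retrieval-locked"
        candidate = hash_answer(attempt, self.answer_salt)
        if hmac.compare_digest(candidate, self.answer_hash):  # constant-time compare
            self.failed = 0
            return "reset-allowed"
        self.failed += 1
        if self.failed >= TRIES_BEFORE_LOCKOUT:
            self.failed = 0  # fresh budget once the 24-hour lock expires
            self.locked_until = now + LOCKOUT_SECONDS
        return self.state(now)

    def verify_password(self, password: str) -> bool:
        """Normal login path: independent of the recovery lock, as the article notes."""
        return hmac.compare_digest(hash_secret(password, self.pw_salt), self.pw_hash)


def simulate(attempts, start: float = 1_000_000.0):
    """Walk the flow with a constructed account; return the screen after each step.

    `attempts` is a list of (seconds_after_start, guessed_answer) pairs.
    """
    acct = RecoveryAccount("What is your older brother's middle name?", "Chair", "correct horse")
    screens = [acct.answer_question(guess, start + delay) for delay, guess in attempts]
    return screens, acct
```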

On a Google Apps account, which Stone says Twitter is still using, it's not quite as simple. A Google representative told CNET News that the company's Apps service handles password recovery differently from how it does on other Google products. For instance, users have to ask for a password directly from their account administrator, instead of through Google. That administrator can also choose how long and complex passwords must be.

Even with this more stringent layer of security, some security experts have their doubts. People shouldn't expect free, online services to provide the same standard of security that they would get from their internal corporate system, said Peter "Mudge" Zatko, technical director of national intelligence at BBN Technologies, who spoke to CNET News on Wednesday.

"It's pretty ridiculous. The data is not stored at your place; it's not in your control," and problems could arise if the service provider changes its policies or gets sold, he said. "Nothing is really free."

Users of Yahoo Mail and Google Docs need to understand the convenience-security tradeoff, and that they compromise sensitive corporate data if they put it on publicly accessible systems or use the same passwords for internal and external networks, Zatko said.

"These services are very much about convenience and providing convenience for their users and part of convenience is ease of accessibility," he said. "You can't make something easy to access and terribly secure at the same time. Those are diametrically opposed goals."



Mobile network cracked by hackers

Simple technology can be used to eavesdrop on the network used for most mobile phone calls and texts, security researchers have shown.

Photo caption: The software used to make most phone calls has now been comprehensively hacked.

Security researchers have shown that the network used to make 80 per cent of the world’s phone calls is vulnerable to hacking, building on work demonstrated in previous years.

Karsten Nohl and Sylvain Munaut demonstrated their “toolkit” at the Chaos Computer Club Congress (CCC) in Berlin. They showed off an "end-to-end" hack, from identifying a phone to stealing its data, which completes work they showed last year indicating that it was easy to crack the GSM network’s security codes.

Simon Bransfield-Garth, chief executive of mobile phone security firm Cellcrypt, said that "Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack. A ‘policy of hope’ towards mobile phone security is not adequate." He said that voice services should be treated with the same caution as emails.

Most mobile phone calls worldwide are made using the GSM standard. GSM calls are protected by a 22-year-old encryption algorithm, known as A5/1. The algorithm, which was first cracked in 1999, is designed to prevent mobile phone calls from being intercepted by eavesdroppers. It works by forcing mobile phones and base stations to continually change frequencies. A typical phone conversation changes frequencies around 60 times.

The GSM Association has had a stronger algorithm, called A5/3, available since 2007 but few mobile network providers have made the upgrade.