Posted by Scott Coby on Thu, Apr 02, 2009 @ 03:40 PM
Well, here we go again. Last month the security vendor, Kaspersky, had its site hacked by SQL injection, possibly exposing email addresses and up to 25,000 product activation codes. Last week we learned of the Dalai Lama's network being hacked by sources possibly in China using "social phishing" techniques on unsuspecting monks.
The widespread incidence of network infiltration by unauthorized individuals (hackers/crackers) poses an increasingly serious threat to data integrity and security. Although the NY Times article concentrated on "social phishing" via emails as a means to dupe unsuspecting email recipients and browser re-direction among other vulnerabilities, the defense or solution is relatively easily remedied through the use of updated anti-spyware, anti-phishing, and anti-virus software provided by companies such as Symantec and others. However, according to the IBM X-Force Threat Report released in June of 2008:
http://www-935.ibm.com/services/us/iss/xforce/trendreports, the greatest threat to web application security is now SQL injection. Exploitation of websites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008, bypassing cross-site scripting as the leading web application vulnerability. IBM's recommended solution is the installation of web server patches to help prevent such attacks. Unfortunately, 74% of web applications reported had no patch available by the end of 2008, according to IBM. The IBM report also did not mention the additional need to properly "sanitize" all input data in web applications, nor did it mention any technologies available that can reduce or eliminate the need to host password fields in applications.
With the use of web proxies today, the IP address, identity, or location of a hacker is easily camouflaged. An anonymous SQL injection attack of purportedly "authenticated" user access represents a very serious security risk that has been virtually ignored by most IT Security professionals. As today's report indicated, there is a gaping hole in cyber security caused by the unauthorized use of passwords (including those obtained by rogue means). Hackers have a wide choice of freeware that can enable them to crack passwords, inject SQL strings into username and/or password fields, and generally cause havoc for application administrators trying to protect their web applications and databases.
To illuminate a possible solution to this huge problem, I suggest that the authors of the report cited in the Times (and readers interested) view a presentation given during the Oracle Web Expo two weeks ago.
http://tiny.cc/TriadOracleWM (Windows Media) http://tiny.cc/TriadOracleRM (Real Media)
Clearly, many of the vulnerabilities associated with SQL injection at the "front door" can be avoided if the user must be biometrically (unequivocally) identified and authenticated where no password field exists as a gateway.
Posted by Mark Cohen on Wed, Aug 20, 2008 @ 10:38 AM
Identity fraud is a crime that costs all of us. As measures have been increased in recent years to mitigate identity fraud, so too has the level of sophistication of the fraudulent acts. Persons that were dedicated to committing fraud had the upper hand for some time, but technology is now catching up to these predators.
The Case to Utilize Fingerprint Biometrics:
Fingerprint biometrics are a leading digital technology that can be utilized in digital identity authentication. Those in a point of service setting that use fingerprint biometrics do so by scanning a customer's ID through a system and instructing the customer to use a keypad to match fingerprints with a stored fingerprint identity. Fingerprint biometrics can help increase the chances that the person in front of you presenting an ID is that ID's true identity. The result is an ability to capture and link fingerprints to a single ID record, which will increase fraud prevention and help ensure fraudsters do not attempt to use multiple identities.
The Case to Implement Biometric Verification:
Those in a point of service setting pay for fraud twice, once stemming from the initial act of fraud and a second time as a result of cost of goods, services and even insurance rates increases. Biometric verification can help resolve the problem of ID fraud and provide the point of service person that the customer presented is the actual person represented on the ID. The benefit of a biometric verification is that legitimate multiple IDs can be linked to a single person through one unique biometric fingerprint record. The additional benefit is that this unique biometric fingerprint cannot be utilized in multiple fraudulent IDs.
Security Elements Needed for Acceptance of Fingerprint Biometrics:
A sound fingerprint authentication system needs to have inherent protection against a number of types of common attacks and other compromised situations:
- The system should enforce trusted attended enrollment to establish a chain of trust as to whose fingers were enrolled for any given UserID. This cannot be accomplished by self-enrollment.
- The system should not allow any given fingerprint to be authenticated to identify more than a single User.
- The system should have a secure exception mode to support emergency access when no working device is available.
- The system should support a duress function for a limited subset of the User base.
- The system should adequately secure the biometric identifiers both at rest and in transit to prevent replay, man-in-the-middle and denial-of-service attacks.
- The system should be adaptable to a variety of authentication interfaces.
- The system should support interoperability of devices from multiple manufacturers.
- The system should allow for actual elimination of passwords, not just releasing them to an existing password-authentication mechanism.
Technologies and products do exist which enable secure biometric systems to be implemented that meet these criteria to significantly reduce identity fraud potential.
Posted by Shailesh Chirputkar on Mon, Jun 09, 2008 @ 10:30 AM
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. This vulnerability is present when user input is manipulated for string literal escape characters embedded in SQL statements or user input is not sufficiently filtered and thereby unexpectedly executed. With the aid of Web Proxy Tools, filtering cannot be guaranteed. SQL injection is, in fact, an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. This condition results in the potential manipulation of the statements performed on the database by the end user of the application which violates security policy. Such manipulation is difficult to detect since there is usually no error being reported when this happens.
The following line of code illustrates how this vulnerability can be executed.
statement: "SELECT * FROM users WHERE name = '" + userName + "';"
This SQL code is designed to pull up the records of a specified username from its table of users; however, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may be able to retrieve more than the code the sender intended. For example, setting the "userName" variable as a' or 't'='t renders this SQL statement by the parent language:
SELECT * FROM users WHERE name = 'a' OR 't'='t';
Biometrics in general can prevent attacks like this, so long as the biometric system can replace the password and use of a password field. Any Biometrics system that does not take a user name or password as an input parameter and is able to resolve the identification of users can be effective as a preventative measure against this type of attack. A fingerprint biometrics system like TEAMS® counters this type of attack as the TEAMS® authentication method does not utilize a password or password field for identification purposes. Therefore, wherever the TEAMS® authentication method is employed, the possibility of SQL Injection is eliminated.
The use of the TEAMS® authentication method complements other protective measures taken to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6.
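An added example, not part of the original post: the concatenated query shown above beside a parameterized version, both run against an in-memory SQLite table with constructed sample rows, so the effect of the a' or 't'='t input on each can be compared directly.

```python
"""Vulnerable string concatenation versus a bound parameter, using the exact
query and input from the post. Sample rows are constructed for this example."""
import sqlite3

# Constructed sample data, not from the original post.
SAMPLE_USERS = [("alice", "alice@example.com"),
                ("bob", "bob@example.com"),
                ("carol", "carol@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, user_name: str) -> list:
    # The pattern from the post: user input is spliced into the SQL text,
    # so a quote in the input changes the statement the database executes.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> list:
    # Hardened form: the value travels as a bound parameter, never as SQL
    # text, so quotes in the input cannot alter the statement's structure.
    statement = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(statement, (user_name,)).fetchall()


def row_counts(user_name: str) -> tuple:
    """Return (rows from concatenated query, rows from parameterized query)."""
    conn = make_db()
    return (len(lookup_concatenated(conn, user_name)),
            len(lookup_parameterized(conn, user_name)))


if __name__ == "__main__":
    print(row_counts("alice"))         # (1, 1): both find the one real user
    print(row_counts("a' or 't'='t"))  # (3, 0): concatenation returns every row
```

The parameterized lookup treats the whole input as a literal name, which matches no row, while the concatenated form turns the same input into a WHERE clause that is always true.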
Posted by Scott Coby on Fri, May 30, 2008 @ 03:47 PM
If you had to choose between the use of passwords and personal identification numbers and not using any, which would be your pick? What if you could have extra security and added convenience by not using any passwords ever again? Surprisingly, this no-password technology is here and is growing rapidly. It is called biometrics, and you will travel this road in no time.
Biometrics involves the use of automated methods of recognizing an individual based on his physical or behavioral characteristics. Some common commercial examples are fingerprint, face, iris, hand geometry, voice and dynamic signature biometric authentication.
Looking back, do you remember the day you decided to switch from dial-up to broadband technology? Biometrics will have the same effect once adopted by the masses.
The decision to switch to broadband had two common denominators: speed and convenience.
In the password world, the same analogy applies. What if you could achieve higher security combined with added convenience and efficiency without ever using passwords? Is this a good justification for another major revolution? Perhaps not yet, because many react to implementing security only after experiencing a crisis.
The solution that could simplify password security issues is biometrics. Biometrics provides an additional layer of security, efficiency and convenience for both users and IT administrators alike.
Here are a few facts you should know about most biometric solutions:
In general, a biometric solution is non-intrusive. Using biometrics, the fingerprint image is extracted into a binary template, then converted into an encrypted template and either stored onto the hard drive or sent over the network to a matching server. Reverse engineering to convert this data back into the fingerprint image is virtually impossible. Recent advances in capture hardware, such as some of the newer fingerprint devices, are producing better images with a smaller mechanism at a lower price compared to just a few years ago while, at the same time, some can detect "liveness" of the fingers to help prevent enrollment or authentication by a dead or fake finger.
An additional consideration should be the ability of a system to operate seamlessly in multiple application environments, and across multiple devices from different vendors. This is known as interoperability. To be truly interoperable, a biometric solution should be able to operate on many databases, web application servers and many biometric capture devices. One might say the system should have the equivalent to open source architecture, much the same as Java became an interoperable platform that served as a catalyst to the widespread use of Application Servers.
Posted by Scott Coby on Thu, May 08, 2008 @ 11:37 AM
We see today the inexorable movement to the adoption of biometric identification for the securing of many applications from logical and physical access to various forms of credentials such as driver's licenses, passports, and frequent flyer identification cards. How are we to interpret this shift to biometrics? Should we consider that such techniques are an invasion of our privacy? Are Michael Chertoff's statements that "a fingerprint is hardly personal data because you leave it on glasses and silverware and articles all over the world, they're like footprints. They're not particularly private" reflective of the beliefs of the populace at large?
It appears that the primary concern of all people should be the convenience and greater security that biometrics produces as well as the degree to which biometric templates are themselves secured. Any popular biometric identification system should include safeguards as to the integrity of its storage of biometric templates, strength of encryption, and resistance to being spoofed or hacked. By incorporating these features, the privacy of the biometric templates and attendant data of the system's users can be virtually assured. If these attributes are present, then the enhanced security provided by the use of biometric identification and biometric authentication can be confidently utilized to make our lives more secure and less vulnerable to attack.