Media outlets are today reporting that the leaked NSA report shows 2-factor authentication has a critical weakness: you (as Mashable headlined its story). IT security experts from Balabit, Cyphort, STEALTHbits Technologies, VASCO Data Security and Imperva commented below.
Csaba Krasznay, PhD, Product Evangelist at Balabit:
“As we know, passwords are dead, but it seems that e-mails should be retired as well. The teenage generation knows something, as they rarely use e-mail. Instead, instant messaging apps, e.g. Snapchat or Facebook Messenger, have already replaced the “old way” of messaging. We can see the same trends in tech companies, where Slack is preferred, or in the security community, where encrypted clients, e.g. Signal, are widely used. The reason behind that is that we can build trust much more easily through those channels. However, that attack is quite annoying, as it hurts one of the major principles of cybersecurity: use at least two factors of authentication on an independent channel. Such man-in-the-middle attacks can be easily identified if the user knows at least the basics of security awareness. What is the consequence? The security community should work on more user-proof authentication technologies.”
Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort:
“As I wrote in 2016, passwords are the new exploits (https://medium.com/@nickbilogorskiy/no-more-secrets-why-passwords-are-the-new-exploits-abeeef0bc55e). In the age of stolen passwords, a compromised credential is the easiest way in.
Multi-factor authentication raises the security bar significantly over using only a password and should always be enabled by default.
However, it will only work if you do not give away your 2-factor authentication code to attackers through phishing.
When I worked at Facebook and fought the Koobface malware gang, I noticed them using a similar attack pattern. Whenever possible, attackers rely on human weakness and social engineering, the lowest-hanging fruit, rather than hacking the technology. When Facebook put up CAPTCHAs to make it harder for the Koobface worm to propagate, attackers simply relayed those CAPTCHAs to already infected users, locking their machine until the victims solved them.
Good security should combine something you know, something you have and something you are, and you must guard all those 3 pieces closely and try not to give them away to an unauthorized party. No matter how hard you try, though, a breach can rarely be prevented if the attacker is sophisticated and motivated enough, so always be prepared for breach recovery – back up data often and invest in incident response.”
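Both Krasznay's point about a second factor on an independent channel and Bilogorskiy's warning about giving away the 2FA code through phishing describe the same real-time relay: the victim types a fresh one-time code into a look-alike page and the attacker forwards it to the real site before it expires. The following simulation is an added example written for this page, not code from the article or from any of the vendors quoted in it. It implements RFC 6238 TOTP with the standard library, shows the relay being accepted, and contrasts it with an origin-bound factor (a signature over the origin the device is actually talking to) that the same relay cannot forward. The server and device classes, the demo secret, the look-alike origin and the tiny challenge protocol are constructed assumptions for illustration.

```python
"""Added example, not from the article or any vendor quoted in it: a simulation of
the real-time phishing relay the experts describe, next to an origin-bound factor
that the same relay cannot forward.  Server/device names, the demo secret, the
look-alike origin and the tiny challenge protocol are constructed assumptions."""
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): what an authenticator app displays."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RealServer:
    ORIGIN = "https://mail.example.com"  # assumed legitimate origin

    def __init__(self, users):
        self.users = users  # user -> (password, totp secret, device key)

    def login_password_totp(self, user, password, code, now):
        """Factor 2 is a bare code: anyone holding a fresh one can present it."""
        pw, secret, _ = self.users[user]
        fresh = {totp(secret, now + drift) for drift in (-30, 0, 30)}  # +/- one step of drift
        return pw == password and code in fresh

    def login_origin_bound(self, user, nonce, signature):
        """Factor 2 is a signature over (our origin, nonce). A signature the victim's
        device made for the attacker's origin does not verify here."""
        _, _, dev_key = self.users[user]
        expected = hmac.new(dev_key, self.ORIGIN.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Device:
    """Stand-in for an origin-aware authenticator: it signs the origin it is actually
    talking to, which the user never sees or types and so cannot hand over."""

    def __init__(self, key):
        self.key = key

    def sign(self, origin_seen: str, nonce: bytes) -> bytes:
        return hmac.new(self.key, origin_seen.encode() + nonce, hashlib.sha256).digest()


ATTACKER_ORIGIN = "https://mail-example.com"  # constructed look-alike phishing site


def run_scenarios(now: int = 1_700_000_000):
    secret = "JBSWY3DPEHPK3PXP"  # constructed demo secret, base32
    dev_key = b"constructed-device-key"
    real = RealServer({"alice": ("hunter2", secret, dev_key)})
    device = Device(dev_key)
    nonce = b"nonce-1234"  # constructed; a real server draws a random nonce per login

    # 1. Victim types password and current code into the phishing page; the proxy
    #    forwards both to the real site inside the validity window: accepted.
    code = totp(secret, now)
    phished_totp = real.login_password_totp("alice", "hunter2", code, now)
    # 2. The same code relayed two minutes later: expired, rejected.
    stale_totp = real.login_password_totp("alice", "hunter2", code, now + 120)
    # 3. Origin-bound factor: the device signs the phishing origin it actually sees,
    #    so the relayed signature does not verify at the real origin.
    phished_bound = real.login_origin_bound("alice", nonce, device.sign(ATTACKER_ORIGIN, nonce))
    # 4. The same device talking to the real origin succeeds.
    direct_bound = real.login_origin_bound("alice", nonce, device.sign(RealServer.ORIGIN, nonce))
    return {
        "phished_totp_accepted": phished_totp,
        "stale_totp_accepted": stale_totp,
        "phished_origin_bound_accepted": phished_bound,
        "direct_origin_bound_accepted": direct_bound,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The takeaway matches the quotes: the validity window only punishes a slow attacker, and a code the user can read is a code the user can be talked into typing somewhere else. Binding the second factor to the origin moves the decision out of the user's hands, which is one concrete form of the "more user-proof" technology Krasznay asks for.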
Jonathan Sander, CTO at STEALTHbits Technologies:
“Having a headline that says 2FA has a flaw is playing with fire. Buried in the pieces with that headline is the reminder that people should absolutely still use 2FA. Let’s make sure we’re clear on this: everyone should turn on 2FA (aka multi-step, two-step) on every service that offers it if they want the best possible security. The thing the NSA report proves is that you can get to anything that is only protected by a human’s common sense. Humans are almost always going to be fooled by a sophisticated enough attack. We’re all too busy, too distracted, and too inundated with small technology choices every day not to be vulnerable to the type of spear phishing the report describes. Let’s remember what ‘spear phishing’ means. This is an attack crafted by a team of experts that is specifically aimed to fool one person at a few opportune moments to get at some resource to which they have access. Do you think you would beat a whole team of cyber bad guys at the security game at a moment when you didn’t even know you were facing off against them?”
David Vergara, Head of Global Product Marketing at VASCO Data Security:
“Reworking a common saying is appropriate here… “2FA doesn’t compromise personal data, people do.” As social engineering attacks evolve and become ever more sophisticated, the weakest link is clearly each of us, the human element. Research shows that business professionals receive over 100 emails per day and about 1% have some “risky” element associated with them. So this issue isn’t going away anytime soon. One answer lies in layered security aligned with the level of exposure (i.e. the use of additional authentication factors, including biometrics, which can’t be given away, for example) and extensive training for employees to spot signs of social engineering. Perhaps not to the point of being “paranoid as hell,” but certainly scrutinizing each message like they never have before.”
Morgan Gerhart, Vice President at Imperva:
“The insider threat landscape usually breaks down into three pieces: malicious insiders, negligent insiders and compromised insiders. Malicious insiders are those disgruntled workers who misuse their access to sensitive data for profit or simply for “revenge.” The most notorious example is Edward Snowden. In this case, the individual that leaked the NSA report to the media would be considered a malicious insider.
Negligent insiders jeopardise sensitive data by innocent mistakes or bad practices. These usually boil down to misconfigured servers (e.g., use of default or weak passwords), backups or test servers that contain sensitive information but are not protected like production servers, or simply taking your work home – for example saving corporate data on personal devices or cloud services.
Last, but not least, is the “classic” compromised insider, where hackers compromise insiders that have internal access to the network and assets (file servers, databases, applications, etc.). Once an attacker has access to internal resources, it’s only a matter of time before he gains access to sensitive data. It is unfortunate, but most organisations focus on securing their borders. The main problem with this is that there are no real borders to secure.
Another previous example of an insider attack would be the Wikileaks affair which involved Bradley Manning, an army private and U.S. intelligence analyst with Top Secret security clearance. Private Manning had “access to an unprecedented amount of material” and was convicted of leaking 251,287 classified cables. The files were stolen over time. One time Private Manning bragged to a friend saying he would “come in with music on a CD-RW labelled with something like ‘Lady Gaga’ … erase the music … then write a compressed split file. No one suspected a thing.” He said that he had “unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months.”
Careless insiders are the most common of all but are, by far, not the most concerning ones. Misconfigured access control systems and misplaced data dumps are by far more dangerous, less common and much more difficult to recover from.
To mitigate the risk, corporations should ask themselves where their sensitive data lies, and invest in solutions that directly monitor who accesses it and how. According to reports, the leaker was identified because of strong audit trails of who accessed what. They can invest in solutions that help them pinpoint critical anomalies that indicate misuse of enterprise data stored in databases, file servers and cloud apps and that also help them to quickly quarantine risky users in order to proactively prevent and contain data breaches. This approach works across careless, compromised and malicious insiders.”
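Gerhart's closing advice rests on two capabilities of a file-access audit trail: answering "who accessed what" for a given document, and spotting a user whose recent activity departs from their own baseline. The script below is an added example written for this page, not code from the article or from Imperva. It parses a small audit log constructed for the example, looks up every reader of one file, and flags a user who suddenly reads shares they never touched before, in unusual volume, at night. The log format, the user and path names, the cutoff date and the classification of top-level shares as sensitive are all assumptions.

```python
"""Added example, not from the article or Imperva: answering 'who accessed what'
and flagging anomalies from a file-server audit trail.  The log format, users,
paths, thresholds and the sensitive-share list are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: two ordinary working days, then one suspicious night.
AUDIT_LOG = """\
2017-06-01T09:12:04Z user=alice action=read path=/finance/q2/forecast.xlsx bytes=40211
2017-06-01T10:03:40Z user=alice action=read path=/finance/q2/payroll.xlsx bytes=182233
2017-06-01T11:45:12Z user=bob action=read path=/eng/src/build.gradle bytes=2044
2017-06-02T09:30:51Z user=alice action=read path=/finance/q2/invoices.csv bytes=90120
2017-06-02T14:20:09Z user=bob action=read path=/eng/docs/design.md bytes=12099
2017-06-02T15:02:33Z user=bob action=write path=/eng/src/main.go bytes=8801
2017-06-05T02:14:08Z user=bob action=read path=/finance/q2/payroll.xlsx bytes=182233
2017-06-05T02:14:31Z user=bob action=read path=/finance/q2/forecast.xlsx bytes=40211
2017-06-05T02:15:02Z user=bob action=read path=/hr/reviews/2017.docx bytes=77310
2017-06-05T02:15:40Z user=bob action=read path=/finance/q1/ledger.csv bytes=901211
2017-06-05T02:16:09Z user=bob action=read path=/finance/q1/payroll.xlsx bytes=180002
2017-06-05T02:16:44Z user=bob action=read path=/finance/board/minutes.pdf bytes=55120
2017-06-05T02:17:20Z user=bob action=read path=/legal/contracts/acme.pdf bytes=310000
2017-06-05T09:05:00Z user=alice action=read path=/finance/q2/payroll.xlsx bytes=182233
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)
SENSITIVE_DIRS = {"finance", "hr", "legal"}  # assumed classification of top-level shares


def parse(log: str) -> list:
    """Turn audit lines into dicts; an unparsable line is an error, not silently dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable audit line: {line!r}")
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["bytes"] = int(d["bytes"])
        d["top"] = d["path"].split("/")[1]  # top-level share, e.g. 'finance'
        events.append(d)
    return events


def who_accessed(events, path):
    """The direct question a good audit trail answers: every user who touched this file."""
    return sorted({e["user"] for e in events if e["path"] == path})


def max_daily(evs):
    per_day = defaultdict(int)
    for e in evs:
        per_day[e["ts"].date()] += 1
    return max(per_day.values(), default=0)


def is_off_hours(ts):
    return ts.hour < 6 or ts.hour >= 22  # assumed working hours, UTC


def flag_anomalies(events, cutoff):
    """Compare each user's activity from `cutoff` onward with that user's own earlier
    baseline, so a finance analyst reading /finance is normal and an engineer is not."""
    by_user = defaultdict(lambda: ([], []))
    for e in events:
        by_user[e["user"]][0 if e["ts"] < cutoff else 1].append(e)
    flags = {}
    for user, (base, recent) in by_user.items():
        reasons = []
        base_dirs = {e["top"] for e in base}
        new_sensitive = sorted({e["top"] for e in recent
                                if e["top"] in SENSITIVE_DIRS and e["top"] not in base_dirs})
        if new_sensitive:
            reasons.append("new_sensitive_dir:" + ",".join(new_sensitive))
        if max_daily(recent) > max(3 * max_daily(base), 5):  # 3x own peak, with a floor
            reasons.append("volume_spike")
        if any(is_off_hours(e["ts"]) for e in recent) and not any(is_off_hours(e["ts"]) for e in base):
            reasons.append("off_hours")
        if reasons:
            flags[user] = reasons
    return flags


def demo():
    events = parse(AUDIT_LOG)
    return who_accessed(events, "/finance/q2/payroll.xlsx"), flag_anomalies(events, datetime(2017, 6, 5))


if __name__ == "__main__":
    readers, flags = demo()
    print("readers of payroll.xlsx:", readers)
    for user, reasons in flags.items():
        print(f"{user}: {', '.join(reasons)}")
```

Alice is not flagged even though she reads the same payroll file, because the baseline is per user: the signal is a change from that user's own pattern, not the sensitivity of the file alone. That is what lets the same check cover the careless, compromised and malicious cases Gerhart lists.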