OPLIN 4cast #331: Two factors are better than one

Wednesday, April 24th, 2013

People who work with Internet security have for some time advocated the use of “two-factor authentication” instead of a simple password control over access to sensitive or private information. Nobody likes to make things harder than we think they need to be, however, so adoption of two-factor authentication has been fairly limited. But last week, that may have begun to change, as Microsoft announced that two-factor authentication will be available (though not necessarily required) for all Windows products and services.

  • Microsoft rolling out two-factor authentication across its product line (ZDNet/Mary Jo Foley) “Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim’s password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.”
  • Microsoft Account gets more secure (Official Microsoft Blog) “This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info. More than a year ago, we began bringing two-step verification for certain critical activities, like editing credit cards and subscriptions at commerce.microsoft.com and xbox.com, or accessing files on another one of your computers through SkyDrive.com. For these scenarios, two-step verification is required 100 percent of the time for everyone, given the sensitive nature of these tasks.”
  • Apple ID: Frequently asked questions about two-step verification for Apple ID (Apple Support) “Two-step verification simplifies and strengthens the security of your account. After you turn it on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent your trusted devices, or your Recovery Key.”
  • AP Twitter hack sends stock market spinning (New York Magazine/Kevin Roose) “In my opinion, there is really only one lesson from this afternoon’s flash-crash: namely, Twitter needs multi-step authentication for verified and/or news-breaking accounts now. Twitter has gotten calls for stronger security measures for years, and it’s always been pretty reluctant to promise anything. (Last year, the company would say only, “We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure.”) But after today’s data point, it can’t wait any longer.”

Factor fact:
Good two-factor authentication combines a Knowledge Factor (something the user knows) with a Possession Factor (something the user has).


OPLIN 4Cast #286: Responding to a breach

Wednesday, June 13th, 2012

Last week’s revelation that millions of LinkedIn passwords had been stolen was just the latest in a long line of data breach stories. While public libraries don’t store millions of passwords or credit card numbers, they do store a lot of patron data, and things as mundane as people’s street addresses are beginning to be considered sensitive information by some security experts. With luck, your library ILS vendor has not made the same mistake that LinkedIn made and stored sensitive user information with relatively weak encryption. But if the worst should happen and your library system gets hacked, what’s the best way to respond? Are there lessons to be learned from the misfortune of previous data breach victims?

  • Dissecting LinkedIn’s response to the password breach (PC Magazine/Fahmida Y. Rashid)  “‘We are contacting all members we believe could potentially be affected, starting with those who we believe are at the greatest risk. We have already initiated the outreach,’ a LinkedIn spokesperson said in an email. She was unable to provide any other details. I was very concerned about LinkedIn’s focus on members at ‘greatest risk.’ How do they define this?”
  • Zappos data breach response a good idea or just panic mode? (Network World/Ellen Messmer)  “…online shoe and clothing retailer Zappos has taken assertive steps, including compelling customers to change passwords, plus temporarily foregoing 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email.”
  • Heartland CEO on breach response (BankInfo Security/Tracy Kitten)  “…[Bob Carr, CEO of Heartland Payment Systems] says information sharing is key, especially among other payments processors. ‘Don’t minimize the impact,’ Carr says. ‘Share information. … The bad guys might be in somebody else’s system, so it is good for everyone to communicate.’ Although a great deal has changed since 2009, when Heartland’s breach was exposed, Carr says open communications, especially for publicly-traded companies, will pay dividends in the long run.”
  • Data breach response plans: Yours ready? (Information Week/Mathew J. Schwartz)  “Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. ‘I’ve seen organizations that totally jumped the gun–We’ve got to do it– and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,’ Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. ‘We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.’”

Breach facts:
The three breaches mentioned above affected: 6.5 million LinkedIn users; 24 million Zappos customers; and 130 million Heartland credit card accounts.
[And one more fact: OPLIN's plan for Security Incident Response is included in our overall Information Technology Security Management plan.]


OPLIN 4Cast #265: Innovations in cyber crime

Wednesday, January 18th, 2012

Malicious attacks on websites continue to make the news. Whether it’s Anonymous exposing a whole country’s control and data systems or hackers stealing huge amounts of data last weekend from Zappos, the pace of malicious activity on the web has certainly not slowed down. While these big-news attacks generally use rather traditional hacking methods, the nasty people on the web have also been busy developing new attack vectors, and you might want to be aware of them.

  • Developer sneaks fake apps into Android market (SecurityNewsDaily/Matt Liebowitz)  “Behind their innocent facade, the cloned apps hid a secret weapon – they compromised customers’ smartphones by using them to send premium-rate text messages to the tune of about $20. ‘The texts are notifications that the user has been charged around $5, but you end up getting 3-4 of them in one shot,’ DroidGamers wrote. ‘A free download just became a $20 purchase.’”
  • Hackers spread malware via children’s gaming websites (BBC News)  “‘I believe that children’s computers are more vulnerable to attacks because they are usually in worse shape – in other words the owners are less likely to have the latest security updates installed,’ said Mr Vlcek [AVAST Software chief technical officer]. ‘The child may also be less suspicious that something wrong is happening than an adult would be.’”
  • Cyber-criminals target mobile devices with QR codes (SecurityWeek/Brian Prince)  “‘This is the first time we have seen a QR code used in an active spam campaign,’ Patrik Runald, senior manager of security research at Websense, told SecurityWeek. ‘Because QR codes are the ultimate URL obfuscator, with the right social lure, QR codes can become increasingly more successful in driving users to websites hosting malware targeting the mobile device.’”
  • Security flaw in printers could expose businesses to hackers (Huffington Post/Janean Chun)  “Keith Moore, HP’s chief technologist, also disagrees that the threat of security breaches through printer hacking could already be widespread. Moore points out that the researchers didn’t use passwords on the printers they tested and adds that no consumers have reported similar incidents. ‘There has been no data at all that any of this has been exploited. So we’re looking at the theoretic possibility, in a lab, to see if that can ever occur in a real world situation.’”

Cyber attack fact:
This sobering 11-minute video of a TED talk by Ralph Langner reminds us that cyber attacks may not always come from criminals.


OPLIN 4Cast #258: DoS’d for the holidays

Wednesday, November 30th, 2011

Late in the afternoon on Black Friday, the oplin.org website was hit by an apparent Denial of Service (DoS) attack. DoS and DDoS (Distributed Denial of Service) attacks overwhelm a website with so many requests for connections that the webserver is too busy with this “junk” traffic to respond to legitimate traffic. As a result, it looked like the OPLIN website, and all the services that run on the same server – like the 4cast – were offline for a couple of hours until we stopped the attack. Why was oplin.org targeted? Good question, since it’s a pretty innocuous website, but certainly the timing of the attack suggests that we may have been an innocent victim of a general increase in DoS attacks that happens around the holidays.

  • E-commerce, retail websites alert for DDoS attacks this holiday season (eWEEK/Fahmida Y. Rashid)  “DDoS attacks increased by 30 percent in 2010, and the number is expected to be higher in 2011, according to Gartner estimates. The attacks have also been escalating in size and complexity in 2011, according to Paul Sop, chief technology officer at Prolexic. Attackers generally are throwing more packets, using more bandwidth and targeting the application layer, Sop said. E-commerce businesses aren’t the only ones that have to worry about DDoS attacks during this holiday season, as hospitality, gaming and shipping services should also be on high alert for DDoS attacks, Sop said.”
  • Corero advises retailers of risks associated with DDoS attacks during holiday shopping season (BusinessWire)  “DDoS attacks bring victim websites to a crawl or halt, using network flooding techniques that have been in use for more than a decade, and more recently, insidious application-layer attacks which are very difficult to detect. Online commerce depends on sites that are responsive and always available. Frustrated customers will quickly abandon an unresponsive site and go to another.”
  • Firewalls can’t keep up with DDoS attacks (PCWorld/John E. Dunn)  “The survey of 1000 medium and large organizations in ten countries found that up to 45 percent of respondents experience such attacks on a regular basis, a mixture of application and network-layer incursions. About half rated denial of service attacks as highly effective with 79 percent saying they still relied on firewalls to deflect them despite 42 percent finding that such devices were ineffective against conventional attacks at the network layer.”
  • Happy holidays: 5 ways to use DoS testing to thwart cyber extortion (BreakingPoint/Pam O’Neal)  “…online businesses still fear these threats, with little confidence in the DoS mitigation and security measures put in place to protect them. This is especially true for Internet retailers, the latest victims of hacker-extortionists. Internet retailers have a small window to ‘get it right’ when it comes to hardening their resiliency to DoS or DDoS attacks. And the post-Thanksgiving Cyber Monday is part of that small window.”

Method fact:
Kaspersky Labs reports that the “HTTP flood” method, which simply sends a huge number of HTTP requests to the targeted site over a short period of time, accounted for 88.9% of all DDoS attacks in the second quarter of 2011.
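The HTTP flood described here, and the DoS mechanism described in the post above, can be spotted from the web server's own access log by counting requests per client over a short window. The following is an added example, not OPLIN's code: it parses Common Log Format lines and flags any client whose requests inside a sliding 10-second window exceed a threshold. The log lines, IP addresses, timestamps and thresholds are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Apache/nginx Common Log Format: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

def parse_clf(line: str):
    """Return (client_ip, unix_time, request_line), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("req")

def detect_http_flood(lines, window: int = 10, threshold: int = 30) -> dict:
    """Sliding-window rate check: flag each client whose request count inside any
    `window`-second span exceeds `threshold`. Lines are assumed to be in time order,
    as a live access log is. Returns {ip: (time_flagged, count_in_window)}."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue                  # malformed line: skip it, do not crash the detector
        ip, t, _ = parsed
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()               # drop hits that have aged out of the window
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = (t, len(q))
    return flagged

def _clf_line(ip: str, epoch: int, path: str = "/") -> str:
    """Build one constructed CLF line (sample data, not real OPLIN traffic)."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'

BASE = 1322254800  # constructed start time: 25 Nov 2011, 21:00 UTC
SAMPLE_LOG = sorted(
    [_clf_line("198.51.100.5", BASE + 20 * i, "/catalog") for i in range(4)]  # normal browsing
    + [_clf_line("203.0.113.7", BASE + 5 + i // 10) for i in range(50)],      # 50 hits in 5 s
    key=lambda l: parse_clf(l)[1])

if __name__ == "__main__":
    for ip, (when, n) in detect_http_flood(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests within 10 s at {int(when)}")
```

On a real server the threshold should be set from observed legitimate peaks, and a flagged address is a candidate for rate limiting rather than proof of an attack, since many patrons can share one public IP.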
