Why Two-Factor Authentication is Too Important to Ignore

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time. On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach.

Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen.

What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts. Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that...

When Remote Access Becomes Your Enemy

As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used. This arrangement makes sense: It saves enterprises time and money. Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities. In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician. About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only remote access users were affected. Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server data through a remote access point. Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software. It’s clear that these attacks and vulnerabilities are all part of a trend –...

What We’re Reading, Week of 11/5

Government Computer News – NIST spells out baseline security requirements for next-gen mobile devices
CSO – Election sabotage: A threat much older than hacked e-voting
InformationWeek – Malware Tools Get Smarter To Nab Financial Data
SearchSecurity – Remote access Trojan evades detection using mouse...

How can I make sure my VPN is encrypted and working properly?

*Editor’s Note: These columns originally appeared in TechTarget’s SearchEnterpriseWan.com.

By Rainer Enders, CTO of Americas for NCP engineering

The simplest way to do this is to act like a hacker. Snoop around the network traffic, either on the device itself or on a port on the network. In the case of IPsec, for example, you would see Encapsulating Security Payload (ESP) frames (Protocol 50). Yet, when you look inside the packet payload, you will only see garbled characters — no clear text at all. Network snooping tools are easily available on the Internet and are simple to use. Of these, Wireshark is probably the most popular tool. You may find this resource on how to do penetration testing on your VPN useful.

Can I compare performance metrics of an MPLS VPN to another network?

This is a very complex question that is difficult to answer without knowing the specifics. Performance assessments can range in effort and complexity. It is ultimately important to understand the underlying requirements, which will determine the parameters that are relevant to performance. So, first you want to define “performance”: What are the relevant parameters, such as throughput, latency, packet loss and jitter? Once you measure the aforementioned metrics of your Layer 2 and Layer 3 MPLS VPN networks, you should be able to compare them...
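The VPN check described in the first answer above, as an added example (not code from the original column): it classifies captured IPv4 packets by whether they are ESP (protocol 50) exchanged with the VPN gateway and whether the ESP payload is still legible, which goes slightly beyond the text by catching ESP configured with NULL encryption. The addresses, payloads, verdict labels and function names are constructed for illustration.

```python
import hashlib
import socket
import struct

ESP = 50                                  # IP protocol number of ESP
TEXT = set(range(32, 127)) | {9, 10, 13}  # printable ASCII plus tab, LF, CR

def ipv4(proto, src, dst, payload):   # builds a constructed sample packet, checksum 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:total]

def longest_text_run(data):
    """Length of the longest run of text bytes; ciphertext has only short runs."""
    best = run = 0
    for byte in data:
        run = run + 1 if byte in TEXT else 0
        best = max(best, run)
    return best

def classify(pkt, gateway, min_run=16):
    """Verdict for one captured packet, given the VPN gateway's address."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if gateway not in (src, dst):
        return "outside-tunnel"        # did not go to the gateway at all
    if proto != ESP:
        return "non-esp-to-gateway"    # e.g. IKE negotiation; review separately
    if longest_text_run(payload[8:]) >= min_run:   # skip SPI + sequence number
        return "esp-readable"          # ESP framing, but the payload is legible
    return "encrypted"

def audit(packets, gateway):
    return [classify(p, gateway) for p in packets]

# Constructed sample capture (documentation addresses, made-up payloads).
HOST, GATEWAY = "192.0.2.10", "198.51.100.1"
ESP_HDR = struct.pack("!II", 0x1001, 1)   # SPI, sequence number
CIPHERTEXT = hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()  # stand-in
HTTP = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SAMPLE = [ipv4(ESP, HOST, GATEWAY, ESP_HDR + CIPHERTEXT),
          ipv4(ESP, GATEWAY, HOST, ESP_HDR + b"\x00" * 20 + HTTP),
          ipv4(6, HOST, "203.0.113.80", b"\x00" * 20 + HTTP),
          ipv4(17, HOST, GATEWAY, b"\x01\xf4\x01\xf4\x00\x08\x00\x00")]
print(audit(SAMPLE, GATEWAY))
```

Only ESP carried directly over IP is recognised here; a tunnel that wraps ESP in UDP for NAT traversal would show up as "non-esp-to-gateway" and needs its own check.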