The Problem with SMS-based Authentication

As mobile phones became more sophisticated, their usage shifted from being communication oriented to application oriented. But phone numbers were never intended to be used as secure identifiers – their purpose is to simply act as subscriber identifiers during call routing. When applications use phone numbers in their login processes, it can give attackers and hackers an advantage.

Here are a few ways in which your OTP can be intercepted by hackers:

  1. Man in the Middle attack

This is a type of eavesdropping attack in which a hacker places himself as a proxy or relay between the OTP sender and receiver. For the sender and receiver, the communication will seem like it is happening only between those two, whereas it is actually passing through an impersonator. Black hat hackers often hack into financial websites and place high-level codes which will allow them to intercept messages between banks and users, making it convenient for him/her to access an account.

  1. Malware attack

Ready-to-download malware which can easily hack into a user’s mobile devices are available online. In addition to grabbing your SMS content, these can also access other areas of your phone like your gallery and directory to extract more personal information. In fact, a few of these malware are disguised as mobile applications like fitness trackers, timers, alarm clocks, etc.

  1. SIM cloning attack

Investigative agencies use SIM cloning attacks to monitor and track suspects. However, SIM cloning modules are easy to find and purchase by anyone if they look hard enough. Using this, a user is cut off from his/her mobile network and calls and messages are redirected to the new SIM in the attacker’s phone. To carry out a SIM cloning attack, the SIM being cloned has to be of the GSM type.

  1. SMS-C hack attack

All messages are required to pass to SMS-C servers placed in a mobile service provider’s network. Only after being processed by the SMS-C servers is the message transmitted to a mobile phone. If hackers manage to hack SMS-C servers, they can very easily gain access to all the messages entering and exiting the network. SMS-C servers are often protected by high-end security solutions which are hard to break through. However, it is not impossible.

  1. Brute force attack

In brute force attacks, any and all combinations of numbers are tried to get the right OTP. If the number of entries is limited, brute force attacks can become ineffective in gaining access to an account, simply due to the number of combinations available. It also helps if the OTP is 6 digits instead of 4 digits as the combinations required to successfully execute a brute force attack increases by a factor of 100. Due to such a poor success rate, brute force attacks are not preferred by hackers.

For organizations, there is no reliable way of finding if your employees’ numbers have been compromised. To ensure that your network is secure, we suggest looking for a less-risky option for authenticating your users. You could go for an improved multi-factor authentication method like using the biometrics of a person to verify his/her identity. While there are more sophisticated attacks which can hack a biometric authentication system, it would be almost impossible to recreate a person’s thumbprint or retina blood pattern.

With Akku from CloudNow Technologies, you can easily create a fool-proof identity and access management system by integrating multi-factor authentication using biometric scanners in your login process. To make a significant improvement to your network security by enforcing biometric multi-factor authentication, get in touch with us now.

The Importance of Single Sign-on for Educational Institutions

Let’s admit it: schools and universities today are not what they used to be back when we were growing up. Digitization has swept over almost every aspect of educational institutions. Classrooms have become “smart”, with blackboards being replaced or supplemented by LED screens. Students can simply log in to portals from where they can access information about grades, access lessons from learning apps, and more. Teachers don’t use physical attendance registers today; they mark the daily attendance of their students on tablets – data from which triggers automatic, customized messages to the parents of students who are absent from class.

With such revolutionary change taking over educational institutions, they are also under the rising threat of becoming the target of hackers. Therefore, it is important to ensure enhanced security across the network to prevent student and parent information from being exploited. What’s more, there are cases of students themselves becoming hackers these days – attempting to manipulate grades, using their fellow students’ information to bully them online, and engaging in other malicious activities.

Here are some ways in which a single sign-on solution can not only enhance security but also improve the efficiency of administrators in your educational institution.

Easy Provisioning and Deprovisioning

Every year, a set of students graduate and a new set of students are enrolled. This means that creating accounts and providing access to student portals is a never-ending process. More importantly, denying access to a student who no longer studies at the institution must not be overlooked.

With an SSO, administrators can view – in a single dashboard – all of the apps related to a particular user account and take action quickly and effectively without having to provision/deprovision accounts individually across apps or portals.

Instant Access to all Apps

A survey conducted in the USA showed that 25% of class-time is spent in troubleshooting and teachers trying to help students log in to their respective learning applications. In most cases, the use of multiple applications, and therefore multiple credentials, is the main problem here.

A single sign-on solution, as the name suggests, eliminates the need for multiple credentials, and with it, reduces the time taken to remember and correctly enter them. This also reduces the number of stray passwords, prevents users from writing down passwords and using other methods to remember credentials that are prone to compromise, and also reduces the time taken in resetting forgotten passwords.

Secure Password Policy Enforcement

Students of today may be sharp, but technology is sharper and acts as a double-edged sword. This is why, when it comes to protecting your network from brute-force attacks and other modern security threats, a strong password policy is essential. After all, a compromised password of a student could compromise the security of the entire network in more ways than one.

An SSO typically acts as the identity provider (IdP) to all the applications or portals used within the institution and, therefore, can be used to set up and enforce a strong password policy. This will ensure that passwords created by users of the institution’s applications meet a certain set of requirements with regard to length and complexity.

SSO and Beyond – Akku

Akku, by CloudNow, is an identity and access management solution that includes a powerful SSO functionality. But SSO is only one of many in a slew of features packed into this IAM solution.

Akku can also help you ensure safer interactions on the internet with filters, harness the power of YouTube for teaching/learning, use multi-factor authentication to restrict access to confidential data and more.

For more information on what Akku can do for your institution, get in touch today!

Hashing And Salting – The What And How

“irgvctxmsr” – sounds like gibberish, doesn’t it? But if you were to decrypt this string using a mono-alphabet shift cipher where each letter has been shifted to the right by 4 numbers, you would see that it spells “encryption”!

Protecting critical data and information by encrypting them was first performed by Julius Caesar in 120 BC. The art of encryption has been through several modern shifts, and currently most of the data on the internet is protected using sophisticated encryption algorithms like AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adlemen), ECC (Elliptic Curve Cryptography) and PGP (Pretty Good Privacy).

Deciphering an encrypted message requires a key. Nowadays, messages are encrypted using public keys and decrypted using private keys. The private keys are shared privately between two trusted parties. Losing a private key can be disastrous, as encrypted messages can then be read by anybody with access to the private key.

Password Hashing

While encryption is a two-way function and is primarily done with the intention of being decrypted, password hashing is a one-way function. Hashing allows us to use a mapping function to map data of any size to a fixed length. The resultant output is called the hash value. Technically, hashing is reversible – however, the computing power required to get the original message makes it impossible for the original message to be decoded. Simply put, encryption protects the data in transit while hashing is used to authenticate the data and lets you know if it has been tampered with.

Here is how it works – consider that you have a digital document that you have digitally signed and uploaded to your website for another person to download. Now, you will run a hash function on the document and another one on your digital signature and encrypt the resulting hash values. Once a designated person downloads the document, the browser decrypts the hash values using a key and runs the same hash function on the document. If the resulting hash values are the same for the sender and receiver, it means the document and signature have not been tampered with.

Modern hashing algorithms include SHA (Security Hashing Algorithm), RIPEMD, WHIRLPOOL, and TIGER.

Salted Passwords

Salting is the process of adding an additional layer of security to the hashing process by adding a unique value to the end of the password and hashing the new password. By adding even one letter to your password and hashing it, you can change its hash value and make it harder for interceptors to find your password. For example, if your password is “V67gHD92”, you can add a unique character or string to the end of it and make it something like “V67gHD92SPICE”. Here, the word “SPICE” is called the salt.

Salting a password protects any data from brute force attacks in which bots attempt every possible combination of letters and numbers until the password is cracked. However, if the attacker knows your salt, the entire process of salting becomes worthless.

In this day and age where network and information protection requires meticulous planning and dedicated resources, we at CloudNow Technologies want to make things easy for you. Our network security solution Akku is designed to protect your network against sophisticated and high-level attacks. To know more about how we can help you protect your network, get in touch with us now.

3 Important steps to improve network security against brute-force attacks

A brute-force attack is a type of cybercrime which involves automated hacking activity using bots. The primary aim of a brute-force attack is to crack a password in order to gain access to a user account in an unauthorized manner. Using the automation tool, an attacker repetitively attempts different alpha-numeric combinations at considerable speed – thousands per second – until the user’s password is determined and the account is unlocked.

With the advent of the cloud and the rapid innovations in technology, a brute-force attack has emerged as one of the most common types of outsider attack against web applications.

Here are three steps that will go a long way in improving the security of your network against brute-force attacks:

Enforce a strong password policy

A password is the first line of security when it comes to preventing unauthorized access. A strong password policy, therefore, can ensure that your users set up passwords that are strong and not easily compromised. Here are some important aspects you can regulate by setting up a password policy:

  • Password Length

A brute-force attack typically works by continuously trying every possible combination using numbers, letters and special characters. The shorter the password length, the fewer the combinations and the easier it is to crack. If the password length is known (or is fixed), again, it becomes easy for the attacker to attempt combinations of that particular length, although it will take longer depending on its length.

  • Password Complexity

A dictionary attack is a subset of the brute-force attack, which attempts to crack a password by trying all English words and then trying them with multiple combinations of other words and numbers. If users are setting simple passwords because they are easy to remember, they will also be easier to crack.

  • Password Expiry

Periodically, the system must prompt the user to change their password so that any possible ongoing attack can be effectively guarded against. Moreover, this practice will also mitigate undetected breaches of privileged accounts.

Use multi-factor authentication

Multi-factor authentication puts an additional layer of security between the brute-force attacker and your data. With MFA, even if the password has been correctly identified by the bot, the attacker will be unable to proceed because the system will require either an OTP or a confirmation from a different device (such as a smartphone app).

Another way to set up an additional layer of security at the login point would be to use a captcha – a box showing warped text or images and require manual entry of a response. This will effectively keep out a bot that is executing automated scripts.

Set up an account lockout policy

Set up a policy wherein you can detect and block suspicious login attempts. Locking an account after three failed login attempts, or attempts to login from a different country or an unlikely hour can prevent intruders from entering into the system. To resume work, the authorized user will need to seek administrator intervention to unlock the account.

You can also set up a progressive delay lockout wherein an account is locked for a fixed period of time after a certain number of failed login attempts. The lockout period can progressively increase with the increasing number of failed attempts and helps keep out brute-force attack bots long enough to make them ineffective.

Akku is an Identity and Access Management (IAM) solution that comes equipped security features to accomplish all the steps described above. Whether you are working with cloud-based or on-premise apps or a combination of both, Akku can help you protect your data from brute-force attacks. Contact us today.

What is Zero Trust Security?

As organizations increasingly place their data and applications across multiple locations on the cloud, zero trust security is rapidly gaining ground as the network security model of choice among enterprises.

Zero Trust Security is a security model in which a user, irrespective of whether he/she is within or outside the network perimeter, requires an additional verification to get access into a network. There is no particular technology or software product associated with this security model. It simply requires an additional security layer to verify users. This could be anything from biometric verification like thumb-print scanning, or a digital signature verification. Of the two, biometric verification is preferable as it can neither be recreated nor hacked.

Traditionally, organizations have been using what is referred to as the castle-and-moat approach to network security. In this model, the network is the ‘castle’ which is protected by security solutions as a ‘moat’. With this approach, part-of-the-network users were blindly trusted and allowed to enter the castle. However, as companies grew, their data and applications grew with them and the need to split them and store them in multiples silos rose. It also became easier for hackers to gain entry into a “protected” network by accessing a single user’s credentials.

Instead of the castle-and-moat model, adopting the zero trust security model and adding an additional layer of security to a network has been shown to prevent instances of data breaches.

Principles behind zero trust security

1. Trust no one: The model assumes that all the users of the network are potential attackers and hence, no users or systems are to be automatically trusted.

2. Least-privilege access: The users are given access based on a need-to-use basis and nothing more. This can eliminate each user’s exposure to vulnerable parts of a network.

3. Microsegmentation: The entire network is split into segments, each with its own authentication process.

4. Multi-factor authentication: Access to the network requires additional evidence that the user is legitimate.

The network of an organization is its gold mine and most organizations are increasing their spend on network security. Implementing a zero trust security model can go a long way in protecting your network from breaches.

Akku from CloudNow is an intelligent security solution which helps you enforce a zero trust security policy. To know more about its features and how it can benefit your organization’s network security, get in touch with us now.

Protect your Business from Privilege Abuse with IAM

Privilege abuse – that is the security threat that your business’s IT team is most worried about. According to a survey conducted in March 2014 among more than 4000 IT security executives, over 88% of them fear that users who have access to the organization’s applications and data are the ones who are most likely to compromise it and lead to a security breach.

Privilege abuse, or privileged user abuse, refers to the inappropriate or fraudulent use of permitted access to applications and data. This could be done, either maliciously, accidentally or through ignorance of policies. In addition to causing financial losses, such insider breaches also damage the organization’s reputation, sometimes irreparably.

Continue reading Protect your Business from Privilege Abuse with IAM

Why is multi-factor authentication indispensable?

Ever heard of the butterfly theory? A single flap of a butterfly’s wings in Australia has the potential to cause a tsunami in Indonesia. Similarly, a minor tweak in your IT infrastructure has the potential to make every node of your network vulnerable to serious attacks, irrespective of their relationship. To ensure that network security remains as streamlined as possible through any number of changes to your IT systems, it is crucial to add a virtually unhackable component to your network security.

Continue reading Why is multi-factor authentication indispensable?

Why data breaches happen & what you can do to stop them

War seems to have taken a new form in the Information age. Large corporations have reported increased data breaches in the last couple of years and the number is all set to increase in 2019.

Continue reading Why data breaches happen & what you can do to stop them

The IAM Imperative: Through An SMB’s Eyes

Today’s MNCs were once small or medium businesses (SMBs). Small and medium businesses are the proving ground for emerging technology, as they have tight budgets and require specific, targeted functionality that suits their style and processes. Once products and solutions pass this litmus test, they start becoming more mainstream, being absorbed more widely by companies and consumers.

Continue reading The IAM Imperative: Through An SMB’s Eyes

Password Managers can be Hacked. Now What?

On average, every person has 7.6 accounts – that’s a lot of user IDs and passwords for an individual! Remembering the user ID and password for all these accounts is obviously very cumbersome, and third party service providers have capitalized on this to provide password management services. A password manager is essentially a single repository for all your credentials. Two very popular password managers are LastPass and Dashlane. These are applications which will store your credentials in a “secure” database. However, they haven’t been spared by hackers, who breached their security to get access to thousands of user credentials.

Continue reading Password Managers can be Hacked. Now What?