Feds Back Projects to Bolster Online ID Verification
This week in security news: The federal government is issuing grants to fund projects that will enhance online privacy and identity verification; VirginMobile has taken steps to strengthen its password security following revelations that it was woefully weak and Microsoft rushed out a patch for a zero-day flaw that had been discovered a week before.
09/24/12 5:00 AM PT
When Paul Steiner published his 1993 cartoon in The New Yorker with the caption, "On the Internet, no one knows you're a dog," little did he know it would become a mantra among security professionals, especially those concerned about authenticating identities on the Net.
The job of finding ways to identify dogs in cyberspace has been assigned to the National Strategy for Trusted Identities in Cyberspace, better known as NSTIC. And last week the agency announced the award of US$10 million for five pilot projects aimed at improving authentication, security and privacy on the Net in industries ranging from healthcare to education to online payments.
"Our strategy is for the private sector to work in partnership with the government to create an identity ecosystem," Jeremy Grant, the head of NSTIC's National Program Office, explained to TechNewsWorld. That ecosystem, he said, would be a marketplace of different solution providers where any citizen could choose from a variety of credential providers and obtain a strong credential for online activity.
"This is quite a sea change because NSTIC will help in leading the way for a collaboration between commercial, government and citizen interest unlike ever before," Geoff Slagle, the American Association of Motor Vehicle Administrators' director for Identification Standards, told TechNewsWorld.
The pilots will be attempting to bring NSTIC's paper strategies into the real world. "The pilots take the vision and principles in our strategy and translate them into solutions that will be in the marketplace," Grant observed.
Grants for the five pilot projects were awarded to:
- The American Association of Motor Vehicle Administrators: $1,621,803 to lead a consortium to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce.
- Criterion Systems: $1,977,732 to allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience.
- Daon, Inc.: $1,821,520 to demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer-friendly Identity Ecosystem, employing user-friendly identity solutions that leverage smart mobile devices to maximize consumer choice and usability.
- Resilient Network Systems: $1,999,371 to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology.
Virgin Mobile Password Snafu
Password practices at Virgin Mobile's website were criticized last week for their lack of security.
Kevin Burke, a developer at API designer Twilio, publicly aired his concerns about the password practices at the site after a month of trying to wake up Virgin to its problems.
Account holders are forced to use a six-digit number for a password, he explained. There are only a million possible combinations for such a password, which would be child's play for a hacker to crack, he maintained.
Worse yet, Virgin did not have a limit on the number of consecutive unsuccessful tries that could be entered at the site, making it even easier to "brute force" an account's password. Once Burke made his concerns public and the media began spreading them across the Internet, Virgin added a failed-try limit to its site.
That limit scheme, though, is defective, according to Burke. "If you tried five wrong passwords in a browser, which sends the same cookies with every request, Virgin would lock you out and tell you to contact support," he explained to TechNewsWorld.
"However," he continued, "you could get around this by clearing your cookies or not sending cookies in the first place."
"In essence, Virgin was asking me to tell them how many times I'd failed to log in in the past," he added. "Without cookies, you could try as many wrong passwords as you wanted until you guessed the right one."
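The two lockout designs Burke contrasts, as an added example that is not from the article or from Virgin Mobile: one counts failures in a client-held cookie, the other counts them server-side per account. The account name and PIN are constructed sample data.

```python
import hmac

PIN_SPACE = 10 ** 6      # six decimal digits: one million candidates
MAX_FAILURES = 5         # the lockout threshold described in the article

# Constructed sample account; not real data.
PINS = {"alice": "482913"}

def check_pin(user, pin):
    return hmac.compare_digest(PINS.get(user, ""), pin)

def login_cookie_counter(user, pin, cookies):
    """Lockout keyed on a client-held cookie (the design the article criticises).
    Returns (status, new_cookies); status is 'ok', 'wrong' or 'locked'."""
    failures = int(cookies.get("failures", "0"))   # server trusts the client's own count
    if failures >= MAX_FAILURES:
        return "locked", cookies
    if check_pin(user, pin):
        return "ok", {"failures": "0"}
    return "wrong", {"failures": str(failures + 1)}

class AccountCounter:
    """Lockout keyed on the account being targeted, held server-side."""
    def __init__(self):
        self.failures = {}

    def login(self, user, pin):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"          # locked no matter what the client sends
        if check_pin(user, pin):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "wrong"

def evaluated_cookie(n, keep_cookies):
    """Send n wrong guesses against the cookie design; count how many the server checked."""
    cookies, evaluated = {}, 0
    for i in range(n):
        status, new_cookies = login_cookie_counter("alice", f"{i:06d}", cookies)
        evaluated += status != "locked"
        cookies = new_cookies if keep_cookies else {}   # a client may simply discard them
    return evaluated

def evaluated_account(n):
    """Same n wrong guesses against the server-side design."""
    server, evaluated = AccountCounter(), 0
    for i in range(n):
        evaluated += server.login("alice", f"{i:06d}") != "locked"
    return evaluated
```

With cookies kept, both designs stop checking after five failures; with cookies dropped, the cookie design checks every guess, so the million-candidate space remains fully searchable.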
Microsoft Pushes IE Patch
Following recommendations by a chorus of security experts that users stop using its Internet Explorer web browser because of a zero-day vulnerability discovered in the software last week, Microsoft pushed out a patch last Friday to address the problem.
In addition to the public vulnerability, the patch also addressed four flaws privately reported to it, the company explained in a security bulletin.
"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer," the bulletin noted. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user."
While vulnerabilities in Internet Explorer used to be common, in recent times Microsoft has done a good job of tightening up the software's security. For example, it has been two years since a zero-day vulnerability has been discovered in the browser, according to Tony Bradley, writing for PCWorld.
- Sept. 17: Hacker group calling itself NullCrew posts to the Internet some 4,000 names and a handful of passwords they claim were stolen from the University of Cambridge Press. The university denies any breach took place.
- Sept. 17: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates agree to pay $1.5 million to the U.S. Department of Health and Human Services for violating the agency's information security rules.
- Sept. 18: U.S. Court of Appeals allows case to proceed against AvMed Health Plans, of Florida, for 2009 data breach resulting from theft of two laptops from one of the company's facilities. Personal information for some 1.22 million people may have been compromised by the breach.
- Sept. 18: Kentucky-based Cabinet for Health and Family Services notifies some 2,500 clients that a phishing attack on an email account on its system could have compromised their personal identifying information. Officials of the provider said they were "pretty confident" the information hadn't been accessed by the intruders, but were required by state law to send out the notification.
- Sept. 18: A group calling itself Afghanistan Hackers posts to the Pirate Bay website a file containing tens of thousands of user names and passwords from BitTorrent tracker RevTT.
Upcoming Security Events
- Sept. 25: Security Awareness -- Maybe It's Not About the Users. 2 p.m. ET. RSA webcast. Free with registration.
- Sept. 27: Foundational Cyberwarfare (Plan X) Proposer's Day Workshop. 9 a.m.-4 p.m. ET. DARPA Conference Center, 675 N. Randolph Street, Arlington, Va. Closed to media and public. Unclassified session in the morning. U.S. DOD Secret clearance needed to attend afternoon session.
- Oct. 1: Launch of "S&TI Flash Traffic," a monthly summary of R&D activities for 14 high risk nation states -- states with high levels of hacker activity or acts of cyber espionage -- published by Taia Global. Annual subscription $250 until October 1, $500 thereafter.
- October 3-5: 2012 National Cybersecurity and Innovation Conference. Baltimore Convention Center, 1 West Pratt Street, Baltimore. Sponsored by SANS. Registration: US$1995.
- Oct. 7-13: Forensics Prague 2012. Angelo Hotel, Prague, Czech Republic. Sponsored by SANS. Course prices range from Euro 650 to Euro 3,895.
- Oct. 9-11: Crypto Commons. Hilton London Metropole, U.K. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
- Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
- Oct. 18: Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance Cap: 130. Registration: Early Bird, $295 (by Sept. 18); Standard, $395 (by Oct. 17).
- October 20-21: Ruxcon 2012. Melbourne, Australia. Registration: AUS$350.
- October 22-23: Cybersecurity Conference. Grand Hyatt, Washington, D.C. Managed by 1105 Media. Expo Admission: Free. Conference Registration: US$295 for government employees; US$495 for others.
- Oct. 25-31: Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.
- Nov. 3-6: Information Security Forum Annual World Congress. Chicago.
- Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration starts in Sept.