Malware

SPOTLIGHT ON SECURITY

Apple Watch Could Be a Password Alternative

An Apple Watch app could free an enterprise from user names, passwords, physical IDs and badges. "If you think about enterprise security and security in general, what you find is that for something to be more secure, it has to be less convenient," said MicroStrategy President Paul Zolfaghari. "It's the opposite with the Apple Watch. You get greater security with a higher level of convenience."

With password tolerance levels at an all time low, alternatives to the pesky and insecure authenticators are beginning to abound. One of those alternatives could be the Apple Watch.

Even before Apple’s latest gadget began shipping last week, MicroStrategy announced it was extending its Usher enterprise security solution to the Apple Watch.

Usher, launched earlier this year, lets an enterprise use smartphones to authenticate its users and eschew user names, passwords and tokens. The solution has two parts: a back end that runs in the cloud, and an app that runs on mobile phones.

Usher on the Apple Watch allows it to act as a digital key that employees can use to log in to business systems, unlock devices, validate an identity and open entryways.

The Usher app uses all of the Apple Watch’s repertoire — glances, notifications and force touch — to perform its functions. It is designed to detect a variety of business systems through a wireless connection as users approach.

For example, as a user walks up to a workstation, a notification will appear on the watch to unlock the hardware, which can be done with a tap of the timepiece.

Security Plus Convenience

With Usher, an enterprise can remove the need for user names, passwords, physical IDs and badges, and replace them with a software key that can reside on a smartphone or the Apple Watch.

“That can be a transformational and important application for the enterprise, because it rids it of one of the real weaknesses in enterprise security,” said Paul Zolfaghari, president of MicroStrategy.

“What the watch does is give Usher one more level of convenience,” he told TechNewsWorld.

Actually, the watch may be better suited for authentication than a phone.

“The watch is designed for short interactions,” Zolfaghari explained. “A short but important interaction is the transaction that takes place when somebody is being granted authorization to do something.”

The watch has another benefit for the overseers of enterprise security.

“If you think about enterprise security and security in general, what you find is that for something to be more secure, it has to be less convenient,” Zolfaghari said.

“It’s the opposite with the Apple Watch,” he continued. “You get greater security with a higher level of convenience.”

Bad Password Hygiene

As if any more evidence were needed about the insecurity of passwords, LogRhythm released the latest in a long line of surveys finding that users continue to ignore good password hygiene — except in maybe one instance.

Only 19 percent of users created unique passwords for all their accounts, according to the survey of 520 full-time employees at organizations with 250 or more employees in a number of industries.

However, when it came to their personal banking accounts, 78 percent of the respondents said they used a unique password there.

Despite the apparent concern users have over their personal finances, there seems to be little change in their general attitude toward password hygiene.

“Weak and stolen credentials is still one of the most common threat vectors used by the bad guys,” said Mike Reagan, chief marketing officer at LogRhythm.

In addition to finding 81 percent of participants reused passwords in one way or another, the survey found that 79 percent of the respondents changed their passwords less frequently than once per month.

“The reality is that credentials are going to be stolen. The question is, what is the value of a credential to a bad actor?” Reagan said.

“The value of a stolen password drops precipitously when a person frequently changes passwords,” he continued. “If I’m changing my password every 15 days, I’m really limiting the value of my stolen credentials.”

Zombie Apps

Appthority waved a red flag last week over a what it sees as a growing problem in the mobilesphere: zombie apps.

Zombie apps are created when a program is removed from an app store but remains on a person’s device. Apps can be removed for any number of reasons — a developer pulls it because he doesn’t want to support it anymore, or the operators of the store toss it for violating their terms and conditions.

“When it’s removed from an app store and not from the devices, it’s the equivalent of announcing a product recall and not recalling the product,” said Domingo Guerra, president and cofounder of Appthority.

“It’s like saying, ‘We can’t sell this car anymore because it’s not safe,’ but not telling the people who are driving the car,” he told TechNewsWorld.

Because zombie apps are no longer supported by a developer, any flaws found in them by bad actors can be exploited without fear of being corrected. That can make them dangerous to a user — even more so than mobile malware.

“We looked at over 500,000 apps on enterprise devices,” Guerra said.

“Less than half a percent contained malware. More than 5 percent of iOS devices, and almost 4 percent of Android devices were dead apps,” he noted.

“We also found that every single enterprise has dead apps,” added Guerra. “That’s not true of malware.”

There would be a major corporate data breach this year that leverages a mobile device, Guerra predicted.

“We’re starting to see mobile devices replacing laptops and desktops in the enterprise. The [attack] surface vector is increasing tremendously because of that,” he explained. “We also seeing more and more work being done on mobile devices, so the value of the data on them is increasing.”

Breach Diary

  • April 21. A group of small banks and credit unions request injunction against completion of US$19 million settlement announced March 19 between Target and Master Card. Group claims settlement is designed to undermine its claims against the retailer for data breach that placed at risk personal and payment card information of 103 million customers.
  • April 21. Senate Majority Leader Mitch McConnell introduces bill to reauthorize Section 215 of the Patriot Act through 2020 without ending blanket surveillance of Americans by U.S. intelligence agencies.
  • April 22. H.R. 1560, the Protecting Cyber Networks Act, passes the U.S. House of Representatives on vote of 307-116.
  • April 23. H.R. 1731, the National Cybersecurity Protection Advancement Act, passes U.S. House on vote of 355-63.
  • April 23. Adobe grants extension to the end of May to finalize a settlement of consolidated class lawsuits resulting from data breach that compromised some 3 million payment card records.
  • April 23. Gen. David Petraeus sentenced to two years probation and a $100,000 fine for illegally disclosing classified information to his mistress, including code-word information, detailed discussions with the president, and the names of covert operatives.
  • April 24. Seton Family of Hospitals in Texas informs some 39,000 patients that their personal information may be at risk following data breach discovered by the organization Feb. 26.
  • April 24. Congressional Budget Office estimates cost of implementing the Data Breach and Notification Act passed by Congress April 22 will be $1 million. Those costs, however, will be offset by $9 million in revenue from collection of fines imposed by the proposed law.

Upcoming Security Events

  • May 2. Now that We Know: Technology, Law, Journalism and Policy after Snowden. 12:30-5 p.m. ET. Friends Center Convocation, Princeton University, Princeton, New Jersey. Forum sponsored by the Center for Information Technology Policy, the Program in Law and Public Affairs and the Woodrow Wilson School. Free with registration.
  • May 2. B-Sides San Antonio. Texas A&M, Brooks City Base, San Antonio, Texas. Fee: $10.
  • May 5. Preventing fraud in the Contact Center. 11 a.m. ET. Webinar sponsored by Contact Solutions, IDology and Pindrop Security. Free with registration.
  • May 5. Why DDoS Attacks Are A More Serious Threat Than Ever. 2 p.m. ET. Dark Reading webinar. Free with registration.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • May 9. B-Sides Boston. Microsoft 1 Cambridge Center, Cambridge, Massachusetts. Fee: $20.
  • May 13. SecureWorld Houston. Norris Conference Center, Houston, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • May 14. B-Sides Denver. Society Denver, 1434 Blake St., Denver, Colorado. Free.
  • May 15. B-Sides Knoxville. Scruffy City Hall, 32 Market Square, Knoxville, Tennessee. Fee: TBD.
  • May 16. B-Sides Chicago. Concord Music Hall, 2047 N. Milwaukee Ave., Chicago. Free.
  • May 27-28. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), 2 Galleria Parkway Southeast, Atlanta. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • May 30. B-Sides New Orleans. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Cost: $10.
  • June 8-10. SIA Government summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, Pounds 600.
  • June 17. SecureWorld Portland. DoubleTree by Hilton. 1000 NE Multnomah, Portland, Oregon. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 28-Oct. 01. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300; June 1-Aug. 31 — $995, $1,250, $1,045, $350; Sept. 1-Oct. 1 — $1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels