Like the sprouting of poisonous mushrooms after a heavy rain, the latest
international “mugging” of Israel in the world media has been followed by a
concerted cyberattack on Israeli Web sites by hackers, crackers and (mostly)
script kiddies from around the world.
Taking advantage of programming
loopholes left open by oblivious system administrators, the hackers were able to
reach hundreds of sites, marking them up with anti-Israel graffiti, or just
leaving their “calling cards,” mostly in the form of expletive
deleteds.
Fortunately, most of the pages that were hacked were front pages for businesses, organizations, etc. – nothing that couldn’t be fixed with a little effort by Web programmers. But what if instead of front pages the hackers had attacked e-commerce, database, government or corporate sites with sensitive information? As experience has shown, even the most secure sites aren’t always so secure; couldn’t a dedicated group of hackers pooling their resources cause a major problem for the Israeli economy, at least temporarily? What if they made a major effort to bring down a major banking site, a government database or the Bank of Israel? I think it would be safe to assume that some of the more sophisticated anti-Israel hackers out there are working on just such a plan.
And unfortunately, the models of security used by most sites – even the most secure ones – lend themselves to hacking, says Ittai Weissberg, founder and CEO of Israel’s Otenti. “Most authentication for secure Web sites is not dynamic but static, meaning that the user must identify himself or herself when challenged by a server using a password or token [such as a smart card],” he says. “While there may be several security layers that try to ensure the authenticity of the response, passwords and smart cards are not changed all that often, so hackers have time to work on cracking them. Even the most sophisticated security systems are, in essence, sitting ducks.” Otenti’s Access product is one of the most advanced implementations of “out-of-band” authentication – a system that presents the challenge and accepts the response on a medium other than the object of authentication.
For example, subscribers of several Israeli cellphone companies, including Orange, use out-of-band authentication when they want to retrieve their account statements. You get an e-mail telling you your bill is ready, you click on the link and log onto the company’s secure server. Then you are sent an SMS with a secret code you are supposed to type on the site, and you can then download your bill. It’s a lot more secure than “in-band” authentication, where all challenge and authentication is done using the same channel.
But why stop at SMS messages, Weissberg asks: “What the cellphone companies do is fine, but they, of course, make use of their own phones to do the authentication. While that makes sense for them, it doesn’t always make sense for many other sites. Sites not associated with cellphone-service providers can’t be sure that users have phones they can use to send their messages out on, or that users even have cellphones at all. Other sites and organizations use things like smart cards, USB tokens, etc. But all those things can be lost, stolen, or even hacked as well.” Once again, the time factor comes into play: The more time hackers have to work on an authentication system, the more likely they are to figure out a way to hack it, regardless of how secure it is. And if you need to authenticate yourself at more than two or three sites, you need to either carry multiple cards and tokens, or remember all sorts of complicated passwords.
Other organizations use biometrics for authentication, but even biometrics aren’t foolproof, as fans of many TV spy shows are probably aware.
It’s better, Weissberg says, to use Otenti’s authentication system, which makes it far more difficult for hackers to get hold of the data they can use to invade secure systems. Instead of using specific objects as authentication devices, Otenti’s system uses just about anything – any device, hardware or software that you can communicate with – to send temporary out-of-band authentication codes. Hackers who want to invade a system using an individual’s account have to figure out what device the user has chosen for this round of authentication.
Will customers use the Web, cellphone, landline, Facebook account, or plain old PC for authentication? While hackers have the ability to tap into any of these devices, it’s a lot of work – too much for even a sophisticated hacker team to handle. Unless they’re willing to dedicate all their resources to hacking into all these devices all the time, performing analyses on all the data going through all the pipes – and are able to analyze the information and figure out the security codes in a matter of seconds, and use them to invade the system during the short window that the authentication process is active – they will not be able to find their way into the sensitive security sites they seek to crash or compromise.
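The out-of-band flow described above (the challenge on the Web channel, a one-time code delivered on a second channel, a short validity window, and a different channel possibly chosen each round) as an added illustration written for this page; it is neither Otenti’s code nor the cellphone companies’ systems. The channel names, the 120-second window, the three-attempt budget and the in-memory outbox that stands in for SMS or e-mail delivery are all assumptions so the example runs offline:

```python
"""Server-side out-of-band (OOB) challenge/response verifier.

Added example, not Otenti's product. Assumptions: the user's password has
already been checked on the Web channel, the user registered one or more
OOB channels, and delivery is simulated by appending to OUTBOX.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed: a captured code goes stale within two minutes
MAX_ATTEMPTS = 3         # assumed: guessing budget per challenge
CODE_DIGITS = 6

OUTBOX = []    # simulated OOB deliveries: (channel, address, message)
PENDING = {}   # challenge_id -> server-side state; never leaves the server


def _hash_code(challenge_id, code):
    # Keep only a keyed hash so a leaked PENDING table does not expose live codes
    return hmac.new(challenge_id.encode(), code.encode(), hashlib.sha256).hexdigest()


def issue_challenge(user, channels, now=None, rng=secrets):
    """Choose one registered OOB channel at random, send a fresh one-time code
    there, and store only its hash, an expiry and an attempt counter.
    Returns the challenge id that the Web session must present with the code."""
    now = time.time() if now is None else now
    channel, address = rng.choice(channels)           # this round's channel
    code = "".join(str(rng.randbelow(10)) for _ in range(CODE_DIGITS))
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = {
        "user": user,
        "hash": _hash_code(challenge_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    OUTBOX.append((channel, address, f"Your login code is {code}"))
    return challenge_id


def verify_response(challenge_id, user, code, now=None):
    """Accept the code only if it belongs to this user, is unexpired, is still
    within the attempt budget, and matches. Any success or terminal failure
    discards the challenge, so a code can never be replayed."""
    now = time.time() if now is None else now
    ch = PENDING.get(challenge_id)
    if ch is None or ch["user"] != user:
        return False
    if now > ch["expires"]:
        PENDING.pop(challenge_id, None)               # window closed
        return False
    ch["attempts"] += 1
    if ch["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(challenge_id, None)               # guessing budget exhausted
        return False
    if not hmac.compare_digest(ch["hash"], _hash_code(challenge_id, code)):
        return False                                   # wrong code, may retry
    PENDING.pop(challenge_id, None)                    # single use
    return True


if __name__ == "__main__":
    # Constructed sample: a user with two registered OOB channels
    registered = [("sms", "+000-0000-constructed"), ("email", "user@example.invalid")]
    cid = issue_challenge("alice", registered)
    channel, address, message = OUTBOX[-1]
    print(f"sent via {channel} to {address}: {message}")
    typed = message.split()[-1]   # what the user reads off the second channel
    print("login accepted:", verify_response(cid, "alice", typed))
    print("replay accepted:", verify_response(cid, "alice", typed))
```

The separation that matters is that the code travels on a channel the Web session never sees, and the server keeps no copy of the plaintext code; the expiry, attempt cap and single-use removal are what make a captured or guessed code worthless after the window the article describes.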
“While I can’t say that it’s impossible that a site won’t get hacked using Otenti security, it’s safe to say that such an outcome would be virtually impossible,” Weissberg says.
Otenti’s system is currently installed in several Israeli medical centers and on a major government Web site and database, and the company is set for a major campaign to promote its products both here and abroad in the coming months.
One attractive feature of Otenti is its low cost, Weissberg says. Since there is no hardware purchase involved, the costs are low “for organizations of five to 5 million.” (Several of the biggest security companies providing authentication make most of their money from hardware, smart cards, etc., he says.) “Otenti’s solution is also perfect for the cloud, enabling users to securely access their data on remote servers,” Weissberg says. “Wherever you are, whatever you do, you can be confident that your identity can be verified safely and securely.” With Otenti, the anti-Israel crowd will have one less way to attack us.