Like the sprouting of poisonous mushrooms after a heavy rain, the latest international “mugging” of Israel in the world media has been followed by a concerted cyberattack on Israeli Web sites by hackers, crackers and (mostly) script kiddies from around the world. Taking advantage of programming loopholes left open by oblivious system administrators, the hackers were able to reach hundreds of sites, marking them up with anti-Israel graffiti, or just leaving their “calling cards,” mostly in the form of expletives.
Fortunately, most of the pages that were hacked were front pages for businesses, organizations, etc. – nothing that couldn’t be fixed with little effort by Web programmers. But what if instead of front pages the hackers had attacked e-commerce, database, government or corporate sites with information? As experience has shown, even the most secure sites aren’t so secure; couldn’t a dedicated group of hackers pooling their resources cause a major problem for the Israeli economy, at least temporarily? What if they made a major effort to bring down a major banking site, a government database, the Bank of Israel? I think it would be safe to assume that some of the more sophisticated anti-Israel hackers out there are working on just such a
And unfortunately, the models of security used by most sites – even the most secure ones – lend themselves to hacking, says Ittai Weissberg, CEO of Israel’s Otenti. “Most authentication for secure Web sites is not dynamic but static, meaning that the user must identify himself or herself when challenged by a server using a password or token [such as a smart card],” he says. “While there may be several security layers that try to ensure the authenticity of the response, passwords and smart cards are not changed often, so hackers have time to work on cracking them. Even the most sophisticated security systems are, in essence, sitting ducks.” Otenti’s product is one of the most advanced implementations of “out-of-band” authentication – a system that presents the challenge and accepts the response on a medium other than the object of authentication.
Subscribers of several Israeli cellphone companies, including Orange, use out-of-band authentication when they want to retrieve their account information. You get an e-mail telling you your bill is ready, you click on the link and log onto the company’s secure server. Then you are sent an SMS with a secret code you are supposed to type on the site, and you can then download your bill. It’s a lot more secure than “in-band” authentication, where all challenge and authentication is done using the same channel.
But why stop at SMS messages, Weissberg asks: “What the cellphone companies do is: they, of course, make use of their own phones to do the authentication. While that makes sense for them, it doesn’t always make sense for many other organizations. Sites not associated with cellphone-service providers can’t be sure that users have phones they can use to send their messages out on, or that users have cellphones at all. Other sites and organizations use things like smart cards, USB tokens, etc. But all those things can be lost, stolen, or even hacked as well.” Once again, the time factor comes into play: The more time hackers have to work on an authentication system, the more likely they are to find a way to hack it, regardless of how secure it is. And if you need to authenticate yourself at more than two or three sites, you need to carry multiple cards and tokens, or remember all sorts of complicated passwords. Other organizations use biometrics for authentication, but even biometrics aren’t foolproof, as fans of many TV spy shows are probably aware.
It’s better, Weissberg says, to use Otenti’s authentication system, which makes it far more difficult for hackers to get hold of the data they use to invade secure systems. Instead of using specific objects as authentication devices, Otenti’s system uses just about anything – any hardware or software that you can communicate with – to send temporary out-of-band authentication codes. Hackers who want to invade a system or an individual’s account have to figure out what device the user has chosen for each round of authentication.
Will customers use the Web, cellphone, landline, Facebook account, or plain old PC for authentication? While hackers have the ability to tap into any of these devices, it’s a lot of work – too much for even a sophisticated hacker team to handle. Unless they’re willing to devote their resources to hacking into all these devices all the time, running analyses on all the data going through all the pipes – and are able to process the information, figure out the security codes, and use them to invade the system during the short window that the authentication process is active – they will not be able to find their way into the security sites they seek to crash or compromise.
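The flow described above (a temporary code pushed over a second channel, typed on the site, and valid only for a short window, with the channel chosen per round) can be sketched on the server side. This is an added example, not Otenti’s product or code; the 120-second window, the three-attempt limit, the `send` delivery callback and the constructed addresses are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumption: the "short window" during which a code is live
MAX_ATTEMPTS = 3         # assumption: a challenge dies after a few wrong guesses


class OutOfBandAuth:
    def __init__(self, send, clock=time.time, ttl=CODE_TTL_SECONDS):
        self._send = send        # callable(channel, address, code): the out-of-band delivery
        self._clock = clock      # injectable clock so expiry is testable offline
        self._ttl = ttl
        self._pending = {}       # user -> one live challenge at a time

    def start(self, user, channel, address):
        # Fresh 6-digit code from a CSPRNG; the site never shows it, only the channel does.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"channel": channel, "code": code, "at": self._clock(), "tries": 0}
        self._send(channel, address, code)

    def verify(self, user, submitted):
        ch = self._pending.get(user)
        if ch is None:
            return False                      # nothing outstanding, or already consumed
        if self._clock() - ch["at"] > self._ttl:
            del self._pending[user]           # window closed: code is worthless now
            return False
        ch["tries"] += 1
        if ch["tries"] > MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: force a new round
            return False
        if not hmac.compare_digest(ch["code"], submitted):   # constant-time comparison
            return False
        del self._pending[user]               # success consumes the code, so replay fails
        return True


def demo():
    # One round over SMS, one over e-mail; every address and value here is constructed.
    sent, clock = [], [1_000.0]
    auth = OutOfBandAuth(send=lambda c, a, code: sent.append((c, a, code)),
                         clock=lambda: clock[0])
    auth.start("alice", "sms", "+972-5x-xxx-xxxx")
    code = sent[-1][2]
    wrong = auth.verify("alice", "000000" if code != "000000" else "999999")
    right = auth.verify("alice", code)
    replay = auth.verify("alice", code)
    auth.start("alice", "email", "alice@example.invalid")
    clock[0] += CODE_TTL_SECONDS + 1                   # let the window lapse
    expired = auth.verify("alice", sent[-1][2])
    return {"wrong": wrong, "right": right, "replay": replay, "expired": expired,
            "channels": [s[0] for s in sent]}
```

The user-facing part (the e-mail link and the form field) is omitted; the point is that the code is generated and checked only on the server, while its delivery goes over whatever channel was picked for that round.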
“While I can’t say that it’s impossible that a site won’t get hacked using Otenti security, it’s safe to say that such an outcome would be virtually impossible,” Weissberg says. Otenti’s system is currently installed in several Israeli medical centers and on a major government Web site and database, and the company is preparing for a major campaign to promote its products both here and abroad.
One attractive feature of Otenti is its low cost, Weissberg says. Since there is no hardware purchase involved, the costs are low “for organizations of five to 5 million.” (Several of the biggest security companies providing authentication make most of their money from hardware, smart cards, etc., he says.) “Otenti’s solution is also perfect for the cloud, allowing users to securely access their data on remote servers,” Weissberg says. “Wherever you are, whatever you do, you can be confident that your identity will be verified safely and securely.” With Otenti, the anti-Israel crowd will have one less way to attack us.