Stellar Startups

Keeping anti-Israel hackers off our Web.

By DAVID SHAMAH
Weissberg 311 (photo credit: Otentl)
Weissberg 311
(photo credit: Otentl)
Like the sprouting of poisonous mushrooms after a heavy rain, the latest international “mugging” of Israel in the world media has been followed by a concerted cyberattack on Israeli Web sites by hackers, crackers and (mostly) script kiddies from around the world.
Taking advantage of programming loopholes left open by oblivious system administrators, the hackers were able to reach hundreds of sites, marking them up with anti-Israel graffiti, or just leaving their “calling cards,” mostly in the form of expletive deleteds.
Fortunately, most of the pages that were hacked were front pages for businesses, organizations, etc. – nothing that couldn’t be fixed with a little effort by Web programmers. But what if instead of front pages the hackers had attacked e-commerce, database, government or corporate sites with sensitive information? As experience has shown, even the most secure sites aren’t always so secure; couldn’t a dedicated group of hackers pooling their resources cause a major problem for the Israeli economy, at least temporarily? What if they made a major effort to bring down a major banking site, a government database or the Bank of Israel? I think it would be safe to assume that some of the more sophisticated anti-Israel hackers out there are working on just such a plan.
And unfortunately, the models of security used by most sites – even the most secure ones – lend themselves to hacking, says Ittai Weissberg, founder and CEO of Israel’s Otenti.
“Most authentication for secure Web sites is not dynamic but static, meaning that the user must identify himself or herself when challenged by a server using a password or token [such as a smart card],” he says. “While there may be several security layers that try to ensure the authenticity of the response, passwords and smart cards are not changed all that often, so hackers have time to work on cracking them. Even the most sophisticated security systems are, in essence, sitting ducks.” Otenti’s Access product is one of the most advanced implementations of “out-of-band” authentication – a system that presents the challenge and accepts the response on a medium other than the object of authentication.
For example, subscribers of several Israeli cellphone companies, including Orange, use out-of-band authentication when they want to retrieve their account statements. You get an e-mail telling you your bill is ready, you click on the link and log onto the company’s secure server. Then you are sent an SMS with a secret code you are supposed to type on the site, and you can then download your bill.
It’s a lot more secure than “in-band” authentication, where all challenge and authentication is done using the same channel.
But why stop at SMS messages, Weissberg asks: “What the cellphone companies do is fine, but they, of course, make use of their own phones to do the authentication. While that makes sense for them, it doesn’t always make sense for many other sites. Sites not associated with cellphone-service providers can’t be sure that users have phones they can use to send their messages out on, or that users even have cellphones at all. Other sites and organizations use things like smart cards, USB tokens, etc.
But all those things can be lost, stolen, or even hacked as well.” Once again, the time factor comes into play: The more time hackers have to work on an authentication system, the more likely they are to figure out a way to hack it, regardless of how secure it is. And if you need to authenticate yourself at more than two or three sites, you need to either carry multiple cards and tokens, or remember all sorts of complicated passwords.
Other organizations use biometric for authentication, but even biometric isn’t foolproof, as fans of many TV spy shows are probably aware.
It’s better, Weissberg says, to use Otenti’s authentication system, which makes it far more difficult for hackers to get hold of the data they can use to invade secure systems. Instead of using specific objects as authentication devices, Otenti’s system uses just about anything – any device, hardware or software that you can communicate with – to send temporary out-of-band authentication codes. Hackers who want to invade a system using an individual’s account have to figure out what device the user has chosen for this round of authentication.
Will customers use the Web, cellphone, landline, Facebook account, or plain old PC for authentication? While hackers have they ability to tap into any of these devices, it’s a lot of work – too much for even a sophisticated hacker team to handle. Unless they’re willing to dedicate all their resources to hacking into all these devices all the time, performing analyses on all the data going through all the pipes – and are able to analyze the information and figure out the security codes in a matter of seconds, and use them to invade the system during the short window that the authentication process is active – they will not be able to find their way into the sensitive security sites they seek to crash or compromise.
“While I can’t say that it’s impossible that a site won’t get hacked using Otenti security, it’s safe to say that such an outcome would be virtually impossible,” Weissberg says.
Otenti’s system is currently installed in several Israeli medical centers and on a major government Web site and database, and the company is set for a major campaign to promote its products both here and abroad in the coming months.
One attractive feature of Otenti is its low cost, Weissberg says. Since there is no hardware purchase involved, the costs are low “for organizations of five to 5 million.” (Several of the biggest security companies providing authentication make most of their money from hardware, smart cards, etc., he says.) “Otenti’s solution is also perfect for the cloud, enabling users to securely access their data on servers on remote servers,” Weissberg says. “Wherever you are, what ever you do, you can be confident that your identity can be verified safely and securely.” With Otenti, the anti-Israel crowd will have one less way to attack us.