Thursday, March 12, 2015

DARPA Developing Active Authentication with Cognitive Fingerprints

The Defense Advanced Research Projects Agency (DARPA) is researching new biometrics-based authentication methodologies that take into consideration how a specific user uniquely processes information when they interact with technology.

“The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard,” DARPA said.

“Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.”

The Active Authentication program DARPA has initiated will try to mitigate this issue by developing new ways of validating the identity of a user through the use of software based biometrics, one or more intrinsic physical or behavioral traits that can be associated with a specific individual.

“This program focuses on the behavioral traits that can be observed through how we interact with the world,” DARPA explained.

“Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a cognitive fingerprint.”

The agency says that the first phase of the program will focus on researching biometrics that do not require the additional hardware like a fingerprint or retina scanner, but instead focus on unique characteristics that can be captured through current technologies that can map out these unique identifiers through patterns of behavior.

“These could include, for example, how the user handles the mouse and how the user crafts written language in an e-mail or document. A heavy emphasis will be placed on validating any potential new biometrics with empirical tests to ensure they would be effective in large scale deployments,” DARPA said.

Subsequent phases of the program will look at creating an authentication solution that integrates a combination of biometrics into a better authentication platform, one that could be used on a standard Department of Defense desktop or laptop.

“The combinatorial approach of using multiple modalities for continuous user identification and authentication is expected to deliver a system that is accurate, robust, and transparent to the user’s normal computing experience,” DARPA said.

“The authentication platform will be developed with open Application Programming Interfaces (APIs) to allow the integration of other software or hardware biometrics available in the future from other sources.”

See more at: http://blog.norsecorp.com/2015/02/27/darpa-developing-active-authentication-with-cognitive-fingerprints/

Wednesday, March 11, 2015

Why are SMEs an attractive target for cyber criminals?


SMEs are a bigger target than they think

Most SMEs don’t realise the extent of the cyber security threats they face. We hear it over and over again, and recent government research confirms it: asked if they agreed with a number of common cyber security misconceptions, 78% of SME respondents to a Cyber Streetwise survey believed at least one. Two thirds of them (66%) didn’t even think their business was vulnerable at all.

In fact, PwC/BIS’s most recent Information Security Breaches Survey found that 60% of small businesses had suffered a security breach. Make no mistake: if you’ve got a website, you’re vulnerable.

Why your website is vulnerable

Your website is just a commodity. It doesn’t matter who you are or what you do – your website, and the information that can be accessed from it, is worth money to someone on the black market.

Even if you don’t store financial information such as customer payment details, the data you do hold – such as employee payroll details, proprietary data or client information – has a value to someone. Hackers will rifle your databases and pull all the information they contain.

Dell SecureWorks’ recent Underground Hacker Markets report examined the underground economy and found that the black market is booming.

Business information can be sold to competitors. Contact information can be, and is, collated with other stolen data and used to hack other accounts. Spammers want lists of email addresses. Some hackers want information on specific users or IP addresses. Some want to spread malware. All such information is traded online.

Moreover, the number of stolen credentials now for sale has inevitably led to prices dropping considerably, meaning they are increasingly easy to come by: 2014’s large-scale attacks saw one billion data records compromised – one for every three Internet users worldwide. Many of these were entirely unencrypted and ripe for immediate exploitation.

Hacking generally isn’t a one-off event, either: it’s a chain. Your website will be attacked, and once everything useful has been taken from you, the hackers will install malware that will infect your site visitors, so that their information can be stolen as well.

The cyber attack spreads, gathering more and more information as it goes. Eventually it’ll hit a big target. Your website may not be obviously valuable in itself, but as a means of attacking a bigger company in the supply chain, it’s a great asset. Many massive hacks on large companies have been perpetrated as a direct result of an exploit on smaller third-party suppliers.

How your website is vulnerable

Known vulnerabilities

Many SME websites use common, off-the-shelf CMS platforms, software, applications and plugins, which often contain vulnerabilities that can be exploited by hackers. Criminals use bots to crawl the Internet, looking for these vulnerabilities and amassing information.

When they find a vulnerability, they exploit it. When they don’t, they record as much information about the website as they can, and wait for a vulnerability to come to light that they can return to exploit later.

Automated attacks are cheap and easy to run, and by their nature are indiscriminate, looking only to exploit known weaknesses – not specific sites. Every website is equally at risk, including yours.

When a critical vulnerability is announced, the criminals will already be working quickly to exploit it before it’s patched. If you’re using unsupported or vulnerable software versions (WordPress, Adobe or Windows products, to use three recently affected examples), then your website will be compromised unless you act quickly to install a patch or update. In October last year, for example, Drupal announced that users who hadn’t patched their CMS platform within seven hours of a bug’s discovery should presume their websites had been hacked.

For this reason, SMEs are often at greater risk than their larger counterparts: although every Internet-facing organisation essentially faces the same threats, big organisations have the resources to support IT teams who are better prepared to deal with automated attacks, implement better patch management and software update programmes, and use regular penetration testing and vulnerability scans to determine the strength of their networks and web apps.

Weak passwords

Passwords also remain a common point of intrusion. Far too often, default passwords are left unchanged, or weak and easily cracked passwords are employed by lazy users.

Microsoft’s Security Intelligence Report (SIR), Volume 17 noted that: “What makes stolen account credentials so valuable to cybercriminals is the extent to which users reuse their account names and passwords across different sites and services”.

If another website has been compromised and login details have been stolen, criminals will automate attacks using the username/password combinations they have gained to see what else they can gain access to. Password reuse is rife, so the statistical chances of criminals gaining access to multiple sites with a single set of stolen credentials are vast.

This is why it is important to change all default passwords to strong passwords: you can be vulnerable simply because someone else from an entirely different company has chosen a poor password.
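The credential-reuse attacks described above (one set of stolen credentials tried against many accounts) leave a recognisable trace in a site's login log: one source address trying many different usernames in a short window, most of them failing. The following is an added example, not code from the original article, that runs that check over a few constructed log lines; the log format, the 60-second window, the five-username threshold and the success-ratio cut-off are all assumptions that would be tuned to a real site.

```python
"""Flag credential-stuffing patterns in a login log (added example).

Assumed log format (constructed for this example):
    <ISO timestamp> <client IP> login <username> <OK|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) login (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Constructed sample: one address sweeps six accounts in six seconds (one hit),
# a legitimate user mistypes twice, another user logs in normally, and one
# line is garbage that the parser must tolerate.
SAMPLE_LOG = """\
2015-03-11T09:00:01 203.0.113.7 login alice FAIL
2015-03-11T09:00:02 203.0.113.7 login bob FAIL
2015-03-11T09:00:03 203.0.113.7 login carol FAIL
2015-03-11T09:00:04 203.0.113.7 login dave OK
2015-03-11T09:00:05 203.0.113.7 login erin FAIL
2015-03-11T09:00:06 203.0.113.7 login frank FAIL
2015-03-11T09:00:07 198.51.100.20 login alice FAIL
2015-03-11T09:00:15 198.51.100.20 login alice FAIL
2015-03-11T09:00:22 198.51.100.20 login alice OK
2015-03-11T09:01:00 192.0.2.9 login bob OK
this line is not a login record
"""


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                       m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=5, max_success_ratio=0.5):
    """Map each suspicious source IP to a summary of its sweep.

    An IP is flagged when, within any `window`, it attempts at least
    `min_users` distinct usernames and at most `max_success_ratio` of those
    attempts succeed (a real user does not fail on many different accounts).
    The accounts that *did* succeed from such an IP are the ones a defender
    should force a password reset on.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) < min_users:
                continue
            successes = [u for _, u, ok in in_window if ok]
            if len(successes) / len(in_window) <= max_success_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "successful_logins": sorted(set(successes)),
                }
                break  # one finding per IP is enough
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The sweep from 203.0.113.7 is flagged (six usernames, one success), while the mistyping user on 198.51.100.20 is not, because a single repeated username never reaches the distinct-user threshold. In practice the same logic is fed from the web server or identity provider logs, and a flagged IP's successful logins are treated as compromised accounts, which is the operational consequence of the password reuse the article describes.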

Microsoft continues: “according to a 2011 study of 6 million user-generated passwords, 98.8 percent of users chose a password that was on the list of the most common 10,000 passwords and were therefore easily cracked using off-the-shelf password hash-cracking software and commodity personal computer hardware.”

A seven-character password comprising upper- and lower-case alphanumeric characters has 3,521,614,606,208 possible combinations (i.e. 62^7). Assuming an attacker’s password cracking tool can make 1,000 attempts per second, it would take up to 40,759 days (111.7 years) to defeat, which is significantly longer than any attacker is likely to bother with. Add punctuation marks and special characters and the inherent security of a password increases dramatically.

A brute-force dictionary attack may be more successful if the password is based on an actual word, even if “leetspeak” (replacing letters with numbers – e.g. “p455w0rd”) is used, but – again – attackers will give up after a set number of failed attempts.
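The three preceding paragraphs make two separate points: a password drawn from a common-password list (even in leetspeak) falls immediately, and otherwise the cost of exhaustive guessing is the keyspace (character-set size raised to the length) divided by the attacker's guess rate. The block below is an added example, not code from the article, that carries both checks through for arbitrary passwords and guess rates; the short `COMMON_PASSWORDS` set and the leetspeak substitution table are constructed stand-ins for the 10,000-entry list Microsoft refers to, and 1,000 guesses per second is simply the article's assumed rate.

```python
"""Password strength estimate: dictionary check plus keyspace arithmetic (added example)."""
import string

# Constructed stand-in for a "most common passwords" list; a real deployment
# would load the published list (or a breach corpus) instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "admin", "monkey", "dragon", "football", "iloveyou",
}

# Common leetspeak substitutions, undone before the dictionary lookup so that
# "p455w0rd" is recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Lower-case and de-leet a password for comparison against the list."""
    return password.lower().translate(LEET_MAP)


def charset_size(password):
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def keyspace(password):
    """Number of candidates an exhaustive search must cover: |alphabet| ** length."""
    return charset_size(password) ** len(password)


def assess(password, guesses_per_second=1_000):
    """Return a verdict plus the worst-case exhaustive-search time at the given rate.

    Years use 365 days, which is the convention the article's 111.7-year
    figure follows.
    """
    if normalise(password) in COMMON_PASSWORDS:
        # A dictionary hit is found long before the keyspace matters.
        return {"verdict": "common", "keyspace": keyspace(password),
                "days": 0.0, "years": 0.0}
    seconds = keyspace(password) / guesses_per_second
    days = seconds / 86_400
    return {"verdict": "exhaustive search needed", "keyspace": keyspace(password),
            "days": days, "years": days / 365}


if __name__ == "__main__":
    for pw in ("p455w0rd", "aB3xY9z", "aB3xY9z!"):
        print(pw, assess(pw))
```

Running `assess("aB3xY9z")` reproduces the article's figures (a 62-character alphabet, 3,521,614,606,208 candidates, about 40,759 days at 1,000 guesses per second), and adding one punctuation character raises the alphabet to 94 and the keyspace by a further factor of roughly 1,500. The guess rate is the parameter to be sceptical of: 1,000 per second is a plausible ceiling for guesses against a live login form that is rate-limited, but if a password hash is stolen the same arithmetic applies at offline cracking speeds many orders of magnitude higher, which is why the dictionary check comes first and why reuse of a password across sites is the more immediate risk.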

Of course, a password is a single authentication factor. No matter how strong it is, if it becomes widely known, it’s no barrier to access.

For even greater security, you should consider two-factor authentication, where a password must be combined with some other authentication factor such as a one-time password or secret question. Think of your bank card and PIN combination as an example: you need both factors to access your account.