Lieberman Software
September 2013       

Top of Mind

The End of Passwords?

Philip Lieberman, President & CEO - Lieberman Software

Like the regular ticking of a clock, I hear the siren song of “the end of passwords” coming from analysts and pundits on a regular basis either in person or via the media.

We have also seen the publicity around celebrities' email accounts being compromised because the passwords they chose could be deduced from their public profiles.

In our business we see firsthand how easily common credentials (the same password on many systems) and uncontrolled persistent access lead to password-based access being compromised and used for unauthorized purposes (think Snowden).

Is it finally time to get rid of passwords? In September 2013 Apple released the iPhone 5S with a fingerprint sensor (Touch ID) as a way to spare users from typing passwords on their phones. There is certainly a rich history of celebrities (and others) picking poor passwords for their email accounts, which has led to embarrassing situations, not to mention the ongoing difficulty of typing complex passwords on a mobile device without a physical keyboard.

Biometrics may indeed signal the beginning of the end of password entry for mobile users (at least Apple users), but passwords are not going away for the rest of the world, and especially not for infrastructure. The use of biometrics for authentication also opens up a whole new realm of personal privacy issues that may be even worse than those passwords represent (thank you Gyle Iverson, CEO of CloudVaults, for the link).

How Do We Get Rid of Passwords?

Practically speaking, the issue is not that passwords are bad or inherently insecure; the core problem is their length and uniqueness, their disclosure, and their lifetime. When humans pick passwords and are required to manage them, we compromise between convenience and security, frequently erring on the side of convenience. This convenience bias opens us up to social engineering and to offline guessing (cracking) of our passwords.

The obvious approach we have taken to solve the password problem is to generate long, unique, purely random passwords and apply them to every account we are supposed to manage. Because these passwords are machine generated from a cryptographic random source and are far too long to guess, cracking them is infeasible, and because they change constantly there is minimal persistence of access (i.e. today's password does not work tomorrow).

Because passwords are changed automatically after disclosure, and periodically even without disclosure, a Privileged Identity Management (PIM) password is essentially a one-time password (OTP). An OTP is a credential that is good for one use only and is limited as to when and for how long it can be used. A secondary but essential characteristic of a PIM OTP is that it is limited not only in time but also to the one machine where it works. The per-machine limitation exists because each machine has unique credentials for its local accounts (no common credentials).
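The properties described in the last three paragraphs (one random password per machine, rotation after disclosure, rotation on a schedule, a checkout that is bound to one machine and expires) can be modelled in a few dozen lines. The following is an added example written for this page, not Lieberman Software's ERPM/RPM code; the machine names, TTLs and rotation period are assumptions chosen for the demo.

```python
"""Toy privileged-credential vault with the properties described above.
Added example, not Lieberman Software's ERPM/RPM code: every machine gets
its own CSPRNG-generated local-admin password, a checkout is bound to one
machine and expires, and the password is rotated on check-in (it has been
disclosed to a human) and on a schedule.  Machine names, TTLs and the
rotation period are assumptions chosen for the demo."""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PASSWORD_LEN = 32             # 32 chars from a 94-symbol alphabet: ~209 bits of entropy
ROTATION_PERIOD = 24 * 3600   # scheduled rotation even without disclosure (seconds)


def generate_password(length: int = PASSWORD_LEN) -> str:
    """Long, random, unique per call; guessing or cracking it offline is infeasible."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    user: str
    expires: float


@dataclass
class ManagedAccount:
    machine: str
    password: str
    last_rotated: float
    checkout: Optional[Checkout] = None


class PasswordVault:
    def __init__(self, machines, now: float):
        # No common credentials: each machine's local account gets its own password.
        self.accounts = {m: ManagedAccount(m, generate_password(), now) for m in machines}
        self.audit = []   # (time, event, machine, user): what a SIEM would ingest

    def _rotate(self, machine: str, now: float, reason: str) -> None:
        acct = self.accounts[machine]
        acct.password = generate_password()
        acct.last_rotated = now
        acct.checkout = None
        self.audit.append((now, "rotate:" + reason, machine, None))

    def housekeeping(self, now: float) -> None:
        """Expire stale checkouts and perform scheduled rotation."""
        for m, acct in self.accounts.items():
            if acct.checkout is not None and now >= acct.checkout.expires:
                self._rotate(m, now, "checkout-expired")
            elif now - acct.last_rotated >= ROTATION_PERIOD:
                self._rotate(m, now, "scheduled")

    def checkout(self, machine: str, user: str, now: float, ttl: float = 3600) -> str:
        """Release the current password for ONE machine, for a limited time."""
        self.housekeeping(now)
        acct = self.accounts[machine]
        if acct.checkout is not None:
            raise PermissionError(f"{machine} already checked out by {acct.checkout.user}")
        acct.checkout = Checkout(user, now + ttl)
        self.audit.append((now, "checkout", machine, user))
        return acct.password

    def checkin(self, machine: str, user: str, now: float) -> None:
        """Work finished: the password was disclosed, so it is rotated immediately."""
        acct = self.accounts[machine]
        if acct.checkout is None or acct.checkout.user != user:
            raise PermissionError("no matching checkout")
        self.audit.append((now, "checkin", machine, user))
        self._rotate(machine, now, "disclosed")

    def verify(self, machine: str, password: str, now: float) -> bool:
        """What the target machine's logon decides for a presented password."""
        self.housekeeping(now)
        return secrets.compare_digest(self.accounts[machine].password, password)


def demo():
    """Shows the four properties: valid now, bound to one machine, dead after
    check-in, dead after the checkout TTL elapses."""
    t0 = 1_000_000.0
    vault = PasswordVault(["srv-a", "srv-b"], now=t0)
    pw = vault.checkout("srv-a", "alice", now=t0, ttl=3600)
    valid_now = vault.verify("srv-a", pw, now=t0 + 60)
    other_machine = vault.verify("srv-b", pw, now=t0 + 60)            # no common credential
    vault.checkin("srv-a", "alice", now=t0 + 600)
    after_checkin = vault.verify("srv-a", pw, now=t0 + 601)           # rotated on disclosure
    pw2 = vault.checkout("srv-b", "bob", now=t0 + 700, ttl=600)
    after_expiry = vault.verify("srv-b", pw2, now=t0 + 700 + 601)     # rotated on expiry
    return valid_now, other_machine, after_checkin, after_expiry


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The point of `demo()` is the four booleans: the checked-out password works on the machine it was issued for, fails on any other machine, fails the moment it is checked back in, and fails once its checkout lifetime has elapsed even if nobody checked it in. The audit list is what would be shipped to a SIEM.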

OTP on Top of OTP

It is a common reality that internal machines get compromised with key loggers (which capture credentials) and remote control software. Every user name and password typed on a compromised machine is recorded and available to whoever has remote control of the system.

The only effective mitigation is to insert an extra step that requires the real user to provide an additional authentication element that cannot usefully be recorded and replayed, because it is valid once and only for a short time. Generally the extra element is a challenge such as a phone call, a code delivered by SMS to the user's cell phone, or the code from a hard or soft token. Smart cards or a biometric reader can also be used.

Each of these extra factors is in effect an additional one-time password or passcode (OTP) on top of the normal password used to access a system.

In the case of access to a one-time password granted via a PIM system such as ours (firecall or break-glass access), you normally log into our system with a user name and password, whereupon you are challenged to provide a second factor as described above. In effect, you have to provide an OTP to get an OTP for privileged access.

New Release: ERPM Version 4.83.7

The new release of Enterprise Random Password Manager (ERPM), shipping in September, adds many new OTP / multi-factor authentication (MFA) options. The most basic improvement in this version is support for generic RADIUS, used purely for the multi-factor step. This means you can now use pretty much any multi-factor authentication provider with ERPM. Set-up is simple and takes less than 5 minutes: all you need is the address of the RADIUS server, the shared secret, and the user name format the server expects. Once configured, a user is first authenticated with their user name and password (or integrated authentication); then their user name and the challenge code they are prompted for are sent to the RADIUS server, which approves or denies the request.
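What actually goes over the wire in that RADIUS step is worth seeing once, because the three configuration items above (server address, shared secret, user name format) map directly onto the packet. The following is an added example, not ERPM's RADIUS client: the PIM plays the RADIUS client (NAS) and sends the user name plus the challenge code in the User-Password attribute, hidden under the shared secret as RFC 2865 section 5.2 specifies, then checks the Response Authenticator on the reply. A tiny in-process stand-in for the MFA provider's RADIUS server lets the exchange run offline; the secret, user, OTP value and NAS-Identifier are constructed for the demo.

```python
"""RADIUS Access-Request / Access-Accept exchange for the MFA step.
Added example, not ERPM's RADIUS client.  Secret, user, OTP value and
NAS-Identifier are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32         # RFC 2865 attribute types


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    the chain seeded with the Request Authenticator (RFC 2865 section 5.2)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    return code, ident, pkt[4:20], pkt[20:]


def response_authenticator(code, ident, request_auth, attr_bytes, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return _md5(header, request_auth, attr_bytes, secret)


def build_access_request(ident, secret, username, otp_code, nas_id=b"erpm-pim"):
    request_auth = os.urandom(16)       # fresh and unpredictable per request
    attrs = [(USER_NAME, username),     # formatted as the RADIUS server expects
             (USER_PASSWORD, hide_password(otp_code, secret, request_auth)),
             (NAS_IDENTIFIER, nas_id)]  # a request must carry NAS-Identifier or NAS-IP-Address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def mfa_server(pkt, secret, expected_codes):
    """Stand-in for the MFA provider: checks the OTP and answers Accept or Reject."""
    _code, ident, request_auth, body = parse_packet(pkt)
    attrs = dict(decode_attrs(body))
    otp = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(otp, expected_codes.get(attrs.get(USER_NAME), b"\x00"))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, request_auth, b"", secret), [])


def verify_reply(reply, request_auth, secret):
    """Client side: a reply not authenticated with the shared secret and OUR
    Request Authenticator is spoofed or belongs to a different request."""
    code, ident, auth, body = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, body, secret)
    return hmac.compare_digest(auth, expected), code


def mfa_check(username, otp_code, client_secret, server_secret, expected_codes, ident=7):
    """Full round trip; True only for an authentic Access-Accept."""
    req, request_auth = build_access_request(ident, client_secret, username, otp_code)
    reply = mfa_server(req, server_secret, expected_codes)
    authentic, code = verify_reply(reply, request_auth, client_secret)
    return authentic and code == ACCESS_ACCEPT
```

Two caveats a practitioner should keep in mind when wiring a PIM to a RADIUS MFA server: the MD5-based User-Password hiding is obfuscation under the shared secret, not encryption, and a plain Access-Request has no integrity protection unless the Message-Authenticator attribute (RFC 2869) is included. So use a long random shared secret, keep the path to the RADIUS server on a trusted network segment or inside a TLS tunnel (RadSec, RFC 6614), and never reuse the MFA RADIUS secret for other clients.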

We have also added two native multi-factor authentication providers: SafeNet's cloud and on-premises authentication servers, and PhoneFactor. While you can reach both SafeNet and PhoneFactor over RADIUS, we and the security experts we talk to prefer the native integrations because they are more secure and take less work to set up.

Why are OTPs so Important?

The reality today is that anti-virus, firewalls, IDS/IPS, and other legacy technologies simply do not work very well against sophisticated attackers. Real security means understanding what the landscape really is and accepting that any machine could be compromised and become a jumping-off point both for mapping your environment and for attacking it.

Our PIM solutions do a good job of getting rid of common credentials, managing service/application accounts, and giving privileged credentials a limited lifetime, but if a compromised system can be used to log into the PIM and retrieve the credentials it protects, the outcome would not be good. To ensure that only real users can gain full access to our software, we STRONGLY suggest that some additional form of authentication besides user name and password be used with our solutions.

To encourage the use of multi-factor authentication, we provide many native connectors to the leading providers at no additional cost. If you cannot afford, or do not want the hassle of, a commercial solution or commercial tokens, we also provide a free solution based on OATH (the open HOTP/TOTP standards) that supports software tokens, hardware tokens, and even SMS delivery of the time-limited code to a user's cell phone. If you want to try hardware tokens, we even have a free token offer from Yubico.
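The OATH algorithms behind those software and hardware tokens are small, and writing them out shows why a keylogged second factor is worthless to the attacker (the "OTP on Top of OTP" section above): the server accepts each code once, inside a short window, and never accepts an older counter again. The following is an added example, not Lieberman Software's OATH implementation; it implements HOTP (RFC 4226) and TOTP (RFC 6238) and checks itself against the published RFC test vectors. The user name and clock values in the demo are constructed.

```python
"""OATH HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-safe verifier.
Added example, not Lieberman Software's OATH implementation.  The HMAC key is
the RFC test secret; the user name and clock values are constructed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server side.  Accepts a code only within +/- `skew` steps of its own clock
    and never accepts a counter at or below the last one consumed, so a code
    captured by a keylogger cannot be replayed even inside the window."""

    def __init__(self, step: int = 30, skew: int = 1):
        self.step, self.skew = step, skew
        self.last_counter = {}   # user -> highest counter already consumed

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // self.step
        for c in range(current - self.skew, current + self.skew + 1):
            if c <= self.last_counter.get(user, -1):
                continue                                   # replay or stale counter
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c
                return True
        return False


RFC_SECRET = b"12345678901234567890"   # test secret shared by RFC 4226 and RFC 6238 (SHA-1)
RFC4226_VECTORS = {0: "755224", 1: "287082", 2: "359152", 3: "969429", 4: "338314",
                   5: "254676", 6: "287922", 7: "162583", 8: "399871", 9: "520489"}
RFC6238_VECTORS = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                   1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}


def self_test() -> bool:
    """Both generators against the published test vectors (8-digit TOTP per RFC 6238)."""
    hotp_ok = all(hotp(RFC_SECRET, c) == v for c, v in RFC4226_VECTORS.items())
    totp_ok = all(totp(RFC_SECRET, t, digits=8) == v for t, v in RFC6238_VECTORS.items())
    return hotp_ok and totp_ok


def replay_demo(now: int = 1_700_000_000):
    """A code a keylogger captured: accepted once, refused on replay, expired later."""
    v = TotpVerifier()
    code = totp(RFC_SECRET, now)
    first = v.verify("alice", RFC_SECRET, code, now)
    replay = v.verify("alice", RFC_SECRET, code, now + 5)      # same window, same code
    later = v.verify("alice", RFC_SECRET, code, now + 120)     # window has moved on
    return first, replay, later


if __name__ == "__main__":
    print(self_test(), replay_demo())   # True (True, False, False)
```

The counter check in `verify` is what turns "time limited" into "one time": without it, a code is replayable for the whole skew window (up to 90 seconds here), which is exactly the interval a remote operator with a keylogger needs. The same verifier works for a code sent by SMS, but note that SMS delivery adds the carrier and the handset to the trust boundary, so it is the weakest of the delivery options listed above.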

Going Beyond OTPs: Risk and Behavior

When you interact with our PIM, it generates a large number of real-time events to internal logs as well as to external logging systems. Among those are SIEM systems that not only ingest our log output but also aggregate the events from other parts of your network.

The SIEM can be configured to correlate a user's activities across multiple systems and determine whether their behavior is risky or unauthorized. Given that privileged access is an important and potentially dangerous activity, especially when unauthorized, we consider the use of a SIEM with our product essential. Our latest version adds more events and SIEM integrations.

We have also added and improved trouble-ticket/CMDB integrations in this version, so that PIM becomes part of an enforced ITIL process and unauthorized access is further limited or eliminated.
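A concrete correlation of the kind the two preceding sections describe: join the PIM's checkout/check-in events with logon events from the managed machines and flag a privileged logon that falls outside any active checkout window, one that comes from a different workstation than the one that requested the checkout, and a checkout that cites no change ticket. This is an added example, not ERPM's event format nor any vendor's SIEM rule language; the log lines are constructed and the field names (`user=`, `host=`, `account=`, `ticket=`, `from=`, `ttl=`, `src=`) are assumptions.

```python
"""SIEM-style correlation of PIM checkout/check-in events with logon events
from the managed machines.  Added example; the log lines are constructed and
the field names are assumptions, not ERPM's actual event format."""
from datetime import datetime, timedelta

# Constructed sample events: '<iso-time> <source> <kind> key=value ...'
PIM_EVENTS = """\
2013-09-10T09:00:00 pim checkout user=alice host=srv-a account=Administrator ticket=CHG-1042 from=ws-alice ttl=3600
2013-09-10T09:40:00 pim checkin user=alice host=srv-a account=Administrator
2013-09-10T11:00:00 pim checkout user=bob host=srv-b account=Administrator ticket=- from=ws-bob ttl=3600
"""

LOGON_EVENTS = """\
2013-09-10T09:05:00 srv-a logon account=Administrator src=ws-alice
2013-09-10T09:50:00 srv-a logon account=Administrator src=ws-alice
2013-09-10T11:10:00 srv-b logon account=Administrator src=ws-mallory
2013-09-10T11:20:00 srv-c logon account=Administrator src=ws-bob
"""


def parse(text: str):
    """One dict per line; the second token is the emitting source (pim or host)."""
    events = []
    for line in text.strip().splitlines():
        ts, source, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"time": datetime.fromisoformat(ts), "source": source, "kind": kind, **fields})
    return events


def checkout_windows(pim_events):
    """(host, account) -> list of windows [start, end, user, from_host, ticket].
    A check-in rotates the password, so it closes the window early."""
    windows, open_by_key = {}, {}
    for e in pim_events:
        key = (e["host"], e["account"])
        if e["kind"] == "checkout":
            w = [e["time"], e["time"] + timedelta(seconds=int(e["ttl"])), e["user"], e["from"], e["ticket"]]
            windows.setdefault(key, []).append(w)
            open_by_key[key] = w
        elif e["kind"] == "checkin" and key in open_by_key:
            w = open_by_key.pop(key)
            w[1] = min(w[1], e["time"])
    return windows


def correlate(pim_events, logon_events):
    """Returns (time, rule, detail) tuples, oldest first."""
    alerts = []
    for e in pim_events:
        if e["kind"] == "checkout" and e.get("ticket", "-") == "-":
            alerts.append((e["time"], "checkout-without-ticket", f"{e['user']} -> {e['account']}@{e['host']}"))
    windows = checkout_windows(pim_events)
    for l in logon_events:
        key = (l["source"], l["account"])      # the logon's emitting host is the target machine
        where = f"{l['account']}@{l['source']} from {l['src']}"
        match = next((w for w in windows.get(key, []) if w[0] <= l["time"] <= w[1]), None)
        if match is None:
            alerts.append((l["time"], "privileged-logon-without-checkout", where))
        elif match[3] != l["src"]:
            alerts.append((l["time"], "logon-from-unexpected-host", f"{where}, checkout requested from {match[3]}"))
    return sorted(alerts)


if __name__ == "__main__":
    for t, rule, detail in correlate(parse(PIM_EVENTS), parse(LOGON_EVENTS)):
        print(t.isoformat(), rule, detail)
```

On the sample data the 09:05 logon is clean (inside alice's window, from her workstation) and four alerts fire: the 09:50 logon on srv-a after alice checked the password back in (it should have been rotated by then, so this is either a replayed credential or a rotation failure), bob's ticketless checkout at 11:00, the 11:10 logon on srv-b from ws-mallory rather than ws-bob, and the 11:20 logon on srv-c for which no checkout exists at all. In a production SIEM the same three rules are a join on (host, account) against the checkout window plus two field comparisons; the hard part is getting the PIM to emit the window boundaries, which is why the check-in event matters as much as the checkout.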

The Future of Passwords: Summary

Passwords are not going away, because they are ingrained into virtually every part of IT infrastructure. Our mission is to make passwords safe by making them unique, infeasible to crack, limited in lifetime, and accessible only for the right reasons, by the right people, and only for as long as they are needed. Even more important, our mission is to make the transition to a world of secure passwords easy and fast, with minimal or no ongoing human effort to keep things secure.

The latest version of our PIM solution, scheduled for release in September 2013, reinforces the tremendous effort we are making to make your life easier and your environment secure. We are very proud of this release and look forward to your feedback.

What do you think? Email me at: You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.
What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • A Street Car Named Google. The following is a guest post by our integration partner, Viewfinity. Someone on the Viewfinity team spotted the Google Street View car on the way into work this morning. Several of us were excited because we’d never seen one of these elusive and sometimes controversial cars...

Events / Press / Analysts
  • Apple May Take Fingerprint Security Mainstream. The Street. Apple's new Touch ID technology may be the answer for consumers everywhere who have a tough time remembering passwords -- or whose fat fingers find tiny virtual keyboards annoying. For the security industry, this could be what finally boosts biometric technology to a mainstream audience.
  • Security Experts: Expect U.S. Cyberoffensive Efforts To Grow. Dark Reading. That the U.S. is stocking its cyberarsenal should come as little surprise, but recent revelations from documents leaked by fugitive Edward Snowden revealed just how much. Reports by The New York Times and The Guardian revealed that the National Security Agency (NSA) and its U.K. equivalent, Government Communications Headquarters (GCHQ), have engaged in a long-running and wide-ranging effort to defeat the encryption widely used on the Web, including SSL, VPN technologies, and new protections used on 4G smartphones.
  • Latest PRISM disclosures shouldn't worry consumers. USA Today. Should the latest disclosures of decrypting techniques used as part of the NSA's PRISM anti-terrorism surveillance program keep you awake tonight? Only if you do not believe President Obama and NSA Director Army Gen. Keith Alexander that any and all spying techniques are used strictly in very narrow circumstances to target suspected foreign terrorists, under a federal court review process.
  • Lieberman Software Finds When It Comes to State-Sponsored Cyber Attacks, We Ain't Seen Nothing Yet. Tech Zone 360. For anyone looking at recent headlines, it is more than crystal clear that state-sponsored cyber attacks are on the rise. Whether it be China, North Korea or a growing list of others, the use of online tools to compromise companies and government agencies is not just a fact of modern life but something many security experts have stated is the number one threat to national and enterprise security.
  • Over half IT pros believe business is losing cyber battle. Computer Weekly. Businesses are losing the battle against state-sponsored cyber attacks and things are unlikely to improve in the short term, according to a survey of senior IT security professionals. This was the view of 58% of nearly 200 respondents polled by Lieberman Software at Black Hat USA 2013.
  • Call of Duty. SC Magazine UK. With so much of the national infrastructure, from utilities to the internet itself, a potential target of attack, the Government is forging partnerships with the private sector to help protect the services we all rely on. But, in the wake of Edward Snowden, defence is no longer just a question of what can be done, but also of what is acceptable.
  • Cloud forensics - keeping tabs on your cloud provider. Cloud Pro. Keeping track of data in on-premise infrastructure seems easier to comprehend because for most people, it is considered to be in a physical location that’s easily locatable. But the cloud throws up interesting possibilities, as it is not always known where exactly that data is at any one given time.
  • New Payment Card Standards Go Beyond Compliance. TechNewsWorld. The new PCI standard won't be music to the ears of security hands who worship the notion of the inviolate perimeter. "The new standard recognizes that perimeter breaches are a regular occurrence," said Philip Lieberman, CEO of Lieberman Software. "The only real mitigation is to have persistent controls within the interior that are both human and technological."

Tech Tip of the Month

Manage McAfee ePO Software Privileged Account Credentials

ERPM and RPM are the first products capable of enabling secure check-in/check-out of privileged account credentials directly from the McAfee ePO web-based interface, and the first to deliver identity and configuration data enrichment for ePO.

ERPM and RPM help you secure sensitive data by removing anonymous access to McAfee ePO software. The Lieberman Software products provide a model in which sensitive logins are controlled and passwords automatically revoked immediately after delegated IT personnel complete their work. Here's how.


Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
Tel: (01) 310-550-8575