People are still your best defense

OK, I already tweeted this story with a snarky comment about spelling, but there is an interesting lesson to be learned from this incident. It was plain old human intervention, a bank employee questioning a misspelled word in one of the transfer requests, that kept a roughly $80 million fraud against Bangladesh Bank from becoming one of $800 million plus. Educating your people to recognize out-of-the-ordinary behavior is one of the best security investments you can make. (Not that losing $80 million is a great outcome.)


OAuth/OpenID flaw – ok, now what?

It seems like the latest big security story is a newly reported flaw (publicized as "Covert Redirect") affecting sites that use OAuth and OpenID, the protocols that let users log in to a third-party web site with their account on another site such as Google, LinkedIn or Facebook. The attack is reported to be relatively easy to mount: a phishing email carries a link into a legitimate site's "log in with Google" flow (or any other identity provider that supports OAuth and OpenID), and the user is shown the provider's real authentication pop-up. That pop-up is not fake; it genuinely belongs to the identity provider, and the user's password is never typed into an attacker page. The problem is what happens next: the provider sends the access token or authorization code back to the third-party site, and if that site's callback will forward the browser to any address named in a parameter (an open redirect), the token lands on the attacker's server instead. The attacker ends up holding the token the user just authorized rather than the password, but that token is enough to act as the user at that site.

So what do we, as security professionals, do with this information? Given the behind-the-scenes nature of the issue, and the fact that there is no visible cue to the user that a site's callback is leaking tokens, we are mostly stuck telling our users to "be more careful" about using their Google/Facebook/LinkedIn etc. credentials to log in to sites. Well, that's pretty darn vague. A slightly more concrete version: don't follow "log in with ..." links that arrive by email; navigate to the site directly instead, and hold off on setting up new site logins through OAuth/OpenID where you can. Bear in mind there is no single fix to wait for. The weakness sits in each third-party site that accepts the redirect, so "until the problem has been fixed" really means until the particular site you are logging in to has tightened its redirect handling.
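To make the mechanism concrete, here is a small self-contained simulation of that token leak. It is an added illustration, not code from the original post or from any real identity provider. The host names, the token value and the `next` parameter are placeholders I made up; the loose prefix match at the provider and the open redirect at the third-party site are the two weaknesses that combine into the attack, and the exact-match check is the fix each side needs.

```python
"""Simulated OAuth redirect chain showing how a token leaks through a relying
party's open redirect, and how exact-match redirect_uri checking stops it.
Constructed example: hosts, token and parameter names are placeholders."""
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# The relying party registered exactly this callback with the identity provider.
REGISTERED_REDIRECT_URI = "https://relying.example/oauth/callback"
ATTACKER_SINK = "https://evil.example/steal"


def idp_redirect_after_login(redirect_uri: str, registered: Set[str],
                             strict: bool, token: str) -> Optional[str]:
    """Identity provider side. After the user authenticates on the genuine
    provider page, the provider sends the token back to redirect_uri.
    strict=False models a prefix match, so any query string appended to a
    registered URI is accepted; strict=True requires an exact string match."""
    if strict:
        allowed = redirect_uri in registered
    else:
        allowed = any(redirect_uri.startswith(r) for r in registered)
    if not allowed:
        return None
    # Implicit-flow style: the token rides in the URL fragment.
    return f"{redirect_uri}#access_token={token}"


def relying_party_callback(url: str, follow_next: bool) -> str:
    """Relying party side. A callback that blindly follows a 'next' parameter
    is an open redirect. Browsers carry the original fragment over a 3xx whose
    Location has no fragment, so the token travels with the user."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", [None])[0]
    if follow_next and target:
        return f"{target}#{parts.fragment}" if parts.fragment else target
    # Hardened callback: ignore off-site redirects and stay on our own URL.
    return url


def run_flow(strict_idp: bool, open_redirect_rp: bool) -> Optional[str]:
    """Attacker builds a login link whose redirect_uri is the registered
    callback plus an attacker-chosen 'next'. Returns the URL the browser
    finally lands on, or None if the provider refused the redirect."""
    crafted = REGISTERED_REDIRECT_URI + "?" + urlencode({"next": ATTACKER_SINK})
    landing = idp_redirect_after_login(crafted, {REGISTERED_REDIRECT_URI},
                                       strict_idp, "tok-123")
    if landing is None:
        return None
    return relying_party_callback(landing, open_redirect_rp)


def token_leaked(final_url: Optional[str]) -> bool:
    """True when the access token ended up on the attacker's host."""
    if final_url is None:
        return False
    parts = urlsplit(final_url)
    return parts.netloc == "evil.example" and "access_token=" in parts.fragment


if __name__ == "__main__":
    for strict, open_rp in [(False, True), (True, True), (False, False)]:
        final = run_flow(strict, open_rp)
        print(f"strict_idp={strict} open_redirect_rp={open_rp} -> "
              f"{final!r} leaked={token_leaked(final)}")
```

Either side can break the chain: a provider that compares `redirect_uri` against the registered value as an exact string refuses the crafted link outright, and a relying party whose callback never forwards to an off-site `next` keeps the token on its own origin even when the provider is lax. The user sees a genuine login page in every one of these runs, which is why there is nothing for awareness training to latch onto here.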

This is a classic example of the tradeoffs we make between security and convenience. Logging in to multiple sites with credentials from a "trusted" provider makes life easier for the web user, but it also ties the security of every account linked to that ID to the provider: a breach there, or a problem in the underlying technology, puts all of them at risk at once. Note that stronger authentication at the provider does not address this particular flaw, since the token leaks after a successful login; the fix lies with the sites that accept the redirect. That said, this is one of the many reasons we need to move away from password authentication and come up with easy-to-use two-factor login methods to reduce the risk associated with weak or stolen passwords.


Keep your users informed with SANS’ OUCH! newsletter


SANS recently published the latest edition of their "OUCH!" security newsletter for end users. This month's topic is "Yes – You Actually ARE a Target!", something we usually have to remind users about on a regular basis, in spite of the steady coverage of hacks, data breaches and other cyber shenanigans always afoot these days.

OUCH is a good (and free) resource to augment your organization’s Security Awareness efforts.

SANS OUCH Newsletter

www.securingthehuman.org 
