Hyper-V: The Killer Feature in Windows Server 2008 It's fair to say that while many of the other new features are evolutionary, Hyper-V, by contrast, is revolutionary. Paul Rubens explores Microsoft's big step into virtualization. »   Download the Windows Server 2008 Trial With Windows Server 2008 you can develop, deliver, and manage rich user experiences and applications, provide a secure network infrastructure, and increase technological efficiency and value within your organization. »   Reduce Complexity and Costs with Microsoft Identity and Access Solutions Your organization depends on making digital information accessible to a broad spectrum of users over range of devices and networks. Register now for free Identity and Access Solutions from Microsoft. »   Virtualization from the Data Center to the Desktop Integrated virtualization solutions from Microsoft can help you meet evolving demands more effectively as you transform your IT infrastructure from a cost center to a strategic business asset. »

Related Articles •Protect Your Passwords -- Part 1 •Hello 'Certified Server,' Goodbye Spam •Getting the Most Out of Firefox •Should You Disable Windows Scripting Host? •Can Patch-Management Companies Survive? •Vote and Get A Free CoffeeCup •Why Can't Microsoft Catch Its Own Bugs?

- ITSMWatch Newsletter -

Tech Focus: Security Cybersecurity: Laws Only Go So Far Mozilla Firefox vs. Internet Explorer: Which is Safer? Is Your Blog Leaking Trade Secrets? The Las Vegas Counterfeiting Story: Is Your Privacy Worth More Than a Poker Chip? Stopping Spammers at The Point of Sale

Product Watch •e-SoftEasy Business Analytics - Create Reports/Charts From Databases •Mazu Profiler - Network Behavioral Analysis Engine Provides System Baselining and Alerting •GridVision Enterprise - Enables the Deployment and Management of InfiniBand-Based Grids •ReadyNAS - NAS Boxes And Rack Units for SMBs •Acronis Recovery - Wizard Driven Backup and Recovery for Databases more products >>

Datamation Definitions data mining ERP extranet grid computing intranet network appliance outsourcing storage VPN virus

FREE Tech Newsletters Instant Messaging Planet HTML CIO Update CodeGuru Update Practically Networked HTML Enterprise Storage Forum HTML Optically Networked HTML Intranet Journal Update Datamation IT Management Careers Datamation IT Management Update Executive Tech HTML Developer.com Update Gamelan Java Update Goodies to Go Javascript Weekly HTML JARS Java Update OpenSource Update SysOpt Tech Notes Grid Computing Planet HTML E-Security Planet HTML Virtual Dr. Text

Meet the HP ProLiant DL385 G5

Protect Your Passwords -- Part 2
December 21, 2004
By Brian Livingston

We know how to make the Internet secure. Now the question is, "Will we do it?"

I wrote in this space last week about "Pass2Go," a piece of software that resides on a key-sized USB Flash drive. The device stores all of the username/password combinations that log you into the various Web sites and secure servers you use. When you remove the drive from the USB port, your passwords are no longer available to anyone else who may use that computer.

This is better than storing your passwords within Microsoft's Internet Explorer browser (whose password encryption was cracked long ago) or the Mozilla Foundation's Firefox (which stores passwords in an ordinary file unless you set up a "master password").

But Pass2Go -- or any device that relies on passwords -- is insufficient to allow you to safely log on to your accounts when you're away from your desk. The answer to the problem is here, today. But will people use it?

The Problem With Passwords

To be sure, storing your passwords in a removable device using Pass2Go is preferable to writing them on sticky notes and gluing them to your monitor. The problem isn't how you remember your passwords, but the fact that you have to use them at all.

• Using A Nonsecure PC On A Nonsecure Network. If you use a PC at an Internet café, a library, a college, or any other public location, you have no easy way to guarantee that that machine isn't infected with a Trojan-horse program. Such a program could be watching for passwords and sending the information to a hacker at a remote location or a dishonest employee of the shared-PC service.

• Opening The Veil. The username/password combinations that are stored by Pass2Go are, it's true, unreadable when you insert your Flash drive into a USB slot. But as soon as you type your "master password," any Trojan horse on the Internet café's machine can copy the information by monitoring the keyboard. The Trojan can also capture the screen to learn what information may be displayed.

• The Savvier They Come, The Harder They Fall. A variety of companies have invented USB Flash drives that can be configured to require a registered user's fingerprint before releasing any username/password combinations to a browser login form. One such product is the Lexar JumpDrive TouchGuard, a $70, 256 MB drive. Your fingerprint makes a very good "master password." But a Trojan horse on an Internet café PC can still monitor your keystrokes and capture the screen as soon as your finger has opened the passwords on your Flash drive.

Carrying your passwords around in a Flash drive isn't a secure way for you to use public-access PCs to log in to your accounts. Passwords themselves are the problem. The solution is at hand, and it may free us from having to remember passwords at all.

Two-Factor and Challenge/Response Authentication

What's better than strong passwords? The answer lies in two-factor authentication and challenge/response authentication. These are big words for some simple concepts:

• Two-Factor Authentication relies upon "something you have" and "something you know." The most successful example is bank cards and PINs (personal identification numbers). A thief might steal your bank card, but it's unlikely that he'd guess your PIN before the card was swallowed up by a cash machine after three incorrect tries.

• Challenge/Response Authentication. Bank cards are merely a piece of plastic with a magnetized strip that contains your account information. But USB Flash drives (and similar technologies, including "smart cards") can do much more than just store bytes. They're also capable of carrying and using digital certificates. A secure server can issue a digital "challenge" that only a smart device can correctly respond to.

I've been calling devices such as these "USB keys," because they make it as easy for you to log in to a secure server as it is to start your car with a car key.

U.S. Bancorp Signs Up For USB Keys

Verisign Inc. is one of several companies that are beginning to sell USB keys, technically known as secure authentication tokens, to banks and other enterprises.

Verisign recently announced that U.S. Bancorp, the sixth-largest U.S. financial services holding company, would start giving secure USB tokens to its commercial banking customers. In my opinion, this is the first step toward all financial institutions requiring two-factor authentication for any online customer communication.

The company's Unified Authentication USB Token, shown at the bottom of the photo to the left, can hold up to seven digital certificates, according to Mark Griffiths, vice president of security services for Verisign.

The Multipurpose Next-Generation Token, shown at the top of the photo, also displays a 6-digit number when the user pushes a button. The number is one of a series that a secure server will accept as a valid password, in combination with a user's 4-digit PIN.

One-Time Passwords And Multiple-Use USB Keys

For many business applications, such as remote access to e-mail, a one-time password is sufficient security to let an end user log in from an Internet café. Even if a Trojan horse is monitoring all of a PC's keystrokes and capturing everything on the screen, a hacker wouldn't be able to use the discovered password, since it would work only once.

For more sensitive applications -- such as online banking -- the challenge/response capabilities of USB keys provide much better security. No Trojan-horse program could understand the long digital strings that make up a secure challenge, much less formulate the exact arrangement of bytes that would make up the calculated answer.

A hacked public terminal might still be able to capture the text of your e-mails, your bank balance, or whatever else you display on the screen. But it would be impossible for the hacker to log in to your e-mail account and send e-mails under your name -- or log in to your bank account and send all of your money to Russia.

Conclusion

Verisign's Griffiths says a rollout of secure tokens -- including the use of Verisign's 24/7 back-end server that can lock out lost and stolen Flash drives -- will cost a company only $25 to $35 per year per user for 5,000 users. That sounds to me like a bargain, if it eliminates the use of passwords and any eavesdropping on them by hackers.

Unfortunately, there's no program at the current time that allows an individual consumer to purchase a USB Key and then demand that his or her bank start supporting it as a form of identification.

Until that day comes, I recommend against using a public terminal to log in to your e-mail account without one-time passwords -- and against logging in to your online bank account without full challenge/response authentication.

Wait, you might say. If this catches on, what will keep consumers and corporate travelers from having to carry around a fistful of different USB keys to log in to different servers?

A standard is on the way that will allow a single key to work on all servers. That'll be the subject of my next column on Jan. 11, 2005, after the holiday break.

Tools:

Add itmanagement.earthweb.com to your favorites Add itmanagement.earthweb.com to your browser search box IE 7 | Firefox 2.0 | Firefox 1.5.x Receive news via our XML/RSS feed