Microsoft | NHS Resource Centre


Microsoft NHS Resource Centre - Sidewinder takes a look beyond passwords


Article

Sidewinder takes a look beyond passwords

Davey Winder's latest security column on biometrics in the NHS 
Passwords present a perennial problem to the IT manager. With a new Google-based tool making them even easier to discover, security expert Davey Winder suggests it is time to start looking at the bigger picture.

It might surprise you to learn that Google is an important part of the average hacker’s toolbox. Beyond its obvious use for researching the “mark” for a social engineering scam (and it is amazing how much detailed and personal information you can gather about a trust and its employees from a few hours alone with a search engine), it is also used to gain more direct access to data and resources.

In the right hands it is less a password cracking device than a password discovery device: it does not break anything, it simply finds what has been left lying around. Forget the usual terms thrown about by security researchers when they talk about website hacking, and instead just try searching for “inurl:passwd.txt” to see how much stray login data Google has already indexed. Every hit is a file that somebody put on a web server without access controls and that the search engine’s crawler was allowed to read.


Milking the Dead Cow

Admittedly, the results of such searches are fairly random. Enter stage-left the notorious hacker collective The Cult of the Dead Cow (they chose the name, not us…) and things take on a more sinister perspective. Its software, called ‘Goolag Scan’, implements around 1,500 customised Google search routines to bring password discovery firmly into the realm of the amateur hacker.

The Dead Cow folk claim the tool is meant to get people thinking seriously about security. I personally question the ethics of making something so potentially dangerous public. But I have to agree with them on one thing: if ever there was a right time to be looking at the bigger picture on access security then this is it.
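The practical defence against search-engine password discovery, whether done by hand with “inurl:passwd.txt” or in bulk with a tool like Goolag Scan, is to find the exposed files before the crawler does. The script below is an added illustration, not code from this column or from the Cult of the Dead Cow: it walks a web document root, flags files whose names match a small constructed subset of the kind of patterns such searches use, and scans the rest for lines that look like credentials. The sample document root it builds is constructed for the demonstration.

```python
"""
Audit a web document root for files that search-engine password-discovery
queries would surface. Added illustration; the filename patterns are a small
constructed subset, not Goolag Scan's routines, and the sample tree is made up.
"""
import os
import re
import tempfile

# Filenames that routinely turn up in credential-discovery searches (constructed subset).
DORK_FILENAMES = [
    r"passwd(\.txt|\.bak)?$",
    r"\.htpasswd$",
    r"passwords?\.(txt|xls|csv)$",
    r"\.env$",
    r"config\.php\.(bak|old|~)$",
    r"\.(sql|bak)$",
]

# A "user:hash" or "user:password" line, or a key=value credential assignment.
CRED_LINE = re.compile(
    r"^(?P<user>[A-Za-z0-9_.@-]{1,64}):(?P<secret>\$[a-z0-9]+\$[^\s:]+|[^\s:]{6,})$"
    r"|^(?P<key>\w*(pass|pwd|secret|token|api_key)\w*)\s*[=:]\s*\S+",
    re.IGNORECASE,
)


def matches_dork(filename: str) -> bool:
    """True if the bare filename matches one of the search patterns above."""
    return any(re.search(p, filename, re.IGNORECASE) for p in DORK_FILENAMES)


def credential_lines(path: str, limit: int = 5) -> list:
    """Line numbers (1-based) of credential-looking lines, stopping after `limit`."""
    hits = []
    try:
        with open(path, "r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if CRED_LINE.match(line.strip()):
                    hits.append(lineno)
                    if len(hits) >= limit:
                        break
    except OSError:
        pass
    return hits


def audit_webroot(root: str) -> list:
    """Return sorted [(relative_path, reason)] for files a dork would likely surface."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if matches_dork(name):
                findings.append((rel, "filename matches a known dork pattern"))
                continue
            lines = credential_lines(full)
            if lines:
                findings.append((rel, f"credential-like lines at {lines}"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample document root standing in for a real one."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "admin"))
    samples = {
        "index.html": "<html><body>Welcome to the trust intranet</body></html>\n",
        "admin/passwd.txt": "jbloggs:$1$abc$Q9sKd8\nadmin:letmein99\n",
        "notes.txt": "pacs_password = Xray!2008\n",
        "style.css": "body { color: #333; }\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, why in audit_webroot(build_sample_webroot()):
        print(f"{path}: {why}")
```

Run it against the real document root of each externally reachable web server; anything it reports is already visible to whoever asks the right search engine. A robots.txt entry is not a fix, since it only asks well-behaved crawlers to stay away and advertises the path to everyone else; remove the file or put it behind authentication.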

Single sign on savings

One way to get serious about password management is to reduce the number of passwords that you have to manage. While this might seem to fly in the face of all the advice that’s been given about never re-using the same password twice, it makes sense when you think about it in terms of single sign-on (SSO) technology.

By requiring only a single password to access all applications, whether they sit inside the trust network or are reached from outside it through a mobile solution, you can both reduce the risk of password compromise and save money. The one credential that remains does, of course, become more valuable to an attacker, which is why it needs to be a strong one and backed by a second factor.
That is what the Liverpool Women’s foundation trust discovered when it implemented a single sign-on system to replace as many as a dozen passwords with just one. It made savings of up to £20,000 per year in reduced calls to the IT helpdesk.

Tameside and Glossop Acute Services trust has also just started to roll out a single sign-on solution. No wonder, when a typical task, such as viewing digital x-rays through an electronic Picture Archiving and Communications System (PACS), required no fewer than four different applications and logins. Users would often either write down their passwords or forget them - and a single forgotten password would prevent access to the whole system.

SSO removes the multiple-password problem and, done properly, makes the overall system more secure: one password, which is more easily remembered, combined with a “token” of some sort as a second factor, delivers convenience and security in one fell swoop. The token matters. Without it, the single password becomes the single point of failure for every application behind it.
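To make concrete what “one password plus a token” buys you, the following is an added example of a minimal single sign-on flow; it is not the Liverpool or Tameside deployment and not a Microsoft product. An identity broker checks the password and a time-based one-time code exactly once and issues a signed, short-lived ticket; each application (PACS, the patient administration system, e-mail) verifies the ticket and never sees the password at all. The user record, secrets, application names and signing key are constructed for the demonstration.

```python
"""
Minimal single sign-on: authenticate once (password + TOTP) at a broker, then
present a signed, short-lived ticket to each relying application. Added
example; users, secrets, app names and the key are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

BROKER_KEY = os.urandom(32)      # shared with relying apps (constructed)
TICKET_LIFETIME = 600            # seconds a ticket stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret_b32: str, apps) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_password(password, salt),
            "totp": totp_secret_b32, "apps": set(apps)}


# Constructed directory: one ward sister entitled to three applications.
USERS = {"ward_sister": make_user("Correct-Horse-42", "JBSWY3DPEHPK3PXP",
                                  ["pacs", "pas", "email"])}


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32)
    counter = int(at // step).to_bytes(8, "big")
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def login(username: str, password: str, otp: str, now=None):
    """The single authentication point. Returns a ticket string or None."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None   # a production broker would still run the hash to keep timing uniform
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"]):
        return None
    if not hmac.compare_digest(otp, totp(user["totp"], now)):
        return None
    claims = {"sub": username, "apps": sorted(user["apps"]),
              "iat": int(now), "exp": int(now) + TICKET_LIFETIME}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_ticket(ticket: str, app: str, now=None):
    """Relying-application side: check signature, expiry and entitlement; never the password."""
    now = time.time() if now is None else now
    try:
        body_s, sig_s = ticket.split(".")
        body, sig = _unb64(body_s), _unb64(sig_s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if now >= claims["exp"] or app not in claims["apps"]:
        return None
    return claims["sub"]


if __name__ == "__main__":
    t = time.time()
    ticket = login("ward_sister", "Correct-Horse-42", totp("JBSWY3DPEHPK3PXP", t), now=t)
    print("PACS accepts:", verify_ticket(ticket, "pacs", now=t))
    print("payroll accepts:", verify_ticket(ticket, "payroll", now=t))
```

The point to notice is that the password is typed once and checked once; what PACS, the patient administration system and the mail server receive is a ticket that expires after ten minutes, carries the list of applications the user is entitled to, and cannot be altered without the broker’s key. A forgotten password therefore costs one helpdesk call rather than four, and a compromised application cannot harvest the credential, because it was never sent there.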


Next Step: Intelligent Application Gateway

The whole area of identity and access management can be further enhanced by Microsoft’s Intelligent Application Gateway (IAG). This can sit at the perimeter of a network and, in conjunction with other solutions such as Microsoft Identity Lifecycle Manager (ILM) and Rights Management Services (RMS), control who has permission to access what data and from where.

This takes access control a step beyond what passwords alone can manage. It can determine, for example, whether someone working from home has the right level of encryption on their laptop to be allowed to download a confidential document, and prevent them from doing so if they do not.

IAG does this by terminating an SSL connection from the user’s web browser, so that the link between the remote user and the NHS network is encrypted, and then applying an additional context-based access assessment on a “who are you, where are you and what do you want” basis.

As Andrew Lintell, Microsoft IAG Business Manager, told this site back in February: “What a consultant needs to see may well differ from what an anaesthetist or ward sister needs to see. You can also set a policy so that, for example, a ward sister can edit a document while the nurses working with her will only be able to read it.”

IAG can even avoid the panic that might otherwise occur when data is cached within a browser and so “hidden” on a hard disk until someone searches for it. By using a screen scraping technique, IAG ensures no data residue is left on the local disk, so nothing can be cached, lost or left behind with a laptop. That protection covers what the browser session would otherwise write to disk; it is not a substitute for encrypting the laptop itself, which is exactly the condition the gateway can check for before allowing a download.
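The three checks described above (the role decides what you may do, the location decides how strict the gateway is, and the state of the endpoint decides whether confidential data may leave the network) are easiest to understand as a single deny-by-default decision function. The code below is an added example and not IAG’s policy language or Microsoft’s code: the address ranges, the role-to-action table, the “residue-free viewer” delivery mode used for remote reads, and the sample requests are all constructed.

```python
"""
Context-based access decision of the "who are you, where are you, what do
you want" kind. Added example; networks, roles, rules and the delivery modes
are constructed and are not IAG's own policy language.
"""
from dataclasses import dataclass
import ipaddress

# Address ranges treated as "inside the trust network" (constructed).
TRUST_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# Who may do what: the ward sister may edit, the nurses working with her read only.
ROLE_ACTIONS = {
    "ward_sister": {"read", "edit", "download"},
    "consultant":  {"read", "edit", "download"},
    "nurse":       {"read"},
}


@dataclass
class Request:
    user: str
    roles: frozenset        # who you are
    client_ip: str          # where you are
    disk_encrypted: bool    # endpoint posture reported by the gateway's client check
    resource: str           # what you want
    sensitivity: str        # "public" or "confidential"
    action: str             # "read", "edit" or "download"


@dataclass
class Decision:
    allowed: bool
    reason: str
    delivery: str = "native"    # or "residue-free viewer" (constructed name)


def location(client_ip: str) -> str:
    """Classify the caller as inside the trust network or remote."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in TRUST_NETWORKS) else "remote"


def decide(req: Request) -> Decision:
    """Deny by default; every grant and refusal names the rule that produced it."""
    permitted = set().union(*(ROLE_ACTIONS.get(r, set()) for r in req.roles))
    if req.action not in permitted:
        return Decision(False, f"roles {sorted(req.roles)} do not permit '{req.action}'")
    where = location(req.client_ip)
    if req.sensitivity == "confidential" and where == "remote":
        if req.action == "download" and not req.disk_encrypted:
            return Decision(False, "confidential download refused: remote laptop without disk encryption")
        if req.action == "read":
            # Serve it through the gateway's viewer so nothing lands in the browser cache.
            return Decision(True, f"remote read of {req.resource} via gateway viewer",
                            "residue-free viewer")
    return Decision(True, f"{req.action} on {req.resource} permitted for {req.user} ({where})")


if __name__ == "__main__":
    doc = "discharge-policy.docx"
    for r in (
        Request("sister1", frozenset({"ward_sister"}), "10.1.2.3", False, doc, "confidential", "edit"),
        Request("sister1", frozenset({"ward_sister"}), "81.2.3.4", False, doc, "confidential", "download"),
        Request("nurse1", frozenset({"nurse"}), "81.2.3.4", False, doc, "confidential", "read"),
        Request("nurse1", frozenset({"nurse"}), "10.1.2.3", True, doc, "confidential", "edit"),
    ):
        d = decide(r)
        print(f"{r.user:8} {r.action:8} -> {'ALLOW' if d.allowed else 'DENY '} [{d.delivery}] {d.reason}")
```

The order of the checks is deliberate: entitlement first, because a nurse asking to edit is refused regardless of where she is; then location, because the stricter rules apply only to traffic arriving from outside; then endpoint posture, which is the one condition a password can never express.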

None of these techniques operates in isolation, but IAG and single sign-on share one characteristic that is rare among security systems: they seem to make the lives of end users easier. And if the user is happy with the security regime, that’s half the battle won.

About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.

 
