Security Stuffs

Your Credentials are Showing..

Credentials are highly sought-after data, second only to financial account information. Read the Verizon DBIR – http://www.verizonenterprise.com/DBIR/2015/. It's in there somewhere.

Everyone is a target. You might not be the real target, but who are your customers? Hackers == slimy used car salesmen: both are looking for the easiest way to a buck, and you, Mr. Customer, could very easily end up an unwilling participant for either of them. In the hacker's case, your credentials can be monetized directly (logging in as you and draining whatever the account holds) or indirectly (selling them on to someone who will), depending on the account.

SSL/TLS is really great, but it isn't enough by itself. It's great for verifying the identity of the far end and protecting confidentiality and integrity on the wire, but the tunnel ends in the browser, and in the browser (where much of the malware lives these days) those credentials are in the clear. Anything that can see the page, whether an injected script, a malicious extension or a man-in-the-browser trojan, can see them, and all of a sudden your credentials are for sale on BuyMyCreds.com.

"But Brent, I have 2-Factor Authentication. Who cares if they have my credentials? They don't have my token, right?" Maybe. Is 2FA required in every case, for every application, all the time? Exactly. And of course nobody reuses the same password for nearly everything, either. No, your anti-virus isn't likely to notice. Let's agree you are at risk, yes? NO?! WTH..

Form Post Example

Look here! Them there's your credentials. What's nice (for hackers) is that it's fairly trivial for JavaScript to punt a copy of them somewhere at the same time you're using them to log in, and the login still succeeds, so nothing looks wrong. They're easy to find because they're labeled so damn well: a field called password is hard to miss.


Using WebSafe with Access Policy Manager

By combining two technologies, Access Policy Manager (APM) and WebSafe, F5 can protect sensitive application parameters both while they are in motion on the network and while they sit in the browser. This works without making any changes to that broken-ass homegrown application you've somehow built a business around. APM gives you a single place to define policy across multiple applications and provides the authentication services. Using its Application-Level Encryption and Transaction Protection components, WebSafe makes sure the authentication process can happen without exposing user credentials to those naughty hackers.


But Does it Blend?

Even reasonably secure operating systems run into bugs. Take, for instance, the latest Apple bug that allows information to be exported right out of Keychain: your locally cached passwords, certificates, Wi-Fi passwords and other super-s3kr3t stuff. Leveraging WebSafe can help make what comes out of the keychain less useful to the hackers, but note what it covers: the login transaction in the browser and on the wire, not the local secret store itself. It's a layer on top of patching the OS, not a replacement for it. It's like a win/win or something.

Tired of typing. Keep it classy.
