Blog

No tiresome proprietary Card Readers required!

Naturally, you need a Visa or Mastercard for in person payments but on the same contactless card you can, with CASQUE, also have Strong Customer Authentication. No need for cumbersome, proprietary card readers but instead have higher security assurance and much less hassle- see this short YouTube clip

High Grade IAM with FortiGate

There is no point in building Zero Trust infrastructure if the Identity Assurance method has vulnerabilities. CASQUE multi-factor authentication changes keys dynamically and transparently so there is nothing for a Hacker to target or for a complicit Insider to disclose.

CASQUE provides high grade, NIST level 3 Identity access to FortiGate’s “single pane” control of SD-WAN infrastructure. Server integration is out-of-the-box: CASQUE is a Fabric-Ready technology partner in the Open Fabric Ecosystem of Fortinet. Client installation is quick – simply add the Chrome Web Store CASQUE Extension. Universal client deployment – just need an Android or iPhone with the CASQUE contactless Smartcard App.

Zero Trust and other Platitudes

It is a much simpler task to expound the precepts of Zero Trust Architecture than to actually implement them. Consider a couple of the proposed seven tenets from NIST (Draft (2nd) NIST Special Publication 800-207)

Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioural attributes!

All resource authentication and authorisation are dynamic and strictly enforced before access is allowed”.

These seem eminently sensible but hide awkward conundrums.

The pandemic has accelerated the occurrence of flexible and remote working with the times, locations and types of client platforms of a worker changing from day to day. Behavioural patterns need to have a wider tolerance, more importantly, it does not suit the “agile” Organisation to have the Executive Sales Manager needing to phone the Administration Support team to visit a new location tomorrow and convince them he should be so allowed. So one result is increased administration overhead and the inevitable easing of profiles for the most privileged Users who then become the obvious target for hackers.

As the latest mobiles become powerful work horses and the focus of investment, Users will want to use them as clients. Combined with the “new normal” for flexible, remote working the way to ensure trust will be to “use multi-factor authentication (MFA)”. But what MFA to use?

It is ridiculous to have the same mobile as the means of authentication and its ludicrous to have to send passcodes to another separate mobile. 

The ultimate dichotomy in Zero Trust Architectures is that you have to trust that the access to the Policy Enforcer Administration is legitimate.

The need for a high grade MFA solution for mobiles will become an increasing requirement. The painful fact is that all current MFA methods have a common, inherent vulnerability; they rely on keeping fixed secrets so discovery by hackers or disclosure from complicit Insiders allow defences to be breached with impunity.

In an Edwardian Mill building in Lancashire, UK a team of four with Colonel (Retd) John Doody as advisor, have over a decade, developed CASQUE, a patented approach to Identity Assurance that does not have this fundamental infirmity. CASQUE is certified as suitable for secret under UK CAPS scheme and easily meets the highest assurance specifications (Level 3) from US NIST Digital Identity Guidelines.

CASQUE changes keys dynamically and is transparent to the User so there are no fixed secrets to discover or disclose and by removing reasons to deny access, provides a powerful deterrent. CASQUE is, in this respect unbreakable.TheDon’t be a Target Presentation summarises our solution and contains additional links to source documents, including a link to a Competitive Positioning Whitepaper. The CASQUE proposition relies on these principles:

[1] The need for high grade Multi-factor Authentication available on any Client (especially mobiles) with any operating system including “locked-down” clients will increase.

[2] The Customer (not Cloud Providers) should own and control access to their data resources so the capability for independent, federated, Identity Provision will become increasingly valued.

[3] The need to police the most privileged Users requires Identity differentiation of the highest Assurance level.

Notes:

[1] CASQUE needed 4 inventions, one is partly described in US and EU granted patent “A Scalable Authentication System”, the 3 others are kept as private know-how. There is no dependence on any third party IP.

[2] CASQUE has been certified at source code level under UK CAPS scheme as suitable for working at Secret and has successful installations in UK Ministry of Defence. 

[3] CASQUE has mutually tested integration with leading Network Gateway manufacturers such as CISCO, Fortinet, Pulse Secure and WSO2.

 

Secure Remote Collaboration

Remote and flexible working will become the “new normal” but greater security risks will intensify. We are pleased to announce our partnership with Collabor8online, a UK software company that adds CASQUE as a high grade assurance option to their powerful Cloud based collaboration tool. Collabor8online allows fine grained access to files on a User specific basis and is simple to use and control. The complete capability can be delivered as a managed service so you don’t have the chore of setup and installation – comprehensive capability with the benefit of unrivalled value for money.Please have a look at Collabor8online to view the rich collaboration features and, if you want to know why existing Identity Assurance products are vulnerable, view here. 

Interview in Websiteplanet

Basil Philipsz, CEO of Distributed Management Systems Ltd has been interviewed for Websiteplanet – “Home for all your Website Solutions”.

The interview is “Securing your Digital Operations with Identity Assurance” click here for the link

 

MFAs are not what they are cracked up to be

MFA products are not all that they are cracked up to be; a lot are cracked.Android malware can steal Google Authenticator 2FA codes!

A new version of the “Cerberus” Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts. In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say that by abusing accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C&C server.

A recent post described a Chinese hacker group caught bypassing RSA SecurID: SMS pass codes have long been deprecated:

If only there was a Multi-factor Authentication Technology that did not rely on having fixed secrets…

This document summaries the reasons for the competing positioning dispositions of various Authentication methods and their associated Identity Management capabilities.

Written with the admitted selected bias of the author but the arguments are sound and defensible – click to download.

Chinese hacker group caught bypassing RSA SecurID

Fox-IT say they found evidence that a group known as APT20, believed to operate on the behest of the Beijing government has been bypassing RSA two-factor authentication in a recent wave of attacks. “We have identified victims of this actor in 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech,” its report states.

The investigation asserts that the hack “stole” the SecurID Software Token and so managed to generate the one time codes and access the VPN connections with impunity. It does reinforce US NIST (Digital Identity Guidelines) placing OTPs like SecurID in the lowest Assurance Level.

Disappointing result for Dell’s Flagship Authentication product.

Of course, such an attack can never happen with CASQUE which fulfils the highest NIST Assurance Level and is certified by NCSC as suitable for Secret.