Kevin Curran

Kevin Curran is a Professor of Cyber Security, Executive Co-Director of the Legal innovation Centre and group leader of the Ambient Intelligence & Virtual Worlds Research Group at Ulster University. He is a regular technology contributor to TV, radio, trade and consumer IT magazines.

Security comes at the expense of convenience but it’s worth it

In 2015, hackers were invited to take over control of Little Bird – an unmanned military helicopter belonging to Boeing. They were given access to a section of the drone’s computer system and just needed to take over the onboard flight-control computer in the allotted six weeks.

They were unable to hack it and this caused the US military to sit up and take note. It turns out that Little Bird’s software programming used formal verification which is code written like a mathematical proof where each statement follows logically from the preceding one so that a program can be tested with the same certainty that mathematicians prove theorems.

Formal methods and formally verified software is not new. I myself took a module in it when studying as an undergraduate. No, the seriousness of software vulnerabilities has reignited an interest in applying rigour to the logic within code and this has led to interesting projects such as Microsoft’s Everest which aims to create a verified version of HTTPS, the protocol that secures web browsers and basically ensures our traffic is not captured en route to sites.

It is by no means the solution to a secure Internet. Writing a formal specification requires specific knowledge. Many logical operations can also be incredibly difficult to formalise. The actual specification can also be many times longer than the original code base.

In the rush to market, few companies can afford to ‘indulge’ in such a convention but perhaps much more mission critical software will embrace formal specifications and that can only be good for the industry.

The most effective way for hackers to gain a foothold on systems and install keyboard loggers or malware is to get people to click on links in phishing emails.

Importance of Two-Factor Authentication

A robust defence against these phishing emails is to use two-factor authentication. MetaCompliance of course are fully aware of the dangers of phishing and their MetaPhish product helps keep staff safe from phishing scams through automated training that increases their vigilance and ultimately aims to make staff aware of email threats.

In fact, it is not often that you hear success stories like Google announced this month where they said that none of their 85,000 employees who have been using two-factor authentication with security keys since 2017 have been subjected to phishing attacks within that time.

Two-factor authentication is where you need to know something (e.g. your password) and have something (e.g. a security key). Essentially, this means that even if an attacked manages to get your username and password for an important online account, they will not be able to login to that account without having access to a user’s security key.

Google themselves discovered that some multi-factor implementations which used text-message or app-based authentication had an average failure rate of 3%, but they found the U2F or security-key approach to have a 0% failure rate.

A popular USB security key is YubiKey which uses the Universal 2nd Factor (U2F) standard to store a unique access token. You just need to plug the key into a computer so as to authenticate yourself to a service which supports it such as Google, Dropbox, LastPass, Github, and more each day.

Google have just launched their own Titan security key for physical two-factor authentication. It is a small USB with a button that you tap instead of retyping codes to login to services. You can plug it in or use the Bluetooth feature and there is no need to connect a phone number for verification messages. It uses a FIDO alliance approved protocol. FIDO is the World’s Largest Ecosystem for Standards-Based, Interoperable Authentication

Setting up two-factor on services such as Google is not a difficult task. You initially login to privacy and security settings and turn on two-factor authentication. You then sync your phone to receive a code.

It will ask you to sync your phone and will send you a code to set up your two-factor authentication. You then add the key to your account in settings, insert the key, tap the button on the key and also add recovery information so as to avoid future problems if lost.

Best practice at this time is to use two-factor authentication on important accounts. Yes, there is an inconvenience of needing physical access to the key but you can trust a computer for 30 days if you wish.

It may seem odd to be still reliant on a physical USB device in 2018 but it is ultimately the physicality that protects.

You see, access, compromise, escalation of privileges, exfiltration of data and snooping can all be done remotely by skilled hackers but until a teleportation device is invented and connected to the Internet, then that physical two-factor authentication device is not going anywhere and remains at your side protecting your account.