Black Hat 2018: Reducing Attack Surfaces

Cat hacker wants to hack your email and banking app? Dream on, kitty!

The theme of reducing attack surfaces emerged repeatedly at Black Hat 2018. While many cyber security professionals acknowledge the risk exposure hidden in today’s proliferating collection of attack surfaces, not everyone is taking action. It can be a bit frustrating. Bemoaning the vulnerability of stored data and password repositories rings hollow when all you’re offering are more layers of protection for digital assets you more or less admit you can never truly protect.

Two companies I met at the show are actually turning surface reduction theory into practice. Others are also rising to the occasion, for sure. These two are worthy of highlighting, though, for strong innovations and a pragmatic approach to business development. In my experience, it takes both to succeed at the early stage. HYPR is taking on the challenge of decentralized authentication, which takes passwords and PINs out of the login process. PreVeil is on a similar track, eliminating passwords and providing end-to-end encryption of email.


Addressing the Credential Re-Use Problem

How many more massive, costly and embarrassing data breaches will it take before the world concludes that system credentials are insecure? This was the context for the founding of HYPR. The company is tackling the threat of credential re-use by malicious actors, which is at the heart of many of the worst security incidents of recent years.

George Avetisov, CEO of HYPR

Once stolen (through phishing) or guessed (based on weak usernames, passwords and PINs), credentials allow hackers and fraudsters access to any data on the network that isn’t encrypted or extremely well-guarded. Targets of course include huge credential repositories. From there, the attackers can loot pretty much anything they want.

“The password store is the hacker’s favorite target,” said George Avetisov, CEO of HYPR. Their solution is to remove the password store altogether. “We take that juicy target off the board,” Avetisov added. “You can’t hack what’s not there. You can’t phish for credentials that don’t exist.”

HYPR takes a decentralized approach, moving the equivalent of login credentials to the user’s smartphone or other device. There is also no intermediary in the middle, which could otherwise serve as a locus for eavesdropping and credential theft.


For example, with HYPR, a bank customer stores his or her credentials on the bank’s mobile app. When the user wants to conduct a banking transaction, the bank sends an authentication request to the device. The user then unlocks the app to complete the transaction. The key never leaves the phone. The bank stores no user credentials.

HYPR is now applying this approach to customers of clients like Aetna and Mastercard. PINs are their first use case. Avetisov believes HYPR could help with GDPR compliance as well. By removing passwords from the equation, it’s easier to secure customers’ private data.

What happens if a device is lost or stolen? For this possibility, the HYPR solution provides revocability to protect the enterprise and the user. If a device is misplaced, lost or stolen, the user simply reports its loss to the service provider, which revokes the public keys, rendering the device useless to anyone who finds it. The user then re-registers in accordance with the enterprise’s onboarding and “Know Your Customer” (KYC) policies. This process may require an email.
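The banking flow described above (key generated on the phone and never leaving it, the bank holding no credentials, a per-transaction authentication request, and revocation of the public key when the phone is lost) is, in protocol terms, public-key challenge-response. The following is an added Go example written for this article, not HYPR's code; it assumes Ed25519 signatures, a constructed sample user "alice", and in-memory maps standing in for the bank's registration database. The server side stores nothing but public keys, consumes each challenge once so a captured signature cannot be replayed, and drops the key on revocation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the user's phone. The private key is generated on the device and never
// leaves it; the server only ever sees the public half.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is what the device hands over at registration.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign answers a server challenge. In a real app this call sits behind the phone's
// unlock step (PIN or biometric), which is the "user unlocks the app" moment.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server models the bank. It stores public keys only: there is no password store to steal,
// and a stolen public key cannot be used to log in.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // userID -> registered device key
	challenges map[string][]byte            // userID -> outstanding one-time challenge
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register binds a user to a device public key (onboarding/KYC happens before this step).
func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.pubKeys[userID] = pub }

// Challenge issues a fresh random nonce for one authentication attempt.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown or revoked user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[userID] = c
	return c, nil
}

// Verify checks that the signature over the outstanding challenge was made by the
// registered device. The challenge is consumed, so a captured signature cannot be replayed.
func (s *Server) Verify(userID string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[userID]
	if !ok {
		return errors.New("unknown or revoked user")
	}
	expected, ok := s.challenges[userID]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge (stale or replayed)")
	}
	delete(s.challenges, userID) // single use
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match registered device")
	}
	return nil
}

// Revoke is the lost-or-stolen-phone path: dropping the public key makes the device useless
// to whoever holds it. The user re-registers a new device afterwards.
func (s *Server) Revoke(userID string) {
	delete(s.pubKeys, userID)
	delete(s.challenges, userID)
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", dev.PublicKey()) // "alice" is a constructed sample user

	c, _ := srv.Challenge("alice")
	fmt.Println("challenge:   ", hex.EncodeToString(c))
	fmt.Println("login:       ", srv.Verify("alice", c, dev.Sign(c))) // <nil> means success
	fmt.Println("replay:      ", srv.Verify("alice", c, dev.Sign(c))) // rejected

	srv.Revoke("alice")
	_, err = srv.Challenge("alice")
	fmt.Println("after revoke:", err)
}
```

The detection point for a defender is the `Verify` error path: a burst of "stale or replayed" or "does not match registered device" failures for one account is the signal that someone other than the enrolled phone is answering challenges, and the remedy is the same revocation step the article describes.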


Protecting Email Repositories

You don’t have to be a presidential candidate to be concerned about breaches of email. It’s almost assumed, in some circles, that you should write emails with the assumption that they could be made public. Thus, we all start to sound like mobsters. “Hey, did you do the thing? You know, that thing we talked about.” “Yes, I took care of it.” “What about the other thing?”


This is no way to run a railroad. For Sanjeev Verma, Founder and Chairman of PreVeil, the vulnerability of email presented a challenge of imagination. “If you think you can protect something better with taller walls, you’re going to be disappointed,” he said. “Taller walls are harder to breach, but as we see, they continually get breached nonetheless. We felt email security needed a fundamental rethink.”

Sanjeev Verma, Founder and Chairman of PreVeil

Based on a model proposed in an MIT thesis, PreVeil assumes the attacker will get through to the email server. What’s important, though, is what happens once the attacker reaches the target. Their approach is to combine end-to-end email encryption with a password-less authentication model. PreVeil is offered on a “freemium” basis.

PreVeil encrypts email at every stage of the message delivery and storage process. “If you can get to it, it’s essentially worthless,” Verma said. With PreVeil, every account has a unique 256-bit encryption key on the user’s mobile device. Even the user can’t change it. The user doesn’t know it. No other device can access the user’s email account. The user can only access the account from the right device. This precludes impersonators trying to access email from abroad or from unrecognized devices. To the end user, PreVeil appears as another email folder which encrypts its contents.

PreVeil also takes on the associated administrative challenge that comes with encrypting emails and getting rid of passwords. Their innovation here is what Verma calls an “approval group,” a collection of administrators who share responsibility for one or more email accounts. When two out of three admins in the approval group authorize a change to the account, it will happen. No single admin can do it all, by design. Similarly, the approval group can agree to decrypt email messages, as might be required in an evidence preservation scenario.
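A two-out-of-three approval group that can jointly decrypt an account is, cryptographically, a threshold scheme: the account key is split so that any two shares recover it and one share alone reveals nothing. The article does not say how PreVeil implements this, so the following added Go example, written for this article and not PreVeil's code, demonstrates the standard construction, Shamir secret sharing over a prime field, with a constructed 256-bit sample key. The modulus is the Mersenne prime 2^521 - 1, chosen so any 256-bit key fits as a field element; the threshold and share count are parameters, so the same code handles larger groups than the 2-of-3 case in the text.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field modulus: the Mersenne prime 2^521 - 1. Any 256-bit key is a valid element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one admin's piece: the point (X, f(X)) on the secret polynomial.
type Share struct {
	X int64
	Y *big.Int
}

// Split hides secret as the constant term of a random degree k-1 polynomial and hands out
// n points on it. Any k points determine the polynomial; k-1 points reveal nothing about it.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k {
		return nil, errors.New("need 2 <= k <= n")
	}
	coeffs := make([]*big.Int, k)
	coeffs[0] = new(big.Int).SetBytes(secret)
	if coeffs[0].Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		shares[i-1] = Share{X: int64(i), Y: evalPoly(coeffs, big.NewInt(int64(i)))}
	}
	return shares, nil
}

// evalPoly computes f(x) mod prime by Horner's rule.
func evalPoly(coeffs []*big.Int, x *big.Int) *big.Int {
	y := new(big.Int)
	for i := len(coeffs) - 1; i >= 0; i-- {
		y.Mul(y, x)
		y.Add(y, coeffs[i])
		y.Mod(y, prime)
	}
	return y
}

// Combine recovers the secret by Lagrange interpolation at x = 0. Given fewer shares than
// the threshold it yields an unrelated field element; that is reported as an error here
// because such a value will (with overwhelming probability) not fit in secretLen bytes.
func Combine(shares []Share, secretLen int) ([]byte, error) {
	seen := map[int64]bool{}
	for _, sh := range shares {
		if seen[sh.X] {
			return nil, errors.New("duplicate share")
		}
		seen[sh.X] = true
	}
	acc := new(big.Int)
	for j, sj := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xj := big.NewInt(sj.X)
		for m, sm := range shares {
			if m == j {
				continue
			}
			xm := big.NewInt(sm.X)
			num.Mod(num.Mul(num, xm), prime)
			den.Mod(den.Mul(den, new(big.Int).Sub(xm, xj)), prime)
		}
		// term = y_j * prod(x_m) / prod(x_m - x_j), the Lagrange basis value at x = 0
		term := new(big.Int).Mul(sj.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		acc.Mod(acc.Add(acc, term), prime)
	}
	if acc.BitLen() > secretLen*8 {
		return nil, errors.New("reconstruction failed: too few or wrong shares")
	}
	out := make([]byte, secretLen)
	acc.FillBytes(out)
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed sample: a 256-bit account key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	shares, _ := Split(key, 2, 3) // three admins, any two suffice
	got, err := Combine(shares[:2], 32)
	fmt.Printf("two admins: match=%v err=%v\n", bytes.Equal(got, key), err)
	_, err = Combine(shares[:1], 32)
	fmt.Println("one admin: ", err)
}
```

In practice the split key would wrap a per-message key rather than being handed to admins directly, and each admin's share would itself live on that admin's device, so "two out of three admins authorize" becomes two devices contributing shares to a single reconstruction rather than any one admin holding the whole key.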

Photo Credit: lauracoughlin Flickr via Compfight cc