Chris Drake, long time security expert who has been coding back before I was born joins, me on the podcast to talk about the secure authentication option he has created called CryptoPhoto for Joomla.
Chris talks all about his experience and stories that he has been exposed to over the years as a white hat hacker and business owner. The disaster stories and his own success stories.
Good news from the acceptance of the new RFP for the hosting of the demo site that Joomla provides. If you go to demo.joomla.org. you can get to a free website for a certain period of time to try out Joomla. Congratulations go to SiteGround, who have won the RFP, what that entails also is that they will be introducing Joomla.com. Where users can go to get free hosting of a website on a subdomain of Joomla.com. This is similar to that of wordpress.com.
We are running a new campaign here at Joomla Beat, #90DaysOfJoomla. Peter has just returned from the ProBlogger conference on the Gold Coast, QLD. It was interesting to learn about how people drive traffic and build value. From there the idea of a campaign to educate and teach the Joomla community and others out there to have a better understanding of Joomla. We are encouraging everyone else to join in, by using the #90DaysOfJoomla. Check it out on Facebook, Google+, and Twitter.
Chris started back in 1982 in security, where he was writing games and decided he needed copy protection for them. He didn't do all that well at school, because he was more interested in computers, then worked hard at night school to get into university.
From there he did a lot of hacking, but he assures us it was all white hat. He made himself known to Netscape by finding many backdoors, resulting in a cease and desist letter rather than a t-shirt when they had a find a bug, win a t-shirt competition. Chris spoke at HIP 97 hacker conference on backdooring and practical ways to attack P2P. More recently a TEDx talk on security in Noosa, QLD. Chris boasts quite a resume that he has built up over the past 32 years.
Last year, 70% of businesses that were surveyed had a serious hacking incident where machines have been damaged and confidential information had been stolen. The companies surveyed were critical infrastructure companies, such as water, power and internet providers. Out of hacking attacks that are taking place, 91% is caused by phishing.
Basically there is a better than 50% chance you will be hacked by phishing this year, doesn't matter who you are. Phishing, can involve a fake email which then opens up a page where they steal your password. More often than not, it will install malware onto your computer, which allows for remote controlling of your computer. Which then will steal your password or whatever it is they want to do with your computer and password. It is called a man in the browser attack, e.g. there is a small group in Brazil called the Boleto Bandits, each year they take $4 billion in cash from doing exactly what was just described.
In the USA, 30% of machines have malware on them. The least infected country in the world is Switzerland, that 1 in 5 machines is infected. That is still a high rate!
Chris attended a security conference in Australia where an antivirus vendor took the stage for a talk and started with “the war is lost”. Basically there is so much malware that they can’t keep up. At the moment, there are 315 thousand new pieces of malware created each day.
The idea of using the two step 1980’s authentication technology to protect people in the wake of what is happening on the internet these days, is not going to work. One of the reasons why this technology has come out is that the RSA patent has become public domain after 20 years. So now this antique technology is available for free.
The most well known is Google authenticator, it is a product you can install on your smartphone and it will give you a number which changes every 30 seconds and then when you are logging in to your website it will ask for that number.
The Big Problem
What do you do with all these numbers that are given to you? Putting the number into your browser isn’t secure, as we know from the stories above. You don’t know what is in your machine, or in your browser. There could be a man in the browser, malware or anything.
Chris makes an interesting point about how many people have had money stolen from them through internet banking. In Australia the banks will give you the money you have had stolen but only once. As an individual you have one opportunity, but if you are tricked again they won’t. A new thing on the banks radar is people who pretend they have had money stolen, online banking security is complex.
You never know how secure a Wifi connection is, especially on public computers. Rogue Wifi is massive problem. With public wifi there is a SSL strip which can be altered. E.g. If you are in an airport, and you want to do some internet banking, you navigate to your banks website but the people who are running the Wifi have substituted an SSL strip attack in there, this is called proxying, to intercept everything sent from that computer, so they can collect all the information you send to the bank with. But to you and the bank it appears to be protected by SSL.
You need to put information somewhere, and most commonly now it is in the cloud. Amazon is a huge example of this. A scare story of this was when someone phished the password from a guy who used Amazon for his business and they logged into his Amazon cloud account. They changed his password, then sent him a blackmail notice for 1 bitcoin (AU$600) from him. He said no, so they deleted his instance, which destroyed his business.
How Can Users Protect Themselves
How do you solve the issue, when so many different attacks are taking place. What Chris has done is taken a real world type solution, e.g. when you give your friend money you don’t just give it to anyone in the street, you wait until you see them and recognise them. What this system does is use mutual authentication, so when you log in through the system using CryptoPhoto, a photo is shown and you’ll find that same photo on a secure token that you have and tap on that photo and it logs you in.
How to use CryptoPhoto
It is easy to find, as it comes as an extension in the Joomla Extension Directory (JED). Register on the CryptoPhoto website. Put in your username and password. Log in on your website, then the next screen you see is a photograph. At the same time your smartphone will beep and it will show you a range of photos, you tap the one that you see on your computer screen. It works on all popular smartphones.
For big companies there is a charge, but for small Joomla users, it is free.
How Does it Differ from Other Security
The photo changes every time. The user will have the app installed on their smartphone. The app itself has the photos built into the app and every user has a different set of photos.
There is some on the website, but they are in the process of updating the website. Fairly self explanatory.
Play around with the Code samples/API on the website. Check out the demonstrations, plug ins, etc.
Find out More