Interview With John Whaley – UnifyID by Safety Detectives

John Whaley: Founder and CEO of UnifyID

Aviva Zacks of Safety Detectives sat down with John Whaley, Founder and CEO of UnifyID. She asked him about his company’s challenges and solutions.

Safety Detectives: What was your journey to cybersecurity and what do you love about it?

John Whaley: I went to MIT for undergrad where I majored in computer science and learned about how security is implemented in the real world. During my Ph.D. at Stanford, my thesis was on the static analysis of source code to automatically find bugs, security flaws, and security holes within the software.

I founded my first company out of Stanford which was in the security space, and now I’ve started a second company in the space as well.

SD: What motivated you to start UnifyID?

JW: What I found was that every time you type a key on the keyboard, it sends a network packet, the content of which was encrypted, but you could look at the timing between the packets and then, based on that, you could determine the timing of a user’s keystroke as they typed. So we built a demo of this solution for a security conference.

It turns out that if you know the timing of somebody’s keystrokes, then you can figure out with fair reliability what it is that they are typing because, as you move your fingers around a keyboard, the spacing between them and the duration of the time between keystrokes can leak information about what you are typing.

We used Wireshark in the demo to capture a packet trace between the client and the server for some of these major products. Then we dumped that packet trace into a tool that would look at the timing between each of the packets, and then based on that, try to make a prediction about what the user was typing.

SD: What have been some challenges?

JW: One of the challenges we had in building the demo was the fact that everyone has their own unique way of typing. And so, you could train a model that would work well for one person, but it wouldn’t necessarily work well for other people. That’s where we first got interested in noticing habits and idiosyncrasies that we could use for identity authentication. I noticed that passwords were a real challenge. Moving forward, we knew that the password alone was not going to be the way that people would be authenticated. While the password is not completely going away yet, we are starting to see its limitations and the need for additional authentication factors to provide secure digital experiences.

SD: Which industries use UnifyID and why?

JW: We have a lot of interest from the financial services industry because fraud is very costly in that area; they have a need for high security but there’s also a need for seamless user experience. The other areas are cryptocurrencies and crypto exchanges. Any type of case where there is a sharing economy where you need to authenticate not only the user, but also the worker, because the worker may not be a full-time employee of the company, and they want to make sure that the correct person is the one making a delivery or walking your dogs.

In many cases, people use our technology for streamlining physical access: for unlocking doors and cars for example, where you want security and you also want a seamless user experience.

SD: What do you feel is the worst cyberthreat today? 

JW: The biggest cyber threat continues to be the attacks that go after the end-user. We’ve reached a point now where firewalls are no longer easy targets. It is now much easier and much more lucrative to go after individuals and try to steal their identity during the authentication process by tricking them into authenticating. This way the attacker hijacks the individual’s session to take over their account and then either transfer money out or use the hijacked account as a launch point for new attacks.

When I was young, hackers were hobbyists who were hacking for fun to prove something. There was not a lot of money in it, and it was not particularly malicious. Fraud is now a cybercrime and cyberattacking is now a large industry. There is a lot of money in it. The attacks have gotten very sophisticated. Attackers will steal someone’s identity, wreck their credit, and use that to launch different types of attacks to try to extract money out of even more people.

Until now, humans have always been the weak link in security—getting tricked into either clicking through a phishing site, entering their password in the wrong place, or getting socially engineered over a phone call. With UnifyID’s behavioral biometrics technology based on motion and the way each one of us behaves, humans become a strong link in security just by behaving the way they usually do.

“Suddenly there is a much greater need to remotely authenticate people…”

John Whaley

SD: How important is multifactor authentication in the light of COVID-19 and the increase of employees working from home?

JW: The number of attacks has increased by almost 800% since the start of COVID-19. In the recent past, you were able to be implicitly authenticated due to the fact that you were physically at the office, which has security measures to let you into the building itself. Now, with everyone working remotely, suddenly there is a much greater need to remotely authenticate people, as a larger number of us now work remotely.

One of the additional drivers for hacking is the current economic situation. In the current world environment, more and more people are out of work and lacking positive economic prospects. These conditions could drive more people to engage in hacking.

Interview originally published on Safety Detectives.

Global Security Survey Across 700+ Organizations

In this brave new world of emerging protectionism and continued globalization, privacy and security seem at odds. In our market survey across 730 individuals and a similar count of organizations, a startling 50% of those surveyed rated their security concern at 10 (very important) on a scale from 0 (not at all).

Figure: Scale of Security Concern. UnifyID survey question on security (0 not at all concerned to 10 very important).

UnifyID, a service that authenticates you based on unique factors like the way you walk, type, and sit, is a revolutionary new identity platform for seamless security. Understanding the need for data privacy and ownership, product ease of use, and multifactor security, UnifyID has crafted a solution to address the pain of remembering passwords for authorized access in online and offline use cases.

In a deeper dive across 70 organizations and in 40 hours of interviews, we discovered that people care a lot about easier access at work but also at home. “It would be great if you can take stuff off my plate: several cell phones for different countries, computers, iPads, smart software in my car and home that can all actually talk to each other so that I don’t use the same password or long passwords every time I do a software update–this would save me several days every year I take to manage the access to these independent tools,” says Marco, an enterprise software COO.

Figure: Global Security Interest (interviewed). 70 organizations and 40 hours of interviews across various backgrounds.

In another interview, John, an undergraduate aerospace engineer, said: “Personally, I’m just excited to make new technology a part of my life. UnifyID complements my life with easier access to all of the sites I visit and makes my life easier and exciting to see the technology of the future as part of my life. Other than protecting my identity, it’s really cool to use this technology to make a big difference in people’s lives.”

These interviews were a special treat: we met people from different cultures, backgrounds, and walks of life, and had an incredibly unique chance to hear more on what specifically about security is most important to our users’ day-to-day lives. “As a small company, you have the opportunity to touch more people than Coca-Cola! A guy living in Istanbul is really interested in what you’re doing right now, 10k kilometers away. I’m sure more than 100k people are very excited about what 6 people in San Francisco are doing,” remarked a manager at Coca-Cola at the end of our call.

Our challenge is unique in that we’re not just addressing large corporations but real people including our friends and family. Though the political tides may be changing, taking back your rights to security and privacy is a paramount task we don’t take lightly. If you’d like to join us in this journey to taking down passwords, please sign up for beta or feel free to drop us a note anytime.

Figures: Survey Demographics (Age, Gender, Ethnicity, Education).

Credential Stuffing; How PRC almost hacked my Steam

Recently we’ve witnessed some pretty big password leaks. First 6.4m unsalted passwords leaked from LinkedIn, then 500m passwords leaked from Yahoo, which today grew to 1 billion accounts. This is truly scary even if you haven’t been using your Yahoo account. To see why, let us go back a couple of months when I almost fell victim to a credential stuffing attack from China.

First of all, “credential stuffing” is a fancy name for exploiting password reuse. All it takes is somebody with fairly basic computer security knowledge, looking up the password dumps from Yahoo or LinkedIn (widely available), then trying the same exact credentials on as many different sites as possible, until there is a match. In my case, I logged into my Steam account and saw something like this:

Screenshot: Steam, how it looks when you have been hacked.

Unfortunately, Steam does not specify whether this was a credential stuffing attempt, but it was only a week after the big LinkedIn leak. I may also have been reusing the same password for my LinkedIn and Steam, so all the pieces fit. Steam was very helpful in telling me the following:

  1. Somebody had tried to access my account from PRC.
  2. He had both my username and password.
  3. His attempt was blocked since I’ve never accessed Steam from PRC.
  4. I needed to change my password to regain access to my account.

At that time I deeply appreciated all those otherwise annoying security features: Facebook asking me to identify my friends, Google sending me text messages, and now Steam using geolocation to see where my impersonator lives. I quickly updated my password on Steam and 5-6 other websites.
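The two signals in the Steam story, correct credentials arriving from a country the account has never used, and one source trying a different username with each attempt, can be checked in a site’s own login logs. This is an added example, not code from the post or from Steam; the log format and sample lines are constructed for it, with documentation-range IPs and “ok” meaning the password matched before any location check.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (format assumed for this example):
# timestamp user source_ip country result
LOG_LINES = """\
2016-09-22T10:01:00Z alice 203.0.113.5 DE ok
2016-09-22T10:02:00Z alice 203.0.113.5 DE ok
2016-09-23T03:14:01Z alice 198.51.100.7 CN ok
2016-09-23T03:14:02Z bob 198.51.100.7 CN fail
2016-09-23T03:14:03Z carol 198.51.100.7 CN fail
2016-09-23T03:14:04Z dave 198.51.100.7 CN fail
2016-09-23T03:14:05Z erin 198.51.100.7 CN ok
2016-09-23T09:00:00Z bob 192.0.2.9 US ok
"""

def parse_log(text):
    """Parse the constructed log lines into dict records (in time order)."""
    records = []
    for line in text.splitlines():
        ts, user, ip, country, result = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "ip": ip, "country": country,
                        "ok": result == "ok"})
    return records

def new_location_logins(records):
    """Correct credentials used from a country the user has never logged in
    from before: the signal Steam acted on (block, force a password reset)."""
    seen = defaultdict(set)
    findings = []
    for r in records:
        if not r["ok"]:
            continue
        if seen[r["user"]] and r["country"] not in seen[r["user"]]:
            findings.append((r["user"], r["ip"], r["country"]))
        seen[r["user"]].add(r["country"])
    return findings

def stuffing_sources(records, min_users=5, max_window_s=120):
    """Source IPs trying many *distinct* usernames in a short window: one
    leaked credential per user, unlike brute force which hammers one user."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, rs in by_ip.items():
        users = {r["user"] for r in rs}
        span = (rs[-1]["ts"] - rs[0]["ts"]).total_seconds()
        if len(users) >= min_users and span <= max_window_s:
            hits[ip] = {"users": len(users), "successes": sum(r["ok"] for r in rs)}
    return hits
```

Successful logins inside a flagged window (alice and erin here) are the accounts whose leaked passwords were valid and deserve the forced reset Steam applied.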

My new password was the same as the old one, with the last letter changed from a ‘d’ to an ‘e’, meaning this was the 5th time I updated my Steam password for one or another reason. The rest of the password was pretty good in terms of entropy. Caps, lower cases, numbers, and symbols, randomly generated as well as pronounceable, using pwgen, a great CLI tool for generating strong, memorable passwords.

Screenshot: pwgen producing secure, memorable passwords.

But this is not great overall. Attackers have long since realized how hard it is to remember a password, and that users therefore tend to postfix their existing ones with predictable components, such as an incrementing counter. I’ve read posts about people using the same password everywhere and instead prefixing it with the site name. So if your main password is “d3adb33f” then for Amazon it will be “amazon_d3adb33f”, for Chase “chase_d3adb33f” or something along those lines.

I believe I have a good understanding of the security concepts behind passwords and I think I’m doing better in terms of passwords than 99% of the people out there since my password is not “password” or “123456” (proof). On the other hand, here I found myself coming up with predictable password patterns. Then it came to me, the bigger issue exposed by credential stuffing attacks and password reuse:

Either we all do passwords right, or nobody does.

Either nobody gets hacked, or we may as well all be, as long as users can’t help but use the same passwords and predictable patterns over and over again.

So what does it mean for everyone to do passwords right? If you want to be really safe, you’ve got to be a bit paranoid and lean completely on the side of security versus convenience.

  1. A password should be completely unpredictable (should not include pet names, date of birth, middle names, children names, childhood heroes, favorite books, in fact, no English words at all).
  2. A password should have capital letters, lowercase letters, numbers, symbols and be at least 16 characters long (for 128-bit keys).
  3. A different such password for each website, changed every 3 months, with no logical correlations between them.
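The predictable patterns described above (changing the last letter from ‘d’ to ‘e’, prefixing the site name, bumping a trailing year) are exactly what a site can refuse at password-change time, when the user supplies both the old and the new password in plaintext. This is an added example, not code from the post; the normalization rules and the edit-distance threshold are choices made for it, and the 16-character minimum is the post’s own guideline 2.

```python
import re

def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_decoration(pw, site):
    """Reduce a password to its 'core': lowercase, drop the site name,
    leftover separators, and a short trailing counter (Summer2016 -> summer)."""
    core = pw.lower().replace(site.lower(), "")
    core = re.sub(r"^[_\-.]+|[_\-.]+$", "", core)
    return re.sub(r"\d{1,4}$", "", core)

def check_password_change(new_pw, old_pw, site, min_len=16):
    """Return None if the new password is acceptable, else the rejection reason.
    Run this before hashing the new password; the old one is the plaintext the
    user just proved knowledge of."""
    a, b = strip_decoration(new_pw, site), strip_decoration(old_pw, site)
    if a == b or (b and b in a):
        return "old password reused with the site name or a counter"
    if edit_distance(a, b) <= 2:
        return "too close to the old password"
    if len(new_pw) < min_len:
        return "shorter than %d characters" % min_len
    return None
```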

It is indeed impossible to be truly secure using passwords. How about password managers, then, letting them handle the complexity of passwords? Not a bad idea on first thought: just tie all passwords to the user’s machine. But then you get this:

Image: The problem with password managers: you’re not your laptop.

Password managers basically escalate the problem of cyber security to a problem of physical security of your devices. If I can get my hands on an open laptop, I can access pretty much any website, as long as cookies are enabled or a password manager has been used. And that’s pretty terrible.

In the end, there is no solution that takes care of every aspect of identity security today. It’s either what you know (password) or what you have (device), and now we’re finally moving into the age of what you are.

Photo: TechCrunch Disrupt 2016, where we won runner-up in Disrupt Battlefield.

At UnifyID, we think of the human as the central point of identity management. Think about every bit of information that makes you, You. How large is your stride, do you walk fast or slow, how long are your arms, which floor is your house on, how fast do you drive to work? This is all information that we feed into our machine learning system as input. The output is binary: either it is you, or it isn’t. Since we only require one bit of information at the time of authentication, we can log you in with one click.

Screenshot: One-click secure login with UnifyID.

Our system works with existing password infrastructures. We generate a large, random password for every website you are logged in to, and secure it with You as the key. In fact, we don’t even need to know that password. Part of it stays with you and part of it lives on our servers. This way, even if your devices get stolen, even if we get hacked, you’re safe. There’s no single point of failure in the UnifyID system.

In addition, UnifyID works across devices. Your computer knows about your phone, and they share the same credentials. Remember that time when you left your laptop unattended for 5 minutes and your Facebook wall got full of questionable posts? Not anymore. We can detect when you stand up and walk away. In fact, we can do that for every website: banks, e-shops, federal websites. Take your identity with you when you leave the room.

Here at UnifyID we take your security seriously. Passwords are an inconvenience and they will soon go the way of the floppy drive. Machine learning and implicit authentication can help you, and we know exactly how. Sign up for our private beta!