Townsend Launches 2FA To Thwart Cyber Attacks On IBM i
January 13, 2014 Alex Woodie
Townsend Security is unveiling a new security solution that enables two-factor authentication (2FA) on the IBM i platform. The offering requires users to properly enter a PIN code, sent via a mobile text or an automated voice call, before being allowed on the system. Alliance Two Factor Authentication will help companies defend themselves against privilege escalation attacks that are currently compromising otherwise secure IBM i systems, says company founder Patrick Townsend.
The growing technological sophistication of cybercriminals is forcing organizations to step up their security games to prevent falling victim to the digital marauders. The advent of keyloggers and other advanced pieces of malware is giving cybercriminals powerful ways to infiltrate some of the toughest security perimeters. Even the IBM i platform–which at one point gave users the feeling of being a safe and comfy retreat from the wicked world of open Windows machines–can no longer be considered protected, as hackers are increasingly finding ways to weasel their crooked little noses into the IBM i machines of some of the world’s largest companies.
Townsend launched Alliance Two Factor Authentication to give IBM i shops an edge in their ongoing cyber warfare activities. One of the big security challenges organizations face today is this: Even if an organization has done everything by the book to secure its IBM i system, the presence of just one unprotected access point in the enterprise–whether it’s a PC or a router or a Web server–can lead to the compromise of the central server.
“In the IBM i world, we know that the i is very secure. If you put in your password wrong three times, it disables your user profile. That’s all great,” Townsend says. “But that doesn’t protect you at all if one of your users gets an infection on the PC, and that malware installs keyboard logging that captures your keyboard strokes as you log into the IBM i platform. Then they know the user ID. They know the password. All the security on the IBM i won’t help you a bit in terms of protecting your IBM i from that kind of case.”
This kind of attack isn’t just theoretical. Townsend says that, within the last month, he has worked with a large IBM i user in Europe whose system came under attack by cybercriminals. Malware was installed at some point, and it was used to execute a basic brute force dictionary attack against QSECOFR, QSERV, and QUSER user profiles. “This attack understood the IBM i platform. Attacks are happening and are being successful against the IBM i. It’s not because IBM has done a bad job in terms of security. It’s just that, with all these other systems out there, PCs and Macs, if they get infected, that can lead to compromise of an i platform.”
Townsend’s 2FA offering, which is available now and starts at about $10,000, can help thwart this kind of attack because it requires an additional level of authentication before somebody can be granted access to the system. This particular 2FA offering banks on the fact that the chances of a cybercriminal obtaining the user name/password and the phone of a user are very slim. (If you are concerned that security administrators and other users will be robbed of their phones or kidnapped, then you probably should be investing in some physical security as well.)
Alliance Two Factor Authentication runs entirely on the IBM i platform and leverages the telecommunication infrastructure of TeleSign, one of the leaders in this space, with 2.5 billion accounts under protection. If you have attempted to sign on to an electronic banking session on the Internet and been asked to enter on the screen a PIN code that was sent via SMS text message before being allowed access to your bank account, then you have most likely used the TeleSign service. Townsend customers must pay TeleSign a monthly fee for the service.
Townsend’s isn’t the only 2FA offering on the IBM i market. There are others based on RSA appliances and tokens that generate random numbers. There is also the biometric authentication technology developed by Valid Technologies, which combines fingerprint and retinal scanning with traditional IBM i user authentication methods.
While it may be tempting to treat it as one, 2FA isn’t a replacement for traditional password-based authentication. Users will still need to remember their passwords. The hope is that it will augment and enhance the insecure passwords that are often used.
The software features a standard 5250 interface for signing onto an IBM i server from a terminal or emulator; an API is also available for integrating the 2FA functionality into third-party applications. Upon entering the proper user name and password combination, the user is prompted to enter the PIN code that TeleSign sends them via SMS (the user’s phone number must first be recorded in the system). Alternatively, for people working in areas without good cell access, TeleSign will call the phone number in the system and an automated voice will speak the PIN to the user.
Townsend expects his 2FA offering to be adopted at first by users with powerful user profiles, such as QSECOFR and those with ALLOBJ authority. There’s no reason that regular workers can’t use the 2FA capabilities as well. Considering that it is often the average Joe whose PC is compromised and becomes the point where cybercriminals enter the enterprise, extending 2FA out to all users may not be such a bad idea.
This software won’t stop bad employees from pulling off inside jobs. But it will help tamp down on the ingress points that hackers are finding. “There’s still a great deal of work that needs to be done . . . among security systems,” Townsend says. “In looking at the forensics around data breaches, the initial breach often takes place on a peripheral PC more than twelve months before the main breach. It can originate on a user PC or Web server or peripheral device. It can be worked for a long time by people who are sophisticated.”