Security Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements
Showing results for 
Search instead for 
Do you mean 

Displaying articles for: 06-24-2012 - 06-30-2012

On the whole, with only about 1,000 machines infected today out of millions worldwide, the probability to exposure remains low, but just to be sure this old Flame doesn’t come knocking, there are precautions you can take as part of your security update regimes.


Biometrics, which uses unique markers such as fingerprints, iris or retina patterns, voice waves, DNA, or facial patterns, is a technology that’s been around for a few decades to enable identification, authentication, and access control. Currently, some banks employ “palm reading” security technology, such as Fujitsu’s PalmSecure, to recognize customers at ATMs, while other companies and even governments are investing heavily in similar “faceprint” tools.


One such company showing not only faith, but now a stake in the biometrics game is Facebook. Though Facebook had been licensing services from facial recognition firm,, for some time, it decided to up the ante and go for an all-out acquisition of the firm this month. The software facilitates photo tagging by scanning uploaded photos and then automatically identifying the faces of your friends who are in those photos so that you can more easily opt to tag them if you so choose. In a sense, it’s cool. In another, depending on how often your face is being tagged, it has the potential of becoming a bit of a privacy and management headache in terms of keeping up with which photos you do and don’t want to appear online.


Still, with Facebook now in the picture, it will be interesting to see what happens next. Have we seen a shift that will send biometrics more quickly into the mainstream? Will we start to see expanded use cases? Will facial recognition software eventually be as common as or even replace passwords? Will it become the way to authenticate you to your online banking connection, etc.? Or will it just bring more privacy concerns to the forefront?


In a world where security threats abound and identity theft is a growing concern, you can make a strong case for needing the best authentication practices or technologies available. But which side of the authentication and privacy coin does facial recognition appear on?

If you’re an IT professional like me who likes to stay in touch with and expand your network, you’re probably familiar with LinkedIn (LNKD), operator of the world’s largest Internet-based professional network with 161 million members spanning over 200 countries and territories. In early June, the company learned that the encrypted passwords of over 6.4 million subscribers had been compromised and posted online.


In response to this incident, LinkedIn Director, Vicente Silveira, in a blog, said, “To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event.” The company disabled passwords of those members believed to be at risk and sent them a message explaining how to reset their passwords. LinkedIn also stated that since the incident, it had enhanced its security measures (beyond SHA-1) by applying an additional layer of data protection know as “salting” to better secure members’ information.


Here’s how salting works. Before generating the hash (note: hash function is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string) for each user password, you would create a random string of characters of a predetermined length and prepend this string to each plain text password. As long as the string (aka. a "salt") is of sufficient length and sufficiently random, the resulting hash will almost certainly be different each time the hash function is executed. By randomizing the hashes, lookup tables, reverse lookup tables, and rainbow tables become ineffective. Because an attacker won't know in advance what the salt will be, he or she can’t pre-compute a lookup table or rainbow table to crack passwords. If each user's password is hashed with a different salt, the reverse lookup table attack won't work either. Furthermore, in case an attacker tries to use brute force cracking in order to obtain passwords, Mykonos Web Security may be used to help prevent that.


On the other hand, if a legitimate user is logging into the Web site, because the user’s password associated salt is stored in the user database along with the hashed password, the authentication server will take the user supplied password and apply the user’s salt to obtain the hashed password. If there is a match, the user will successfully be authenticated.


Certain LinkedIn users were so dismayed by the data breach incident that they filed a class action lawsuit against LinkedIn seeking over $5 million in damages because the company allegedly didn’t follow its privacy policy and lacked sufficient security controls, in this case, salting, to protect its user database. Let’s hope this incident will be instructive for LinkedIn and other online businesses regarding the importance of implementing advanced Web application and data security controls to prevent a data breach, and avoid potential financial losses and the loss of customers resulting from such breaches.


About Security Now

Discussing a wide range of topics impacting enterprises and
data center security.

Subscribe RSS Icon

Our Bloggers

Kevin Walker
Vice President
Security CTSO, Engineering

Profile | Subscribe

Ritesh Agrawal
Software Engineering

Profile | Subscribe

Scott Emo
Product Marketing

Profile | Subscribe

Bill Shelton
Director Field Sales

Profile | Subscribe

Juniper Networks Technical Books