Hacking Humans 9.26.19
Ep 67 | 9.26.19

The usefulness of single sign on.

Transcript

Yaser Masoudnia: [00:00:00] Our research shows that over 50% of the applications that are used in different businesses, they are not covered by single sign-on. 

Dave Bittner: [00:00:08]  Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Good to have you back, Joe. 

Joe Carrigan: [00:00:27]  It's good to be back, Dave. I want to give a big thanks to Graham for sitting in for me last week. Thank you, Graham. 

Dave Bittner: [00:00:32]  Yeah, great to have him on, but it's good to have you back. We've got some good stories to share this week. And later in the show, I speak with Yaser Masoudnia from LastPass. We're going to talk about single sign-on. But first, a word from our sponsors at KnowBe4. 

Dave Bittner: [00:00:47]  So how do you train people to recognize and resist social engineering? There are some things people think. Test them, and if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show. 

Dave Bittner: [00:01:25]  And we are back. Joe, why don't you kick things off for us this week? 

Joe Carrigan: [00:01:28]  Dave, this week I'm talking about an article from Elliot Volkman over at PhishLabs. And it's a social media article. Social media has become part of our daily lives. 

Dave Bittner: [00:01:37]  Sure, yeah. 

Joe Carrigan: [00:01:37]  We use it every day. And not only that, but companies use it for their marketing. 

Dave Bittner: [00:01:41]  Right. 

Joe Carrigan: [00:01:41]  It's become a huge platform for how we operate in our lives. And it's fair to say that it's pervasive. What does that make it? Obviously, that makes it a target for bad guys. 

Dave Bittner: [00:01:50]  Right, sure, anywhere where there's a lot of people gathered together. 

Joe Carrigan: [00:01:53]  Right, there's going to be bad guys. Even if you have a large group of people gathered together in person, there's going to be pickpockets - right? - opportunists. And we have talked about some of these things before, but this article does a good job of summing up all the dangers in the social media arena. I have reordered these and put what I consider the biggest threats first. 

Dave Bittner: [00:02:09]  OK. 

Joe Carrigan: [00:02:10]  And the first one for social media is intelligence gathering. I think this is the biggest risk that social media presents. It lets people see things about us that they wouldn't otherwise be able to see. Like, for example, what was your first dog's name? Right? You may have posted that on Facebook at some point in time, and it's still available to people who want to find that out if you have that information public. That information may also be used at some point in time to reset a password for you. 

Dave Bittner: [00:02:35]  Right. 

Joe Carrigan: [00:02:35]  Right. 

Dave Bittner: [00:02:36]  Right. 

Joe Carrigan: [00:02:36]  So this kind of stuff can be used in account takeover, but it can also be used in social engineering you, right? Somebody could be impersonating, which is the next item on the list - is impersonation. But these two go hand in hand, impersonation and intelligence gathering. So if I want to impersonate somebody and get to you, I'm going to try to impersonate somebody you knew from long ago. It might be on your friends list. It might not be. But I'm going to look at your Facebook page or your Twitter account or your Instagram, and I'm going to find out information about you, and then I'm going to come, and I'm going to present myself as a very realistic impersonation that you might not be able to detect. 

Dave Bittner: [00:03:10]  Yeah. So you can find out where I went to high school... 

Joe Carrigan: [00:03:13]  Right. 

Dave Bittner: [00:03:13]  ...And call me up as my old buddy from high school or something... 

Joe Carrigan: [00:03:17]  Yup. 

Dave Bittner: [00:03:17]  ...Or I guess even better, someone who was not my old buddy from high school, just someone from my high school... 

Joe Carrigan: [00:03:22]  Correct. 

Dave Bittner: [00:03:22]  ...Because the less I knew them, I guess the less suspicious I'd be... 

Joe Carrigan: [00:03:25]  Right. 

Dave Bittner: [00:03:25]  ..Of what you might sound like all these years later. 

Joe Carrigan: [00:03:27]  Yeah, absolutely. The next one I think is kind of important on here is credential theft. We've talked about this on different platforms. We talked about it happening on Discord as well. You know, you might not think of that as a social media platform. Once a bad guy has stolen credentials from a social media account, they're going to use that to propagate the theft of credentials to all your friends, right? That's a very frequent tactic, right? So now that I have access to your account, I'm going to try to gain access to the accounts of all your friends, and I'm going to send the same kind of link out. And, actually, I got one of these on Facebook I think, like, a week and a half ago, two weeks ago. 

Dave Bittner: [00:04:02]  Yeah, I got one yesterday. 

Joe Carrigan: [00:04:03]  Yeah. 

Dave Bittner: [00:04:03]  Yeah. Hey, have you seen this video of you? 

Joe Carrigan: [00:04:05]  Right. 

Dave Bittner: [00:04:05]  Click here. 

Joe Carrigan: [00:04:06]  Yeah. 

Dave Bittner: [00:04:06]  Yup. 

Joe Carrigan: [00:04:06]  I got one that was very simple. It said, hey, did you do this? And it's a link. 

Dave Bittner: [00:04:09]  (Laughter) I do lots of things, Joe. I... 

0:04:13:(LAUGHTER) 

Dave Bittner: [00:04:16]  You have to be more specific. 

Joe Carrigan: [00:04:16]  Right. So I actually sent a message. I said, hey, did you send this? And the guy eventually responded and said, no, no, my account was hacked. Fortunately, I didn't click on the link because, generally, I don't click on links in these chats. This guy is my friend on Facebook, but I haven't talked to him in years, right? And asking me, hey, is this you? That's not something this guy would do. 

Joe Carrigan: [00:04:33]  The next kind of scams that happen on here are the romance scams... 

Dave Bittner: [00:04:36]  Right. 

Joe Carrigan: [00:04:36]  ...And to a lesser extent, the Nigerian prince scams, right? Very few people fall for these Nigerian prince scams. People still fall for them, but - you know, because it's still going on. 

Dave Bittner: [00:04:44]  Yeah. 

Joe Carrigan: [00:04:45]  If people didn't fall for them, they wouldn't be doing them. But the romance scams are the most insidious scam on these sites because they're going to take advantage of somebody's loneliness, and they're going to exploit that to get money out of these people. 

Dave Bittner: [00:04:56]  Yeah. 

Joe Carrigan: [00:04:56]  And I hate seeing these things happen to people. I really do. 

Dave Bittner: [00:04:59]  My wife gets probably one of these a week. 

Joe Carrigan: [00:05:01]  Does she? My wife also gets them frequently. But I do not. I generally don't. 

Dave Bittner: [00:05:05]  No, I don't either. 

Joe Carrigan: [00:05:06]  I get them on Instagram occasionally, but not on Facebook, not on Twitter - nowhere else. 

Dave Bittner: [00:05:12]  Yeah. The ones my wife gets are the textbook ones with some military person who's handsome and looking for - yeah, to take care of someone. I mean, it just pushes all the buttons. 

Joe Carrigan: [00:05:22]  Right. 

Dave Bittner: [00:05:23]  But, you know, she comes over with a picture of this handsome guy in a uniform, and she's like, what do you think? What do you think, dear, you know? 

0:05:28:(LAUGHTER) 

Joe Carrigan: [00:05:28]  She's going to leave you for him? 

Dave Bittner: [00:05:31]  Yeah, exactly. You know, getting lots of offers here, so... 

Joe Carrigan: [00:05:35]  Right. You better step your game up, Dave (laughter). 

Dave Bittner: [00:05:39]  Right, exactly. Mind your manners there, bucko. Yeah. 

Joe Carrigan: [00:05:39]  The last one that we really have no control over - and that's why I kind of put it last 'cause there's really nothing we can do - is just the data dumps that happen from these things. And it's usually not actually the companies. It's not, like, Facebook or Twitter. It's usually some affiliate company that has had a bunch of data. And we hear about these things happening from time to time where they've left an Amazon bucket unsecured on the web, and somebody just goes out and downloads the entire database. You know, there's nothing we can do about that. Really, the best way to protect yourself from a lot of these scams is - particularly the credential theft - is use two-factor authentication... 

Dave Bittner: [00:06:10]  Yeah. 

Joe Carrigan: [00:06:10]  ...Some manner of two-factor authentication. And to protect yourself from impersonation and information gathering, lock your permissions down. Make sure that nobody outside of your friends can see what's going on inside your account. 

Dave Bittner: [00:06:21]  Right, to take control over what's public-facing. 

Joe Carrigan: [00:06:25]  Right, exactly. And then with regards to the romance scams, be suspicious of anybody that reaches out to you on Facebook or any of these social media sites. It's probably a scam. People don't look for romance on these platforms. 

Dave Bittner: [00:06:36]  Yeah. 

Joe Carrigan: [00:06:36]  At least not people our age. Maybe younger people do. I don't know. Who knows? 

Dave Bittner: [00:06:41]  It's been awhile. Yeah (laughter). 

Joe Carrigan: [00:06:44]  It's been awhile. Yeah. It's been awhile since I've been in the dating pool, Dave. 

Dave Bittner: [00:06:45]  (Laughter) Right. Exactly. Exactly. Same. Same. All right, well, it's a good list, for sure. And, of course, we'll have a link to the article in the show notes. 

Joe Carrigan: [00:06:52]  Yes. 

Dave Bittner: [00:06:52]  My story this week has to do with people trying to drum up fear in order to sell you something. You know, I think we've seen statistics over the last several decades that, overall, communities have gotten safer. 

Joe Carrigan: [00:07:07]  Right. 

Dave Bittner: [00:07:08]  Right. Crime is down. 

Joe Carrigan: [00:07:09]  Yep, violent crime is way down. 

Dave Bittner: [00:07:11]  And there's a lot of reasons for that, and people have different opinions on what has caused that. 

Joe Carrigan: [00:07:15]  Yep. 

Dave Bittner: [00:07:15]  But I think there's agreement that the actual violent crime numbers are down pretty much nationwide here, at least in the U.S. 

Joe Carrigan: [00:07:22]  Yes. 

Dave Bittner: [00:07:22]  So this story was from the Press and Guide, which is from Dearborn, Mich. And they were talking about an email scam that was trying to convince local residents that crime is up in order to sell them security cameras. So this email has been making the rounds, been targeting local people and has been saying - they actually talked to the police chief in Dearborn. And he said, recently, some residents have reported receiving a suspicious email claiming Dearborn crime has increased 78% and residents should purchase security cameras. This is a scam email. I want all residents to know that this email did not come from the city of Dearborn or the city council. And he said, actually, crime is down 14% over the last year. 

Joe Carrigan: [00:08:03]  Right. 

Dave Bittner: [00:08:04]  You know, I think this is a good example of one of those things where, if you read it on the internet, it must be true. And it's easy to push those emotional buttons with people to try to scare them into purchasing something. Hey, did you know that crime is up 78%? And if you want to be a good person and protect yourself and your family, well, just click here. 

Joe Carrigan: [00:08:24]  Right. 

Dave Bittner: [00:08:24]  And we're either going to sell you a video camera, a security camera to protect yourself or - who knows where this link is going to go? 

Joe Carrigan: [00:08:32]  Yeah, absolutely. 

Dave Bittner: [00:08:32]  We're going to pretend like we're going to sell you a security camera. The other thing that I thought of that's a possibility here that I think is not unlikely but, you know, when you've been doing this as long as you and I have, these are the things you think about... 

Joe Carrigan: [00:08:43]  Right. 

Dave Bittner: [00:08:44]  ...Which is, somebody could sell you a video camera that is basically pre-set to be used in some sort of botnet or something. 

Joe Carrigan: [00:08:51]  Right. 

Dave Bittner: [00:08:52]  You know, sell you an insecure video camera. It's a sort of pre-pwned (ph)... 

Joe Carrigan: [00:08:56]  (Laughter) Pre-pwned security camera. 

Dave Bittner: [00:08:56]  ...Pre-pwned security camera. Yeah. 

Joe Carrigan: [00:08:59]  Dave, you just gave me a great business idea. 

Dave Bittner: [00:09:01]  (Laughter) I think the odds of that are extremely unlikely, but... 

Joe Carrigan: [00:09:05]  Right. 

Dave Bittner: [00:09:05]  I don't know. Anything's possible these days, right? 

Joe Carrigan: [00:09:06]  It is. You know, I have a couple of sayings about statistics. There are - one of them comes from an old high school teacher of mine. He said, there are lies, there are damnable lies, and then there are statistics. 

Dave Bittner: [00:09:16]  Yeah. 

Joe Carrigan: [00:09:17]  Another one comes from a friend of mine who said that when you ask a statistician what the statistics say, a good statistician says, what do you want them to say, right? 

Dave Bittner: [00:09:24]  (Laughter) Right. 

Joe Carrigan: [00:09:26]  These statistics might be complete and total bunk in here. You know, but, you know, generally, across the board in the U.S., violent crime is down over the long-term trend. 

Dave Bittner: [00:09:35]  Right. 

Joe Carrigan: [00:09:36]  There may be a small uptick in it right now. And in some places, like in Baltimore City, violent crime is up. But overall, the country is safer than it has been in the past. 

Dave Bittner: [00:09:45]  Yeah, just something to keep an eye out for. And again, a lot of this is just informing your friends, your relatives, your family members. That awareness that these things are out there... 

Joe Carrigan: [00:09:55]  Right. 

Dave Bittner: [00:09:55]  ...Will help inoculate them to these sorts of emotional appeals. 

Joe Carrigan: [00:09:59]  Yeah, this is a fear appeal. Two things drive these kind of scams - fear and greed. 

Dave Bittner: [00:10:04]  Right. Right. 

Joe Carrigan: [00:10:04]  This is fear. 

Dave Bittner: [00:10:05]  Right. It's a little of both. It's... 

Joe Carrigan: [00:10:06]  Right. 

Dave Bittner: [00:10:07]  They're trying to sell you a video camera, so there's some greed there on their part... 

Joe Carrigan: [00:10:10]  Right. 

Dave Bittner: [00:10:11]  ...Using the fear to do it. 

Joe Carrigan: [00:10:12]  Right. 

Dave Bittner: [00:10:13]  All right. Well, that's my story this week. It's time to move on to our Catch of the Day. 

0:10:17:(SOUNDBITE OF REELING IN FISHING LINE)  

Dave Bittner: [00:10:20]  Our Catch of the Day this week is a good one. This is an email. And the title of the email is, winning amount. It goes like this. It says, (reading) my name is Mark Zuckerberg, a philanthropist, the founder and CEO of the social networking website Facebook, as well as one of the world's youngest billionaires and chairman of the Mark Zuckerberg Charitable Foundation. 

Joe Carrigan: [00:10:41]  Wow. We are very lucky. We've gotten an email from the Mark Zuckerberg. 

Dave Bittner: [00:10:45]  Indeed - (reading) one of the largest private foundations in the world. I believe strongly in giving while living. I had one idea that never changed in my mind - that you should use your wealth to help people. And I have decided to secretly give $1.5 million to randomly selected individuals worldwide. On receipt of this email, you should count yourself as the lucky individual. Your email address was chosen online while searching at random. Kindly get back to me at your earliest convenience so I know your email address is valid. Email me at mzuckerberg2444@gmail.com. 

Joe Carrigan: [00:11:23]  (Laughter). 

Dave Bittner: [00:11:23]  Visit the webpage to know more about me, wikipedia.org/markzuckerberg, or you can just Google me, Mark Zuckerberg. Regards, Mark Zuckerberg. 

Joe Carrigan: [00:11:34]  (Laughter). 

Dave Bittner: [00:11:38]  So... 

Joe Carrigan: [00:11:40]  Who do you think this guy's trying to impersonate, Dave (laughter)? 

Dave Bittner: [00:11:43]  Yeah. You got an email from Mark Zuckerberg. Couple things struck me here. First of all, I think it's a little odd that Mark Zuckerberg would be using a Gmail account. 

Joe Carrigan: [00:11:50]  Yep. Right. 

Dave Bittner: [00:11:51]  (Laughter). 

Joe Carrigan: [00:11:52]  Well, he does want to keep this on the DL, Dave. 

Dave Bittner: [00:11:54]  Oh, that's true. You know, that's true. 

Joe Carrigan: [00:11:56]  He's secretly giving away $1.5 billion to lucky people. 

Dave Bittner: [00:11:59]  Secretly giving away. 

Joe Carrigan: [00:12:00]  Oh, man. 

Dave Bittner: [00:12:00]  Explain that to the IRS. 

Joe Carrigan: [00:12:02]  Yeah (laughter). Is this the first email in an advanced fee scam, do you think? 

Dave Bittner: [00:12:06]  Likely. 

Joe Carrigan: [00:12:07]  Yeah. 

Dave Bittner: [00:12:07]  Who knows? 

Joe Carrigan: [00:12:08]  Right. 

Dave Bittner: [00:12:08]  I think this is setting the hook. This is the first - once they get you to reply to this, who knows what path they're going to take you down. 

Joe Carrigan: [00:12:14]  Right. 

Dave Bittner: [00:12:15]  We just talked about greed. 

Joe Carrigan: [00:12:16]  Right. 

Dave Bittner: [00:12:17]  Here we go. 

Joe Carrigan: [00:12:17]  This is the greed. 

Dave Bittner: [00:12:18]  Greed. And... 

Joe Carrigan: [00:12:18]  I'm going to get $1.5 million from Mark Zuckerberg. 

Dave Bittner: [00:12:21]  Everybody knows this guy's swimming in dough. 

Joe Carrigan: [00:12:23]  Right. 

Dave Bittner: [00:12:24]  Right. He's got more of that filthy green stuff than he knows what to do with. 

Joe Carrigan: [00:12:28]  Right. 

Dave Bittner: [00:12:28]  So of course, he's going to give it away - so needless to say, not the real Mark Zuckerberg. 

Joe Carrigan: [00:12:34]  Yes, without a doubt. 

Dave Bittner: [00:12:34]  No, no. That one goes in the trash. 

Dave Bittner: [00:12:37]  All right, that is our Catch of the Day. Coming up next, I speak with Yaser Masoudnia from LastPass about single sign-on. But first, a word from our sponsors at KnowBe4. 

Dave Bittner: [00:12:50]  Let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly CyberHeist News. We read it. And we think you'll find it valuable, too. Sign up for CyberHeist News at knowbe4.com/news. That's knowbe4.com/news. 

Dave Bittner: [00:13:37]  Joe, I recently had the pleasure of speaking with Yaser Masoudnia from LastPass. Actually, this is in response to a listener who wrote in, who was asking about single sign-on and had some questions about how useful that is. Basically, I think the thing we hear about with single sign-on is that aren't you just putting all your eggs in one basket? And I think there are a lot of misconceptions when it comes to single sign-on, so I thought, well, let's reach out to someone who knows all about this. 

Joe Carrigan: [00:14:02]  Right. 

Dave Bittner: [00:14:03]  Yaser is the head of identity access management at LogMeIn - they're the folks who make LastPass - so knows a thing or two about this stuff. Here's my interview with Yaser Masoudnia. 

Yaser Masoudnia: [00:14:13]  The initial problem that everyone's trying to solve with single sign-on is the fact that as we - at some point, we started the number of application that people use in daily work and also at work - it's growing. So the number of accounts that users need to manage are growing. And you'll have more apps, more accounts, more passwords and username-password credential that we need to manage. And there are obviously security risks around using one set of credential - a username, a password - across all the accounts. And it's always the question around how many passwords normal users using across all the accounts that they are logging in to, and how strong is the password and whether they take that or not. And then are all of these effective if the fact that if one of my passwords as a user is compromised, then, basically, the intruder would have access to that password - username and password, and they can use it across different accounts to access my information on my application. 

Yaser Masoudnia: [00:15:21]  The single-sign-on solution came to the market as a tool that companies can use for their internal users, and also later for their external, also, for eliminating the need of having multiple usernames and passwords. And use one set of credentials to log in to one solution or one tool, and from there, the user will have access to multiple applications or multiple accounts, and they won't need to enter their username and password separately for different accounts or need to manage different username and password for different accounts. 

Dave Bittner: [00:16:00]  From my understanding here, basically, I will log in to a single service, and then that service will take care of logging in securely to all of the different platforms and websites and things that I need to use throughout my day. 

Yaser Masoudnia: [00:16:16]  That is correct. 

Dave Bittner: [00:16:17]  I think a lot of people think that - isn't this the same sort of putting your eggs in one basket as you would have if you were just using a single password for all of your things that you logged in to? Can you explain the difference there? 

Yaser Masoudnia: [00:16:31]  That's not the correct perception. There are multiple points of contact or points of attacks that we need to discuss to address this question. The first is we're not using one set of username and password across all our portfolio of our applications that we use or - what is happening, the user will have one master username or, let's say, password that they use to log in to one account. And that account, through different integrations, will communicate with different applications to log the user in to their account. And there are - different vendors have different approaches, but there are ways that you can secure that access from one point of authentication or one point of access to the rest of applications. For instance, there are some applications that use SAML integration, so you authenticate the user once on the service provider side, and then the service provider can basically communicate through a certificate-based type of authentication to the application that the user wants to use and authenticate the user and give them access. That is, for instance, let's say, SAML integration, which is a form of XML integration. It provides certificate authentication that is way more secure than entering a username and password for the user. 

Yaser Masoudnia: [00:17:58]  There are other approaches for single sign-on. For instance, there are some applications where they don't offer SAML integration or SSO capabilities. In those cases, we can use capabilities like playing - replaying the password or what password management solutions do. And in case of, for instance, LastPass, what we do is users would have one set of username and password that would be their master password. And that master password encrypts all of the username and password that user uses across different applications and securely stores them in the vault. For instance, LastPass won't have access to the user credentials, the server. And no one would have access to the user's credentials because the user has the master password that's used to encrypt all of the information in the user's vault. And every time a user wanted to log in to one of those application, they use their master password, encrypt that information, and pass that information to the application. So for instance, in the case of LastPass, from the user's browser out, there is no access to the username and password that the user has for different applications, and that's why they call it zero knowledge because no one knows what it is. We at LastPass won't have access to that username, passwords for different accounts, and even master password. And the user is the only person who holds the keys to that kingdom. 

Dave Bittner: [00:19:30]  There's something that I hear pretty regularly in terms of pushback on using a password manager is, well, you know, I've got that master password, and doesn't that create a single point of failure? Doesn't that create a vulnerable place? If someone gets that master password, well, now they've got the keys to my whole kingdom. 

Yaser Masoudnia: [00:19:49]  It could be correct, but there are ways to secure that. For instance, you can protect your master password regularly. You - what we recommend always for our user to do is adding multifactor authentication on top of that master password so you won't rely on one factor, which is your master password, and use the multifactor authentication to have a more secure access to your account or to your vault. That is the key to having the key to the kingdom. 

Dave Bittner: [00:20:19]  What are the common misunderstandings that people have when it comes to single sign-on? 

Yaser Masoudnia: [00:20:25]  There are a few things. As you mentioned, one is, OK, that's the key to the kingdom, and if that's compromised, then it results in compromising all the accounts. That is not the case because there are ways to secure that, and that username and password is not used for across the different accounts in LastPass. There are tools that applications and LastPass allows the user to generate a strong password, very long password, for different accounts and store them on the vault securely so all of their accounts, all of my accounts, for instance, as a user will have a different credential and very strong credential, very strong password - 16-, or even longer, digit password - that I can use for different accounts, and I don't need to know them because LastPass simply manages that from that password across different devices that I use, and all of them are secured by my master password that I'm the only one who owns that. And then I put multifactor authentication on top of that to secure it. That's one misconception. 

Yaser Masoudnia: [00:21:33]  The other misconception is that, OK, if we deploy SSO, we can cover - with single sign-on, we can cover all the applications. That's not the case. So our research shows that over 50% of the applications that are used in different businesses - they are not covered by single sign-on. So you need additional tools. You need a password management to secure access to those applications. Now, for instance, at LastPass, we have SSO capabilities with 1,200 applications that we can do single sign-on through different single sign-on integration. But on top of that, you'll have the password management that allows you to cover other applications that you don't have - that they don't cover single sign-on. There are always applications, for instance, that they don't come out of the box with SSO integration. You need to pay more to get the SSO capabilities. And often, businesses, they don't buy more expensive license that comes with this, so the single sign-on. So you need to, again, have a password management. 

Yaser Masoudnia: [00:22:38]  And also, our research shows that IT - they don't have access - they are not able to manage all of the users of all of the accounts or applications that users use in their organization, so they cannot force single sign-on capability to those applications. And in those cases, password management would be a better tool to help the user to secure their access to the applications that are not managed with the IT team. 

Dave Bittner: [00:23:07]  So really, I guess the notion here is that between single sign-on and a password manager, that combination really covers all the bases. 

Yaser Masoudnia: [00:23:17]  Exactly. When the customers wanted to choose their single-sign-on solution and/or password management solution, there are a few things that I would recommend them to consider. One of those points is that if they can choose a solution that has strong single sign-on capabilities and password management capabilities, it allows them to use one when they have a simple integration and have one place to manage all the users' access and also force policies to the users and have monitoring capabilities that are on the user access from one place. If that solution comes with the multifactor authentication, that would be a better option so you can secure the way that user will have access to their single-sign-on or password management vault. So those are the things that help the customer to manage everything from one place, all of the user's access requirements from one place and make sure everything is done properly and secured. 

Yaser Masoudnia: [00:24:24]  They need to also verify how the vendor is managing the user's certificate and how - whether they're using encryption over their assertion. There are certain security elements that I would recommend that customers should take a look at and make sure the vendor is doing the right job in securing the keys to the other application, whether it's password management and use - stores different credentials or whether it use certificate for SAML integration and how it was secured and whether - who has access to those credentials. For instance, in the case of solutions like LastPass that has the zero-knowledge capabilities and no one within the organization or no one outside the user, basically, browser will have access to the keys to the kingdom. That's a great combo of capabilities that they need to make sure is in place.

Dave Bittner: [00:25:25]  All right, so lots of good information there. Do you feel like we have a good understanding of what single sign-on is and is not?

Joe Carrigan: [00:25:31]  Yeah, it's a way of reducing friction for users. And we've been doing this in the enterprise environment, where I'm all on board, where we will piggyback off of other authentication devices, like active directory or, in my case, what we actually piggybacked off of - I didn't do the development on this, but it was Livelink, which is a document management system. But you would sign in to Livelink to gain access to an application that we developed because it integrated with the workflows and everything. In the enterprise, I'm really a big fan of this. And LastPass offers this as another service. That's great.

Joe Carrigan: [00:26:01]  I'm not a fan of using authentication from sites like social media sites. Like, sometimes you'll see log in with your Google account or log in with your Facebook account.

Dave Bittner: [00:26:09]  Right.

Joe Carrigan: [00:26:10]  I don't want to do that, and it's not because I don't trust the security of their authentication mechanism at Google or Facebook. It's because I just don't want this other site getting my Google and Facebook information.

Dave Bittner: [00:26:22]  Because you don't trust Google or Facebook.

Joe Carrigan: [00:26:24]  And because I don't trust Google and Facebook, right.

Dave Bittner: [00:26:26]  (Laughter) Yes.

Joe Carrigan: [00:26:26]  A hundred percent true.

Dave Bittner: [00:26:27]  Yeah.

Joe Carrigan: [00:26:28]  That being said, I will use my Twitter account to authenticate things, but only for things that are related to Twitter, like my Bitly account, right? And I use that to generate links for my Twitter and other social media posts. I would definitely trust LastPass or a similar company with single sign-on more than I would trust these other social media companies because their business model is, we're going to take money from you to secure your single sign-on. And that's a service we're going to provide for you. And that's - our business model is, you pay us to do that, right? Our business model isn't, you're the product.

Dave Bittner: [00:27:02]  Yeah.

Joe Carrigan: [00:27:02]  And...

Dave Bittner: [00:27:03]  Their incentives are aligned...

Joe Carrigan: [00:27:05]  Exactly. 

Dave Bittner: [00:27:05]  ...With doing a good job on - this isn't some little side business for them. 

Joe Carrigan: [00:27:08]  Right. And it's funny that Yaser mentions, you know, the keys to the kingdom argument. I get this all the time when I talk about using a password manager, which LastPass is... 

Dave Bittner: [00:27:15]  Yeah. 

Joe Carrigan: [00:27:15]  ...Or a different one, if you want to use it. The last talk I gave, I said, the first thing you're going to do if you're going to do one thing is you're going to use multifactor authentication. If you're going to do two things, you're going to do multifactor authentication and use a password manager. And I get the question, what happens if the password manager is compromised, right? I said, well... 

Dave Bittner: [00:27:30]  Were you listening to thing one (laughter)? 

Joe Carrigan: [00:27:34]  Right. That's right. That's what I said. I said, you know, you got to remember that it's a big problem. But if you secure your password manager with a physical token, like a Ubiquiti, or even something like a one-time password that's time-based, then your chances of being compromised go down exponentially... 

Dave Bittner: [00:27:52]  Yeah. 

Joe Carrigan: [00:27:52]  ...Almost to zero. 

Dave Bittner: [00:27:53]  Yeah. All right - interesting conversation. Thanks to Yaser Masoudnia from LastPass for joining us. 

Dave Bittner: [00:28:00]  That is our podcast. Of course, we want to thank our sponsors at KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their CyberHeist News at knowbe4.com/news. Think of KnowBe4 for your security training. 

Dave Bittner: [00:28:19]  We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:28:28]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:28:41]  And I'm Joe Carrigan. 

Dave Bittner: [00:28:42]  Thanks for listening.