Vladimir Katalov has worked at ElcomSoft from the very beginning. He wrote the first program in the company's password recovery software line, Advanced ZIP Password Recovery.
He now coordinates the software development process inside the company and develops strategic plans for future versions.
What do you see as the biggest security threats today?
It is definitely the human factor. There are a lot of technical measures today: you can install the world's best firewall, antivirus and anti-spyware; implement an extremely good security policy; provide a few complex levels of authentication to protect your critical data; and still not get the appropriate security level, simply because human nature remains the same. Most of today's attacks are still based on just that.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
The balance between security, privacy and convenience. You can get only two of the three, but not all together: e.g. security and privacy, but such a solution will not be convenient. Or you can trade privacy for security plus convenience. Finally, privacy plus convenience usually means no security, or bad security.
In your opinion, how important are passwords in the overall security architecture?
Extremely important. Of course, there are a lot of other solutions, such as smart cards, biometrics etc., but passwords are the most convenient and so the most widely used type of authentication in most systems and applications. Intruders always attack the "weakest link", and that could be just one weak password for a minor, rarely used program you did not care about because you thought it was not so important.
According to recent case studies, 75% of people use the same, single password for all applications they work with, which means that bad guys can get it easily, for example from an email client or instant messaging program, and gain access to all your data, even the data you thought was unbreakable (such as PGP).
What challenges do you face in the marketplace? What do you see as your advantages?
We see most vendors constantly increasing the level of security in new versions of their software, e.g. using new crypto algorithms (and/or longer encryption keys), providing special measures to slow down brute-force attacks, etc. But as already noted, the human factor is still there. It does not matter what algorithm is being used if you select an easy-to-guess password such as your phone number or your favourite football team. Nor do we care how long your password is if the vendor has left some kind of backdoor, or used a fixed (constant) key to encrypt your data, even if password verification itself is slow and complex. And for those passwords that are still hard to break, we have solutions such as our "Distributed Password Recovery" software, which can use the power of thousands of computers to do the job.
We have extremely good security analysts and reverse engineers on our team, and of course we carefully optimise the code to use all the advantages of modern CPUs, including multi-core and SMP systems.
What do you see your clients most worried about?
They keep their data secure (or you can call that "privacy") so that nobody else will be able to break it (with or without our software), but at the same time they need a solution for a bad day when the password is lost or forgotten. Obviously, they cannot get both.
We also have a special category of customers, such as forensic, government and law-enforcement agencies, and what they worry about is how to get the password "yesterday".