Advanced security solutions for business
By Ilene Wolff
When Dug Song caught Jon Oberheide hacking his company’s computer network, he didn’t call law enforcement. Quite the opposite: In the interest of better cybersecurity, he offered the young hacker an internship at his company, Arbor Networks.
“I grew up in an age where the only way you learned computer security is by doing stuff like that,” he says.
Song, 39, an Ann Arbor, MI, entrepreneur, eventually sold the business and then partnered with Oberheide to co-found Duo Security, a computer security firm, in 2010.
Oberheide, who is 10 years younger than Song, is an expert in mobile security and has found ways to bypass both PayPal’s and Google’s two-step verification processes. In addition to being Duo’s chief technology officer, he heads the company’s research function, DuoLabs.
“Jon is in many ways a younger version of myself,” says Song, who is CEO.
Duo, in Ann Arbor, provides cloud-based, two-factor authentication for users to access computer networks in a way that protects individuals, data and applications from breaches, credential theft and account takeovers. The two factors include a password (see sidebar, page 26) and a second authentication via the user’s cell phone, landline or a token available from Duo and other, similar firms.
More than 6,000 organizations in 100 countries use Duo’s two-step authentication service, including three of the top five social networks, as well as Etsy, Random House, Paramount Pictures, Box, Toyota, Yelp and Threadless.
Threadless, a crowd-sourced, Internet-based art and apparel company in Chicago, had lots of problems with another company’s two-factor authentication.
“Right off the bat we spent money on locally hosted hardware, and what was supposed to be a pretty painless procedure turned out to be a stressful endeavor, that’s for sure,” says Tristan Hammond, manager of the company’s IT infrastructure. Hammond says the kickoff for the previous vendor’s product took more than 25 hours.
In contrast, he says, implementing Duo took a matter of minutes, cost about one-third as much and required no new hardware purchases. In the two years since switching to Duo, Hammond says the only time he’s ever contacted by employees for authentication-related issues is when an employee buys a new phone and needs to set it up to work with Duo.
In addition to commercial enterprises like Threadless, Duo attracts clients in higher education, both on its own and via a partnership with Internet2, an advanced technology community.
“We currently have 32 subscribers to the enterprise-level offering (a site-wide license that includes faculty, staff and students),” says John Krienke, chief operating officer of InCommon, a project of Internet2, whose largest office is in Ann Arbor. “In addition, many, many more of our InCommon members are trying Duo on a smaller scale through the ad hoc pricing model.”
Interest from Silicon Valley
Duo’s popularity among clients is paying off: Press releases on the company’s website tout annual revenue growth in multiples of 100 percent. Song declined to disclose the private company’s current capitalization.
The website press releases also record unsolicited injections of venture capital into the company from the likes of Silicon Valley-based firms Google Ventures, Benchmark and True Ventures, as well as money from closer to home.
Despite the interest from Silicon Valley investors, Song says he’s intent on building a Michigan company and currently employs 100 people. Duo has sales offices on the West and East coasts.
Song attributes Duo’s steady growth in revenue and size to its “distinct culture of customer happiness and shared success.” He cites Zingerman’s Delicatessen, another Ann Arbor business that’s about three minutes away by foot from Duo’s offices at 617 Detroit St., as a role model.
“What Zingerman’s sells is not really food,” says Song. “They sell delight. We take that to heart and make sure our customer is not only happy but delighted.”
Also, Duo promises strong security and strong usability designed for the end-user and not just the buyer, says Song.
“We sort of have a mantra in the company that we wanted to use for marketing, but nobody will agree to it,” says Song: “Security sucks: Who has time for this?”
But Duo’s greater ambition is to democratize security: Its service is free to companies with 10 or fewer users.
Hackers Just Wanna Have Fun
Duo’s offices are democratic, as well, not to mention lighthearted. No one has a private office. Meetings are held in conference rooms with names borrowed from the murder mystery game Clue — for example, Mrs. Peacock or Professor Plum — and color schemes to match. Greeting visitors is a rack filled with skateboards and, as a tribute to the company name, a bicycle built for two in the lobby.
Near the skateboard rack, a chalkboard counts down an upcoming big deal: “Movin’ on Up in __ Days.” It’s Duo’s low-tech way to track the firm’s planned move — about a five-minute drive south from the current office — because they’ve outgrown their present space.
While these people like to have fun, they’re serious about what they are trying to do.
“We’re here to save the Internet,” Duo’s website proclaims, a message that ticks up in relevance with each news story about another cyber break-in.
“The way we look at it is, when teenagers can take down organizations at will, it really is not safe out there,” says Song. “The future of the Internet really relies on our ability to trust, and that trust is hard to come by when every other week we hear of a big breach.”
Passwords 101 from a Computer Security Expert
Know what the most commonly used computer password is? Password.
Surprised? Know what the second most commonly used computer password is? 123456.
In case you’re not convinced that more people need to take more care with their passwords, consider the following statistics from StopTheHacker.com.
It takes only 10 minutes to crack a lowercase password that’s six characters long. Add two extra letters and make a few of them uppercase, and that time-to-crack jumps to three years. Add just one more character and some numbers and symbols, and it will take 44,530 years to crack. Figures like these assume a fixed guessing rate; an attacker who has stolen a database of fast, unsalted hashes can test guesses many orders of magnitude faster than that.
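To see what those figures assume, here is an added example (not code from the article or from Duo Security) that backs out the guess rate implied by the first figure and recomputes the others at that rate and at two assumed attacker speeds. The alphabet sizes and the 1e10 and 1e4 guesses-per-second rates are illustrative assumptions, not measurements, and the 12-character shape corresponds to the recommendation later in this sidebar.

```python
"""Brute-force time estimates behind the password figures quoted above.

Added example: not code from the original article or from Duo Security.
The attacker guess rates below are order-of-magnitude assumptions.
"""
from typing import Dict

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for the character classes the sidebar mentions (assumed).
LOWER = 26        # a-z
MIXED = 52        # a-z plus A-Z
PRINTABLE = 95    # printable ASCII: letters, digits, symbols and space


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def implied_guess_rate(space: int, seconds: float) -> float:
    """Back out the guess rate a quoted crack time must have assumed."""
    return space / seconds


def years(seconds: float) -> float:
    """Convert seconds to years for readable output."""
    return seconds / SECONDS_PER_YEAR


# The sidebar's first figure: six lowercase letters in 10 minutes.
QUOTED_RATE = implied_guess_rate(keyspace(LOWER, 6), 10 * 60)   # about 5.1e5 guesses/s

# Attacker rates used for comparison. The two numeric rates are assumptions
# chosen as round orders of magnitude, not benchmark results.
ASSUMED_RATES = {
    "rate implied by the quoted figures": QUOTED_RATE,
    "fast unsalted hash, one GPU (assumed 1e10/s)": 1e10,
    "bcrypt-style slow hash, one GPU (assumed 1e4/s)": 1e4,
}

# The password shapes discussed in the sidebar: (alphabet size, length).
SHAPES = {
    "6 lowercase": (LOWER, 6),
    "8 mixed case": (MIXED, 8),
    "9 mixed + digits/symbols": (PRINTABLE, 9),
    "12 mixed + digits/symbols (recommended)": (PRINTABLE, 12),
}


def crack_table() -> Dict[str, Dict[str, float]]:
    """Years to exhaust each password shape at each assumed guess rate."""
    return {
        shape: {
            label: years(seconds_to_exhaust(keyspace(alpha, n), rate))
            for label, rate in ASSUMED_RATES.items()
        }
        for shape, (alpha, n) in SHAPES.items()
    }


if __name__ == "__main__":
    print(f"Guess rate implied by '6 lowercase in 10 minutes': {QUOTED_RATE:,.0f}/s")
    for shape, row in crack_table().items():
        print(shape)
        for label, yrs in row.items():
            print(f"  {label}: {yrs:,.3g} years")
```

At the rate implied by the first quoted figure (roughly half a million guesses per second), eight mixed-case characters hold out for about three years and nine characters from the full printable set for tens of thousands of years, which roughly reproduces the sidebar's numbers. Against a fast, unsalted hash on a single GPU, the same eight-character password falls in under two hours, while the recommended 12-character mix still takes over a million years. Published crack times are a property of the attacker's rate and the server's hashing as much as of the password itself.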
Those kinds of statistics don’t surprise Mark Stanislav, security project manager and advanced research team member at Duo Security, an Ann Arbor, MI-based computer security firm that offers two-factor authentication (see main story).
Stanislav recommends a unique password for each website you use that’s at least 12 characters and a combination of uppercase, lowercase and special characters. So, no names of pets, birthdates, birth cities spelled backward or other easy-to-remember components.
“The less you know about the password, the better,” says Stanislav.
One solution he recommends is to use a password manager such as LastPass (a Duo partner), 1Password or KeePass. All three can be used at no cost; LastPass and 1Password sell paid upgrades with extra security features, while KeePass is free and open-source software that runs on your own computer rather than as an online service.
Stanislav cautions users to stay away from public computers because they are too risky. He also advises not to fall into the trap of thinking your email is not at risk.
“Whenever you forget a password, where do you get your new one?” he asks. “Email.”