LiveEnsure Management Blog

Why most security fails and LiveEnsure® does not?


Mary Meeker informs us that there are now 1.1bn smartphones (17% of all mobile phones) and that these are driving Internet growth, with a total of 2.4bn people now connected to the Internet.

Mary Meeker Internet trends

The universe for hackers just grows and grows. One of the most lethal of these attacks is Zeus (ZITMO), which is aimed squarely at smartphones.

The Zeus attack is an example of several attacks now being launched that are based wholly on anticipated behavior, especially as it relates to social media, single-sign-on and BYOD.

A sophisticated Zeus campaign stole an estimated €36 million, or $47 million, from over 30,000 customers across more than 30 banks in Europe this summer.

The Eurograbber campaign, as it has been named, used custom versions of Zeus and Zeus in the mobile (ZITMO) Trojans to bypass the two-factor authentication measures to compromise customer bank accounts, Darrell Burkey, director of IPS products at Check Point Software Technologies, told SecurityWeek. The attack intercepted SMS messages sent to customers to confirm financial transactions. (Zeus campaign)


The attack is successful on Android, since that is an open platform. It is not successful on iOS, since it is not.

The main approach is to triangulate something happening on a computer (PC/laptop/tablet) with something happening on the phone. A One Time Password (OTP) is sent to the phone via SMS. An API exists on the phone that allows interaction with SMS, and so this data can be forwarded to the hacker's own device, where he can log in 'as the user' even though he may be thousands of miles away.

This attack is merely a capture and replay attack, just focusing on grabbing the disparate OOB elements and marrying them "out of context". The site knows no better because it is expecting the correct OTP to be presented, and it is. The site has no idea where it is coming from. (This is true of all such OTP solutions relying on 'secrets' being sent back to the site.)

This attack is not trivial, but it is preventable by LiveEnsure®. Here is why:

a) The LiveEnsure® flow is reversed. Hackers cannot initiate a login, snag the SMS from the phone when it is sent and apply it themselves.
b) LiveEnsure® doesn't use SMS at all. LiveEnsure® relies on email, and then only for registration, whereas this attack by design can only work after registration.
c) The LiveEnsure® agent is impervious to Trojans, on any platform, since it is a dynamic event in a separate memory space from the browser or calling application (or Trojan, for that matter).
d) With LiveEnsure® nothing is sent from the app or phone to the site, which means anything the hacker steals cannot be used back at the site; it has to be used on the phone, which they don't have.
e) What is used on the phone is not sent back to the site for verification; it is sent to LiveEnsure®, which only expects what it expects and cannot be fooled by captured information (from a fragile channel).

f) That is why LiveEnsure® measures 'location': if the hacker and the real user are not standing side by side in front of the screen, then whatever they might steal (but cannot anyway) would be contextually invalid.

LiveEnsure® is about context, not credentials. This attack is merely a capture and replay attack, focusing on grabbing the disparate OOB elements and marrying them "out of context".

It's exactly what LiveEnsure® is designed to thwart.
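To make the "context, not credentials" point concrete, here is an added Python example (written for this post; it is not LiveEnsure's code or protocol, and every name, key and sample value in it is constructed). It contrasts a bearer SMS OTP check, which accepts the right digits from anyone who presents them, with a hypothetical device-signed challenge/response in which the phone never sends a reusable secret and the site additionally checks that the phone and the browser session observe the same context.

```python
"""
Bearer SMS OTP versus a context-bound, device-signed challenge.
Hypothetical design for illustration only (not LiveEnsure's protocol);
all usernames, keys and contexts below are constructed.
"""
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 120


class BearerOtpServer:
    """Accepts whoever presents the right digits before expiry. The OTP is
    the whole proof, so the site cannot tell whether it came from the
    customer's phone or was forwarded from it."""

    def __init__(self):
        self._pending = {}  # username -> (otp, expiry)

    def send_otp(self, username, now):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (otp, now + OTP_TTL_SECONDS)
        return otp  # stands in for the SMS text delivered to the phone

    def verify(self, username, presented_otp, now):
        otp, expiry = self._pending.get(username, (None, 0))
        ok = otp is not None and now <= expiry and hmac.compare_digest(otp, presented_otp)
        if ok:
            del self._pending[username]  # single use, but still blind to who presented it
        return ok


def device_response(device_key, nonce, session_context, device_context):
    """Computed on the phone, where the per-device key lives. The reply is an
    HMAC over the fresh nonce, the session context the site sent with the
    challenge, and the context the phone itself observes, so a captured
    reply is useless for any other challenge or context."""
    msg = nonce + session_context.encode() + b"|" + device_context.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class ContextBoundServer:
    """Verifies the device signature, then requires the phone's context to
    agree with the context observed for the browser session."""

    def __init__(self, device_keys):
        self._device_keys = device_keys  # username -> key enrolled once per device
        self._pending = {}               # challenge_id -> challenge record

    def issue_challenge(self, username, session_context, now):
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = {
            "user": username, "nonce": secrets.token_bytes(16), "used": False,
            "session_ctx": session_context, "expiry": now + OTP_TTL_SECONDS}
        return challenge_id, self._pending[challenge_id]["nonce"]

    def verify(self, challenge_id, device_context, response, now):
        ch = self._pending.get(challenge_id)
        if ch is None or ch["used"] or now > ch["expiry"]:
            return False, "no live challenge"
        expected = device_response(self._device_keys[ch["user"]], ch["nonce"],
                                   ch["session_ctx"], device_context)
        if not hmac.compare_digest(expected, response):
            return False, "bad device signature"
        if device_context != ch["session_ctx"]:
            return False, "context mismatch: phone is not where the session is"
        ch["used"] = True
        return True, "ok"


def demo(now=1_700_000_000.0):
    """Constructed walk-through: a login initiated far from the phone, with
    the phone's reply forwarded to the site. Returns the verdicts."""
    results = {}
    bearer = BearerOtpServer()
    digits = bearer.send_otp("alice", now)
    # Forwarded digits are indistinguishable from the real thing: accepted.
    results["bearer_accepts_forwarded"] = bearer.verify("alice", digits, now)

    phone_key = secrets.token_bytes(32)  # constructed per-device key
    bound = ContextBoundServer({"alice": phone_key})
    # Session observed in one region; the phone signs with the region it sees.
    cid, nonce = bound.issue_challenge("alice", "region:far-away", now)
    reply = device_response(phone_key, nonce, "region:far-away", "region:home")
    results["bound_mismatch"] = bound.verify(cid, "region:home", reply, now)
    # Legitimate login: browser session and phone observe the same context.
    cid, nonce = bound.issue_challenge("alice", "region:home", now)
    reply = device_response(phone_key, nonce, "region:home", "region:home")
    results["bound_legit"] = bound.verify(cid, "region:home", reply, now)
    # Replaying the captured reply against the consumed challenge also fails.
    results["bound_replay"] = bound.verify(cid, "region:home", reply, now)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The bearer verifier's single-use and expiry checks do nothing against the flow described above, because the forwarded digits arrive first and in time. The bound verifier rejects the same attempt on context before any secret is at stake, and because the reply is keyed to the phone and to one nonce, nothing captured from the SMS channel could be presented at the site instead.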


SITES DON'T GIVE A DAMN ABOUT YOUR SECURITY


The sheer volume of reportage on hacking is overwhelming. The sites being hit are the ones that you and I use every day. Some provide useful information, some valuable services and others perhaps just news or trivia. We use them multiple times a day, sometimes without even being fully aware that we are, like Dropbox. We use these sites to store personal and business information, to connect us with potential clients, employers and employees, to help us choose insurance providers, to send us our groceries and some just to play on. Dropbox allows us to seamlessly log in by re-referencing a cookie they have planted on our computer to 'verify' our identity. LinkedIn also uses the same technique when we log in.

A user name and password. 

How secure is that?

Well,  not very,  given that both of these sites have been hacked and your and my personal information has been exposed to the dark hacking underworld.

And make no mistake, the hacking world is dark and very scary. Read Misha Glenny's DarkMarket to find out just how dark and scary. (DARK MARKET)

Some of the hacks that have taken place over the last 12 months range from gaming applications (SONY HACK 100M IDENTITIES AT RISK) to banking (CITIBANK), to security companies themselves (RSA), to dating sites (eHARMONY), to military suppliers (LOCKHEED MARTIN), to email marketing companies (EPSILON), not to mention the storage (DROPBOX) and social network (LINKEDIN) sites quoted above. No one is immune.

How does that make you feel? You have entrusted your personal data to these sites. What if yours was the email address that was stolen, if yours was the personally identifiable information that was used to create a new persona that was then used to buy a car or a house, that was then found guilty of credit card fraud and was then criminalised? What if you had to then spend months or even years trying to clear your name? What if your identity was used to buy child pornography and you were arrested and sent to jail wrongfully? These things do happen and they have happened.

You are at risk because the sites you use don’t take your security seriously. 

What have Dropbox and LinkedIn done since being hacked? Dropbox now offer two factor authentication, as an option, not mandatory. LinkedIn have salted their passwords. Wow! All they are concerned about is that the user experience should be untouched, for fear of losing customers. In other words, they have thumbed their noses at you and said they will do the bare minimum and no more. It is your problem.

They don’t care and will continue to treat your personal data with flagrant disregard until they themselves suffer serious consequences like a hefty fine or threat of closure or licence revocation.   It seems that even negative publicity is not sufficient to make these companies do the right thing.   

But maybe if enough of their customers, i.e. you, started making enough noise, demanding that security be improved, then perhaps they will start to listen. The Arab Spring started with a single defiant cry that became a massive chorus. Do you want to be part of that chorus, or are you too fearful to push for change?

Time to take the bull by the horns  and demand better security.  Take to the streets if need be.  We live in a time of dramatic change.  Embrace it. 



WHY SECURITY MATTERS (or LET'S START A 'PASSWORD SPRING'!)


You would be forgiven for thinking that perhaps most people have become somewhat nonchalant about online security and that the prevalence of hacks has made most of us somewhat immune to the dangers.   


Indeed I would say that some sites have become almost cavalier in their attitude to their members' security. The recent hacking of LinkedIn certainly did not elicit the kind of response I would have expected, indeed hoped for, as a member. I get the impression that it was something of an irritant that they hope won't come again, and they are certainly not bothering with beefing up security. Far too much hassle.


So is their reaction reflective of their members' lack of interest? I think not, as one of their members has tried to sue them for failing to provide adequate security. (http://articles.latimes.com/2012/jun/21/business/la-fi-tn-linkedin-5-million-hack-20120621) LinkedIn have said that they will salt their passwords in future to make them more secure. This is an industry standard that they should have adopted in the first place.


The reality is that reliance on passwords (salted, hashed or plain!) is fundamentally useless against the strength of the tools available to hackers today. So why do so many sites continue to rely on them? And why do corporations continue to use them for allowing access to their networks?


Do we need the cyber equivalent of 9/11 to wake everyone out of their stupor? God forbid that should happen. Maybe it will take some form of regulatory action to force sites that carry any personal or financial data to use at least two factor authentication, and they should be fined if they continue to rely on just passwords for 'security'. Perhaps the regulation should only apply to sites of a certain scale; perhaps over one million members it becomes mandatory.


I don't know the answer. What I do know is that, as someone who has my credit card and personal information on more than one site out there, I am very unhappy with the woefully inadequate measures that those sites have in place to protect me and my data. It needs to change.


If you agree then add your voice, and maybe if enough people make enough noise something will happen! This may be the beginning of a 'password spring.' ;-) Power to the people!






TRUST


Trust /trəst/: Firm belief in the reliability, truth, ability, or strength of someone or something.


The foundations of the working of human society are built on trust. This has been so since the beginning of recorded history. As our communities evolved from hunter-gatherer groups into agricultural chiefdoms, and ultimately modern states, their operation, increasing complexity and success relied not only upon our cultural evolution, as posited by Robert Wright in Non-Zero (Non Zero), but also upon trust. Trust is integral to our 'culture.'


The birth of capitalism and the rapid economic and technological growth of the last five centuries began with the pooling of capital used by investors to underwrite a ship's trading expedition, called the 'contratto di commenda'. Such ventures could not have happened without the inherent trust that the investors had that the expedition's captain would return the profits to the investors.


Today we could not conduct our modern lives without trust. We go about our day with confidence that our utilities will be delivered, that the bus or train we ride on will get us safely to our destination, that the coffee shop we visit maintains acceptable levels of hygiene, that our ISP and our email providers will keep our data confidential. Ah... now that brings up a point. Can we indeed trust our cloud providers to maintain our privacy and keep our data secure? They may mean well, but can they really do it? If RSA, that 500 lb security behemoth, cannot even keep its servers secure from hackers, then who can? (RSA hack) So while we trust our providers to do the best they can, can they actually deliver?


An interesting revelation for me at the recent Global Mobile Congress in Barcelona was the results of a particular piece of market research suggesting that users trust their mobile operators. I guess that comes from many years of generally good, reliable service which has gradually gotten cheaper. But now that data is overtaking voice as the biggest service on the networks, with it comes our mobile Web access, and so I would suggest that our faith in MNOs will start to erode. The migration of hackers and malware from fixed to mobile is happening at the same rate that mobile access is proliferating. (Mobile malware)


There is much FUD out there when it comes to security on the Net and with it an undermining of trust.   After all without real security who can you trust?   Does all of this mean that the trust evolved and developed over millennia is now in danger of being eroded completely.  


We in our modern connected societies have become ever more suspicious, particularly of those in whom we should have 'trust', i.e. the State. (Silent State) The State has become ever more intrusive into our daily lives, and our privacy, which we (maybe not the generation Y'ers) hold dear, is compromised. The same holds true for the Internet age mega corporations, Google and Facebook, who proudly pronounce the death of privacy. (Zuckerberg says privacy is dead)


But I digress.  Trust is the lubricant of the modern economic engine.  Not privacy.  If we are to maintain and increase economic growth we need to regain trust particularly when it comes to online transactions.   Simply because online is where much of our economic activity is going.   We need to find ways in which we can confidently engage online with trust.  


A Single Sign On (SSO) which simplifies the process of accessing so many of the services we use on a daily basis – particularly social media – does not constitute anything more than basic identification.  Confirmation of self reported credentials.  Neither the site, nor the user can be confident that the other party is legitimate.    But SSO is great – because it works (most of the time) and it is easy to use. 


Imagine if you could log on and authenticate the session as easily as using an SSO?   Imagine if both the site and the user could proceed with a session (transaction / communication/ engagement ) confident that the other party was 100% legitimate and that the communication was secure?  (LiveEnsure)


That would bring trust back to the Internet.  That would allow us to realize the full potential that the Internet has to offer.  That full potential being  -  much stronger economic growth at a time when the World is in desperate need of good news for its economy !


The future is bright and it is mobile (in fact it is here!)



There are so many pundits out there who have finally jumped on this bandwagon. But let's be honest, five and a half (or is it now closer to six) billion people can't be wrong: the mobile revolution is finishing its transition from what have been predominantly voice services to broadband data services. The devices that we used to just talk on are now full blown computers and we use them for everything, although we do actually still use them to talk on as well! (See my previous blog: http://rossmac2310.blogspot.com/2011/10/human-evolution-and-mobile.html)

There are so many exciting threads to this trend: the Internet revolution in Africa and other emerging markets, the plethora of new services being created every day that add value to our everyday existence, and the emergence of real competition in the mobile handset space. I applaud Microsoft (and Nokia) for their exciting new partnership and a handset that will create a real challenge to the incumbent behemoths, Android and Apple (oh, and six months ago I would have mentioned BB in the same breath; not anymore...). Check out this video from MS providing their vision of the future; it's pretty cool. (http://www.youtube.com/watch?v=a6cNdhOKwi0)

That increased penetration of the Internet enhances economic performance,  is now empirically proven -  and so any and all technologies that achieve that end should be pursued with alacrity.  The strides in technology over the last decade when 3G first became de rigueur ( driven then mainly by the hardware fraternity keen to flog their wares ) have been immense and helped along irresistibly by the launch of the iPhone in 2007.    

What is perhaps even more daunting/exciting is the prospect of what will happen in the next ten years when network effects magnify the impact exponentially. By 2020 it is forecast that there will be 50bn connected devices (it is also called The Internet of Things). These devices will form the basis of an intelligent network fabric encircling us and interacting with us in so many ways, many as yet unimagined, enhancing our lives and optimizing our use of resources and thereby addressing the pressing challenges of poverty, global warming and water shortages. The interconnectedness of our societies and the interdependencies created will further reduce the prospect of cross-border conflicts and therefore channel taxpayers' dollars away from arms towards health, education and infrastructure. It really is a future to be excited and positive about.

I do believe that many of the limitations that the Internet has today which make so many people suspicious of ‘doing stuff ‘ online will be eliminated.  We will feel secure about transacting and it will be a seamless process to verify our transactions and our communications.   Consumers will drive businesses who will in turn drive the policy makers to ensure that online security be addressed comprehensively.   The recent London Cyber Conference represented the end of the old era of weak intergovernmental decision-making.   The imperatives and the importance of tackling this problem will probably be brought home by some kind of a CNN moment (bigger than Stuxnet) and this will bring everyone to their senses.  The future Internet cannot operate insecurely and so sense will ultimately prevail.   The efforts of Lulzsec and Anonymous have been well intentioned and should not be belittled despite some of their amateurish bravado. 

To get a sense of what this future really holds – take time to watch this video.  It is very, very exciting.  Here’s to the next 10 years. 

HUMAN EVOLUTION AND THE MOBILE


We in the southern part of the UK have started to see our Indian summer slowly fade as we get into this first week of October. It has been a wonderful but disorientating week with temperatures in the high 20s (80s F) and clear blue skies; I could have sworn this was Jo'burg in summer. All that was missing was the swimming pools!


Well, I know that parts of the mid-West have also had some great weather. Indeed, in the good ol' US of A October has become known as National Cyber Security Awareness month. Who would have thought ten years ago that a whole month would be 'honoured' with such a strange moniker.


Well I guess 10 years ago no one would have predicted that we would have become so utterly dependent on the Web – our every waking and in some instances sleeping moments have some Web connection.    E-mail, social-media,  telephony,  shopping, business, entertainment, gaming  – just about anything you can think of - we can now do on the ‘Net.    


And it has all now migrated to the mobile.


We don’t move without our smart-phones attached to us like newly evolved limbs –extensions of our arms and hands like permanent deformations.   Each mutation reflecting our individual taste –our particular phase of evolution.    


Some of us are Apple boys – coveting the very latest offerings from the Cupertino emporium with breathless anticipation ( like tomorrow Tues 4th – iPhone5 day ) - while those Droids amongst us turn their noses up at such blatant snobbery.   


They, the heroes of the 'working man' of open source, embrace the democratic power that Android brings to the masses (compatibility, hardware issues and viruses aside). Then there are the die-hards, the traditionalists, those who haven't evolved as much. They still 'carry' themselves like our predecessors of the last decade, with 'ancient' devices made by Nokia, RIM and Microsoft. Some of them pride themselves on using their phones only for calls and text messages. There are those who swear by their Blackberry buttons, desperate to hang on to this dying function which is destined to wither away like a non-functioning limb. (I predict that two case studies in business schools in 2012/3 will be the demise of RIM and Groupon and how these success stories faltered and failed.)


What this mobile revolution is doing is making the Internet more accessible as WIFI/WiMax and LTE become more ubiquitous and as we embrace these devices to do that most important of human activities – payments.   I predict that some aspirants will fall by the wayside but that a few smart technologies will come to define this next evolutionary period.   Those who can make payments simple and secure and usable will go a long way to solving the biggest challenge of the 'new mobile era'.  


Perhaps these newly evolved limbs will be defined not only by their form factor and the services we consume but also how we pay for them.  


SIX MONTHS ON AND EPSILON STILL DON'T SECURE THEIR USERS


In April this year, Epsilon Data Management LLC (one of the world's largest providers of marketing-email services), a division of Alliance Data Systems Corp, issued a statement:

"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."




When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet. Epsilon handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted out of marketing emails, think again.
(http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century)

Epsilon required their customers to log on to their systems using a user name and password with which to 'authenticate' themselves. This was clearly inadequate, as a hacker managed to breach their system and obtain a treasure trove of customer information.
What this meant was that the customers of Epsilon's customers, i.e. the big brands, were (and still are) exposed to spear phishing attacks. They can be targeted by the hackers with e-mails that will look like they legitimately come from those global brands, which include the likes of:

Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delaware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books and Lacoste, etc.

Currently (6 months later) Epsilon announced (from their website):
"Further, Epsilon has enhanced user security by implementing two-factor authentication. Two-factor authentication is a security process that requires two means of identification to gain system access, adding significant additional protections beyond conventional strong password requirements. Two-factor authentication, currently in place for employees, will be extended to all clients in Q3 2011."



At the time of writing (19 Sep 2011) Epsilon clients are still only using a username and password to log in.

(https://portals.epsilon.com/c_links.nsf/names.nsf?Login)


Makes you wonder, doesn't it?

ANONYMOUS / LULZSEC / ANTI-SEC ARE DOING MORE GOOD THAN HARM!


I know,   I know – I hear the howls of protest even before finishing this first sentence.  

"What about all the innocent lives exposed by the irresponsible publication of the names of people in positions of authority or in sensitive roles?"

But where does the fault lie? With those doing the breaking and entering? Or those not providing adequate protection? It is like leaving your house locked but without an alarm system, going on holiday, and coming back to find it broken into.

Don’t be surprised.  You have no one to blame but yourself. 

"But these are criminals!" I hear the sounds of self-righteous chest thumping.

Maybe, but what they have done – I hope – is scare the s**t out of anyone who has anything (data) that is accessible via the Web  - and into ensuring that their ‘security’ ( if any ) - is rapidly upgraded.    This ranges from personal users who have Gmail accounts to corporations and Governments who are custodians over much of your and my personal data. 

Who today has not heard of the hacking of SONY (and other gaming companies), RSA, IMF, Citi-Group, Lockheed Martin and myriad government agencies (particularly local police forces)? (http://www.cio.com/article/687364/AntiSec_Hackers_Dump_Data_After_Hacking_Police_Websites?source=rss_security)

There must be millions of tweets every day carrying a story or an angle of yet more hacks / breaches,  of yet more venerable institutions – by, invariably,  the Anonymous/Lulzsec/AntiSec ( ALA) contingent (or their pretenders).    Even the mainstream media is replete with such stories.     Perhaps the exposure has been a little excessive and we are starting to suffer from ‘hacker’ fatigue.   It is becoming a little tiresome.   

Therein lies the danger. 

Is the good ( yes – I think on balance the awareness raising is good ) not going to be diminished through the excessive exposure, the desensitization ( boiling frog syndrome ) and the resultant complacency?

That is my main concern. These 'hacktivists' are not the best marketers in the world and they have the habit of rubbing everyone up the wrong way. But their cause has merit.

Yes, I believe that security practitioners and their clients should be raising their game, or else run the risk of:
a) being embarrassed (largely the damage that has been caused) by the ALAs; or
b) actually being hacked by some serious bad guys and thereby incurring considerable economic damage.

What the ALA’s have shown is that the millions spent on security by Governments and Corporations has been spent badly.   The security solutions out there particularly the so-called two-factor authentication solutions whether token or dongle based (OTP),  java-script based,  SMS based or even just password based are fundamentally flawed and it is time for a new evolution of authentication solutions.   If your website is ‘protected’ by a user name and password or SSO / Open ID  (or even one of the aforementioned) then you owe it to your customers and shareholders (citizens  - in the case of Government agencies)  to review your security.

Lest you become the laughing stock of Lulzsec.



HACKING - A 50 DAY LOVE (LULZ) FEST (or safe sex for the masses)


So Lulz have (supposedly) fallen out of love with us after only 50 days!! WOW, that was a short and sharp, whirlwind romance. One helluva steamy affair. One day SONY, the next day the IMF, the next CIA; no one was safe from her charms.

This little slut(z) came into our lives for a bit of fun and has left us breathless and embarrassed with no-where to hide .  Why ?  Because she wanted to show that with a little bit of seduction –by showing a little cleavage /  a bit of leg – she was able to conquer all before her.   Like Helen of Troy – no one could resist her charms.

She made us realize that we don’t actually know what protection is all about.   The protection we are  supposed to use  – was either damaged / wrongly spec’d or else we just could not get it 'on' quick enough.   Sure -  she may have laid some of our secrets bare – and many were left red-faced with no-where to hide - but we actually got off lightly.   But that was her game plan.  Show us up for the hypocrites that we are.   We all espouse safe-sex – but when in it comes to the nitty-gritty – we just can’t wait for the action – we rush in without thinking of the consequences after those first heady gropes.

I have received a number of phishing e-mails in the last few weeks – typical of those that nabbed the unsuspecting victims at the afore-mentioned institutions.   See 2 examples below.

Notice the difference in quality and sophistication – the first  – a bit rough and ready –lots of lipstick  and make-up – in your face seduction.  Bad spelling.  Street corner stuff.  But appealing to the curious ....


This one is much more low key and professional – attractive to a different kind of man.   A man who seeks discretion and subtlety in his ladies.  


But just as effective !

What you should not do when faced with such temptation, if you want to retain your dignity, is click on the document icon or the link respectively. Why? Because all manner of nasties will be unleashed onto your device, exposing your most intimate parts to the seductress, who actually just wants to steal your wallet/ID/passport etc. while your trousers are down!

So is this Lulz fest really over? I doubt it. The pickings are just too rich and besides, what else is there for a Lulz to do?



REPUTATION MORE VALUABLE THAN CASH (ASK SONY)


The recent attack (it seems by Anonymous) on SONY which compromised the personal details of almost 100m of their gaming customers has caused massive damage to the SONY brand.   According to Interbrand in 2009 SONY’s brand value was $12bn.   You can safely assume that it will have taken a hit in the order of billions of dollars.  ( This excludes any legal action and the resultant loss.) 

The same could be said of Epsilon and RSA who like SONY did not have a major financial breach but their good names have been severely compromised.   The loss to brand value as well as enterprise value could be massive due to the loss of future business.    (There is a report circulating citing research done on RSA’s customers of whom more than half stated that they would not be renewing their contracts. )    If not obvious before,  then now,  executives charged with the stewardship of large valuable corporations must realize how fragile that value is when faced with the multitude of challenges;   be they natural (tsunamis/earthquakes) or man-made (criminal / terrorism/fraud) or just good old competition.  

In respect of cybercrimes such as phishing and pharming attacks, which can lead to either direct financial loss (draining of bank accounts, theft of credit card details) or reputational damage (per the above), I contend that the latter constitutes a far greater threat than the former. (There are those who would argue that the value of an email address exceeds that of a credit card number in the parallel world of the cybercriminal.) In respect of individuals this would be in the form of ID theft, where personal credentials are used to commit fraud, thereby damaging (perhaps irreparably) that person's reputation. We have seen from the above examples just how a corporation's reputation can be impacted. A person or a corporation would much rather that money was stolen than that their reputation was damaged, as the latter is very difficult to rebuild and, if it can be, invariably takes a long time.

The need for strong authentication in situations where today simple ‘identification’ is used (such as applications using - user name and password / Single Sign On / OpenID) has become an urgent imperative.   Even then those authentication solutions need to be affordable, usable and effective.    Multi-factor solutions such as OOB tokens, OTP keys and browser-based javascript fingerprinting have relied on the browser, user acumen and ‘security by obscurity’ to function.

I believe we will see a steady trend of individuals and corporations demanding better security in the form of two factor authentication (as a minimum) from their business partners, suppliers and customers. We have seen many large corporations fall from grace very quickly for many reasons (Arthur Andersen / Enron / WorldCom / Lehman Brothers / Bear Stearns).

No corporation can afford to crash or be severely damaged, because they were hacked,  because they did not take their online security seriously.   

One swallow does not a summer make

Experts from Gartner have said that the recent 'froth' of M&A activity in the security space does not constitute a 'trend'. While 'one swallow does not a summer make', I would contend that this is in fact a trend and that it is set to hold for at least another year.

Why?

Well, first of all, the 'froth' was in fact more like a large set of Atlantic rollers breaking on the Cape coast! Consider the number of deals that have taken place in the last 6 months (see previous blog), crowned by the recent announcement by HP of its acquisition of ArcSight for $1.5bn.

"Hewlett-Packard has agreed to buy high-end technology security company ArcSight for $1.5bn to profit from its customers' increasing concerns about protecting their data from hackers.
The cash offer of $43.50 a share for Silicon Valley neighbour ArcSight was more than 50 per cent above where the company was trading before reports last month that it was courting buyers. It values the equity at $1.5bn, or six times projected annual revenue."

(http://www.ft.com/cms/s/2/e7ace394-bec1-11df-a755-00144feab49a.html)

Secondly, see this article, also in the FT, on how:

"More companies expect to increase spending on technological defenses against security breaches than had forecast such a boost in any of the previous five years, a global survey of more than 12,000 executives shows."

(http://www.ft.com/cms/s/2/6c0aa96e-bf76-11df-965a-00144feab49a.html)

When considered alongside the news today that:

ORLANDO, Fla., Sept. 9 /PRNewswire/ -- PandaLabs, Panda Security's anti-malware laboratory, has discovered that hackers are creating 57,000 new websites each week that exploit approximately 375 high-profile brand names worldwide at any time. These findings are based on a three-month long study conducted by PandaLabs of its global malware database. Notably, eBay and Western Union-related URLs comprise 44 percent of all malicious sites, with Visa, Amazon, Bank of America and PayPal also heavily targeted by cybercriminals.


You have to say that security is a growth industry, so why would the 'trend' not continue?

Have a great weekend.

MOBILE INTERNET CYCLE DRIVING PRIVACY SECURITY SOLUTIONS

With over two billion Internet users and five billion mobile phone users, these global networks bring people ever closer together. These technologies, which include broadband (terrestrial) and 3G (wireless), allow for more and more data to be carried. We have entered the next Tech Cycle, which is called the Mobile Internet. It was preceded by four tech cycles, starting in the 1960s with the Mainframe cycle. Approximately every decade thereafter we have had a new cycle: Mini-computers in the 70s; PCs in the 80s; and the desktop Internet in the 90s.

The Mobile Internet cycle, triggered by the launch of the iPhone, will see mobile internet access overtake fixed access by 2014. This will be driven by smartphone take-up and 3G/4G rollout. We are already at the critical point of over 1bn 3G users. Other drivers are video (YouTube), social networking (Facebook) and VoIP.

Much of this take-up is occurring in emerging markets; there are 5 babies born every second, but there are 30 new mobile phone subscriptions every second.
The majority of these users do not have a bank account, and so there is, and will be, a huge need for financial services (remittances, money transfer, payment services) to be delivered via the mobile.

In addition this increasingly connected global community is accelerating its usage of the Internet for commerce, communication, entertainment, trade, governance and so on -- in fact we are rapidly approaching the time that ALL human activity and interaction will 'somehow' be connected to the Internet.

Online fraud and identity theft have become the scourge of the Internet and are mitigating the efficacy of this Mobile Internet 'revolution'. Now that Facebook has 500m members, and issues of privacy and data protection are exercising the minds of Governments and corporations, the need for broad-based secure identity management and authentication solutions is escalating.
The current practice of using user names and passwords for 'identification and authentication' is seen as inadequate and vulnerable to hackers. New solutions are called for!

PERSONAL INFORMATION - ONLINE CODE OF PRACTICE

If you found my previous post somewhat disconcerting, then have a look at this link, which is the UK Information Commissioner's Guide to the new legislation. "The code explains how the Data Protection Act applies to the collection and use of personal data online. It also provides good practice advice for organisations that do business online and are therefore subject to the DPA."

http://www.ico.gov.uk/ebook/ebook.htm

And if you want more in-depth information about the legislation itself, then have a look at this video from Stewart Room. It makes it somewhat more accessible.



YOUR PRIVACY IN A VERY PUBLIC AND CONNECTED WORLD

So how do you value your privacy in the Facebook age?

Does it matter to you that the calls you make, the emails you send, your credit card transactions, the Internet sites you visit, the images of you travelling to work and your social networking posts are now stored at data centres in the Cloud and retrievable by a myriad of marketers, Government agencies and companies, none of whom you ever entrusted with your information in the first place? Your digital footprint is a permanent record of your every move.

Data is the pollution of the Information age. Everything we do generates data, and a secondary spin-off of Moore's law is that every year it gets cheaper to store and process this data. So rather than sort through our e-mails and delete the ones we don't need, we just keep them all; it is easier and cheaper to do so. The same thing now happens with all of our data.

Most of 'your' data actually belongs to someone else. All of your Gmail messages, everything you post on Facebook, all of your Amazon transactions: this information belongs to those companies, who then harness it to maximize their advertising revenue and to optimize the selection of products they want you to buy. The data gathered usually has a primary purpose, such as the airlines' frequent flyer programs, where your travel needs are customized (your seating requirements and meal choices), while its secondary purpose, once sold to a third-party marketing company, is to target you with a holiday special to some exotic destination.

The data we generate has value, whether to a company seeking to sell us more product or to a Government agency trying to track a terrorist cell. The utility of this data depends on its accuracy, so what may be useful to a marketing company, such as your age, salary band and postal code, will be insufficient for a National Security Agency. Companies are increasingly able to use this data to control their customers. Think about iTunes and the iPhone and how Apple has managed to control the whole eco-system end to end, from the device to the content to the retail process. This is not necessarily a bad thing; users are happy to have this managed for them, especially as technology becomes increasingly sophisticated and complex.

But what happens when you lose control of your data, when your information is unwittingly exposed to the world? This is a failure of security. But do you care? This is where the issue of the new generation gap becomes relevant: the Internet generation gap. The younger generation seem to be far more relaxed about their information being made public. They are living their lives 'in public'. What they did last night at a party is posted onto Facebook, either by themselves or their friends, for the whole world to see. This is 'normal'.

So what separates these 'digital natives' (those who have grown up with the Internet, with cell-phones, in the digital age with ubiquitous connectivity) from those of us who grew up when vinyl was still de rigueur, who watched TV according to a schedule; Generation X'ers who grew up in the pre-celebrity era, when football stars were paid a living wage, when videos and CDs were mainstream? Bruce Schneier believes this divide, this generation gap, can be classified as the divide between those who 'get' Twitter and those who don't. Age is not the measure; your level of acceptance and comfort with the nuances of social media, your fluency with social media, is.

The social norms of the digital natives are created by their environment, the world they were born into. Privacy in the pre-Internet age arose from the inefficiencies of prevailing technologies: telephone calls and letters were difficult to track. Now this has changed, and because of the massive processing power of Google's search engine and other technological innovations, privacy has been significantly diminished. Anyone can Google you and find you on Facebook/Twitter/Googlemail, and through your friends and friends of friends they can discover a lot about you. Ask any major HR department how they do their 'checking' on job candidates when they interview them. There is not even a measure of privacy through obscurity, because even the sheer volume of data out there is no match for the processing power of search algorithms.

In the past you categorized your friends into different groups with whom you socialized: family, school friends, work colleagues, clubs and so on. There was a natural compartmentalization between these 'groups'; today it is difficult, if not impossible, to section off your friends into such groups. To control your privacy now, you have to explicitly engage with the privacy policy of the social media site, email provider or whatever service you seek online. Many people will accept the default settings just so that they can get on with it, inadvertently leaving big holes in their privacy.

However, regulators and law makers are starting to get firmer, and they will have to force providers to allow users to opt in rather than blindly accept default privacy settings. This should prevent some of the recent privacy debacles like the introduction of Google Buzz and Facebook's recent efforts at changing its privacy policies, which saw the wholesale disclosure of people's private information, including their emails.

A good example of how the Regulators are starting to get to grips with these issues is the Code of Conduct recently published by the Information Commissioner in the UK, linked below. But remember that privacy and security do not equate. Security is about you controlling your information. It is up to you to take back control of your data and not to leave it to others. You need to start thinking more about security and how it can be used to protect your data.

But more of that another time.


LINK TO INFORMATION COMMISSIONER'S CODE OF CONDUCT - http://bit.ly/boDtlp