Ross Macdonald

TRUST

2012-03-18T11:13:00.001-07:00

Trust/trəst/ : Firm belief in the reliability, truth, ability, or strength of someone or something.

The foundations of the working of human society are built on trust. This has been so since the beginning of recorded history. As our communities evolved from hunter gatherer groups into agricultural chiefdoms, and ultimately modern states their operation, increasing complexity and success relied not only upon our cultural evolution as posited by Robert Wright in Non-Zero (Non Zero) but also upon trust. Trust is integral to our ‘culture.’

The birth of capitalism and the rapid economic and technological growth of the last five centuries began with the pooling of capital used by investors to underwrite a ships trading expedition called the ‘contratto di commenda’ . Such ventures could not have happened without the inherent trust that the investors had - that the expedition’s captain would return the profits to the investors.

Today we could not conduct our modern lives without trust. We go about our day with confidence that our utilities will be delivered, that the bus or train we ride on will get us safely to our destination, that the coffee shop we visit maintains acceptable levels of hygiene, that our ISP and our email providers will keep our data confidential. Ah... now that brings up a point. Can we indeed trust our Cloud providers to maintain our privacy and keep our data secure. They may mean well - but can they really do it.? If RSA – that 500 lb security behemoth cannot even keep its servers secure from hackers then who can ? (RSA hack) So while we trust our providers to do the best they can – can they actually deliver ?

An interesting revelation for me at the recent Global Mobile Congress in Barcelona was the results of a particular piece of market research suggesting that users trust their mobile operators. I guess that comes from many years of generally good, reliable service which has gradually gotten cheaper. But now that data is overtaking voice as the biggest service on the networks - with it comes our mobile Web access and so I would suggest that our faith in MNO’s will start to erode. The migration of hackers and malware from fixed to mobile is happening at the same rate that mobile access is proliferating. (Mobile malware)

There is much FUD out there when it comes to security on the Net and with it an undermining of trust. After all without real security who can you trust? Does all of this mean that the trust evolved and developed over millennia is now in danger of being eroded completely.

We in our modern connected societies have become ever more suspicious particularly of those in whom we should have ‘trust’ i.e. the State. (Silent State) The State has become ever more intrusive into our daily lives and our privacy, which we (maybe not the generation Y’ers) hold dear, is compromised. The same holds true for the Internet age mega corporation – Google and Facebook. Who proudly pronounce the death of privacy. (Zuckerberg says privacy is dead )

But I digress. Trust is the lubricant of the modern economic engine. Not privacy. If we are to maintain and increase economic growth we need to regain trust particularly when it comes to online transactions. Simply because online is where much of our economic activity is going. We need to find ways in which we can confidently engage online with trust.

A Single Sign On (SSO) which simplifies the process of accessing so many of the services we use on a daily basis – particularly social media – does not constitute anything more than basic identification. Confirmation of self reported credentials. Neither the site, nor the user can be confident that the other party is legitimate. But SSO is great – because it works (most of the time) and it is easy to use.

Imagine if you could log on and authenticate the session as easily as using an SSO? Imagine if both the site and the user could proceed with a session (transaction / communication/ engagement ) confident that the other party was 100% legitimate and that the communication was secure? (LiveEnsure)

That would bring trust back to the Internet. That would allow us to realize the full potential that the Internet has to offer. That full potential being - much stronger economic growth at a time when the World is in desperate need of good news for its economy !

Mobile World Congress - sensory overload

2012-03-04T15:12:00.000-08:00

The mobile ecosystem is alive and well and flourishing and reflects its current status as the globally dominant (and growing) industry that is becoming increasingly integrated into every aspect of our lives. The Barcelona extravaganza which is notable for two things. Firstly its sheer size – upwards of 60 000 delegates dwarfing anything ever held in Cannes ( when I last visited the show) and secondly, the absence of the largest company in the sector – Apple. Never known to follow the crowd – Apple rightly or wrongly uses its own platform ( in San Francisco) to make its announcements and thereby retains its mystique or displays its sheer arrogance – depending on your perspective.

That Mobile will continue to permeate every aspect of modern life is beyond doubt. The first phase of GSM where voice was the killer app has now been replaced by data and most particularly Internet access and mobile applications. So Mobile expands beyond the MNO realm and extends into Broadband where WIFI connectivity has become a key strategy for MNO’s to relieve the burden on their networks. We now live in a truly connected world with almost as many mobile connections as there are people on the planet which recently hit the 7bn mark. In addition there are over 1bn Broadband connections and this is growing at over 30% per annum. The global mobile industry generates $1.5trillion in revenues and almost $200bn is invested in Capex every year. ( GSMA )

The increased access to the Internet is vital to the expansion of knowledge and thereby our ability to solve the seemingly intractable problems facing humanity. Watch this fascinating TED talk on how we can solve these problems with the spread of education, knowledge and ideas all accelerated by the Internet. (http://www.ted.com/talks/peter_diamandis_abundance_is_our_future.html)

Here’s to the next year of every increasing connectivity and new ideas.

The Huawei horse

Time for a new Magic Quadrant

2012-02-01T15:34:00.000-08:00

You have all heard of the Magic Quadrant. An industry benchmark by which the, mostly, established players like to measure themselves against each other. To quote Wikipedia (that repository of all Internet wisdom ;-))

“the Magic Quadrant aims to provide a qualitative analysis into a market and its direction, maturity and participants, thus possibly enabling a company to be a stronger competitor for that market.”

The axes of the ‘Quadrant’ are ‘ability to execute’ and ‘completeness of vision’ and the methodology used to apply the ranking remains a closely guarded secret (or mystery depending on how you look at it.)

The MQ applies to many niches in the tech sector. I want to consider the User Authentication MQ. Notably because the space is getting much media attention these days. Hackers !

Wikipedia says that the aim of the analysis it is to “ ..enable a company to be a stronger competitor for that market “ . So you would look at all the players and see ‘ which player you should aspire to be most like.’

However there is a small problem in the realm of User Authentication. The companies highlighted in this category represent a very diverse spectrum of enabling technologies all aimed at authenticating users. They range from the industry behemoths like RSA and Vasco to smaller, newer and exciting players like Phone Factor.

So lets understand exactly what it is that these companies do. They protect their staff, their data, their customers and business partners from the unwanted attentions of hackers who are constantly trying to gain access to their systems and their data. So presumably in order to get into the Magic Quadrant you have to be top of your game? These guys represent the elite of the Authentication industry.

The solutions that they sell (in an industry now worth about $2bn) all fall nicely into one of the following three broad categories:

• Device recognition –Java Script browser scraping and literal device info recognition
• Certificates, Cookies, Soft Tokens – downloaded to the device and re-referenced
• OTP, Images/Challenges – dongles, PIN generators, SMS OOB

Considering the industry is replete with all manner of technical wizardry why is it that our headlines continue to read like a hackers dream ( and a CIO’s nightmare). Only last week Zappos was hacked.

What it means is that these solutions are not working. Yet these companies manage to continue convincing their customers that with ‘their’ solution they are safe!

I wonder what CNN moment it will take before businesses and Governments realize that they have been led a merry dance. Another SONY? Epsilon? Or possibly some large critical national infrastructure failing under an attack leading to a disaster like a train or airplane crash or power grid failure. God forbid.

Lets hope sense prevails before we get there. Get Live Ensure. Many are starting to drink the Kool Aid and are seeing the light. Join them.

Maybe it is time for a new MQ.?

Link: http://www.gartner.com/technology/reprints.do?st=sb&id=1-18UHKYY&ct=120118

The World in a weird place or ( The Truman Show)

2012-01-15T16:14:00.000-08:00

The world is in a very weird place.

After having read some research (http://divinecosmos.com/start-here/davids-blog/1023-financial-tyranny) about how we have all been hoodwinked by the US Fed to the tune of $26trn ( yes - that is trillion not billion ) I am beginning to wonder whether we aren’t all on the set of some giant Truman Show (without the great weather and white picket fences !)

So according to this research, which I would have dismissed as some kind of latter day Zeitgeist conspiracy theory if I had not clicked through some of the links and seen an article written by a US Senator ( not that that should somehow give it legitimacy given the intimate role of members of the US Govt in this tragedy), economic power globally rests in the hands of a very tightly knit group of corporations and institutions – mainly banks. Hence the bailouts. Believe me TARP was a tip of the ice-berg. That was like Sunday School collection money.

So in brief the Federal Reserve ( a private company independent of the US Govt ) prints money and lends it to the US Treasury for use as currency and charges interest. It also prints the money and then lends it to foreign banks.
Now I bet you didn’t know that.

In fact since 2008 to the tune of $16 trillion. To the likes of Barclays, Deutsche, RBS, UBS plus of course the usual suspects like Goldmans, Citi, BOA, Morgan Stanley and Merril Lynch who each received over $1trn. In fact it is all well documented in an audit (http://sanders.senate.gov/newsroom/news/?id=9e2a4ea8-6e73-4be2-a753-62060dcbb3c3) of the Fed conducted by the GAO ( General Accountability Office) which is the first time the Fed has ever been audited.
Bet you didn’t know that either !

“ The GAO audit also revealed that many of the people who serve as directors of the 12 Federal Reserve Banks come from the exact same financial institutions that the Fed is in charge of regulating.

Further, the GAO found that at least 18 current and former Fed board members were affiliated with banks and companies that received emergency loans from the Federal Reserve during the financial crisis.

In other words, the people "regulating" the banks were the exact same people who were being "regulated." Talk about the fox guarding the henhouse!...

For example, the CEO of JP Morgan Chase served on the New York Fed's board of directors at the same time that his bank received more than $390 billion in financial assistance from the Fed….

Getting this type of disclosure was not easy. Wall Street and the Federal Reserve fought it every step of the way. “

And you wonder why the Occupy movement is so popular?

So who is right ? The 99% who want the 1% to pay a fair tax rate. Or the 1% who want to maintain their Uber wealth by keeping their tax rates low. The problem is - it is the 1% who control the economic power and hence the media and hence the politicians. Make your own deductions how this election is going to go. That is of course unless the common man stands up and makes his voice heard and his vote count. It happened in North Africa and the Middle East. Maybe it will start happening in the most unlikely places.

The White House has woken up to SOPA. Is it because Schmidt can muster more resources than Murdoch? Or has sense finally hit home.

So as I was saying the world is in a very weird place.

They are even talking about war with Iran. Who are the new Cheneys, Rumsfelds and Wolfowitz’s.
Better pray that they had no heirs.

Was that Jim Carrey I just saw…

The End of Passwords

2012-01-01T14:22:00.000-08:00

Finally it seems … the penny has dropped. Passwords are a poor substitute for real online security. There is more and more ‘chatter’ about it. Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google. The talk is of new biometric solutions such as facial and hand movement recognition. Even IBM is talking this way. (http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/)

I agree with the notion that passwords are a dying breed but not that biometrics will become vogue. They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) . Why are passwords defunct? Basically they are difficult to remember and they are easy to steal.

The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise !) and which will leverage the emergent technologies like smart-phones and tablets. These technologies enable mobile based solutions like SMS out of band and character recognition solutions as well as wireless solutions like NFC. In fact these technologies have created a challenge for the enterprise with these devices being brought into work by employees frustrated with working on antiquated PC’s.

What is Nirvana ? The user not having to remember anything apart from having his smart-phone on him. Well it seems that people are more inclined to leave their keys or wallet at home than their smart-phone. So all you will need is something that you already have and one which you wont leave at home.
The first step is to log in to the site with your email address (as the identifier). You then engage with a QR code that is delivered to the screen of the device you are logging in on ( even your smart-phone).. A line of sight interaction – you have to present your phone to scan the QR code on the screen. There is no wireless interface a la NFC which is vulnerable to interception. The phone delivers the scanned code back to the site, closing the loop ( triangulation) thereby proving your identity and allowing you to transact.

Nirvana exists. It is called Live Ensure. (http://www.liveensure.com)

Happy New Year.

You need authentication

2011-12-05T07:12:00.001-08:00

I am constantly amazed at the lassez faire attitude that the majority of businesses, large and small, have about their online security.

Those that require their users / members to log on will provide a user name and password log in to verify their identity – and that’s it.

I suppose that if the large players like Amazon and iTunes can get away with it then the smaller guys think that’s all they need to.

The reality is that if the big boys get a hit – they have the firepower to deal with it. But SME’s just need one bad hack and they are out of business.

2011 is going down as the year of the ‘Hack’ ( http://www.infosecurity-magazine.com/view/22481/year-of-the-hack-/?utm_source=twitterfeed&utm_medium=twitter) with many high profile victims like SONY, RSA and Epsilon losing millions of their users personal information. Despite this there seems to be the attitude that ‘ it cant happen to me’. I have just read about the latest phishing scam targeting Amazon users ( http://bit.ly/tXBENH ) – warning you that your account is about to expire and that you need to re-register. In the process handing over your precious information and opening up your Amazon account to the hacker. There is also one going around for PayPal and Apple at the moment. Yet they persist with user name and password. Incredible.

I suspect there is a bit of the “ it wont happen to me “ but also I believe that most SME owners think that they just can’t afford a proper solution because the image created by the industry is that you have to be a big corporate to have ‘proper’ security. It clearly is not true. There are more and more solutions now targeting the ‘low’ end of the market. While some are ‘samey’ to the big guys there are one or two which are really quite unique. What should you look for in such a solution ?

It needs to be easy to get. You shouldn’t have to call someone – have someone visit you – do some kind of an IT project. It should be a SAAS service available on line and easy to integrate.

It needs to be easy to use. Your users should not have to get some ‘thing’ - be it a token ( physical or otherwise ), a dongle, a card reader, a USB key or even a cookie or some kind of software download. Ideally your users should rely on something they already have like their smart-phone or their laptops as part of the solution.

It should not cost a lot. Ideally some kind of ‘Pay as you Go’ solution which means that you don’t incur any unnecessary expenditure upfront in getting the product in place.

If you are going for something that is more complicated than that then you are making your life difficult. Check out http://www.liveensure.com

The future is bright and it is mobile (in fact it is here !)

2011-11-05T15:34:00.000-07:00

There are so many pundits out there who have finally jumped on this bandwagon. But lets be honest, five and a half (or is it now closer to six) billion people, can’t be wrong – the mobile revolution is finishing its transition from what have been predominantly voice services to broad-band data services. The devices that we used to just talk on are now full blown computers and we use them for everything – although we do actually still use them to talk on as well too!. ( See my previous blog: http://www.liveensure.com/blog.php?id=3493622962031166405)

There are so many exciting threads to this trend : the Internet revolution in Africa and other emerging markets, the plethora of new services being created every day that add value to our everyday existence and the emergence of real competition in the mobile handset space. I applaud Microsoft ( and Nokia) for their exciting new partnership and a handset that will create a real challenge to the incumbent behemoths – Android and Apple ( oh and six months ago I would have mentioned BB in the same breath – not anymore…) Check out this video from MS providing their vision of the future - its pretty cool. (http://www.youtube.com/watch?v=a6cNdhOKwi0)

That increased penetration of the Internet enhances economic performance, is now empirically proven - and so any and all technologies that achieve that end should be pursued with alacrity. The strides in technology over the last decade when 3G first became de rigueur ( driven then mainly by the hardware fraternity keen to flog their wares ) have been immense and helped along irresistibly by the launch of the iPhone in 2007.

What is perhaps even more daunting/ exciting is the prospect of what will happen in the next ten years when network effects magnify the impact exponentially. By 2020 it is forecast that there will be 50bn connected devices ( it is also called The Internet of Things). These devices will form the basis of an intelligent network fabric encircling us and interacting with us in so many ways – many as yet unimagined. Enhancing our lives and optimizing our use of resources and thereby addressing the pressing challenges of poverty, global warming and water shortages. The interconnectedness of our societies and interdependencies created, will further reduce the prospect of cross-border conflicts and therefore channel taxpayers dollars away from arms towards health, education and infrastructure. It really is a future to be excited and positive about.

I do believe that many of the limitations that the Internet has today which make so many people suspicious of ‘doing stuff ‘ online will be eliminated. We will feel secure about transacting and it will be a seamless process to verify our transactions and our communications. Consumers will drive businesses who will in turn drive the policy makers to ensure that online security be addressed comprehensively. The recent London Cyber Conference represented the end of the old era of weak intergovernmental decision-making. The imperatives and the importance of tackling this problem will probably be brought home by some kind of a CNN moment (bigger than Stuxnet) and this will bring everyone to their senses. The future Internet cannot operate insecurely and so sense will ultimately prevail. The efforts of Lulzsec and Anonymous have been well intentioned and should not be belittled despite some of their amateurish bravado.

To get a sense of what this future really holds – take time to watch this video. It is very, very exciting. Here’s to the next 10 years.

(http://www.youtube.com/watch?v=R7cuatm_bqw)

Authentication in ' context'

2011-10-20T15:01:00.000-07:00

con·text/ˈkäntekst/

The circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed.

authenticate [ɔːˈθɛntɪˌkeɪt]
vb (tr)
to establish as genuine or valid

What does context have to do with authentication?

When you log on to a web site and enter your user name and password so as to ‘authenticate’ yourself all you are presenting are self reported credentials to the site. If you present the correct credentials then the site accepts you as - who you say you are. It takes you at face value. It identifies you. Liken it to a knight of old arriving at castle and announcing himself. When you log on to a web site and it asks you to log in with a user name and password – you are in effect – announcing yourself – identifying yourself.

What happens if someone steals your password? Then they can log on as you – the site is none the wiser – the thief has presented the correct credentials. The credentials are by definition – static. They remain valid whether you do so from one of many devices unless of course the site is using a device recognition credential – a cookie, a Javascript based device identification or certificate solution. But again that credential is also static as it is re-used again and again no matter what the ‘context’.

A hacker can harvest your credentials by one of many methods be they social engineering, key logging, Trojans, Man in the Middle or Browser attacks and so on. The hacker can re-use those credentials in a different ‘context’ (e.g. from another device in another country) but still be regarded as ‘valid’ by the site.

This is where most so called authentication solutions even two factor authentication solutions fail. They ‘work’ irrespective of the context. Even when an OOB OTP is sent via SMS and the PIN is entered into the browser the same vulnerability exists. A hacker can intercept the PIN and replay the session in real time posing as the ‘real’ person. In other words the OOB pin can be used on a different browser or even session, device or IP address from which they were requested. In other words – a different context.

So why is context so important.? Context is a function of three elements:

• time (i.e. the moment of authentication – when it happens, the session ) ;

• Method/mode is the context of origination and transmission – things that dial into the location of the source i.e. the device. Hence the popularity of some device based solutions. Most of which fail because they rely on persistent data ( cookies or Javascript or downloaded software ) because they are easy to fool or copy.

• Meaning is the literal value, or meaning of the credentials. This is usually the total sum of the traditional login: User name and password; sometimes ‘beefed’ up perhaps with a time element (timeout) and source (ssl handle, cookie). This is the value of the token or OTP/OOB, the value of the challenge response, etc., i.e. the "thing you know". The site controls the value, the user must know it, get it and repeat it back. ( A shared secret ) which is usually the only unique element to the mix, as the other two are re-used, or known.

The timing of the event is important because the session commences only when all of the key players/participants in the authentication puzzle come together in context for the act of ‘authentication’. The key constituents are: the user, the device, the site and the session.

Only when all of these parties (the correct /valid parties) come together i.e. in the right context - can true authentication take place. None of these elements or even values associated with them like U/P, cookies, JVscript fingerprint or certificate should be able to be used in isolation in another session. In other words in another context differentiated by time or device. They all need to come together dynamically and uniquely for each session ( context) to ensure integrity.

So a proper authentication solution is one where all elements (and more) are combined into a single context - whereby any of the elements in isolation, or out of context, are meaningless. In addition any element inspected in isolation should not be the key to unlocking or accessing (or guessing) any of the others. They should be dissociative.

Finally none of the elements from this or any other context are re-used, at least in their native form. It's okay to re-use a password, or re-challenge the device , but it has to be different by nature of it's membership in the context, and not meaningful outside of that (which is the source for most MITM, MITB, social engineering, phishing/ pharming, etc).

HUMAN EVOLUTION AND THE MOBILE

2011-10-03T15:18:00.000-07:00

We in the southern part of the UK have started to see our Indian summer start to slowly fade as we get into this first week of October. It has been a wonderful but disorientating week with temperatures in the high 20’s (80’s F) – and clear blue skies - I could have sworn this was Jo’burg in Summer. All that was missing was the swimming pools !

Well I know that parts of the mid-West have also had some great weather. Indeed in the good ol’ US of A October has become known as National Cyber Security Awareness month. Who would have thought ten years ago that a whole month would be ‘honoured’ with such a strange moniker.

Well I guess 10 years ago no one would have predicted that we would have become so utterly dependent on the Web – our every waking and in some instances sleeping moments have some Web connection. E-mail, social-media, telephony, shopping, business, entertainment, gaming – just about anything you can think of - we can now do on the ‘Net.

And it is has all now migrated to the mobile.

We don’t move without our smart-phones attached to us like newly evolved limbs –extensions of our arms and hands like permanent deformations. Each mutation reflecting our individual taste –our particular phase of evolution.

Some of us are Apple boys – coveting the very latest offerings from the Cupertino emporium with breathless anticipation ( like tomorrow Tues 4th – iPhone5 day ) - while those Droids amongst us turn their noses up at such blatant snobbery.

They, the heroes of the ‘’working man’ of open source - embrace the democratic power that Android brings to the masses. (Compatibility, hardware issues and viruses aside) Then there are the die-hards – the traditionalists - those who haven’t evolved as much. They still ‘carry’ themselves like our predecessors of the last decade with ‘ancient’ devices made by Nokia, RIM and Microsoft. Some of them pride themselves on using their phones only for calls and text messages. There are those who swear by their Blackberry buttons desperate to hang on to this dying function which is destined to wither away like a non-functioning limb. ( I predict that two case studies in business schools in 2012/3 will be the demise of RIM and Groupon and how these success stories faltered and failed)

What this mobile revolution is doing is making the Internet more accessible as WIFI/WiMax and LTE become more ubiquitous and as we embrace these devices to do that most important of human activities – payments. I predict that some aspirants will fall by the wayside but that a few smart technologies will come to define this next evolutionary period. Those who can make payments simple and secure and usable will go a long way to solving the biggest challenge of the 'new mobile era'.

Perhaps these newly evolved limbs will be defined not only by their form factor and the services we consume but also how we pay for them.

SIX MONTHS ON AND EPSILON STILL DONT SECURE THEIR USERS

2011-09-19T10:36:00.000-07:00

In April this year, Epsilon Data Management LLC (one of the world's largest providers of marketing-email services) , a division of Alliance Data Systems Corp issued a statement,

"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."

(http://www.fastcompany.com/1744738/the-epsilon-breach-should-you-be-angry-worried-or-bored)

When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet. Epsilon handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted-out of marketing emails, think again
(http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century)

Epsilon required their customers to log on to their systems using a user name and password with which to ‘authenticate’ themselves. This was clearly inadequate as a hacker managed to breach their system and obtain a treasure trove of customer information.
What this meant was that the customers of Epsilons customers i.e. the big brands, were ( and still are ) exposed to spear phishing attacks. They can be targeted by the hackers with e-mails that will look like they legitimately come from those global brands which include the likes of :

Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books and Lacoste…etc.

(http://www.itpro.co.uk/632566/the-fallout-from-the-epsilon-breach)

Currently ( 6 months later ) Epsilon announced ( from their website ):
“ Further, Epsilon has enhanced user security by implementing two-factor authentication. Two-factor authentication is a security process that requires two means of identification to gain system access, adding significant additional protections beyond conventional strong password requirements. Two-factor authentication, currently in place for employees, will be extended to all clients in Q3 2011. “

(http://www.epsilon.com/News%20&%20Events/Press%20Releases%202011/Epsilon_Unveils_Innovative_Security_Enhancements_to_Global_Email_Marketing_Platform%20/p1118-l3)

At the time of writing (19 Sep 2011) Epsilon clients are still only using a username and password to log-in.

(https://portals.epsilon.com/c_links.nsf/names.nsf?Login)

Makes you wonder - doesn't it ?

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

2011-09-08T04:33:00.000-07:00

If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key. ( I was tempted to refer to them as ‘ large UK bank’ - but it is so obvious who it is – no point in pretending. )

A lot of money has been thrown at this campaign – I would guess millions. (http://www.youtube.com/watch?v=Jx0Z5CiQMIw) Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots. So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator - but basically a technology that has been around for about a decade. This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! (http://www.bankingtech.com/bankingtech/article.do?articleid=20000201121) You do the math!

This same technology has been used by HSBC itself and many other banks for most of the noughties. But all to no avail. Has online banking fraud stopped ? No.

So why pursue a strategy- that has been proven to be wrong. As they say – a sign of madness is doing the same thing over again and expecting a different result.

Technically the product is flawed. And it is cumbersome. Watch this video to see just how cumbersome !! (http://www.youtube.com/watch?v=iOOWiQS5pUQ&feature=related) and also (customers don’t want another ‘thing’ to carry around and potentially lose) , but - most importantly it is vulnerable to being hacked by a Man-in-the-Middle or Man-in-the-Browser attack.

After identifying yourself with a user name and password you are then asked to enter the One Time Password (OTP) back into the browser. The browser being the vehicle that you are trying to secure and establish trust over. But here you are entering your ‘million dollar’ PIN into an insecure browser. This is security by obscurity at its finest.

Also – as to be expected many customers don’t like it – forums have been set up where rants (and some raves ) are shared (http://forums.moneysavingexpert.com/showthread.php?t=3296224)

I have not even mentioned the carbon footprint of manufacturing these devices and then shipping them to 4m customers around the world. This number will grow by about 20 % per year as people lose them and they need to be replaced. So who foots the bill ? YOU and me - the bank's customer foots the bill. How? In increased bank charges. And when you do get hacked – and many will – the bank has to make good the loss – again at the cost of YOU the customer. Even higher bank charges.

Surely there are solutions out there that can be delivered over the web as a SAAS solution – obviating (in this case ) the multi-million pound investment in tokens and postage and packaging. Surely there are solutions that offer a higher level of security and ones that are much easier to use and ones which are cheaper. Of course there is.

Live Ensure ( http://www.liveensure.com).

Maybe if you know someone at HSBC you should tell them about it.

SECURITY SANS FRONTIERS

2011-08-11T08:57:00.000-07:00

In many countries around the World, access to the Internet is seen as a basic right, and so it should be. Those countries which have done so to date include : Estonia, France, Spain, Greece and Finland, which was actually the first to do so in June 2010. (http://www.publicserviceeurope.com/article/642/internet-access-should-be-a-human-right) I

In fact the United Nations recently declared Internet access as a human right. (http://www.itproportal.com/2011/06/04/un-declares-internet-access-as-a-human-right/)

Obviously the next challenge is to build the infrastructure and provide the means of access. But that is the subject of a separate discussion.

So the “World” has woken up to the importance of closing the digital divide and has also realized the importance of the Internet, and access to it, to the functioning of society. Amongst the many momentous events of the last twelve months which have included epochal scenes such as the Arab Spring, the new Financial crisis ( Greece / Euro) and most recently the London riots - what has also made headlines globally has been the spate of cyber attacks and hacking which have damaged (and embarrassed) some very large corporations like Sony and RSA and large Governmental and NGO’s like the CIA and the NATO. This has been coupled with the emergence of online activism dubbed ‘hacktivism’ (the online equivalent of protesting in Tahrir square) – lead by the likes of Anonymous and Lulzsec. These high profile events and the associated media coverage has raised the issue of online safety, security (and privacy) and exposed just how vulnerable users of the Internet ( i.e. all of us ) are, to becoming victims of cybercrime ranging from phishing, pharming, ID theft and, in the case of businesses, DDoS.

So it is all very well giving people access to the Internet. Once they have access they need to be safe. There is the risk that we create another ‘ digital divide’ . This time the divide between those who can afford adequate online security and those who cannot. We have called this the ‘security divide’. There are those who are well informed about online security (most people reading this article would fall into that category) and those who haven’t a clue (the majority of people out there.) But there are also those who do understand the issues but cannot afford the prices being charged by most security vendors.

In the spirit of trying to bridge the ‘ security divide’ we have embarked on a program of making LiveEnsureTM available, to those organizations (who themselves have become soft targets for hackers ) like charities, not-for-profits, social enterprises and indeed small start-ups, for free.

We have called this initiative ‘ security sans frontiers’. If your organization requires its users to log-in or if it takes donations online (in other words if you need to protect your users by ensuring your site does not get hacked) and you think your organization qualifies then please sign up at http://www.liveensure.com today. Access to the Internet is and should be a basic human right but so too should safe access to the Internet be.

ANONYMOUS / LULZSEC /ANTI-SEC ARE DOING MORE GOOD THAN HARM !

2011-08-07T10:29:00.000-07:00

I know, I know – I hear the howls of protest even before finishing this first sentence.

“What about all the innocent lives exposed by the irresponsible publication of peoples names in positions of authority or in sensitive roles. ?”

But where does the fault lie ? With those doing the breaking and entering? Or those not providing adequate protection?? It is liked leaving your house locked without an alarm system, going on holiday, and coming back and finding it broken into.

Don’t be surprised. You have no one to blame but yourself.

“ But these are criminals ! “ – I hear the sounds of self righteous chest thumping.

Maybe, but what they have done – I hope – is scare the s**t out of anyone who has anything (data) that is accessible via the Web - and into ensuring that their ‘security’ ( if any ) - is rapidly upgraded. This ranges from personal users who have Gmail accounts to corporations and Governments who are custodians over much of your and my personal data.

Who today has not heard of the hacking of SONY (and other gaming companies), RSA, IMF, Citi-Group, Lockheed Martin and myriad government agencies (particularly local police forces.) ?? (http://www.cio.com/article/687364/AntiSec_Hackers_Dump_Data_After_Hacking_Police_Websites?source=rss_security)

There must be millions of tweets every day carrying a story or an angle of yet more hacks / breaches, of yet more venerable institutions – by, invariably, the Anonymous/Lulzsec/AntiSec ( ALA) contingent (or their pretenders). Even the mainstream media is replete with such stories. Perhaps the exposure has been a little excessive and we are starting to suffer from ‘hacker’ fatigue. It is becoming a little tiresome.

Therein lies the danger.

Is the good ( yes – I think on balance the awareness raising is good ) not going to be diminished through the excessive exposure, the desensitization ( boiling frog syndrome ) and the resultant complacency?

That is my main concern. These ‘hacktivists’ are not the best marketers in the world and they have the habit of rubbing everyone up the wrong way. But their cause has merit.

Yes I believe that security practitioners and their clients should be raising their game or else run the risk of :

a) being embarrassed (largely the damage that has been caused) by the ALA’s; or

b) of actually being hacked by some serious bad guys and thereby incurring considerable economic damage.

What the ALA’s have shown is that the millions spent on security by Governments and Corporations has been spent badly. The security solutions out there particularly the so-called two-factor authentication solutions whether token or dongle based (OTP), java-script based, SMS based or even just password based are fundamentally flawed and it is time for a new evolution of authentication solutions. If your website is ‘protected’ by a user name and password or SSO / Open ID (or even one of the aforementioned) then you owe it to your customers and shareholders (citizens - in the case of Government agencies) to review your security.

Lest you becoming the laughing stock of Lulzsec.

DOES YOUR WEBSITE HAVE A LOG IN ?

2011-07-17T16:03:00.000-07:00

Well - you’re probably thinking - this is going to make a fun read !!

Does my website have a log in ?? Well damn right it does ( you’re saying to yourself) – we can’t just let any old passer by onto our site!!

I mean look at all these big cheeses being hacked like RSA , SONY and even the CIA !!

But if users have to log in - that means they need to register and they need to remember yet another user name and possibly - but not necessarily - another password. Well - that means that customers desert in droves ! Or does it?

Are customers put off when they have to log in ? Well I guess a lot has to do with whether the service you offer is valuable enough. Lets see – Twitter, Facebook and Gmail just to name a few at random – you would expect to see some kind of ‘identification ‘ process going on. And indeed you do. And now to make it all that much easier – SSO (Single Sign On) , OpenID and now BrowserID courtesy of Mozilla ( amongst others ) make our lives much easier when accessing these services. (http://www.hexus.net/content/item.php?item=31189)

Does your service justify such a feature.? Do you hold personal data, do you transact, is yours a mobile app that is personalized ( eg Groupon/Living Social)

More and more websites, corporate applications, mobile applications and cloud applications require that users log in and identity themselves; and if you are one of them you should be thinking of all the ways you can to make it as easy as possible. Here’s why . (http://www.netwitsthinktank.com/internet/nonprofit-engagement-why-website-logins-matter.htm)

Going forward I believe that users will actually demand that websites provide more in the way of security. When we leave our personal credentials on websites like Amazon and Apple we expect that the information is kept secure. However recent experience with the likes of SONY and Epsilon have shown that hackers have found these defences to be woefully inadequate. And now our information is easy game and identity theft is rampant.

Live Ensure is a security solution that wraps around any form of log-in whether protected with an additional authentication layer or not and provides ‘ Swiss Vault ‘ security against identity theft. Why not check it out – it may just save your business. I am sure SONY wished they had ! ( http://www.liveensure.com )

HACKING - A 50 DAY LOVE ( LULZ) FEST ( or safe sex for the masses)

2011-06-27T10:17:00.000-07:00

So Lulz have ( supposedly ) fallen out of love with us after only 50 days !! WOW - that was a short and sharp, whirlwind romance. One hell'uve steamy affair. One day SONY, the next day the IMF, the next CIA – no one - was safe from her charms.

This little slut(z) came into our lives for a bit of fun and has left us breathless and embarrassed with no-where to hide . Why ? Because she wanted to show that with a little bit of seduction –by showing a little cleavage / a bit of leg – she was able to conquer all before her. Like Helen of Troy – no one could resist her charms.

She made us realize that we don’t actually know what protection is all about. The protection we are supposed to use – was either damaged / wrongly spec’d or else we just could not get it 'on' quick enough. Sure - she may have laid some of our secrets bare – and many were left red-faced with no-where to hide - but we actually got off lightly. But that was her game plan. Show us up for the hypocrites that we are. We all espouse safe-sex – but when in it comes to the nitty-gritty – we just can’t wait for the action – we rush in without thinking of the consequences after those first heady gropes.

I have received a number of phishing e-mails in the last few weeks – typical of those that nabbed the unsuspecting victims at the afore-mentioned institutions. See 2 examples below.

Notice the difference in quality and sophistication – the first – a bit rough and ready –lots of lipstick and make-up – in your face seduction. Bad spelling. Street corner stuff. But appealing to the curious ....

This one is much more low key and professional – attractive to a different kind of man. A man who seeks discretion and subtlety in his ladies.

But just as effective !

What you should not do when faced with such temptation – if you want to retain your dignity – is click on the document icon or the link respectively. Why? Because all manner of nasties will be unleashed onto your device exposing your most intimate parts to the seductress - who actually just wants to steal your wallet/ID/Passport etc while your trousers are down. !

So is this Lulz fest really over. ? I doubt it. The pickings are just too rich and besides - what else is there for a Lulz to do ?

MOBILE MONEY - A SOLUTION READY TODAY

2011-05-28T09:19:00.000-07:00

Google have just announced with some fanfare that they have created a mobile money eco-system. Android users can now use their devices fitted with NFC chips to make payments at selected Points of Sale in the US. This will only be launched on a limited scale some time in the Summer. It is not actually ready yet. ( http://googleblog.blogspot.com/2011/05/coming-soon-make-your-phone-your-wallet.html)

There is no doubt that those of us in the ‘advanced’ West will value the utility of being able to swipe our phones (which have become extensions of our very beings) when we buy coffee - the Starbucks app has been out for a while – (http://www.starbucks.com/coffeehouse/mobile-apps) or when we make our day to day purchases. It will be ‘cool’ just as it is cool today to flash an NFC enabled credit card at an NFC enabled POS when making small value purchases.

However I would argue that the utility, of the full functionality of mobile money transactions, will only be fully appreciated by those living in less developed countries - where few have bank accounts and credit cards but many have mobile phones.

I was delighted and surprised to hear that the SWIFT conference in Mumbai being held this week has its focus on the unbanked. (http://www.swift.com/events/2011/Innotribe_Mumbai/index.page) SWIFT is the organization that provides a platform for banks (inter-alia) to automate and standardize financial transactions including transfers – hence the SWIFT code for bank accounts. So it is a big and brave step that they have taken into what must be, for them, uncharted territory.

Having grown up in the mobile phone industry in the 90’s and been fortunate to have seen some pretty cool innovations in that space – what stood out for me at the time was the inability of mobile banking to take off (despite best efforts from us as a mobile operator and the maturity of the technology). My observation was that the failure was primarily political – it was a turf war between banks and MNO’s. Banks did not want the MNO’s to get too close to their business for fear of losing control of their customers.

Well that was a long time ago and since then things have moved on. Companies like Monitise (http://www.monitise.com/) have demonstrated that the banks have adapted and realize they need to be part of the new order. However they serve a limited segment of the potential global market. Their customers all have bank accounts and all that Monitise and other aspirants are doing, is creating a new channel.

What about those ( more than) 3bn mobile phone users who don’t have bank accounts?? (Reliable statistics show that only 2bn of the more than 5bn mobile phone users globally are banked.) These are generally poorer people who live in emerging markets in Africa and Asia. They live in a cash economy with very high transaction costs. A large proportion of their income comes from remittances from the richer Western countries. The cost of these transactions are outrageous although competition is forcing these prices down (Western Union – http://www.westernunion.com ) The inefficiency in this financial system is deleterious to an already weakened economic order.

The challenge thus, is to provide a financial ecosystem that can bridge the sophistication of the banked with the needs and wants of the unbanked. Such a system should leverage existing networks and infrastructure so as to reduce costs of implementation and ultimately transactions costs. By using the mobile phone as the instrument for storing value (e-wallet) and its networks for sending the money one can achieve many of these objectives.

How does one translate cash into ‘e-money ‘ and visa versa. This is a function of the partner networks that can be leveraged – these are the so- called pay in and pay out points where the user can do just that, put money in or take cash out. Of course ideally this should be integrated with the ‘advanced’ banking systems so that bank accounts, credit cards and debit cards can also interact with the system.

M-Pesa, (http://enterprise.vodafone.com/products_solutions/finance_solutions/m-pesa.jsp) is a great success story out of Kenya which demonstrates the ingenuity of a people whose culture and needs are not burdened by vested interests. However M-Pesa is relatively restricted in its reach and its scope of services.

Surely the ideal solution is one which taps into the users requirement for low cost calls ( he has a mobile phone already and hence wants to keep costs down), and also provides the ability for the user to make and receive payments, transfer money, pay bills and remit funds internationally - all off a single account (e-wallet). One that can be linked to credit cards and bank accounts but is also linked to ubiquitous networks of pay in and pay out points. And one that is also linked to a branded card that can be used to make payments, draw cash from ATM’s as well as make online payments.

Well as it happens there is such a solution. It is provided by a company called Paymotech and it goes by the name of Paytoo (http://www.paytoo.com/). Unlike Google which is still trialing its mobile payment service Paytoo is now live across the US and is accessible at thousands of outlets. Paytoo has also implemented its services in countries like Nepal where in partnership with the central bank the Nepalese Diaspora can now remit funds to their families back home at an affordable rate. There are numerous other relationships in place ( check out their website) that demonstrate the efficiency and ingenuity of the Paytoo system. Paytoo have a Mastercard BIN which allows them to issue branded prepaid cards. They are also a global MVNO leveraging the Vodafone network – allowing Paytoo users to use their mobile phones abroad without incurring roaming charges. And there is much much more.

Perhaps SWIFT need look no further than Paytoo for a solution.

REPUTATION MORE VALUABLE THAN CASH (ASK SONY)

2011-05-05T08:17:00.000-07:00

The recent attack (it seems by Anonymous) on SONY which compromised the personal details of almost 100m of their gaming customers has caused massive damage to the SONY brand. According to Interbrand in 2009 SONY’s brand value was $12bn. You can safely assume that it will have taken a hit in the order of billions of dollars. ( This excludes any legal action and the resultant loss.)

The same could be said of Epsilon and RSA who like SONY did not have a major financial breach but their good names have been severely compromised. The loss to brand value as well as enterprise value could be massive due to the loss of future business. (There is a report circulating citing research done on RSA’s customers of whom more than half stated that they would not be renewing their contracts. ) If not obvious before, then now, executives charged with the stewardship of large valuable corporations must realize how fragile that value is when faced with the multitude of challenges; be they natural (tsunamis/earthquakes) or man-made (criminal / terrorism/fraud) or just good old competition.

In respect of cybercrimes such as phishing and pharming attacks which can lead to either direct financial loss (draining of bank accounts/ theft of credit card details) or reputational damage (per the above) I contend that the latter constitutes a far greater threat than the former. ( There are those who would argue that the value of an email address exceeds that of a credit card number in the parallel world of the cybercriminal.) In respect of individuals this would be in the form of ID theft where personal credentials are used to commit fraud thereby damaging (perhaps irreparably) that persons reputation. We have seen from the above examples of just how, a corporation's reputation can be impacted. A person or a corporation would much rather that money was stolen than their reputation was damaged; as the latter is very difficult to rebuild and, if so, invariably takes a long time.

The need for strong authentication in situations where today simple ‘identification’ is used (such as applications using - user name and password / Single Sign On / OpenID) has become an urgent imperative. Even then those authentication solutions need to be affordable, usable and effective. Multi-factor solutions such as OOB tokens, OTP keys and browser-based javascript fingerprinting have relied on the browser, user acumen and ‘security by obscurity’ to function.

I believe we will see a steady trend of individuals and corporations demanding better security in the form of two factor authentication (as a minimum) from their business partners / suppliers and customers. We have seen many large corporations fall from grace very quickly for many reasons (Arthur Andersen / Enron / WorldCom / Lehman Brothers / Bear Sterns ).

No corporation can afford to crash or be severely damaged, because they were hacked, because they did not take their online security seriously.

TECHNOLOGY AND OUR KIDS

2011-04-11T15:05:00.000-07:00

I am increasingly struck by the broad range of reactions to the continuous flow of technology that never seems to stop bombarding us from all sides - sometimes seeming to overwhelm. There are those who embrace it as though it is a new source of strength echoing Kevin Kellys view that we “evolve’ with technology and that it is a source of good. http://www.readwriteweb.com/archives/what_technology_wants_kevin_kelly_theory_of_evolution.php

There are others who believe that it is an insidious negative fog that is slowly strangling the creativity out of our youth as they while away their lives in front of TV’s , online playing interactive games or Tweeting and ‘connecting’ via social networks. Jaron Lanier says that ‘ technology reduces our humanity’ - promoting the hive mentality over individual expression. (http://www.jaronlanier.com/)

I have to say that, whenever I find my daughter watching a mindless sitcom (aimed at teenagers although she is only 8) I find myself firmly in the second camp. Her technological interaction also includes time online playing Moshi Monsters or Club Penguin. I find myself caught up in an incredible dilemma – I am a tech-fan – I have spent most of my working career advocating and enacting the power of technology as a force for change and hopefully for good – mobile phones in Africa and the Middle East; ICT in South Africa and online security globally. I am undoubtedly firmly in the Kelly camp – and yet I find it so difficult to reconcile this with the impact I see it having on my children. My daughter in particular. The mindless absorption of ‘sitcom pornography’ ( which seems to be the only way to describe it ) is the technological equivalent of ‘eating white bread’ as my colleague Christian Hessler so eloquently described it to me. You are going through the act of eating – it is filling but there are no 'nutrients'. It is mindless, 'nutritionless', a waste of time and is inculcating bad values and getting them into the wrong sort of habits.

Or am I being, as my family like to mock me, a grumpy ‘old’ man. Should I just accept that the world has changed and that our children, as digital natives, are wired differently and interact with the digital world seamlessly? Or is the right approach that of the ‘Tiger parent’ who does not allow their kids any ‘free’ time and who structure activities 24 x 7?

I guess I want a balance and I want my kids to spend more time outside playing in the garden and feeling the dirt under their fingernails. Maybe I am just wishing for them the childhood I had growing up under sunny skies in South Africa and not the gray drab monotony that is London. I guess you can’t have everything. I am just grateful they are happy, healthy and wonderful people. I guess I will continue to vacillate between being a tech fan and a Luddite.

Why is Cloud Security such a big Challenge ?

2011-03-27T14:41:00.000-07:00

Cloud security is a big challenge because the big vendors have made us believe it is so. In reality it is not a big challenge.

There are solutions out there that solve the problem. Remember that
cloud security is really about securing the access points – the doors (and
windows if applicable) to your house (of data). The walls are obviously secure and impenetrable but if your front (or back door for that matter) is secured with nothing more than a ‘standard’ lock then any thief can quickly pick the lock and get in. For "standard lock" read – "user name and password."

And the reality is that most applications that are accessed via a standard user name and password ‘lock’ are hosted in the Cloud.

So what is needed is something much stronger but which is easy to implement and easy to scale. It helps not to use a two-factor authentication (2FA) solution that requires you to carry around a dongle – because it just cannot scale economically. And because traditional 2FA solutions are easily hackable through Man in the Middle/Web Browser attacks.

So what is needed is a solution is one that is easy accessible and implementable, i.e. a SaaS solution; one that is easy to scale (does not require the end user to carry around some kind of device like a dongle or USB key) and one that is strong (is immune to traditional hacks).

Check out this video: http://www.youtube.com/watch?v=L...

And you will see that Cloud security is not such a big challenge

WHAT IS SECURITY BY OBSCURITY AND WHY HAS RSA STUMBLED?

2011-03-18T17:40:00.000-07:00

The breach at RSA just goes to show that security by obscurity never works.

And you are probably wondering just what is ‘security by obscurity’ ?

Lets use a simple metaphor that is familiar to us all to help explain the concept.

We have all at one time or another left a spare key under the doormat, just in case we are locked out of the house, or we leave it for someone else to use to get in. Well, simply put, that is - security through obscurity.

The theoretical security vulnerability is that anybody could break into the house by unlocking the door using the spare key from under the mat. Add to that scenario the reality that any burglar worth his salt will check out the most obvious hiding places, and so we, the house owner, run a greater risk of a burglary by hiding the key in this way, since the effort of finding the key is likely to be less effort to the burglar than breaking in by another means. We have in effect added a vulnerability (the fact that the key is stored under the doormat) to the system, and one which is very easy to guess and exploit.

In the case of computer code or RSA algorithms the assumption is that the algorithm cannot be broken – that the burglar wont find the key under the mat. Alas we have just found out how fatally flawed that logic is. And boy it could not have happened to more iconic an institution than RSA. The very same RSA that invented the public and private key algorithm (based on factoring of primes) that has formed the foundation of Internet security for the last 25 years. But at the end of the day it is still security by obscurity.

Enter Kerckhoff and his principle. http://en.wikipedia.org/wiki/Auguste_Kerckhoffs
http://artofinfosec.com/335/crypto-kerckhoffs-principle/

“ Assume your enemy has the details of your system “

If your security relies on some level of operational system "secrecy" to work, it is just a matter of when, not if, the system will be compromised. The problem with traditional shared secret tokens, (not to mention cost, deployment and custody issues) is that they do nothing to establish context of the mutual authentication i.e. the establishment of trust between the parties. They are merely additional layers of "secret passwords", regardless of how those factors are generated or delivered. http://www.schneier.com/crypto-gram-0205.html

The application most used by the RSA SecureID token, being the generation of a “One Time Password” which is then entered into the browser; is reliant upon the integrity of the browser, the very vehicle for which trust has not yet been established. This constitutes a fatal flaw in the ‘design’ of the system.

The primary issue involved in this breach is the wide applicability of the "secret" elements that were compromised. In a properly architected authentication system, any security failure should be at worst, a one-in-a-row event. In this case – assuming the hackers indeed have succeeded in ‘stealing the password’ ( the seed to the key generator) they can exploit the vulnerability of all of RSA’s customers. Not just one or two.

Being the ‘chosen’ security vendor to “ 90% of the Fortune 500 “ ( per RSA’s website) leads to hubris and hubris leads to complacency. The World now operates at Internet speed. Just ask the Tunisian and Egyptian ( and who knows more) Governments about that. No one can assume that their position is safe. The rise of Hacktivism (http://bit.ly/gcqhxe) means that security has now risen right up the agenda and for RSA to be seen to be stumbling at such a crucial time could prove to be very damaging.

Fortunately there are nimble and agile upstarts like http://www.liveensure.com who are showing the industry that innovation is alive and well and that solutions (that work) are available and they are affordable too.

Other references:

http://slashdot.org/features/980720/0819202.shtml

PRIVACY IN THE FACEBOOK ERA

2011-03-16T02:47:00.000-07:00

So how do you value your privacy in the Facebook age ? I was reviewing some of my old blogs from last year and found this one I did in July last year. It is even more relevant now than it was then. So if you did not read it before then please check it out. Next blog will be on gaming - watch this space.

Does it matter to you that the calls you make, the emails you send, your credit card transactions, the Internet sites you visit, the images of you travelling to work, your social networking posts are now stored at data centres in the Cloud and retrievable by myriad marketers, Government agencies and companies ? None of whom you ever entrusted with your information in the first place. Your digital footprint is a permanent record of your every move.

Data is the pollution of the Information age. Everything we do generates data, and a secondary spin-off of Moores law is that every year it gets cheaper to store and process this data. So rather than sort through our e-mails and delete the ones we don’t need – we just keep them all – it is easier and cheaper to do so. The same thing happens with all of our data now.

Most of ‘your’ data actually belongs to someone else. All of your G-mails, everything you post on Facebook, all of your Amazon transactions – this information belongs to those companies who then harness this information to maximize their advertising revenue and to optimize the selection of products they want you to buy. The data gathered usually has a primary purpose such as the airlines frequent flyer programs where your travel needs are customized (your seating requirements and meal choices ), while its secondary purpose is to target you with a holiday special to some exotic destination, once sold to a 3rd party marketing company.

The data we generate has value – whether to a company seeking to sell us more product or to a Government agency who is trying to track a terrorist cell. The utility of this data depends on its accuracy – so what may be useful to a marketing company such as your age, salary band and postal code will be insufficient for a National Security Agency . Companies are able increasingly to use this data to control their customers. Think about iTunes and the iPhone and how Apple has managed to control the whole eco-system end to end from the device to the content to the retail process. This is not necessarily a bad thing – users are happy to have this managed for them especially as technology becomes increasingly sophisticated and complex.

But what happens when you lose control of your data ? When your information is unwittingly exposed to the world. This is a failure of security. But do you care? This is where the issue of the new generation gap becomes relevant. The Internet generation gap. The younger generation seem to be far more relaxed about their information being made public. They are living their lives ‘in public.’ What they did last night at a party is posted onto Facebook either by themselves or their friends. For the whole world to see. This is ‘normal.’

So what seperates these ‘digital natives ‘ (those who have grown up with the Internet, with cell-phones, in the digital age with ubiquitous connectivity) from those of us who grew up when vinyl was still de rigueur , who watched TV according to a schedule; Generation X’ers who grew up in the pre-celebrity era – when football stars were paid a living wage, when videos and CD’s were mainstream. Bruce Shneier believes this divide – this generation gap can be classified as the divide between those who ‘get ‘ Twitter’ and those who don’t. Age is not the measure; your level of acceptance and comfort with the nuances of social media, your fluency with social media, is.

The social norms of the digital natives are created by their environment, the world they were born into. Privacy in the pre-Internet age arose from the inefficiencies of prevailing technologies – telephone calls and letters were difficult to track. Now this has changed and because of the massive processing power of Googles’ search engine and other technological innovations privacy has been significantly diminished. Anyone can Google you and find you on Facebook/Twitter/Googlemail and through your friends and friends of friends they can discover a lot about you. Ask any major HR department when they interview job candidates how they do their ‘checking’ on candidates. There is not even a measure of privacy through obscurity, because even the sheer volume of data out there, is no match for the processing power of search algorithms.

In the past you categorized your friends into different groups with whom your socialized – family, school friends, work colleagues, clubs and so on. There was a natural compartmentalization between these ‘Groups’ - today it is difficult if not impossible to section off your friends into such groups. To control your privacy now you have to explicitly engage with the privacy policy on the social media site / email provider or whatever service you seek online. Many people will accept the default settings just so that they can get on with it – inadvertently leaving big holes in their privacy.

However regulators and law makers are starting to get firmer and they will have to force providers to allow users to opt in rather than to blindly accept default privacy settings. This should prevent some of the recent privacy debacles like the introduction of Google Buzz and Facebooks’ recent efforts at changing its privacy policies which saw the wholesale disclosure of peoples private information including their emails.

A good example of how the Regulators are starting to get to grips with these issues is the Code of Conduct recently published by the Information Commissioner in the UK – linked below. But remember that privacy and security do not equate. Security is about you controlling your information. It is up to your to take back control of your data and not to leave it to others. You need to start thinking more about security and how it can be used to protect your data.

But more of that another time.

INTERNET GROWTH OVER THE NEXT FIVE YEARS

2011-03-07T01:34:00.000-08:00

Who would have predicted that a social networking site called Facebook would pick up 600m users in 7 years? Who would have imagined that mobile phones would become such a core part of our daily lives in both rich and poor countries.?

To try and make some sense of the statistics here are a few simple graphs based on information from a variety of sources that in general corroborate each other.

GLOBAL POPULATION: This is projected to grow from the current 6.8bn to about 7.2bn during the next five years. The majority of growth to take place in EMERGING markets.

MOBILE PHONE PENETRATION: The huge growth experienced over the last 15 years is set to continue, in EMERGING markets in particular ( while in mature markets where penetration is over 100% - older generation phones are being replaced by Smart-phones). Current mobile phone users number in the order of 4.9bn people ( or 72% penetration of the global population ) and in five years from now there will be OVER 6.6bn users (or about a 91% penetration of the forecast global population).

INTERNET PENETRATION: This is set to increase from the current 2bn users (both PC’s and mobile) to about 4.3bn internet users in about five years. So the growth in Internet penetration will be dramatic. Driven mainly by a rapid growth in MOBILE penetration and the ongoing rollout of broadband into residential markets globally. Mobile access to the Internet will increase from the current 840m to about 2.5bn users over the next five years. This includes both Smart-phones as well as tablet devices. In EMERGING markets where penetration is lowest we can expect the quickest take up. I anticipate that Africa will experience an INTERNET revolution over the next ten years in the same way that it experienced a MOBILE revolution over the last fifteen years.

Finally - THE INTERNET OF THINGS
The number of devices are that are connected to the Internet is expected to pass 5 billion this year according to IMS research (this includes digital picture frames, cameras and e-book readers) and predictions are that by 2020 the number of connected ‘things’ will surpass 22 billion. So these devices will become an integral part of the Internet and will communicate with each other as well as with humans to varying degrees. The INTERNET will connect 'things' in a woven fabric encircling the earth. Check out this video from IBM .

Enjoy.

WILL SOCIAL MEDIA CHANGE CHINA ?

2011-02-27T15:30:00.000-08:00

Surely this has got to be the obvious question in light of the tectonic shifts reshaping the Maghreb?

Is the end game (of this social media phenomenon), not the demise of the last autocratic regime of any substance ? ( there are others that will go – but are they as important ? No. )

There are so many factors at play in the next scene of this incredible drama. Saudi Arabia has made an offer to buy Facebook for the ‘princely’ sum of $150bn and hence remove any threat it may pose to stirring unrest in the country. ( http://abna.ir/data.asp?lang=3&id=228583) ( BIG JOKE !!!) Seems like an expensive mistake by King Abdullah if Zuckerburg and Co are foolish enough to be bamboozled by Goldman Sachs into accepting the offer. If he thinks that FB is the only way that revolutions are coordinated then he is being badly advised.

You only have to read Bernard Henri Levy’s excellent analysis of what transpired in Egypt leading up to the uprising to understand the extent of the ingenuity of a determined disenfranchised population to rid themselves of their ‘leaders’. (http://www.huffingtonpost.com/bernardhenri-levy/egypt-year-zero_b_828455.html)
By combining the power of telephony with that of the Internet they created ‘speak2tweet’ to circumvent the Web police. The rest as they say ‘ is History’.

Surely the same could happen in China. Although this applies to Iran and Saudi Arabia not to mention the myriad other Maghreb /ME countries where dissent is fomenting from Jordan to Yemen to Morocco and even Qatar - China is far more interesting.

This would be the prize.

In one fell swoop we would have almost 20% of humanity freed from the oppression of an autocratic undemocratic regime. Who knows what would replace it but one would hope that it would be a system – not a liberal Western democracy – but some hybrid that allows for more personal freedoms and participation in the political process.

China cannot maintain a 9 or 10% growth rate and thereby generate the wealth that takes people out of poverty on an indefinite basis. The environmental burden on the land and the air is not sustainable, the clamour for higher wages gets ever louder and there have been many job losses in the cities because of the financial crisis. During 2009/10 over 50m lost their jobs in the cities on the East coast and returned to the farms inland. Thus there were 50m fewer providers and more mouths to feed with less food. China will struggle to feed its population if it does not colonize sufficient land in Africa (particularly) to supplement its current sources. Hence the indecent haste with which it is currently doing deals across Africa, to not only tie up commodities to feed its industrial engine but also, to secure arable land. (Only about 15% of China’s land is arable and it reduces as the population grows)

So what are the authorities in China doing about this ? In addition to becoming the Worlds 21st Century Colonizing power - China is making a huge investment in transport infrastructure inside China to ensure that food can be delivered efficiently. Rail and air infrastructure in particular is the main focus. There has also been a massive investment in shipping cargo capacity to ensure that they can move the goods (commodities including food) back to China from their economic colonies. The NPC (National Peoples Congress) is to be held on 5 March in Beijing and no doubt economic issues will be high on the agenda. However I suspect that they will also discuss the events of the last few weeks and months in the Arab world and what it could mean for China.

There was an anonymous call for protests in China but the police have so far pre-empted any action. (http://www.guardian.co.uk/world/2011/feb/27/china-jasmine-revolution-beijing-police). This is no doubt a portent of things to come.

The Telegraph reported that :
"We invite every participant to stroll, watch or even just pretend to pass by," said a letter published on Boxun, a foreign-based website that is banned in China. "As long as you are present, the authoritarian government will be shaking with fear". It was the second weekend in a row that protests were planned.
(http://www.telegraph.co.uk/news/worldnews/asia/china/8350709/Heavy-handed-reaction-to-Chinas-Jasmine-protests.html)

So will the power of social media come to bear on the World’s largest oppressive regime and how long will it take.? Will the economic growth of the last 30 years together with the massive connectivity of mobile phones and Internet become the double-edged sword that leads to the demise of the Chinese political machine that has managed the economic growth so well and so tightly.

Watch this space. This promises to be a bigger year than 1989 – in more ways than one.

MOBILE or M-COMMERCE COMES OF AGE ?

2011-02-16T04:36:00.000-08:00

What is mobile commerce you may well ask? Well mobile payments comprise two categories – 1) payments for digital (virtual) goods usually done online and 2) payments for physical goods usually done at a POS. The latter usually being of larger transaction value. So when will we use our mobiles (in any real number) to make these day to day payments and also use them for online banking ? My view is that this will be driven by both; 1) the adoption of technologies like NFC by the handset manufacturers and the POS manufacturers and the merchants; and 2) the acceptance by users of these new technologies. I suspect that the latter will take longer - as people are naturally cautious about adopting new technologies particularly when money is involved.

The major handset manufacturers have started building NFC chips into their handsets as the GSMA have finalized the specification for NFC on GSM phones. Apple recently ‘leaked’ the news that the iPhone 5 will be NFC enabled and all the big names – Samsung/Nokia/Motorola/Ericsson/ZTE have announced NFC phones for launch this year. Google are very optimistic about the prospects for mobile commerce. (http://www.mobilemarketingwatch.com/google-ceo-says-nfc-mobile-payments-will-prove-profitable-13258/)

Users will take a bit longer to get used to scanning their phones (not Oyster cards) at the readers on the Underground or at retail checkouts. It is mainstream in Japan and will become the same in the rest of the World. (http://www.nma.co.uk/news/japan-leads-global-mobile-commerce-market/3023422.article) The mobile device has become (and will increasingly continue to become) the medium where we consume advertising now more focused and bespoke to our individual requirements. Gaming manufacturers recognise the power of the mobile platform for their products and with the increasing trend towards social gaming have become another very important commerce layer on the mobile.

Security is an issue. Hackers have recognized that the adoption of mobile commerce is growing rapidly and they have turned their attention to this platform for the spread of malware, ID theft and online fraud. However this will be a much bigger challenge for them because of the diversity of platforms (unlike in the desk/laptop world where 75% of Operating Systems are Microsoft). Anti-virus software will be less important than appropriate authentication solutions which will enable trusted transactions to take place. These solutions will of necessity need to be light weight and not require the user to interface with any additional physical devices like dongles/ card readers/ USB keys etc which proliferate in the desktop world.

Of course mobiles will be used for more than just banking – remittances, money transfer and voucher redemptions will become mainstream. Expect smart-phones to get even smarter and to form a greater and greater proportion of all phones as the old ones die out and are replaced. By 2014 50% of mobile phone users will be using their phones to make payments according to Juniper – so the trend is strong and it is here to stay.

WHAT IS GOING ON AT INTEL ?

2011-02-15T03:00:00.000-08:00

So last year Intel splash out almost $8bn on (one of their largest ever acquisitions) on McAfee in their quest to keep abreast of the rapidly moving Internet security market. One of their motivations was :

“But Intel will take it one step further. The McAfee deal will see the integration of security into hardware, into the chips powering much of our computer-driven world. It also bolsters Intel's attempts to become more than a chip maker as it develops its own consumer devices and offering of IT services. “

(http://www.bbc.co.uk/news/business-11025866)

And yet today they announce :

“Phishers are getting so good and so numerous that even the most technically adept of online bankers should think twice before typing in that password. Even if it's a legit site, databases can be infiltrated and passwords can be cracked. Time for something more, then. Intel is working on it, teaming up with Symantec and Vasco on what's being broadly termed Identity Protection Technology, or IPT.”

(http://www.engadget.com/2011/02/15/intel-working-with-symantec-and-vasco-for-ipt-hardware-based-se/)

So you have to say: Was the McAfee deal fatally flawed ? Has Intel become schizophrenic ? Is the security market potentially so lucrative that you become totally promiscuous and jump into bed with anyone who says yes ? Maybe the RSA conference is going to be where these strands all come together ?? Who knows?

To cap it all this week Intel Capital announced that they have invested in a small security company called SecureKey. We don’t know how much – but it would have been extremely modest relative to the McAfee deal. The point is that SecureKey is nothing more than a re-hash of old technology – key fobs / USB keys. It is also limited in its application to users of smart cards. So all of this stuff that you have to carry around with you for security. All very expensive, non-scalable and insecure. Check it out for yourself. (http://www.securekey.com/)

You have to say: what are the boys at Intel thinking ? Maybe there is another announcement coming at RSA which will help us all make sense of this – but I suspect not.

Watch this space.