Showing posts from 2011

You need authentication

I am constantly amazed at the laissez-faire attitude that the majority of businesses, large and small, have about their online security. Those that require their users / members to log on will provide a user name and password log-in to verify their identity – and that’s it. I suppose that if the large players like Amazon and iTunes can get away with it then the smaller guys think that’s all they need too. The reality is that if the big boys get a hit – they have the firepower to deal with it. But SMEs just need one bad hack and they are out of business. 2011 is going down as the year of the ‘Hack’ ( http://www.infosecurity-magazine.com/view/22481/year-of-the-hack-/?utm_source=twitterfeed&utm_medium=twitter ) with many high profile victims like SONY, RSA and Epsilon losing millions of their users’ personal information. Despite this there seems to be the attitude that ‘it can’t happen to me’. I have just read about the latest phishing scam targeting Amaz

The future is bright and it is mobile (in fact it is here !)

There are so many pundits out there who have finally jumped on this bandwagon. But let’s be honest, five and a half (or is it now closer to six) billion people can’t be wrong – the mobile revolution is finishing its transition from what have been predominantly voice services to broad-band data services. The devices that we used to just talk on are now full blown computers and we use them for everything – although we do actually still use them to talk on as well! ( See my previous blog: http://rossmac2310.blogspot.com/2011/10/human-evolution-and-mobile.html ) There are so many exciting threads to this trend: the Internet revolution in Africa and other emerging markets, the plethora of new services being created every day that add value to our everyday existence and the emergence of real competition in the mobile handset space. I applaud Microsoft (and Nokia) for their exciting new partnership and a handset that will create a real challenge to the incumbent behe

Authentication in ‘context’

con·text /ˈkäntekst/ The circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed. authenticate [ɔːˈθɛntɪˌkeɪt] vb (tr) to establish as genuine or valid. What does context have to do with authentication? When you log on to a web site and enter your user name and password so as to ‘authenticate’ yourself, all you are presenting are self-reported credentials to the site. If you present the correct credentials then the site accepts you as who you say you are. It takes you at face value. It identifies you. Liken it to a knight of old arriving at a castle and announcing himself. When you log on to a web site and it asks you to log in with a user name and password – you are in effect announcing yourself – identifying yourself. What happens if someone steals your password? Then they can log on as you – the site is none the wiser – the thief has presented the correct credentials. The credent

HUMAN EVOLUTION AND THE MOBILE

We in the southern part of the UK have started to see our Indian summer slowly fade as we get into this first week of October. It has been a wonderful but disorientating week with temperatures in the high 20s (80s F) – and clear blue skies – I could have sworn this was Jo’burg in summer. All that was missing was the swimming pools! Well I know that parts of the mid-West have also had some great weather. Indeed in the good ol’ US of A October has become known as National Cyber Security Awareness Month. Who would have thought ten years ago that a whole month would be ‘honoured’ with such a strange moniker. Well I guess 10 years ago no one would have predicted that we would have become so utterly dependent on the Web – our every waking and in some instances sleeping moments have some Web connection. E-mail, social media, telephony, shopping, business, entertainment, gaming – just about anything you can think of – we can now do on the ‘Net. And

SIX MONTHS ON AND EPSILON STILL DON’T SECURE THEIR USERS

In April this year, Epsilon Data Management LLC (one of the world's largest providers of marketing-email services), a division of Alliance Data Systems Corp, issued a statement: "On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only." ( http://www.fastcompany.com/1744738/the-epsilon-breach-should-you-be-angry-worried-or-bored ) When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet. Epsilon handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted out of marketing emails, think again ( http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century ). Epsilon required their customer

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking – Secure Key. (I was tempted to refer to them as ‘large UK bank’ – but it is so obvious who it is – no point in pretending.) A lot of money has been thrown at this campaign – I would guess millions. ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw ) Full page spreads in large circulation newspapers cost big bucks, not to mention prime time TV slots. So here you have the world’s largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator – but basically a technology that has been around for about a decade. This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002

SECURITY SANS FRONTIERS

In many countries around the world, access to the Internet is seen as a basic right, and so it should be. Those countries which have done so to date include: Estonia, France, Spain, Greece and Finland, which was actually the first to do so in June 2010. ( http://www.publicserviceeurope.com/article/642/internet-access-should-be-a-human-right ) In fact the United Nations recently declared Internet access a human right. ( http://www.itproportal.com/2011/06/04/un-declares-internet-access-as-a-human-right/ ) Obviously the next challenge is to build the infrastructure and provide the means of access. But that is the subject of a separate discussion. So the “World” has woken up to the importance of closing the digital divide and has also realized the importance of the Internet, and access to it, to the functioning of society. Amongst the many momentous events of the last twelve months, which have included epochal scenes such as the Arab Spring, the new Financial c

ANONYMOUS / LULZSEC /ANTI-SEC ARE DOING MORE GOOD THAN HARM !

I know, I know – I hear the howls of protest even before finishing this first sentence. “What about all the innocent lives exposed by the irresponsible publication of the names of people in positions of authority or in sensitive roles?” But where does the fault lie? With those doing the breaking and entering? Or those not providing adequate protection? It is like leaving your house locked without an alarm system, going on holiday, and coming back to find it broken into. Don’t be surprised. You have no one to blame but yourself. “But these are criminals!” – I hear the sounds of self-righteous chest thumping. Maybe, but what they have done – I hope – is scare the s**t out of anyone who has anything (data) that is accessible via the Web – and into ensuring that their ‘security’ (if any) is rapidly upgraded. This ranges from personal users who have Gmail accounts to corporations and Governments who are custodians over much of your and my personal data

DOES YOUR WEBSITE HAVE A LOG IN ?

Well – you’re probably thinking – this is going to make a fun read!! Does my website have a log in?? Well damn right it does (you’re saying to yourself) – we can’t just let any old passer-by onto our site!! I mean look at all these big cheeses being hacked like RSA, SONY and even the CIA!! But if users have to log in – that means they need to register and they need to remember yet another user name and possibly – but not necessarily – another password. Well – that means that customers desert in droves! Or does it? Are customers put off when they have to log in? Well I guess a lot has to do with whether the service you offer is valuable enough. Let’s see – Twitter, Facebook and Gmail just to name a few at random – you would expect to see some kind of ‘identification’ process going on. And indeed you do. And now to make it all that much easier – SSO (Single Sign-On), OpenID and now BrowserID courtesy of Mozilla (amongst others) make our lives much easier when

HACKING - A 50 DAY LOVE ( LULZ) FEST ( or safe sex for the masses)

So Lulz have (supposedly) fallen out of love with us after only 50 days!! WOW – that was a short and sharp, whirlwind romance. One hell of a steamy affair. One day SONY, the next day the IMF, the next CIA – no one was safe from her charms. This little slut(z) came into our lives for a bit of fun and has left us breathless and embarrassed with nowhere to hide. Why? Because she wanted to show that with a little bit of seduction – by showing a little cleavage / a bit of leg – she was able to conquer all before her. Like Helen of Troy – no one could resist her charms. She made us realize that we don’t actually know what protection is all about. The protection we are supposed to use – was either damaged / wrongly spec’d or else we just could not get it ‘on’ quick enough. Sure – she may have laid some of our secrets bare – and many were left red-faced with nowhere to hide – but we actually got off lightly. But that was her game plan. Show

MOBILE MONEY - A SOLUTION READY TODAY

Google have just announced with some fanfare that they have created a mobile money eco-system. Android users can now use their devices fitted with NFC chips to make payments at selected Points of Sale in the US. This will only be launched on a limited scale some time in the summer. It is not actually ready yet. ( http://googleblog.blogspot.com/2011/05/coming-soon-make-your-phone-your-wallet.html ) There is no doubt that those of us in the ‘advanced’ West will value the utility of being able to swipe our phones (which have become extensions of our very beings) when we buy coffee – the Starbucks app has been out for a while – ( http://www.starbucks.com/coffeehouse/mobile-apps ) or when we make our day to day purchases. It will be ‘cool’ just as it is cool today to flash an NFC-enabled credit card at an NFC-enabled POS when making small value purchases. However I would argue that the utility of the full functionality of mobile money transactions will only be fully appreci

REPUTATION MORE VALUABLE THAN CASH (ASK SONY)

The recent attack (it seems by Anonymous) on SONY, which compromised the personal details of almost 100m of their gaming customers, has caused massive damage to the SONY brand. According to Interbrand, in 2009 SONY’s brand value was $12bn. You can safely assume that it will have taken a hit in the order of billions of dollars. (This excludes any legal action and the resultant loss.) The same could be said of Epsilon and RSA who, like SONY, did not have a major financial breach but whose good names have been severely compromised. The loss to brand value as well as enterprise value could be massive due to the loss of future business. (There is a report circulating citing research done on RSA’s customers, of whom more than half stated that they would not be renewing their contracts.) If not obvious before, then now, executives charged with the stewardship of large valuable corporations must realize how fragile that value is when faced with the multitude of challenges; be t

TECHNOLOGY AND OUR KIDS

I am increasingly struck by the broad range of reactions to the continuous flow of technology that never seems to stop bombarding us from all sides – sometimes seeming to overwhelm. There are those who embrace it as though it is a new source of strength, echoing Kevin Kelly’s view that we ‘evolve’ with technology and that it is a source of good. ( http://www.readwriteweb.com/archives/what_technology_wants_kevin_kelly_theory_of_evolution.php ) There are others who believe that it is an insidious negative fog that is slowly strangling the creativity out of our youth as they while away their lives in front of TVs, online playing interactive games or Tweeting and ‘connecting’ via social networks. Jaron Lanier says that ‘technology reduces our humanity’ – promoting the hive mentality over individual expression. ( http://www.jaronlanier.com/ ) I have to say that, whenever I find my daughter watching a mindless sitcom (aimed at teenagers although she is only 8) I find myself firml

Why is Cloud Security such a big Challenge ?

Cloud security is a big challenge because the big vendors have made us believe it is so. In reality it is not a big challenge. There are solutions out there that solve the problem. Remember that cloud security is really about securing the access points – the doors (and windows if applicable) to your house (of data). The walls are obviously secure and impenetrable, but if your front (or back door for that matter) is secured with nothing more than a ‘standard’ lock then any thief can quickly pick the lock and get in. For "standard lock" read "user name and password." And the reality is that most applications that are accessed via a standard user name and password ‘lock’ are hosted in the Cloud. So what is needed is something much stronger but which is easy to implement and easy to scale. It helps not to use a two-factor authentication (2FA) solution that requires you to carry around a dongle – because it just cannot scale economically. And because traditiona

WHAT IS SECURITY BY OBSCURITY AND WHY HAS RSA STUMBLED?

The breach at RSA just goes to show that security by obscurity never works. And you are probably wondering just what ‘security by obscurity’ is. Let’s use a simple metaphor that is familiar to us all to help explain the concept. We have all at one time or another left a spare key under the doormat, just in case we are locked out of the house, or we leave it for someone else to use to get in. Well, simply put, that is security through obscurity. The theoretical security vulnerability is that anybody could break into the house by unlocking the door using the spare key from under the mat. Add to that scenario the reality that any burglar worth his salt will check out the most obvious hiding places, and so we, the house owner, run a greater risk of a burglary by hiding the key in this way, since finding the key is likely to be less effort for the burglar than breaking in by another means. We have in effect added a vulnerability (the fact that the key is stor

PRIVACY IN THE FACEBOOK ERA

So how do you value your privacy in the Facebook age? I was reviewing some of my old blogs from last year and found this one I did in July last year. It is even more relevant now than it was then. So if you did not read it before then please check it out. Next blog will be on gaming – watch this space. Does it matter to you that the calls you make, the emails you send, your credit card transactions, the Internet sites you visit, the images of you travelling to work, your social networking posts are now stored at data centres in the Cloud and retrievable by myriad marketers, Government agencies and companies? None of whom you ever entrusted with your information in the first place. Your digital footprint is a permanent record of your every move. Data is the pollution of the Information age. Everything we do generates data, and a secondary spin-off of Moore’s law is that every year it gets cheaper to store and process this data. So rather than sort through our e-mails and

INTERNET GROWTH OVER THE NEXT FIVE YEARS

Who would have predicted that a social networking site called Facebook would pick up 600m users in 7 years? Who would have imagined that mobile phones would become such a core part of our daily lives in both rich and poor countries? To try and make some sense of the statistics here are a few simple graphs based on information from a variety of sources that in general corroborate each other. GLOBAL POPULATION: This is projected to grow from the current 6.8bn to about 7.2bn during the next five years. The majority of growth is to take place in EMERGING markets. MOBILE PHONE PENETRATION: The huge growth experienced over the last 15 years is set to continue, in EMERGING markets in particular (while in mature markets, where penetration is over 100%, older generation phones are being replaced by Smart-phones). Current mobile phone users number in the order of 4.9bn people (or 72% penetration of the global population) and in five years from now there will be OVER 6

WILL SOCIAL MEDIA CHANGE CHINA ?

Surely this has got to be the obvious question in light of the tectonic shifts reshaping the Maghreb? Is the end game (of this social media phenomenon) not the demise of the last autocratic regime of any substance? (There are others that will go – but are they as important? No.) There are so many factors at play in the next scene of this incredible drama. Saudi Arabia has made an offer to buy Facebook for the ‘princely’ sum of $150bn and hence remove any threat it may pose to stirring unrest in the country. ( http://abna.ir/data.asp?lang=3&id=228583 ) (BIG JOKE!!!) Seems like an expensive mistake by King Abdullah if Zuckerberg and Co are foolish enough to be bamboozled by Goldman Sachs into accepting the offer. If he thinks that FB is the only way that revolutions are coordinated then he is being badly advised. You only have to read Bernard-Henri Lévy’s excellent analysis of what transpired in Egypt leading up to the uprising to understand the extent of t

MOBILE or M-COMMERCE COMES OF AGE ?

What is mobile commerce, you may well ask? Well, mobile payments comprise two categories – 1) payments for digital (virtual) goods, usually done online, and 2) payments for physical goods, usually done at a POS. The latter are usually of larger transaction value. So when will we use our mobiles (in any real number) to make these day to day payments and also use them for online banking? My view is that this will be driven by both: 1) the adoption of technologies like NFC by the handset manufacturers, the POS manufacturers and the merchants; and 2) the acceptance by users of these new technologies. I suspect that the latter will take longer – as people are naturally cautious about adopting new technologies, particularly when money is involved. The major handset manufacturers have started building NFC chips into their handsets as the GSMA have finalized the specification for NFC on GSM phones. Apple recently ‘leaked’ the news that the iPhone 5 will be NFC enable