Posts

Showing posts from 2012

Why most security fails and LiveEnsure® does not?

Mary Meeker informs us that there are now 1.1bn smartphones (17% of all mobile phones) and these are driving Internet growth, with a total of 2.4bn people now connected to the Internet (Mary Meeker Internet trends). The universe for hackers just grows and grows. One of the most lethal of these attacks is Zeus (ZITMO), which is aimed squarely at smartphones. The Zeus attack is an example of several attacks now being launched that are based wholly on anticipated behaviour, especially as it relates to social media, single sign-on and BYOD. A sophisticated Zeus campaign stole an estimated €36 million, or $47 million, from over 30,000 customers across more than 30 banks in Europe this summer. The Eurograbber campaign, as it has been named, used custom versions of Zeus and Zeus in the mobile (ZITMO) Trojans to bypass the two-factor authentication measures to compromise customer bank accounts, Darrell Burkey, director of IPS products at Check Point Software Technologies, told Se

Systems Integrators in a SAAS world

Picture the scene. You are a SAAS provider. Your product works for SMEs as well as large corporates. You know you will need to sell through the channel to get to the larger enterprises. You engage with the ones who have the best profile for your offering. You have a great first round – they love your stuff – they say “we want to sell your service.” But first… we have a few questions. Now you roll back the clock. Sigh. You are in a time warp as you read the questions:
• Where is [product/service name] hosted?
• Please give us Network, Application and Security Architecture diagrams.
• What are the models for enterprise clients to sign up?
• What toolkits are available?
• How will we be able to assist our clients with implementation?
• How do we monitor and support our clients?
• Is your product IP protected?
• Please provide reference clients.
• Please give us white papers.
• Typical project plans, with list of activities f

CYBER LESSONS FROM SANDY

Whether in the 'real' world or the Cyber world there are real threats and dangers and there are perceived threats and dangers. Sandy has just taught us about the reality of the force of nature when an extreme event occurs. Destruction has been wrought on an unprecedented scale. While we know that physical harm can be effected through cyber-terrorism/war such as Stuxnet – the reality is that the hype about Cyber war is just that – hype. These events, like Sandy, are rare. I contend that the sources of much of the scare-mongering (about the ‘threat’ of Cyberwar) are more often than not entities/organizations/newspapers/journals that have a vested interest in the proliferation of FUD about the weakness of our Cyber defences. Don’t get me wrong – I am just as concerned as the next guy about cyber security – all I am saying is, let’s get some perspective on the matter. The defences that were put up against Sandy were found wanting – not because they were

NatWest mobile banking fail and why real innovation in security is needed

Not a good week for NatWest innovative banking services. NatWest Get Cash fraud (Get Cash Pulled). A combination of a simple phishing attack and a fundamentally insecure service led to many users of the Get Cash service (a subset of the NatWest mobile banking app – powered by Monitise) being defrauded of cash from their accounts. The system allows users to get cash from an ATM by keying a ‘secure cash code’ into the terminal. The assumption is that once you have logged in to your app you are legit and so you ping the system for the code. A user name and password level of security – that’s it! No better than 99% of all apps on the Net today. Needless to say the service was shut down once the fraud started becoming rampant. Does the drive for customer convenience completely outweigh basic security rules? The problem with this kind of solution and others that rely on the presentation of self-reported credentials, i.e. user name and password, is tha

SITES DON'T GIVE A DAMN ABOUT YOUR SECURITY

The sheer volume of reportage on hacking is overwhelming. The sites being hit are the ones that you and I use every day. Some provide useful information, some valuable services, and others perhaps just news or trivia. We use them multiple times a day – sometimes without even being fully aware that we are, like DropBox. We use these sites to store personal and business information, to connect us with potential clients, employers and employees, to help us choose insurance providers, to send us our groceries and some, just to play on. Dropbox allows us to seamlessly log in by re-referencing a cookie they have planted on our computer to ‘verify’ our identity. LinkedIn also uses the same technique when we log in. A user name and password. How secure is that? Well, not very, given that both of these sites have been hacked and your and my personal information has been exposed to the dark hacking underworld. And make no mistake, the hacking wor

DROPBOX DROP THE BALL…

My last blog touched on the DropBox hack. It seems that they have now decided to rectify the situation (DropBox Fix security). But many clients have been left wondering: how at risk was I, and am I now? I wonder how much it has impacted their reputation? Do you entrust your personal and/or corporate data to them or to any of the other Cloud services out there? The better known ones are Google Drive, Evernote, Box, YouSendIt, SugarSync, MS SkyDrive and Egnyte. If so then you should be concerned. Why? Because all of these services rely on you proving who you are merely through the provision of a user name and password. Why is that so bad? Because nowadays you can get password breakers off the Internet that will crack most passwords in seconds (Password cracker). New sites are being hacked every day with serious consequences for them and their users (i.e. you) – LinkedIn, eHarmony etc. That means your personal and corporate informat

DROPBOX HACK – WHY YOU SHOULD CARE

DropBox is flying as a company. More and more of us are entrusting our data to their servers in the Cloud. I am one of those. The service is great, it works and it works from multiple devices. However there is just one thing. It is not secure. Read about their latest breach here (http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/) and also here (http://gigaom.com/cloud/dropbox-yes-we-were-hacked/). I have been going on about passwords and their manifest weakness for months here and in other media. DropBox have come back to their customers saying that they promise to do more – better passwords – better security… blah blah blah. So what kind of solution should they use? Well first of all they have millions of customers. So whatever they go for is going to have to be easy to deploy and should not require the distribution of some kind of hard token OTP generator à la all of the ‘big’ names (some of whom have already been hacked

WHY SECURITY MATTERS? (or LET’S START A ‘PASSWORD SPRING’!)

You would be forgiven for thinking that perhaps most people have become somewhat nonchalant about online security and that the prevalence of hacks has made most of us somewhat immune to the dangers. Indeed I would say that some sites have become almost cavalier in their attitude to their members’ security. The recent hacking of LinkedIn certainly did not elicit the kind of response I would have expected, indeed hoped for, as a member. I get the impression that it was something of an irritant that they hope won't come again – and they are certainly not bothering with beefing up security. Far too much hassle. So is their reaction reflective of their members’ lack of interest? I think not, as one of their members has tried to sue them for failing to provide adequate security (http://articles.latimes.com/2012/jun/21/business/la-fi-tn-linkedin-5-million-hack-20120621). LinkedIn have said that they will salt their passwords in future to make them more secure. This i

TRUST

Trust /trəst/: Firm belief in the reliability, truth, ability, or strength of someone or something. The foundations of the working of human society are built on trust. This has been so since the beginning of recorded history. As our communities evolved from hunter-gatherer groups into agricultural chiefdoms, and ultimately modern states, their operation, increasing complexity and success relied not only upon our cultural evolution as posited by Robert Wright in Non-Zero (Non Zero) but also upon trust. Trust is integral to our ‘culture.’ The birth of capitalism and the rapid economic and technological growth of the last five centuries began with the pooling of capital used by investors to underwrite a ship’s trading expedition, called the ‘contratto di commenda’. Such ventures could not have happened without the inherent trust that the investors had that the expedition’s captain would return the profits to the investors. Today we could not conduct our modern li

Mobile World Congress - sensory overload

The mobile ecosystem is alive and well and flourishing, and reflects its current status as the globally dominant (and growing) industry that is becoming increasingly integrated into every aspect of our lives. The Barcelona extravaganza is notable for two things. Firstly its sheer size – upwards of 60,000 delegates, dwarfing anything ever held in Cannes (when I last visited the show) and secondly, the absence of the largest company in the sector – Apple. Never known to follow the crowd – Apple rightly or wrongly uses its own platform (in San Francisco) to make its announcements and thereby retains its mystique or displays its sheer arrogance – depending on your perspective. That Mobile will continue to permeate every aspect of modern life is beyond doubt. The first phase of GSM, where voice was the killer app, has now been replaced by data and most particularly Internet access and mobile applications. So Mobile expands beyond the MNO realm and extends into Broadband

Time for a new Magic Quadrant

You have all heard of the Magic Quadrant. An industry benchmark by which the, mostly, established players like to measure themselves against each other. To quote Wikipedia (that repository of all Internet wisdom ;-)), “the Magic Quadrant aims to provide a qualitative analysis into a market and its direction, maturity and participants, thus possibly enabling a company to be a stronger competitor for that market.” The axes of the ‘Quadrant’ are ‘ability to execute’ and ‘completeness of vision’, and the methodology used to apply the ranking remains a closely guarded secret (or mystery, depending on how you look at it). The MQ applies to many niches in the tech sector. I want to consider the User Authentication MQ, notably because the space is getting much media attention these days. Hackers! Wikipedia says that the aim of the analysis is to “…enable a company to be a stronger competitor for that market”. So you would look at all the players and see ‘whi

The World in a weird place (or The Truman Show)

The world is in a very weird place. After having read some research (http://divinecosmos.com/start-here/davids-blog/1023-financial-tyranny) about how we have all been hoodwinked by the US Fed to the tune of $26trn (yes – that is trillion not billion) I am beginning to wonder whether we aren’t all on the set of some giant Truman Show (without the great weather and white picket fences!). So according to this research, which I would have dismissed as some kind of latter-day Zeitgeist conspiracy theory if I had not clicked through some of the links and seen an article written by a US Senator (not that that should somehow give it legitimacy, given the intimate role of members of the US Govt in this tragedy), economic power globally rests in the hands of a very tightly knit group of corporations and institutions – mainly banks. Hence the bailouts. Believe me, TARP was the tip of the iceberg. That was like Sunday School collection money. So in brief the Federal Reserve

The End of Passwords

Finally it seems… the penny has dropped. Passwords are a poor substitute for real online security. There is more and more ‘chatter’ about it. Robin Henry, writing in the Sunday Times on New Year’s Day, talks of the end of ‘password hell’, invoking solutions in the pipeline from the Web Gods – Apple and Google. The talk is of new biometric solutions such as facial and hand movement recognition. Even IBM is talking this way (http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/). I agree with the notion that passwords are a dying breed but not that biometrics will become vogue. They are fraught with problems of their own such as reliability, accuracy and the need for referencing of databases (fail!). Why are passwords defunct? Basically they are difficult to remember and they are easy to steal. The solutions needed are those that require no cognitive load for the user (the most unreliable participant in this enterprise