Friday 30 November 2007

Data Breaches Costing Companies More Than Ever

A recent article on eweek.com reports that data breaches cost companies more on average in 2006 than in 2005. Yet most companies only increase their security measures after a breach. Instead of losing resources to a costly and time-consuming data breach, why not take a more preventative approach to securing your data, network and other assets?

Monday 26 November 2007

25 Million Records Lost in the UK

The recent loss of 25 million records in the UK has the potential to be traumatic. With so many families banking with the same institutions, the chance of having one’s identity stolen has increased significantly, even though the UK government is confident the data has not landed in the wrong hands.

The gigantic mistake was made by junior officials at HMRC who, according to the chancellor, ignored security procedures. These days one can only be truly at ease in the UK if 2FA, not a static password, is protecting one’s most valuable asset: one’s identity.

Thursday 22 November 2007

Social Networking and Two-Factor Authentication

There is a new social networking site out there (surprise, surprise). It’s called Anne’s Diary and it is specifically for girls between the ages of 6 and 14. What makes this site different is that it uses biometric technology to protect its young users from pedophiles and hackers. Although the site uses one-time passwords to activate accounts, it does not make use of them beyond that.

It intrigues me to see how the security of social networking will pan out in the near future. As relationships extend from real life to online, the chances of significant others, friends, family etc. wanting to hack into someone’s social networking account increase immensely. This is why the use of 2FA should be mandatory in the future of social networking. I am not saying biometrics is a weak authentication method, but rather that it is too hard to roll out on a mass scale. 2FA, on the other hand, is not.

As Web 2.0 continues to evolve, 2FA (not biometrics) is the easiest and most secure method of protecting users in the social networking age.

Tuesday 13 November 2007

Salesforce.com’s Reaction to Phishing Attacks

A recent letter from Parker Harris (EVP Technology at Salesforce.com) outlined to customers what they and the company should be doing to prevent future data breaches. Short of posting the letter in its entirety, I will pick out a few important points Mr. Harris made regarding 2FA technology.

First, Salesforce.com promises to be “collaborating with leading security vendors and experts on specific threats.” Perhaps more importantly, Salesforce.com recommends that its customers “consider using other two-factor authentication techniques including RSA tokens and others.”

Sometimes it takes a major data breach for a company to realize that its current security measures are inadequate. This is unfortunate, but often a necessary occurrence. One by one, businesses are learning the hard way that 2FA is a requirement in their security measures. Salesforce.com is the latest company to realize this; will you be next?

Don’t let a security breach determine your company’s interest in 2FA. Research it today. Secure your world.

Friday 9 November 2007

It can even happen to the stars…

Grammy-winning songstress Alicia Keys recently had her MySpace page linked to a malware server in China. The attackers added a background image to the page, and anyone who visited it and clicked anywhere on that background caused the browser to load a fake media codec, which was really a disguised Trojan.

It is currently not known how widespread this hack is within MySpace, but it shows that web surfing exploits can happen to anyone, even someone simply browsing their friends on a social networking site.

It is not known how the hackers got into Alicia Keys’ page. If they did it with a stolen, guessed or phished password, as is most likely, a 2FA solution for login would have stopped them from accessing it in the first place.

Thursday 8 November 2007

Data Breach of Salesforce.com

You may have seen that a salesforce.com employee recently fell victim to a phishing scam and handed over the company’s customer database. The scammers have since been using the names and e-mail addresses to spread an extensive malware attack throughout the company’s customer list, in messages supposedly sent by the Federal Trade Commission!

Once again this shows the need for users to be educated on what to look for when confronted with a phishing scam. The best security measures in the world cannot compensate for uneducated users and the data loss that inevitably follows. But good awareness and education combined with a form of two-factor authentication can start to reduce the risks that businesses face.

Tuesday 6 November 2007

Strip-tease for Hacking

Everyone has seen them: those silly little jumbles of letters you have to decipher and type in to buy tickets to events, to create a new e-mail account, or to complete many other internet functions that hackers would otherwise have a heyday with. These are called CAPTCHA systems, and they are used to distinguish humans from machines.

In a very innovative approach, online scammers have created a virus in which an appealing woman unexpectedly appears on your computer and promises to take off an article of clothing each time you solve one of the jumbles of letters. The catch is that the program restarts before the woman can completely undress, presumably to persuade users to keep going. The jumbles the victim solves are real CAPTCHAs collected by the scammers, so the victim is doing the scammers’ deciphering for them.

It is not known whether the scammers are using the solved CAPTCHAs on the fly; however, they are using them to get past anti-virus software, and there is a worry that the scam will spread to financial institutions.

As the dark forces of scammers continually become more inventive, online security must evolve over and above that. And no, a strip tease is not required…

Thursday 1 November 2007

Urgency to Fix Online Privacy

These days, good online privacy translates into good business. I recently read an article on zdnet.com that outlined the new “urgency” to fix online privacy. At meetings of the International Association of Privacy Professionals, larger non-tech companies are searching for privacy solutions that actually work. I have known this for years, but companies seem to be figuring out only now that, as the world gets smaller through technology, online security breaches become more frequent and more imminent.

In my humble opinion, two-factor authentication would be a great option for CPOs looking to address this newfound “urgency” to secure online privacy.

Two-factor authentication Newbie Cheat Sheet

Two-factor authentication? What's that?
During the past month I have had a number of meetings to discuss security, and a number of times senior management have asked what two-factor authentication is.

Well, that's a question more and more people are asking at the moment as they hear about their bank adopting this new way of authenticating who you are. So here is a cheat sheet for everyone who is still unsure.

But I know who I am...
I am very pleased to hear it. And how do you prove who you are when accessing your bank, or another secure environment such as your computer on the office network?

Well I use my password.
Which is?

pA55w0rd
Exactly. The problem here is that people aren't the best at choosing or protecting their passwords. Too often they go for easily guessable names or words, or for something so complicated they end up having to write it down. So companies are now looking at solutions such as two-factor authentication, which typically adds a single-use, multi-digit numerical code on top of the existing username and password or PIN.

Sounds even more complicated...
This is where technology comes in. Many companies developing solutions in this space provide secure tokens – little gizmos, if you like, no bigger than a key-fob (www.cryptocard.com) – which generate the random-looking numbers for you. Each number is good for about as long as it takes to log in, and then it's done and dusted.

What are the benefits?
Single-use codes are far more secure than traditional static passwords (which, admittedly, aren't hard to beat). They rely on two things: something the user knows, such as a PIN or password, and something the user has, the token that produced the 6- or 8-digit number. A code that is used once and then discarded is far more reliable than a password written on a Post-it note.

Tuesday 25 September 2007

Botnets pound eBay to guess user passwords

According to an interview with security experts on eWeek, eBay is under attack from a massive botnet that is trying to brute force guess user passwords.

Another argument for strong passwords and, indeed, for two-factor authentication.

Thursday 6 September 2007

Considering RSA or using RSA?

I have lost count of the number of times I have planned to take time out to put my personal views down on paper on the downsides of buying R$A or being an R$A user. So I have finally gathered all of my views and, more importantly, all of the feedback I have gained during the past 5 years from clients who are looking at purchasing R$A, or looking to swap their R$A solution out for an alternative, more compelling and cost-effective solution.

Many organizations realize the value of strong authentication. RSA Security has built much of their business on SecurID, a token-based strong authentication system that replaces password-only authentication with one-time passcodes for secure network access and positive user identification.

But SecurID is not the only option out there. There are products that offer a more secure, cost-effective system that’s easier to use and easier to manage. If you’re a SecurID customer, you might be surprised by how many thousands of pounds or dollars you can save, perhaps tens of thousands, both right now and over the life of the purchase, by switching.

Wouldn’t you like to stop repurchasing tokens every three years? SecurID tokens have an expiration date on the back. Once you pass that date, you might as well throw the token away: it can’t be used again, it can’t be reactivated, and you have to spend more money on another one.

For far less than the cost of buying another round of list-price RSA tokens you can get a complete deployment of an alternative solution that is far more flexible.

To be continued…………………………

Thursday 30 August 2007

I have been Warning of this for years!!

People have looked at me in funny ways for the past 5 years when I have said that the next wave of crime is going to be based on hacking security camera and computer systems to defeat physical security. My warning has just become reality.
The FBI is investigating fifteen store robberies in eleven states, committed by phone and internet. The perpetrators hack the store's security system so they can observe their victims, then make customers take their clothes off and get the store to wire money. From the article: "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""

Monday 20 August 2007

What do YOU need out of two-factor authentication?

Two-factor authentication continues to grow in popularity and to emerge as a security requirement for many of the people I meet with. A number of companies are looking at smartcards internally for VPN access, and then at moving to smartcards for domain logon too.
Users are also looking at ways to require two-factor authentication for web-based services like Outlook Web Access, published SharePoint servers and other extranet systems. I love display-based solutions, and that is CRYPTOCard's most popular offering. But smartcards have a large problem: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it? And you would want a form of 2FA on public workstations, because the risks there are very large. No self-respecting organization would ever allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?
A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."
Many organizations are starting to become wary of these risks. Two-factor authentication helps to mitigate them. The choice, then, is which kind of two-factor authentication to use. If smartcards won't work because readers aren't yet ubiquitous, what's left?
A hardware token with an event-based one-time password is generally the best option: it needs no reader, just a keyboard to type the code into.
I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently?
Tell me what you think. Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!
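The event-based token described in the cheat sheet above ("single-use multi-digit numerical codes" from a key-fob) and recommended again in this post works the way the following added example shows. This is example code written for this page, not CRYPTOCard's or any other vendor's implementation. It implements the HOTP algorithm from RFC 4226 (HMAC-SHA-1 over a press counter, truncated to a 6-digit code); the shared secret is the RFC's published test-vector key, and the look-ahead window of 5, the Token/Verifier class names and the demo sequence are assumptions made for the demonstration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The key-fob: shares a secret with the server and counts button presses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1          # the fob never shows the same code twice
        return code


class Verifier:
    """Server side: remembers the next counter it expects and tolerates a few
    presses the user made without logging in (look-ahead window, assumed 5)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0           # next counter value we expect
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise and burn every earlier code
                return True
        return False               # replayed, forged, or too far out of sync


# Constructed shared secret: the RFC 4226 test-vector key, not a real deployment value.
SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk through a login, a replay, a resync and an out-of-window code."""
    fob, server = Token(SECRET), Verifier(SECRET)
    first = fob.press()
    results = {"first_login": server.verify(first)}
    results["replay_rejected"] = not server.verify(first)
    for _ in range(3):             # user presses the button three times idly
        fob.press()
    results["resync_within_window"] = server.verify(fob.press())      # counter 4
    results["server_counter_after_resync"] = server.counter            # 5
    for _ in range(10):            # far more idle presses than the window allows
        fob.press()
    results["out_of_window_rejected"] = not server.verify(fob.press())  # counter 15
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two properties a practitioner cares about are both visible in `demo()`: a code that has already been accepted is refused the second time, because the server's counter has moved past it, and a fob that drifts ahead of the server by more than the window has to be resynchronised by an administrator rather than silently accepted.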

Outlook Passwords in less than 10 seconds

That’s right. I hate to tell you, but if you give me 10 seconds alone with your computer I’ll not only get your user name and password for every mail box you have set up in Outlook and Outlook Express, but I’ll also be able to see every login you have saved in your Internet Explorer auto-complete settings.

And I’ll do it all with this tiny little application. Don’t believe it? Fine: download it, unzip it and launch it. You’ll be instantly staring at all the passwords you’ve ever told Microsoft to remember for you.

Cracking your password

If you invited me to try and crack your password – you know, the one you use over and over for just about every web page you visit – how many guesses would it take before I got it?

Let’s see… here is my top 10 list. Most passwords are much easier to get than you might think, and one password often opens your e-mail, your computer and your online banking. After all, if someone got one they would probably get into all of them!
  • Your partner, child, or pet’s name, possibly followed by a 0 or 1
  • 123 or 1234 or 123456.
  • “password”
  • Your city, or college, football team name.
  • Date of birth - yours, your partner’s or your child’s.
  • “god”
  • “letmein”
  • “money”
  • “love”
  • Typing your email address into google to find your hobby

Statistically speaking that should probably cover about 70% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do or someone else does.
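Here is the top-10 list turned into a guess generator, added for this page as an example and not the author's own tool. It builds the candidate passwords the list describes from a small profile and counts how many guesses it takes to hit a given password. The profile (names, city, team, date of birth, hobbies) is constructed for the demonstration and describes no real person; the last item on the list, a web search for the victim's hobby, is simulated by the hobbies field.

```python
from datetime import date

# Guesses that need no personal information at all, in the order the list gives them.
NUMBER_SEQUENCES = ["123", "1234", "123456"]
STOCK_WORDS = ["god", "letmein", "money", "love"]


def candidates(profile: dict) -> list:
    """Build the guess list in the order an attacker would try it."""
    out = []
    # 1. partner, child or pet name, optionally followed by 0 or 1
    for name in profile.get("names", []):
        n = name.lower()
        out += [n, n + "0", n + "1"]
    # 2. numeric sequences and 3. "password"
    out += NUMBER_SEQUENCES
    out.append("password")
    # 4. city, college or football team
    out += [w.lower() for w in profile.get("places_teams", [])]
    # 5. dates of birth in the formats people actually type
    for d in profile.get("dates", []):
        out += [d.strftime("%d%m%Y"), d.strftime("%d%m%y"), d.strftime("%Y")]
    # 6-9. the stock words
    out += STOCK_WORDS
    # 10. hobby words (what a search for the e-mail address would turn up)
    out += [w.lower() for w in profile.get("hobbies", [])]
    # keep the first occurrence only, preserving order
    seen, uniq = set(), []
    for c in out:
        if c not in seen:
            seen.add(c)
            uniq.append(c)
    return uniq


def guesses_needed(password: str, profile: dict):
    """Return the 1-based guess number at which `password` falls, or None if the
    list never hits it. Comparison is case-insensitive, as most guessers try both."""
    target = password.lower()
    for i, c in enumerate(candidates(profile), 1):
        if c == target:
            return i
    return None


# Constructed victim profile for the demonstration; nothing here is a real person.
PROFILE = {
    "names": ["Sarah", "Rex"],
    "places_teams": ["Leeds", "Arsenal"],
    "dates": [date(1975, 3, 14)],
    "hobbies": ["golf", "fishing"],
}


if __name__ == "__main__":
    for pw in ["Rex1", "140375", "Leeds", "correct horse battery staple"]:
        n = guesses_needed(pw, PROFILE)
        print(f"{pw!r}: {'guess #' + str(n) if n else 'not in the top-10 list'}")
```

Even this toy list is only 21 guesses long for the sample profile, and a real cracking tool applies many more suffix and capitalisation rules to the same handful of personal facts, which is the point: a password derived from anything that can be learned about you is found in seconds, while one that is not on any such list (the last line of the demo) is not found at all.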

 
Copyright 2009 Jason Hart.