Friday, 30 November 2007

Data Breaches Costing Companies More Than Ever

A recent article on outlines that data breaches within companies are costing them more on average in 2006 than in 2005. As a result, most companies security measures’ only increase after these breaches. Instead of losing resources from a costly and time consuming data breach, why not take more a preventative measure to securing your data, network, and other assets?

Monday, 26 November 2007

25 Million Records Lost in the UK

The recent loss of 25 million records in the UK has the potential to be traumatic. For instance, with many families putting their trust in the same banks, the potential to have one’s identity stolen has now increased significantly even though the UK government is sure the data has not landed in the wrong hands.

The gigantic mistake was made by junior officials at HMRC, who had ignored security procedures according to the chancellor. These days, one can only be truly at ease in the UK if 2FA, not a static password, is protecting their most invaluable asset – their identity.

Thursday, 22 November 2007

Social Networking and Two-Factor Authentication

There is a new social networking site out there (surprise, surprise). It’s called Anne’s Diary and it is specifically for girls between the age of 6 and 14. What makes this social networking site different is that it utilizes biometric technology to ensure the safety of its younger users from pedophiles and hackers. Although this site utilizes one-time passwords to activate accounts, it does not make use of them past that.

It intrigues me to see how the security of social networking will pan out in the near future. As relationships continue to become extended from real life to online, the chances of significant others, friends, family etc. wanting to hack into someone’s social networking account increase immensely. This is why the use of 2FA should be mandatory in the future of social networking. I am not saying biometrics is a weak authentication method but rather it is too hard to roll out on a mass scale. 2FA on the other hand, is not.

As Web 2.0 continues to evolve, 2FA (not biometrics) is the easiest and most secure method to protecting users in the social networking age.

Tuesday, 13 November 2007’s Reaction to Phishing Attacks

A recent letter by Parker Harris (EVP Technology at outlined to customers what they and the company should be doing to prevent future data breaches. Short of posting the letter in its entirety I noticed a few important points Mr. Harris addressed regarding 2FA technology.

Primarily, makes a promise of “collaborating with leading security vendors and experts on specific threats.” Perhaps a more important point, recommends that its’ customers “consider using other two-factor authentication techniques including RSA tokens and others.”

Sometimes it takes a major data breach for a company to realize that their current security measures are inadequate. This is an unfortunate but often a necessary occurrence. One by one, businesses are realizing the hard way that 2FA is a requirement in their security measures. is the latest company to realize this, will you be next?

Don’t let a security breach determine your company’s interest in 2FA. Research it today. Secure your world.

Friday, 9 November 2007

It can even happen to the stars…

Grammy winning songstress Alicia Keys recently had her MySpace page linked to a malware server in China. With the addition of a background image, anyone who visited Alicia’s MySpace page and clicked anywhere on this background will cause the browser to load a fake media codec, which is really a disguised Trojan.

It is currently not known how widespread this hack is within MySpace but this exemplifies how web surfing exploits can happen to anyone, even if they are simply browsing their friends on a social networking site.

Although it is not known how the hackers accessed Alicia Keys’ page, a 2FA solution for login definitely would have prevented them from accessing it in the first place.

Thursday, 8 November 2007

Data Breach of

You may have seen that a employee became a recent victim to a phishing scam that resulted in turning over the company’s customer database. As a result, the scammers have been using the names and e-mails to spread an extensive malware attack throughout the company, supposedly sent by the Federal Trade Commission!!!!

Once again the need for users to be educated on what to look for when confronted with a phishing scam. The best security measures in the world cannot compensate for the threat of uneducated users and the inevitable data loss that can follow. But good awareness/education combined with a form of Two Factor Authentication can start to reduce the risks that businesses face.

Tuesday, 6 November 2007

Strip-tease for Hacking

Everyone has seen them, those silly little jumbles of letters you need to decipher and type in frantically to buy tickets to events, to create a new e-mail account, or to complete many other internet functions that normally hackers have a heyday on. In fact, these are called CAPTCHA systems and are utilized to distinguish humans from machines.

With a very innovative approach, online scammers have created a virus where an appealing woman will unexpectedly appear on your computer. However, that is not all, as the woman continues by promising to take off an article of clothing each time a jumble of letters is completed. The catch is that the program restarts before the woman can completely undress to possibly persuade users to try the program multiple times.

It is not quite known if scammers are using these cracked CAPTCHA passwords on the fly; however, they are using them to crack anti-virus software and there is a worry that this scam will spread to financial institutions.

As the dark forces of scammers continually become more inventive, online security must evolve over and above that. And no, a strip tease is not required…

Thursday, 1 November 2007

Urgency to Fix Online Privacy

These days, good online privacy translates into good business. I recently read an article on that outlined the new “urgency” to fix online privacy. With this, at the meetings of International Association of Privacy Professionals, larger non-tech companies are searching for privacy solutions that actually work. I have known this for years but companies seem to be figuring out now that as the world gets smaller due to increased technology, the frequencies of online security breaches are higher and more imminent.

In my humble opinion, 2 factor authentication would be a great alternative for CPO’s to help lull this newfound “urgency” to secure online privacy.

Two-factor authentication Newbie Cheat Sheet

Two-factor authentication? What's that?
During the past month I have had a number of meeting to discuss security and a number of times senior management have asked what is Two Factor Authentication.

Well that's a question more and more people are asking at the moment as they hear about their bank adopting this new way of authenticating who you are. So Here is a cheat sheet for everyone who is still unsure.

But I know who I am...
I am very please to hear. And how do you prove who you are when accessing your bank or another secure environment such as your computer on the office network?

Well I use my password.
Which is?

Exactly. The problem here is that people aren't the best at choosing or protecting their passwords. Too often they go for easily guessable names or words or something so complicated they end up having to write it down. Instead companies are now looking at solutions such as two-factor authentication which typically involves single-use multi-digit numerical codes to complement the existing security as well as the username or PIN.

Sounds even more complicated...
This is where technology comes in. Many companies developing solutions in this space are providing secure tokens – little gizmos, if you like, no bigger than a key-fob ( which generate the random numbers for you. They're good for around as long as it take to log-in - and then they're done-and-dusted.

What are the benefits?
Single-use random numbers are far more secure than traditional static passwords (which admittedly aren't hard to beat or hack). They work by creating a reliance upon something the user knows, such as their username, and something they have, in this case the 6 or 8 digit number – which is far more reliable than a password written on a Post-it note.

Tuesday, 25 September 2007

Botnets pound eBay to guess user passwords

According to an interview with security experts on eWeek, eBay is under attack from a massive botnet that is trying to brute force guess user passwords.

Another argument for strong passwords, and indeed, 2 factor authentication.

Thursday, 6 September 2007

Considering RSA or using RSA?

I have lost count to the number of times I have planned to take time out to put my personal views down on paper in relation to the down sides on Buying R$A or being a user. So I have finally taken all of my views and more importantly have gathered all of the feedback that I have gained during the past 5 years from clients that are looking at purchasing R$A or looking to swap their R$A solution out for a alternative, more compelling and cost-effective solution over the RSA Solution

Many organizations realize the value of strong authentication. RSA Security has built much of their business on SecurID, a token-based strong authentication system that replaces password-only authentication with one-time passcodes for secure network access and positive user identification.

But SecurID is not the only option out there. There are far greater products that offer a more secure, cost-effective system that’s easier to use and easier to manage. If you’re a SecurID customer, you might be surprised by how many thousands of pounds or dollars you can save, perhaps tens of thousands both right now, and over the life of the purchase by switching.

Wouldn’t you like to stop repurchasing tokens every three years? SecurID tokens have an expiration date on the back. Once you pass that date, you might as well throw your token away. It can’t be used again, it can’t be reactivated you have to spend more money on another token.

For far less than the cost of buying another round of list-price RSA tokens you can get a complete deployment of an alternative solution that is a far more flexible.

To be continued…………………………

Thursday, 30 August 2007

I have been Warning of this for years!!

People have been looking at me in funny ways for the past 5 years, as when I state that the next wave of crime is going to be based on hacking of a security camera/computer system and physical security. My warning has just become reality.
The FBI is investigating fifteen store robberies in eleven states, committed via phone and internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article, "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""

Monday, 20 August 2007

What do YOU need out of two-factor authentication?

Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. A number of companies are looking at smartcards internally for VPN access and then looking at moving to smartcards for domain logon, too.
Users are also looking at ways to require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other extranet systems. I love display based solutions and its CRYPTOCard most popular offering. But with smartcards we encounter a large problem with them: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it? And you would want to use a form of 2FA when using Public workstations as the risks are very large. No self-respecting organization would ever allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?
A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."
Many organizations are starting to become wary of these risks. Two-factor authentication helps to mitigate risk. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous, what's left to choose?
A hardware token with a one-time (Event) password is generally the best option.
I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently?
Tell me what you think. Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!

Outlook Passwords in less than 10 sec's

That’s right. I hate to tell you but if you give me 10 seconds alone with your computer I’ll not only get your user name and passwords to every mail box you have set up in Outlook and Outlook Express, but I’ll also be able to see every single login you have saved in your Internet Explorer auto-complete settings.

And I’ll do it all with this tiny little application. Don’t believe it? Fine, download it, unzip it and launch it. You’ll be instantly staring at all of the passwords you’ve ever told Microsoft to remember for you.

Cracking your password

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. Most passwords are much easier to gain than you might think allowing access into your e-mail, computer, or online banking. After all, if someone was to gain one they would probably get into all of them!
  • Your partner, child, or pet’s name, possibly followed by a 0 or 1
  • 123 or 1234 or 123456.
  • “password”
  • Your city, or college, football team name.
  • Date of birth - yours, your partner’s or your child’s.
  • “god”
  • “letmein”
  • “money”
  • “love"
  • Typing your email address into google to find your hobby

Statistically speaking that should probably cover about 70% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do or someone else does.

Copyright 2009 Jason Hart. Powered by Blogger Blogger Templates create by Deluxe Templates. WP by Masterplan