<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4674411572464983266</id><updated>2012-01-26T09:55:51.383-08:00</updated><category term='Events'/><category term='Downloads'/><category term='Articles'/><category term='Video'/><title type='text'>Jason Hart</title><subtitle type='html'>The Cyber Security Expert</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>54</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6633155989616446952</id><published>2012-01-19T12:25:00.000-08:00</published><updated>2012-01-19T12:26:29.504-08:00</updated><title type='text'>The never-ending saga of passwords. When is enough enough?</title><content type='html'>It’s not even the end of January and already we’ve seen some pretty big security humdingers. 
From the Facebook worm through to Zappos, it would appear the hackers are constantly one step ahead. But even though Zappos affected 24 million customers, the biggest security talking point of 2012 to date has to be the Stratfor database.&lt;br /&gt;&lt;br /&gt;For hackers, it was simply the Christmas gift that kept on giving. Having hacked the Texan-based database over the festive break, those responsible saw a seemingly never-ending run of headlines dominate the national agenda. For the UK, the game-changer was when The Guardian revealed that 221 British defence staff had been exposed as part of the hack. There were red faces all around. For whilst it is believed that staff would have different passwords to access more sensitive Whitehall information, it once again showed how easily static passwords can be snaffled and exposed, and someone’s identity potentially stolen.&lt;br /&gt;&lt;br /&gt;Yet passwords aren’t a new security ‘phenomenon’. Indeed, they’ve been around since the advent of the PC. The problem is that people don’t take them seriously enough. With headlines dominated by cyber crime, companies have invested in protecting their firewall. Put simply, they’ve locked their houses but left the windows open. It doesn’t matter how sophisticated your antivirus is; if a hacker has passwords then they can assume an authorised identity to wreak untold damage.&lt;br /&gt;&lt;br /&gt;You might be reading this and thinking: are passwords really all that important? Well, let me ask you a few questions. How do you secure users’ access to corporate information? How do you secure your IT systems? How do you check who is authorised to access what information? How do remote workers access the network? Yes, you guessed it – passwords. 
Passwords are such a vulnerability because human nature dictates not only that the password will not be selected at random but will have a personal connection to the user (something that any hacker can deduce within seconds), but also that for ‘ease’ users will use the same password and log-in for every application. Once you have one password, the entire corporate network opens up before you. And who is going to stop you? As far as the system is concerned you’ve been authenticated.&lt;br /&gt;&lt;br /&gt;The advent of tablet PCs and smartphones is only exacerbating the situation. Most users store email and company-sensitive information on mobile devices without giving it a second’s thought. Access to this data allows them to work on the move and keep pace with their colleagues during the working day. But what many people don’t realise is that most smartphones will automatically log you on to free Wi-Fi. Brilliant, who doesn’t love free Wi-Fi? You might think it’s easy and convenient, but for hackers free Wi-Fi spots make accessing sensitive information like taking candy from a baby. They can set up a rogue spot and, within seconds of you logging on, have not only users’ corporate passwords but also the passwords for their mobile banking and Facebook accounts, amongst others.&lt;br /&gt;In a world where hackers are scoring big wins, companies cannot afford to secure access to their systems with static passwords. And neither can they afford to be exposed by third parties they work with that have less than robust security policies in place. At the time of the hack Stratfor defended itself and stated that the passwords had been encrypted, but clearly this posed no obstacle for the hackers responsible. 
The only way to protect against such attacks is to implement one-time passwords and strong user authentication.&lt;br /&gt;&lt;br /&gt;In the past many companies have dismissed two-factor authentication as too expensive to implement and manage, or as something that interferes with the user experience. Yet that is no longer the case. The barriers of cost, complexity and management have been removed and now companies of any size can use it. For the price of a cup of coffee, businesses can now secure unlimited users, via multiple channels, whether that is through the cloud, smartphone apps or key fobs.&lt;br /&gt;&lt;br /&gt;Stratfor once again demonstrates that despite all the hype of cyber security, passwords are a real threat to businesses around the world. How many more incidents must we read about before businesses move away from static passwords and start to better protect themselves and their customers against hackers?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6633155989616446952?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6633155989616446952/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6633155989616446952' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6633155989616446952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6633155989616446952'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2012/01/never-ending-saga-of-passwords-when-is.html' title='The never-ending saga of passwords. 
When is enough enough?'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-8741588721653520597</id><published>2011-11-22T01:05:00.000-08:00</published><updated>2011-11-22T01:14:17.061-08:00</updated><title type='text'>Smartphones in the enterprise: A false sense of security</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/-ZY3sEywdNWk/Tstnc_2CjbI/AAAAAAAAAEc/81OqxvcEqU0/s1600/Passwordhack.jpg"&gt;&lt;img style="MARGIN: 0px 0px 10px 10px; WIDTH: 200px; FLOAT: right; HEIGHT: 150px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5677745503102733746" border="0" alt="" src="http://3.bp.blogspot.com/-ZY3sEywdNWk/Tstnc_2CjbI/AAAAAAAAAEc/81OqxvcEqU0/s200/Passwordhack.jpg" /&gt;&lt;/a&gt;Security has been about evolution. First came the PC; big and clunky, it taught us about the importance of keeping the good guys in and the bad guys out. Then came the era of laptops and, well, losing them, which showed – at the expense of some very red faces – the importance of ensuring secure remote access. And now comes the new generation: the smartphone. Surely by now we’ve learnt our lessons from the past and are well prepared for the next iteration of security challenges that the move to mobility will bring with it?&lt;br /&gt;&lt;br /&gt;Well, not quite. In many ways, it feels like Groundhog Day, with the same mistakes being played out. The 2011 Get Safe Online campaign kicked off with a warning aimed at educating consumers about the security scams out there targeting their smartphone. 
But with more and more smartphones being deployed in the corporate environment, arguably it is businesses that have the most to lose.&lt;br /&gt;&lt;br /&gt;Smartphones have become the bedrock of any remote access strategy. Easy to use and intuitive, they enable staff to access email, download and work on attachments, and access corporate web and cloud-based applications such as Salesforce whilst on the move. But it is this very ease of use that lulls people into a false sense of security. Would you like it to remember your password for next time? Yes please. Would you like to enable automatic log on? Yes please. All these quirks, designed to make our lives easier, only hasten the speed with which a hacker - or even someone that has found your lost device - can get into sensitive files or the corporate network and do damage.&lt;br /&gt;&lt;br /&gt;For example, most mobile devices from tablet PCs to smartphones are set up to automatically search for and log onto the nearest WiFi hotspot. And who says no to free WiFi? But with some cheap equipment from a high street electrical store a hacker can set up a ‘fake’ WiFi spot and snaffle all the passwords they need to break into the corporate network using someone else’s identity in a matter of seconds. And as the lines between personal and professional use of smartphones start to blur, it is becoming even harder to mitigate the risks.&lt;br /&gt;&lt;br /&gt;Most IT departments and security chiefs know that if their company rolls out iPhones, staff will download applications from the App Store. Until last week they were probably quite relaxed about this, as Apple has a ‘quality control’ process in place before apps can be sold and downloaded. But the discovery of a rogue app has shown that Apple’s processes are not foolproof. What looked like a harmless app was actually designed to unleash chaos. And what of Android? It is predicted by Ovum to gobble up a 25 per cent share of the enterprise market in the next five years. 
Yet its Market Place has no rules or any way of governing what applications are uploaded and made available to an unsuspecting public.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div&gt;These are just two examples of how the commercially valuable information sitting on smartphones is vulnerable to attack from different angles. Like it or not, if your organisation has smartphones you’ve also got some serious security blind spots. It’s hard to think that one small device could have big security consequences, but it does. In many ways it is like embarking on security education all over again. The trend towards bring your own device (BYOD) is further muddying the water, but businesses should make no mistake - it is their responsibility to secure their data.&lt;br /&gt;&lt;br /&gt;Right now, companies can’t validate whether people accessing the network are who they say they are. Instead they rely on static passwords to authenticate the person rather than one-time-use passwords, which are unique and can’t be stolen. Traditional approaches to passwords are the weakest link in any security policy; companies shouldn’t continue to make the same mistake in the mobile world. 
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-8741588721653520597?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/8741588721653520597/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=8741588721653520597' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8741588721653520597'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8741588721653520597'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/11/smartphones-in-enterprise-false-sense.html' title='Smartphones in the enterprise: A false sense of security'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-ZY3sEywdNWk/Tstnc_2CjbI/AAAAAAAAAEc/81OqxvcEqU0/s72-c/Passwordhack.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-3986793645967532850</id><published>2011-10-31T16:08:00.000-07:00</published><updated>2011-10-31T16:12:41.369-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video'/><title type='text'>Spy Smartphone Software Tracks 'Every Move'</title><content type='html'>Click for video&lt;br /&gt;http://news.sky.com/home/technology/article/16099260&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-3986793645967532850?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/3986793645967532850/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=3986793645967532850' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3986793645967532850'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3986793645967532850'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/10/spy-smartphone-software-tracks-every.html' title='Spy Smartphone Software Tracks &apos;Every Move&apos;'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1710418241002774333</id><published>2011-10-31T16:04:00.000-07:00</published><updated>2011-10-31T16:06:57.851-07:00</updated><title type='text'>Tax rebates stolen by Revenue and Customs hackers – from today’s Sunday Times</title><content type='html'>&lt;h1 class="title" style="text-align: left; display: block; -webkit-hyphens: manual; "&gt;&lt;span class="Apple-style-span" style="font-weight: normal; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); font-size: medium; "&gt;Fraudsters have found a way to hack into 
government tax records and divert refunds meant for others into their own bank accounts.&lt;/span&gt;&lt;/h1&gt;&lt;p&gt;An investigation by &lt;a href="http://www.thesundaytimes.co.uk/sto/"&gt;The Sunday Times&lt;/a&gt; has revealed that criminals are secretly examining HM Revenue &amp;amp; Customs’ records looking for anyone who has paid too much tax. They then change the details of the bank accounts into which the repayments are to be made.&lt;/p&gt;&lt;p&gt;Alternatively, the hackers file fictitious tax returns showing large overpayments directly into the HMRC computer in the names of genuine taxpayers, then ask for refunds.&lt;/p&gt;&lt;p&gt;Victims become aware of the scam only when they are officially contacted by HMRC and told an overpayment is being transferred into their account.&lt;/p&gt;&lt;p&gt;HMRC is now facing questions over its security procedures and how the hackers are able to infiltrate its records. Experts claim it has failed to react as promptly as the banks to the risk of online fraud.&lt;/p&gt;&lt;p&gt;Roger Symes, 53, a ship broker from Surbiton, in south-west London, received a letter last month from HMRC advising him of a refund. He said: “They gave details of a bank account into which they were paying the money, but it wasn’t my bank account.&lt;/p&gt;&lt;p&gt;“My accountant said he had the same problem with 18 other clients.” The refunds applied for were between £100 and £4,000.&lt;/p&gt;&lt;p&gt;The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online. How they are obtaining these security details is unclear. It is not known whether it is via computer attacks on individual accountancy firms or by breaching HMRC’s own systems.&lt;/p&gt;&lt;p&gt;One hacker who spoke to The Sunday Times this year said he had accessed HMRC’s systems and had been able to obtain details of agent sign-ons and passcodes. 
A security expert said the claim was credible but HMRC denied its systems had been compromised.&lt;/p&gt;&lt;p&gt;Once a hacker has an agent sign-in, he can read the tax records of all the accountant’s clients, amend them and change the bank account details. Accountants who have spoken to this newspaper said hackers have been accessing taxpayer records for at least two years.&lt;/p&gt;&lt;p&gt;Claire Savage, a chartered accountant in Milton Keynes, Buckinghamshire, spotted irregularities in one of her clients’ files in June last year.&lt;/p&gt;&lt;p&gt;She said: “I called him up to ask about his new bank account, which turned out not to be his at all. When I realised that security had been breached I went through all of my clients’ files. A fair chunk of them — around 10 — were affected, and repayments of up to £3,000 had been requested in each case.” None of Savage’s clients lost money to the fraudsters.&lt;/p&gt;&lt;p&gt;Ralph Hayden, a chartered accountant at GW Cox &amp;amp; Co in Frinton-on-Sea, Essex, said 41 of his clients had been affected by a similar scam, which was first noticed in November 2009.&lt;/p&gt;&lt;p&gt;He said: “HMRC said that it must be our systems that had been breached but we called in computer experts who confirmed that it definitely wasn’t.&lt;/p&gt;&lt;p&gt;“In most cases, a tax return had not yet been filed, so a false return was submitted. In others, their returns had been edited, so that a repayment was now due. HMRC were not advising their frontline staff in case it was an inside job.”&lt;/p&gt;&lt;p&gt;On &lt;a href="http://hmrcisshite.blogspot.com/"&gt;hmrconline.com&lt;/a&gt;, a blog about the &lt;a href="http://www.hmrc.gov.uk/index.htm"&gt;HMRC&lt;/a&gt;, one taxpayer reveals that his accountant was also targeted. 
The posting states: “We recently returned from holiday to the news that 91 of our accountant’s client accounts had been hacked at the HMRC government gateway website.&lt;/p&gt;&lt;p&gt;“Hackers had accessed information on 91 individuals or organisations and had entered false end-of-year accounts in order to claim self-assessment refunds.&lt;/p&gt;&lt;p&gt;“We then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts. They actually paid out. HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people [whose] accounts had been hacked.”&lt;/p&gt;&lt;p&gt;Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.&lt;/p&gt;&lt;p&gt;Jason Hart, managing director of &lt;a href="http://www.cryptocard.com/"&gt;Cryptocard&lt;/a&gt;, a computer security company, said: “If you just had a static passcode, then once it’s compromised, you’re going to be a massive target for the fraudsters. 
It’s an invisible threat because they can get into your system at any time and you don’t even realise.”&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1710418241002774333?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1710418241002774333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1710418241002774333' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1710418241002774333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1710418241002774333'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/10/tax-rebates-stolen-by-revenue-and.html' title='Tax rebates stolen by Revenue and Customs hackers – from today’s Sunday Times'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-3809148942127024270</id><published>2011-10-30T16:16:00.000-07:00</published><updated>2011-10-31T16:18:43.677-07:00</updated><title type='text'>Spy Smartphone Software Tracks 'Every Move'</title><content type='html'>&lt;h1 class="title" style="text-align: left; display: block; -webkit-hyphens: manual; "&gt;&lt;span class="Apple-style-span" style="font-size: 16px; font-weight: normal; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); 
-webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "&gt;11:14am UK, Sunday October 30, 2011&lt;/span&gt;&lt;/h1&gt;&lt;div&gt;&lt;p&gt;Sam Kiley, security editor&lt;/p&gt;&lt;p&gt;&lt;img src="webkit-fake-url://8EC9D8FC-F3D0-41DE-9184-E3F992D18612/imagejpeg" /&gt;&lt;/p&gt;&lt;p&gt;&lt;span class="Apple-style-span" style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); font-size: medium; "&gt;As marketing pitches you don't get much lower: "Track every text, every call and every move your spouse makes…"&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;p&gt;Yes, software manufacturers have harnessed the green-eyed monster.&lt;/p&gt;&lt;p&gt;"A cell phone plays a role in almost every affair," said one producer of mobile phone spyware.&lt;/p&gt;&lt;p&gt;Another spelled it out: "When you begin to notice signs of a cheating spouse, the best way to catch that cheat is to spy on his or her cell phone using spy software.&lt;/p&gt;&lt;p&gt;"Such software is required because the cell phone has become the modern day keeper of secrets and its uses are as versatile and diverse as their makes and models."&lt;/p&gt;&lt;p&gt;But it is not just for jealous partners.&lt;/p&gt;&lt;p&gt;&lt;cut&gt;&lt;/cut&gt;&lt;/p&gt;&lt;div class="float right" style="margin-top: 8px; margin-right: 0px; margin-bottom: 8px; margin-left: 20px; text-align: start; -webkit-hyphens: manual; float: right; width: 400px; "&gt;&lt;span&gt;&lt;/span&gt;&lt;blockquote&gt;&lt;p style="text-align: left;"&gt;There is no way that a victim would know his phone had been comprehensively hacked.&lt;/p&gt;&lt;/blockquote&gt;&lt;/div&gt;Jason Hart, cyber security expert&lt;p&gt;Software designed to completely mine every secret on a smartphone can track its users, record their calls, copy their emails, read their text messages and bug the rooms the phones are sitting 
in.&lt;/p&gt;&lt;p&gt;Jason Hart, a cyber security expert with &lt;a href="http://www.cryptocard.com/" title="Cryptocard's site" target="_blank"&gt;Cryptocard&lt;/a&gt;, explained how easy it is to turn a mobile phone into a pocket spy.&lt;/p&gt;&lt;p&gt;It starts with a little 'social engineering'.&lt;/p&gt;&lt;p&gt;By hacking the phone of someone the victim might trust, and learning something about them from reading their Tweets and Facebook page, the attacker will send a personalised email from a known account.&lt;/p&gt;&lt;p&gt;The user opens an email and a document, a picture, letter or PDF file.&lt;/p&gt;&lt;p&gt;A programme can be embedded in the attached document which takes the hacked user's phone off to a secret website which covertly downloads spying software onto the smartphone.&lt;/p&gt;&lt;p&gt;Shortened weblinks are also a risk.&lt;/p&gt;&lt;p&gt;"Using Facebook and Twitter (and) getting an individual to click on a shortened link would actually take them to a website and automatically install malware," said Mr Hart.&lt;/p&gt;&lt;p&gt;"There is no way that a victim would know his phone had been comprehensively hacked."&lt;/p&gt;&lt;p&gt;&lt;cut&gt;&lt;/cut&gt;&lt;/p&gt;&lt;img src="file:///sky-news/content/StaticFile/jpg/2011/Oct/Week4/16099269.jpg" alt="Smartphone spyware ad" style="float: none; margin-right: 12px; max-width: 100%; height: auto; " /&gt;&lt;div class="float full-width" style="margin-top: 8px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; text-align: start; -webkit-hyphens: manual; float: none; display: block; width: 640px; "&gt;&lt;p style="text-align: left;"&gt;Spyware 'can covertly operate all of a smartphone's functions from afar'&lt;/p&gt;&lt;/div&gt;&lt;p&gt;Attacks on smartphones shot up by 46% last year, and this year the percentage is likely to be in the thousands.&lt;/p&gt;&lt;p&gt;We loaded the commercial software onto my phone and very quickly Mr Hart was watching my emails come 
through.&lt;/p&gt;&lt;p&gt;The vendors of the software promised that he would be able to intercept and listen to my calls - we could not get that to work. But, as a bug, my phone was close to perfect.&lt;/p&gt;&lt;p&gt;The software meant Mr Hart could dial into my phone and it would secretly answer - broadcasting any conversation I was having near the handset back to him.&lt;/p&gt;&lt;p&gt;"Once a criminal or spy has got hold of software like this and loaded it onto your phone, there is very little indeed that you will be able to do either to detect or defend yourself. This is a total compromise," Mr Hart said.&lt;/p&gt;&lt;p&gt;Spyware can covertly operate all of a smartphone's functions from afar, turning it on and off, and stealing its secret contents.&lt;/p&gt;&lt;p&gt;Almost 500,000 new smartphones will be sold this year around the world.&lt;/p&gt;&lt;p&gt;Malware developers are running ahead of the industry's ability to develop tools which, in any case, would inevitably restrict how useful smartphones can be to a customer.&lt;/p&gt;&lt;p&gt;But, as losses to intellectual property theft are estimated to cost the UK £17bn a year, it is clear companies will be demanding an air gap between smartphones used for business - and smartphones used for everything else.&lt;/p&gt;&lt;p&gt;So, for the skiving worker, the truant teenager and the faithless spouse, there can only be a few words of advice - that phone isn't smart, it's a sneak.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-3809148942127024270?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/3809148942127024270/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=3809148942127024270' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3809148942127024270'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3809148942127024270'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/10/spy-smartphone-software-tracks-every_30.html' title='Spy Smartphone Software Tracks &apos;Every Move&apos;'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-696209707277872605</id><published>2011-10-17T01:46:00.000-07:00</published><updated>2011-10-17T01:48:52.904-07:00</updated><title type='text'>Password Risks - Smart Phones at risk</title><content type='html'>The world is facing a wave of cyber crime thanks in large part to our newly-found addiction to the smartphone.&lt;br /&gt;&lt;br /&gt;An estimated 480 million smartphones will be sold this year. They are indeed wonders of technology.&lt;br /&gt;Henry Harrison, from UK cyber security experts Detica, said: "This is a fully fledged computer that's sitting in your pocket." It can, and probably will, betray you as a result.&lt;br /&gt;The flaw in the smartphone is that it is too useful and too user friendly - for users who trade convenience for security.&lt;br /&gt;&lt;br /&gt;They collect our emails, store our bank details, we tweet and use Facebook on them. 
They are our bank vault, our confidante, our guide.&lt;br /&gt;But as &lt;a title="Cryptocard's site" href="http://www.cryptocard.com/" target="_blank"&gt;Cryptocard's&lt;/a&gt; Jason Hart demonstrated - they are our new Achilles heel.&lt;br /&gt;Mr Hart purchased a cheap item of equipment from a high street electrical store and downloaded free software from the internet - all he needed to set up an "evil twin" Wi-Fi connection.&lt;br /&gt;&lt;br /&gt;Criminals use these to harvest passwords and other sensitive data from smartphones or computers - often giving their Wi-Fi hotspots fake names familiar to punters at cafes and in airports.&lt;br /&gt;&lt;br /&gt;Full story: &lt;a href="http://news.sky.com/home/technology/article/16090250"&gt;http://news.sky.com/home/technology/article/16090250&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-696209707277872605?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/696209707277872605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=696209707277872605' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/696209707277872605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/696209707277872605'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/10/password-risks-smart-phones-at-risk.html' title='Password Risks - Smart Phones at risk'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1092664796116293868</id><published>2011-10-10T01:52:00.000-07:00</published><updated>2011-10-17T02:00:21.065-07:00</updated><title type='text'>Facebook Passwords</title><content type='html'>FACEBOOK USERS EXPOSE PASSWORDS ONLINE&lt;br /&gt;&lt;br /&gt;Social media users are increasing their chances of identity fraud by providing clues to their online passwords.&lt;br /&gt;&lt;br /&gt;A study by me, commissioned by life assistance company &lt;a href="http://www.cppgroupplc.com/" target="_blank"&gt;CPPGroup Plc (CPP)&lt;/a&gt;, has revealed that one third (32%) of Facebook profiles contain at least two pieces of personal information such as their mother’s maiden name, date of birth, hobbies or children’s names. This information is often also used as a password or as an answer to a security question when users look to reset their online account log-in details.&lt;br /&gt;&lt;br /&gt;In the study, details including the name of the user’s first school (64%), employer (46%), dates of birth (25%), children’s names (25%) and favourite football team (17%) were found to be visible on many people’s Facebook profiles.&lt;br /&gt;&lt;br /&gt;As the most active social media users, those aged 18 to 24 with a Facebook account are the most likely to publicise their personal information – and often to complete strangers. This age group has on average more than 250 friends but 81%[i] say they do not trust all of their Facebook ‘friends’. Half (50%) have accepted a friend request from a total stranger and 9% would accept an invitation from someone they did not know if they were good looking or popular.&lt;br /&gt;&lt;br /&gt;But it’s not just the 18 to 24 year olds who are making themselves vulnerable - users of all ages are putting themselves at risk. 
One third (33%) of all those with a Facebook account admit to accepting an invitation from people they had never met before, with 38%[ii] confessing they don’t know everyone they are friends with on the site.&lt;br /&gt;&lt;br /&gt;Over half (52%) of the Facebook account holders questioned had received friendship requests from strangers. And despite recent media controversy around privacy and security on the site, one in twenty (6%) users allow anyone and everyone to see their entire profile.&lt;br /&gt;&lt;br /&gt;Danny Harrison, &lt;a href="http://www.cpp.co.uk/" target="_blank"&gt;CPP&lt;/a&gt;’s Identity fraud specialist is calling on individuals to not use personal information for online passwords or security questions.&lt;br /&gt;&lt;br /&gt;“It isn’t a good idea to use personal information for passwords online. Sharing is the whole point of Facebook and other social media sites, so users are naturally going to promote their personal information online. The problem is this information could be used by fraudsters to reset passwords and access people’s online accounts. To compound the problem, there are tools available online that can capture keywords from a website, including a Facebook profile, and others which will trial variations of the identified keywords until a password match is found.&lt;br /&gt;&lt;br /&gt;For this reason, we are advising people to not use personal information as a means to verify their online identity and facilitate access to their online accounts.”&lt;br /&gt;&lt;br /&gt;Personal information most commonly used as passwords[iii]:&lt;br /&gt;1. Interests&lt;br /&gt;2. Hobby&lt;br /&gt;3. Favourite football team&lt;br /&gt;4. Favourite football player&lt;br /&gt;5. Children’s names&lt;br /&gt;6. First school&lt;br /&gt;7. Pet’s name&lt;br /&gt;8. Dates of Birth&lt;br /&gt;9. The user’s name&lt;br /&gt;10. 
Maiden name&lt;br /&gt;&lt;br /&gt;For further details please refer to my white paper.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1092664796116293868?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1092664796116293868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1092664796116293868' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1092664796116293868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1092664796116293868'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/10/facebook-passwords.html' title='Facebook Passwords'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-3536926012760471431</id><published>2011-10-07T16:22:00.000-07:00</published><updated>2011-10-31T16:24:46.726-07:00</updated><title type='text'>Sky News Live Web Chat</title><content type='html'>&lt;div id="article_body" class="articleBody" style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; width: 640px; "&gt;&lt;div class="breakingNewsHeader" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; 
"&gt;&lt;h1 style="margin-top: 14px; margin-right: 0px; margin-bottom: 14px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;Join Our Chat On Smartphone Security&lt;/span&gt;&lt;/span&gt;&lt;/h1&gt;&lt;/div&gt;&lt;div class="module_body" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 10px; width: 400px; float: right; "&gt;&lt;img src="http://news.sky.com/sky-news/content/StaticFile/jpg/2011/Aug/Week1/16043081.jpg" alt="The new BlackBerry Torch 9860" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; " /&gt;&lt;p class="imageCaption" style="margin-top: 0px; margin-right: 0px; margin-bottom: 12px; margin-left: 0px; padding-top: 3px; padding-right: 0px; padding-bottom: 3px; padding-left: 0px; display: block; "&gt;Wifi can make smartphones potentially vulnerable to hackers&lt;/p&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 5px; padding-right: 10px; padding-bottom: 5px; padding-left: 0px; "&gt;&lt;p class="articleUpdate" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: block; "&gt;11:18am UK, Monday October 17, 2011&lt;/p&gt;&lt;/div&gt;&lt;h2 style="margin-top: 10px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;The growing number of iPhones, BlackBerrys and other smartphones provide an opportunity for cyber criminals to steal your data.&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 
0px; padding-top: 8px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: block; "&gt;More than four million people in the UK have been the victims of identity fraud, with wifi access meaning secret passwords stored on your devices are vulnerable.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 8px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: block; "&gt;Ethical hacker Jason Hart answers your questions on how to keep your smartphone safe.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 8px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: block; "&gt;&lt;cut style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;iframe src="http://embed.scribblelive.com/Embed/v5.aspx?Id=31296&amp;amp;ThemeId=2335" width="339" height="600" frameborder="0" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(0, 0, 0); border-right-color: rgb(0, 0, 0); border-bottom-color: rgb(0, 0, 0); border-left-color: rgb(0, 0, 0); "&gt;&lt;/iframe&gt;&lt;/cut&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="clearAll" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; clear: both; height: 0px; overflow-x: hidden; overflow-y: hidden; "&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-3536926012760471431?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/3536926012760471431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=3536926012760471431' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3536926012760471431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3536926012760471431'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/10/sky-njoin-our-chat-on-smartphone.html' title='Sky News Live Web Chat'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5572418090294341686</id><published>2011-06-27T00:30:00.000-07:00</published><updated>2011-10-17T01:51:36.711-07:00</updated><title type='text'>Just how easy is it to hack into your life?</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/-5PnWZEFpUYY/TggzY_Fl67I/AAAAAAAAAD0/zeNPOXtHFA4/s1600/The%2BTelegraph.bmp"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 200px; FLOAT: left; HEIGHT: 36px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5622800639116831666" border="0" alt="" src="http://3.bp.blogspot.com/-5PnWZEFpUYY/TggzY_Fl67I/AAAAAAAAAD0/zeNPOXtHFA4/s200/The%2BTelegraph.bmp" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;From Facebook to pins and passwords, invading our lives couldn’t be easier, finds Neil Tweedie&lt;br /&gt;&lt;br /&gt;Last week I was asked by Neil Tweedie to demonstrate how easy it is for someone to hack into your life. After three questions about his family I tap away on my keyboard. Two minutes later - just two minutes - an email arrives in Neil's work inbox.&lt;br /&gt;&lt;br /&gt;“I didn’t need all three answers, just the one,” explains the cyber security adviser. “Now I have control of your email and with it knowledge of your financial transactions, interests and friends. I can access your online accounts and use your credit card details to go shopping.”&lt;br /&gt;&lt;br /&gt;Hacking is back in the news. 
This week Ryan Cleary was arrested at his home in Essex and charged with disrupting the website of Britain’s Serious Organised Crime Agency (Soca).&lt;br /&gt;&lt;br /&gt;Agencies in the United States are also understood to be investigating whether he was involved in similar attacks on the United States Senate, the Central Intelligence Agency and Sony by an international hacking ring called LulzSec (short for Laugh Out Loud Security). Cleary is 19 and, according to his mother, a recluse, leaving his bedroom only rarely. But for hackers, the world, the cyber world, is their oyster. They can pay you a visit, harvest your most sensitive information, and disappear without trace.&lt;br /&gt;&lt;br /&gt;For the full story please refer to: &lt;a href="http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/digital-media/8597757/Just-how-easy-is-it-to-hack-into-your-life.html"&gt;http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/digital-media/8597757/Just-how-easy-is-it-to-hack-into-your-life.html&lt;/a&gt; &lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5572418090294341686?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5572418090294341686/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5572418090294341686' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5572418090294341686'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5572418090294341686'/><link rel='alternate' type='text/html' 
href='http://twofactor.blogspot.com/2011/06/just-how-easy-is-it-to-hack-into-your.html' title='Just how easy is it to hack into your life?'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-5PnWZEFpUYY/TggzY_Fl67I/AAAAAAAAAD0/zeNPOXtHFA4/s72-c/The%2BTelegraph.bmp' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2726652273990668773</id><published>2011-03-22T09:52:00.000-07:00</published><updated>2011-03-22T10:09:04.341-07:00</updated><title type='text'>E-bay phones blog post</title><content type='html'>In conducting a recent experiment for CPP into personal data left on second hand mobile phones and SIM cards, I’ve revealed just how unaware users are of the amount and nature of personal information left on their old mobile devices – even when they feel their phone has been wiped. &lt;br /&gt;&lt;br /&gt;Due to rapid technological advances, smartphones have much more memory and capability to save personal data, increasing the risk of identity fraud to users. This threat will only increase further if people continue to store data, including credentials like usernames and passwords, on their mobile phones.  &lt;br /&gt;&lt;br /&gt;Over half of the 35 used mobile phones and 50 SIM cards analysed contained personal information on them - 247 individual pieces of data in total. The information recovered included personal and at times, highly sensitive information which, fallen into the wrong hands, could put the previous owner at direct risk of identity fraud.  
&lt;br /&gt;&lt;br /&gt;One thing that was clear from the investigation was that, perhaps unsurprisingly - due to their increasingly central role in users’ day-to-day lives - smartphones hold much more personal information about their former owner than older mobile phone models. An analysis of one smartphone alone uncovered usernames, passwords, credit card information, videos, company information, photos, email addresses and notes - certainly enough information to start a social engineering attack. For a start, a fraudster would quite easily be able to take ownership and control of the previous owner’s email account, log in to online shopping sites they had visited and purchase items fraudulently. &lt;br /&gt;&lt;br /&gt;The worrying combination is this: most mobile phones do not allow a user to totally remove all personal content or user data, and recovering deleted data from a mobile is a very simple process that can be undertaken with limited technical knowledge. For the purposes of this experiment, I used SIM card readers and software that can be easily accessed in the public domain. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;These results highlight a clear requirement for heightened awareness amongst consumers about the need for digital security on their phones.  An effective way for this threat to be reduced is by the use of Two Factor Authentication, meaning the user generates a one-time password on demand. The sooner a commodity-based authentication service is available, the sooner we are going to minimise the risk.  &lt;br /&gt;&lt;br /&gt;But until such authentication is commonplace, what can consumers do to protect themselves from passing on their personal data in their old phones or SIMs? In the first instance, never keep an old SIM card – remove it and destroy it. Also, regardless of whether they intend to sell on their mobile phone, users need to be careful not to store vast amounts of personal information on their devices. 
The less data that’s on a mobile device in the first place, the easier it will be to wipe and protect the user. Other key steps to help consumers protect themselves include: &lt;br /&gt;&lt;br /&gt;• Restore all factory settings - This is the first step to take to conduct a top-level clearance of data on the handset&lt;br /&gt;• Delete any back-ups - Even if data stored on a smartphone, PDA or laptop is securely removed from the mobile device, that’s not to say it won’t exist on a back-up elsewhere &lt;br /&gt;• Log out and delete – It’s vital to log out of social network sites accessed on the phone as well as wireless connections, company networks and applications. Once logged out, delete passwords and any wireless connections.  &lt;br /&gt;• Various passwords - The use of the same ID/password combination on multiple systems, and storage of them on mobile phones, should be avoided. If it is necessary to store these details on a phone, it’s best to try and use a picture reminder of the password.&lt;br /&gt;&lt;br /&gt;Remember, if a phone is being sold on to a retailer, it should be wiped and the SIM card destroyed. 
&lt;br /&gt;&lt;br /&gt;If you want more information on how to protect yourself or see how these experiments worked, please visit &lt;a href="http://blog.cpp.co.uk/ "&gt;CPP’s blog&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2726652273990668773?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2726652273990668773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2726652273990668773' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2726652273990668773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2726652273990668773'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2011/03/e-bay-phones-blog-post.html' title='E-bay phones blog post'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1886257572594615113</id><published>2010-10-11T14:26:00.000-07:00</published><updated>2010-10-11T14:34:03.731-07:00</updated><title type='text'>My Recent Wardrive</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_f-PeFPhc8tg/TLOCrbKQQ5I/AAAAAAAAADE/U7sa87-q_Sk/s1600/The++Last+Defense.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 295px;" 
src="http://3.bp.blogspot.com/_f-PeFPhc8tg/TLOCrbKQQ5I/AAAAAAAAADE/U7sa87-q_Sk/s320/The++Last+Defense.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5526904850250482578" /&gt;&lt;/a&gt;&lt;br /&gt;Following my report on my Wardrives around Bristol, Cardiff, London, Birmingham and Manchester I came to an interesting – and frightening – conclusion.  And there were two points to this conclusion:  firstly people rely on WEP or its derivatives far too much, and secondly the great misconception that people have about hotspots being secure.  &lt;br /&gt;&lt;br /&gt;To my first point then... WEP encryption is not the security measure people think it is.  Most do not know that cracking the encryption can be ridiculously easy; all you need is a gadget, some free software, wi-fi and a little patience.  From there it’s just a matter of capturing users’ data – their username, password and details of the website they’re accessing.&lt;br /&gt;&lt;br /&gt;And regarding the second point – with users assuming they’ll be secure when using a hotspot, I’m afraid they could have a nasty surprise one day.  A lot of hotspots have the said encryption above and, as well as cracking that encryption, there are other ways to ‘snoop’ on what people are doing – again enabling the criminal to capture their usernames and passwords.&lt;br /&gt;&lt;br /&gt;Also, do you notice that I keep mentioning that in each case above it’s the hotspot user who is the one losing their identities?  While the proliferation of free wi-fi, hotspots and criminals will not be letting up any time soon, there is one thing people can do to protect themselves – and the applications they access:  and that is to have better password protection.  
For the user it could be a longer, stronger password and for businesses who want to protect their digital assets, it could be equipping your employees with two-factor authentication.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1886257572594615113?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1886257572594615113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1886257572594615113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1886257572594615113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1886257572594615113'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/10/my-recent-wardrive.html' title='My Recent Wardrive'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f-PeFPhc8tg/TLOCrbKQQ5I/AAAAAAAAADE/U7sa87-q_Sk/s72-c/The++Last+Defense.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1845134615481655527</id><published>2010-08-01T13:46:00.000-07:00</published><updated>2010-08-01T14:53:15.415-07:00</updated><title type='text'>My response to a recent article in the Telegraph</title><content type='html'>&lt;a 
href="http://4.bp.blogspot.com/_f-PeFPhc8tg/TFXsxXBz_xI/AAAAAAAAACc/-AJOjrUCj_8/s1600/face_1612572c.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 200px; height: 125px;" src="http://4.bp.blogspot.com/_f-PeFPhc8tg/TFXsxXBz_xI/AAAAAAAAACc/-AJOjrUCj_8/s200/face_1612572c.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5500562852642291474" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;Man who published details of 100m Facebook users 'learning how to break passwords'&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;http://www.telegraph.co.uk/technology/facebook/7917373/Facebook-security-fears-after-private-details-of-100m-users-leaked-to-web.html&lt;br /&gt;&lt;br /&gt;With regard to the Facebook security fears after 'private details of 100m users leaked to web'. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;I wanted to respond very definitely to this: nothing makes a password truly secure!&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Static passwords are fundamentally insecure and signify the biggest security threat facing organisations today. Readily available software such as invisible keyloggers allows hackers to capture every name and password of any user on a network. &lt;br /&gt;&lt;br /&gt;Invisible keyloggers have the capability to override the latest security software in order to steal user names and passwords, no matter how long or complex the user makes them. Hackers can and do use this software to extract and manipulate information from users’ e-mail addresses, social media accounts and even IT networks protected by a secure encryption protocol. 
&lt;br /&gt;&lt;br /&gt;Passwords are the softest security target and until people and organisations start adopting strong authentication in the form of, for instance, two-factor authentication, this problem won’t go away.&lt;br /&gt;&lt;br /&gt;Worryingly, only a small per cent of businesses use 2FA.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Businesses of all sizes have to start getting their heads out of the clouds and replace static passwords with two-factor authentication&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1845134615481655527?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1845134615481655527/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1845134615481655527' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1845134615481655527'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1845134615481655527'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/08/my-response-to-recent-article-in.html' title='My response to a recent article in the Telegraph'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_f-PeFPhc8tg/TFXsxXBz_xI/AAAAAAAAACc/-AJOjrUCj_8/s72-c/face_1612572c.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5761378114425197098</id><published>2010-06-18T14:38:00.000-07:00</published><updated>2010-08-01T14:58:28.615-07:00</updated><title type='text'>Tutorial 1 - Hacking The Email Password of a Pop Account</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_f-PeFPhc8tg/TFXt-MpnwWI/AAAAAAAAACk/vBr50H3qGxk/s1600/300_password0.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 185px; height: 200px;" src="http://3.bp.blogspot.com/_f-PeFPhc8tg/TFXt-MpnwWI/AAAAAAAAACk/vBr50H3qGxk/s200/300_password0.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5500564172706398562" /&gt;&lt;/a&gt;&lt;br /&gt;Tutorial 1 - Hacking The Email Password of a Pop Account&lt;br /&gt;&lt;br /&gt;I'm going to get straight into the first, and simplest attack you can carry out with Cain: Acquiring someone's email pop account password.&lt;br /&gt;&lt;br /&gt;1. You need to be on the wireless network of the computer you are targeting.&lt;br /&gt;&lt;br /&gt;2. You need to have Cain's configuration set up as in Tutorial 1.&lt;br /&gt;&lt;br /&gt;3. The target must not be using ssl-pop (this is very unusual so you should be fine).&lt;br /&gt;&lt;br /&gt;The following is a step by step guide to capturing the pop password (a lot of the early steps will be used for further tutorials):&lt;br /&gt;Open Cain and go to the 'Sniffer' tab along the top row. Make sure you also turn on the sniffer, using the icon in the top left which looks like a little network card.&lt;br /&gt;Right click in the empty grid below and select 'Scan Mac Addresses'. Choose 'All hosts in my subnet'.&lt;br /&gt;A list of IPs, MAC addresses, computer names and (empty) user names will appear. If you know the computer name you want to target, great. 
If you need the user name however, simply right click on the computer you are interested in and select 'Resolve Host Name'.&lt;br /&gt;Now you are ready to begin ARP poisoning your target. There are many explanations of poisoning but I will not go into it in detail here as it will detract from the tutorial. Essentially, you are telling the server that you are the target's computer, while telling the target that you are the server. In this way all traffic from the target is passed through you before reaching the server...and vice versa.&lt;br /&gt;Click on the APR tab along the bottom left row of icons.&lt;br /&gt;Make sure your mouse cursor clicks in the top one of the two empty grids. Then click on the blue plus arrow on the top row of icons.&lt;br /&gt;You will be presented with a list of IPs, MACs and names in the left grid. Select the one which corresponds to your server, usually called 'Home' or the name of your internet provider's router. It should stand out.&lt;br /&gt;Then in the right hand grid, select the computer you want to target. Click OK.&lt;br /&gt;To begin ARP poisoning your target, click on the radiation type symbol in the top left, next to the sniffer symbol - which you will have turned on a while back.&lt;br /&gt;You should now see traffic begin to accumulate in the grid underneath - if there isn't any then either your target is on a sneaky break and turned off their computer, or perhaps you have not selected the correct device as in Tutorial 1.&lt;br /&gt;All that now remains is to wait until your target either checks their email through Outlook (or similar like thunderbird etc) or sends an email.&lt;br /&gt;Now click on the tab called 'Passwords' on the bottom row. 
You will probably see lots of http entries popping up - don't worry about these for now.&lt;br /&gt;Watch the 'pop3' and 'smtp' entries (you don't have to sit and watch constantly, you might get a bit bored!).&lt;br /&gt;Sooner or later an entry will appear in one or both of those fields. It will contain the username and password of the pop email account.&lt;br /&gt;This method has been tried and tested on many occasions as part of our network security probes. It's worked every time, and usually very fast, as people like to check their emails often.&lt;br /&gt;&lt;br /&gt;As with any of these posts, if you are having trouble, leave a comment here and I will reply to you as soon as possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5761378114425197098?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5761378114425197098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5761378114425197098' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5761378114425197098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5761378114425197098'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/06/tutorial-1-hacking-email-password-of.html' title='Tutorial 1 - Hacking The Email Password of a Pop Account'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f-PeFPhc8tg/TFXt-MpnwWI/AAAAAAAAACk/vBr50H3qGxk/s72-c/300_password0.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-7624154164363708184</id><published>2010-06-18T13:59:00.000-07:00</published><updated>2010-08-01T14:59:51.702-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video'/><title type='text'>Jason Hart - his live 'hack me' challenge!</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_f-PeFPhc8tg/TFXuUq3Np_I/AAAAAAAAACs/ohJNN2xRja4/s1600/2009_Summit_6.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 200px; height: 120px;" src="http://3.bp.blogspot.com/_f-PeFPhc8tg/TFXuUq3Np_I/AAAAAAAAACs/ohJNN2xRja4/s200/2009_Summit_6.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5500564558773594098" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;object width="400" height="220"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=7181449&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=7181449&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="220"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;p&gt;&lt;a href="http://vimeo.com/7181449"&gt;Jason Hart - his live 'hack me' challenge!&lt;/a&gt; from &lt;a href="http://vimeo.com/ecrime"&gt;e-Crime Wales&lt;/a&gt; on &lt;a href="http://vimeo.com"&gt;Vimeo&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/4674411572464983266-7624154164363708184?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/7624154164363708184/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=7624154164363708184' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7624154164363708184'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7624154164363708184'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/06/jason-hart-his-live-hack-me-challenge.html' title='Jason Hart - his live &apos;hack me&apos; challenge!'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f-PeFPhc8tg/TFXuUq3Np_I/AAAAAAAAACs/ohJNN2xRja4/s72-c/2009_Summit_6.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5036382965117508712</id><published>2010-06-17T22:20:00.000-07:00</published><updated>2010-06-18T14:22:59.147-07:00</updated><title type='text'>An insight into work of the hacker.</title><content type='html'>With recent news that hackers have attacked the German e-crime site Carders.cc, resulting in members’ details being posted online, now seems a good time to look at just how hackers go about their business…&lt;br /&gt;&lt;br /&gt;In a desire to reduce risk and meet compliance and audit requirements, companies invest in 
security technologies including firewalls, anti-virus and anti-spy/spam. The smart ones also implement security policies and controls in an effort to protect their network, assets, and business.  Unfortunately all this can be defeated instantly because hackers too are harnessing new methodologies, technologies and resources.  Hackers will try the easy route first, looking for the weakest links in your network, such as an out of date OS, an un-patched web server, or default configurations. But the easiest by far is getting your password.&lt;br /&gt; &lt;br /&gt;While usernames are used in conjunction with passwords, they cannot realistically protect your data or business. Companies assign usernames systematically, often using standard first name/last name formats, making it a breeze for a hacker to find or guess a username. All that is left to protect your system is a vulnerable password, and because such entry is ‘authorised’ there will be no sign of forced entry, and little chance of an alarm being raised: the biggest and most invisible threat facing us all. So, how exactly do hackers go about getting passwords?&lt;br /&gt;&lt;br /&gt;The methods range from the ridiculously simple to highly technical.  Guessing the password is ridiculously simple.   A recent study of 32 million passwords showed just how ‘guessable’ passwords can be. ‘123456’ was in first position with ‘Password’ at fourth, and nearly 50% of users used names, slang words, dictionary words, or trivial passwords using consecutive digits, adjacent keyboard keys etc. A quick web search will present a hacker with a handy list. &lt;br /&gt;&lt;br /&gt;Hackers rely on continued use of the password because it is so weak. Phishing and phasing attacks use “dummy” web sites to trick users into providing passwords and personal details. 
Social networks are now firmly established as a great resource for hackers who see them as the best Social Engineering Hacking tool.&lt;br /&gt;&lt;br /&gt;A more technical approach may involve the use of traditional keyloggers and sniffing programs, and all are available free on the internet. Typing ‘Password Hacking’ into YouTube will return over six thousand videos demonstrating the password hack and so even the novice is off to work. With passwords so discredited, there are three key things to consider in response. &lt;br /&gt;&lt;br /&gt;1. Password best practices state:&lt;br /&gt;&lt;br /&gt;• They should contain at least eight characters&lt;br /&gt;• They should contain a mix of four different types of characters - upper case letters, lower case letters, numbers, and special characters.  If there is only one letter or special character, it should not be either the first or last character in the password.&lt;br /&gt;• They should not be a name, a slang word, or a dictionary word. Neither should they include part of your name or e-mail address.&lt;br /&gt;• Passwords should be changed every 30 – 90 days&lt;br /&gt;&lt;br /&gt;2. Check your infrastructure for unnecessary or out of date bug-riddled network devices, services, or applications.  Conduct a regular network audit.&lt;br /&gt;&lt;br /&gt;3. Educate users on password security, social engineering threats and some of the latest trends. They are users, not security specialists.  Do they know all of the above?  Do they know not to use the same password across their social and business applications? You have a duty of care.&lt;br /&gt;&lt;br /&gt;Good password practice will help, but two-factor authentication takes it to a new, much more secure level.  Providing users with a PIN and a token which generates a one-time password, valid for a single use, will deprive hackers of their quiet and invisible entry into your network. 
Through a combination of implementing best practice, keeping your network infrastructure robust, and employees educated, the hacker risk can be mitigated and your confidentiality and integrity maintained.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5036382965117508712?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5036382965117508712/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5036382965117508712' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5036382965117508712'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5036382965117508712'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/06/insight-into-work-of-hacker.html' title='An insight into work of the hacker.'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-9048652663216975544</id><published>2010-02-18T15:47:00.000-08:00</published><updated>2010-02-20T15:20:15.707-08:00</updated><title type='text'>Cloud Security</title><content type='html'>Cloud computing is one of the most significant buzzwords in technology today. It provides organisations with access to applications and infrastructure, as and when it is needed, and without having to make upfront investments in software, or indeed the hardware to run it on. 
It provides the benefits of paying a predictable monthly charge (Opex) and makes access to technology services infinitely easier for organisations that may otherwise have struggled with the implementation, ongoing management and scalability problems, let alone the capital investment (Capex).&lt;br /&gt;&lt;br /&gt;There is, however, a but: many Cloud-based services available today can often lack the appropriate level and type of security protection required to prevent hackers accessing sensitive data stored, accessed, and transported through the Cloud. Even organisations that have shown a reluctance to take up Cloud computing may actually be using services based in the Cloud without realising it. For example, applications such as Salesforce and Google apps are Cloud-based, as are social networking services, including Twitter and LinkedIn.&lt;br /&gt;&lt;br /&gt;Industry experts express concern that businesses joining the Cloud computing bandwagon to benefit from its impressive repertoire of benefits may not be making an appropriate and necessary review of its impact on existing security policies. As one who focuses on security and was once an ethical hacker, I am concerned that moves to a virtual world, using Cloud-based technologies, could end up being a disaster unless businesses act fast. My concern centres on the number of vendors and providers who frankly are only paying lip service to security and are more caught up in the hype than the reality. Every service or platform I look at is still only secured by a traditional password, and that is just not sufficient to keep hackers at bay, and to guarantee confidentiality or integrity; consider the recent attacks on Twitter…&lt;br /&gt;&lt;br /&gt;Because Cloud computing represents a revolution in IT management, it is a paradigm shift and this makes it even more critical that businesses review their security policies again. 
With more than 223 million records containing sensitive material compromised since 2005, according to Data Breach DB, a clearing house for data breach information, and the more recent attacks on Twitter in July 2009, businesses must make Cloud security a new priority.&lt;br /&gt;&lt;br /&gt;The easiest way to conduct fraud online is through stealing a valid user name and password using tools like key loggers or old-fashioned social engineering. You wouldn’t even know it had happened. Organisations need to review security policies and ensure that they are adequately protected. On average it takes less than a minute to gain someone’s username and password. There are many technology tools available today, as well as complementary services to boost security. We need to remember that business is about people, processes and technology and it is essential that all users are aware of the dangers and how to mitigate them. I strongly recommend that businesses take some simple and immediate steps to counter the threat of identity theft and hacking, and go through a process to ensure their data, their business, and their future are as secure in the Cloud as they should be in the Enterprise.&lt;br /&gt;&lt;br /&gt;My recommendations for improving cloud security&lt;br /&gt;&lt;br /&gt;1. Teach all end users safe internet skills&lt;br /&gt;2. Perform a detailed vulnerability assessment&lt;br /&gt;3. Ensure anti-virus protection is current and kept up to date on all devices&lt;br /&gt;4. Use a firewall to protect every point in the organisation&lt;br /&gt;5. Use VPN technology for secure connections and encryption for all information on portable devices&lt;br /&gt;6. 
Deploy strong authentication for remote users, requiring a strong password, PIN, and separate token&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-9048652663216975544?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/9048652663216975544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=9048652663216975544' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/9048652663216975544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/9048652663216975544'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/02/cloud-security.html' title='Cloud Security'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2411589484151988143</id><published>2010-01-21T12:02:00.000-08:00</published><updated>2010-02-21T12:05:27.542-08:00</updated><title type='text'>Maximising Margins in Security and Convergence</title><content type='html'>123456 why Passwords don't work and why customers are moving to services and 2FA and Living Hacking Demo&lt;br /&gt;&lt;br /&gt;Sandown Park Race Course, 23rd February&lt;br /&gt;York Race Course, 25th February&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2411589484151988143?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2411589484151988143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2411589484151988143' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2411589484151988143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2411589484151988143'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/02/maximising-margins-in-security-and.html' title='Maximising Margins in Security and Convergence'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-8251426554637519238</id><published>2010-01-01T16:04:00.000-08:00</published><updated>2010-08-01T16:17:14.388-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Downloads'/><title type='text'>Welcome to my Master Class Series.</title><content type='html'>Please feel free to download and read my Master Class Series that goes beyond technology and product.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;In this edition I see whether an SSL VPN is really secure.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=100% height=560px frameborder=0 
src=http://docs.google.com/gview?a=v&amp;pid=explorer&amp;chrome=false&amp;api=true&amp;embedded=true&amp;srcid=0B81yLg3U7EsSZDA0YjliYWItMDQ2MC00ZmNkLWJmYWEtMTA0YWVlNDI3OTVi&amp;authkey=CPbKy4AN&amp;hl=en&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Looking at the increasing buzz around federated ID&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=100% height=560px frameborder=0 src=http://docs.google.com/gview?a=v&amp;pid=explorer&amp;chrome=false&amp;api=true&amp;embedded=true&amp;srcid=0B81yLg3U7EsSNmQ4NDI0MmQtNjVmZi00YmM5LTlhZWUtZTlhMDgyNTQwMDhk&amp;authkey=CMT5q90H&amp;hl=en&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Looking at identities at risk.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=100% height=560px frameborder=0 src=http://docs.google.com/gview?a=v&amp;pid=explorer&amp;chrome=false&amp;api=true&amp;embedded=true&amp;srcid=0B81yLg3U7EsSODdjZjEwY2QtNjQ2OC00NjRlLWFhM2ItN2UwMTkyYTFlNGRj&amp;authkey=CITkppkL&amp;hl=en&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-8251426554637519238?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/8251426554637519238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=8251426554637519238' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8251426554637519238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8251426554637519238'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/01/wecolme-to-me-master-class-series.html' title='Wecolme to my  Master Class Series.'/><author><name>Jason 
Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-18764019971646224</id><published>2010-01-01T12:19:00.000-08:00</published><updated>2010-08-01T16:23:53.633-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Articles'/><title type='text'>My Recent Articles in the Press</title><content type='html'>&lt;strong&gt;What do you need to do today to achieve security?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe width=100% height=560px frameborder=0 src=http://docs.google.com/gview?a=v&amp;pid=explorer&amp;chrome=false&amp;api=true&amp;embedded=true&amp;srcid=0B81yLg3U7EsSYTc2YjZkZDctZjFlOS00NWU0LTg3NzQtZGIwMWI5MjE5ZGJl&amp;authkey=CMKX9a0M&amp;hl=en&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-18764019971646224?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/18764019971646224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/18764019971646224'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/01/presentations.html' title='My Recent Articles in the Press'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-3194188451385266828</id><published>2010-01-01T11:39:00.000-08:00</published><updated>2010-02-21T12:15:04.147-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Events'/><title type='text'>Events</title><content type='html'>Please click on the Link Below to see a list of all the events that I am due to present at:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twofactor.blogspot.com/p/events_21.html"&gt;http://twofactor.blogspot.com/p/events_21.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-3194188451385266828?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/3194188451385266828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=3194188451385266828' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3194188451385266828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3194188451385266828'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/02/test_21.html' title='Events'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-8698507816175274129</id><published>2009-10-21T13:25:00.000-07:00</published><updated>2010-02-21T13:26:45.001-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video'/><title type='text'>e-Crime Wales Summit 2009 Highlights</title><content type='html'>&lt;object width="560" height="340"&gt;&lt;param name="movie" value="http://www.youtube.com/v/5SE7sPhHZHc&amp;hl=en_GB&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/5SE7sPhHZHc&amp;hl=en_GB&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-8698507816175274129?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8698507816175274129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8698507816175274129'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/10/e-crime-wales-summit-2009-highlights.html' title='e-Crime Wales Summit 2009 Highlights'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-81207188116026268</id><published>2009-10-21T13:22:00.000-07:00</published><updated>2010-02-21T13:23:36.433-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video'/><title type='text'>Creative Industries Workshop - Video</title><content type='html'>&lt;object width="400" height="220"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=6742622&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=6742622&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="220"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;p&gt;&lt;a href="http://vimeo.com/6742622"&gt;Jason Hart: CRYPTOcard - Creative Industries Workshop&lt;/a&gt; from &lt;a href="http://vimeo.com/ecrime"&gt;e-Crime Wales&lt;/a&gt; on &lt;a href="http://vimeo.com"&gt;Vimeo&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-81207188116026268?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/81207188116026268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/81207188116026268'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/10/creative-industries-workshop-video.html' title='Creative Industries Workshop - 
Video'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2978258378718412227</id><published>2009-10-21T13:18:00.000-07:00</published><updated>2010-02-21T13:19:56.380-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video'/><title type='text'>Interactive Q&amp;A Session - Video</title><content type='html'>Ecrime Q&amp;amp;A&lt;br /&gt;&lt;br /&gt;&lt;a href="http://streamingportal.multistream.co.uk/ecrimewales2009/eng_webcast_pres07.htm"&gt;http://streamingportal.multistream.co.uk/ecrimewales2009/eng_webcast_pres07.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2978258378718412227?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2978258378718412227/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2978258378718412227' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2978258378718412227'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2978258378718412227'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/10/interactive-q-session-video.html' title='Interactive Q&amp;A Session - Video'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2829475889214554852</id><published>2009-10-21T13:15:00.000-07:00</published><updated>2010-02-21T13:18:01.194-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video'/><title type='text'>The many faces of e-Crime Video</title><content type='html'>The many faces of e-Crime, what are the risks to small businesses&lt;br /&gt;&lt;a href="http://streamingportal.multistream.co.uk/ecrimewales2009/eng_webcast_pres05.htm"&gt;http://streamingportal.multistream.co.uk/ecrimewales2009/eng_webcast_pres05.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2829475889214554852?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2829475889214554852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2829475889214554852'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/10/many-faces-of-e-crime.html' title='The many faces of e-Crime Video'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2793653955994748641</id><published>2009-07-29T14:52:00.000-07:00</published><updated>2009-07-29T15:30:12.687-07:00</updated><title type='text'>Influenza A H1N1 and strong authentication?</title><content type='html'>&lt;a 
href="http://3.bp.blogspot.com/_f-PeFPhc8tg/SnDNaKUA4-I/AAAAAAAAAA8/HXLUruyUCkQ/s1600-h/H1N1.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5364013005526852578" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 131px; CURSOR: hand; HEIGHT: 112px" alt="" src="http://3.bp.blogspot.com/_f-PeFPhc8tg/SnDNaKUA4-I/AAAAAAAAAA8/HXLUruyUCkQ/s400/H1N1.JPG" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;div&gt;What is the relationship between influenza and strong authentication? – “Remote Working”&lt;br /&gt;&lt;br /&gt;Or, in techie speak, the implementation of a remote access solution! If you follow government or business forums, you will see that they recommend implementing a number of measures. So what?&lt;br /&gt;&lt;br /&gt;One of the measures being described is the implementation of remote working solutions to enable working from home.&lt;br /&gt;&lt;br /&gt;In all cases, no one is highlighting the risk of someone gaining access to remote access systems with a weak username and password. So here's a clarification. Today there are a lot of remote access technologies, such as SSL VPN, IPsec VPN, Citrix, etc.&lt;br /&gt;&lt;br /&gt;But we have a big problem: businesses have to and should use Two Factor Authentication. But, you say, can't I just use a username and static password? Technically yes!&lt;br /&gt;&lt;br /&gt;But do you think this is a good idea? The risks are far too GREAT. It is so easy to steal or guess someone’s password. 
Please refer to a number of my blog postings on stealing passwords.&lt;br /&gt;&lt;br /&gt;The answer is very simple: use Two Factor Authentication.&lt;br /&gt;&lt;br /&gt;I think the next time the implementation of remote access is undertaken, businesses should think twice or consider MAS ICE by CRYPTOCard.&lt;br /&gt;&lt;br /&gt;What is the bigger risk to your business: H1N1, or an invisible person on your network stealing all of your IP?&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2793653955994748641?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2793653955994748641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2793653955994748641' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2793653955994748641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2793653955994748641'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/07/influenza-h1n1-and-strong.html' title='Influenza A H1N1 and strong authentication?'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f-PeFPhc8tg/SnDNaKUA4-I/AAAAAAAAAA8/HXLUruyUCkQ/s72-c/H1N1.JPG' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6217095842417196729</id><published>2009-07-28T12:57:00.000-07:00</published><updated>2009-07-28T13:00:38.997-07:00</updated><title type='text'>Sexy Technology</title><content type='html'>&lt;div align="left"&gt;&lt;span style="font-family:arial;"&gt;Some information that I thought you might find useful..&lt;br /&gt;&lt;br /&gt;Please see the following article:- &lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;a href="http://searchsecurity.techtarget.co.uk/news/article/0,289142,sid180_gci1362723,00.html?track=NL-988&amp;amp;ad=717543&amp;amp;asrc=EM_NLT_8797460&amp;amp;uid=8792533"&gt;&lt;span style="font-family:arial;"&gt;http://searchsecurity.techtarget.co.uk/news/article/0,289142,sid180_gci1362723,00.html?track=NL-988&amp;amp;ad=717543&amp;amp;asrc=EM_NLT_8797460&amp;amp;uid=8792533&lt;/span&gt;&lt;/a&gt;&lt;a href="http://searchsecurity.techtarget.co.uk/news/article/0,289142,sid180_gci1362723,00.html?track=NL-988&amp;amp;ad=717543&amp;amp;asrc=EM_NLT_8797460&amp;amp;uid=8792533"&gt;&lt;span style="font-family:arial;"&gt; &lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Even Twitter has issues with passwords – which I am sure we will see them address very soon – so customers are not alone:- "It's easy to be seduced by sexy technology, but if your password is compromised, then your security is blown."&lt;br /&gt;&lt;br /&gt;The article highlights the need for two factor authentication and also puts forward a really good sales tactic:- "Smart CISOs could use a move to cloud computing as a good reason to ask for budget to introduce two-factor authentication."&lt;br /&gt;&lt;br /&gt;Shame he did not mention that the ideal solution is cloud based authentication – never mind&lt;/span&gt;&lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6217095842417196729?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6217095842417196729/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6217095842417196729' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6217095842417196729'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6217095842417196729'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/07/sexy-technology.html' title='Sexy Technology'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2569279501841937636</id><published>2009-06-25T03:36:00.000-07:00</published><updated>2009-06-25T03:37:12.217-07:00</updated><title type='text'>UK cyber security</title><content type='html'>“It is certainly welcome that cyber security is being given a higher level of attention at Cabinet, something that has been long overdue. What is sometimes frustrating for those of us in the industry is that security is a relatively easy thing to get right if effective frameworks are in place. 
This includes a robust legislative framework and the educational framework to promote exemplary information security practice throughout both the public and private sectors.&lt;br /&gt;&lt;br /&gt;Awareness is the key, with ensuring that all businesses are made aware of the simplicity of gaining access to information a priority. The rise of social networking is one key development that raises many security issues, which must be carried out safely by staff and citizens alike. These are the wider issues that need to be met by Government, away from the blitz of announcements and initiatives.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2569279501841937636?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2569279501841937636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2569279501841937636' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2569279501841937636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2569279501841937636'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/06/uk-cyber-security.html' title='UK cyber security'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5658420300628803086</id><published>2009-02-20T08:31:00.001-08:00</published><updated>2009-02-20T08:31:44.285-08:00</updated><title type='text'>Let me ask you one simple question:</title><content type='html'>“How do you weigh up IT Security costs in your organisation?”&lt;br /&gt;&lt;br /&gt;Sometimes, it's not just a number on an invoice. If your company suffered a malicious attack from a fraudster who stole important data or brought down critical business systems, what would be the full cost to the business?&lt;br /&gt;&lt;br /&gt;To start with, there are the expenses of legal fees, call centers and lost employee productivity. There are also regulatory fines, a fall in share prices and customer losses to consider.&lt;br /&gt;The fact is that the loss of sensitive data can have a debilitating effect on an organization's bottom line, especially if it is ill-prepared. A Forrester report published last year estimated the cost to be between $90 and $305 per record lost, which does not include additional marketing activities and discounts offered to rebuild customer loyalty. There are weekly media reports of these e-crimes. A Best Western Hotel was a recent case. Whilst the security breach has been closed, the aftershock from this data loss goes beyond those whose personal data could have been compromised. Only 10 people affected?&lt;br /&gt;&lt;br /&gt;How confident would you be about booking your next stay with them? 
So whilst departmental heads are looking to trim pounds off their budgets due to the economic climate, reducing your IT security budget to zero may cost more than you think.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5658420300628803086?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5658420300628803086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5658420300628803086' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5658420300628803086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5658420300628803086'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/02/let-me-ask-you-one-simple-question_20.html' title='Let me ask you one simple question:'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5356635996831143175</id><published>2009-02-20T08:10:00.000-08:00</published><updated>2009-02-20T08:11:22.500-08:00</updated><title type='text'>Let me ask you one simple question:</title><content type='html'>“Do you know the difference between Identity and Authentication?” Actually this can be quite a hard question to answer, but put simply, identity is the state or fact of being the same one as described, whereas authentication is to establish as genuine the facts presented. 
Clear as mud, I'm sure!&lt;br /&gt;&lt;br /&gt;So here's an example to help you: James Brown has a key to unlock and drive his car. The car can be unlocked as he approaches his car but only by his key. However, if Joe loses his key in the car park, whoever finds it has the ability to unlock and drive that car...and could even copy that key. What has happened here is that the key provides an identity the car recognises or "fact of being the same." It has no way of questioning the validity of the user within the request.&lt;br /&gt;Can you imagine if all you had for your bank account was your cash card, or to log on to your laptop, was a username? This is why PINs and passwords are used to form part of the authentication process, but all too often we make them useless by simplifying them, writing them down or even letting others know them!&lt;br /&gt;&lt;br /&gt;This is why two-factor authentication is not only becoming increasingly popular but standard for a growing number of industries and organisations serious about authentication. 
So if James Brown's laptop that was in the back of his car was protected with 2FA, the 'new owner' would have to know his user name, PIN and have his password token to 'be him' in order to authenticate to the server.&lt;br /&gt;&lt;br /&gt;The benefits of authentication over identity are clear.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5356635996831143175?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5356635996831143175/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5356635996831143175' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5356635996831143175'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5356635996831143175'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2009/02/let-me-ask-you-one-simple-question.html' title='Let me ask you one simple question:'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-7644477919305582558</id><published>2008-03-18T06:54:00.000-07:00</published><updated>2008-03-18T06:56:12.617-07:00</updated><title type='text'>We Must Not Forget Older Methods of ID Theft</title><content type='html'>These days, everyone has been indoctrinated to believe that ID theft can only occur over the Internet.&lt;span style=""&gt;  &lt;/span&gt;But let us not 
forget some older (yet still effective) methods of ID theft.&lt;span style=""&gt;  &lt;/span&gt;Fraudsters can victimize individuals if their wallet, credit card, or chequebook has been stolen or lost.&lt;span style=""&gt;  &lt;/span&gt;Also, there has been a resurgence of telephone fraud powered by VoIP and there is still a threat, albeit small, that you can lose your identity through postal mail.&lt;span style=""&gt;  &lt;/span&gt;Everyone should keep important cards out of their wallet and in a safe place, as well as report lost or stolen credit cards &lt;i style=""&gt;immediately.&lt;span style=""&gt;  &lt;/span&gt;&lt;/i&gt;Those are just a few tips on how to secure your world in addition to protecting your digital assets.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-7644477919305582558?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/7644477919305582558/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=7644477919305582558' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7644477919305582558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7644477919305582558'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/03/we-must-not-forget-older-methods-of-id.html' title='We Must Not Forget Older Methods of ID Theft'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1680280850257308273</id><published>2008-02-20T16:07:00.000-08:00</published><updated>2010-02-20T16:11:28.126-08:00</updated><title type='text'></title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_f-PeFPhc8tg/S4B54NwgQQI/AAAAAAAAACM/gkMr9tlx1f8/s1600-h/Jason_1.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 148px; height: 200px;" src="http://3.bp.blogspot.com/_f-PeFPhc8tg/S4B54NwgQQI/AAAAAAAAACM/gkMr9tlx1f8/s200/Jason_1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5440482356536295682" /&gt;&lt;/a&gt;&lt;br /&gt;As a former ethical hacker with seventeen years' experience in the Information Security industry, Jason has used his knowledge and expertise to create technologies that ensure organisations stay one step ahead of the security game.  Jason continues to raise the profile of Information Security risks and solutions, including the introduction of the term CSO (Chief Security Officer) within business. &lt;br /&gt;&lt;br /&gt;Jason has published articles and white papers and has appeared on BBC, ITV, CNN, and CNBC as well as Radio 5 and BBC World News.  His expertise has been cited in Time, SC, InfoSec, Computing and Computer Weekly magazines and in the FT, Guardian, Times and Evening Standard.  &lt;br /&gt;&lt;br /&gt;Prior to CRYPTOCard, Jason held senior positions within a number of organizations, including Ernst &amp; Young's Information Security Assurance and Advisory Services practice. Jason has created and developed entire security frameworks as well as Information Security Assessment Methodology. 
Clients have included NHS, Government, as well as a large number of FTSE 100 organizations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1680280850257308273?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1680280850257308273/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1680280850257308273' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1680280850257308273'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1680280850257308273'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2010/02/as-former-ethical-hacker-with-seventeen.html' title=''/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_f-PeFPhc8tg/S4B54NwgQQI/AAAAAAAAACM/gkMr9tlx1f8/s72-c/Jason_1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-8822995078762290174</id><published>2008-02-18T04:31:00.001-08:00</published><updated>2008-02-18T04:31:47.400-08:00</updated><title type='text'>Have you been mis-sold security?</title><content type='html'>Information security does not need to be complicated in order to be robust, nor does simplicity equate to an inferior defence. 
So, have you been mis-sold security?&lt;br /&gt;&lt;br /&gt;A lot of the hyperbole stemming from many info security vendors suggests that, in order to be secure, you’ll need to re-mortgage your company premises to upgrade to the biggest, shiniest IT security infrastructure. The simple fact of the matter is that securing business-critical information, be it customer details, financial records or strategic data, boils down to one thing – access.&lt;br /&gt;&lt;br /&gt;Aside from the technological argument, an equally important consideration to make when strengthening IT security is cost. Because IT security has no measurable ROI, with cost justifications made instead on the ability to avoid losing money or damaging reputation, prudence is desirable when making a security investment. I for one would argue that almost all security threats could be averted with only three things: antivirus software, a firewall and some form of two-factor authentication, the latter being the most critical because if you can retain control over access you are, by default, secure.&lt;br /&gt;&lt;br /&gt;This is why the continued use of static passwords as the last bastion of information security, and the final word in determining user privileges and administrator access, represents a significant weakness to business defences. More companies are adopting or improving ICT process, specifically by providing remote access services to help them realise operational and competitive efficiencies for their business or to meet flexible working practice regulations. This is particularly important for SMEs, which account for over 99% of all UK companies and are the real growth area for remote access services. These changes mean that companies are opening more doors to their data and so the threat posed by malicious individuals and organised criminal gangs grows exponentially. 
They have access to the tools and intellect needed to launch brute-force attacks, create and disseminate key loggers, as well as myriad other password cracking or harvesting methods, to which static passwords represent merely a speed bump, not a roadblock.&lt;br /&gt;&lt;br /&gt;For this reason, the cliché that “a chain is only as strong as its weakest link” is synonymous with budget-sapping IT security projects. Relying on an archaic access control mechanism not only goes against any best practice considerations, but is also downright foolhardy. As is often the case, the financial sector realised this fact early on, particularly on the retail banking side of things, and is now adopting strong two-factor authentication (2FA). This is visible in the form of both the ubiquitous Chip&amp;amp;PIN, and issuing one-time-password generators to online banking customers.&lt;br /&gt;&lt;br /&gt;With 2FA the one-time passwords, generated every single time a user needs to log in, quash any attempts made by a hacker or unauthorised user to gain access to networks, applications and vital business information as they can’t be gleaned via a keylogger and can never be guessed due to their incoherent nature.&lt;br /&gt;&lt;br /&gt;The reason that any security measures, no matter how elaborate and innovative, are prone to failure is because they are still reliant on those easy to crack, often predictable, strings of characters. To illustrate this point it is worth taking a trip back in time to the 1950s, when there were just five computers in operation. Aside from being protected by all manner of physical defences, should a potential saboteur get through, they would be faced with the prospect of having to guess a password. Back then this was an effective and innovative line of defence.&lt;br /&gt;&lt;br /&gt;However, as time advances so too does the actual and perceived threat. With the advent of firearms, the sword and spear became obsolete as an army’s only tool for defence. 
To keep ahead of the online arms race we too need to discard untenable security measures to avoid having to learn from our mistakes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-8822995078762290174?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/8822995078762290174/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=8822995078762290174' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8822995078762290174'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/8822995078762290174'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/02/have-you-been-mis-sold-security.html' title='Have you been mis-sold security?'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2150681603250279732</id><published>2008-02-12T07:00:00.000-08:00</published><updated>2008-02-12T07:01:42.879-08:00</updated><title type='text'>UK .gov Site Hacked</title><content type='html'>Last week, a number of UK government websites got hacked.  Yes, you read that right, UK government sites have been hacked.  Interestingly enough, one of the sites was pointed to BBC’s website after the hack.  This alludes to the idea that this was more of a deliberate hack and not random.  
I urge your organization to consider increasing your security measures.  With hacks becoming more deliberate and targeted, every organization requires the security to stymie every attempt.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2150681603250279732?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2150681603250279732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2150681603250279732' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2150681603250279732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2150681603250279732'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/02/uk-gov-site-hacked.html' title='UK .gov Site Hacked'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6767495232605695210</id><published>2008-01-31T10:07:00.000-08:00</published><updated>2008-01-31T10:09:00.594-08:00</updated><title type='text'>U.S. Government Requests to Spend $6 Billion on Security</title><content type='html'>A few days ago, the Bush administration announced a plan to  spend $6 billion in a year on cyber security.  With the amount of debt the U.S.  government has racked up over the years, some would say this is unreasonable.   
On the other hand, with cyber threats continually evolving and becoming more  threatening (as we have seen in France), some say $6 billion may not be enough.   What are your thoughts on this?  Is the Bush administration making the right  move?  Where should encryption, 2FA, firewalls, etc. fall into this proposed  spending?  Please post your thoughts…  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6767495232605695210?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6767495232605695210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6767495232605695210' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6767495232605695210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6767495232605695210'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/01/us-government-requests-to-spend-6.html' title='U.S. 
Government Requests to Spend $6 Billion on Security'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6823599917729021610</id><published>2008-01-29T06:48:00.000-08:00</published><updated>2008-01-29T06:49:36.925-08:00</updated><title type='text'>Manchester airport first to implement iris recognition</title><content type='html'>&lt;span class="underlinelinks"&gt;Manchester has implemented what it  claims is the UK's first biometric access control system based on iris  recognition. The system officially went live just before Christmas, and is used  to control access to secure parts of the airport for airport workers.  Click &lt;a title="blocked::http://www.techworld.com/security/news/index.cfm?RSS&amp;amp;NewsID=11211" href="http://www.techworld.com/security/news/index.cfm?RSS&amp;amp;NewsID=11211"&gt;here&lt;/a&gt;  to find out more.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6823599917729021610?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6823599917729021610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6823599917729021610' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6823599917729021610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6823599917729021610'/><link rel='alternate' type='text/html' 
href='http://twofactor.blogspot.com/2008/01/manchester-airport-first-to-implement.html' title='Manchester airport first to implement iris recognition'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2938373890366757442</id><published>2008-01-24T10:12:00.000-08:00</published><updated>2008-01-24T10:14:20.183-08:00</updated><title type='text'>Bank Fraud Attempts Driven by “Vishing”</title><content type='html'>&lt;p class="MsoNormal"&gt;Customers of three banks in the Eastern U.S. have been subjected to a new telephone phishing scam. In an attempt to retrieve personal account information, fraudsters place an automated phone call to customers, supposedly from their bank, asking them to call a toll-free number to renew services that need to be updated. Customers who called the number were asked for account information.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;In this scam, dubbed “vishing”, a mix between “voice” and “phishing”, fraudsters use Voice over IP in their attempts to steal personal information. With email phishing becoming highly recognizable, vishing could be the next wave of fraud.  
As fraudsters become more creative in finding ways to obtain  confidential information, companies must be equally creative and proactive to  halt them in their tracks.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2938373890366757442?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2938373890366757442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2938373890366757442' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2938373890366757442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2938373890366757442'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/01/bank-fraud-attempts-driven-by-vishing.html' title='Bank Fraud Attempts Driven by “Vishing”'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-7993424964309293192</id><published>2008-01-22T07:14:00.000-08:00</published><updated>2008-01-22T07:15:35.858-08:00</updated><title type='text'>Another UK Data Breach</title><content type='html'>&lt;p class="MsoNormal"&gt;In yet another data loss scandal in the UK, three million  drivers’ records have been lost.  
Transport secretary Ruth Kelly has known since  May that a hard disk drive had gone missing from a secure facility in Iowa City,  Iowa.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;   &lt;p class="MsoNormal"&gt;As a preventative measure, Kelly said the department is now  looking at utilizing electronic data transfer.  However, many would argue that  data breaches are more imminent with electronic data.  If the UK government and  transport department decide to use electronic means to deliver sensitive data,  they both should seriously evaluate methods of securing those processes.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-7993424964309293192?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/7993424964309293192/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=7993424964309293192' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7993424964309293192'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7993424964309293192'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/01/another-uk-data-breach.html' title='Another UK Data Breach'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-3182888312932065607</id><published>2008-01-17T10:42:00.000-08:00</published><updated>2008-01-17T10:43:05.906-08:00</updated><title type='text'>TJX Compensates for Data 
Breach</title><content type='html'>&lt;p class="MsoNormal"&gt;To avoid a steeper bill in lawsuits, TJX has offered to compensate Visa card users $40.9 million for a data breach occurring back in January. This move is supposed to “save” the company money from the waves of lawsuits that would come in if they opted not to compensate the Visa card users. What would have really saved them money is having a state-of-the-art security standard implemented at the time of the data breach. You see, TJX was using an older security standard, the Wired Equivalent Privacy (WEP) encryption protocol, back in January.&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Now TJX must pay over $40 million in compensation as well as update their security measures, when all they needed to do was take care of the latter at the right time. Whatever the reason, a $40 million mistake will hurt an organization – even TJX.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-3182888312932065607?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/3182888312932065607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=3182888312932065607' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3182888312932065607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3182888312932065607'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2008/01/tjx-compensates-for-data-breach.html' title='TJX Compensates for Data Breach'/><author><name>Ryan 
Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-818549159331620060</id><published>2008-01-15T06:33:00.000-08:00</published><updated>2008-01-15T06:50:34.226-08:00</updated><title type='text'>Passport Canada’s Lax Security</title><content type='html'>&lt;p class="MsoNormal"&gt;Passport Canada is scrambling to reassure Canadian citizens  that a recent data breach has been rectified. The breach occurred on the  Passport Canada website where an applicant could simply change a few letters in  their name in the URL field and access another individual’s application. This  is yet another example on how relaxed security measures could result in  catastrophic results. When will businesses and governments learn that security  should be a priority? You would hope that the recent events in the UK will  change attitudes towards strong security implementation.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-818549159331620060?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/818549159331620060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=818549159331620060' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/818549159331620060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/818549159331620060'/><link rel='alternate' type='text/html' 
href='http://twofactor.blogspot.com/2008/01/passport-canadas-lax-security.html' title='Passport Canada’s Lax Security'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6795808946047511943</id><published>2007-11-30T05:50:00.000-08:00</published><updated>2007-11-30T05:51:22.471-08:00</updated><title type='text'>Data Breaches Costing Companies More Than Ever</title><content type='html'>&lt;p class="MsoNormal"&gt;A recent article on eweek.com reports that data breaches cost companies more on average in 2006 than in 2005. As a result, most companies’ security measures only increase after these breaches. Instead of losing resources to a costly and time-consuming data breach, why not take a more preventative approach to securing your data, network, and other assets? 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6795808946047511943?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6795808946047511943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6795808946047511943' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6795808946047511943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6795808946047511943'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/data-breaches-costing-companies-more.html' title='Data Breaches Costing Companies More Than Ever'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5100718777094324575</id><published>2007-11-26T05:58:00.000-08:00</published><updated>2007-11-29T06:37:09.915-08:00</updated><title type='text'>25 Million Records Lost in the UK</title><content type='html'>&lt;p class="MsoNormal"&gt;The recent loss of 25 million records in the &lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;UK&lt;/st1:place&gt;&lt;/st1:country-region&gt; has the potential to be traumatic.&lt;span style=""&gt;  &lt;/span&gt;For instance, with many families putting their trust in the same banks, the potential to have one’s identity stolen has now increased significantly even though the UK government is sure the data has not landed in the wrong 
hands. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;The gigantic mistake was made by junior officials at HMRC, who had ignored security procedures according to the chancellor.&lt;span style=""&gt;  &lt;/span&gt;These days, one can only be truly at ease in the &lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;UK&lt;/st1:place&gt;&lt;/st1:country-region&gt; if 2FA, not a static password, is protecting their most invaluable asset – their identity.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5100718777094324575?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5100718777094324575/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5100718777094324575' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5100718777094324575'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5100718777094324575'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/25-million-bank-records-lost-in-uk.html' title='25 Million Records Lost in the UK'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-9187518795144707694</id><published>2007-11-22T13:53:00.000-08:00</published><updated>2007-11-22T13:54:38.546-08:00</updated><title type='text'>Social Networking and Two-Factor Authentication</title><content type='html'>&lt;p 
class="MsoNormal"&gt;There is a new social networking site out there (surprise, surprise).&lt;span style=""&gt;  &lt;/span&gt;It’s called Anne’s Diary and it is specifically for girls between the ages of 6 and 14.&lt;span style=""&gt;  &lt;/span&gt;What makes this social networking site different is that it utilizes biometric technology to ensure the safety of its younger users from pedophiles and hackers.&lt;span style=""&gt;  &lt;/span&gt;Although this site utilizes one-time passwords to activate accounts, it does not make use of them past that.&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;It intrigues me to see how the security of social networking will pan out in the near future.&lt;span style=""&gt;  &lt;/span&gt;As relationships continue to become extended from real life to online, the chances of significant others, friends, family, etc. wanting to hack into someone’s social networking account increase immensely.&lt;span style=""&gt;  &lt;/span&gt;This is why the use of 2FA should be mandatory in the future of social networking.&lt;span style=""&gt;  &lt;/span&gt;I am not saying biometrics is a weak authentication method but rather that it is too hard to roll out on a mass scale.&lt;span style=""&gt;  &lt;/span&gt;2FA, on the other hand, is not.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;As Web 2.0 continues to evolve, 2FA (not biometrics) is the easiest and most secure method of protecting users in the social networking age.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-9187518795144707694?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/9187518795144707694/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=9187518795144707694' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/9187518795144707694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/9187518795144707694'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/social-networking-and-two-factor.html' title='Social Networking and Two-Factor Authentication'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6348418858670862019</id><published>2007-11-13T08:02:00.000-08:00</published><updated>2007-11-13T08:05:25.397-08:00</updated><title type='text'>Salesforce.com’s Reaction to Phishing Attacks</title><content type='html'>&lt;p class="MsoNormal"&gt;A recent letter by Parker Harris (EVP Technology at Salesforce.com) outlined to customers what they and the company should be doing to prevent future data breaches.&lt;span style=""&gt;  &lt;/span&gt;Short of posting the letter in its entirety I noticed a few important points Mr. 
Harris addressed regarding 2FA technology.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;        &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Primarily, Salesforce.com makes a promise of “collaborating with leading security vendors and experts on specific threats.”&lt;span style=""&gt;  &lt;/span&gt;Perhaps a more important point, Salesforce.com recommends that its customers “consider using other two-factor authentication techniques including RSA tokens and others.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Sometimes it takes a major data breach for a company to realize that their current security measures are inadequate.&lt;span style=""&gt;  &lt;/span&gt;This is an unfortunate but often necessary occurrence.&lt;span style=""&gt;  &lt;/span&gt;One by one, businesses are realizing the hard way that 2FA is a requirement in their security measures.&lt;span style=""&gt;  &lt;/span&gt;Salesforce.com is the latest company to realize this. Will you be next?&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Don’t let a security breach determine your company’s interest in 2FA.&lt;span style=""&gt;  &lt;/span&gt;Research it today.&lt;span style=""&gt;  &lt;/span&gt;Secure your world.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6348418858670862019?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6348418858670862019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6348418858670862019' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6348418858670862019'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6348418858670862019'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/salesforcecoms-reaction-to-phishing.html' title='Salesforce.com’s Reaction to Phishing Attacks'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-5861052684496375579</id><published>2007-11-09T12:17:00.000-08:00</published><updated>2007-11-09T12:18:36.122-08:00</updated><title type='text'>It can even happen to the stars…</title><content type='html'>&lt;p class="MsoNormal"&gt;Grammy-winning songstress Alicia Keys recently had her MySpace page linked to a malware server in &lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;China&lt;/st1:place&gt;&lt;/st1:country-region&gt;.&lt;span style=""&gt;  &lt;/span&gt;With the addition of a background image, anyone who visits Alicia’s MySpace page and clicks anywhere on this background causes the browser to load a fake media codec, which is really a disguised Trojan.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;It is currently not known how widespread this hack is within MySpace but this exemplifies how web surfing exploits can happen to anyone, even if they are simply browsing their friends on a social networking site.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Although it is not known how the hackers accessed Alicia Keys’ page, a 2FA solution for login definitely would have prevented them from accessing it in the first place.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/4674411572464983266-5861052684496375579?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/5861052684496375579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=5861052684496375579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5861052684496375579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/5861052684496375579'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/it-can-even-happen-to-stars.html' title='It can even happen to the stars…'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1695065633222096612</id><published>2007-11-08T06:18:00.001-08:00</published><updated>2007-11-08T06:18:44.597-08:00</updated><title type='text'>Data Breach of Salesforce.com</title><content type='html'>&lt;p class="MsoNormal"&gt;You may have seen that a salesforce.com employee recently fell victim to a phishing scam that resulted in the company’s customer database being turned over.  As a result, the scammers have been using the names and e-mails to spread an extensive malware attack throughout the company, supposedly sent by the Federal Trade Commission!!!!&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;Once again, this shows the need for users to be educated on what to look for when confronted with a phishing scam.  
The best security measures in the world cannot compensate for the threat of uneducated users and the inevitable data loss that can follow.&lt;span style=""&gt;  &lt;/span&gt;But good awareness/education combined with a form of Two Factor Authentication can start to reduce the risks that businesses face.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1695065633222096612?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1695065633222096612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1695065633222096612' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1695065633222096612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1695065633222096612'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/data-breach-of-salesforcecom.html' title='Data Breach of Salesforce.com'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6749015732639679766</id><published>2007-11-06T07:41:00.000-08:00</published><updated>2007-11-06T07:43:45.710-08:00</updated><title type='text'>Strip-tease for Hacking</title><content type='html'>&lt;p class="MsoNormal"&gt;Everyone has seen them, those silly little jumbles of letters you need to decipher and type in frantically to buy tickets to events, to create a new e-mail account, or to complete many other internet 
functions that normally hackers have a heyday on.&lt;span style=""&gt;  &lt;/span&gt;In fact, these are called CAPTCHA systems and are utilized to distinguish humans from machines.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;        &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;With a very innovative approach, online scammers have created a virus where an appealing woman will unexpectedly appear on your computer.&lt;span style=""&gt;  &lt;/span&gt;However, that is not all, as the woman continues by promising to take off an article of clothing each time a jumble of letters is completed.&lt;span style=""&gt;  &lt;/span&gt;The catch is that the program restarts before the woman can completely undress to possibly persuade users to try the program multiple times.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;It is not quite known if scammers are using these cracked CAPTCHA passwords on the fly; however, they are using them to crack anti-virus software and there is a worry that this scam will spread to financial institutions.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;As the dark forces of scammers continually become more inventive, online security must evolve over and above that.&lt;span style=""&gt;  &lt;/span&gt;And no, a strip tease is not required…&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6749015732639679766?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6749015732639679766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6749015732639679766' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6749015732639679766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6749015732639679766'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/strip-tease-for-hacking.html' title='Strip-tease for Hacking'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-223301504005731830</id><published>2007-11-01T06:05:00.000-07:00</published><updated>2007-11-01T06:07:47.743-07:00</updated><title type='text'>Urgency to Fix Online Privacy</title><content type='html'>&lt;p class="MsoNormal"&gt;These days, good online privacy translates into good business.&lt;span style=""&gt;   &lt;/span&gt;I recently read an article on zdnet.com that outlined the new “urgency” to fix online privacy.&lt;span style=""&gt;  &lt;/span&gt;With this, at the meetings of the International Association of Privacy Professionals, larger non-tech companies are searching for privacy solutions that actually work.&lt;span style=""&gt;  &lt;/span&gt;I have known this for years but companies seem to be figuring out now that as the world gets smaller due to increased technology, the frequencies of online security breaches are higher and more imminent.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;In my humble opinion, 2 factor authentication would be a great alternative for CPOs to help lull this newfound “urgency” to secure online privacy.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-223301504005731830?l=twofactor.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/223301504005731830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=223301504005731830' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/223301504005731830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/223301504005731830'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/urgency-to-fix-online-privacy.html' title='Urgency to Fix Online Privacy'/><author><name>Ryan Gencarelli</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-3252150448905193778</id><published>2007-11-01T06:02:00.000-07:00</published><updated>2007-11-01T06:07:15.329-07:00</updated><title type='text'>Two-factor authentication Newbie Cheat Sheet</title><content type='html'>&lt;strong&gt;Two-factor authentication? What's that?&lt;/strong&gt;&lt;br /&gt;During the past month I have had a number of meetings to discuss security and a number of times senior management have asked what is Two Factor Authentication.&lt;br /&gt;&lt;br /&gt;Well that's a question more and more people are asking at the moment as they hear about their bank adopting this new way of authenticating who you are. So here is a cheat sheet for everyone who is still unsure.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;But I know who I am...&lt;/strong&gt;&lt;br /&gt;I am very pleased to hear. 
And how do you prove who you are when accessing your bank or another secure environment such as your computer on the office network?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Well I use my password.&lt;/strong&gt;&lt;br /&gt;Which is?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;pA55w0rd&lt;/strong&gt;&lt;br /&gt;Exactly. The problem here is that people aren't the best at choosing or protecting their passwords. Too often they go for easily guessable names or words or something so complicated they end up having to write it down. Instead companies are now looking at solutions such as two-factor authentication which typically involves single-use multi-digit numerical codes to complement the existing security as well as the username or PIN.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Sounds even more complicated...&lt;/strong&gt;&lt;br /&gt;This is where technology comes in. Many companies developing solutions in this space are providing secure tokens – little gizmos, if you like, no bigger than a key-fob (www.cryptocard.com) which generate the random numbers for you. They're good for around as long as it takes to log in - and then they're done-and-dusted.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What are the benefits?&lt;/strong&gt;&lt;br /&gt;Single-use random numbers are far more secure than traditional static passwords (which admittedly aren't hard to beat or hack). 
They work by creating a reliance upon something the user knows, such as their username, and something they have, in this case the 6 or 8 digit number – which is far more reliable than a password written on a Post-it note.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-3252150448905193778?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/3252150448905193778/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=3252150448905193778' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3252150448905193778'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/3252150448905193778'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/11/two-factor-authentication-newbie-cheat.html' title='Two-factor authentication Newbie Cheat Sheet'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-4370745236517912579</id><published>2007-09-25T07:53:00.001-07:00</published><updated>2007-09-25T07:55:17.715-07:00</updated><title type='text'>Botnets pound eBay to guess user passwords</title><content type='html'>According to an interview with security experts on eWeek, eBay is under attack from a massive botnet that is trying to brute force guess user passwords.&lt;br /&gt;&lt;br /&gt;Another argument for strong passwords, and 
indeed, 2 factor authentication.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-4370745236517912579?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/4370745236517912579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=4370745236517912579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/4370745236517912579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/4370745236517912579'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/09/botnets-pound-ebay-to-guess-user.html' title='Botnets pound eBay to guess user passwords'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-2271456166331457929</id><published>2007-09-06T15:43:00.000-07:00</published><updated>2007-09-06T15:48:21.559-07:00</updated><title type='text'>Considering RSA or using RSA?</title><content type='html'>I have lost count of the number of times I have planned to take time out to put my personal views down on paper in relation to the downsides of buying R$A or being a user. 
So I have finally taken all of my views and more importantly have gathered all of the feedback that I have gained during the past 5 years from clients that are looking at purchasing R$A or looking to swap their R$A solution out for an alternative, more compelling and cost-effective solution over the RSA Solution.&lt;br /&gt;&lt;br /&gt;Many organizations realize the value of strong authentication. RSA Security has built much of their business on SecurID, a token-based strong authentication system that replaces password-only authentication with one-time passcodes for secure network access and positive user identification.&lt;br /&gt;&lt;br /&gt;But SecurID is not the only option out there. There are far greater products that offer a more secure, cost-effective system that’s easier to use and easier to manage. If you’re a SecurID customer, you might be surprised by how many thousands of pounds or dollars you can save, perhaps tens of thousands both right now, and over the life of the purchase by switching.&lt;br /&gt;&lt;br /&gt;Wouldn’t you like to stop repurchasing tokens every three years? SecurID tokens have an expiration date on the back. Once you pass that date, you might as well throw your token away. 
It can’t be used again, it can’t be reactivated; you have to spend more money on another token.&lt;br /&gt;&lt;br /&gt;For far less than the cost of buying another round of list-price RSA tokens you can get a complete deployment of an alternative solution that is far more flexible.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;To be continued…………………………&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-2271456166331457929?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/2271456166331457929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=2271456166331457929' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2271456166331457929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/2271456166331457929'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/09/considering-rsa-or-using-rsa.html' title='Considering RSA or using RSA?'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-6987439031461516506</id><published>2007-08-30T15:03:00.000-07:00</published><updated>2007-08-30T15:04:07.122-07:00</updated><title type='text'>I have been Warning of this for years!!</title><content type='html'>People have been looking at me in funny ways for the past 5 years when I state that the next wave of crime is 
going to be based on hacking of a security camera/computer system and physical security.  My warning  has just become reality.&lt;br /&gt;The FBI is investigating fifteen store robberies in eleven states, committed via phone and internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article, "A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened.""&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-6987439031461516506?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/6987439031461516506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=6987439031461516506' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6987439031461516506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/6987439031461516506'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/08/i-have-been-warning-of-this-for-years.html' title='I have been Warning of this for years!!'/><author><name>Jason 
Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-7140938370505205338</id><published>2007-08-20T16:19:00.000-07:00</published><updated>2007-08-20T16:20:17.589-07:00</updated><title type='text'>What do YOU need out of two-factor authentication?</title><content type='html'>&lt;span style="font-family:arial;"&gt;Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. A number of companies are looking at smartcards internally for VPN access and then looking at moving to smartcards for domain logon, too.&lt;br /&gt;Users are also looking at ways to require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other extranet systems. I love display-based solutions, and it's CRYPTOCard's most popular offering. But with smartcards we encounter a large problem: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it? And you would want to use a form of 2FA when using public workstations, as the risks are very large. No self-respecting organization would ever allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?&lt;br /&gt;A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. 
We accept the risks associated with this because the value to the business is determined to be higher."&lt;br /&gt;Many organizations are starting to become wary of these risks. Two-factor authentication helps to mitigate risk. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous, what's left to choose?&lt;br /&gt;A hardware token with a one-time (Event) password is generally the best option.&lt;br /&gt;I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently?&lt;br /&gt;Tell me what you think. Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-7140938370505205338?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/7140938370505205338/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=7140938370505205338' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7140938370505205338'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7140938370505205338'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/08/what-do-you-need-out-of-two-factor.html' title='What do YOU need out of two-factor authentication?'/><author><name>Jason 
Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-1161138662579158747</id><published>2007-08-20T15:40:00.000-07:00</published><updated>2007-08-20T15:42:26.730-07:00</updated><title type='text'>Outlook Passwords in less than 10 sec's</title><content type='html'>&lt;span style="font-family:arial;"&gt;That’s right. I hate to tell you but if you give me 10 seconds alone with your computer I’ll not only get your user name and passwords to every mail box you have set up in Outlook and Outlook Express, but I’ll also be able to see every single login you have saved in your Internet Explorer auto-complete settings.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;And I’ll do it all with this &lt;/span&gt;&lt;a href="http://www.nirsoft.net/utils/pspv.html"&gt;&lt;span style="font-family:arial;"&gt;tiny little application&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;. Don’t believe it? Fine, &lt;/span&gt;&lt;a href="http://www.nirsoft.net/utils/pspv.zip"&gt;&lt;span style="font-family:arial;"&gt;download it&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;, unzip it and launch it. 
You’ll be instantly staring at all of the passwords you’ve ever told Microsoft to remember for you.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-1161138662579158747?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://twofactor.blogspot.com/feeds/1161138662579158747/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4674411572464983266&amp;postID=1161138662579158747' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1161138662579158747'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/1161138662579158747'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/08/outlook-passwords-in-less-than-10-secs.html' title='Outlook Passwords in less than 10 sec&apos;s'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4674411572464983266.post-7424998049795549034</id><published>2007-08-20T15:19:00.000-07:00</published><updated>2007-08-20T15:43:48.885-07:00</updated><title type='text'>Cracking your password</title><content type='html'>&lt;span style="font-family:arial;"&gt;If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?&lt;br /&gt;&lt;br /&gt;Let’s see… here is my top 10 list. 
Most passwords are much easier to gain than you might think, allowing access into your e-mail, computer, or online banking. After all, if someone was to gain one they would probably get into all of them!&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;Your partner, child, or pet’s name, possibly followed by a 0 or 1 &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;123 or 1234 or 123456. &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;“password” &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;Your city, or college, football team name.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;Date of birth - yours, your partner’s or your child’s.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;“god” &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;“letmein”&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;“money”&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;“love”&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;Typing your email address into Google to find your hobby&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;Statistically speaking that should probably cover about 70% of you. But don’t worry. 
If I didn’t get it yet it will probably only take a few more minutes before I do or someone else does.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4674411572464983266-7424998049795549034?l=twofactor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7424998049795549034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4674411572464983266/posts/default/7424998049795549034'/><link rel='alternate' type='text/html' href='http://twofactor.blogspot.com/2007/08/if-you-invited-me-to-try-and-crack-your.html' title='Cracking your password'/><author><name>Jason Hart</name><uri>http://www.blogger.com/profile/11109074828283428051</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
