Password Pain Continues

Despite claims to the contrary, the password isn’t dead yet. Help Net Security points out new research from SecureAuth that documents how dependent many firms are on passwords. In fact, the research found that 40% of IT decision makers admit that passwords are their only IT security measure. The IT leaders also believe it will take 5 years to see a significant shift in organizations’ reliance on passwords. The author says this is a worrying revelation, considering how many security breaches are the result of compromised credentials.

The researchers found that the entertainment, hospitality and leisure industry is taking the most risks with its data, as 65% of respondents from this sector admit their organizations use only passwords as a security method. (rb- No wonder they keep getting hacked!)

The author claims that SecureAuth found that 45% of public sector organizations only use passwords. (rb- Another reason to limit how much data they collect on citizens)

Despite companies relying on passwords alone, the survey revealed that 63% of respondents believe their current authentication methods are effectively protecting valuable assets. The survey also revealed that firms worry about protecting different resources:

  • 29% say protecting the company’s VPN is critical
  • 28% believe protecting on premise applications is a top priority
  • 20% stated protecting Cloud and SaaS is the most important, and
  • 18% said mobile takes precedence.

Nick Mansour, Executive Vice President of Worldwide Sales at SecureAuth explained,

As the skills of hackers continue to evolve, organizations are going to have to wise up to new methods of information access security, such as adaptive authentication which can leverage real time threat intelligence, biometrics and even behavioral analysis.

Frighteningly, only 44% of SecureAuth respondents have plans to change or enhance their security model in the next two years. The forthcoming Microsoft Windows 10 can help firms evolve their authentication processes. Help Net Security reports that Windows 10 includes a new feature called Windows Hello. Windows Hello will allow users to authenticate themselves using biometrics. The SecureAuth study reports that only 28% of IT decision makers believe that businesses will use biometrics in 5 years’ time.

The article reports that Microsoft (MSFT) considers Windows Hello authentication more secure than using passwords – so secure, in fact, that it can be used in government organizations and the defense, financial and health care industries. Microsoft’s Joe Belfiore wrote:

Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all

Mr. Belfiore says Windows Hello will work with existing fingerprint readers. Windows Hello will also work with facial or iris detection by combining special hardware and software; “The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.”

Mr. Belfiore also introduced Windows Passport, a programming system that can be used to provide a more secure way of letting you sign in to sites or apps. The article explains that unlike with passwords, with which you authenticate yourself to apps, sites and networks, Passport allows Windows 10 to do that in your stead: again, without sending a password up to their servers. Mr. Belfiore says:

Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with ‘Passport’, you will be able to instantly access a growing set of websites and services across a range of industries

rb-

Couldn’t Redmond pick a name other than Passport? Reminds me of the Hotmail days.

There is of course the age-old problem of what to do if your biometric signature is stolen. You can easily change your iris with a sharp stick, but that does not seem very efficient.

What do you think?

Will Windows 10 biometrics take off?

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Few Americans Have Changed Behavior post-Snowden

Edward Snowden’s revelations of the US Government’s spying programs have changed the world. The data collection programs have hurt US businesses’ ability to sell abroad. Recent regulations introduced in China have knocked Apple (AAPL), Cisco (CSCO), McAfee and Citrix (CTXS) out of growing markets.

Lisa Vaas, at Sophos’ Naked Security blog, points us to a recent Pew Research Center survey that documents the impact of TLA spying and data collection on the home front. Most Americans (87%) have heard about the National Security Agency’s (NSA’s) surveillance programs since Snowden began leaking documents nearly two years ago. The Pew research found that nearly one third of American adults have taken steps to protect their information from government surveillance programs that monitor phone and digital communications.

Out of those surveyed who are at least somewhat aware of the NSA’s surveillance programs (30% of adults),

  • 34% have taken at least one step to keep their information hidden or shielded from the government.
  • 25% are using more complex passwords
  • 17% changed their privacy settings on social media
  • 15% use social media less often
  • 15% have avoided certain apps
  • 14% say they speak more in person instead of communicating online or on the phone
  • 13% have uninstalled apps
  • 13% have avoided using certain terms in online communications

When it comes to how well the courts are balancing the needs of law enforcement and intelligence agencies with citizens’ right to privacy:

  • 49% say courts and judges are not balancing those interests;
  • 48% say they are.

The article says the public approves of monitoring plenty of people, including foreign citizens, foreign leaders, and American leaders:

  • 82% say it’s acceptable to monitor communications of suspected terrorists;
  • 60% believe it’s acceptable to monitor the communications of American leaders;
  • 60% think it’s OK to monitor the communications of foreign leaders;
  • 54% say it’s acceptable to monitor communications from foreign citizens;
  • 57% say that the monitoring of citizens’ communications is unacceptable;
  • 65% think it’s OK to monitor people who pepper their communications with words such as “explosives” and “automatic weapons” in search engine queries;
  • 67% think it’s OK to monitor people who visit anti-American websites.

Americans are split about just how much we should worry about surveillance – particularly when it comes to their own digital behavior.

  • 39% describe themselves as concerned about government monitoring of their activity on search engines.
  • 38% say they’re concerned about government monitoring of their activity on their email messages.
  • 37% express concern about government monitoring of their activity on their cell phone.
  • 31% are concerned about government monitoring of their activity on social media sites, such as Facebook or Twitter.
  • 29% say they’re concerned about government monitoring of their activity on their mobile apps.

ZOUP! POS Breached

Another day, another data breach. Zoup!, the restaurant known for its soup, salads and sandwiches, is the latest retailer to have consumer credit card information hacked, according to MLive. In a statement posted on the Zoup! website, Zoup! CEO Eric Ersher told the customer victims, in effect, too bad, so sad: “… in the days ahead, we will work hard to preserve your trust.”

Apparently regaining my trust does not include telling me my information was stolen, or the usual credit monitoring or credit restoration services. According to MLive, Southfield, MI-based Zoup! will not be contacting customers who were affected by the cyber-attack.

The stonewall goes beyond Zoup!’s customers. When contacted by security researcher Brian Krebs for comment, CEO Ersher referred calls to NEXTEP, which runs all of Zoup!’s point-of-sale devices. Troy, MI-based NEXTEP President Tommy Woycik emailed Mr. Krebs a statement, which says in part, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised.”

The MLive article reports that Zoup! learned March 4 of a payment card security issue that affected most of its U.S. locations. Between Feb. 2 and March 5, malware installed on the point-of-sale system was tracking credit card numbers, and possibly PII such as the card-holder’s name, card expiration date and verification code.

POS vendors have a notorious track record on data security. One breach can impact hundreds of locations. The 2014 breach at the POS vendor Signature Systems Inc. affected Jimmy John’s sandwich shops and at least 100 other restaurants. The 2015 breach at Advanced Restaurant Management Applications (ARMA) affected many of its client restaurants. And now NEXTEP has impacted up to 75 Zoup! locations and possibly hundreds of thousands of customers.

Hummmm. CEO Ersher stated, “… we moved as swiftly as possible to address the problem once we learned about it … ” Oh really? If they had read Bach Seat last year when I wrote about POS hacks, or paid attention to US-CERT warnings, they would have been prepared.

The company set up a website for customers with concerns; customers can also call Zoup! at 800-343-9308, Monday – Friday, 8 a.m. – 5 p.m. ET.

rb-

I think that Zoup! should cool the attitude and review the info I posted in 2014 on how to avoid POS System breaches.

1.  Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords.)

2.  Implement a firewall or access control list on remote access/administration services. (If hackers can’t reach your systems, they can’t easily steal from them.)

3.  Avoid using POS systems to browse the web (or anything else on the Internet).

4.  Make sure your POS is a PCI DSS compliant application (ask your vendor).

5.  Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you.)

Banks Scramble to Fight Apple Pay Fraud

SearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

When Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. eWeek.com provided a good overview of how Apple Pay’s approval process works:

  • The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
  • Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
  • If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
  • Apple checks to see if the card is already on file in iTunes, verifying it through a match
  • But most cards aren’t already in iTunes – so Apple sends card data, phone data and iTunes account info to the card-issuing bank
  • If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If the bank’s checks pass, it automatically accepts the card (the so-called Green Path) and then beams an encrypted version of the card details to the phone to be stored.

According to reports, criminals have been setting up iPhones with stolen personal information, which has been tracked back to accounts that were compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014 and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card is neither accepted outright nor rejected (Red Path), but requires more verification by the bank before it is added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up. Other banks may ask the customer to call a toll-free number where a customer-service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address, according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.
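The Green/Yellow/Red provisioning decision and the two flavours of Yellow Path check, written up here as an added Python model; it is not code from the original post or from any issuer's real system, and the card record, the Green Path rule and the risk signals are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CardRecord:
    """Issuer-side record for one card (constructed sample data)."""
    pan_last4: str
    ssn_last4: str
    phone_on_file: str
    known_devices: set = field(default_factory=set)


@dataclass
class ProvisionRequest:
    """Card, device and account details the wallet forwards to the issuer."""
    pan_last4: str
    device_id: str
    account_age_days: int


def classify_path(req, rec):
    """Green: accept automatically; Red: reject; Yellow: needs more verification."""
    if req.pan_last4 != rec.pan_last4:
        return "red"
    # Hypothetical Green Path rule: a device the issuer has already seen,
    # tied to an account that is at least a year old.
    if req.device_id in rec.known_devices and req.account_age_days >= 365:
        return "green"
    return "yellow"


def yellow_path_kba(answer_ssn_last4, rec):
    """Lax Yellow Path: a knowledge-based check that breached PII answers."""
    return answer_ssn_last4 == rec.ssn_last4


class YellowPathOtp:
    """Possession-based Yellow Path: a one-time code sent to the phone on file."""

    def __init__(self, rec, sms_outbox):
        self.code = f"{secrets.randbelow(10**6):06d}"
        # Deliver only to the number the issuer already holds, never to a
        # number supplied in the provisioning request.
        sms_outbox.setdefault(rec.phone_on_file, []).append(self.code)

    def verify(self, code):
        return secrets.compare_digest(code, self.code)


def demo():
    """Fraudster holding breached PII but without the victim's phone."""
    rec = CardRecord("4242", "6789", "+1-555-0100", {"victim-iphone"})
    sms_outbox = {}                                # simulated carrier delivery
    req = ProvisionRequest("4242", "fraud-iphone", account_age_days=1)
    path = classify_path(req, rec)                 # new device -> "yellow"
    kba_ok = yellow_path_kba("6789", rec)          # stolen SSN digits pass
    otp = YellowPathOtp(rec, sms_outbox)
    fraud_ok = otp.verify("")                      # fraudster never saw the code
    victim_ok = otp.verify(sms_outbox[rec.phone_on_file][-1])
    return path, kba_ok, fraud_ok, victim_ok
```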

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe some day this will keep merchants from holding card data but for now seems like the banks need to get their act together.

What the FREAK !

Earlier this month news broke that Google, Apple and Microsoft are vulnerable to a new bug poetically called Factoring RSA Export Keys – FREAK. The cause of the FREAK bug is not new. In fact, the origin of the FREAK bug goes back to the 1990s and government meddling.

Paul Ducklin at Sophos’ Naked Security blog explains that FREAK is a risk to all users because an attacker can trick you and the server into settling on a much weaker HTTPS encryption scheme, one dating from the 1990s. Basically, the attacker gets you to use what’s called “export grade” RSA encryption, a ghost from an earlier US Gooberment attempt to break encryption. In the 90s the NSA required exported encryption to be deliberately weakened. The idea was that export grade keys were just about good enough for everyday, not-so-secret use, but could be cracked by superpowers with supercomputers if national security should demand it.

No-one should be using export grade keys any more – indeed, no-one usually does – but many clients and servers still support them, according to Sophos. Somehow, until 2015 it never seemed to matter that the 1990s code was still lying around.

If attackers can monitor the traffic flowing between vulnerable devices and websites, they could inject code which forces both sides to use 512-bit encryption, which can be easily cracked. In 1999 it took researchers seven months to crack such a key; the article claims that the same crack takes about 12 hours and $100 using Amazon’s (AMZN) cloud in 2015. It would then be technically pretty straightforward to launch a MITM attack by pretending to be the official website.

Now that your security has been compromised, an attacker can use a “man in the middle” attack (someone who can listen into and change the network traffic between you and your destination server).

Additionally, the author says many servers use the same RSA key over and over again. This allows attackers to use the compromised export grade key to decrypt other sessions that used the same key. Another risk Sophos claims is that export grade keys allow evil-doers to recover the private key from the public key by using a technique known as “factoring the modulus.” With the critical private key, criminals can then sign traffic from an imposter website as though it came from a trusted third party.

The author says the team that identified the original FREAK vulnerability claim to have used this bug to create a fake nsa.gov site. University of Michigan computer scientists J. Alex Halderman and Zakir Durumeric told InfoSecurity that the vulnerability affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.

The good news, according to Sophos: Users of Chromium/Chrome and Firefox are OK.

The bad news – the bug affects TLS/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser’s address bar. The bug is known to exist in:

  • OpenSSL’s TLS implementation (before version 1.0.1k), which includes Google (GOOG) Android’s “Browser” browser, and therefore probably Samsung’s (005930) derived browser known as “Internet.”
  • Apple (AAPL) SecureTransport puts OS X software at risk, including Safari.
  • Microsoft (MSFT) Windows Schannel TLS library puts Windows software including Internet Explorer at risk.

You can check to see if your browser is vulnerable to the FREAK attack on a UMich page here.

You can also check on your favorite website on this UMich page.
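A defender's check for the downgrade described above, added here as an example rather than code from the original post, from Sophos or from the UMich pages: it parses a TLS ClientHello and ServerHello and flags export-grade suites offered by the client, an export-grade suite selected by the server, or a server selection the client never offered (the signature of an injected downgrade). The handshake messages are constructed inline; the suite IDs are the registered TLS values.

```python
import struct

# Export-grade RSA/DHE suites a FREAK downgrade forces (IDs from the IANA TLS
# Cipher Suite registry). Non-export suites used below: 0x002F AES128-SHA,
# 0x0035 AES256-SHA, 0xC02F ECDHE-RSA-AES128-GCM-SHA256.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _handshake_body(record, expected_type):
    """Strip the 5-byte TLS record header and 4-byte handshake header."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != expected_type:
        raise ValueError("not the expected handshake message")
    return record[9:5 + length]


def parse_client_hello(record):
    """Return the cipher-suite IDs a ClientHello offers, in order."""
    body = _handshake_body(record, 0x01)
    pos = 2 + 32                       # client_version + random
    pos += 1 + body[pos]               # session_id length + session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def parse_server_hello(record):
    """Return the single cipher-suite ID a ServerHello selected."""
    body = _handshake_body(record, 0x02)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def freak_findings(client_hello, server_hello):
    """Flag export suites on either side and a choice the client never made."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    findings = [f"client offers {EXPORT_SUITES[s]}"
                for s in offered if s in EXPORT_SUITES]
    if chosen in EXPORT_SUITES:
        findings.append(f"server selected {EXPORT_SUITES[chosen]}")
    if chosen not in offered:
        findings.append(f"server selected 0x{chosen:04x}, never offered by client")
    return findings


def _record(handshake_type, body):
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites):
    """Constructed minimal TLS 1.0 ClientHello (empty session id, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return _record(0x01, b"\x03\x01" + b"\x11" * 32 + b"\x00"
                   + struct.pack("!H", len(cs)) + cs + b"\x01\x00")


def build_server_hello(suite):
    """Constructed minimal ServerHello selecting one suite, null compression."""
    return _record(0x02, b"\x03\x01" + b"\x22" * 32 + b"\x00"
                   + struct.pack("!H", suite) + b"\x00")
```

Run `freak_findings(build_client_hello([0xC02F, 0x002F]), build_server_hello(0x0008))` to see the two alerts an injected export-suite selection produces.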

rb-

“Export grade” encryption was largely abandoned by 2000 because it was a bad, silly idea. It hurt the US software industry and Americans who bought an inferior product. It is still a dumb idea in 2015, yet the Gooberment wants to cripple the latest generation of encryption by putting backdoors into encrypted messaging. They seem to have won with Google. Google has dumped plans to encrypt communications by default in Android.

In the short term, if you are worried, use another browser, such as Firefox or Chrome.
