Featured Posts

<< >>

AT&T Already Profits from Net Neutrality

In further proof that no matter what – the huge corporations always win, AT&T (T), one of the most vocal opponents to net neutrality has already started to profit from it. FierceTelecom is reporting that AT&T’s new reclassification under Title II of the Communications Act as part of new net neutrality rules are working in the mega-Bell’s favor.

Password Pain Continues

Despite claims to the contrary, the password isn’t dead yet. Help Net Security points out new research from SecureAuth that documents how dependent many firms are on passwords. In fact the research found that 40% of IT decision makers admit that passwords are their only IT security measure. The IT leaders also believe it will

Few Americans Have Changed Behavior post-Snowden

Edward Snowden’s revelations of the US Government’s spying programs has changed the world. The data collection programs have impacted US business ability to sell abroad. Recent regulations introduced in China have knocked Apple (AAPL),Cisco (CSCO), McAfee and Citrix (CTXS) out of growing markets. Lisa Vaas, at Sophos’ Naked Security blog points us to a recent  Pew Research Center

ZOUP! POS Breached

Another day, another data breach. Zoup! the restaurant known for its soup, salad and sandwiches is the latest retailer to have consumer credit card information hacked according to MLive . From a statement posted on the Zoup! website Zoup! CEO Eric Ersher told their customers victims – to bad so sad, “… in the days

Banks Scramble to Fight Apple Pay Fraud

SearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems. When Apple Pay was first unveiled by Apple (AAPL) in October 2014, it

AT&T Already Profits from Net Neutrality

AT&T Already Profits from Net NeutralityIn further proof that no matter what – the huge corporations always win, AT&T (T), one of the most vocal opponents to net neutrality has already started to profit from it. FierceTelecom is reporting that AT&T’s new reclassification under Title II of the Communications Act as part of new net neutrality rules are working in the mega-Bell’s favor.

The article says regulator’s cited Title II to justify a ruling for AT&T. The FCC ruling said AT&T should be awarded damages for being overcharged by two Michigan based rural telcos for interstate access services. Now the FCC has to set how much money AT&T should receive from East Lansing based Great Lakes Comnet (GLC) and Westphalia Telephone Company (WTC). The FCC wrote in its order, “We agree with AT&T.”

Initially, AT&T asked for a $12 million refund and wants to avoid paying an additional $4.3 million that Westphalia and Great Lakes claim the telco owes them. The author explains that the FCC argued that AT&T was billed unlawfully because of Section 201(b) of the Communications Act. This is the part of Title II that says: “All charges, practices, classifications, and regulations for and in connection with such communication service, shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.”

Ironically, during the run-up to net neutrality decision,  AT&T, Verizon (VZ), Comcast (CMCSA) and other telcos claimed that regulation would hurt their profits, which seems like mis-information BS. The FierceTelecom article reports that the FCC said that it won’t set specific price caps or tell service providers what they can charge for service, consumers can complain to the FCC if their provider is overcharging them for service.

FierceTelecom also points to an Ars Technica report, that Verizon (VZ), another outspoken critic of applying Title II to broadband services, ironically used its common carrier status for POTS services to build its FiOS fiber-to-the-home (FTTH) network. Besides leveraging Title II to get access to utility poles and rights-of-way to string up fiber, Verizon raised consumer phone rates to fund the fiber build.

rb-

This could be written-off as unintended consequences or is it? Is the goobermnet in bed with the Telco’s and all the net neutrality hub-bub was just a show?

Quoting MLive

the leaders making our laws, writing our budgets and setting the agenda are not widely seen as effective … there’s a serious and alarming lack of leadership …

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Password Pain Continues

Password Pain ContinuesDespite claims to the contrary, the password isn’t dead yet. Help Net Security points out new research from SecureAuth that documents how dependent many firms are on passwords. In fact the research found that 40% of IT decision makers admit that passwords are their only IT security measure. The IT leaders also believe it will take 5 years to see a significant shift in organizations’ reliance on passwords. The author says this is a worrying revelation, considering how many security breaches are the result of compromised credentials.

SecureAuthThe researchers found that entertainment, hospitality and leisure industry is taking the most risks with its data as 65% of respondents from this sector admit their organizations only use passwords as a security method. (rb- No wonder they keep getting hacked!)

The author claims that SeaureAuth found that 45% of public sector organizations only use passwords. (rb- Another reason to limit how much data they collect on citizens)

PasswordsDespite companies relying on passwords alone, the survey revealed that 63% of respondents believe their current authentication methods are effectively protecting valuable assets. The survey also revealed that firms worry about protecting different resources:

  • 29% say protecting the company’s VPN is critical
  • 28% believe protecting on premise applications is a top priority
  • 20% stated protecting Cloud and SaaS is the most important, and
  • 18% said mobile takes precedence.

Nick Mansour, Executive Vice President of Worldwide Sales at SecureAuth explained,

As the skills of hackers continue to evolve, organizations are going to have to wise up to new methods of information access security, such as adaptive authentication which can leverage real time threat intelligence, biometrics and even behavioral analysis.

Microsoft Windows 10 Frighteningly only 44% of SecureAuth respondents have plans to change or enhance their security model in the next two years. The forthcoming Microsoft Windows 10 can help firms evolve their authentication processes. Help Net Security reports that Windows 10, includes a new feature called Windows Hello. Windows Hello will allow users to authenticate themselves using biometrics. The SecureAuth study reports that only 28% of IT decision makers believe that businesses will biometrics in 5 years’ time.

The article reports that Microsoft (MSFT) considers Windows Hello authentication more secure than using passwords – so secure, in fact, that it can be used in government organizations, the defense, financial, and health care industry. Microsoft’s  Joe Belfiore wrote

Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all

Facial recognitionMr. Belifore says Windows Hello will work with existing fingerprint readers.  Windows Hello will also work with facial or iris detection by combining special hardware and software; “The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.”

Mr. Belfiore also introduced Windows Passport, a programming system that can be used to provide a more secure way of letting you sign-in to sites or apps. The article explains that unlike with passwords, with which you authenticate yourself to apps, sites and networks, Passport allows Windows 10 to do that in your stead: again, without sending up a password to their servers. Mr. Belfiore says:

Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with ‘Passport’, you will be able to instantly access a growing set of websites and services across a range of industries

rb-

Couldn’t Redmond pick a name other than Passport? Reminds me of the Hotmail days.

There is of course the age-old problem of what to do if your biometric signature is stolen. You can easily change your iris with a sharp stick, but that does not seem very efficient.

What so you think?

Will Windows 10 biometrics take off?

View Results

Loading ... Loading ...

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

 

Few Americans Have Changed Behavior post-Snowden

Few Americans Have Changed Behavior post-SnowdenEdward Snowden’s revelations of the US Government’s spying programs has changed the world. The data collection programs have impacted US business ability to sell abroad. Recent regulations introduced in China have knocked Apple (AAPL),Cisco (CSCO), McAfee and Citrix (CTXS) out of growing markets.

government surveillanceLisa Vaas, at Sophos’ Naked Security blog points us to a recent  Pew Research Center survey that documents the impact of TLA spying and data collection on the home-front. Most Americans (87%) have heard about the National Security Agency’s (NSA’s) surveillance programs since Snowden began leaking documents nearly two years ago. The Pew research found that nearly one third of American adults have taken steps to protect their information from government surveillance programs that monitor phone and digital communications.

Out of those surveyed who are at least somewhat aware of the NSA’s surveillance programs (30% of adults),

  • 34% have taken at least one step to keep their information hidden or shielded from the government.
  • 25% are using more complex passwords
  • 17% changed their privacy settings on social media
  • 15% use social media less often
  • 15% have avoided certain apps
  • 14% say they speak more in person instead of communicating online or on the phone
  • 13% have uninstalled apps
  • 13% have avoided using certain terms in online communications

surveillance programsWhen it comes to how well the courts are balancing the needs of law enforcement and intelligence agencies with citizens’ right to privacy:

  • 49% say courts and judges are not balancing those interests;
  • 48% say they are.

The article says the public approves of monitoring plenty of people, including foreign citizens, foreign leaders, and American leaders:

  • 82% say it’s acceptable to monitor communications of suspected terrorists;
  • 60% believe it’s acceptable to monitor the communications of American leaders;
  • 60% think it’s OK to monitor the communications of foreign leaders;
  • 54% say it’s acceptable to monitor communications from foreign citizens;
  • 57% say that the monitoring of citizens’ communications is unacceptable;
  • 65% – think it’s OK to monitor people who pepper their communications with words such as “explosives” and “automatic weapons” in search engine queries;
  • 67% think it’s OK to monitor people who visit anti-American websites.

Social media privacyAmericans are split about just how much we should worry about surveillance – particularly when it comes to their own digital behavior.

  • 39% describe themselves as concerned about government monitoring of their activity on search engines.
  • 38% say they’re concerned about government monitoring of their activity on their email messages.
  • 37% express concern about government monitoring of their activity on their cell phone.
  • 31% are concerned about government monitoring of their activity on social media sites, such as Facebook or Twitter.
  • 29% say they’re concerned about government monitoring of their activity on their mobile apps.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

ZOUP! POS Breached

ZOUP! POS BreachedAnother day, another data breach. Zoup! the restaurant known for its soup, salad and sandwiches is the latest retailer to have consumer credit card information hacked according to MLive . From a statement posted on the Zoup! website Zoup! CEO Eric Ersher told their customers victims – to bad so sad, “… in the days ahead, we will work hard to preserve your trust.”

Zoup!Apparently re-gaining my trust does not include telling me my information was stolen, or the usual credit monitoring or credit restoration services, according to MLive Southfield, MI based Zoup! will not be contacting customers who were affected by the cyber-attack.

The stonewall goes beyond Zoup!’s customers. When contacted by security researcher Brian Krebs, for comment CEO Ersher referred calls to NEXTEP, who runs all of Zoup!s point-of-sale devices. Troy, MI-based NEXTEP President Tommy Woycik emailed Mr. Krebs a statement, which says in part, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised.”

Data LeakThe MlLive article reports that Zoup! learned March 4 of a payment card security issue that affected most of its U.S. locations. Between Feb. 2 and March 5, malware installed on the point-of-sale system was tracking credit card numbers, and possibly PII data such as the card-holder’s name, card expiration date and verification code.

POS vendors have a notorious track record for data security. One breach can impact 100’s of locations. The 2014 breach at the POS vendor Signature Systems Inc. affected Jimmy John sandwich shops and at least 100 other restaurants. The 2015 breach at Advanced Restaurant Management Applications (ARMA) affected many of its client restaurants. And now Nextep has impact up to 75 Zoup! locations and possibly 100,000’s of customers.

HummmmCEO Ersher stated in a statement in a statement, “… we moved as swiftly as possible to address the problem once we learned about it … ” Oh really? if they had read Bach Seat last year when I wrote about POS hacks of paid attention to US CERT or warnings they would have been prepared.

The company set-up a website for customers with concerns or call Zoup! at 800-343-9308, Monday – Friday, 8 a.m. – 5 p.m. ET.

rb-

I think that Zoup! should cool the attitude and review the info I posted in 2014 on how to avoid POS System breaches.

1.  Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords).

2.  Implement a firewall or access control list on remote access /administration services. (If hackers can’t reach your systems, they can’t easily steal from it).

3.  Avoid using POS systems to browse the web (or anything else on the Internet).

4.  Make sure your POS is a PCI DSS compliant application (ask your vendor)

5.  Use password management software like LastPass to generate secure passwords. (LastPass allow you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you).

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Banks Scramble to Fight Apple Pay Fraud

SearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

Apple PayWhen Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint systemeWeek.com provided a good overview of how the Apple Pay’s approval process works:

  • The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
  • Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
  • If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
  • Apple checks to see if the card is already on file in iTunes, verifying it through a match
  • But most cards aren’t already in iTunes – so Apple sends card data, phone data and iTunes account info to the card-issuing bank
  • If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If this provisioning is successful, the bank will automatically accept (Green Path) the info and then beam an encrypted version of the card details to be stored.

According to reports, criminals have been setting up iPhones with stolen personal information, which has been tracked back to accounts that were compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014 and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card isn’t or rejected (Red Path), but requires more provisioning by the bank to be added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up.  Other banks may ask the customer to call a toll-free number where a customer-service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe some day this will keep merchants from holding card data but for now seems like the banks need to get their act together.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.