Posts Tagged ‘security’

Despite our frequent and recent reminders about how everything is moving to the cloud, Robert McMillan, a reporter with the Wall Street Journal, recently pointed out an unexpected security problem in the cloud.  As more companies unplug their own data centers and rent from the likes of Amazon and Microsoft, they are discovering that they are accidentally leaving their corporate data exposed for all the world to see.

It seems that configuration errors made while using cloud-storage services are common, according to security experts, and they typically occur when users set access permissions so that someone outside the company (in the worst case, anyone on the Internet) can read the data.  As Vincent Liu, a partner at computer security consulting firm Bishop Fox, notes, “More data has been lost due to poor configuration than anything else on the cloud.”
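The “permissions set so someone outside the company can see the data” mistake usually lives in a bucket policy whose Principal is the wildcard “*”.  The check below is an added illustration written for this post, not code from the Journal article or from any cloud provider; the bucket name, account ID and VPC endpoint ID are made up, and the two policy documents are constructed samples.  It flags Allow statements open to everyone, and separates an unconditional grant (the world-readable bucket) from a wildcard grant that carries a Condition, which may be legitimate but still deserves a look.

```python
import json

# Constructed sample bucket policies for illustration; the bucket, account
# and VPC endpoint names are hypothetical and do not come from the article.
OPEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-corp-backups",
                   "arn:aws:s3:::example-corp-backups/*"]
    }
  ]
}
""")

RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BackupRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-corp-backups/*"
    },
    {
      "Sid": "VpcEndpointOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-corp-backups/*",
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_to_everyone(principal):
    """True when the Principal element names any AWS identity or anonymous user."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return (sid, conditional) pairs for Allow statements whose principal is '*'.

    An unconditional wildcard grant is the classic world-readable-bucket
    mistake.  A wildcard grant with a Condition block (for example on
    aws:SourceVpce or aws:SourceIp) may be legitimate, so it is reported with
    conditional=True for a human to review rather than silently accepted.
    Statements using NotPrincipal are flagged as well: 'everyone except X'
    is still a grant to everyone else.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotPrincipal" in stmt or _grants_to_everyone(stmt.get("Principal")):
            findings.append((sid, "Condition" in stmt))
    return findings


def is_world_readable(policy):
    """True when some Allow statement is open to everyone with no Condition at all."""
    return any(not conditional for _, conditional in public_statements(policy))


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "world-readable:", is_world_readable(policy), public_statements(policy))
```

Run against the two samples, the open policy is reported as world-readable through its “PublicRead” statement, while the restricted policy yields only the conditional “VpcEndpointOnly” finding for review.  A policy document is only one of the places a bucket can be opened up; bucket ACLs and the account-level public-access settings are separate controls that this check does not read, so treat it as one input to a review rather than a verdict.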

One nonprofit foundation has tracked nearly 175,000 examples of misconfigured software and services in the cloud this year.  Gartner projects that the market for cloud-computing services will grow 17% this year, with cloud infrastructure leading the way; yet those basic storage and networking services are exactly the ones most prone to configuration problems.

Cloud computing initially caught on as part of a cost-saving effort by corporate IT strategists, and as an end-around for what Mr. McMillan refers to as “stodgy corporate information technology departments.”  Business units often found it quicker simply to buy cloud resources directly from someone like Amazon or Microsoft.  Rather than waiting on their IT departments, they could test out new programs in minutes, with time bought on, say, their own Amazon accounts.

The issue is that most of these cloud users lack the expertise to keep things secure.  Such efforts became unsanctioned “shadow IT” projects, with no plan or governance model behind them.  Only recently are IT departments said to have begun to understand which of a company’s assets are online, when they need to be patched, and how they interconnect.

To correct these potential pitfalls, Amazon has introduced a new service to help companies stay on top of their infrastructure.  Microsoft, through its popular Azure platform, says it has several services to help clients protect sensitive data.  (One of the speakers at Microsoft’s recent “Directions” conference, which we attended in Orlando last week, told us that the company spends $2.2 billion on cloud security alone.)  As a company spokesman noted in the Journal, “we continue to invest heavily in new innovations that build on our strength in cloud security.”

Security experts say one thing that would help is for cloud providers to help companies detect when an employee is using a corporate credit card to buy a new Amazon or Microsoft service.  As Mr. Liu notes, “Provisioning is now in the hands of someone sitting in a cubicle who has a credit card and a web browser.”

Scary thought indeed.


Read Full Post »

… “123456”.  And that’s a problem, according to Security Keeper, Inc.  For years, tech firms have been trying to limit the damage hackers can do once they crack or steal conventional passwords.  They’ve tried two-factor authentication for Gmail, iris scanning, fingerprint ID… and yet phishing and scamming schemes not only persist, they become larger, more audacious, more widespread and more costly.

Our firm has witnessed more than one of our ERP clients compromised by ransomware in the last year.  And while weak passwords aren’t necessarily the only way into networks, they don’t help.  A product manager at Yahoo! once put it succinctly: “Our vision is to kill passwords completely.”  This was noted in a recent article on computer security in Bloomberg Businessweek (June 2017).  “In the future we’ll look back on this time and laugh that we were required to create a 10-character code” with mixed case, numbers and symbols, according to Yahoo’s Dylan Casey, VP of Product Management.  And the day can’t come soon enough for most of us.

To move in that direction, new ideas are emerging.  Yahoo lets email users unlock their accounts solely through a push notice sent to their smartphones, no password required.  Others are following similar “smartphone-as-skeleton-key” approaches, or are expanding the use of biometrics as unique identifiers in lieu of passwords.  Samsung is about to allow Galaxy S8 owners to authorize mobile payments (in the U.K. for now) using the phone’s iris scanner.  Microsoft and Lloyds Banking are experimenting with giving users access to online accounts using a webcam photo of their face.

Microsoft also offers fingerprint authentication via smartphone, with plans soon for desktops and laptops.  According to Alex Simons of Microsoft, “You’ll be able to take your phone, walk up to your Windows 10 PC and just use your thumbprint to log in.”  Barclays bank is experimenting with identity verification over the phone using voice recordings.

While none of these security measures is perfect (you can fool the S8’s facial recognition, for example, by holding up a photo of the right person’s face, and unlike a password a face or fingerprint cannot be changed once it has been copied), still… they’re big steps in the right direction.  As in all things tech, it’s only a matter of time.

Michela Menting, a security researcher at ABI Research, still believes it will be tough to get those last holdouts to give up their “123456” “until we have embedded devices in ourselves that can act as that password.”  Scary thought.  Welcome to the future.

But we’ll close with this factoid from USA Today: 37% of Americans keep a piece of paper with all of their passwords somewhere they deem safe.  (Want to bet it’s more than that?)


Read Full Post »

An article in January 11th’s Wall Street Journal by tech columnist Christopher Mims does a very good job of breaking down the arguments surrounding allowing secret government “backdoors” into the encrypted messages that we send every day from our various devices.  He makes his point clear at the start of the article when he says “I’m going to say this as plainly as possible… If we compromise our computing devices in a misbegotten attempt to stem criminal behavior or terrorism – as some… have suggested – then we deserve what will follow.”

It’s tempting, he notes, to think that if only companies like Apple, Google (now Alphabet) and Microsoft would build backdoors into all our encrypted data, known only to law enforcement or the government, then the authorities could take action when needed.

It’s a complicated topic, and our space is too brief to do justice to Mims’ full screed, but he makes a strong case.  We already live in a world where our defenses are breached regularly, he begins, noting how the Chinese government could probably compile a dossier on the web-browsing habits of every U.S. citizen.  “State actors are outgunning besieged corporate IT departments,” he notes, leading to hundreds of millions of dollars of damages annually.  Hence his comment from our title that no encryption is good enough.

As a result, many tech-providing companies today are using encryption that even they cannot decrypt.  And the fact is, as Mims points out, you can’t ban math; encryption is well understood by a lot of players these days.  The notion that the FBI won’t be able to foil a terrorist plot if a messaging app is encrypted is an arresting one, but it defies the larger logic.  Sophisticated attackers will always move to whatever channels are available to them, and there will always be channels available.

Former NSA Director Michael McConnell recently wrote: “If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.”

Basically, that amounts to what today is called “lawful hacking,” the position that there are already “vulnerabilities in the system, and it is better to exploit those than to build in other weaknesses,” as outlined by a group of academics in a recent paper on cryptography and security.  It’s an acknowledgement that our PCs and phones are in fact inherently quite insecure.

It’s a debate that will likely rage on for a good long time among well-intentioned people.  It is also, of course, a byproduct of our advancing technologies, which sometimes aren’t as advanced as we’d like to think.

Read Full Post »

A fascinating, if slightly abstruse, article by Lee Gomes appeared in the Digital Tools column in Forbes’ March 29 edition under the title “Computing’s Killer Problem.”  Its implications are fascinating, so I’ll try to synthesize it here.

Basically, Gomes posits the notion that much of what we do with computers, including basic Internet and transactional security, is based “not on anything we know for sure, but on essentially just a good guess.”  It starts with a fundamental computer science problem known as P versus NP.  The question, of course, is whether P equals NP, but the explanation of each is a bit tricky, so hang in there.  And by the way, solve it and you’re eligible for a $1 million reward.  Here goes…

P stands for the collection of math problems a computer can solve in a reasonable amount of time.  But, being defined by math guys, it’s a bit more specific than that.  P stands for polynomial.  A problem whose solving time grows only as some polynomial of the size of the input, so that it gets just a little harder as the numbers get bigger, is deemed solvable in polynomial time.  The opposite is exponential, where the time to solve “quickly grows unreasonably large.”

NP stands for problems whose proposed solutions can be verified in a reasonable length of time.  Thus the question asks whether P and NP are the same set.  Gomes gives the example of factoring.  It’s easy to verify that two numbers multiplied together produce a third; 10 x 20 = 200, for example.  This stays easy even for very large numbers.  But going the other way, starting with the end number and finding the factors that make it up, can take an enormous amount of time if the number is large enough.  With a large enough number, it could take trillions of years, he notes.

I’ll spare you some complexity that you can read in his article, but the bottom line is that most math researchers think P and NP are not the same.  Why does this matter?  Because encryption routines, for example, “hang on the difficulty of factoring large numbers,” where no fundamental shortcut has ever been found (and math geeks have been looking for centuries; the best known methods beat brute force but are still nowhere near polynomial time).  Therefore, such encryption routines can be presumed safe, in the sense that breaking them would take an enormous amount of time.

But what if they’re wrong?  What if P=NP?  Then every problem on the NP side (quick verification) is also on the P side (quick finding of a solution).  That would mean in theory that a quick factorization was possible after all; you’d just need to be clever enough to find it!  And that would put security and encryption on some very unsure footing, wouldn’t it?
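The asymmetry Gomes describes, one multiplication to verify versus a search that balloons with the size of the number, is easy to see in code.  The script below is an added example written for this post, not code from the Forbes article; the semiprimes are constructed for the demonstration and trial division stands in for “going the other way.”  Verification cost stays flat while the search cost grows by roughly 2 raised to half the extra bits, which is what “exponential in the length of the input” means in practice.

```python
import math

# Constructed semiprimes: products of two primes of similar size, the shape of
# number that makes trial division work hardest.  Chosen for this example only.
SEMIPRIMES = [
    (101, 103),        # 10403
    (1009, 1013),      # 1022117
    (10007, 10009),    # 100160063
    (100003, 100019),  # 10002200057
]


def verify_factorization(p, q, n):
    """The NP direction: checking a proposed factorization is one multiplication,
    whose cost grows only polynomially with the number of digits in n."""
    return 1 < p < n and 1 < q < n and p * q == n


def trial_division(n):
    """The search direction: find a nontrivial factor of n by trial division.

    Returns (p, q, divisions).  Divisors are tried up to sqrt(n), so a product
    of two similar-size primes costs about sqrt(n)/2 divisions, i.e. roughly
    2**(bits/2): exponential in the length of the input, not polynomial.
    """
    divisions = 0
    d = 2
    while d * d <= n:
        divisions += 1
        if n % d == 0:
            return d, n // d, divisions
        d += 1 if d == 2 else 2  # after 2, only odd candidates are worth trying
    return n, 1, divisions  # n itself is prime


def cost_table():
    """Bit length of each semiprime alongside the divisions trial division needed.

    Verification is a single multiplication for every row, while the search
    cost climbs by about a factor of 8 for every extra 6 bits.
    """
    rows = []
    for p, q in SEMIPRIMES:
        n = p * q
        found_p, found_q, divisions = trial_division(n)
        # the search result is checked the cheap way, exactly the NP certificate idea
        assert verify_factorization(found_p, found_q, n)
        rows.append((n.bit_length(), divisions))
    return rows


if __name__ == "__main__":
    for bits, divisions in cost_table():
        print(f"{bits:3d}-bit semiprime: {divisions:8d} trial divisions "
              f"(about 2^{math.log2(divisions):.1f})")
```

Trial division is the crudest method and real factoring algorithms do far better, but none known runs in polynomial time; that gap, and whether it is real or merely undiscovered, is exactly the P versus NP bet the article is about.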

Gomes claims no need for panic, since “most experts think P and NP aren’t the same.”  But no one knows for sure.  Certain people could lose sleep over this.

On the upside, researchers have also discovered that a large group of hard computer problems, despite external appearances, turn out to be essentially equivalent.  Examples include mapping the most efficient route for a travelling salesperson and a protein-folding problem that predicts the shape of a molecule.  A fast solution to one would apparently work for the other, according to a Northwestern Univ. professor.

But such a fast solution exists only if P=NP, precisely what we don’t know.  Dare I say it?  Go figure.

Read Full Post »