Posts Tagged ‘security’

Did you know that one of the largest “hack” attacks in internet history occurred in 2016 when signals generated by tens of thousands of baby monitors, webcams and like devices across America and Europe were hacked in a way that took down broad swaths of the web?

Yes, baby monitors.  These simple internet-hooked devices lack the security of your PC or phone, which makes them vulnerable to attack.  And there are no fewer than eight million of these devices in existence, according to editors at Bloomberg BusinessWeek.

A fellow named Louis Parks, who runs a small Connecticut company called SecureRF Corp., says he has the answer.  His firm sells software aimed at safeguarding the IoT (Internet of Things) – in a really efficient fashion.  So efficient in fact, that his software runs very clean on some pretty weak hardware.  It’s all in the math, he says, which “allows us to work with smaller numbers and simpler processes.”

Apparently, it’s a lot of math.  Most security relies on exchanges of public and private “keys,” those very large numbers that are used to generate shared secret codes that authenticate that you are who you say you are, and which encrypt modern-day communications.

It turns out that many smart devices (IoT things) are easy to hack because they “don’t have the battery life to handle powerful chips, and they struggle to use standard keys.”  Instead, they rely on passwords that don’t secure traffic between themselves and the internet.

SecureRF’s software, thanks to its sophisticated underlying math, requires calculation of only an 8-bit number to provide secure encryption, versus the 256 digits required with standard software.  The benefit, it says, is that its security software can then run 100 times faster – and on lower-power chips – than conventional software, all while using just half the memory.  The result is the ability to run securely on far less security-sophisticated devices.  Like baby monitors.

SecureRF has licensed its technology to others, like Intel and ARM.  They’re focused less on the chip itself, and more on the communication between chips.  They’ve quietly spent over ten years researching ways to defend various types of mobile communications and the devices that depend on them, including RFID and near-field communications.  They shifted their attention to IoT devices in recent years and are counting on the fee paid by chip makers – starting at just a few cents per chip.

That’s an added layer of “protection” for baby monitors for which their creators likely never envisioned the need.  And it’s all in the math.

Read Full Post »

In the post-Equifax hack world, it would be easy to give up the ghost and just assume you’re going to get hacked at some point.  Easy, but of course not prudent.  Thankfully, there are a few things you can do to make stealing your information harder – at least as far as your password skills go – without making your life harder too.  Here are a few we’ve found in our readings on the topic.

First, let’s start with the misguided notion that passwords must be ultra-complicated in order to be hack-proof.  Not so, say the experts.  While T!sK8%gB$x@ may be effective, its complexity is not necessarily… necessary.  The idea that passwords must be convoluted started with some 2003 guidelines from the National Institute of Standards and Technology that insisted you need a random combination of letters, numbers and symbols.  Turns out, that wasn’t as effective as they thought it would be.

While you should still avoid easily guessed passwords, a strong password can in fact be logical and easy to remember.  Start with this bit of advice, courtesy of blogger and Internet radio host Kim Komando: A password should simply be able to withstand 100 guesses.  According to Komando, experts tell us that the bad guys can “guess” a password correctly about 73% of the time.  Worse, they can access other accounts of that user thereafter with mostly just slight variations on the original password.  (Come on, admit it… you do it too.)

Note too that dedicated hackers turn to your media feeds (Facebook, Twitter and Instagram) to scour info about you that may be useful.  That should rule out using numbers from your birthday, or pet names or other special favorites that could be easily deduced.

Today’s experts suggest that instead of complex, difficult-to-remember combinations, you try using a phrase (or a “passphrase” in the parlance) that is easy to memorize but hard for others to crack.  Maybe your favorite cookie is a macaroon and your grandmother was a stenographer in Buffalo.  Ilovemymacaroonstenographerinbuffalo would be mighty difficult to guess, wouldn’t it?  Or you might use a phrase in which you take the first character of each word, and perhaps pump it up with just a couple of numbers (or symbols), like: 18fsasyaofbfutcann63.  That’s the first letter of each of the opening words of the Gettysburg Address (Four score and seven years ago our fathers brought forth upon this continent a new nation), framed by the year of the address, 1863.  You may not like our phrase, but surely you can find one of your own.

All that said, the newest NIST guidelines now suggest passwords of as many as 64 characters, and even allow spaces.  Most of us still use the minimum required, usually about 8 characters, including numbers and special characters.  That’s not the most hack-proof approach, and it’s true that stretching it out will increase the safety of your password but, really… 64 characters?  Here again, stringing together a chain of words that only you could logically know and construct, with a couple of special characters thrown in, is about the only way to get there.
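To make the advice in this post concrete, here is a small added example (our own illustration, not code from NIST or from any of the sources quoted above) that builds the first-letter-of-each-word passphrase described earlier, gives a rough entropy comparison between an 8-to-11-character symbol soup and a long phrase, and applies the NIST-style checks the post summarizes: a sensible minimum length, a 64-character maximum, spaces allowed, no composition rule, and a blocklist of well-known weak passwords.  The blocklist here is a constructed six-entry stand-in; a real system would check against a large breached-password corpus.

```python
import math
from typing import List

# Constructed blocklist of well-known weak passwords.  A real deployment
# would use a large breached-password corpus; this short list is an assumption
# made for the example.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678", "iloveyou"}


def acronym_passphrase(phrase: str, prefix: str = "", suffix: str = "") -> str:
    """Build a 'first letter of each word' passphrase from a sentence, optionally
    framed by extra characters such as the digits of a memorable year."""
    initials = "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())
    return f"{prefix}{initials}{suffix}"


def estimate_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character pool in use).
    Good enough to show why a long, all-letter phrase beats a short symbol soup;
    it is not a substitute for a real guess-count model."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation, including space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> List[str]:
    """Apply the NIST-style rules the post describes: at least 8 characters,
    up to 64 allowed, spaces permitted, no forced mix of character classes,
    and reject anything on the weak-password blocklist (plus the obvious
    'shift one character' variants the post warns about).
    Returns a list of problems; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 64:
        problems.append("longer than 64 characters")
    normalized = password.strip().lower()
    if normalized in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    elif normalized[:-1] in COMMON_PASSWORDS or normalized[1:] in COMMON_PASSWORDS:
        problems.append("trivial variant of a blocklisted password")
    return problems


if __name__ == "__main__":
    gettysburg = ("Four score and seven years ago our fathers brought forth "
                  "upon this continent a new nation")
    phrase = acronym_passphrase(gettysburg, prefix="18", suffix="63")
    print(phrase)  # 18fsasyaofbfutcann63
    for candidate in ["T!sK8%gB$x@", "Ilovemymacaroonstenographerinbuffalo",
                      "123456", "password1", "correct horse battery staple"]:
        print(f"{candidate!r}: ~{estimate_entropy_bits(candidate):.0f} bits, "
              f"problems={check_password(candidate)}")
```

Note that the checker deliberately has no rule demanding symbols or mixed case: the long all-lowercase phrase passes, while “password1” is rejected even though it satisfies the old 2003-style composition rules.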

One final tip: If it ain’t broke, don’t fix it.  You don’t need to change your passwords that often.  When a password expires, explains NIST’s Paul Grassi, “it isn’t a motivator to create a brand new password, it’s a motivation to shift one character so you can remember the password” — thereby, of course, defeating the purpose of the change in the first place.

If you’ve created a truly strong password, set it and forget it – well, not literally, but you know what we mean – stick with it unless you’ve been notified of a breach of security.  And when in doubt, use two-factor authentication, whereby the site pings you back with a text message or email, and you can receive notifications on changes.

The solutions really aren’t all that difficult or complex.  The weak link here is that we are all, after all, such creatures of habit.  And we all know it.

Read Full Post »

Despite our frequent and recent reminders about how everything is moving to the cloud, Robert McMillan, a reporter with the Wall Street Journal, recently pointed out an unexpected security problem in the cloud.  As more companies unplug their own data centers and rent from the likes of Amazon and Microsoft, they are discovering that they’re accidentally leaving their corporate data exposed for all the world to see.

It seems that configuration errors made while using cloud-storage services are common, according to security experts, and often occur when users set access permissions so someone outside the company can see the data.  As Vincent Liu, a partner at computer security consulting firm Bishop Fox notes, “More data has been lost due to poor configuration than anything else on the cloud.”
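The permission mistake Mr. Liu describes is usually visible in the storage configuration itself, so it can be audited mechanically.  The following is an added example of our own (not code from Amazon, Microsoft or Bishop Fox) that scans an Amazon S3-style bucket policy and bucket ACL for grants to “everyone.”  Both input documents are constructed samples in the shape the S3 API uses; the account ID and bucket name are placeholders, and the second policy statement is the kind of error the article is about.

```python
import json
from typing import Any, Dict, List

# Constructed sample bucket policy (placeholder account ID and bucket name).
# The "OopsPublic" statement is the misconfiguration: Principal "*" lets anyone
# on the internet read every object.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-corp-reports/*"},
    {"Sid": "OopsPublic", "Effect": "Allow",
     "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-corp-reports/*"}
  ]
}
""")

# Constructed sample ACL in the shape returned by the S3 API.  The AllUsers
# group URI means "anyone at all"; AuthenticatedUsers means "any AWS account",
# which is effectively public too.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """A statement is world-readable when Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Return a finding per Allow statement that grants to everyone.  Statements
    carrying a Condition are still reported (marked conditional): a condition
    such as a source-IP restriction may narrow them, but a reviewer should
    look rather than assume."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_public(stmt.get("Principal")):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            tag = stmt.get("Sid", f"statement[{i}]")
            suffix = " (conditional)" if "Condition" in stmt else ""
            findings.append(f"{tag}: Principal=* allows {actions}{suffix}")
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return a finding per ACL grant to one of the public group grantees."""
    findings: List[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}: {grant.get('Permission')}")
    return findings


if __name__ == "__main__":
    for finding in public_policy_statements(SAMPLE_POLICY) + public_acl_grants(SAMPLE_ACL):
        print("PUBLIC ACCESS:", finding)
```

The fix for a flagged statement is to name the intended principal (as the “TeamRead” statement does) instead of “*”, and to remove the AllUsers grant from the ACL; the same two checks can be run over every bucket an account owns so that a cubicle-provisioned bucket gets noticed before the rest of the world notices it.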

One nonprofit foundation has tracked nearly 175,000 examples of misconfigured software and services in the cloud this year.  Gartner projects that the market for cloud-computing services will grow 17% this year, with cloud infrastructure leading the way – and it is these very basic computer storage and networking services that are particularly prone to configuration problems.

Cloud computing initially caught on as part of a cost-saving effort by corporate IT strategists that provided an end-around for what Mr. McMillan refers to as “stodgy corporate information technology departments.”  Often they found it quicker simply to purchase cloud resources directly from someone like Amazon or Microsoft.  Rather than waiting for their IT departments to deliver, they could test out new programs in minutes, with time bought on, say, their Amazon accounts.

The issue is that most cloud users don’t have the expertise to keep things secure.  Such projects have become unsanctioned “shadow IT” projects, with no plan or governance model behind them.  Only recently are IT departments said to have begun to understand better which of a company’s assets are online, when they need to be patched, and how they interconnect.

To correct these potential pitfalls, Amazon has introduced a new service to help companies stay on top of their infrastructure.  Microsoft, utilizing its popular Azure platform, says it has several services to help clients protect sensitive data.  (One of the speakers at Microsoft’s recent “Directions” conference, which we attended in Orlando last week, told us that the company spends $2.2 billion on cloud security alone.)  As a company spokesman noted in the Journal, “we continue to invest heavily in new innovations that build on our strength in cloud security.”

Security experts say one thing that might help is for cloud providers to help companies better determine when an employee is using a corporate credit card to purchase a new Amazon or Microsoft service.  As Mr. Liu notes, “Provisioning is now in the hands of someone sitting in a cubicle who has a credit card and a web browser.”

Scary thought indeed.


Read Full Post »

… “123456”.  And that’s a problem, according to Security Keeper, Inc.  For years, tech firms have been trying to limit the damage hackers can do by cracking conventional passwords.  They’ve tried two-factor authentication for Gmail, iris scanning, fingerprint ID… and yet phishing and scamming schemes not only persist, they become larger, more audacious, more widespread and more costly.

Our firm has witnessed more than one of our ERP clients compromised by ransomware in the last year.  And while weak passwords aren’t necessarily the only way in to networks, they don’t help.  A product manager at Yahoo! once put it succinctly: “Our vision is to kill passwords completely.”  This was noted in a recent article on computer security in Bloomberg Businessweek (June 2017).  “In the future we’ll look back on this time and laugh that we were required to create a 10-character code” with mixed case, numbers and symbols, according to Yahoo’s Dylan Casey, VP of Product Management.  And the day can’t come soon enough for most of us.

To move in that direction, new ideas are emerging.  Yahoo lets email users unlock their accounts solely through a push notice sent to their smartphones, no password required.  Others are following similar “smartphone-as-skeleton-key” approaches, or are expanding the use of biometrics as unique identifiers, in lieu of passwords.  Samsung is about to allow Galaxy S8 owners to authorize mobile payments (in the U.K. for now) utilizing the phone’s iris scanner.  Microsoft and Lloyds Banking are experimenting with allowing users access to online accounts using a webcam photo of their face.

Microsoft also offers fingerprint authentication via smartphone, with plans soon for desktops and laptops.  According to Alex Simons of Microsoft, “You’ll be able to take your phone, walk up to your Windows 10 PC and just use your thumbprint to log in.”  Barclays bank is experimenting with identity verification over the phone using vocal records.

While none of these security measures is perfect (you can fool the S8’s facial recognition for example by holding up a photo of the right person’s face), still… they’re big steps in the right direction.  As in all things tech, it’s only a matter of time.

Michela Menting, a security researcher at ABI Research, still believes it will be tough to stop those last holdouts from using their 123456, though, “until we have embedded devices in ourselves that can act as that password.”  Scary thought.  Welcome to the future.

But we’ll close with this factoid from USA Today: 37% of Americans keep a piece of paper with all of their passwords somewhere they deem safe.  (Want to bet it’s more than that?)


Read Full Post »

An article in January 11th’s Wall Street Journal by tech columnist Christopher Mims does a very good job of breaking down the arguments surrounding allowing secret government “backdoors” into the encrypted messages that we post every day from our various devices.  He makes his point clear at the start of the article when he says “I’m going to say this as plainly as possible… If we compromise our computing devices in a misbegotten attempt to stem criminal behavior or terrorism – as some… have suggested – then we deserve what will follow.”

It’s tempting, he notes, to think that if only companies like Apple, Google (now Alphabet) and Microsoft would create backdoors to all our encrypted data, that only law enforcement or the government knows about, they could take action when needed.

It’s a complicated topic, and our space is too brief to do justice to Mims’ full screed, but he makes a strong case.  We already live in a world where our defenses are breached regularly, he begins, noting how the Chinese government could probably compile a dossier on the web-browsing habits of every U.S. citizen.  “State actors are outgunning besieged corporate IT departments,” he notes, leading to hundreds of millions of dollars of damages annually.  Hence his comment from our title that no encryption is good enough.

As a result, many tech-providing companies today are using encryption even they cannot decrypt.  And the fact is, as Mims points out, you can’t ban math – which is to say, encryption is well understood by a lot of players these days.  The notion that the FBI won’t be able to foil a terrorist plot if a messaging app is encrypted is an arresting one, but it defies the larger logic.  Sophisticated attackers will always move to whatever channels are available to them, and there will always be channels available.

Former NSA Director Michael McConnell recently wrote: “If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.”

Basically, that amounts to what today is called “lawful hacking,” which says that there are “vulnerabilities in the system, and it is better to exploit those than to build in other weaknesses,” as outlined by a group of academics in a recent paper on cryptography and security.  It’s an acknowledgement that our PCs and phones are in fact inherently quite insecure.

It’s a debate that will likely rage on for a good long time among well-intentioned people.  And it’s a byproduct, of course, of our advancing technologies, which sometimes aren’t so advanced as we’d like to think.

Read Full Post »

A fascinating, if slightly abstruse, article by Lee Gomes appeared in the Digital Tools column in Forbes’ March 29 edition under the title “Computing’s Killer Problem.”  Its implications are fascinating, so I’ll try to synthesize here.  For the full article, go here.

Basically, Gomes posits the notion that much of what we do with computers, including basic Internet and transactional security, is based “not on anything we know for sure, but on essentially just a good guess.”  It starts with a fundamental computer science problem known as P=NP.  The question of course is whether P equals NP, but the explanation of each is a bit tricky, so hang in there.  And by the way, solve it, and you’re eligible for a $1 Million reward.  Here goes…

P stands for the collection of math problems a computer can solve in a reasonable amount of time.  But, being defined by Math Guys, it’s a bit more specific than that.  P stands for Polynomial.  A problem that gets just a little harder as the numbers get bigger is deemed solvable in polynomial time.  The opposite is Exponential, where the time to solve “quickly grows unreasonably large.”

NP stands for problems that can be verified in a reasonable length of time.  Thus, the equation asks if P and NP are the same.  Gomes gives the example of factoring.  It’s easy to verify that two numbers multiplied together produce a third; 10 x 20 = 200 for example.  This is true even for very large numbers – it’s easy.  But going the other way, as in starting with the end number and finding the factors that make it up, can take a large amount of time, especially if the number is large enough.  With a large enough number, it could take trillions of years, he notes.

I’ll spare you some of the complexity that you can read in his article, but the bottom line is that most math researchers think that P and NP are not the same.  Why does this matter?  Because encryption routines, for example, “hang on the difficulty of factoring large numbers,” where no fundamental shortcut has ever been found (and math geeks have been looking for centuries).  Therefore, encryption routines can be presumed to be safe in terms of taking enormous time to solve.
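Gomes’ factoring example can be seen in a few lines of code.  The following is an added illustration of ours, not code from the Forbes article: checking a claimed factorization (the “verify” direction) is a single multiplication, while recovering the factors from the product by the straightforward method of trying divisors grows as the square root of the number, which is exponential in the number of digits.  The primes used are small constructed samples; the point is how the count of trial divisions grows, not the particular numbers.

```python
from typing import Optional, Tuple


def verify_factors(p: int, q: int, n: int) -> bool:
    """The NP side of the story: checking that p and q really are factors of n
    costs one multiplication, however large the numbers are."""
    return p > 1 and q > 1 and p * q == n


def trial_division(n: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """The 'going the other way' side: find a nontrivial factor pair of n by
    trying divisors up to sqrt(n).  Returns ((p, q) or None if n is prime) and
    the number of divisions attempted, so the growth in work can be observed.
    Work is about sqrt(n), i.e. roughly 10^(digits/2): exponential in the
    number of digits, which is what makes this useless against large keys."""
    if n < 4:
        return None, 0
    tries = 1
    if n % 2 == 0:
        return (2, n // 2), tries
    d = 3
    while d * d <= n:
        tries += 1
        if n % d == 0:
            return (d, n // d), tries
        d += 2
    return None, tries


def work_comparison(p: int, q: int) -> Tuple[int, int]:
    """For a product n = p*q of two primes, return (checks to verify,
    divisions to recover the factors by trial division)."""
    n = p * q
    factors, tries = trial_division(n)
    if factors is None or not verify_factors(factors[0], factors[1], n):
        raise ValueError("trial division failed to recover the factors")
    return 1, tries


if __name__ == "__main__":
    # Constructed sample prime pairs of growing size.
    for p, q in [(101, 103), (1009, 1013), (10007, 10009), (100003, 100019)]:
        n = p * q
        verify_cost, factor_cost = work_comparison(p, q)
        print(f"n={n} ({len(str(n))} digits): verify={verify_cost} op, "
              f"factor={factor_cost} divisions")
```

Each extra two digits in n multiplies the factoring work by about ten while the verification cost stays at one operation; that asymmetry is what the encryption routines Gomes mentions rest on, and a proof that P=NP would mean a fundamentally faster route than this exists for every such problem.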

But what if they’re wrong?  What if P=NP?  Then problems on the NP side (quick verification) are also on the P side (quick finding of a solution).  This would mean in theory that a quick factorization was possible after all – you’d just need to be clever enough to find it!  And that would put security and encryption on some very unsure footing, wouldn’t it?

Gomes claims no need for panic, since “most experts think P and NP aren’t the same.”  But no one knows for sure.  Certain people could lose sleep over this.

On the upside, researchers have also uncovered the fact that a large group of hard computer problems, despite external appearances, turn out to be essentially similar.  Examples include mapping the most efficient route for a travelling salesperson and a protein folding problem to predict the shape of a molecule.  A solution to one apparently would work for the other according to a Northwestern Univ. professor. 

But only if P=NP – precisely what we don’t know.  Dare I say it?  Go figure.

Read Full Post »