Monday, May 30, 2011

PBS - Tupac Against the World & PBS

It seems that PBS is suffering from multiple attack vectors, ranging from potentially massive budget cutbacks, to accusations of being partisan, to the latest today from cyberattackers. The hackers "LulzSec" have managed to hijack the main PBS NewsHour website and proclaimed that Tupac Shakur is alive and kicking. Tupac has joined a long list of notable immortal sightings ranging from Elvis and Notorious BIG, to the latest: UBL. This type of hack highlights the "bragging rights" type of hacking, which is often motivated by mischief or by proving that one can do it, as opposed to attacks that are financially motivated. However, if steps are not put in place to prevent these relatively benign types of attacks, more pernicious ones will exploit the same loopholes as well. Content entry into websites should be secured beyond just static username/password combos. PBS needs all the help it can get to ward off all the attacks it will face in these austere times.

Saturday, May 28, 2011

RSA SecurID Related Data Breaches: The Saga Continues

The New York Times has now chimed in on the Reuters exclusive on data breaches and attempts on military contractors using RSA SecurID. It is no surprise that hackers and cyberattackers have been having a field day with the customers of RSA SecurID. The surprise is how little has surfaced so far. And that is the truth of most cyberattacks: the victims are often not even aware of breaches. Digital intrusion can manifest itself in many forms, and oftentimes, unless companies have the right set of preventative measures in place, they are at the mercy of sophisticated attackers who can resort to many tools at hand, including browser poisoning, SQL injection, and man-in-the-phone. It reminds me of the sewing-themed aphorism "a stitch in time saves nine." This is the state of mind CSOs and CIOs have to adopt. The old adages like "no one got fired for buying IBM/Microsoft" or "if it ain't broke don't fix it" no longer hold true for data security and integrity. Enterprises have to be proactive and go on the offense in this cat-and-mouse game played out with hackers. Hubris will lead to severe loss of face, brand power, and of course money.

Those victims who have RSA SecurID should consider making a switch as soon as possible. It could be "the switch in time that saved nine" (a reference, of course, to the Supreme Court position change in the 1930s).

RSA SecurID Breach Now Leads To US Military Contractors Breach

Not a day goes by without some announcement of a major data breach. Hackers and fraudsters are busy at work and they are clearly having a field day with their targets. Of course, the motivations for the data breaches range from bragging rights to financially motivated to the more sinister. RSA made the headlines in February when they announced that they were hacked into and compromised. It seems now that users of RSA SecurID are the next string of victims. And money does not seem to be the motivation here at all.

According to a Reuters exclusive, US military contractors are now caught in the headlights of hackers. The hackers are targeting military giants like Boeing, General Dynamics, Raytheon and Lockheed Martin. It seems that we will see more stories like this of users of RSA SecurID.

The only defense (sorry, could not resist the pun) companies have is to switch to alternatives that provide stronger security than that provided by RSA now. They should start to evaluate the move beyond one-time passwords and enter the realm of challenge-response-based authentication, verification, and validation.

Bank of America Breach - An Inside Job

Bank of America managed to take the data breach spotlight away from Sony. According to news sources, a Bank of America employee leaked account holder information to fraudsters. Armed with that data, the fraudsters managed to defraud more than 300 BofA customers, inflicting over 10 million dollars in damage.

While we traditionally worry about the emergence of sophisticated attack vectors like Man-in-the-Middle attacks, it is prudent to remember that the threat of an inside job is always there for data breaches. Enterprises can take steps to authenticate internal processes, users, and transactions to mitigate such attacks. Some of our customers use SolidPass internally as well, to validate and authenticate transactions in addition to users by invoking strong two-factor authentication like challenge-response and transaction data signing. This is a more comprehensive approach to security than just using one-time passwords. They have integrated it with CRM, ERP, and other internal systems.

Wednesday, May 25, 2011

iPhone iOS 4 Encryption Broken

Elcomsoft has just issued a press release in which they claim to have broken the iOS 4 encryption for the Apple iPhone. More details can be found at their blog.

Sony - Another Day, Another Breach

Sony has unfortunately been in the headlines lately for the wrong reasons. The consumer electronics/media giant has been under savage attack by persistent hackers. Sony made the headlines last month after hackers managed to attack the PlayStation Network and other online entertainment services with account details of 100 million users. Following that, Sony has made periodic announcements of other breaches. They include the recent breaches at the Greek, Thai and Indonesian units of Sony. And hot off the presses is the news that Sony Canada has been the victim of cyberattacks. If a strong brand like Sony has fallen victim to such a sustained series of attacks, then lesser brands with fewer resources are at the mercy of attackers and may not even be aware of it. Cyberattacks can come in many forms and oftentimes the victims are not even cognizant of them. It reminds me of the data breach of the Australian government by unknown assailants. The Americans informed the Aussies that the government systems and emails were hacked into.

The key takeaway is that data security cannot be taken for granted, and rather simple steps like requiring logins using security tokens can prevent phishing attacks. Stronger forms of two-factor authentication that go beyond one-time passwords, like challenge-response-based logins, also help mitigate Man-in-the-Middle type attacks. Companies have to impose stronger security, but also have to keep in mind that ease of use is just as important. Software tokens and especially mobile tokens help bring convenience and usability to stronger authentication.

Tuesday, May 24, 2011

Apple - A Victim Of Its Own Success

The continued success and popularity of Apple and Macs have finally made them a tempting target for malware authors. Windows users have become accustomed to all sorts of attacks and are more risk averse than Mac users, who have had a justifiable false sense of security up to now. The party is unfortunately over for Mac users, and they can join the ranks of their fellow Windows compatriots in traversing the messy and ugly world of digital fraudsters.

Apparently a piece of malware released for Macs, called Trojan.Fakefrag, is being disseminated through drive-by download attacks, a technique perfected for Windows and Internet Explorer users over the years. Trojan.Fakefrag is not your standard drive-by rogueware or scareware in that it pretends to cause the hard disk to collapse with the help of numerous persuasive messages asking infected users to buy a spurious anti-virus application.

It's hard to figure out the extent of the damage and how many Macs have been infected, but Apple is certainly taking a chance with its profitability by refusing to help the victims. It's a timely wake-up call for Mac users, and they should surf the web with the same caution that most Windows users have grown conditioned to.

Online users who use a Mac should demand stronger security from their banks that goes beyond one-time passwords and uses transaction data signing to protect against Man-in-the-Middle attacks.
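
The posts above argue several times that transaction data signing goes beyond one-time passwords against Man-in-the-Middle attacks. The following added example (not from the original blog, and not SolidPass's algorithm) uses a generic HMAC-SHA256 construction with a constructed key, payee names, and amounts to show why: the OTP check never sees the payment details, while the signed code stops verifying once the details are changed in transit.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed secret shared by token and bank


def _code(key: bytes, message: bytes, digits: int = 8) -> str:
    """HMAC-SHA256, truncated HOTP-style to a short decimal code."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otp(key: bytes, counter: int) -> str:
    """One-time password: depends only on a counter, not on the payment."""
    return _code(key, counter.to_bytes(8, "big"))


def sign_transaction(key: bytes, challenge: bytes, payee: str, cents: int) -> str:
    """Code bound to the bank's challenge and the payment details."""
    p = payee.encode()
    msg = challenge + len(p).to_bytes(2, "big") + p + cents.to_bytes(8, "big")
    return _code(key, msg)


def bank_accepts_otp(key: bytes, counter: int, submitted: str) -> bool:
    # The check has no payee or amount input, so it cannot notice tampering.
    return hmac.compare_digest(otp(key, counter), submitted)


def bank_accepts_signed(key, challenge, payee, cents, submitted) -> bool:
    # The bank recomputes the code over the details it actually received.
    expected = sign_transaction(key, challenge, payee, cents)
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    challenge = secrets.token_bytes(16)  # fresh per transaction
    user_otp = otp(KEY, 7)
    user_sig = sign_transaction(KEY, challenge, "ACME Utilities", 12_500)
    return {
        "otp_valid_whatever_the_payment": bank_accepts_otp(KEY, 7, user_otp),
        "signed_original": bank_accepts_signed(
            KEY, challenge, "ACME Utilities", 12_500, user_sig),
        "signed_altered": bank_accepts_signed(
            KEY, challenge, "Other Payee", 950_000, user_sig),
    }
```

Because the challenge is part of the signed message, a code captured for one transaction also fails against the next challenge the bank issues.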