Tag Archives: risk

Tooth tattoo

Leave a reply

toothtattooPrinceton is developing an electronic ‘tooth tattoo‘ for detecting bacteria. My money says development plans look something like this:

  • Version 1.5 sends a text to your phone telling you when to buy Altoids,
  • Version 1.8 will tell you how quickly you need to buy Altoids, and
  • Version 2.0 incorporates social media analysis and performs a risk analysis of likelihood of getting a date, thus potentially saving you a trip and having to get off of the couch. (Which in turn informs the Energy Conservation Module which sends you a free iTunes download and updates your thermostat.)

2014 attacks to be highly targeted & well-researched

Leave a reply

Security provider Websense says that  while the volume of attacks will decrease, there will be an increased use of highly targeted, well-researched attacks. These attacks, in turn, will be used as a stepping stone for subsequent malicious activity after stealing user credentials.

The firm also predicts that a major data-destruction attack will occur in 2014.  Further, according to this Websense report (and with the caveat that the firm sells related services), there will be an increase of related ransomware attacks in SMB’s. Other predictions include ongoing Java exploits, increased focus on attacking data in the cloud, and increased reconnaissance activity on executives via professional social networks such as LinkedIn.  The report also speculated increased attacks on the vendors and contractors of large companies with the thought being that these ‘support’ companies will have less sophisticated cyber defenses than their larger partners.

More small businesses doing their own technical support

Leave a reply

smallbizsurveyimageAn 800 participant survey conducted by the National Small Business Association shows more small businesses are managing their own IT and web sites.  Other differences noted between the 2013 survey and a similar survey conducted in 2010 include:

  • desktop usage grew by 11% (76% to 87%)
  • laptop usage grew by 17% (67% to 84%)
  • smartphone usage grew by 17% (57% to 74%)
  • growth in businesses allowing telecommuting – 16% (44% – 60%)
  • online bank account management grew by 10% (73% – 83%)

Notably there was a 12% drop in businesses using external service providers for technical support and a 15% increase in business owners providing their own technical support.  Similarly, there was an 11% drop in companies paying external providers for web support accompanied by an 18% increase in owners that do it themselves.  (I’m guessing WordPress and other blog frameworks had a lot to do with that.)  Social media presence also grew substantially with LinkedIn leading with a 20% increase.

Tis the season

Leave a reply

shoppingcartFrom the SANS Institute, things to look out for while shopping online this season:

Fraudulent website indicators:

  • no phone # for sales or support
  • website domain name is different from the domain name on company email and contact info
  • poor grammar and/or spelling on website
  • the website seems to be an exact replica of what you have used in the past, but the domain name is slightly different

Your computer’s hygiene:

  • current AntiVirus running
  • autoupdate on operating system
  • one account per user
  • different passwords for different sites
  • on a trusted network (one you run w/remote admin turned off)

Payment:

  • credit cards are better than debit cards
  • review your statements at least monthly
  • turn on alerts on your credit cards if available

Scams and fake sites will be blossoming this holiday season, so be on your toes ..

[shopping cart image: clker.com]

Risk-based authentication as alternative to chronically problematic password paradigm

Leave a reply

riskmeterAuthentication, the process of trying to prove that you are who you say you are to an online system, has primarily been driven by user ID’s, aka logins or user names, and an accompanying password.  In theory, the password is secret, only known by the user associated with it, and thereby by able to authenticate or provide proof of identity.  The problem is that there are a plethora of flaws to that.  Some of these include:

  • the password is not secret because the user shared it with someone else
  • the password is not secret because the user wrote it down on a yellow sticky note & stuck it to their monitor at work or school
  • the password is guessable and could be figured out if there were readily available, free password cracking tools available online
  • there are a million readily available, free password cracking tools available online
  • a password hacked on one site is used on another user site — because users use the same password across multiple different accounts & sites because it’s very hard to remember different complex passwords for many different accounts and sites
  • and on and on

An alternative is a newer approach that computes a risk score that is associated with login attempts (the authentication process).  A usage profile is developed based on several factors:

  • user ID
  • user device
  • geographic location
  • target system (what they’re trying to log onto)
  • time of day they typically log in
  • their IP address
  • typing speed

A user that tends to log into their company’s database on weekdays at a particular time of day from a particular workstation will generate a baseline profile.  An attempt to login to that database Sunday morning from a mobile device will generate a disparity.  This will signal the need for additional proof of identity (maybe a phone call or PIN) or perhaps disable the login entirely.

It seems some time in use and data to analyze effectiveness is called for, but if that looks good, this is pretty cool.  More here.  Even Bruce Schneier likes it!

riskbasedauthent

 

Malware more prevalent on college campuses … Shocking!

Leave a reply

universityDark Reading reports that universities are 300% more likely to have malware on their networks than their commercial and public sector counterparts.  Given the lack of standards or hard-to-enforce standards for many of the users on campus networks, this is not a huge surprise.  The academic culture of share-share-share (with some exceptions) can also contribute to this high malware prevalence. For many students and faculty, complying with a directive or guidance can be synonymous to bending down before The Man.

The Expiro family of malware is particularly prevalent in higher education.  The Expiro family of malware:

  • infects drives of all types — local, portable, network
  • installs malicious extensions to Chrome and FireFox browsers
  • attacks via web site visit “drive-bys”
  • activity includes copying/stealing user names, passwords, and web histories

I don’t see top down authoritative approaches to ever to enhance security on campus.  It just won’t fly.  But that doesn’t mean don’t bother either.  Core efforts to enhance security on campus need to include a robustly managed wired and wireless network backbone (what’s behind the wall), a lot of trust building effort with students, faculty, and staff, and a lot of education and accessible (easy to implement) guidance.  This requires time and staffing (ie $$), but it is the best opportunity to tame higher ed malware rates.

[Image: Clkr.com]

And she told two friends (and so on, and so on …)

Leave a reply
rule30

Internet of Things — iterating & compounding

The numbers and rates of growth that I’m seeing forecast for the Internet of things reminds me of that shampoo commercial in the 80’s where Heather Locklear touts the shampoo by telling two friends about how great the shampoo is. Each of those two friends in turn each tell two friends, who in turn tell two friends… and so on, and so on …

ZDNet just came out with coverage of an IDC report where the Internet-of-Things (IoT) is forecast to be a $8.9 trillion industry by 2020.  2012 spending on IoT was put at $4.8 trillion with a forecast compounded annual growth rate of 7.9%.  The financial term for that, I believe, is, ‘yowza!’

The IDC report further forecasts 212 billion connected networked things by 2020 of which 30.1 billion will be autonomous connected networked things.  To which an Australian might comment, ‘crikey!’

These are some big numbers. A bigger number, though, is the number of relationships, whether direct or indirect (transitive) between those things.  Remember, the number of relationships in a fully-connected network grows much faster than the number of nodes.  Something like:

# of nodes     # of relationships

2                      1 connection between them, aka relationships
3                      3 relationships
4                      6 relationships
5                      10 relationships
.
.
.
100                  4,950 relationships
.
.
.

n(n – 1)/2 is the number of relationships where n is the number of nodes or ‘things’ in IoT

Like I said, some big numbers.

and so on, and so on, and so on …

[Image: http://en.wikipedia.org/wiki/File:CA_rule30s.png]

Not a breach, but embarrassing

Leave a reply
image portion from @kdmsteam tweet

image portion from @kdmsteam tweet

Not a breach, but embarrassing.

As an example of risk of reputation damage, a group calling itself KdmsTeam has recently defaced the websites of two cybersecurity companies, Avira and AVG.

The likely approach was by taking over the domain accounts of each company via their domain registrar, Network Solutions.  Domain registrars issue and manage domain names for individual or company websites. This sort of attack is sometimes referred to as DNS hijacking.  Per International Business Times, KdmsTeam is a pro-Palestinian group affiliated with the hacker group Anonymous.  The group also hacked the popular messaging website, WhatsApp.

Some tweets in the past 24 hours from the group KdmsTeam:

kdmsteam tweet

kdmsteam tweet

kdmsteam tweet

 

All three sites, AVG, Avira, and WhatsApp were offline for a period of time to address the issue.  All three sites are up at the time of this post.