Frequency and intensity of successful malicious exploits of online data call for a pooling of information between impacted parties

When hackers obtain otherwise legitimate credentials to online sites and the data repositories they contain, their efforts to depart with data they do not own are far more likely to succeed — perhaps unstoppable. Therefore it makes sense for parties impacted by these attacks to pool their information so a new level of defense can be promptly implemented against further successful exploits with the same credentials.

Unfortunately this is the condition apparently in place in March 2015. On Sunday, March 29, 2015 the online edition of the Wall Street Journal ran a story written by the Associated Press titled Some British Airways Frequent-Flier Accounts Hacked. Notable in the article is mention of what appears to be the method the hackers used to access the data: “The breach apparently was the result of a third party using information obtained elsewhere on the Internet”.

Then, through what looks like a brute force method of simply trying credential set after credential set against the access control method at the perimeter of the British Airways web site, the hackers eventually succeeded in their effort. Tellingly, the writers from the Associated Press note this attack is, apparently, the fourth such recent attempt. The other attempts compromised data owned by the “Hilton and Starwood” hotel brands and “United and American airlines”.

It is very hard to defend a data repository against requests for access based on legitimate credentials. Sure, processes can be implemented to detect brute force access methods and to deny access — even to holders of legitimate credentials — when they are presented within the context of a brute force attack. But what if the “automated process” mentioned by the Associated Press amounted to a substantially more sophisticated tactic than rapid, repeated completion of an online site access form? It would be much harder to detect a brute force attack should it transpire over days, or even weeks.
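As an added example (not code from the original post), the following Python compares a classic per-minute velocity rule with a rule that counts how many distinct accounts one source has tried over a week, which is the kind of check that still fires when credential testing is spread over days. The log format, the thresholds and the log lines are constructed assumptions.

```python
"""Detect credential testing spread over days rather than minutes.

Added example, not code from the original post. The log format below
(timestamp, source IP, account, result) and all thresholds are
assumptions; the log lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries eight different accounts over a
# week (one hit), another hammers a single account in about a minute.
SAMPLE_LOG = """\
2015-03-20T02:11:04 203.0.113.7 alice FAIL
2015-03-20T09:40:19 203.0.113.7 bob FAIL
2015-03-21T14:05:51 203.0.113.7 carol FAIL
2015-03-22T03:22:07 203.0.113.7 dave FAIL
2015-03-23T11:58:33 203.0.113.7 erin OK
2015-03-24T19:31:12 203.0.113.7 frank FAIL
2015-03-25T07:15:45 203.0.113.7 grace FAIL
2015-03-26T22:02:09 203.0.113.7 heidi FAIL
2015-03-21T08:00:00 198.51.100.4 alice FAIL
2015-03-21T08:00:05 198.51.100.4 alice FAIL
2015-03-21T08:01:10 198.51.100.4 alice OK
2015-03-22T10:00:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Return (timestamp, source_ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, account, result == "OK"))
    return events


def group_by_source(events):
    """Time-ordered (timestamp, account, succeeded) attempts per source IP."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    for attempts in by_ip.values():
        attempts.sort()
    return by_ip


def _max_over_windows(attempts, window, measure):
    """Largest measure(slice) over every time-ordered slice spanning <= window."""
    best, start = 0, 0
    for end in range(len(attempts)):
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        best = max(best, measure(attempts[start:end + 1]))
    return best


def velocity_alerts(by_ip, window=timedelta(minutes=10), threshold=3):
    """Classic brute-force rule: many attempts from one source in a few minutes."""
    return {ip: n for ip, a in by_ip.items()
            if (n := _max_over_windows(a, window, len)) >= threshold}


def slow_stuffing_alerts(by_ip, window=timedelta(days=7), min_accounts=5):
    """Low-and-slow rule: many distinct accounts tried from one source over days.
    The request rate stays far below any per-minute threshold, so only the
    breadth of accounts tried gives the pattern away."""
    alerts = {}
    for ip, attempts in by_ip.items():
        distinct = _max_over_windows(attempts, window, lambda s: len({acct for _, acct, _ in s}))
        if distinct >= min_accounts:
            hours = max((attempts[-1][0] - attempts[0][0]).total_seconds() / 3600, 1.0)
            alerts[ip] = {
                "distinct_accounts": distinct,
                "attempts_per_hour": round(len(attempts) / hours, 3),
                "accounts_succeeded": sorted(acct for _, acct, ok in attempts if ok),
            }
    return alerts


def analyze(log_text):
    by_ip = group_by_source(parse_log(log_text))
    fast = velocity_alerts(by_ip)
    slow = slow_stuffing_alerts(by_ip)
    for ip, info in slow.items():
        # Records which slow campaigns the velocity rule alone would have missed.
        info["caught_by_velocity_rule"] = ip in fast
    return {"velocity": fast, "slow_stuffing": slow}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed log the velocity rule flags only the one-minute burst, while the week-long source with eight accounts (and one successful login) is caught only by the distinct-account rule.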

Regardless of how one argues data owners should defend themselves against these types of attacks, the substantial value of implementing data consortiums — literally groups pooling data about attacks — as a defense method should pass muster. One can argue law enforcement agencies already provide this type of knowledge “beyond the wall” and should be able to play this role. But there is another aspect to the potential of a data consortium for online data security, a similar opportunity to the concept of Key Risk Indicators (KRIs) as it has been applied to efforts to implement Operational Risk Management (ORM) solutions for global financial businesses. This application of a data consortium will not fall within the purview of a decision to look to law enforcement for “environmentally relevant” data about similar data security breaches. I have some experience with ORM solutions including KRIs and would be interested to speak with readers with an interest in hearing further about this notion. Please contact me to discuss.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved


No Technology Solutions on the Near Term Horizon for a Better Defense Against Online Hacking

ISVs with popular online computing offers (notably Apple, Google, and Microsoft) have each adopted and endorsed an “App” model. This writer has a lot of conceptual familiarity with Microsoft’s version of this approach. Microsoft has positioned its Office 2013 App Model as a better approach to online security, but is it really?

For readers unfamiliar with the broad technical structure of “Apps” and how it might enhance online security for consumers, the key principle is “isolation”. In theory, “Apps” transition a lot of computer processing from servers to clients. In other words, a lot of the activity handled in the past by the server is transitioned over to the PCs, smart phones, tablets, and even game consoles consumers use to process computing tasks online. The method of processing this activity is to instruct these computing clients to act on commands written in some version of the JavaScript programming language, or the latest version of HTML (HTML 5 at the time of this post).

In the case of the Office 2013 App Model, the jQuery function library is heavily used by developers to add procedures quickly, which already exist somewhere online, with all of the supporting libraries required for successful execution. But this practice poses several difficulties, a couple of which directly impact on online security for consumers. First, there are different versions of the jQuery function library. So, when an App is developed with one version, and another App is added to a computing environment (for example, Office 365), the potential for App conflict arises, which can result in degradation of service for the end consumer.

Second, and perhaps unintended by advocates of this type of development, the App model’s reliance on a client-side method like JavaScript can be said to insulate the server, but this approach shifts the burden of security over to the client. Since there are hundreds, if not thousands, and even millions of different clients in use to interact with one server (or many servers in a load-balancing scenario, which act as one server), there is a much higher likelihood of a security breach on a client machine. Once clients are successfully compromised, they can be added to bot networks and re-purposed for other types of malicious activity.

For better or worse, in late 2014 the best defense against malicious online activity remains best represented by a correct set of operational risk management processes, at least for large organizations of users.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Secure, Cloud SaaS Offers Require Closely Managed Two Step Verification Controls

As both the number and intensity of successful attempts to subvert popular cloud, SaaS offers increases, some prominent industry experts are calling for mandatory two-step verification procedures. But, if past history provides us with any reliable metrics on the usefulness of these added security controls, two-step verification methods need to be tightly managed if they are to provide a useful deterrent to subversive attempts.

Just two days ago a post was published to this blog on a related topic. That post addressed the recent, highly publicized successful effort of hackers to penetrate a celebrity’s account on Apple’s iCloud storage service. It advocated a broader, perhaps mandatory, requirement for consumers of services like iCloud, OneDrive, Google’s Drive, etc.: any/all users of these services should be required to implement two-step identity verification methods.

It was, therefore, encouraging for us to review a short video interview with Tim Bucher, a respected authority on online security topics. This interview, titled Apple iCloud options buried: Expert, records very similar opinions, expressed by Bucher, to those voiced in the post to this blog.

But readers should be aware of a couple of instances, in the recent past, where two-step verification methods (including the RSA system Bucher describes in the interview) have been compromised.

Back in April, 2011, RSA’s SecurID system was, unfortunately, successfully hacked. Of course RSA has long since cleaned up the errors, and, to their credit, the fact an expert of Bucher’s authority makes reference to the system as a reliable safeguard is good news.

Back in 2013, Duo Labs identified, and subsequently publicized, potentially dangerous problems with Google’s two-factor authentication system. Once again, these problems have been corrected.

The point of offering these examples is not to discourage readers from implementing similar trusted solutions, but, rather, to illustrate that any/all of these controls have vulnerabilities. When considered outside of the context of a sound attempt to implement an operational risk management policy truly capable of safeguarding online interaction with a cloud, SaaS offer, no control should ever be considered a completely infallible defense against hackers.

Readers may wonder just what constitutes “a sound attempt to implement an operational risk management policy”. Such an attempt is defined as an effort persistently enforced over any/all daily online computing instances. Any breakdown in the persistence of these procedures can, and, unfortunately, often does lead to successful subversive efforts.

Unfortunately, “dumbing down” doesn’t work when online computing is the activity at hand and the need is to safeguard confidential information.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Do Cloud App Consumers Really Want Merely a Simple Online Authentication System?

Anyone following media reports on the security consciousness of consumers of online apps, or the disinterest they exhibit in developing one, will likely be familiar with what this writer considers a long term trend to look for “something easy” to implement, even at the expense of any real promise of security. This trend was on display at the recent Google I/O 2014 Developer event. During the Android Apps for smart phone segment the audience witnessed a streamlined approach to device authentication. The presenter first noted how difficult it can be to repeatedly authenticate an Android smart phone via a PIN method, and then went on to show how the process can be circumvented by a new Android feature built on what could be called “proximity based authentication based on trusted, related devices”.

The presenter demonstrated a successful attempt to authenticate his smart phone via his Bluetooth smart watch. The phone had evidently been programmed to consider the smart watch a trusted object. So, bingo, with the smart watch strapped to his wrist, the presenter quickly gained access to the smart phone without any need to comply with the “complex” PIN method.

Anyone watching the web cast of this presentation will note the audience applause. So, it would appear, at least the app developer community favors this type of simple method of proving a user has valid access to a device.

Fast forward a month after this event and read an article posted to the Wall Street Journal. This one, titled “The Password Is Finally Dying. Here’s Mine”, was published on July 14, 2014 and was written by Christopher Mims. Mims presents this demonstration as an example of something with a real promise of data security: “It might seem foolish to replace an authentication token that you keep in your head (a password) with one you keep in your pocket (like a phone) but consider: The former can be obtained by hackers, and the latter you can shut down the moment it goes missing.”

This writer has a few questions: 1) Just because an online hacker isn’t wearing my Bluetooth watch, does this mean he/she can’t spoof it? 2) What about a “brick and mortar” thief, who steals my Bluetooth watch and my smart phone and my tablet? What’s to keep him/her away from my data?

Mims goes on to refer to a user’s ability to “wipe” a device, meaning a smart phone, etc. Readers may want to maintain a skeptical attitude toward this claim, as well.

Bottom line, given the pervasive insecurity of online data communications, one would hope app consumers (at least smart ones) would favor security over convenience.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


With Highly Publicized Online Security Concerns Subdued, Microsoft is Poised to Move Forward

The Mashable blog has published a few articles on the online security flaws plaguing Microsoft’s Windows XP O/S. In Internet Explorer Gets Its Security Patch, and So Does Windows XP, Lance Ulanoff announced Microsoft’s intention to issue patches on Thursday, May 1, 2014, to fix the problems.

Numerous posts to other prominent blogs have debated the pros and cons of Microsoft’s decision to provide these fixes for a product (Windows XP), which, Microsoft has announced, has reached end of life.

In fact, there are very strong positives, as I see it, in Microsoft’s public announcements about this problem:

  1. In his post, Mr. Ulanoff claims Microsoft, itself, was the first authority to inform the public of the severity of these security holes, and to urge the public to stop using the products pending a fix
  2. Microsoft made an exception to its own policies for products reaching end of life, and provided the fix at no charge to anyone who still used Windows XP with “Automatic Update” set for the O/S and Internet Explorer Browser

If there is bad news, and someone has to announce it, better the culprit than anyone else. With this dictum in mind, I think Microsoft clearly took the right step with point 1, above.

If a security hole is as dangerous as Microsoft claimed, and no less an authority than the U.S. Department of Homeland Security chooses to follow up with its own warning to the public, then the best strategy is to fix it, absorb any/all costs related to developing and distributing the solution, and, hopefully, move beyond the issue. Per point 2, Microsoft opted to follow this strategy, with, one would hope, positive results to come.

Better to assume the role of a “good citizen”, than to risk one’s reputation by trying to control costs, while rigidly adhering to a policy designed for normal circumstances, and not the kind of extraordinary conditions we found following the public revelation of the security holes.

In sum, I think Microsoft’s public posture through this event gets almost an 8 on a 10 point scale.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved



Should Online Security Procedures Run Independent of Users?

Recent disclosure of additional details about the highly publicized compromise of Target’s customer data repositories supports an argument for less manual effort in operating methods of securing confidential, user-specific data across online communications. Is this argument plausible? And, if the answer is yes, then to what extent?

I think the best answer to this question is a qualified “yes”. Perhaps online security best practices should be revised. It may make sense to remove the user from the direct application of single sign on technology as cloud, SaaS processes are consumed. If the authentication step can be handled with greater precision, and success, by delegating the actual management of logging into, and then out of a host of applications to another piece of software — another SaaS dedicated to securing the exchange of online credentials between applications and specific users — then, this argument goes, we can have more confidence in at least this step in the online systems processing experience for typical SaaS users.

Identacor is an example of a SaaS targeted to the identity and access management market. These consumers need a better method of managing credential exchange between users and SaaS processes. I recently spoke with Sandy Dalal, CEO of Identacor. Anyone visiting the Identacor site will note the importance of a unique markup language, Security Assertion Markup Language (SAML), to the Identacor solution. As Dalal sees it, implementing Identacor on a SAML core directly satisfies a growing SaaS user requirement for a method of actually removing passwords, altogether, from an online authentication process. Once passwords are relegated to a less important role in the process, then the administrative burden is reduced, as well.

But Dalal explained Single Sign On (SSO) is simply a part of the solution Identacor offers to its customers. He let me know Identacor is “. . . really in the business of managing [our customers’ online] identities. From the time an employee, or even an external partner joins your company, to the time they leave your company, in all the, sort of, life-cycle access security events transpiring from this association, we can help secure that . . .”

Identacor has been built with hooks to popular human resources management SaaS offers (he mentioned Workday). He claims these hooks can be used to remove access rights to important, organization-specific applications, as required, as personnel transition out of a client’s company. These hooks operate entirely transparently to the user.
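To make the lifecycle hook concrete, here is an added Python example (not Identacor’s or Workday’s code) that reconciles a constructed HR roster against application accounts and decides which accounts to revoke, which to keep, and which no HR record can ever disable. The record layouts, field names and data are assumptions.

```python
"""Reconcile an HR roster against SaaS application accounts.

Added example; not Identacor's or Workday's code. Record layouts and
field names are assumptions and all data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last working day once known, else None


@dataclass(frozen=True)
class AppAccount:
    app: str
    account: str
    employee_id: Optional[str]  # None when the account was never tied to a person


# Constructed sample HR feed (the "hook" input) and application account lists.
HR_FEED = [
    HrRecord("E100", "active", None),
    HrRecord("E101", "terminated", date(2014, 3, 31)),
    HrRecord("E102", "active", date(2014, 4, 15)),  # notice given, still employed
]
APP_ACCOUNTS = [
    AppAccount("crm", "alice@example.com", "E100"),
    AppAccount("crm", "bob@example.com", "E101"),
    AppAccount("wiki", "bob.contractor", "E101"),
    AppAccount("crm", "carol@example.com", "E102"),
    AppAccount("wiki", "shared-marketing", None),   # shared login, no owner
    AppAccount("crm", "old-intern", "E999"),        # owner no longer in HR feed
]


def reconcile(hr_feed, accounts, as_of):
    """Sort every application account into revoke / keep / orphan buckets.

    An account is revoked when HR marks its owner terminated, or when the
    owner's recorded end date has passed even if the HR status lags behind.
    Orphans have no HR owner, so no lifecycle event will ever disable them;
    they need a human review rather than an automated hook."""
    hr = {r.employee_id: r for r in hr_feed}
    buckets = {"revoke": [], "keep": [], "orphans": []}
    for acct in accounts:
        rec = hr.get(acct.employee_id) if acct.employee_id else None
        key = (acct.app, acct.account)
        if rec is None:
            buckets["orphans"].append(key)
        elif rec.status == "terminated" or (rec.end_date and rec.end_date < as_of):
            buckets["revoke"].append(key)
        else:
            buckets["keep"].append(key)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, items in reconcile(HR_FEED, APP_ACCOUNTS, date(2014, 4, 1)).items():
        print(bucket, items)
```

Run against the same data on a later date, the account whose owner’s end date has passed moves into the revoke bucket without any change to the HR status field.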

If, as it presently appears, poorly architected, managed, and, finally, implemented operational risk management controls were at the center of the Target hack, then systems like Identacor are worth a close review by any business looking to remove some of the human factor from these online interactions.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved


Security Exploits are Prodding the Public to be More Defensive About Online Services

The stream of news about successful malicious attacks against online SaaS offerings — recently breaking at a non-stop pace — appears to me to be finally prodding the public to take, at a minimum, a more defensive stance about the information these services ask of them. This is, of course, good news for the public, and good news for ISVs offering security solutions for online data communications.

I make this claim based on the frequency of publication, by mass market media outlets like the New York Times, of articles on this topic. Nicole Perlroth, a writer for the Times, published an article on Sunday, January 12, 2014, titled Stop Asking for My Email Address. This article is noteworthy for a few reasons:

  1. The examples in the article are based on the in-store (brick and mortar) experience of retail customers (including the author, herself)
  2. Each example is accompanied with a security tip
  3. The author admonishes the reader to adopt tighter security measures, and to start exercising them right away

The first point — stories of the experience of retail customers in brick and mortar retail locations — promises more cognizance by average retail product consumers. The vast majority of these consumers still make their purchases at brick and mortar locations. These shoppers are less aware of what online data communications is all about in the Internet era, and even less likely to have a useful idea of the security required to safely use SaaS offers, including e-commerce enabled web sites. So these examples provide them with useful scenarios as they develop better personal data security behaviors.

The author’s illustration of just what it means when Target raises the number of consumers likely affected by the security breach to 70 million, “So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population.” (quoted from Nicole Perlroth’s article, a link to which has been provided above in this post), is to be commended: only the least sensitive readers are likely to maintain a “business as usual” attitude when the statistic is presented in this way.

The best method of protecting oneself from the threat of malicious subversion of cloud, SaaS offers certainly starts, and ends, with oneself, my third point. I would have preferred reading how the author managed to gracefully decline the sales representative’s request for her email address, rather than reading the “secure” email address she ended up offering, but at least the seemingly “secure” email address is better than a more personal one.

The important point, of course, is the negative impact a more security conscious consumer will have on the popularity of cloud, SaaS offers. I can’t help but think we will start to see some revenue misses in the coming quarters from some of the more prominent players in this industry sector.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved


The Market for Cloud, SaaS Security Solutions Heats Up in the Aftermath of SnapChat and Skype Hacks

On Thursday, January 2, 2014, FireEye announced its acquisition of Mandiant. According to an article authored by Danny Yadron and published on the Wall Street Journal website titled CyberSecurity Deal: FireEye Buying Mandiant for about $1 Billion, the acquirer in this transaction is paying roughly ten times the $100 Million annual revenue Mandiant will book for fiscal 2013 (according to FireEye CEO Dave DeWalt, who is mentioned making this estimate in the Wall Street Journal article).

In a post to this blog published on the same day, I presented my notion about the likely condition of consumer sentiment about Cloud, Software as a Service (SaaS) offers in the wake of a well publicized, successful malicious attack on SnapChat, which occurred over the winter holidays, 2013.

Not noted in my post, but worth a mention, is another successful malicious attack on an online service — this time Skype was the victim — occurring over the same timeframe. My point is the volume of these attacks has achieved a critical mass, where consumers can be expected to lose their appetite for Cloud, SaaS offers for fear of exposure to malicious attack by cyber crooks.

So the transaction makes a lot of sense to me, and, further, provides credible support for my claim. I can only conclude the business segment of Cloud, SaaS consumers, which both of the parties in this transaction serve, is displaying a burning need for a security solution reliable enough to support continued use of these Cloud, SaaS offers. Why else would FireEye pay the high multiple required to close this deal?

Another point needs to be made here. This same business segment of consumers apparently wants to keep using these services, and appears to be willing to pay for security. So the low cost and convenience of Cloud, SaaS offers can safely be said to still represent a benefit consumers are willing to pay to achieve, despite a list of successful malicious exploits which is getting longer, day by day.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved


CloudShare May Offer A Better Environment for Data Security Threat Simulation

As data communications takes on an ever increasing set of mission critical roles for businesses of all types, and sizes, access to a method of simulating data communications problems, of all types (regardless of whether they arise from accidents, or from malicious activity) must be provided to any/all stakeholders within an organization as a cornerstone of operational risk management.

CloudShare is an example of the type of highly flexible, off premises, cloud computing solution capable of providing businesses with a “sanitary” method of simulating data communications disruptions. Any suitable venue for this type of testing must offer users:

  • a method of precisely simulating “real world” office computing environments, including hardware, operating systems, and applications
  • support for team collaboration on projects
  • and rapid set up and tear down for targeted environments

CloudShare’s TeamLabs subscription offer meets, or exceeds each of the above criteria.

Stakeholders in this effort must include not only IT staff, but also key personnel from Line of Business (LoB) units. Online commerce activities, social media efforts, mobile messaging, are usually owned and operated by LoBs (with the blessing and support of IT). Regardless of the look and feel of any of these electronic activities, at the network layer each of them relies on healthy data communications. So the effort to safeguard data communications is a critical management activity for everyone with an interest in the success of these features of the business.

In August of this year, Gunter Ollmann authored an article, “The Increasing Failure of Malware Sandboxing”, which was published on the Dark Reading website. Mr. Ollmann points out some limitations in the usefulness of “dynamic sandboxing” techniques, which have grown in popularity as data communications has become monolithic with Ethernet at the network layer and Hypertext Markup Language (and its siblings) at the presentation layer.

From an operational risk management perspective, “dynamic sandboxing” amounts to scenario testing. The points Mr. Ollmann makes illustrate the limits of the scenarios depicted via this method. The rapid expansion of the Internet, together with the dramatic expansion of online data communications to include what I refer to as small, smart, mobile devices, have both pushed “dynamic sandboxing” rather far along a path to obsolescence.

Mr. Aviv Raff, in an article published on November 4, 2013, titled Cloud-Based Sandboxing: An Elevated Approach to Network Security, makes a case for cloud-based sandboxing as a superior method of building truly useful scenarios for risk management. I concur with Mr. Raff’s point. To reiterate, an enterprise account at CloudShare can certainly be configured to provide a business with an opportunity to test various data communications problem scenarios safely, off premises, where they ultimately belong.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved


Will the October Cyber Attack on Adobe Systems Prompt a Change in Vendor Consumer Responsibilities?

On October 3, 2013, Brad Arkin, Chief Security Officer of Adobe® posted an Important Customer Security Announcement. This post included a summary of a successful attempt by a malicious entity (individual, team or organization) to compromise the security of Adobe’s websites. The attackers made off with application source code for a number of Adobe products.

They also made off with “. . . customer information . . .” This information included “. . . customer names, encrypted credit or debit card numbers, expiration dates, and other information . . .”. In response, Mr. Arkin noted, Adobe will take steps, including “. . . notifying customers whose credit or debit card information [Adobe] believe[s] to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.”

The last item on this list, “the option of enrolling in a one-year complimentary credit monitoring membership where available”, in my opinion, may be a subtle, but nonetheless very important sign of something I’ve written about in the past with regards to cyber security, and the respective responsibilities of vendors and consumers. My argument has been that as the frequency and severity of these attacks increase, the ultimate responsibility for any losses will eventually shift to the consumer from the vendor.

Is it safe to surmise from this point that the consumer is going to feel the burden of any financial pain that may unfortunately result from this attack? Certainly Adobe will incur the expense of monitoring credit for a year, but there is no mention of Adobe compensating these consumers for any losses that may result from this attack.

I find further support for at least requesting further specificity from Adobe on these points in Mr. Arkin’s next declaration: “We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.” Just what does Adobe mean by “help protect customers’ accounts”?

The repercussions of all of this, at some point, will likely diminish consumer and business appetite for cloud, SaaS offers. Thoughts?

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved