Tuesday, September 23, 2014


World first cyber security training centre opens in Bristol: Hass & Associates Online Reviews

From left, Brian Lord OBE, managing director for cyber at PGI, Karen Bradley, Minister for Modern Slavery and Organised Crime, and Vice Admiral Sir Tim McClement, chairman of PGI, during the live hacking demonstration at the PGI launch of the Bristol training centre

A world-first cyber crime fighting training centre has opened in Bristol, aiming to help businesses, government agencies and even police forces keep ahead of this growing threat.

The centre, run by Protection Group International, was opened by Organised Crime Minister Karen Bradley, who said it was a “major step forward” in the ongoing fight against cyber crime.

She said: “To stay one step ahead of the cyber criminals, we need to ensure enough people in all sectors of the economy have the right skills to understand and take action against the threat they pose.

“PGI’s innovative training facility is an excellent example of how British know-how and capability can help governments and businesses around the world protect themselves in cyberspace.”

The £5-million centre in Aztec West is the first of its kind and already employs 50 people recruited from specialist fields.

Chief executive Barry Roche told the Post Bristol was the perfect site for its new facility.

“Bristol rose to the top of the shortlist very quickly because of the talent pool in the South West,” he said. “Bristol has a long technology heritage as well as fantastic transport links. It is the right place.”

Customers range from large corporate firms to public sector organisations such as councils and police forces and foreign governments.

The 4,000 square metre facility includes three classrooms and a dedicated network, giving people the chance to work in a so-called sandbox – a safe environment where they can play around without fear of damaging their own network.

Barry said training courses for IT and cyber security professionals are “very technical”. But there are also courses for chief executives and board members, with facilities to host board meetings on site at the same time.

He said it was often at the highest level of an organisation that awareness and understanding of cyber crime was lowest.

“The need for organisations to protect themselves against cyber crime has never been greater,” he said. “Regulators, customers and employees all expect their data to be kept secure and the burden of accountability rests squarely with those responsible for maintaining that security.

“Whether you’re a board member, IT manager or IT professional, ensuring that you’re not the weak link when it comes to cyber security is a business-critical issue.”

Barry is a former Royal Marine while managing director Brian Lord is the former deputy director of Government listening base GCHQ in Cheltenham, where he ran the intelligence and cyber crime operations.

Brian said the threat was as much the people as the technology.

“Attackers exploit human vulnerabilities and the weaknesses inherent in IT systems and infrastructure due to human errors in coding, design, maintenance or procurement,” he said. “Consequently, a strong cyber security programme should also consider human factors from the vulnerability of the systems’ users to the motivations guiding attackers.”


Thursday, September 18, 2014


Hass & Associates Online Reviews: The Naked Truth About Internet Security

At ProgrammableWeb's API conference next week in London (Sept 24-26), my keynote session will identify patterns in some of the recent cybersecurity transgressions, what could have been done to stop them, and why Internet security is currently a trainwreck.

It Will Fappen To You. It's Only a Matter of Time.

It was apparently a wake-up call for the general public when, in what is now being called the "Fappening," headlines revealed that hackers were able to publish nude photos belonging to celebrities like Jennifer Lawrence that were thought to be both private and secure in Apple's iCloud. Though Lawrence very bravely acknowledged that the photos were indeed of her and not Photoshopped fabrications, make no mistake about it; for her and the other impacted celebrities, it was the ultimate digital violation of their privacy.

For Apple, which was on the verge of announcing Apple Pay -- a means by which iPhone 6 users would be able to make NFC-based contactless payments at supporting merchants -- the timing could not have been worse. When it comes to handling personal payments, nothing matters more than trust. Just ask Home Depot and Goodwill: two big national brands suffering an erosion of trust after hackers gained access to the credit card data of hundreds of thousands of their customers.

Likewise, thanks to the revelation that the so-called hackers gained unauthorized access to celebrity iCloud accounts, Apple's trust took a hit. But, in the scheme of things for Apple, it's really more like a flesh wound. Compared to other vendors of personal technology, Apple has enjoyed a relatively stellar track record when it comes to security. Meanwhile, fearful that it could happen to them, iCloud users everywhere scrambled to change their passwords, remove any sensitive content from their iCloud accounts, and reconfigure their iOS devices so as not to automatically upload newly taken photographs and video to Apple's iCloud.

But for many of us who are closer to the nuances of Internet and digital security, this was not a wake-up call. This was just another successful hack in a long line of transgressions that collectively point to (1) the lengths to which hackers with nefarious intent will go to achieve their objectives, (2) the fundamental problems with the way the Internet is secured, and (3) how APIs are increasing the Internet's vulnerable surface area and what API providers must do about it. After all, while Apple will very likely regain the trust of most of its customers, a transgression of this nature could mean death for a smaller brand. The stakes are not to be underestimated.

While Apple has, in its press release regarding the incident, admitted that celebrity iCloud accounts were victimized by a targeted attack, it has also said that the attack was not a result of a breach in the security of its systems and infrastructure. While the meaning of "breach" is like "beauty" (it's in the eyes of the beholder), Apple, for its part, has not disclosed the exact details of the transgression (transparency is still a major problem in our industry) and so much of what is public at this point still falls into the journalistic bucket of speculation. Nevertheless, if true, the currently prevailing non-Apple account of the celebrity iCloud incident offers some very visceral clues as to the lengths that hackers will go to achieve their objectives.

Not So Fast Sonny!

Allegedly, at the heart of the incident was a missing safeguard (called a rate limiter) that would have prevented the hackers from employing a "brute force attack" whereby an infinite number of passwords are tried for a given iCloud account until one finally works. By now, most Internet users have bumped into a rate limiter. After several incorrect user ID and password attempts, a Web site starts to treat you with suspicion. Some sites like Google's Gmail will start by using technologies like captcha to prove that you're human and that you're not a computer that's automating repeated attempts in rapid succession. Other sites will disable your account for some period of time like 10 minutes or an hour after which you can come back for another limited round of attempts. Still, other sites, particularly financial institutions, will lock the account until a human makes personal contact with a customer service representative.
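The escalating behaviour just described (a CAPTCHA after a few failures, a timed lockout after more, a hard lock that needs human contact) as a per-account login throttle. This is an added, constructed example, not Apple's or any vendor's code; the thresholds, the window and the `FakeClock` helper are assumptions chosen for illustration.

```python
"""Per-account login throttle that escalates from CAPTCHA to a timed lockout
to a hard lock. Constructed example; thresholds are assumptions, not any
vendor's policy."""
import time
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3        # failures before a CAPTCHA is demanded
LOCKOUT_AFTER = 6        # every sixth failure triggers a temporary lockout
HARD_LOCK_AFTER = 12     # failures before the account needs human contact
LOCKOUT_SECONDS = 600    # length of the temporary lockout (10 minutes)
WINDOW_SECONDS = 3600    # failures older than this no longer count


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failures
    locked_until: float = 0.0                     # end of temporary lockout
    hard_locked: bool = False                     # requires support to clear


class LoginThrottle:
    """Tracks failed logins per account; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def _state(self, account):
        return self.accounts.setdefault(account, AccountState())

    def _recent_failures(self, state, now):
        state.failures = [t for t in state.failures if now - t < WINDOW_SECONDS]
        return len(state.failures)

    def check(self, account):
        """What the login endpoint may do with the next attempt:
        'allow', 'captcha' (verify a human first), 'locked' or 'hard_locked'."""
        now = self.clock()
        state = self._state(account)
        if state.hard_locked:
            return "hard_locked"
        if now < state.locked_until:
            return "locked"
        if self._recent_failures(state, now) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, account):
        """Count a wrong password and escalate when a threshold is crossed."""
        now = self.clock()
        state = self._state(account)
        state.failures.append(now)
        count = self._recent_failures(state, now)
        if count >= HARD_LOCK_AFTER:
            state.hard_locked = True
        elif count % LOCKOUT_AFTER == 0:
            state.locked_until = now + LOCKOUT_SECONDS

    def record_success(self, account):
        """A correct password on an unlocked account clears the history."""
        self.accounts.pop(account, None)


class FakeClock:
    """Controllable clock (assumed helper) so escalation can be exercised
    without waiting for real lockouts to expire."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walk_through_escalation():
    """Feed one account a run of wrong passwords; return the decisions seen."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    seen = []
    for _ in range(6):
        seen.append(throttle.check("victim@example.com"))
        throttle.record_failure("victim@example.com")
    seen.append(throttle.check("victim@example.com"))   # sixth failure: locked
    clock.advance(LOCKOUT_SECONDS + 1)
    seen.append(throttle.check("victim@example.com"))   # lockout over: captcha
    return seen


if __name__ == "__main__":
    print(walk_through_escalation())
```

The throttle must sit in front of every endpoint that accepts the credential, including API entry points, or the protection is only as good as the least-guarded path.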

In Apple's case, part of the issue has to do with how users typically only have one user ID (an "Apple ID") and password -- called a single sign-on (SSO) -- for accessing the entire constellation of Apple's online services. From iTunes to iCloud, the keys to the kingdom involve one set of credentials. As far as we know, wherever these credentials can be supplied, Apple had rate limiting in place. Well, all except for at least one place (allegedly): where the credentials must be supplied in order to interface with the API for Apple's Find My iPhone service. Going back to Apple's press release and depending on your interpretation of the word "breach," exploiting such a vulnerability may not technically constitute a breach. If, for example, the lack of rate limiting through the Find My iPhone API was a deliberate choice by Apple's engineers, then the hackers simply took advantage of Apple's design decision.

With no rate limiting on that one entry point into the kingdom, the hackers only needed to create a bit of software with no other purpose than to try a nearly infinite number of Apple ID/password possibilities through that entry point. Not only did they create that software. They called it iBrute and made the source code for it public on the site Github.com so that other hackers could try it out or even worse, improve it. With no safeguard in place, it was only a matter of time before several keys to the kingdom -- each for a different Apple account (one of which was Jennifer Lawrence's) -- would be discovered.

Once hackers discover a vulnerability like this one, it's a race against the clock. Sooner or later, if a company like Apple has its security act together, it will discover such vulnerabilities on its own and close them off. So, with the clock ticking, what's a hacker to do? What else but try the most commonly used passwords? For this, the hackers allegedly turned to what's commonly referred to as the RockYou database. It's a publicly available database containing the passwords for over 14 million user accounts of the RockYou social gaming service that were revealed when that service was hacked back in 2009.

If there was ever a time to say "we're only human," this is it. One of the not so dirty little secrets of digital security is how "Password" and "123456" are the two most common passwords. In fact, there's even a list of the top 25 passwords. But with a list of the passwords to over 14 million accounts (a very projectable sample of humans), coming up with a relatively accurate list of the top 500 or 1000 passwords that people use isn't too difficult either. The hackers apparently did this too. By now, if you've read this far, you're asking "What about the celebrities' email addresses (which is what Apple uses for Apple IDs)? How were they discovered?" My answer: even if only for a moment in time, this information is relatively discoverable, especially for celebrities.

There's no telling how long the hackers used iBrute to dig for the passwords for targeted Apple IDs. But once they had them, it would have been a mountain of work to log in to the celebrities' iCloud accounts and pore through all of their photos looking for anything sensitive. With the clock still ticking, they would need something that off-loaded the photos to local storage before any of those IDs and passwords changed. For that, the hackers allegedly turned to the same software that law enforcement agencies use to download photos in bulk: a product called Elcomsoft Phone Password Breaker (EPPB) that Wired referred to as the Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud. According to Wired, "EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com." Once the hackers had all of the images on their own hard drives, there was nothing standing between them and a very embarrassing event for both the celebrities and Apple.

Circumstantial Evidence

Again, it's important to note that Apple has not confirmed the majority of these details nor has it disclosed a technical account of the matter that refutes them. Since the attack, Apple has apparently applied rate limiting to the Find My iPhone API entry point. In an article published on Sept 1, 2014, TheNextWeb.com reported how various developers, using their own Apple accounts, confirmed iBrute's ability to exercise a brute force attack through the Find My iPhone API. According to the report, Apple introduced rate limiting at 3:20am PT that day, effectively neutralizing iBrute's method of attack. In an interview with the Wall Street Journal, the company's CEO Tim Cook suggested that "celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords."  The WSJ article went on to say that "Apple will broaden its use of an enhanced security system known as two-factor authentication" and also said that Cook claimed that "none of the Apple IDs and passwords leaked from the company's servers."

In its press release, Apple implored users to activate an optional version of the two-factor authentication that it offers to account holders. More specifically, the release said "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification." As explained in this how-to, Apple's two-step verification (a consumer-friendly name for "two-factor authentication" or "2FA") prevents everyone but the person in possession of a pre-specified trusted device (the so-called second factor: a phone, an iPad, etc.) from logging into a 2FA-secured account.

But Apple's 2FA advice is problematic for two reasons. First, since API-based interactions are automated interactions that often involve two machines talking to one another, API-based authentications are rarely secured with a second factor. If any forward-looking good comes of the so-called Fappening, perhaps it will be a conversation among API economy stakeholders as to how exactly and when to secure API-based interactions with two-factor authentications.

Second, as noted in an article published by TechCrunch about the Fappening (see Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams), several security researchers have long noted how Apple's 2FA scheme doesn't cover all entry points into the Apple kingdom.

In May 2013, Ars Technica published an article (see iCloud users take note: Apple two-step protection won’t protect your data) referring to research done by the developers of EPPB that said "In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device...In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information."

Circling back to Apple CEO Cook's references to phishing attacks, the company has yet to offer evidence that such attacks took place in advance of the Fappening, nor has evidence of such an attack gone viral on any of the social networks (which most likely would have happened). Phishing is a technique whereby hackers with nefarious intent use email to lure unsuspecting users to enter their user IDs and passwords into Web pages that look official, but that are actually impostors. These emails are a form of social engineering that often preys on current events. After news of the celebrity photos struck fear into millions of Apple's customers, it didn't take long for phishers to strike. The email pictured below, received by my wife on Sept 2, 2014, states that "your Apple/iCloud Account has been momentarily restricted until you can validate your Apple and iCloud information." However, when I moused over the links in the email and inspected the sender's address, my browser revealed that they pointed to a domain other than Apple's; a domain where my wife's Apple credentials would most certainly have ended up in the wrong hands, had she entered them.
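The mouse-over check described above, automated: extract every link from an HTML email, compare the sender's domain and each link's real destination against the brand's genuine domain, and flag links whose visible text shows one domain while the href goes to another. Added example, not from the original post; the sample message is constructed and uses the reserved placeholder domain example.net, and the two-label `registrable()` helper is a deliberate simplification.

```python
"""Flag e-mail links whose real destination does not belong to the brand the
message claims to come from. Added, constructed example."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(value):
    """Hostname of a URL or bare domain; '' when there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Crude registrable domain (last two labels). Production code should use
    the Public Suffix List, since suffixes like 'co.uk' break this shortcut."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    return "." in text and " " not in text and "@" not in text


def analyze_email(from_header, html_body, expected_domain):
    """Compare the sender and every link against the brand's real domain."""
    _, sender_addr = parseaddr(from_header)
    sender_domain = registrable(sender_addr.rsplit("@", 1)[-1])
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        target = registrable(hostname(href))
        reasons = []
        if target != expected_domain:
            reasons.append("destination %s is not %s" % (target, expected_domain))
        if looks_like_url(text) and registrable(hostname(text)) != target:
            reasons.append("visible text shows %s but the link goes to %s"
                           % (registrable(hostname(text)), target))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return {"sender_domain": sender_domain,
            "sender_ok": sender_domain == expected_domain,
            "findings": findings}


# Constructed sample resembling the lure described above; example.net is a
# reserved placeholder domain, not a real sender.
SAMPLE_FROM = "Apple Support <support@validate-account.example.net>"
SAMPLE_HTML = """
<p>Your Apple/iCloud Account has been momentarily restricted until you can
validate your Apple and iCloud information.</p>
<p><a href="http://validate-account.example.net/icloud/login">https://www.icloud.com/</a></p>
<p><a href="https://www.apple.com/legal/">Terms of Service</a></p>
"""

if __name__ == "__main__":
    report = analyze_email(SAMPLE_FROM, SAMPLE_HTML, "apple.com")
    print("sender %s ok=%s" % (report["sender_domain"], report["sender_ok"]))
    for finding in report["findings"]:
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

A link to the brand's genuine domain can still be a lure if the page behind it is compromised, so a clean report lowers suspicion rather than removing it.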


Tuesday, September 9, 2014


Fighting Words: Criticism Of Video Games And Gamers Hass & Associates Online Reviews

The video game industry is still talking about the violent threats made against Anita Sarkeesian, a video game critic, who alerted the police last week and went into hiding, according to her Twitter posts.

In a column, I wrote about the questions Sarkeesian raises in her critiques, such as how video game makers treat female characters at a time when women are playing games more than ever.

Some may be puzzled why Sarkeesian’s critique caused such a stir, as she refers to in her tweet Monday (above) when talking with the police. Sarkeesian received vitriol, and not just from the person who threatened her, for pointing out the obvious, The New Statesman writes.

I’m not a gamer, but I have kids who play. There seems to be an insider culture of mostly young male players who want to keep their game world safe from both female players and any criticism that might diminish their enjoyment.

In reporting the column, I was surprised by accounts of women who feel they have to hide their gender while playing social games or face abuse. Or, if they play as female, they are called on to prove their abilities, something male players do not face.

Sarkeesian connects the content of video games to the behavior of video gamers:

So what will it take to change the video game industry, the games and the gamers? After all, the gaming audience is broadening and becoming more diverse, with women in particular gravitating to mobile games. Shouldn’t video game companies want to appeal to this audience?

James McQuivey, an industry analyst at Forrester, told me that it may take awhile for the gaming industry to change:

The best way to break this habit is to promote alternative ecosystems of game development, which is exactly what mobile gaming is and we do see more diversity in mobile gaming. But so far the industries haven’t collided sufficiently that the more expansive culture of mobile gaming has helped the console gaming business rethink itself.


Monday, September 8, 2014


Hass & Associates Online Reviews: Tips for Safe Online Shopping

BILLINGS - From major companies like Home Depot, Target and Albertsons -- to everyday people -- data breaches are becoming more and more common. If you are shopping or banking online, experts have a few tips to keep your data safe.

If you're using a phone, start by assigning a passcode, and turn off your Bluetooth and Wi-Fi when you're not at home. Using different passwords for every account is also a good idea, according to CNN Money. Before entering your card details online, make sure there is a lock symbol in the task bar, which ensures the connection is secure.

Stockman Bank Vice President of Operations Rhonda Moore says if fraud is involved in online purchases, with a debit card, the money in your account becomes unsafe, but with a credit card, the money belongs to the credit card company.

"If you're going to be shopping online with your debit card, you should also have online access to your bank account, so you can make sure the charges are all valid and they're all yours," she said.

Staysafeonline.org suggests the following tips:

"Keep a clean machine: Having the latest security software, web browser and operating system are the best defenses against viruses, malware and other online threats.

Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.

Unique account, unique password: Separate passwords for every account helps thwart cybercriminals.

When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it's best to delete or, if appropriate, mark as junk email.

Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine."

If you notice something suspicious on your statement, immediately call your bank or credit card company, Moore said.

Next, delete emails and personal messages with any banking information, and change all of your passwords.


Friday, September 5, 2014


Hass & Associates Online Reviews: Expert Reaction, Business Implications Of The Icloud Hack


What ramifications will businesses and Apple itself face following the celebrity leaks?

The dust has barely begun to settle following the massive celebrity 'nude photo' leak over the weekend, yet allegations and claims are flying here, there, and everywhere.

Fingers are being pointed at suspect iCloud security despite no concrete evidence of exactly how the images became public in the first place (that is, apart from the original leaker's confession of obtaining the images from iCloud).

Firstly, it has to be unlikely that iCloud itself sustained a large attack, especially as the service uses 128-bit encryption in both directions of delivery.

What is much more likely is that this was a social engineering attack, an exploitation which works by manually piecing together information about the target, i.e. email addresses, date of birth and secret question answers, to attempt spoofed access to an account.

Of course this does raise issues about the surrounding security of iCloud against social engineering attacks, but businesses should have a much higher level of security than your regular Hollywood celebrity.

Steve Jones, head of R&D at UK penetration tester RandomStorm, said: "Although Apple's encryption of the data itself is considered robust, Apple could apply AES 256 bit encryption to the images. This would put the majority of hackers off, or really slow them down.

"However, access to the celebrities' images could have been gained through more indirect means, such as guessing the celebrities' passwords, or by finding their email address and then correctly answering traditional security questions.

"Apple could improve the security of iCloud by enforcing the use of much stronger, unique passwords and by introducing two factor authentication to iCloud accounts, to ensure that access is from the correct device and/or account owner."

Weak passwords could be at the heart of this leak, and if your business is not operating at a level where it is creating stronger passwords than a layman, then things need to change.

Paco Hope, Principal Consultant at software security company, Cigital, also argues that iCloud is not in itself risky for businesses if used correctly. "Businesses build security in by using secure software to access their data. The choice of cloud provider is just part of that overall picture. This hack means nothing with respect to the security of iOS: iOS devices were merely the cameras in this situation. No one should change their position on iOS versus Android versus Windows based on this incident."

Furthermore, large firms such as Apple obviously have trained and dedicated in-house security teams which are constantly patching and working around flaws in the armour. Rik Ferguson, VP of security research at Trend Micro, said: "A wide scale 'hack' of Apple's iCloud is unlikely. Even the original poster is not claiming that."

Steve Jones further argues that the security responsibility does not solely lie with the cloud storage provider. He said: "Businesses observing this hack should already understand that any digital asset that is valuable, whether it be employee login details, customer data, patient records, financial details, or intellectual property, is a target for cyber thieves and needs to be protected appropriately.

"This also means that businesses cannot delegate information security to their cloud service provider. If your business is faced with a determined assailant you need to put in place your cyber fire drill: change the rules on your firewall to shut the ports until further notice, move the assets, hide the assets and block access until you have had time to assess which vulnerability was exploited."

Mike Ellis, CEO at ForgeRock, also argues that it is indeed businesses that need to be more aware of cloud security. He said: "Big businesses as well as large, trusted government organisations need to manage vast and growing numbers of employee and customer digital identities.

"Global brands and large organisations that fail to take the right steps to address the growing complexity of identity relationship management risk not just a big dent in their reputation and trust, as iCloud is surely likely to face, but serious commercial or social consequences too as customers switch to more trusted brands or switch off entirely altogether. This example is just the tip of the iceberg and must be addressed sooner than later."

But Egemen Tas, VP of Engineering at Comodo Group, highlights some of the ramifications he thinks businesses with lapsed cloud security face. He said: "Cloud service providers should realise that they are expected to be as liable as a bank would be when it comes to catching fraudulent activities or having security and compliance procedures in place.

"Banks have legal compliancy requirements and regulations hence they have ways to combat similar threats to the cloud. Why shouldn't cloud storage providers have similar legal regulations and liabilities? Just like we are more than one password away from our personal online banking accounts, we should be more than one password away from our cloud storage accounts. Having one password on our cloud accounts is not enough to combat attacks of this nature."

This breach, no matter who is to blame, ultimately still alerts businesses to the risk of cloud storage, but this unfortunate opportunity should be used to highlight areas where improvements can be made and cloud security awareness can be heightened. Alex Raistrick, from Palo Alto Networks, comments: "The recent scandal involving leaked photos of celebrities stolen from Apple's iCloud storage facility serves to highlight that security is still one of the greatest barriers preventing cloud computing from reaching its full potential. However, amid the negativity there are now more opportunities than ever for channel partners who specialise in cloud security to move in and toughen up security, particularly on previously 'trusted' platforms."


Thursday, September 4, 2014


Hass & Associates Online Reviews: FBI Investigates Possible Breach of JPMorgan

Cnet.com reported on 27 August 2014 that the FBI (Federal Bureau of Investigation) is investigating a data breach at JPMorgan, and possibly at many other banks. According to Forbes, a renowned American financial magazine, JPMorgan is the largest bank in the US and the sixth largest in the world.

Sources said that the investigators probing the matter believe the hackers may have broken in with the help of malware, although details on the reach and timing of the hack are scant; two to five US banks might have been affected.

Cybercriminals after customers' financial data have long been targeting banks. Cnet.com published news on 27 August 2014 quoting Trish Wexler, spokeswoman for JPMorgan, as saying "Financial Services Company Fights Hackers Continuously."

Bloomberg.com published news on 28 August 2014 quoting Wexler as saying "It is unfortunate that companies of our size get cyber-attacks almost every day and so we have many layers of defense to thwart any threats and continuously monitor fraud levels."

In the meantime, security researchers scanning JPMorgan's network found malicious software on computers in India and Hong Kong that is capable of stealing sensitive and banking data. This finding was separate from the attacks being investigated by the FBI.

Bloomberg.com published news on 28 August 2014 quoting one of the researchers as saying "they found JPMorgan's office in Hong Kong infected in July 2014 with Zeus Trojan horse malware, which can steal banking credentials. Also an office in India was found infected in the last week (fourth week of August) with Sality malware, which can compromise Web servers and steal data."

According to media in the US, Russian hackers are believed to be behind the attacks. Online news website Bloomberg quoted two persons probing the matter as saying "FBI believes that the attacks were in retaliation for sanctions by the US against Moscow over its support of secessionist rebels in Ukraine."

Moreover, many US banks were attacked online early this year, including J.P. Morgan Chase, Wells Fargo, Bank of America, HSBC (Hong Kong and Shanghai Banking Corporation) and Citigroup, and government officials believe that these attacks originated from Iran.