1 in 3 Millennials believe risks to their online safety are set to increase dramatically

Identity and credential management firm Intercede has disclosed the findings of a newly commissioned survey which reveals how Millennials in the UK and US lack faith in the digital economy.

In a blow to e-commerce and service websites, more than 95% of the survey’s respondents said they did not feel as though existing safeguards were sufficient to protect their online identities and personal data.

Given the number of high profile breaches we’ve seen recently, from online traders to extra-marital affair websites, I’m hardly surprised.

Questioning 2,000 young people, Atomik Research captured the views of 16-35 year-olds on the topic of security, discovering that attitudes toward existing safeguards fell into the category of ‘uneasiness’.

Unsurprisingly, passwords were a particular area of concern:

With a quarter of Millennials regularly accessing more than 20 websites, apps or devices, verification methods were at the forefront of their minds. As a result of their experiences and, no doubt, exposure to media which seem increasingly happy to report on security topics, only 6% felt that their data was adequately protected by the password systems they encountered.

According to another recent survey conducted by LaunchKey, most people would feel far happier if passwords went the way of the dodo, with 76% saying an alternative verification system – such as fingerprint verification – would leave them feeling far more secure.

Intercede CEO Richard Parris commented that:

It’s time for organisations to stop playing fast and loose with what, in a digital economy, are our most important assets – our identity and our data.

There seems to have been a collective consensus that Millennials will accept sub-standard security in exchange for online services. This clearly isn’t the case. The humble password should be consigned to the dusty digital archives where it belongs. To restore trust, smart companies need to look to stronger authentication techniques to ensure the future of digital commerce and information exchange and their own competitive edge.

When prompted for their thoughts on the future, including the increased reliance on mobile devices, nigh on 70% of the respondents said they thought security issues would become even more prevalent. Almost a third believe the risks to their online safety will increase dramatically in the future.

Responsibility for this, they felt, lay largely upon the shoulders of business and government, with 54% claiming that a continued failure to protect personal data would have a negative impact on public perception and, hence, on the trade in online goods and services.

An optimistic 44% of Millennials thought current levels of data sharing would drop off in the future though just over a third expect citizens will have to demand such cuts.

A small but not insignificant number of those surveyed suggested issues surrounding digital security and data sharing could lead to future political instability, something which isn’t perhaps as far-fetched as it sounds given the recent public furore over NSA spying and bulk data collection, as well as German attitudes toward Angela Merkel after it was discovered that their secret services had been in bed with their American counterparts.

Lubna Dajani, a communications technology expert and futurist, said:

Today’s Millennials have been digitally spoon-fed since birth, yet a general malaise is brewing among this demographic in terms of how safe their online data really is.

Millennials understand their personal information is a form of currency they need to part with to access online services. Yet they participate in this ‘digital trade-off’ in the belief that more can be done to protect their privacy. Millennials want more control over who should be able to access their information; businesses and governments should urgently review current security protocols, or risk the potential to drive innovation and growth.

I don’t doubt that Millennials will one day be in the position to influence the changes they wish for but, in the meantime, what will companies and government do to get the ball rolling in the right direction? Anything, anything at all?

Leicester. You will never find a more wretched hive of phone and device theftery

For many people, London is the UK.

Politicians arguably think it. Immigrants (legal or otherwise) have largely been told it. Job seekers pin their futures on it. And Londoners, by and large, know it.

So what’s going on with the latest device theft figures?

According to ViaSat, London is no longer head of the class when it comes to having your gadgets stolen.

Boo. Hiss.

We should keep that sort of thing local.

Sure, one of my kids has been mugged a couple of times, losing hard-earned birthday presents within 24 hours of receiving them, but here in London we have hardman cops who give the thieves what-for. Or so the local TV dramas seem to imply.

How on earth can we expect the sedentary constabulary of Leicestershire and the West Midlands to cope with such a crimewave? Do we really expect them to jump off their bicycles or leave the pub to solve a crime?

Shocking!

Using a series of Freedom of Information requests, ViaSat discovered that the theft of laptops, smartphones, tablets and other devices capable of storing personal or sensitive information amounted to 27% of all thefts reported to the Metropolitan and City of London police, well above the national average of 19%.

By way of contrast, 31% of all thefts in the West Midlands were reported to be such devices and, in Leicestershire, a whopping 51% of all such thefts were i-that or e-this in nature.

Compared with similar figures last year, London has dropped significantly down the rankings in terms of device theft, just as other areas have risen.

Why?

Maybe because everyone in London has already had everything nicked and there’s nothing left to take!

In all seriousness though, the data dragged up by ViaSat tells an interesting tale and makes a point often forgotten, namely that crime is a global phenomenon and no-one is isolated from that – we are all potential victims.

Thankfully the statistics – overall, device theft has declined by 34% over the last two years – still say it’s highly unlikely, but it does make you think – crime does not discriminate and, as we add ever more gadgets to our bags, pockets and backpacks, so the number of potential mugging targets continues to increase.

As Chris McIntosh, ViaSat UK’s CEO, said, the theft of devices is increasingly less about the value of the hardware and more about the perceived value of the data stored within it:

The simple fact is that, for many thieves, the most tempting target isn’t necessarily the device itself, but what it contains. From access to your bank records; to blackmail; to flat-out identity theft, a lost or stolen device can still damage its owner long after it’s stolen. As the largest city in the UK, with the most visitors, London will have a disproportionate number of thefts. But as we can see from these results, wherever you are in the UK you need to not only be wary of your own devices; but make sure that anyone who records and stores your sensitive data does so responsibly and securely.

The question, then, has to be: what are you doing to protect your devices, your data and your identity? And would you even know if the latter two had been snatched?

McIntosh rightly says much responsibility resides with data controllers:

With thefts of sensitive data still in the tens of thousands, there is still a significant amount of data at risk. While we as individuals should do what we can to ensure that data stored on our personal devices is protected to an appropriate level, we need to expect the same level of commitment from those we entrust our data to. Whether a doctor, a solicitor, a banker or a charity worker, they should be compelled to keep your information under lock and key.

But his point about individual responsibility is, in my opinion, equally pertinent.

Windows 10 facial recognition tech thwarts twin’s login attempts

The password is dead. Long live the gummi bear. Or something.

The humble password has been the de facto method of proving someone’s identity forever.

OK, maybe that’s a bit of an exaggeration, but everyone is familiar with the username and password combination as a means of logging on to a system – because it is just so common.

It’s inherently insecure though – maybe not so much in theory, but definitely in practice – because human nature and lack of security awareness dictates that many people will choose short and simple passwords because they prioritise convenience over effectiveness.

Thus there have been many attempts to replace passwords with more effective alternatives.

PINs have been used in association with bank cards and smartphones but they are not necessarily any better, especially when an artificially low number of digits is forced upon the user.

So alternatives have been researched and, for many, that has led to experimentation with biometrics.

Not every one of these systems is foolproof though – fingerprint scanners can be fooled by the aforementioned gummi bears, retina scans tricked by acts involving extreme violence and vein readers overcome by quick-thinking bladesmiths.

But one area that shows at least some promise is facial recognition.

While Mastercard favours the selfie as a means of authentication, Microsoft has plumped for an altogether more straightforward integration of camera and operating system with the release of Windows 10.

With the right setup, people can log in to the privacy-bashed OS by simply looking at their screen (smiles are optional).

Given that we are probably a few years away from seeing Face/Off-type operations (face transplants are still relatively new), the only likely issue with such a system, you may think, would be identical twins being able to access each other’s accounts.

Not so though, according to The Australian, which took six pairs of identical twins and sat them in front of a Lenovo ThinkPad.

One twin was tasked with creating an account and registering their face with the system. The other would then try to gain access.

In all six cases, the second twin was unable to bypass the facial recognition technology.

While such a small pool of volunteers is nowhere near enough to draw too many conclusions, it does show that Microsoft’s Windows Hello system has some merit, possibly approaching claims that it offers “enterprise-grade security without having to type in a password.”

Whether the requisite Intel RealSense 3D camera is the answer to all your authentication needs is highly debatable, but I for one hope the continued dalliance with biometrics will lead to an alternative to the password which is both a stronger security solution and easier to implement and use.

Only then may we see the end to data breach dumps that highlight the continual failure of the industry to educate and encourage people to avoid using inadequate login credentials.

Plenty of Problems as another dating site attracts bad boys (or girls)

Ashley Madison this, Ashley Madison that. Everywhere you look, security news is about the breach at the infidelity site, almost to the complete exclusion of any other topics.

So it may come as a surprise to learn that the Avid Life Media site is not the only ‘dating’ website to attract the interest of hackers lately.


British bastion of journalism the Daily Star reports how single people (because they’re the only sort who go on dating sites presumably) have been put at risk by a compromise at Plenty of Fish (if you want to hear some funny stories about some people I know and their collective experiences on that site come find me at a conference some time).

The problem with POF, it seems, is that the site has gone nuclear (Malwarebytes, the origin of the story, reports how the Google URL shortener goo.gl is loading the Nuclear exploit kit), installing keyloggers on visitors’ devices.

As you can imagine, that’s not good as it means whoever is behind the attack could view online banking details – which may be of concern if your chosen financial services company does not employ some form of two-factor authentication as part of the login procedure.

As Jerome Segura of Malwarebytes says,

This type of attack does not require any user interaction. It does not matter if you haven’t browsed a dodgy site.

Typically it will sit on your computer and wait for the user to log onto a banking site. The malware will lay low until you perform something of interest.

Most people are not going to be aware that anything has happened. It is designed to steal people’s usernames and passwords when you log in to a banking site.

As a result, his advice is to look out for strange transactions and to tell your bank to be on the lookout for fraud. My advice would be to change your bank if your username and a static password are all that are required to mess with your online finances.

Beyond that though, why are dating sites in the news anyway?

OK, we know Ashley Madison attracted attention because the Impact Team does not agree with the morals behind extra-marital affairs. But why Plenty of Fish?

I think there are a few reasons.

Firstly, there is the number of potential victims – POF claims it has more than 100 million members with many logging in multiple times per day – rich pickings indeed.

Then there is the fact that the vast majority are likely to be men (reports suggest 90%-95% of Ashley Madison’s user base is male) desperately seeking Susan, Mary, or whoever else tickles their fancy. Given the dumber sex’s propensity to equate cash spent with success potentially gained, there may be the feeling that many members are likely to actually have some cash in their accounts!

Thirdly, the fact that one dating site got hit and made the news may have been all that was needed to help the POF attackers decide upon which type of site to go after.

And, lastly, perception – maybe dating sites aren’t the new darling of the hackers’ minds but it just seems that way?

In any event, the indisputable truth is that anyone looking for love or any other type of chemical reaction is having a hard time of it right now but probably not in the way they hoped for.

If that sounds like you, or you just want to stay secure online in any event, think antivirus, operating system patches and ad blockers. Also consider web links and how you interact with them and, as I’ve already mentioned, consider the security surrounding your online bank account and whether or not that may need addressing.

Swatting comes to the UK as Mumsnet founder receives visit from armed boys in blue

If you thought SWATting – a situation in which armed law enforcement officers, such as those in American Special Weapons And Tactics teams, are drawn to an unsuspecting victim’s address by a hoax call – was a US thing, reserved for only the most well-known celebrities within the infosec profession, think again.

You don’t need to be Brian Krebs to find yourself on the wrong end of a gun.

Nor do you need to be living in the US it seems.


In a double-whammy reminiscent of Krebs’ experience, Justine Roberts found her hugely popular Mumsnet site knocked offline at around the same time armed officers from the Metropolitan police paid her UK address a visit.

In the first incident, Roberts saw her 7.7 million member site crippled by a DDoS attack reportedly launched by whoever hides behind the now-suspended @DadSecurity Twitter account (if he or she thinks they can’t be caught because they are a hacker, they ought to think again).

In the second, Roberts herself received an unexpected call after someone dialled 999 and said a gunman had been spotted near her home.

Not content with attacks against both Mumsnet and its founder, the alleged attacker then went after another member.

In an email sent to members of the site, Roberts explained:

An armed response team turned up at my house last week in the middle of the night, after reports of an armed man prowling around.

A Mumsnet user who engaged with @DadSecurity on Twitter was warned to ‘prepare to be swatted by the best’ in a tweet that included a picture of a swat team, after which police arrived at her house in the middle of the night following a report of gunshots.

Needless to say, she and her young family were pretty shaken up.

Interestingly, Roberts told Mumsnet subscribers that home addresses were not likely to have been found via the site as “we don’t collect addresses”.

She also said she remained confident that passwords had not been accessed following the 11-12 August DDoS attack (they may well have been last year following Heartbleed though) but offered the following sound advice for good measure:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that https:// is being used on login pages
DO use social login to avoid typing passwords
DON’T give out information to any organisations without verifying they are who they say they are

Instead, it appears the hacker may well have acquired data by phishing for it via a fake login page which ultimately may have led to as many as 11 accounts becoming compromised.

So what can we learn from this story?

Several things it seems –

  1. Swatting has just become a ‘thing’ here in the UK
  2. Even a big site like Mumsnet – which has 14 million+ visitors per month – can be susceptible to a DDoS attack
  3. Phishing is still rife and people do fall for fake login pages
  4. A determined hacker will find a way to attack you or your site, even more so if you make it easy for them
  5. There are some pretty messed up people out there

What have you done to defend yourself, your website and your business from those who would do you harm, or at least put you in harm’s way?

More proof that personal data has a monetary value as alleged data thief flees Ireland

Everything has a value.

That value is equal to what someone will pay for it.

And personal data is a particularly enticing prospect.

Especially when that personal data is financial in nature, such as credit union customer details.

Just imagine how much that would be worth to another credit union, other financial institutions, or an identity thief.

Or, as the Irish Independent reports, a rogue private investigator from Scotland.

Allegedly.

The online news story explains how the agent skipped out of Ireland when faced with a possible prosecution over data stolen from the Department of Social Protection.

Following a lengthy investigation by Assistant Data Protection Commissioner Tony Delaney, it appears as though the unnamed individual had hoovered up names and addresses which he then allegedly sold on to competing credit unions who, if true, could no doubt have found great value in such data.

The private investigator, who is said to have sold the personal information for not inconsiderable fees, was initially employed by the credit unions to track down bad debtors who had defaulted on their agreements.

However, the Independent says the investigator sensed his time was up and chose to leave his Dublin address for an alternative legal jurisdiction: the UK.

Furthermore, it appears the investigator took his stash of allegedly stolen personal information with him, prompting Delaney to share details of his investigation with his opposite numbers in Blighty.

Of course the accused’s new domicile does carry certain advantages in this case. If he is indeed guilty, the Irish authorities will be unable to effect a prosecution while he resides in Britain.

A spokeswoman for the Department of Social Protection said:

Every effort is made to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way. The department assists the Office of the Data Protection Commissioner in all cases of suspected data breaches under investigation and puts substantial resources in place to deal with these.

Perhaps with one eye on a past in which private investigators were discovered to have been using social engineering to obtain people’s personal data on behalf of more than 100 credit unions, the spokeswoman reiterated how the department had strong data protection and information security policies in place.

Whether that is equally true in this particular case or not I do not know as further details are unavailable but it does highlight how data has a cost.

Not only has a private investigator allegedly raked in the cash from selling information, credit unions have just as allegedly benefited from it too.

Then there is the cost associated with investigating the data theft and any fines that may, or may not, ensue.

And finally there is the cost to the people whose data has apparently been sold on. Not so much a financial cost – they appear to owe money according to a legally binding agreement – but the human cost associated with having their private data accessed by an unauthorised individual. Who knows who it was sold to and to what purpose it will be put?

What are you doing to protect the personal data and other information within your organisation?

Immobilising the immobiliser – how researchers cracked ‘weak’ anti-car theft systems

The work of three security researchers, detailing how to hack car immobiliser systems, has finally been published, two years after a UK High Court judge ruled in favour of French defence group Thales and German auto maker Volkswagen, both of which had claimed the information could be used by criminals.

Now, however, Roel Verdult, Flavio Garcia, and Baris Ege from Radboud University in Holland, have published their findings which, they say, highlight the ease with which car anti-theft systems can be cracked.

Examining the encryption system used in the Megamos immobiliser, found in many popular brands of car, including Audi, Honda, Porsche and over 20 others – which prevents a car engine from starting unless a passive RFID transponder embedded in the key is nearby – the researchers were able to reverse engineer the entire system.


This allowed Verdult, Garcia and Ege to identify several weaknesses, they say, including the design of the cipher used, the authentication protocol and the overall implementation of the system.

In their paper, which underwent edits before permission to publish was granted, the trio said they were able to exploit three different weaknesses with the only requirement being wireless communication with the system.

In one attack, they were able to exploit weaknesses inherent in the design of the cipher and authentication protocol:

We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 2^56 cipher ticks (equivalent to 2^49 encryptions).

In the second attack, the researchers were able to take advantage of a weakness in the key-update mechanism of the transponder which allowed them to “recover the secret key after 3 × 2^16 authentication attempts with the transponder”. This attack, they said, required minimal computational power and was successfully executed against several vehicles. From start to finish, the attack took only 30 minutes they said, though I suspect that in itself would be enough to put off the average car thief!

In the last attack, the trio took advantage of some manufacturers’ propensity to use weak crypto, using:

a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.

Mitigating the attacks in the future is a relatively simple affair the researchers said, requiring little more than better ciphers for the transponders, something that would likely add less than a dollar to the cost of a new car. For older vehicles, the solution is not quite so simple, requiring the replacement of car key fob radio chips and the corresponding hardware in those vehicles that are affected.

Given recent news about car hacks and other car-related issues, I can only hope that some manufacturers consider such a move as worthwhile before the whole industry gains a reputation for employing sub-standard security that is both embarrassing and potentially dangerous.

The death of tin foil? New anti-facial recognition tech set to launch in 2016

Security, security, security.

I love it, you need it, many people are talking about it. I could talk about it all the time.

But in this day and age there is another important topic coming up on the rails: privacy.

Prior to, but especially since, Edward Snowden came onto the scene, people have become increasingly aware of how their privacy is being invaded, both online and off.

I’m sure you’re all aware of the online issues – the actions of the NSA, GCHQ, et al., have been widely publicised – but what about in real, every day life?

Have you seen the roadside cameras designed to ‘improve safety’ by flinging fines at every speeding motorist? Or the CCTV cameras in your local shopping centre? Do you realise the UK has the most video surveillance per capita anywhere in the world?

If so, you may have already taken precautions. After all, the solution has been around for over a century: tin foil.

But if you’re slow to the party, then a new piece of tech may be of interest.

Designed by the National Institute of Informatics (NII) in Japan, Privacy Visor is for the discerning customer who cares about their civil liberties.

Equipped with special lenses, the £240 visor reflects and absorbs light in a way that thwarts security cameras which would otherwise engage facial recognition tactics to ID the wearer.

Due to go on general sale next year, researchers suggest it is effective around 90% of the time.

IT World quotes NII researcher Isao Echizen who thinks the new device is rather nifty:

This is a way to prevent privacy invasion through the many image sensors in smartphones and other devices that can unintentionally photograph people in the background.

Speaking to The Wall Street Journal, Echizen gave a bit more detail as to why he thinks Privacy Visor could be the must-have gadget of next year, explaining how “We are often told not to unveil our personal information to others, but our faces are also a type of an ID. There should be a way to protect that”.

The latest device is a successor to prototypes first mooted back in 2012 which utilised 11 LED lights which could prevent facial recognition tech from identifying that a subject was even a person.

That early iteration ultimately proved to be unwieldy though, not to mention garish, and so the new, far more stylish model was born.

Whether it proves to be popular among privacy advocates or as derided as Google’s antithesis – Glass – remains to be seen.

So, will you be buying a pair for yourself, or perhaps as a present for the man who has to have every new gadget?

Or will you stick with the old tin foil?

No sophistication here: UK job recruitment network hacked, users’ info dumped on Pastebin

While many security pros and casual observers continue to read about the massive breach at Carphone Warehouse (as discussed on BBC radio by our very own Brian Honan — 7 mins in), which may have affected up to 2.4m of their customers, there is another potentially huge story bubbling away in the background.

The Employment Agents Movement (TEAM), the UK’s largest network of independent recruiters – no, I’ve never heard of them either – was apparently targeted over the weekend by a Saudi hacker.

Going by the name of JM511, the hacker appears to have broken with convention, completely tossing out the rulebook which says all major attacks must be sophisticated in order to be effective these days.

Instead, he (or she, we don’t know which) relied upon an old-school SQL injection to gain access to the network’s database at jobsatteam.com.

Then, quelle surprise, he dumped all the information on Pastebin, revealing the usual data – names, email addresses, usernames, telephone numbers, that sort of thing.

Perhaps just as unsurprisingly, the hacker also published a whole load of passwords. Fortunately, many are encrypted, but the ones that are not make for some interesting reading.

I’ve not had time to go through all 2,500+ records but a quick gander reveals that several recruiters need some help when it comes to creating a strong password. Not heeding common advice which suggests mixing letters, numbers and characters, and definitely avoiding words, several opted to secure their accounts with the password “team”. I can only hope they haven’t reused such a weak password anywhere else online because, if they have, that would be very, very bad.

Oops.

Other password blunders include recruiters securing their accounts with a password that matches their surname – and, yes, some of those surnames are only 4 letters long and are also common dictionary words.

Oops.

Then there is a group of at least four recruiters from the same agency who have all used the same dictionary word to secure their respective accounts.

Oops.

And a similar number from another agency who used two dictionary words together and stuck the number one on the end.

Oops.
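The patterns above (the organisation’s own name, a surname, a lone dictionary word, two words with a 1 stuck on the end) are easy to reject at the moment a password is set. This Python check is an added example, not code from the post or from TEAM; the word list and the sample accounts are constructed stand-ins for a real dictionary file and real user records.

```python
import re
from typing import List

# Constructed stand-in for a real dictionary or cracked-password corpus;
# a production check would load a large word list from disk instead.
COMMON_WORDS = {"team", "recruit", "password", "summer", "welcome", "london", "jobs", "agency"}

MIN_LENGTH = 12


def password_weaknesses(password: str, surname: str = "", org: str = "") -> List[str]:
    """Return the reasons a candidate password is weak (empty list if none found).

    The checks mirror the blunders seen in the TEAM dump:
      - the organisation's own name used as the password ("team")
      - the user's surname used as the password
      - a single dictionary word
      - two dictionary words joined together
    A short trailing digit run (the "1" on the end) is stripped first, so
    "summerjobs1" is judged on "summerjobs" rather than waved through.
    """
    reasons = []
    pw = password.lower()
    core = re.sub(r"\d{1,4}$", "", pw)  # "team2015" -> "team"

    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if org and core == org.lower():
        reasons.append("equals organisation name")
    if surname and core == surname.lower():
        reasons.append("equals surname")
    if core in COMMON_WORDS:
        reasons.append("single dictionary word")
    else:
        # Try every split point: "summer" + "jobs" is caught, "xyzzyjobs" is not.
        for i in range(1, len(core)):
            if core[:i] in COMMON_WORDS and core[i:] in COMMON_WORDS:
                reasons.append("two dictionary words joined")
                break
    return reasons


def audit_new_password(username: str, surname: str, password: str, org: str) -> bool:
    """True if the password may be accepted; prints the rejection reasons otherwise."""
    reasons = password_weaknesses(password, surname=surname, org=org)
    if reasons:
        print("rejected password for %s: %s" % (username, "; ".join(reasons)))
        return False
    return True


if __name__ == "__main__":
    # Constructed sample accounts echoing the patterns described in the post.
    for user, surname, pw in [("r.smith", "Smith", "team"),
                              ("j.jones", "Jones", "jones"),
                              ("k.brown", "Brown", "summerjobs1"),
                              ("a.khan", "Khan", "Plover-Cable-Hiking-42")]:
        audit_new_password(user, surname, pw, org="TEAM")
```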

Normally at this point I would write something about how we could encourage such people to buy into their own security, by demonstrating how eradicating risky behaviour could help them, as well as the business they work for.

But it seems a bit too late for that so, instead, I’ll ask whether you have considered how your staff are approaching security. Do they lock their accounts down or make it easy for attackers to guess or otherwise compromise their login credentials?

If they need help or education, how will you provide it? Do you need security awareness training?

Once you’ve thought about that, you may wish to consider the fact that the TEAM website is still down today – “Under Maintenance,” so it says.

You may also want to consider the fact that JM511 has used his Twitter account to boast of other attacks against Knapp.com, Assa.au and others, all using SQL injection.

You have protected your corporate databases from SQL injection attacks, right?
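As an added example (not code from the post or from TEAM), the Python/SQLite snippet below puts the vulnerable string-built user lookup beside its parameterised replacement, and stores salted PBKDF2 hashes so that a dumped table carries no reusable passwords. The table layout, the two user rows and the two probe inputs are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# In-memory SQLite stands in for the recruitment network's database.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a leaked row yields no plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """Create the constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("r.smith", "Plover-Cable-Hiking-42"), ("o'brien", "Kettle-Orbit-Sandal-9")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the untrusted value is spliced into the SQL text itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time comparison against the stored hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def compare_lookups(conn: sqlite3.Connection, username: str) -> dict:
    """Run both lookups on the same input and report what each one returned."""
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        unsafe = "SQL error: %s" % exc  # the input was parsed as SQL syntax
    return {"unsafe": unsafe, "safe": lookup_safe(conn, username)}


if __name__ == "__main__":
    db = build_db()
    # A legitimate surname with an apostrophe already breaks the unsafe query...
    print(compare_lookups(db, "o'brien"))
    # ...and a quote-bearing probe turns its WHERE clause into a tautology,
    # returning every account, while the bound-parameter version returns none.
    print(compare_lookups(db, "x' OR 'a'='a"))
    print(verify_login(db, "r.smith", "Plover-Cable-Hiking-42"))
```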

While you ponder that, I’ll be busy looking to see how many recently attacked sites have apologised so far – because we all like to know how companies take our security seriously, and sleep well at night when the breached tell us how they are beefing their defences up long after the horse has bolted.

Well Done Neha!!


Information security is an exciting industry to work in. It has a lot of brilliant, talented, and intelligent people looking at ways to better protect our systems, data, and infrastructure. At BH Consulting we pride ourselves on being a part of this industry and for setting a high bar of excellence for ourselves.

So there was great excitement in the BH Consulting offices a number of weeks ago when our very own Neha Thethi was notified that she was a nominee in the 2015 Women in Security Awards. The nomination for the Academic Award recognises the great work that Neha has done for BH Consulting in developing and delivering our services and for her well regarded research into Cloud Security and forensics.

While Neha did not win the overall prize, that was won by Rachel Sitarz of Purdue University, we are delighted to see her achievements to date being recognised at an international level. Of course now that she has achieved this goal, the bar has been raised for next year :)