Latest Publications

5 Security Threats Expected in 2010

Is anyone really surprised that two of the top security threats expected in 2010 have to do with social engineering and mobile media? Hackers live in the same world we do, and they naturally gravitate toward any media that is widely used. As social networking becomes more widely accepted – especially by businesses and civic organizations, and as mobile apps bring greater functionality and better usability, you better believe hackers will go after them.

Two of the ones I found somewhat surprising were shortened URLs (since fraudulent URLs look just like legitimate URLs when they’re shortened); and malware coming through sites with tricky URLs that look authentic but aren’t (like Internationalized Domain Names).

Scareware and computer hijacking are still on the list and probably always will be. Same song, different verse. It’s a fluid scheme, changing from season to season, but the motivation remains the same.

Another one we’re looking at? It isn’t part of the top 5, but its implications reach far and wide. Healthcare security. With more and more ways to manage health information online, that’s sure to be a target for breach in the near future.

When it comes down to it, hackers are as motivated by the laws of supply and demand as the free market is. Just as legitimate businesses look for new ways to earn income and meet needs, so do hackers. As long as there is money to be made, hackers will continue to find new methods to steal it.

Our job is to beat them at their own game – anticipating their next steps, preventing their success, and defending our clients’ information and assets.

The Problem with Passwords

Zack Whittaker’s post on whether we still need usernames/passwords is fueling an interesting debate at ZDNet.  The premise is familiar  – everyone is tired of storing their hundreds of passwords in an Excel sheet or a password management app.  Wouldn’t it be nice if all websites would just “join hands” so to speak, and create a magic unified ID access mechanism that would be simple, easy to use, super secure and not cost a zillion dollars to implement?

The debate on usability vs. security somehow always leans towards usability as the obvious choice (we all like “simple”).  Yet every day, all around us we are faced with the very same dilemma:

  • Airport security. Yes, I want to just show my ticket at the counter and go straight to the airplane door … no frisking, please.  Unfortunately, not all people are getting on the plane just to travel from A to B.  Some of them try to carry explosives on board.  Our concern for safety will allow for more stringent access control to the planes.
  • Government. The Bolshevik revolution started with the social ideal of universal equality.  The Communists believed that every man is inherently good, if he was only given the right tools and opportunities.  Give everyone an equal amount of food, money, clothes, housing, work, and paradise will descend upon us.  Of course, the masses should be defenseless because the State will protect them.  Being different or more gifted than others is also uncool, because you just make the others look bad (remember – universal equality).  If you had to live through that atrocious Communist experiment, would you rather have a meager, but stable and predictable existence where most of your basic needs are met, or would you choose total freedom and personal responsibility for your own success (and failures)?  It is incredible, but usability (so to say) wins here too.  People want it easy when it comes to government – basic needs trump individual freedoms.  In a recent poll, 60% of Russians still regret the breakup of the Soviet Union.
  • Online Privacy. There’s been a major paradigm shift in how our society views personal issues.  We now easily discuss very private events and feelings with hundreds of our Twitter and Facebook followers.  Our trust in online privacy created a new (false) sense of security in believing that we still control the information. How much inconvenience would you bear (in terms of access security) to make sure that your social networking accounts are never compromised and misused?  My LinkedIn account is connected to many people I respect and appreciate.  The last thing I want is for someone to hijack my credentials and discredit my reputation or my network.

Zack Whittaker asks “How would you fix it?” (the password clutter vs. security issue).

I’d like to suggest that G.K. Chesterton’s response to the famous question “What is wrong with the world?” applies in this case.  Chesterton’s response was written in a form of a letter to “The Times” which initially posted the question:

Dear Sirs,
I am.
Sincerely yours,
G. K. Chesterton

What is wrong with the username and password?  I am.  The user is.  As long as the user has the ability to share authentication credentials, he is vulnerable to social engineering (phishing) attacks.  We assume (much like the Communists did) that the user is generally smart and responsible . . . we just need to build higher walls for the enterprise technology or web services (firewalls, etc.).  I agree that usability has to remain high, and mutual authentication, specifically graphic passwords, is one of the few security approaches that increases access security while targeting the weakest link – password shareability.  When using graphic passwords, the user has no ability to easily share his password by typing it, disclosing it on fake websites, sending it by email or even writing it down on a piece of paper.

Our use of technology in everyday life has changed how we live now, 45 years after the first mainframe computers were built.  Yet, we continue to use a 1960s access control mechanism.   Passwords have evolved into the 21st century and it’s time to benefit from it.

Why try to remember what you could just write down?

The quip at the bottom of this password worksheet is priceless. Why try to remember what you could just write down?

Photo Credit: Antonion Lupetti, Flickr

The sad thing is that there are actually products like this still out there, encouraging people to write down and maintain a paper trail of their various passwords – especially for ‘important’ information. Those most likely to fall for it? Seniors, who are already taken advantage of by a host of crooks and scam artists.

All the more reason banks, e-commerce sites and other login-based websites owe it to their patrons to switch to image-based passwords that are nearly impossible to disclose (but also easier to remember than traditional alphanumerics).

Keyloggers: You can’t touch this!

The FBI is advising small businesses – the same ones often operating on a shoestring – to use a dedicated PC for their online banking. It would seem that hackers are targeting small businesses, universities, and local businesses with keylogging malware – that is, software that records the keystrokes typically used to enter a password, credit card number, or other sensitive data.

In the last two years hackers have stolen over $40 million from small to medium enterprises that typically don’t have the resources or tech expertise to protect themselves from such attacks. They often do business with small banks and credit unions, which are typically considered “low hanging fruit” for hackers. Channel-Pro SMB interviewed our very own Stuart Morris about this issue, and the write-up points out some key issues – like the impact this can potentially have on small to medium businesses.

The solution the feds propose is a dedicated computer used only for banking. They recommend it because malware is often installed when surfing the net, gaming, emailing, and downloading programs. It isn’t fool-proof though. Crooks are smarter than we like to think and a computer dedicated to online banking isn’t a surefire way to stop them. And logistically, unless we’re talking about sole proprietors, it becomes both a hassle and prohibitive expense when every person who needs access to banking information requires a separate computer to do so.

Hey! I have an idea! What if banks, e-commerce sites, and other agencies requiring sensitive login procedures found a way to protect their users and consumers from this type of fraud? Is it possible? Is it plausible? What is this, 1976? Of course it is! And it has been for years.

The only real way to stop keyloggers is to stop typing passwords. You know how you use your mouse to click on buttons on the computer screen?  There’s no reason banks couldn’t use a clickable keypad on the screen to replace password typing, or even credit card entry. And guess what? It’s already being done. There’s a system that first recognizes the user and generates a customized keypad for them. If your keypad doesn’t look right you know you’re on a fraudulent site. When you see the keypad you recognize, you use your mouse to key in your password. Easy, breezy. And keyloggers don’t have a chance. (Neither do man-in-the-middle, man-in-the-browser, or any host of other hackers.)
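The recognise-the-user-then-click flow described above (and the graphic-password idea from the earlier post) sketched server-side, as an added example that is not Tricerion's or any bank's code; the digit keypad, the per-user image tag and the sample user are assumptions:

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the page or from Tricerion. Assumed: a 10-digit
# on-screen keypad, a per-user "image tag" the user registered, and a constructed user.
KEYS = "0123456789"  # the cells on the on-screen keypad


@dataclass
class UserRecord:
    username: str
    image_tag: str      # picture the user expects to see before entering the PIN
    salt: bytes
    pin_hash: bytes


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(username: str, image_tag: str, pin: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(username, image_tag, salt, hash_pin(pin, salt))


def start_login(user: UserRecord, rng: Optional[random.Random] = None) -> dict:
    """Step 1: the server has recognised the user and returns (a) the image tag
    they registered, so they can tell a real site from a fake one that does not
    know it, and (b) a keypad layout shuffled for this session only."""
    layout = list(KEYS)
    (rng or secrets.SystemRandom()).shuffle(layout)
    return {"image_tag": user.image_tag, "layout": layout}


def finish_login(user: UserRecord, layout: list, clicks: list) -> bool:
    """Step 2: the browser sends only the cell indexes the user clicked. The
    server maps them through this session's layout and checks the hash in
    constant time. Nothing is typed, so a keylogger records nothing useful, and
    positions captured from one session map to other digits in the next."""
    try:
        pin = "".join(layout[i] for i in clicks)
    except (IndexError, TypeError):
        return False
    return hmac.compare_digest(hash_pin(pin, user.salt), user.pin_hash)


def clicks_for(layout: list, pin: str) -> list:
    """What an honest user does: find each PIN digit on the keypad shown."""
    return [layout.index(ch) for ch in pin]


if __name__ == "__main__":
    alice = enroll("alice", "red-sailboat", "4931")          # constructed user
    s1 = start_login(alice)
    clicks = clicks_for(s1["layout"], "4931")                 # user checks image tag, then clicks
    print("session 1 login:", finish_login(alice, s1["layout"], clicks))
    s2 = start_login(alice)                                   # fresh layout next time
    print("replayed clicks in session 2:", finish_login(alice, s2["layout"], clicks))
```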

Wanna give it a shot? You can. Go ahead – try it now. I’ll give you a buck – a whole greenback for the minute you spent – if you think it’s too hard to use.

5 reasons you don’t know you’re being phished

We all think we’re pretty observant people. We notice things that are important to us – a friend’s new shoes, the boss’ new briefcase. If we sit down with one of those “Spot the difference” puzzles we can find 5 things.

In our own minds, we can all spot a criminal, a bad website, or a fraudulent scheme. When it comes down to it though, any decent law enforcement officer will tell you that people are generally unobservant. Ask witnesses what they saw and you’ll get contradictory answers from all of them, or ‘I don’t know… it was a reddish car… I think…’ Some psychologists did an experiment showing how incredibly unobservant we are. Watch how every single person is tricked.

What does this teach us about preventing fraud online? Why are people still getting tricked into giving away their information to crooks? Here’s our list.

  1. We’re unobservant. So, when I go to my bank website, if the look and feel is mildly similar to what I expect I’m likely to go ahead and try to log in. Wouldn’t it be nice if my bank’s login process protected me from my tendency to be oblivious?
  2. We’re trusting. In the experiment in the video, someone trusted told subjects to complete a task. They completed it. When the authority figure changed, they didn’t question it. We don’t expect to be deceived, so we aren’t vigilant about protecting ourselves.
  3. Crooks look like us. There’s this little expectation we have to be able to judge a book by its cover. Ever seen a gorgeous woman on trial for something horrendous? Listen to people. “She can’t be guilty. She looks so… normal!” What they really mean is that criminals (and the websites they operate) should look mean and ugly and unprofessional. People who look like us are supposed to be like us. Websites that are attractive and well designed are supposed to be trustworthy. Or so we naively think.
  4. We’re opportunists. Yes, we know that if it’s too good to be true, it probably is. That’s why we delete any Nigerian “I want to split my $5 million with you” emails that make it through our spam filters. That said, we’re trying to save time, save money, and find more efficient ways to do things. And we think others (like vendors, retailers, or whoever) are trying to do the same thing. So if a process suddenly becomes easier or we’re enticed with a discount or otherwise convenient offer, we want to believe. Why? Because we’re opportunists. And we’re trusting too.
  5. It won’t happen to me. Identity fraud is something that happens to other people. I’m not in danger, and I don’t need to worry. I shred my bills, I don’t write down my passwords, and besides – people generally have my best interest in mind (remember? I’m trusting too).

Security may not be colorblind

Making it to the top of the BBC Technology page, a video posted on YouTube shows how the latest HP face recognition technology fails to “see” a black person.  The video is pretty funny to watch. Have you seen it? If not, here it is for your viewing pleasure.

In light of this interesting story, I wonder what fate awaits the author of this video should he be the proud owner of a Lockface USB security token. The device itself depends on the ability of the webcam to recognize the person, which would serve as an authentication credential for site/system access.  However, if a computer you are using does not have a webcam (or fails to “see” you as in this video), defying all logic, the token reverts to a simple password entry . . . still wondering what the whole point is . . . why spend $110 for the privilege of typing your password? Especially when the guy who lifts it from you can revert to his well-honed tactics of password hacking.

Just a Blip(py) on the Radar?

We’re thinking Blippy may be just a proverbial blip on the radar. The passive social networking site (meaning, it updates your status for you) tells your friends how much you’re spending, and where. It updates a Twitter-like status about your credit card purchases.

The good:

  • if you’re trying to save dough, this could be a positive means of accountability – you spend frivolously and your friends immediately know it.
  • couponing and bargain-hunting gone wild. If your friend found something on sale, this could be a valuable alert.
  • a marketer’s dream. This takes ‘keeping up with the Joneses’ to a whole new level.

The bad:

  • it requires you to store your credit card information and login information on their site. Um… is our memory for corporate financial data leaks really that short? Are we fool enough to divulge this? If so, maybe we deserve to have our identities stolen…
  • surely no burglar, criminal, or otherwise mischievous soul would ever use this for ill. And if you believe that, I have a bridge to sell you.
  • are we really so materialistic and driven by instant gratification that we need a whole new social networking site to help retailers manipulate our spending habits?

Here at Tricerion, we think a site like this has the potential for more harm than good. It would certainly be useful to hackers to gain access to the data stored there, and we haven’t seen anything from Blippy to allay our fears about their site security. Maybe we’re just overcautious (or maybe we just know who we’re fighting really well).

How about you? What do you think of Blippy? Would you blip (or is it bleep? maybe bleet?)?

Visual passwords better than alphanumerics

Did you see this? Christian Harris put up a nice blog post last week calling alphanumeric logins obsolete. Thanks for the shout-out, Christian.

The same article tells us that identity theft is up 33.1%, according to CIFAS, and that’s before taking into account the increase in fraud that we expect over the holidays. It seems that come holidays, crooks get greedy, which corresponds with a year-end boost in opportunity.

Happy Christmas to all, and to all good security.


Year-end musings

Don’t you know that December is a great time to blog? There are end-of-year reviews, predictions for the next year, holiday hubbub – this stuff nearly writes itself. Speaking of which, Earl Perkins at Gartner put up an interesting question the other week that prompted some soul-searching. He wants to know what identity access management companies (we’ll call them IAMs for short) think about.

He proposes, based on extensive knowledge of the market, that most IAMs are focused on one of two things – either purely securing access to data, or on the other hand, understanding all aspects of the access event. I think we’ve got something a little different going on here.

When I walk through the office the buzz I hear from my colleagues takes on three very distinct tones.

  1. Usability. Yes, real security is why we’re in business. But perceived security is what sells solutions and makes them popular. If our clients’ customers are happy with what they see and how user-friendly it is, we’ll succeed. Of course, that assumes that we do a rock-on stellar job of actual security, but hey, in my office that’s a non-issue. What we’ve got rocks the house.
  2. Staying ahead. We can stop man-in-the-browser attacks. We have a handle on phishing, in all its many varieties. Key-logging – done. Password-stealing malware? Bam! Take that! (as Batman would say). But what’s next? What are the criminals working on next, and how can we beat them to the punch? For us, it isn’t enough to protect our clients from today’s problems. We want to protect them from tomorrow’s too.
  3. Your gramma, or Gram, as we like to call her. Can she use our product? Can she do it easily? Can someone trick her into using it to divulge sensitive information? Does this protect Gram? Does it do it in a way that will leave her satisfied at the end of her transaction, looking forward to her next online interaction? See, knowing that Joe Techie can use our system means nothing to us. He can do all sorts of things online, and if he has issues he knows where to go for help. We want to make sure Gram is taken care of, happy with her interaction, and ready to tell all her friends that she doesn’t know what all this hullabaloo is about – her bank (or favorite online store) is easy to use and entirely worthy of her trust.

That’s what we talk about in our office. Well, that and the new curry place down the street. They’ve got a mean Tikka Masala. Ok, fine. So we also talk about which fair trade coffee we’re going to drink this afternoon and who’s going to the cricket match this weekend. But that’s just us.

2009 trending into 2010

CA, Inc. issued a report last week detailing the top security threats of 2009, as well as predictions for 2010. What’s surprising?

Fake or rogue security software was the most prevalent threat of 2008. It seems criminals know that we as a population have a weakness for security products. We want to be safe, so they hit our vulnerability with security products that are far from secure. This malware product has the look and feel of McAfee, only it’s not quite right.


Email phishing seems to be on a decline, but phishing as a whole is increasing, with internet-based scams leading the pack. Our awareness campaigns to caution customers about email phishing paid off – the customers grew email-savvy, but the criminals grew more sophisticated.

As for 2010, CA expects to see an increase in malvertising (advertising malware), threats to social networks, and – not so surprisingly – denial of service attacks like we saw this year in political showdowns in Moldova and Iran. Banking trojans are expected to be on the rise as well, and we’d be fools to think criminals would ever really back off financial institutions, since the carrot at the end of the stick is so big.