Q&A: Is ‘FIDO’ on Samsung Galaxy superior to Apple Pay on iPhone?

By Byron V. Acohido

A day after Apple successfully hyped the ability for iPhone 6 users to biometrically authenticate the purchase of a Big Mac, using Apple Pay and Touch ID, Google rolled out Google Security Key, a new type of USB key based on the FIDO standard. Security Key can make your Gmail account nearly impossible to hack.

The two announcements are related. Both point the way to mainstream use of biometric sensors and other mechanisms for affirming you are who you say you are in digital communications and transactions.

LastWatchdog asked Brett McDowell, Executive Director of the FIDO Alliance, to handicap the competition to dominate the next generation of authentication technologies.

LW: In plain language, what is FIDO?

McDowell: FIDO stands for Fast IDentity Online. It’s a new set of industry standards, much like WiFi, Bluetooth and NFC. Any device manufacturer, software developer or online service provider can build support for FIDO standards into their existing products and services to make online authentication simpler and more secure.

The fact that this is all being standardized means the FIDO ecosystem can grow and scale. Any new implementation of the standards that pops up on the Internet will be able to immediately interoperate with any other implementation.

FIDO standards allow online service providers the option to set their own policies about what kinds of authenticators they are willing to trust. That includes PIN codes, voice or face recognition software, fingerprint readers, iris scanners, etc.

LW: What is the key distinction between how Apple is moving to popularize biometrically authenticated consumer purchases vs. the course the FIDO alliance is on?

McDowell: Apple Pay is a payment application, and just like every other application, it requires authentication. The Touch ID sensor, which is used as the authenticator for other applications, including but not limited to Apple Pay, is quite relevant to a discussion about FIDO standards.

To level set, the FIDO Alliance is an … more

VIDEO: Why $3.6 million to prevent next Heartbleed isn’t enough

By Byron V. Acohido

A dozen tech behemoths — led by Microsoft, IBM, Google, Intel and Cisco — have stepped forward with cold, hard cash to prevent the next Heartbleed.

Each has pledged $100,000 annually for the next three years to a war chest earmarked to fund improvements of open source technology.

That’s a collective pledge of $3.6 million, through 2016, set aside in something called the Core Infrastructure Initiative, administered by The Linux Foundation.

VIDEO: Heartbleed threatens financial channels

By Scott Borg

There seems to be some confusion about what Heartbleed is good for. Heartbleed is primarily useful for retrieving information from webservers that reveals the details of those servers’ recent interactions with clients.

This allows attackers to steal the “handshake” information that is used to authenticate an interaction between a client computer and a webserver. In particular, Heartbleed allows attackers to steal the private keys and other long-term authentication codes that are used to set up private, encrypted communication sessions.

Heartbleed can also allow the attacker to steal enough of the content of the server’s recent communications to capture account numbers and passwords. Together, these pieces of information can allow the attacker to impersonate a client computer without any need to invade that computer.

Criminals using Heartbleed would be able to arrange improper transfers of funds on a fairly large scale, unless the various kinds of authentication codes were changed in time. While Heartbleed can also be used to invade many types of client computers, such as Android phones, potential attackers don’t need Heartbleed to do that. Most Android phones, for example, can already be compromised, using any of several tools currently available from cyber-crime websites.

Sophisticated attackers taking advantage of Heartbleed will be after bigger, more lucrative game than cell phones and credit card numbers. A large portion of the web’s financial channels was potentially in jeopardy.

Fortunately, there were probably not many cyber attackers aware of the Heartbleed vulnerability before the patches for it started to be distributed. Perhaps even more important, there were not enough criminal attackers who understood enough about how financial transactions are carried out to take full advantage of the possibilities Heartbleed opened up.

This means that the biggest opportunities that Heartbleed created for stealing money were mostly closed up before they were much exploited. If there were some large diversions of funds accomplished by using Heartbleed, these will probably never be publicly acknowledged, because … more

VIDEO: A roadmap for triaging Heartbleed exposures

By Byron V. Acohido

The most worrisome aspect of Heartbleed arguably is the fact that this gaping security hole is so pervasively embedded in the fabric of the commercial Internet. “There are a few protocols that dominate when it comes to the security and operation of the Internet as a whole; SSL/TLS is one of them,” says TK Keanini, CTO at Lancope. “Everyone should have seen this coming.”

Companies and organizations ought to be scrambling over the next several days and weeks to triangulate and mitigate potential exposures relating to the wide use of the OpenSSL encryption protocol recently shown to be dangerously squishy, from a security standpoint, observes Dr. Mike Lloyd, CTO of RedSeal. Top of mind should be the spectre of data thieves and cyber spies hustling to exploit the Heartbleed flaw in order to exfiltrate sensitive data, especially private encryption keys, Lloyd says.

The potential for profound damage is such that a consensus is building in the security community that a smart thing organizations should consider doing is stopping all transactions for a few days to do such an assessment.

The mindset of IT security managers should be: “How fast can you identify unpatched machines and remediate them? Ideally you’d have a real-time map that can expose the vulnerabilities with a simple query or two to identify what’s been affected by Heartbleed, and what’s exposed,” Lloyd says.

Extended exposures

So is this urgency warranted? Absolutely yes.

That’s because it’s not just web servers that are vulnerable, as widely reported this past week. Lancope’s Keanini points out that OpenSSL is also widely used to secure other types of network communication, which may or may not use a traditional browser.

This past week VMware and Cisco led a parade of device manufacturers releasing security patches to address Heartbleed in their devices. “Flaws in cryptographic libraries are much more widespread than flaws in applications because these cryptographic libraries see so much re-use,” … more

VIDEO: Über nasty Heartbleed bug exposes fabric of the Internet

By Byron V. Acohido

KINGSTON, Wash. – An über nasty security flaw has arisen from the din to command the attention of the global security community, rightfully so.

The so-called “Heartbleed” flaw represents a path bad guys can use to tap into OpenSSL, the open-source implementation of the SSL and TLS protocols that are used all across the Internet to encrypt sensitive data.

“This is a very serious vulnerability. It allows attackers to see a portion of the contents of memory of the vulnerable server,” says Matt Willems, LogRhythm Labs engineer. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable.”

John Miller, Security Research Manager at Trustwave, observes that the Heartbeat flaw was spawned when OpenSSL was tweaked more than two years ago. He says it makes sense that criminals took notice prior to good-guy researchers at Google and a small security firm, Codenomicon, identifying the flaw this week.

“Attackers may have already exploited the vulnerability, stealing passwords, payment card information and other sensitive data without the end-user or business even realizing it,” Miller says. “And, unfortunately, this attack will most likely have a long tail.”

By impersonating the server, attackers can decrypt traffic moving in and out of a business’ network to steal sensitive data. Even worse, they can grab private encryption keys, opening a Pandora’s box of exposures, says Jean Taggart, senior security researcher at Malwarebytes.

With possession of private encryption keys, an intruder can “impersonate the victim, and set up an undetectable man-in-the-middle attack,” says Taggart. “This is a huge issue that impacts the fabric beneath secure communications on the web.”

Small business exposure

Attackers can take advantage by decrypting traffic moving in and out of a business’s networks to steal sensitive information or gain access to users’ accounts. Small businesses that contract out hosting services, in particular, may be unaware of data leaking through the Heartbeat … more

VIDEO: Last Watchdog’s video commentary from RSA 2014

By Byron V. Acohido

In the midst of doing video interviews with 10 different tech security vendors, Last Watchdog’s Byron Acohido met with MSLGROUP’s Tiffany Darmetko at RSA Conference 2014 to discuss the backdrop to the week-long event.

RSA was bigger and richer than ever. Big-name vendors like Symantec, FireEye, Microsoft and Kaspersky commanded giant exhibits in the north building of San Francisco’s Moscone Convention Center where, in years past, keynote speeches and breakout sessions were housed. Some of the vendors reportedly spent six figures to rent and run exhibits. The south hall exhibit floor was just as packed as in years past, with all the other vendors. And Moscone’s west hall was used to house breakout sessions.

VIDEO: Can Shape Security revolutionize Web defense?

By Byron V. Acohido

Shape Security. Remember that name. The Silicon Valley start-up emerged from stealth mode this morning to publicly unveil details of its plan to revolutionize cybersecurity.

If Shape can deliver, its technology could radically disrupt the engine that drives cybercrime: botnets.

Related video: Shape Security creates first “botwall”

A botnet is a sprawling network of thousands of infected PCs or Web servers, referred to as bots. The top dozen or so cybercriminal rings command massive botnets honed to automate and scale up the delivery of spam scams, the carrying out of denial-of-service attacks, the booby-trapping of legit websites and the hijacking of online financial accounts.

Botnets can’t be stopped largely because the bad guys have mastered a technique, called polymorphism, by which they continually tweak the underlying malicious code to stay a step ahead of the latest security updates.

Shape’s co-founders came up with the notion of using polymorphism against the bad guys. Shape’s technology doesn’t bother trying to detect botnet activity. Instead, it continually scrambles the exchange of information taking place between a Web server and a Web site visitor, be it a legit user or a malicious bot.

Gartner banking security analyst Avivah Litan credits Shape for breaking new ground. “You’ve got to hand it to them, they did something revolutionary, and you don’t see revolutionary technology very often,” Litan says. “No one ever comes up with new ideas in security. It’s always variations of old ideas and incremental changes.”

Shape has attracted cream-of-the-crop brainpower. Co-founder and CTO Justin Call, principal inventor, helped create the network security tools at security vendor Oakley Networks, which defense giant Raytheon acquired in 2007.

Co-founder and products vice-president Sumit Agarwal was the product chief at Google who helped port Google maps to the Android mobile device platform, and build AdWords into a $6 billion business.

And strategy vice president Shuman Ghosemajumder led development at Google of the systems the search giant uses to … more