Cybersecurity: After Ashley, Sony, and Target

There have been several high-profile cyber attacks over the last two years, some for financial gain, some out of malice, and some from hacktivists trying to right what they see as moral wrongs. Has anything changed since these security breaches? Do we take security more seriously now? Do company leaders pay more attention to technology and security?

Grey Hat Hacktivism

I wrote about grey hat hacktivism after the breach of the Ashley Madison website. Hackers threatened to publish the names of Ashley Madison members unless the site was taken down. They did this under the guise of moral outrage that the website was encouraging and enabling adultery by matching members. The hackers later published a few of the names, and then the full list. Whether the full list was published purposefully or accidentally is still unclear.

While the hack and the revelation of member names have interrupted many lives, Ashley Madison and its parent company, Avid Life Media, are still operating as usual. The CEO resigned last year after the breach, but the company states it “continues to have strong fundamentals with tens of thousands of new members joining AshleyMadison.com every week.” If the company's claims are true, then the hackers did not succeed in their objective. Hopefully it has caused people to be more careful about their own security and dealings on the internet. There is no evidence that Ashley Madison has changed its security policy to prevent future hacks.

Right on Target

In December 2013, Target was breached and 40 million debit and credit card accounts were exposed. In the aftermath, Target hired cybersecurity experts to probe the network and they found that once inside, hackers had access to every single cash register in every store. Target has taken steps to ensure this particular breach will not be repeated. It is thought that the initial entry came through a heating and air conditioning contractor who had a virtual private network (VPN) tunnel into Verizon for the purposes of exchanging contracts and work orders. Once the contractor was breached, the hackers had access to Verizon through the VPN and once in Verizon, they could go out to the point of sales systems to collect customer information. Even one weak link can cause incredible damage.

It is not clear how much customer information was actually used or sold but Target suffered, at least temporarily. Short-term earnings were down after customers lost confidence in the company. The CEO and CIO both resigned over the incident and Target has since worked to examine every aspect of their network for possible security holes. In short, security is serious business now, even at the highest levels.

Sony Hack

In November 2014, hackers breached the Sony Studios network and made public information about personnel, including salaries, unreleased films, and e-mail correspondence between Sony employees. They demanded that the upcoming movie, “The Interview” not be released. The movie was a spoof about North Korea, which led to the conjecture that the North Koreans were behind the hack. I will go on record as saying that I believe that the hack was an inside job, either by disgruntled employees or perhaps even orchestrated by the company to create publicity around a potentially bad movie. In any case, the movie was not released to theaters right away and Sony Pictures chief Amy Pascal was fired. It is not clear what Sony has done to shore up their defenses from further attacks but this is a case where limited and targeted inside information was exposed instead of customer information.

Thoughts

These are just three of the recent high-profile attacks perpetrated for financial gain, moral outrage or embarrassment. High-level executives lost their positions and organizations lost credibility in the eyes of customers. Here are three takeaway messages for me:

  1. Security does matter and it should matter in the highest levels of an organization. In the old days, the shop proprietor locked the front door when she went home at night, but it is not that simple anymore. With the increase in cloud computing and storage, there are a lot more doors to secure. It is complex and it is important.
  2. Organizations need to evaluate their security threats from both the outside and the inside. Employees know the systems and networks better than hackers. Are they with you or against you? How do you know?
  3. Security matters to each individual. We need to be diligent about our own digital presence and tracks on the Internet. Are your transactions secure? Are you using solid passwords? Are you encrypting your personal information when necessary? We all have a personal responsibility in that regard.

Those are my thoughts. Let me know what you think.

Author: Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

The Beauty of Blockchains

Last year I wrote about the Bitcoin revolution and some of the implications to our financial, currency, and trading systems. At that time, a single Bitcoin was worth $1,100 but now is only worth $379. There are wild price swings and talk of dissent among Bitcoin developers, as outlined in a recent Wall Street Journal article. Whether Bitcoin or some other crypto-currency survives in the long run, I think the most interesting story is the blockchain technology behind the rise of Bitcoin and the wide-ranging uses for this development.

Blockchain Explained

A blockchain can best be described as a ledger or database that exists simultaneously on hundreds or even thousands of systems. All of these copies are cryptographically connected to ensure data security.

In the case of a Bitcoin, every time a coin or a fraction of a coin is used, that transaction is recorded on the ledger. The database or registry records who had the coin and who now has the coin, which prevents a coin holder from spending the same coin multiple times. Because this registry is replicated in several identical databases simultaneously, someone attempting to hack into a system to steal the coin would have to hack into all of the systems at the same time. Changing only one instance of the registry alerts the other systems of the fraud and blocks the transaction. If blockchains can be used for currency, what are other possible uses for this technology?
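The two properties described above, in miniature: a hash-linked ledger that refuses a second spend of the same coin, and a comparison across replicated copies that singles out an edited one. This is an added example, not code from the original post or from Bitcoin; the `Ledger` class, the coin and holder names, and the simple majority comparison (standing in for a real network's consensus mechanism) are assumptions for illustration.

```python
import copy, hashlib, json
from collections import Counter

GENESIS = "0" * 64  # stand-in "previous hash" for the first block

def block_hash(prev_hash, tx):
    # Each block's hash covers the previous hash, chaining the history together.
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks, self.owner = [], {}  # hash-linked history; coin -> holder

    def head(self):
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def record(self, coin, sender, receiver):  # sender=None mints a new coin
        if self.owner.get(coin) != sender:     # only the recorded holder may spend
            raise ValueError(f"{sender!r} does not hold {coin!r}")
        tx, prev = {"coin": coin, "from": sender, "to": receiver}, self.head()
        self.blocks.append({"prev": prev, "tx": tx, "hash": block_hash(prev, tx)})
        self.owner[coin] = receiver

    def first_bad_block(self):  # index of the first broken link, or -1 if intact
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["tx"]):
                return i
            prev = b["hash"]
        return -1

def outvoted_replicas(replicas):  # copies with a broken chain or a minority head
    heads = [r.head() if r.first_bad_block() < 0 else None for r in replicas]
    majority = Counter(h for h in heads if h).most_common(1)[0][0]
    return [i for i, h in enumerate(heads) if h != majority]

def demo():  # constructed sample data
    ledger = Ledger()
    ledger.record("coin-1", None, "alice")
    ledger.record("coin-1", "alice", "bob")
    try:
        ledger.record("coin-1", "alice", "carol")  # alice already spent it
        blocked = False
    except ValueError:
        blocked = True
    replicas = [copy.deepcopy(ledger) for _ in range(5)]
    replicas[3].blocks[1]["tx"]["to"] = "mallory"  # one copy edited in place
    return blocked, replicas[3].first_bad_block(), outvoted_replicas(replicas)
```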

Title Chains

Anything that requires a title could make use of blockchains. When you purchase a home or a vehicle, you need to know the person selling that property really owns it. A title tracks ownership through the life of the property. When you purchase the property, you are added to the title. This process takes a lot of resources, both human and computer, and is not immune to fraud.

When I sold stock, I had to send my paper certificate to a broker to prove that I was indeed the owner. When I bought stock, the broker sent me a newly issued certificate to prove that I was the owner. Now the exchange is executed electronically, but it can still take up to three days to complete a transaction because of all of the systems and humans involved in the process. All of these transactions could be simplified by secure blockchain technology, which would be quicker and would reduce risk and the amount of paperwork.

Developing Countries

I think that developing countries could benefit greatly by using blockchain technology. Many of them do not have a secure title transfer infrastructure which limits their ability to buy and sell goods and services. Blockchains can be registered in small increments, even cents, so they can be used by entrepreneurs wanting to sell locally and worldwide without employing costly brokers.

Thinking on a larger scale, if an entrepreneur wanted to start a company, they could sell fractional shares in the company with each share secured by a blockchain transaction. The computing infrastructure does not need to reside in the community or even in the country but could be anywhere in the world. The transaction costs can be a lot lower, thus ensuring that more of the profit is kept in the community and reinvested for future growth and opportunities.

Thoughts

I am excited by the fact that technologies such as blockchains can create new opportunities. Coupled with other emerging advances, such as green power and wireless communications, this has the potential to be a game changer. Let me know your thoughts.

Author: Kelly Brown

Beyond Passwords: The New Face of Authentication

When the Heartbleed bug was discovered in April 2015 it cast a light on the problem of password vulnerabilities. Since then, or even before, IT departments have increased password requirements for both administrators and end users. Some organizations now require passwords of 13 characters or more that must contain certain combinations of letters, numbers and symbols, and must be refreshed as often as every six weeks. These requirements have led frustrated users to reuse the same password over multiple accounts or to write down the password and keep it in a supposed safe place. The increased vigilance is causing behavior that leads to less secure systems and accounts. What is the answer? Bill Gates declared the password dead in 2004 but passwords are still very much alive in 2016. For this blog post I set out to find acceptable alternatives to this problem.

Two Factor Authentication

While double identification does not remove the need for a password, it does make an account more secure. This is an option available now for Twitter and other accounts and can be set up in your profile. With this system, you enter the standard password and then enter a separate six-digit code that is sent to your smartphone at the time of login. It is a step towards more secure accounts and systems.

Cryptography

Google takes two-factor authentication one step further with a device that uses public key cryptography. This is a small USB device that provides a second authentication for Google apps, Gmail, Dropbox, and other applications. You plug the device into a computer to verify your identity. Near field communication or low power Bluetooth will be used soon to eliminate the physical connection.

Biometrics

Apple and Samsung are adding biometric authentication to their newest smartphones and tablets. This eliminates passwords completely by identifying you from your fingerprint. It is as easy as placing your finger or thumb on the screen before unlocking your phone or apps and would keep a lost or stolen smartphone secure.

The Myris portable retinal scanner from Eyelock allows you to log in to websites and applications via a quick retinal scan. Once you establish an image of your retina through video capture, you simply glance into the USB device to gain access to applications.

The Nymi heartbeat scanner is in development now and is another way to authenticate users via biometrics. This is a bracelet that records your heartbeat and then uses that to identify you to systems such as computers, door locks, and retail computers that would normally require a PIN or password. The software developer kit is available now and the product will be out soon.

All of these are attempts to easily identify an individual by a unique pattern and not by a password they carry around in their head (or wallet). The next logical step would be to present DNA, but I am not sure yet how that can be captured.

Thoughts

Bill Gates may have been premature in declaring the password dead but I hope that he is on the right track. I struggle to remember all of my logins and passwords and I could use help. Have you found a reliable and safe alternative to passwords? Do you use or trust biometrics? Let me know your thoughts so that I can start using the password portion of my brain for better things.

Author: Kelly Brown