It’s 2017 and while traditional password-based authentication is still widely used, security experts have long realized that traditional passwords are not enough to keep malicious intruders out. Even with requirements for password length, sophisticated complexity, and frequent changes, even the best password is still only one piece of information that’s required to gain access.
I would like to thank you for your continued support, trust, and partnership on our journey to a world where every organization, regardless of size, has the enterprise class security and compliance posture they deserve. With your valuable feedback, our dedicated team of engineers continues to enhance industry best Security Operations and Analytics Platform, SOCVue. Our Global SOC security engineers leverage SOCVue 24x7 for incident detection and analysis, incident response and remediation guidance to mitigate risk.
DarkNet.org.uk reported earlier this week that information on 4 million Time Warner Cable customers had been exposed in an apparent misconfiguration of an Amazon S3 bucket. You may recall in July it was widely reported that 14 million Verizon customers and 3 million WWE fans had been similarly exposed by a misconfigured S3 instances. Forbes also reported that month that Dow Jones has suffered a similar misconfiguration issue, exposing data on 2 million customers. In each of these cases, the data leak could easily have been prevented through proper configuration of the S3 buckets. In these cases, simple human error created the security gaps that allowed the leak of sensitive data. In each case the error was found by a third party who observed the issue and reported it to the company.
As regular readers of the EiQ blog know, we’re suspicious of the Internet of Things (IoT), the massive collection of Internet-connected devices that don’t fall into the traditional “computer” category. From “smart” energy meters, to in-car technology, to Internet-connected home appliances, the IoT is an incredibly broad spectrum of technologies that can gain value – in some cases, significant value, in other cases, more dubious – by connecting to other devices and networks.
This week marked the annual descent of thousands of security professionals, hackers, security product vendors and journalists into 100-degree-plus weather in Las Vegas for the venerable Black Hat conference. This week in Vegas always includes three significant security events: the community-minded B-Sides security conference early in the week, the deeply technical DefCon conference later in the week, and the most mainstream event – Black Hat – wedged in the middle. All three events provide a forum for those involved in the security industry to get together and share exotic vulnerabilities and attack vectors, talk about the politics related to security (such as privacy and government monitoring), and in the case of Black Hat, see what tools and technologies vendors are coming up with to improve the security posture of organizations.
Picture this: you walk up to an ATM that’s the same brand as your bank. The ATM itself is in a well-lit area, there are lots of families walking around, and there’s even a police officer right on the corner. Everything seems safe, right? You slide your card into the ATM, conduct your transaction, and conclude your business as normal.
In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally, this is not something that would be particularly news-worthy, as the DFS is chartered to implement rules of governance and management for financial services companies all the time; over the past few years, the DFS has issues rules regarding financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March resolution – titled “23 NYCRR 500” – so interesting is that, for the first time, it defines specific cybersecurity governance requirements for all financial services companies operating in the state. As you might expect, as New York City is one of the top three financial centers of the world, this ruling has a substantial impact.
The old adage goes, “there are only two certain things in life: death and taxes”. Increasingly, however, it looks like identity theft needs to get added to that list. Earlier this week, security blogger Brian Krebs reported that TALX, a division of Equifax (one of the “Big Three” credit bureaus), experienced a significant data breach of personally identifiable information (PII). As is often the case in mass data theft scenarios, TALX was unable to identify the exact number of records or the scope of PII compromised.
Recently, social media giant Facebook announced that they are providing, free of charge, code to allow app developers to implement delegated account recovery. This is effectively a more elegant replacement for the traditional “security questions” approach to resetting a password, which historically has required the user to setup a series of questions that (ostensibly) only they know the answer to. However, a Microsoft survey from several years ago already identified that over 10% of those supposedly “secret” questions could be answered within five guesses by nearly anyone, and that participants forgot 20% of their security question responses within six months.