OK, in fact this is about the last few weeks in security this time – but in the future it will mostly be about looking back at the previous week.
The permanent threats: Chinese hackers, Anonymous,…
Not a single week goes by without news about attacks from various groups. This includes Chinese hackers who are alleged to have attacked the Wall Street Journal, and Anonymous, which claimed to have successfully attacked the US Federal Reserve. In the latter incident, it took four days from the announcement by Anonymous until the official statement of the US Federal Reserve. An additional cyber-attack hit the US Department of Energy, according to another news article.
There have been numerous articles about these attacks since, with different parties in the U.S. linking them to official Chinese agencies and the Chinese Army, while China denies these accusations citing a lack of proof.
Attacking the big ones
In this context, the recent attacks on Apple, Facebook, Twitter, and Microsoft (and possibly several other companies) also gained a lot of public interest. U.S. investigators assume that these attacks were driven by Eastern European cybercriminals rather than being Chinese state-sponsored, according to recent news articles.
Kaspersky kills Internet access for Windows XP users – accidentally
A Kaspersky antivirus update this month at least partially disabled Internet connectivity for Windows XP users. There is a workaround and a fix available; however, it takes some manual action to solve the problem – no surprise given that Internet access no longer works as expected. Unfortunately, there is no prominent direct link to information on this issue on the Kaspersky home page.
Path app ignores privacy again
An article on CNET revealed another privacy issue in the social network Path. Information about location data might slip out even when access to the location is disabled. Given that Path had some trouble with the FTC (U.S. Federal Trade Commission) recently and had to pay a fine, this new issue comes at the wrong time for them. It also again sheds light on the ignorance or incompetence of start-up companies when it comes to security and privacy – probably both. It will be interesting to see when the growing awareness and concerns of users finally lead them to stop using such services.
EU Commission introduces Cyber Security Plan
The EU Commission this week announced its Cyber Security Plan to strengthen resistance against cyber-attacks and cybercrime. The plan includes the idea of a European Cyber Defense Policy. It also includes the concept of an “attack notification obligation”. The latter led to some intense discussions because some companies do not want to inform the public about these issues. By now, virtually all large organizations have experienced some form of attack. So far, however, this is only discussed behind closed doors between the CISOs of these organizations. An attack notification obligation would change that and provide far more information to the officials. On the other hand, it will increase cyber security concerns among the general public – which might be seen as a positive effect given that it might also increase caution.
A lot of router security issues
Last week, there were again several news articles about security issues in routers and other network devices, including D-Link devices. At least D-Link delivered some firmware patches, while other devices remain insecure. This raises the question: Do you have patch management for the firmware of all your devices in place? Another interesting question: Which of the hardware vendors have a well-defined approach to security alerts and security patches in place? The bad news, from following this issue over the past few weeks, is that most vendors are neither willing nor able to provide patches quickly and in a simple-to-apply way. It is long past time for hardware vendors to start working on such an approach – and it is long past time for customers to have a complete patch management plan in place, from firmware up to applications.
Are stronger passwords really THE trend?
In its TMT Predictions (Technology, Media & Telecommunications), Deloitte predicts the end of “strong password only security”. The solution proposed is multi-factor authentication and, to a small degree, password vaults. However, most of the text focuses on using stronger passwords, longer than eight characters. My colleague Craig Burton recently made the statement: “There is no such thing as a password muscle you can strengthen by training.” Which is to say: People are limited when it comes to keeping passwords in mind, and recommending the use of longer and more complex passwords is not the ideal solution. You do not get better when you have to keep many long and complex passwords in mind; you just resort to workarounds like writing them down or always re-using the same password.
When it comes to multi-factor authentication, I would rather say that this was a topic for a “trend” some years back. Yes, we will observe some more implementations. However, multi-factor authentication by itself is not sufficient. Some two years ago, I blogged about the RSA SecurID incident. My recommendation at that time was to think about versatile authentication, combined with multi-factor authentication. Not that this concept was absolutely new back then…
Clearly, there is a trend towards approaches for strong, simple, and flexible authentication, beyond passwords. However, just talking about multi-factor authentication and password vaults is not sufficient. What organizations should evaluate are versatile authentication and, as the next and logical step, context- and risk-based authentication and authorization. That is the real trend. It is about understanding the bigger picture. Look at that bigger picture, not at a point approach, to understand the future of authentication and authorization.
In this context, it is definitely worthwhile to attend EIC 2013 – the future of authentication and authorization and the trends we observe will be an important part of the agenda.