Google’s Responsibility and 2 Step Verification

Google’s Larry Page has stepped up security measures since becoming Google’s CEO when Eric Schmidt stepped down in 2011. Google, the most widely used search engine in the world, is popular because it delivers value to its users by showing them the most relevant results when they are looking for something. By offering such a good user experience, Google has a very direct relationship with its users. When a user searches for an image or a product, Google’s search algorithm “magically” compiles relevant results. In a swiftly changing industry, Google has managed to stay innovative. Users don’t always like the changes, but some grow to love them. When Google releases a product that isn’t up to par with users’ expectations or doesn’t work, it knows that users can easily go to the competition, which is only a click away. Users place a lot of trust in Google with their searches and especially with the data in their emails, documents, pictures, and accounts.

To retain that trust and ensure that users’ information is safe, Google invests in security and in tools for users such as 2-step verification (also called two-factor authentication) and encryption. These security efforts help thwart unauthorized access to users’ information and also increase users’ trust in Google. Google also recently changed its privacy policies, which drew a lot of attention from users; ultimately the changes were made so that Google can create a more intuitive and consistent experience across its products. Larry Page’s update to Google’s privacy policy was meant to create a more seamless experience across its services and products. One way to do that is for users to stay logged in while using Google products such as Google Chrome, Google Docs, Gmail, YouTube.com, Google+, and Google Play.

Google’s implementation of security features like two-factor authentication helps improve the user experience by decreasing the likelihood of information and accounts being compromised. One way a user can be verified with two-factor authentication is to log into their account with their login credentials while a one-time password is sent to their mobile phone, which they then enter on the website that is granting access. This is a powerful way to authenticate users because, in addition to their login credentials (a username and password), they must enter a one-time password sent to their mobile device, which lets Google know that they are who they say they are. The great thing about this method is that most users always have their cell phone with them, so verifying them doesn’t require any additional hardware to carry or software to install. Users just need to be able to receive text messages on their mobile device, and they can receive a one-time password that hackers and intruders won’t be able to access even if their logins are compromised. With over 100 million active users on Google+ and over 3 billion searches on Google’s search engine per day, security is a concern for users, and implementing 2-step verification is a great way to ensure that users’ information remains safe while Google continues improving the experience for us all across its products and services.

Basic Security Measures Overlooked with BYOD

ESET recently conducted a survey on the bring-your-own-device (BYOD) trend and the associated security challenges. Most companies currently lack policies that address the use of personal devices, often leaving security up to employees. As we’ve addressed before, personally-owned device activations are reaching an all-time high, so it should be no surprise that more devices are flooding the workplace.

The ESET survey found that more than 80% of employed adults use a personally-owned device (smartphone, tablet or laptop) for work. Personally-owned laptops and desktops are often used to access or store company information (41% and 47% respectively); 24% use their own smartphone and 10% use a tablet to access and/or store company information, showing an increase in the use of devices that could potentially introduce data security risks.

What’s troubling in this data is the lack of security precautions in place:
  • about one third of BYOD devices have encryption for company data
  • less than 10% of people currently using their own tablets for work have auto-locking enabled (25% of smartphones auto-lock, 33% of laptop users auto-lock)
  • less than half of laptop users use both auto-locking and password protection; the numbers decrease for smartphone and tablet users
As ESET notes, “less than half of all devices in the BYOD category are protected by the most basic of security measures” and this is troubling indeed. When companies are lax on their BYOD security policies and training programs, it’s up to employees to determine the security on their own devices: they are not making smart decisions. It’s also likely that many companies have no idea of the extent of BYOD device use, the types of data being accessed, or when that data goes missing.

How CISOs Boost the Bottom Line

According to a new white paper from the EC-Council, companies that employ a Chief Information Security Officer (CISO) have higher profit margins, generate more revenue and have increased productivity. This claim has been further supported by research done by SC Magazine.

“An effective CISO and well-run information security program can save a company almost 10% of total revenue… This saving in gross revenue is accredited to a decreased risk of data loss and theft.”

“Top 10 Ways to Lead a High-Performing Information Security Program” outlines how CISOs can help lead their companies to a more productive and profitable future by developing and implementing a high-performing information security (IS) program.

“Simply put, CISOs contribute to better business results by ensuring security measures are fully implemented, standardizing and automating procedures, and by taking a strategic role with the organization to make information security a part of a business process,” affirms Jim Hurley, managing director of Symantec’s IT Policy Compliance Group.

The list was developed on the basis of a panel discussion at the EC-Council CISO Executive Summit held in December 2011. The list outlines ways to lead an effective program and how to avoid getting caught up with corporate issues that distract teams from carrying out their strategic functions.

Businesses Poorly Protecting Data

According to the results of the Trustwave 2012 Global Security Report, nearly 89% of breaches they investigated involved attempts at obtaining personally identifiable information (PII) such as credit card information or other customer data.

The report, based on 300 data breach investigations and 2,000 penetration tests performed worldwide last year by its own SpiderLabs, shows that cybercrime is changing and that some industries and data types are more at risk than others.

According to their data, the food and beverage industry accounted for the largest number of data breach investigations (44% of the 300 investigations), and industries with franchise models were particularly at risk.

The report draws particular attention to the issue of passwords and how poor password practices are leading to unnecessary data breaches. According to their analysis of more than 2 million business passwords, the most common password used globally by businesses is “Password1”, which satisfies the basic precautions of having a capital letter and a number within the password. Many companies are also failing to revoke temporary administrative accounts, leaving a way ‘in’ to the network using ‘valid’ credentials.
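The point about “Password1” is that a complexity rule checks the shape of a password, not whether it is a well-known one. The check below is an added example, not part of the Trustwave report or any vendor’s product: its blocklist and leetspeak table are constructed and deliberately tiny, standing in for a real list of common or breached passwords.

```python
import re

# Constructed, tiny stand-in for a real list of common or breached passwords.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456"}

# Cosmetic substitutions people apply to dictionary words (leetspeak), constructed here.
LEET = str.maketrans("@01345$!", "aoleassi")


def meets_complexity(pw, min_len=8):
    """The rule 'Password1' satisfies: minimum length, an upper-case letter and a digit."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw):
    """Reduce a password to the dictionary word it is built on.

    Lower-case it, strip the trailing digits/symbols people append to satisfy
    complexity rules, then undo leetspeak substitutions.
    """
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def is_acceptable(pw):
    """Complexity alone admits 'Password1'; the blocklist check on the normalized form rejects it."""
    return meets_complexity(pw) and normalize(pw) not in COMMON_PASSWORDS
```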

“An abundance of networks and systems were still found vulnerable to legacy attack vectors; many of these vectors date back 10 years or more,” Trustwave said. “Organizations are implementing new technology without decommissioning older, flawed infrastructure.”

In terms of detecting data breaches, only 16% of victimized organizations detected the breach on their own; in other cases, the breach was brought forward by a regulatory agency, law enforcement or the public. The average time after a breach but before detection was 173.5 days – a long time for data to be unsecured.

Hackers Make Unauthorized Trades in Online Brokering Accounts


In recent news, some clients of online stockbrokers in Australia have had their accounts compromised and have been advised to change their passwords. Investigations are currently being conducted by the Australian Securities and Investments Commission (ASIC). The ASIC believes that the hacking attacks were organized, but it has not yet determined how client passwords are being compromised. Hacking attacks like these could have been prevented if proper security measures were in place for the brokers’ clients and their systems. Using layered security measures such as multi-factor authentication dramatically reduces the likelihood of online user accounts being compromised.

According to the ASIC, the hackers used the accounts to engage in trades that lost the clients money.  About a dozen share-trading accounts have been hacked across several brokers and the ASIC is cooperating with international authorities to trace proceeds reaped by the other party in each transaction.  The ASIC has also said that the attacks are not believed to be associated with the attacks that shut down online brokers E*TRADE and Directshares.

Representatives at E*TRADE and Directshares have recommended that their users with online brokerage accounts keep the anti-virus and anti-malware software on their PCs up to date. E*TRADE was targeted by hackers late in 2011 to access a small number of online broking accounts and make unauthorized trades. E*TRADE has stated that its own systems were not the source of the compromise; rather, the users’ accounts were compromised. E*TRADE has recommended that users change their account passwords and check their computers to make sure there is no malicious software logging their keystrokes. Users with online brokerage accounts should also check their transaction history for unusual trades and report any unauthorized trades to the authorities and their broker.

The user accounts that were hacked could have been protected from unauthorized access if stronger measures were used to authenticate the users accessing them. Layered security such as multi-factor authentication identifies users using multiple methods. Two-factor authentication is a form of multi-factor authentication and could have been used to thwart the hacking attacks. If two-factor authentication had been used to authenticate the brokers’ online clients, the chance of the hackers accessing the data would have been minimal. A user’s login, or something they know, and a user’s mobile phone, or something they have, are two factors that can be used to authenticate them. The most secure way of authenticating someone through their mobile phone is to send a one-time password to the phone, because the user has the phone on them and is able to enter the one-time password along with the login credentials to verify themselves. In the case of the brokers’ clients’ accounts being hacked, the hackers would only have had the login credentials, and access would have been prevented because they would not have been able to receive the one-time password sent to the mobile phone. This type of authentication is a standard in industries such as banking and healthcare. The best way to prevent these types of hacking attacks is to scan your computer for viruses and malware and to incorporate two-factor authentication as an additional layer of security to protect against unauthorized access.
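The server-side half of the one-time-password flow described here and in the Google 2-step verification section above, as an added example that is not code from Google, E*TRADE or any broker: the first factor has already been checked, a short code is texted to the user, and the code is accepted only once, only within a time window, and only for a limited number of guesses, so stolen credentials alone are not enough. The `send_sms` callback and the constants are assumptions for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # length of the code texted to the phone (assumed value)
OTP_TTL_SECONDS = 300   # a code is only accepted for five minutes (assumed value)
MAX_ATTEMPTS = 3        # guesses allowed before the pending login is discarded (assumed value)


@dataclass
class PendingLogin:
    username: str
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and checks one-time passwords once username + password have passed."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # hypothetical delivery callback: (phone_number, message)
        self.clock = clock         # injectable so expiry can be tested without sleeping
        self.pending = {}          # login_id -> PendingLogin

    def start(self, username, phone_number):
        # Caller has already verified the first factor (something the user knows).
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        login_id = secrets.token_urlsafe(16)   # opaque handle for this login attempt
        self.pending[login_id] = PendingLogin(username, code, self.clock())
        self.send_sms(phone_number, f"Your verification code is {code}")
        return login_id

    def verify(self, login_id, submitted):
        p = self.pending.get(login_id)
        if p is None:
            return False                       # unknown, already used, expired or locked out
        if self.clock() - p.issued_at > OTP_TTL_SECONDS:
            del self.pending[login_id]         # stale code: the user must request a new one
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[login_id]         # too many guesses: do not let an attacker iterate
            return False
        if hmac.compare_digest(p.code.encode(), submitted.encode()):
            del self.pending[login_id]         # single use: a captured code cannot be replayed
            return True
        return False
```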