Now, after passing Pentagon tests, the devices are actually approved for use.

Before authorizing any devices for use in security-conscious military environments, the military requires a very specific and detailed implementation and deployment plan. A large part of that is the creation of policy for approved use as per DoD Directive 8100.02, which says that cellular devices are not allowed into areas where classified information is discussed, stored, or processed without written approval.

And until that happened for the Apple devices, the hundreds of thousands of phones and tablets were in administrative limbo.

“Most of them have not been deployed and are still sitting in a warehouse,” a source I talked to a month ago said. “They haven’t yet been able to build an implementation guide on how to use them.”

Today’s decision, however, paves the way for the U.S. military to actually use the devices in secure areas, and potentially expand their purchase order. It marks a turning point away from BlackBerry devices, which have been considered more secure, and which to date have formed the vast majority of government-issued mobile phones.

The problem with clearing smartphones for use in top secret environments is that they are, essentially, full of radios: Bluetooth, WiFi, cellular.

“With standard consumer devices, there’s no way to prove that the Wi-Fi is turned off,” my source told me.

One solution the DoD had previously implemented for iPads was to hand them off to a second party after delivery from Apple to crack open the cases and “snip the Wi-Fi radio” to disable it, and then close them up again. Apparently, the DoD reached a special agreement with Apple to maintain warranty eligibility, which would normally be voided after opening the case.

Today’s approval, however, is for a version of iOS 6 that has likely been customized by Apple and certified by military technologists to ensure security compliance without actually having to snip wires.

Interestingly, according to Bloomberg, the military plans to create its own app store for military applications, which would allow DOD personnel to use commercial hardware but employ tested and approved applications.

photo credits: The U.S. Army via photopin cc, Devindra Hardawar/VentureBeat

It seems privacy issues related to Google Glass are drawing government attention. A committee in the U.S. Congressional Privacy Caucus sent a letter to Google chief executive Larry Page asking just how the company plans to protect both people wearing the device and the people it records.

The group was particularly interested in the idea that Google Glass can use facial recognition to deliver a wearer information about the people nearby. Mostly, the caucus wanted to know if this facial recognition can be turned off or opted out of by a specific person.

The committee also brought up Google’s past with privacy issues, including the recently settled case where Google collected data from unsecured Wi-Fi networks as a part of its Street View project. Google agreed to pay a $7 million fine as a result of that lawsuit, though it has obviously left the U.S. government wary of Google’s privacy protections.

The letter was signed by eight of the Privacy Caucus’ members, and was led by Rep. Joe Barton (R-TX).

As All Things D notes, Google Glass product director Steve Lee explained that privacy and “social implications … of Glass, of people wearing Glass, has been at the top of our mind.” He went on to explain that Google will likely not deviate from the current privacy policy it has set up — another concern of the Privacy Caucus.

Letter to Google from Congress privacy group regarding Google Glass privacy

via All Things D; Google Glass image via Jolie O’Dell/VentureBeat

This post originally appeared on the blog of startup guru Steve Blank.

I grew up in New York City and for a few years heaven on earth for me was going to Boy Scout camp in the summer near the Delaware River.  The camp had all the summer adventures a city kid could imagine: hiking, fishing, canoeing, etc. But for me the best part was the rifle range.  For a 12-year old kid from the city shooting target practice and skeet with a .22 rifle meant being entrusted by adults with something you knew was dangerous – because they were beating gun safety into our brains every step of the way.

From the minute we walked onto the shooting range to even before we got to touch a gun, we learned basic rules of handling weapons I still haven’t forgotten. You screwed up and you got yelled at and if you did it again you got escorted out of the rifle range.

While target practice and skeet shooting were fun, safety was serious.

Over the years I would learn how to shoot an M-16 in basic training in the military, go through a basic combat course to go to Southeast Asia (when we acted like this was a lark, our instructor stopped our drill and said, “For your sake I hope the guys shooting at you were screwing around in their combat course.”  It got our attention.)

When I bought the ranch, herds of wild boar still roamed the fields. While we were putting in the miles of fencing to keep them out, I bought much heavier weapons to deal with a charging 400-pound boar and hired an instructor to teach me how to safely use them.  Each time, gun safety was an integral part of training with new weapons.  For me, guns and gun safety became one and the same.

Hacking and Cyber Security

For consumers, online surfing, shopping, banking, and entertaining ourselves have become an integral part of our lives. And with that has come identify theft, hacking, phishing, online scams, bullying, and predators online. As well as a loss of privacy.

But for businesses, the threats are even more real. Go ask RSA, Northrop, Lockheed, Google, Amazon and almost every other company with an online presence. Intellectual property stolen, customer data hacked, funds illegally transferred, goods stolen, can damage a company and put them out of business.

I think we’re missing something.

In the last 20 years 3 billion people have gained access to the web. Yet for most of them safety online remains a problem for other people. It pretty clear that for a company going online today is equivalent to playing with a loaded gun. The analogy of comparing the net with guns might seem stretched, but I think it’s an apt one. Guns have been around for hundreds of years, to provide food as well as wage war, but it wasn’t until the 20^th century that gun safety rules were codified and taught.

I think we need the equivalent of gun safety training for online access.

We now know the basic tools online hackers use. We know enough to harden sites to stop the simple hacks and to educate employees about basic social engineering and phishing attempts. It’s time to teach Cyber Security as integral part of the high school and/or college curriculum – not as an elective. Companies need to make Cyber Security education an integral part of their on-boarding process.

The Air Force Academy basic Cyber Security course is a good place to start (Stanford and other schools have similar syllabi.) The class consists of basic networking and administration, network mapping, remote exploits, denial of service, web vulnerabilities, social engineering, password vulnerabilities, wireless network exploitation, persistence, digital media analysis, and cyber mission operations.

Lessons Learned

• The web is not a benign environment
• Companies, high schools and colleges ought to make a basic Cyber Security course a requirement of getting online access.

Steve Blank is a retired serial entrepreneur now teaching entrepreneurship at UC Berkeley, Stanford, and Columbia.

Photo credit: JSmith Photo via photopin cc

After flying a drone “a few feet away” from a family home in Seattle, one man claims he was doing research well within his legal rights. The camera-clad drone, however, spiked justified concerns about the privacy of the family who lives there.

A woman in Seattle explained to the Capitol Hill Seattle Blog (CHS) that she heard a buzzing noise outside her home that she assumed was a weed-whacker. Instead, it turned out to be a flying drone with an attached camera, hovering near her third-story window. She spotted a man on the sidewalk outside of the house controlling the drone. Her husband did what any normal person would do: he asked the man to cut it out, but he refused saying it was within the law to fly the drone and that he was conducting research. The couple subsequently called the police, who decided not to come once as the man decided to leave the area.

“We are extremely concerned, as he could very easily be a criminal who plans to break into our house or a peeping-tom,” she said, according to CHS.

The Atlantic points out that a 1946 Supreme Court ruling considers all airspace to be a public highway. But airspace or not, I assume you can’t take pictures of someone’s home through their windows without permission. If someone had a very long stick with a camera at the end and held it over your fence, you’d likely not consider that legal either. It’s yet another example of the dire situation we’re in trying to keep legislation up with technology.

Commenters on the CHS blog post speculate that the drone could have been used by a local paper’s reporters to demonstrate how “useless” they are. Others suggest it could have just been a weirdo.

Drone image via Don McCullough/Flickr

Identity Thief, the movie

The immigration reform measure that the Senate began debating this week would also create a national biometric database of American adults, according to Wired.

Immigration reform is a hot topic, but the bill before the Senate adds another layer of policy debate on top of it. Many have called for national identification systems in the past, but privacy groups oppose the step. Among the fears: As happened in the Holocaust, the system could be used to single out minorities for persecution.

The bill mandates a “photo tool,” or a massive federal database to be maintained by the Department of Homeland Security. It would contain names, ages, Social Security numbers, and photographs of everyone in the country with a driver’s license or state-issued photo ID. Employers would have to look up every employee in the database upon hiring them. The clause calling for the database is meant to curb hiring of undocumented workers.

But privacy advocates fear it will be used for all sorts of things, like registering at polling places, buying a gun, opening a bank account, and other tasks.

“It starts to change the relationship between the citizen and state; you do have to get permission to do things,” Chris Calabrese, a congressional lobbyist with the American Civil Liberties Union, told Wired. “More fundamentally, it could be the start of keeping a record of all things.”

Apple is putting law enforcement requests on hold, according to one judge. The company has created a waiting list for all the “unlock this device” requests it receives.

After repeat attempts to unlock a suspected drug dealer’s iPhone 4S, the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) reached out to Apple for help, as reported by CNET. Apple complies with law enforcement requests, like most big tech companies, to unlock devices or supply data. But, according to Judge Karen Caldwell handling the case, the ATF was told it would have to be placed on a waiting list along with all the other requests Apple receives.

The agent involved explained in an affidavit that it would be up to seven weeks before the request was fulfilled meaning Apple has its hands full with law enforcement aid. But it makes sense as smartphone data can be a pivotal part of the discovery process in a law suit.

Text messages, Facebook messages, emails, pictures, location-data and more would be available to anyone who had the unlocked phone. In the case of a drug dealer, law enforcement would of course want to look for any messages about transactions, or anything that could lead to further arrests in a drug ring.

Of course, this becomes a sticky matter when it comes to whether warrants are involved or not. It could then be considered an unreasonable search and seizure.

This might be a testament to how secure iPhones seem to be. This might also be a testament to how law enforcement might want to invest in more technical resources.

Apple HQ image via matteoartizzu/Flickr

PerspecSys, the Toronto-based cloud data protection company, has closed $12 million in its second round of funding. The company plans to use the capital injection to further develop global sales and marketing efforts and continue product development.

The company supports a variety of popular cloud-based applications, such as Salesforce.com and Oracle CRM On Demand, while using validated encryption solutions from companies like Voltage Security, McAfee, SafeNet, Symantec, and RSA.

Research firm Gartner predicts some $42 billion will be spent on cloud-based security from 2013 to 2016.

Already, PerspecSys claims to have three of the world’s largest financial institutions and one major multinational conglomerate as clients.

“While the cloud continues to deliver amazing benefits to companies worldwide, it also continues to pose some major hurdles,” said David Canellos, chief executive of PerspecSys.

“Businesses are struggling to balance critical data residency, compliance, privacy and security requirements that come with cloud adoption against the need for full application functionality and ease of use. Our focused efforts over the last four years have produced the most advanced gateway in the industry, delivering the only data protection solution that passes the strictest European and US regulatory requirements,” he said.

This round of funding was co-led by new investors Paladin Capital Group and Ascent Venture Partners. They were joined by return backer Intel Capital and other institutional investors. Total investment in PerspecSys now totals over $20 million.

Photo Credit: PerspecSys Inc.

The multiplayer servers for EA’s hit shooter Battlefield 3 are not fully functional due to a Distributed Denial-of-Service attack.

Developer DICE is attempting to counter the attack by updating and improving its servers. In posts on its message boards, DICE says it doesn’t know why its game is under attack, and it will continue to work to get the game working properly.

“We have been working around the clock to mitigate the impact of an ongoing denial-of-service attack on our Battlefield 3 game infrastructure over the last several days,” reads a post from the DICE team. “While the motives are unclear, the focus of the attack has been interference with network communications preventing access to multiplayer gameplay.”

We’ve reached out to EA to ask if it knows who is responsible for the attack. We will update with its response.

The studio went on to assure fans that this blunt-force attack has not compromised user data.

A DDoS attack is when a person or a group of people use software to make repeated requests on a server. If enough requests are made, it will overwhelm the server and cause it to begin spitting out errors. It doesn’t require any hacking skills, but a coordinated attack like this does need a lot of different PCs all running the software at the same time.

That suggests this is either a group of people or that someone is hiding the code for the attack in other software.

“As a part of our efforts to resolve these issues, we’ve conducted rolling restarts of Battlefield infrastructure to apply some updates,” the Battlefield forum post reads. “Thank you for your patience and support while we work to get everyone back and playing Battlefield 3 as soon as possible.”

DICE promises to provide more updates as it makes progress.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

Development testing service Coverity’s annual scan report, which is based on data from almost 500 software projects with a total of over 450 million lines of code, says that almost 230,000 defects were found and fixed. And while the average defect density per thousand lines of code was almost identical between open source and proprietary, there was an interesting diversion in the results.

Open source projects, Coverity says, tend to have .69 bugs per thousand lines of code, virtually the same as proprietary software, which tends to have .68 errors per thousand lines. But large closed-source projects — over one million lines of code — tend to have 33 percent fewer errors than small closed-source projects, with .66 errors over each thousand lines of larger projects compared to .98 in smaller projects. And small open source projects have a massive 70 percent fewer errors than large open source software, with only .44 defects compared to .75.

The difference, according to Coverity, is that small open source projects are labors of love by individual developers or small teams, who carefully comb through their code to reduce errors. Large open source projects, on the other hand, tend to lack standardized processes to ensure code quality, and so the error rate increases.

In commercial or closed-source software, developers experience almost the opposite conditions. Large projects tend to have well-defined formal testing processes, which ensure higher code quality, and small projects tend to be hasty, quick endeavors that show the effects of growing pains, as no standardized testing is in place.

In other words, if you’re looking for bug-free apps, look for a small open source project or a large proprietary piece of software, because those have the best chance of having few defects and high overall code quality.

All of the data in infographic form:

photo credit: gui.tavares via photopin cc

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

That’s going back to the future, according to Monetate: going back to a time when all commerce was personal.

But there is a yin and a yang here.

While we may want personalized experiences, and we want websites to be smart — to know us, essentially, and act as an intelligent, solicitous person might — privacy is part of the picture. A good third of us don’t want our website activity tracked, and a quarter of us don’t want the websites we shop to personalize our experience at all.

Monetate has four tips for online retailers:

1. Use marketing automation technology and big data to assist with personalization
2. Target segments with relevant content based on what you know about them
3. Don’t think of channels, think of customers first
4. Be in it for the long haul, not the quick win

All the data, in visual form:

photo credit: crsan via photopin cc

The White House has reportedly created the position of Chief Privacy Officer and tapped Twitter legal director Nicole Wong to fill it.

Twitter hired Wong in November 2012, only a few months after it first released its Transparency Report — a list of government take-down requests that often highlights privacy and censorship issues in the industry. The company often has to deal with these issues as its user data is often desired in court cases and other situation.

She will work alongside the current chief technology officer under the Obama Administration Todd Park. Park is rightfully focused on the security and privacy industry and user data becomes more accessible and valuable to others both in and outside of the Unisted States.

Todd succeeds the country’s first CTO Aneesh Chopra, also appointed by President Obama.

Wong is also an interesting pick because she knows the ins and outs of how big technology companies like to use that data themselves. She’ll bring what seems like a rounded experience and knowledge of U.S. law to the White House tech team.

Wong previously worked at Google, which is also known for its transparency reports. She spent time choosing between which take-own requests requests to fulfill and which to throw out.

via CNET; Nicole Wong image via Twitter

West Virginia legislators, led by Gary G. Howell (R), hoped to ban motorists from using Google Glass while driving in March. And as it has been revealed that Glass wearers could take a picture just by winking, pundits talk about Google Glass creeping them out, bars that no Glass-wearing geek would enter start banning Google’s wearable computer, and Las Vegas casinos have declared the device persona non grata. Pit bosses, apparently, have cold sweats about poker games being recorded and transmitted and players getting relayed instructions via Glass’ built-in bone subduction speakers.

Really, you wouldn’t have thought a proposal to Borg the entire human species would have met with such resistance.

Seriously, however, almost any individual thing Glass does now has been possible in the past.

Source: Steve Mann

Steve Mann’s computer-assisted vision system.

Memoto, the camera that hangs around your neck and takes a picture every 30 seconds, blew through its Kickstarter campaign goal by a factor of 10. It’s tiny, unobtrusive, and has no on-off switch — a voyeur’s delight in public bathrooms, pools, and who knows where else. Head-mounted cameras are nothing new.

Motorola Solutions — the part of Motorola that Google doesn’t own — demoed its wearable computing and head-mounted mobile computer to our own Dean Takahashi last year. And glasses with cameras are available from multiple manufacturers.

It’s probably the full-meal-deal package that Glass presents that is the problem — and the fact that it houses all of its startling capability in probably the first somewhat attractive device which someone not on the Star Trek convention scene might actually wear.

We’ve already seen the panic and anger that always-potentially-on technology can cause when Steve Mann, who wears a computer vision system, was assaulted in a Paris McDonald’s for failing to take the device off, even though it is permanently attached to his head. Glass promises to ignite that same fear, worry, and concern over privacy, multiplied by millions of potential wearers.

“Welcome to a world through Glass,” Google says in its introduction to what Glass does. “Record what you see. Hands-free. Even share what you see. Live.”

There’s no doubt that Glass is awesome, cool, and empowering, but every power that an individual gains is a power that might infringe on others … and a power that governments tend to want to control.

“This is just the beginning,” Los Angeles privacy lawyer Timothy Toohey told the NY Times. “Google Glass is going to cause quite a brawl.”

photo credit: Dunechaser via photopin cc

The Pentagon pointed an accusing finger at China today in its annual report to Congress, saying the country and its government are trying to gain insight into U.S. secrets.

Specifically, the report says China is hacking into U.S. computer systems to grab data that will improve its own technology. It is also looking to get a read on how the U.S. government feels about China internally, according to the Wall Street Journal. It’s a strong statement for the Pentagon, which is very direct about the use of hacking in its report.

“China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs,” said the report.

Security firm Mandient identified a group of hackers from China’s People’s Liberation Army called PLA 61398, which has been launching a number of damaging cyber attacks on the U.S. It has been linked to hacks on a number of technology companies as well as media such as the New York Times.

Last week, it was revealed that PLA 61398 is suspected to be behind a wide-scale attack on QinetiQ, a U.K.-based defense contractor with a U.S. subsidiary. Those brought on to research the QinetiQ case said they were able to find traces of the hackers in all corners of its business. The cyber criminals stole what Bloomberg reports as the equivalent of 3.3 million excel spreadsheets.

The data lifted included drones and robotics plans.

Pentagon image via michael baird/Flickr

Security heavyweight McAfee has agreed to acquire network firewall business Stonesoft for $389 million in cash, the company announced today.

Helsinki, Finland-based Stonesoft offers a portfolio of firewalls, SSL VPN solutions, and prevention systems that are suitable to help both small and large businesses. It has more than 6,500 customers worldwide.

McAfee is most interested in Stonesoft’s next-gen firewall technology, and it’s saying that combining Stonesoft’s offerings with its own cloud-based Global Threat Intelligence service will give its customers even better network security.

“With the pending addition of Stonesoft’s products and services, McAfee is making a significant investment in next-generation firewall technology,” McAfee President Michael DeCesare said in a statement. “These solutions anticipate emerging customer needs in a continually evolving threat landscape. … We plan to integrate Stonesoft’s offerings with other McAfee products to realize the power of McAfee’s Security Connected strategy.”

Pile of money via HamsterMan/Shutterstock

Consumer antivirus maker Avast has acquired Secure.me, a Facebook-focused personal security startup.

“I am overwhelmed that our vision has reached its destination,” wrote Secure.me cofounder Mario Grobholz on the company blog. “The deal with Avast is the most crucial milestone in our company’s history.”

Secure.me launched in November 2011 as a way parents could keep their eyes on their offsprings’ Facebook activity, including outgoing and incoming messages, wall posts, and status updates.

Secure.me also searches for preset or user-created search terms, sending notifications when the terms pop up in Facebook content. And its photo recognition technology keeps a virtual eye out for pictures with specific people in them, whether or not that person has been tagged in the photo.

Then, last fall, the company launched App Advisor, a program to protect all Facebook users — not just kids — from third-party applications in the mood for personal data.

But with mixed business success and no immediate opportunities to take investment, the Secure.me team started looking around for other opportunities. Grobholz said his team will continue to focus on personal data security at Avast.

Avast was founded in Prague in 1988 by researchers Pavel Baudiš and Eduard Kučera. The terms of the acquisition were not immediately disclosed.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Samsung’s Knox security software gained a little bit more legitimacy today when the Department of Defense approved Samsung Galaxy S4′s running the protections for use in the government.

Getting your phone into the hands of Pentagon employees is likely not the easiest task. The Knox software keeps specified data separate from the rest of your phone. That way if it gets hacked, the criminal won’t immediately have access to your sensitive information. This is important for separating things like private documents, apps, and accounts that you might access through the phone. The data is also encrypted. You can also use Knox to set up a VPN.

“We are very pleased to announce that the U.S. Department of Defense has approved Samsung Knox-enabled devices for use in DoD networks,” said JK Shin, president of Samsung Mobile, in a statement. “This approval enables other government agencies and regulated industries such as health care and financial services to adopt Samsung Galaxy smartphones and tablets.”

It seems the technology is good enough for the government, which likely scrutinizes all the devices that come through its doors. But while choosing the most secure devices is an important task, the government doesn’t want to get stuck with just one kind of phone, according to a statement. Blackberry is the phone of choice at the Pentagon with around 470,000 users. Apple’s iPhone comes in second place, with Android bringing up the rear.

This isn’t surprising given that Android has a reputation for contracting more malware given its open marketplace nature. You can download Android apps from many sources (and not just the App Store, like in Apple’s case), so there’s more opportunity for something malicious to slip through.

But it seems the government is looking to expand its horizons, according to the company’s announcement. It doesn’t want to get stuck with one type of technology and miss out on learning about different kinds of phones.

hat tip CNET; Pentagon image via gregwest98/Flickr

According to one police chief, yes.

District of Columbia police chief Cathy Lanier says that carriers benefit from phone theft, going so far as to insinuate that they are somehow complicit in the underground economy of stolen mobile devices.

“The carriers are not innocent in this whole game,” Lanier told the NY Times. “They are making profit off this.”

Our own reporter, Christina Farr, was recently robbed of her iPhone 5 at knife-point in downtown San Francisco. Police who took her statement were “nonchalant,” simply having far too much experience with similar crimes. San Francisco and New York Police have launched special initiatives and teams to curb mobile crime in response to the influx of thefts.

But what about carriers?

The contention seems to be that carriers should be doing more to identify stolen phones as they enter the underground resale market, often on auction sites like eBay, and are activated by new owners. Carriers have established a national stolen phone database that works by tracking stolen phones’ IMEI numbers, a International Mobile Station Equipment Identity that identifies a mobile device independently of the owner and can be used to block network access to a device that has been reported stolen.

One problem, however, is that full integration is not scheduled to take place until November. Australia, for example, had similar technology in place country-wide a full decade ago, in 2003. In addition, many Verizon and Sprint devices don’t yet have IMEI numbers.

Carriers say that the full database will help prevent crime, that they do care about cell phone theft, and that it is not just an excuse to sell another phone or register another subscriber.

Image credit: Dave Hosford/Flickr

Ten drones joined the Navy today in its first drone squadron. The unmanned aircraft are joined by other manned aircraft to resurrect a retired helicopter squadron known as “The Magicians.”

The drones are Fire Scout MQ-8B helicopters, built by Northrop Grumman, that the Navy plans on arming. Currently, they can target individuals and send back images and video to a home base to alert those controlling the drones as to what is going on. They’ll likely be used in missions deemed extremely dangerous that the military will want to keep humans away from.

The Magicians squadron was retired in 1992 after 19 years of service and is today reborn with eight manned aircraft joining the drones. The drones will be armed and deployed in a year. Currently, both the Army and Air Force have their own drone programs.

Fire Scout MQ-8B drones can take off and land on ships, though we’ve seen a variety of bugs including one that brought a drone down in its attempt to land, as the Associated Press notes. Two of these drones crashed last year in separate instances. In 2010, one drone disconnected from its control base and flew into restricted airspace over Washington, D.C. Washington was warned of the meandering drone before it deployed fighter jets.

Commander of naval air forces Vice Admiral David H. Buss assures that these issues have been fixed.

Drone image via Northrop Grumman

Chinese cyberspies stole a good majority of U.K.-based defense contractor QinetiQ‘s wealth of U.S. military research, according to Bloomberg. The theft happened over a three-year period in which QinetiQ seemed to make all the wrong moves.

We’re all aware cyberespionage is a growing threat in the United States, where military secrets are of high value. This group, known as the Comment Crew, hacked its way into QinetiQ’s North American division’s systems in 2007. The defense contractor was originally notified of the breach by a Naval Criminal Investigative Service employee who found two infected computers at QinetiQ’s McLean, Va., headquarters. The discovery was tangential to another Naval Criminal Investigative Service project that revealed a great many more compromised defense contractors. But this information was left out of the report to QinetiQ.

Bloomberg chronicles what happened from there. It looked at internal QinetiQ emails as revealed by Anonymous’ hack on HBGary, revealing a string of poor decisions. Security firms HBGary, as well as Terremark and Mandient, came in to deal with the intrusions. But HBGary’s monitoring software slowed employee computers down so much they actually removed it with permission from their IT departments.

Richard Clarke, the former special adviser to George W. Bush, explained to Bloomberg that this could wind up being a huge embarrassment if we ever get into a conflict with China. “We try out all these sophisticated weapons systems, and they don’t work,” he explained.

Mandient revealed the Comment Crew to the masses earlier this year as a specialized group of hackers working for the People’s Liberation Army. Comment Crew is otherwise known as PLA 61398.

One of the ways the Comment Crew got into further systems was by stealing passwords and simply logging in as if they were employees working remotely. Mandient had pointed out this to QinetiQ, suggesting a fix, which might have been two-factor authentication. QinetiQ did not act on the advice.

Furthermore, when future attacks were uncovered –such as one reported by NASA — the company continued to treat them as isolated events instead of as an organized attempt to steal what eventually would be secret military data on drones, robotics, and more. Bloomberg reports the amount as being close to 3.3 million Excel spreadsheets.

Terremark senior vice president Christopher Day spoke to Bloomberg, saying,”There was virtually no place we looked where we didn’t find them.”

Last May, QinetiQ was given a new contract from the U.S. Transportation Department for $4.7 million.

We have reached out to QinetiQ for comment on the report and will update this story upon hearing back.

QinetiQ robot image via QinetiQ

Cloud identity management company Ping Identity says that between those six or more corporate passwords and all the personal passwords we maintain, the average person has to remember 15 passwords. That’s probably a recipe for disaster, given the total information onslaught we face every day, which is why the majority of us — 61 percent — reuse passwords from site to site.

That’s what security companies call “password negligence,” and the results are costly.

Too many passwords and not enough memory contributes to 39 percent of all malicious hacking attacks, which can cost large enterprises $5.5 million each.

One solution, of course, is corporations requiring users to change their passwords every 30 to 60 days. That’s more secure, theoretically, but people often reuse an old password. Or, worse, if they’re worried they won’t be able to remember the new password, they may write it down.

The end result, unfortunately, can be less security than before the change.

All the data is below, in visual form:

photo credit: Simon Lieschke via photopin cc

Mani Gopalaratnam is head of innovation at business process outsourcing company Xchanging.

BYOD has been talked about ad nauseam, but now there’s a trend surfacing that will start to push BYOD out of the picture in the next few years. Corporately Owned, Personally Enabled (COPE) devices are the next big thing, and within the next three years, projections indicate 70 percent of global organizations will adopt it.

BYOD is a concept that was floated first in Asia, where CIOs were quick to embrace the trend, but also quick to realize its implications: challenges in securing corporate data, an increased need for IT resources and support, increased costs, difficulty maintaining network performance, and challenges in managing devices and applications.

Companies like BlackBerry, which was ahead of the curve in adopting BYOD, were also the first to try out COPE pilots, where the goal was essentially to show customers this model was a better, less risk-laden option for enterprise mobility than was BYOD.

BYOD vs COPE

The biggest difference between BYOD and COPE is the management of personal data on the device.

Employees own their devices with BYOD, hence Bring Your Own, which gives organizations less control over how they are being used. It goes without saying that this leads to massive potential for security issues. It also puts an organization in peril, especially with the sales force owning their own phone numbers.

With COPE, the end user has more flexibility, but the organization still has control over costs, security, and other areas of potential risk such as legal and HR implications. For example, corporations can dictate what carrier the organization uses and what devices can sit on the network but may, for example, allow users to indicate what apps they want on their phone, or may offer employees a device catalog to select from. This gives employees options, while also minimizing the need for IT to manage an overwhelmingly mixed range of devices

COPE also gives organizations the power to monitor policies and devices, beyond simply selecting which ones can be distributed. If the device is stolen, the company can send a wipe command. Organizations can also conduct automatic checks on malware and dangerous applications, sending warnings about certain apps to the device owner in order to proactively avoid potential issues.

Migrating to COPE

When helping our clients migrate to COPE, we’ve found a number of ways to aid organizations in further maximizing the benefits.

Some best practices to consider include:

• Take advantage of the ability to recycle devices as part of the contract. Alternatively, to keep costs down, buy in bulk. By doing so, you can negotiate substantial discounts.
• To take that one step further, beyond minimizing just the device costs, outsourcing enterprise mobility contracts also enables organizations to make the best use of resources and budgets. You can negotiate usage-based plans, for example, to minimize unnecessary spend.
• Understand the benchmarks from cost benefits, usage statistics, and device performance so you have a framework from which to measure and learn.  Benchmarking is important when making a transition in your mobility model, as it provides a measureable way to evaluate costs, usage, performance. and more. It enables executives within your organization to see the tangible benefits of a COPE model by clearly indicating the improvements in productivity, efficiency, and overall business execution from a numbers perspective.
• Be aware of potential hidden costs. While there are more hidden costs associated with BYOD than with COPE, costs to look out for include device management and maintenance, personal service partitioning and impacts, and migration expenses, among other things.
• Due to dramatic improvement in device software upgrades, it’s vital to ensure the internal systems are able to work with the latest software versions. This can have a bearing on how well COPE adoption can take place without a huge hidden migration cost.

While COPE enables organizations to better control corporate assets — over information, as well as tangible control — it also boosts employee satisfaction. This, in turn, results in a surge in employee productivity (evident from the days of BlackBerry) due to the shortening of decision support.

So while today BYOD buzz continues to dominate enterprise mobility discussions, you’ll soon start to see COPE fazing it out as more organizations realize the benefits and flexibility that can be achieved though this alternative model.

Mani Gopalaratnam heads the architect team at Xchanging, Inc. (XCH: LSE), a $1B business process and technology services provider and integrator. He is also Head of Innovation for the company and CTO for the region of Asia Pacific. To learn more, visit www.xchanging.com.

I spent the morning at the Waterloo, Ontario Institute for Quantum Computing, one of the world’s top quantum computing and nanotechnology labs. In a brand-new 235,000 square foot, $160 million dollar facility that, inside, looks like the starship Enterprise, I met Alice and Bob.

They weren’t very talkative, of course — they’re computers.

“In quantum cryptography, you’re sending information from A to B … we call A ‘Alice’ and B ‘Bob,’” says Martin LaForest, PhD and a senior manager at IQC. “The eavesdropper, naturally, is Eve.”

Source: John Koetsier

“Bob” receives quantum communications

One part of the vast facility is given over to Vadim — last name not given — who hacks commercially-available quantum communications devices like these two from ID Quantique for fun and profit. The fun is the success, and the profit is that ID Quantique lets him keep Alice and Bob, and even sends him more machines — as do other quantum cryptography companies.

“He’s sort of offering a service to the community,” LaForest says. “If you think you have a good quantum key distribution system, give it to me … and I’ll give it my best shot. And so far, he’s very good.”

Modern cryptography is based on our inability to quickly solve challenging mathematical problems, such as the factoring of very large primes. Theoretically almost any security solution available is hackable over time, but realistically you might need months, years, or even decades to crack some of the top 128-bit and 256-bit encryption algorithms available today.

That’s not possible with quantum cryptography.

“If you want to crack quantum communication, you have to do it in real time,” says LaForest. “When you try to observe it, you perturb it … and you can’t copy it because copying is the same thing, give or take, as looking and copying.”

LaForest is referencing the physicist Schrodinger’s cat example. As Schrodinger famously said, you cannot definitely know much about a quantum state, because the act of observing the state changes it. He illustrated that point with a cat in a box which has a 50/50 chance of dying based on the decay of one radioactive particle: a quantum phenomenon. You cannot check whether the cat is alive or dead, because checking changes reality, and so the cat exists in an indeterminate state, neither alive nor dead.

Source: John Koetsier

Alice is the starting point for quantum communication

And yet, it is still possible to hack quantum cryptography, as Vadim demonstrates every month or so.

Alice and Bob communicate via connected photons — particles of light that have been “entangled” in a process even Einstein called spooky — and that communication can’t be intercepted without the intended recipient knowing about it.

But once the message has been received, it’s another matter.

“Vadim is trying to find the implementation flaws,” LaForest told me. “This is one of the challenges right now — the protocol is secure … but its physical implementation might not be. You can have faulty detectors, or you can play tricks with the electronics.”

Which makes the work of Eve — or Vadim — very challenging indeed.

But that work, LaForest says, does not go unrewarded by commercial users of quantum encryption systems:

“It’s important to note: The commercially available boxes are secure. Most of the time, Vadim finds the problems in what they call the research system, and in the commercial system, those bugs are already fixed.”

Mozilla is pissed. The company sent a cease-and-desist letter to the makers of government spying software FinFisher, saying it is using Firefox’s branding to “lie and mislead as one of its methods for avoiding detection.”

Mozilla wrote a blog post about the issue yesterday, saying Gamma International, the creators behind FinFisher, are “tricking people into thinking” the spyware is FireFox by using “Firefox.exe” as FinFisher’s filename, as well as providing Firefox source code to anyone who looks at the underlying code. The company worked with Citizen Lab to determine the fraud, which found multiple accounts of this happening in the wild. This includes a spyware attacks in Bahrain and Malaysia as well as in a promotional demo of the spyware.

FinFisher is known in the security community as a surveillance product that governments buy to spy on specific targets. As Ars Technica notes, it’s rumored that governments also use it to spy on its own citizens. The United States, Australia, Britain, Canada, Germany, India, and many more are said to use FinFisher.

“As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this type of abuse is vital to our brand, our users, and the continued success of our mission,” Mozilla privacy and public policy lead Alex Fowler said in the blog post. “We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy.”

Mozilla assures people that the browser software itself has not been compromised and is in no other way associated with FinFisher. The company says that this isn’t the first time people have abused its brand, using it for malware schemes.

Firefox photo via pelican/Flickr

The list of consumer brands adding two-factor authentication to their consumer accounts under the halo of protecting them from password thieves is growing daily. Apple, Microsoft, WordPress, and Evernote are some of these company to jump on the two-factor authentication bandwagon and trumpet the new levels of safety they’re offering their end users.

What most end users don’t realize is that the biggest benefit of implementing two-factor authentication is often just a public relations one.

There are a variety of two-factor authentication solutions available, and many of these can be just as vulnerable as password-based access systems. For starters, what makes the password so broken is the fact that the shared secret (the password) is stored right where it’s subject to attack (the website). Deploying many types of two-factor authentication doesn’t fundamentally change this model. In most two-factor authentication deployments, a user will be asked to share something else with a site (such as texted code), which will then be stored, again, where it’s subject to attack. Instead of fortifying the security, we’ve actually increased the amount of user information that’s shared.

That second device — the ‘something you have,’ as it’s commonly referred to in two-factor authentication descriptions — should improve security. But there are both usability and security elements working against it:

Usability

Deploying two-factor authentication means issuing tokens or embedding cryptographic keys in user devices, and both of those approaches require user participation. Experience to date has shown that, in cases where two-factor authentication is provided as an option, most users won’t use it —  the security is not worth the pain of the experience. Consumer usage rates are in the low single digits in opt-in models.

If two-factor authentication is suddenly required, many existing website users would find themselves without the necessary means to log in (such as a smartphone or a dongle). That’s a non-starter for consumer sites because it leads to their two least favorite things: increased cost via clogged support queues and declining customer satisfaction and traffic. So they default to the opt-in model and no one uses it.

Security

Most two-factor authentication technologies generate a one-time code for users to then provide to authenticate their identity. But this common implementation is not immune to today’s threats or emerging ones. Cyber thieves use Trojan-horse malware, for example, that tricks a person into approving an attacker’s transaction without knowing it. Malware on users’ phones that intercepts SMS messages and sends them to an attacker is also becoming more common.

Third-party authentication tokens are also dependent on the security of the issuer or manufacturer. Case in point is the March 2011 breach of RSA SecurID tokens. Companies that issued RSA’s two-factor dongles were simultaneously relying on RSA’s internal security. Telecom-based technologies, such as text messaging (SMS), lean on the security of the mobile provider, which is chosen by the user. A service using SMS, such as Facebook’s two-factor authentication, can be vulnerable to any number of telecom providers’ practices regarding reassignment of phone numbers or security of messages.

The swift reaction of many consumer sites to embrace two-factor authentication and their efforts to protect customer information are highly commendable. But this is a complicated problem that can’t be solved by ‘turning on two-factor.’ Until we address the foundational problem of secrets being shared between consumers and the sites they love, we can’t truly safeguard their information.

Jim Fenton is the chief security officer for OneID and is responsible for security design of the OneID identity system as well as oversight of the company’s corporate information security.

Two-factor authentication image via Shutterstock

Actually, it’s not that difficult, according to mobile security company Fixmo’s CEO, Rick Segal.

“Despite the Bush years of let’s go play in another war, there’s a very tight, close alliance between Canada and the USA,” Segal says.

He can get away with saying that sort of thing more than most Canadians, because the CEO of this Toronto-based startup is a ex-patriate American who has spent the last 15 years in Canada. He’s building his business in Ontario because, he says, of the tax credits for high-tech companies, the influx of talent from the most-populous Canadian province’s 50+ universities, and the ability of Canadian governmental agencies to give him personalized attention in his efforts to break into new markets.

Such as sponsoring him to attend expensive international conferences like the one where he met “some NSA folks.”

Fixmo makes mobile security products that allow organizations to safely offer BYOD (bring your own device) policies that don’t imperil sensitive data and networks. The company, which had just three employees just a few years ago, offers an encrypted sandbox, digital fingerprint technology that can detect tampering to your mobile operating system, and compliance breaches like the installing of unauthorized apps on both iOS and Android. Built with 256-bit encryption, two-factor authentication, and remote wipe capability, Fixmo’s products are sold largely to governments.

And, interestingly, they’re built on software originally developed by the NSA.

“The US government and security agencies tend to view Canada as one of its own,” Segal says. “Eyebrows don’t get raised when a Canadian company does business with NSA … there’s no ‘it’s a foreign country’ kind of thing going on.”

It started — as so many things do — in Vegas.

While attending the wireless industry trade show CTIA in March 2011, Segal met the men in black who represent the NSA’s Technical Transfer Program, which is in place to commercialize technologies and products developed inside the agency. Interested in Fixmo’s existing security products, the NSA decided the company was a good bet to do business with.

After developing a relationship that resulted in a technology transfer in which Fixmo licensed agency-developed security code, Segal started building shippable products based on the NSA technology. Fixmo’s products, the company’s sales literature highlights prominently, “have been developed as part of a cooperative research and development agreement with the U.S. National Security Agency.”

That commercialization has culminated in the sale of those products back to the three-letter agencies.

“Seventy percent of our customers are government agencies like the NSA, FBI, and Homeland Security,” Segal says, noting a contract with the US air force that completed last week. “One of our clients has 700,000 seats.”

The company’s other clients include businesses in the financial services and healthcare industries, both sectors in which privacy, security, and compliance with corporate policies are paramount.

photo credit: DonkeyHotey via photopin cc

Disclosure: I’ve been invited by the government of Ontario to explore the startup ecosystem in Toronto, Waterloo, and elsewhere, and this post is part of that series, and Ontario has paid for this trip. My reporting, however, is my own.

It seems even Twitter is a little shaken up about the recent rash of major media account hacks. The company sent out a letter to publications saying it expects more hacks and provided tips on how to keep Twitter accounts safe.

In April, hackers broke into and tweeted from the Twitter accounts of CBS, NPR, and the Associated Press. The hackers posted messages that accused the U.S. government of “being in bed” with terrorists, and in the Associated Press’ case, faked an explosion at the White House.

That one bogus AP tweet caused the Dow Jones Industrial Average to drop 1 percent almost immediately, highlighting just how much people trust Twitter as a breaking news resource. Undoubtedly this puts a lot of pressure on Twitter, and it’s trying to make sure publications know that this is a problem that isn’t going away just yet.

“We believe that these attacks will continue and that news and media organizations will continue to be high value targets to hackers,” said in the memo, which was posted by Buzzfeed.

A group called the Syrian Electronic Army, a proregime hacking collective, took credit for the hacks, though they are far from the only people trying to get attention through these means. The hackers, according to Twitter, are mostly able to get access through phishing attempts alone. These are tricks that hackers use to get regular people to simply give up the login information.

Twitter urges companies not to share their passwords in email or over the Internet and to limit the amount of people who have access to the account.

It also seems to be grasping at straws, telling publications to designate one computer from which people tweet. Those who tweet from this computer, however, should not access the Internet in other ways (such as for email) lest they expose themselves to malware. It seems a little outlandish for the pace of breaking news today. “Hold on guys, just filed my story. Need to ask Jimmy down at the copy desk to tweet it out next time he’s on the Twitter laptop.”

The company also asks publications to use two-factor authentication on their email addresses and to otherwise use strong passwords. Twitter specifically called out LastPass and 1Password as good methods of storing individual passwords for all your accounts (since often a good password for every site you use is hard to remember).

Of course, we’ve heard the rumors that Twitter is working on its own two-factor authentication, and we’re happy about that. But as PhishMe chief executive Aaron Higbee explained shortly after the AP incident: two-factor authentication won’t always save you. Businesses really need to put their employees through some kind of phishing trainings to show them what a phishing attack looks like, how convincing they really are, and best ways to avoid them.

Check out the letter:

Please help us keep your accounts secure. There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that
news and media organizations will continue to be high value targets to
hackers.

What to be aware of:

These incidents appear to be spear phishing attacks that target your
corporate email. Promoting individual awareness of these attacks
within your organization and following the security guidelines below
is vital to preventing abuse of your Twitter accounts.
Take these steps right now:

Change your Twitter account passwords. Never send passwords via
e-mail, even internally. Ensure that passwords are strong- at least 20
characters long. Use either randomly-generated passwords (like
“LauH6maicaza1Neez3zi”) or a random string of words (like “hewn cloths
titles yachts refine”).

Keep your email accounts secure. Twitter uses email for password
resets and official communication. If your email provider supports
two-factor authentication, enable it. Change your e-mail passwords,
and use a password different from your Twitter account password.

Review your authorized applications. Log in to Twitter and review the
applications authorized to access your accounts. If you don’t
recognize any of the applications, contact us immediately by emailing
______@twitter.com.

Help us protect you. We’re working to make sure we have the most
updated information on our partners’ accounts. Please send us a
complete list of all accounts affiliated with your organization, so
that we can help keep them protected.

Build a plan. Create a formal incident response plan. If you suspect
your organization is being targeted by a phishing campaign or has been
compromised by a phishing attack, enact the plan.

Contact us immediately at ______@twitter.com with the word “Hacking”
in the subject. Include copies of suspected phishing emails.

If you lose access to an account, file a Support ticket and email the
ticket number to ______@twitter.com.

Moving Forward:

Review our security guidelines to help make sure your accounts are as
secure as possible.

Talk with your security team about ensuring that your corporate email
system is as safe as possible. A third-party provider that allows for
two-factor authentication might be a safer solution.

Strong security practices will reduce your vulnerability to phishing.
Consider the following suggestions:

Designate one computer to use for Twitter. This helps keep your
Twitter password from being spread around. Don’t use this computer to
read email or surf the web, to reduce the chances of malware
infection.

Minimize the number of people that have access. Even if you use a
third-party platform to avoid sharing the actual Twitter account
password, each of these people is a possible avenue for phishing or
other compromise.

Check for signs of compromise. Checking your email address and
authorized apps weekly or monthly can help detect unauthorized access
and address the problem before access is abused.

Double-check the email address associated with your Twitter accounts:

https://twitter.com/settings/account

Review the apps authorized to access your accounts:

https://twitter.com/settings/applications

Change your password regularly. Changing your Twitter password
quarterly or yearly can reset the clock if a password has leaked.

Using a Password Manager integrated into your browser can help prevent
successful phishing attacks.

Third-party solutions such as 1Password or LastPass, as well as the
browser’s built-in password manager, will only auto-fill passwords on
the correct website. If the password manager does not auto-fill, this
might indicate a phishing attempt.

Password managers make it much easier to use a very strong password.
Very difficult passwords will discourage memorization, which will
greatly reduce the chances of being phished.

Be certain to set a master password, since otherwise passwords may be
stored unprotected.
Don’t hesitate to email us if you need assistance.

Owl image via Shutterstock

Daily deals company LivingSocial is sending out an email to 50 million of its members today saying that the company has been hacked. It assures the public that the hackers did not access any credit card information.

Living Social announced the hack through an email to the affected people today as well as in an internal email to employees that emphasized the systems that were affected. Currently, only names, birthdays, email addresses, and encrypted passwords were collected by the criminals. Encrypted, or hashed, passwords can be unencrypted by the hackers with the right tools, so you should be sure to change you passwords if you used your LivingSocial one for any other accounts.

When asked when this breach originally occurred and if it was connected to a Java exploit or a phishing attack, a company spokesperson said LivingSocial is not yet ready to discuss those details.

Tim O’Shaughnessy, LivingSocial’s chief executive, explained in the email to employees that the hack did not touch the servers that hold credit card information nor the servers that store merchant financial or banking information.

LivingSocial is reaching out to everyone except those who live in Thailand, Korea, Indonesia, and the Philippines. A spokesperson for the company explained that customer information for anyone in those countries is stored on a separate, untapped server, “so there was no impact on them from the attack.”

In the aftermath of attacks like these, hackers often attempt to using phishing attacks to gain even more information. LivingSocial assures customers that it will never ask for personal or account information in an email. If you see an email asking for anything of this nature, assume that’s it’s a fraud and don’t respond. If you’re concerned about your account, go directly to the website and check out your account from there.

Here is the email sent to LivingSocial employees, which the company supplied us with:

LivingSocial image via justgrimes/Flickr

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Last week I bought 13 laptops from WalMart.com. All were pretty cheap, between $500 and $700, but 13 of them added up to a rather hefty $8,000 bill on my MasterCard.

There were only two problems: I didn’t buy them, and they weren’t being shipped to my house.

I’d been hacked. Somehow, somebody in Sacramento, Calif., was going to get 13 Dell Inspirons at my expense. Lucky them … and unlucky me.

But not only unlucky me — a staggering one in four Americans report being a victim of identity fraud, according to a new study by Jumio, a leading credit card validation service for web and app-based commerce. And 83 percent of us worry about identify theft.

Source: John Koetsier

Fraudulent WalMart.com orders charged to my account

That’s a problem, because commerce is increasingly going mobile. Two-thirds of us own a smartphone and/or a tablet, and most of us plan to use them to buy things in the near future. A full 48 percent of us use our mobile devices to check something as sensitive as our bank balances. But as we do, we’re opening ourselves up to even more avenues of fraud and scamming.

“Users may be willing to accept risk now in favor of convenience, but this tolerance will weaken as fraud continues to grow,” Daniel Mattes, founder and CEO of Jumio, said in a statement. “The industry needs to get on board to protect our customers as much as the customers themselves need to take greater precautions.”

Investigators in my case suspected a phishing attack, in which you get an email purportedly from an online store that leads you to a fake but real-seeming site that then takes your credentials, but I had not clicked on any real or fake WalMart emails.

And so the only greater precautions that would have been useful would have been perhaps using unique passwords for each e-commerce site I use.

The problem of online and mobile security is a growing one. According to VISA, mobile commerce fraud was $2.7 billion in 2010, $3.4 billion in 2011, and $3.5 billion in 2012. And Cybersource says almost a third of all retailers experienced mobile fraud in 2012.

So what’s the solution?

Perhaps biometrics. Apple is said to be building a fingerprint sensor into the next iPhone model, the iPhone 5S. And Jumio’s survey says that 74 percent of us don’t feel that simple username/password security is sufficient. It certainly didn’t protect me — I was only fortunate enough to notice 13 thank-you-for-your-order emails from Walmart.com.

But biometrics won’t be available on every device, and won’t be an industry-standard smartphone feature for some time to come, if ever.

Meanwhile, according to Jumio, 69 percent of us would feel more comfortable sharing our personal information online, and buying via mobile, if there were more secure ways of storing that data online.

Source: Jumio

Mobile purchasing and banking activity

“For mobile to reach its full potential, the industry needs to adopt more consistent and accurate ways to identify and authenticate consumers,” Mattes said. “Only then will we be able to truly combat fraud.”

The question remains: How exactly that should be done?

The mechanisms for catching fraud after the fact, and protecting consumers from the consequences, are mostly in place. MasterCard canceled my credit card, WalMart canceled the transactions, and no harm was done. And big data solutions that the big credit card issuers including VISA and American Express employ to track consumers’ spending habits and suspend cards if odd or suspicious spending patterns start to emerge limit losses when the fraud proceeds successfully.

But that’s not the case every time: web and mobile security has a last-mile problem that isn’t going away any time soon.

photo credit: ToastyKen via photopin cc

The Cyber Intelligence Sharing and Protection Act (CISPA) is likely to fail if it goes to a vote on the Senate floor, according to comments made today by Sen. Jay Rockefeller (D-W.Va.), the chairman of the committee on commerce, science and transportation.

CISPA is a bill that would enable major companies to share cyberthreat data with the government (and each other) to prevent attacks on their networks. Many critics have spoken out against CISPA because it doesn’t specify what information can be shared and what it will be used for beyond preventing cyberattacks. CISPA passed a vote in the House last week despite threats of a presidential veto.

“We’re not taking [CISPA] up,” Rockefeller told U.S. News. “Staff and senators are divvying up the issues and the key provisions everyone agrees would need to be handled if we’re going to strengthen cybersecurity. They’ll be drafting separate bills.”

CISPA isn’t technically dead, because the Senate hasn’t brought the bill to a vote. And even though there’s promise of carving CISPA’s various cybersecurity issues into separate bills, it could easily morph into something that’s very much like the original piece of legislation that was passed by the House.

It’s worth noting that this is the second go-around for CISPA. Last year the bill also passed successfully in the House — and the Senate version of CISPA bill even had the White House stamp of approval. Yet the Senate is also where CISPA met its demise the first time, so maybe there is some hope that Rockefeller’s comments will hold true. Still, the White House is still pushing for some type of cybersecurity legislation to pass into law, and the Obama administration has even laid the groundwork for companies to voluntarily start participating in a CISPA-style coalition.

After a rash of major Twitter account hacks, rumor says the company will be releasing two-factor authentication. While this is a great extra protection, it’s not the panacea many are looking for.

Over the past two weeks, three major news outlets — NPR, CBS, and the Associated Press — have all had their Twitter accounts hacked. In the AP’s case, hackers took over the account and tweeted about a bogus explosion at the White House. Following that breach, many called on Twitter to introduce that golden security measure: two-factor authentication.

We saw something similar when a journalist was hacked through Apple, prompting the company to figure out two-factor authentication for iCloud. The rumor now is that Twitter is going to release its own version of two-factor authentication. For that, we say, thank you, Twitter! But as PhishMe chief executive Aaron Higbee points out: that’s not the be-all, end-all solution to the problem.

“You would think this is obvious, but there seems to be a lot of undeserved criticism directed towards Twitter simply because AP employees fell for a phishing attack,” said Higbee in an email to VentureBeat, “Calling on Twitter to provide two-factor authentication doesn’t solve the AP phishing incident, nor would a long, frequently-changed password. That’s not to say it’s not worthwhile. Twitter should make an effort to offer two-factor for those that want it.”

The AP confirmed that the hack was preceded by a phishing attempt in a post about the incident.

Brian Krebs provides an excellent overview of why two-factor authentication could fail in such cases. Summarized, people set up phony phishing websites where targets are tricked into submitting their login credentials, which might include two-factor authentication codes. These codes often expire, but for many consumer sites, they are left connected for days because companies don’t want to create a barrier to entry.

Many of these spoofed websites are done really well. In the case Krebs writes about, hackers made a fake Citibank portal that served up error messages just like the real website would if incorrect credentials were supplied. That’s sophisticated and difficult to detect for us regular folk.

Higbee suggests that Twitter open up its own “group tweet” abilities so employees don’t have to share the same login credentials for an official company account. But education on phishing for all types of company employees could help too.

A group of pro-regime Syrian hackers called the Syrian Electronic Army took credit for all of the Twitter breaches, though we haven’t been able to independently confirm this is the case. The group has not mentioned any phishing in its congratulatory touting, but often targets publications based on their coverage of the conflict in Syria. If you’re one of those, it’d be wise to alert your employees to phishing attacks now.

Phishing image via Shutterstock