No stop to the "Ueber Breaches"

Latest member in the club of breached high profile companies: Symantec or to be fair, Verisign which now belongs to the Symantec empire. According to press releases Verising had a serious security breach back in 2010. According to Verisign no unauthorized access to critical servers has taken place. The question comes up how can Verisign, RSA and all those other companies be so sure about that no access to critical servers has taken place?!

Looking at the amount of data that those breaches potentially have exposed we might soon see the ultimate hack, using all that information gathered so far.

Read more: Verisign data breach 2010

1SSA - Security Consulting, Training and Products

Where are the clouds moving to...

...to every one's IT environment and not the outsourcing companies or at least not in the public cloud. The still sceptical industry is more and more leaning to the private cloud. The outsourcing industry that mainly benefited from the public cloud movement is still predicted to get a big slice of the market. However outages (Some hosting providers do not count outages less than 5 minutes), the still unresolved questions around privacy, the sometimes "interesting" SLAs that basically leave customers in the rain when things go wrong, do not necessary increase the trust in the public cloud and the outsourcing organizations offering public cloud services. The cloud technology will have its place in the IT universe without question, however it won't be the quantum jump that some cloud fanatics predicted. On the other hand probably up to the last second of cloud computing existence, assuming there is something else coming after it, vendors, hosting providers and software companies will fight over what cloud really is.

1SSA - Security Consulting, Training and Products

RSA security breach the new age of "Ueber breaches"

RSA a trusted name in the security industry had a major security breach. Just like a giant can die from a virus that is a billion times smaller RSA got taught a lesson about human weaknesses.

According to articles in the press a worker at RSA decided to retrieve an email from the spam folder which contained an Excel attachment. The individual opened up the Excel spreadsheet to just have an embedded flash file execute, running an exploit against Adobe's flash player, which in the recent past had several vulnerabilities with "zero-day" exploits being available. This allowed the attackers to install a backdoor and work their way through RSA's systems and network.

Security experts are now convinced that RSA had the "seeds" of their security tokens exposed. So far RSA has neither denied nor confirmed this scenario. The seeds allow an attacker to calculate the security code that RSA's hardware tokens display and use for two factor authentication.

The magnitude of this security breach is yet to be understood since the token business is one of the key business that RSA has. Thousands of customers around the globe have been using RSA's solution.

Such an "Ueber Breach" is the first one of its kind but for sure not the last one. In our information reach society, where companies are competing to gather more and more information about individuals, we will see more and more of such security breaches. The cloud technology being another factor that potentially will accelerate the rate of security breaches of that magnitude.

Read RSA's press release

1SSA - Security Consulting, Training and Products

Epsilon security breaches

I received at least four notifications from various companies that have my personal information, notifying me that my email address and potentially other information had been exposed to an unauthorized third party as a result of a security breach at their marketing partner, Epsilon. All being the same format and verbiage. Telling me that Epsilon legal was potentially the source for the text.

This breach might have some people ask themselves: So why would someone steal email addresses? This breach seem to be just the first step in a much larger scheme. Back in 2008 PWC's job web site was breached, stealing thousands of email addresses and passwords. Initially nobody could understand why someone would go after such a site till cases of Paypal attacks surfaced and got connected to the PWC case. The individuals that had gained access to the emails and passwords were using them to access sites like Paypal, exploiting the fact that we all like to re-use passwords.

Read the official Epsilon press release

1SSA - Security Consulting, Training and Products

Impact of Egypt's awakining on IT outsourcing

Egypt had the reputation to be a country with a well educated youth but a GDP that was one of the worst worldwide. Now that things are changing we will very likely see that increasing (I would wish that for the people in Egypt very much!). But what does that mean for you and your outsourcing efforts? Egypt is just another country following in the footsteps of countries like India were cost of living went up, salaries followed and eventually the cost of outsourcing went up too. The changes in Egypt might at the same time increase friction between various layers of the population: The new IT elite which is getting higher salaries and others that feel left behind. Time will tell if this friction will result in more unrest or if the country manages to find a social approach that ensures the stability of the country. Social economic and human factors are often underestimated in IT and particular in IT security resulting in significant risks to the business.

1SSA - Security Consulting, Training and Products

Egypt crisis and Outsourcing companies

Some people see Egypt as the new India when it comes to IT outsourcing. What most people do not know is the fact that a lot of the IT support from Indian outsourcing companies already comes from countries like Egypt. A country with a well educated young generation that speaks English. It might be that your IT outsourcing is not directly affected, since being hosted in India, but the IT expert in India might have trouble getting his workstation supported from the help desk sitting in Egypt.

It is just another lesson learnt of how outsourcing creates risks that are not well understood, particular when it comes to the chain of dependencies that a global economy creates. With the introduction of the cloud the picture even gets fuzzier.

Read more: Outsourcing firms logging out of Egypt

1SSA - Security Consulting, Training and Products

Updates: Mobile apps & Cloud based services

Mobile apps spying on you - It seems that there are two class action lawsuits that have been filled against Apple. Apple having tight control over apps that get posted on the iPhone app store has set itself up for this. Control also means responsibility and consumer feel cheated if they discover that Apple allows applications to spy on them.

Cloud based services and the risks - The latest victim of its cloud technology seem to be Skype, which had major outages right around the Christmas time. The service blames older clients to be the source for the outage. Those clients shutdown/crashed when receiving certain offline messages that arrived delayed. This just shows that cloud technology creates super complex systems that are not yet well understood and difficult to test for all scenarios.

Read more:
Two lawsuits target Apple, app makers over privacy concerns
Skype's mega-FAIL: exec cops to cause

1SSA - Security Consulting, Training and Products