Thursday, 30 April 2015

Biometric Identification Leads Yahoo! to Your Ear

The stated goal of biometric identification is to eventually render password management and security irrelevant.  The challenge faced by scientists is to come up with a financially viable group of technologies that can be used across multiple platforms, from mobile devices to laptop computers.  Yahoo! thinks part of the eventual solution will be your ear.

Reports say that Yahoo! is currently working on technology that would allow a mobile phone to be unlocked just by placing it to the owner's ear.  The phone's touchscreen is already capable of acting as a sensor that could map various locations on the ear to make a correct identification.  If the researchers cannot make the ear work, they are also working on mapping the palm of the hand, using the fist, or even identifying a phone owner by his or her grip.

Yahoo! has named their biometric project 'Bodyprint'.  Initial trials with 12 participants have achieved results of 99.98% accuracy in identifying body parts and a 99.5% accuracy rate for identifying individual users.  The ear scans were accurate 99.8% of the time.  Such strong and positive results suggest that the company is onto something that could eventually become quite successful.

According to the Yahoo! research team, the Bodyprint project was born out of a necessity to create biometric identification that was both effective and inexpensive.  While fingerprints have been used as biometric ID markers for years, the highly sensitive equipment needed to make it work is too costly for the average smartphone - that is why it's only found in top-of-the-line phones sold to a limited audience. Fingerprint scanning has no viable commercial purpose because it is cost prohibitive.

Working with other body parts is much more feasible because of the area and capability of the smartphone touch screen.  Its large size means it does not have to be as sensitive; it can map and compare larger surface areas in less detail, yet still come up with an accurate result.

Added Personal Security

Supporters of the kind of research Yahoo! is doing say that body part recognition may be better in the long run because it adds an extra layer of personal security.  Fingerprints, for example, are easily lifted from nearly any surface a person touches - there have already been cases where mobile phones have been hacked by stolen fingerprints.  Using a body part that does not leave a detailed mark makes it harder for hackers to do their jobs.

Body part recognition is also seen as more secure and private compared to facial recognition.  Although facial recognition has been in development for IT services for a while, security experts are wary of storing the data involved on cloud servers where it could be easily accessed for nefarious purposes.  Data centres would be especially vulnerable if their facial recognition data were breached.  Body part recognition makes it possible for security to remain more local and without as much personal data floating around.

Our parting comment:  should ear scans become part of everyday life, be sure to wash behind your ears!



Thursday, 23 April 2015

PayPal Pushing Biometric Identification Technologies

One of the world's largest electronic payment processors is leading the charge toward new biometric identification technology that will eventually eliminate the need for usernames and passwords.  PayPal, the former eBay subsidiary, insists they have no practical use for biometric technology at the current time.  They say they are pushing to move things forward because they want to be the ‘thought leaders’ in the industry.

Although the field of biometric identification is wide open, the things PayPal are looking at focus on natural body identification methods that would involve embedded silicon chips, brain implants and ingestible ID products powered by stomach acid.  Other companies are looking for ways to take advantage of biometric identification without the need for synthetic components.  For example, Microsoft is working on retina scanners and facial recognition.

The advantage of natural body identification by way of implanted or ingested devices is that identification can be achieved by combining a number of natural elements including heartbeat and vein structure.  Multiple biometric markers are seen as more reliable than single markers, such as footprints and retina scans.

There is little doubt of the commercial viability of biometric identification for both communications and financial transactions.  The infrastructure already exists to make use of such identification methods; it is only waiting for the methods to catch up with already available networks.  PayPal hopes to be a leader in the development process.

User Names and Passwords Doomed

At the risk of sounding clichéd, it is not a matter of if usernames and passwords are doomed, it is simply a matter of when it eventually happens.  No matter how many times people are warned about using exceptionally weak usernames or passwords, they continue to use things such as 123456 and qwerty.  As long as this trend continues - and it will - cyber criminals will have easy access to millions of accounts all across the world.

Unfortunately, even complex usernames and passwords can be broken using sophisticated computer algorithms capable of going through millions of combinations in a short amount of time.  That leaves us with no other choice but to develop biometric identification, thus removing user name and password data from the equation.

Even as PayPal and other companies forge ahead with biometric identification, it is not fool-proof.  In fact, there are many concerns.  Right off the bat, biometric identification would depend on hardware and software being a lot more dependable than it is now.  Second, any biometric identification method would require the data collected during the identification process to be translated into machine language code and that code can always be breached and used for illegal access.  The security segment will have to adapt along with biometric identification.

One final concern is what will happen to currency when biometric identification becomes the norm.  There are legitimate fears of a cashless society relying on the good graces of government for monetary stability.  That may not necessarily be a good idea…



Thursday, 16 April 2015

Report: Workers Last Line of Defence for Phishing Schemes

A surprising research report from Verizon paints a grim picture regarding phishing schemes and corporate computers.  According to the report, workers are the last line of defence for phishing schemes, yet they fail at a rate of 25%.  Leading report author Bob Rudis believes proper training can reduce that number to 5%.

Verizon's research suggests that it takes a mere 82 seconds for a new phishing scheme to capture its first victim.  The numbers come from an analysis of nearly 80,000 security events among thousands of companies.  Furthermore, a 25% success rate among scheme perpetrators means they are fooling 25 out of every 100 employees into opening scam e-mails.  Once opened, perpetrators have all sorts of access to computer data and keystrokes.

The largest companies that employ tens of thousands of people essentially have an incredibly large security hole looming within their walls.  Rudis says the key to closing that security hole is training workers in how to spot phishing e-mails before these are clicked through.  It is not enough for companies to rely on the IT services and security departments to catch every security threat before any of them make it to the individual worker's inbox.

Rudis went on to say that the time difference between ensnaring victims and companies recognising they have been victimised is substantial.  Verizon's research data suggested that at least half of the phishing victims had clicked on the offending e-mails within one hour of receipt; it could take a company days or weeks to detect compromised systems.  In that time, the damage that perpetrators could do is unthinkable.

Training, Training and More Training

In the age of globalisation and cloud computing, it is naïve for a company to operate under the assumption that bad things only happen to the competition, yet far too many companies conduct daily business this way.  They also assume that their workers have the knowledge and experience to recognise phishing scams easily at first sight; however, Verizon's research clearly demonstrates this is not so.

Perpetrators are becoming increasingly sophisticated in the methods they use to gain access to corporate and personal computers; therefore, management and security experts can no longer assume the average worker is capable of spotting potentially unsafe emails.  Workers have to be trained in the tell-tale signs of phishing scams in order to change their thinking.  Something as simple as using the mouse to roll over links prior to clicking can go a long way toward thwarting the attempts of cybercriminals.

Rudis says that better training of employees can, and should, be coupled with security departments continuing to develop hardware and software solutions.  All three together can drastically reduce the ongoing threat of phishing scams.  That said, phishing attempts will not cease as long as there are cybercriminals around to perpetrate them.  The digital age brings with it the ever-persistent threat of cybercrime; a threat that will continue to evolve along with the state of internet and networking technology.




Wednesday, 8 April 2015

Obama Signs Executive Order to Combat Cyber Attacks

US President Barack Obama signed a new executive order on April 1 (2015) designed to strengthen his government's ability to wage war against cyber attackers by way of sanctions.  Critics of the move wasted no time in citing the fact that the order was signed on April Fools' Day.

The order gives the US Attorney General, Secretary of State and Secretary of the Treasury power to impose economic sanctions against those who would launch cyber-attacks in the US.  However, the attacks covered by the order would have to threaten America's national security, economic stability or foreign-policy position.  Obama has promised that the authority granted by the order will not be used to stifle free speech at home or abroad.

In signing the order, Obama said that cyber-attacks are among the most serious threats to America's economic and national security.  The aim is to use the power of the previously-mentioned federal agencies to bring a halt to cyber-attacks by crippling the ability of the attackers to do business.  Enforcement of the order would result in attackers being named, their US assets being seized and a ban on their participation in the US economy put in place.

Obama has gone one step further by allowing the sanctions to be applied to commercial operations and governments alike.  The Chinese were mentioned specifically, due to their reputation for establishing state-owned companies that profit from trade secrets stolen from their Western counterparts.  Obama hopes to shut down such companies by not allowing them to sell goods and services in America.

Questions Abound

As with any Executive Order coming out of the White House, plenty of questions abound as to whether or not this order is enforceable in US or international courts.  The US Constitution explicitly prohibits unlawful search and seizure of private property among citizens and private businesses, so the government would have to prove its case in court in order to justify seizing assets.  However, that may not stop the administration from applying sanctions anyway.

There is also the question of applying the sanctions against an individual data centre that may have been compromised by hackers who use it to launch their attacks.  Will the data centre owner be held liable for criminal activity it has no control over?

Lastly, no amount of reassurances from Mr Obama will convince his detractors that there are no plans to use the executive order to stifle free speech.  In a day and age where social media has turned the internet into a data communications free-for-all, it is far too easy for governments to keep track of what people are saying and doing.  If America's National Security Agency is willing to spy on its citizens by demanding sensitive data from mobile phone companies, what is to stop them from using the new executive order to silence critics?  The president need only declare national security concerns to flex his muscles.



Tuesday, 7 April 2015

Clean Up This Spring

April is here, which means it is official - despite the relentless gale force winds and rain, Spring has officially sprung!  As we begin to draw a thick line under the last quarter, it’s time to start actioning some of our plans for the next.

Time for a tidy up
As we all know, aside from chocolate, Spring is traditionally a time for new beginnings, sweeping away the cobwebs and starting afresh.  The same can be said for your facility:  take a look around - are things up to scratch?

Unless the answer was a resounding yes, it is definitely time to put some plans in place to do something about it.

Why do I need my room clinically cleaned?
Modern day computer equipment is increasingly sensitive to environmental conditions.  In fact, recent studies have shown that 75% of storage and hardware failures are caused by environmental factors.

Concerns include:
· Room temperature
· Humidity
· Carbon dust
· Concrete dust
· Rust

The build-up of dust can threaten to have a major impact on your computer room’s operation and efficiency; an understanding of the causes and effects of possible contaminants in the environment - on the sensitive equipment housed within your facility - is vital for ensuring the continuity of the working practices.

Causes of contamination

1. Gases – chlorine, hydrogen sulphide and sulphur dioxide are all examples of gaseous contaminants that act as reducing agents and, when combined with water, form weak acids that can corrode electronic equipment.

2. Hydrocarbons – these airborne contaminants, such as petroleum, paraffin and lubricating oils, are a result of incomplete combustion of fossil fuels and oxidation of plastics and rubbers.  These substances are highly flammable and can bring about the deterioration of electrical components.  Thankfully, however, these contaminants can be combatted by putting an efficient air filtering system in place.

3. Dust particles – as mentioned above, varying dust particles can exist in your computer room and can be abrasive, corrosive, flammable or absorb moisture.
· Carbon dust – almost unavoidable, carbon dust can occur from exhaust fumes, tobacco smoke or even printer toner, and these contaminants sneak their way into your facility via personnel’s clothing or open doorways.  These particles can be conductive, combustible and act as a reducing agent.
· Construction debris – created during construction, remodelling work and general erosion.  These particles are highly abrasive and can cause damage to equipment through close contact.
· Humans – aside from bringing in external contaminants, humans can leave their own organic fibres behind after entering the computer room.  Shockingly, humans shed 1 million skin cells within just 40 minutes, not to mention the stray fibres coming from clothing or hair loss.  Unfortunately also unavoidable, these fibres clog equipment and pose fire risks.
· Paper dust – created by the movement of paper and packaging within the room.  Highly flammable, the paper dust is attracted to the magnetic field generated by the electronic equipment.

What constitutes clinically clean?
A clinically clean environment can benefit your organisation by increasing your computer room’s reliability, reducing the failure rate and, in turn, generating greater productivity.
In simple terms, making a facility ‘clinically clean’ involves the removal of all the above contaminants from the room environment.  All areas of the room, including the sub-floor, need to be addressed with antistatic foam, lint free cloths and water-free antibacterial cleaning products.

Maintaining the Clean
After an internal audit and ‘deep clean’, a process of on-going preventative cleaning is recommended; however, there are also small things one can do to minimise the contaminants getting back in.  One effortless and cost-effective solution, and often the simpler the better, is to cover each foot that enters the computer room with one-time use disposable shoes.  Fashion forward - perhaps not - but, nevertheless, the disposable shoes are a positive step in the right direction (no pun intended!) in helping to create a dust-free environment.

Guest blog by Ashleigh Soppet, Marketing Manager, www.2bm.co.uk



Thursday, 2 April 2015

Cyber-Attacks Continue: GitHub and BA Latest Victims

With every cyber-attack that makes the news, we are reminded just how vulnerable datacoms are.  The latest round of attacks has targeted a number of big names, including British Airways and software developer site GitHub.  Although the recent attacks hit as many as five organisations, officials do not believe that these are in any way related.  That is of no comfort to those affected.

The BA attack involved limited customer information and rewards accounts.  According to the BBC, one affected customer claimed that his points account was used to book hotel accommodations in Spain while another had his entire balance wiped out through multiple deduction transactions.  Some of the illegitimate transactions occurred two weeks before the attack was identified.

Officials from BA say the attack may have compromised email addresses, phone numbers and passwords; however, they say that most of the illegitimate activity centred on using frequent flyer accounts to access benefits.  BA says that it is not aware of any attempt to obtain credit card information or travel histories.

As for GitHub, the attack they suffered appears to be political rather than monetary.  GitHub is a website used by millions of software developers to share and test their code.  They were hit with a distributed denial of service attack (DDoS) that officials say was the worst in the organisation's history.  An investigation suggested the perpetrators were targeting software developers providing tools that Chinese internet users could use to circumvent government censorship.  Security consultant Alan Woodward told the BBC that China might be responsible for the service interruption.

Of these two attacks, the one launched against GitHub should raise the most concern.  Where thieves targeting BA might be individuals or members of an organised crime network, a government specifically targeting a website and software service it does not approve of has serious ramifications for the future of worldwide networking.  We should be as worried about government interference as we are about infrastructure vulnerabilities.

All Part of the Game

There is no denying that cyber-attacks are a part of the game that we will never be able to eliminate.  Therefore, while each attack reminds us of our vulnerability, those same attacks should be further motivation to develop better protections.  We can confidently say that is exactly what is happening.

We can guarantee that the IT teams at both British Airways and GitHub are already at work to develop strategies to prevent future attacks.  Some of those strategies will involve hardware implementation at the local level while others will relate to security strategies and software deployments.  Nevertheless, rest assured that security specialists will never rest in their ongoing war against cyber-crime.

From the local web hosting company to the enterprise data centre, all must remain diligent to protect sensitive data from those who would attempt to steal it.  Yet we must also remain diligent against those who would seek to silence others whose opinions and ideas they do not agree with; otherwise, cyber security is only half-complete.