Surety Business

Training and educational options for IT security professionals are seeing increasing cross-scheme accreditation between government and private bodies. In addition, the often-competing standards and conflicting terminology are gradually coming together, with the IISP (The Institute for Information Security Professionals) skills framework prominent. SC Magazine spoke to providers and consumers for their views on the current situation...and the way ahead.

When education and training body (ISC)²'s “2013 Global Information Security Workforce Study” asked industry leaders if they were having problems recruiting, of course the answer was ‘yes'. Some 77 percent of government and 66 percent of private industry security execs said they had too few security personnel. And last month (February), a SANS Institute report said that organisations are being “severely hampered” in application security because of skills shortages.

John Colley, managing director for EMEA and co-chair of the European Advisory Board for (ISC)², told SC: “There is significant demand for more people and the projections are staggering. But the Catch 22 is that demand is for experienced people. The newly qualified can't get a job without experience, and can't get experience without a job. We are working with academia to see how we can address the issue.”

Among leading academics addressing the problem is Professor Fred Piper, Information Security Group, Royal Holloway, University of London. He told SC: “There are now 40 to 50 MSc degrees that could claim to be cyber security, and as many that partially cover the topic. But that's not really what's needed to cover the skills shortages. In the private sector there is the CISSP (Certified Information Systems Security Professional) at a lower level - but there is a need for something between the two - and the National Occupation Standards for Information Security is now working with e-Skills UK to come up with something appropriate, aligned to the IISP Information Security Skills Framework.”

A matter of degrees

The IISP is currently setting up an accreditation process for training providers, aligned to its skills framework. In addition, GCHQ is introducing an accreditation scheme for Masters degrees in cyber security and this will also be aligned to the IISP skills framework. Piper notes that many believe that rather than cyber security first degrees, there is a need for students to first get a grounding in their core technology - engineering, computer science or mathematics - and then take up information security. “My personal view is that we will see fewer and fewer cyber security first degrees as computing, engineering and science degrees increase their strategic security components.”

Further, organisations are advised to employ recent graduates on the basis of their potential rather than their experience. This includes how the person approaches their work, their ability to analyse and solve problems, to build relationships, and so on. “If you choose the right people, you can teach them the skills they need and that's the way forward,” says Colley. “Give people with the right potential the right training and they will deliver.”

To resolve the shortage, the (ISC)² suggests two options: Pay more (although the organisation admits that this just results in poaching staff from competitors and is a zero sum game that does not address the overall shortfall), or attract people from elsewhere and train them up in information security.

The latter option is seen as the most viable. “We can train people from within their vertical disciplines of IT, health, etc., if they have the right aptitude,” says Colley.



Is Your Data Safe After the Recent HootSuite Attack?

Users of HootSuite may have noticed service problems yesterday morning.

The problems were the result of a malicious attack by hackers, the company CEO Ryan Holmes says. But he assured users of the site’s free and premium services in an email Thursday that no customer data had been compromised.

“I’m writing today to let you know that the HootSuite Engineering and Security teams are working to mitigate the DOS attack and that there are no inherent security risks to your accounts, nor has any customer data been compromised.”

Holmes says the service interruption was the result of a denial of service (DoS) attack, which began at about 9:45 a.m. EST on Thursday. On HootSource, the official HootSuite company blog, Holmes describes DoS attacks as “common, crude tactics used by hackers to temporarily disable websites.” The attackers flooded HootSuite's servers with requests until the company's systems stopped responding, he explains in his email to users.

HootSuite also posted an update on Twitter just before 1 p.m. on Thursday. On HootSource, Holmes explained:

“While HootSuite users were for a short time unable to access the dashboard, service has now been restored, and no customer data was compromised. Only Web traffic to the dashboard and mobile APIs was affected.”

Also, if you had already scheduled posts ahead of time, the attack did not impact them. Holmes said the company is working to learn the source of the attack in order to block re-occurrences.

HootSuite is one of the best known social media manager tools available. It allows you to manage and view your numerous social media feeds all from a single, Web-based dashboard. The service allows you to schedule messages to be sent to your different feeds at the same time. It even works with RSS feeds from your company Website or blog. So when the website is updated, new messages are automatically sent to your social media pages.




Effective Tips to Improve Your Post-Sale Customer Experience

“I will only focus on getting the sale.”

If this is what you think will drive your eCommerce business, you're on the wrong track. Bringing customers back should be your ultimate goal, and engaging customers after the sale is an important part of inbound marketing. Increasing customer retention by just 5% can raise profits by 25% and by as much as 95%, according to Harvard Business School.

Why is Post Purchase Customer Engagement so Important?

According to Marketing Metrics, the probability of selling to an existing customer is around 60 to 70%, while the probability of selling to a new customer is only 5 to 20%. Customer retention is therefore sound economics across the whole business: it is more cost-effective to re-market your products to existing customers than to convert new ones. Existing customers have already shown interest in your products and have engaged with your brand for a prolonged period. The rule of thumb is that acquiring a new customer costs five times more than retaining an existing one.

As your customers are deeply engaged with your brand, you are building your brand’s loyalty among them. This is the path to build a fan base that brings in new customers. A customer’s lifetime value is important for measuring your business success and it is important to optimize customer retention to increase the lifetime value of your customers.

Build Trust in Your Contact Page

Your customers always do a little bit of homework before they connect with you. So how do you create trust and make them come back to your site?

  • Evaluate the information you have asked for on your contact page. If you are not getting enough information, you can try to collect it later in the process.
  • To reduce confusion and invalid input errors set each field’s expectation very clearly.
  • Don’t pressure your customers for information. For instance, making irrelevant fields mandatory or forcefully asking your customers for their birth date will create discomfort.
  • Customers should know what will be done with their information and why they are being asked for it. Assure your customers that their email address will not be added to any marketing lists or shared with any other advertising partners.

Motivate Your Customers to Create an Account

Often, customers are forced to create an account during the checkout process. Don't make it so difficult. Instead, offer a guest checkout option. Make it easy by asking for less information in the form fields. Don't ask them repetitive questions like name, address or email because you already gather these during the actual purchase process. And if you want them to create an account, you have to help them understand the benefits of actually having one.

Request that they sign up for your newsletter. But before you ask them to do so, explain the advantages of receiving your newsletter, such as product discounts, coupons, incentives and new product updates. Then time your newsletter according to the lifespan of your product.

Use Strategic Post Purchase Surveys:

  • As you let your customers know that their products have been shipped and the purchase was successful, give them an option to say something about your products as well in the form of a testimonial or review. Those can then be used to engage customers and increase leads.
  • Ask customers to complete a quick survey about their experience. This gives you valuable feedback on ways you can improve customer service.
  • Send email notifications with a link to let them know their reviews have been posted and show them where.
  • Use the cross sell strategy and let customers know that you appreciate their purchase and are looking for other ways to help them.
  • Send a special offer or incentive to those who have recently purchased from you and inspire them to come back.
  • Start sending purchase anniversary emails that acknowledge your customers in a special way.

Design for Mobile Users

With evolving mobile audiences, designing for a mobile experience can make your contact form easier to use. Eliminate irrelevant input fields and do not make each field too painful to fill in from a mobile phone.

If you have a mobile app and send SMS alerts, encourage customers to download the app and sign up for the alerts to deepen your relationship. Utilize the benefits of behavioral targeting technologies to enhance the value and relevance of your messages. Use persuasive words like free, sale or discount to entice your customers to buy more.

Improve Your Thank You Page

Don’t forget to say “Thank you” to your customers on the first page your visitors see once they have completed their purchase. A thank you page is an ideal place to show your appreciation.

Continuous post-sale customer support plays a major role in retaining your customer. Conversion rate optimization is not just about getting customers. Use effective ways to deliver the best experience to your customers - after their purchase and well beyond it.




SC Congress London: Met Police admits cybercrime mistakes

Mark Jackson, detective superintendent of the recently-established Met Police Cyber Crime Unit, has admitted that London's police are only just finding out how to tackle cyber-crime.

LONDON, UK - Speaking to Illena Armstrong, VP Editorial at SC Magazine, Jackson presented an honest assessment of the unit's ability to handle online fraud and cyber-crime and revealed how the new National Crime Agency (and the body underneath it - the National Cyber Crime Unit) is impacting on the policing of cyber crime.

Jackson described how he has seen a massive change in the way that cyber-crime influences police work. As a police investigator with 30 years' experience in dealing with drugs traffickers, murderers, kidnappers and other conventional criminals, he says that he has been on a steep learning curve making the switch to covering fraud and cyber crime.

“To say that cyber has been a big change for law enforcement would be an understatement,” he commented, during his SC Congress London keynote.

Indeed, when Jackson started investigating cyber-crime last year, he says that he encountered some police attitudes that seemed to suggest cyber-crime really wasn't that important.

“The clock ticked on over the last 12 months and I must say that we've been naive to say that no-one would be interested, or ask any difficult questions,” said Jackson.

And yet cyber-crime has quickly become a big issue. In his presentation, Jackson noted that fraud and cyber-crime had cost the UK economy £81 billion in 2013, up from £27 billion according to government figures from 2011, and that fraud and cyber offences recorded under HOCR (Home Office Counting Rules) had risen 60 percent between April and September of last year.

“Online is the high street that hasn't been policed,” he continued. “Law and legislation hasn't caught up with this type of crime. Why go into the bank with a shotgun when [criminals] can do it online from home. If they're really unlucky and get caught, they go to prison for a short amount of time.”

He added that reporting cyber-crime was a “whole different process” and that the victims of cyber-crime were not treated like the victims of physical crime. Whereas a stolen bicycle would be investigated, often nothing happened after a cyber-crime was reported. There was also no way to report crime in bulk: a bank was not going to file 3,000 separate reports for each fraud in a single attack. Jackson also pointed to the global nature of cyber-crime, which respects “no international boundaries”. Tackling cross-border cyber-crime investigations was also raised as a difficulty at two other panels at SC Congress London, as well as at the International Forum on Cybersecurity in Lille, France in January, by NCCU deputy director Andy Archibald.

Cyber-crime takes priority, but skills gap remains

Jackson said that his group - which replaced the Police Central e-Crime Unit (PCeU) in November - is beginning to recognise that fraud and cyber have a ‘massive impact' on crime, and frankly admitted that it was once a low priority, sitting outside the MOPAC7 priority offences. According to a Metropolitan Police document from April 2013, MOPAC7 crimes include burglary, robbery, violence with injury, theft of a motor vehicle and criminal damage.

However, things have started to gather pace in recent times with the National Crime Agency coming into effect on October 1 and the National Cyber Crime Unit sitting within it. The Met Police cyber head admitted that there are still discussions to be had on logistics and how these groups communicate with each other, but said that a bigger concern is recruiting - and retaining - cyber security experts within the police.

[Scotland Yard has been making a big play with cyber-crime and announced last November that it was to quadruple the number of officers tackling such crimes in the city.]

Jackson said that this was a common problem in the public sector - where money and benefits are weaker than in the private sector - but said that it could also prove tricky considering that some highly-technical staff were moving across to the NCA, “leaving a void” in the police departments that they leave.

Training replacements is also difficult. “We're still trying to train our people like it's 1987, so we need to look at how we train our people,” said Jackson, who added that he needed people with “multidisciplinary tech skills and a detective's investigative mentality”.

Met to introduce cyber security centre

But Jackson said that the unit - which started in October with 32 staff but which could rise to as many as 500 in future - is improving by focusing on, amongst other things, the deployment of malware, phishing scams, network intrusions and DDoS attacks. Its mission is helped by Sir Bernard Hogan-Howe, Commissioner of Police of the Metropolis, who ‘gets it' and who is looking to introduce the first fraud and cyber centre in London.

“The Met will do that,” said Jackson. “So we have a plan, it's a starting point, a significant step forward.”

“This is real police work, as I keep telling my colleagues. Ultimately it's about bad people making money,” he concluded, commenting that just this week cyber criminals involved in a bank fraud had been arrested.

In response to the news, Adrian Culley, global consultant at Damballa and a former Met Police Computer Crime Unit detective, told SCMagazineUK.com that Jackson's comments were proof that the policing model is outdated and not equipped for the cyber era.

“His concerns highlight that the 1827 policing model defined by the then Home Secretary, Sir Robert Peel, which has served us admirably for 187 years, is now seriously struggling to provide the policing that Digital Society and the Digital Economy now requires,” he said via email.

“It should be of no surprise to anyone, but it seems to many in power, that a model which envisaged police handling the physical, tangible world of the early 19th century is now struggling. There is also a paradox here, best voiced as ‘training our staff is expensive, and then they leave' - ‘really, you should see the cost of not training them.'”

“Police units around the world are struggling with these same issues, and some pause for thought and deeper thinking is required from both the police and society.”



All Android devices believed hit by security flaw

A new class of security vulnerability that is "highly suspected" to affect all of the almost one billion Android devices in existence has been discovered by a research team from Indiana University and Microsoft.

The so-called ‘Pileup' flaw lurks inside the Android Package Management Service (PMS) which handles the many updates to the Android operating system. It allows malware installed on an Android device to grab new privileges whenever an update occurs and steal the user's sensitive data.

Criminals could insert JavaScript code to hijack the user's credentials, access their voicemails and call logs, send an SMS, change their security configuration, and start any activity regardless of permission protection.

“The Pileup vulnerabilities are critical, highly pervasive and also fundamental,” say the research team.

The opportunity to exploit the flaw is also significant, they say, as there have been 19 official Android version updates since September 2008 - one every three months - while phone providers create versions for multiple carriers and countries, with Samsung so far releasing more than 10,000 different Android versions worldwide.

The researchers say they “highly suspect that all Android devices are vulnerable to our attacks”, adding: “We systematically confirmed the presence of those security flaws on all Android official versions and all 3,522 source code versions customised by Samsung, LG and HTC across the world that we inspected. Our research also identified hundreds of exploit opportunities the adversary can leverage over thousands of devices across different device manufacturers, carriers and countries. The consequences of the attacks are dire.”
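The upgrade-time privilege grab described above, modelled as an added example in Python (this is not code from the paper, from Android or from Google). The model encodes one assumption about how an installer can go wrong: a manifest may name a permission the installed OS version does not yet define; the installer silently ignores that name instead of rejecting the package; and an OS upgrade then re-evaluates every package's requested permissions against the new version's table. The OS version numbers, permission names and package name are all constructed.

```python
"""Model of an upgrade-time permission grant: vulnerable path beside a hardened one.
Added example; OS versions, permission names and the package are constructed."""
from dataclasses import dataclass, field

# Constructed permission tables for two hypothetical OS versions.  The newer
# version introduces a permission the older one never defined.
OS_PERMISSIONS = {
    "4.0": {"INTERNET", "READ_CONTACTS"},
    "4.1": {"INTERNET", "READ_CONTACTS", "READ_CALL_LOG"},   # READ_CALL_LOG is new
}


@dataclass
class Package:
    name: str
    requested: set                                  # names listed in the manifest
    granted: set = field(default_factory=set)       # what the OS currently allows
    user_approved: set = field(default_factory=set)  # what the user saw and accepted


def install(pkg: Package, os_version: str) -> None:
    """Install-time grant: the user is shown, and approves, only the requested
    names the running OS defines; unknown names are ignored, not rejected."""
    known = OS_PERMISSIONS[os_version]
    pkg.user_approved = {p for p in pkg.requested if p in known}
    pkg.granted = set(pkg.user_approved)


def upgrade_vulnerable(pkg: Package, new_version: str) -> set:
    """Vulnerable upgrade path: re-grant every requested name the new OS
    defines.  A name that did not exist at install time, and so was never
    shown to the user, is granted silently here."""
    known = OS_PERMISSIONS[new_version]
    pkg.granted = {p for p in pkg.requested if p in known}
    return pkg.granted


def upgrade_hardened(pkg: Package, new_version: str) -> set:
    """Hardened upgrade path (one possible mitigation, not Google's fix):
    carry forward only what the user approved; anything newly defined stays
    ungranted until the user consents again."""
    known = OS_PERMISSIONS[new_version]
    pkg.granted = {p for p in pkg.user_approved if p in known}
    return pkg.granted


def harvested(pkg: Package) -> set:
    """Post-upgrade audit: permissions held that the user never approved."""
    return pkg.granted - pkg.user_approved


def demo(upgrade) -> set:
    """Install a constructed package on 4.0, upgrade to 4.1 with the given
    path, and report what it gained without consent."""
    mal = Package("com.example.harvest", {"INTERNET", "READ_CALL_LOG"})
    install(mal, "4.0")          # user sees and approves INTERNET only
    upgrade(mal, "4.1")
    return harvested(mal)


if __name__ == "__main__":
    print("vulnerable path harvested:", demo(upgrade_vulnerable))  # {'READ_CALL_LOG'}
    print("hardened path harvested:  ", demo(upgrade_hardened))    # set()
```

The `harvested()` check is the kind of post-upgrade audit a device-management team could run against its own permission inventory: diff what each package holds after an OS update against what was approved before it.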

Security expert Josh Cannell, malware intelligence analyst at Malwarebytes, agreed that “this threat is important because it could allow malware that's pre-installed on a device to acquire new privileges via a system upgrade”. He told SCMagazineUK.com via email: “Obviously this is a big issue, as you don't expect, nor desire, malware to be ‘upgraded' when you're only wanting to update the OS.”

Tim Holman, president of the information security professionals association ISSA-UK, also highlighted the scale of Android problems. He told SCMagazineUK.com via email: “A big challenge for Android security researchers is keeping up with the number of custom operating systems available (there are more than 3,000 Android variants) and the number of apps available (there are now more than a million). From a hacker's perspective it's easy to drop some malware through the net, as professional security researchers simply do not have the time and resource to assess each and every permutation for vulnerabilities.”

As for security professionals, Holman said, the way most Android users install apps automatically “is a complete nightmare when employees decide to bring their own devices to work. Only a locked-down build, using known secure operating systems and applications is suitable for a commercial environment. This goes for all mobile devices, and unfortunately Android rarely fits the bill due to what users have done with it at home.”

He added: “My modus operandi is that Android devices are already compromised and I'm standing in hostile territory, unless I've built them myself!”

Josh Cannell added: “While the open and customised nature of Android is great for enthusiasts, it can sometimes be a double-edged sword. Custom ROMs (new Android versions) are great, but can they always be trusted? Make sure you do your homework before you consider using one, as it may have malicious apps with it. Also, most custom ROMs, if not all, will require users to root their phones, and if not done properly, this could leave a phone ‘bricked'.” Users should also install mobile anti-malware software, he said.

The Indiana University/Microsoft research team have reported their findings to key Android-device vendors such as Google, and are helping them fix the issues. They have also developed their own Pileup detection service, called SecUP.

The researchers added that the “Google security team informed us that they came up with a fix for the permission bug and released it to their partners”. Google is also working on solutions for the other bugs.

The research paper, ‘Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating', was written by Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang of Indiana University Bloomington and Rui Wang of Microsoft.

Another Android flaw

Meanwhile, Trend Micro has revealed another Android security flaw in the system that controls the data that apps can access. In a 20 March blog, Trend Micro mobile threats analyst Weichao Sun said malicious software that is already installed on an Android device could hijack the ‘permissions' granted to any legitimate apps installed after it - enabling the malware to access the supposedly protected data within the legitimate app.

Trend says it has found almost 10,000 apps at risk of this vulnerability and while refusing to name names, said these include “a popular online store leaks its online browsing history, a popular chat app leaks the user's in-app purchases, and a popular social network can have fake messages inserted via its app”.

Trend has informed Google of the problem, and Weichao Sun warned: “Developers should not rely exclusively on the protection levels when their activities/receivers/services/providers are accessed. Several functions such as getCallingUid and getCallingPackage are provided by the operating system, and can be used to identify any apps requesting the above and implement access control as needed.”



SC Congress London: Bottom-up security awareness has C-level benefits

A stellar panel of infosec experts told a packed audience at SC Congress London on Thursday that security awareness can play an integral role in educating the C-suite on threats coming from inside and outside the company.

LONDON, UK - The panel, entitled “Inside, outside, upside-down: Staying ahead of the threat” comprised Brian Brackenborough, CISO of Channel 4, Frank Florentine, director of LilyCo, and Daniel Schatz, director of information security threat and vulnerability management at Thomson Reuters. It drew a heated debate, not least on insider threats.

Florentine said that insider threats, which have been in the public consciousness since the first of Edward Snowden's revelations on the NSA and GCHQ last year, are front of mind for most businesses, and he cited one example where a technical employee (at an unnamed organisation) siphoned £800,000 (US $1.35 million) of revenue in just eight months.

“Insider threats, I think, are actually one of the biggest problems,” said Florentine. “At the end of the day you have to trust somebody - but it's trust AND verify.”

Communicate with C-level

Security awareness training was also front of mind at the conference in Earl's Court, which is perhaps not surprising considering recent events. Gartner's IAM summit this week also saw analysts urge companies to trust employees, while a Trustwave study found that six in ten FTSE companies now mention cyber security in their annual reports - further evidence of growing awareness.

However, this increased knowledge doesn't always translate to the board level, as a Thomson Reuters Governance study late last year indicated - revealing at the time that most boards lack security nous.

Accordingly, Schatz said that IT departments should take board suggestions on information security risks with a pinch of salt: “Don't get totally stuck by what the executive team is saying in terms of threats.”

Brackenborough, CISO at Channel 4 and formerly of the BBC, said that companies shouldn't be too afraid to collaborate with competitors in the same field - with a specialist forum set up for cooperation in his own industry.

Saying that Channel 4 has often collaborated with other media companies on issues relating to, for example, on-demand services like ITV Player, BBC iPlayer and Demand 5 - which share the same technologies, he said that there's the benefit to “picking up the phone and having a working relationship.”

Media coverage can be beneficial

One member of the audience, a senior IT manager at the NHS, questioned the Channel 4 exec on whether the media is having a detrimental effect on security in the event of a data breach, with it also raising the likelihood of users leaking data to outside, unauthorised sources.

But Brackenborough, while acknowledging that this can sometimes be an issue, said that media coverage can actually get the C-suite interested in protecting their own personal devices, and then their workers' too.

“The media publicising the issue is quite good; it suddenly hits home and the executive board know that it could happen to us. They ask ‘are we really at risk?' That's the point you can have that conversation and get executive support,” said Brackenborough.

Schatz agreed, adding that media coverage - as well as talking with employees - can “help improve the understanding of cyber security.”

But Brackenborough warned that this bottom-up security awareness training, while beneficial, can only work if the IT workers themselves understand the real business needs.

“The biggest thing for me is facilitating security as a business enabler - there's no point if I don't understand what they need,” he said.



Flying drone steals smartphone contents

British researchers have tested their invention, the Snoopy drone, over the skies of London.

Two British security researchers, Glenn Wilkinson and Daniel Cuthbert of SensePost, have built a flying drone - called Snoopy - that can steal the data from anyone below who is using a mobile device connected to an open WiFi network.

Snoopy can be hidden inside someone's pocket on the ground or, in its latest test, installed on-board a drone that flew over London and captured data from around 150 mobile devices in less than an hour. The invention highlights once more the danger of using WiFi hotspots.

Snoopy is a compact tracking, profiling and data-capture device that targets mobiles and the people who own them. SensePost first announced it in 2012 with a proof of concept and have been developing it since then.

Glenn Wilkinson, a security researcher with independent security consultancy SensePost, explained: “Snoopy can run on small computers - Raspberry Pi or BeagleBone - certain smartphones (Nokia N900) or laptops. It's designed to collect information from devices that people carry - smartphones, tablets, Google Glass, even NFC cards and RFID tags - and sync that data back to a server where it can be explored.”

Snoopy works by imitating any free WiFi network that the victim has connected to in the past and then intercepting all the data they send and receive. It can also be used to infect the user's device, either by injecting malicious web traffic or by firing exploits at the device from the Snoopy server.

Numerous drones can be deployed over a wide area, with each device uploading its data to a central server. And Wilkinson said that taking Snoopy airborne was “not just stunt hacking”.

He told SCMagazineUK.com via email: “There are several benefits - data collection from a height beyond audible/visual range, very quick collection over a large area, ability to bypass physical security - walls, men with guns, etc - and autonomous searching for known devices.”

Daniel Cuthbert, who is COO at SensePost, described the “completely illegal” part of Snoopy, telling us: “If a network is an open network - and generally most people connect to open free WiFi hotspots - the Snoopy drone pretends to be that network. It connects up and we give you internet access routed through our servers and that's when the full-on interception happens. Everything that's going over your phone to the internet will be routed by our servers.”

Cuthbert gave the example of hijacking Yahoo email. “Yahoo has a terrible security record. This is one of the big internet giants and it still doesn't do enough to make us secure. If you've got personal information coming into your Yahoo account, someone can gain access to it with some drones. It's a waiting game - what information will you get emailed eventually? Could there be credit card information, could there be passwords, or other financial parts of your life? Once you know the username and password to the Yahoo account it's yours.”

WiFi dangers

The drone's development has emphasised the vulnerability of open WiFi hotspots in particular. Wilkinson told us: “The best results we have had so far are around WiFi because of inherent weaknesses in the way WiFi works, and the verbosity of the information that is sent out. The techniques we use aren't new, but the manner in which they are deployed is novel.”

Laura Aylward, senior consultant at Context Information Security, underlined the problems revealed by the device. She told SCMagazineUK.com via email: “There is always a risk that sensitive data is made available from mobile devices over a WiFi network. The use of a drone is just a rather dramatic way of highlighting the risk when users connect to untrusted access points.”

She advised: “It is possible to reduce the amount of sensitive data sent from the phone by ensuring that personal information is only entered into secure sites and enabling SSL for applications where possible. Organisations can also enforce VPNs to further protect sensitive data from mobile devices.”

Cuthbert warned: “In a normal secure environment, the company has an IT security department and there's policies that enforce the security of the device, so you can't just install any software on your mandated Windows operating system or whatever. The problem with the smartphone is that there is no such thing, so if you walk in with a phone that has got a malicious application installed and you connect to your company's internal WiFi network, you've just walked in with a Trojan device.

“I'm still not convinced on Bring Your Own Device - you're effectively taking the old secure network model and breaking it and allowing anyone to come into it. People need to be aware that these free WiFi networks often come with a big risk.”

Wilkinson and Cuthbert are demonstrating Snoopy at the Black Hat Asia cyber security conference in Singapore on 25-28 March.

In a previous test by SensePost in 2012, four people sat unnoticed in different London underground stations with Snoopy drones running for two hours, while Wilkinson sat at King's Cross station for 13 hours collecting data.

Picture: Glenn Wilkinson with Snoopy attached to a flying drone



Gene Marks: The Fate of Bitcoin Is In The Hands of Jeff Bezos

There’s a great deal of talk around the bitcoin virtual currency - both good and bad talk. Gene Marks, a small business expert and writer for outlets like Inc., Forbes, the New York Times and others, recently wrote about the one person he felt could “legitimize” bitcoin into the mainstream.

I caught up with Gene to get his take on the current state of bitcoin, why it’s getting so much attention, and why he feels Jeff Bezos is the one who could bring it to the masses. Below is an edited transcript of our conversation. To hear the full conversation, click on the audio player below the transcript.

* * * * *

Small Business Trends: Can you tell us a bit about your background?

Gene Marks: I run a 10-person technology firm. My firm sells 5 CRM applications and we provide all of the services around it. We are based outside of Philadelphia and have 600 clients that we serve.

I do a lot of writing. I write every day for the New York Times and once a week for Inc. and Forbes, Entrepreneur.com, Fox Business, The Huffington Post, and Philadelphia Magazine. I get up early, I do my writing early and then I go run my business. I write about small business management, technology and topics like that.

Small Business Trends: Can you explain a little bit about what bitcoin actually is?

Gene Marks: It is a virtual currency. It is something that you and I could actually create out of thin air if we so choose and if we are smart enough to go through a very complex mathematical algorithm that people can answer and create for themselves.

Bitcoins are created every day and they have value. They are used, exchanged and traded and now more and more are being used to purchase products from some pretty well-known websites. But the thing about bitcoin is that it’s a virtual currency. So, whether you create your own bitcoins, and believe me, it’s not easy to do, or you buy bitcoins with actual dollars and store them in a virtual savings account, you can then use them to buy things.

Bitcoins themselves dramatically have changed in value. They go up and they go down because they are unregulated and un-taxed and a lot of governments are keeping very close eyes on them. They are quite controversial as to whether or not they are something that can really be abused. That’s what a bitcoin is and it has grown significantly in popularity over the past year or two.

Small Business Trends: There are some really hardcore guys around bitcoin. They are rabid about it. It’s a relatively small community but these folks are really the true believers. What do you think it will take in order for it to go from the true believers to main street?

Gene Marks: What I wrote about in Forbes encompasses that. I believe there is one guy in the world that could legitimize bitcoin and that guy is Jeff Bezos from Amazon.

This is a virtual currency. It’s only used online and used to buy online products. Although some retailers online, most notably Overstock, are now accepting bitcoins, the world’s largest online retailer, Amazon is not doing that right now. And believe me, Jeff Bezos, the CEO of Amazon knows all about bitcoin and he knows with him blessing it, that itself would really legitimize it.

But that hasn’t happened yet. You’re the expert on Amazon, Brent, I know you are writing a book on them. Do you think that a guy like Jeff Bezos would ever want to get into this controversy?

Small Business Trends: I’m interested in why he hasn’t jumped on it yet. Because he is not averse to trying new things. Why do you think that he hasn’t done that?

Gene Marks: I don’t know Jeff Bezos as well as you do. I know you’ve researched the company and you write about the company. Right now, he’s trying to create his own market with Amazon’s own virtual currency which right now has only limited value: You can only use it to buy Amazon stuff. He’s getting his feet wet with that.

I guess his original plan is to try to expand that and make money from that. He might be very concerned with the volatility of bitcoin and whether or not he even wants to recognize it as a stable type of currency to trade. Think about it, if you and I buy a book from Amazon for 10 bitcoins, for example, and Amazon accepts those payments, what happens tomorrow if the currency falls out and 10 bitcoins to him are worth nothing?

Maybe he’s got other things to worry about right now and other risks that he wants to take. And one of the risks he does not feel like taking is a currency risk on a value of products that he’s selling?

Small Business Trends: From my perspective, it seems like what he’s trying to do is break down the barriers and make it easier for the masses to jump on board with what Amazon is doing. Maybe bitcoin is not something that regular consumers are even remotely ready for at this point. It’s fascinating to think about. How difficult would it be to overcome the bankruptcy with Mt. Gox? Is there any other way you can see bitcoin hitting the mainstream if Bezos doesn’t jump on board?

Gene Marks: There are some very well-known and well-respected supporters of bitcoin. Even Ben Bernanke, the former Fed chairman, has not dismissed the idea of bitcoin and virtual currencies in general. Marc Andreessen, a very well-known venture capitalist, has said bitcoin and other virtual currencies like it are now a part of the future.

The more people with great reputations get behind it, and the more sites that start getting behind it, it’s possible that it could happen without Amazon getting involved. But I still think Bitcoin is not going to be a reality until Amazon steps out and says, ‘We are going to accept this as currency.’

We know when he made that announcement about packages being delivered by drones. Wasn’t it Cyber Monday when he made that announcement?

Small Business Trends: It was on 60 Minutes and it was on Cyber Monday. Charlie Rose interviewed a segment with Amazon, and when they broke out the drones - Twitter went crazy.

Gene Marks: He’s a genius for thinking of that and he’s still standing by drones being a reality in the next four to five years. I think they said he’s a very good P.R. and marketing person, and knows exactly how he can get the most publicity for Amazon.com.

Bitcoin itself has been receiving so much media attention, that it might be enticing for him to jump on it, just for the attention it would get for Amazon. But it’s interesting to see what he’s going to do.

Small Business Trends: So is Bitcoin something that small businesses are going to have to pay more attention to in the next couple years?

Gene Marks: I think it will, and I’ll tell you the reason why: It’s cheaper and it’s easier. There are no transaction fees with Bitcoin. So small businesses that you and I walk into - restaurants and delis, etc. - they only have cash, and you only have credit cards. We have to pay the transaction fees. People that are buying stuff online and using a card, they’re paying fees. Bitcoin doesn’t have that, so the transaction is easier and there’s no cost. That’s a pretty big enticement.

Small Business Trends: I had the chance to speak to the gentleman that designed Amazon’s first website. I asked him, ‘In the early days, what were you guys focused on?’ He said, ‘We weren’t focused on selling books. We were focused on giving people the trust that they could order online and get their book, and not have to worry about their credit card information being insecure.’

So they were there at the beginning of eCommerce. It would be interesting to see what sort of influence they would have on bitcoin if they jumped in. Until then, I guess we’ll just have to be looking out our windows looking for drones. 

Where can people find out more about what you are up to?

Gene Marks: MarksGroup.net is the best place.

This interview on the fate of bitcoins is part of the One on One interview series with thought-provoking entrepreneurs, authors and experts in business today. This transcript has been edited for publication. To hear audio of the full interview, click on the player above. 



Internet of Things - Top Ten concerns

Mark O'Neill suggests that his top ten potential vulnerabilities of the Internet of Things (IoT) need to be considered now, before mass deployment.

The Internet of Things (IoT) promises to open up new ways of doing business and communicating, from smart meters tracking electricity usage to fitness tracking wristbands, and the “connected car”.  But with IoT it's two way communication as devices transmit and receive data. This data is often private and users may not even be aware that it is being generated and transmitted. So what solutions can you put in place to mitigate the risks?

1. Protocol Proliferation

The web was built on a relatively simple core of HTTP, HTML and Request/Response protocols, which enable security architects to deploy security services across their web applications through one protocol. But IoT protocols include CoAP, XMPP, AMQP and MQTT, so security architects now often have to span several protocols rather than relying purely on web-based solutions.

2. Initiation

Connected objects are initiating action, so a fitness tracking wristband can connect straight to a cloud service for fitness analysis. The old Request/Response model cannot be relied upon for all message exchange patterns, with other protocols forming part of the mix. Each of these protocols has its own specific message-exchange patterns, such as publish/subscribe, request only and request/callback, in addition to the usual request/response pattern. The security architect must map security protocols onto these communication protocols and their respective message-exchange patterns.

3. Access Keys

Securing keys is fundamental to IoT security or devices will be left open to attack. Keys on connected devices can be subject to tampering while key storage on the server side introduces distribution and availability challenges. It's impossible to predict all of the different communication protocols IoT implementations will require, but they will definitely need to solve: authentication, integrity and in some cases confidentiality issues.

4. Naming

Identifying human users is reasonably accurate using Active Directory, LDAP and application user databases, but the equivalent for all objects doesn't exist, so we're still not able to consistently identify objects. But every program must answer the question: who has access to do what? Name directories that enable assigning and managing an object's rights, roles and groups in a “thingfrastructure” are central to addressing questions around IoT access control.

5. Constrained Devices

Deployments are often limited by the level of device processing power. Scalability includes being able to scale back, which is just as important as scaling up, and can be just as problematic. IoT system designers cannot architect based on an assumption of the same level of processing power, storage or bandwidth characteristics as an enterprise-class network, so IoT security protocols have to negotiate across a resource-constrained environment. Consider sensors in cars, or small wearable devices; these do not have high processing power, but by using a gateway, high-performance security layers can be deployed remotely.

6. Time Services

Many IoT applications can't apply the time-based security protocols they rely upon, yet authentication protocols use time as a primary defence mechanism. Devices cope with threats by limiting retries, e.g. of a password or PIN, and a lack of time services puts the device at a disadvantage. Logging systems report who did what, and when, but without access to time services they may fall back on alternative ways to identify events, such as incrementing an event ID counter. This approach can also report on sequences.

7. Usability

In the IoT, subjects are usually things so reverse engineering is a threat. Devices can be disassembled to understand their behaviour and exploit them. An API management gateway can help by acting as an intermediary; clients see the gateway as the service itself, and the gateway can perform security duties that the client is unable to perform.

8. Patching

There will be vulnerabilities so it's essential that patching is addressed. Without a human to install patches, a new approach is needed, whether through pushing updates or virtual patching. A gateway architecture can help, by initiating the download allowing “virtual patches” to be applied in front of the IoT device.

9. Stunt Hacking

The IoT will have to deal with hacks carried out for money or for the intellectual challenge, but as applications with economic utility are increasingly deployed (such as smart grid or NFC payments), they will attract interest and need to be prepared for accordingly. Gateway layers can be employed to deliver protective measures against attack.

10. Ugly Failure Modes

When IoT apps fail, so do real-world things, like your power, your supply chain, your fleet tracking capability, and so on - and retry and restart functions may be difficult or impossible to implement. Hence it's critical that developers clearly understand and anticipate the state of the system at the end of the failure mode - that is, the actual impact on the “thing” and the people who rely on it.

IoT is beginning to emerge as a reality, bringing numerous new security challenges which can and must be mitigated if the IoT is to deliver on its promise of networked objects. The “thingfrastructure” that enables IoT must be deployed using Gateways that enable enterprises to layer-on the necessary security.

Contributed by Mark O'Neill, vice president of innovation, Axway



SC Congress London: BYOD issues remain in post-Blackberry era

Bring Your Own Device is making waves in business, but concerns remain on how employees use personal smartphones and tablets, how they're managed and the laws to which companies must adhere.

LONDON, UK - BYOD elicits a mixed response from those in the information security industry - notable recent examples include security expert Natalya Kaspersky dubbing it an ‘unregulated mess' and a study from Forrester revealing that IT departments are struggling to manage the deluge of devices now accessing corporate networks.

Experts speaking at the SC Congress London on Thursday weighed in on what's needed to manage these devices, given that Blackberry's influence on enterprise mobility has declined drastically, to be replaced by more consumer-oriented devices.

During a panel on Mobile Security, moderated by SC Magazine UK editor-in-chief Tony Morbin and comprising DMI CISO Rick Doten, Norton Rose Fulbright global CISO Paul Swarbrick and Morrison & Foerster UK LLP partner Ann Bevitt, it was suggested that the key to BYOD is establishing policy around what data you need to secure, and to what extent.

“Protection is all based on priority, but it should be on what's the risk [to business] on a day-to-day basis,” said Doten, who added that MDM (Mobile Device Management) should only be a ‘foundation' to securing personally-owned devices.

“Think about confidential data, sales data and the different kind of risks. Understand the business, what the different parts of the business do and then apply controls and develop policies to an appropriate level.”

Technology moves on from BlackBerry

But part of the problem with enterprise management mobility is that BlackBerry is no longer the solitary mobile in the workplace, and that emerging consumer smartphones and tablets have similar functionality to modern-day PCs.

“We live in a post-Blackberry world. BBM gave us a lot of great security,” he said noting features like encryption of data-at-rest and data-in-transit. “We don't have the same [security] switches today [on mobile devices]”.

“64-bit iPhones are just as powerful as PCs. We need to consider risk the same way.” Swarbrick agreed, adding: “Technology changes but the problems remain the same. I come across people moving old working practices onto new devices.”

Enterprise doesn't understand legal obligations

Another issue that has risen to prominence more recently, says privacy lawyer Ann Bevitt, is that companies are still struggling to understand that the same legal obligations apply to data breaches, whether by corporate or personal devices.

“What we're finding in this area is that there can be two very big liabilities,” said Bevitt, noting employees and data. “If you have an employee using their own device, the company is still the controller of the data…All data protection legislation and responsibilities still apply. You have to bear in mind the legal liabilities.”

Bevitt added that the recent ICO guidance on personal devices and what employees should be doing is a good thing, but urged companies to introduce policies to mitigate the risk. “It goes back to knowing business and where the risks are.” While good practice may mitigate liability to some extent, ultimately, the enterprise remains legally liable even if the breach was due to poor user practice with their mobile.



Err, Sales Are Up And Business Is…Good?


Sometimes when I’m drawing a cartoon, it sparks an idea for another cartoon.

For example, I was starting to ink another sales graph cartoon and drew a few swirly lines to test out my pen tip before digging in when this little spiral got me thinking.

I drew an arrow on the end and a rectangle around it, and this cartoon idea arrived pretty much fully formed.

It actually took me more time to get the pupils in the eyes of the workers positioned just right than it did to conceive this whole scene.

Totally… worth… it.



There’s a Secret Weapon for Better Networking on Google Hangouts

If you use Google Hangouts to connect with others in your circles on Google Plus, it’s possible you’re getting only a fraction of the benefit you should be.

Social networking trainer Andy Nathan shares a secret weapon that lets you use the networking potential of Google Plus in ways you probably haven’t thought about.

The secret weapon is called the Google Hangouts On Air Community. It is a group on Google Plus of about 8,000 members who are constantly posting new upcoming hangouts. The hangouts are on a variety of topics. Some of these will doubtless be in your industry.

Nathan suggests two main ways to use this community for your benefit. First, use it to find upcoming Hangouts you can attend. Information given in these hangouts can be great. But the opportunity to engage on screen with others in your market or leaders in your industry can be even more important.

Try to get there early, Nathan advises, since the first people in a Hangout are more likely to get an opportunity to participate onscreen.

In a recent post on Web Designer Depot he explains:

“For users with free accounts, the first nine people can be on video; for hosts with pro accounts that goes up to the first fifteen people. Everyone else can only interact with the Hangout via the chat or watch on YouTube. This is still worth doing, but the bigger benefit lies in joining a group of people to talk with on the video Hangout.”

You may have an opportunity to talk with thought leaders and even come away with enough for an interview. And, of course, there’s an opportunity to connect and demonstrate your knowledge as a thought leader and influencer, too.

The other way to use this popular community is to post some of your own upcoming Hangouts there. Nathan explains how to use Google Hangouts on Air to create these events. He writes:

“This might surprise you, but with the technology available with Google’s HoA through YouTube, you can embed a video on your website and turn your hangout into a live webinar. We actually tested this during a recent hangout and everything went very smoothly.”

Inviting others to your webinars and other Hangouts using the Google Hangouts On Air Community may open your events up to a whole new audience. Some of these people may become future contacts (or even customers), too.
