Monday, December 13, 2010

WikiLeaks Lessons: Stronger Encryption and Secured Systems

It is not yet clear, and maybe never will be, what went wrong with respect to information security that resulted in the WikiLeaks episode that has taken everyone by storm.

Was it a system failure or was it a security solution that failed the test!?!

From what I have read and know, it seems like a system failure, as there was no secured system worth its salt in place to prevent mass proliferation of important information, if not highly classified data.

Seems like someone was able to download the entire database and copy it to a portable drive and get it shipped outside the system, or upload it via the numerous online websites out there.

Or it could be a deliberate leak by informed authorities?

The most unlikely possibility is that someone hacked into the system and stole information using an online back-door.

Yet, what fascinates me is the sheer volume of the information (including the Afghan and Iraq tapes) as well as the quality of information.

How could this information be classified and yet not be encrypted, using a "for your eyes only" kind of secured solution so that only the sender and the recipient could reveal and read the information? Even the Romans had a better solution and system to prevent such leaks.

Add to that the fact that 3 million people already have this information.

What alarms me is not what has been leaked by WikiLeaks, but what could be out there that is even more dangerous, a potential for disaster waiting to happen, or something important that could fall in the hands of sinister people.

The Chinese are never tired of trying to get their hands on everything that can be hacked and accessed.

And if the technologically most powerful country is so vulnerable, what about the rest of the world, such as those who also possess nuclear weapons?

Wars have always been won due to the superior information gathering capacity of the adversary. Today the adversary is terrorism and neo-nationalist fervor.

When will the world adopt more secured information systems, or in other words when will most of us be able to transmit information securely?

Make it For Your Eyes only......

Tuesday, December 7, 2010

Tweet safely..

OAuth enables a third-party app to pull/push the user's Twitter info without requiring them to sign in every time.

This generally requires users to authorise the third-party app.

However, if the user's account is compromised, someone can automate the authorization process.

The following link explains how this happens in real life.

http://www.net-security.org/secworld.php?id=8823

Preventing your Twitter account from being hacked is pretty easy. Here are some tips:

1. Never use the same password for all your websites.

2. Use a strong password that is at least 12 characters long, containing a random mix of alphabetic and numeric characters.

3. Think twice before authorizing an app to use your Twitter credentials.

This is easier said than done. Most people cannot remember complicated passwords and tend to reuse the same password, or use simple passwords that are easy to guess or hack.

The other option is to use a password generator that generates a unique password for each of your website accounts. There are many such password generators, including the one we have developed, which is available for free at 0pass.com and mycloudkey.com.
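As an added illustration of tips 1 and 2 above (this is example code written for this page, not the 0pass.com or mycloudkey.com tool and not anything Twitter offers), the following Python script generates passwords that satisfy tip 2 (at least 12 characters, a random mix of letters and digits, drawn from a cryptographically secure source), estimates how many bits of guessing work they represent, and keeps one distinct password per site so that no two accounts share one. The `PasswordVault` class and its in-memory dictionary are assumptions made for the example; a real tool would encrypt the store at rest.

```python
import math
import secrets
import string

# Character set matching tip 2: letters and digits.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12  # minimum length recommended in tip 2


def is_strong(password: str) -> bool:
    """Check tip 2: at least 12 characters, containing both a letter and a digit."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Return a random password of `length` characters from ALPHABET.

    Uses the `secrets` module (a CSPRNG) rather than `random`, so the
    output is unpredictable. Regenerates on the rare draw that lacks
    either a letter or a digit, so the tip 2 mix is guaranteed.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


class PasswordVault:
    """Tip 1: one unique password per site (hypothetical toy store for this example).

    The first request for a site generates a fresh password; later requests
    return the same one. Kept in memory only; a real tool would encrypt it.
    """

    def __init__(self, length: int = 16) -> None:
        self._length = length
        self._store: dict[str, str] = {}

    def password_for(self, site: str) -> str:
        if site not in self._store:
            self._store[site] = generate_password(self._length)
        return self._store[site]

    def reused_sites(self) -> list[str]:
        """Sites whose password is shared with another site (should be empty)."""
        seen: dict[str, list[str]] = {}
        for site, pw in self._store.items():
            seen.setdefault(pw, []).append(site)
        return sorted(s for group in seen.values() if len(group) > 1 for s in group)


if __name__ == "__main__":
    vault = PasswordVault()
    for site in ("twitter.com", "example-bank.test", "example-mail.test"):  # constructed sites
        print(f"{site:20} {vault.password_for(site)}")
    print(f"entropy of a 12-char password: {entropy_bits(12):.1f} bits")
    print(f"reused across sites: {vault.reused_sites() or 'none'}")
```

A 12-character password over 62 symbols gives roughly 71 bits of guessing work, which is why the length in tip 2 matters more than any clever substitution scheme; the vault simply removes the temptation to reuse one password everywhere.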

The best way, however, would be for Twitter to offer an automatic password generator itself, so people do not have to define complicated passwords. The generated password would be unique to the user's profile or device.

Such a solution would be more trusted and credible than a third-party solution.

Monday, December 6, 2010

Your data. What about it?

I was doing an audit about my backup today.

The first thought that crossed my mind was...what if the hard drive crashed? I have all my stuff there, be it business or personal. And if there is something missing, it's on a backup drive.

How do I manage all this data? And more important, how do I make sure all of this does not fall into the wrong hands?

Add to this the wealth of information on my cellphone. How do I protect this?

If my disk or mobile crashes, I cannot get it repaired without worrying about the personal stuff getting into the wrong hands.

The digital age does bring a lot of advantages but also throws up a lot of insecurities.

The need of the hour is secured data and information management in the cloud that is forever accessible and strictly personal.

Something that is accessible from anywhere only by the owner, easily organizable, automatically and intelligently archived, and shareable with your social circle.

It is high time we do away with personal storage media, which can no longer offer us data integrity or security.

Saturday, December 4, 2010

What is more important - Privacy or Security!

Privacy and Security are inter-related topics.

But what is privacy? Or what are the limits of privacy...

When I look at privacy, it means any information that I do not want disclosed to a second or third person; something that is personal should be protected at all costs.

But in the age of FaceBook and LinkedIn and online Job Search, I wonder if it is possible for the average online user to hide their personal information.

There is another meaning to privacy and that is no one should be able to see what is in my computer or my online account without my authorizing it first.

Now that there are some thoughts on privacy, let me put down a thought on security.

Security is something that should protect and enhance my privacy and not reduce it.

Yet, it is becoming increasingly clear that foolproof security is not possible without shedding some of the privacy concerns.

For example, device-based authentication is something people would not like to use because once you allow access to one device, all your devices could also be accessible. And then you never know if your computer has become a zombie controlled by some far-flung Chinese hacker.

But just relying on passwords has not really helped in protecting online users. If instead the passwords are locked to the devices owned by the user, not only is the user's security enhanced, but he also becomes the sole owner of his private information.

So, the challenge is how to allow access to a user device without infringing on the privacy of the user...

One way is not to store the device's information and to use real-time device authentication.

Friday, December 3, 2010

Is identity theft really a serious issue?

I have been in the business of securing online users and properties for the past two years.

I have thus had an opportunity to debate and discuss various issues related to online security.

One such discussion I had with a friend last week was on the topic of credit card security with respect to using them for online transactions.

My friend (who is the CEO of a successful startup) said that after the introduction of a PIN in addition to the credit card number and CVV number, the losses arising from credit card fraud had reduced from Rs. 250 crores to Rs. 2 crores.

I sought to disagree with my friend. What do you think?
