PINoptic CTO Blog

Biometric Scanner Cracked by Black Hats

2009-02-19T06:55:00.000-08:00

You may have seen the recent articles highlighting flaws in some of the Biometric scanner implementations from vendors such as Toshiba, Asus and Lenovo. See:

http://arstechnica.com/security/news/2009/02/black-hat-blank-face-researchers-crack-biometric-scanners.ars

It's clear from the evidence being presented there is considerable improvement to be made in the technology and therefore shouldn't be relied on as a single source of authentication. It raises concerns over the drive to implement biometrics in high security solutions such as boarder controls, when the technology is still unproven in the security market.

We at PINoptic have always viewed biometric as a technology for the future and needing more time to prove it's capabilities. We do believe it will become a dominate means of authentication in the future, but until then we recommend the use of multiple layers of authentication for access control.

Monster.com Hacked Again and Passwords Stolen

2009-01-31T03:28:00.000-08:00

What a surprise another major online website having its customer data violated and stolen. Users of Monster.com can now expect to be recruited into one of the many botnet’s, and not just into new employment. See: http://blog.absolute.com/monstercom-hack-3/

This of course isn’t the first time, or second time, but in fact the third time Monster.com has had customer information stolen. Surely someone should have learnt by now changes need to be implemented? see: http://news.bbc.co.uk/1/hi/technology/6956349.stm

The breach into major websites is seemingly still all too frequent with vulnerabilities still too common in the IT industry allowing carefully coordinated online criminals to gain access with impunity. The more complex security solutions become the more frequent it seems are the vulnerabilities allowing the criminals access. What a nightmare for the overworked underpaid IT Manager.

It’s vital to implement security throughout the organizations and provide strength in depth with a layered approach. Vulnerabilities in one solution would not necessarily expose the rest of the organization with strength in-depth. Plenty of border solutions are available from firewalls, email/spam/virus/trojan/phishing filters through to the more complex IPS gateway devices.

End point security is critical in an organization to ensure the mobile work force do not bring into the secure network perimeter malware with the ability to rapidly infect other internal users. End point security requires protection of the entry points to the system namely logon, browser, network, email and hardware. Many solutions exist but the basic of implementing a firewall, AV program and browser protection provide the quick wins with plenty of free solutions available for the SMB market.

Simple password protection solutions such as PINoptic’s One Time Password authentication system would alleviate the concerns over password security and prevent many forms of security breaches. Vulnerable websites such as Monster.com would certainly have benefited from an OTP implementation to reduce the impact of their customer data being stolen.

One Million Infected Users!

2008-11-24T14:27:00.000-08:00

This article peaked my interest earlier today given I’ve spent the last 8 years building host intrusion prevention system for a living.

http://www.pcworld.com/businesscenter/article/154378/microsoft_yanks_fake_security_software.html

While we have to applaud Microsoft for cleaning up nearly one million systems infected with W32/FakeSecSen, otherwise known as "Advanced Antivirus," "Spyware Preventer," and many other fake names, don’t we also have to ask why such large-scale infections are still occurring?

As my Gran always use to say "Prevention is better than cure".

Fake security programs have been a major arsenal for the cybercriminal as far back as 2004, helping the criminal deliver countless Trojan’s, Spyware programs and enabling phishing attacks. The interest to the team at PINoptic is the report in June 2008, MSRT sniffed out 1.2 million PCs infected with a family of password stealers.

Implementing a one-time password solution removes the threat of password stealers, especially where you have server side authentication for web applications.

Corporate and consumers alike spent vast sums on complex security applications which fail constantly to deliver the protection required. Programs which generally degrade system performance and take 10 hours to scan systems are not providing the security required, yet still they are top priority for security budgets.

It’s interesting in the case of password security how little is implemented other then “implement best practices” policies relying on users not to implement weak passwords or disclose them to friends and family. Simple one-time password authentication solutions are readily available but few IT solutions make use of this technology.

At PINoptic we aim to address this through the use of a simple visual approach to authentication, making the solution language independent and without the need for costly token devices to be distributed. A simple low cost security solution to integrate into any existing application allowing a much more secure password to be set and used in open spaces without fear of shoulder surfing.

Watch this space!

Middle Eastern Banking Fraud

2008-11-09T02:30:00.000-08:00

Have you wondered why the major banks still continue to use ageing and insecure technology such as Chip-n-Pin and ATM systems to try and protect our hard earned money? Ageing I hear you say? but it's only just been introduced, very true, however these projects take years to progress through the corporate system and consequently are out of date by the time they are implemented.

As an arms race against the bad guys it’s vital for the security of the customer for organisations (and not just banks) to ensure they keep ahead and provide sufficient security.

Why do we therefore see more and more fraud from stolen credit cards and witness the ease at which pin numbers can be obtained.

The recent discovery in the Middle East banking sector is yet another example:

http://www.theregister.co.uk/2008/09/12/uae_atm_hacking_attack/

When simple more secure solutions exist such as one time password authentication why do we still have insecure implementation of banking security? At PINoptic we hear considerable investment “skin in the game” in the current solutions, we hear the losses aren’t high enough (almost £600 million last year in the UK alone?) for the lack of will to improve security.

At PINoptic we view the customer as surely the major drive behind reducing the level of fraud. Anyone who has had payments taken illegally from their bank accounts or credit cards will know the personal inconvenience this creates.

It’s time for more secure solutions to be implemented!

France Top Man gets Hacked

2008-10-31T02:18:00.000-07:00

Did anyone see this article last week? Even in a highly security conscious country such as France the top man can have his bank account freely accessed online by hackers!

http://www.digitalcommunitiesblogs.com/international_beat/2008/10/frances-booming-online-banking.php

Why aren’t we surprised at Pinoptic? With simple username and password details required for most online banking (and a few personal details collected from the trash can) it’s no wonder online fraud continues to grow in frequency. It’s time the banks gave everyone a more secure method of authentication online to reduce the risk to us all.

Braingame to yield cognitive data

2008-09-15T07:26:00.000-07:00

We’re all aware of the popularity of Dr. Karashima’s brain training games for handheld games consoles. This summer PINoptic configured its one-time-password solution into a cognitive game which exercises the users’ perception skills, lateral thinking and dexterity. PINoptic decided to offer the game free of charge via the internet and award a prize every month for the player who progressed furthest, fastest. Interest from the public has, unsurprisingly, been intense. The first monthly prize was awarded at the end of August with another £500 up for grabs at the end of September. We’re encouraging people to compete on a regular basis. As well as providing a cognitive workout to keep those brain cells ticking it gives people the chance of winning a prize too! The marketing department have promised lots more prizes over the coming months. If you fancy a go, visit www.pinoptic-challenge.com , register as a user and be sure to let me know what you think.

The view so far - WorldComp 2008

2008-07-15T13:01:00.000-07:00

From my privileged position as co-chair and session organiser I have a good view of the big picture at WorldComp in Las Vegas. It seems from the levels of attendance and the intensity of post-presentation discussions that two areas are standing out as hot topics at this year's Security and Management conference:

Digital forensics is a field that is just transforming into a discipline with a substantial push towards process and procedure. Professor Erbacher from Utah State University explained the complexity of issues surrounding digital forensics and stressed that this is far from a solved problem. Interested parties are looking forward to his tutorial tomorrow evening.

The second hot topic, represented in half a dozen papers, is the one-time password systems of which the theoretical discussion by the PINoptic team has been the best attended session thus far. Other researchers from the US and India have also addressed this area with an excellent review of related work presented by Kenrick Mock from the University of Anchorage in Alaska. Interested researchers in this area are using the conference to establish informal relationships to make sure the advantages of the approach are best utilised commercially. Definitely an idea whose time has arrived!

With a busy schedule of talks, discussions and technical meetings still to come there's plenty more to look forward to.

Signing off for now, Mark Bedworth CTO PINoptic Ltd.

SAM'08 Kicks Off

2008-07-15T05:59:00.000-07:00

SAM '08 started and the first keynote lecture was from Dave Patterson,
Pardee Professor of Computer Science at University of California,
Berkeley.  He presented an interesting insight into computing several
years from now, but warned that the sector is facing a crisis. 
Computing power increases are no longer following Moore or 2 x Moore,
since a physical barrier has been reached.  Patterson urged more
development effort in parallel computing, especially in the area of
software capable of using the parallel processor environment.  He also
suggested that those experienced in programming for parallel computing
produce a structure embodying the tools to enable those less able, to
port their existing and new software maybe developed in a single
processor environment to make use of the power of parallel computing.

There are those who argue that parallel computing is not the solution,
but Patterson put up a convincing argument.

The start of blogging

2008-07-01T12:57:00.000-07:00

Hardly had we begun pushing PINoptic, then along came the opportunity to present 3 papers at the SAM '08 conference in Las Vegas in July 2008. This conference is one of the premier world conferences for security and access management. Peer review of our submissions produced some very positive reactions and valuable feedback on the suitability of the papers for the conference.