Taking security to cloud

The Ashley Madison hack: Insider, outsider — or it doesn’t matter

Howard Solomon Howard Solomon Published: 09/03/2015
Ashley Madison

Was the Ashley Madison hack an inside job or strictly done from the outside?

The debate rages in certain circles, with the insider theory buttressed by site CEO Noel Biderman suspecting the attacker was likely someone who at one time had legitimate access to the company’s internal networks.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman told security writer Brian Krebbs. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

That seemed to be blunted somewhat last week when Avid Life Media Inc., which owns Ashley Madison and other dating sites, offered a $500,000 reward to anyone who provides information to the police that leads to the identification, arrest and conviction of the person or persons responsible for the theft of its data.

But one security analyst says the distinction is meaningless. “All cybercrime is an inside job, anyway, whether an outsider got in because you weren’t watching and stole stuff, or someone inside stole stuff because you weren’t watching,” says John Kindervag of Forrester Research.

What matters is a large amount of data — perhaps 30 GB of customer data and corporate email — was shipped out of the company without being seen.

“Don’t try to shift the blame or responsibility,” Kindervag says. In a successful attack “it doesn’t matter whether it was an insider. What matters is you were completely blind and you weren’t looking, and you weren’t paying attention.”

At this point, it isn’t clear if Avid Life Media has a marketing or a technology problem — likely both.

Biderman resigned last Friday. A statement from the company said it was by mutual consent. “This change is in the best interest of the company,” the statement said. But it came after a number of news stories suggesting there weren’t a lot of women registered on AshleyMadison.com — Gizmodo initially suggested there were only 12,000 judging by the leaked data, then backed off and said the real number couldn’t be estimated. But, the writer added, there was evidence that Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, “hoping to create the illusion of a vast playland of available women.”

There were also allegations two people had committed suicide after being identified as Ashley Madison members from the data dump.

In reply, Avid Life  Media issued a statement saying “recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated … This past week alone, hundreds of thousands of new users signed up for the Ashley Madison platform – including 87,596 women.”

Cynics suggested these women had joined to see if their partners are members.

Whether Avid Life and its sites can survive is a question. To some degree members on these sites assume (hope) for a certain level of privacy — and the company says that it “always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.”

Other companies — retailers and hospitals — have survived data breaches. There’s a difference, though: Credit card companies cover losses due to theft, few will dump a doctor because a hospital made mistakes and many people can be mollified by a sincere apology. And as one person told me, sex sells.

So assuming the company can rebuild its image, what should Avid Life’s CISO do? Start building a zero trust network, advises Kindervag. “Step one would be doing something that gains more (network) visibility and then start rebuilding their network in a way that provides the proper access control, inspection, logging. Plus information shouldn’t be stored in cleartext. Knowing just the names of people who sign up is particularly sensitive, given the fact that a lot of those people are doing something that would be considered immoral

“They need to start a systematic re-think of everything they’re doing … they were probably doing almost everything wrong”

Electronic signature concept. Man press sign key on computer keyboard.

Montreal-based e-signature firm Silanis acquired by Vasco

Danny Bradbury Danny Bradbury Published: 10/16/2015

Canadian electronic document signing company Silanis is to be acquired by e-signature and authentication firm Vasco Data Security. The deal, worth US$85 million, will enable Silanis to expand its international footprint, the company said.

Silanis sells e-SignLive, a SaaS-based electronic document signing service that has to date largely targeted U.S. and Canadian customers. Its CEO Tommy Petrogiannis said that the company differentiates itself from competitors including Docusign and RightSignature in several ways.

Firstly, the company focuses on regulated market segments and has recently started offering regional data storage to help customers remain compliant. Last November, it signed a deal to host customer data with IBM Canada.

Security and data sovereignty

IBM Canada is a separate subsidiary of IBM and it stores data on Canadian soil, meaning that its data cannot be commandeered under the Patriot Act, Petrogiannis said. Silanis is also rolling out local storage capabilities in other regions.

Silanis, which encrypts everything both in transit and at rest, is SOC2-certified, and audited every six months by KPMG. It offers companies the option to manage their own encryption keys within its Hardware Storage Modules (HSMs), and also lets them deploy its code base behind their own firewall, if regulations prevent them from putting the documents in the cloud. This is the case with NASAès Jet Propulsion Laboratory, which is a Silanis client, Petrogiannis said.

e-SignLive has relied on document signing techniques including click-to-sign, live handwritten signature capture, and fax back signing. Vasco offers two-factor authentication (2FA) with its Digipass product line, which will provide an extra level of authentication for regulated users.

Making e-signatures work for you

What should CIOs consider when folding electronic document signing into their own operations? It can certainly drive efficiencies into corporate processes by eliminating paper and speeding up document transmission. Is it legal, though?

Petrogiannis explained that electronic document signing has been legal since 2000 in Canada, and that there are only a few specific documents that must be hand-signed, such as last will and testaments. “In Canada, we were slightly ahead of the US. In 2000 it became available in pretty much all jurisdictions,” he said.

In Canada, the 2000 PIPEDA privacy law defined electronic signatures in law. It lists two types: a electronic signature, and a secure electronic signature. The secure one must be tamperproof, according to definitions laid out in Canada’s Evidence Act. Modern document management solutions take account of these requirements.

CIOs thinking of incorporating electronic document signing into their business processes should design things carefully from the outset, though. “Existing systems in place are often designed to do batch processing,” warned Petrogiannis. “The batch process typically creates packaging in the print room that then gets FedExed to the relevant organizations.”

Moving to documents that are instantly sent and signed may require companies to rethink their processes, he warned. Customers signing and returning documents electronically may want a dynamic response. “Then, you have to service your customer 24×7,” he warned.

The electronic signature market has been dynamic in the last few years. Last October, Citrix acquired RightSignature, adding electronic document signing to its portfolio. A month earlier. Kofax purchased signature verification firm Softpro.  Back in 2011, Adobe purchased web-based e-signature firm EchoSign.


Warning to app developers: Back-end providers could be a back door vulnerability

Howard Solomon Howard Solomon Published: 11/17/2015

There’s increasing pressure on application developers to churn out mobile apps as the workforce does more of their communications on smart phones and tablets. To help them a number of providers such as Amazon Web Services, Parse.com (now owned by Facebook) and CloudMine2 offer back end services in the cloud.

But a report presented by German security researchers at last week’s Black Hat Europe conference in Amsterdam warns some of those services are “alarmingly insecure” and could be a back door security risk. That’s because many apps embed hard-coded credentials, putting not only the user’s data, but the whole platform at risk, they say.

With current tools “attackers can gain access to huge amounts of sensitive data such as millions of verified e-mail addresses, thousands of health records, complete employee and customer databases, voice records, etc.,” write the researchers from the Technical University’s Center for Advanced Security Research and the Fraunhofer Institute for Secure Information Technology.

“Often, one can manipulate, and delete records at will,” their paper says. “Some BaaS (backend-as-a-service) instances even suffer from remote code-execution vulnerabilities.”

Researchers analyzed over 2 million Android and iOS applications and found over 1,000 backend credentials, many of them re-used in several applications. That lead to finding more than 18.6 million records with over 56 million individual data items.

The report serves as a warning to application developers that there are no short-cuts, no matter how big the name behind the cloud service is.  “In general, app developers need to better understand that every app has security implications,” the report concludes “which must be taken into consideration as part of the basic design of the app.”

At the same time BaaS providers should include easily usable end-to-end encryption and authentication methods into their open-source client SDKs, they add.

Cloud storage offers developers an easy way to synchronize data between devices and platforms. Often, such services also include capabilities such as user authentication, storing key-value pairs, social-media integration or push notifications. All the developer has to do is add a few lines of code to link to the service.

But a look at the top three providers — Amazon, Parse.com and CloudMine2 — found while they do have security controls “their defaults are mostly alarmingly insecure,” researchers said. “Application developers usually accept these defaults for convenience, failing to include appropriate means of protection such as access control or data encryption.

“By default, most BaaS solutions require an application only to authenticate using an ID that uniquely identifies the app, and a so-called “secret” key, used to indicate that the app uses the ID legitimately. These credentials, however, neither authenticate a device nor a user. They merely authenticate the app as such and are therefore shared between all installations of this app. As we show, adversaries can extract these two values from apps with ease, allowing them to easily forge a malicious application, which inherits the very same backend-privileges that the original application had. If the original application was able to list all records of a customer database, the impersonator can do so as well.”

Researchers created an automated tool dubbed HAVOC, which they say not only finds simply embedded credentials based on static analysis but also uses a hybrid (static/dynamic) analysis for cases where keys are computed at runtime.  The implication is if they can create that tool, so can hackers.


Symphony’s secure enterprise messaging platform has backing from Wall Street

Dave Yin Dave Yin Published: 09/17/2015

New York, NY – Could Symphony be the future of enterprise communication?

The company sure hopes so.

The self-proclaimed startup, headed by former senior Skype executive David Gurle, launched its messaging and content distribution platform and it’s one that’s received backing from over a dozen Wall Street banks and being dubbed the “Bloomberg Killer.”

Symphony’s content distribution function in action

“It was designed with compliance at heart,” Gurle told reporters at the first of several launch events in several cities across the United States, UK, and Asia.

In fact, the company takes regulation in areas such as record keeping and archiving so seriously that it has an agreement with the New York State Department of Financial Services.

The platform combines the functionality of pretty much every major form of communications tool out there, including social media platforms.

Of course, there are private and group instant messaging. Users can also create chat rooms with explicit rules on who can see, read, copy, and contribute, there is a Twitter-style follow system as well as “cashtags”, a topic generator specific to corporate acronyms preceded by a “$” sign similar to, but more specific and complementing, keywords via hashtag.  There’s even Facebook’s wall posts and like systems, integration with Google Hangouts, and even MSN messenger’s nudge function in case a colleague fell asleep at their desk.

Surprisingly, at the time of demonstration, Symphony-hosted email was not available, although Gurle promised, that is definitely coming, given its “universal” usage.

All of this sits on top of a level of security that Gurle spent much of his presentation (touting).

In essence, end-to-end encryption within each instance of Symphony gives companies the keys, meaning that even under subpoena, Symphony is only able to unable to decrypt data it hands over to authorities, in a style similar to Apple’s approach to its user data.

But the platform goes beyond that.

We mentioned at the beginning that in addition to being a secure messaging platform, Symphony also aims to be a content distributor.

In order to do so, it has partnered with financial newswire Dow Jones, corporate data provider McGraw Hill Financial and analytics technology company Selerity. The idea is that keywords in messages as well as “cashtags” can be expanded upon in a drop-down menu in the form of the latest headlines, stock, and Google and Twitter trends – the keyword being “relevant.”

Somewhere within the platform, there’s a vision.

“Tomorrow, as we talk about something, we will see relevant information come to us,” Gurle said. “There is no more search.”

For now, Symphony is working on creating partnerships, to implement, to collaborate on extending functionality, and to sell. While the financial sector is obviously the focus, Symphony is looking to expand not just into more verticals where regulations are more lax, but even, perhaps, to consumers.

“Our compliance will help us in adjacent markets,” Gurle said. “If you can do here, you can do there.”

Will Microsoft privacy deal with German service provider be followed here?

Howard Solomon Howard Solomon Published: 11/11/2015
Cloud Safe

With American legal agencies claiming they have the right to demand customer data from U.S. companies stored anywhere in the world Canadian data centres have been expanding here to get the business of organizations worried that records of customers here can be reached by U.S. subpoenas.

Those data centres may soon have new partners if companies follow the lead of Microsoft.  The software company announcing a deal Wednesday in Germany that will see telco Deutsche Telecom build two data centres next year and become the data trustee for European customers of Microsoft cloud services. To lower the odds of U.S. courts getting access to that data, Microsoft won’t be able to access records without the telco’s permission.

In other words — in theory — the data isn’t under Microsoft’s control. That’s a key factor in U.S. laws that say American companies can be compelled to produce any record under their control, regardless of the country the data is held in.

“Microsoft is pioneering a new, unique, solution for customers in Germany and Europe. Now, customers who want local control of their data combined with Microsoft’s cloud services have a new option, and I anticipate it will be rapidly adopted”,  Timotheus Höttges, Deutsche Telecom CEO said in a statement.

Will Microsoft and other U.S.-based companies — such as IBM, Hewlett-Packard or Salesforce — try the same strategy here?

Yes, says Toronto privacy lawyer Barry Sookman of the firm McCarthy Tetrault. Putting customer data under trusteeship of a third party won’t completely block a U.S. court order, he said in an interview this morning. But it will be helpful.

“If the implication is that Microsoft will not have access to data then that will likely diminish Microsoft’s obligation to comply with Patriot Act orders they provide data on European citizens,” he said. However, he cautioned, American authorities have other ways to get at the data, such as mutual legal assurance treaties with foreign countries (including Canada). But in that case U.S. authorities would need the co-operation of the country.

Earlier this year Microsoft said it will build two new data centers here — in Toronto and Quebec –to meet data residency worries.

Sookman also sees the Deutsche Telecom arrangement as a way to counter a decision last month by the Court of Justice of the European Union (CJEU), and an ongoing fight with the U.S. Justice department demanding access to Microsoft customer data held in Ireland,

The CJEU decision invalidates the EU-U.S, privacy safe harbour agreement. That agreement provides that transfers of personal data to the U.S. from European Union countries is adequately protected if safe harbour principles are followed. With that agreement struck down, personal data can’t be moved across the Atlantic, even for corporate reasons.

Sookman pointed out the CJEU decision also imperils a safe harbour agreement the EU has with Canada.

Meanwhile Microsoft and the U.S. Department of Justice have been tied in a legal fight over a demand for access to certain email held by the software company in Ireland. The case is now before an appeal court.

Microsoft CEO Satya Nadella told the Financial Times the Deutsche Telecom deal was designed “to earn both trust of our global customers and operate globally. That’s at the cornerstone of how we’ve done business and how we will continue to do business.”

In fact, at the same time Nadella announced the deal with the German telco it also said it will expand its regional datacentres in Ireland and the Netherlands to offer more Azure and Office 365 services in Europe. However, customers will have a choice of having data stored in the Deutsche Telecom facility — at a premium price yet to be disclosed.

Cost of data breaches keeps going up. Do boards care?

Howard Solomon Howard Solomon Published: 10/06/2015
money, IT expenses, saving, calculator

There are, arguably, four things one can depend on: Life, death, taxes and the increasing cost to organizations of cyber crime.

So it comes as little surprise that this year’s Ponemon Institute cost of IT security report found the average cost of defending and containing cyber attacks at 252 large organizations studied in five countries, including the U.S., had gone up 1.9 per cent to $7.7 million (all figures U.S.) this year compared to 2014.  At least one organization in the study spent $65 million.

However, in the U.S. alone the cost at 58 responding companies jumped 19 per cent to $15 million, which institute chairman Larry Ponemon admitted caught him off guard.

“Unfortunately the number are moving in the wrong direction,” he said in an interview

The study, underwritten by Hewlett-Packard Co, also revealed that of over 200 companies studied in the U.S., Germany, Japan, Russia and Australia, the average time to resolve a cyber attack – 46 days – has increased by nearly 30 per cent over the last six years. “That’s a bad fact,” Ponemon said.

Earlier this year Ponemon figured the average cost of a breach in Canada was just over CDN $5.3 million.

On average respondents faced 166 attacks a week this year among responding organizations, compared to 50 a week in 2010.

The average cost in six countries (including Brazil) of cyber defence in 2015 was more than $1.9 million.

That’s a concern, Ponemon noted, because the longer it takes to resolve the more costly an attack is. He suspects it shows attackers are getting more sophisticated.

(Organizations from Brazil were included in this study for the first time, but aren’t counted in some figures because they couldn’t be compared to previous reports).

These are average numbers, so the cost per organization ranged widely. While the report didn’t name companies studied, it is known that Home Depot recently acknowledged it has spent $232 million so far to fix its systems and cover damages from a 2014 breach, with more damages possible from lawsuits yet to be heard.

Which raises the question of whether studies on the cost of a data breach mean anything to boards, who approve CISO budgets.

“They don’t,” says Curtis Levinson, an IT security consultant and the U.S. advisor to NATO on cyber security, as long as stock prices aren’t affected.

“Home Depot spent approximately (US) $425 million cleaning up after their data breach,” he said in an interview last week, “but the key indicator is stock price — shareholder value. If you look at public organizations, when there is a data breach you’ll see their stock price will dip, but the question is how far and for how long. If it’s a week or two and them it rebounds it becomes a non-issue. Data breaches do no necessarily affect shareholder value.”

“Data breaches generally do not cause investors to dump their stocks because they know in a week or two or three it’ll be over — it’ll be business as usual.” so priority at the board sinks

Similarly, he agreed with a suggestion that so far most consumers don’t abandon their loyalty to an organization because there’s been one data breach. Home Depot, for example, is still going strong.

That’s in part because consumers don’t bear the cost of  charges on their credit cards that have been stolen, Levinson said.

For his part Larry Ponemon says he knows reports like this are used by boards and senior executives because they don’t know what breaches costs — and because in the U.S. directors are worried about their liability. “That in of itself may be helpful,” he said. And, he added, the number can help an organization benchmark itself against others.

But he also said he doesn’t disagree that boards of retail organizations so far have shrugged off the cost of breaches because customers keep spending.

To gather the statistics Ponemon researchers interviewed 2,100 people from 252 organizations with more than 1,000 staff over 11 months.

Spending counted include the cost to detect, recover, investigate and manage the incident response, as well as efforts to contain additional costs from business disruption and the loss of customers.

“We believe a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack,” the report says.

The cost of cyber crime is moderated by the use of security intelligence systems, the study also concluded. Companies using security intelligence technologies were more efficient in detecting and containing cyber attacks, it said. As a result, these companies enjoyed an average cost savings of $1.9 million per incident when compared to companies not deploying security intelligence technologies.

“Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices. Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million.”

Thank you for Reading this CASL PageBook


PageBooksAlign your brand with leading journalistic reviews on topics of your choice. Demonstrate your company’s expertise. Build awareness and leads.

Formatted much like a digital magazine and viewable on any device, Page Books provide you with the perfect opportunity to profile your brand and/or your expertise together with a collection of syndicated content sourced from IT World Canada media properties.

Brad McBride, VP Sales, bmcbride@itwc.ca, 416.290.0240, ext. 354
Desere Cowin, Senior Account Executive, dcowin@itwc.ca, 416.290.0240, ext. 174


Table of Contents