﻿<?xml version="1.0" encoding="utf-8"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><ttl>60</ttl><title>BLOG.SECURITYBITBYBIT.COM</title><link>http://blog.securitybitbybit.com</link><lastBuildDate>Sun, 19 May 2013 14:22:43 GMT</lastBuildDate><pubDate>Sun, 19 May 2013 14:22:43 GMT</pubDate><language>en</language><copyright>(c) 2011 Security Bit by Bit, LLC</copyright><itunes:subtitle>Security Bit by Bit, Common Sense about Security and Payments</itunes:subtitle><itunes:author /><itunes:summary /><description /><itunes:owner><itunes:name /><itunes:email>DaBxDSSInc@gmail.com</itunes:email></itunes:owner><itunes:explicit>no</itunes:explicit><itunes:category text="Business"><itunes:category text="Management &amp; Marketing" /></itunes:category><item><title>A Time Line and a Line in the Sand</title><link>http://blog.securitybitbybit.com/2011/09/01/a-time-line-and-a-line-in-the-sand.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font style="font-size: 85%;"&gt;&lt;font style="font-size: 16px;"&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;If you're still in doubt how long key loggers have been actively deployed to steal data, you could start by checking &lt;a href="http://www.keylogger.org" target="_blank" class=""&gt;www.keylogger.org&lt;/a&gt;&lt;br&gt;At least as far back as 2004 they were an active topic of concern in IT security.&lt;br&gt;Earlier this year IC3 issued an alert against &lt;a href="http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf" target="" class=""&gt;Chinese Account Takeovers (pdf)&lt;/a&gt;.&lt;br&gt;&lt;br&gt;Various online reporting is adding continuously to the growing reports of the problem:&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;br&gt;&lt;ul&gt;&lt;li&gt;&lt;font style="font-size: 85%;"&gt;&lt;font style="font-size: 16px;"&gt;&lt;a 
href="http://pymnts.com/ACH-and-Wire-Related-Fraud-Study-Reveals-Corporate-Account-Takeover-Incidents-on-the-Rise/" target="_blank" class=""&gt;Payments.com on ACH fraud&lt;/a&gt;&lt;/font&gt;&lt;/font&gt;&lt;/li&gt;&lt;li&gt;&lt;font style="font-size: 85%;"&gt;&lt;font style="font-size: 16px;"&gt;&lt;a href="http://www.bankinfosecurity.com/articles.php?art_id=3998" target="" class=""&gt;BankInfoSecurity - search for ACH fraud&lt;/a&gt;&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt;&lt;font style="font-size: 85%;"&gt;&lt;font style="font-size: 16px;"&gt;The FBI has for a long time told us not to do banking from any terminal connected to our networks, but even that advice is badly dated as too often key loggers arrive via drive-by downloads. The proper advice should be not to do online banking on a computer connected to the internet - in other words: don't do it at all.&lt;br&gt;&lt;br&gt;Consumer Reports recently also added to the bad advice by repeating some twenty year old advice on creating long and complicated "strong" passwords, which dates back to the times when people thought passwords would be stolen by either guessing or remembering them. Then for a while we thought they would be cracked by some computer trying all combinations, still oblivious that it was much easier and quicker to surreptitiously install a key logger and send the data over the internet to someone who has good use for it.&lt;br&gt;&lt;br&gt;Meanwhile if you search on ACH fraud and follow the lawsuits, and also if you study the recently &lt;a href="http://ffiec.bankinfosecurity.com/articles.php?art_id=3802" target="_blank" class=""&gt;updated FFIEC guidance&lt;/a&gt;, it is clear that the sad list of court cases, along with that recent guidance create some clarity where we can draw a line in the sand.&lt;br&gt;&lt;br&gt;Evidently, banks can and should do more, as they are already doing in some parts of the world. 
But some parts are clearly to be done on the client-side, and preventing key-logging is one of them. If you study the various court cases, you would have to realize that installing GuardedID®, which is essentially a conclusive solution to the problem, also allows the bank client to draw a line in the sand, for now, if there were to be an issue with an account takeover, the client can at least present prima facie evidence that the breach most likely was not on their side, and thereby make it harder for the banks to defend their existing security as being somehow adequate. That defense is becoming shaky, right along with some renewed judicial interest in the difference between satisfying regulations and best practices in security.&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/09/01/a-time-line-and-a-line-in-the-sand.aspx#Comments</comments><guid isPermaLink="false">790b5427-d3d7-4644-8008-e5066062c9ac</guid><pubDate>Fri, 02 Sep 2011 02:14:53 GMT</pubDate></item><item><title>Why this time is different</title><link>http://blog.securitybitbybit.com/2011/08/30/why-this-time-is-different.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font style="font-size: 16px;" face="Verdana"&gt;&lt;font style="font-size: 16px;"&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;&lt;font style="font-size: 16px;"&gt;&lt;/font&gt;I have been writing a lot - here and elsewhere - about GuardedID® and blocking key logging. Why is this so different than other things in the security space?&lt;br&gt;&lt;br&gt;There is a very material reason why things are different this time. 
Number one is that key logging as an action is a very simple, straightforward and identifiable action on a computer, and it is a devastating threat, since it goes straight for your data, as the people who found their bank accounts cleaned out, or lost vital confidential business information to this simple tool, would tell you.&lt;br&gt;&lt;br&gt;There is also a very identifiable fix. There may be other "security" programs on the market that claim some success against key loggers, but we are talking about categorically stopping the possibility of key logging outright. This is a completely black and white solution.&lt;br&gt;&lt;br&gt;This will have devastatingly powerful effects in decision making in the areas of security, compliance, and IT in general. People in those areas are mostly used to decisions that involve a lot of grey. Is it worth switching to a new and better firewall, or anti-virus software because it delivers 10% better performance than the solution I'm using now? Decisions like this get watered down tremendously by other budget pressures, and the shades of grey become harder and harder to tell apart, until the decision is put off till next year.&lt;br&gt;&lt;br&gt;Key logging, however, is a clear and identifiable threat, which is largely not covered by existing security software, almost impossible to detect, and with GuardedID® there is a completely black and white, essentially 100% solution for the problem. The clear implication is that whoever hesitates to implement this solution, after they have been given the information, makes themselves directly responsible, and potentially liable, for any losses that result from not having it, for this is an all or nothing solution. You either have it or you don't. &lt;br&gt;&lt;br&gt;In the larger perspective this product is also part of what must necessarily be a multi-layered security architecture, but this is one element that is not optional. There are no shades of grey here, just black and white. 
Did you install GuardedID® yet? &lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/30/why-this-time-is-different.aspx#Comments</comments><guid isPermaLink="false">ef90883c-ed5d-4d2d-a73a-025c71f0c33e</guid><pubDate>Wed, 31 Aug 2011 02:44:32 GMT</pubDate></item><item><title>Your Defense against Account Takeover</title><link>http://blog.securitybitbybit.com/2011/08/23/your-defense-against-account-takeover.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;span style="font-family: verdana; font-size: 16px;"&gt;&lt;span style="font-size: 85%;"&gt;&lt;/span&gt;&lt;span style="font-size: 85%;"&gt;&lt;/span&gt;&lt;span style="font-size: 16px;"&gt;&lt;/span&gt;&lt;span style="font-size: 16px;"&gt;&lt;/span&gt;There are now continuous warnings from the authorities about account takeover attacks, and people still barely realize how easy it is or what they can do.&lt;br /&gt;
&lt;br /&gt;
There seem to be some cases where banks are settling, as in &lt;a href="http://www.bankinfosecurity.com/articles.php?art_id=3905&amp;amp;search_keyword=Comerica+Pays&amp;amp;search_method=exact"&gt;the Comerica case&lt;/a&gt;. However, there is plenty of ambivalence to go around, as is evident from &lt;a href="http://www.bankinfosecurity.com/articles.php?art_id=3939&amp;amp;search_keyword=patco&amp;amp;search_method=exact"&gt;the Patco case&lt;/a&gt;: in this latter case, the court held that the customer accepted the bank's security regime as adequate by signing their account agreement.&lt;br /&gt;
&lt;br /&gt;
After all, who is supposed to be the expert on banking security? The client or the bank? What's reasonable? Probably the last word has not been spoken on this, and things are changing, particularly as &lt;a href="http://ffiec.bankinfosecurity.com/articles.php?art_id=3802"&gt;the newest FFIEC guidance&lt;/a&gt; indicates, where many issues are starting to be addressed which previously were not mentioned, including key logging and multi-factor authentication, as well as the ever-important out-of-band concept.&lt;br /&gt;
&lt;br /&gt;
As a customer, there are a lot of things you cannot change, but some that you can. The primary protection as a customer, apart from all the usual security measures, is anti-key-logging protection, and the one viable solution is GuardedID®, because it defeats key logging at the most fundamental level. So it is a black and white solution, not a probabilistic one like firewalls or anti-virus, and because of the very specific nature of this threat, which figures in almost all major security breaches, it is the first protection we should be using on our PCs. &lt;br /&gt;
&lt;/span&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/23/your-defense-against-account-takeover.aspx#Comments</comments><guid isPermaLink="false">3a9c9ef5-9657-44d1-89e7-57a7517f5f7e</guid><pubDate>Tue, 23 Aug 2011 18:04:37 GMT</pubDate></item><item><title>In the Security of your own Home...</title><link>http://blog.securitybitbybit.com/2011/08/22/in-the-security-of-your-own-home-2.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font style="font-size: 16px;" face="Verdana"&gt;&lt;font style="font-size: 16px;"&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;&lt;font style="font-size: 16px;"&gt;&lt;/font&gt;&lt;font style="font-size: 16px;"&gt;&lt;/font&gt;If you were walking home from the subway, and someone in an Ace-hardware uniform stopped you on the street, telling you to go into the Ace Hardware store around the corner and order a replacement lock and have it installed that night, you would laugh and go straight home.&lt;br&gt;&lt;br&gt;If on the other hand you were sitting in the seeming security of your own home, or office, in front of your own computer the jury is still out what you would do, when you get that credible looking message which urges you to change your password, for your bank account, for there has been a security breach. Somehow, an alarmingly high percentage of people answer various phishing and spear phishing emails, people who normally could not be so deceived, but somehow the context is different...&lt;br&gt;&lt;br&gt;Maybe it helps to think of it in graphic terms like this, for suddenly you would have to realize how unlikely it is that these messages are authentic, regardless of how good they look. 
It's only a bit of computer graphics...&lt;br&gt;&lt;br&gt;A recent example appears on my parallel blog at our sister company, Bit by Bit, here: &lt;a href="http://www.bitxbit.com/security-blog/bit-by-bit-security-blog/2011/08/23/a-spear-phishing-cum-key-logging-story" target="_blank" class=""&gt;A Spear Phishing cum Key Logging Story&lt;/a&gt;&lt;br&gt;♦&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/22/in-the-security-of-your-own-home-2.aspx#Comments</comments><guid isPermaLink="false">23d8b498-f9d3-4f03-a0d0-b61fb22fb8ea</guid><pubDate>Tue, 23 Aug 2011 03:25:43 GMT</pubDate></item><item><title>Key Logging &amp; What it is NOT - as seen on TV</title><link>http://blog.securitybitbybit.com/2011/08/07/key-logging--what-it-is-not--as-seen-on-tv.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;A key logger is not a virus; it is an actual, working program that performs a well-defined function, namely to copy the keystrokes on your computer as you make them. The key logger also usually sends the keystrokes to some other destination, where your information is then available in near real time, as you type it. The concept is simple enough, but like so many security issues, it does not seem to get people's attention because it is not very visual.&lt;br&gt;&lt;br&gt;It is now: &lt;a href="http://youtu.be/vTqE996CCmM" target="" class=""&gt;Keylogging Demo from Strikeforce&lt;/a&gt;&lt;br&gt;&lt;br&gt;The statistics say that, most of the time, anti-virus programs do not recognize keyloggers, and a keylogger can be smuggled onto your machine without you noticing it. &lt;br&gt;&lt;br&gt;The result is that you need a specific defense against key logging, because it is a very dangerous, but also very recognizable form of malware. 
&lt;br&gt;&lt;br&gt;So while a virus perpetrates all kinds of disruption on the target machine, the very purpose of a key logger is to just quietly perform its function without the computer user noticing anything. Because the behavior of the key logger is so specific, it can also be specifically stopped, and that is what GuardedID® is for. It makes the function of keylogging impossible on the machine where it is installed, so it does not matter if the keylogging software is old as the hills, or totally new. GuardedID® stops the behavior outright. This is a marked difference from anti-virus systems, which try to identify viruses based on what they look like. GuardedID® simply blocks the keylogging behavior.&lt;br&gt;&lt;br&gt;The issue will start to get more attention as there are now a number of television infomercials planned for the company that developed the product. These shows started Saturday August 7th on Foxnews LA followed by Fox, Foxnews (LA, NY, CHI), ABC, CBS, ION, Travel Network and other local heavily watched channels.&lt;br&gt;&lt;br&gt;With that the public will hopefully become more aware of the issue, and learn what they can do about it. &lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/07/key-logging--what-it-is-not--as-seen-on-tv.aspx#Comments</comments><guid isPermaLink="false">8b185259-5a9d-4c22-be9a-b9d35657534d</guid><pubDate>Mon, 08 Aug 2011 02:26:05 GMT</pubDate></item><item><title>PinPay: One Customer at a Time</title><link>http://blog.securitybitbybit.com/2011/08/07/pinpay-one-customer-at-a-time.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;The other day the PinPay CEO, Glenn Gearhart, sent a message to various people involved with the company, and described the current process of growth, one customer at a time.... 
&lt;br&gt;&lt;br&gt;Clearly PinPay addresses a number of needs, and is finding a growing number of users. Glenn gave me permission to quote the message here. It's a classic:&lt;br&gt;&lt;br&gt;quote&lt;br&gt;PinPay is continuing to grow.&amp;nbsp; We are adding new participating merchants daily and now have merchants located in over 55 countries.&amp;nbsp; We expect those numbers to continue to increase. &amp;nbsp;&lt;br&gt;&amp;nbsp;&lt;br&gt;The breadth of our multi-national reach is important as it demonstrates the acceptance of PinPay for e-commerce and m-commerce in the international community.&amp;nbsp; We also continue to add international PinPay account users.&amp;nbsp; Each day more join the service; now reaching over 107 countries and increasing.&lt;br&gt;&amp;nbsp;&lt;br&gt;We are in a period of raising awareness and education, by both online merchants and consumers, of the unique services and benefits provided by PinPay.&amp;nbsp; As this continues to occur both sales and earnings are increasing.&amp;nbsp; This is occurring with only English language and USD currency services.&amp;nbsp; We expect these trends to accelerate as we add additional languages and currencies.&lt;br&gt;&amp;nbsp;&lt;br&gt;The evidence is that PinPay will become a major international online payment and money remittance service provider and the process to fulfill that objective is underway.&amp;nbsp; We all would love for PinPay to be a major service provider right now, rather than being in-progress toward that objective; but the building of a solid and sustainable international business takes time and commitment.&lt;br&gt;&amp;nbsp;&lt;br&gt;The management team of PinPay’s leading independent merchant sales organization stated: “Based upon marketing analysis and customer/merchant feedback, the PinPay brand is becoming more recognized through marketing efforts and through word of mouth. 
This type of growth has shown to be increasing daily, based on the quick customer service response experience, the ease of account usage, unique cash type processing, the security, the comfort and payment push technology. We foresee this natural growth will continue to expand the overall revenues of PinPay, Inc.”&lt;br&gt;&amp;nbsp;&lt;br&gt;We all appreciate your continued support and patience in our march to reach the status of a solid growth international company.&lt;br&gt;&amp;nbsp;&lt;br&gt;Warmest regards,&lt;br&gt;&amp;nbsp;&lt;br&gt;Glenn Gearhart&lt;br&gt;CEO &lt;br&gt;PinPay&lt;br&gt;unquote&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/07/pinpay-one-customer-at-a-time.aspx#Comments</comments><guid isPermaLink="false">7346f071-6812-4bda-8e7e-ceec9acff1c9</guid><pubDate>Mon, 08 Aug 2011 01:59:16 GMT</pubDate></item><item><title>PinPay Use Case 101: Will that be Cash or Credit?</title><link>http://blog.securitybitbybit.com/2011/08/02/pin-pay-use-case-101-will-that-be-cash-or-credit.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;Sometimes the obvious is a source of never ending amazement... anybody understands the question above, and yet, when you explain to people that PinPay is the first ever serious option for paying by cash online, sometimes their eyes glaze over... People do not recognize a solution for a problem they do not know they have. This is always one of the great challenges in business development: just when is a need "real?"&lt;br&gt;&lt;br&gt;Example: GoDaddy.com, where this site is hosted, has a payment program called Good as Gold, which is in effect a cash account for your GoDaddy.com bills and it gets you a 2% discount. So, clearly GoDaddy.com appreciates and understands the value of being paid in cash, and it has customers who prefer paying cash. 
Apparently, it has enough of both that it was worth developing this program. So PinPay may have a point in providing a platform that is a cash equivalent.&lt;br&gt;&lt;br&gt;For online merchants the actual cost of accepting online payments in various forms is a bit hard to analyze at times. The only real way of doing it is to simply add up your total billing from your merchant account and figure out the percentage of sales, taking everything into account: various rate hikes, penalties, charge backs etc. You will see that your costs are far higher than the processing fees that you were quoted, because of the infamous fine print.&lt;br&gt;&lt;br&gt;The number you get will include the cost of various forms of soft fraud, charge backs that maybe were not warranted, etc. On top of that, there is the cost of compliance and security, and the liability for having people's payment credentials on file. In short, the actual total cost of your transactions could easily be 3, 4, 5 times the basic rate that is quoted on your contract.&lt;br&gt;&lt;br&gt;PinPay eliminates that liability: you won't have any credentials on file for a PinPay customer, as they are paying by cash (or at least the nearest online equivalent), so all you receive from them is money in your account, not payment credentials, and an authorization to charge them a certain amount. No doubt some merchants may see the benefit, and could decide to offer a discount for buying with PinPay. It simplifies their life and it lowers their cost. That does make a difference. 
In banker speak, PinPay offers Good Funds in Real Time; most bankers don't even know what that is, for almost everything they deal with is revocable money.&lt;br&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/02/pin-pay-use-case-101-will-that-be-cash-or-credit.aspx#Comments</comments><guid isPermaLink="false">0438e6c3-e53c-4154-8f32-fde3664fc68b</guid><pubDate>Tue, 02 Aug 2011 22:00:04 GMT</pubDate></item><item><title>Epsilon Phishing Expeditions &amp; Common Sense</title><link>http://blog.securitybitbybit.com/2011/08/01/epsilon-phishing.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;More or less as predicted by various sources, including CBS news, here: &lt;a href="http://www.cbsnews.com/8301-31727_162-20050575-10391695.html" target="" class=""&gt;Epsilon Story&lt;/a&gt;, the massive security breach of email marketer Epsilon is showing up everywhere in spear phishing attacks. The personalized phishing attacks are happening, and, mind you, with a very professional appearance.&lt;br&gt;&lt;br&gt;Even being fully familiar with the story, and having been warned by the institutions in question, you sort of do a double take when a message appears from an institution you do business with, complete with logos and so on, looking just like an official email.&lt;br&gt;&lt;br&gt;It brings back to mind the first rule of security we advocate on this site: common sense. Why should my bank need to verify my email address? Etc. Having said that, the burden on the user seems unreasonable, when the disguise is often so good. Still, vigilance is the first requirement. Primitive man had his cave bears and sabre tooth tigers, and we have our computer hackers. The more it changes, the more it remains the same. It is time for secure email. 
No excuse not to have it.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/08/01/epsilon-phishing.aspx#Comments</comments><guid isPermaLink="false">35b48848-3565-42cd-b5bf-391aa1695a5d</guid><pubDate>Tue, 02 Aug 2011 01:17:52 GMT</pubDate></item><item><title>Strikeforce GuardedID® Hits the Mark</title><link>http://blog.securitybitbybit.com/2011/07/28/strikeforce-guardedid.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;Some time ago I had the pleasure of being interviewed for the launch of a media campaign for one of our vendors, Strikeforce.&lt;br&gt;Here is the video - worth watching in its entirety - but I appear at 11:56 till 12:40.&lt;br&gt;&lt;br&gt;Short and sweet, GuardedID® is a brilliantly simple solution, it stops key logging dead in its tracks. Most importantly, because it stops the behavior cold, by making it impossible, and therefore it also is not dependent on signatures, like a/v products, or intrusion detection.&lt;br&gt;&lt;br&gt;&lt;iframe style="opacity: 1; border: 3px dashed red;" src="http://www.youtube.com/embed/q5YqIjo5d-M" allowfullscreen="" frameborder="0" height="349" width="560"&gt;&lt;/iframe&gt;&lt;/font&gt;
&lt;font face="Verdana"&gt;&lt;br&gt;&lt;br&gt;Given the fact that key logging is involved in nearly all major security breaches, this product is one nobody wants to be without. It is no fun to find your bank account emptied, and the bank telling you it's your problem for it was legally accessed....&lt;br&gt;&lt;br&gt;All good security policies should demand that people only access sensitive information with GuardedID® installed and operating. Don't fill in any online information without it, but also don't work on sensitive information on your computer without it.&lt;br&gt;An Apple version is in development, but for now this solution is limited to the Windows world. It is however one of the most simple and positive steps you could ever take to prevent identity theft. As we like to say, security is not somebody else's responsibility....&lt;br&gt;&lt;br&gt;It is particularly gratifying to have watched this company through many years of development, when they were ahead of the market, just to see how this year it is all coming together for them, and at the same time the market is ready for their products, their patent filing on their out of band phone authentication, ProtectID® came through as well, just when the aging token-based authentication came under serious challenge - and it was obsolete for some time already. And with the explosion of major data breaches, which almost all started with a keylogging incident, the timing for GuardedID® could not be better.&lt;br&gt;&lt;a href="http://www.guardyourdatanow.com" target="" class=""&gt;Buy your own copy of GuardedID here&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/07/28/strikeforce-guardedid.aspx#Comments</comments><guid isPermaLink="false">8f584976-7d76-49a1-ac9c-eee18c71ede8</guid><pubDate>Thu, 28 Jul 2011 10:21:57 GMT</pubDate></item><item><title>Hello world... 
let's talk security</title><link>http://blog.securitybitbybit.com/2011/07/26/hello-world.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;&lt;font style="font-size: 85%;"&gt;&lt;/font&gt;Systems security is endlessly fascinating, because it&amp;nbsp;is a mirror of our sloppy habits&amp;nbsp;which seem to come out in force in cyberspace. Computers are merely dumb machines, which&amp;nbsp;excel at doing&amp;nbsp;dumb things faster, and that includes multiplying any security risks. Everything becomes magnified by the power of the processing.&lt;br&gt;&lt;br&gt;The general trap we fall into is that somehow we assume that out of sight is out of mind, and not only that, but we don't realize that just because issues are invisible to us, does not mean they don't exist. When they make themselves known, it usually boils down to the fact that ease of use took precedence over proper design, which is easier all the time, because designing anything has seemingly become so easy, and skill and expertise&amp;nbsp;are underestimated.&lt;br&gt;&lt;br&gt;Just watch people who think they can write, and spell, because they have a word processor, and spell checking. You'll see how quickly then and than become interchangeable, and the spelling checker will miss it, because the spelling is correct.&lt;br&gt;&lt;br&gt;Good security is not a thing, it is a mosaic of people, habits, and technology, and it requires your active participation.&lt;br&gt;Too often, security has been an afterthought, but security is much harder after the fact: it cannot be bolted on. It should be designed in from the outset, and the newspapers are full of stories of companies that ignored that, and paid the price, often hundreds of millions, in the case of some security breaches yielding heists of millions of credit cards. 
And while you may certainly need a patch or some security&amp;nbsp;mechanism to protect system vulnerabilities, in the long term it pays to plan ahead, so you don't become like those people who buy an alarm system promptly after they were robbed.&amp;nbsp;&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/07/26/hello-world.aspx#Comments</comments><guid isPermaLink="false">b0a000db-e143-42b7-8657-5fed1c5b8dab</guid><pubDate>Tue, 26 Jul 2011 19:10:29 GMT</pubDate></item><item><title>Welcome</title><link>http://blog.securitybitbybit.com/2011/07/25/welcome.aspx?ref=rss</link><author>DaBxDSSInc@gmail.com (Rogier)</author><description>&lt;font face="Verdana"&gt;Welcome to my blog. Please check back soon for new entries.&lt;/font&gt;&lt;BR&gt;&lt;BR&gt;Copyright (c) 2011, Security Bit by Bit, LLC</description><comments>http://blog.securitybitbybit.com/2011/07/25/welcome.aspx#Comments</comments><guid isPermaLink="false">8209f611-21b4-4763-8f0a-d625f678aea5</guid><pubDate>Mon, 25 Jul 2011 17:53:35 GMT</pubDate></item></channel></rss>