
SPOTLIGHT ON SECURITY

Wristband Heads Off Password Headaches

Has software glut got you down? Do you reuse passwords because creating unique ones for all your online accounts would cause a memory overload? If your answer to those questions is yes, you may be interested in a bit of jewelry called the “Everykey,” by a startup with the same name.

Everykey is a wristband that, combined with software and the cloud, removes the need to remember the countless log-in credentials we use every day. What’s more, it will work with electronic locks, too — like car doors.

The bracelet uses Bluetooth to authenticate you to a variety of devices — iOS, OS X, Windows, Android and Ubuntu Linux — and it works with popular Web browsers Chrome, Firefox and Safari.

Bluetooth Twist

When you open a Web page that asks you to log in, Everykey’s software will reach into the cloud, pull down the credentials for the page and log you in automatically — much the way a password manager like LastPass works.

Everykey sends out a short encrypted Bluetooth message every second so your device knows you’re in its vicinity.
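The page describes the mechanism only as a short encrypted message every second; the code below is an added example of how a host could verify such a proximity heartbeat, not Everykey's own protocol or format. It assumes a per-host key provisioned at pairing time, a counter-plus-HMAC token (authentication rather than encryption is what the host actually needs for this check), and a three-second unlock window; all of those are assumptions for illustration.

```python
"""Proximity heartbeat: a wearable beacons an authenticated token every second;
the host stays unlocked while fresh, valid beacons arrive and locks when they stop.

Added example, not Everykey's code. Token layout (key id || counter || HMAC tag)
and the timeout are assumptions made for this demonstration."""
import hashlib
import hmac
import secrets
import struct

UNLOCK_TIMEOUT = 3.0   # assumption: seconds without a valid beacon before the host locks
KEY_ID_LEN = 4
TAG_LEN = 8


class Wearable:
    """Beacon side. Holds one shared key per paired host (assumption)."""

    def __init__(self, key_id: bytes, key: bytes):
        self.key_id = key_id
        self.key = key
        self.counter = 0

    def beacon(self) -> bytes:
        # A monotonic counter makes every beacon distinct, so a beacon captured
        # over the air cannot simply be re-sent later to keep the host unlocked.
        self.counter += 1
        body = self.key_id + struct.pack(">Q", self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Host:
    """Verifying side (laptop, phone, door controller)."""

    def __init__(self, key_id: bytes, key: bytes):
        self.key_id = key_id
        self.key = key
        self.last_counter = 0
        self.last_seen = None

    def accept(self, msg: bytes, now: float) -> bool:
        """Return True and refresh the presence timer only for a fresh, authentic beacon."""
        if len(msg) != KEY_ID_LEN + 8 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if body[:KEY_ID_LEN] != self.key_id:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False
        counter = struct.unpack(">Q", body[KEY_ID_LEN:])[0]
        if counter <= self.last_counter:
            return False   # replayed or reordered beacon: do not extend the unlock
        self.last_counter = counter
        self.last_seen = now
        return True

    def unlocked(self, now: float) -> bool:
        return self.last_seen is not None and now - self.last_seen <= UNLOCK_TIMEOUT


def run_demo() -> dict:
    """Walk through pairing, presence, a replay attempt, an unpaired host and walk-away."""
    key_id = b"\x00\x00\x00\x01"
    key = secrets.token_bytes(32)                     # provisioned at pairing time
    band, laptop = Wearable(key_id, key), Host(key_id, key)
    stranger = Host(key_id, secrets.token_bytes(32))  # a host never paired with this band

    beacons = [band.beacon() for _ in range(3)]       # sent at t = 0, 1, 2 seconds
    accepted = [laptop.accept(b, float(t)) for t, b in enumerate(beacons)]
    return {
        "accepted": accepted,
        "unlocked_while_present": laptop.unlocked(2.5),
        "replay_rejected": not laptop.accept(beacons[1], 2.6),
        "unpaired_host_rejects": not stranger.accept(beacons[2], 2.0),
        "locked_after_timeout": not laptop.unlocked(2.0 + UNLOCK_TIMEOUT + 0.1),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The counter check is the part most often left out of beacon designs: without it, one captured message keeps the host open indefinitely. A general caveat for any radio proximity scheme, not a claim about this product, is that receiving a valid beacon proves the key is in radio range of something, not that the wearer is at the keyboard; a relayed beacon looks identical to a local one.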

“One benefit of our product over others is that ours can unlock the device itself, whereas a traditional password manager can only enter passwords at websites,” Everykey CEO Christopher Wentz told TechNewsWorld.

A nice twist is that the Bluetooth used by Everykey can talk to multiple devices simultaneously. Ordinarily, a Bluetooth peripheral holds an active connection with only one device at a time.

“We’ve filed a patent for a unique way for Bluetooth to communicate with an unlimited number of devices at once,” Wentz said. “It’s our own inventive way of handling Bluetooth communication.”

Wentz, who developed the idea while an undergraduate at Case Western Reserve University, has launched a Kickstarter campaign to get Everykey into production. He hopes to raise US$100,000 by Nov. 29 and begin shipping product in March 2015. As of Tuesday morning, the project was within $7,000 of reaching its goal.

Everykey will retail for $100, but Kickstarter participants can pre-order it for $50.

Hacking Apps

A sobering report recently released by Arxan Technologies found that 97 percent of the 100 top paid apps for Android phones and 87 percent of the 100 top paid iOS apps have been hacked.

The figure for paid iOS apps increased substantially from 2013: from 56 percent to 87 percent.

The numbers were slightly lower but no less disturbing for the top 20 free apps: 80 percent for Android and 75 percent for iOS.

Based on Arxan’s definition, “hacking” an application needn’t be malicious. For example, Arxan considers cloning or repackaging an app as hacking.

While Arxan acknowledges that some cloning and repackaging is relatively harmless to users, it found more than 50 percent of cloned apps were malicious and posed serious risks to users.
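Cloning and repackaging, the activity Arxan counts as hacking, leaves two measurable traces: modified or added entries inside the package, and a different signing certificate, because the cloner cannot reproduce the vendor's signature over altered content. The script below is an added example of checking a candidate package against the known-good build on both counts; it is not Arxan's tooling, and the two packages are constructed in memory with placeholder bytes rather than real apps. It assumes a v1 (JAR-style) signature stored at META-INF/CERT.RSA and treats the hash of that entry as the signer fingerprint.

```python
"""Repackaging check: compare a candidate app package with the vendor's build
by per-entry content hash and by signer fingerprint.

Added example; the packages below are constructed and contain no real code."""
import hashlib
import io
import zipfile

# Assumption: v1 (JAR) signing only; the signing cert lives in this entry.
SIGNER_ENTRY = "META-INF/CERT.RSA"


def build_package(files: dict) -> bytes:
    """Assemble an in-memory zip from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def fingerprint(package: bytes) -> dict:
    """SHA-256 of every entry, with the signer entry pulled out separately."""
    out = {"entries": {}, "signer": None}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for info in z.infolist():
            digest = hashlib.sha256(z.read(info)).hexdigest()
            if info.filename == SIGNER_ENTRY:
                out["signer"] = digest
            else:
                out["entries"][info.filename] = digest
    return out


def compare(original: bytes, candidate: bytes) -> dict:
    """Report what changed between the vendor build and the candidate."""
    a, b = fingerprint(original), fingerprint(candidate)
    common = a["entries"].keys() & b["entries"].keys()
    report = {
        "signer_changed": a["signer"] != b["signer"],
        "unsigned": b["signer"] is None,
        "modified": sorted(n for n in common if a["entries"][n] != b["entries"][n]),
        "added": sorted(b["entries"].keys() - a["entries"].keys()),
        "removed": sorted(a["entries"].keys() - b["entries"].keys()),
    }
    # Either signal alone is enough: re-signing means someone other than the
    # vendor built it; content drift means it is not the published binary.
    report["repackaged"] = report["signer_changed"] or bool(
        report["modified"] or report["added"] or report["removed"])
    return report


# Constructed sample: the vendor's build.
ORIGINAL = build_package({
    "AndroidManifest.xml": b"<manifest package='com.example.pay'/>",
    "classes.dex": b"dex\n035\x00original bytecode",
    SIGNER_ENTRY: b"-- constructed: vendor signing certificate --",
})

# Constructed sample: a clone with patched bytecode, an injected native
# library and the cloner's own certificate in place of the vendor's.
CLONE = build_package({
    "AndroidManifest.xml": b"<manifest package='com.example.pay'/>",
    "classes.dex": b"dex\n035\x00original bytecode + injected hooks",
    "lib/armeabi/libinject.so": b"constructed native payload",
    SIGNER_ENTRY: b"-- constructed: cloner's self-signed certificate --",
})


if __name__ == "__main__":
    for key, value in compare(ORIGINAL, CLONE).items():
        print(f"{key}: {value}")
```

Against a real package the signer fingerprint should be the certificate digest as reported by `apksigner verify --print-certs` rather than the hash of the raw CERT.RSA entry, and the check belongs where a clone would be caught in time: in the store submission pipeline or in the app itself at launch, comparing its own signing certificate to the one compiled in.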

“Typical risks include information theft and identity theft,” Arxan Technical Director Jonathan Carter told TechNewsWorld.

“The likelihood of the attacks will increase as mobile app consumption increases,” he explained.

“The impact will increase, too,” Carter continued, “as we do more and more sensitive things on our mobile apps — like mobile financial transactions, credit card processing, and other kinds of sensitive information processing.”

Not Safe for Work

From time to time, IT folks complain about what some see as the greatest security threat to an organization: its employees. A survey released last week by GFI Software doesn’t do anything to discredit that notion.

The study of 1,010 employees at U.S. companies with fewer than 1,000 people took the pulse of the workers’ knowledge of their company’s acceptable use policies.

The policies are often ignored, which has resulted in lost productivity at many firms. For example, the surveyors found that one-third of U.S. businesses have experienced a network disruption caused by non-work related employee Web usage.

What’s more, 10 percent lost sensitive company information as a result of such usage.

Failure to follow acceptable use policies also can impact a company’s IT budget. One in four people, the survey found, had to have the IT department fix their machine as a result of non-work related browsing.

“Even though the company owns the devices, and it would love for employees to do work-related stuff, what we found was they’re doing work and non-work related stuff,” GFI General Manager Sergio Galindo told TechNewsWorld. “That puts the company at risk.”

“Companies need to be clear on their acceptable use policies,” he said. “Employees need to understand that their computer is a corporate device.”

The surveyors also found this shocking tidbit: More than a third of the respondents (36 percent) said they wouldn’t hesitate to steal company information when leaving their company, for whatever reason.

Breach Diary

  • Nov. 16. U.S. State Department reveals it has shut down its unclassified email systems and public websites after discovering a breach of those systems.
  • Nov. 17. Survey by Incapsula finds DDoS attacks cost organizations $40,000 an hour, with half of attacks lasting between six and 24 hours.
  • Nov. 18. Home Depot estimates pre-tax net expenses to the company during its current fiscal year attributable to the data breach that compromised 54 million customer payment cards at $34 million.
  • Nov. 19. BitSight reports decline in security performance at more than half of U.S. retailers over the last year. Its study of 300 retailers showed 58 percent of them experienced an average security performance decline of 90 points based on a system that uses malware traces and other signs of compromise to measure performance.
  • Nov. 19. U.S. Senate kills bill that would have ended NSA’s daily collection of all citizens’ phone data.
  • Nov. 19. Lookout estimates NotCompatible mobile malware has infected four million to 4.5 million Android phones in the United States. Malware ropes phones it infects into botnets that can be used for sending spam, ordering blocks of tickets from TicketMaster and other outlets, and breaking into WordPress accounts.
  • Nov. 20. WordPress releases version 4.0.1 of its software to address a number of security flaws, including a critical cross-site scripting vulnerability that could be exploited by an attacker to take control of a website.
  • Nov. 21. Target asks federal judge to reject $5 million in claims by banks resulting from data breach that compromised credit card information for 40 million customers of the retailer.
  • Nov. 21. PayPal patches 18-month-old vulnerability in its service that could be used by an attacker to execute commands on the system remotely.

Upcoming Security Events

  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
  • Dec. 3. The Essential Elements of an Optimized Security Operations Center. 1 p.m. ET. Webinar sponsored by IBM/Trusteer. Free with registration.
  • Dec. 3. How to Speed Up Detection of Advanced Attacks. 2 p.m. ET. Webinar sponsored by Threattrack. Free with registration.
  • Dec. 4. Cyber Response in Q4: Special Considerations for End-of-the-Year Priorities. Noon ET. Webinar sponsored by RSA Conference. Free with registration.
  • Dec. 4. Detecting and Deciphering Sophisticated Malware C2 for Intelligence Gain. 1 p.m. ET. Black Hat webinar. Free with registration.
  • Dec. 5. Be an Onion not an Apple. 9 a.m.-4 p.m. ET. Capitol Technology University, 11301 Springfield Rd., Laurel, Maryland. Workshop sponsored by Cybersecurity Forum Initiative. $195/seat.
  • Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course Registration: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.
  • Dec. 9. ISIS Use of Cyber. 4 p.m.-7:30 p.m. Enterprise Hall, GW Virginia Science & Technology Campus, 44983 Knoll Square, Ashburn, Va. Free with RSVP.
  • Dec. 9. The Modern DDoS Attack: Learn How Companies are Responding. Noon ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Dec. 10. Fill the Security Gaps in Your Firm’s Mobile Deployment. 1 p.m. ET. Webinar sponsored by Lacoon Mobile Security. Free with registration.
  • Jan. 19, 2015. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.
  • March 24-27, 2015. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
