Authentication trends for 2015


Thought I'd take a stab at what will be happening in the user authentication space this coming year:

  • Hackers will increasingly use trojans such as Citadel to target the master passwords for consumer password management applications like 1Password and LastPass. That will cause big problems for the users who are successfully victimized, because a stolen master password exposes every credential in the vault at once rather than one password at a time.
  • Hackers will also continue to attack token and SMS-based one-time password systems that are used for online banking, breaking into more bank accounts and increasing pressure on banks to retire this now-obsolete technology in favor of more secure, next-generation methods that are strengthened with features like device fingerprinting, transaction verification, and behavioral analytics.
  • More companies will have their employee and customer password databases stolen and uploaded onto public torrent sites as part of high-profile cyber attacks, as happened to Sony Pictures in 2014.
  • Heavyweights in the financial services, e-commerce, and electronics industries such as Visa, MasterCard, Google, Samsung, Microsoft, and others will start moving their customers off of passwords and onto biometric authentication, aided by the new FIDO Alliance UAF and U2F standards published in December 2014, and following the lead of trendsetters like Apple, which featured fingerprint biometrics in its new smartphone and tablet releases, and heartbeat biometrics in the new Apple Watch.
  • Emerging authentication technology companies will make a strong push to get their products to market and grow their user base. Companies to watch include ThreatMetrix, YubiKey, Entersekt and Nok Nok Labs, as well as the 200+ early stage startups in this space.
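The second bullet contrasts plain one-time passwords with systems strengthened by transaction verification. The following added example (my illustration, not code from the original post or from any of the vendors named) shows why that matters: a standard HOTP code (RFC 4226, checked here against the RFC's published test vectors) depends only on the shared key and a counter, so a banking trojan that rewrites the transfer after the user has typed the code still gets the code accepted. The transaction-bound variant is an assumed construction modelled on chipTAN-style schemes: the MAC input also covers the recipient and amount the user confirmed, so the same code no longer authorises the altered transfer. The secret key, account strings and amounts are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo key (also the RFC 4226 test-vector key). A real deployment
# provisions a per-user secret in the token or authenticator app, never in source.
DEMO_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits from the MAC, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (HOTP, RFC 4226): depends only on key and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_otp(secret: bytes, counter: int, recipient: str,
                    amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound OTP (assumed construction): the MAC input also covers the
    recipient and amount shown to the user, so the code only fits that transfer."""
    payload = (struct.pack(">Q", counter)
               + recipient.encode("utf-8") + b"\x00"
               + struct.pack(">Q", amount_cents))
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts_plain(secret: bytes, counter: int, code: str) -> bool:
    """Server-side check for a plain HOTP; constant-time comparison."""
    return hmac.compare_digest(hotp(secret, counter), code)


def bank_accepts_bound(secret: bytes, counter: int, recipient: str,
                       amount_cents: int, code: str) -> bool:
    """Server-side check that recomputes the code over the transfer it actually received."""
    return hmac.compare_digest(transaction_otp(secret, counter, recipient, amount_cents), code)


def simulate_tampering() -> dict:
    """Model a trojan rewriting the transfer after the user has entered the code
    for the transfer they intended. Returns what the bank would accept."""
    counter = 7
    intended = ("DE00 INTENDED PAYEE", 10_000)   # constructed: 100.00 to the real payee
    altered = ("DE00 MULE ACCOUNT", 900_000)     # constructed: 9000.00 to a mule account

    plain_code = hotp(DEMO_SECRET, counter)
    bound_code = transaction_otp(DEMO_SECRET, counter, *intended)

    # The bank receives the altered transfer together with the user's code.
    return {
        "plain_otp_accepts_altered_transfer": bank_accepts_plain(DEMO_SECRET, counter, plain_code),
        "bound_otp_accepts_altered_transfer": bank_accepts_bound(DEMO_SECRET, counter, *altered, bound_code),
        "bound_otp_accepts_intended_transfer": bank_accepts_bound(DEMO_SECRET, counter, *intended, bound_code),
    }


if __name__ == "__main__":
    for check, outcome in simulate_tampering().items():
        print(f"{check}: {outcome}")
```

The design point is that a code which authenticates only the user says nothing about what the user is authorising; binding the code to the transaction details (and showing those details on a channel the malware cannot alter, such as the token's own display) is what closes the gap.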

(This post originally appeared as an answer on Quora)

IoT security state of play: can we learn from history?

Originally posted on Peerlyst on 24th August 2014.

In mid-2014 as Peerlyst gets off the ground, one of the biggest challenges facing the security profession is how to secure the Internet of Things. The phenomenon that’s automating everything from artificial dust motes to container ships is about to move into explosive growth mode, if that isn’t already the case. It’s great news for entrepreneurs and the global economy, but for security types this gigantic silver cloud has a distinctly dark lining. That’s because the IoT, with 40 billion devices projected to have IP addresses by 2020, is exponentially growing our attack surface. At the same time, the general level of IoT security is somewhere on a scale between embarrassing and zero. Exceptions apply, of course; the topic is now on the agenda at RSA, Black Hat, and DEF CON, and even the biggest security vendors are starting to pay attention. That’s all positive – but in terms of actual, tested and auditable security controls for IoT systems which are either implemented or on the planning horizon – we’re really looking at very little.

If we take off our white hats for a second and peer into the mysterious world of business, it’s not too hard to see why things are this way. Unless you’re someone with a keen, security-focused mind (which I expect that you are since you’re reading this), it’s more likely than not that as someone who’s bringing cutting-edge products to market, you don’t give a high priority to security until the day you get hit. That’s just human nature, and it’s also history. Think about how the mobile commerce security landscape evolved: technology first, then hypothetical threats, then credible threats, then security response. Or desktop-based e-commerce before that. The same exact thing happened.

To cite just one current example of history repeating, industrial control systems were never designed to be put on the Internet. As stand-alone systems, they were at least secure by obscurity. When they started being merged into the cyber universe, the driver was business efficiency – enterprise users’ ability to monitor their factory’s hydraulic pumps from the comfort of their own bedrooms. Nobody, including Iranian nuclear engineers, gave a thought to threats like Stuxnet, son of Stuxnet, and grandson of Stuxnet. But I bet you that now, Iran has one of the best SCADA security programs on the planet. That’s just how it always goes.

With that in mind, here’s how I think security of the IoT will play out:

Phase 1 (the past 4-5 years): IoT products and systems are brought to market with minimal security built in. All eyes (except for the keen, security-focused ones) are on innovation, financial upside, and the wow factor. An incident happens here and there, but hey, cyber attacks only happen to other people. It’s quickly forgotten and Industry goes back to building the dream.

Phase 2 (where we are today): IoT deployments pick up steam. More security experts point out the risk. Researchers find exploits and show them off at DEF CON. Specialized security products are introduced, and standards groups start to form. But they’re mostly preaching to the choir, and we still haven’t seen any catastrophic cyber event in the IoT world.

Phase 3 (the next few years): IoT is now mainstream, and the inevitable wakeup call happens. Great-grandson of Stuxnet (wielded by great-grandson of Al Qaeda) takes out a power plant, derails a high-speed train, or makes some chemical factory explode. This will happen in Europe, North America, or some other developed part of the world. Now Industry wants security, and it wants it now. If you’re a security professional and have invested in acquiring skills related to IoT protection (SCADA/ICS and sensor network security, real time threat intelligence, etc.), this is when you’ll find yourself … busy.

Phase 4: “Security” will step up to the situation, and at some point it might reach equilibrium and we’ll have a “secure enough” IoT. Or, it might not and we’ll continue living in a world of perpetual cat and mouse like we are today with retailer data breaches. I don’t want to try to predict that far ahead (but please feel free to do so yourself in the Comments, if you have a take on it).

My point is, as Sting once put it, history will teach us nothing.

Micro drones for securing critical infrastructure

To be valuable as a situational awareness tool in critical infrastructure protection applications, a drone needs to be: (a) fitted with one or more sensors (cameras, microphones, chemical or radioactivity detectors, etc.), and (b) networked into an operations center or a single-user device so that its activities can be directed and monitored in real time. By extending the user's reach into remote and confined spaces, these winged robots create new possibilities for surveillance, reconnaissance, investigations, forensics, and search and rescue. And also for outbound missions such as interdiction, delivery, and remote communication.

The tinier they get, the more advantages they offer in being hard to detect and able to enter small and confined spaces, as well as spaces too dangerous for people to go into. They are also extremely inexpensive to operate. According to a January 2014 article in the International Business Times: "The average nano drone costs about $25 per hour to run, in comparison to manned helicopters and planes, which can cost between $600 to $20,000 per hour."

There are some downsides as well, though. Their small form factor makes them highly vulnerable to sudden gusts of wind and collisions with all manner of things including other aircraft (large and small) and people. If they lose network connectivity, it's game over. The vehicles, their onboard controllers and sensors, and their supporting networks will be targets for cyber attacks. And if detected by an adversary, they could be disabled or shot down very easily. Swatted like flies, basically.

Some applications for small- and nano-sized drones in the critical infrastructure protection space include deployment to:

  • Events in progress or their aftermath, e.g. public disturbances, crimes and terrorist attacks, and natural or man-made disasters ... collapsed mines, melted nuclear reactors (some of these may be one-way trips).
  • Sporting events, VIP appearances, political rallies, and other situations where hundreds or thousands of people gather.
  • Railway tracks, yards, bridges, and tunnels; communications and power lines, wind farms, etc. to discover faulty and damaged assets, intrusions by people or animals, etc.
  • Warehouses.
  • Border areas to patrol for immigration violations.
  • Lakes, reservoirs, rivers and oceans to test for pollutants.
  • Ranches, farms and forests for issues with animal herds and crops, as well as unwanted intrusions.

I'm sure you can think of some that I've missed ... there's a ton of opportunity for innovation here.

I won't even get into the privacy implications of this technology (out of scope for this blog) other than to say that privacy as we know it is truly dead and buried, and here's the proof.

I've gathered a few videos here of small drones (basically your quadcopters) and nano drones (those small enough to fit in the palm of your hand).

  • Microdrones MD4-1000
  • Honeywell RQ-16 T-Hawk
  • DJI Phantom Quadcopter
  • The Black Hornet (with apologies for the annoying narrator)
  • The Hummingbird Drone (a DARPA funded project)
  • The Hubsan X4 H107D


I am the eye in the sky

I doubt that Alan Parsons had this in mind when he wrote that song back in the eighties.

Wide area persistent surveillance is a young, and fast-growing field of police technology devoted to making the Eye in the Sky a real thing. It tends not to get a lot of media coverage, and I suspect most of the vendors and their customers like it that way. If you read on, you'll understand why. However, there's been some coverage recently in the US, as The Washington Post, The Atlantic and PBS all ran stories on an Ohio company, Persistent Surveillance Systems, and how their platform was tested (covertly) by the police department in Compton, California (a suburb of Los Angeles). By the look of things, the tests were seen as successful.

The field of persistent surveillance was born in the Iraq and Afghanistan conflicts of the 2000s decade, developed for Allied forces to hunt down people in the service of Al Qaeda and the Taliban. With those days fading into the rearview mirror, the developers are now seeking new markets in the civilian world. The technology involves putting a cluster of very high resolution cameras into an aircraft, and then flying that aircraft for many hours at a time, at an altitude sufficient to capture pretty much everything that's going on below within the cameras' line of sight. Camera footage is fed in real time to a command center, where operators can keep watch on the general situation below. When an event is detected - a robbery or car accident for example - they can zoom down to see individual people and vehicles, begin to track their movements, and dispatch a squad car to give chase. The systems can't yet pick out individual faces, but I'm sure it's just a matter of time before that's possible.

Police departments can keep watch over a whole city in this manner (that's the 'wide-area' part), with great accuracy, and for long stretches of time (the 'persistent' part). The system acts as a force multiplier for law enforcement agencies that use it, allowing them to detect and respond to incidents that certainly would have eluded them in the past.

As you can imagine, the users absolutely love that, and they love the economic part too, most police agencies around the world being more or less budget constrained. The system costs about the same to operate as one police helicopter, but with (the vendor claims) ten thousand times greater visual coverage.

So, the users wax poetic about it. And, as you can imagine, in the US this is causing a stir in the endless tug-of-war between privacy advocates and law enforcement agencies.

My take? Whether you love it or hate it, wide area persistent surveillance is the future of law enforcement, as well as other areas of emergency management - natural disasters, oil and chemical spills, and the like. Of course it will continue to be used in military scenarios as well. In some countries, laws will be enacted to put curbs on what information from these systems government officials can and cannot look at, save in a database, and use in the course of carrying out their duties. In those countries, there will be closely monitored and legally compliant use, but there will be some illegal use as well. That's because the technology will be available on the black market, in the same way as illegal firearms are. In some countries, they won't even bother with the pesky regulations, and wide area persistent surveillance systems will be operated at full force. No matter where you live, privacy, as most of us conceive it, is a thing of the past.

Expect the technology to improve a lot. We'll see miniaturization (picture one of these systems mounted on a micro drone); advancement in camera resolution and performance; faster connection speeds; and advanced analytics software which begins to not only track activity on the ground, but predict it as well, correlating events captured through the surveillance system with other event data gathered across the IoT.

Pretty mind boggling.


Multi-factor authentication market to be worth $10.75 billion by 2020

New research from Markets & Markets predicts that the global market for multi-factor authentication products will reach US $10.75 billion by 2020, at a CAGR of 19.67 percent. Other bits and pieces from the study:

  • North America is the biggest multi-factor authentication market, followed by Europe and APAC. In ROW (rest-of-world in analyst speak), the Middle East and Africa are the largest contributors.
  • The two-factor authentication model covers almost 90% of the market for multi-factor authentication, where banking & finance, travel & immigration, and commercial security are the major applications.
  • Three-, four-, and five-factor authentication models are less used when compared to two-factor authentication (well we knew that).
  • Three-factor authentication schemes include smart card with PIN and biometric technology, smart card with two biometric technologies, PIN with two biometric technologies, and three biometric technologies combined.
  • On the other hand, four- and five-factor authentication includes the use of smart card and PIN with more than one type of biometric technology such as face recognition, fingerprint recognition, voice recognition, and so on.
  • Three-factor authentication is mostly used in private access areas like bank lockers, secret data access, defense, travel & immigration.
  • The use of four- and five-factor authentication models is restricted to high cost projects in defense, research, and government-based applications.