Tag: digital identity

Why so much data?

New Year is coming, and usually, during this period, people assess what they did during the previous year. As a person with skills and experience in the defensive part of cybersecurity, I am always quite sensitive about sharing information, contracts, and legal documents with anyone, including institutions. During the last year on multiple times, I had to present official documents and explanations of why and how I did something. On one of the occurrences, I had to deliver around 20, again 20 papers to prove my right. Some of the documents did not relate to the right I wanted to execute, but the institution tried to enforce on me their policy. The representatives in the office even told me that I should trust the institution and that this was the first time someone asked for their data retention period, how they will assure that they will destroy the documents after that period and why they need the data at all.

During the last year, all of these experiences triggered the following questions in my mind – Is my data safe in any institution? Will it be in a safer place if I take care of my data, but not an institution? Can an ordinary person achieve a better level of security than an institution? 

The diagram shows a standard SSD storage system architecture used in almost all database systems. Because of its unique way of storing information, the standard secure delete procedures do not erase the data securely. Special tools are needed for this action, and we could only hope that the institution SysOps department is qualified enough to erase the information properly

For all of these questions, the answers are usually – it depends on the level of expertise of the defending side. So it largely depends on the professionals the institution hired. To strengthen my statement, I can list several case studies that showed how attackers could penetrate even institutions and leak data:

  • Bank Hack: During a regular penetration testing exercise, a team of white hats managed to penetrate multiple office branches of a substantial French bank. Only in one of the offices did the employees ask the penetration expert to identify himself and ask the headquarters whether they sent anyone.
  • Government Taxes Authorities Hack: A couple of years ago, a hacker managed to leak multiple gigabytes of data from the Bulgarian Taxes Agency. The security hole had been opened for an extended period, reported numerous times, and no one took action to close it.
  • Universities Hack: At the beginning of 2021, multiple US universities, including members of the Ivy League, were hacked, and the personal information and documents of their students, lecturers, and professors were leaked to the public.

In conclusion, I think we could safely assume that taking care of our data is our right and responsibility. I am happy to delegate this responsibility only to legal professionals (lawyers, notaries, and judges). They work with confidential documents every day and know how a data leak can affect people. In any other case, sharing data with 3rd parties must come with at least a declaration for their data retention practices and how they destroy the data (there are security practices for doing that correctly). 

How cryptocurrencies can help small communities?

One of the things I like the most about the cryptocurrencies model is that it gives an alternative. An alternative to the standard financial model, where you have a centralized certification authority and issuer, which issues new coins, banknotes, or whatever is the name of the payment object for the payment system. One big problem with that system is that it leads to centralization and naturally converts the places with issuer rights (aka central banks) into cosmopolitan districts. The traditional banking system gives them much more economic power than the smaller and more rural communities.

In comparison with cryptocurrencies, everyone can open a bank. We even can choose whether to have a distributed or centralized issuing model. In Bitcoin, for example, the issuing model is a distributed one, and this choice regularly leads to significant fluctuations in the exchange rates with the standard fiat-based currencies. Additionally, there is a cap on the number of Bitcoins, which can be issued, and this way, there is no realistic option for fighting inflation or even speculations. Having that in mind, I think we could agree that the Bitcoin model is far from ideal and could only play a digital alternative for gold, which automatically means that Bitcoin is not a currency in the traditional sense.

On the diagram, you can see a standard blockchain architecture, where the ledger is distributed, leading to distributed transaction signing and verification

Let’s analyze what will happen with the other model of a centralized issuer and no cap for issuing new coins. Still, it is essential to note that the transaction verification will remain distributed, such as in Bitcoin, but we will centralize only the issuing part. For sure, the model will need a legal way to inject itself into the standard fiat financial model and play nicely with it. At the same time, if we want to increase the local communities’ economic power, we shall need a solid local legal government-based entity doing the coin generation. And such a legal entity is the local area municipality.

Such an idea will effectively transform every municipality into a local central bank issuing new coins based on the economic stats for the metropolitan area governed by it. Additionally, at the moment, all the taxes are sent to the centralized bank. Once per year, the government decides how to distribute these taxes to all different city areas’ budgets. As an alternative, with the proposed model, we could choose to receive 30% of our income in the local municipality cryptocurrency and even pay our taxes on this 30% to the local municipality-based bank. Furthermore, the municipality could use this money to plan its budget.

In conclusion, cryptocurrencies can give us quite interesting financial alternatives. For sure, the exchange rates system between the different local municipality-based currencies will be an exciting problem to solve. However, we should keep in mind that we are already solving this problem globally, and we could take inspiration from how it is already solved. Some smaller cities and towns already tried issuing their cryptocurrencies. But, without the local taxes part, such endeavors are not economically viable and will not lead to any mass scale change.

Is vaccination certification the way to go?

We are almost two years into the COVID-19 world, and we saw a good number of ways to control the pandemic. We now have vaccines, which will hopefully become better and better with time, and finally, the pandemic will be over. With the bright light in the tunnel, there are some disadvantages to our privacy. Many governments decided to issue digital vaccination certificates and grant access to part of the locked-down social services such as cinemas, bars, hotels, concerts, etc. However, we need to understand that such a solution comes with its burden, especially if it is not appropriately designed.

But what are the different methods of actually issuing a digital certificate for any data? We need a CA (certification authority) to sign somehow our data. In the paper world, this happens using the signature and the stamp of a notary. In the digital world, the certificate is signed by a computer machine using modern cryptography methods. There are different mediums for this digitally signed certificate, and I shall cover them in a shortlist:

On the diagram, you can see a standard NFC solution technical diagram. The reader is sending energy and data using electric magnetic fields. The NFC data storage is passive and usually does not have a battery.
  • A printed certificate with QR code: For many years, the aviation industry has used QR codes for authentication purposes and a faster onboarding experience. The QR code contains a signed data read by the boarding gate, and if adequately verified, the gate allows the passenger to pass through. This method gives good privacy from a privacy point of view, but you will need to keep the paper with you constantly. And this is especially true in the case of a vaccination certificate. Additionally, everyone can read the QR code.
  • A digital record based on your data: Almost every person on the Earth has a personal identification number issued by his/her country of origin. The government could use this data to base the vaccination certificate on it and record your number of shots into an online server. However, this is the most terrible method in terms of privacy, because usually vaccination plan is personal data and must have a proper authentication mechanism defending it.
  • NFC-based certificate: Modern digital ID cards use this technology to keep a signed copy of your data. This way, everyone with an NFC reader can read the data from your card and verify it using the stored digital x509 certificate. As opposed to the paper solution, the NFC one is reprogrammable, which means we could reuse the same card/chip to update the data with more medical information, and everything stays locally in the card. This option is the best in terms of privacy. However, you will need an NFC reader-protected purse or backpack to keep the data safe.

In conclusion, digital vaccination certificates can help governments control the pandemic. However, there are many privacy issues in the long term, which could affect the general population. For example, what happens if hackers manage to collect data for everyone, whether vaccinated or not, and create illegal lists with people, which employers can later use to decide whether to hire or not a given candidate. There are already cases with illegal chronic diseases-based lists distributed on the black market. We could easily see a similar future for our vaccination passports data.

Why You [Don’t] Need a VPN in 2021?

In 2021, the VPN users are in their billions, with an average user growth of 8%. According to a recent study conducted in early 2021, 50% of the respondents claimed to be using a VPN regularly to access usually restricted entertainment content. These VPN users were predominantly younger, and 62% identified as male by gender. Geographically users in the Asia-Pacific region make up a majority of all those who access a VPN with 30%, compared with Europe and North America, who combined made up 32% of those accessing a VPN worldwide.

VPNs are getting pushed as a must-have multi-service product. Are they?

VPN stands for Virtual Private Network, and it gets used for a variety of things. It can protect your online privacy by hiding your traffic and location. It masks your IP address making it easier to bypass censorship and geo-blocks. But its primary purpose is to provide your organization an encrypted tunnel to your enterprise network.

On the diagram, you can see how different users connect to a VPN (black is for the local user network, and red is for the connection to the VPN). After that, the VPN server redirects your connection to the website you want to use. The website will see your IP as the VPN’s IP (blue connections).

A remote-access VPN creates a connection between individual users and a remote network.

Remote access VPNs use two key components: Network Access Server (NAS), a dedicated server, or a software application on a shared server connected to the business’s internal network. And the second component is VPN client – software installed on a user’s computer or mobile device.

VPN protocol secures the data you input when registering on websites and creating accounts. It ensures that even if attackers manage to sniff data from you, they will need more resources to decrypt it. Some VPNs even block malicious ads, trackers, and websites that stealthily download malware on your device without you even realizing it. That’s how VPNs get advertised, and on the surface, all that sounds useful, right? The critical thing is, you don’t need a VPN to do everything listed above.

With all that they do, many people wonder if VPNs are even legal. VPNs are legal in most countries, with only a few exceptions. Places that either regulate or outright ban VPNs are China, Iraq, North Korea, Oman, Russia, and the UAE, to name a few. A downfall of using a VPN is that your connection speed will suffer slightly. Many will also admit that setting up a VPN, especially for some specific business needs, could be time-consuming and may challenge your tenacity.

A negative aspect of VPNs is that while you may be keeping your data encrypted and safe from hackers, that doesn’t apply to the VPN company. Whichever provider you’re using, it has access to all of your information – location, IP address, which sites you frequent, all manner of sensitive data. Do you think it wise to trust a company with such private information?

You can ensure your online security without turning to the services of a VPN. There are a few key steps to follow.

As already mentioned, make sure only to visit secure websites – starting with HTTPS:// instead of HTTP://. Next, two-factor authentication is your best friend when logging into a site. Add an extra layer of protection. Physical keys are an excellent option for that task. They vary in price, but there are affordable options. If you can’t manage to get one, use an SMS or email authentication. Use whatever you can to ensure a two-step verification when accessing sites. It can save you a ton of trouble. A username and password aren’t enough.

Another helpful step to ensure security is not to use shared devices. Sharing a laptop or a PC with a third party is a terrible idea as it can open the floodgates to malware, keyloggers, and who knows what else. And, lastly, update regularly. That may sound like a no-brainer, but people tend to postpone updates indefinitely. Don’t do that. Timely updates go a long way.

But, if you want to use VPN, please use providers, which offer VPN over Tor and anonymous registration. They must take payments in cryptocurrencies as well. This setup provides you some privacy and a way to avoid firewalls. However, this setup can be categorized as a grey or black hat technique in many countries and could bring you troubles.

Does Your VPN Protect From Cybercriminals, or Invite Them In?

The Coronavirus pandemic forced a variety of new adjustments on people. Most offices had to close down, and workers had to turn to their home offices to do work. Schools, universities, most places of education did the same and introduced home learning. Most entertainment outlets were no longer accessible either – the movies, theatres, concerts, everything got canceled or delayed. Home computers and laptops became an essential piece of technology at home. We use them for work, study, and fun. But can you trust them to be secure enough not to lead to trouble? You might be thinking, ”Well, I have a VPN, I’m safe.” But are you?
What is a VPN, and what does it do? VPN stands for virtual private network, and its general role boils down to two words – connectivity and security. A VPN extends a private network across a public network and allows users to exchange data across shared or public networks as though their devices connect directly to the private network. VPNs shield your original IP address and protect your data. If you join a VPN to your router, it covers all your devices connected to said router. Like, phone, PC, laptop, gaming console, smart TV, and other IoT devices.

On the diagram, you can see a standard VPN network configuration. The blue lines represent encrypted tunnels from different networks to your company infrastructure. After packet inspection with the red line, your Firewall sends the traffic to your VPN server. Finally, the VPN server decrypts the traffic and sends it to your local corporate network.

In Corona-times, VPNs are a godsend for employees who aim to reach and use corporate resources. They connect to the company VPN and go about their daily business. The question is, do they use a company device to do their work, as a company PC or laptop, or do they use a home one? That makes all the difference. If you connect the company VPN on your home network, you expose your company to malware. Think about it. What if you, or a family member, carelessly clicked on something they shouldn’t have, and now malware lurks on the PC that you’re connecting to your corporate network?
Another issue with that scenario is what type of VPN the home-office employee turns to exactly? Is it a consumer VPN server based in a different country? That’s risky.
Employees find themselves in a completely new situation, unique to both them and their employer. What had previously gotten used only on rare occasions or emergencies is now used on a regular day-to-day basis, given that 100% of the workload gets done from home. That makes workers vulnerable to targeted attacks. There are already examples of that. According to Sultan Meghji, CEO of Neocova (a cloud-based suite of banking solutions company), several bank CFOs became victims of criminals and state-based attackers.
Cybercriminals are on the lookout for easy targets. They search for open WiFi and encryption that they can break easily. Don’t be that easy target! An excellent way to up your home cybersecurity is to update your router. Ask yourself whether the router you use daily is older than your phone. If yes, replace it ASAP.
Another way to keep the office and home systems safe is education. Employers should educate their employees on cybersecurity and the best practices to implement for the most protection.

Cybersecurity tactics for small teams – Physical Security – part 1

In the next couple of months, I shall write series of articles covering the topic of cybersecurity on a limited budget. The idea is to show you different methodologies for how to keep you safe without spending too much. The articles will cover various topics such as physical, computer, and mobile security. Additionally, as part of this series, I shall publish two articles covering business security and public image preservation. A final overview article will summarize all written and consist of a sample budget to cover your cybersecurity needs. It will be a good reference for startup and SME organizations. They can use it to establish or upgrade their cybersecurity defenses.

Different authors wrote many books and articles on keeping your computer and mobile phone safe for the past couple of years. Unfortunately, most of these writings ignored one fundament of cybersecurity. Without properly secured hardware devices, all of your defenses are meaningless. Of course, other authors wrote whole books on physical security, but no one covered it from a cybersecurity perspective. This article aims to cover this perspective and give an exemplary workflow of achieving adequate protection on a tight budget.

You can see a sample dependency graph of how an organization must structure its cybersecurity defenses on the diagram. As you can see, everything starts with physical security, and after that, you build more pieces on this fundament.

So let’s start it. 

There are multiple online threats to your security, and let’s start with them. During my time working in different companies, I saw many people neglecting these threats. Fortunately, these mistakes did not lead to escalation. But let me list them and give a short explanation of how they can affect you.

  • Social Platforms: Sharing your life is an excellent way to keep in touch with your friends and relatives. At the same time, it opens possibilities for hackers to monitor you. Monitoring is essential for other types of attacks. Usually, hackers execute these attacks in the following phases.
  • Shared Travel: Shared travel is a new way of traveling around. It increases comfort and lowers down the price of travel. At the same time, travelers organize the travel in public social media groups. Everyone can join this group and monitor when you travel. Such information is valuable, mainly if attackers target your home or office space.
  • Cyberstalking: Your online persona can trigger destructive emotions, and usually, this evolves into cyberstalking. It is essential to limit down exposure to such threats because they can end up into physical ones.
  • Navigation Devices: Using online navigation is lovely in terms of comfort, but most navigation software collects a considerable amount of data. Hackers can correlate this data to your real persona and monitor your life and travel plans.

As you can see from the list, different parties can monitor a good number of your online activities. With enough time and resources, these parties can execute future attacks on you. For real estates, we can create a similar list:

  • Social platforms: The situation is the same as in the previous paragraph. Attackers can execute multiple attacks using the information gathered by your social media accounts.
  • Smart Home Assistants: Smart assistants are hardware devices placed in your home. Usually, they have always turned on microphones to catch your commands and execute different orders regarding your house. At the same time, they can be hacked and used to monitor your activities.
  • Camera arrays and sensors: These days, many people install cameras and sensors attached to the Internet. Without proper cybersecurity protection, attackers can use these hardware devices to monitor your activities.
  • Laptop and smartphones: Same is true for laptops and smartphones without a proper security defense. Hackers can use them for monitoring your activities.

Intruders can use all of the upper threats to execute next-stage attacks on your real estate. Another aspect of your physical security is the security of your vehicle (car, truck, and other vehicles). As vehicles become more and more intelligent and automated, their vulnerability to hacks increases. Next are the common threats you can face with intelligent vehicles:

  • WiFi Access Points: Modern cars have WiFi access points in them. Or in simple words, this is a network router, which is part of your car’s computer. This router can be hacked and used for malicious activities.
  • Smart Locks: The current trend in the automotive industry is making cars more and more intelligent, including their locks. Of course, this is a wrong decision in cybersecurity because the makers increase the penetration surface with new functions and capabilities. Some of these locks use older encryption protocols, not updated with years.
  • Autopilot: Most modern e-cars support autopilot as a feature. Autopilot is a fancy name for a sophisticated computer program, which drives the car for you. And being a program, autopilot runs on a computer, and this computer can be hacked and used for malicious activities.
  • Real-time Updates: Newer car models receive constant updates on the fly. They follow the process your operating system uses to update itself. How secure this process is rarely publicly disclosed.

Next part is – here.

Is Identity-Based Passwordless Authentication the Way to Go?

User identity and security have continuously been reinforced in the organization by the use of strong passwords. User accounts tend to be restricted based on specific passwords typed. However, that has changed due to the technology rise that has wiped away the traditional password methods. Although some organizations still prefer passwords, authentication is slowly evolving to be passwordless due to convenience and efficiency purposes. Identity-based passwordless authentication is the focus of organizations and IT migration.

Passwordless authentication helps curb the insecurity that is common with organizations. The trends in cybercrime require that organizations implement robust measures of security in helping minimize the consequences.

Most technology-driven organizations have already implemented identity-based passwordless authentication. One popular method is biometric authentication as the main component of identity-based passwordless authentication. It integrates the biological features to develop some of the most effective solutions for signing into information systems and corporate portals. Significantly, a better approach to the management of user profile security and accessibility is by leveraging the biometric features and integration with IT to help promote a seamless process of identification. However, it is essential to ensure that the biometric data stays on your device and is adequately encrypted. In another case, once stolen, anyone can reuse it. Other methods use directly public and private key cryptography to achieve the same results.

You can see a sample passwordless authentication based architecture on the diagram. Users use a gesture to unlock a hardware device and different apps use the private key stored in this hardware device to sign a random token. Later this signature is verified on the server.

The uniqueness and strength of restricted access are robust in passwordless protection. Its features help in the promotion of quality and proper protection techniques, which are vital. Considering diverse approaches and key organizational security management measures, organizations have opted for identity-based passwordless authentication.

Cybersecurity is a significant concern, with hackers targeting high-profile organizations and creating weak points while accessing sensitive information. According to recent research, technological migration has been towards passwordless identification. The users do not have to use password authentication to access the organizational profiles. Necessarily, integration and passwordless leverage are vital in implementing the proper security protocols to achieve the desired security goals.

The feasibility of identity-based passwordless authentication is another competitive advantage. Passwords are tedious. Every time you enter them, you waste time as a significant impediment to a flawless work process. Most employers prefer passwordless authentication because they implement strategic and focused measures to improve access levels and ensure necessary and fundamental elements.

Passwords are the primary targets for hackers since they only have to master the keywords and process execution, which results in cracking of the security architecture. Biometric technology is the best way to focus and help advance its security needs, mainly by implementing efficient identification processes.

According to attackers’ behavior analytics, a strategy to reduce the attacks is by sensitizing people to implement passwordless authentication. Natural features are unique, and the level of security provided by investing in such technology is excellent. Howerer, the future will show whether it will help to improve safety and to meet various businesses’ needs regarding cybersecurity solutions.