Author Archive

Multi-factor, not just biometrics.

Posted in Computers and Internet, General, Security with tags , , , , , , , , , , , on February 5, 2018 by Will

Picture1Biometric authentication is fairly common place today.  Just about everyone knows how to use the Fingerprint scanner on most modern smartphones.  With the newer phones, facial scanning has started to take the place of the fingerprint.  And some Mobile Apps that are trying to up their security beyond the builtin platforms have included iris scanning.  Biometrics check off the “ease of use” and “strong security” check boxes most of the time.

Where it starts to fall apart is when application owners start to implement only biometrics.   For years security experts have been telling applications that they should be implementing multi-factor authentication.  This means they should be pairing two different authentication technologies from at least two different factor groupings.  As a refresher, there are three authentication factor groups, “Something You Know”, “Something You Have” and “Something You Are”.  Taking two technologies from the same factor does not mean you have multifactor, you must have at least two technologies from different factors.  Biometrics fits into the “Something You Are” factor grouping and is a single factor technology.

Today a great write up on the attack vectors that are currently plaguing the most common biometric technologies was published on DarkReading.  The attacks have been darkreadinglogoaround for a while, but they still work.  When you read the article, it impressive as to how simplistic these attacks really.  Biometrics are an advanced technology, and yet a piece of paper, or a gummy bear is all that is needed to break them.  These attacks will be mitigated and solved and new versions of the products will be released, but then that will just invite new attacks.  Nothing is completely secure from some style attack, it just takes longer to find the appropriate attack vector.

Application owners should see these attacks and think back to attacks on static passwords, and on SMS passwords and all of the other authentication attacks.  When you take one from of an authentication factor, there are probably a few different attacks against it.  However, when you start to combine the technologies across the different factors of authentication, the attacks are much harder and even some of them are next to impossible.  The best applications implement multifactor authentication in ways that only call attention to them when it is needed (or detected), and allow a user to continue to do what they need to without being impacted all the time.

Advertisements

Developer Week 2018 opens today

Posted in Computers and Internet, Conferences, General with tags , , , , , , , , , , , , , on February 5, 2018 by Will

Monday morning in Oakland, California and Developer Week 2018 has started.  Registration is going well, and my colleague, Michael Williams, and I are all setup and ready to give our talk tomorrow.  Our talk is on Tuesday from 3:00 to 4:30PM on the home-box-dw-new18second floor in room 208, Workshop Stage 5.  We’d love to fill the room and get everyone in to hear about VASCO Data Security’s latest DIGIPASS for Apps mobile SDK’s and eSignLive SDK’s.  We will take you through how to leverage the free to trial DIGIPASS for Apps API’s to help extend the your apps features and build small security steps on your way to creating a fully trusted and secure mobile app.  We will also help you with implementing a full digital signature workflow moving your app towards a complete electronic document processing implementation.  In the end we hope to leave you with information on how to use all of our technologies to enhance and speed up your mobile app strategy by giving you a number of new tools you can use in your daily development lives.

We hope to see you there, and questions are always welcome!

 

Hackathon @DeveloperWeek 2018 eSignLive by VASCO Winners!

Posted in Computers and Internet, Entertainment, General with tags , , , , , , on February 4, 2018 by Will

Congratulations to our winners!

1st Place:IMG_20180204_155613-devweek2k18-winners

Esfer – This team decided to tackle the legality of Peer to Peer payments.  They created a beautiful prototype of a mobile application where a requester could create a legal document using the eSignLive SDK and send that to the payee where the payee would then sign the document and accept the terms and complete the transaction.

2nd Place:IMG_20180204_155217-devweek2k18-second

VMatch – This team decided to make a mobile app to connect Conference Organizers with Volunteers.  It included a video conference component to interview candidates and then used the eSignLive Android SDK to create a volunteering contract with the organizer.

Great Apps!

Hackathon Day 2 – Let’s see your projects!

Posted in Computers and Internet, Entertainment, General with tags , , , , , , , , , , on February 4, 2018 by Will

Start of the @DeveloperWeek 2018 Hackaton day 2.  We saw some amazing starts yesterday, so very innovative products and cool uses of our eSignLive SDKs.  Today, weIMG_20180204_092558-esl hope to see some of these projects get to a finished state.  You can still register your project online at the show website: http://accelerate.im/challenges/179.  We will be announcing our winners this afternoon, so make sure you get those projects completed for the judges.  If you are looking for our table, we have moved to the second floor, come up and ask us anything.

On a side note, Congratulations @TomBrady MVP, GOAT, and let’s go @Patriots!

1920x1080_pats_wallpaper

$4000 in prizes this weekend, Hackathon @DeveloperWeek in San Francisco

Posted in Computers and Internet, General with tags , , , , , , , , on February 3, 2018 by Will

hackaton-banner-badgeHere we are, hanging out with a huge group of developers in SoMa.  There is a ton of cash on the line from over 20 vendors.  We are here offering $4000 in Amazon Gift cards, $2000 for the first place winner (and you can get an extra $250 if you use the mobile SDK’s) and $1000 for the second place winner (and the same extra $250 for mobile usage, and finally 4 prizes of $250 for the best Reporting Dashboards out there.  So if you’re a developer and need some cash this weekend come down and give it a shot.

Great crowd and some awesome ideas floating around.  It is awe-inspiring to watch allIMG_20180203_121513 these developers at work on different projects at once.  I had a colleague from another vendor take a trip down memory lane and just how much the tech space has changed.  We both worked for internet startups in the early 90’s during the beginning of the Internet.  Things have come a long way.  To get this many developers in one spot all working on problems and solutions that are for all different walks of life, things have certainly advanced.

There is still plenty of time and I’m sure there are plenty of problems out there that need solutions.

Google is doing their part, but it’s still not enough

Posted in Computers and Internet, Security with tags , , , , on February 2, 2018 by Will

A few weeks ago, I posted some statistics about the state of mobile application security.  Specifically a report showed that malware grew over 60% in just the last quarter of last year and the Google Play Store alone published over 9 million new mobile applications last year.

Google Developers BlogThis week Google published that they had removed over 700,000 malicious apps from the Google Play Store.  This is highly commendable, as it shows a firm commitment from Google to help improve their security image.  I think that is what everyone is overlooking, this helps improve the Android Platform security image. The removal of these apps from the closed application publishing service that Google provides is just a drop in the bucket in terms of the actual malware being Android Securitypublished for the mobile platforms.  As my colleague points out in his LinkedIn post, apps can be downloaded and installed from many different app publishing stores and often are.   The Android platform has an image of being more open, and because of this, it is also widely linked to being considered as less secure than the Apple platform.

Attacks exist on both the iOS and Android platform, and pretty much any platform that has a CPU.  With the Android platform being more open and more flexible, it is probably always going to be more open to attack, or at least publicized attacks.  With Apple and with a number of the other computing platforms out there, they are all more closed, so we are less likely to hear about the attacks until something big happens or the media gets a hold of it.

DP4Apps PhoneTaking a stance that the platform you are developing is secure enough without implementing secure controls within your own app is dangerous and negligent. Google and Apple do their part, but the entire app development community needs to be vigilant.  Understand that, while the platforms publish big numbers and clean up their images, this is more about attracting more developers to their platforms, and less about the actual security of those platforms.  Attack vectors change constantly and arrive at different platforms in many different ways, sometimes in control of the OS provider, sometimes not.  As long as developers take the time to implement all of the security controls at their disposal, perhaps your app won’t wind up on the list of breached apps next time.

Join me at DeveloperWeek in San Francisco

Posted in Computers and Internet, Entertainment, Security with tags , , , , , , , , , on February 1, 2018 by Will

Just a quick post to encourage anyone in the San Francisco area this weekend and next week to come down to the DeveloperWeek conference and meet up.

hackaton-banner-badgeOver the weekend I will be attending and helping host an event at the Hackathon.  If you want to play with some new mobile development tools or your interested in cloud digital signature products, come over and give our Hackathon a try.  There are some great prizes for the best projects.  Read more about the event and register for it over here: http://accelerate.im/challenges/179

1Artboard 1And if you can’t get out to the Hackathon, but you still want to learn more about #DevOpSec or just want to know more about the latest tools in mobile application security, come attend our discussion on Tuesday from 3 to 4:30 PM.  We will give you a run down of some of the tools we are giving free access to and then take you through some samples and answer any and all questions.  Register for the discussion and more information can be found here: http://sched.co/DGVX

It should be a great show, and there will be a lot of like minded people around.  Stop by our booth at number #203

%d bloggers like this: