Hacking by sound not that simple

A recent story from Reuters kicked up a bit of a stir by claiming that hackers could use sound to steal data from a computer or network. The story was true, but it turns out not to be the whole story, and the problem is smaller than the report implied, according to cybersecurity expert Jack Wolosewicz. Here's the interview.


Secure collaboration is a quiet trend at #52DAC

By Lou Covey, Editorial Director

While outsourcing software and design development is a common practice, the idea of putting your company’s crown jewels into the cloud for a freelancer to monkey with tends to drive sales of anti-emetics. Can you safely allow virtual strangers to access your server, or should you just suck it up and overwork your employees?

That has been a continuing conundrum for the Electronic Design Automation (EDA) industry and its customers in the embedded software and semiconductor industries. Larger companies, like Synopsys and Intel, either build their own security controls into their collaborative tools or work with some of the big players, like IBM and OpenText. The costs of those tools, however, don’t always fit the budget of smaller companies and can be a hindrance to outsourcing firms.

What makes the whole issue more difficult is that while companies readily admit it is an important issue, not many are actually willing to talk about what they are doing about it.

At the Design Automation Conference in San Francisco this week, there was a noticeable presence of companies stating that they actually do provide for secure collaboration and were more than willing to tell you who they provide it for. One of the main players, OpenText, proudly proclaims its list of customers, including, in the electronics world, Alcatel-Lucent, Cirrus Logic and Renesas (see interview here).

Other players, like the recently funded Zentera, not so much. We visited Zentera’s booth at the Design Automation Conference and they were quite adamant about not saying anything substantial on the record, but their website touts a lot of partners, including Microsoft and Qualcomm.

Then you get into the realm of the EDA tool providers and the walls go up quickly. Mentor Graphics expressed surprise that one of their major customers, Qualcomm, was working with Zentera to provide secure collaboration. Synopsys and Cadence claim their own “cloud” solution, consisting of private servers stuffed in their headquarters building.

Dassault Systeme, on the other hand, was quite effusive about its Enovia collaborative platforms, which scope security according to roles, geography and hierarchy. Dassault is relatively new to the world of semiconductor design and is making a strong effort to differentiate itself from the “holy trinity” of Synopsys, Mentor Graphics and Cadence. It has been miles ahead of the EDA industry on the issue of collaboration and security, simply because of its much broader range of customers, including the mil-aerospace niches that require a standardized approach.

For third-party providers of design services, these secure collaboration platforms can open doors to working with the most cutting-edge technologies, where teams are often strapped for resources. Customers that want to integrate design environments from multiple sources can use them to bring external design teams into an all-encompassing environment without giving up those aforementioned crown jewels. If the customer doesn’t want the additional expense, it might be worth the investment for outsourcers to adopt the collaboration platforms themselves and work the cost into their services overall.

Outsourcing has become a positive-sum game with benefits for many

This is the latest in our ongoing series of articles on outsourcing, its benefits and downfalls. By Lou Covey, Editorial Director

Outsourcing product design and manufacturing has become an international way of life despite the concern that it takes jobs away from one country in favor of another. As the practice has matured, it has become more of a positive-sum game, as long as the participants realize it works best as a cooperative exercise.

The decision to outsource any part of a product lifecycle is no longer a matter of which country a company will choose, but which countries. High-precision work is still the realm of the United States, with Western Europe a close second. Mass production of mid-quality products is still an acceptable choice, even though costs are starting to rise. And Central Europe is rising as the choice for high-quality, low-cost software design.

In the end, companies have a much greater choice in how and where they choose to put together their products and services and it tends to result in jobs all around the world.

We spent some time talking to George Slawek, the managing partner of the software outsourcing company Eurocal Group, which keeps management, customer relations and sales in the United States, combined with software developers in Poland. We found he sees business as not either/or. He says Poland offers options not available elsewhere, but it is not the be-all and end-all of options. You can listen to the 10-minute discussion here.


(Full-disclosure: Footwasher Media provides consultation to Eurocal Group on content and marketing strategy)

Data breach fatigue and NIH fuel ineffective cyber security


This is another part of our ongoing series on outsourcing services, again focusing on security. Large companies rely on the work of outsourcing providers for developing security solutions and containing breaches. By Lou Covey, New Tech Press

News reports about data breaches are almost a daily occurrence. Companies spend millions on identity protection services for affected customers while the same types of breaches continue with no end in sight. The sheer volume of data stolen is astronomical, begging the question: why isn’t anything being done?

“There is no financial reason for companies and governments to do anything about the problem because we have not seen any significant economic damage done to the companies or their customers,” said Anne Saunders of Eurocal Group, a U.S. software development company.

She has a point. Relatively few people have actually experienced personal financial loss. For example, just last week, Target announced a settlement of $10 million for the breach that compromised the data of more than 100 million people -- 10 cents for each victim, not counting legal fees.

While the amount of data stolen has been massive and grows with each attack, the money spent on identity theft protection for and by those customers after any given attack is extremely low. The entire ID theft protection industry is currently only $3 billion annually, with a projected growth rate of 0.5 percent and no measurable profit. The number of companies in the market makes each slice of that pie very thin, so it’s not a business for the faint-hearted. The good news for that industry is that corporations are adding budget for those purchases because, well, it’s relatively cheap.

Eurocal Group is one of many companies providing outsourcing services to companies around the world, and they are finding growing demand for services backed by deep experience in cybersecurity. “If security isn’t a significant part of your development, whether it is embedded systems or web design, you’re just asking for trouble. Lucky for us, lots of companies have not been thinking about security,” Saunders said.

A battle weary market

Then there is the problem of breach fatigue. The number of people affected by breaches is impossible to measure because of the interconnectedness of the data: one person might be affected by the Target, Anthem and Michaels breaches and another might not be affected by any. A recent report from Experian stated that 62 percent of consumers received at least two breach notifications in the past year.

Correlating with the Experian survey, market research firm Ipsos reported in December that 62 percent of consumers in the US are now concerned about the security of their data, up from 53 percent the previous year. However, 85 percent reported that they knew no one whose data had been compromised, and only 6 percent reported having been the victim of a breach themselves. So while there is growing concern, there is hardly any demand from the market to actually do something about it.

Which may be why some leading figures in the industry tell consumers they are pretty much on their own. Herjavec Group founder and CEO Robert Herjavec discussed the recent and massive breach of Anthem in an interview with Fortune magazine. He stated that the integrated nature of health care systems requires consumers to take responsibility for security. “They must diligently check credit card records, and monitor their personal records with insurance and medical providers to mitigate the risks of credit card fraud and identity theft in the fallout of this breach.”

Don’t just do something, stand there

The U.S. government is also concerned about cybersecurity and is convening panels and study groups from the federal level all the way down to the municipal. They have produced reams of legislation designed to deal with the issue, but there are two problems: 1. The legislation is designed more for show than to actually deal with the real problems; 2. The legislation is designed to improve and control government surveillance, rather than the security of voter data.

Better progress is being made in the European Union, especially in the smaller countries of Central Europe, according to Jack Wolosewicz, CTO of cybersecurity startup Certus Technology Systems. He said Europeans seem more open to security innovation than the U.S. government and large corporations. "They tend to outsource to known companies, like RSA and Verisign, not because those are the best solutions but because, if there is a breach, they can say they went with the best known solutions. So no new ideas are considered."

Wolosewicz said the "CYA mindset" is the biggest barrier to adoption of effective security in large companies and enterprises, which means smaller enterprises are more likely to be willing to look outside the box.

“Financial services and internal corporate security is taken more seriously with big bucks being spent on 2nd factor authentication like RSA tokens,” he stated. "Expensive and outdated as they are, there is a market for that because relying on passwords alone is not a security strategy that anyone trusts any more. For mass markets, single-sign on is everywhere and browsers remember your passwords because it's easy for users, but it’s still passwords and that only increases risk."

Wolosewicz pointed out that Microsoft and Yahoo have launched initiatives to move away from passwords, so there is some movement in the right direction. "Mass markets are happy to pay for a better user experience to attract new users, but till now, better security meant worse user experience."

In the end, the major players that control what happens to the consumer data are not financially incentivized to change how things are done. Since their customers have pretty much accepted the status quo, any substantial change will have to come from non-traditional sources.

“We’ll take that business,” Saunders concluded.

Solving the weakness of password protection

This is part one of a two-part interview with Jack Wolosewicz, CTO of Eurocal Group and founder of Certus, a security technology firm. We talk about the inherent weakness of passwords in relation to the growing use of streaming video.

Sponsored by Blaylock Engineering, EuroCal Group, MeBox Media and Busivid.

Sony hacks may force companies to eliminate passwords

This article is the first of a year-long series looking at outsourcing services and how they are no longer just a means of saving money. Today we look into the arena of cybersecurity and a startup using contract software design to create a new security paradigm.

By Lou Covey, Editorial Director

The hack of Sony Pictures, and the terror threat that followed it, laid bare the inherent weakness of cyber security in the world. Even the most powerful firewall technology is vulnerable to the person holding the right user name and password (credentials). In the case of Sony, administrator credentials were stolen through an unsophisticated phishing attack, allowing the hackers to bypass the Sony firewalls and storm the corporate castle. Stolen credentials are the most common way hackers get into a system.

We have all heard stories of new technologies that overcome this basic flaw, from biometrics to two-step verification, none of which seems to be taking significant hold in the cyber world. According to Jack Wolosewicz, CTO and co-founder of Eurocal Group, corporations are reluctant to move beyond the familiar. Articles in the Harvard Business Review and Fast Company lean toward agreeing with him. Companies are dedicated to giving customers what they are willing to accept, not necessarily what they need, and they won’t force new paradigms on them. But Wolosewicz says there is no such thing as a strong password.

“All passwords are weak because they are easily stolen and their complexity is irrelevant once a hacker has a copy of the password,” he explained. “This enables the hacker to masquerade as an administrator and, snap, the passwords, personal data and credit card numbers of millions of users are now in the criminal domain.”

However, Wolosewicz said, in the area of cybersecurity, that reluctance may give way to necessity. “We may be at the pain point where all of us are willing to look at something significantly different.”

Wolosewicz has a deep background in computer security, and after working as CTO with the team at EuroCal Group, he realized he had the engineering resources to create a security system that eliminates the password paradigm, and that he could do it without the usual startup costs and headaches. Certus was born. Wolosewicz serves as CTO of Certus as well, managing the Eurocal engineering resources for both companies.

The Certus cryptographic protocol is based on a “one-time pad” cipher, proven unbreakable in 1945. That proof holds only when the pad is truly random, at least as long as the message, kept secret and never reused, and it covers the cipher itself, not the key distribution and software built around it. The system creates a sonic digital handshake between a mobile phone and any device wishing to authenticate the user. If the phone is stolen or lost, the user just deactivates it. High-security applications may be reinforced with second-factor authentication, so a lost cell phone in the wrong hands does not pose a threat.

“The Certus authentication system eliminates user credentials that can be separated from the user and misused in an attack,” Wolosewicz claimed. “It is significantly easier to use than two-factor verification and more reliable than biometrics. The cell phone has become an appendage for most of us and now it can become a universal key to the Internet. It’s keyless entry for the Web.” In payment systems applications, Certus never stores user credit card information, so even if a corporate system is somehow compromised, no credit card numbers or passwords can be stolen.
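The article does not detail the Certus protocol, so as an added illustration (my code, not Certus’s) the Python below models the two points made above: a static password, once copied, is accepted forever, while an authenticator that burns a fresh slice of a pre-shared one-time pad on every login cannot be replayed from a captured transcript; and a pad that is ever reused leaks the XOR of the two messages it protected. The out-of-band pad provisioning, the 16-byte slice size, the challenge/response shape, and the rule that the verifier advances its cursor only on a successful login are all assumptions of this example, not claims about the product.

```python
import hmac
import secrets

SLICE = 16  # bytes consumed per login (assumed size, not from the article)


def make_pad(n_logins: int) -> bytes:
    """Pad shared out-of-band by phone and verifier (assumed provisioning).
    It must come from a CSPRNG; a predictable pad forfeits the OTP proof."""
    return secrets.token_bytes(n_logins * SLICE)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad slice must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


class PadParty:
    """One side of the handshake: a copy of the pad plus a cursor that never rewinds."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._cursor = 0

    def peek_slice(self) -> bytes:
        if self._cursor + SLICE > len(self._pad):
            raise RuntimeError("pad exhausted: re-provision, never wrap around")
        return self._pad[self._cursor:self._cursor + SLICE]

    def advance(self) -> None:
        self._cursor += SLICE


def phone_response(phone: PadParty, challenge: bytes) -> bytes:
    """Phone encrypts the verifier's challenge with its next unused slice and
    burns that slice, so the same response bytes are never sent twice."""
    response = xor_bytes(challenge, phone.peek_slice())
    phone.advance()
    return response


def verifier_accepts(verifier: PadParty, challenge: bytes, response: bytes) -> bool:
    """Verifier recomputes with its own copy of the next slice. It advances only
    on success, so a bogus submission cannot desynchronise a legitimate phone."""
    expected = xor_bytes(challenge, verifier.peek_slice())
    if hmac.compare_digest(expected, response):
        verifier.advance()
        return True
    return False


def run_login(phone: PadParty, verifier: PadParty):
    """One full exchange: fresh random challenge, phone answer, verifier decision.
    Returns the transcript an eavesdropper on the channel would see."""
    challenge = secrets.token_bytes(SLICE)
    response = phone_response(phone, challenge)
    return challenge, response, verifier_accepts(verifier, challenge, response)


def replay_succeeds(verifier: PadParty, challenge: bytes, response: bytes) -> bool:
    """Attacker resubmits a captured transcript. The verifier is already past
    that slice, so the old response no longer matches."""
    return verifier_accepts(verifier, challenge, response)


def static_password_accepts(stored: str, submitted: str) -> bool:
    """Contrast: a static password is the same bytes on every login, so one copy
    (phishing, keylogger, breached database) is accepted indefinitely."""
    return hmac.compare_digest(stored.encode(), submitted.encode())


def pad_reuse_leaks(m1: bytes, m2: bytes, pad_slice: bytes) -> bool:
    """The failure mode: encrypt two messages under the same slice and the XOR
    of the ciphertexts equals the XOR of the plaintexts; the pad cancels out."""
    c1, c2 = xor_bytes(m1, pad_slice), xor_bytes(m2, pad_slice)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    pad = make_pad(4)
    phone, verifier = PadParty(pad), PadParty(pad)
    c, r, ok = run_login(phone, verifier)
    print("login 1 accepted:", ok)
    print("replay of login 1 accepted:", replay_succeeds(verifier, c, r))
    print("login 2 accepted:", run_login(phone, verifier)[2])
    print("static password copy accepted:", static_password_accepts("hunter2", "hunter2"))
    print("reused pad leaks plaintext XOR:",
          pad_reuse_leaks(b"attack at dawn!!", b"hold position!!!", pad[:SLICE]))
```

The point to take from the model is that the strength comes from the slice never being used twice, not from the XOR: an eavesdropper who captures a challenge and response learns that slice, but it has already been burned. Everything the OTP proof does not cover (how the pad reaches the phone, how the two cursors stay in sync across lost messages, what happens when the pad runs out) is where a real product has to earn its own security argument.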

For the past few years, and going even further at this year’s CES, consumer electronic devices, from mobile phones to automobiles, are filled with easily hacked technology, even if it isn’t currently activated. There are already reports of smart TVs being used to harvest data on customers, without their knowledge, while they watch their favorite programs. The rapidly growing popularity of streaming entertainment means a growing number of online accounts protected by the same user names and passwords as personal computing devices, all of which makes individuals vulnerable to nation-state cyber attacks. For example, let’s say Sony does decide to release The Interview on streaming media. It would be relatively easy right now for those same Korean hackers to collect the names and personal information of anyone who watches it.

We may have reached a pain point in electronic device security that goes so far beyond bandwidth, speed, latency, capacity and power usage that it makes all those issues irrelevant next to the current problem of security.

See part one of the interview.

This article sponsored by Blaylock Engineering, EuroCal Group, MeBox Media and Busivid.