<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ID PROTECTION EXPERT - For Business</title>
	<atom:link href="http://www.idprotectionexpert.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.idprotectionexpert.com</link>
	<description>Data Security and Privacy Compliance Solutions for Businesses</description>
	<lastBuildDate>Tue, 09 Mar 2010 07:05:35 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Power LogOn Secures the Cloud by Bringing Security Down to Earth</title>
		<link>http://www.idprotectionexpert.com/power-logon-secures-the-cloud-by-bringing-security-down-to-earth/501</link>
		<comments>http://www.idprotectionexpert.com/power-logon-secures-the-cloud-by-bringing-security-down-to-earth/501#comments</comments>
		<pubDate>Tue, 09 Mar 2010 07:00:34 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=501</guid>
		<description><![CDATA[Why are cyber thieves attacking the clouds? Because that’s where the information is!
Power LogOn by Access Smart® has proven itself to secure cloud application access without the high cost of ownership found in other security solutions. The cloud has helped make businesses more competitive, employees more efficient and consumers more connected. Cloud solutions are available [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>Why are cyber thieves attacking the clouds? Because that’s where the information is!</em></strong></p>
<p>Power LogOn by Access Smart<sup>®</sup> has proven itself to secure cloud application access without the high cost of ownership found in other security solutions. The cloud has helped make businesses more competitive, employees more efficient and consumers more connected. Cloud solutions are available for almost every business need: legal forms to healthcare patient records, accounting data to word-processing, CRMs to order processing. With so much valuable data out in the clouds, the allure is too great for cyber thieves.</p>
<p>Cyber attacks are becoming an epidemic. While companies are trying to add more backend security like firewalls, encryption and CAPTCHAs to protect their data, the user’s access point or “front door” is still being locked with a virtual hook and eye latch.</p>
<p><span id="more-501"></span>User name and password authentication is still the easiest and most cost effective way for users to access electronic data. The weak link, however, is how we choose and manage those passwords. As new privacy laws place security responsibilities directly on companies, they in turn try to mitigate their risks by implementing cumbersome authentication policies that force employees to circumvent security for their own convenience.</p>
<p>Power LogOn combines security, low cost and convenience so the three work together. Imagine implementing complex passwords with no backend server modifications, and employees never having to remember or type another password! IT can even update passwords without the user caring – or even knowing.</p>
<p>“Recently, for example, large corporations like Microsoft, Google and Intuit have all announced Personal Health Information (PHI) cloud applications”, said Dovell Bonnett, founder and CEO of Access Smart. “While the cost benefits may be huge to patients and care givers, the risk is also huge since all this confidential data is only secured by other cloud applications like LiveID or OpenID where the user types in their user name and password for access. Spyware, keyloggers and phishing scams have already made these access portals insecure. The first time a PHI gets hacked because of careless password management, the whole service may come down like a house of cards.”</p>
<p>Real security requires many different levels of authentication and authorizations. That is why Power LogOn implements the “7-levels of assurances.” Not only is the individual authenticated to the smartcard, but the smartcard is authenticated to the cloud application and the individual to the data by what Access Smart calls “Double, multi-factor authentication”.</p>
<p>“If you make security cumbersome, even honest people will circumvent it for their own convenience; and if you make security too expensive to deploy, very few companies will implement it”, said Mr. Bonnett. “That’s why we developed Power LogOn and have formed alliances with a number of other security companies to address security, convenience and cost of ownership.”</p>
<p>Cloud computing has made it so easy to manage all our electronic data. Now Power LogOn secures access to that data. It’s time to replace the latch and upgrade to a 21<sup>st</sup> century smartcard solution to secure your data’s front door.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/power-logon-secures-the-cloud-by-bringing-security-down-to-earth/501/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The law may consider your business a bank!</title>
		<link>http://www.idprotectionexpert.com/the-law-may-consider-your-business-a-bank/494</link>
		<comments>http://www.idprotectionexpert.com/the-law-may-consider-your-business-a-bank/494#comments</comments>
		<pubDate>Thu, 04 Mar 2010 18:56:42 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=494</guid>
		<description><![CDATA[Some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. There is a little known code called the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. ]]></description>
			<content:encoded><![CDATA[<p>There’s an interesting post over at <a href="http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/">Krebs On Security</a> talking about some poor company that is going bankrupt because <a href="http://www.tdbank.com/">TD Bank</a> allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?</p>
<p>There is a little known code called the UCC (<a href="http://en.wikipedia.org/wiki/Uniform_Commercial_Code">Uniform Commercial Code</a>) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers &#8211; but even if your business consists of even one person, you still are treated as a bank. As such, if your company has money wired out of its account, the bank isn’t to be held liable &#8211; or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.</p>
<p>The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates precedent and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the runaround, and we don’t get to hear about it because at the end of the day they are all signing NDAs.</p>
<p>So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you &#8211; I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/the-law-may-consider-your-business-a-bank/494/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter, Facebook, etc. Cyber Terrorism</title>
		<link>http://www.idprotectionexpert.com/twitter-facebook-etc-cyber-terrorism/475</link>
		<comments>http://www.idprotectionexpert.com/twitter-facebook-etc-cyber-terrorism/475#comments</comments>
		<pubDate>Wed, 26 Aug 2009 00:10:54 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[cyber terrorism]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spear phishing]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=475</guid>
		<description><![CDATA[Phishing and spear phishing emails from unknown babes and beefcakes want to friend you, and they want you to click on the link to add them. These people are trying to place a virus on your computer.]]></description>
			<content:encoded><![CDATA[<p>Phishing and spear phishing emails from unknown babes and beefcakes want to friend you, and they want you to click on the link to add them. These people are trying to place a virus on your computer.</p>
<p>Don&#8217;t friend these people.</p>
<p>A tip-off is how many people are following them: it is usually a very low number. You also want to be sure you have a strong anti-virus program to protect your computer.</p>
<p>Be careful of who you friend, and if you don&#8217;t know them or they are not part of your circle, don&#8217;t accept them. And no matter what, don&#8217;t click on any of their links or pictures.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/twitter-facebook-etc-cyber-terrorism/475/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Justin Williams&#8217; on Twitter Security</title>
		<link>http://www.idprotectionexpert.com/justin-williams-on-twitter-security/472</link>
		<comments>http://www.idprotectionexpert.com/justin-williams-on-twitter-security/472#comments</comments>
		<pubDate>Fri, 24 Jul 2009 16:20:25 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=472</guid>
		<description><![CDATA[Justin writes a great article about the Twitter hack (see below). Password security is much more than about just having strong passwords, it is also about managing passwords. If a company&#8217;s IT department puts the burden on users to change passwords frequently and to have longer passwords, then users will write them down on notes [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Justin writes a great article about the Twitter hack (see below). Password security is much more than about just having strong passwords, it is also about managing passwords. If a company&#8217;s IT department puts the burden on users to change passwords frequently and to have longer passwords, then users will write them down on notes for people to find.</strong></p>
<p><span style="color: #ff0000;"><strong>SOLUTION: Invest in a secure password manager that is based on smartcard technology.</strong></span></p>
<p><span style="text-decoration: underline;">JUSTIN WILLIAMS: Twitter hacking points out need to secure information</span></p>
<p>Back in May, Twitter was hacked by someone who got into the accounts of several of the company&#8217;s employees. The hacker also gained access to the Twitter accounts of several high-profile users.</p>
<p>Besides just snooping around, the hacker gathered hundreds of documents from Twitter&#8217;s Google Docs account — including employee lists, credit card numbers, contracts, meeting notes and salaries. Last week those documents ended up in the hands of TechCrunch, a popular Internet blog, which posted many of the documents outlining Twitter&#8217;s business strategies and financial forecasts.</p>
<p>How did the hacker gain access to this information? Relatively easily, actually. He acquired a Twitter employee&#8217;s Google password, which gave him access to e-mail, Google Docs and more. He didn&#8217;t use a dictionary attack or guess the password. Instead, he used the password recovery features of Gmail which will e-mail the password to a secondary e-mail account. In this case, the secondary account was an expired Hotmail account that, when reregistered, had the recovery e-mail from Google waiting there.</p>
<p>While your e-mail and secrets may not be as tantalizing as Twitter&#8217;s, this episode should serve as a reminder to think hard about how secure your computing practices are.</p>
<p>First and foremost you want to make sure you have a good password — a mixture of letters, numbers and symbols. It also should have a mixture of upper and lowercase letters. You want to avoid common words and names because they can be cracked fairly easily by trying to log in using every word in the dictionary.</p>
<p>You also should have a unique password for each Web site you visit. Having a unique password per site gives you an extra layer of protection should that account be compromised because the intruder won&#8217;t be able to access any other sites you may use.</p>
<p>Remembering dozens of passwords isn&#8217;t practical, so I recommend using a password manager that integrates with your Web browser. On the Mac, I swear by 1Password (agilewebsolutions.com/products/1Password). I let it generate and manage all my passwords, personal information and online credit cards. I also use 1Password to fill out online forms for me through its integrated browser plug-in. RoboForm (<a href="http://www.roboform.com/">www.roboform.com</a>) offers an excellent alternative to 1Password for the Windows platform. It seamlessly integrates with both XP and Vista machines and works in Firefox and Internet Explorer.</p>
<p>Twitter&#8217;s misfortune is a reminder of good password practices, but it also may be a warning sign of what the future holds for cloud computing. The blow to Twitter would have been much less if the company had not been storing all of its sensitive documents and information in Google Docs, an online equivalent to Microsoft Office. If you can&#8217;t imagine something getting in the hands of wrongdoers, it is probably better to keep it stored locally in your home or office instead of on a server somewhere on the Internet.</p>
<p>Justin Williams is the owner of Second Gear, a local Web and software development firm. He can be reached at <a href="mailto:justin@secondgearllc.com">justin@secondgearllc.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/justin-williams-on-twitter-security/472/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Talk #8 &#8211; Cyber Crime Protection</title>
		<link>http://www.idprotectionexpert.com/expert-talk-cyber-crime-protection/29</link>
		<comments>http://www.idprotectionexpert.com/expert-talk-cyber-crime-protection/29#comments</comments>
		<pubDate>Wed, 01 Jul 2009 18:32:08 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Audio Interviews]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://66.147.242.86/~idprotec/idprotectionexpert/?p=29</guid>
		<description><![CDATA[Todd Stefan - President of Talon Cyber Tec - discusses how business owners can protect their business from cyber crimes. Proper security also allows business owners to qualify for data breach insurance. ]]></description>
			<content:encoded><![CDATA[<p>Todd Stefan &#8211; President of Talon Cyber Tec &#8211; discusses how business owners can protect their business from cyber crimes. Proper security also allows business owners to qualify for data breach insurance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/expert-talk-cyber-crime-protection/29/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://66.147.242.86/~idprotec/wp-content/audio/toddstefanpod.mp3" length="61378458" type="audio/mpeg" />
		</item>
		<item>
		<title>Protecting Your Company From An Online Data Breach</title>
		<link>http://www.idprotectionexpert.com/protecting-your-company-from-an-online-data-breach/15</link>
		<comments>http://www.idprotectionexpert.com/protecting-your-company-from-an-online-data-breach/15#comments</comments>
		<pubDate>Tue, 02 Jun 2009 01:43:59 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://66.147.242.86/~idprotec/idprotectionexpert/?p=15</guid>
		<description><![CDATA[Why do data thieves attack corporate computer networks? Well, to paraphrase Willie Sutton, it&#8217;s because that&#8217;s where the data is. As I said in a previous blog, a data breach is usually done in one of two ways.
A data thief will either employ physical means, such as dumpster diving, social engineering or a simple break-in; [...]]]></description>
			<content:encoded><![CDATA[<p>Why do data thieves attack corporate computer networks? Well, to paraphrase Willie Sutton, it&#8217;s because that&#8217;s where the data is. As I said in a previous blog, a data breach is usually done in one of two ways.</p>
<p>A data thief will either employ physical means, such as dumpster diving, social engineering or a simple break-in, or attack via the internet. No business today can afford to be left behind technologically, meaning that in every corporate environment there are computers, networks and electronically stored information.</p>
<p><span id="more-15"></span></p>
<p>Electronic files are highly sought after by would-be data thieves for the wealth of personal information they contain. There are HR files, accounting information, customer and vendor lists; the list goes on and on. All of these kinds of records are full of sensitive information which can be exploited for personal gain by data thieves.</p>
<p>As a business owner, you are already aware of how to protect your company from a break-in; however, these electronic attacks are not as well understood or protected against by the majority of companies. The alluring elements for a data thief regarding online data breaches are:</p>
<p>1. The thief need not be anywhere near their victim; they can even be on another continent.</p>
<p>2. Just about any information you would need to commit identity theft can be readily found on the web (We will not tell you what these sites are since we discourage the practice).</p>
<p>3. Most companies keep a large amount of sensitive information on file; much of this data is poorly secured.</p>
<p>4. Computers can be an easy entry point to your data, since thieves only need to find one weak point to get into your system.</p>
<p>Here are some of the more common computer data attack techniques used by data thieves:</p>
<p>1. <strong>Phishing emails</strong> &#8211; These are emails pretending to be from a legitimate company, usually asking the victim to verify personal information.</p>
<p>2. <strong>Spear phishing</strong> &#8211; These are emails which are sent to employees of a company purporting to be from management, asking for passwords or information about projects they may be working on.</p>
<p>3. <strong>Zombie computers or networks (zombies)</strong> &#8211; These are compromised computers and networks which contain software which permits data thieves access to the system. These computers may be linked together to form what is called a botnet.</p>
<p>4. <strong>Botnet</strong> &#8211; Once linked together, these botnets are used to perform attacks like denial of service, pay per clicks and spam email. In many cases, the owner of the compromised systems may not know that their system is being misused this way.</p>
<p>5. <strong>Bogus websites</strong> &#8211; Websites which pose as legitimate sites and attempt to trick visitors into handing over personal information; this data is then used on the real site by the data thief.</p>
<p>6. <strong>Crackers</strong> &#8211; Programmers and other highly skilled computer experts who use their abilities to break into networks to find weaknesses to exploit.</p>
<p>7. <strong>Wireless network snooping</strong> &#8211; When using unprotected wireless routers, such as are often found in coffee shops, airports and some homes, hackers may be able to pry into your computer.</p>
<p>8. <strong>Cookie sniffing</strong> &#8211; Hackers will use cookie sniffers to examine all of the cookies you have used and will send this information (useful since people generally use the same password for many different sites) to their own systems to use this information.</p>
<p>9. <strong>Malicious Software</strong> &#8211; These are various types of software: hijackers, adware, Trojan horses, etc. which act against specific operating system functions, send your personal information to someone outside your system, direct you to bogus websites or any number of other malicious actions.</p>
<p>10. <strong>Web Page Hijackers</strong> &#8211; A small program which redirects your browser to a site other than the one you wanted to visit. This may be to a bogus website attempting to capture your personal information or an annoyance such as being redirected to a pornographic website.</p>
<p>11. <strong>Piggybacking Access</strong> &#8211; This is the practice of breaking into a poorly secured computer on an external network and using this access to break into another network using a legitimate connection between the two networks.</p>
<p>12. <strong>People Research Sites</strong> &#8211; For a fee (usually $40-$80), you can obtain personal information on nearly anyone.</p>
<p>13. <strong>Dictionary attack</strong> &#8211; One of the easiest ways to guess a password. A dictionary file is loaded and since no language has an unlimited number of words, this can often generate the password with relative ease.</p>
<p>14. <strong>Hybrid attack</strong> &#8211; A more sophisticated variant of the dictionary attack, this takes dictionary words and combines them with numbers and/or symbols in an attempt to crack a password protected system.</p>
<p>15. <strong>Brute force attack</strong> &#8211; A brute force attack is one in which a program systematically works through every possible combination of numbers, letters and symbols. The amount of time needed to find the password all depends on the number of characters used in the password.</p>
<p>16. <strong>Keyloggers</strong> &#8211; A type of spyware which records every keystroke made on a computer and sends this information to a remote user. These programs are very difficult to detect with most virus and spyware scanners.</p>
<p>17. <strong>Network Sniffers</strong> &#8211; Applications used to capture network traffic without the knowledge of users on the network. Sniffers are helpful to hackers in finding network weaknesses, which helps them to plan other attacks on a network.</p>
<p>You should be aware of the risk of data breaches, but you needn&#8217;t be paranoid. There are plenty of steps you can take, such as bringing in outside IT security consultants to work with your IT department to assess your security and work to improve it. You should also make sure that all of your software is kept up to date.</p>
<p>Your sensitive data should be encrypted to better protect it from prying eyes. You can use security tokens in your system, such as smartcards for accessing your network and workstations. You should also make sure that each and every one of your employees is properly trained so they know what to keep an eye out for to prevent data breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/protecting-your-company-from-an-online-data-breach/15/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Breach Cost Heartland Millions</title>
		<link>http://www.idprotectionexpert.com/data-breach-cost-heartland-millions/469</link>
		<comments>http://www.idprotectionexpert.com/data-breach-cost-heartland-millions/469#comments</comments>
		<pubDate>Fri, 08 May 2009 18:32:08 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=469</guid>
		<description><![CDATA[Heartland Payment Systems&#8217; security breach contributed to reported Q1 earnings revealing a $2.5 million loss, with the data breach accounting for $12.6 million.]]></description>
			<content:encoded><![CDATA[<p>Heartland Payment Systems&#8217; security breach contributed to reported Q1 earnings revealing a $2.5 million loss, with the data breach accounting for $12.6 million. A large fine levied by MasterCard accounted for most of these costs. CEO Bob Carr said the company&#8217;s work to address post-breach fallout was a costly diversion and they are implementing a costly end-to-end encryption system to help prevent future breaches. <a href="http://www.forbes.com/feeds/ap/2009/05/07/ap6394254.html" target="_blank">Click here to read the entire article from Associated Press.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/data-breach-cost-heartland-millions/469/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Thieves Physically Steal Your Data!</title>
		<link>http://www.idprotectionexpert.com/how-thieves-physically-steal-your-data/25</link>
		<comments>http://www.idprotectionexpert.com/how-thieves-physically-steal-your-data/25#comments</comments>
		<pubDate>Sat, 02 May 2009 01:44:17 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Building Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://66.147.242.86/~idprotec/idprotectionexpert/?p=25</guid>
		<description><![CDATA[Basically, the theft of sensitive information from companies can happen in two ways: physical data breaches or online breaches of security. ]]></description>
			<content:encoded><![CDATA[<p>Basically, the theft of sensitive information from companies can happen in two ways: physical data breaches or online breaches of security. Physical identity theft refers to cases where the identity thief needs to get in close to their targets or to the information they are trying to obtain. These sorts of identity theft efforts include dumpster diving to search for documents which contain information such as account numbers, social security card or credit card numbers, addresses and the like. Basically, any information which contains personally identifying information on a customer, vendor or employee is of use to identity thieves. Mail may be stolen or thieves may pose as company representatives over the phone in an effort to extract information from unwary employees.</p>
<p>Here are the top fifteen ways in which corporate information is stolen by physical means:<span id="more-25"></span></p>
<p>1. Dumpster Diving &#8211; Someone will physically go through trash or recycling bins searching for employee records, addresses, credit applications and other documents containing personal information.</p>
<p>2. Card Skimming &#8211; There are devices which are capable of recording the information from a credit card or ATM card&#8217;s magnetic strip. These devices will be used by unscrupulous employees, particularly at restaurants and other businesses where the credit card is often out of the owner&#8217;s sight.</p>
<p>3. Purse and wallet theft &#8211; Purses and wallets are stolen from employees in the workplace.</p>
<p>4. Computer theft &#8211; This is a very common tactic as of late. Computers with unencrypted data will be stolen. Account information and other sensitive data is often stored on workstation computers; data thieves are well aware of this.</p>
<p>5. Unlocked File Cabinets &#8211; Companies need to keep files on their employees and customers. You need to make sure that access to these documents is restricted during the day and ensure that these cabinets are securely locked at night.</p>
<p>6. Bribing employees &#8211; Thieves will pay employees to steal sensitive information for them; this information is then used to commit fraud and identity theft.</p>
<p>7. Social engineering attacks &#8211; Thieves will pose as fellow employees, landlords or others who would normally be permitted access to sensitive information. People will often give out this information to someone they are led to believe is officially allowed to receive it.</p>
<p>8. Mail Theft &#8211; Incoming or outgoing mail will be stolen, often from the receptionist&#8217;s desk.</p>
<p>9. Office Burglary &#8211; A break-in is perpetrated to steal documents and computers containing sensitive data. The true purpose of the break-in will often be covered up with the theft of other equipment or vandalism.</p>
<p>10. Phone Pretexting &#8211; Similar to the web-based tactic of &#8220;phishing&#8221;, data thieves will call posing as employees of a legitimate company who need to update records; many employees will unhesitatingly give out personal information about employees when targeted with this technique.</p>
<p>11. Shoulder surfing &#8211; Usually done by employees or consultants, passwords will be observed as they are typed by someone looking over an employee&#8217;s shoulder.</p>
<p>12. Desk snooping &#8211; Thieves will search a desk or work station for notes containing passwords (commonly used in most offices).</p>
<p>13. Customer List Selling or Renting &#8211; Some companies will rent or sell their customers&#8217; information sans their consent or knowledge to marketing companies. Almost inevitably, this information will end up in the hands of criminals at some point.</p>
<p>14. Help Desk Support &#8211; Help desk personnel often fail to realize that identity thieves may call them posing as an employee having a technical issue, so they will often give out a new password to someone posing as an employee. Since as many as 50% of help desk calls are for password resets (according to the Gartner Group)</p>
<p>15. Bogus service calls &#8211; Data thieves will sometimes pose as a repair person to obtain access to a computer network. The thief may install key loggers or backdoors, or use a packet sniffer to record network communications.</p>
<p>As a business owner, you need to be informed of the methods employed by data thieves to gain access to company information and implement good security practices such as shredding documents, using P.O. boxes and requiring regular security training for employees. While almost nothing will prevent data thieves from trying, having good security measures in place may lead data thieves to seek out an easier target.</p>
<p>While businesses will sometimes spend a fortune on non-disclosure agreements to make sure that business partners do not divulge company information, they will at the same time often fail to train their own employees how to protect the company from data theft.</p>
<p>Having a good security system in place is a must today; but if it is cumbersome for your employees they will circumvent it, leaving your data vulnerable to attack and leaving you with a false sense of security. A balance has to be maintained, and one of the best ways to create that balance is to keep employees informed about security and how a data breach can threaten their work environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/how-thieves-physically-steal-your-data/25/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Swine Flu and Computer Viruses</title>
		<link>http://www.idprotectionexpert.com/swine-flu-and-computer-viruses/468</link>
		<comments>http://www.idprotectionexpert.com/swine-flu-and-computer-viruses/468#comments</comments>
		<pubDate>Fri, 01 May 2009 17:43:16 +0000</pubDate>
		<dc:creator>Nicole Friel</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[computer viruses]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spear phishing]]></category>
		<category><![CDATA[swine flu]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/swine-flu-and-computer-viruses/468</guid>
		<description><![CDATA[As the world is in fear of the Swine flu, virus writers and spam sources are taking advantage of this opportunity to infect computers as well. 2% of all spam currently is related to Swine Flu, generating internet congestion on email providers. Part of what makes a virus writer successful in delivering attacks and establishing [...]]]></description>
			<content:encoded><![CDATA[<p>As the world is in fear of the Swine flu, virus writers and spam sources are taking advantage of this opportunity to infect computers as well. 2% of all spam currently is related to Swine Flu, generating internet congestion on email providers. Part of what makes a virus writer successful in delivering attacks and establishing avenues of propagation is feeding on current fears and enticing users to open up emails or web links believing they are legitimate information sources. Successful cyber attacks are as much about understanding the psychology of potential victims as they are a technical feat. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/swine-flu-and-computer-viruses/468/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Red Flag Expert Interview</title>
		<link>http://www.idprotectionexpert.com/red-flag-expert-interview/462</link>
		<comments>http://www.idprotectionexpert.com/red-flag-expert-interview/462#comments</comments>
		<pubDate>Sat, 25 Apr 2009 16:28:09 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=462</guid>
		<description><![CDATA[I am preparing to interview two Red Flag Rule experts about how companies comply with this new FTC mandate that goes into effect in May '09. 

If you have any specific questions you would like me to ask, please go to http://www.idprotectionexpert.com/ask to submit your question.]]></description>
			<content:encoded><![CDATA[<p>I am preparing to interview two Red Flag Rule experts about how companies comply with this new FTC mandate that goes into effect in May &#8217;09.</p>
<p>If you have any specific questions you would like me to ask, <a href="http://www.idprotectionexpert.com/ask">please click here to submit your questions</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/red-flag-expert-interview/462/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
