Sony hacks may force companies to eliminate passwordsJan 2nd, 2015 | By admin | Category: Electronic Design, Embedded Technology, Lead Article, Manufacturing, Outsourcing
This article is the first of a year-long series of articles looking at outsourcing services and how they are no longer just a means of saving money. We look today into the arena of cybersecurity and a startup using contract software design to create a new security paradigm.
By Lou Covey, Editorial Director
The hack and subsequent terror threat of Sony Pictures laid bare the inherent weakness of cyber security in the world. Even the most powerful firewall technology is vulnerable to the person with the right user name and password (credentials). In the case of Sony, the administration credentials were stolen through an unsophisticated phishing attack, allowing the hackers to bypass the Sony firewalls and storm the corporate castle. This is the most common way hackers take down a system.
We have all heard stories of new technologies that overcome this basic flaw, from biometric technology to two-step verification, none of which seems is taking significant hold in the cyber world. According to Jack Wolosewicz, CTO and co-founder of Eurocal Group, corporations are reluctant to move beyond the familiar. Articles in the Harvard Business Review and Fast Company lean toward agreeing with him. Companies are dedicated to giving customers what they are willing to accept, not necessarily what they need, and they won’t force new paradigms on them. But Wolosewicz says here is no such thing as a strong password.
“All passwords are weak because they are easily stolen and their complexity is irrelevant once a hacker has a copy of the password,” he explained. “This enables the hacker to masquerade as an administrator and, snap, the passwords, personal data and credit card numbers of millions of users are now in the criminal domain.”
However, Wolosewicz said, in the area of cybersecurity, that reluctance may give way to necessity. “We may be at the pain point where all of us are willing to look at something significantly different.”
Wolosewicz has a deep background in computer security and after working as CTO with the team at EuroCal Group, he realized he had the engineering resources to create a security system eliminating the password paradigm. And he could do it without the startup costs and headaches. Certus was born. Wolosewicz serves as the CTO of Certus, as well, managing the Eurocal engineering resources for both companies.
The Certus cryptographic protocol is based on a “one-time pad” cypher, proven unbreakable in 1945. The system creates a sonic digital handshake between a mobile phone and any device wishing to authenticate the user. If the phone is stolen or lost, the user just deactivates it. High security applications may be reinforced with 2nd factor authentication, so a lost cell phone in the wrong hands does not pose a threat.
“The Certus authentication system eliminates user credentials that can be separated from the user and misused in an attack,” Wolosewicz claimed. “It is significantly easier to use than two-factor verification and more reliable than biometrics. The cell phone has become an appendage for most of us and now it can become a universal key to the Internet. It’s keyless entry for the Web”. In payment systems applications, Certus never stores user credit card information, so even if a corporate system is somehow compromised, no credit card numbers or passwords can be stolen.
For the past few years, and going even further at this year’s CES, consumer electronic devices, from mobile phones to automobiles are filled with easily hacked technology, even if it isn’t currently activated. There are already reports of smart TVs being used to harvest data on customers, without their knowledge, while they watch their favorite programs. The rapidly growing popularity of streaming entertainment means a growing number of online accounts protected by the same user names and passwords for personal computing devices all of which makes individuals vulnerable to national cyber attacks. For example, let’s say Sony does decide to release The Interview on streaming media. It would be relatively easy right now for those same Korean hackers to collect the names and personal information of anyone who watches it.
We may have reached a pain point in electronic device security that goes so far beyond bandwidth, speed, latency, capacity and power usage it makes all those issues irrelevant to the current problem of security.