Free downloadable books on Microsoft Azure

January 30, 2015

Cloud is getting bigger, Microsoft, Google and Amazon AWS are all offering great learning programs, below is a link to the Microsoft Virtual Academy and some free downloadable books on Microsoft Azure. Great start for those new to the technologies and some real value for those of us who have been in the industry longer than we care to remember.

Microsoft’s Virtual Academy has grown to include more courses, training materials, videos and an entire section of free downloadable books on Microsoft Azure.

Below is also a link to Coursera who has 11 active cloud computing courses today:



TextBlade magnetic device overturns how we do mobile typing with sensory approach

January 30, 2015

At coffee shops, in business meetings and on public transportation, we type on our smartphones as often — if not more often — as on our laptops. We’ve seen many companies introduce improvements to the touchscreen keyboard for more efficient, predictive typing on-the-go, but there is still a need for the multi-sensory experience of typing on a physical keyboard.

Post by PSFK.

Westfield Malls: How Connected Glass & Electronic Windows Engage Shoppers

January 20, 2015

Courtney Lapin talks about the power of digital interactions in retail environments

PSFK was privileged to have Courtney Lapin speak at our Future of Retail Event in San Francisco. As the Head of Retail Partnerships for Westfield Labs – the innovation arm of Westfield Malls – Lapin shared how new technologies in malls are helping online brands engage with customers in real world settings.

Great presentation – for more details please visit

Big data is the new frontier in IT – What about the storage?

January 12, 2015

Storage in the era of big data


January 9, 2015

After posting our IT predictions for next year, we decided to assign ourselves an even more challenging task. Using recent headlines from the tech press as a baseline, we tried to extrapolate ahead to the year 2025. Where might today’s stories about technology and privacy lead to in ten years if we don’t change how we manage IT security today?

In 2014, we saw many ideas more at home in sci-fi movies and novels become an everyday reality—Star Trek-like replicators in the form of 3D printers, James Bond-ish smart cars, and advanced machine intelligence courtesy of IBM’s Watson. Hold these thoughts as we now present privacy and security related news items from the future along with the questions raised by these emerging threats from our own time in 2014.

Any parallels to Orwell’s 1984 are (we hope) purely coincidental.

Hackers Uses 3D Printed Eyeball to Fool Retinal Scanner

2014: Many data points were created when President Obama got 3-D printed. Whether it’s the president’s or just an ordinary citizen’s biometrics, who should have access to the data points of heads, arms, finger, retinas, etc.?

2025: Interpol’s Cyber Security Division yesterday arrested a gang of biometric cyber thieves. They were caught using an eerily life-like plastic eyeball encased in a super-clear glass block. The thieves had previously hacked into idVault, one of the world’s largest data brokers, and 3D rendered the physical eye structure from stored retinal digital signatures …

Cyber Carjacking Ring Foiled

2014: Automakers know how you roll, but how will they use, store and protect the data collected from our increasingly smart vehicles?

2025: Working from a high-rise office building in Los Angeles, a ring of hackers had been stealing cars remotely by exploiting a new vulnerability found in automakers’ Microsoft-based telemetric controls. After owners parked their self-driving vehicles, the thieves used bots to crawl the IOE (Internet of Everything), insert special code into the navigation module, and then drive the cars to a special garage owned by the hackers. Police say they had never seen …

Data Broker idVault Sued

2014: Personalization has simplified how we locate products and services. With highly targeted advertising and content selection, are we as consumers being secretly penalized and denied access to an alternative world of ideas and options?

2025: idVault, one of the world’s largest personal information brokers, was sued in federal court yesterday. This is the largest ever class-action brought against a data broker. The suit came about when consumers in several states noticed sudden rises in their auto insurance and credit card rates soon after they had installed a free children’s game app in their car’s operating system. The app secretly was secretly sending GPS and other navigation data to idVault, which was then selling the data to financial companies …

Cell Phone Hackers Caught Impersonating Bank

2014: In today’s cellular networks, how can we ensure that we are not being monitored by third parties (private and governmental).

2025: With the cost of cell phone transmission electronics having plummeted over the last few years, 5G equipment is now within reach of ordinary citizens. Beside the new wave of private pop-up cell phone carriers offering free streaming video, hackers have also gotten into the cell phone business. Recently a hacker collective was caught using their own pirate cell phone tower to intercept calls. Their software filtered out connections to banks and brokerage house, handing off the rest to Verizon. The FBI said the hackers appeared to callers as personal bankers …

Clothes and 3D Masks Make the Hacker

2014: With the help of 3D printers and the ability to render various images when shopping, how can we realistically authenticate ourselves for even the most basic services?

2025: The smart mirror technology has improved greatly since department stores began using them in their dressing rooms a few years ago. These special mirrors now allow store customers to view inventory, select clothes, and then render images of the shopper in different virtual outfits. However, hackers were found to have penetrated one high-end department store’s firewall, stealing images and data about its customers from the embedded file servers in the smart mirrors. Using 3D printers, they generated realistic masks, and then dressed in similar outfits to their victims. Police say they almost got away with opening an enormous credit line ….


January 9, 2015

Great article from the guys at Varonis

I had the chance to talk with cyber security expert Justin Cappos last month about the recent breaches in the retail sector. Cappos is an Assistant Professor of Computer Science at NYU Polytechnic School of Engineering. He’s well known for his work on Stork, a software installation utility for cloud environments.

In our discussion, Professor Cappos has a lot to say about weaknesses with our current approach to password-based security as well as new technologies that can be applied to credit card transactions. He’s worked on his own password hash protection algorithm, known as PolyPasswordHasher, which would it make it very difficult for hackers to perform dictionary-style attacks. Cappos offers some very practical advice on securing systems.

Metadata Era: It looks like Backoff malware was implicated in the Staples attack. Though we don’t know too much about the exploit, but if it’s like other recent attackers, the hackers found it relatively enter the system through phish mail, guessing passwords, or perhaps injection attacks.

Justin Cappos: I did look around for this information, and I see a lot of people reporting, but I don’t see anybody specifically saying or speculating that perhaps it’s similar to Target or some of these breaches. Nothing concrete yet.

That’s not to say there isn’t anything a company can do to protect infrastructure—for example, to harden things, to train users not to open phishing mails, and have people choose reasonable passwords especially on sensitive systems. The problem with any of these defenses is that the attacker has to only succeed once.

Once they get in, typically they can move around, get access to other things. So businesses need to do a few different things to try to protect themselves effectively. Some of which they may already being doing, but there needs to be a strong emphasis on compartmentalization.

You mean …

So the person who does PR for the organization doesn’t, say, have direct access to financial records.

Also, it’s extremely important to have good network monitoring. You need to have a way to detect whether data is moving off our servers—is it going to places we wouldn’t expect it to be going to. Looking for things like, for example, an HVAC subcontractor who occasionally accesses the corporate network but has now suddenly found to be hoovering up data. That should be a red flag!

So once they’re in through phishing or injection, they have the credentials of an existing user, and as you pointed out, you have to start monitoring for unusual behaviors. This internal monitoring function becomes very important. Although it’s not something necessarily that companies focus their resources on.

Exactly. So imagine a quarantine. If you were to quarantine something like a thousand people, you wouldn’t put them all in the same big area, where they’d all interact. Ideally you’d want to isolate them.

At a minimum, you want to cut down on interactions. So when you do a data analysis in your organization, you want to keep track of how these isolated pockets are able to communicate and look for suspicious patterns and behaviors.

How can this be done—is this part of your research?

Not specifically for me. But it is good best practices for lots of different organizations. So the military and government use this compartmentalization approach. As do banks. They will segment information off and in some cases, have isolated networks that are not even connected to the Internet. It really depends on the sensitivity of the data and how it will impact the working style of the people.

So you’re really talking about a data governance function, in terms of what is more valuable and what requires more restrictive permissions.

I consult with lots of startups. And one of the first things I do is I say, “Tell me your worst nightmare about somebody breaking in and stealing something. What is that thing?”

For some companies, it’s data about their customers, for some it’s information about an algorithm. It varies a lot depending on the monetization strategy and what the secret sauce of the organization is.

You want to find that thing, and for larger companies, it’s probably many things, and isolate them as much as possible so it’s as hard as possible for an attacker to get that information.

Sometime it means separating functionality out across multiple servers. So for instance, if your password data is one of the most sensitive things your organization has, you can very easily have a separate server whose only function is to handle password requests, and it did this through a custom protocol that your company wrote.

You would monitor the network and if it got anything other than a password request and returned anything other than a “yes or no”, then you would know immediately that something has happened.

That takes time and takes energy, and you have to implement something a little different to make that happen. If you’re going to protect a really valuable asset, they should do this!

And if you don’t spend the time and effort for say your legacy systems, what would your recommend?

For legacy systems, there’s certainly never an excuse not to follow best practices. They absolutely should be using salting and hashing of passwords, if not something stronger, such as hardware-based authentication or PolyPasswordHasher. They need to be using strong protections for user passwords and data.

They need to be encrypting credit card information. If they’re not really in the security business, they really shouldn’t be storing credit card information, they should consider working with a 3rd party payment processor that will make it so they effectively only have tokens on their server instead of raw credit card data. They can outsource the risk and security concerns with storing credit card information in many cases.

Sure, for some companies it would make sense to outsource to payment processors. But clearly the big box retailers are doing their processing in house.

You mentioned multi-factor authentication. In theory that would have made some of the attacks we’ve seen over the last year much more difficult. Is that a fair statement?

It is. It’s not a panacea—it doesn’t solve all problems. It raises the bar for simple password attacks. It doesn’t necessarily stop people from getting in other ways—SQL injection and other vulnerabilities. Two-factor authentication will not help in that context.

Another way it often does help is to prevent the spread. So if you have a sensitive server that users have to log into with two-factor authentication, even if the attacker figures out the password for users on that server, if they don’t have the second factor they will be unable to get in. That can sometime contain the attack.

Security is almost never about perfect solutions. It’s pretty much about making it harder for the hackers, and buying yourself some time and just making it difficult enough that you no longer become a good target

Right, so it becomes too much of an investment for them and the attackers will move on to an easier victim.

In our blog, we’ve been focused lately on the flaws in authentication systems, mostly as result of SSO or Single Sign On that distributes the hash of the password throughout a system. We’ve written about Pass the Hash wherein once they attackers get the password hash they essentially can become that user. Any recommendations for this authentication problem, and are there longer term solutions?

Sure. There are three things to know about in this area.

The first is that if your organization has a good password policy and makes users choose passwords that have a reasonable degree of randomness, then breaking those passwords—through say dictionary attacks— still can be implausible. What really happens is that if you get those hashes and those passwords behind them are not amazingly well chosen, then one can break them. If they are very strong passwords—like 8 character, randomly chosen and not from a dictionary—those are pretty strong.

If you’re trying to generate passwords as a human, there are tricks you can do where you pick four dictionary words at random and then create a story where the words interrelate. It’s called the “correct horse battery staple” method! [Yeah, we know about it!]

Strong passwords do help a lot. Organizations should be encouraging their users to choose strong passwords. I think that—many experts believe—requiring users to frequently change passwords, say, every three or six months, does much more harm than good. Because users get frustrated by this and are more likely to forget their password, and so choose passwords that somewhat fit the criteria but are easy enough to remember. I wish organizations would do away with this policy, and instead choose a good initial strong password. That would dramatically increase the time it takes for hacker to crack the passwords.

By the way, should we be relying on those password strength meters?

Unfortunately, password strength meters can be fooled—you can give it a poor password that it thinks is a good password. Use it with a grain of salt!

There are lists out there of commonly used passwords—even those that use upper and lower case with symbols—and organizations should be really positive that users are not choosing anything in the popular password list. They should actively block the passwords.

That’s the first thing—focus on passwords.

The second is that organizations like Microsoft, should be really spending more time designing and improving the security of their systems with respect to password storage. The threat model and landscape has really changed in the last few years where hacker are much more aggressively going after password databases.

So I would like to see much better support from operating system vendors for things like hardware protection of passwords. I’d like to see some of the new techniques for password protection—like PolyPasswordHasher and other things like this—integrated more broadly. Anything that will slow or stop attackers.

Microsoft, by and large, has very good security—they have an excellent security team. I would just love to see them have a focus in this area, and do this in a realistic way and even provide patches for older versions, which companies like banks are still using.


It’s a password storage and protection scheme. It’s actually something that’s been done by myself and one of my students. It makes it so you have to crack multiple password in a database simultaneously to know if any of them is correct. It’s much harder for hackers to crack passwords from the hash. It’s simple to deploy–it’s a software change in the server—and it makes things exponentially harder. It’s open-source and free—available for different frameworks.

And the third part of your recommendations?

There’s something called EMV, which is a standard way to handle credit card numbers that’s commonly used everywhere else but the United States.

So there’s a chip on an EMV-based card that protects information—a tiny security computer if you will. If you swipe your card at a terminal, then all you’re doing is authorizing a transaction—you’re not giving any card information. But if you swipe a magnetic card—like what we use in the US—they really have all the information. The nice thing about EMV cards, you have to steal the cards to take advantage of it. The bar is much higher.

What information does the EMV chip give?

A way of thinking about it is that the magnetic strip technology is almost like giving someone your wallet. Basically, every time you hand someone a credit card or credit card number, you give them the ability to make transactions on your behalf. With EMV, you not giving the ability to make transactions in the future, you’re giving an authorization for the current transaction—almost like a ticket for a movie. You can’t reuse it.

Ah, so you use it once and it can’t be replayed in an attack.


If the EMV solution becomes widespread, would that prevent the retailer attacks from succeeding—there wouldn’t be anything the attackers could use again?

No security is perfect, but EMV makes it much harder. It’s not impossible, though. The amount of work you’d have to do is substantial. I wouldn’t anticipate we’d see millions of credit card stolen. It’s not a panacea, but it works well.

EMV raises the barriers and eliminate the easy hacks, which is essentially what we’ve been seeing the last year– retails hacks that required very basic techniques.

Yes, it would no longer be a problem of hackers stealing and then at their leisure moving files. Instead they would have to do real-time, live changes to the transactions. EMV is not perfect, but it makes it harder. And often times in security, harder is enough.

That’s a good way to end this. Thanks Professor Cappos.

Thank you!


January 9, 2015

Great article on Fast Company


Get every new post delivered to your Inbox.

Join 870 other followers