Blog posts by Alexei Balaganski

Blog

Did someone just steal my password?

Large-scale security breaches are nothing new. Last December we heard about the hack of the American retail chain Target’s network, in which over 40 million credit cards and 70 million addresses were stolen. This May, eBay announced that hackers got away with the data of more than 145 million of its customers. And the trend doesn’t stop: despite all the efforts of security researchers and government institutions, data breaches occur more frequently and get bigger and more costly. The average total cost of a data breach for a company is currently estimated at $3.5 million. The public has...

Blog

Operation Emmental: another nail in the coffin of SMS-based two-factor authentication

On Tuesday, security company Trend Micro unveiled a long and detailed report on “Operation Emmental”, an ongoing attack on online banking sites in several countries around the world. This attack is able to bypass the popular mTAN two-factor authentication scheme, which uses SMS messages to deliver transaction authorization numbers. Very few details have been revealed about the scale of the operation, but apparently the attack was first detected in February and has affected over 30 banking institutions in Germany, Austria, Switzerland, as well as Sweden and Japan. The hackers...

Blog

What’s the deal with the IBM/Apple deal?

So, unless you’ve been hiding under a rock this week, you’ve definitely heard about the historic global partnership deal forged between IBM and Apple this Tuesday. The whole Internet has been abuzz for the last few days, discussing what long-term benefits the partnership will bring to both parties, as well as guessing which competitors will suffer the most from it. Different publications name Microsoft, Google, Oracle, SAP, Salesforce and even BlackBerry as the companies the deal is primarily targeted against. Well, at least for BlackBerry this could indeed be...

Blog

Amazon Web Services: One cloud to rule them all

Since launching its Web Services in 2006, Amazon has been steadily pushing towards global market leadership by continuously expanding the scope of its services, increasing scalability and maintaining low prices. Last week, Amazon made another big announcement, introducing two major new services with funny names but a heavy impact on future competition in the mobile cloud services market. Amazon Zocalo (Spanish for “plinth”, “pedestal”) is a “fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that...

Blog

Is the latest attack on energy companies the next Stuxnet?

It really didn’t take long after my last blog post on SCADA security for an exciting new development to appear in the press. Several security vendors, including Symantec and F-Secure, have revealed new information about a hacker group “Dragonfly” (alternatively known as “Energetic Bear”) that has launched a massive cyber-espionage campaign against US and European companies, mainly from the energy sector. Allegedly, the most recent development indicates that the hackers not only managed to compromise those companies for espionage, but also possess the necessary capabilities for sabotage, disruption...

Blog

Managing Users in Office 365

Office 365 is a popular cloud-based office productivity service built around the Microsoft Office platform. Initially released in 2011, it went through a major upgrade in 2013 and is currently offered with different plans for home, small business, midsize and enterprise customers. Internally, the Office 365 platform uses Microsoft Azure Active Directory for identity management and, with the exception of the home and small business plans, offers three identity models for different user management scenarios. The recommended approach is to always start with the simplest model and transition to the more...

Blog

Will 2014 be the year of SCADA Security awareness?

If you attended our European Identity and Cloud Conference this May, you probably noticed that, as opposed to previous years, a significantly bigger part of the agenda and a substantial number of expo stands were devoted to practical, “down to earth” aspects of IT security. Multifactor authentication, encryption technologies, source code analysis, even backup: many of these topics were previously looked down upon by strategists as boring tasks for IT engineers. Well, times have changed. Explosive growth of computing power and networks, continued erosion of...

Blog

eBay hack – could this be the last straw?

Last Wednesday, eBay Inc. announced that its user database had been compromised, and that hackers were able to get away with “encrypted passwords and other non-financial data” of more than 145 million eBay customers. eBay has informed us that financial information has not been affected and that it has not detected any increased fraudulent activity on its platform. Still, just in case, you should change your password, and they are very sorry for the inconvenience. Quite frankly, for any person working in the field of information security, this announcement raises a lot of...

Blog

Antivirus is dead, so what?

A few days ago, while announcing Symantec’s new Advanced Threat Protection initiative, Piero DePaoli, the company’s director of product marketing, made a provocative statement, proclaiming that ‘AV is dead’. His colleague Brian Dye said that antivirus software only catches around 45% of malware attacks, and that the company is shifting its focus towards responding to attacks instead of protecting against them. Making such bold claims to promote new products or technologies is a common marketing tactic; we have even done something like that ourselves a couple of years ago, quite...

Blog

Lessons learned from the Heartbleed incident

Two weeks have passed since the day the Heartbleed bug was revealed to the world, and people around the world are still analyzing the true scale of the disaster. We’ve learned quite a lot during these two weeks: after Cloudflare initially expressed doubt that the bug could really leak SSL private keys, they were quickly proven wrong by security researchers. Unfortunately, there is no way to avoid reissuing and revoking all existing SSL certificates. A week ago, Bloomberg reported that the NSA may have known about the vulnerability for years and used it to gather critical...
