iPad Accounts Exposed: Finally Someone Got It Right

Perhaps you heard some news about 100k+ iPad user emails and other info getting exposed?  Well, it turns out that the leak happened due to an unprotected AT&T web server, not due to any flaws related to Apple’s iPad.  What’s interesting about this story is not the data leak itself, but rather how it seems that all the media outlets are reporting this as “the most serious Apple security flaw to date” when really, if you had to point fingers, AT&T gets that honor this time, not Apple.  Even media outlets with the technical chops to know better are getting this story wrong.

Here’s a link from Advisen, who ironically is the least technical resource on my daily read list, but were the only ones so far who reported this story correctly, enjoy:


A Little Man Bites Dog: Digital River Gets Data Hacked


Company gets hacked into. These days stories like this are pure man bites dog (no surprise here), but what did interest me here (a la man bites dog) is the fact that investigators involved suspect that the hack may have been an inside job.  It’s refreshing to see that insider threats are getting some spotlight, and hence the awareness level of this type of enterprise threat will increase.

Ok, marketing hat on now (skip the rest of this post if you really want to).  This is the exact threat that our LOCKBOX Data Protection Platform aims to solve (the site is still under development so please excuse the temporary mess).  Our LOCKBOX system secures data in such a way that only the owner of a virtual LOCKBOX (i.e. you) can access the data inside that LOCKBOX.  Even we, the developers and maintainers of LOCKBOX, can’t access data that have been placed inside someone’s LOCKBOX, which would have mitigated the risk of someone internal going rogue.

Anyhow, again it’s great to see threats like these are coming to light more and more.


LOCKBOX Secure File Transfer Services Sneak Peek

Hi everyone, if you don’t already have a LOCKBOX beta account and wanted to take a sneak peek at our Secure File Transfer service, head on over to http://www.golockbox.com.  We’ve got some more interim information about the service along with some screenshots at the bottom.  Thanks,


“Security issues won’t stop cloud ‘tidal wave’”

That was a quote from Barry Briggs, CTO for Microsoft’s internal IT department, from the article at http://www.techflash.com/seattle/2010/05/microsoft_cto_cloud_computiing_an_inevitable_tidal_wave.html.  In the article Mr. Barry was asked what he thought might slow down the growth or adoption of clouds and he brought up the topic of cloud security and some of the security question marks around this topic.  If you ever wondered what those security questions are check out the PDF here http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.

I read this while developing our secure online file transfer and storage platform called LOCKBOX and the assessment section was very good, especially for people who are in the process of creating a cloud adoption strategy or just determining if they should at all.  Enjoy,


Impacta and Microsoft Corporation work together in April 2010 (and December 2009) to protect online customers

Impacta was once again recognized by Microsoft Corporation in the month of April 2010 (and this past December  2009) for helping them to find vulnerabilities in their online services and protecting their customers through responsible reporting.

Check out Microsoft’s security researcher acknowledgement page for more information.


LOCKBOX Beta 1 is Launched!

“OK … here comes the pain …” –Scarface

In August 2009, I booted up the home computer to offload some photos taken during a recent trip across Europe only to find (to my “delight” of course) that both primary and backup drives had failed. Failed drives on a home computer. No big deal normally; however entombed in those drives were all of my digital photos since 2001 and for a photo “nut” like myself, this was a big deal.  I spent 10+ hours over the course of two days setting up another computer, searching for discontinued computer parts, installing operating systems and in the end thankfully I got all of those photos back.

Necessity: The Mother of All Inventions and How the Idea Behind LOCKBOX was Born …

Looking back, I am glad that both my primary and backup drive failed at the same time. I am glad that I almost lost all of my digital photos. Why? Because I learned the hard way that I never ever want to be in that position again. No thanks. I pass.  And if I think about it, even if I had multiple backup drives, those would not help (knock on wood) if say my house was burglarized while I was on vacation, or what if the house burned down (knock on wood again).

So that got me inspired to dive into cloud-based storage some more and some of the interesting security, privacy and reliability challenges of storing data in the cloud. For instance, how would you protect data on a system that is not even yours?  How do you protect your data if someone on the inside goes rogue?  If you want to exchange data with someone on the cloud, could you do it securely and more importantly easily (if you know anything about deploying PKI you feel pain right now, and if you don’t, trust me you don’t want to know)?  Pssss, what’s more interesting is that most of the current players I’ve seen aren’t really doing much or don’t know how to meet those challenges, and hence we developed the LOCKBOX platform.  So in one sentence:

LOCKBOX is a highly secure and reliable data protection platform for professionals and businesses who want to keep their customer data safe.

And on top of this platform you can easily build all sorts of interesting reliable data protection services.  For now that’s all I’ll say about LOCKBOX.  If you want to sign up for our limited beta 1 release, head on over to http://www.golockbox.com/beta/Default.aspx.  And with that said, I am proud to announce that the beta 1 release of LOCKBOX is released!


Impacta donates 10% of its 2009 revenue to local charities

2009 was yet another amazing year for Impacta, so I am proud to announce that we donated nearly 10% of gross profits for 2009 to local and non-local charities. Giving back to the community has always been a key tenet of Impacta’s core values, and we look forward to giving again in 2010.


Kevin Lam of Impacta receives 2010 developer security Microsoft MVP Award

Over the weekend I learned that I had received a developer security Microsoft Most Valuable Professional (MVP) award, and I just have to say what an honor this is.  Working with MSRC to resolve vulnerabilities, contributing to the WCF security guide, etc., all that was already fun for me — but when you get an award for something you love doing anyways, now that’s really something!

Thanks Microsoft!


What a Year 2009 Was!

Hey All,

With 2010 arriving soon, just wanted to give thanks to our customers and say what a great year 2009 was for this company.  When I look back on 2009, here are some of the highlights that come to mind:

  • Delivering some really outstanding results to our customers (we never talk about specific findings, but boy did we find and patch up some awesome vulnerabilities!)
  • Continuing our efforts in working with Microsoft to further protect their customers
  • The development of our proprietary ‘LOCKBOX’ security technology for clouds and spinning off another company around it (more news on this end of month 02/2010).
  • Donating slightly over 10% of our 2009 gross revenue back to local and non-local charities

Finally, none of this happens without our customers and supporters, so big thanks again go out to them.  Alright 2009 you’re done — see you all on the other side.


Sorry, I No Speak (Security) …

Last week I came across two stories about PayChoice (a payroll processing company) and the United States National Security Agency (NSA) getting hacked and really didn’t think twice about them.  Every organization is susceptible to online risk regardless of best-efforts employed, in-house expertise yada yada. A trip to Vancouver, British Columbia this past weekend however got me thinking deeper about those stories and the lessons we all (security experts and non-security experts alike) can learn.

First, the lesson to be learned is NOT ‘if security-expert organizations like the NSA and PayChoice can’t get security right, we’re all doomed.’  That’s not what we’re looking for here.  As an aside, good ‘security’ requires many different moving parts working together, great ‘security’ even more.  The question I am more interested in is why haven’t security guidance, process and tools been better adopted by now? Why are vulnerabilities like SQL injection still possible even for the NSA and PayChoice, or any organization for that matter, especially with the wealth of guidance and tools available?  Here’s my opinion on one reason why and it can be best illustrated by an anecdote from my Vancouver weekend. Here’s what happened …

“My Friend Would Like Soft Tofu, Not Fried, and No BBQ Pork …”

After going out Saturday night, my friends and I headed over to a tucked-away 24 hour Chinese food joint to get a late-night snack.  There I was trying to order a customized dish for a non-Asian friend and was having no luck. I would try to order in Cantonese and our waitress would respond, “sorry I no speak (Cantonese)”.  Then I tried in English, same result: “sorry, I no speak (English).”  Our waitress spoke a different Asian language (not to mention my Cantonese is less than perfect) so beyond shaking and nodding our heads and simple hand gestures, we just could not communicate effectively with each other. A friend who could communicate with our waitress stepped in, our orders were taken and we got the food we wanted.

“Sorry, I No Speak (Security)”

If it hadn’t been for my other friend who could speak the language that the waitress taking our order understood, it would have been unrealistic to expect her to bring the food that we wanted, you know the soft tofu, not fried and no BBQ pork. I might have been lucky and got exactly what I wanted, but that would have been rare.

I think the same goes for security, especially in application security. If we’re asking developers to create more secure software, build more secure Web sites, but we’re not speaking in the language that they (developers) understand, it’s unlikely we’ll get what we want (i.e., more secure software). 

When I think about security guidance training for instance, most training that I’ve seen is heavy on the attack information and light on the secure development information (i.e., the stuff that developers understand, and perhaps care about). And if I really think about it, most of the time the presenter isn’t a developer themselves! The same goes for tools.  With the exception of code scanners, most of the ‘secure development tools’ available are really watered-down attack tools.  Cross-site scripting and SQL injection scanners?  Socket fuzzing tools?  All great tools, but are these really the best tools to help developers?  Are they really focused towards developers and, better, will they really use them? To be honest, I do know of a handful of developers that actually do use the security guidance and tools available to them, but I suspect if we want to see wider more in-depth adoption we need a slight perspective shift.


