    News & Updates

    Updates

August 10, 2018

Haventec at the Gartner Security & Risk Management Summit 2018

Haventec CEO, Robert Morrish, will be presenting at the Gartner Security & Risk Management Summit 2018 in Sydney on 21 August 2018.

He will examine some of the most challenging security risks of the modern digital era and discuss how decentralised security can be applied to protect companies against many of these risks. Rob will use a number of industry-related case studies.

https://www.gartner.com/en/conferences/apac/security-risk-management-australia

April 3, 2018

BrisSEC 2018 Securing Business: a new paradigm in sensitive information management

Businesses can improve data security and privacy by adopting decentralised approaches to sensitive information management, said Robert Morrish, CEO of Haventec, at the Australian Information Security Association’s BrisSEC18 Securing Business conference.

Watch Robert Morrish’s presentation on 23 March 2018 “Decentralised security – a new paradigm in sensitive information management” to learn more about how decentralised data security approaches address major challenges including:

  • Identity vulnerability — eliminate traditional attack vectors; remove risk of mass account breach; simplify and secure user experience
  • Evolving perimeter — protect channels and services; reduce risks of attack points; enable adoption of external solutions
  • Increasing legislation — prevent exploitation of critical data; reduce exposure to liability; return control of data to end users

 

March 23, 2018

FST conference: Future-proofing organisations against threats with decentralised security

Many organisations still rely on the username/password authentication method, developed in the 1960s, for their systems. This outdated method is causing major problems, explained Robert Morrish, CEO of Haventec, at FST Media’s Future of Security conference in Sydney.

Watch Robert Morrish’s presentation on 15 March 2018 “Future-proofing organisations against threats with decentralised security” to learn more about:

  • The threat landscape of traditional security practices – what are the weaknesses in the current approach?
  • Global regulatory and legislative drivers, and the implications to your business
  • How decentralised security addresses these problems

February 13, 2018

Indonesia-Australia Digital Forum 2018: Haventec and future proof authentication

Cyber security is an important consideration in all business collaborations, noted Robert Morrish, CEO of Haventec, in his presentation on future proof authentication at the Digital Forum in Jakarta.

Watch Robert Morrish’s presentation here:

Exploring the increasing opportunities for collaboration between Indonesia and Australia in the digital sector, the Digital Forum aims to deepen and expand cooperation between thought leaders and practitioners from the Indonesian and Australian government, private sector and academia.

Participants discussed the possibilities and challenges of the digital age and considered opportunities to develop new partnerships.

Robert Morrish presented during the Cyber Security stream (the other streams were Creative Industries, Digital Health, FinTech and Start-ups, and Smart Government), explaining some of the major cyber security challenges organisations face worldwide, including:

  • Traditional security practices damaging customer relationships
  • Compliance with data security and privacy laws
  • Central stores of identity (including usernames/passwords) are especially vulnerable

He also outlined the benefits of decentralising security with Haventec Authenticate:

  • Create seamless, frictionless customer experiences
  • Make the end user feel safe in every transaction
  • Protect the organisation from data breach
  • Eliminate exposure to liability
  • Reduce cyber security risk
  • Simplify operations and reduce cost

December 12, 2017

Smart Buildings Summit 2017: building security in the spotlight

Who is responsible for managing the cyber risks of a smart building? “The short answer: anyone who controls access,” explained Robert Morrish, Haventec CEO, during his presentation on cyber security at the Smart Building Summit 2017.

Held at Sydney University on 28-29 November 2017, the Smart Building Summit brought together senior executives from Commercial Real Estate, Facilities Management, developers and construction companies, architecture and design firms and IoT to discover new strategies and hear new trends supporting smart buildings.

All access points need proper security

“Access points are the major security risks if they are not properly secured,” noted Morrish. “They can be used to attack building services, steal personally identifiable information that puts tenants and their clients at risk, as well as expose valuable intellectual property such as strategic plans and financial information.”

“Wi-Fi networks that allow simple login and/or guest login are the most vulnerable. Any WiFi network provided for casual users should only allow monitored and white-listed access to general internet services and not allow access to sensitive systems.”

Morrish identified three main cyber security focus areas for smart building owners and managers:

  1. Citizens and guests
  2. Building systems
  3. Critical infrastructure

“Corporate databases containing Personally Identifiable Information (PII) are especially attractive targets,” warned Morrish. “These databases are often linked to web-based transaction gateways and CRM systems; and extra risks appear when real estate owners’ IT networks are connected to their tenants’.”

Building systems can potentially be hacked to launch attacks on tenants, said Morrish, describing how remote attacks on climate control and access systems might cause physical harm or hold people hostage by locking them in.

Similarly, attackers might circumvent access and surveillance systems to enter restricted areas, or damage communication, evacuation and fire protection infrastructure.

A Grant Thornton October 2017 report ‘The hidden cost of smart buildings: Understanding cyber risk for asset managers and owners’ also warns:

“If a building shuts down due to its security and systems being compromised, whether it be exposure of tenant data, break down of power supply, or restricting access to the building — the reputational damage could put the continuity of the asset owner’s organisation at risk.”

Protecting privacy is a challenge for all industries

“Public trust in any organisation is instantly eroded when its supposedly ‘secure’ digital and physical environments are breached, exposing personal customer data,” stated Morrish in a May 2017 update from Haventec on Australia’s Data Breach Notification Regulation.

“The personal cost to each individual might vary incident by incident, but ultimately it amounts to significant reputational damage for the organisation that allowed the breach to happen.”

“The published research on breaches of sensitive data indicates that most companies are not aware they have been breached and become aware of a breach months after it has occurred. The best stance is to assume that breaches will happen – and address the challenge now.”

Rex Kelly, Associate Director at property management firm JLL, agreed cyber security needs to be a major priority for the industry. In a post to his peers during the event, he shared key points from Morrish’s presentation and added a direct challenge: “Smart Buildings: Are you ready?”.

November 16, 2017

SecurityBriefAU interviews Robert Morrish about decentralised security

Robin Block of SecurityBrief Australia sat down with Haventec’s Robert Morrish to talk about decentralised security, the implications of Quantum IT, and the market for Haventec’s technologies.

Read the full interview on Security Brief Australia.

(In the excerpt below, Robert Morrish explains why encryption isn’t enough.)

Robert Morrish, CEO of Haventec: “The problem with traditional data security is that key stores are often on the very networks they are protecting, and the perimeters of networks have all but disappeared with BYOD, cloud applications and SaaS solutions. So when hackers target an organisation they have plenty of ways of getting in — and they are highly focused, funded and motivated to do that, because as soon as they get to the key store they can unlock and steal even more valuable data quickly and easily.”

“The necessary question is: how do we store data in a way that is actually safe? Encryption is the common answer, but it is insufficient. Computing capabilities are advancing to the point that most current encryption will be rendered useless within a few years. Right now people are stealing encrypted data knowing they won’t have to wait long for a way to break into it.”

“Haventec aims to futureproof organisations against the threats of hackers using quantum computing. We had independent testing done by David Hook, who wrote cryptography for Android, and his first report said our identity management product Authenticate was built on quantum resistant attack architecture — which we knew, but it was great to hear in an independent review.”

“We don’t use central key stores. Our products encrypt data, deconstruct the data, and then distribute it into multiple locations — meaning a hacker has to approach multiple locations simultaneously within a very limited timeframe to launch an attack before we change everything around.”

“Our Sanctum product decentralises sensitive information such as PCI, so whenever you unlock a crypto vault on Sanctum, we actually destroy the old vault, create a new one and then deconstruct it.”

“For our Authenticate product, we decentralise user identity into three parts. The hacker has to come after our server, your device and the secret that is in your head. That last piece of information is never stored or transmitted in its raw form, and changes every time you interact with us. We have basically made it really expensive and really hard — if not impossible — to go after one account, let alone millions, and we have made it completely impossible to have a central network breach. Losing a million accounts in one go won’t happen with our system.”

Topics discussed in the full interview include:

  • The main verticals Haventec is looking at as expansion opportunities
  • Haventec’s cloud and on-premise delivery models
  • Future growth opportunities

November 16, 2017

Australia-Israel leaders round table on cyber security

Haventec participated in the Australian delegation to the Leaders’ Roundtable on Cyber Security in Jerusalem, Israel, on 30 October 2017 along with government, academia and industry representatives from Australia and Israel.

The round table provided an opportunity to exchange views on challenges and best practice responses in the field of cyber security, including:

  • Frameworks and processes to support innovation
  • Best practice on government supporting and developing local cyber security ecosystems companies, innovation and research
  • Education and awareness on the ‘Internet of Things’, particularly in ensuring consumers are better able to use smart devices intelligently and securely
  • Application of international laws and norms in cyberspace
  • The need to encourage students to strive for careers in cyber and science, technology, engineering and maths (STEM)

The meeting in Israel closed out the Australian Government’s Cyber Security Awareness Month in October.

Australia’s PM Malcolm Turnbull and Israel’s PM Benjamin Netanyahu pledged deeper cooperation on cyber-security in the fight against global terror threats.

November 7, 2017

Risky Business podcast: “Haventec’s solution is a bit more out there”

Popular security podcast Risky Business coined a novel description for Haventec’s Sanctum product during its 6 November 2017 show: ‘distributed “crypto magic” credit card storage’.

In an all-Australian edition of the Snake Oilers product pitch show that also featured Kasada, Risky Business asked Haventec CEO Robert Morrish to give elevator pitches for Authenticate and Sanctum.

The host, Patrick Gray, seemed particularly interested in how Sanctum works, describing the private transaction security product as: “really interesting to people in the payment card processing space”.

“Basically [Haventec] has come up with a way to split credit card info into a few pieces so it can be stored in a distributed way,” described Gray. “Part of the info with the user, part with the merchant and part with the processor. It’s a better approach than tokenisation, and will drastically reduce the liability and costs that come with storing huge amounts of card data on the processor side. Oh, and they’ve solved the chargeback problem on that one too.”

Listen to the full Snake Oilers #3 episode of Risky Business here.

October 26, 2017

Quantum Computing’s impact on security: special report

Things are moving so fast in the quantum computer field that it’s hard to gauge what is the current state of the art.
The news that Microsoft has been making major advances in the field, for example, is more about the practicality of writing software and providing production grade hardware components for what is at its core still very much an experimental technology.
On the other hand, the recent news that Russian researchers have broken the 50 qubit threshold is of major significance to security professionals.
This article is an attempt to shed some light on the current state of the art in quantum computing and to give some background and context so that someone with limited technical knowledge can understand the main issues.
Questions I’ll address include:
  1. What is Quantum Computing in simple terms?
  2. Why can’t everybody build their own quantum computer?
  3. Why is Quantum Computing particularly powerful in breaking encryption?
  4. What is the significance of the 50 qubit threshold?
  5. What are the ramifications for the next 3-5 years?
  6. How does Haventec fit into this future?

What is Quantum Computing in simple terms?

Traditional computers use switches made of silicon that are either on or off (binary). Quantum computers use subatomic particles that can be in multiple states at once. An excellent way of explaining this phenomenon is that a qubit can be thought of like an imaginary sphere.
Whereas a classical bit can be in two states – at either of the two poles of the sphere – a qubit can be any point on the sphere. This means a computer using these bits can store a huge amount more information using less energy than a classical computer. With quantum computers, any position on the sphere can be used as a value.
Additionally, each sphere can have multiple values at the same time. To illustrate, a traditional 20-bit data string can have any value from 0 to 2^20 or 1,048,576. But remember that is 20 bits to represent just 1 value.
A 20 qubit computing device can handle 1,000,000 values at the same time! As a layman, it appears to me that quantum computers are not as flexible as traditional computers, but once they get their teeth into a problem, they really get a move on – which is great for big conundrums like molecular calculation but very dangerous when it comes to code breaking.
We’ll go into this later, but it is reported that a 28 qubit computer was used to break a public key using a factoring algorithm and achieved in 1 hour what would take 78 million standard computer hours to accomplish. Thankfully 128-bit keys are used very little these days.

Note: D-Wave is a company that uses a simplified approach to quantum computer design that allows it to boast a very high qubit capacity, but is not considered competitive with traditional quantum computer designs.

Why can’t everybody build their own quantum computer?

The physics around quantum computing and the computation are complex.
The big issue seems to be the unstable nature of qubits. From what I understand you need to get the qubits very cold to make them stable (i.e. run the computer at a fraction of a degree above absolute zero or -273.15 C) and you still need to do a lot of error checking even then to make sure you are getting reliable results.
You can’t do this stuff with a homemade freezer and a server cluster in your garage. Only sizeable enterprise level or state level resources can play in this field, which has its pros and cons:
  • Pro: The technology is beyond the reach of your garden variety organised crime or black hat hacker group
  • Con: Even these large organisations are just as likely to fall prey to hack attacks, in which case the resources are still at least temporarily accessible to attackers.

Why is Quantum Computing particularly powerful in breaking encryption?

Today’s most popular encryption relies on related keys known as asymmetric keys. Commonly this type of encryption is called public key encryption.
Symmetric keys (where the password is the same for both sending and receiving parties) are pretty safe from quantum attack in assessments so far, but any type of asymmetric key system (where public/private key pairs are used) that uses factorisation and large prime numbers is easy work for quantum computers.
The basic weakness is that if you know the public key of a key pair, the incredible power of a quantum computer allows it to use brute force to determine the private or secret key in a flash. This is very serious. For example, as I mentioned in the previous heading, a quantum computer was used to break a public key, achieving in 1 hour what would normally take 78 million standard computer hours to accomplish! When you read the article you will find that this achievement was accidental, but it underscores the incredible power that is bearing down on us if we want to protect our privacy and our personal information.
The encryption that protects every client-server connection on the internet today is called TLS version 1.2 (usually you will see HTTPS in the URL if you are using TLS) and it uses factor-based public keys. It is estimated that 120 qubit computers could break every HTTPS connection made today in 2 seconds or less.
Nothing you do online – your passwords, your bank accounts, your emails – none of it would be secure. A new version called TLS 1.3 is being rolled out to try and move to a quantum-resistant approach that does not depend on standard factorisation.

What is the significance of the 50 qubit threshold?

For some time the turning point for quantum computers to start to outperform supercomputers has been a 50 qubit quantum computer. This point is known as the point of “Quantum Supremacy” and was achieved recently by a Russian researcher and team from Harvard University. More particularly the advance means that an approach to encryption cracking called “Shor’s Algorithm” can be used to very efficiently break standard public key encryption in a way that is beyond standard or classical computers and even supercomputers. From here the acceleration of capability will be an order of magnitude.

What are the ramifications of Quantum Computing for the next 3-5 years?

So, in summary, there are a few limiting factors on how dangerous quantum computers will be when used to attack encryption over the next 3-5 years.
  1. The technology is VERY finicky to control so will be only usable in the short term by large organisations such as IBM or nation states and their agencies such as the NSA.
  2. Using a very much research-oriented technology for a concerted encryption breaking exercise in the short term is not a priority for any of the players at the moment.
  3. As soon as a quantum computer shows reliable progress in breaking a standard public key system with today’s standard key length, agencies such as the NSA and their Russian and Chinese counterparts will start to throw significant resources into productionising the technology for a critical eavesdropping advantage.
  4. With the above in mind, there is a reason to believe that there are many initiatives TODAY in preparation for reliable encryption cracking. For example, any secure communications in use today can be recorded then stored for decryption as soon as the technology arrives.
    • With this in mind, it would be prudent to not store critical data that will have long-term value outside of 2-4 years using anything but quantum-resistant encryption such as symmetric keys or post-quantum public key encryption.
    • Also, it would be prudent to design information systems to ensure that as few quantum exploit holes as possible exist in your system architecture. Lots of advances will be made in quantum-resistant encryption over coming years, so you should ensure it is easy to find and keep your encryption protocols updated.
  5. Also be ready for some major advances to accelerate the technology in an unexpected way. For example, quantum stabilization at higher temperatures will allow thousands more researchers to work with quantum computers. Even as I write this article, researchers in Japan have radically increased the performance of quantum computers by cycling information in a continuous loop of qubits. Things will happen sooner rather than later. Note: within days of writing this a room temperature approach was devised. Amazing.
  6. Another reality to consider is that the illegal use of quantum capability will become more of a possibility over time. The ability for a hacker to penetrate a quantum computer centre and use it for hacking activities is a very real possibility and should not be discounted.

An example of a pervasive quantum weakness is the Bitcoin blockchain. While the blockchain itself uses quantum-resistant algorithms and a user’s public key is not recorded as part of the blockchain, the fact is that a user’s public key is disclosed to blockchain miners for use in verifying the signed transaction data.

If an adversary were to record these interactions with Bitcoin miners, they could come back later and, with a relatively small amount of time on a quantum computer, empty every wallet ever used on the Bitcoin blockchain where the owner has made a payment from their wallet and has left a balance of coins in it. The only current remediation is to change your wallet key pair every time you want to pay someone. You have to do this by moving the unused coin to a completely new wallet. Scary stuff.
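The check implied by that remediation, written as an added example rather than code from the article or from Haventec: it walks a ledger and reports which addresses have already signed a payment (so their public key is known) while still holding coins. The ledger, the address labels and the `fresh_address_for` hook are constructed for illustration, and the model assumes an address hides its public key until its first spend.

```python
from collections import defaultdict

# Constructed, simplified ledger (not real chain data). Each transaction
# spends earlier outputs, referenced as (txid, output_index), and creates
# new outputs as (address, amount). Addresses are hypothetical labels.
TXS = [
    {"txid": "t1", "inputs": [], "outputs": [("alice_1", 50)]},
    # Alice pays Bob and sends the change back to the SAME address.
    {"txid": "t2", "inputs": [("t1", 0)],
     "outputs": [("bob_1", 20), ("alice_1", 30)]},
    {"txid": "t3", "inputs": [], "outputs": [("carol_1", 40)]},
    # Carol pays Dave and sends the change to a FRESH address.
    {"txid": "t4", "inputs": [("t3", 0)],
     "outputs": [("dave_1", 10), ("carol_2", 30)]},
    # Bob spends everything he received.
    {"txid": "t5", "inputs": [("t2", 0)], "outputs": [("erin_1", 20)]},
]


def audit_key_exposure(txs):
    """Return balances split by whether the address's public key is known.

    Assumption: an address hides its public key (behind a hash) until the
    first time it signs a spend, at which point the key becomes public.
    """
    unspent = {}          # (txid, index) -> (address, amount)
    key_revealed = set()  # addresses that have signed at least one spend

    for tx in txs:
        for ref in tx["inputs"]:
            if ref not in unspent:
                raise ValueError(
                    f"{tx['txid']} spends unknown or already spent output {ref}")
            address, _ = unspent.pop(ref)
            key_revealed.add(address)
        for index, (address, amount) in enumerate(tx["outputs"]):
            unspent[(tx["txid"], index)] = (address, amount)

    balances = defaultdict(int)
    for address, amount in unspent.values():
        balances[address] += amount

    exposed = {a: b for a, b in balances.items() if a in key_revealed}
    unexposed = {a: b for a, b in balances.items() if a not in key_revealed}
    return {"exposed": exposed, "unexposed": unexposed}


def sweep_plan(report, fresh_address_for):
    """List (from_address, to_address, amount) moves that clear the exposure.

    fresh_address_for is a caller-supplied function returning a never-used
    address for a given owner address (hypothetical wallet hook).
    """
    return [(addr, fresh_address_for(addr), amount)
            for addr, amount in sorted(report["exposed"].items())]


if __name__ == "__main__":
    report = audit_key_exposure(TXS)
    print("key revealed, coins still held:", report["exposed"])
    print("key never revealed:", report["unexposed"])
    print("moves:", sweep_plan(report, lambda a: a.rsplit("_", 1)[0] + "_new"))
```

Only the address that received its own change is flagged; the wallet that sent change to a fresh address holds nothing under a revealed key.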

How does Haventec fit into this future?

As part of our hardening and intrusion testing regimen, Haventec has worked with some of the best cryptographic minds in the world including the designer of Android’s cryptographic technologies and white hat hackers from some of the world’s top intrusion testing firms. We can supply details under confidentiality agreements.
This advantage exposed us to some of the realities of the quantum world even way back when we first engineered Haventec’s core technology. For example, we are not dependent on any specific flavour of public key technology and can easily switch in post-quantum encryption as it becomes available. We also use a number of non-public key based encryption techniques such as advanced obfuscation, symmetric key encryption and single-use keys such as one time codes.
The simple fact that Haventec allows every enterprise to securely communicate with every one of their customers without storing or using a single password is an example of how forward-thinking the design is. Even though we currently do rely on TLS for our client-server connections, none of our communications contains any information that is usable after the current or next transaction.
Our client-side data security storage called Sanctum is also symmetric key based, where the key is rotating with every use. All of Haventec’s technologies are quantum-resistant from the ground up.

June 20, 2017

Real estate data can now be protected by bullet-proof cybersecurity

GlobeSt.com | 16 June 2017

A collaboration between Haventec and AMP Technologies will deliver cybersecurity and an integrated data platform in one, reports real estate industry publication GlobeSt.com.

Haventec’s CEO Robert Morrish and AMP Technologies’ CEO Neel Naicker spoke with GlobeSt about how real estate data can now be protected by bullet-proof cybersecurity that is user-friendly, cuts costs and gives companies peace of mind.

“Users need to leverage data to take action, but you need to protect your data or it will destroy you,” Naicker told GlobeSt.com. “We needed a venue to be ahead of the data.”

Haventec’s technology “eliminates hackers’ motivation because there’s nothing to steal”, said Morrish. “Authenticate is an internationally patented device that allows the user’s identity to be reconstructed on the fly using encryption technology.”

The technology, including Haventec Authenticate, was showcased at the Realcomm 2017 conference in San Diego on 13 June during a Cybersecurity Forum attended by real estate and cybersecurity industry thought leaders.