Beame.io Finally Releases the Beame-Gatekeeper and Mobile Authenticator

April 9th, 2017 Company News

Beame.io launches a new tool, a framework, and a fresh look at the deployment of Public Key Infrastructure (PKI).

Beame.io has launched the first global, delegated authorization/authentication mechanism, one with the ability to create unlimited TLS certificates. This can help software developers, mobile app developers, and IoT vendors create, manage and provision device identities. Unlike any of its competitors, Beame’s system resolves the question of device access, since any Crypto-ID can be made globally available as an HTTPS server.

What’s in the release? A set of software products, intended to allow the creation of private networks with global, PKI-based, authenticated access:

Beame-gatekeeper can help in a large variety of use cases for authenticated local and remote access or certificate provisioning. The Beame.io mechanism gives you the control of a private CA while issuing publicly trusted TLS certificates, so ordinary browsers can connect to provisioned endpoints without a private root being installed in the operating system. Each device is recognized by the combination of its own public key and its FQDN.

This can be used by a wide variety of users, from those implementing their first IoT project to those implementing a large-scale credentialing system for a major insurance carrier.

Any HTTP/HTTPS service can be installed behind the beame-gatekeeper.

This, in essence, creates an easy way to reach devices on a private network without port forwarding, NAT traversal, or UDP hole punching, while admitting only clients that can prove possession of a cryptographic key.

You can download and try beame-gatekeeper now. All of the components that you install are open source and the certificates you get from Beame are currently free. Your feedback is very valuable for us, so please let us know how beame-gatekeeper works for you.


Hack all the Journalists: How we stumbled upon the usernames and md5 hashes of all the journalists, past and present, at Wired.com

March 15th, 2017 Company News
On February 26th, 2017, Beame.io found and responsibly disclosed a major security breach to Wired.com.

We were on www.wired.com looking for an email address for a journalist and discovered something very disturbing. We understand from Wired that they have since done their best to mitigate the damage so our writing this up should not cause them to suffer any further breaches related to this.


All it took was one right click and “Inspect”, and we could have owned all of Wired.com’s publications without anyone knowing: post articles, pretend to be authors, and bring “fake news” to a whole new level of maliciousness. Since we are a cybersecurity firm and not a hacker group, we didn’t do that.
This is a pretty big deal because of what we discovered: usernames, MD5 hashes of their WordPress passwords, and email addresses, among other things, were out in the open for anyone to see. Anyone with a few thousand dollars’ worth of equipment could recover the passwords behind these hashes and completely compromise Wired.com, which has millions of readers and frequently posts about cybersecurity issues.

Journalist credentials and details hiding in plain sight in the JSON on Wired.com

Here is an easier to read version of the same:


Formatted User Data JSON

Our team ran about 100 of their author pages through the same check and found this information for all of them. It also includes people’s email addresses and their registration dates, so you can see user account seniority on the website, too. The screenshot is below.


Now, we were certainly not going to go around flipping these hashes, but we told Wired.com that “you probably already know that anyone with malicious intent and a $5,000 rig would be able to do so easily.” [Edit: Wired.com has disclosed the breach since we posted this, and the link to that is here.]
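What “flipping these hashes” means in practice is an offline dictionary attack, and it is worth seeing how little the hash format resists it. WordPress’s default password hasher is phpass in “portable” mode: one salted MD5 followed by 2^13 further MD5 rounds, stored as a 34-character `$P$B...` string. The post only says “MD5 hashes”, so the assumption here is that this is the format that was exposed. The following is an added example, not code from the post or from Beame.io: it reimplements the phpass portable hash in Go and runs a wordlist against it. The wordlist is constructed for the demo; the reference hash/password pair is the one shipped in phpass’s own test.php.

```go
package main

import (
	"crypto/md5"
	"errors"
	"strings"
)

// itoa64 is the crypt-style alphabet phpass uses for its portable hashes.
const itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// encode64 is phpass's own base64 variant: 3 bytes become 4 characters,
// least-significant 6 bits first, with no padding.
func encode64(in []byte, count int) string {
	out := make([]byte, 0, 22)
	i := 0
	for {
		v := int(in[i])
		i++
		out = append(out, itoa64[v&0x3f])
		if i < count {
			v |= int(in[i]) << 8
		}
		out = append(out, itoa64[(v>>6)&0x3f])
		if i >= count {
			break
		}
		i++
		if i < count {
			v |= int(in[i]) << 16
		}
		out = append(out, itoa64[(v>>12)&0x3f])
		if i >= count {
			break
		}
		i++
		out = append(out, itoa64[(v>>18)&0x3f])
		if i >= count {
			break
		}
	}
	return string(out)
}

// PhpassHash recomputes a portable phpass hash ("$P$" or "$H$", one
// iteration-count character, an 8-character salt, 22 characters of digest)
// for password, reusing the salt and count found in setting. This is the
// scheme WordPress's wp_hash_password() uses by default.
func PhpassHash(password, setting string) (string, error) {
	if len(setting) < 12 || (setting[:3] != "$P$" && setting[:3] != "$H$") {
		return "", errors.New("not a phpass portable hash")
	}
	countLog2 := strings.IndexByte(itoa64, setting[3])
	if countLog2 < 7 || countLog2 > 30 {
		return "", errors.New("iteration count out of range")
	}
	salt := setting[4:12]
	// md5(salt || password), then 2^countLog2 rounds of md5(prev || password).
	h := md5.Sum([]byte(salt + password))
	for n := 1 << countLog2; n > 0; n-- {
		h = md5.Sum(append(h[:], password...))
	}
	return setting[:12] + encode64(h[:], 16), nil
}

// Crack is the offline dictionary attack a leaked hash invites: every candidate
// is hashed with the victim's own salt and compared. Returns the match, if any.
func Crack(hash string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if got, err := PhpassHash(c, hash); err == nil && got == hash {
			return c, true
		}
	}
	return "", false
}

// KnownHash is the reference vector from phpass's own test.php; its password
// is "test12345". SampleWordlist is a constructed stand-in for a real list.
const KnownHash = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"

var SampleWordlist = []string{"password", "letmein", "wired2017", "test12345", "qwerty"}
```

The salt only rules out precomputed tables; it does nothing against per-user guessing, and a few thousand MD5 rounds per guess is cheap work for a GPU rig. That is why exposing these strings is a credential leak, not merely a metadata leak.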


Here is the Wired.com response:

Wired.com response to Beame.io

Why does this matter?

Usernames and passwords are the real issue here, not the fact that Wired.com happened to use them for authentication. The future is already here in the form of new tools to prove the identity of users, servers, IoT devices, and mobiles. There will be no more central databases of sensitive credentials that can be breached, leaked, or hacked.

Today, decentralized identity is a reality. Beame.io pioneered using unique cryptographic credentials on user devices for seamless and secure authentication, login, remote access, and everything else that our personal and professional lives depend on. Beame.io is the first provider of cryptographic identity as a service. It’s available as open source developer tools here.

The Beame-Fatekeeper, or: How We Built a Personal Recon Device Using Kismet and Beame.io

March 13th, 2017 Company News

Kismet is a wireless network detector, sniffer, and intrusion detection system. It works predominantly with Wi-Fi (IEEE 802.11) networks but can be extended via plug-ins to handle other network types, and it now supports multiple types of capture devices, augmenting its data with SDR-based receivers and the Ubertooth One to monitor what is going on in your wireless space. Kismet is widely used in wireless penetration testing. The Kismet team has made significant strides in the last few months, including porting it to the WiFi Pineapple and moving towards a web interface.


The previous version of Kismet


The bleeding edge version of Kismet

Beame.io is a provider of cryptographic identity services and open source tools, such as beame-insta-SSL and the beame-gatekeeper and authenticator. Fun fact: the meaning of Kismet in English is “fate,” hence our cute modification of “beame-gatekeeper” to “beame-fatekeeper” for this project’s name.


What’s the connection between the two? Well, since Kismet became available through a web browser, Beame.io was able to install it on a Raspberry Pi and access it over publicly trusted SSL.

Why is this cool? The Raspberry Pi is now self-contained: all it requires is internet access. Also, the HTML interface looks good on mobiles.

When coming home from the Beame.io R&D Center last night, I started looking at this on my mobile device before going to sleep. I discovered that the wired devices’ MAC addresses are broadcast through the wireless access point to anybody listening. Now, why would it do that?

Beame.io on How to Actually Secure the IOT

March 1st, 2017 Fresh Perspectives

Sophia Tupolev of Beame.io recently gave this talk at the Google Campus for Peerlyst’s inaugural meetup in Tel Aviv.

How to Create Multiple Credentials with beame-sdk

February 26th, 2017 Development Notes

Understanding the Beame.io Network’s Credential Hierarchy


Overview

The Beame.io credentialing system allows you to create an unlimited number of cryptographic identities (publicly trusted TLS certificates), divide them into logical subgroups and delegate the authorization process downstream. These credentials can be used for building trust between different system components, such as servers, mobile devices, IoT devices, and end-users. The logical subdivisions allow the creation of an application-specific virtual private encrypted network, irrespective of how the systems are connected, and grant the correct permissions to the appropriate user.

General Principles and Definitions

The network graph can grow without limit both in depth and in width. Let’s consider the following diagram (Figure 1: Understanding Credential Structure).

We’re exhibiting at HIMSS 2017! Meet us there.

February 19th, 2017 Company News


The Beame.io team is getting ready to exhibit at HIMSS 2017 in Orlando, Florida! We’ll be at Booth 8072 at the Orange County Convention Center from Monday, February 20th – Wednesday 22nd, 2017. Our favorite HIMSS hashtag is definitely #HITsecurity, since our Crypto-ID is used in hospitals for secure remote access and more.

Update! Here are some pictures from Day 1 at HIMSS!




Is TLS Sufficient for Authentication?

January 10th, 2017 Fresh Perspectives


Public Key Infrastructure (PKI) is the strongest form of cryptographic authentication available today, and Transport Layer Security (TLS) is widely accepted as a sound application of it. If that is true, why isn’t TLS used universally for authentication?

Let’s consider one of the most powerful web attacks: a man-in-the-middle (MITM) using forged SSL certificates. To intercept encrypted traffic, the man-in-the-middle needs a certificate for the target’s name, together with its private key, issued by a CA that the target device trusts. The problem is aggravated by the fact that any Certification Authority (CA) trusted by the device can sign a certificate for any domain name, so the security of every site rests on the least trustworthy CA in the trust store. Nobody wants to risk their identity being stolen with a forged certificate.
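The problem above (any trusted CA can sign any name) and two earlier passages on this page, the gatekeeper recognising a device by “its own public key and FQDN combination” and the credential hierarchy that “delegates the authorization process downstream”, can be demonstrated together with Go’s standard library. This is an added example, not Beame.io’s code or SDK: it builds a hypothetical two-level hierarchy (a root delegating to a “fleet” CA that a name constraint restricts to .cams.example.test), issues device certificates, and shows that a second certificate for the same FQDN under a different key passes ordinary chain validation but fails a public-key pin. All names and the zone are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and a certificate for cn signed by signer
// (self-signed when parent is nil). CAs may carry a critical DNS name constraint.
func issue(cn string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey, permitted ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.PermittedDNSDomains = permitted
		t.PermittedDNSDomainsCritical = len(permitted) > 0
	} else {
		t.DNSNames = []string{cn} // the device's FQDN as a SAN
	}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Hierarchy: the root delegates to a "fleet" CA that may only issue names under .cams.example.test.
type Hierarchy struct {
	Root, Fleet *x509.Certificate
	FleetKey    *ecdsa.PrivateKey
}

func BuildHierarchy() *Hierarchy {
	root, rootKey := issue("Example Root", true, nil, nil)
	fleet, fleetKey := issue("Camera Fleet", true, root, rootKey, ".cams.example.test")
	return &Hierarchy{Root: root, Fleet: fleet, FleetKey: fleetKey}
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo: it names the key itself, not the issuer.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Verify accepts leaf only if it chains to Root for fqdn (name constraints
// included) and, when pin is non-empty, carries exactly the pinned public key.
func (h *Hierarchy) Verify(leaf *x509.Certificate, fqdn, pin string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Fleet)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: fqdn}); err != nil {
		return err
	}
	if pin != "" && SPKIPin(leaf) != pin {
		return fmt.Errorf("%s: chain is valid but the public key is not the pinned one", fqdn)
	}
	return nil
}

// Scenario runs four checks; a nil result means the certificate was accepted.
func Scenario() (device, outsideDelegation, sameNameOtherKey, sameNamePinned error) {
	h := BuildHierarchy()
	const fqdn = "cam1.cams.example.test"
	dev, _ := issue(fqdn, false, h.Fleet, h.FleetKey)
	// The fleet CA oversteps its delegation with a name outside its subtree.
	rogue, _ := issue("admin.corp.example.test", false, h.Fleet, h.FleetKey)
	// A second, validly signed certificate for the same FQDN under a different
	// key: what a compromised or coerced trusted CA hands a man-in-the-middle.
	imp, _ := issue(fqdn, false, h.Fleet, h.FleetKey)
	pin := SPKIPin(dev)
	device = h.Verify(dev, fqdn, pin)
	outsideDelegation = h.Verify(rogue, "admin.corp.example.test", "")
	sameNameOtherKey = h.Verify(imp, fqdn, "")  // chain validation alone accepts it
	sameNamePinned = h.Verify(imp, fqdn, pin) // the key pin rejects it
	return
}
```

Two things to take away. The name constraint is what keeps a downstream delegate from minting names it was never authorised for, which is the property a credential hierarchy needs before authority can be handed down safely. The SPKI pin is what turns “a valid certificate for this name” into “this particular device”, since it binds the FQDN to one key rather than to whatever any trusted CA will sign; the cost is that rotating the device key has to be coordinated with whoever holds the pin.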


Apple Delays ATS Compliance – Secure Your Apps Anyway with Crypto-ID SDK

December 27th, 2016 Development Notes


Apple was set to begin enforcing App Transport Security in iOS applications and their servers on January 1st, 2017, but extended the deadline at the last minute. According to Apple’s Developer Portal,

“App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.”

Apple evidently looked at ATS adoption and exception rates across App Store programs and decided it simply could not enforce the requirement right now because too many apps would be non-compliant. Is this what you do when you learn that 75% of your employees failed a drug test?

Apple had two great ideas with ATS: retiring older TLS versions and weak certificate signature algorithms (ATS requires TLS 1.2 and SHA-256 or stronger signatures), and enforcing the use of HTTPS. As a platform developer, it is important for Apple to protect application users and their devices. So what went wrong?


Super-Strong Primary ID – Cryptographic Identity on Mobile Devices

December 22nd, 2016 Fresh Perspectives

Who has access to your company’s servers? The requirement for secure access rights in the enterprise outstrips the authentication technology in use today. Passwords are obsolete and SMS for multi-factor authentication is deprecated. Single sign-on increases the risk from breaches of centralized identity storage. Connected devices pose a threat of their own, since IoT devices and their data do not have trusted identities.

Identifying the connected human and device in a trustworthy way is a pressing universal need. The connected human needs to move effortlessly in and out of protected physical and virtual environments. The connected device needs to realize its market potential. Fortunately, the science of cryptography lies at the heart of the answer to this problem.

Beame.io Chooses GlobalSign’s High-Scale Digital Certificate Services to Turn any Device into a Secure Server

November 29th, 2016 Company News Press

Users can now deploy SSL certificates to any device without a public IP

BOSTON – Nov. 29, 2016 – GMO GlobalSign (www.globalsign.com), a leading provider of identity and security solutions for the Internet of Everything (IoE), and Beame.io Ltd, a security framework and trust provider for the connected world of the future, are enabling users of any device, such as mobile phones, laptops, IoT devices, etc., to establish a secure HTTPS connection to a browser. The provisioning to remote servers happens through Beame.io’s open source framework, made up of several software development kits (SDKs).

Beame.io is using GlobalSign’s short-lived Organization Validated (OV) digital certificates to enable users to protect their data and privacy with connections established through the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. The digital certificate remains valid for as long as the user needs a secure session, which could range from minutes to months. A key benefit of short-lived certificates is that fast expiration shrinks the window in which a compromised certificate can be used for an attack.

“Most communication lacks encryption. The solution is simple: to give an identity to everything. Beame.io and GlobalSign are returning the control of identifying credentials to the hands of the user,” says Beame.io’s CEO, Zeev Glozman.

Beame.io makes it possible to assign hostnames to mobile devices and issue them matching short-lived GlobalSign SSL certificates. This provides secure, time-limited, global access to credentials or information. Beame.io allows for the creation and management of a private, secure application network on-demand, preventing unauthorized connections at the network layer. Beame.io provides proof of possession of a unique cryptographic key used together with multi-factor authentication, allowing application and device developers to easily implement asymmetric credentialing for end-to-end encryption anywhere.

Using GlobalSign’s high volume SSL and PKI certificate service, Beame.io is able to issue certificates without any user involvement. From the start, GlobalSign expects to issue millions of certificates for Beame.io’s customers.

From an end-user’s perspective, the Beame.io framework powers a range of uses in the boardroom, living room, doctor’s office, and beyond. Identity can be associated with internet-connected devices in the home for trustworthy, authenticated information transfer such as video feeds from a baby monitor or a security camera. Next, patient identity can be associated with mobile phones for seamless authentication at the doctor’s office. Additionally, patients will be able to share their medical files with their doctors from their mobile devices rather than being given temporary access to their files by their healthcare providers. Finally, in the enterprise, mobile phones can carry their owner’s identity and replace passwords, serving as a second or higher level of authentication. The mobile phone can identify a user to Single Sign On and can log him or her in to Active Directory. That’s because with Beame.io technology, the personal, mobile, or IoT device can act as a fully functional, publicly accessible server with a globally trusted GlobalSign SSL certificate.