Apr 11 2014
 

The big tech news story of the last two days has been the Heartbleed security flaw, which may have compromised users’ passwords and other details.

Given the nature of the bug, where a server can be tricked into giving away bits of what’s stored in its memory, it’s hard to say exactly what has been compromised – on most sites you’d be very unlucky to have your password or banking details sitting in memory at the precise millisecond a malicious attacker exploited the bug – but the risks are still real.
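The flaw behind that description is a missing bounds check: the server copied as many bytes as the heartbeat request claimed to contain, not as many as it had actually received. The following is an added illustration written for this post, not code from the original article or from any TLS library, using a deliberately simplified heartbeat record layout (type byte, two-byte big-endian payload length, payload, then padding); the record framing, the constant names and the sample messages are assumptions made for the example. It shows the check that turns an over-read into a rejected request.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record layout (an assumption for this example,
 * not the exact TLS framing):
 *   byte 0    : message type (1 = request, 2 = response)
 *   bytes 1-2 : payload length the peer claims, big-endian
 *   bytes 3.. : payload, followed by at least 16 bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Builds a heartbeat response into `out`. Returns the number of bytes
 * written, or 0 if the request is rejected. The comparison of the
 * declared length against `record_len` is the safeguard the vulnerable
 * code lacked: without it the memcpy below reads `declared` bytes from
 * the record buffer no matter how few bytes actually arrived, and the
 * reply carries whatever happened to sit in memory after the record. */
size_t heartbeat_reply(const uint8_t *record, size_t record_len,
                       uint8_t *out, size_t out_len)
{
    if (record_len < HB_HEADER + HB_PADDING) return 0;   /* too short to be valid */
    if (record[0] != HB_REQUEST) return 0;
    size_t declared = ((size_t)record[1] << 8) | record[2];

    /* Bounds check: the claimed payload plus padding must fit inside
     * the bytes we really received. */
    if (HB_HEADER + declared + HB_PADDING > record_len) return 0;

    size_t reply_len = HB_HEADER + declared + HB_PADDING;
    if (reply_len > out_len) return 0;                     /* respect our own buffer too */

    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + HB_HEADER, record + HB_HEADER, declared); /* echo only verified bytes */
    memset(out + HB_HEADER + declared, 0, HB_PADDING);     /* fresh padding, never echoed */
    return reply_len;
}

/* Constructed sample records (3 header + 4 payload + 16 padding = 23 bytes). */
static const uint8_t honest_request[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same 23 bytes on the wire, but the header claims a 65535-byte payload. */
static const uint8_t oversized_request[] = {
    HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Honest request: returns the reply length (23) once the echoed payload checks out. */
size_t demo_honest(void)
{
    uint8_t out[64];
    size_t n = heartbeat_reply(honest_request, sizeof honest_request, out, sizeof out);
    if (n == 0 || out[0] != HB_RESPONSE || memcmp(out + HB_HEADER, "ping", 4) != 0) return 0;
    return n;
}

/* Mismatched request: the bounds check rejects it, so 0 bytes are sent back. */
size_t demo_oversized(void)
{
    uint8_t out[64];
    return heartbeat_reply(oversized_request, sizeof oversized_request, out, sizeof out);
}

int main(void)
{
    printf("honest request  -> %zu-byte reply\n", demo_honest());
    printf("oversized claim -> %zu-byte reply (rejected)\n", demo_oversized());
    return 0;
}
```

The point for a defender is that the length a peer writes into a message is untrusted input like any other: it has to be reconciled with the number of bytes that actually arrived before it drives a copy.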

While webmasters and system admins around the world are frantically patching their systems, the best advice for the average user is to wait before changing passwords: if the bad guys already had your details, they’d probably have used them by now, and changing your logins on a still-vulnerable server might actually increase the risk of crooks stealing your information.

The Internet of Things

The longer term risks with Heartbleed are actually in embedded systems and the Internet of Things; many devices will have hard-coded implementations of the buggy software that may never be patched, and these devices may give up much richer data than a web server would.

It’s another illustration of how difficult the task of keeping embedded technologies up to date is, and of how hard it will be to secure the Internet of Things.

Open source blues

While there’s no shortage of similar security lapses in commercial software, the Heartbleed saga is going to concentrate the minds of the open source community on how to tighten peer review and audit version updates.

Most open source projects are staffed by small groups of time-poor volunteers, making auditing and quality control harder. That key parts of the internet and computer industries rely on these underfunded, and often unappreciated, groups is a weakness for the entire sector.

No technological change is simple or without problems, and securing information is one of the great challenges of today’s tech revolution. Heartbleed is a strong reminder of that; hopefully we’ll learn some lessons about building robust systems.

Apr 09 2014
 
In 2001 Microsoft released Windows XP

It’s notable that the long-flagged end of Microsoft’s support for Windows XP happened the day before the Heartbleed bug, one of the most worrying security flaws we’ve seen, was publicly revealed.

One of the questions that has bugged many of us in the industry – pardon the pun – is whether Microsoft would back down on its insistence they would not issue security patches for Windows XP when a major exploit became public.

With between 15 and 30% of the world’s desktop computers still running XP and 6,000 websites reportedly running on the superseded system, it’s hard to see how Microsoft could justify not sending out an update should an exploit the size of the Heartbleed bug become apparent.

As it is, there may be some argument for updating some of the security certificates in Windows XP and the older versions of Internet Explorer in the light of the Heartbleed bug; we’ll wait to see on that.

While Heartbleed doesn’t directly affect Windows XP computers, it’s still a reminder that life is going to get tough for those running an unpatchable operating system.

Mar 20 2014
 

As more devices become connected, Cisco Systems hopes the resulting security issues can be addressed by the developer community.

“The Internet of Everything is not only going to turn every company into a technology company, but it’s going to force every company to truly become a company that delivers security,” says Christopher Young, Senior Vice President of Cisco’s Security Business Group.

Speaking at the Australian Cisco Live! conference in Melbourne today, Young described how businesses are going to have to change the way they treat the data they collect from sensors.

“Not just in consumer security,” continues Young. “If I’m using technology or I’m delivering a service that’s leveraging technologies like cloud or connected devices and creating information about individuals or organisations through these connected devices then a consumer or enterprise is going to expect a level of security.”

Young sees three major ways that security is becoming more challenging for organisations; changing business models, a dynamic threat landscape and increasing complexity.

The latter point is the area that focuses many executives’ attention in Young’s experience, with the audiences he speaks to nominating complexity and fragmentation as their greatest concern.

“They get so many products and so many devices and so many tools and so much complexity they really don’t know, in so many cases, where to focus their efforts.”

Young cites Cisco’s Chief Security Officer, John Stewart, as saying that the most fundamental security defence is getting the basics right.

Earlier this year at the release of the company’s 2014 security report, Stewart spoke to Networked Globe on how businesses are struggling with the complexity they face.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Stewart said.

This problem ties into the other areas that Young identifies, particularly the ‘industrialisation’ of the malware world.

“We have more well funded, more innovated, more determined adversaries than we’ve ever had as an industry.

“It used to be some high school kid in his room trying to infect a bunch of machines with viruses or some guy from Nigeria sending you an email asking you for a hundred bucks and he’ll give you a thousand bucks later.

“The world we live in today has nation states and criminal syndicates and very well funded, very sophisticated attackers, so hacking has become an industrialised activity,” Young says. “There’s supply chains involved, there’s support agreements written; the bad guys will even sell each other a contract.”

Young’s views echo those of Sophos Labs’ Vice President Simon Reed who said last year that “now there’s money involved, there’s serious effort, the quality of malware has gone up.”

Part of the solution Young sees involves getting the community involved, which is the motivation behind the Cisco Security Challenge announced last week.

“You can only just guess and imagine what all the different security challenges will look like in a world that’s just starting to get formed.”

“Let’s get the community involved in trying to solve some of the problems that we know are going to be inherently introduced by IoE.”

Mar 13 2014
 

Yesterday I posted a piece on Business Spectator about Australia’s new privacy regulations; little did I know that the European Union Parliament was about to release its own.

The EU regulations look interesting and certainly seem, on first look, to be far more comprehensive than Australia’s effort, which I described as a toothless, box-ticking exercise.

A notable aspect of the EU’s announcement of the new rules is its claim that the updated regulations are expected to generate €2.3 billion in economic benefits each year.

Whether the EU’s rules prove to be an economic cost – as Australia’s effort will almost certainly turn out to be – or a competitive advantage remains to be seen. However, the European Parliament is certainly making a case for data security and privacy protection as an important selling point in a highly competitive digital world.

The competitive advantages between countries and continents in the 21st century will be very different to those that determined the economic winners of the previous two centuries.

Mar 10 2014
 

Security writer Brian Krebs has followed up last year’s story that US credit reporting agency Experian had been selling personal data to Singapore-based identity thieves with news of the guilty plea from the scheme’s architect.

Krebs points out that the leader of the identity thieves, Vietnamese national Hieu Minh Ngo, could access up to 200 million consumers’ records.

It’s almost impossible to say how much theft, fraud and misery was inflicted on innocent Americans who had their personal details misused by Ngo’s customers.

The amazing thing is that it appears Experian’s executives and shareholders will not suffer any sort of penalty – civil or criminal.

In an age where companies are collecting masses of data on everyone, it’s inconceivable that those trusted to store and protect that information – particularly credit reporting agencies – seem beyond any accountability for failing in their core responsibilities.

There’s also the prospect of undermining the US credit system; if merchants and consumers find they can’t trust credit reporting agencies, then offering or obtaining credit becomes far more difficult and risky.

Until the management of companies like Experian are held accountable for their incompetence, any talk of safeguarding privacy is empty. It’s why we should treat claims that our data is held safely by government agencies or businesses with a great deal of caution.

Feb 28 2014
 
RSA SecurID key fobs (SID700 and SID800 tokens)

“Today I’m happy not to have an RSA Conference badge on me,” Mikko Hypponen, head researcher of Finnish security company F-Secure, told the inaugural TrustyCon conference in San Francisco yesterday.

Hypponen was referring to the RSA Conference, hosted by industry vendor RSA and one of the world’s most prestigious information security conferences.

RSA is known to many corporate computer users for its SecurID authentication tags, the little key fobs that generate passcodes for logging in to secure networks and that illustrate this post.

Sadly for RSA’s users, those tags were compromised in 2010, and the company did its best to obscure, if not downright hide, the problem from both the industry and its customers.

However, the killer blow for RSA’s reputation was an article in Reuters at the end of last year claiming the US National Security Agency had paid the company $10 million to weaken its security protocols.

The company denies this, but the damage was done. As Hypponen says, “When a security company can’t be trusted, what do they have left?”

How RSA lost the trust of security professionals is a good lesson for all of us: our businesses rely upon the goodwill of our customers and our peers. If we betray their trust, we’re hurting ourselves.

Feb 16 2014
 

I’ve been sceptical of computer security vendors for a long time, and it’s interesting that even as the threats evolve, the suspicion remains.

That suspicion comes from running an IT support business through the turn-of-the-century virus epidemic; it’s hard to take seriously the same companies whose products failed to detect the malware, and in some cases made problems worse.

At the annual Tech Leaders Kickstart event today, I found that old hostility bubbling up as a series of security vendors warned us of the terrible threats in cyberland and how their product would solve most, if not all, of our problems.

The irritating thing with their pitches is that none of them would articulate how the threats are evolving, or give real-world examples.

Not that there’s any shortage of real-world examples, with corporate security disasters like Sony and Target serving as great case studies of what can go wrong. Indeed, there are very good reasons for businesses and every computer user to take security seriously.

There’s something missing in the way tech security is sold and in the way the industry articulates its message.