May 14 2017

Last week finished with a big bang as the Wannacry ransomware attack spread around the world, with a curious twist which led one New York Times columnist to suggest software companies need to take more responsibility for security.

In the meantime the world goes on, with companies still struggling with the definition of innovation and Facebook crushing anyone who dares to try out-innovating them.

On a lighter note, Cary Grant spent much of his Hollywood years on LSD but it all turned out well, and VentureBeat asks whether humans have a role in a world run by Artificial Intelligence.

The future of humans

Is there a future for humans in a world run by artificial intelligence controlled robots? Venture Beat staged a panel in New Orleans that looks at where we fit into the automated world.

Ultimately, the panel concluded, it’s up to us to make some serious choices, something we shouldn’t leave to engineers.

The ethics of driverless cars

Autonomous vehicles should give priority to occupants over passers-by in the case of an emergency, suggests a Mercedes Benz engineer.

Christoph von Hugo, Mercedes’s manager of driver assistance systems, probably hasn’t helped the development of autonomous vehicles with his comments but the ethics of driverless vehicles is a discussion we should be having.

Defining innovation

Innovation is very simple: it’s about trying new ideas, says Pete Williams, Deloitte Australia’s chief edge officer.

“You need ideas, they need to be new, new for you. If everyone in the world is doing something and you haven’t done it and you do it for the first time, you’re innovating. You’ve got to try stuff. Not just have new ideas, you’ve got to try stuff. Innovation is something you do,” he said.

Rethinking public transport

British transport app Citymapper is to launch its own ‘popup’ bus service in London with the promise of a modern and user friendly operation. An interesting twist for a software service.

“There will be a large screen that shows riders where they are in real time, and what’s coming up on the route — similar to how its smartphone app works. And they also have USB charging ports.”

Snapchat feels the market chill

One of the darling unicorns of the tech industry, Snap, reported its first results as a listed company and the results were not good as Facebook’s shameless copying of the service’s features takes its toll.

Sadly Facebook seems to be following the Amazon playbook of crushing upcoming competitors that refuse to be bought out. This is a part of a broader problem with modern American capitalism.

What is Wannacry

Security researcher par excellence, Troy Hunt, gives a full run down on the Wannacry ransomware and how to combat it.

Towards the end of his article he has a list of eight actions computer users – from major organisations to households – can take to protect their systems. Depressingly, these are exactly what the computer tech support industry has been telling people to do for the past twenty years.

Wannacry’s accidental hero

An anonymous British IT security researcher realised the malware had a ‘kill switch’ – so he activated it. He does have an important message for computer users though.

“This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

An age of insecure machines

One of the things that might bring down an AI controlled world is insecure machines, as Wannacry shows. In the New York Times, technology commentator Zeynep Tufekci suggests we can’t stop the wave of attacks taking advantage of systems running out of date software, and that vendors need to take responsibility.

“It is time to consider whether the current regulatory setup, which allows all software vendors to externalize the costs of all defects and problems to their customers with zero liability, needs re-examination.”

100 trips in tinseltown

Cary Grant got through his Hollywood years by microdosing on LSD, claims a new documentary. When he retired from the movies he quit the speed and lived happily ever after.

Interestingly, microdosing is one of the strategies used by today’s Silicon Valley workers to get by in their stressful and demanding roles. Some things never change.

Earworm of the week

May 11 2017

This post is part of a corporate blogging assignment for HPI and IDC covering their Secure the Future Workplace event.

Security is probably the Internet of Things’ greatest weakness and probably the first devices to illustrate the weakness were networked office printers.

For HPI, the devolved printer and hardware arm of Hewlett-Packard, those IoT weaknesses are an opportunity to showcase their products. However, the security of printers is only the tip of a frightening iceberg of technology risks facing businesses and homes.

Security starts at the top

The first keynote for the morning was Simon Piff, Vice President of IDC Asia/Pacific’s IT Security Practice Business.

Simon gave an overview of the challenge of digital transformation and the risks involved.

To Simon, digital transformation has five different aspects within an organisation – Leadership, omni-experience, information, operating model and workforce transformations – all of which have different demands upon management.

One thing he sought to emphasise during his keynote is that an organisation’s IT security is a top-down process. “If your CEO doesn’t care about cyber-security then how are you going to execute?” he asks.

For printers he makes an important point: “They are essentially a single function server,” he says. “This is another server.”

“There haven’t been headlines about printer hacks but we are about to hear about them.”

Simon’s points about enterprise security and networked printers are something that all computer users, be they at home or in business, need to understand – almost every connected device can be a network server. Being hacked is a real risk for everyone.

Death of the perimeter

“Don’t accept complacency,” is the key message from the second keynote speaker, Edmund Wingate.

Edmund, HP’s Vice President and General Manager of the company’s JetAdvantage Solutions division, described how securing a company’s networking perimeter and relying on firewalls was “backward looking.”

In the printer world, the fact that the typical office device has over 250 settings alone creates risks for network administrators and security officers.

Compounding that problem is the use of proprietary software in these devices. A plethora of custom operating systems, many of them based on outdated Linux distributions, opens opportunities for an infinite range of exploits.

It’s better for the industry and vendors like HP to be open about the systems they are using and any vulnerabilities they find as otherwise governments will be forced to step into the space, warns Edmund. “The absence of standards lets things percolate too long.”

Edmund’s points about proprietary and old software are important aspects of the entire Internet of Things security discussion. That there will be billions of devices ranging from network printers to traffic cameras and connected kettles running antiquated software is a problem the entire IT industry will have to manage.

When your network is hacked

The day’s final session was a panel featuring Simon Piff, Managing Director ANZ for IDC; Carl Woerndle, Executive Director of Elevate Security; Hugh Ujhazy, Associate Vice President, IoT Practice Lead, IDC APeJ and Edmund Wingate.

Carl was the proprietor of Distributed IT, an Australian domain registrar that was spectacularly hacked in 2011. The damage done to the business was so debilitating that it eventually forced the company out of business.

The alleged perpetrator turned out to be an unemployed Australian truck driver with no formal IT qualifications who had targeted 700 other companies. It’s a sobering lesson on how vulnerable businesses are.

Random attackers are the norm, Hugh Ujhazy pointed out, and ransomware is another factor which wasn’t widespread when Distributed IT was hacked.

Ujhazy sees Blockchain as the opportunity to rethink security. “We are on the cusp of changing the way we deal with devices and applications,” he says.

The consensus from the panel was all enterprise networks are vulnerable to inside threats – whether they are IoT devices like network printers, disaffected individuals, malware or hackers. For executives and boards, that’s an important message on how critical security is in the modern organisation.

May 3 2017
the decline of voicemail and SMS text is hurting telcos

Voice authentication has become a standard in recent years, but now it appears software has bitten back, with a Canadian startup, Lyrebird, demonstrating how it can mimic people’s speech.

Last year at one of their industry events Adobe showed off their ‘photoshop for voice’ where anyone’s voice can be analysed and then remixed.

So voice recognition turns out not to be as foolproof as many in the security industry hoped. Like most biometric systems, anything that can be captured electronically can be spoofed or modified.

What’s notable in the Lyrebird story is how voice security companies like Nuance are deploying artificial intelligence to counter digital fakes. Once again we see security being a technological race.

Apr 11 2017
Computer security is evolving in a time of social media

This blog, and its predecessor, have long maintained that computers and the internet have levelled the playing field between large corporations and small business, so it was interesting to hear Telstra’s managers say that over lunch today.

Australia’s biggest telco was showing off their cloud services for small to medium businesses, with a presentation from futurist Ross Dawson on the changing technology world followed by real-world case studies from Darwin’s Abode New Homes, Canberra’s Red Robot and Melbourne’s Cargo Crew.

Narelle Craig of Cargo Crew led with one very good reason for adopting cloud services – Cryptolocker ransomware.

After an infection that locked them out of their systems and cost the business a hundred thousand dollars, they shifted their on premise software to the cloud.

It’s easy to imagine how Cargo Crew came unstuck: a basic system that met the needs of a four person company five years ago grew into an unwieldy beast servicing 25 staff today. As the business grew, the disruption of upgrading IT systems was seen as too time consuming and costly.

Until, of course, something happened: a ransomware infection for Cargo Crew and, for Abode, a fire in a neighbouring office the evening after they’d installed a new 20,000 dollar server. Thankfully they didn’t lose anything, but the scare was enough for them to start looking at alternatives.

Cargo Crew’s tale is a reminder of how basic most small to medium businesses’ IT systems are and how rudimentary their IT security is. While technology does level the playing field, there are still some things smaller businesses struggle with.

Mar 2 2017
how are we using data in our business

Last week I wrote a piece for Fairfax Metro – the Sydney Morning Herald and Melbourne Age – looking at how government agencies and private credit companies are mining data.

That story sparked a range of interest, with me doing a twenty minute segment on ABC Brisbane today on the topic, which morphed into a deeper discussion on surveillance, particularly the Australian government’s ‘metadata’ laws.

I’ll also be talking on ABC Radio Perth on Monday, March 6 about this story at 6.15am local time (9.15am Sydney and Melbourne).

In the wake of the Australian government’s Centrelink scandal – a national disgrace that is only getting worse – it’s worthwhile discussing exactly what data is being gathered and how it is being used.

The answer is almost everything, with commercial operators like Experian pulling in data from sources ranging from credit card applications to social media services, although store loyalty cards remain the richest information source.

As the Australian Tax Office spokesperson pointed out, none of this is particularly new as they have been collecting bank deposit data since the Federal government introduced income taxes in the 1930s.

The arrival of computers in the 1960s changed the scale and scope of tax offices’ abilities to track citizens’ finances and gave rise to the major commercial credit bureaus.

With the explosion of personal electronics and internet connected devices in recent years along with increased surveillance powers being granted to government and private agencies, that monitoring is only going to grow.

The best citizens can expect is to have their data protected and respected with financial providers only using what is ethical and relevant in determining our access to banking and insurance products.

Politically, the only way to ensure that is to make it clear through the ballot box; the question is, do we care enough?

Jan 17 2017
Is Yahoo! recovering under new CEO Marissa Mayer

Slowly it’s dawning on government agencies how serious online data breaches can be. That can only be a good thing.

With a billion account details exposed, the Yahoo! data breach announced last year was the greatest internet security failure to date.

Now Australian government agencies are worried about the scope of the breach and the number of politicians and officeholders whose credentials may have been affected.

Other government officials compromised include those carrying out sensitive roles such as high-ranking AFP officers, AusTrac money laundering analysts, judges and magistrates, political advisors, and even an employee of the Australian Privacy Commissioner.

The ramifications of this breach are far broader than just a few malcontents grabbing the contents of disused Yahoo! mail accounts or being able to hack Flickr profiles; many of the passwords will have been used on other services, compromised profiles are linked to other platforms and the potential for identity fraud is immense.

With social media and cloud computing services coupled to these accounts, it’s quite possible for someone’s entire life to be hijacked thanks to one insecure service, as Wired’s Mat Honan discovered a few years ago.

Just as for individuals and businesses, the ramifications of careless organisations allowing private information to be stolen can be severe for governments. It’s right that Australian agencies are concerned about where this data has gone.

The official response to continued data breaches has been weak at best, so it is good that agencies are suddenly having to face the consequences of the biggest one.

A widespread scare about insecure data may be what’s required to see governments start taking data security and citizen privacy seriously. That may be the positive side of the Yahoo! breach.

Oct 31 2016
Networks and computers connecting to the web

This is the unedited version of an article that appeared two weeks ago in The Australian.

Cybersecurity is becoming an important responsibility for executives and directors. Often shortened to ‘cyber’, it’s easy to dismiss cybersecurity as just the latest IT industry buzzword; however, ensuring information systems are secure is now firmly a management issue.

Information breaches have become embarrassingly common in recent times, with events ranging from Target exposing forty million of its customers’ records in 2013, a breach which cost the company $162 million, through to national security embarrassments like the Snowden revelations.

Exacerbating the risks to businesses is the dependency upon information systems for normal operations, and the damage from denial of service attacks such as the outage across much of the US last weekend can be debilitating and costly. The recent Australian census saga, which cost taxpayers thirty million dollars, is an illustration of how costly poorly planned responses to service interruptions and security breaches can be.

Compounding the risks for Australian executives are the breach disclosure laws tabled in Federal Parliament last week, which threaten 340,000 dollar fines for individuals and 1.7 million dollars for corporations that fail to act quickly on data privacy failures.

In such a high risk environment business leaders need to be proactive, says Leonard Kleinman, the Asia Pacific and Japan Chief Cyber Security Advisor for security software firm RSA: “the legislation is aimed at organisations that I’d call ‘wilfully blind’ or like to employ the concept of ‘plausible deniability’.”

As that period of ‘wilful blindness’ and ‘plausible deniability’ comes to an end, executives and directors have to start taking their responsibilities in protecting data far more seriously. The challenge lies in understanding the risks.

“What a lot of organisations – both private and public – haven’t done well is their ‘Crown Jewels assessment’,” says Glenn Maiden, Principal Security Consultant at Canberra’s Shearwater Solutions. “It has to be contextualised. My crown jewels might be credit card numbers, but that may not be of interest to foreign intelligence agencies.” Then understand where the risks are for those critical data and processes.

In understanding what those ‘crown jewels’ are, it’s important to consider what is valuable within the organisation. While to the marketing team the most valuable information may be customer data, to the COO it may be ensuring continuity of service while to external parties it could be pricing details or legal correspondence.

“The things I’ve suggested in the conversations I’ve had with organisations is simple stuff; review things like your instant response strategies – can you start an investigation quickly,” says RSA’s Kleinman. “It’s probably good to review your contracts. If you have a cloud services provider that experiences a breach, how are they going to go about doing the notification?”

In a world where subcontracting and outsourcing is normal business practice, the risk from third party vendors is real and goes beyond cloud providers. The disastrous Target hack was due to an air conditioning contractor’s compromised system, and Edward Snowden himself wasn’t a direct government employee.

Privacy and security breach notifications are only part of the broader cybersecurity picture though, and the field is becoming more complex. Last weekend’s massive denial of service attack that compromised many US based online services was caused by the Mirai botnet, which exploits vulnerabilities in cheap internet of things devices.

With business processes becoming increasingly connected and automated, management concerns are extending to the security, integrity and reliability of devices being used in their organisation. Even if the business critical sensors being officially purchased are of high quality, everything from smartphones to connected kettles being brought into the staff tearoom could be a potential risk to the corporate network and a business’ reputation.

It would be a mistake, however, to think cybersecurity is purely a technology problem. “Ultimately insider threats are about people,” says Keith Lowry, Senior Vice President of Nuix’s threat intelligence and analysis. “These are all people who used tools or technology to do what they did and they got away with it because others were focused on the technology rather than focused on the people.”

As the business world becomes more dependent upon data and connected systems, the governance of networks and their security is going to be increasingly the responsibility of business leaders.