Paul Wallbank – Brilliant Communications

Category: security

  • Burning user trust

    Burning user trust

    The Guardian today has a stunning expose on the Whisper social media network and its practice of tracking users.

    In trying to sell its services to the Guardian, the company showed that it was betraying their promises of anonymity to its users.

    Whisper’s behaviour is particularly disgraceful given the service’s promise of user confidentiality and their changing of their terms of service only shows the company’s struggle to understand ethics.

    No social media service can afford to burn user trust in the way Whisper has.

    If you’re going to promise users anonymity and security then you better deliver. Whisper has failed

     

    Similar posts:

    • No Related Posts
  • Apple’s security challenge

    Apple’s security challenge

    This week’s news about celebrities’ personal photos being stolen from their iCloud accounts would be irritating Apple ahead of their September 9 media event.

    Unfortunately for Apple they seemed to have walked into this by making things convenient for users rather than enforcing strong security measures.

    As Arik Hesseldahl in Re/Code describes, this breach was probably due to Apple not encouraging two factor authentication and not limiting the number of password guesses.

    The latter is particularly irritating as it shouldn’t be hard for a system to pick when a brute force attack — a computer guessing a password millions of times a second — is being staged against a user.

    It’s also trivial to limit the number of guesses as most other services do.

    For users, the best protection is to have complex passwords which reduces the effectiveness of brute force attacks. It’s also worthwhile being careful with your personal nudie photos.

    The consequences of having your iCloud account compromised are more than just losing your embarrassing photos, Wired’s Mat Honan had his entire digital life hijacked through this method two years ago.

    With Apple aspiring to control the smarthome and smartcar markets, the consequences of accounts being breached becomes exponentially greater. These are issues Apple and the rest of the internet of things industry need to take seriously.

    Hopefully at Apple’s big media event next week, some brave journalist will stand out of the assembled masses of sycophant hacks and ask CEO Tim Cook some hard questions about security on the shiny new iDevices.

    Similar posts:

    • No Related Posts
  • The messy business of metadata

    The messy business of metadata

    “We kill people based on metadata,” former US National Security Agency director Michael Hayden told a panel at John Hopkins University last year.

    That statement brings sharply into focus the current Australian debate about Telcos being mandated to retain metadata. This information is powerful and can be used in ways not expected by the community.

    How metadata is used depends upon how it is defined; one of the worrying parts of the Australian debate is just how nebulous the definition of ‘metadata’ is.

    Defining metadata

    The basic definition of metadata is that it is ‘data about data’, every packet of data that’s transmitted across the internet is wrapped in information to help the network deliver it to its intended location in a useful form.

    Strictly speaking this is where the glib ‘address on the envelope’ line so beloved by clueless politicians promoting data retention comes in; this information is useful but not private as anyone can see it.

    That view underlies the defining metadata case, the 1979 US Supreme Court’s Smith v Maryland case, that held telephone numbers are not private information as they’ve been disclosed to the phone company.

    Metadata everywhere

    With the rise of digital technologies, metadata became much more than just phone numbers and addresses; digital cameras encode photographs with EXIF information that includes details of the date, time camera, shutter speed, focal length and increasingly the location where the photo was taken.

    The smartphone you might take that photo with is logging into base stations which telcos are tracking, this is one of the applications law enforcement agencies regularly use to catch criminals, and increasingly near field communications like BlueTooth are being logged by everything from toll gates to bus shelters to track phone usage.

    Every email sent has dozens of lines of metadata describing the servers, routing and software used in sending it. Only a tiny fraction of a Twitter message is the 140 character content, the rest is metadata.

    This site has hundreds of lines of metadata to tell your browser how to display it and your browser itself is storing dozens of cookies that tell other sites where you’ve been – all of this is metadata.

    When we add the Internet of Things to the metadata debate things get even more complex. As home devices, smartcars and wearable technology generating packets of data, it becomes far easier for governments and private enterprise to stitch together a complete picture of an individual even without looking at the actual content of the packets.

    The risks for service providers

    As Australian ISP iiNet raised in an excellent submission to the Senate committee on data retention, collecting all of this data creates costs and risks for service providers as they have to store, manage and protect massive amounts of data.

    Most of that data will never be looked at, but agencies want the information stored because they can. The bizarre thing is that under Australian law, specifically section 313 of the Telecommunications Act, is that a public servant – not just a a law enforcement officer – only has to ask for the information.

    For most people the dangers of government surveillance are remote however all of this information is also available to private organisations ranging from health insurers to credit checking bureaus; the real debate is just how much data do we want others to have on our private lives.

    At present we’ve defined metadata too broadly and private information too narrowly.

    What’s notable in every discussion about increasing government or police powers is the mantra of getting the laws to catch up with technology.

    In the case of metadata it may well be the definition of individual rights has to catch up with modern technology, not the powers of government.

    Similar posts:

  • Hacks on a plane

    Hacks on a plane

    One of the great concerns about the internet of things is what happens when older computer technology that was never designed to be connected to the net is exposed to the online world.

    A presentation to the Black Hat Conference in Las Vegas this Thursday by researcher Ruben Santamarta promises to show some of the vulnerabilities in aircraft avionic systems.

    Today’s aircraft are extremely smart devices with the downsides shown in the tragedy of AF447 where an Air France jet plunged into the Atlantic Ocean when two undertrained pilots didn’t understand what their plane was doing as it encountered severe ice conditions in a storm.

    With aircrew increasingly dependent upon computers to help them fly planes, the risks of bugs or security weaknesses in aircraft systems is a serious issue and with the continued mystery of MH370’s fate adds an element of speculation that a glitch of some form was responsible for its disappearance.

    It wouldn’t be the first time a passenger plane came to grief because of a computer error; most notably Air New Zealand flight 901 crashed into Antarctica’s Mount Erebus during a 1979 sightseeing trip due to wrong information being loaded into the navigation system.

    The internet adds numerous risk factors to aircraft – Santamarta’s hack allegedly works through in plane WiFi systems – particularly given these avionics systems haven’t been designed to deal with unauthorised access into their networks.

    Should Santamarta’s demonstration prove feasible, it will be an important warning to the aviation industry and the broader Internet of Things community that security is a pressing issue in a world where critical equipment is connected.

    Similar posts:

    • No Related Posts
  • The internet of insecure things becomes a problem

    The internet of insecure things becomes a problem

    Following yesterday’s posts on BlackBerry, security and the Internet of Things, HP Fortify released a report saying seventy percent of IoT devices are vulnerable to hackers.

    The list of weaknesses is chilling and illustrates why IoT security is an issue that has to be resolved now.

    It may well be that John Chen, BlackBerry’s CEO, has backed the right horse for his company.

    Similar posts:

    • No Related Posts