Security by obscurity’s false promise

Suppressing public knowledge of security flaws is not the way to fix a software problem.

Yesterday’s post looked at how security needs to be a fundamental part of connected systems like cars and home automation; today an article in The Guardian shows how auto manufacturers are struggling with the challenge of making their products secure.

In the UK, Volkswagen has obtained an injunction restraining a University of Birmingham researcher from divulging security weaknesses in Porsche, Bentley, Lamborghini and Audi cars.

It is a mark of desperation when a company has to go to court to suppress the details of a software security flaw. It almost guarantees that the bad guys will have the virtual keys while the general public remains ignorant.

Over time it backfires on the company as customers realise their products aren’t secure or safe.

The real problem for Volkswagen is a poor implementation of their security systems. It was inevitable that a master code would leak out of repair shops and dealerships.

While the law is a useful tool, it isn’t the best way to fix software security problems.

Our hackable lives – why IT security matters.

Now our cars, homes and security systems are hackable we have to start taking IT security seriously.

Two stories this week illustrate the security risks of having a connected lifestyle. Forbes magazine tells in separate pieces how modern car systems can be overridden and how smart homes can be hacked.

Smart home system security is a particular interest of mine; for a while I was involved in a home automation business, but I found the industry’s cavalier attitude towards keeping clients’ systems secure was unacceptable.

The real concern with all of these stories is how designers and suppliers aren’t taking security seriously. In trading customer safety for convenience, they create serious safety risks for those using these systems. It’s as if nothing has been learned from the Stuxnet worm.

A decade ago, a joke went around about what if General Motors made cars like Microsoft designed Windows. Like all good stories, it had a lot of truth to it. Basically, the software industry doesn’t do security particularly well; there are developers and vendors who treat security as a basic foundation for their work, but they are the exception rather than the rule.

That may well be a generational thing as today’s young developers and future managers are more aware of the risks of substandard security in the age of the internet.

Rather than seeing security as something that is bolted on to a product when problems arise, this generation of coders are having to treat security as one of the fundamental foundations of a new system.

What is clear, though, is that the builders of critical systems are going to have to take security far more seriously as embedded computers connected to the internet of machines become commonplace in our lives.

Blocking the bad guys – listeners’ questions from ABC Nightlife

Answers to listeners questions on Tony Delroy’s ABC Nightlife tech spot.

Last night’s ABC Nightlife looked at how email is evolving but most of our callers were concerned with configuring their email, anti-virus programs and blocking adverts on the web.

The audio of the program is available through the ABC website.

As usual, it’s tough to answer all the questions on live radio, so here are the ones from listeners that Tony and I said we’d get back to.

Ad blockers

Website owners are desperately trying to find ways to make money from their sites. Unfortunately it’s proving difficult, so we’re seeing increasingly intrusive ads trying to distract us while we surf the web.

A number of Tony’s callers asked about ad-blocking programs to get rid of these irritating ads, and there are a few paid and free solutions available for computer users.

The most popular solution is Adblock, a plug-in available for Firefox, Chrome, Opera and Android. The developers have a handy video guide to installing and configuring their product.

For Internet Explorer users, Simple Adblock is a plug-in that should work with their browser.

Be aware that ad-blocking programs may change the layout of the sites you visit, so be prepared for some strange-looking pages.

Also keep in mind that website owners are desperately trying to find ways to pay the bills, so you won’t stop the more cunning ads or sponsored content that pretends to be real news. You might also put a few online media sites out of business.

Anti-Virus programs

One common question from Nightlife listeners is which anti-virus program they should use.

Probably the simplest for Windows users is Microsoft Security Essentials or the free AVG Anti-Virus. For OS X users, ClamAV and Sophos’ Free Anti-Virus for Mac will do the job.

If you have Norton or McAfee anti-virus programs on your Windows PC, then getting rid of the software is not straightforward. After uninstalling the software, you’ll have to run their removal tools, which are available from the Symantec (Norton) or McAfee websites. Read the instructions carefully.

Switching to Hotmail

A curious thing about Microsoft is how they like to irritate loyal customers with interface changes that leave everyone confused. Hotmail users are among the latest victims after the company migrated them to the Outlook.com platform.

Deborah called in to ask how she could switch back to Hotmail from Outlook.com; sadly the official line from Microsoft is “you can’t”. It appears that all of the workarounds to get Hotmail back have also been closed down and the old service is no more.

For Deborah, the choice is to either get used to Outlook.com or investigate other online mail services like Gmail or Yahoo!.

The next ABC Nightlife will be on in around five weeks. Hope you can join us then.

Are executives out of touch with IT trends?

Two business briefings raise a worrying question about the technical literacy of business executives.

Yesterday was media briefing day with a number of vendor events, including a very nice lunch with IBM, on the state of the technology industry.

One thing that was particularly striking about IBM’s Truth Behind The Trends survey was just how out of touch many of the executives quoted in the report seem to be, with responses on topics like malware and Bring Your Own Device firmly behind the curve.

This was borne out at the earlier media roundtable with online security company Websense where they described some of the challenges facing Chief Information Officers in making company boards and senior managers aware of technology security risks.

What surprised most of the journalists in the earlier briefing was just how clueless many of the executives seem to be about online business risks. Those who went along to the following IBM briefing realised why: managers genuinely don’t understand how the internet and business technology are evolving.

That should worry investors, as markets are changing rapidly and managers who don’t recognise, let alone understand, the shifts happening are jeopardising their businesses’ futures.

Why exactly business leaders are so out of touch is something we will look at tomorrow, when we examine the background of Australia’s CEOs.

Exploiting the weak points

The Great ATM Heist illustrates weaknesses in outsourcing business processes

The Great ATM Heist, where a crime gang subverted the credit card system, could well be the digital equivalent of the Great Train Robbery of the 1960s.

While the logistics of the operation are impressive, with hundreds of accomplices across twenty countries, the real moral of the story comes from how the gang targeted outsourced credit card processing companies to adjust cash limits.

Again we see the risks of throwing your problems over the fence: a system is only as reliable or secure as its weakest link and, regardless of how tight commercial contracts are, outsourced services can’t be treated as someone else’s concern.

No doubt banks around the world will be having a close look at their systems and how they can trust other organisations’ outsourced operations.

Securing the security system

The hacking of a Google building management system shows how important it is to take security seriously.

How vulnerable building management systems can be hit me a decade ago, when I was working at an expensive Sydney harbourfront home.

The householder – a rich banker – had spent millions on physical security to insulate his family from the outside world. Yet anybody could dial in and monitor what was happening in the house through the building’s CCTV and management systems.

Not only were the building’s CCTV and management systems open to the net, but the system’s server ran on an antiquated and unsecured version of Windows 2000 that shared the home network with a couple of enthusiastically downloading teenagers.

It was a matter of time, perhaps hours, before the system was compromised by a worm or virus. The security implications were enormous.

Even the banker’s business was vulnerable, as a targeted hack into the home would allow people to monitor traffic on the network and intercept work-related messages.

What was really shocking however was how the system vendor and integrator who’d installed it simply didn’t care about the client’s security problems.

So the news that the BMS of one of Google’s Sydney offices is exposed to the net shouldn’t be a surprise. Building Management Systems, as we saw with the rich banker’s house, are notorious for their poor security.

For Google this security breach is embarrassing, although the responsibility for this flaw lies firmly with the building owner, who should have made sure their systems were locked down and properly secured. You can’t throw this problem over the fence.

One wonders just how widespread these problems are with other industrial systems like SCADA devices and other remotely operated equipment.

Internet-connected systems have been around now for twenty years; there are no longer any excuses for not taking these issues seriously.

Image courtesy of Tacluda through RGBStock

Lessons from the Associated Press Twitter hack

The effects of a fake update from a hijacked Twitter account are a timely warning about the risks of online security and social media.

Today’s hack of the Associated Press Twitter account that sent out a fake report about the White House being attacked raises a number of issues about how business and the media industry use social media.

Attracting most of the attention is the stock market ‘flash crash’ triggered by the fake report where automated programs responded to unexpected selling on the exchanges.

This in itself is an example of a risky over-reliance on technology by well-paid people who should know better. There are a number of other risks that everybody, particularly business people, should learn from the Associated Press hijack.

Twitter as a news channel

Without any verification, people started selling stocks based on a report spread through Twitter. This is understandable as Twitter has become the modern news ticker tape.

Also understandable is how news organisations could pick it up; most newsrooms are under-resourced and journalists are under pressure to break news. This opens opportunities for misinformation to spread.

The real risk with the fake report would have come if it had been picked up by a mainstream media outlet or found its way onto the wire services. Fortunately, this time it didn’t.

One clear lesson from this is that social media postings are not a source of truth; they have to be checked and verified. This is something advocates for using social media as a disaster management tool need to keep in mind.

Think before you tweet

During the search for the Boston bombers, social media users went feral, showing how quickly false information can spread.

Those of us using Twitter, or any other social media channel, have to be careful about what we post and who we identify, as lives can be damaged and misinformation spread.

Thinking before we tweet or post makes it harder for rumours and misinformation to spread.

Introduce strong social media policies

Almost certainly the Associated Press Twitter account was hijacked because the single person in charge of the @AP account clicked on a spam link and gave away the account’s password.

Social media sites don’t do a good job with their security which makes it difficult for businesses to monitor and control access to accounts.

While the services have to tighten their acts, companies need to be sure that they have security procedures in place and the right people maintaining their business accounts.

Hire the right people

Competing wire service Reuters discovered the importance of having the right person running its social media presence when it fired its deputy social media editor for inappropriate tweets during the Boston Bombing scare.

Putting the intern or the youngest person in the office in charge of social media is a beginner’s mistake; a more serious error is to put a loose cannon in charge of the company’s online presence.

Given the potential business risks involved with social media, it’s necessary to put someone trusted and responsible in charge of what appears under the company’s name.

At the very least management has to do proper due diligence on the person they put in charge of their social media accounts.

Securing your business

Associated Press’ problem is typical of many businesses that don’t have tight security policies. The UK Department for Business, Innovation and Skills recently released a report finding that over 85% of British businesses had some sort of security breach in the previous year.

Given the risks posed by poor computer security, managers have to take the integrity of their systems seriously.

Those who were caught out by Associated Press’ hijacked Twitter stream learned important lessons about computer security, online trust and verifying information. All of us should be aware we can be caught out in the same way.
