Category: security

Microsoft’s China crisis

Microsoft’s Chinese partner is blocking Skype messages and possibly passing user details onto PRC authorities. This security concern could damage both Microsoft and Skype.

That the Chinese Public Security Bureau is blocking your messages – and may even be reading them – would make anyone pause before they used a service.

Bloomberg Businessweek reports Microsoft Skype is doing exactly this with its Chinese customers. Anything deemed inappropriate is censored and referred to servers belonging to TOM Online, the company that runs the Skype service on behalf on Microsoft in China.

The Bloomberg story goes onto detail how one Canadian researcher is reverse engineering the Chinese blacklists, giving us a wonderful insight into the petty and touchy minds of China’s censors and political leaders.

What raises eyebrows about this story is how nonchalant Microsoft is about this issue, in a wonderful piece of corporate speak the software giant answered Bloomberg’s question with the following bland statement;

“Skype’s mission is to break down barriers to communications and enable conversations worldwide,” the statement said. “Skype is committed to continued improvement of end user transparency wherever our software is used.”

Microsoft’s statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.”

Microsoft have to fix this problem quickly, glibly saying the Chinese government eavesdropping on conversations is a matter for partners is not going to be accepted by most customers.

It would be a shame should Microsoft’s Skype investment fail – Skype is a very good fit for Microsoft, particularly when the technology is coupled with the Linc corporate messaging platform, so squandering goodwill over protecting users’ conversation seems counterproductive.

One of the great business issues of this decade is the battle to protect users’ privacy. Those who don’t do this, or don’t understand the imperatives of doing so, are going to lose the trust of the marketplace.

Twenty years ago, Microsoft could have risked this. Today they can’t as they struggle with a poor response to their Windows 8 operating system and their mobile phone product.

Losing the trust of their customers may be the final straw.

Similar posts:

Would you know if you’ve been hacked?

With 200,000 new malware threats each day, keeping ahead of the online bad guys is impossible. We need to be smarter.

“I report to head office in Moscow” is a line which either means you’re in a James Bond movie or at a lunch briefing with the Russian security company Kaspersky.

While the James Bond movie would be fun, the Kaspersky lunch was an interesting briefing on their new security product.

A notable aspect of the discussion was the explosion in malware – there are over a hundred million malicious programs circulating on the internet with over 200,000 new threats every day.

“We struggle to keep up,” says Kaspersky Lab ANZ Managing Director, Andrew Mamonitis.

That a security company with 2,700 specialists struggles to keep up with the evolving threats emphasises the scale of the task facing a network administrators and IT managers.

It’s a task beyond all but the biggest companies.

Sometime ago I suggested every computer user should assume their computers are compromised and managers should work work on limiting what intruders can do to system.

With staff bringing their own devices to work, those risks are multiplied as some devices will almost certainly be infected with malware.

There are some basic things that computer users should do to make their systems harder to break however it’s almost impossible to protect against a zero-day exploit or the efforts of a sophisticated and determined hacker.

With our homes and motor cars, we realise it’s almost impossible to keep determined thieves out, so we take precautions like alarms, immobilisers and basic security such as keeping valuables out of plain view.

That attitude is what we now need with our computer technology, any hope of keeping your office server impregnable from outside attack is long gone.

Similar posts:

Sharks patrol these waters

You can’t expect an anti-virus program to fully protect IT systems, the risks are far more pervasive.

The announcement that the New York Times was attacked by Chinese hackers after exposing the financial details of the nation’s Premier doesn’t come as much of a surprise to anybody following either China or computer security issues.

One of the realities of modern computing is that systems are constantly being compromised, the complexity of IT networks is so great that even the best security experts can be caught off guard.

Securing our networks

In such an environment the normal business and home computer user has little chance against sophisticated criminal or government sponsored attacks, by the Chinese or any other spy agency.

One example of how badly wrong things can go for an organisation is the hacking of security advisory firm Stratfor in 2011, this illustrated how small business practices of having relatively open networks and poor password security can have serious consequences.

The issue is not how we fortify our systems against intruders, but how we manage the risk. A useful analogy is how supermarkets deal with shoplifters – they can’t eliminate the problem, but they can manage it in ways that control losses.

Businesses, governments and home users have a range of things they can do to make it harder for hackers to get into a system and limit what they can access if determined one gets in.

The limits of anti-virus

Another aspect in the story that doesn’t surprise is the poor performance of the New York Times’ anti-virus software. According to Forbes, Symantec only caught one malware program out of the 45 installed by the hackers.

I have an entirely rational hatred of Symantec. While running an IT support business, their products were the bane of our lives and we encouraged users to choose alternative security software because of the unreliability of many of Symantec products, particularly the once proud Norton brand that was aimed at home and small business users.

At the time of the great malware epidemic in the early 2000s, Norton Anti-Virus had a huge market share and it proved to be worse than useless against the various forms of drive by downloads and infected sites that were exploiting weaknesses in Microsoft Windows 98 and XP systems.

Windows weaknesses

The common culprit was Windows ActiveX scripting language that Microsoft had introduced to standardise its web features. While a good idea, Microsoft made ActiveX a fundamental part of Windows and gave the features full access into the inner workings of the system.

Sadly Symantec made the decision to run all their security software on ActiveX as well.

As ActiveX was the main target for malware writers it meant that Norton AntiVirus or their Security suite would crash in a heap once a computer became infected and the Symantec software would actively interfere with attempts to cleanup a compromised system.

Making matters worse was Symantec’s subscription policies which cut customers off from vital updates and their bizarre policy of not including important upgrades in their automated updating function.

The failures of tech journalism

All of these factors made Symantec a loathed product in our office. It wasn’t helped by a generation of tech journalists who wrote gushing stories about Symantec, gave their products favourable reviews despite the company’s lousy reputation and consulted their employees for expert comment.

It wasn’t tech journalism’s finest hour. What really grates is the number of these folk still peddling nonsense about IT security and anti-virus software.

That distrust of Symantec continues to this day and those of us who struggled with their products a decade ago are not surprised at their poor performance on the New York Times’ network.

State sponsored risks

In defense of Symantec, the Chinese hackers are very good and its unlikely any security software would stand up to a sustained and determined attack from them or their counterparts in the US and Israeli governments.

We should also note that government agencies trying to get into systems is not just something done by the Chinese, US and Israelis; every government in the world is engaging in these activities against foreign businesses and their own citizens.

So we have to accept that these breaches and attacks are a real threat to any computer and any organisation. It may well be should build our security strategies around the assumption the bad guys are already in the system rather than believe we can build a giant electronic fort to keep the bad guys out.

One thing is for sure, you can’t rely solely on anti-virus software to secure your IT systems.

Similar posts:

702 ABC Mornings – Hacking 102

This month’s 702 Sydney tech spot looks at how security is evolving

A number of callers asked about protecting their Facebook pages and information from hackers and spammers. Details are on the Netsmarts webpage

On 702 Sydney Mornings with Linda Mottram, we’re revisiting security and how it affects businesses and consumers after some stories of serious security breaches in everything from shops to pacemakers.

We’re looking at some pretty important issues, including how four million hotel locks are open to hackers and thieves.

Even more scary is the risk that pacemakers can be hacked. This story is a cautionary tale on good intentions being bought undone by bad security practices.

For businesses, the risk of having customers’ credit card details hacked is a serious issue. Two years ago the US fast food chain Subway had a major breach when criminals managed to break into franchisees’ Point Of Sales systems.

Recently the Australian Federal Police broke up a similar crime gang operating out of Romania.

A misconception about computer security is that all hackers are evil. The reality is most aren’t and a good example of this is Random Hacks of Kindness where geeks get together to find ways of using tech to improve society. We’ll look at last weekend’s Melbourne event.

Join us on 702 Sydney from shortly after 9.30am. We’d like to hear your views, comments or questions so call in on 1300 222 702 or SMS on 0467 922 702 or tweet with @702Sydney in the message.

Similar posts:

Ending the era of the computer password

Has the humble computer password reached the end of the line?

Earlier this year, Wired Magazine writer Mat Honan had his entire digital identity stolen from him when hackers cracked his email password and then systemically took over all of his cloud and social media accounts.

Matt writes of his experience on Wired and proposes it’s time to kill the password.

The problem with Mat’s proposal is that he doesn’t suggest an alternative.

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.

Every alternative authentication method to passwords has flaws just as serious, if not worse. Many are plainly impractical.

All of them, including passwords, have the common weakness that those holding the information can’t be trusted either – one of the greatest ways for passwords to get into the wild is when incompetents like Sony give them away.

Security is evolving, in the meantime we need to keep in mind some basic rules.

  • Use different passwords for different accounts
  • Only access accounts from trusted and up-to-date computers
  • Create strong passwords for accounts that matter, like online banking and email
  • Strong passwords are multiword phrases
  • Use two-factor authentication if its available
  • Don’t link unnecessary social media and cloud accounts together
  • Be very careful

We should also remember that a skilled, motivated hacker will probably break into your account regardless of your computer security. In this respect it’s no different to the physical world where a determined criminal will get you regardless of the locks and alarms on your house.

It’s also important to remember that security is more than just evil hackers; data can be damaged or given away by a whole range of means and people breaking into systems is only one risk of many.

Computer security is an evolving field and while it might be premature to declare the password dead, we’re going to see big changes as we try to lock down our valuable digital assets.

Similar posts:

Unprotected computing practices

The news that many medical computing systems are infected with malware doesn’t suprise those working in the field

A US study finding malware is rampant on medical equipment shouldn’t come as a surprise to those running industrial computer systems in their businesses.

It’s notoriously difficult to update medical equipment or other sensitive systems as a security patch could have unintended consequences. Unlike a home or business computer, these patches have to be thoroughly tested beyond the precautions vendors take.

So it isn’t surprising that these systems aren’t kept up to date although some equipment suppliers are more tardy than they should be in updating the servers they supply.

A few years ago I came across CCTV systems running on the original version of Windows 2000 which were hopelessly compromised. This is an unacceptable situation for the customer and was more the result of vendor carelessness than any concern that customers could be affected by these unsecured machines.

Not having the latest software patches creates a weakness in any computer device as most common way viruses find their way onto networks is through systems not being updated – Australia’s Defense Signals Directorate rates unpatched systems as being the number one cause of corporate security breaches.

This is what caught out the Iranian nuclear program with the Stuxnet worm as the Siemens SCADA devices used by the Iranians were running older, unpatched versions of Windows. The designers of Stuxnet took advantage of a number of known weaknesses in the software and were able to damage the equipment being controlled by the systems.

Obviously systems should be patched wherever they can be and there’s no excuse for not patching most office and home computers. It’s also worthwhile carrying out a number of other security steps to ensure an infected computer can’t damage your network or catch a virus through your Internet connection.

The survey looking at these medical systems is a good wake up call to all of us that we need to take computer security seriously in our businesses.

Similar posts:

Posting without permissions

Facebook’s groups feature can be dangerous if you don’t check before adding people.

A client of mine once had a angry worker scream at him when she found out he’d posted photographs of all his staff on the company’s website.

“My ex is a psycho, he doesn’t know where I live or work. If he finds this, he might come around here and kill us all,” she cried.

The photos went down immediately and Kevin made sure he got explicit consent before he posted any details of his staff onto the website.

It was a valuable lesson on why you shouldn’t just post people’s details online without first asking them. We all have reasons why we’d like to keep certain facts out of the public light.

A Texan gay choir’s organiser posting the details of members onto Facebook is another reminder of why it’s a bad idea to put someone else’s details online without asking them first.

For two members of the Queer Chorus at the University of Texas, having their sexual orientation pasted on their Facebook feeds caused terrible damage with their families and it should serve as lesson to every manager, business owner or community group leader that this stuff matters.

One of the worrying features with Facebook is how other people can add you to groups without your permission – almost certainly a recipe for misunderstanding and mischief.

What’s even more unforgivable with Facebook’s conduct is the privacy settings for those groups overrides an individual’s own privacy settings.

As one of the victims said in the Wall Street Journal of when his father saw the status update, “I have him hidden from my updates, but he saw this,” she said. “He saw it.”

So even though both the individuals had chosen to lock their profiles away from public view, Facebook and the organiser of the group decided they knew better.

We shouldn’t let the administrator of the Facebook off the hook on this lapse, Christopher Acosta decided to make the group open and public. “I was so gung-ho about the chorus being unashamedly loud and proud,” he’s quoted as saying.

That’s nice when you have a tolerant family and you’re from a liberal community but for others that ‘transparency’ can lead to damaging family relations for years, if not lifetimes. In some communities the consequences could be far worse.

“I do take some responsibility,” says Mr Acosta. Which is a nice way of accepting you might have screwed somebody’s life up by doing something you didn’t understand.

Ultimately responsibility lies with the person who presses the button which causes the email or status post to be published. In this case Christopher Acosta was responsible.

To be fair to Mr Acosta, the ability to add people to Facebook groups without their permission is a deeply flawed as are those groups’ setting overriding an individual’s privacy preferences.

Facebook have to understand there are real life consequences to ‘transparency’ which can ruin careers and even cost the lives of people. The damage to families and communities can be immense.

Coming from a secure upper middle class white background, Mark Zuckerberg probably doesn’t quite understand the risks his company’s policies pose to people in vulnerable situations, hopefully some of his older and wiser advisers will explain why ‘transparency’ and ‘openness’ are not always a good idea.

Similar posts: