Category: security

  • On the internet, the Feds know what breed of dog you are

    The arrest of alleged Silk Road founder Ross Ulbricht – also known as the Dread Pirate Roberts – has attracted plenty of media attention.

    What’s particularly notable is that the FBI claims Ulbricht made a basic mistake: posting to a website under his real name, which gave his identity away.

    If true, Ulbricht’s trivial mistake illustrates how easy it is for any determined investigator to find someone’s identity online from the trillion points of data we all create in the connected world.

    Anyone who wants to be truly anonymous on the web has to work extremely hard to protect their identity. Most of us aren’t prepared to trade convenience for security, particularly given the massive effort required.

    Even if we could protect our online habits, the use of credit cards, loyalty plans and even driving our cars still make it almost impossible to escape the watch of a determined investigator.

    In the early days of the web, it was said “on the internet, no-one knows you’re a dog.” Today the feds can figure out not only what breed of dog you are, but what your name is and your favourite brand of dog food.

    The modern panopticon we live in is a very efficient machine and it’s difficult to hide from society’s gaze. It’s why we need to rethink privacy and information security.

    Image of Presidio Modelo by Friman through Wikimedia.

  • A trillion points of data

    Last night, current affairs program Four Corners had a look at the risks to families in the age of Big Data.

    Earlier in the day I had the opportunity to speak on ABC 702 Sydney with the program’s reporter, Geoff Thompson, to discuss some of the issues and take listeners’ calls about Big Data and security.

    What stood out from the audience’s comments is how most people don’t understand the extent of how data is being shared. The frightening thing is the Four Corners program itself understated the extent of how information is being distributed around the internet.

    Looking beyond social media

    Social media sites like Facebook are an obvious and legitimate area of concern, with most people not understanding the ramifications of the terms and conditions of these services. However, Big Data is far more than what you share on LinkedIn or Instagram.

    A major point of the program was how the New South Wales police force’s Automatic Number Plate Recognition (ANPR) equipment stores photographs of car license plates.

    One of the applications of ANPR shown during the program was how an officer can be warned that a vehicle is owned by someone potentially dangerous or was used in a suspicious situation, allowing them to be more cautious if they decide to pull a car over. Probably the greatest application is getting unregistered, uninsured or unlicensed drivers off the road.

    Those sorts of uses are the positive side of Big Data and its role in reducing the road toll. The example also illustrates how data points are coming together with the internet of machines, as traffic lights, road signs and cars themselves communicate with each other and with those police databases.

    When that information is put together there’s a lot of valuable intelligence, and that’s why people are concerned that the NSW Police are storing millions of apparently useless images of car number plates with the time and location of the photographs.

    These technologies aren’t just being used in shopping centres; instore mobile phone tracking combined with the same numberplate recognition the police use watching who is entering the carparks makes it possible to predict buying patterns and target offers to shoppers.

    Couple that information with store loyalty cards, add in rapidly developing facial recognition, and retailers have a very powerful way of monitoring how their customers behave.

    “What instore analytics does is it takes the same kind of capabilities that e-commerce sites have had for more than a decade and apply them to brick and mortar stores,” says Retail Next’s Tim Callen. Using the store’s CCTV system the company applies facial recognition software to track shoppers’ behaviour.

    Securing the data feeds

    The immediate concern is the security of this data. We’ve covered the hackable baby monitor, and the Four Corners program examined Troy Hunt’s exposure of security flaws in Westfield Shopping Centres’ Find My Car App. Similar security concerns surround government databases like the NSW Police’s numberplate store.

    As we’ve seen with the repeated data breaches of 2011, the management of big and small organisations like Sony or Stratfor don’t take security seriously. It’s hard to recall any senior public servant being held accountable for a security breach by their department.

    A billion points of data

    On their own, each of these data points means little, but for a motivated marketer, tenacious police officer or determined stalker, combining those separate information sources can pull together an accurate picture of a person’s private information, habits and beliefs.

    Almost all the collectors of this data claim this information is anonymised or isn’t personal information. Unfortunately there’s a mismatch between the definition of private data and reality: number plates and mobile phone MAC addresses are not considered private, yet they provide enough insight for an individual to be identified.

    That aspect isn’t understood by most people; the final caller to the ABC Radio spot asked why she should be bothered worrying about privacy – it doesn’t matter.

    As French politician Cardinal Richelieu said in the Seventeenth Century, “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

    Today we each have six million points of data that can hang us; in a decade it could easily be a billion. We need to understand and manage the risks this presents while enjoying the benefits.

  • Security and the hackable baby monitor

    Imagine a baby monitor that can be hacked. That’s the story that Forbes magazine tells about the Foscam baby monitors that can be owned by anybody using the Shodan search engine to find unsecured video devices.

    Like all similar stories, the Foscam monitors’ weaknesses are born out of good intentions; the idea is parents can keep an eye on their children across the internet.

    The problem, as always, is that convenience and ease of use trumped security, with Foscam making it easy for parents by having trivial, if any, security on their devices.

    It’s a lesson that should have been learned a million times, yet manufacturers continue to disregard the risks of poor security on internet connected devices.

    As these internet connected devices become critical to business and public safety, this lack of security won’t be acceptable.

    Slowly, companies like Foscam are being forced to take security seriously — hopefully consumers will accelerate the process by voting with their wallets.

    In the meantime, it might be a good idea to make sure your home or business router has a good firewall before setting up internet connected devices.

  • Whose priorities do IT departments really care about?

    Earlier this week mobile security company Imation showed off their latest range of Ironkey encrypted USB sticks and portable hard drives.

    Accompanying the launch was a presentation from Stollznow Research on how Australian companies are managing data with a comparison against similar surveys carried out in the UK, US, Canada and Germany.

    Of the 207 senior decision makers in Australian medium to large businesses surveyed, there were some interesting results on the attitudes of the nation’s IT departments and CIOs.

    In the field of confidence about the security of their networks, Australian IT managers came out a lot more paranoid than their foreign counterparts with only 38% of Aussies confident their office data is protected from loss or theft against 73% overseas.

    That result is encouraging as the internet and the world of IT security has a habit of severely punishing those with a false sense of security.

    What was particularly notable though with the Imation research was what IT managers considered to be the consequences of a security breach.

    [Figure: consequences of a data breach]

    Around the world, IT managers see the headache of cleaning up the mess and bad media coverage as being the biggest consequences of a data breach. Customers come fourth in priority and even then the only concern is losing clients rather than the effects it could have on those people’s lives.

    One of the tragedies of the continued Sony data breaches in 2011 was the leaking of credit card details. Many of those customers on pre-paid cards were young or low-paid workers who quite possibly lost all the money in their compromised accounts – debit cards don’t have the same protections against fraud as credit cards.

    Even more terrible are the effects on those who become victims of identity fraud as a consequence of a data breach. Letting that sort of information out is a fundamental betrayal of trust by organisations with sloppy security.

    Interestingly, over a third of respondents feared losing their jobs as a result of data being breached. In a perfect world it would be higher, although we don’t live in a period where those accountable take responsibility for their actions.

    What’s more likely in many smaller businesses is that a data breach could cause the entire organisation to fold, something that should worry anyone running a startup or small business.

    It may be true that many CIOs and IT managers aren’t too worried about the business effects of a data breach or system outage, which shows that security – both physical and digital – is the job of everyone in an organisation, not just one department or executive.

  • Security by obscurity’s false promise

    Yesterday’s post looked at how security needs to be a fundamental part of connected systems like cars and home automation. An article in The Guardian shows how auto manufacturers are struggling with the challenge of making their products secure.

    In the UK, Volkswagen has obtained an injunction restraining a University of Birmingham researcher from divulging security weaknesses in Porsche, Bentley, Lamborghini and Audi cars.

    It is a mark of desperation when a company has to go to court to suppress the details of a software security breach; it almost guarantees the bad guys will have the virtual keys while the general public remain ignorant.

    Over time it backfires on the company as customers realise their products aren’t secure or safe.

    The real problem for Volkswagen is a poor implementation of their security systems. It was inevitable that a master code would leak out of repair shops and dealerships.

    While the law is a useful tool, it isn’t the best way to fix software security problems.
