Aug 072016

I’ve spent the last week in Las Vegas attending the Black Hat and DefCon security conferences. Among much of the discussion about protecting oneself against the misuse of technology, one thing that stood out was the focus on the Internet of Things.

Listening to some of the discussions and speaking to various people, it’s increasingly clear the consensus is the IoT is effectively unsecurable – the range of devices connected to the internet is just too great to be protected.

Compounding the problem are the plethora of poorly designed devices where security is, at best, a vague afterthought along with an older generation of equipment that was never intended to be connected to the public facing internet.

Given many of these devices are going to be critical to business and individual lifestyles, their reliability and quality of the data gathered by them is going to increasingly come into question and the systems that rely upon them are going to need ways to validate the information they receive.

Perhaps this is where machine learning and artificial intelligence are going to be valuable in watching for anomalies in the information and flagging where problems are happening within networks.

As those networks become more essential to society, we’re going to have build more  redundancy and robustness into our systems, the key component though may be trust.

Aug 052016
Computer security is evolving in a time of social media

One of the sad truths of today’s online world is that dissidents, lawyers and journalists are ripe targets for governments that want to suppress who they perceive to be their enemies.

At the Black Hat security conference in Las Vegas today, the Electronic Frontier Foundation’s Eva Galperin and Cooper Quintin gave a demonstration of just what lengths governments will go in hacking their opponents.

In When Governments Attack, Galperin and Quintin illustrated how Syria, Ethiopia and Vietnam are all countries whose hacking campaigns they’ve encountered but the particular focus was on Operational Menul, which resolved around the Kazakhstan regime’s attacks on its opponents.

The government of Nursultan Nazarbayev is well known for its corruption, intolerance and global harassment of its opponents as Quintin and Galperin showed. What’s of particular interest to them is the use of off the shelf malware tools.

Using cheap commodity tools has the advantage of not leaving distinctive patterns that may give investigators hints to who has developed the malware. The downside of course is that most anti-viruses can detect these tools.

For the regimes this is not such a problem as most of their targets are relatively unsophisticated, as most of the activists, lawyers and journalists targeted by government agencies or their contractors do not have high level tech skills or use advanced security tools.

Another concern is how private contractors are employed by these governments. An interesting tactic used by the EFF is to commence legal proceedings against US based corporation for operations they’ve conducted against dissidents visiting or living in the United States.

Galperin and Quintin have three conclusions from examining these attacks.

  • Attacks don’t need to be sophisticated to work
  • None of this research is sexy
  • The tools and actors are not sophisticated

While the tools and actors in these sad tales are not sophisticated, the costs to the targets are usually high as they and their families can be subject to terrible consequences.

As we increasingly see both simple and sophisticated software tools available to be used against citizens we can expect to see more abuses by governments around the world. The job of organisations like the EFF is not going to get easier any time soon.

We citizens though need to do what we can to demand safeguards and legal protections from our governments. Those of us in democracies should be making that clear at the ballot box.

Aug 042016

We’ve heard much about the benefits of fun about drones – remote control aircraft – but what about the security and safety issues of the device. At the Black Hat Security conference today Jeff Melrose of the Yokogawa industrial controls company described the risks posed when bad people use these devices.

With typical consumer drones having a range of up to five kilometers the idea of an attacker needing to be physically close to their target no longers applies. A drone, as Melrose points out, can  can tailgate workers easier than people and even navigate within offices.

Fences are no barrier as Melrose showed with a camera equipped drone being able to fly up to valve within a gas field and then read its meter. The drone doesn’t even need to have to make it back, it could be landed on a roof where it quietly record its surroundings for weeks.

Put more than a camera on a drone, say a wireless packet sniffer or a jamming device and the possibilities for mischief are endless. Melrose illustrated this by starting his presentation with a video of The Killer Drone, a flying chainsaw developed by a pair of Finnish farmers.

Scarier still, was Melrose demonstration of the ‘target tracking’ technology included on the latest consumer drones by chasing one of his research assistants across a lawn. Despite the assistant’s best efforts to escape, the aircraft was able to follow her.

Despite the scary aspects of drone spying, vandalism and harassment the devices aren’t invulnerable. The two Finnish farmers had their drone brought down by a balloon and all the risks – from chainsaws to signal jammers – that drones present they themselves are vulnerable to.

Melrose’s demonstration shows how the physical security world is changing a drones become commonplace. Fences, padlocks and ‘keep out’ signs are not enough to keep today’s generation of technologically savvy trespassers.

Jeff Melrose’s presentation was a thought provoking view of how the threat landscape is changing and that risks evolve with technology.

Paul travelled to Las Vegas as a guest of Nuix

Jun 192016
Computer security is evolving in a time of social media

Following the success of their Hack the Pentagon project, the US Department of Defense is to extend the project across its network.

Run over four weeks earlier this year, the pilot program reportedly generated t138 unique bug reports and paid out $71,200 to hackers.

The company running the pilot, Hacker One, is one of a group of companies organising bounty hunts for the hacking community.

Casey Ellis, the CEO of competing service Bugcrowd, describes his business as being “essential a community of thirty thousand hackers from around the world.”

“The whole idea is to identify where the vulnerabilities are discovered and fixed before the bad guys,” he says. “your guys who you are paying by the hour are plenty smart but they are competing with a crowd of bad guys who think creatively.”

Ellis explained how services like Bugcrowd allow clients like the US Department of Defense to manage the risk and administrative aspects of running a security competition, making it easier for large organisations to run crowdsourced projects like this.

Much has been written about crowdsourcing but it’s commercial fields like security testing where tapping the wisdom of the community really pays off. For some consulting firms, these services could turn out to be real threats.

Apr 252016
businesses based on debt are now going bankrupt

The breach of the Bangladeshi banking network has been shocking on a number of levels, not least for the allegations the institutions were using second hand network equipment with no security precautions.

Fortunately for the Bangladesh financial system the hackers could spell and so only got away with a fraction of what they could have.

Now there are claims the SWIFT international funds transfer system may have been compromised by the breach, which shows the fragility of global networks and how they are only as strong as the weakest link.

As the growth of the internet shows, it’s almost impossible to build a totally secure global communications network. As connected devices, intelligent systems and algorithms become integral parts of our lives, trusting information is going to become even more critical.

The Bangladeshi bank hack was a lucky escape but it is an early warning about securing our networks.

Update: It appears the hackers were successful in getting malware onto the network according to Reuters but, like their main efforts, were somewhat crude and easily detected. One wonders how many sophisticated bad actors have quietly exploited these weaknesses.

Apr 142016

Boards and executives have finally got the message about security John Stewart, Chief Security and Trust Officer at Cisco.

For most of the computer era security has been seen as an inhibiter to innovation and speed to market, but now with most businesses finding they face a three year time frame to transform in face of digital disruption Stewart says corporate managments now see security of their products as being a valued feature.

Stewart bases his view on an online survey, Cybersecurity as a Growth Advantage, where Cisco polled 1,014 senior executives with extensive cybersecurity responsibilities in 10 countries and 11 in-depth interviews with senior executives and cybersecurity experts.

From this, Cisco found a third of businesses now sees security as being a competitive advantage.

Digital disruption drives the shift

Stewart puts this down to boards and senior executives realising how widespread digital disruption is, “it’s highly unlikely Weight Watchers saw the disruption coming from Fitbit,” he muses. “In fact it’s hard to see how anyone could have seen that coming.”

As a consequence of these widespread and often unexpected disruptions, corporate leaders are trying to shore up their existing positions against unforeseen competitors by shifting to digital platforms as quickly as they can.

“We have to do digital and if we are going to do digital we have to have strong cybersecurity controls,” says Stewart in explaining why cybersecurity is an important part of this strategy.

Security as a cornerstone

“By making cybersecurity a cornerstone of their businesses, security-led digital organizations are able to innovate faster and more effectively, because they have significantly greater confidence in the security of their digital capabilities,” Stewart says.

Certainly managers are worried about the risks of going digital with Cisco reporting many businesses have put projects on hold due to concerns about security risks, “a lack of cybersecurity strategy can cripple innovation and slow business, because it can hinder development of digital offerings and business models.”

According to Cisco’s findings, seventy-one percent of executives said that concerns over cybersecurity are impeding innovation in their organizations. Thirty-nine percent of executives stated that they had halted mission-critical initiatives due to cybersecurity issues.

Encouraging moves

While the possibility that corporate leaders are taking cyber security seriously is encouraging, that change is yet to be seen in the marketplace, particularly in the consumer Internet of Things market where being first trumps security, design considerations or even basic safety.

The real test for how important cybersecurity really is remains in the marketplace — will customers pay more for secure products?

One sense that in Cisco’s marketplace of enterprise customers where security failures could have expensive, embarrassing and possibly catastrophic consequences, customers will pay more for trustworthy devices. In the consumer field it may well be different.

Probably the most important finding from Cisco’s survey is that businesses are now understanding security has to be designed into products and processes rather than being bolted on as an after thought. If that is true, then we have come a long way.

Apr 052016

With vendors shutting down connected devices and restricting data feeds, customers demanding open source software and open standards may be essential to safeguard against companies misusing their power over the IoT.

Last night I had dinner with a group of executives from US telco CenturyLink. During the the evening, conversation turned to the use of US and Chinese routers and the risks of government mandated backdoors in both countries’ equipment.

My thought during that conversation is concerns about software backdoors are a compelling argument for these devices to run open source software, making it harder – although not impossible – for hidden nasties harder to be built into systems.

Google Nest becomes evil

Overnight that argument for open source became stronger in my mind with the news Google Nest were to shut down the Revolv home automation hubs the company bought two years ago.

Google aren’t just stopping support for these devices, they are going to render them useless to their owners. It’s a remarkable move that undermines any confidence customers can have in Google’s hardware offerings.

While Revolv isn’t the first and will be far from the last Internet of Things device to be abandoned by its vendor, its fate indicates the importance of keeping as much of the ecosystem as open as possible – the less vendor lock there is, the less hostage you are to rapacious manufactures.

Locked out of the subscription economy

As we’ve seen with Amazon in the past, the ‘subscription economy opens users to the risk they can be locked out of their data or purchased apps. Now we’re seeing how vendors can lock users out of the products entirely.

With connected cars and homes now becoming common, this is something that should concern buyers. As we see everything from door locks to smoke detectors and kettles being connected to the Internet of Things, the risk of being at the mercy of an unreasonable vendor or malfunctioning software becomes greater.

At least with an open source model, it’s easier to build workarounds when faced with an uncooperative supplier and, in a world full of poorly designed IoT products, it’s possible for the community to review the software and understand its bugs.

The security aspect of open platforms is also critical for the IoT as we’re already seeing a plethora of unpatched devices where vendors have long lost interest in supporting the older products.

Open interoperation

More importantly, open platforms make it easier for devices to work together, something that is critical in connected buildings or industries. At the moment the IoT is a mish mash of competing standards and formats.

Over time it won’t be surprising to see the market demanding more open source applications and data feeds – indeed we’re seeing this happen with artificial intelligence platforms – the proprietary model brings in too many risks and makes the IoT far more complex.

While open source software won’t solve problems such as APIs and data feeds being closed or changed, it does give more power back to users and communities. It’s not hard to understand why vendors though would resist these moves.