Attack of the killer drones

In the age of drones it’s going to take more than fences to keep out today’s technologically savvy trespassers.

We’ve heard much about the benefits and fun of drones – remote control aircraft – but what about the security and safety issues of the devices? At the Black Hat Security conference today Jeff Melrose of the Yokogawa industrial controls company described the risks posed when bad people use these devices.

With typical consumer drones having a range of up to five kilometers, the idea of an attacker needing to be physically close to their target no longer applies. A drone, as Melrose points out, can tailgate workers more easily than people can and even navigate within offices.

Fences are no barrier, as Melrose showed with a camera equipped drone being able to fly up to a valve within a gas field and then read its meter. The drone doesn’t even need to make it back; it could be landed on a roof where it quietly records its surroundings for weeks.

Put more than a camera on a drone, say a wireless packet sniffer or a jamming device and the possibilities for mischief are endless. Melrose illustrated this by starting his presentation with a video of The Killer Drone, a flying chainsaw developed by a pair of Finnish farmers.

Scarier still was Melrose’s demonstration of the ‘target tracking’ technology included on the latest consumer drones by chasing one of his research assistants across a lawn. Despite the assistant’s best efforts to escape, the aircraft was able to follow her.

Despite the scary aspects of drone spying, vandalism and harassment, the devices aren’t invulnerable. The two Finnish farmers had their drone brought down by a balloon, and drones are themselves vulnerable to all the risks – from chainsaws to signal jammers – that they present.

Melrose’s demonstration shows how the physical security world is changing as drones become commonplace. Fences, padlocks and ‘keep out’ signs are not enough to keep out today’s generation of technologically savvy trespassers.

Jeff Melrose’s presentation was a thought provoking view of how the threat landscape is changing and that risks evolve with technology.

Paul travelled to Las Vegas as a guest of Nuix

Crowdsourcing the security world

Crowdsourcing security testing is proving to be a winning business

Following the success of their Hack the Pentagon project, the US Department of Defense is to extend the project across its network.

Run over four weeks earlier this year, the pilot program reportedly generated 138 unique bug reports and paid out $71,200 to hackers.

The company running the pilot, HackerOne, is one of a group of companies organising bounty hunts for the hacking community.

Casey Ellis, the CEO of competing service Bugcrowd, describes his business as being “essentially a community of thirty thousand hackers from around the world.”

“The whole idea is to identify where the vulnerabilities are discovered and fixed before the bad guys,” he says. “Your guys who you are paying by the hour are plenty smart but they are competing with a crowd of bad guys who think creatively.”

Ellis explained how services like Bugcrowd allow clients like the US Department of Defense to manage the risk and administrative aspects of running a security competition, making it easier for large organisations to run crowdsourced projects like this.

Much has been written about crowdsourcing but it’s commercial fields like security testing where tapping the wisdom of the community really pays off. For some consulting firms, these services could turn out to be real threats.

Probing the weakest links of the banking system

The Bangladeshi bank hack was a lucky escape but it is an early warning about securing our networks.

The breach of the Bangladeshi banking network has been shocking on a number of levels, not least for the allegations the institutions were using second hand network equipment with no security precautions.

Fortunately for the Bangladesh financial system the hackers couldn’t spell and so only got away with a fraction of what they could have.

Now there are claims the SWIFT international funds transfer system may have been compromised by the breach, which shows the fragility of global networks and how they are only as strong as the weakest link.

As the growth of the internet shows, it’s almost impossible to build a totally secure global communications network. As connected devices, intelligent systems and algorithms become integral parts of our lives, trusting information is going to become even more critical.

The Bangladeshi bank hack was a lucky escape but it is an early warning about securing our networks.

Update: According to Reuters, it appears the hackers were successful in getting malware onto the network but it, like their main efforts, was somewhat crude and easily detected. One wonders how many sophisticated bad actors have quietly exploited these weaknesses.

Reaping the security dividend

Digital disruption is driving boards and executives into realising the value and importance of cyber security, Cisco claims.

Boards and executives have finally got the message about security, says John Stewart, Chief Security and Trust Officer at Cisco.

For most of the computer era security has been seen as an inhibitor to innovation and speed to market, but now, with most businesses finding they face a three year time frame to transform in the face of digital disruption, Stewart says corporate managements see the security of their products as being a valued feature.

Stewart bases his view on an online survey, Cybersecurity as a Growth Advantage, where Cisco polled 1,014 senior executives with extensive cybersecurity responsibilities in 10 countries and conducted 11 in-depth interviews with senior executives and cybersecurity experts.

From this, Cisco found a third of businesses now see security as being a competitive advantage.

Digital disruption drives the shift

Stewart puts this down to boards and senior executives realising how widespread digital disruption is, “it’s highly unlikely Weight Watchers saw the disruption coming from Fitbit,” he muses. “In fact it’s hard to see how anyone could have seen that coming.”

As a consequence of these widespread and often unexpected disruptions, corporate leaders are trying to shore up their existing positions against unforeseen competitors by shifting to digital platforms as quickly as they can.

“We have to do digital and if we are going to do digital we have to have strong cybersecurity controls,” says Stewart in explaining why cybersecurity is an important part of this strategy.

Security as a cornerstone

“By making cybersecurity a cornerstone of their businesses, security-led digital organizations are able to innovate faster and more effectively, because they have significantly greater confidence in the security of their digital capabilities,” Stewart says.

Certainly managers are worried about the risks of going digital with Cisco reporting many businesses have put projects on hold due to concerns about security risks, “a lack of cybersecurity strategy can cripple innovation and slow business, because it can hinder development of digital offerings and business models.”

According to Cisco’s findings, seventy-one percent of executives said that concerns over cybersecurity are impeding innovation in their organizations. Thirty-nine percent of executives stated that they had halted mission-critical initiatives due to cybersecurity issues.

Encouraging moves

While the possibility that corporate leaders are taking cyber security seriously is encouraging, that change is yet to be seen in the marketplace, particularly in the consumer Internet of Things market where being first trumps security, design considerations or even basic safety.

The real test for how important cybersecurity really is remains in the marketplace — will customers pay more for secure products?

One senses that in Cisco’s marketplace of enterprise customers, where security failures could have expensive, embarrassing and possibly catastrophic consequences, customers will pay more for trustworthy devices. In the consumer field it may well be different.

Probably the most important finding from Cisco’s survey is that businesses are now understanding security has to be designed into products and processes rather than being bolted on as an afterthought. If that is true, then we have come a long way.

Open sourcing the IoT

Increasingly it appears open source software is the way to avoid IoT vendor lock-in.

With vendors shutting down connected devices and restricting data feeds, customers demanding open source software and open standards may be essential to safeguard against companies misusing their power over the IoT.

Last night I had dinner with a group of executives from US telco CenturyLink. During the evening, conversation turned to the use of US and Chinese routers and the risks of government mandated backdoors in both countries’ equipment.

My thought during that conversation was that concerns about software backdoors are a compelling argument for these devices to run open source software, making it harder – although not impossible – for hidden nasties to be built into systems.

Google Nest becomes evil

Overnight that argument for open source became stronger in my mind with the news Google Nest were to shut down the Revolv home automation hubs the company bought two years ago.

Google aren’t just stopping support for these devices, they are going to render them useless to their owners. It’s a remarkable move that undermines any confidence customers can have in Google’s hardware offerings.

While Revolv isn’t the first and will be far from the last Internet of Things device to be abandoned by its vendor, its fate indicates the importance of keeping as much of the ecosystem as open as possible – the less vendor lock-in there is, the less hostage you are to rapacious manufacturers.

Locked out of the subscription economy

As we’ve seen with Amazon in the past, the ‘subscription economy’ opens users to the risk they can be locked out of their data or purchased apps. Now we’re seeing how vendors can lock users out of the products entirely.

With connected cars and homes now becoming common, this is something that should concern buyers. As we see everything from door locks to smoke detectors and kettles being connected to the Internet of Things, the risk of being at the mercy of an unreasonable vendor or malfunctioning software becomes greater.

At least with an open source model, it’s easier to build workarounds when faced with an uncooperative supplier and, in a world full of poorly designed IoT products, it’s possible for the community to review the software and understand its bugs.

The security aspect of open platforms is also critical for the IoT as we’re already seeing a plethora of unpatched devices where vendors have long lost interest in supporting the older products.

Open interoperation

More importantly, open platforms make it easier for devices to work together, something that is critical in connected buildings or industries. At the moment the IoT is a mish mash of competing standards and formats.

Over time it won’t be surprising to see the market demanding more open source applications and data feeds – indeed we’re seeing this happen with artificial intelligence platforms – the proprietary model brings in too many risks and makes the IoT far more complex.

While open source software won’t solve problems such as APIs and data feeds being closed or changed, it does give more power back to users and communities. It’s not hard to understand why vendors would resist these moves, though.

Warning against the connected car

The FBI and US Department of Transportation warn of risks in the connected car.

A year after hackers demonstrated the risks of connected cars, the FBI and the US Department of Transportation have warned consumers of the risks in internet connected vehicles.

This warning comes as automobile manufacturers are pushing their new breed of motor cars as being software platforms rather than vehicles and calls into question how well security and safety are being designed into their products.

One of the recurrent features of these sorts of warnings is how regulators, manufacturers and software designers try to push the risks back onto consumers rather than the companies designing these systems.

Officials said that while not all car hacking incidents result in safety risks, consumers should take the appropriate steps to minimize their own risks.

It’s hard to see what consumers can really do, as most of these systems are ‘black boxes’ protected by strict terms preventing users from seeing, let alone understanding, the software running the vehicles. Customers have to trust the manufacturers to do the right thing.

For the Internet of Things, and connected cars, to be successful they have to deliver value to consumers and have the confidence of the market. Right now many of these features seem to do neither.

 

Bringing cybersecurity into the mainstream

The corporate world is taking security seriously says Cisco’s Chief Security and Trust Officer, John Stewart

“Cybersecurity is out of the dungeon and now selling itself as a business service,” says Cisco’s Chief Security and Trust Officer, John Stewart.

Stewart was discussing his company’s security challenges at a Cisco Live briefing at their Melbourne conference yesterday.

The shift to security as a business service follows the pattern of computerisation in business, believes Stewart: “At first businesses said you can’t keep important documents on computers, then they said you could only keep important data on computers.”

For Stewart, the fact c-level execs recognise the importance of cybersecurity is a positive sign that indicates organisations are taking IT and communications security seriously.

When asked what keeps him up at night, Stewart said it was worries about infrastructure security; the Ukrainian power network’s experience after an attack from a seriously motivated group of hackers indicates just how serious this is.

Interestingly, Stewart remains focused on the risks of security breaches. As the Internet of Things rolls out, it may well be that the integrity of data streams becomes a far greater focus for system administrators and security officers.

Paul travelled to Cisco Live in Melbourne as a guest of Cisco

Thinking differently about Cyber Security

We need to think differently about cyber security in order to protect our networks says a former British intelligence officer.

“I get quite frustrated with the cybersecurity industry,” says Andy France, Deputy Director of Cyber Defence Operations at British Intelligence Agency GCHQ. “We have to think differently.”

France was speaking at the Telstra Cyber Security Forum at the company’s Sydney experience centre yesterday, where he outlined how organisations are rethinking how they protect their data.

“What we haven’t realised is just like the Bronze Age, the Stone Age, the Industrial Age and the Internet Age, we have to think differently about what that means in terms of security and privacy. We have to think differently about how we build systems.”

The biggest problem France sees in the industry itself is the lack of skills to build those secure systems, a situation he believes is partly created by the sector’s credentialism: gaining certifications is several orders of magnitude more bureaucratic than becoming a fighter pilot.

In contrast the bad guys who France splits into five groups – script kiddies, hacker collectives, crime syndicates, hackers for hire and nation states – have no such concerns about certificates and accreditation.

“You have serial collectors of letters after their names,” he states. “We’re putting an artificial bar against the people with the new thought processes that are going to help us address this problem.”

“It feels like the criteria has been set up to create a nice little market so we can control day rates,” France says, “in a world where we’re screaming out for talent and need people to come along who are interested and challenged by the subject.”

Apart from the trap of credentialism, the real concern for businesses and users should be the integrity of data in France’s opinion. We need to be certain information is accurate, a problem that will be exacerbated as business processes are automated around data streams being connected by the Internet of Things.

France suggests three principles should underlie an organisation’s data defences: having systems in place to spot early indications of a problem, obeying the five ‘knows’ and understanding your network.

Understanding your network, what France calls the ‘defender’s advantage’, is the most essential task of all for someone protecting their organisation’s data. “If someone knows your network better than you then that should be a criminal offense,” he states. “To get the defender’s advantage in place you need to understand your network.”

“Technology in itself will not keep you safe,” France says, describing security as being subject to Pareto’s Law where most vulnerabilities are mundane background noise. “We need to have a balance where technology looks after the 80% and we have the people and processes in dealing with the unexpected 20%.”

“It’s certainly not going to get any better,” France warns about the trends for cyber security in 2016. For most companies and system administrators it’s going to be a matter of being alert and having the processes in place to deal with the unexpected.

Telstra’s five ‘knows’ of security

Can data security be reduced to five rules?

Telstra, Australia’s incumbent telco, held their Cyber Security Summit in Sydney today looking at the issues facing organisations in protecting their networks and data.

One of the recurring themes speakers raised was the ‘five knows’ that Telstra’s security people believe are the core of business security.

Those ‘knows’ sound simple but in truth they are hard to carry out in even a small, simple network:

  • Know the value of your data
  • Know who has access
  • Know where the data is
  • Know who is protecting the data
  • Know how well that data is being protected

With these five rules we’re moving into Donald Rumsfeld territory of ‘known unknowns’. In most organisations the honest answer to these questions is “we don’t fully know”. Some data that’s seen as irrelevant by management could be a goldmine for a competitor or malicious actor, while a relatively junior staffer could be saving critical documents on an external drive or consumer cloud service with a weak password.

Managing those knowns, or unknowns, is a tough task and one that needs to be tempered by realism.

In truth no system administrator has full knowledge of their network. For organisations, real security comes from having strong leadership, robust processes and delivering the products and services demanded by the public.

Technology will help deliver those products and services while helping strong leaders implement robust process but ultimately a secure organisation needs good management, not better tech.

From the cyber security point of view, Telstra’s forum had many useful thoughts and we’ll look at more aspects regarding security that came up in the sessions later in the week.

Hacking the power grid through air conditioners

Air conditioners are the latest internet connected devices to raise security concerns

Another example of the unintended consequences of poor security in the Internet of Things is Wired’s story about the possibility of hacking the power grid by accessing smart air conditioners.

In the US, electricity companies offer deals where consumers get reduced bills in return for the utility being able to throttle the usage of air conditioners during peak power periods.

Those devices turn out not to be well secured, which opens the possibility of malicious actors causing brownouts or service interruptions in targeted areas.

Sadly this story isn’t isolated; too many connected devices have poor security that opens up a range of risks to homeowners, businesses and the community at large.

 

BlackBerry’s last smartphone

The BlackBerry Priv is probably the company’s last smartphone as it pivots to being a security provider

Having written about BlackBerry’s ambitions in the marketplace for The Australian last week, it wasn’t surprising to be invited to the company’s Down Under launch of their Priv handset earlier today.

The event illustrated some brutal realities about the mobile phone market and BlackBerry’s efforts to build on its strengths in the enterprise security space.

With 2.7 billion dollars of cash reserves, the company has seven years of breathing space at its current loss rates although it’s notable the stock market values the company at $3.5bn, implying investors value the business’ operations at a measly $800 million.

Given the collapse in BlackBerry’s handset business from twenty percent of the market at the beginning of the decade to an asterisk today, that pessimism from investors isn’t surprising and underscores why the company is recasting itself as an enterprise security provider.

Five major acquisitions in the last 18 months have demonstrated how BlackBerry is attempting to recast its business; purchases ranging from security services like Good Technology and Secusmart through to warning software like AtHoc have seen the company bolster its range of offerings.

Coupled with the recent acquisitions are its own longstanding messaging and secure communications services combined with the QNX software arm that promises a far more reliable Internet of Things than many of the current operating systems being embedded into smart devices.

The Android smartphone system itself is bedevilled with dangerous apps running on outdated software, and this is where BlackBerry hopes their PRIV handset can attract enterprise users conscious of the need to secure their employees’ devices.

For BlackBerry though, the PRIV being shipped with the Android operating system is a capitulation to the smartphone market’s stark reality where there is only demand for two products and outside players like BlackBerry or Windows are destined to wither away.

While the PRIV is a nice, albeit expensive, phone and the slide out physical keyboard is nice to use, the device seems to be a desperate attempt by the company to stay in the smartphone market.

As an outside observer it’s hard to see the justification for BlackBerry continuing as a phone manufacturer. There may be some intellectual property value from the development of the devices – although it should be noted the company only valued its IP assets at $906 million in November 2015.

While the PRIV is a perfectly good Android phone, it will probably be the last smartphone BlackBerry makes. The challenge for the company’s management now is to tie together the software assets it has into a compelling suite of products for the enterprise sector.

In an age where devices of all types are going to be connected, the market for ensuring their security should be huge. Catering to that market should be BlackBerry’s greatest hope of survival.

Securing the drones

British and American spies were able to hack into Israeli and Syrian military drones. What hope is there for ordinary computer users?

While we assume military equipment has far higher levels of IT security, it isn’t always the case, reports Ars Technica.

Allegedly the US National Security Agency and Britain’s GCHQ were able to intercept the video feeds of Israeli and Syrian drone aircraft using off the shelf software. While it appears security has become more sophisticated on this equipment, it is a concern that data feeds can be monitored from military equipment.

This is even more concerning given the reliance on software and telemetry systems in modern weapons. The troubled F-35 project shows just how complex computer code has now become in military equipment and it is safe to say some of those bugs will create weaknesses in the systems.

For those of us with more modest security needs, all is not lost though as Rob Joyce, the NSA’s hacker-in-chief, has given some useful tips on how to protect your systems. These are worth following although Joyce is quite clear that you’ll have to work hard to stay ahead of a sophisticated and persistent cyber-enemy.