Knowing what we don’t know

Cisco’s 2016 security report shows businesses are more uncertain than ever about their network defences. This is a good thing.

The 2016 Cisco Security Report is in many ways an encouraging document: while it describes a litany of threats facing the modern business, the fact that managers are less confident about their defences is a good thing.

Of the 2,432 security executives surveyed, 59% claimed their security infrastructure was up to date, against the 64% who said the same previously. Acknowledging this is motivating them to improve their defences.

For industry, the real concern is the small business sector where there’s a clear decline in the use of IT security tools. As the Target breach showed, trusted contractors and suppliers provide a weakness in an organisation’s systems that malicious actors are keen to exploit.

In Cisco’s analysis, the main reasons for SMBs’ lack of concern are their belief that they are too small to be of value to hackers and the fact that most of their IT management is outsourced.

The shift to the cloud shouldn’t be understated, particularly given many SMBs are moving their IT functions onto cloud services. While this doesn’t fully protect businesses, the cloud providers certainly offer a far higher level of protection than the local plumbing contractor relying on a mom and pop computer support service.

The bad guys, however, are responding to that shift: Cisco reports increased browser-based and DNS attacks, both of which are useful in compromising cloud computing services, which means both service providers and end users have to be vigilant about security.

At all levels of business, though, the lack of confidence in security has major ramifications as the Internet of Things is rolled out and common devices start being connected to fragile and often compromised networks.

The good news for vendors like Cisco is this lack of confidence could spur a new wave of business investment as companies improve their network security.

Another important aspect of CIOs and business owners not being confident about their network security is they are far less likely to assume their systems are safe or to passively accept vendor assurances about their safety.

For all of us as customers and users of these technologies, a greater focus on security by the organisations we deal with should be welcomed as well.

Anatomy of an internet exploit

The Angler exploit tells us much about the challenges of internet security

As one does on a weekend, I’m working my way through the 2016 Cisco Security Report.

There are plenty of insights on online security trends, which I’ll cover in tomorrow’s blog post, but one aspect that sticks out in the report is the case study on the Angler Exploit, which takes advantage of hacked domain registrar accounts to create new domain names to serve phishing pages, ransomware sites and malicious advertisements.

Dealing with these sites is a major problem for network administrators and Cisco claims many of the domains registered haven’t yet been used by online criminals.

The Angler exploit shows just how complex internet security has become. Trust is a complex thing, and certainly no-one can trust every domain they see. That there are thousands of ‘disposable’ domains available to scammers only makes things more difficult for the average user.

The insecure internet of children’s toys

Security weaknesses in the Hello Barbie show safety is an afterthought rather than a fundamental part of designing tech products.

What could go wrong with an internet connected doll with artificial intelligence that can respond to children’s conversations?

A lot as it turns out.

The Washington Post reports the Hello Barbie has a range of vulnerabilities that could be used to eavesdrop on conversations and potentially carry out even more malicious acts.

Once again we see marketers and salespeople being ahead of the IT and security experts, with the security of an Internet of Things device being treated as a bolt-on afterthought rather than a basic design consideration.

Designing a secure IoT ecosystem

Ensuring the next generation of IoT devices is secure will be one of the challenges facing the next generations of designers.

Ensuring the next generation of IoT devices is secure and a good citizen of the wider ecosystem will be one of the challenges facing the next generations of designers.

Diego Tamburini, Manufacturing Industry Strategist of design software company Autodesk, spoke to Decoding The New Economy about how the IoT will change the design industry. “We’ve been designing equipment to connect to the internet for a generation,” he said. “What’s changing is that now the addition of software, electronics, networking and communication is breeding into objects that were purely mechanical.”

Melding the physical and software worlds doesn’t come without risks, however, something that worries internet pioneer Vint Cerf, who foresees headlines like ‘100,000 fridges hack the Bank of America’ in an interview with Matthew Braga of Motherboard Canada.

Apart from the fact it could be a hundred million, Cerf has good reason to be worried. Most consumer IoT devices are hopelessly insecure, and the recent stories of hacked cars only emphasise the weaknesses of connected household items.

Cerf and Braga make the point that the ‘I Love You’ worm of the year 2000 became a crisis because the world had reached the point where personal computers were ubiquitous. A similar piece of malware in a world where everything from kettles to wristwatches is vulnerable would be exponentially worse.

These risks put a great onus on product designers, even more so given much of the functionality is based upon those devices communicating with others across the internet and cloud services, something that Tamburini emphasised.

“One important thing that is happening with thing being connected is we are not just designing things that function in a vacuum, we’re increasingly designing members of a larger ecosystem.” Tamburini states, “now we have to think of how the product will have to connect to other products and how they will collectively perform a function.”

Part of that risk is that should those devices malfunction, either deliberately as part of a botnet or malware attack, or accidentally, as we saw with the connected home being disabled by a defective smart lightbulb flooding the network with error messages, then the wider community may be affected in ways we may not expect.

Cerf believes it’s going to take a big, catastrophic hack on a grand, connected scale before a shift in security begins to happen, and before people begin to even consider that such vulnerabilities exist.

If that’s the case, it will be that society has ignored the clear warning signs we’ve seen from events like the Jeep hack and the Stuxnet worm, not to mention the massive privacy breaches at Target and Sony. For designers of these systems hardening them is going to be an essential part of making them fit for today and the future.

Experian, T-Mobile and third party security risk

T-Mobile’s security woes at the hands of Experian show trust cannot be outsourced

Another day, another corporate security breach (or six). This time telco T-Mobile has revealed up to 15 million customers’ data has been compromised.

Notable in this story is that T-Mobile are firmly putting the blame on credit monitoring company Experian.

For both companies this is extremely embarrassing with T-Mobile stating, “our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network.”

T-Mobile, like most telcos, sees a major opportunity in being a trusted provider of security services and this setback hurts them in a key market.

Experian on the other hand have shown their slack attitude to user data previously, having been caught selling consumer details to identity thieves.

That a company in such a privileged position as Experian can be repeatedly caught this way will almost certainly increase the push for penalties for corporate data breaches to get real teeth, and the United States’ cavalier attitude to public privacy and online security will take another dent.

For T-Mobile and most other companies, the lesson is stark and clear. Trust starts with your own contractors and business partners; it cannot be outsourced.

Volkswagen shows the IoT’s data weakness

The Volkswagen emissions scandal shows the data weakness in the internet of things

The Volkswagen emissions scandal has rocked the company and cost its CEO his job, but the company’s falsifying of data to pass regulators’ tests has serious implications for the Internet of Things.

As the Los Angeles Times explains, Volkswagen designed software to detect when its cars were being tested. During a test the software would modify the car’s performance to give a false result.

This is similar to the Stuxnet worm which sent Iranian operators false information indicating the uranium enrichment centrifuges were operating normally when in truth they were running at speeds well outside their design.

Both the Volkswagen fraud and the Stuxnet worm show how software can be used to tell lies about data. For processes and businesses relying on that data, it’s critical to know that information is reliable and correct.

Data is the raw material of the internet of things and all the value derived comes from analysing that information. If the information is false, then there’s no value in the IoT. Designing systems that guarantee the integrity of data is going to be essential as devices become more connected.

The Age of Rattling the Cage

We’re in a time when taking risk is the lowest risk in business, says VMWare CEO Pat Gelsinger

“It’s no longer the big beating the small, it’s the fast beating the slow,” says Eric Pearson, CIO of the InterContinental Hotels Group.

Pearson was quoted by VMWare CEO Pat Gelsinger in his five imperatives for digital business keynote at the VMWorld 2015 conference being held in San Francisco this week.

The five are an interpretation of the trends in a radically changing business environment where the barriers to entry have fallen dramatically, industries are globalised and the time to market for new products has collapsed.

Put together, Gelsinger believes established businesses have to be more nimble as market and industry forces are going to punish those who are too slow to adapt.

Elephants must learn to dance

Gelsinger’s initial point is the world of business is now asymmetric – incumbents have everything to lose in the face of new businesses where upstarts have nothing to lose.

Part of that asymmetry comes from the world of shared resources, which gives startups and smaller businesses access to tools that were once only available to large organisations.

An obvious example of this is the cloud computing services that are concentrating VMWare’s mind; another good example of how shared resources will change industries is the self-driving car, where Gelsinger cites vehicle utilisation going from 4% to 71%.

Gelsinger points out using a car on a pay for use basis will change the structure of our cities which in turn changes the economics of living in suburbia and the business models built around it.

Standardising the cloud

Cloud computing is at the end of its formative, experimental phase and entering into a professional era where different types of services are going to have to work together.

“We have the private cloud which is focused on IT as we know it today, pulling out costs, slow and complex applications but also has powerful governance and does what I need it to do while meeting compliance purposes,” said Gelsinger. “On the other side we have the public cloud which is fast and is able to scale effectively but has weak governance.”

In a perverse way, it’s Edward Snowden’s revelations that are driving many businesses to maintain their own private cloud networks due to concerns about foreign powers tapping their information flows and the sovereignty of data.

The consequence of a range of different cloud environments is that they are all going to have to get along, with open standards becoming more important as businesses ‘mix and match’ their requirements.

Meeting the security challenge

As the Snowden affair shows, IT Security is difficult, complex and messy and becomes more so as workers start using their mobile devices and data is pushed around the cloud.

Gelsinger sees the online security sector as being the one of the biggest opportunities for startups and one of the fastest growing costs for business, “the only thing growing faster than the spend on security is the cost of security breaches.”

While Gelsinger’s focus is on VMWare’s security proposition, the security mindset is going to have to be adopted by all business people. As the Target and Ashley Madison breaches have shown, the damage that can be done by a security lapse can be crippling and is a tangible business risk that senior managements and boards need to be across.

Proactive technology

Artificial intelligence has been through a thirty-year gestation, and Gelsinger told of his early days as a computer engineer working on AI projects in the late 1980s. Those early days of AI were a failure, as the results at the time didn’t live up to the hype.

Gelsinger sees this as the next wave of computing as it moves from being reactive to proactive as systems become able to anticipate actions based on the data they are seeing.

While this has major ramifications for the computer industry, it also promises to change management and the role of many professions.

“This is going to change human experiences,” says Gelsinger; however, there will be challenges as businesses strike a balance between creepy versus convenient and invasive versus valuable.

Welcome to the age of rattling the cage

Half of the firms on today’s Tech 100 list will be gone within 10 years, was the warning in Gelsinger’s final point and he focused on the need for businesses large and small to break out in order to stay relevant.

“Welcome to the age of rattling the cage,” stated Gelsinger. “A time when taking risk is the lowest risk.”

Paul travelled to VMWorld 2015 in San Francisco as a guest of VMWare

Developing the world of trustworthy data

Recent security problems start focusing the minds of those designing the Internet of Things and connected cars

Last month’s remote hacking of Jeeps through their entertainment systems was a wake up call to the technology industry as it underscored the risks of connected devices and now a series of initiatives are looking at improving the security landscape.

One of the benefits of the new top level domain regime, despite its reeking of rent seeking by the ICANN names agency, is larger companies and industry groups can improve management of their online identities and those of the services and devices their operations rely upon.

Top level security

Having their own top level domains and being able to issue security certificates for devices and services within their own walled gardens means financial institutions, hardware vendors and service providers can have more confidence in the identities of those they are dealing with.

Bloomberg Business examines how corporations are applying for domains to enhance their online identities, and while the focus is on guaranteeing the veracity of their websites, having done that the scope expands to a range of other applications, particularly ensuring everything from bank point-of-sale equipment through to connected cars and kettles is authenticated.

A top level domain is only part of the answer though and for the systems to work effectively there has to be more sophisticated ways for systems to ensure they are talking to trusted parties. This need becomes particularly acute with automated systems making business decisions in milliseconds where corrupt or incorrect data can cause havoc with financial markets or supply chains.

Blockchain’s potential

Some of the work being done around Bitcoin, particularly with the use of Blockchain technology to ensure transactions are valid, is one intriguing area where researchers are looking at ensuring all parties in a connected society are genuine and trustworthy.

It’s early days yet in the development of these services and there will be many mistakes as businesses and consumers adopt services where security hasn’t been properly thought through or implemented.

As Chrysler found with the Jeep hack, the risks of getting it wrong are real and potentially fatal and it’s notable Uber has hired the researchers who discovered that vulnerability to design security for their driverless car project.

Trustworthy data

With autonomous vehicles authentication is essential, not just for the passengers or operator starting the car but for all the devices and services communicating from outside and within. As the Jeep hack showed, the braking system needs to have confidence that the instructions it’s receiving are genuine and not coming from a malicious outsider.

Outside the car, other services will be communicating: the vehicle’s navigation system needs to be confident the mapping information it’s receiving is reliable and from the genuine provider. Similarly, plans to reduce the road toll using roadside devices and other cars need to ascertain that the data being transmitted about highway conditions is trustworthy.

It’s often said computers are only as smart as the data going into them – garbage in, garbage out is the classic saying of the computer industry. As we move into a world where more decisions are being made by machines, those systems are going to become more demanding that information is trustworthy.
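The point made here, and in the Volkswagen and Stuxnet piece above, is that a receiving system cannot take the bytes it is handed at face value; it needs a way to check that a message came from the expected device and has not been altered or replayed. The following is an added illustration of that check, not code from any of the projects or vendors discussed: it uses the standard-library HMAC-SHA256 to tag each message and covers a per-device sequence number so replays are caught as well as tampering. The device name, the shared key and the wheel-speed readings are all constructed for the example.

```python
"""Authenticated device messages: a receiver (braking controller,
navigation unit, analytics pipeline) verifies origin, integrity and
freshness before trusting a reading.  HMAC-SHA256 from the standard
library; message format and sample data are constructed for this example."""
import hashlib
import hmac
import json

# Constructed key material.  In a real deployment each device would hold its
# own provisioned secret (or a certificate); a fixed key is used here only so
# the example is reproducible.
DEVICE_KEYS = {
    "wheel-speed-01": bytes.fromhex("7f" * 32),
}


class RejectedMessage(Exception):
    """Raised when a message fails authentication or freshness checks."""


def _canonical(body: dict) -> bytes:
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def encode_message(device_id: str, seq: int, payload: dict, key: bytes) -> bytes:
    """Build a tagged message: <canonical JSON body>.<hex HMAC-SHA256 tag>.

    The sequence number sits inside the tagged body, so a replayed or
    reordered message cannot be given a fresh number without the key.
    """
    data = _canonical({"device": device_id, "seq": seq, "payload": payload})
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return data + b"." + tag.encode()


def verify_message(raw: bytes, keys: dict, last_seq: dict) -> dict:
    """Return the payload if the message is genuine and fresh, else raise.

    `last_seq` records the highest accepted sequence number per device and
    is updated in place; the caller keeps it across messages.
    """
    try:
        data, tag_hex = raw.rsplit(b".", 1)   # hex tag never contains "."
        body = json.loads(data)
        device = body["device"]
        seq = int(body["seq"])
    except (ValueError, KeyError, TypeError) as exc:
        raise RejectedMessage(f"malformed: {exc}") from None

    key = keys.get(device)
    if key is None:
        raise RejectedMessage(f"unknown device {device!r}")

    # Recompute over the exact bytes received; constant-time comparison so
    # timing differences do not leak how much of the tag was right.
    expected = hmac.new(key, data, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag_hex):
        raise RejectedMessage("bad tag: tampered, forged or wrong key")

    # Freshness is checked only after the tag is valid, otherwise
    # unauthenticated junk could advance the counter and block real readings.
    if seq <= last_seq.get(device, -1):
        raise RejectedMessage(f"replay: seq {seq} already seen")
    last_seq[device] = seq
    return body["payload"]


def _outcome(raw: bytes, seen: dict):
    try:
        return verify_message(raw, DEVICE_KEYS, seen)
    except RejectedMessage as exc:
        return f"rejected: {exc}"


def run_demo() -> dict:
    """Run constructed traffic through the receiver and report each outcome."""
    key = DEVICE_KEYS["wheel-speed-01"]
    seen = {}
    outcomes = {}

    genuine = encode_message("wheel-speed-01", 1, {"wheel_rpm": 840}, key)
    outcomes["genuine"] = _outcome(genuine, seen)
    # Altered in transit: the body changes but the tag does not.
    tampered = genuine.replace(b'"wheel_rpm":840', b'"wheel_rpm":0')
    outcomes["tampered"] = _outcome(tampered, seen)
    # The genuine message re-sent later.
    outcomes["replayed"] = _outcome(genuine, seen)
    # Built by a party that does not hold the device key.
    forged = encode_message("wheel-speed-01", 2, {"wheel_rpm": 0}, b"guess")
    outcomes["forged"] = _outcome(forged, seen)
    # The next genuine reading still gets through.
    nxt = encode_message("wheel-speed-01", 2, {"wheel_rpm": 830}, key)
    outcomes["next"] = _outcome(nxt, seen)
    return outcomes


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:9s} {result}")
```

The order of the checks matters: the tag is verified before the sequence number is consulted, so an outsider without the key cannot advance a device’s counter and starve out its real readings. A shared secret is the simplest form of this; the same structure applies when the tag is replaced by a signature under a per-device certificate, which is what the top-level-domain and certificate schemes described earlier would provide.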

Google’s Android problems point the way for the Internet of Things

How Google handle ongoing Android security issues will be a pointer for protecting the Internet of Things

As regular security problems are being exposed in the Android operating system, Google and Samsung have announced regular updates to their devices and software.

For long timers in the IT industry this is a return to the Microsoft days of Patch Tuesdays, the monthly bundle of updates for Windows and Office the company used to issue on the first Tuesday of each month.

While Android has nothing like the problems Microsoft did in the early 2000s, with the explosion of malware that crippled millions of users, the risks to the Google system are real, with some predicting a security armageddon.

For users, there’s a serious question in the problems facing the Android system in that, unlike Windows, the rollout of updates is controlled by the telcos or handset vendors rather than the software developers.

As a consequence many older devices simply aren’t being updated, leaving millions of smartphone users exposed to malware with no way of fixing known security problems.

The problems facing Android are common across the entire Internet of Things; how Google responds to the current smartphone security problems is going to be a pointer for the rest of the IoT sector.

The need for an IoT manifesto

As the internet of things rolls out, more care in the design of products and services will be needed

Last May at the ThingsCon conference in Berlin a group of European designers came together to form the IoT Manifesto.

Now that vendors have the ability to put a chip into almost anything, companies and designers are tempted to add connectivity simply for the sake of doing so.

In many cases this opens up a range of security risks, ranging from the screaming baby monitor to the hackable Jeep.

Coupled with the security risks of your intimate devices being hacked, there are the related privacy risks as millions of devices collect data ranging from how hard you press your car’s brake pedal through to the last time you burned your breakfast toast.

In an era where governments and businesses are seeking to amass even more information about us, there are genuine concerns about what that data is going to be used for and why it is being collected in the first place.

The IoT manifesto looks to manage these problems facing the sector through ten guiding design principles:

  1. Don’t believe the hype around the IoT
  2. Only design useful things
  3. Deliver benefits to all stakeholders
  4. Keep everything secure
  5. Promote a culture of privacy
  6. Gather only a minimal amount of data
  7. Be transparent about who that data will be shared with
  8. Give users control over their data
  9. Design durable products
  10. Use the IoT and its design to help people

All of the principles are laudable and it’s not hard to think that meeting the guidelines would make devices and services that aren’t just useful and safe but also simpler, cheaper and more effective.

There are many ethical, business and safety issues facing the Internet of Things as connected devices roll out across almost every industry. The IoT Manifesto may well be a good framework in which to design them and the cloud services they’ll depend upon.

Security, smartcars and Microsoft Windows – ABC Nightlife July 2015

Security problems with smartcars and dating sites along with asking if a new version of Microsoft Windows matters any more

Security problems with smartcars and dating sites along with asking if a new version of Microsoft Windows matters any more are the topics for July’s Nightlife tech spot.

Paul Wallbank regularly joins Tony Delroy on ABC Nightlife to discuss how technology affects your business and life.

If you missed this month’s show, you can listen to the program through the ABC website.

July’s Nightlife

A decade ago people lined up all night for a new version of the Windows operating system. Next week Microsoft will be launching Windows 10 to an indifferent marketplace; does what was once the world’s biggest software company matter anymore in a world of smartphones, connected cars and cloud computing?

Some of the questions we’ll be answering include:

  • So what are Microsoft announcing next week?
  • What happened to Windows 9?
  • Does Windows really matter any more?
  • The internet has changed things but not always for the better. What about connected cars being hacked?
  • Is this a bigger problem than just connected cars when we’re seeing things like kettles being wired up to the internet?
  • Of course it’s not just cars suffering problems on the Internet, adult dating site Ashley Madison has had potentially 37 million customers’ details leaked online.
  • Could this happen to any business? How do we protect ourselves?

Listeners’ questions

A few of the questions from listeners couldn’t be answered on air.

Running Flash on iPhones and iPads: Steve Jobs’ hatred of Adobe Flash was legendary and as a consequence iOS devices like the iPhone and iPad don’t come with the ability to run the software. That’s a problem for those who need Flash for some packages.

The Puffin web browser gives iPad and iPhone users the ability to use Flash on their devices and is available from the iTunes store.

Securing Android: While smartphones are less prone to viruses and malware than personal computers, they still are at risk. For Android users there is no shortage of choice for security packages, some of which include;

Android power hogs: A downside with smartphone apps is they can drain battery life. One excellent feature on Android phones is the ability to easily check what’s using your juice.

  • Open device settings
  • Scroll to “about phone”
  • Click on “battery use”

Join us

Tune in on your local ABC radio station from 10pm Australian Eastern Summer time or listen online at www.abc.net.au/nightlife.

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

You can SMS Nightlife’s talkback on 19922702, or tweet to @paulwallbank using the #abcnightlife hashtag, or visit the Nightlife Facebook page.


A series of weak links

Security continues to be a challenge for Internet of Things vendors

One of the ongoing discussions in the world of the Internet of Things is the security weaknesses in many devices that leave networks vulnerable to rogue devices or malicious hackers.

A good example of this is Craig Hockenberry’s post on his Furbo.org site on how bugs in Apple’s Bonjour software mess with networks.

While Apple won’t say what causes this issue, an ominous point in itself, Hockenberry surmises it’s due to older software in some devices that no longer have updates available, which is another problem facing the IoT.

On top of Hockenberry’s story, a piece in Threat Post reports the Open Smart Grid Protocol has serious security issues.

The writers of the package, which is installed on more than four million smart meters and similar devices worldwide, decided to write their own encryption algorithm, and it has proved easy to break.

So the smart home which might feature both a slew of Apple devices and one of these exposed smart meters has a range of security holes that the occupier has no idea about. This hardly breeds confidence.

As the Internet of Things is rolled out, security is going to have to be at the front of developers’ and vendors’ minds. The stakes are too high for shoddy and ill-thought-out compromises, or for vendors like Apple who rate secrecy over their customers’ security.