Tech security in a tough world

Even the professionals are struggling to keep up with a rapidly changing IT world, which is why businesses should start taking computer security seriously.

Network giant Cisco Systems released its 2014 Annual Security Report last week which should make sobering reading for every business manager and owner.

If you’re looking at a career change, the survey even suggests a possible new job.

Over two million of Cisco’s customers were examined in the survey and every single company had evidence of its systems being compromised in some way, from staff visiting suspicious websites to full-scale hacker break-ins.

Keeping up with change

The survey points out IT security risks are evolving quickly as business technology becomes more complex and it’s hard for even industry professionals to keep up with the pace of change.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Chief Security Officer of Cisco, John Stewart, told a media briefing yesterday.

That concern was reinforced by Stewart’s colleague Levi Gundert, technical lead at Cisco’s Threat Research Analysis and Communications (TRAC) group.

“It’s not about are you going to be compromised,” said Gundert. “The question is how long is it going to take you to detect and shorten the remediation window?”

If even the world’s biggest corporations are struggling what can smaller organisations do to control the risk?

Disable Java

The biggest computer security risk is Java. Cisco found a shocking 91% of the exploits it tracked were related to the application. “2013 was the year of the Java exploit. It was a bad year for Java,” says Gundert. It should also be noted that the first large-scale malware outbreak on Apple Macs, the Flashback Trojan, spread through a Java vulnerability.

The best way to deal with this risk is to keep Java off your systems. The problem with that advice is that many business applications – and games, if you have a home office or kids use your computer – need the software to run.

If you have to use Java, make sure you have the latest version running on your systems, and disable the Java browser plug-in unless a website you rely on needs it: most of the 2013 Java exploits were delivered through the browser plug-in by booby-trapped web pages, not through desktop applications.

Keep your systems up to date

It’s not just Java that is a risk; Cisco identified vulnerabilities in Adobe’s PDF software and Microsoft Office as the other main threats.

It’s important that all systems – Mac, Windows or any other operating systems – are kept up to date with the latest patches.

Lock down office systems

Except when your computers are being updated or maintained, there’s no reason for office computers to be running with Administrator rights.

Day-to-day use should be done in restricted user profiles: on a Windows machine, workers should be logged on as standard users, while on Macs they should be managed (non-admin) users. The only time an Administrator account needs to be logged on is when maintenance is being done. The payoff is that malware which lands in a standard user’s session can’t install system-wide software or alter the operating system without that extra permission.

Watch those mobiles

The IT security industry has been watching smartphones for a while and 2013 saw large-scale malware appearing on mobile devices, although it’s still small compared to PCs.

Cisco’s survey found mobile devices accounted for only 1.2 percent of web-based malware encounters, with almost all of those infections on Android systems.

Most of these Android infections were game add-ons downloaded from unofficial Android app stores, so the message is to stick to the official, trusted services for Android apps.

Website risks

Another risky area for businesses identified by Cisco is websites being compromised and hijacked.

The software on these – the content management system along with its plug-ins and themes – needs to be updated to the latest versions just as office computers should be.

Often, disused websites and blogs aren’t updated. The ABC discovered last year that abandoned, neglected websites are a great way for hackers and malware distributors to launch attacks or spread problems.

So if you have older websites or blogs, shut them down and redirect the domains to operating addresses.

For those operational websites, password security needs to be beefed up as Cisco found ‘brute force’ attacks – where automated systems try every conceivable password combination – were up threefold in 2013. Strong passwords are half the defence; the other half is noticing the attack, which means logging failed logins and locking out or rate-limiting an address that keeps failing.
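One way to spot that kind of brute-force run in an ordinary web server log, as an added example that is not part of the original article or of Cisco’s report: it reads ‘combined’ format access log lines, keeps a sliding window of failed login POSTs per source address, and flags any address that crosses a threshold. It assumes a WordPress-style login page (`/wp-login.php`, which answers a failed login with HTTP 200 and a successful one with a 302 redirect); the log lines and the IP addresses in them are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Web server "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields the detector needs, or None for a line it can't read."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def find_brute_force(lines, login_path="/wp-login.php", failure_status=200,
                     threshold=5, window_seconds=60):
    """Flag source addresses that fail the login form `threshold` or more times
    inside any `window_seconds` span. Returns {ip: time the threshold was crossed}.

    Assumption: WordPress re-renders the form with HTTP 200 on a failed login and
    redirects (302) on success, so status 200 on a POST counts as a failure.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["path"] != login_path:
            continue
        if e["status"] != failure_status:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        # Sliding window: forget failures older than the window.
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and e["ip"] not in flagged:
            flagged[e["ip"]] = e["ts"]
    return flagged


# Constructed sample log: 203.0.113.7 hammers the login form, while 198.51.100.5
# is a real user who mistypes a password once and then logs in (302).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2014:09:15:01 +1100] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2014:09:15:01 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Jan/2014:09:15:03 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2014:09:15:05 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2014:09:15:09 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2014:09:15:13 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2014:09:15:17 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Jan/2014:09:15:20 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2014:09:15:21 +1100] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    'this line is not a log entry',
]

if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"brute force from {ip}, threshold crossed at {when:%H:%M:%S}")
```

The legitimate user’s single failure never reaches the threshold, and the window keeps a slow, patient attacker from being flagged by accident only if the window is long enough; tune `threshold` and `window_seconds` to the login rate the site actually sees before wiring the output into a lockout or firewall rule.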

Professional skills shortage

A big problem facing the IT industry is a worldwide skills shortage: “There are essentially a million jobs across the globe that can be filled but we don’t have trained people to fill them,” says Cisco’s Stewart. “We’ve got a dearth of talent and skills.”

For smaller businesses that means it’s harder to find someone to fix problems when they happen. For both business managers and owners it’s smarter to reduce the likelihood of having a problem than to scramble to find an IT professional to help after the event.

The good news from Cisco’s survey is if you’re thinking of a career change, or you have a teenager moping around looking for a job, then IT security could be the answer.

For everyone else, as business and the world in general becomes more connected the security of the systems our world is coming to depend upon is something we have to take more seriously.

2014 – the year privacy and security will be defined

Security will be the big technology story of 2014

Happy New Year – 2013 might have been a disappointing year for tech, but for many it was a weird, wild roller coaster ride. Hopefully that ride is going to result in some very interesting destinations in 2014.

It’s tempting to make predictions about 2014 and wise heads prefer not to – what I’d point to is a failed prediction from 2011 that the year would be remembered as the year of the security breach.

That was wrong. 2012 was worse and 2013 continued the trend of ever-increasing corporate security failures, finishing the year with two massive breaches at Target and Snapchat. 2014 promises to be a year when the stakes become higher.

And then there were Edward Snowden’s revelations. Everyone who’s worked in or reported on the tech sector knew security agencies had the ability to snoop on the data of anyone they thought might be of interest, but few of us thought they would have engaged in such massive sweeps of the planet’s personal and business data.

Snowden’s leaks and the fallout from them have a long way to play out and the big story is going to be how the US justice system reacts to the creation of a surveillance state.

In countries like Australia that lack the US’ constitutional protections, fighting the constant spying of government agencies is probably a lost cause unless an economic collapse sees the authorities running out of money to operate their comprehensive monitoring programs.

What we can be certain of, in light of ongoing privacy breaches by governments and businesses, is that the technology world is going to be obsessed with security. That’s probably going to be the big, ongoing story for 2014, even if the mainstream media outlets focus on big TVs and the latest smartphone.

So Happy New Year and play nice on the internet. The Feds are watching.

Balkanising the internet

Breaking up the internet into different standards would be a backward step, but it might happen.

Could the current internet spying scandals result in the internet becoming fragmented into different national empires?

Over dinner with President Obama and fourteen other tech industry leaders, Yahoo!’s CEO Marissa Mayer warned that US spying threatens to ‘Balkanize the Internet’, Bloomberg reports.

Mayer has reasons to be worried. The scale of the US National Security Agency’s multiple programs monitoring internet traffic around the world has surprised even the most hard-bitten commentator, and it is already affecting US technology sales to China.

Coupled with revelations that Britain’s GCHQ was tapping the subsea cables themselves in concert with US agencies, almost every national government is now pondering the fact that, as an invention of the US military, the internet itself is open to being misused by its creators.

The Internet’s critical economic role

As online communications become more critical to nations’ economies and security, it’s understandable that governments would be considering how to make their networks harder to intercept or interfere with, and creating whole new protocols outside current standards is one way of doing that.

With the industrial sector increasingly being connected through the internet of machines the stakes suddenly become much higher, as the Iranian government discovered with the Stuxnet worm that sabotaged the centrifuges in the country’s uranium enrichment program.

After Stuxnet every country and business with critical systems exposed to the internet is now working on hardening those systems from similar attacks.

Until recently, almost all the profits from the internet’s growth have gone to US technology companies so it’s not a surprise that Facebook chief Sheryl Sandberg and Google chairman Eric Schmidt were with Mayer when she expressed her concerns to President Obama.

Balkanising the web

A balkanisation of the internet along national lines and industrial sectors is bad for US business which already struggles to get traction in non-Western markets like China and India.

The irony is though that Yahoo!, Google and Facebook are all trying to balkanize the internet themselves in locking users into their own networks.

While that’s a concern for internet users, it appears those commercial walled gardens don’t seem to be working.

The failure of commercial walled gardens

Yahoo!’s attempt to monopolise their corner of the web has clearly failed and it’s appearing that Google’s attempts to take over social media are failing despite forcing YouTube users onto Google+ while Facebook is beginning to buckle under the sheer weight of its own News Feed.

Common wisdom about internet markets is that you have to be the number one provider in your niche to succeed, what we may well be seeing is those niches are smaller than we thought and leadership in one sector doesn’t automatically guarantee success in another.

As Deloitte’s Eric Openshaw told this blog last week, “one way or another, these things can be problematic in the short run but typically over time they are resolved.”

Tesla, Edison and Jonathan Swift

One of the reasons for the internet being one of the most successful technologies is that it was standardised relatively early. It didn’t have the battles over industry standards like the AC versus DC electricity arguments between Edison and Tesla, or the insanity of different railway gauges plaguing countries and international trade.

Jonathan Swift parodied these technological arguments in Gulliver’s Travels where the main point of contention between the warring empires of Lilliput and Blefuscu was over which end boiled eggs should be cracked.

It would be a great economic loss if security concerns or commercial opportunities saw the internet follow those examples and saw the online world carved up into many little empires.

Should it happen, we deserve a future Jonathan Swift to parody us mercilessly.

Walls of Constantinople by Bigdaddy1204 through Wikimedia

Silos and security in the internet of things

Is vendor lock in a bigger risk than security in the internet of machines?

Last week Deloitte launched its list of the 500 fastest growing Asia-Pacific technology companies.

At the Australian media briefing on the list and the company’s predictions for the telecommunications market in 2014, Deloitte’s Jolyn Barker and Eric Openshaw discussed some of the implications of the report.

During the briefing Openshaw was asked about the risks of vendors creating their own Internet of Things standards to lock customers into proprietary platforms.

Openshaw isn’t convinced, “over time when technologies develop out of significant players in an attempt to create or extend a vertical stack, over time the market tends to revolt against that.”

“There’s usually one or two forces working against that, either the market revolts against it and insists on a new standard or the stack is too successful and regulators will come in and say ‘we don’t like your stack, dismantle it’.”

His view is that in the long term issues of vendor lock-in and proprietary platforms fix themselves. “One way or another, these things can be problematic in the short run but typically over time they are resolved.”

Where Openshaw does see risks is in the security of machine-to-machine technologies.

“The security aspect just can’t be overstated in terms of how important it is,” says Openshaw. “When we have demonstrations now of being able to hack a pacemaker, that’s a problem.”

“So the security issues on these networks are important.”

The interplay between the software, network protocols and security is going to be complex and may well be what makes or breaks some vendors products.

It’s still early days to fully appreciate all the risks with the internet of machines, but securing networks and devices will be one of the most important tasks ahead for the industry.

Discussing Cryptolocker and Internet of Things security on ABC Radio

This morning with Linda Mottram on ABC 702 I’ll be discussing Cryptolocker ransomware and the security of the Internet of Machines.

If you missed the program, you can listen to the segments through Soundcloud.

Tuesday morning with Linda Mottram on ABC 702 I’ll be discussing Cryptolocker ransomware, the security of the Internet of Machines and the tech industry’s call for less internet surveillance.

It’s only a short spot from 10.15am and I’m not sure we’ll have time for callers, but one of the big takeaways I’ll have for listeners is the importance of securing your systems against malware. There are some security ideas for business users as well.

We’ll probably get to mention the ACCC’s warnings on smartphone apps and the current TIFF bug in Windows as well.

If you’re in the Sydney area, we’ll be live on 702 from 10.15, otherwise you can stream it through the internet.

Potentially unwanted applications – what are we are installing on our smartphones?

Do we really understand what we are installing on our smartphones? Sophos Labs thinks potentially unwanted applications or PUAs are a growing problem.

One of the notable things about the technology industries is there are always new terms and concepts to discover.

During a visit to Sophos’ Oxford headquarters last month, the phrase ‘Potentially Unwanted Applications’ – or PUAs – raised its head.

PUAs come from the problem application developers have in making money out of apps or websites. The culture of free or cheap is so ingrained online that it’s extremely hard to make a living out of writing software.

As a result, developers and their employers are engaging in some cunning tricks to get customers to download their apps and then to monetize them, particularly in the Android world which lacks the tight control Apple exercises over the iOS App Store.

“What’s interesting about Android,” says Sophos Labs’ Vice President Simon Reed, “is it’s attracting aggressive commercialisation.”

The fascinating thing Reed finds about this ‘aggressive commercialisation’ is where the distinction lies between malware and monetisation and when does an app or developer cross that line.

Reed’s colleagues Vanja Svajcer & Sean McDonald explore where that line lies in a paper titled Classifying PUAs in the Mobile Environment which they submitted to the Virus Bulletin Conference last October.

In that paper Svajcer and McDonald discuss how these applications have developed, the motivations behind them and the challenge for anti virus companies like Sophos and Kaspersky in categorising and dealing with them.

The authors also flag that while the bulk of the revenue generated by these apps comes from advertising, there are serious privacy risks for users as developers try to monetize the data many of these packages scrape from the phones they’re installed on.

Svajcer and McDonald do note though that potentially unwanted applications aren’t really anything new, we could well classify many of the drive by downloads that plagued Windows 98 users at the beginning of the century as being PUAs.

What we do need to keep in mind, though, is that what is driving the development of PUAs is users’ reluctance to pay for apps, and that it’s going to take a big change in customer attitudes for this problem to go away.

For businesses, this is something managers are going to have to consider as they move their line of business applications onto mobile devices, as Marc Benioff proposed at the recent Dreamforce conference.

Sophos’ Simon Reed believes potentially unwanted apps won’t be such a problem in the workplace however. “Consumers may have a different tolerance towards PUAs than commercial organisations,” he says.

The prevalence of PUAs on mobile devices does underscore though just how careful organisations have to be with who and what can access their data. It’s another challenge for CIOs.

Greetings from the scammers

While the online scams evolve, the venal stupidity of victims doesn’t

The notorious “419 scams” have been around since the early days of the consumer internet.

419 scams are the elaborate internet frauds that try to convince people they have unexpectedly come into money. Once a gullible victim takes the bait, they are duped into paying a range of ‘facilitation fees’ and costs that drain their savings.

The term 419 scam comes from the section of the Nigerian criminal code that covers this crime, which was appropriate as most — although not all — of these emails originated from the country.

For a while in the early 2000s, internet users became used to receiving a few 419 scam emails every day but by the middle of the decade they largely dried up as even the most gullible and greedy idiots became wise to the schemes.

That’s not to say they have completely vanished, this morning quite a distasteful one landed in my inbox.

Greetings,
I wish to seek your assistance to execute a business deal. I am Paul Williams a Contract Agent based in London. I require your consent to present you as next of kin to a client of mine, who died along with his wife and Two kids in the Asian Typhoon Haiyan in the Philippines leaving behind a large sum of money without a next of kin. With your co-operation and information available to me you can make a claim on the funds as the next of kin to my deceased client. After release of the funds to you by the financial institution where it is lodged, we can share according to a percentage we agree upon. If you may be of assistance, please reply for further co-operation.
Best Regards,

Paul Williams.

It’s unlikely that Paul Williams exists and, even if he did, it’s unlikely he’d have anything to do with this unsavoury scam that most people would immediately bin when they receive it.

Binning the message was my reaction as well, but as I was about to, it occurred to me that there are enough venal, stupid people in the world who would agree to be involved in such a deal.

No doubt if you asked them they’d say defrauding the deceased family’s estate is a victimless crime as the money would only end up with the government anyway, these people would swear blind they are honest, honourable folk and no doubt they would think they are rather clever.

It’s worth reflecting that dishonest, venal and somewhat dim people do occasionally get their come-uppance in today’s world.

Will the internet’s insecurities damage economic growth?

Online security problems are chronic and costing our economies billions claim researchers.

“No country is cyber-ready” warns Melissa Hathaway, author of the Cyber-Readiness Report.

Hathaway’s warning is that the economic benefits of the internet are being lost to the various vulnerabilities in our information infrastructure.

Dutch research company TNO claims that the Netherlands lost up to 2% of its GDP to cybercrime in 2010, and Hathaway claims similar losses are being incurred in other developed countries.

Supporting Hathaway’s views at a function in Sydney today, Cisco Systems’ Senior Vice President and Chief Security Officer, John Stewart, made a frightening observation about corporate networks.

“Every single customer we have checked with, and these are the Fortune 2000, has high threat malware operating in their environment – every single one of them.”

So the bad guys are in our networks and causing real economic damage. The question for businesses and governments is how do we manage this threat and mitigate any losses?

On our more intimate level, how do we manage our own systems and online behaviour to limit our personal or business losses?

Hathaway makes the point that the internet was never intended to do the job we now expect it to do and as consequence security was never built into the net’s design.

Today, we rely upon the internet regardless of its lack of inbuilt security. With everyone from governments through to organised crime and petty scammers wanting to peek at our data, we have to start taking security far more seriously.

On the internet, the Feds know what breed of dog you are

The downfall of Silk Road’s alleged founder is a lesson on how fragile our privacy and online security are

The arrest of alleged Silk Road founder Ross Ulbricht – also known as the Dread Pirate Roberts – has attracted plenty of media attention.

What’s particularly notable is the FBI is claiming Ulbricht made a basic mistake in posting to a website under his real name that gave his identity away.

If true, Ulbricht’s trivial mistake illustrates how easy it is for any determined investigator to find someone’s identity online from the trillion points of data we all create in the connected world.

Anyone who wants to be truly anonymous on the web has to work extremely hard to protect their identity. Most of us aren’t prepared to trade convenience for security, particularly given the massive effort required.

Even if we could protect our online habits, the use of credit cards, loyalty plans and even driving our cars still makes it almost impossible to escape the watch of a determined investigator.

In the early days of the web, it was said “on the internet, no-one knows you’re a dog.” Today the feds can figure out not only what breed of dog you are, but what your name is and your favourite brand of dog food.

The modern panopticon we live in is a very efficient machine and it’s difficult to hide from society’s gaze. It’s why we need to rethink privacy and information security.

Image of Presidio Modelo by Friman through Wikimedia.

A trillion points of data

As shopping centres, social media services and police forces collect greater amounts of information about us, we need to understand and manage the risks involved.

Last night, current affairs program Four Corners had a look at the risks to families in the age of Big Data.

Earlier in the day I had the opportunity to speak on ABC 702 Sydney with the program’s reporter, Geoff Thompson, to discuss some of the issues and take listeners’ calls about Big Data and security.

What stood out from the audience’s comments is how most people don’t understand the extent of how data is being shared. The frightening thing is the Four Corners program itself understated the extent of how information is being distributed around the internet.

Looking beyond social media

Social media sites like Facebook are an obvious and legitimate area of concern, with most people not understanding the ramifications of the terms and conditions of these services, however Big Data is far more than what you share on LinkedIn or Instagram.

A major point of the program was how the New South Wales police force’s Automatic Number Plate Recognition (ANPR) equipment stores photographs of car license plates.

One of the applications of ANPR shown during the program was how an officer can be warned that a vehicle is owned by someone potentially dangerous or has been used in a suspicious situation, allowing them to be more cautious if they decide to pull a car over. Probably the greatest application is getting unregistered, uninsured or unlicensed drivers off the road.

Those sorts of usage are the positive side of Big Data and its role in reducing the road toll. The example also illustrates how data points are coming together with the internet of machines, as traffic lights, road signs and cars themselves communicate with each other and with those police databases.

When that information is put together there’s a lot of valuable intelligence, and that’s why people are concerned that the NSW Police are storing millions of apparently useless images of car number plates with the time and location of the photographs.

These technologies aren’t confined to the police either; in shopping centres, in-store mobile phone tracking combined with the same number plate recognition the police use, watching who is entering the car parks, makes it possible to predict buying patterns and target offers to shoppers.

Couple that information with store loyalty cards, add in rapidly developing facial recognition, and retailers have a very powerful way of monitoring how their customers behave.

“What in-store analytics does is it takes the same kind of capabilities that e-commerce sites have had for more than a decade and applies them to brick and mortar stores,” says Retail Next’s Tim Callen. Using the store’s CCTV system the company applies facial recognition software to track shoppers’ behaviour.

Securing the data feeds

The immediate concern is the security of this data, we’ve covered the hackable baby monitor and the Four Corners program examined Troy Hunt’s exposure of security flaws in Westfield Shopping Centres’ Find My Car App. Similar security concerns surround government databases like the NSW Police’s numberplate store.

As we’ve seen with the repeated data breaches of 2011, the management of big and small organisations like Sony or Stratfor don’t take security seriously. It’s hard to recall any senior public servant being held accountable for a security breach by their department.

A billion points of data

On their own, each of these data points means little, but for a motivated marketer, tenacious police officer or determined stalker, pulling those separate information sources together can build an accurate picture of a person’s private information, habits and beliefs.

Almost all the collectors of this data claim the information is anonymised or isn’t personal information. Unfortunately there’s a mismatch between the definition of private data and reality: number plates and mobile phone MAC addresses are not considered private, yet each is a persistent identifier that follows one car or one phone around, which is enough for an individual to be identified once the sightings are lined up against any record that does carry a name. Hashing the identifier before storing it doesn’t change that, because the hashed value is just as persistent and just as easy to join on.
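To make the point concrete, here is an added example (not from the original article, the Four Corners program or any of the companies named) of the kind of linkage the paragraph above describes. Three constructed feeds mirror the ones discussed: a car park number plate camera and an in-store wifi tracker, both storing only hashed identifiers, and a loyalty card scanner at the checkout that does carry a name. No single feed identifies anybody, but keeping only the phone and the car that were present at every one of a card holder’s visits resolves the ‘anonymous’ plate and MAC to a named person after a few trips. All plates, MAC addresses, timestamps and the name are made up for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def pseudonymise(identifier):
    """The 'anonymisation' many collectors apply: an unsalted hash of the identifier.
    It hides the raw value but stays constant for the same car or phone, so the
    hashed value can still be joined across sightings."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:12]


def at(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Three constructed feeds. None of them stores a name next to a car or a phone.
# 1. Car park number plate camera: (pseudonymised plate, entry time)
CARPARK = [(pseudonymise(plate), at(ts)) for plate, ts in [
    ("ABC12D", "2014-01-06 10:02"), ("XYZ99Q", "2014-01-06 10:05"), ("KLM45P", "2014-01-06 10:07"),
    ("ABC12D", "2014-01-13 17:31"), ("QRS78T", "2014-01-13 17:35"),
    ("ABC12D", "2014-01-20 12:10"), ("XYZ99Q", "2014-01-20 12:12"),
]]
# 2. In-store wifi tracking: (pseudonymised phone MAC address, time first seen in store)
WIFI = [(pseudonymise(mac), at(ts)) for mac, ts in [
    ("a4:5e:60:aa:bb:cc", "2014-01-06 10:15"), ("3c:07:54:11:22:33", "2014-01-06 10:20"),
    ("f0:d1:a9:44:55:66", "2014-01-06 10:30"),
    ("a4:5e:60:aa:bb:cc", "2014-01-13 17:40"), ("3c:07:54:11:22:33", "2014-01-13 17:50"),
    ("a4:5e:60:aa:bb:cc", "2014-01-20 12:20"), ("f0:d1:a9:44:55:66", "2014-01-20 12:30"),
]]
# 3. Loyalty card scans at the checkout: (card number, name on the account, time)
LOYALTY = [
    ("L-1001", "J. Citizen", at("2014-01-06 10:41")),
    ("L-1001", "J. Citizen", at("2014-01-13 18:05")),
    ("L-1001", "J. Citizen", at("2014-01-20 12:48")),
]


def seen_before(feed, when, window):
    """Identifiers in `feed` sighted during the `window` leading up to `when`."""
    return {ident for ident, seen in feed if timedelta(0) <= when - seen <= window}


def link_identities(loyalty, wifi, carpark,
                    wifi_window=timedelta(minutes=30),
                    carpark_window=timedelta(minutes=60)):
    """Intersection attack: for each loyalty card, keep only the phones and cars that
    were present at *every* one of its visits. One visit leaves several candidates;
    a few visits usually leave one. Returns {card: {name, phone, car}} for the cards
    that resolve to exactly one phone and one car."""
    visits = defaultdict(list)
    for card, name, when in loyalty:
        visits[(card, name)].append(when)
    linked = {}
    for (card, name), times in visits.items():
        phones = set.intersection(*(seen_before(wifi, t, wifi_window) for t in times))
        cars = set.intersection(*(seen_before(carpark, t, carpark_window) for t in times))
        if len(phones) == 1 and len(cars) == 1:
            linked[card] = {"name": name, "phone": phones.pop(), "car": cars.pop()}
    return linked


if __name__ == "__main__":
    for card, who in link_identities(LOYALTY, WIFI, CARPARK).items():
        print(f"{card} ({who['name']}): phone {who['phone']}, car {who['car']}")
```

With only the first visit every shopper in the store at the time is a candidate; after the second the car is pinned down but two phones remain; after the third both are unique and the hashed plate and MAC now have a name attached. The hashing never entered into it, which is why ‘we only store a hash’ is not the same as anonymisation.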

That aspect isn’t understood by most people, the final caller to the ABC Radio spot asked why she should be bothered worrying about privacy – it doesn’t matter.

As the French statesman Cardinal Richelieu is supposed to have said in the seventeenth century, “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

Today we each have six million points of data that can hang us, in a decade it could easily be a billion. We need to understand and manage the risks this presents while enjoying the benefits.

Security and the hackable baby monitor

Poor internet security on a baby camera should remind us of the importance of keeping your network secure.

Imagine a baby monitor that can be hacked. That’s the story Forbes magazine tells about the Foscam baby monitors that can be taken over by anybody using the Shodan search engine to find unsecured video devices exposed to the internet.

Like all similar stories, the Foscam monitors’ weaknesses are born out of good intentions, the idea is parents can keep an eye on their children across the internet.

The problem, as always, is that convenience and ease of use trumped security, with Foscam making it easy for parents by shipping devices with trivial, if any, security.

It’s a lesson that should have been learned a million times, yet manufacturers continue to disregard the risks of poor security on internet connected devices.

As these internet connected devices become critical to business and public safety, this lack of security won’t be acceptable.

Slowly, companies like Foscam are being forced to take security seriously — hopefully consumers will accelerate the process by voting with their wallets.

In the meantime, it might be a good idea to make sure your home or business router has a good firewall before setting up internet connected devices, and to check that the device itself isn’t reachable from the internet through a forwarded port or UPnP, that its default password has been changed and that its firmware is up to date.

Whose priorities do IT departments really care about?

A survey of IT managers shows that business risk and customer security are not their greatest concerns

Earlier this week mobile security company Imation showed off their latest range of Ironkey encrypted USB sticks and portable hard drives.

Accompanying the launch was a presentation from Stollznow Research on how Australian companies are managing data with a comparison against similar surveys carried out in the UK, US, Canada and Germany.

Of the 207 senior decision makers in Australian medium to large businesses surveyed, there were some interesting results on the attitudes of the nation’s IT departments and CIOs.

In the field of confidence about the security of their networks, Australian IT managers came out a lot less confident than their foreign counterparts, with only 38% of Aussies confident their office data is protected from loss or theft against 73% overseas.

That result is encouraging as the internet and the world of IT security has a habit of severely punishing those with a false sense of security.

What was particularly notable though with the Imation research was what IT managers considered to be the consequences of a security breach.

[Chart: consequences of a data breach, as ranked by the surveyed IT managers]

Around the world, IT managers see the headache of cleaning up the mess and bad media coverage as being the biggest consequences of a data breach. Customers come fourth in priority and even then the only concern is losing clients rather than the effects it could have on those people’s lives.

One of the tragedies of the continued Sony data breaches in 2011 was the leaking of credit card details. Many of those customers on pre-paid cards were young or low-paid workers who quite possibly lost all the money in their compromised accounts – debit cards don’t have the same protections against fraud as credit cards.

Even more terrible are the effects on those who become victims of identity fraud as consequence of a data breach. Letting that sort of information out is a fundamental betrayal of trust by organisations with sloppy security.

Interestingly over a third of respondents feared losing their jobs as a result of data being breached, in a perfect world it would be higher although we don’t live in a period where those accountable take responsibility for their actions.

What’s more likely in many smaller businesses is that a data breach could cause the entire organisation to fold, something that should worry anyone running a startup or small business.

If many CIOs and IT managers aren’t too worried about the business effects of a data breach or system outage, that shows security – both physical and digital – is the job of everyone in an organisation, not just one department or executive.