Category: security

Rigging the Internet of Things

The Internet of Things offers many new opportunities for hackers

Hackers are infiltrating public companies to gain an edge on Wall Street warns a story on financial website Finextra.

This is not news, companies’ networks have been the target of insider traders since the early days of corporate computing. What is different today though are the nature of the risks as Chinese and even North Korean hackers are probing networks containing vast amounts of information to find weaknesses and confidential information.

For insider traders, it may be the internet of things turns out to be a boon. By hijacking delivery or supply data, traders may have an advantage over the market.

Things could get very nasty if those hackers subtly alter the data, say over reporting production yields, so a company gives the wrong income guidance based on faulty information.

Security is one of the big issues facing the internet of things sector and the consequences of poorly protected sensors or systems could be immense when governments, businesses and communities come to rely on a stream of data they can trust.

The bad guys are only just starting to explore the possibilities of the connected world.

Similar posts:

  • No Related Posts

Burning user trust

How Whisper burned its users trust with false security and privacy promises

The Guardian today has a stunning expose on the Whisper social media network and its practice of tracking users.

In trying to sell its services to the Guardian, the company showed that it was betraying their promises of anonymity to its users.

Whisper’s behaviour is particularly disgraceful given the service’s promise of user confidentiality and their changing of their terms of service only shows the company’s struggle to understand ethics.

No social media service can afford to burn user trust in the way Whisper has.

If you’re going to promise users anonymity and security then you better deliver. Whisper has failed

 

Similar posts:

  • No Related Posts

Apple’s security challenge

As Apple move into the internet of things, they are going to have to take cloud security more seriously.

This week’s news about celebrities’ personal photos being stolen from their iCloud accounts would be irritating Apple ahead of their September 9 media event.

Unfortunately for Apple they seemed to have walked into this by making things convenient for users rather than enforcing strong security measures.

As Arik Hesseldahl in Re/Code describes, this breach was probably due to Apple not encouraging two factor authentication and not limiting the number of password guesses.

The latter is particularly irritating as it shouldn’t be hard for a system to pick when a brute force attack — a computer guessing a password millions of times a second — is being staged against a user.

It’s also trivial to limit the number of guesses as most other services do.

For users, the best protection is to have complex passwords which reduces the effectiveness of brute force attacks. It’s also worthwhile being careful with your personal nudie photos.

The consequences of having your iCloud account compromised are more than just losing your embarrassing photos, Wired’s Mat Honan had his entire digital life hijacked through this method two years ago.

With Apple aspiring to control the smarthome and smartcar markets, the consequences of accounts being breached becomes exponentially greater. These are issues Apple and the rest of the internet of things industry need to take seriously.

Hopefully at Apple’s big media event next week, some brave journalist will stand out of the assembled masses of sycophant hacks and ask CEO Tim Cook some hard questions about security on the shiny new iDevices.

Similar posts:

  • No Related Posts

The messy business of metadata

At present we’ve defined metadata too broadly and private information too narrowly which allow governments and businesses to overreach

“We kill people based on metadata,” former US National Security Agency director Michael Hayden told a panel at John Hopkins University last year.

That statement brings sharply into focus the current Australian debate about Telcos being mandated to retain metadata. This information is powerful and can be used in ways not expected by the community.

How metadata is used depends upon how it is defined; one of the worrying parts of the Australian debate is just how nebulous the definition of ‘metadata’ is.

Defining metadata

The basic definition of metadata is that it is ‘data about data’, every packet of data that’s transmitted across the internet is wrapped in information to help the network deliver it to its intended location in a useful form.

Strictly speaking this is where the glib ‘address on the envelope’ line so beloved by clueless politicians promoting data retention comes in; this information is useful but not private as anyone can see it.

That view underlies the defining metadata case, the 1979 US Supreme Court’s Smith v Maryland case, that held telephone numbers are not private information as they’ve been disclosed to the phone company.

Metadata everywhere

With the rise of digital technologies, metadata became much more than just phone numbers and addresses; digital cameras encode photographs with EXIF information that includes details of the date, time camera, shutter speed, focal length and increasingly the location where the photo was taken.

The smartphone you might take that photo with is logging into base stations which telcos are tracking, this is one of the applications law enforcement agencies regularly use to catch criminals, and increasingly near field communications like BlueTooth are being logged by everything from toll gates to bus shelters to track phone usage.

Every email sent has dozens of lines of metadata describing the servers, routing and software used in sending it. Only a tiny fraction of a Twitter message is the 140 character content, the rest is metadata.

This site has hundreds of lines of metadata to tell your browser how to display it and your browser itself is storing dozens of cookies that tell other sites where you’ve been – all of this is metadata.

When we add the Internet of Things to the metadata debate things get even more complex. As home devices, smartcars and wearable technology generating packets of data, it becomes far easier for governments and private enterprise to stitch together a complete picture of an individual even without looking at the actual content of the packets.

The risks for service providers

As Australian ISP iiNet raised in an excellent submission to the Senate committee on data retention, collecting all of this data creates costs and risks for service providers as they have to store, manage and protect massive amounts of data.

Most of that data will never be looked at, but agencies want the information stored because they can. The bizarre thing is that under Australian law, specifically section 313 of the Telecommunications Act, is that a public servant – not just a a law enforcement officer – only has to ask for the information.

For most people the dangers of government surveillance are remote however all of this information is also available to private organisations ranging from health insurers to credit checking bureaus; the real debate is just how much data do we want others to have on our private lives.

At present we’ve defined metadata too broadly and private information too narrowly.

What’s notable in every discussion about increasing government or police powers is the mantra of getting the laws to catch up with technology.

In the case of metadata it may well be the definition of individual rights has to catch up with modern technology, not the powers of government.

Similar posts:

Hacks on a plane

That avionic systems could be vulnerable to hacking is a wake up call for the internet of things industry.

One of the great concerns about the internet of things is what happens when older computer technology that was never designed to be connected to the net is exposed to the online world.

A presentation to the Black Hat Conference in Las Vegas this Thursday by researcher Ruben Santamarta promises to show some of the vulnerabilities in aircraft avionic systems.

Today’s aircraft are extremely smart devices with the downsides shown in the tragedy of AF447 where an Air France jet plunged into the Atlantic Ocean when two undertrained pilots didn’t understand what their plane was doing as it encountered severe ice conditions in a storm.

With aircrew increasingly dependent upon computers to help them fly planes, the risks of bugs or security weaknesses in aircraft systems is a serious issue and with the continued mystery of MH370’s fate adds an element of speculation that a glitch of some form was responsible for its disappearance.

It wouldn’t be the first time a passenger plane came to grief because of a computer error; most notably Air New Zealand flight 901 crashed into Antarctica’s Mount Erebus during a 1979 sightseeing trip due to wrong information being loaded into the navigation system.

The internet adds numerous risk factors to aircraft – Santamarta’s hack allegedly works through in plane WiFi systems – particularly given these avionics systems haven’t been designed to deal with unauthorised access into their networks.

Should Santamarta’s demonstration prove feasible, it will be an important warning to the aviation industry and the broader Internet of Things community that security is a pressing issue in a world where critical equipment is connected.

Similar posts:

  • No Related Posts

The internet of insecure things becomes a problem

Security with the internet of things is becoming a serious issue warns HP

Following yesterday’s posts on BlackBerry, security and the Internet of Things, HP Fortify released a report saying seventy percent of IoT devices are vulnerable to hackers.

The list of weaknesses is chilling and illustrates why IoT security is an issue that has to be resolved now.

It may well be that John Chen, BlackBerry’s CEO, has backed the right horse for his company.

Similar posts:

  • No Related Posts

Smartphone safety and online trust – ABC Nightlife technology

The July ABC Nightlife radio segment looks at how elusive the truth can be online along with smartphones and sight impaired tech.

Smartphones for the vision impaired, malware on portable devices and online trust were the topics of the July technology spot on  Tony Delroy’s Nightlife along with why a restaurant claims Google sent it broke and how we can’t always trust what we hear online.

If you missed the show, you can download the program from the website.

For sight impaired smartphone users both Doug and Nick called in to suggest Vision Australia’s services. The organisation has a page dedicated to smartphone and tablet resources.

Nick and Peter asked about malware protection for Android smartphones. Both Intel’s McAfee Mobile Security and Sophos’ Mobile Security for Android are free for home users.

The next spot is scheduled for 4 September, if you have any topics you’d like to discuss contact me or the Nightlife producers.

Similar posts:

  • No Related Posts