Security by obscurity’s false promise

Suppressing public knowledge of security flaws is not the way to fix a software problem.

Yesterday’s post looked at how security needs to be a fundamental part of connected systems like cars and home automation. An article in The Guardian shows how auto manufacturers are struggling with the challenge of making their products secure.

In the UK, Volkswagen has obtained an injunction restraining a University of Birmingham researcher from divulging security weaknesses in Porsche, Bentley, Lamborghini and Audi cars.

It is a mark of desperation when a company has to go to court to suppress the details of a security flaw; it almost guarantees that the bad guys will have the virtual keys while the general public remains ignorant.

Over time it backfires on the company as customers realise their products aren’t secure or safe.

The real problem for Volkswagen is a poor implementation of its security system: a master code that has to be shared with every repair shop and dealership was always going to leak, because a secret known to thousands of people is not a secret.

While the law is a useful tool, it isn’t the best way to fix software security problems.

Our hackable lives – why IT security matters.

Now that our cars, homes and security systems are hackable, we have to start taking IT security seriously.

Two stories this week illustrate the security risks of a connected lifestyle. Forbes magazine tells in separate pieces how modern car systems can be overridden and how smart homes can be hacked.

Smart home system security is a particular interest of mine. For a while I was involved in a home automation business, but I found the industry’s cavalier attitude towards keeping clients’ systems secure unacceptable.

The real concern with all of these stories is how designers and suppliers aren’t taking security seriously. In trading customer safety for convenience, they create serious safety risks for those using these systems. It’s as if nothing has been learned from the Stuxnet worm.

A decade ago, a joke went around about what if General Motors made cars like Microsoft designed Windows. Like all good stories, it had a lot of truth to it. Basically, the software industry doesn’t do security particularly well; there are developers and vendors who treat security as a basic foundation for their work, but they are the exception rather than the rule.

That may well be a generational thing as today’s young developers and future managers are more aware of the risks of substandard security in the age of the internet.

Rather than seeing security as something that is bolted on to a product when problems arise, this generation of coders has to treat security as one of the fundamental foundations of a new system.

What is clear, though, is that the builders of critical systems are going to have to take security far more seriously as internet-connected embedded computers become commonplace in our lives.

Blocking the bad guys – listeners’ questions from ABC Nightlife

Answers to listeners’ questions on Tony Delroy’s ABC Nightlife tech spot.

Last night’s ABC Nightlife looked at how email is evolving but most of our callers were concerned with configuring their email, anti-virus programs and blocking adverts on the web.

The audio of the program is available through the ABC website.

As usual, it’s tough to answer all the questions on live radio, so here are the ones from listeners that Tony and I said we’d get back to.

Ad blockers

Website owners are desperately trying to find ways to make money from their sites. Unfortunately it’s proving difficult, so we’re seeing increasingly intrusive ads trying to distract us while we surf the web.

A number of Tony’s callers asked about ad-blocking programs to get rid of these irritating ads, and there are a few paid and free solutions available for computer users.

The most popular solution is Adblock, a plug-in available for Firefox, Chrome, Opera and Android. The developers have a handy video guide to installing and configuring their product.

For Internet Explorer users, Simple Adblock is a plug-in that should work with their browser.

Be aware that ad-blocking programs may change the layout of the sites you visit, so be prepared for some strange-looking pages.

Also keep in mind that website owners are desperately trying to find ways to pay the bills, so you won’t stop the more cunning ads or sponsored content that pretends to be real news. You might also put a few online media sites out of business.

Anti-Virus programs

One common question from Nightlife listeners is what anti-virus program they should use.

Probably the simplest for Windows users is Microsoft Security Essentials or the free AVG Anti-Virus. For OS X users, ClamAV and Sophos’ free Anti-Virus for Mac will do the job.

If you have Norton or McAfee anti-virus programs on your Windows PC, then getting rid of the software is not straightforward. After uninstalling the software, you’ll have to run their removal tools, which are available from the Symantec (Norton) or McAfee websites. Read the instructions carefully.

Switching to Hotmail

A curious thing about Microsoft is how they like to irritate loyal customers with interface changes that leave everyone confused. Hotmail users are among the latest victims after the company migrated them to the Outlook.com platform.

Deborah called in to ask how she could switch back to Hotmail from Outlook.com; sadly the official line from Microsoft is “you can’t”. It appears that all of the workarounds to get Hotmail back have also been closed down and the old service is no more.

For Deborah, the choice is to either get used to Outlook.com or investigate other online mail services like Gmail or Yahoo!.

The next ABC Nightlife will be on in around five weeks. Hope you can join us then.

Are executives out of touch with IT trends?

Two business briefings raise a worrying question about the technical literacy of business executives.

Yesterday was media briefing day with a number of vendor events, including a very nice lunch with IBM, on the state of the technology industry.

One thing that was particularly striking in IBM’s Truth Behind The Trends survey was just how out of touch many of the executives quoted in the report seem to be, with responses on topics like malware and Bring Your Own Device firmly behind the curve.

This was borne out at the earlier media roundtable with online security company Websense where they described some of the challenges facing Chief Information Officers in making company boards and senior managers aware of technology security risks.

What surprised most of the journalists in the earlier briefing was just how clueless many executives seem to be about online business risks. Those who went along to the following IBM briefing realised why: managers genuinely don’t understand how the internet and business technology are evolving.

That should worry investors, as markets are changing rapidly and managers who don’t recognise, let alone understand, the shifts happening are jeopardising their businesses’ futures.

Why exactly business leaders are so out of touch is something we’ll look at tomorrow, when we examine the background of Australia’s CEOs.

Exploiting the weak points

The Great ATM Heist illustrates weaknesses in outsourcing business processes

The Great ATM Heist, where a crime gang subverted the card payment system, could well be the digital equivalent of the Great Train Robbery of the 1960s.

While the logistics of the operation are impressive, with hundreds of accomplices across twenty countries, the real moral of the story is how the gang targeted outsourced card processing companies to raise the withdrawal limits on the accounts they then emptied through ATMs.

Again we see the risk of throwing your problems over the fence: a system is only as reliable or secure as its weakest link and, regardless of how tight the commercial contracts are, outsourced services can’t be treated as someone else’s concern.

No doubt banks around the world will be having a close look at their systems and how they can trust other organisations’ outsourced operations.

Securing the security system

The hacking of a Google building management system shows how important it is to take security seriously.

How vulnerable building management systems can be hit me a decade ago while I was working at an expensive Sydney harbourfront home.

The householder – a rich banker – had spent millions on physical security to insulate his family from the outside world. Yet anybody could dial in and monitor what was happening in the house through the building’s CCTV and management systems.

Not only were the building’s CCTV and management systems open to the net, but the system’s server ran on an antiquated and unsecured version of Windows 2000 that shared the home network with a couple of enthusiastically downloading teenagers.

It was a matter of time, perhaps hours, before the system was compromised by a worm or virus. The security implications were enormous.

Even the banker’s business was vulnerable, as a targeted hack into the home would allow people to monitor traffic on the network and intercept work-related messages.

What was really shocking however was how the system vendor and integrator who’d installed it simply didn’t care about the client’s security problems.

So the news that the BMS of one of Google’s Sydney offices was exposed to the net shouldn’t be a surprise. Building management systems, as we saw with the rich banker’s house, are notorious for their poor security.

For Google this exposure is embarrassing, although responsibility for the flaw lies firmly with the building owner, who should have made sure the system was locked down and properly secured. You can’t throw this problem over the fence.

One wonders just how widespread these problems are with other industrial systems like SCADA devices and other remotely operated equipment.

Internet-connected systems have been around now for twenty years; there are no longer any excuses for not taking these issues seriously.

Image courtesy of Tacluda through RGBStock

Lessons from the Associated Press Twitter hack

The effects of a fake update from a hijacked Twitter account are a timely warning about the risks of online security and social media.

Today’s hack of the Associated Press Twitter account that sent out a fake report about the White House being attacked raises a number of issues about how business and the media industry use social media.

Attracting most of the attention is the stock market ‘flash crash’ triggered by the fake report where automated programs responded to unexpected selling on the exchanges.

This in itself is an example of a risky over-reliance on technology by well-paid people who should know better. There are a number of other lessons that everybody, particularly business people, should learn from the Associated Press hijack.

Twitter as a news channel

Without any verification, people started selling stocks based on a report spread through Twitter. This is understandable as Twitter has become the modern news ticker tape.

Also understandable is how news organisations could pick it up; most newsrooms are under-resourced and journalists are under pressure to break news. This opens opportunities for misinformation to spread.

The real risk with the fake report was if it had been picked up by a mainstream media outlet or found its way onto the wire services. Fortunately this time it didn’t.

One clear lesson from this is that social media postings are not a source of truth; they have to be checked and verified. This is something advocates for using social media as a disaster management tool need to keep in mind.

Think before you tweet

During the search for the Boston bombers, social media users went feral, and it showed how fast false information can spread.

For those of us using Twitter, or any other social media channel, we have to be careful about what we post and who we identify, as lives can be damaged and misinformation spread.

Thinking before we tweet or post makes it harder for rumours and misinformation to spread.

Introduce strong social media policies

Almost certainly the Associated Press Twitter account was hijacked because the single person in charge of the @AP account clicked on a phishing link and handed over the account’s password.

Social media sites don’t do a good job with their security which makes it difficult for businesses to monitor and control access to accounts.

While the services have to tighten up their act, companies need to be sure that they have security procedures in place and the right people maintaining their business accounts.

Hire the right people

Competing wire service Reuters discovered the importance of having the right person running its social media presence when it fired its deputy social media editor for inappropriate tweets during the Boston bombing scare.

Putting the intern or the youngest person in the office in charge of social media is a beginner’s mistake; a more serious error is to put a loose cannon in charge of the company’s online presence.

Given the potential business risks involved with social media, it’s necessary to put someone trusted and responsible in charge of what appears under the company’s name.

At the very least management has to do proper due diligence on the person they put in charge of their social media accounts.

Securing your business

Associated Press’ problem is typical of many businesses that don’t have tight security policies. The UK Department for Business, Innovation and Skills recently released a report finding that over 85% of British businesses had some sort of security breach in the previous year.

Given the risks posed by poor computer security, managers have to take the integrity of their systems seriously.

Those who were caught out by Associated Press’ hijacked Twitter stream learned important lessons about computer security, online trust and verifying information. All of us should be aware we can be caught out in the same way.

Microsoft’s China crisis

Microsoft’s Chinese partner is blocking Skype messages and possibly passing user details onto PRC authorities. This security concern could damage both Microsoft and Skype.

That the Chinese Public Security Bureau is blocking your messages – and may even be reading them – would make anyone pause before they used a service.

Bloomberg Businessweek reports Microsoft’s Skype is doing exactly this with its Chinese customers. Anything deemed inappropriate is censored and logged to servers belonging to TOM Online, the company that runs the Skype service on behalf of Microsoft in China.

The Bloomberg story goes on to detail how one researcher is reverse engineering the Chinese keyword blacklists, giving us a wonderful insight into the petty and touchy minds of China’s censors and political leaders.

What raises eyebrows about this story is how nonchalant Microsoft is about the issue. In a wonderful piece of corporate speak, the software giant answered Bloomberg’s question with the following bland statement:

“Skype’s mission is to break down barriers to communications and enable conversations worldwide,” the statement said. “Skype is committed to continued improvement of end user transparency wherever our software is used.”

Microsoft’s statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.”

Microsoft has to fix this problem quickly; glibly saying that the Chinese government eavesdropping on conversations is a matter for partners is not going to be accepted by most customers.

It would be a shame should Microsoft’s Skype investment fail. Skype is a very good fit for Microsoft, particularly when the technology is coupled with the Lync corporate messaging platform, so squandering goodwill over protecting users’ conversations seems counterproductive.

One of the great business issues of this decade is the battle to protect users’ privacy. Those who don’t do this, or don’t understand the imperatives of doing so, are going to lose the trust of the marketplace.

Twenty years ago, Microsoft could have risked this. Today it can’t, as it struggles with the poor response to Windows 8 and its mobile phone products.

Losing the trust of its customers may be the final straw.

Would you know if you’ve been hacked?

With 200,000 new malware threats each day, keeping ahead of the online bad guys is impossible. We need to be smarter.

“I report to head office in Moscow” is a line which either means you’re in a James Bond movie or at a lunch briefing with the Russian security company Kaspersky.

While the James Bond movie would be fun, the Kaspersky lunch was an interesting briefing on their new security product.

A notable aspect of the discussion was the explosion in malware – there are over a hundred million malicious programs circulating on the internet with over 200,000 new threats every day.

“We struggle to keep up,” says Kaspersky Lab ANZ Managing Director, Andrew Mamonitis.

That a security company with 2,700 specialists struggles to keep up with the evolving threats emphasises the scale of the task facing network administrators and IT managers.

It’s a task beyond all but the biggest companies.

Some time ago I suggested that every computer user should assume their computer is compromised and that managers should work on limiting what intruders can do to their systems.

With staff bringing their own devices to work, those risks are multiplied as some devices will almost certainly be infected with malware.

There are some basic things computer users can do to make their systems harder to break into; however, it’s almost impossible to protect against a zero-day exploit or the efforts of a sophisticated and determined hacker.

With our homes and motor cars, we realise it’s almost impossible to keep determined thieves out, so we take precautions like alarms, immobilisers and basic security such as keeping valuables out of plain view.

That attitude is what we now need with our computer technology; any hope of keeping your office server impregnable from outside attack is long gone.

Sharks patrol these waters

You can’t expect an anti-virus program to fully protect IT systems; the risks are far more pervasive.

The announcement that the New York Times was attacked by Chinese hackers after exposing the financial details of the nation’s Premier doesn’t come as much of a surprise to anybody following either China or computer security issues.

One of the realities of modern computing is that systems are constantly being compromised; the complexity of IT networks is so great that even the best security experts can be caught off guard.

Securing our networks

In such an environment the normal business or home computer user has little chance against sophisticated criminal or government-sponsored attacks, whether by the Chinese or any other spy agency.

One example of how badly wrong things can go for an organisation is the 2011 hacking of the security advisory firm Stratfor, which illustrated how small-business practices such as relatively open networks and poor password security can have serious consequences.

The issue is not how we fortify our systems against intruders but how we manage the risk. A useful analogy is how supermarkets deal with shoplifters: they can’t eliminate the problem, but they can manage it in ways that control losses.

Businesses, governments and home users have a range of things they can do to make it harder for hackers to get into a system and to limit what they can access if a determined one gets in.

The limits of anti-virus

Another aspect of the story that doesn’t surprise is the poor performance of the New York Times’ anti-virus software. According to Forbes, Symantec’s software caught only one malware program out of the 45 installed by the hackers.

I have an entirely rational hatred of Symantec. When I was running an IT support business, their products were the bane of our lives and we encouraged users to choose alternative security software because of the unreliability of many Symantec products, particularly the once proud Norton brand that was aimed at home and small business users.

At the time of the great malware epidemic in the early 2000s, Norton Anti-Virus had a huge market share, and it proved to be worse than useless against the various forms of drive-by downloads and infected sites that were exploiting weaknesses in Windows 98 and XP systems.

Windows weaknesses

The common culprit was ActiveX, the component technology Microsoft had built into Internet Explorer to extend its web features. While a good idea, Microsoft made ActiveX a fundamental part of Windows and gave controls full native access to the inner workings of the system, so a malicious control delivered by a web page ran with the same rights as the logged-in user.

Sadly Symantec made the decision to run all their security software on ActiveX as well.

As ActiveX was the main target for malware writers, it meant that Norton AntiVirus or the Security suite would crash in a heap once a computer became infected, and the Symantec software would then actively interfere with attempts to clean up a compromised system.

Making matters worse was Symantec’s subscription policies which cut customers off from vital updates and their bizarre policy of not including important upgrades in their automated updating function.

The failures of tech journalism

All of these factors made Symantec a loathed product in our office. It wasn’t helped by a generation of tech journalists who wrote gushing stories about Symantec, gave its products favourable reviews despite the company’s lousy reputation and consulted its employees for expert comment.

It wasn’t tech journalism’s finest hour. What really grates is the number of these folk still peddling nonsense about IT security and anti-virus software.

That distrust of Symantec continues to this day and those of us who struggled with their products a decade ago are not surprised at their poor performance on the New York Times’ network.

State sponsored risks

In defence of Symantec, the Chinese hackers are very good and it’s unlikely any security software would stand up to a sustained and determined attack from them or their counterparts in the US and Israeli governments.

We should also note that government agencies trying to get into systems is not just something done by the Chinese, US and Israelis; every government in the world is engaging in these activities against foreign businesses and their own citizens.

So we have to accept that these breaches and attacks are a real threat to any computer and any organisation. It may well be that we should build our security strategies around the assumption that the bad guys are already in the system, rather than believe we can build a giant electronic fort to keep them out.

One thing is for sure, you can’t rely solely on anti-virus software to secure your IT systems.

702 ABC Mornings – Hacking 102

This month’s 702 Sydney tech spot looks at how security is evolving

A number of callers asked about protecting their Facebook pages and information from hackers and spammers. Details are on the Netsmarts webpage

On 702 Sydney Mornings with Linda Mottram, we’re revisiting security and how it affects businesses and consumers after some stories of serious security breaches in everything from shops to pacemakers.

We’re looking at some pretty important issues, including how four million hotel locks are open to hackers and thieves.

Even more scary is the risk that pacemakers can be hacked. This story is a cautionary tale of good intentions being brought undone by bad security practices.

For businesses, the risk of having customers’ credit card details stolen is a serious issue. Two years ago the US fast food chain Subway had a major breach when criminals managed to break into franchisees’ point-of-sale systems.

Recently the Australian Federal Police broke up a similar crime gang operating out of Romania.

A misconception about computer security is that all hackers are evil. The reality is most aren’t, and a good example of this is Random Hacks of Kindness, where geeks get together to find ways of using tech to improve society. We’ll look at last weekend’s Melbourne event.

Join us on 702 Sydney from shortly after 9.30am. We’d like to hear your views, comments or questions so call in on 1300 222 702 or SMS on 0467 922 702 or tweet with @702Sydney in the message.

Ending the era of the computer password

Has the humble computer password reached the end of the line?

Earlier this year, Wired Magazine writer Mat Honan had his entire digital identity stolen from him when hackers talked their way past account-recovery checks to reset his email password and then systematically took over all of his cloud and social media accounts.

Mat writes of his experience on Wired and proposes that it’s time to kill the password.

The problem with Mat’s proposal is that he doesn’t suggest an alternative.

“The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.”

Every alternative authentication method to passwords has flaws just as serious, if not worse. Many are plainly impractical.

All of them, including passwords, share a common weakness: the organisations holding the credentials can’t be trusted either. One of the commonest ways for passwords to get into the wild is when a careless operator like Sony loses them in a breach.

Security is evolving; in the meantime we need to keep in mind some basic rules.

  • Use a different password for every account, so one leaked database doesn’t open all of them
  • Only access accounts from trusted and up-to-date computers
  • Create strong passwords for accounts that matter, like online banking and email
  • Strong passwords are long multi-word phrases; length beats clever substitutions
  • Use two-factor authentication if it’s available
  • Don’t link unnecessary social media and cloud accounts together, since one hijacked account becomes a recovery path into the others
  • Be very careful
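Two of those rules can be shown in working code. The following is an added example, not code from the original post or from Wired: it generates a multi-word passphrase with a cryptographic random source and compares its entropy with a short “complex” password, then implements the time-based one-time password scheme (RFC 6238, built on RFC 4226 HOTP) that most two-factor apps use. The short word list is a constructed stand-in for a real list such as the 7,776-word Diceware list, whose size is what the entropy arithmetic assumes; the 20-byte secret in the demo is the published RFC test key, not a real credential.

```python
"""Passphrase strength and TOTP two-factor codes (added example, not the post's own)."""
import hashlib
import hmac
import math
import secrets
import struct

# Constructed sample word list; a real generator would load the full
# Diceware list.  DICEWARE_SIZE drives the entropy maths below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "harbour", "lantern",
                "pepper", "violet", "granite", "saddle", "meadow", "copper"]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 94  # alphabet available to a "complex" keyboard password


def generate_passphrase(words, count=5, sep="-"):
    """Pick `count` words using the secrets module (a CSPRNG), never random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly chosen string: length * log2(alphabet_size).
    Five Diceware words (~64.6 bits) beat eight printable characters (~52.4)."""
    return length * math.log2(alphabet_size)


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret, code, unix_time, window=1, step=30, digits=6,
                digestmod=hashlib.sha1):
    """Server-side check.  Accept the code for the current step and up to
    `window` steps either side to tolerate clock drift, comparing in constant
    time so a wrong guess leaks nothing about the right digits."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits, digestmod)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("5 Diceware words: %.1f bits" % entropy_bits(DICEWARE_SIZE, 5))
    print("8 printable chars: %.1f bits" % entropy_bits(PRINTABLE_ASCII, 8))
    # RFC 6238 test key (ASCII "12345678901234567890"); 8-digit vectors
    rfc_key = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_key, 59, digits=8))
    print("verify with drift:", verify_totp(rfc_key, totp(rfc_key, 59, digits=8), 89, digits=8))
```

A real deployment would store each user’s TOTP secret as carefully as a password hash and rate-limit verification attempts, since a six-digit code with a one-step window gives an attacker three chances in a million per guess.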

We should also remember that a skilled, motivated hacker will probably break into your account regardless of your computer security. In this respect it’s no different from the physical world, where a determined criminal will get you regardless of the locks and alarms on your house.

It’s also important to remember that security is about more than just evil hackers; data can be damaged or given away by a whole range of means, and people breaking into systems is only one risk of many.

Computer security is an evolving field and while it might be premature to declare the password dead, we’re going to see big changes as we try to lock down our valuable digital assets.