Jailbreaking the Internet of Things

Jailbreaking the smart home opens some complications for the Internet of Things

The news that hackers have turned their attention to Nest thermostats raises some delicious possibilities for the Internet of Things.

Jailbreaking smartphones has been normal for years as people circumvent restrictions to add features or software and there’s no reason that this can’t be done to smart thermostats, light bulbs or kettles.

Almost all the smart devices being deployed have processors and capabilities far greater than what’s needed to carry out their designed purpose, so an imaginative hacker can do some interesting things with a jailbroken home automation system.

Using your kettle to control your lights or your fridge to open your garage door is a bit of a gimmick, but there’s plenty of potential for doing some cool, and mischievous, things.

While hacking the smart home for kicks might be relatively harmless, tinkering with industrial devices could have unintended and disastrous consequences. It’s another example why security is one of the top concerns as the Internet of Things is rolled out.

Security in the age of connected kettles

We need to start demanding more of our government and business leaders in enforcing online security

A few weeks back I gave a presentation to the Australian Seniors Computer Clubs Association as part of Staying Safe Online Week.

The presentation, Security In The Age of Connected Kettles, looked at where we are today with online security and at some of the challenges facing individuals, businesses and communities as threats become more pervasive with cloud computing, personal technology and the internet of things, while the people creating these risks become more professional.

Overall, it’s not a cheery scenario and I end with a call to action that we have to start insisting business, public sector and political leaders start taking online security seriously as a public safety issue.

Over ten slides we covered where we are today in personal and small business online security and some of the challenges facing individuals as computing moves onto the cloud and smartphones.

The ongoing online safety battle

Online safety is evolving as we move from PCs to tablets and smartphones. Today the risks are increasingly appearing on our mobile devices, although the desktop computer and email scams remain the biggest risk.

It’s increasingly about the money

A change to the security landscape in recent times has been the rise of professional malware. While a decade ago most of the hacks and viruses we saw were the work of people demonstrating their skills or causing mischief, today there is big money in compromising computers and capturing data.

The rise of ransomware

One of the best examples of the professionalisation of the internet’s bad guys is the rise of ransomware.

Ransomware locks your computer with a demand for payment to release your data; if you don’t pay you lose all your information.

Many of the online threats though are far more subtle; the theft of data from Target, compromises of Sony’s customer databases and ongoing security breaches illustrate how the risks are far greater than just on our desktop.

Smartphone lockups

Ransomware has moved off personal computers onto smartphones, with both Android and Apple systems being attacked.
The ‘hacked by Oleg Pliss’ message is a good example of how Apple’s products are just as much at risk as other companies’ platforms.
The ‘hacked by Oleg Pliss’ lockup also shows how the security aspects of cloud computing services are going to become more important to the average person.

Security basics

The basic advice for the average user remains the same:

  • Strong passwords
  • Don’t use common passwords
  • Be careful what you click on or visit
  • Keep your systems up to date
  • Have good security software

However times are changing and many security issues are out of the average person’s control.

Lessons from Heartbleed

The Heartbleed OpenSSL bug illustrated the limits of individuals in protecting their information. As a bug in the Secure Sockets Layer software, the Heartbleed Bug could expose sensitive data on websites using the library.

The disappointing thing with Heartbleed is that people following good security policies were vulnerable.

Probably the biggest threat with Heartbleed however is the Internet of Things, where relatively simple devices – the connected kettle – could expose security credentials.

The Target hack

Another example of how security is beyond the control of the individual user is the Target hack. Hackers found their way into the US department store’s network through an air conditioning contractor. From there, they were able to steal millions of customer payment details.

The Target hack is one of dozens of similar corporate security compromises, and this will continue until security is taken seriously by company directors and regulators.

A pocket sized security breach

As the Oleg Pliss hack showed, smartphones are not immune to security breaches.

With our phones gathering increasingly more data on our behaviour, protecting the data they gather is going to become one of the biggest challenges facing us.

Rich data

Smartphones are not just gathering location data, as technologies like iBeacons roll out more information is being gathered from more sources.

When we go shopping, attend a football game or visit the doctor these technologies are collecting information on our personal habits and behaviour.

Not a generational issue

One of the myths around security and privacy is that concerns revolve around the generations.

The idea that only older people care about privacy or that younger folk understand technology is a myth.

Unfortunately however our political and business leaders come from a segment of society that doesn’t care about or understand the technology or issues.

If meaningful change is to be made in securing our information, then we’re going to have to demand our business and political leaders take these issues seriously.

The online security pains of a growing business

Stratfor’s humiliating computer hack is a lesson for all businesses about IT security

Possibly the most embarrassing of the outbreak of computer hacks in late 2011 was the breaching of prominent geopolitical analysts Strategic Consulting, also known as Stratfor.

The Daily Dot dissects what went wrong for Stratfor based on a leaked report from Verizon Business who carried out a “forensic investigation” of the hack which the company claims cost them $3.8 million in damages.

While the monetary damages were substantial for a relatively small company, Stratfor’s reputation was probably the greatest casualty as customers’ credit card details were exposed and the firm’s confidential files were distributed by Wikileaks.

The tragic thing is that none of this would have happened had Stratfor followed basic IT security practices, something that every business should be following.

Don’t store credit card details

Probably Stratfor’s biggest mistake was storing customers’ credit card details – there is no reason for saving your clients’ payment details. Ever.

If you’re accepting credit cards, organise a payment service to handle that work for you as they know what they are doing and take most of the management hassles, security and fraud risks.

In most cases, these companies’ fees are no more than manual processing fees that Stratfor and most businesses manually processing payments get hit with anyway.

Password policies

Another basic mistake was that passwords were shared and kept simple; there is no excuse for giving staff the same password to access confidential or critical files and systems.

Similarly, there wasn’t a ‘need to know’ policy; that is, that an analyst has no reason to have access to HR files and the receptionist no need to be looking at sales figures. Sensitive data should only be accessible to those who need it for their day-to-day work.

Remarkably, Stratfor didn’t have any properly configured firewalls and on many computers didn’t have up-to-date anti-virus protection. All of this made it easy for hackers to get into the network and access confidential information.
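The two password and access points above (no shared logins, and ‘need to know’ access to sensitive data) can be checked mechanically. The following is an added example, not code from this post or from Stratfor’s systems: it takes a constructed account export, applies a deny-by-default access check against a hypothetical need-to-know table, and reports every login that is shared between people or granted data outside its role.

```python
"""Need-to-know and shared-login audit over a constructed account export.

Example code added to illustrate the post; the roles, resources and
accounts below are invented for the demonstration.
"""

# Hypothetical table of job role -> the only data stores that role needs
# for day-to-day work. Anything not listed here is off limits to the role.
NEED_TO_KNOW = {
    "analyst": {"research"},
    "hr": {"hr-files"},
    "sales": {"sales-figures"},
    "receptionist": {"front-desk"},
}

# Constructed account export: each login, who actually uses it, and what
# the file system or application has granted it.
ACCOUNTS = [
    {"login": "alice", "role": "analyst", "users": ["alice"],
     "grants": {"research"}},
    {"login": "bob", "role": "analyst", "users": ["bob"],
     "grants": {"research", "hr-files"}},          # over-broad grant
    {"login": "frontdesk", "role": "receptionist", "users": ["carol", "dave"],
     "grants": {"front-desk", "sales-figures"}},   # shared login + over-broad
]


def can_access(account, resource):
    """Deny by default: a request succeeds only if the resource is both in the
    role's need-to-know set and explicitly granted to the account. A grant
    alone is not enough, so a stray ACL entry cannot widen access."""
    allowed = NEED_TO_KNOW.get(account["role"], set())
    return resource in allowed and resource in account["grants"]


def audit(accounts, need_to_know=NEED_TO_KNOW):
    """Return (login, finding, detail) tuples for every policy violation."""
    findings = []
    for acct in accounts:
        allowed = need_to_know.get(acct["role"], set())
        # Grants that exceed what the role needs for its work.
        for resource in sorted(acct["grants"] - allowed):
            findings.append((acct["login"], "over-broad", resource))
        # A login used by more than one person is a shared password.
        if len(acct["users"]) > 1:
            findings.append((acct["login"], "shared-login",
                             ",".join(acct["users"])))
    return findings


if __name__ == "__main__":
    for login, finding, detail in audit(ACCOUNTS):
        print(f"{login}: {finding} ({detail})")
```

Run as a script it prints the three findings for the constructed export; in practice the export would come from the directory or file server, and the need-to-know table from whoever owns each data store.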

The online pains of growing a business

In some respects it’s possible to feel sorry for Stratfor’s management. The report is a classic example of a business that outgrew the IT structure of a one or two person operation, founded by men who didn’t understand the risks of the internet.

Today there’s no excuse not to have systems locked down or to lack a company culture that recognises data security as being essential in the modern business world.

Stratfor’s hack was a spectacular example of what could go wrong, but it’s a warning for all businesses about the importance of security in a connected world.

Fear in the cloud – the loss of trust in online business

Should online businesses, particularly cloud services and social media platforms, begin to worry they’ve lost the trust of the community?

Today I spoke about online safety to the Australian Seniors’ Computer Clubs Association about staying safe online.

Hopefully I’ll have a copy of the presentation up tomorrow but what was notable about the morning was the concern among the audience about security and safety of cloud services.

The ASCCA membership are a computer savvy bunch – anyone who disparages older people’s technology nous would be quickly put in their place by these folk – but it was notable just how concerned they are about online privacy. They are not happy.

Another troubling aspect was my answers to the questions; invariably I had to fall back on the lines “only do what you’re comfortable with” and “it all comes down to a question of trust.”

The problem with the latter line is that it’s difficult to trust many online companies, particularly when their business models rely upon trading users’ data.

Resolving this trust issue is going to be difficult and it’s hard to see how some social media platforms and online businesses can survive should users flee or governments enact stringent privacy laws.

It may well be we’re seeing another transition effect happening in the online economy.

ABC Nightlife – security, dropping off the grid and 4D printing

Apple Security, the Heartbleed bug and dropping off the grid are the topics of the May 2014 ABC Nightlife spot

Paul Wallbank joins Tony Delroy on ABC Nightlife across Australia from 10pm Australian Eastern time tonight to discuss how technology affects your business and life.

For the May 2014 spot we looked at computer security, specifically Apple ransomware and The Heartbleed bug along with dropping off the grid, 4D printing and the future of design.

To protect from the Oleg Pliss ransomware – or any similar problems – have a strong password, enable the screen passkey and enable two factor authentication.

Join us

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on the night on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

Tune in on your local ABC radio station from 10pm Eastern Summer time or listen online at www.abc.net.au/nightlife.

You can SMS Nightlife’s talkback on 19922702, or through twitter to @paulwallbank using the #abcnightlife hashtag or visit the Nightlife Facebook page.

A bot named Willy and the risk of trusting data

Allegations of Bitcoin market manipulation are a reminder of the risks in blindly trusting data.

For two years we were captivated by the spectacular rise of the Bitcoin virtual currency. Allegations that those gains were a result of market fixing raise important questions about the integrity of our data networks.

The Coin Desk website discusses how the Mt Gox Bitcoin exchange was being ramped by a computer bot network nicknamed Willy.

Rampant market ramping – where stock prices are pushed up to attract suckers before those in the know sell at a profit – has a proud financial market history; during the 1920s US stock boom, fortunes were made by inside players before the crash and the practice’s subsequent banning in 1934.

So it wouldn’t be a surprise that some smart players would try to ramp the Bitcoin market to make a buck and using a botnet – a network of infected computers – to run the trades is a good technological twist.

Blindly trusting data

The Willy botnet though is a worry for those of us watching the connected economy as it shows a number of weaknesses in a world where data is blindly trusted.

As Quinn Norton writes on Medium, everything in the software industry is broken and blindly trusting the data pouring into servers could be a risky move.

The internet of things is based upon the idea of sensors gathering data for smart services to make decisions – one of those decisions is buying and selling securities.

Feeding false information

It’s not too hard to see a scenario where a compromised service feeds false data such as steel shipments, pork belly consumption or energy usage to manipulate market prices or to damage a competitor’s business.

Real world ramifications of bad data could see not only honest investors out of pocket but also steel workers out of work, abattoirs sitting on unsold stocks of pig carcasses or blackouts as energy companies miscalculate demand.

The latter has happened before, with Enron manipulating the Californian electricity market in the late 1990s.

When your supply chain depends upon connected devices reporting accurate information then the integrity of data becomes critical.

Like much in the computer world, big data and the internet of things are built upon trust; the Mt Gox Bitcoin manipulation reminds us that we can’t always trust the data we receive.
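The integrity problem described in the two sections above (a compromised service feeding false readings, or a genuine reading being replayed later) has a standard defensive answer: each device authenticates its readings with a key the collector shares with it, and the collector checks the tag and a per-device sequence number before the data reaches any decision-making system. The following is an added example, not code from this post or from any of the exchanges or services it mentions; the device name, the secret key and the readings are all constructed for the demonstration.

```python
"""Authenticated sensor feed: reject forged, tampered and replayed readings.

Example code added to illustrate the post. DEVICE_KEYS, the device id and
the sample readings are constructed; a real deployment would provision one
secret per device and persist the sequence counters.
"""
import hashlib
import hmac
import json

# Hypothetical per-device shared secrets (constructed for this example).
DEVICE_KEYS = {
    "meter-0042": b"constructed-secret-for-meter-0042",
}


def sign_reading(device_id, seq, value, key):
    """The tag a trusted device attaches to a reading: HMAC-SHA256 over a
    canonical JSON encoding of the device id, sequence number and value."""
    msg = json.dumps({"device": device_id, "seq": seq, "value": value},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class FeedVerifier:
    """Collector-side check applied to every reading before it is used."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per device

    def accept(self, reading):
        """Return (accepted, reason). Order matters: an unknown device or a
        bad tag is rejected before the sequence counter is consulted, so an
        attacker cannot advance the counter with an unauthenticated message."""
        device = reading.get("device")
        key = self.keys.get(device)
        if key is None:
            return (False, "unknown device")
        expected = sign_reading(device, reading["seq"], reading["value"], key)
        # Constant-time comparison so tag checking leaks nothing about the key.
        if not hmac.compare_digest(expected, reading.get("tag", "")):
            return (False, "bad tag")
        if reading["seq"] <= self.last_seq.get(device, -1):
            return (False, "replay")
        self.last_seq[device] = reading["seq"]
        return (True, "ok")


def run_demo():
    """Feed four constructed readings through the verifier and return the
    reasons it gives: a genuine reading, one whose value was altered after
    signing, a replay of the first, and one from a device it has no key for."""
    verifier = FeedVerifier(DEVICE_KEYS)
    key = DEVICE_KEYS["meter-0042"]

    genuine = {"device": "meter-0042", "seq": 1, "value": 12.5}
    genuine["tag"] = sign_reading("meter-0042", 1, 12.5, key)

    tampered = {"device": "meter-0042", "seq": 2, "value": 12.5}
    tampered["tag"] = sign_reading("meter-0042", 2, 12.5, key)
    tampered["value"] = 99.0  # changed in transit; the tag no longer matches

    replay = dict(genuine)  # valid tag, but the sequence number was already used

    forged = {"device": "meter-9999", "seq": 1, "value": 0.0, "tag": "0" * 64}

    return [verifier.accept(r)[1] for r in (genuine, tampered, replay, forged)]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The shared-key HMAC keeps the example short; where devices cannot be trusted to hold a secret safely, a per-device signature key in hardware serves the same purpose on the collector side. Neither check tells you a sensor is reporting the truth, only that the reading came unaltered from the device you provisioned, which is the part of the supply-chain integrity problem that can be solved in software.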

Limits of the black box business

Many of the leading tech companies hide behind mysterious algorithms or impassive customer support. That may prove to be their weakness.

One of the paradoxes of the modern tech industry is that while its leaders preach openness and collaboration, their own businesses are mysterious unaccountable black boxes.

This website has often looked at how the Silicon Valley business model leaves users and partners exposed to arbitrary enforcement of vague policies and indifferent customer service.

A good example of the black box business model is eBay’s major security breach where it appears millions of users have had their personal and banking details compromised. Instead of informing customers immediately, the company’s management hid the problem and hoped stonewalling inquiries would make the problem go away.

Lacking accountability

In the black box business model, not being accountable is the key – we see it with Amazon’s bullying of book publishers, Google’s high handed identity policies and Facebook’s puritan censorship.

Those high-handed attitudes to customers’ and users’ rights are born of arrogance; all of these companies’ managements, and the corporate bureaucrats who enforce the policies, believe their hundred-billion-dollar businesses are untouchable.

Such arrogance might though be ill-founded as each of these businesses is less than twenty years old and, while they themselves have deeply disrupted existing industry models, there is no reason why their own market dominance and huge cash flows can’t be usurped by new technologies or challengers.

In an age where trust is the greatest currency, hiding behind a black box of algorithms and impassive customer support may not turn out to be a successful management strategy.
