A breach of trust

In business, trust is essential, as security company RSA is discovering.

“Today I’m happy not to have an RSA Conference badge on me,” Mikko Hypponen, head researcher of Finnish security company F-Secure, told the inaugural TrustyCon conference in San Francisco yesterday.

Hypponen was referring to what was one of the world’s most prestigious information security conferences hosted by industry vendor RSA.

RSA are known to many corporate computer users for their SecurID authentication tags; the little key fobs that give a passcode for secure networks that illustrate this post.

Sadly for RSA’s users those tags were compromised in 2010 and the company did its best to obscure, if not downright hide, the problem both from the industry and its customers.

However the killer blow for RSA’s reputation was an article in Reuters at the end of last year claiming the US National Security Agency had paid the company $10 million to weaken its security protocols.

The company denies this but the damage was done. As Hypponen says, “When a security company can’t be trusted, what do they have left?”

How RSA lost the trust of security professionals is a good lesson for all of us; our businesses rely upon the goodwill of our customers and our peers. If we betray their trust, we’re hurting ourselves.

 


Tech security in a tough world

Even the professionals are struggling to keep up with a rapidly changing IT world, which is why businesses should start taking computer security seriously.

Network giant Cisco Systems released its 2014 Annual Security Report last week which should make sobering reading for every business manager and owner.

If you’re looking at a career change, the survey even suggests a possible new job.

Over two million of Cisco’s customers were examined in the survey and every single company had evidence of their systems being compromised in some way, from staff visiting suspicious websites to full scale hacker break-ins.

Keeping up with change

The survey points out IT security risks are evolving quickly as business technology becomes more complex and it’s hard for even industry professionals to keep up with the pace of change.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Chief Security Officer of Cisco, John Stewart, told a media briefing yesterday.

That concern was reinforced by Stewart’s colleague Levi Gundert, technical lead at Cisco’s Threat Research Analysis and Communications (TRAC) group.

“It’s not about are you going to be compromised,” said Gundert. “The question is how long is it going to take you to detect and shorten the remediation window?”

If even the world’s biggest corporations are struggling, what can smaller organisations do to control the risk?

Disable Java

The biggest computer security risk is Java software. Cisco found a shocking 91% of software exploits were related to the application. “2013 was the year of the Java exploit. It was a bad year for Java,” says Gundert. It should also be noted that the first successful malware targeting Apple Macs, the Flashback Trojan, was a Java exploit.

The best way to deal with this risk is to keep Java off your systems. The problem with that advice is that many business applications – and games, if you have a home office or kids use your computer – need the software to run.

If you have to use Java packages, make sure you have the latest version running on your systems.

Keep your systems up to date

It’s not just Java that is a risk; Cisco identified Adobe PDFs and Microsoft Office vulnerabilities as being other threats.

It’s important that all systems – Mac, Windows or any other operating systems – are kept up to date with the latest patches.

Lock down office systems

Except when your computers are being updated, there’s no reason for office computers to be running in Administrator mode.

Day to day use should be done in restricted user profiles: on a Windows machine, workers should be logged on as standard users, while on Macs they should be managed users. The only time an Administrator needs to be logged on is when maintenance is being done.

Watch those mobiles

The IT security industry has been watching smartphones for a while and 2013 started seeing large scale malware appearing on mobile devices, although it’s still small scale compared to PCs.

Cisco’s survey found only 1.2 percent of web based malware coming from mobile devices with almost all the infections being on Android systems.

Most of these Android infections were game add-ons downloaded from unofficial Android app stores so the message is to stick to the official, trusted services for Android apps.

Website risks

Another risky area for businesses identified by Cisco is websites being compromised and hijacked.

The software on these needs to be updated to the latest versions just as office computers should be.

Often, disused websites and blogs aren’t updated; the ABC discovered last year that abandoned, neglected websites are a great way for hackers and malware distributors to launch attacks or spread problems.

So if you have older websites or blogs, shut them down and redirect the domains to operating addresses.

For those operational websites, password security needs to be beefed up as Cisco found ‘brute force’ attacks – where automated systems try every conceivable password combination – were up threefold in 2013.

Professional skills shortage

A big problem facing the IT industry is a worldwide skills shortage: “There are essentially a million jobs across the globe that can be filled but we don’t have trained people to fill them,” says Cisco’s Stewart. “We’ve got a dearth of talent and skills.”

For smaller businesses that means it’s harder to find someone to fix problems when they happen. For both business managers and owners, it’s smarter to reduce the likelihood of having a problem rather than scrambling to find an IT professional to help after the event.

The good news from Cisco’s survey is if you’re thinking of a career change, or you have a teenager moping around looking for a job, then IT security could be the answer.

For everyone else, as business and the world in general become more connected, the security of the systems our world is coming to depend upon is something we have to take more seriously.

Sharks patrol these waters

You can’t expect an anti-virus program to fully protect IT systems; the risks are far more pervasive.

The announcement that the New York Times was attacked by Chinese hackers after exposing the financial details of the nation’s Premier doesn’t come as much of a surprise to anybody following either China or computer security issues.

One of the realities of modern computing is that systems are constantly being compromised; the complexity of IT networks is so great that even the best security experts can be caught off guard.

Securing our networks

In such an environment the normal business and home computer user has little chance against sophisticated criminal or government sponsored attacks, by the Chinese or any other spy agency.

One example of how badly wrong things can go for an organisation is the hacking of security advisory firm Stratfor in 2011, which illustrated how small business practices of having relatively open networks and poor password security can have serious consequences.

The issue is not how we fortify our systems against intruders, but how we manage the risk. A useful analogy is how supermarkets deal with shoplifters – they can’t eliminate the problem, but they can manage it in ways that control losses.

Businesses, governments and home users have a range of things they can do to make it harder for hackers to get into a system and limit what they can access if a determined one gets in.

The limits of anti-virus

Another aspect in the story that doesn’t surprise is the poor performance of the New York Times’ anti-virus software. According to Forbes, Symantec only caught one malware program out of the 45 installed by the hackers.

I have an entirely rational hatred of Symantec. While running an IT support business, their products were the bane of our lives and we encouraged users to choose alternative security software because of the unreliability of many of Symantec’s products, particularly the once proud Norton brand that was aimed at home and small business users.

At the time of the great malware epidemic in the early 2000s, Norton Anti-Virus had a huge market share and it proved to be worse than useless against the various forms of drive by downloads and infected sites that were exploiting weaknesses in Microsoft Windows 98 and XP systems.

Windows weaknesses

The common culprit was the Windows ActiveX scripting language that Microsoft had introduced to standardise its web features. While a good idea, Microsoft made ActiveX a fundamental part of Windows and gave the features full access into the inner workings of the system.

Sadly Symantec made the decision to run all their security software on ActiveX as well.

As ActiveX was the main target for malware writers, it meant that Norton AntiVirus or their Security suite would crash in a heap once a computer became infected and the Symantec software would actively interfere with attempts to clean up a compromised system.

Making matters worse was Symantec’s subscription policies which cut customers off from vital updates and their bizarre policy of not including important upgrades in their automated updating function.

The failures of tech journalism

All of these factors made Symantec a loathed product in our office. It wasn’t helped by a generation of tech journalists who wrote gushing stories about Symantec, gave their products favourable reviews despite the company’s lousy reputation and consulted their employees for expert comment.

It wasn’t tech journalism’s finest hour. What really grates is the number of these folk still peddling nonsense about IT security and anti-virus software.

That distrust of Symantec continues to this day and those of us who struggled with their products a decade ago are not surprised at their poor performance on the New York Times’ network.

State sponsored risks

In defense of Symantec, the Chinese hackers are very good and it’s unlikely any security software would stand up to a sustained and determined attack from them or their counterparts in the US and Israeli governments.

We should also note that government agencies trying to get into systems is not just something done by the Chinese, US and Israelis; every government in the world is engaging in these activities against foreign businesses and their own citizens.

So we have to accept that these breaches and attacks are a real threat to any computer and any organisation. It may well be that we should build our security strategies around the assumption the bad guys are already in the system rather than believe we can build a giant electronic fort to keep the bad guys out.

One thing is for sure, you can’t rely solely on anti-virus software to secure your IT systems.


Tracks in the ether

Smartphones, the web and tracking technologies are giving governments and businesses more power than ever.

Bureaucrats dream of tracking every person or asset under their purview and the rise of technologies like smartphones, Global Positioning Systems (GPS) and Radio Frequency IDentity (RFID) chips is giving them more power than ever.

Two stories in the last week illustrated how these technologies are being used by authorities to monitor people: a school district in the United States is fighting a student who refuses to wear an RFID enabled identity card, and Saudi immigration authorities are now sending text messages to guardians of travellers, mainly women, leaving the country.

In Saudi Arabia, the law prohibits minors and women from leaving the country without the permission of their adult male guardians. As the Riyadh Bureau website explains, to streamline the permission process Saudi authorities enabled online pre-registration for travellers, so now male guardians can grant assent through a website rather than dealing with the immigration department’s paperwork every time their spouse or children want to travel.

When the spouse or child passes through immigration, the guardian receives an SMS message saying their ward is about to leave the country. One assumes the male can withdraw that approval on receipt of the text.

The Saudi application is an interesting use of the web and smartphones to deliver government services and probably not what Western e-gov advocates are thinking of when they agitate for agencies to move more functions online.

More ominous is the story from the US where Wired Magazine reports Andrea Hernandez, a Texan student, is fighting her local school over the use of RFID enabled identity cards that track pupils’ attendance.

John Jay High School’s use of RFID tags is a classic case of bureaucrat convenience as electronic cards are far easier to manage and monitor than roll calls or sign-ins.

Incidentally, John Jay High School has over 200 CCTV cameras monitoring students’ movements; as district spokesman Pascual Gonzalez says, “the kids are used to being monitored.”

The problem is that RFID raises a range of privacy and security issues which the bureaucrats either haven’t thought through or have decided don’t apply to their department.

Notable among those issues is that the card “has a bar code associated with a student’s Social Security number”. It never ceases to amaze just how, despite decades of evidence, US agencies and businesses keep using an identifier that has proved totally unsuited for the purposes it was developed for.

Probably the most worrying point from the Texan story is how school officials tried to suppress the story, offering Ms Hernandez’s father a compromise on the condition he “agree to stop criticizing the program and publicly support it.”

That urge to control criticism and dissent is probably the thing all of us should worry about when governments and businesses have the ability to track our movements.

In this respect, the Texas education officials are even more oppressive than Saudi anti-women laws. Something we should consider as more of our behaviour is tracked.