Telstra’s five ‘knows’ of security

Can data security be reduced to five rules?

Telstra, Australia’s incumbent telco, held their Cyber Security Summit in Sydney today looking at the issues facing organisations in protecting their networks and data.

One of the recurring themes speakers raised was the ‘five knows’ that Telstra’s security people believe are the core of business security.

Those ‘knows’ sound simple, but in truth they are hard to carry out in even a small, simple network:

  • Know the value of your data
  • Know who has access
  • Know where the data is
  • Know who is protecting the data
  • Know how well that data is being protected

With these five rules we’re moving into Donald Rumsfeld territory of ‘known unknowns’. In most organisations the honest answer to these questions is “we don’t fully know”: some data that’s seen as irrelevant by management could be a goldmine for a competitor or malicious actor, while a relatively junior staffer could be saving critical documents on an external drive or a consumer cloud service with a weak password.

Managing those knowns, or unknowns, is a tough task and one that needs to be tempered by realism.

In truth no system administrator has full knowledge of their network. For organisations, real security comes from having strong leadership, robust processes and delivering the products and services demanded by the public.

Technology will help deliver those products and services while helping strong leaders implement robust processes, but ultimately a secure organisation needs good management, not better tech.

From the cyber security point of view, Telstra’s forum had many useful thoughts, and we’ll look later in the week at more of the security issues that came up in the sessions.

Hacking the power grid through air conditioners

Air conditioners are the latest internet connected devices to raise security concerns

Another example of the unintended consequences of poor security in the Internet of Things is Wired’s story about the possibility of hacking the power grid by accessing smart air conditioners.

In the US, electricity companies offer deals where consumers get reduced bills in return for the utility being able to throttle the usage of air conditioners during peak power periods.

Those devices turn out not to be well secured, which opens the possibility of malicious actors causing brownouts or service interruptions in targeted areas.

Sadly this story isn’t isolated; too many connected devices have poor security that opens up a range of risks to homeowners, businesses and the community at large.


BlackBerry’s last smartphone

The BlackBerry Priv is probably the company’s last smartphone as it pivots to being a security provider

Having written about BlackBerry’s ambitions in the marketplace for The Australian last week, I wasn’t surprised to be invited to the company’s Down Under launch of their Priv handset earlier today.

The event illustrated some brutal realities about the mobile phone market and BlackBerry’s efforts to build on its strengths in the enterprise security space.

With $2.7 billion of cash reserves, the company has seven years of breathing space at its current loss rates, although it’s notable the stock market values the company at $3.5bn, implying investors value the business’ operations at a measly $800 million.

Given the collapse in BlackBerry’s handset business from twenty percent of the market at the beginning of the decade to an asterisk today, that pessimism from investors isn’t surprising and underscores why the company is recasting itself as an enterprise security provider.

Five major acquisitions in the last 18 months have demonstrated how BlackBerry is attempting to recast its business: security services like Good Technology and Secusmart through to crisis-alerting software like AtHoc have seen the company bolster its range of offerings.


Coupled with the recent acquisitions are its own longstanding messaging and secure communications services, combined with the QNX software arm, which promises a far more reliable Internet of Things than many of the operating systems currently being embedded into smart devices.

Android itself is bedevilled with dangerous apps running on outdated software, and this is where BlackBerry hopes its PRIV handset can attract enterprise users conscious of the need to secure their employees’ devices.

For BlackBerry though, shipping the PRIV with the Android operating system is a capitulation to the smartphone market’s stark reality: there is only demand for two platforms, and outside players like BlackBerry or Windows Phone are destined to wither away.

While the PRIV is a nice, albeit expensive, phone and the slide-out physical keyboard is pleasant to use, the device seems a desperate attempt by the company to stay in the smartphone market.

As an outside observer it’s hard to see the justification for BlackBerry continuing as a phone manufacturer. There may be some intellectual property value from the development of the devices, although it should be noted the company valued its IP assets at only $906 million in November 2015.

While the PRIV is a perfectly good Android phone, it will probably be the last smartphone BlackBerry makes. The challenge for the company’s management now is to tie together its software assets into a compelling suite of products for the enterprise sector.

In an age where devices of all types are going to be connected, the market for ensuring their security should be huge. Catering to that market should be BlackBerry’s greatest hope of survival.

Securing the drones

British and American spies were able to hack into Israeli and Syrian military drones. What hope is there for ordinary computer users?

While we assume military equipment has far higher levels of IT security, that isn’t always the case, reports Ars Technica.

Allegedly the US National Security Agency and Britain’s GCHQ were able to intercept the video feeds of Israeli and Syrian drone aircraft using off-the-shelf software. While it appears security has since become more sophisticated on this equipment, it is a concern that data feeds from military equipment can be monitored.

This is even more concerning given the reliance on software and telemetry systems in modern weapons. The troubled F-35 project shows just how complex computer code in military equipment has become, and it is safe to say some of those bugs will create weaknesses in the systems.

For those of us with more modest security needs, all is not lost: Rob Joyce, the NSA’s hacker-in-chief, has given some useful tips on how to protect your systems. They are worth following, although Joyce is quite clear that you’ll have to work hard to stay ahead of a sophisticated and persistent adversary.

Knowing what we don’t know

Cisco’s 2016 security report shows businesses are more uncertain than ever about their network defenses. This is a good thing.

The 2016 Cisco Security Report is in many ways an encouraging document: while it describes a litany of threats facing the modern business, the fact that managers are less confident about their defenses is a good thing.

Of the 2,432 security executives surveyed, 59% claimed their security infrastructure was up to date, against 64% who said the same the year before. Acknowledging this is motivating them to improve their defenses.

For industry, the real concern is the small business sector, where there’s a clear decline in the use of IT security tools. As the Target breach showed, trusted contractors and suppliers provide a weakness in an organisation’s systems that malicious actors are keen to exploit.

In Cisco’s analysis, the main reasons for SMBs’ lack of concern are their belief that they are too small to be valuable to hackers and that most of their IT management is outsourced.

The shift to the cloud shouldn’t be understated, particularly given many SMBs are moving their IT functions onto cloud services. While this doesn’t fully protect businesses, since the customer still owns its accounts, passwords and configuration, the cloud providers certainly offer a far higher level of protection than the local plumbing contractor relying on a mom-and-pop computer support service.

The bad guys, however, are responding to that shift, with Cisco reporting increased browser-based and DNS attacks. Both are useful in compromising cloud services, which means both service providers and end users have to be vigilant about security.

At all levels of business, though, the lack of confidence in security has major ramifications as the Internet of Things is rolled out and common devices start being connected to fragile and often compromised networks.

The good news for vendors like Cisco is this lack of confidence could spur a new wave of business investment as companies improve their network security.

Another important aspect of CIOs and business owners not being confident about their network security is they are far less likely to assume their systems are safe or to passively accept vendor assurances about their safety.

For all of us, as customers and users of these technologies, a greater focus on security by the organisations we deal with should be welcomed as well.

Anatomy of an internet exploit

The Angler exploit kit tells us much about the challenges of internet security

As one does on a weekend, I’m working my way through the 2016 Cisco Security Report.

There are plenty of insights on online security trends, which I’ll cover in tomorrow’s blog post, but one aspect that sticks out in the report is the case study on the Angler exploit kit, which takes advantage of hacked domain registrar accounts to create new domain names to serve phishing pages, ransomware sites and malicious advertisements.

Dealing with these sites is a major problem for network administrators, and Cisco claims many of the domains registered haven’t yet been used by online criminals, so blocklists built from observed attacks will always lag behind.

The Angler exploit kit shows just how complex internet security has become. Trust is a complex thing, and certainly no one can trust every domain they see. That there are thousands of ‘disposable’ domains available to scammers only makes things more difficult for the average user.
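Cisco’s Talos group described the technique behind those disposable names as ‘domain shadowing’: with a registrant’s stolen credentials the attackers add throwaway subdomains under an otherwise legitimate domain and point them at their own hosts. The script below is an added example, not code from Cisco or the report, showing how a network administrator could triage passive-DNS data for that pattern. The records, hostnames and addresses are all constructed for the illustration; the heuristic (a subdomain resolving outside the /24 of the domain’s own apex and www records, and one off-network IP serving subdomains of several domains) is an assumption about what shadowed names look like, not a rule from the report.

```python
"""Toy detector for domain shadowing over constructed passive-DNS records.

Added example, not code from Cisco's report: it flags subdomains of a
legitimate registered domain that resolve somewhere the domain's own apex
and www records never point, then clusters the suspects by hosting IP.
"""
from collections import defaultdict
import ipaddress

# Constructed sample records, (hostname, resolved IPv4). Documentation-range
# addresses, not real infrastructure.
SAMPLE_RECORDS = [
    ("example-legit.com", "203.0.113.10"),
    ("www.example-legit.com", "203.0.113.10"),
    ("mail.example-legit.com", "203.0.113.11"),      # same /24: legitimate host
    ("k3j2h4.example-legit.com", "198.51.100.77"),   # shadowed subdomains
    ("a9x1.example-legit.com", "198.51.100.77"),
    ("zz8q.example-legit.com", "198.51.100.77"),
    ("another-legit.org", "203.0.113.40"),
    ("www.another-legit.org", "203.0.113.40"),
    ("xq77.another-legit.org", "198.51.100.77"),     # same rogue host, other domain
]


def registered_domain(host):
    """Naive registered domain: the last two labels. Real code should consult
    the public suffix list so that names like example.co.uk are split right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def same_network(ip, baseline_ips, prefix=24):
    """True if ip falls inside the /prefix of any baseline address."""
    return any(
        ip in ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        for base in baseline_ips
    )


def find_shadowed_hosts(records, min_hosts_per_ip=2):
    """Return (suspects, clusters).

    suspects: [(hostname, ip)] for subdomains hosted off the apex network
    clusters: {ip: sorted hostnames} for off-network IPs serving several
              suspects, the tell-tale shape of throwaway landing hosts
    """
    by_domain = defaultdict(list)
    for host, ip in records:
        by_domain[registered_domain(host)].append(
            (host.lower(), ipaddress.ip_address(ip)))

    suspects = []
    for domain, entries in by_domain.items():
        # Baseline: where the owner's own apex and www records resolve.
        baseline = {ip for h, ip in entries if h in (domain, "www." + domain)}
        if not baseline:
            continue  # nothing to compare against; skip rather than guess
        for host, ip in entries:
            if host in (domain, "www." + domain):
                continue
            if not same_network(ip, baseline):
                suspects.append((host, str(ip)))

    hosts_by_ip = defaultdict(set)
    for host, ip in suspects:
        hosts_by_ip[ip].add(host)
    clusters = {ip: sorted(hosts) for ip, hosts in hosts_by_ip.items()
                if len(hosts) >= min_hosts_per_ip}
    return suspects, clusters


if __name__ == "__main__":
    found, groups = find_shadowed_hosts(SAMPLE_RECORDS)
    for host, ip in found:
        print(f"suspect {host} -> {ip}")
    for ip, hosts in groups.items():
        domains = {registered_domain(h) for h in hosts}
        print(f"cluster {ip}: {len(hosts)} hosts across {len(domains)} domains")
```

The /24 comparison is deliberately crude: a company that hosts mail or a CDN elsewhere will produce false positives, so treat the output as a triage list to cross-check against first-seen times and the registrar’s change history rather than as a block list.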

The insecure internet of children’s toys

Security weaknesses in the Hello Barbie show safety is an afterthought rather than a fundamental part of designing tech products.

What could go wrong with an internet connected doll with artificial intelligence that can respond to children’s conversations?

A lot as it turns out.

The Washington Post reports the Hello Barbie has a range of vulnerabilities that could be used to eavesdrop on conversations and potentially carry out even more malicious acts.

Once again we see marketers and salespeople ahead of the IT and security experts, with the security of an Internet of Things device treated as a bolt-on afterthought rather than a basic design consideration.

Designing a secure IoT ecosystem

Ensuring the next generation of IoT devices is secure will be one of the challenges facing the next generations of designers.

Ensuring the next generation of IoT devices is secure and a good citizen of the wider ecosystem will be one of the challenges facing the next generations of designers.

Diego Tamburini, Manufacturing Industry Strategist of design software company Autodesk, spoke to Decoding The New Economy about how the IoT will change the design industry. “We’ve been designing equipment to connect to the internet for a generation,” he said. “What’s changing is that now the addition of software, electronics, networking and communication is breeding into objects that were purely mechanical.”

Melding the physical and software worlds doesn’t come without risks, however, something that worries Internet pioneer Vint Cerf, who foresees headlines like ‘100,000 fridges hack the Bank of America’ in an interview with Matthew Braga of Motherboard Canada.

Apart from the fact it could be a hundred million, Cerf has good reason to be worried. Most consumer IoT devices are hopelessly insecure, and the recent stories of hacked cars only emphasise the weaknesses of connected household items.

Cerf and Braga make the point that the ‘I Love You’ worm of 2000 became a crisis because the world had reached the point where personal computers were ubiquitous. A similar piece of malware in a world where everything from kettles to wristwatches is vulnerable would be worse by orders of magnitude.

These risks put a great onus on product designers, even more so given much of the functionality depends on those devices communicating with others across the internet and cloud services, something that Tamburini emphasised.

“One important thing that is happening with things being connected is we are not just designing things that function in a vacuum, we’re increasingly designing members of a larger ecosystem,” Tamburini states. “Now we have to think of how the product will have to connect to other products and how they will collectively perform a function.”

Part of that risk is that should those devices malfunction, either deliberately as part of a botnet or malware attack, or accidentally, as we saw with the connected home disabled by a defective smart lightbulb flooding the network with error messages, then the wider community may be affected in ways we don’t expect.

Cerf believes it’s going to take a big, catastrophic hack on a grand, connected scale before a shift in security begins to happen, and before people even consider that such vulnerabilities exist.

If that’s the case, society will have ignored the clear warning signs we’ve seen from events like the Jeep hack and the Stuxnet worm, not to mention the massive privacy breaches at Target and Sony. For the designers of these systems, hardening them is going to be an essential part of making them fit for today and the future.

Apple CEO Tim Cook on Privacy and Profits

Apple CEO Tim Cook discusses privacy, profits and cars with NPR’s All Things Considered

“Privacy is a fundamental human right.” A short, but sweet and fascinating, NPR interview with Apple CEO Tim Cook.

Cook goes on to avoid discussing the likelihood of Apple cars and expounds the advantages of repatriating corporate profits to the US, something we can expect cash-rich companies like Apple to start agitating for after the next Presidential election.

The interview, which is only eight minutes long, is well worth a listen as Apple positions itself against competing internet giants Google and Facebook over the topic of privacy.


Experian, T-Mobile and third party security risk

T-Mobile’s security woes at the hands of Experian show trust cannot be outsourced

Another day, another corporate security breach (or six). This time telco T-Mobile has revealed up to 15 million customers’ data has been compromised.

Notable in this story is that T-Mobile is firmly putting the blame on credit monitoring company Experian.

For both companies this is extremely embarrassing with T-Mobile stating, “our vendors are contractually obligated to abide by stringent privacy and security practices, and we are extremely disappointed that hackers could access the Experian network.”

T-Mobile, like most telcos, sees a major opportunity in being a trusted provider of security services and this setback hurts them in a key market.

Experian, on the other hand, has shown its slack attitude to user data previously, having been caught selling consumer details to identity thieves.

That a company in such a privileged position as Experian can be repeatedly caught this way will almost certainly increase the push for penalties for corporate data breaches to get real teeth, and the United States’ cavalier attitude to public privacy and online security will take another dent.

For T-Mobile and most other companies, the lesson is stark and clear. Trust starts with your own contractors and business partners; it cannot be outsourced.

Volkswagen shows the IoT’s data weakness

The Volkswagen emissions scandal shows the data weakness in the internet of things

The Volkswagen emissions scandal has rocked the company and cost its CEO his job, but the company falsifying data to pass regulators’ tests has serious implications for the Internet of Things.

As the Los Angeles Times explains, Volkswagen designed software to detect when its cars were being tested. During tests the software would modify the car’s performance to give a false result.

This is similar to the Stuxnet worm, which sent Iranian operators false information indicating the uranium enrichment centrifuges were operating normally when in truth they were running at speeds well outside their design limits.

Both the Volkswagen fraud and the Stuxnet worm show how software can be used to tell lies about data. For processes and businesses relying on that data, it’s critical to know that the information is reliable and correct.

Data is the raw material of the internet of things, and all the value derived comes from analysing that information. If the information is false, then there’s no value in the IoT. Designing systems that guarantee the integrity of data is going to be essential as devices become more connected. Integrity here has to mean more than a signature proving who sent the data: in both these cases the lie came from the trusted source itself, so the data also needs independent corroboration, such as cross-checks against a second sensor or an outside measurement.

Developing the world of trustworthy data

Recent security problems are starting to focus the minds of those designing the Internet of Things and connected cars

Last month’s remote hacking of Jeeps through their entertainment systems was a wake-up call to the technology industry, as it underscored the risks of connected devices, and now a series of initiatives are looking at improving the security landscape.

One of the benefits of the new top level domain regime, despite its reek of rent seeking by the ICANN names agency, is that larger companies and industry groups can improve management of their online identities and those of the services and devices their operations rely upon.

Top level security

Having their own top level domains and being able to issue security certificates for devices and services within their own walled gardens means financial institutions, hardware vendors and service providers can have more confidence in the identities of those they are dealing with. The domain controls the names; the certificates themselves still have to come from a certificate authority the devices are configured to trust, whether a public one or the company’s own.

Bloomberg Business examines how corporations are applying for their own domains, and while the focus is on guaranteeing the veracity of their websites, the scope, having done that, expands to a range of other applications, particularly ensuring everything from bank point-of-sale equipment through to connected cars and kettles is authenticated.

A top level domain is only part of the answer though, and for the systems to work effectively there have to be more sophisticated ways for systems to ensure they are talking to trusted parties. This need becomes particularly acute with automated systems making business decisions in milliseconds, where corrupt or incorrect data can cause havoc with financial markets or supply chains.

Blockchain’s potential

Some of the work being done around Bitcoin, particularly the use of blockchain technology to ensure transactions are valid, is one intriguing area where researchers are looking at ensuring all parties in a connected society are genuine and trustworthy.

It’s early days yet in the development of these services, and there will be many mistakes as businesses and consumers adopt services where security hasn’t been properly thought through or implemented.

As Chrysler found with the Jeep hack, the risks of getting it wrong are real and potentially fatal, and it’s notable that Uber has hired the researchers who discovered that vulnerability to design security for its driverless car project.

Trustworthy data

With autonomous vehicles, authentication is essential, not just for the passengers or operator starting the car but for all the devices and services communicating from outside and within. As the Jeep hack showed, the braking system needs to have confidence that the instructions it’s receiving are genuine and not coming from a malicious outsider.

Outside the car, other services will be communicating: the vehicle’s navigation system needs to be confident the mapping information it’s receiving is reliable and from the genuine provider. Similarly, plans to reduce the road toll using roadside devices and other cars need to ascertain that the data being transmitted about highway conditions is trustworthy.
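The check the braking system needs, as an added example that is not drawn from the article, from Chrysler or from any vehicle maker: each command frame carries a counter and a keyed hash over the counter, command and payload, so the receiver can reject frames from anyone without the key and frames it has already seen. The shared key, frame layout and command number are constructed for the illustration, and the scheme is a generic message-authentication pattern rather than any particular manufacturer’s protocol.

```python
"""Authenticated, replay-resistant command frames between two vehicle components.

Added example (not code from the article or any vehicle maker): the shared key,
frame layout and command number are all constructed for illustration.
"""
import hmac
import hashlib
import struct

# Constructed per-link key. In a real vehicle it would be provisioned into each
# ECU at manufacture and would never travel over the bus.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8        # truncated HMAC-SHA256 tag: short frames force a trade-off
HEADER = ">IB"     # 32-bit monotonic counter, 8-bit command id
HEADER_LEN = struct.calcsize(HEADER)
CMD_BRAKE = 0x10   # constructed command id


def build_frame(key, counter, command_id, payload):
    """Sender: frame = counter | command_id | payload | tag. The tag covers
    the counter, so a replayed or edited frame cannot be re-tagged without
    the key."""
    body = struct.pack(HEADER, counter, command_id) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class CommandReceiver:
    """Receiver: accepts a frame only if its tag verifies and its counter is
    higher than that of any frame accepted before."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        """Return (command_id, payload) for a genuine, fresh frame, else None."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison, and verify before trusting any body field.
        if not hmac.compare_digest(tag, expected):
            return None          # forged or corrupted
        counter, command_id = struct.unpack(HEADER, body[:HEADER_LEN])
        if counter <= self.last_counter:
            return None          # genuine but stale: a replay
        self.last_counter = counter
        return command_id, body[HEADER_LEN:]


def demo():
    """Walk a brake ECU through the cases the article worries about."""
    brake_ecu = CommandReceiver(SHARED_KEY)
    genuine = build_frame(SHARED_KEY, 1, CMD_BRAKE, b"\x50")
    # An outsider without the key guesses one and tries to cancel braking.
    forged = build_frame(b"attacker-guess", 2, CMD_BRAKE, b"\x00")
    # An outsider edits the payload of a captured genuine frame.
    tampered = genuine[:HEADER_LEN] + b"\x00" + genuine[HEADER_LEN + 1:]
    return {
        "genuine": brake_ecu.accept(genuine),
        "forged": brake_ecu.accept(forged),
        "tampered": brake_ecu.accept(tampered),
        "replayed": brake_ecu.accept(genuine),
        "next": brake_ecu.accept(build_frame(SHARED_KEY, 2, CMD_BRAKE, b"\x00")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        verdict = "accepted" if result else "rejected"
        print(f"{case:9s} -> {verdict} {result or ''}")
```

Two practical points follow from the design: the receiver’s last-accepted counter has to survive a power cycle, or an attacker can replay old frames after a restart, and the link must be rekeyed before the counter wraps. Real in-vehicle buses such as CAN carry only eight bytes per frame, so production schemes squeeze the counter and tag far smaller than this example does; the principle of authenticating origin and freshness together is the same.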

It’s often said computers are only as smart as the data going into them; garbage in, garbage out is the classic saying of the computer industry. As we move into a world where more decisions are being made by machines, those systems are going to demand ever more strongly that the information they receive is trustworthy.