Carbanak raises the information security stakes

The Carbanak financial heist shows how high the stakes in information security have become

“The most sophisticated attack the world has seen to date” is how Kaspersky Lab’s North American managing director Chris Doggett describes the massive Carbanak electronic bank fraud that could have cost victims up to a billion dollars.

Using a range of techniques, the Carbanak gang cracked their targets’ networks, right down to monitoring financial firm officers through their computers, and stole money through the banks’ own ATM networks.

 

“That’s where the money is” was 1930s bank robber Willie Sutton’s response to being asked why he robbed banks, and that is what’s driving the Carbanak gang.

For every Willie Sutton or Carbanak gang, though, there are a million opportunistic street muggers and script kiddies looking to steal a few dollars from weak targets, and this is what the average small business or individual needs to be careful about.

Last week Kaspersky reported that nearly a quarter of all phishing attacks targeted financial data. The amounts being stolen are minuscule compared to Carbanak’s ill-gotten gains but far less work is required to crack a home or small business account.

For any large organisation that hasn’t learned from the Sony or Target hacks, the Carbanak heist should be a warning that information security is now a responsibility of executives and boards. All of us though have to take care with our data and systems.

In tech we trust

How much can we trust technology? A World Economic Forum panel discusses the issues.

“There is a big problem with trust today,” says cable operator Liberty Global’s Michael T. Fries.

He was sitting on a fascinating panel at the World Economic Forum this week with Yahoo! CEO Marissa Mayer, Salesforce founder Marc Benioff and World Wide Web creator Tim Berners-Lee that looked at the issue of trust in the tech world.

In a world where everyone wants access to our data, it’s a pertinent and timely discussion from people at the front line of where these issues of ethics and privacy are being dealt with.

Daily links – Chinese property developers go onto internet

Chinese internet use and smart phone manufacturers dominate today’s links along with Microsoft and Uber’s latest business changes

Today’s links have a distinctly Chinese flavour around them with a look at how the country’s smartphone manufacturers are coming to dominate their market, Tencent’s plans for global domination and how property developers are looking to the internet to save their falling sales.

Uber and Microsoft make their regular appearances to round out the links with their changes to billing and security.

Chinese property developers turn to the web

Faced with declining sales, Chinese property developers embrace – the Internet!

How Chinese smartphone makers are beginning to dominate the market

The rise of China’s smartphone makers: 10 of the top 17 smartphone manufacturers now come from China.

An interview with Tencent

Business Insider has an intriguing interview with one of the VPs of Chinese internet giant Tencent.

In his Q&A, S. Y. Lau discusses how Chinese communities are seeing their incomes rise due to the internet. One of the famous case studies of connectivity is India’s Kerala fishermen, who used SMS to arbitrage their market. We may be seeing a similar story with Chinese tea farmers.

Microsoft restrict warning of patches to paying customers

In a short term money grabbing exercise, Microsoft have unveiled a plan to only inform enterprise customers of upcoming security patches. My prediction is this won’t last.

Uber cuts prices

Car hiring service Uber has cut its fares in thirty US cities while guaranteeing drivers their incomes. This is probably a move to keep competitors like Lyft at bay.

Will Sony ever learn its security lessons?

Once again Sony remind us of the importance of IT security.

For the last week the gossip and tech industry websites have been full of revelations gleaned from a massive hack into the network of entertainment company Sony.

Sadly it isn’t surprising that Sony was targeted in that hack; 2011 was described by this site as the ‘year of the hack’ and at the time I wondered when corporate managers would start taking IT security seriously.

As the most recent security breach shows, Sony’s managers certainly weren’t taking their information security seriously as alleged North Korean hackers gleefully disabled systems and downloaded confidential documents.

While Sony’s woes are deeply damaging to the company, not least for the executives caught out gossiping about movie stars, the stakes are far higher for other companies.

In Turkey it’s alleged a 2008 oil pipeline explosion was caused by Russian hackers, while in the US, Palestinian sympathisers are accused of causing massive damage to the IT systems of the Sands Casino group.

Sony may be one of the most digitally incompetent businesses in history – at least in respect to IT security – but it’s important for every business to make sure their information systems and critical business systems are hardened against attacks.

Customer service and the internet of things

A Verizon and Harvard Business Review survey of the Internet of Things market is a useful guide to the sector’s future.

Improved customer service is the main reason for companies investing in the internet of things, reports the Harvard Business Review.

Having surveyed 269 businesses for their Internet of Things: Science Fiction or Business Fact? report, commissioned by US telco Verizon, the Harvard Business Review team found 51% of companies expected improved customer service to be the main result from their IoT deployment.

Of those who have deployed IoT technologies, 62% reported they had seen improved customer responsiveness, with the authors citing jet engine manufacturers, share car services and stock feed companies as having benefited from their investments.

Tying together technologies that until recently have been stand alone is the key part of the returns realised by companies, allowing older monitoring systems to work better together and increase the value of the data they gather.

IoT can enable “an incredible unlocking of information about processes that companies never had before,” said Vernon Turner, senior vice president of research and IoT executive lead at International Data Corp. (IDC). Companies that take the time to review and analyze these workflows will quickly find that there are significant opportunities to be found, such as increased efficiency. But the biggest change IoT brings to consumer companies is the increased contact with customers, Turner said.

Of the IoT investments, the main area nominated for companies in the next year is asset tracking, with 36% of respondents saying that will be their main focus. Combined with the 19% looking at fleet management, it shows that sector will probably be the most lucrative for businesses servicing the IoT market.

Risks in the IoT

While tying together these technologies brings a lot of opportunities there’s no shortage of risks as devices that were never intended to be connected to the net are suddenly part of the global network. The survey shows some managers are aware of the risks that the IoT presents to their businesses with 46 percent citing privacy and regulatory compliance as being risks.

Another challenge facing IoT deployments is a lack of skills with two out of five respondents flagging they can’t find workers with the skillsets needed to leverage IoT data. The task of managing the volumes of data also worries a third of the managers surveyed.

The Verizon and HBR survey shows that managers and businesses are still in the early days of understanding the tasks and challenges presented by the internet of things — one suspects that were managers fully across the privacy and security implications the number of respondents flagging concerns would be close to one hundred percent.

For companies like Verizon who are catering to the M2M and IoT marketplaces this survey is a handy roadmap that lays out the market opportunities for the next two years.

Rigging the Internet of Things

The Internet of Things offers many new opportunities for hackers

Hackers are infiltrating public companies to gain an edge on Wall Street, warns a story on financial website Finextra.

This is not news; companies’ networks have been the target of insider traders since the early days of corporate computing. What is different today though is the nature of the risks, as Chinese and even North Korean hackers are probing networks containing vast amounts of information to find weaknesses and confidential information.

For insider traders, it may be that the internet of things turns out to be a boon. By hijacking delivery or supply data, traders may have an advantage over the market.

Things could get very nasty if those hackers subtly alter the data, say over-reporting production yields, so a company gives the wrong income guidance based on faulty information.

Security is one of the big issues facing the internet of things sector and the consequences of poorly protected sensors or systems could be immense when governments, businesses and communities come to rely on a stream of data they can trust.

The bad guys are only just starting to explore the possibilities of the connected world.

Apple’s security challenge

As Apple move into the internet of things, they are going to have to take cloud security more seriously.

This week’s news about celebrities’ personal photos being stolen from their iCloud accounts would be irritating Apple ahead of their September 9 media event.

Unfortunately for Apple they seem to have walked into this by making things convenient for users rather than enforcing strong security measures.

As Arik Hesseldahl in Re/Code describes, this breach was probably due to Apple not encouraging two factor authentication and not limiting the number of password guesses.

The latter is particularly irritating as it shouldn’t be hard for a system to pick when a brute force attack — a computer guessing a password millions of times a second — is being staged against a user.

It’s also trivial to limit the number of guesses as most other services do.
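The guess limiting described above, as an added example that is not from the original post or from Apple: a per-account throttle that stops checking passwords once failures pile up. The class name, thresholds and sample credential are assumptions made for illustration.

```python
from collections import defaultdict, deque


class GuessLimiter:
    """Per-account failed-login throttle: sliding window plus doubling lockout.

    Hypothetical class for illustration; thresholds are assumed values.
    """

    def __init__(self, max_failures=5, window=300.0, base_lockout=60.0,
                 max_lockout=3600.0):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> time the lockout ends
        self._lockouts = defaultdict(int)    # account -> lockouts so far

    def allowed(self, account, now):
        return now >= self._locked_until.get(account, 0.0)

    def record(self, account, success, now):
        """Record an outcome; return True if this failure started a lockout."""
        if success:
            self._failures.pop(account, None)
            self._lockouts.pop(account, None)
            return False
        recent = self._failures[account]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        # Each successive lockout doubles, capped at max_lockout.
        lockout = min(self.base_lockout * 2 ** self._lockouts[account],
                      self.max_lockout)
        self._lockouts[account] += 1
        self._locked_until[account] = now + lockout
        recent.clear()
        return True


def attempt_login(limiter, account, password, check_password, now):
    """Refuse before checking the password while the account is locked."""
    if not limiter.allowed(account, now):
        return "locked"
    ok = check_password(account, password)
    limiter.record(account, ok, now)
    return "ok" if ok else "denied"


def simulate(guesses, interval=1.0):
    """Constructed run: one wrong guess every `interval` seconds at one account."""
    limiter = GuessLimiter()
    check = lambda account, password: password == "correct horse"  # constructed
    results = [attempt_login(limiter, "alice", f"guess{i}", check, i * interval)
               for i in range(guesses)]
    return results.count("denied"), results.count("locked")


if __name__ == "__main__":
    print(simulate(1000))  # (25, 975)
```

Keying the counter on the account rather than the source address means rotating addresses does not reset it, and the lockouts are temporary so a third party cannot shut the owner out indefinitely.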

For users, the best protection is to have complex passwords which reduce the effectiveness of brute force attacks. It’s also worthwhile being careful with your personal nudie photos.

The consequences of having your iCloud account compromised are more than just losing your embarrassing photos; Wired’s Mat Honan had his entire digital life hijacked through this method two years ago.

With Apple aspiring to control the smarthome and smartcar markets, the consequences of accounts being breached become exponentially greater. These are issues Apple and the rest of the internet of things industry need to take seriously.

Hopefully at Apple’s big media event next week, some brave journalist will stand out of the assembled masses of sycophant hacks and ask CEO Tim Cook some hard questions about security on the shiny new iDevices.

Hacks on a plane

That avionic systems could be vulnerable to hacking is a wake up call for the internet of things industry.

One of the great concerns about the internet of things is what happens when older computer technology that was never designed to be connected to the net is exposed to the online world.

A presentation to the Black Hat Conference in Las Vegas this Thursday by researcher Ruben Santamarta promises to show some of the vulnerabilities in aircraft avionic systems.

Today’s aircraft are extremely smart devices with the downsides shown in the tragedy of AF447 where an Air France jet plunged into the Atlantic Ocean when two undertrained pilots didn’t understand what their plane was doing as it encountered severe ice conditions in a storm.

With aircrew increasingly dependent upon computers to help them fly planes, the risk of bugs or security weaknesses in aircraft systems is a serious issue, and the continued mystery of MH370’s fate adds an element of speculation that a glitch of some form was responsible for its disappearance.

It wouldn’t be the first time a passenger plane came to grief because of a computer error; most notably Air New Zealand flight 901 crashed into Antarctica’s Mount Erebus during a 1979 sightseeing trip due to wrong information being loaded into the navigation system.

The internet adds numerous risk factors to aircraft – Santamarta’s hack allegedly works through in-plane WiFi systems – particularly given these avionics systems haven’t been designed to deal with unauthorised access into their networks.

Should Santamarta’s demonstration prove feasible, it will be an important warning to the aviation industry and the broader Internet of Things community that security is a pressing issue in a world where critical equipment is connected.

The internet of insecure things becomes a problem

Security with the internet of things is becoming a serious issue warns HP

Following yesterday’s posts on BlackBerry, security and the Internet of Things, HP Fortify released a report saying seventy percent of IoT devices are vulnerable to hackers.

The list of weaknesses is chilling and illustrates why IoT security is an issue that has to be resolved now.

It may well be that John Chen, BlackBerry’s CEO, has backed the right horse for his company.

The strength of keeping things simple

Keeping things simple is a strength in today’s complex times.

This week I’m in New York to attend the BlackBerry Security Summit, more of which I’ll write about later although this story for Technology Spectator covers much of the news from the day.

BlackBerry is struggling to find relevance after losing its way when Apple and Android smashed its business model of providing secure, reliable and email friendly phones.

Now in a post-Snowden world, BlackBerry under new CEO John Chen is looking to rebuild the company’s fortunes on its strengths in security.

One of the aspects Chen’s team is emphasising is the simplicity of their software. Dan Dodge, who heads BlackBerry’s QNX embedded devices division, says their operating system has 100,000 lines of code as opposed to hundreds of millions in Windows and Android.

That weakness in the established software packages is something illustrated in today’s story about a verification problem in Android due to reuse of old code from another older product.

Simplicity is strength is Dodge’s message and that idea could probably be applied to more than software.

In the complex times we live in, simplicity could be the key to success.

Jailbreaking the Internet of Things

Jailbreaking the smarthome opens some complications for the Internet of Things

The news that hackers have turned their attention to Nest thermostats raises some delicious possibilities for the Internet of Things.

Jailbreaking smartphones has been normal for years as people circumvent restrictions to add features or software and there’s no reason that this can’t be done to smart thermostats, light bulbs or kettles.

Almost all the smart devices being deployed have processors and capabilities far greater than what’s needed to carry out their designed purpose, so an imaginative hacker can do some interesting things with a jailbroken home automation system.

Using your kettle to control your lights or fridge to open your garage door is a bit of a gimmick but there’s plenty of potential for doing some cool, and mischievous, things.

While hacking the smart home for kicks might be relatively harmless, tinkering with industrial devices could have unintended and disastrous consequences. It’s another example of why security is one of the top concerns as the Internet of Things is rolled out.

Security in the age of connected kettles

We need to start demanding more of our government and business leaders in enforcing online security

A few weeks back I gave a presentation to the Australian Seniors Computer Clubs Association as part of Staying Safe Online Week.

The presentation, Security In The Age of Connected Kettles, looked at where we are today with online security and some of the challenges facing individuals, businesses and communities as threats become more pervasive with cloud computing, personal technology and the internet of things while the people creating these risks become more professional.

Overall, it’s not a cheery scenario and I end with a call to action that we have to start insisting business, public sector and political leaders start taking online security seriously as a public safety issue.

Over ten slides we covered where we are today in personal and small business online security and some of the challenges facing individuals as computing moves onto the cloud and smartphones.

The ongoing online safety battle

Online safety is evolving as we move from PCs to tablets and smartphones; today the risks are increasingly appearing on our mobile devices, although the desktop computer and email scams remain the biggest risk.

It’s increasingly about the money

A change to the security landscape in recent times has been the rise of professional malware. While a decade ago most of the hacks and viruses we saw were the work of people demonstrating their skills or causing mischief, today there is big money in compromising computers and capturing data.

The rise of ransomware

One of the best examples of the professionalisation of the internet’s bad guys is the rise of ransomware.

Ransomware locks your computer with a demand for payment to release your data; if you don’t pay you lose all your information.

Many of the online threats though are far more subtle; the theft of data from Target, compromises of Sony’s customer databases and ongoing security breaches illustrate how the risks are far greater than just on our desktop.

Smartphone lockups

Ransomware has moved off personal computers onto smartphones with both Android and Apple systems being attacked.
The ‘hacked by Oleg Pliss’ message is a good example of how Apple’s products are just as much at risk as other companies’ platforms.
Also the ‘hacked by Oleg Pliss’ lockup shows how the security aspects of cloud computing services are going to become more important to the average person.

Security basics

The basic advice for the average user remains the same:

  • Strong passwords
  • Don’t use common passwords
  • Be careful what you click on or visit
  • Keep your systems up to date
  • Have good security software

However times are changing and many security issues are out of the average person’s control.

Lessons from Heartbleed

The Heartbleed OpenSSL bug illustrated the limits of individuals in protecting their information. As a bug in the secure socket layer software, the Heartbleed Bug could expose sensitive data on websites using the service.

The disappointing thing with Heartbleed is that people following good security policies were vulnerable.

Probably the biggest threat with Heartbleed however is the Internet of Things, where relatively simple devices – the connected kettle – could expose security credentials.

The Target hack

Another example of how security is beyond the control of the individual user is the Target hack. Hackers found their way into the US department store’s network through an airconditioning contractor. From there, they were able to steal millions of customer payment details.

The Target hack is one of dozens of similar corporate security compromises and this will continue until security is taken seriously by company directors and regulators.

A pocket sized security breach

As the Oleg Pliss hack showed, smartphones are not immune to security breaches.

With our phones gathering increasingly more data on our behaviour, protecting the data they gather is going to become one of the biggest challenges facing us.

Rich data

Smartphones are not just gathering location data; as technologies like iBeacons roll out, more information is being gathered from more sources.

When we go shopping, attend a football game or visit the doctor these technologies are collecting information on our personal habits and behaviour.

Not a generational issue

One of the myths around security and privacy is that concerns revolve around the generations.

The idea that only older people care about privacy or that younger folk understand technology is a myth.

Unfortunately however our political and business leaders come from a segment of society that doesn’t care about or understand the technology or issues.

If meaningful change is to be made in securing our information, then we’re going to have to demand our business and political leaders take these issues seriously.