Insurers and the internet of things

Microsoft’s partnership with American Family Insurance shows how insurers are adopting the Internet of Things. Is the community ready for real-time monitoring of risk?

Earlier this week, Microsoft Ventures announced a partnership with American Family Insurance in an accelerator for home automation services.

The insurance industry has an obvious interest in the Internet of Things (IoT) as constant monitoring allows them to make more accurate assessments of risk and quickly adjust policies or premiums when circumstances change.

“We are focused on helping early stage companies bring new products and services to market that can make our policyholders’ homes and lives safer,” Microsoft’s media release quotes Dan Reed, American Family Ventures’ Managing Director as saying.

For consumers and the public at large, there are serious implications of constant monitoring by insurance companies, marketers and government agencies.

As Business Insider points out, Google already holds a massive amount of data on us all with Apple, Amazon, Facebook and Microsoft not far behind.

One of the key questions of the next decade is ‘do we want our smart smoke detectors spying on us?’ and, if so, do we want them giving that data straight to the insurance company?

The online security pains of a growing business

Stratfor’s humiliating computer hack is a lesson for all businesses about IT security

Possibly the most embarrassing of the outbreak of computer hacks in late 2011 was the breaching of prominent geopolitical analysts Strategic Consulting, also known as Stratfor.

The Daily Dot dissects what went wrong for Stratfor based on a leaked report from Verizon Business who carried out a “forensic investigation” of the hack which the company claims cost them $3.8 million in damages.

While the monetary damages were substantial for a relatively small company, Stratfor’s reputation was probably the greatest casualty as customers’ credit card details were exposed and the firm’s confidential files were distributed by Wikileaks.

The tragic thing is that none of this would have happened had Stratfor followed basic IT security practices, something that every business should be following.

Don’t store credit card details

Probably Stratfor’s biggest mistake was storing customers’ credit card details – there is no reason for saving your clients’ payment details. Ever.

If you’re accepting credit cards, organise a payment service to handle that work for you as they know what they are doing and take on most of the management hassles, security and fraud risks.

In most cases, these companies’ fees are no more than manual processing fees that Stratfor and most businesses manually processing payments get hit with anyway.

Password policies

Another basic mistake was that passwords were shared and kept simple; there is no excuse for giving staff the same password to access confidential or critical files and systems.

Similarly, there wasn’t a ‘need to know’ policy; that is, that an analyst has no reason to have access to HR files and the receptionist no need to be looking at sales figures. Sensitive data should only be accessible to those who need it for their day-to-day work.

Remarkably, Stratfor didn’t have any properly configured firewalls and on many computers didn’t have up-to-date anti-virus protection. All of this made it easy for hackers to get into the network and access confidential information.

The online pains of growing a business

In some respects it’s possible to feel sorry for Stratfor’s management; the report is a classic example of a business that outgrew the IT structure of a one or two person operation founded by men who didn’t understand the risks of the internet.

Today there’s no excuse not to have systems locked down or to lack a company culture that recognises data security as being essential in the modern business world.

Stratfor’s hack was a spectacular example of what could go wrong, but it’s a warning for all businesses about the importance of security in a connected world.

Building an internet we’re not ashamed of

How do we build an internet we’re not ashamed of? asks developer and writer Maciej Ceglowski

Late last month writer, painter and software developer Maciej Ceglowski spoke at the design and technology conference, Beyond Tellerrand in Dusseldorf.

The Internet with a Human Face is his closing keynote for the conference – let’s try to kill that awful term ‘locknote’ for closing presentations – and is a wonderful overview of the unintended consequences of the internet we’re now seeing emerge.

Maciej compares the internet’s effects with that of the motor car in the Twentieth Century – the rise of the automobile totally changed society in ways our great grandparents couldn’t have expected.

Unexpected consequences

In many respects the changes were positive; the age of the motor car saw massive increases in living standards through the second half of the century. However, the immediate downside of those efficient supply chains was equally massive increases in obesity rates, suburban alienation and urban sprawl.

A similar thing is happening with this wave of technological changes; as Maciej describes in his presentation, how the web is evolving is turning out to be very different to what we expected.

One great example is in small business advertising where we expected online channels would democratise marketing. Instead the exact opposite has happened.

Maciej’s view is far broader than just the relatively trivial problem of small business advertising; he is particularly concerned with the ‘Internet never forgetting’, and sees the concentration of the industry in one of the world’s great earthquake zones as another major risk.

Building an internet we’re not ashamed of

Ultimately, though, Maciej sees the problems facing the internet industry as a design problem.

“I have no idea how to fix it. I’m hoping you’ll tell me how to fix it. But we should do something to fix it. We can try a hundred different things. You people are designers; treat it as a design problem! How do we change this industry to make it wonderful again? How do we build an Internet we’re not ashamed of?”

While being ashamed is a big call, and probably unfair in that it’s like blaming Henry Ford for 2014 childhood obesity rates in Minnesota, Maciej has flagged that there are real adverse unintended consequences to the way the internet is evolving.

All of us involved in the industry need to recognise those adverse effects and start acting to fix these problems.

ABC Nightlife – security, dropping off the grid and 4D printing

Apple Security, the Heartbleed bug and dropping off the grid are the topics of the May 2014 ABC Nightlife spot

Paul Wallbank joins Tony Delroy on ABC Nightlife across Australia from 10pm Australian Eastern time tonight to discuss how technology affects your business and life.

For the May 2014 spot we looked at computer security, specifically Apple ransomware and The Heartbleed bug along with dropping off the grid, 4D printing and the future of design.

To protect against the Oleg Pliss ransomware – or any similar problems – have a strong password, enable the screen passkey and enable two factor authentication.

Join us

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on the night on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

Tune in on your local ABC radio station from 10pm Eastern Summer time or listen online at www.abc.net.au/nightlife.

You can SMS Nightlife’s talkback on 19922702, or through twitter to @paulwallbank using the #abcnightlife hashtag or visit the Nightlife Facebook page.

Limits of the black box business

Many of the leading tech companies hide behind mysterious algorithms or impassive customer support. That may prove to be their weakness.

One of the paradoxes of the modern tech industry is that while its leaders preach openness and collaboration, their own businesses are mysterious unaccountable black boxes.

This website has often looked at how the Silicon Valley business model leaves users and partners exposed to arbitrary enforcement of vague policies and indifferent customer service.

A good example of the black box business model is eBay’s major security breach where it appears millions of users have had their personal and banking details compromised. Instead of informing customers immediately, the company’s management hid the problem and hoped stonewalling inquiries would make the problem go away.

Lacking accountability

In the black box business model, not being accountable is the key – we see it with Amazon’s bullying of book publishers, Google’s high handed identity policies and Facebook’s puritan censorship.

Those high handed attitudes to customers’ and users’ rights are born out of arrogance; all of these companies’ managements, and the corporate bureaucrats who enforce the policies, believe their hundred billion dollar businesses are untouchable.

Such arrogance might, though, be ill-founded as each of these businesses is less than twenty years old and, while they themselves have deeply disrupted existing industry models, there is no reason why their own market dominance and huge cash flows can’t be usurped by new technologies or challengers.

In an age where trust is the greatest currency, hiding behind a black box of algorithms and impassive customer support may not turn out to be a successful management strategy.

Securing the industrial internet

GE’s acquisition of Wurldtech is another example of just how seriously engineering companies are taking security in the internet of things; hopefully those building consumer systems are paying attention too.

One of the big concerns with connecting devices to the public internet is security, particularly when equipment that was never intended to be on the net is suddenly wired up.

When the world’s computers started to be connected to the Internet in the mid-1990s it became apparent very quickly that most of the operating systems then in use were hopelessly vulnerable to security problems.

The worry is the same thing will happen today with the Internet of Things, particularly with household equipment which – if the PC industry’s experience is anything to go by – will open up whole new fields of risk to homeowners.

While having your kettle or home network hacked could be painful, it’s nothing compared to the risks of infrastructure or vital equipment being compromised.

So GE’s acquisition of security company Wurldtech is an important development as it focuses on the software aspects of its products and the Industrial Internet – GE’s own term for the internet of things.

Techcrunch’s Ron Miller has a good run down on GE’s purchase of Wurldtech where Neil McDonnell, the CEO of the acquired business, describes the company’s two pronged approach to security.

First, they do testing to discover vulnerabilities in the system and they certify sites that are secure. Secondly, they provide specific security solutions around a system such as a substation or pump.

For GE, Wurldtech will help them secure existing infrastructure and equipment that’s being connected to the net; what they learn should also help designers of the next generation of equipment build security into their products.

GE’s acquisition of Wurldtech is another example of just how seriously engineering companies are taking security in the internet of things; hopefully those building consumer systems are paying attention too.

Privacy by design

How can businesses protect customers’ privacy? Intel Security’s Michelle Dennedy discusses how to bake privacy into your organisation

“Know your data” is the key tip for businesses concerned about privacy, says Michelle Dennedy, Chief Privacy Officer for Intel Security, formerly McAfee.

“It’s really important to go back to basics,” says Michelle. “We’re trying to do bolt-on privacy, just like we did with security years ago. I think it’s time to take a good look at the policy side, which is called Privacy By Design, thinking about it at early stages and being consumer-centric.”

“We at McAfee call it ‘Privacy Engineering’; looking at the tools, methodologies and standards from the past, adding current legislative requirements and business rules then turning them into functional requirements.”

Michelle, who is also co-author of the Privacy Engineering Manifesto, was speaking to Decoding The New Economy as part of Privacy Awareness Week.

A key part of the interview is how Michelle sees privacy evolving in a global environment: “if you’d asked me in 2000 where we’d be today I’d have told you it would be like the 1500s when we were dealing with shipping lanes. We would have treaties, it would be harmonised and we’d understand that global trade is a hundred percent based upon sharing.”

“We have instead decided to become a set of Balkanized nations.”

For individual businesses “know thy data,” is Michelle’s main advice. “Know what brings you risk, know what brings you opportunity.”

In Michelle’s view, businesses need to balance the opportunities against the risks and treat customers’ data with respect, as the monetisation policies of many online platforms don’t recognise users’ costs in time and data sold.

As businesses find themselves being flooded with data, protecting it and respecting the privacy of customers, users and staff is going to become an increasingly important responsibility for managers.

It’s worthwhile understanding the privacy laws as they apply to you and making sure your systems and staff comply with them.

Heartbleed, kettles and design – ABC 702 Mornings

The Heartbleed bug and the connected kettle are the topics of today’s 702 Sydney segment with Linda Mottram

This morning from 10.20am on 702 Sydney I’m talking to Linda Mottram about the Heartbleed bug, connected kettles and dropping off the grid. It’s a crowded twenty minutes and I’m not sure how much we’ll cover.

Heartbleed is the main topic of the segment and it’s a big issue that not only exposes a weakness in secure computing but also points out problems with the Internet of Things and the open source model of developing software.

One of the quirky stories of the last few weeks has been the iKettle, a connected kitchen appliance. Do we need one and what happens to your cup of tea if the internet drops out?

3D printing is changing the world of manufacturing but designers are now looking at 4D printing. What is it and how might it change the world of design?

If we get time we’ll also look at the possibilities of dropping off the all seeing grid with the story of a security researcher who tried to hide her pregnancy from the Internet.

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on 1300 222 702 or post a question on ABC702 Sydney’s Facebook page.

If you’re a social media user, you can also follow the show through twitter to @paulwallbank and @702Sydney.

Bleeding hearts and internet security

No technological revolution is simple or without problems; securing information is one of the great challenges of today’s revolution and Heartbleed is a reminder of that.

The big tech news story of the last two days has been the Heartbleed security flaw that might have compromised users’ passwords and other details.

Given the nature of the bug, where a server can be tricked into giving away bits of what’s stored in its memory, it’s hard to say exactly what has been compromised – on most sites you’d be very unlucky to have your password or banking details in the system at the precise millisecond a malicious attacker exploited the bug – but the risks are still real.

While webmasters and system admins around the world are frantically patching their systems, for the average user the best advice is to wait before changing your passwords. If the bad guys already have your details they’d have probably used them by now, and changing your logins on a vulnerable server might actually increase the risk of crooks stealing your information.

The Internet of Things

The longer term risks with Heartbleed are actually in embedded systems and the Internet of Things; many systems will have hard coded implementations of the buggy software which may never be patched and these devices may give up much richer data than a web server would.

It’s another illustration of how difficult it is to keep embedded technologies up to date and to secure the Internet of Things.

Open source blues

While there’s no shortage of similar security lapses in commercial software, the Heartbleed saga is going to concentrate the minds of the open source community on how to tighten peer review and audit version updates.

Most open source projects are staffed by small groups of time poor volunteers, making auditing and quality control harder. That key parts of the internet and computer industries rely on these underfunded and often unappreciated groups is a weakness for the entire sector.

No technological change is simple or without problems. Securing information is one of the great challenges of today’s tech revolution and Heartbleed is a strong reminder of that; hopefully we’ll learn some lessons about building robust systems.

Windows XP and patches

The Heartbleed security certificate bug is an illustration of how tough life is going to become for Windows XP users in the near future.

It’s notable that the long flagged end of Microsoft’s support for Windows XP happened the day before the Heartbleed bug, one of the most worrying security flaws we’ve seen, was publicly revealed.

One of the questions that has bugged many of us in the industry – pardon the pun – is whether Microsoft would back down on its insistence they would not issue security patches for Windows XP when a major exploit became public.

With between 15 and 30% of the world’s desktop computers still running XP and 6,000 websites reportedly running on the superseded system, it’s hard to see how Microsoft could justify not sending out an update should an exploit the size of the Heartbleed bug become apparent.

As it is, there may be some argument for updating some of the security certificates in Windows XP and the older versions of Internet Explorer in the light of the Heartbleed bug; we’ll wait to see on that.

While Heartbleed doesn’t directly affect Windows XP computers, it’s still a reminder that life is going to get tough for those running an unpatchable operating system.

Can the community secure the Internet of Things?

Can the community secure the internet of things? Cisco’s Christopher Young believes so.

As more devices become connected Cisco Systems hopes the security issues can be addressed by the developer community.

“The Internet of Everything is not only going to turn every company into a technology company but it’s going to force every company to truly become a company that delivers security,” says Christopher Young, Senior Vice President of Cisco’s Security Business Group.

Speaking at the Australian Cisco Live! Conference in Melbourne today, Young described how business is going to have to change the way it treats the data it collects from sensors.

“Not just in consumer security,” continues Young. “If I’m using technology or I’m delivering a service that’s leveraging technologies like cloud or connected devices and creating information about individuals or organisations through these connected devices then a consumer or enterprise is going to expect a level of security.”

Young sees three major ways that security is becoming more challenging for organisations; changing business models, a dynamic threat landscape and increasing complexity.

The latter point is the area that focuses many executives’ attention in Young’s experience, with audiences he speaks to nominating complexity and fragmentation as their greatest concern.

“They get so many products and so many devices and so many tools and so much complexity they really don’t know, in so many cases, where to focus their efforts.”

Young cites Cisco’s Chief Security Officer, John Stewart, who says that the most fundamental security defence is getting the basics right.

Earlier this year at the release of the company’s 2014 security report, Stewart spoke to Networked Globe on how businesses are struggling with the complexity they face.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Stewart said.

This problem ties into the other areas that Young identifies, particularly the ‘industrialisation’ of the malware world.

“We have more well funded, more innovated, more determined adversaries than we’ve ever had as an industry.

“It used to be some high school kid in his room trying to infect a bunch of machines with viruses or some guy from Nigeria sending you an email asking you for a hundred bucks and he’ll give you a thousand bucks later.

“The world we live in today has nation states and criminal syndicates and very well funded, very sophisticated attackers so hacking has become an industrialised activity,” Young says. “There’s supply chains involved, there’s support agreements written; the bad guys will even sell each other a contract.”

Young’s views echo those of Sophos Labs’ Vice President Simon Reed who said last year that “now there’s money involved, there’s serious effort, the quality of malware has gone up.”

Part of the solution Young sees involves getting the community involved, which is the motivation behind the Cisco Security Challenge announced last week.

“You can only just guess and imagine what all the different security challenges will look like in a world that’s just starting to get formed.”

“Let’s get the community involved in trying to solve some of the problems that we know are going to be inherently introduced by IoE.”

Using data laws to create an economic advantage

Will the EU data laws give European business a competitive advantage?

Yesterday I posted a piece on Business Spectator about Australia’s new privacy regulations; little did I know that the European Union Parliament was about to release its own.

The EU regulations look interesting and certainly seem on first look to be far more comprehensive than Australia’s effort that I describe as a toothless, box ticking exercise.

A notable aspect of the EU’s announcement of the new rules is its claim that the updated regulations are expected to generate €2.3 billion in economic benefits each year.

Whether the EU’s rules prove to be an economic cost – as Australia’s effort will almost certainly turn out to be – or a competitive advantage remains to be seen, however the European Parliament is certainly making a case for data security and privacy protection as being an important selling point in a highly competitive digital world.

The competitive advantages between countries and continents in the 21st Century will be very different to those that determined the economic winners of the previous two centuries.