Accountability and security

Experian’s massive data breach shows why we, and our governments, have to start taking security seriously.

Security writer Brian Krebs has followed up last year’s story that US credit reporting agency Experian had been selling personal data to Singapore-based identity thieves, reporting the guilty plea of the scheme’s architect.

Krebs points out that the leader of the identity thieves, Vietnamese national Hieu Minh Ngo, could access up to 200 million consumers’ records.

It’s almost impossible to say how much theft, fraud and misery was inflicted on innocent Americans who had their personal details misused by Ngo’s customers.

The amazing thing is it appears that Experian’s executives or shareholders will not suffer any sort of penalty – civil or criminal.

In an age where companies are collecting masses of data on everyone, it’s inconceivable that those trusted to store and protect that information – particularly credit reporting agencies – seem beyond any accountability for failing in their core responsibilities.

There’s also the aspect of undermining the US credit system; if merchants and consumers find they can’t trust credit reporting agencies, then offering or getting credit becomes far more difficult and risky.

Until the management of companies like Experian are held accountable for their incompetence, any talk of safeguarding privacy is empty. It’s why we should treat claims that our data is held safely by government agencies or businesses with a great deal of caution.

Bill Gates and the fight for trustworthy computing

Microsoft’s task of securing its software was a huge undertaking, one that isn’t over yet.

One of the great, and possibly under-recognised, business achievements of the computer age was Bill Gates’ recognition that Microsoft’s online strategy was flawed shortly after releasing Windows 95. A few years later he had to repeat the task when the company found its products were almost dangerously insecure.

A sprawling account of the company’s response to the security problems at the turn of the century, Life In The Digital Crosshairs, describes how Microsoft’s engineers responded to their then CEO’s call for Trustworthy Computing.

The problems at the time were vast, compounded by Microsoft’s failure to take security seriously – the first version of Windows XP came out without a firewall, which meant thousands of users were quickly infected by the computer worms rampant on many ISPs’ networks at the time.

As the story tells, it was a long difficult task for Microsoft to change complex and interdependent computer code involving 8,500 of the company’s engineers.

One suspects the cultural challenges were even greater in getting the managers supervising the army of engineers to understand just how serious the security threat was to Microsoft’s users.

The biggest challenge though was Microsoft’s own product line; because the company hadn’t ‘baked’ security into its software, key products like Microsoft Office relied on lax security practices to work properly.

Office and Windows also had the problem of legacy code and applications; one of Microsoft’s selling points over Apple and other competitor systems was that the company took pride in supporting older hardware and software. This in itself creates security risks when programs designed in the MS-DOS days still want to write to the system kernel.

For Microsoft the journey isn’t over, although the shift to cloud computing has changed – and simplified – the company’s security quest by making legacy issues in Office and Windows less important.

Microsoft and Gates’ success in seeing off the threats posed by the internet gave the company another decade of computer industry dominance; however, the company’s handling of security issues was nowhere near as successful.

In the end however it wasn’t security issues that saw Microsoft lose its dominance; the internet eventually prevailed as Apple revolutionised mobile computing while Amazon and Google improved cloud services.

With Bill Gates reportedly finding himself getting more involved in the company he founded, the challenges of both the internet and security are two that he’s going to be very familiar with. It will be interesting to see what we write about Microsoft in 2022.

A breach of trust

In business, trust is essential as security company RSA is discovering

“Today I’m happy not to have an RSA Conference badge on me,” Mikko Hypponen, head researcher of Finnish security company F-Secure, told the inaugural TrustyCon conference in San Francisco yesterday.

Hypponen was referring to what was one of the world’s most prestigious information security conferences hosted by industry vendor RSA.

RSA is known to many corporate computer users for its SecurID authentication tags, the little key fobs that give a passcode for secure networks and that illustrate this post.

Sadly for RSA’s users, those tags were compromised in 2010 and the company did its best to obscure, if not downright hide, the problem from both the industry and its customers.

However the killer blow for RSA’s reputation was an article in Reuters at the end of last year claiming the US National Security Agency had paid the company $10 million to weaken its security protocols.

The company denies this but the damage was done. As Hypponen says, “When a security company can’t be trusted, what do they have left?”

How RSA lost the trust of security professionals is a good lesson for all of us; our businesses rely upon the goodwill of our customers and our peers. If we betray their trust, we’re hurting ourselves.


Trusting the computer security industry

There’s something wrong in the way the tech security industry sells its product

I’ve been sceptical of computer security vendors for a long time and it’s interesting that even as threats evolve, the suspicion remains.

That suspicion comes from running an IT support business through the turn of the century virus epidemic; it’s hard to take seriously the same companies whose products failed to detect the malware – and in some cases made problems worse.

At the annual Tech Leaders Kickstart event today, I found that old hostility bubbling up as a series of security vendors warned us of the terrible threats in cyberland and how their product would solve most, if not all, of our problems.

The irritating thing with their pitches is that none of them would articulate how the threats are evolving, or give real-world examples.

Not that there’s any shortage of real-world examples, with corporate security disasters like Sony and Target as great case studies of what can go wrong. Indeed, there are very good reasons for businesses and every computer user to take security seriously.

There’s something missing in the way tech security is sold and in the way the industry articulates its message.

Tech security in a tough world

Even the professionals are struggling to keep up with a rapidly changing IT world, which is why businesses should start taking computer security seriously.

Network giant Cisco Systems released its 2014 Annual Security Report last week which should make sobering reading for every business manager and owner.

If you’re looking at a career change, the survey even suggests a possible new job.

Over two million of Cisco’s customers were examined in the survey and every single company had evidence of their systems being compromised in some way, from staff visiting suspicious websites to full scale hacker break-ins.

Keeping up with change

The survey points out IT security risks are evolving quickly as business technology becomes more complex and it’s hard for even industry professionals to keep up with the pace of change.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Chief Security Officer of Cisco, John Stewart, told a media briefing yesterday.

That concern was reinforced by Stewart’s colleague Levi Gundert, technical lead at Cisco’s Threat Research Analysis and Communications (TRAC) group.

“It’s not about are you going to be compromised,” said Gundert, “the question is how long is it going to take you to detect and shorten the remediation window?”

If even the world’s biggest corporations are struggling what can smaller organisations do to control the risk?

Disable Java

The biggest computer security risk is Java software. Cisco found a shocking 91% of software exploits were related to the application. “2013 was the year of the Java exploit. It was a bad year for Java,” says Gundert. It should also be noted that the first successful malware targeting Apple Macs, the Flashback Trojan, was a Java exploit.

The best way to deal with this risk is to keep Java off your systems; the problem with that advice is that many business applications – and games, if you have a home office or kids use your computer – need the software to run.

If you have to use Java packages, make sure you have the latest version running on your systems.

Keep your systems up to date

It’s not just Java that is a risk; Cisco identified Adobe PDF and Microsoft Office vulnerabilities as other threats.

It’s important that all systems – Mac, Windows or any other operating systems – are kept up to date with the latest patches.

Lock down office systems

Except when your computers are being updated, there’s no reason for office computers to be running in Administrator mode.

Day to day use should be done in restricted user profiles: on a Windows machine workers should be logged on as standard users, while on Macs they should be managed users. The only time an Administrator needs to be logged on is when maintenance is being done.

Watch those mobiles

The IT security industry has been watching smartphones for a while, and 2013 saw malware begin appearing on mobile devices in significant numbers, although it’s still small scale compared to PCs.

Cisco’s survey found only 1.2 percent of web based malware coming from mobile devices with almost all the infections being on Android systems.

Most of these Android infections were game add-ons downloaded from unofficial Android app stores so the message is to stick to the official, trusted services for Android apps.

Website risks

Another risky area for businesses identified by Cisco is websites being compromised and hijacked.

The software on these needs to be updated to the latest versions just as office computers should be.

Often, disused websites and blogs aren’t updated; the ABC discovered last year that abandoned, neglected websites are a great way for hackers and malware distributors to launch attacks or spread problems.

So if you have older websites or blogs, shut them down and redirect the domains to operating addresses.

For those operational websites, password security needs to be beefed up, as Cisco found ‘brute force’ attacks – where automated systems try every conceivable password combination – were up threefold in 2013.
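Part of beefing up website security is noticing brute force attempts when they happen. As an added example (not from Cisco’s report or the original post), this Python script runs over a few constructed login-log lines and flags two patterns of automated guessing: many failed logins from one source in a short window, and one source cycling through many accounts. The log format is an assumption made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format: one login
# attempt per line with timestamp, client IP, account name and outcome.
SAMPLE_LOG = """\
2013-12-01T10:00:01 203.0.113.7 user=alice result=FAIL
2013-12-01T10:00:02 203.0.113.7 user=alice result=FAIL
2013-12-01T10:00:03 203.0.113.7 user=alice result=FAIL
2013-12-01T10:00:04 203.0.113.7 user=alice result=FAIL
2013-12-01T10:00:05 203.0.113.7 user=alice result=FAIL
2013-12-01T10:00:06 203.0.113.7 user=alice result=FAIL
2013-12-01T10:00:30 198.51.100.2 user=bob result=FAIL
2013-12-01T10:05:00 198.51.100.2 user=bob result=OK
2013-12-01T10:10:00 192.0.2.9 user=admin result=FAIL
2013-12-01T10:10:01 192.0.2.9 user=root result=FAIL
2013-12-01T10:10:02 192.0.2.9 user=editor result=FAIL
2013-12-01T10:10:03 192.0.2.9 user=webmaster result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_brute_force(log_text, max_failures=5, max_accounts=3,
                       window=timedelta(minutes=1)):
    """Return a sorted list of (ip, reason) findings.

    For each source IP a sliding window of recent failed logins is kept and
    two patterns are flagged:
      - more than max_failures failures in the window (guessing one account)
      - failures against more than max_accounts distinct accounts in the
        window (guessing across accounts)
    Successful logins are not counted, so an ordinary typo is not flagged.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that have aged out of the window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) > max_failures:
            findings.setdefault(rec["ip"], "too many failed logins")
        elif len({user for _, user in q}) > max_accounts:
            findings.setdefault(rec["ip"], "failures across many accounts")
    return sorted(findings.items())


if __name__ == "__main__":
    for ip, reason in detect_brute_force(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The thresholds are deliberately conservative; a real site would tune the window and counts to its own traffic and feed the findings into rate limiting or account lockout.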

Professional skills shortage

A big problem facing the IT industry is a worldwide skills shortage: “There are essentially a million jobs across the globe that can be filled but we don’t have trained people to fill them,” says Cisco’s Stewart. “We’ve got a dearth of talent and skills.”

For smaller businesses that means it’s harder to find someone to fix problems when they happen; for both business managers and owners it’s smarter to reduce the likelihood of having a problem rather than scrambling to find an IT professional to help after the event.

The good news from Cisco’s survey is if you’re thinking of a career change, or you have a teenager moping around looking for a job, then IT security could be the answer.

For everyone else, as business and the world in general becomes more connected the security of the systems our world is coming to depend upon is something we have to take more seriously.

InfoSec’s looming labor shortage

A looming shortage of IT security experts is one example of new jobs being created.

For the last few days I’ve been reading Cisco’s 2014 annual security report and trying to decide exactly which parts are suitable for this site, Networked Globe and the various other outlets I write for.

One of the concerns Cisco raises in their study is the labor problem facing the information security (InfoSec) community, with a shortage of a million workers this year.

Even when budgets are generous, CISOs (Chief Information Security Officers) struggle to hire people with up-to-date security skills. It’s estimated that by 2014, the industry will still be short more than a million security professionals across the globe. Also in short supply are security professionals with data science skills—understanding and analyzing security data can help improve alignment with business objectives.

“There are essentially a million jobs across the globe that can be filled but we don’t have trained people to fill them,” Cisco’s Chief Security Officer John Stewart told a media conference yesterday. “We’ve got a dearth of talent and skills.”

As governments tighten up laws on liability for data breaches and privacy lapses a lot of businesses will be fighting to find people with the right skills to fix their problems or help them manage various technology and security risks.

So if you have a teenager moping around the house wondering what to do for a job, or you’re looking for a career change, becoming an IT security expert might be the answer.

Just as we see many jobs disappear in the face of technological change, we see new ones appear. This is a good example.

2014 – the year privacy and security will be defined

Security will be the big technology story of 2014

Happy New Year – 2013 might have been a disappointing year for tech, but for many it was a weird, wild roller coaster ride. Hopefully that ride is going to result in some very interesting destinations in 2014.

It’s tempting to make predictions about 2014 and wise heads prefer not to – what I’d refer to instead is a failed prediction from 2011: that that year would be remembered as the year of the security breach.

That was wrong. 2012 was worse and 2013 continued the trend of ever increasing corporate glitches and finished the year with two massive security breaches at Target and Snapchat. 2014 promises to be a year when the stakes become higher.

And then there were Edward Snowden’s revelations. Everyone who’s worked in or reported on the tech sector knew security agencies had the ability to snoop on the data of anyone they thought might be of interest, but few of us thought they would have engaged in such massive sweeps of the planet’s personal and business data.

Snowden’s leaks and the fallout from them have a long way to play out and the big story is going to be how the US justice system reacts to the creation of a surveillance state.

In countries like Australia that lack the US’ constitutional protections, fighting the constant spying of government agencies is probably a lost cause unless an economic collapse sees the authorities running out of money to operate their comprehensive monitoring programs.

What we can be certain of, in light of ongoing privacy breaches by governments and businesses, is that the technology world is going to be obsessed with security. That’s probably going to be the big, ongoing story for 2014, even if the mainstream media outlets focus on big TVs and the latest smartphone.

So Happy New Year and play nice on the internet. The Feds are watching.

Balkanising the internet

Breaking up the internet into different standards would be a backward step, but it might happen.

Could the current internet spying scandals result in the internet becoming fragmented into different national empires?

Over dinner with President Obama and fourteen other tech industry leaders, Yahoo!’s CEO Marissa Mayer warned that US spying threatens to ‘Balkanize the Internet’, Bloomberg reports.

Mayer has reasons to be worried; the scale of the US National Security Agency’s multiple programs monitoring internet traffic around the world has surprised even the most hard-bitten commentator and it is already affecting US technology sales to China.

Coupled with revelations that Britain’s GCHQ was tapping the subsea cables themselves in concert with US agencies, almost every national government is now pondering the fact that, as an invention of the US military, the internet itself is open to being misused by its creators.

The Internet’s critical economic role

As online communications become more critical to nations’ economies and security, it’s understandable that governments would be considering how to make their networks more hardened to interception or interference, and creating whole new protocols outside current standards is one way of doing that.

With the industrial sector increasingly being connected through the internet of machines the stakes suddenly become much higher, as the Iranian government discovered with the Stuxnet worm that crippled the country’s nuclear research program.

After Stuxnet every country and business with critical systems exposed to the internet is now working on hardening those systems from similar attacks.

Until recently, almost all the profits from the internet’s growth have gone to US technology companies, so it’s not a surprise that Facebook chief Sheryl Sandberg and Google chairman Eric Schmidt were with Mayer when she expressed her concerns to President Obama.

Balkanising the web

A balkanisation of the internet along national lines and industrial sectors is bad for US business which already struggles to get traction in non-Western markets like China and India.

The irony is though that Yahoo!, Google and Facebook are all trying to balkanize the internet themselves in locking users into their own networks.

While that’s a concern for internet users, it appears those commercial walled gardens aren’t working.

The failure of commercial walled gardens

Yahoo!’s attempt to monopolise their corner of the web has clearly failed, and it appears that Google’s attempts to take over social media are failing despite forcing YouTube users onto Google+, while Facebook is beginning to buckle under the sheer weight of its own News Feed.

Common wisdom about internet markets is that you have to be the number one provider in your niche to succeed; what we may well be seeing is that those niches are smaller than we thought and leadership in one sector doesn’t automatically guarantee success in another.

As Deloitte’s Eric Openshaw told this blog last week, “one way or another, these things can be problematic in the short run but typically over time they are resolved.”

Tesla, Edison and Jonathan Swift

One of the reasons for the internet being one of the most successful technologies is that it was standardised relatively early; it didn’t have the battles over industry standards like the AC versus DC electricity arguments between Edison and Tesla, or the insanity of different railway gauges plaguing countries and international trade.

Jonathan Swift parodied these technological arguments in Gulliver’s Travels where the main point of contention between the warring empires of Lilliput and Blefuscu was over which end boiled eggs should be cracked.

It would be a great economic loss if security concerns or commercial opportunities saw the internet follow those examples and saw the online world carved up into many little empires.

Should it happen, we deserve a future Jonathan Swift to parody us mercilessly.

Walls of Constantinople by Bigdaddy1204 through Wikimedia

Discussing Cryptolocker and Internet of Things security on ABC Radio

This morning with Linda Mottram on ABC 702 I’ll be discussing Cryptolocker ransomware and the security of the Internet of Machines.

If you missed the program, you can listen to the segments through Soundcloud.

Tuesday morning with Linda Mottram on ABC 702 I’ll be discussing Cryptolocker ransomware, the security of the Internet of Machines and the tech industry’s call for less internet surveillance.

It’s only a short spot from 10.15am and I’m not sure we’ll have time for callers, but one of the big takeaways I’ll have for listeners is the importance of securing your systems against malware; there are also some security ideas for business users as well.

We’ll probably get to mention the ACCC’s warnings on smartphone apps and the current TIFF bug in Windows as well.

If you’re in the Sydney area, we’ll be live on 702 from 10.15, otherwise you can stream it through the internet.

Microsoft and the zero day Tiff

The Windows TIFF exploit is a good reason for being careful with your email attachments.

One of the most dangerous things in computer malware is the Zero Day Exploit, where an error in a program is used by the bad guys before the hole in the software can be fixed.

A particularly irritating zero day exploit is the TIFF bug in Windows systems, where users of Microsoft products can be fooled into opening what appears to be an image file but turns out to be something more malicious.

Even more irritating with this bug is that Microsoft aren’t going to fix the problem in Windows XP systems until January’s Patch Tuesday, which means many people will be susceptible to this problem for nearly two months.

Zero day exploits are a good reason why every computer user needs to have an up to date virus checker and to take basic precautions before surfing the web or downloading email.

For Windows users it might be worthwhile taking extra care with email attachments for the next few weeks.

Potentially unwanted applications – what are we installing on our smartphones?

Do we really understand what we are installing on our smartphones? Sophos Labs thinks potentially unwanted applications or PUAs are a growing problem.

One of the notable things about the technology industries is there are always new terms and concepts to discover.

During a visit to Sophos’ Oxford headquarters last month, the phrase ‘Potentially Unwanted Applications’ – or PUAs – raised its head.

PUAs come from the problem application developers have in making money out of apps or websites. The culture of free or cheap is so ingrained online that it’s extremely hard to make a living out of writing software.

As a result, developers and their employers are engaging in some cunning tricks to get customers to download their apps and then to monetize them, particularly in the Android world which lacks the tight control Apple exercises over the iOS App Store.

“What’s interesting about Android,” says Sophos Labs’ Vice President Simon Reed, “is it’s attracting aggressive commercialisation.”

The fascinating thing Reed finds about this ‘aggressive commercialisation’ is where the distinction lies between malware and monetisation, and when an app or developer crosses that line.

Reed’s colleagues Vanja Svajcer & Sean McDonald explore where that line lies in a paper titled Classifying PUAs in the Mobile Environment which they submitted to the Virus Bulletin Conference last October.

In that paper Svajcer and McDonald discuss how these applications have developed, the motivations behind them and the challenge for anti-virus companies like Sophos and Kaspersky in categorising and dealing with them.

The authors also flag that while the bulk of the revenue generated by these apps comes from advertising, there are serious privacy risks for users as developers try to monetize the data many of these packages scrape from the phones they’re installed on.

Svajcer and McDonald do note though that potentially unwanted applications aren’t really anything new; we could well classify many of the drive-by downloads that plagued Windows 98 users at the beginning of the century as being PUAs.

What we do need to keep in mind though is that what is driving the development of PUAs is users’ reluctance to pay for apps, and that it’s going to take a big change in customer attitudes for this problem to go away.

For businesses, this is something managers are going to have to consider as they move their line of business applications onto mobile devices, as Marc Benioff proposed at the recent Dreamforce conference.

Sophos’ Simon Reed believes potentially unwanted apps won’t be such a problem in the workplace however. “Consumers may have a different tolerance towards PUAs than commercial organisations,” he says.

The prevalence of PUAs on mobile devices does underscore though just how careful organisations have to be with who and what can access their data. It’s another challenge for CIOs.

The ghost in the internet of machines

What happens when your internet connected egg tray gets a virus?

A funny thing happened two hours out of Auckland: the cabin crew on the Air New Zealand flight to San Francisco announced the inflight entertainment system had to be rebooted.

In the thirty minutes it took for the system to reset and reload, various in-seat functions such as the cabin call button and light switch froze; it was a basic example of how complex systems interact with each other.

The benefits of a connected egg tray involve the device telling us when more eggs are needed, but what happens when the thing tries to tell your online shopping service that you need 200 dozen?

As the internet of things develops and business systems become more automated, complexity is going to become greater and more subtle. Understanding and managing the risks that extend from that is going to be essential for both public safety and the economy.

“The Internet of Things creates a whole new range of attack surfaces,” Cisco Systems’ Enterprise Group Vice President Rod Soderbery told the Internet of Things conference in Barcelona last month.

One of those many ‘attack surfaces’ identified by Fraser Howard, Principal Researcher at Sophos Labs, is the dozens of household devices, from smart TVs to internet connected egg holders, that are beginning to appear in homes.

Almost all these devices will have flaws in their firmware and yet almost no vendor has an interest in maintaining or patching the firmware of this equipment.

“Consumers have no way of managing this problem,” says Fraser, as it’s almost impossible for householders to upgrade their systems and consumer electronics manufacturers have a poor security track record.

“There’s a long history of companies with mass market items which deal with things like important items like credentials where they have not had a single thought about security,” says Fraser.

Security is one of the many challenges facing the internet of things, along with how to manage rogue devices in grid networks. There’s a lot of work to be done in ensuring systems aren’t disrupted by an outlier sensor or critical information disclosed by a poorly secured or out of date smart device.

As connected egg trays start talking to the supermarket, we have to be confident that we aren’t going to come home to find our connected device has ordered a pallet load of fresh eggs, or that it has given away our banking details to an organised crime ring.