Society and business in the 21st Century
Following yesterday’s posts on BlackBerry, security and the Internet of Things, HP Fortify released a report saying seventy percent of IoT devices are vulnerable to hackers.
The list of weaknesses is chilling and illustrates why IoT security is an issue that has to be resolved now.
It may well be that John Chen, BlackBerry’s CEO, has backed the right horse for his company.
This week I’m in New York to attend the BlackBerry Security Summit, more of which I’ll write about later although this story for Technology Spectator covers much of the news from the day.
BlackBerry is struggling to find relevance after losing its way when Apple and Android smashed their business model of providing secure, reliable and email friendly phones.
Now in post Snowden world, BlackBerry under new CEO John Chen is looking to rebuild the company’s fortunes on its strengths in security.
One of the aspects Chen’s team is emphasising is the simplicity of their software. Dan Dodge, who heads BlackBerry’s QNX embedded devices division says their operating system has a 100,000 lines of code as opposed to hundreds of millions in Windows and Android.
That weakness in the established software packages is something illustrated in today’s story about a verification problem in Android due to reuse of old code from another older product.
Simplicity is strength is Dodge’s message and that idea could probably be applied to more than software.
In the complex times we live in, simplicity could be the key to success.
The news that hackers have turned their attention to Nest thermostats raises some delicious possibilities for the Internet of Things.
Jailbreaking smartphones has been normal for years as people circumvent restrictions to add features or software and there’s no reason that this can’t be done to smart thermostats, light bulbs or kettles.
Almost all the smart devices being deployed have processors and capabilities far greater than what’s needed to carry out their designed purpose, so an imaginative hacker can do some interesting things with a jailbroken home automation system.
Using your kettle to control your lights or fridge to open your garage door is a bit of gimmick but there’s plenty of potential for doing some cool, and mischievous, things.
While hacking the smart home for kicks might be relatively harmless, tinkering with industrial devices could have unintended and disastrous consequences. It’s another example why security is one of the top concerns as the Internet of Things is rolled out.
A few weeks back I gave a presentation to the Australian Seniors Computer Clubs Association as part of Staying Safe Online Week.
The presentation, Security In The Age of Connected Kettles, looked at where we are today with online security and some of the challenges facing individuals, businesses and communities as threats become more pervasive with cloud computing, personal technology and the internet of things while the people creating these risks become more professional.
Overall, it’s not a cheery scenario and I end with a call to action that we have to start insisting business, public sector and political leaders start taking online security seriously as a public safety issue.
Over ten slides we covered where we are today in personal and small business online security and some of the challenges facing individuals as computing moves onto the cloud and smartphones.
Online safety is evolving as we move from PCs to tablets and smartphones, today the risks are increasingly appearing on our mobile devices although the desktop computer and email scams remain the biggest risk.
A change to the security landscape in recent times has been the rise of professional malware. While a decade ago most of the hacks and viruses we saw were the work of people demonstrating their skills or causing mischief, today there is big money in compromising computers and capturing data.
One of the best examples of the professionalisation of the internet’s bad guy is the rise of ransomware.
Ransomware locks your computer with a demand for payment to release your data; if you don’t pay you lose all your information.
Many of the online threats though are far more subtle; the theft of data from Target, compromises of Sony’s customer databases and ongoing security breaches illustrate how the risks are far greater than just on our desktop.
Ransomware has moved off personal computers onto smartphones with both Android and Apple systems being attacked.
The ‘hacked by Oleg Pliss’ message is a good example of how Apple’s products are just as much at risk as other companies’ platforms.
Also the ‘hacked by Oleg Pliss’ lockup shows how the security aspects of cloud computing services are going to become more important to the average person.
The basic advice for the average user remains the same;
However times are changing and many security issues are out of the average person’s control.
The Heartbleed Open SSL bug illustrated the limits of individuals in protecting their information. As a bug in the secure socket layer software, the Heartbleed Bug could expose sensitive data on websites using the service.
The disappointing thing with Heartbleed is that people following good security policies were vulnerable.
Probably the biggest threat with Heartbleed however is the Internet of Things, where relatively simple devices – the connected kettle – could expose security credentials.
Another example of how security is beyond the control of the individual user is the Target hack. Hackers found their way into the US department store’s network though an airconditioning contractor. From there, they were able to steal millions of customer payment details.
The Target hack is one of dozens of similar coporate security compromises and this will continue until security is taken seriously by company directors and regulators.
As the Oleg Pliss hack showed, smartphones are not immune to security breaches.
With our phones gathering increasingly more data on our behaviour, protecting the data they gather is going to become one of the biggest challenges facing us.
Smartphones are not just gathering location data, as technologies like iBeacons roll out more information is being gathered from more sources.
When we go shopping, attend a football game or visit the doctor these technologies are collecting information on our personal habits and behaviour.
One of the myths around security and privacy is that concerns revolve around the generations.
The idea that only older people care about privacy or that younger folk understand technology is a myth.
Unfortunately however our political and business leaders come from a segment of society that doesn’t care about or understand the technology or issues.
If meaningful change is to be made in securing our information, then we’re going to have to demand our business and political leaders take these issues seriously.
Microsoft’s partnership with American Family Insurance shows how insurers are adopting the Internet of Things, is the community ready for real time monitoring of risk?
Earlier this week, Microsoft Ventures announced a partnership with American Family Insurance in an accelerator for home automation services.
The insurance industry has an obvious interest in the Internet of Things (IoT) as constant monitoring allows them to make more accurate assessments of risk and quickly adjust policies or premiums when circumstances change.
“We are focused on helping early stage companies bring new products and services to market that can make our policyholders’ homes and lives safer,” Microsoft’s media release quotes Dan Reed, American Family Ventures’ Managing Director as saying.
For consumers and the public at large, there a serious implications of constant monitoring by insurance companies, marketers and government agencies.
As Business Insider points out, Google already holds a massive amount of data on us all with Apple, Amazon, Facebook and Microsoft not far behind.
One of the key questions of the next decade is ‘do we we want our smart smoke detectors spying on us?’ and, if so, do we want it giving that data straight to the insurance company?
Possibly the most embarrassing of the outbreak of computer hacks in late 2011 was the breaching of prominent geopolitical analysts Strategic Consulting, also known as Stratfor.
The Daily Dot dissects what went wrong for Stratfor based on a leaked report from Verizon Business who carried out a “forensic investigation” of the hack which the company claims cost them $3.8 million in damages.
While the monetary damages were substantial for a relatively small company, Stratfor’s reputation was probably the greatest casualty as customers’ credit card details were exposed and the firm’s confidential files were distributed by Wikileaks.
The tragic thing is that none of this would have happened had Stratfor followed basic IT security practices, something that every business should be following.
Probably Stratfor’s biggest mistake was storing customers’ credit card details – there is no reason for saving your clients’ payment details. Ever.
If you’re accepting credit cards, organise a payment service to handle that work for you as they know what they are doing and take most of the management hassles, security and fraud risks.
In most cases, these companies’ fees are no more than manual processing fees that Stratfor and most businesses manually processing payments get hit with anyway.
Another basic mistake was that passwords were shared and kept simple; there is no excuse for giving staff the same password to access confidential or critical files and systems.
Similarly, there wasn’t a ‘need to know’ policy; that is, that an analyst has no reason to have access to HR files and the receptionist no need to be looking at sales figures. Sensitive data should only be accessible to those who need it for their day-to-day work.
Remarkably, Stratfor didn’t have any properly configured firewalls and on many computers didn’t have up to data anti-virus protection. All of this made it easy for hackers to get into the network and access confidential information.
In some respects it’s possible to feel sorry for Stratfor’s management, the report is a classic example of a business that outgrew the IT structure for a one or two person operation founded by men who didn’t understand the risks of the internet.
Today there’s no excuse not to have systems locked down or to lack a company culture that recognises data security as being essential in the modern business world.
Stratfor’s hack was a spectacular example of what could go wrong, but it’s a warning for all businesses about the importance of security in a connected world.
Late last month writer, painter and software developer Maciej Ceglowski spoke at the design and technology conference, Beyond Tallerand in Dusseldorf.
The Internet with a Human Face is his closing keynote for the conference – let’s try to kill that kill that awful term ‘locknote’ for closing presentations – and is a wonderful overview of the unintended consequences of the internet we’re now seeing emerge.
Maciej compares the internet’s effects with that of the motor car in the Twentieth Century – the rise of the automobile totally changed society in ways our great grandparents couldn’t have expected.
In many respects the changes were positive; the age of the motor car saw massive increases in living standards through the second half of the century. However the immediate downside of those efficient supply chains were equally massive increases in obesity rates, suburban alienation and urban sprawl.
A similar thing is happening with this wave of technological changes; as Maciej describes in our presentation, our views of how the web was going to evolve is turning out to be very different to what we expected.
One great example is in small business advertising where we expected online channels would democratise marketing. Instead the exact opposite has happened.
Maciej’s view is far broader than just the relatively trivial problem of small business advertising, particularly with the ‘Internet never forgetting’ with the concentration of the industry in one of the world’s great earthquake zones as another major risk.
Ultimately, though Maciej sees the problems facing the internet industry as a design problem.
“I have no idea how to fix it. I’m hoping you’ll tell me how to fix it. But we should do something to fix it. We can try a hundred different things. You people are designers; treat it as a design problem! How do we change this industry to make it wonderful again? How do we build an Internet we’re not ashamed of?”
While being ashamed is a big call, and probably unfair in that it’s like blaming Henry Ford for 2014 childhood obesity rates in Minnesota, Maciej has flagged that there are real adverse unintended consequences to the way the internet is evolving.
All of us involved in the industry need to recognise those adverse effects and start acting to fix these problems.
