Trust and the cloud

The continued stream of security revelations may shake customer confidence in cloud computing.

The revelations of how the US tech industry has entwined itself with US spy agencies continue with The Guardian reporting that Microsoft gave the NSA access to their encryption services.

For Microsoft this is very embarrassing as the company has always strongly emphasised its security; that US government agencies turn out to have the keys to those systems will worry many foreign governments and businesses.

Like everything in business, cloud computing services require trust and this continual stream of revelations will shake the trust of many customers.

It may well be that the NSA revelations will boost the fortunes of non-US companies; Swiss companies are already reporting soaring sales since the leaks began, and other nations may also profit from the suspicions.

While cloud computing isn’t going away, many people will be thinking seriously about the services they use and whether they can trust them.

Securing the security system

The hacking of a Google building management system shows how important it is to take security seriously.

How vulnerable building management systems can be hit me a decade ago when I was working at an expensive Sydney harbourfront home.

The householder – a rich banker – had spent millions on physical security to insulate his family from the outside world. Yet anybody could dial in and monitor what was happening in the house through the building’s CCTV and management systems.

Not only were the building’s CCTV and management systems open to the net, but the system’s server ran on an antiquated and unsecured version of Windows 2000 that shared the home network with a couple of enthusiastically downloading teenagers.

It was a matter of time, perhaps hours, before the system was compromised with a worm or virus. The security implications were enormous.

Even the banker’s business was vulnerable as a targeted hack into the home would allow people to monitor traffic on the network and intercept work related messages.

What was really shocking however was how the system vendor and integrator who’d installed it simply didn’t care about the client’s security problems.

So the news that the BMS of one of Google’s Sydney offices is exposed to the net shouldn’t be a surprise. Building Management Systems, as we saw with the rich banker’s house, are notorious for their poor security.

For Google this security breach is embarrassing, although the responsibility for this flaw lies firmly with the building owner, who should have made sure their systems were locked down and properly secured. You can’t throw this problem over the fence.

One wonders just how widespread these problems are with other industrial systems like SCADA devices and other remotely operated equipment.

Internet connected systems have been around for twenty years now; there are no longer any excuses for not taking these issues seriously.

Image courtesy of Tacluda through RGBStock

Penny wise and pound foolish

Saving money on technology is often a bad investment as the V8 Supercars found

“We were penny wise and pound foolish” says Peter Trimble, Finance and Systems director of the V8 Supercars, about the IT setup he found when he started with the motor sport organisation 18 months ago.

The V8 Supercars were like many businesses who had outgrown their basic IT setup and were struggling as a result.

A touring organisation – “a travelling circus” as described by CEO David Malone – with 15 races in Australia, New Zealand and the US faces some unusual challenges, as contractors, teams and a dispersed workforce put demands on the business that a basic small business system struggles to cope with.

What Trimble found at the business were employees struggling with cheap internet connections and antiquated, inadequate servers.

Focusing on the pennies and missing the bigger picture is a common problem when management skimps on technology, which leaves their staff spending more time on IT problems than getting their jobs done.

Basically the $80 a month home internet connection doesn’t cut it when you have more than two or three workers, and the server that worked fine when those people were in the same office becomes a security risk when a dozen people are trying to log in over the Internet.

It wasn’t surprising the V8 Supercars management decided to go with a cloud computing service – in this case Microsoft Office 365 – and invest in proper, reliable internet connections.

What the Supercars found is that being penny wise and pound foolish with IT doesn’t work for a business; office tech is an essential investment.

Paul travelled to the V8 Supercars in Launceston courtesy of Microsoft Australia. 

Microsoft’s China crisis

Microsoft’s Chinese partner is blocking Skype messages and possibly passing user details onto PRC authorities. This security concern could damage both Microsoft and Skype.

That the Chinese Public Security Bureau is blocking your messages – and may even be reading them – would make anyone pause before they used a service.

Bloomberg Businessweek reports Microsoft Skype is doing exactly this with its Chinese customers. Anything deemed inappropriate is censored and referred to servers belonging to TOM Online, the company that runs the Skype service on behalf of Microsoft in China.

The Bloomberg story goes on to detail how one Canadian researcher is reverse engineering the Chinese blacklists, giving us a wonderful insight into the petty and touchy minds of China’s censors and political leaders.

What raises eyebrows about this story is how nonchalant Microsoft is about this issue; in a wonderful piece of corporate speak the software giant answered Bloomberg’s question with the following bland statement:

“Skype’s mission is to break down barriers to communications and enable conversations worldwide,” the statement said. “Skype is committed to continued improvement of end user transparency wherever our software is used.”

Microsoft’s statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.”

Microsoft has to fix this problem quickly; glibly saying the Chinese government eavesdropping on conversations is a matter for partners is not going to be accepted by most customers.

It would be a shame should Microsoft’s Skype investment fail – Skype is a very good fit for Microsoft, particularly when the technology is coupled with the Lync corporate messaging platform – so squandering goodwill over protecting users’ conversations seems counterproductive.

One of the great business issues of this decade is the battle to protect users’ privacy. Those who don’t do this, or don’t understand the imperatives of doing so, are going to lose the trust of the marketplace.

Twenty years ago, Microsoft could have risked this. Today they can’t as they struggle with a poor response to their Windows 8 operating system and their mobile phone product.

Losing the trust of their customers may be the final straw.

Would you know if you’ve been hacked?

With 200,000 new malware threats each day, keeping ahead of the online bad guys is impossible. We need to be smarter.

“I report to head office in Moscow” is a line which either means you’re in a James Bond movie or at a lunch briefing with the Russian security company Kaspersky.

While the James Bond movie would be fun, the Kaspersky lunch was an interesting briefing on their new security product.

A notable aspect of the discussion was the explosion in malware – there are over a hundred million malicious programs circulating on the internet with over 200,000 new threats every day.

“We struggle to keep up,” says Kaspersky Lab ANZ Managing Director, Andrew Mamonitis.

That a security company with 2,700 specialists struggles to keep up with the evolving threats emphasises the scale of the task facing network administrators and IT managers.

It’s a task beyond all but the biggest companies.

Some time ago I suggested every computer user should assume their computers are compromised and managers should work on limiting what intruders can do to a system.

With staff bringing their own devices to work, those risks are multiplied as some devices will almost certainly be infected with malware.

There are some basic things that computer users should do to make their systems harder to break into; however, it’s almost impossible to protect against a zero-day exploit or the efforts of a sophisticated and determined hacker.

With our homes and motor cars, we realise it’s almost impossible to keep determined thieves out, so we take precautions like alarms, immobilisers and basic security such as keeping valuables out of plain view.

That attitude is what we now need with our computer technology; any hope of keeping your office server impregnable from outside attack is long gone.

Exciting but vague

A blank page for everyone is how Tim Berners-Lee sees the World Wide Web, and this opens opportunities for inventors from all walks of life.

On Tuesday Tim Berners-Lee rounded off his Australian speaking tour with a City Talks presentation before 2,000 people at a packed Sydney Town Hall.

After an interminable procession of sponsor speeches, Berners-Lee covered many of the same topics as in his presentations at the Sydney CSIRO workshop the previous week and the Melbourne talk the night before.

These included a call for everyone to learn some computer coding skills – or at least get to know someone who has some – wider technology education opportunities, more women in computing fields and a warning about the perils of government over-surveillance.

On government monitoring of Internet traffic, Berners-Lee has been strident at all his talks and correctly points out that most of our web browsing histories allow any outrageous conclusion to be drawn, particularly by suspicious law enforcement agencies and the prurient tabloid media.

Who owns the ‘off switch’ is also a concern after the Mubarak regime cut Egypt off the Internet during the Arab Spring uprising. The willingness of governments to cut connectivity in times of crisis is something we need to be vigilant against.

The web’s effect on the media was discussed in depth as well with Sean Aylmer, editor-in-chief of the Sydney Morning Herald, saying in his introduction that Berners-Lee’s invention had been the defining feature of Aylmer’s career.

While the web has been traumatic for a generation of newspapermen, Berners-Lee sees good news for journalists in the data explosion. “How do we separate the junk from the good stuff?” asks Tim. “This is the role for journalists and editors.”

One person’s junk is another’s treasure though and the web presents one of the greatest opportunities for people to “write on their blank sheet of paper.”

When asked about what he regretted most about the web, Berners-Lee said “I’d drop the two slashes,” repeating the line from Melbourne the night before.

At each of his Australian speeches Berners-Lee has paid homage to his mentor at CERN, Mike Sendall. After Sendall passed away, his family found the original proposal for the Hyper Text Markup Language (HTML) which formed the basis for the world wide web.

“Exciting but vague” was the note Sendall made in the margins of Berners-Lee’s proposal.

Vague and exciting experiments was what drove people like James Watt and Thomas Edison during earlier periods of the industrial revolution. Tomorrow’s industries are today’s vague and strange ideas.

Sharks patrol these waters

You can’t expect an anti-virus program to fully protect IT systems; the risks are far more pervasive.

The announcement that the New York Times was attacked by Chinese hackers after exposing the financial details of the nation’s Premier doesn’t come as much of a surprise to anybody following either China or computer security issues.

One of the realities of modern computing is that systems are constantly being compromised; the complexity of IT networks is so great that even the best security experts can be caught off guard.

Securing our networks

In such an environment the normal business and home computer user has little chance against sophisticated criminal or government sponsored attacks, whether by the Chinese or any other spy agency.

One example of how badly wrong things can go for an organisation is the hacking of security advisory firm Stratfor in 2011, which illustrated how the small business practices of relatively open networks and poor password security can have serious consequences.

The issue is not how we fortify our systems against intruders, but how we manage the risk. A useful analogy is how supermarkets deal with shoplifters – they can’t eliminate the problem, but they can manage it in ways that control losses.

Businesses, governments and home users have a range of things they can do to make it harder for hackers to get into a system and to limit what they can access if a determined one gets in.

The limits of anti-virus

Another aspect in the story that doesn’t surprise is the poor performance of the New York Times’ anti-virus software. According to Forbes, Symantec only caught one malware program out of the 45 installed by the hackers.

I have an entirely rational hatred of Symantec. While running an IT support business, their products were the bane of our lives and we encouraged users to choose alternative security software because of the unreliability of many of Symantec’s products, particularly the once proud Norton brand that was aimed at home and small business users.

At the time of the great malware epidemic in the early 2000s, Norton Anti-Virus had a huge market share and it proved to be worse than useless against the various forms of drive-by downloads and infected sites that were exploiting weaknesses in Microsoft Windows 98 and XP systems.

Windows weaknesses

The common culprit was the Windows ActiveX scripting language that Microsoft had introduced to standardise its web features. While a good idea, Microsoft made ActiveX a fundamental part of Windows and gave the feature full access into the inner workings of the system.

Sadly Symantec made the decision to run all their security software on ActiveX as well.

As ActiveX was the main target for malware writers, it meant that Norton AntiVirus or the Security suite would crash in a heap once a computer became infected, and the Symantec software would actively interfere with attempts to clean up a compromised system.

Making matters worse was Symantec’s subscription policies which cut customers off from vital updates and their bizarre policy of not including important upgrades in their automated updating function.

The failures of tech journalism

All of these factors made Symantec a loathed product in our office. It wasn’t helped by a generation of tech journalists who wrote gushing stories about Symantec, gave their products favourable reviews despite the company’s lousy reputation and consulted their employees for expert comment.

It wasn’t tech journalism’s finest hour. What really grates is the number of these folk still peddling nonsense about IT security and anti-virus software.

That distrust of Symantec continues to this day and those of us who struggled with their products a decade ago are not surprised at their poor performance on the New York Times’ network.

State sponsored risks

In defence of Symantec, the Chinese hackers are very good and it’s unlikely any security software would stand up to a sustained and determined attack from them or their counterparts in the US and Israeli governments.

We should also note that government agencies trying to get into systems is not just something done by the Chinese, US and Israelis; every government in the world is engaging in these activities against foreign businesses and their own citizens.

So we have to accept that these breaches and attacks are a real threat to any computer and any organisation. It may well be that we should build our security strategies around the assumption the bad guys are already in the system rather than believe we can build a giant electronic fort to keep the bad guys out.

One thing is for sure, you can’t rely solely on anti-virus software to secure your IT systems.

What happens when software is wrong

A phone company software glitch puts one man’s life and the safety of thousands at risk. It reminds us that computers are not always correct.

The Las Vegas Review Journal yesterday told the story of Wayne Dobson, a retiree living to the north of the city, whose home is being fingered as harbouring lost cellphones thanks to a software bug at US telco Sprint which is giving out the wrong location of customers’ mobile devices.

While it appears funny at first the situation is quite serious for Mr Dobson as angry phone owners are showing up at his home to claim their lost mobiles back.

Making the situation even more serious is that 911 calls are being flagged as coming from his home, and already he has had to deal with one police raid.

While the local cops have flagged this problem, it’s likely other agencies won’t know about this bug which exposes the home owner to some serious nastiness.

That a simple software bug can cause such risk to an innocent man illustrates why we need to be careful with what technology tells us – the computer is not always right.

Another aspect is our rush to judgement: we assume because a smartphone app indicates a lost mobile is in a house that everyone inside is a thief. That the app could be wrong, or that we don’t understand the data well enough to interpret it properly, doesn’t enter our minds. This is more a function of our tabloid way of thinking than any flaw in technology.

The whole Find My Phone phenomenon is an interesting experiment in our lack of understanding risk; not only is there a possibility of going to the wrong place but there’s also a strong chance that an angry middle class boy is going to find himself quickly out of his depth when confronted by a genuine armed thief.

For Wayne Dobson, we should pray that Sprint fixes this problem before he encounters a stupid, violent person. For the rest of us we should remember that the computer is not always right.

Privacy is not someone else’s problem

Modern technology tools have made privacy an issue for everyone.

Early this year a storm broke out about privacy in the United States when a computer rental company was caught spying on its customers.

Technology website Ars Technica has an excellent story describing what the company was doing and the software they were using.

What the story of PC Rental Agent shows is that even small businesses have the tools to run serious surveillance on their customers, and some will do so simply because they can.

The days when privacy could be dismissed as the concern for a few sensitive celebrities, sports people and politicians with something to hide are over – privacy is now your problem.

ABC Nightlife December 2012

Paul joins Rod Quinn on ABC Radio Nightlife across Australia to discuss the tech issues of the day.

Paul Wallbank joins Rod Quinn to discuss how technology affects your business and life. For December 2012 we’ll be looking at business security, Windows 8 and the saga of Apple Maps.

If you missed the program, you can listen to the recording through the ABC website.

Answers to listeners’ questions and links to some of the programs we discussed, including removing Norton Anti-Virus and getting your Windows start button back, are on a later blog post.

Some of the topics we discussed included these below.

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on the night on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

Tune in on your local ABC radio station or listen online at www.abc.net.au/nightlife.

You can SMS Nightlife’s talkback on 19922702, or through twitter to @paulwallbank using the #abcnightlife hashtag or visit the Nightlife Facebook page.

Repelling the online break and enter merchants

Romanian crime gangs have broken into business systems in Australia and the US, how can you stop them from stealing your customers’ credit card data?

Last week’s bust of a gang of credit card thieves by the Australian Federal Police is a warning to businesses on the need to take computer security seriously.

In Australia a Romanian crime gang targeted small retail businesses’ computer systems and stole customers’ credit card details. They would then use the data to create fake credit cards.

A year ago US authorities broke up a similar gang who had targeted the computers of Subway franchises, netting the gang over $10 million before they were caught.

In both cases the gangs used remote access software that was included with their victims’ Point Of Sale (POS) equipment. Once logged into the target’s computers, the bad guys were able to install key-logging and monitoring software so they could steal credit card details as they were entered into the system.

There are a number of lessons in both the Australian and US experiences for big and small business on securing their systems.

Use secure passwords

It’s almost boring to say this, but you need strong passwords for your systems and networks. Make sure you change all default passwords on the systems so they aren’t easily guessed or broken into.

Secure your systems

The Subway hack happened because of sloppy security; you can harden your systems by following good practices such as updating your systems, having malware protection and proper access policies.

Both the Australian and US incidents happened on Windows computers. The crooks were able to get into the computers and then install software because the victims were running in Administrator mode which allows anybody on the computer to control the system.

Daily use should be in limited user mode, which stops people from installing software or changing system settings. Administrator accounts should only be used for system maintenance and should have very strong passwords which are different to the normal limited user profile.

Turn off remote access

Another common factor in the US and Australian incidents is the use of remote access software so technicians can check things and managers can log in from home and other sites.

Unless these are properly set up they are a serious security risk. Unless you or your supplier knows exactly what they are doing, these can open a door from the public Internet straight into your system.

Do not use them unless you are 100% confident in yours, or your suppliers’, ability to run these properly.

Comply with standards

Another factor in these incidents is that systems haven’t complied with the PCI-DSS security standards for card payments. Again if you don’t understand these – and they are complex – find a POS vendor or payments processor who does.

Basically, the standard requires that customers’ card details are not stored on your systems and that devices for processing payments are kept separate from other equipment in your shop or office. Following these basic rules would avoid many of the problems.

Consider cloud services

Many of the problems businesses confront with security arise because they don’t have the skills or resources to deal with the ever evolving security threats.

Moving POS systems and other business critical functions onto cloud services addresses many of these issues, so it is worthwhile considering ditching expensive, unreliable and sometimes insecure server or desktop based systems and moving to cloud services that use tablet computers or smartphones.

Whichever choice you make, it’s important to engage suppliers and consultants you can trust, because if your customers can’t trust you with their details, then you are out of business.
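As an added example (not from the original post), here is a read-only PowerShell audit that checks a single Windows POS machine against the lessons above: whether daily work is done with Administrator rights, whether local accounts lack or have stale passwords, and whether Remote Desktop or other remote access tools are listening on the network. It assumes Windows 10 or Server 2016 or later with PowerShell 5.1; the list of remote-access ports is an assumption to be extended for your own vendor’s tool.

```powershell
# Added example, not the original post's code. Read-only audit of one Windows
# POS workstation. Assumes Windows 10 / Server 2016+ with PowerShell 5.1
# (Get-LocalUser, Get-LocalGroupMember, Get-NetTCPConnection).

$findings = @()

# 1. Is the signed-in account a member of Administrators? Daily use should be a
#    limited user. Group membership is checked rather than IsInRole, because a
#    UAC-filtered token reports IsInRole(Administrator) as false even for admins.
#    Membership via a domain group nested in Administrators is not detected here.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins -and ($admins.Name -contains $identity.Name)) {
    $findings += "Signed-in account '$($identity.Name)' is a member of Administrators."
}

# 2. Enabled local accounts with no password, or a password older than 90 days.
#    Stale or absent passwords are the "default password never changed" case.
$stale = (Get-Date).AddDays(-90)
foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
    if (-not $u.PasswordRequired) {
        $findings += "Account '$($u.Name)' does not require a password."
    } elseif ($u.PasswordLastSet -and $u.PasswordLastSet -lt $stale) {
        $findings += "Account '$($u.Name)' password last set $($u.PasswordLastSet.ToShortDateString())."
    }
}

# 3. The built-in Administrator account (RID 500) should be disabled or reserved
#    for maintenance only.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $findings += "Built-in Administrator account '$($builtin.Name)' is enabled."
}

# 4. Remote Desktop enabled in the registry? 0 means connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += "Remote Desktop connections are enabled (fDenyTSConnections = 0)."
}

# 5. Remote-access ports listening on a non-loopback address. The port-to-tool
#    mapping is an assumption for illustration; add your POS vendor's tool.
$remotePorts = @{ 22 = 'SSH'; 3389 = 'RDP'; 5800 = 'VNC web'; 5900 = 'VNC'; 5938 = 'TeamViewer' }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $remotePorts.ContainsKey([int]$_.LocalPort) -and $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Port $($_.LocalPort) ($($remotePorts[[int]$_.LocalPort])) listening on $($_.LocalAddress), process '$proc'."
    }

# Report. An empty list means the machine matches the basic lessons above;
# it does not mean the machine is secure.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: limited user, passwords set, no remote access listening.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from the account staff use day to day, since check 1 reports on whoever is signed in; a finding under check 5 is where to look for the remote access software the two gangs relied on.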

Protecting yourself on Facebook

A follow up to listeners’ questions from December’s 702 Sydney morning program.

One of the topics we looked at in yesterday’s ABC 702 Morning show was how to protect yourself on Facebook.

We had a number of callers struggling with controlling spam and scams that seem to be coming from their Facebook details. To fix this, you need to lock your personal details so they can’t be seen by the public.

The detailed instructions on how to lock down your Facebook page are available on the Netsmarts website.

Our next ABC Mornings spot will probably be in late January. We’ll let you know when it’s approaching.