As if Volkswagen didn’t have enough to worry about with the emissions scandal, European security researchers have demonstrated a proof-of-concept exploit that can allow an attacker to covertly disable airbags (and other systems) in the German manufacturer’s autos. Unlike the more dramatic wireless hacking demonstration of Jeep vehicles that caused a massive recall, this particular exploit requires actual contact with the car, either via a compromised laptop or a malicious USB device connected to the vehicle’s diagnostics port. To demonstrate the hair-raising potential of this exploit, the hackers were able to completely disable the airbag while having the onboard software continue to report the system as functioning properly. For now, the hackers limited their hacking to this proof-of-concept, but they believe that with further testing and research someone could develop malicious code capable of executing more serious system disruptions while the vehicle was in motion, and perhaps long after the infecting device was removed.
What this means for you:
We are rapidly approaching a future where most of the devices upon which we rely will have embedded computers. Here’s a short list of items that already appear in homes and have this capability right now:
- Thermostats
- Burglar alarms
- Surveillance systems
- Major appliances (refrigerators, ovens, washing machines)
- Door locks
- Lighting systems
- Televisions
- Electrical meters
- Gas meters
- Fire and life-safety systems
As the researchers of the Volkswagen exploit were quick to point out, the problem wasn’t with Volkswagen’s engineering, but a weakness in a third-party diagnostic system, an easily compromised laptop – mechanics don’t have special devices, they use the same gear we use – and our willingness to plug things into our devices without specialized knowledge or assurances of security and safety. Many of the items listed above are easily accessible by visitors, repairmen and sometimes complete strangers, and even though the infecting agent may be completely unaware that the device they are connecting to your devices is compromised, the damage is already done once it gets plugged in. Once again, the weakest link is the human, either us or some hapless mechanic. It’s important to be aware of all the systems with which you surround yourself, as well as who is servicing them, and whether they themselves are taking the necessary precautions to stay safe.
The launch of Google Glass, though initially celebrated by the hardcore nerd crowd, was generally greeted with derision, scorn and outright hostility in some cases. After a few short months of trying to generate buzz in a largely disinterested consumer market, Google packed up its toys and went back to the drawing board. At the time, the marketing campaign was somewhat tone-deaf to the general public’s growing privacy concerns and there really weren’t many practical applications that weren’t being done better and much less conspicuously on a smartphone or tablet. As of June this year, Google has refocused their efforts on wearable technology with a new team called Project Aura, and have been quietly shopping the next generation of Glass to tech-dependent industries like energy, manufacturing and healthcare.
Like a phoenix from the ashes!
One project that has caught some media attention is a clinical trial run by Stanford to test whether or not Google Glass could provide help to autistic children. Researchers have developed software that can identify basic human emotions when a Glass wearer looks at another person’s face, a social skill that is significantly underdeveloped or absent in those affected by autism. One component of the program is a simple game in which the wearer is directed to find someone displaying a specific emotion, for example, someone who looks “happy,” and if the child “sees” someone who has a smile on their face, they receive points. The researchers hope that by gamifying the experience and reinforcing learning with instantaneous feedback, autistic children can develop skills that will assist them with interpersonal interactions. On top of this, the device can provide constant telemetric data about the wearer themselves, allowing researchers to gather detailed information on things like eye contact and whether or not the child is gradually becoming better at locating particular emotions.
After an early trial with 40 children in a lab environment, Stanford is launching the next phase of its clinical trial by expanding the run to 100 families in their own homes. The portable, connected nature of Google Glass seems particularly well suited for these types of applications, and you can bet we are only seeing the very beginnings of their potential applications in the medical field.
Adobe Flash can’t seem to catch a break. Their most current black eye has arrived in the form of yet another zero-day exploit of a vulnerability in the latest versions (19.0.0.185 and 19.0.0.207) of the browser plug-in. According to Trend Micro’s blog, the hacking group Pawn Storm is targeting government workers via spear-phishing emails that contain links to news about current events. Instead of taking them to a legitimate news story, the links lead to compromised websites that can install malware onto the victim’s computer via the aforementioned exploit. Rather than the usual identity theft, this group seems to have a more politicized agenda and bears similarities to attacks on NATO from last year.
What this means for you:
If you are new to this blog, you may not have been briefed on the #1 Rule of Personal Technology Security: “Don’t click strange email links.” Even clients who have weathered years of me saying this sometimes let their guard down, so Rule #2 is “Be prepared for the worst,” which you should interpret as (1) having a strong firewall, (2) trusted anti-malware installed, and (3) a contingency strategy that includes backups and plans for operating without core infrastructure when things do go wrong. The sad matter of fact is that cyberattacks will get past anyone’s mental guard – we are only human after all – at which point properly installed and configured technology can act as a safety net. Note the emphasis – poorly implemented security is worse than nothing at all in some cases. When you have nothing, at least you aren’t lulled into a false sense of security. And don’t count on the (perhaps prematurely reported) death of Flash as a means to improve everyone’s overall security profile. We haven’t quite seen the end of Flash just yet, and there are plenty of other platforms (Java anyone?) that could easily take its place if and when Adobe finally puts this software out to pasture for good.
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
Three major companies and a popular crowdfunding website joined the illustrious ranks of the hacked last week. At the forefront of media attention was mobile service provider T-Mobile, who had to explain to nearly 15 million of its customers that anyone who had their credit checked while in the process of applying for T-Mobile service would now be enjoying the “benefits” of a near perfect (for identity thieves) exposure of their data, including name, date of birth, social security number, addresses, phone numbers and even government-issued ID numbers. Online brokerage Scottrade suffered a breach exposing nearly 5 million customers over a year ago that they didn’t even know about until informed by authorities investigating the matter. Rounding out the list of big names is everyone’s favorite business bad-boy, Donald Trump and his Trump Hotels business, of which seven luxury hotels appear to have suffered a year-long breach in security that allowed thieves to siphon off guest credit and debit card data. And if that wasn’t enough, data thieves also managed to penetrate Patreon, a website used primarily by independent artists and entrepreneurs for fundraising, and exposed over 2 million users’ emails and passwords as well as their specific site activity.
What this means for you:
By this point, if you haven’t at least racked up two years or more of “free” identity theft protection from the numerous data breaches, you have been living the life of a true luddite and should share the secrets of your success (just not online, right?). What I’ve found among many of my clients, friends and family is that most have just furrowed their brows, shaken a symbolic fist at the faceless enemy/internet/corporation and more or less accepted this as a new fact of life. Many of them haven’t even taken advantage of the credit protection services offered as compensation for being a victim of one or more data breaches. As I’ve mentioned in the past, most Americans are now suffering a near textbook-perfect example of bad news fatigue, primarily because it seems like nothing can be done. But there are things you can do:
- Have a look at Have I Been Pwned to see if any of your email addresses show up. If they do, you should change your passwords, especially if the account that was “pwned” was associated with a password you use elsewhere.
- Sign up for any identity/credit protection services offered to you if they are still available. While they may not be able to prevent an attempt to use your identity, you are much more likely to catch it happening, and these companies can help recover from damage caused by the theft.
- Most critical online services such as banking and email offer two-factor authentication which can provide a much higher degree of security. Even though a hacker may have a password for your account, they won’t be able to access accounts protected by two-factor authentication.
- Understand what data you or your company is responsible for, and if you use vendors to process any of that data, make sure they are exercising proper diligence in securing their perimeter and your data. In the case of T-Mobile’s breach, credit-check vendor Experian was the source of the breach that will likely result in significant financial and reputation distress.
The launch of Windows 10 saw a marked increase in the amount of data the OS collected and sent back to the Microsoft mothership. Despite the general hue and cry from privacy watchdogs, Microsoft actually doubled down on this practice shortly after the Windows 10 release and extended this “feature” to Windows 7 and 8 as well. Given that Windows 10 hit 100 million installs in record time, and with a worldwide goal of 1 billion installs in 3 years, Microsoft seems to have decided to break their stony silence on the growing privacy concerns before they hit critical mass. Vice President Terry Myerson confirmed via the Windows Blog that Microsoft is collecting two types of data, and then goes on to mention a set of data they specifically don’t collect, but other platforms (i.e. the competition) do.
What this means for you:
The data Microsoft collects from every Windows 7, 8 and 10 computer falls into two buckets they name as “Reliability & Performance” and “Personalization”. The first type of data has actually been collected for years: remember those blue screens of death that plagued our Windows existence? Depending on how your computer was configured, whenever that garish specter showed its ugly face, your computer was compiling an error report that could be sent to Microsoft, ostensibly to catalog and analyze your crash. Assuming enough of those reports came in on the same bug, they would construct a patch that would be rolled into one of the many OS updates applied over the years. Where in previous OS versions this data seemed to be largely compiled and ignored, Microsoft has taken a much more aggressive and proactive approach with the Windows 10 data being collected, and using it to quickly fix issues, improve performance and to add features that users are missing. The important difference now versus years previous was whether or not you had a choice in letting Microsoft see this type of data collected from your computer. From this point forward, you can only adjust the detail of data submitted, but cannot opt out (except by completely disconnecting from the internet forever). According to Microsoft, the data is anonymized, transmitted securely and can never be tracked back to a specific person or machine.
The second set of data (from which you can opt out) is used to feed Microsoft’s digital assistant Cortana (named after a videogame character from the Halo franchise). Microsoft’s answer to Apple’s Siri and Google’s Now services is still very new and untested, but shows similar promise in helping Windows 10 users get more from the new OS if they like that sort of thing. The key to these types of services is their ability to build a personal knowledge graph of the user which can be based upon just about every aspect for which a computer or mobile device is used, including location, age, gender, contact lists, favorites, browser & shopping history and so on.
Don’t want Cortana (Microsoft) creating a profile on you? Head to the Windows menu (the one they brought back in 10, remember?), click “Settings” and then “Privacy”. Get settled in to review every entry and adjust until your sense of privacy is somewhat restored, at least as far as Windows 10 is concerned.
Apple is infamous for its stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, they can no longer wear that badge with pride, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, security analysts believe that the infected apps weren’t purposefully compromised, but were caused by Chinese app developers using an infected version of Apple’s coding framework, Xcode, to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.
What this means for you:
Unless you make a habit of installing Chinese iOS apps you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us that aren’t impacted, this particular failure illustrates two important points about security:
- No security system or process is infallible. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
- The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3GB) and is very slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware-infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!
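“Confirm your source” has a mechanical half: whatever mirror a large package came from, its checksum can be compared against the digest the official vendor publishes on its own (HTTPS) download page. The following is an added example of that check, written by me rather than taken from the post or from Apple; the “installer” bytes, the altered mirror copy and the published digest are all constructed inside the script so it runs offline. It streams the file so a multi-gigabyte download never has to fit in memory.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks; works for installer-sized files."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_bytes(data: bytes, published_sha256: str) -> bool:
    """Same check for data already in memory. Constant-time comparison; tolerates the
    whitespace and upper-case hex that copy-pasting a digest tends to introduce."""
    expected = published_sha256.strip().lower().encode()
    return hmac.compare_digest(hashlib.sha256(data).hexdigest().encode(), expected)


def verify_download(path: str, published_sha256: str) -> bool:
    """True only if the file on disk hashes to the digest published by the official source."""
    expected = published_sha256.strip().lower().encode()
    return hmac.compare_digest(sha256_of_file(path).encode(), expected)


def demo() -> tuple:
    """Constructed scenario: one copy of a package as the vendor shipped it and one from
    a mirror that altered it. Returns (official_verifies, mirror_verifies)."""
    genuine = b"CONSTRUCTED-SAMPLE installer bytes; stands in for a real package"
    # In practice this digest is copied from the vendor's own download page, not computed here.
    published = hashlib.sha256(genuine).hexdigest()
    altered = genuine + b"\n# extra bytes appended by an untrusted mirror (constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        official = os.path.join(tmp, "package-official.bin")
        mirror = os.path.join(tmp, "package-mirror.bin")
        with open(official, "wb") as fh:
            fh.write(genuine)
        with open(mirror, "wb") as fh:
            fh.write(altered)
        return verify_download(official, published), verify_download(mirror, published)


if __name__ == "__main__":
    ok_official, ok_mirror = demo()
    print("official copy verifies:", ok_official)
    print("mirror copy verifies:  ", ok_mirror)
```

The digest has to come from somewhere you already trust (the vendor’s own site over HTTPS, or a signature you can check), otherwise a mirror that alters the package can just as easily publish a matching checksum beside it.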
By all accounts, the launch of Windows 10 is probably Microsoft’s most successful release since Windows 95. From an IT professional’s perspective and given Microsoft’s history with OS launches, this is definitely the least troubled release since Windows 7 (2009). Despite this, I have gathered enough feedback on the upgrade process, both through my own and client experiences as well as reports from around the web, to not recommend it YET for my clients’ business machines, especially if they are operation-critical devices. While the upgrade process seems to go relatively smoothly and painlessly, the actual problems start to crop up after the process finishes and you attempt to get back to work. Historically, in-place operating system upgrades have never worked well on Windows machines, and while 10’s experience seems to improve on Microsoft’s track record in this area, it’s still a risky path at the moment. Unfortunately, despite my recommendation (one shared by many other pros in the business as well) to avoid upgrading your Windows 7 or 8 machine, Microsoft is essentially forcing you to download a copy anyway, whether you plan to upgrade or not.
What this means for you:
Depending on the amount of free space on your hard drive and bandwidth usage cap of your internet connection, this may be no big deal, especially if you do intend to upgrade to Windows 10 at some point. Microsoft sneaks the package onto your machine via Automatic Updates and stores the 3-6GB download in a hidden folder called “$windows.~BT” (the $ hides directories in Windows and is not a wry, insiders joke made by greedy MS programmers). It will do this even if you have been studiously ignoring the pesky system tray app that constantly reminds you that your free Windows 10 upgrade is just waiting to be installed. According to Microsoft, this is by design and ostensibly done to make the process quick and easy:
For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they’ll need if they decide to upgrade.
To be fair, some folks (rather impulsively in my opinion) seem to make the decision to upgrade to Windows 10 on the fly, possibly because of the way Microsoft has relentlessly pushed the new OS.
Unfortunately, if you choose to use Automatic Updates (and you should unless your technology is managed by an in-house IT department, at which point they will make that call depending on organizational policy), then you can’t avoid this download without some messy registry hacking and fussing with your computer. I can hear some of you scoffing, “6GB? Who doesn’t have room for 6GB?!” Well, 128GB SSD laptop users for one, and I know many, many folks running older computers with smaller 250GB hard drives that are on the edge of being completely full. On top of this, many folks use cellular broadband on their laptops, and this sizeable “update” could easily push their bandwidth allotment over the edge. While I applaud Microsoft’s forced march towards a modern operating system on all Windows machines (see “The World Still Clings to Windows XP”), this heavy-handedness on top of the privacy concerns has me revising my ranking of this release lower and lower.
Though the average consumer is still many years away from seeing or using one, quantum computers are moving steadily from theory to reality, and seem to be following the same accelerated curve most other technologies follow. First theorized in the 1960s, the field of quantum computing was formally established in the early 1980s, but actual systems using quantum computing only appeared in this decade. Lockheed Martin purchased in 2011 what appears to be the first physical implementation of a quantum computer: the D-Wave One. Google launched its own quantum computing initiative in 2013 in a joint effort with NASA, and Edward Snowden revealed in 2014 alleged plans by the NSA to build a quantum computer expressly for cracking encrypted data.
[Skip this section unless you really want a brain twister!] Quantum mechanics on its own is an incredibly dense and complex field of science, and even though quantum computing concerns itself with a specific application of quantum mechanics, it is just as inscrutable as modern computers are now to most people. In a nutshell, where modern computers process data by boiling down everything to zeros and ones (bits), quantum computers process data using qubits, which can exist as either a zero or one, or any number of infinite states in between. While you are trying to wrap your head around that one, consider this next mind-blowing fact: where traditional CPUs solve problems by switching between one or zero (albeit very, very quickly) and testing a condition (is it 0 or 1), a quantum CPU can simultaneously solve for one and zero at the same time. Because of this capability, a quantum CPU would be a vast leap forward both in speed and complexity as compared to a “traditional” CPU.
What this means for you:
Scientists and security experts are justifiably concerned that quantum computers could easily crack the toughest encryption methods in use today. Encryption that would normally take today’s computers thousands of years to crack could, in theory, be broken within hours on a quantum computer. It’s not a long jump to suppose that the first organizations to implement quantum computers will be nation-states and large corporations, and then the race will be on to safeguard data with even stronger cryptographic algorithms. Echoing an arms race not unlike the nuclear one in decades past, modern technology is advancing at a pace that most humans will never stay ahead of, and we are relying on a small number of people in power who continually demonstrate an alarming lack of understanding of technology in general. It’s important for all of us to step up our game and to focus on, at minimum, learning more about the technology we use every day, and when we hit our limit, making sure we are protected and led by more knowledgeable people we can trust.
Under the auspice of saving battery life on laptops, Google just made good on their promise in June of this year to pause Flash elements on webpages loaded in their browser, Chrome. Though they don’t outright name what elements they are targeting *cough* advertising *cough*, as of September 1, Chrome will, by default, no longer autoplay Flash-based media on any page. If you want to punch that monkey to win a prize, you will have to click on the advertisement to get it to dance around on your screen. Now before you break out the champagne, this certainly doesn’t mean the end of web advertising by any stretch of the imagination – many of the ads you see are HTML5-based (including Google’s own AdWords platform) – but seeing as Chrome has 50% of the browser marketshare, it’s a safe bet that many, many advertisers will stop using Flash as a delivery mechanism, and given Flash’s long history of security weaknesses, this is a good thing.
What this means for you:
If you’re using Chrome as your main web browser, make sure it’s updated to the latest version, and start breathing the Flash-paused air. Firefox users have been enjoying this particular state for a little while now, as Mozilla put Flash in permanent time-out last month. If you are still using Internet Explorer (and many, many folks are required to because of various corporate applications) you can also experience a Flash-paused existence by following the steps outlined in this article.
Most importantly, if your website was designed with Flash elements (as many were up to about 2 years ago), it’s time to refresh your online presence to marginalize or eliminate the dependency on Flash. Its days are well and truly numbered.
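Before you can “marginalize or eliminate” a Flash dependency you have to find it, and on a site that has been edited by several people over several years that is not always obvious from the CMS. The following is an added example (mine, not code from the post or from any of the vendors it mentions) that scans a page’s HTML for the three ways Flash was typically embedded: an `<object>` declaring the Flash MIME type, pointing at a `.swf` file or carrying the well-known Flash ActiveX class id, an `<embed>` doing the same, and a `<param name="movie">`. The sample page at the bottom is constructed; point `audit_html` at your own saved pages instead.

```python
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# The ActiveX class id Internet Explorer used to load the Flash player.
FLASH_CLSID_FRAGMENT = "d27cdb6e-ae6d-11cf-96b8-444553540000"


class FlashAuditor(HTMLParser):
    """Collects (line_number, tag, reference) for every element that loads Flash content.
    Self-closing tags such as <embed ... /> reach handle_starttag via HTMLParser's default
    handle_startendtag, so they are covered too."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _flag(self, tag, reference):
        self.findings.append((self.getpos()[0], tag, reference))

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "").strip() for name, value in attrs}
        if tag == "object":
            if (a.get("type", "").lower() == FLASH_MIME
                    or a.get("data", "").lower().endswith(".swf")
                    or FLASH_CLSID_FRAGMENT in a.get("classid", "").lower()):
                self._flag(tag, a.get("data") or a.get("classid", ""))
        elif tag == "embed":
            if a.get("type", "").lower() == FLASH_MIME or a.get("src", "").lower().endswith(".swf"):
                self._flag(tag, a.get("src", ""))
        elif tag == "param":
            if a.get("name", "").lower() == "movie" and a.get("value", "").lower().endswith(".swf"):
                self._flag(tag, a["value"])


def audit_html(markup: str) -> list:
    """Return every Flash reference found in the markup, in document order."""
    auditor = FlashAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample page: one Flash banner done the "belt and braces" way (object with a
# fallback param), one bare embed, and an HTML5 video that must not be reported.
SAMPLE_PAGE = """\
<html><body>
<h1>Home</h1>
<object type="application/x-shockwave-flash" data="banner.swf" width="300" height="250">
  <param name="movie" value="banner.swf">
</object>
<embed src="intro.swf" type="application/x-shockwave-flash" />
<video src="intro.mp4" controls></video>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, reference in audit_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads Flash content: {reference}")
```

Run it over the saved HTML of each page of your site (or the templates in your CMS) and you get a list of exactly which elements need an HTML5 replacement; an empty result for every page is the point at which Chrome’s and Firefox’s changes stop affecting you.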
Remember a couple weeks ago when the adultery website Ashley Madison and assorted “sibling” sites were hacked? The alleged hackers were holding the data hostage and demanding that (parent company) Avid Life Media be held accountable for what the hackers claimed was the fraudulent business practice of offering website “patrons” the opportunity to pay to have their data completely erased. The data has been released (including the supposedly erased data), it is now searchable thanks to websites like Have I Been Pwned, and it’s wrecking lives like, well, a proverbial home-wrecker. It doesn’t take much imagination to envision why this is happening – marriage as an institution in America has been on some fairly rough ground lately, but you don’t come to this blog for that kind of gossip…
So here’s my IT angle on the whole mess:
- Just one, simple piece of data in the wrong place at the wrong time can be a game changer. In the case of the above, finding someone’s email address in the database separate from any other context can utterly destroy trust. And this doesn’t have to be a spouse or a family member: it can be a congregant, constituent, employee, employer, customer, client, prospect, competitor, adversary or worse – a true enemy. Many have said that their accounts were created for research (I didn’t even put that in quotes), and many probably were and even have official documentation backing up that claim, but when data is released without context, the victims don’t have any control over how the data is viewed or used.
- Most agree that Avid Life Media’s IT team had more than adequate protections and data encryption in place, but like every other business, they were fighting a losing battle. As I’ve said repeatedly (as has most of the industry), the current battle against digital intrusion is a war of attrition, and the attackers have the upper hand. They only have to succeed once to win, but we, in defending our organizations, cannot stumble even once. In case you are having trouble envisioning why this is, imagine a game of soccer where you are the goalie and the hacker is the other team. It’s just you versus the entire team, and there are multiple balls in play. They only have to score once to win. You, on the other hand, can only hope to get one of the opposing team out on penalty to slow them down, but guess what? They have a rather deep bench. And there are no time outs.
- Do your employees or vendors have access to data or systems to which they shouldn’t? Some believe the hack was an inside job. Keep in mind that you have to trust someone at some point to manage your security. Though it may be difficult or even painful to examine your operations for disgruntled employees or customers, unethical or inhumane practices reap as they sow, as Avid Life Media is perhaps experiencing first hand.
- Things done on the internet can never be erased. Even if you pay someone to do so, and they make an honest attempt at it, the internet never forgets. Want to keep something secret? Keep it as far away from the internet as possible. Can’t (or won’t) do that? Count on it not being secret and at least you’ll be prepared for when it does become public. Also, there are very few levels of obscurity on the internet, in most cases, things are merely forgotten or overlooked, but they never truly disappear from view.
- Privacy and security are hard won, and increasingly so as time progresses. Expect the costs of maintaining these things to continue to rise.
With all the recent, high profile hacks it’s hard to not be a “Debbie Downer” when it comes to the current state of security and privacy – but don’t fool yourself into thinking that things aren’t as bad as they might seem. Taking a realistic view on internet privacy and security is important in achieving a balanced perspective when making decisions on what to spend (both in dollars and energy) on defending yourself and your business. It’s not the end of the world. Not nearly. But it’s rough out there, and likely to get worse before it gets better. Be prepared, be realistic: plan for the worst and hope for the best.