Posted on

Social Media or Information Warfare?

Ok, so it was only 30 million accounts and not 50 million…..that’s ok then!

Interesting conjecture as to who was behind the attack. Further evidence I think that identifies FaceBook as no longer being a social media platform but a tool for Cyber Enabled Information Warfare. Whether you use it illegally like these threat actors have or go in as a legitimate customer and pay the money, it is undeniable the power that this tool can provided beyond sharing cat pictures.

https://www.databreachtoday.com/facebook-clarifies-extent-data-breach-a-11598

Posted on

Don’t think I want to bluescreen my car!

Well this is a little scary! The tradition with security vulnerability in software and computer hardware has been ‘ship it and fix it later’. For the most part this worked. It was responsive to business and it also realistically didn’t matter a great deal. Yes, your computer application might have a security vulnerability which may or may not be exploited by a bad actor, but even if it was the impact was generally minimal. If it did happen to impact you then you could “purchase support” at a reasonable price and everyone wins (that was probably a bit cynical of me.

However, today more and more lives are depending upon the same vulnerable technology. Will the same methodology of ‘fix it later’ work when we are talking about medical monitoring equipment or vehicles in busy highways? Somehow I think we are talking about a tipping point here where a new paradigm of how we approach this problem needs to be found and found very fast.

Hopefully markets and sense will prevail and find a solution, but if we look at this historically I think we might be in for a rough time.

https://www.nytimes.com/2018/10/11/opinion/internet-hacking-cybersecurity-iot.html 

Posted on

Information Warfare at a Competitive Price

I guess this really shouldn’t be a surprise that this happened. We already knew that FaceBook were conducting experiments on users judging emotional responses to positive/negative articles in newsfeeds. At the time I don’t think many really extrapolated this as a possible end result however.

What FaceBook has done isn’t (I don’t believe) inherently wrong, it has simply put a power information warfare tool in the hands of those who want to buy it with few controls to govern its usage . Whether this was intentional or not will never be known of course, but the fact remains the capability has been created and is now in the wild.

This article isn’t particularly in depth on the issues this brings up but it does describe a very simple example of why this capability matters and why something should really be done about controlling its usage.

https://www.newyorker.com/news/news-desk/cambridge-analytica-and-the-perils-of-psychographics

Posted on

The spy among us

An interesting and balance article about the potential risks for digital assistants. With Amazon Echo now available in Australia we have the gamut of choice when it comes to our digital assistants.

While I don’t think any of the products on offer today necessarily create a significant risk, they do introduce a vulnerability that can be exploited. You will be providing a cloud enabled device with a lot of information about yourself. You are also relying on security practices of the company that provides the digital assistant. As recent years have shown, few if any companies can claim to be perfect in the area of data protection.

The one thing that I think will be on the horizon with these that we haven’t seen as yet is the introduction of these devices into the business world. I personally can’t conceive of a justification for them today, but if you think back a few years we could probably have said the same about WiFi and the iPad!

Looking forward to this brave new world.

https://worldview.stratfor.com/article/surveillance-operative-lurking-living-room

Posted on

Olympics Fall Victim to Cyber Attack

Well I guess at least it wasn’t due to news footage shot in the events Security Operations Centre displaying critical passwords in the background which I believe happened at a previous similar type of event.

It will be interesting to see the analysis of this one if/when it becomes available. From all accounts they survived this due to the attacker not taking action rather than anything else.

Goes to show you that cyber security will underpin pretty much everything these days.

https://www.nytimes.com/2018/02/12/technology/winter-olympic-games-hack.html

Posted on

Web 2.0 Redux

I think this comes down to a case of properly recognizing your IT asset and securing it appropriately.

The introduction of social media (also known as Web 2.0 back in the day) into government was in my view mostly reactive and an attempt to ‘be hip with what the kids are doing these days’. Things have certainly matured over the years and for the political classes social media is a very valid medium to communicate with the public and most handle the messaging side of it very well.

Where I think things have gone a little astray is understanding its value as an IT asset. Social media accounts for most platforms were never developed with the intent of being an official channel of communication for any organisation or political entity. The security originally was at a level appropriate to a personal internet service. All the major platforms have of course adapted to the new environment and introduced better security measures to protect their product (note, not users or customers….product, but that is another conversation entirely). But technology without process will never succeed.

Organisations and public figures need to understand that security of their ICT systems also include the systems that don’t actually belong to them.

https://www.theaustralian.com.au/national-affairs/politicians-warned-to-use-higherlevel-security-on-social-media-accounts/news-story/78ee468e47e5fa042b3d74a22dcf9e29

Posted on

The price of IT Security is eternal vigilance

There was a time when IT systems didn’t really have that much of an impact beyond the boundaries of the Department or company they support. Certainly their loss was annoying, possibly news worth but ultimately problems would be solved and life would go on. Today that is no longer the case.

Technology has been embraced to make life generally easier, reduce costs and obtain outcomes faster. This is a good thing of course, but any implementation needs to come with the realization that the in the age of information, the new currency is information and people will work to steal it.

The answers to these problems are unfortunately complex and ever changing which all departments and organisations (not only the AEC) are learning daily, but regardless of the technology or the environment involved, it will generally come back to first principles; people, process and technology. Get that balance correct and while you will still a large and ongoing task, you will have a solid foundation.

http://www.afr.com/news/auditorgeneral-slams-australian-electoral-commission-over-poll-security-20180122-h0m7xr 

Posted on

In 2018, you don’t listen to your phone, your phone listens to you!

This article. while probably not much of a surprise – we have seen this type of thing before, does highlight a couple of valuable points to consider.

Your phone is essentially a listening device that permits you to make phone calls. There is a denial by the agency that this took place, but given the research behind this and the fact that if you search for spying/eavesdropping apps in the Google Play store you will find a selection of spying apps that you can purchase today, I think that is reasonable to assume this is more than plausible. If you are a nation state or just needing to conduct sensitive business discussions, phones can pose a risk.

Your users are your weakest link. No matter what sophisticated countermeasures you put in place they will always be undone by a user wanting to see the animated dancing bunny or some other cool thing on the Internet. Security awareness training can help, but it is sometimes not sufficient these days. Analyzing the environment the users are in and adjusting security controls appropriately is sometimes needed.

Don’t trust the app store. Google has had major issues over the years but Apple is not immune either. Both are getting better, but so too are the attackers.

https://www.nytimes.com/2018/01/18/technology/lebanese-intelligence-spy-android-phones.html