Meet the plot to the next Speed sequel…

With the Amazon Echo set to launch in Australia next month, it is a good time to take stock of how much integration is really a good thing. The article doesn’t really provide any revelations that would surprise anyone familiar with cyber security, but a cyber attack while sitting at your desk will have a less kinetic effect than a cyber attack while you are travelling at 80km/h on a busy highway.

I don’t think that security should be a reason to never consider a technology, but a real security by design approach should always be the focus in today’s environment.

https://www.nytimes.com/2018/01/25/business/amazon-alexa-car.html

A master key for all

The topic of law enforcement access to encrypted devices has again reached the media (http://www.smh.com.au/world/fbi-chief-calls-phone-encryption-a-major-public-safety-issue-20180109-h0fwz1.html). It is something that seems to appear with increasing regularity.

The ironic thing here is that if the various calls from different governments were successful in implementing some form of backdoor to encryption, they would be in just as much trouble as the public who are railing against such changes. Probably more. I am certain the inevitable vulnerabilities and flaws introduced by such changes would be targeted at government information with more devastating impact than on that of the average Joe/Jane Citizen.

This is a complex issue and unfortunately one that gets sidelined by emotive arguments from both camps. The ‘for’ camp usually cites the issues of terrorism and child protection (the two most unassailable arguments, and rarely addressed directly by opponents). The ‘against’ camp usually cites privacy and government overreach into the lives of its citizens (a valid argument of course, but not one that addresses the main issues).

I don’t disagree that there realistically needs to be something done. Information is becoming predominantly digital, and law enforcement does have a job to do, which at times is hindered by the ubiquity of strongly encrypted devices.

However, the calls to implement a form of backdoor into existing crypto technology will only weaken the foundation of strong and secure Internet communications and transactions, the very communications and transactions that underpin the functioning of much of contemporary society.

The creation of backdoors or ‘master keys’ will create a weakness that will need to be strongly controlled and highly protected. Any compromise of this mechanism would have the impact of potentially destroying the confidentiality of all data/devices/systems protected by that crypto system. As we have seen over recent years, the ability of organisations or governments to protect their most valuable information is never assured. All this approach would do is create a crown jewel target that would be the sought-after prize of cyber criminals and foreign intelligence services alike (if only we had some way to securely encrypt such a target… oh wait!).

The current article raises some details in support of its argument. The FBI was unable to gain access to the content of 7,775 devices in fiscal year 2017. I would suspect this certainly represents a source of frustration for investigators who are pursuing their cases. However, the article does fail to address a couple of points.

Of those 7,775 devices that were inaccessible and their associated investigations, how many of those investigations failed due to the inability to access the data? Namely, how many criminals avoided conviction because of the encryption on the devices? A device is one element of an investigation and, I would suspect, in very few cases the only avenue of approach for the investigation. While access to the data is likely critical in a number of those cases, the raw figure being presented as a ‘public safety issue’ is not really a valid argument.

Ever since encryption was first used by nation states for communications there have been attempts to break the various codes that have been used. Where it hasn’t been possible to read the information being transmitted, other methods have been developed to gain as much insight as possible. The analysis of the signal transmission itself can elicit useful information. Basically, the presence of communication and the identity of the recipient can also be used to further an investigation without necessarily knowing the content of the message.

Moves by law enforcement and governments to state their case for this in an emotive and urgent manner will not lead to a rational discussion of viable solutions. There is a risk here that in their pursuit of capability great damage may be done to the underlying confidentiality mechanism that the world relies on so heavily.

Certainly, I would agree there is a need for this capability, but it is not solely a technical discussion. It requires equal parts engagement of stakeholders, involving strong legislative protections as well as support from the relevant technology stakeholders.

There are solutions to this problem. And I do hope that we reach the one that is right for all.

Meet the new threat same as the old threat

One of the many prediction articles I suspect we will see in coming days.

http://www.smh.com.au/technology/innovation/swarm-cyber-attacks-crypto-currency-stealing-malware-predicted-for-2018-20180107-p4yyaz.html

The main message we can take away from this is that those wanting to attack systems will use new technology to help them do that, just as those wanting to defend systems from attack will use new technology to prevent those attacks. Nothing that startling is revealed here, just the continuation of the arms race that has been going on for some years now.

Certainly a concerning future, but not a surprising one.

Original source for the article can be found here: https://blog.fortinet.com/2017/11/14/fortinet-fortiguard-2018-threat-landscape-predictions

More Regulation Please?

An interesting op-ed piece. While I wouldn’t necessarily say that regulation (government or otherwise) is always the answer (other than to bolster the compliance industry), there is a point to be made here.

Are we reaching a tipping point like that experienced after the Enron fallout, where a more holistic and measured approach to this problem needs to be mandated?

A data breach today is less likely to be an annoyance and more likely to have potentially significant and devastating real world consequences. The hit list of recent events in this regard identified in the article clearly demonstrates that the problem is just getting bigger.

https://www.nytimes.com/2018/01/08/opinion/cybersecurity-breach-spectre-meltdown.html

Happy New Year, Happy New Devastating Vulnerabilities

Another year and another set of critical vulnerabilities that impact the very infrastructure we live upon. Spectre and Meltdown have hit the press today. The NY Times has written a fairly well balanced article (https://www.nytimes.com/2018/01/03/business/computer-flaws.html) and hopefully other media will give it the same responsible attention, but somehow I doubt it.

Giving vulnerabilities catchy names and logos is a bit of a double-edged sword, I think. It certainly raises serious issues and gives them the attention they need, but it also creates a bit of link-bait fodder, which doesn’t help much when the issue needs a serious and rational approach to a solution. But it is the world we live in, I guess.

For those interested, the papers relating to the two vulnerabilities can be found under their own registered domain (!): https://meltdownattack.com/

The New World Order of Privacy

I suspect we will be seeing more of these types of articles in coming months and years. This is essentially the same type of problem that impacts other areas of security, from secure software development to encryption: we develop an assurance method and then research (legitimate or otherwise) finds the flaws. The problem I see is that, unlike secure software development and encryption, de-identification methods don’t have the same level of maturity. With the current environment of data (especially personal data) being of high value, we are going to need to mature these methods very quickly.

http://www.smh.com.au/technology/innovation/australians-health-records-unwittingly-exposed-20171218-p4yxt2.html

Article: Privacy in the digital age is only possible if we act now

A recent article published by Charlie Lewis in Crikey discusses the state of affairs that is information security and privacy in the digital age.

Privacy in the digital age is only possible if we act now

I think the last paragraph highlights the key issue we have here; privacy advocates don’t seem to be able to agree on the most appropriate way forward.

There should also be some acknowledgement in this discussion that in many ways it is too little, too late. So many major businesses rely on the collection and trade of personal information. If we were to make any meaningful change in this area, those companies would require a new income and business model.

I am afraid that we have long ago given away our rights for privacy in exchange for convenience.

(Note: new Crikey articles are behind a paywall for the first two weeks after publishing)

Security Awareness Training. What’s it all about?

No one likes doing this, and security professionals generally don’t like providing it. Unfortunately it is a much maligned and underestimated part of protecting the security of the organisation. You will generally (eventually) patch your systems and upgrade your software and your hardware. But you will often leave your users alone after forcing them into a room with a PowerPoint slide deck that most will probably not pay much attention to.

In the times when I have had to give this type of training, I have found that the one key is making the material relatable to the user. Put simply, the “what’s in it for me” principle.

Users care about their job and they often don’t necessarily see security as being part of their job. Forcing it to be part of their job is one approach, but it usually isn’t effective.

If you use the “what’s in it for me” principle, you adapt the material to be relevant to the users’ own use of IT at home.

Try turning:

“You need to ensure that the password you use for the corporate HR system is complex and unique”

into something like this:

“Hackers are constantly trying to gain access to any accounts that contain personal information. They use tools which try every password combination in quick succession. Just like in this demo.

[spin up a prepared Kali box running John the Ripper or the password cracking tool of your choice]

So to protect your social media account, your bank account, or our corporate HR system, you need to make sure you have a strong password; and this is how you create one…”

This way users have a greater motivation to pay attention, because it concerns something personal to them. The fact that they are likely to also apply it to the corporate system is the added bonus here.

At the recent Australian Cyber Security Centre Conference (ACSC 2017), the Chief Information Security Officer of Airbus Group, Stephen Lenco, gave an interesting session on the approach he took to ensure cyber security awareness was ingrained in Airbus Group staff. The two areas of focus were communication and connecting with the users. This is ably demonstrated in a number of the security awareness training videos they produced.

This is just one example. If you search on YouTube you will find a number of additional examples.

So basically, security awareness training is primarily an exercise in communication. You need to ensure not only that the content you need is present, but that the message is getting through to your audience.