Don’t think I want to bluescreen my car!

Well this is a little scary! The tradition with security vulnerabilities in software and computer hardware has been ‘ship it and fix it later’. For the most part this worked. It was responsive to business and it also realistically didn’t matter a great deal. Yes, your computer application might have a security vulnerability which may or may not be exploited by a bad actor, but even if it was, the impact was generally minimal. If it did happen to impact you then you could “purchase support” at a reasonable price and everyone wins (that was probably a bit cynical of me).

However, today more and more lives are depending upon the same vulnerable technology. Will the same methodology of ‘fix it later’ work when we are talking about medical monitoring equipment or vehicles on busy highways? Somehow I think we are talking about a tipping point here where a new paradigm of how we approach this problem needs to be found and found very fast.

Hopefully markets and sense will prevail and find a solution, but if we look at this historically I think we might be in for a rough time.

https://www.nytimes.com/2018/10/11/opinion/internet-hacking-cybersecurity-iot.html 

Olympics Fall Victim to Cyber Attack

Well I guess at least it wasn’t due to news footage shot in the event’s Security Operations Centre displaying critical passwords in the background, which I believe happened at a previous similar type of event.

It will be interesting to see the analysis of this one if/when it becomes available. From all accounts they survived this due to the attacker not taking action rather than anything else.

Goes to show you that cyber security will underpin pretty much everything these days.

https://www.nytimes.com/2018/02/12/technology/winter-olympic-games-hack.html

Web 2.0 Redux

I think this comes down to a case of properly recognizing your IT asset and securing it appropriately.

The introduction of social media (also known as Web 2.0 back in the day) into government was in my view mostly reactive and an attempt to ‘be hip with what the kids are doing these days’. Things have certainly matured over the years and for the political classes social media is a very valid medium to communicate with the public and most handle the messaging side of it very well.

Where I think things have gone a little astray is understanding its value as an IT asset. Social media accounts for most platforms were never developed with the intent of being an official channel of communication for any organisation or political entity. The security originally was at a level appropriate to a personal internet service. All the major platforms have of course adapted to the new environment and introduced better security measures to protect their product (note, not users or customers….product, but that is another conversation entirely). But technology without process will never succeed.

Organisations and public figures need to understand that security of their ICT systems also includes the systems that don’t actually belong to them.

https://www.theaustralian.com.au/national-affairs/politicians-warned-to-use-higherlevel-security-on-social-media-accounts/news-story/78ee468e47e5fa042b3d74a22dcf9e29

In 2018, you don’t listen to your phone, your phone listens to you!

This article, while probably not much of a surprise (we have seen this type of thing before), does highlight a couple of valuable points to consider.

Your phone is essentially a listening device that permits you to make phone calls. There is a denial by the agency that this took place, but given the research behind this and the fact that if you search for spying/eavesdropping apps in the Google Play store you will find a selection of spying apps that you can purchase today, I think it is reasonable to assume this is more than plausible. If you are a nation state or just needing to conduct sensitive business discussions, phones can pose a risk.

Your users are your weakest link. No matter what sophisticated countermeasures you put in place they will always be undone by a user wanting to see the animated dancing bunny or some other cool thing on the Internet. Security awareness training can help, but it is sometimes not sufficient these days. Analyzing the environment the users are in and adjusting security controls appropriately is sometimes needed.

Don’t trust the app store. Google has had major issues over the years but Apple is not immune either. Both are getting better, but so too are the attackers.

https://www.nytimes.com/2018/01/18/technology/lebanese-intelligence-spy-android-phones.html

Meet the plot to the next Speed sequel…..

With the Amazon Echo set to launch in Australia next month it is a good time to take stock of how much integration is really a good thing. The article doesn’t really provide any revelations that would surprise anyone familiar with cyber security, but a cyber attack while sitting at your desk will have a less kinetic effect than a cyber attack while you are travelling at 80km/h on a busy highway.

I don’t think that security should be a reason to never consider a technology, but a real security by design approach should always be the focus in today’s environment.

https://www.nytimes.com/2018/01/25/business/amazon-alexa-car.html

Meet the new threat, same as the old threat

One of the many prediction articles I suspect we will see in coming days.

http://www.smh.com.au/technology/innovation/swarm-cyber-attacks-crypto-currency-stealing-malware-predicted-for-2018-20180107-p4yyaz.html

The main message we can take away from this is that those wanting to attack systems will use new technology to help them do that, just as those that are wanting to defend systems from attack will use new technology to prevent those attacks. Nothing that startling revealed here, just the continuation of the arms race that has been going on for some years now.

Certainly a concerning future, but not a surprising one.

Original source for the article can be found here: https://blog.fortinet.com/2017/11/14/fortinet-fortiguard-2018-threat-landscape-predictions