Don’t think I want to bluescreen my car!

Well this is a little scary! The tradition with security vulnerabilities in software and computer hardware has been ‘ship it and fix it later’. For the most part this worked. It was responsive to business and it also realistically didn’t matter a great deal. Yes, your computer application might have a security vulnerability which may or may not be exploited by a bad actor, but even if it was, the impact was generally minimal. If it did happen to impact you then you could “purchase support” at a reasonable price and everyone wins (that was probably a bit cynical of me).

However, today more and more lives are depending upon the same vulnerable technology. Will the same methodology of ‘fix it later’ work when we are talking about medical monitoring equipment or vehicles on busy highways? Somehow I think we are talking about a tipping point here where a new paradigm of how we approach this problem needs to be found, and found very fast.

Hopefully markets and sense will prevail and find a solution, but if we look at this historically I think we might be in for a rough time.

https://www.nytimes.com/2018/10/11/opinion/internet-hacking-cybersecurity-iot.html

The spy among us

An interesting and balanced article about the potential risks of digital assistants. With Amazon Echo now available in Australia we have the full gamut of choice when it comes to our digital assistants.

While I don’t think any of the products on offer today necessarily create a significant risk, they do introduce a vulnerability that can be exploited. You will be providing a cloud-enabled device with a lot of information about yourself. You are also relying on the security practices of the company that provides the digital assistant. As recent years have shown, few if any companies can claim to be perfect in the area of data protection.

The one thing that I think will be on the horizon with these that we haven’t seen as yet is the introduction of these devices into the business world. I personally can’t conceive of a justification for them today, but if you think back a few years we could probably have said the same about WiFi and the iPad!

Looking forward to this brave new world.

https://worldview.stratfor.com/article/surveillance-operative-lurking-living-room

Olympics Fall Victim to Cyber Attack

Well I guess at least it wasn’t due to news footage shot in the event’s Security Operations Centre displaying critical passwords in the background, which I believe happened at a previous similar type of event.

It will be interesting to see the analysis of this one if/when it becomes available. From all accounts they survived this due to the attacker not taking action rather than anything else.

Goes to show you that cyber security will underpin pretty much everything these days.

https://www.nytimes.com/2018/02/12/technology/winter-olympic-games-hack.html

The price of IT Security is eternal vigilance

There was a time when IT systems didn’t really have that much of an impact beyond the boundaries of the Department or company they supported. Certainly their loss was annoying, possibly newsworthy, but ultimately problems would be solved and life would go on. Today that is no longer the case.

Technology has been embraced to make life generally easier, reduce costs and obtain outcomes faster. This is a good thing of course, but any implementation needs to come with the realization that in the age of information, the new currency is information and people will work to steal it.

The answers to these problems are unfortunately complex and ever-changing, which all departments and organisations (not only the AEC) are learning daily, but regardless of the technology or the environment involved, it will generally come back to first principles: people, process and technology. Get that balance correct and, while you will still have a large and ongoing task, you will have a solid foundation.

http://www.afr.com/news/auditorgeneral-slams-australian-electoral-commission-over-poll-security-20180122-h0m7xr

Meet the plot to the next Speed sequel…

With the Amazon Echo set to launch in Australia next month it is a good time to take stock of how much integration is really a good thing. The article doesn’t really provide any revelations that would surprise anyone familiar with cyber security, but a cyber attack while sitting at your desk will have a less kinetic effect than a cyber attack while you are travelling at 80 km/h on a busy highway.

I don’t think that security should be a reason to never consider a technology, but a real security-by-design approach should always be the focus in today’s environment.

https://www.nytimes.com/2018/01/25/business/amazon-alexa-car.html

More Regulation Please?

An interesting op-ed piece. While I wouldn’t necessarily say that regulation (government or otherwise) is always the answer (other than to bolster the compliance industry), there is a point to be made here.

Are we reaching a tipping point like that experienced after the Enron fallout, where a more holistic and measured approach to this problem needs to be mandated?

A data breach today is less likely to be an annoyance and more likely to have potentially significant and devastating real-world consequences. The hit list of recent events in this regard identified in the article clearly demonstrates that the problem is just getting bigger.

https://www.nytimes.com/2018/01/08/opinion/cybersecurity-breach-spectre-meltdown.html

Happy New Year, Happy New Devastating Vulnerabilities

Another year and another critical vulnerability (or two) that impacts the very infrastructure we live upon. Spectre and Meltdown have hit the press today. The NY Times has written a fairly well balanced article (https://www.nytimes.com/2018/01/03/business/computer-flaws.html) and hopefully other media will give it the same responsible attention, but somehow I doubt it.

Giving vulnerabilities catchy names and logos is a little bit of a double-edged sword, I think. It certainly raises serious issues and gives them the attention they need, but it also creates a bit of link-bait fodder, which doesn’t help things that much when the issue needs a serious and rational approach to a solution. But it is the world we live in, I guess.

For those interested, the papers relating to the two vulnerabilities can be found under their own registered domain (!): https://meltdownattack.com/