Advances in medical technology are making people’s lives better every day and the future looks even brighter … and darker, if we don’t get the security right. Here’s a link to a piece I wrote for the IBM blog on the subject I hope you find useful.

Apple released iOS 9 this week. Hurray! But some (most) of you are thinking it might be wise to watch from the sidelines on this and let the bleeding edgers endure the initial onslaught of headaches that we all know can result from a software upgrade of this significance. There’s certainly a case to be made for this more circumspect approach.

However, if you are really concerned with caution, you might want to think again. The reason is that iOS 9 fixes over 100 security vulnerabilities that are lying around inside the bowels of its predecessor. That’s enough bugs to call in an exterminator, which is what iOS 9 could be.

One of the more interesting scenarios involves an exploit that abuses AirDrop to install malware on a mobile device. Here’s a video that demonstrates the attack.

Of course, with a new mobile OS comes the possibility of even newer bugs, but the point is that the cat is out of the bag on the old ones. The bad guys know about them and will be looking to take advantage. The new bugs are yet to be discovered.

That may not be the most comforting thought, but look at it this way. If you knew there were copies of the keys to your house being circulated among the cat burglar community, would you want to sit tight and hope none of them figured out where you lived, or would you change the locks? New locks might still be picked, but at least you make the job harder for the bad guys.

You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither do cars, which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system, so take a guess at how many security holes that translates into…

Apple has done a better job in this area because, as both the hardware maker and OS supplier, they had two-thirds of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had three players that needed to sync up, since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google), which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slain yet, as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out, but it’s a step in the right direction and one that is long overdue.

I recently wrote about a vehicle hacking demonstration which exposed serious vulnerabilities in a 2014 Chrysler Jeep Cherokee in “Hack my ride.” As expected, the threat extended well beyond that specific make and model and resulted in the recall of 1.4 million vehicles that were affected by the vulnerability.

Don’t feel smug because you don’t drive one of those models because the hits keep coming…

Here’s one that affects GM’s OnStar system, specifically the mobile app that allows for remote access of vehicle functions. As you can see in the video below, it is possible to create a good deal of havoc with little more than about $100’s worth of equipment.


When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference for the hacker jargon to “own” or control a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting.

The consequences?

a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

The good news? This one should be fixable with a patch to the mobile app.

The bad news? Expect to see more of these sorts of car hacks to come.

Ever told someone a secret only to find out later that they blabbed it to everyone they knew? Irritating, huh?

Ever let someone on your home wireless network only to find out later that all their friends now have access as well whenever they get within range? Not yet, but you will … 

… unless Microsoft rethinks a new feature they included in the latest and greatest release of their flagship OS — Windows 10.

Generally speaking, the early reviews for Win 10 have been mostly positive. However, there’s one addition that might sound like a good idea on the surface, but once you think it through (which it seems the designers didn’t do), you quickly realize it’s a security nightmare.

The feature is called Wi-Fi Sense and it’s intended to help you overcome the complexity of letting visitors onto your home wireless network by automating the process of sharing the complex, hard to remember, even harder to enter encryption key that grants access. (You do have a complex, hard to remember, even harder to enter key protecting your Wi-Fi, right? Please say “yes.” Good.)

The problem is that it breaks the bounds of any sort of reasonable security standard by oversharing that key with all sorts of people you may not even know — many of whom you would never allow on your private home network.

Graham Cluley has a great description of the problem on his blog that I highly recommend you read, so you will have the details in a clear, understandable way that I couldn’t improve on (so I won’t even try).

Before you dismiss this as something you don’t have to care about because you don’t use Windows 10, think again. All it takes is for you to share your Wi-Fi key with any Windows 10 user who happens to have this (over)sharing feature turned on, and it is automatically passed along to all their friends, even without their knowledge.

That’s right. You and all your family could run nothing but Macs or Linux, but it only takes one visitor running Win 10 that you give the Wi-Fi key to before you have unknowingly shared it with all of your visitor’s Skype contacts, Outlook contacts, Hotmail contacts and Facebook friends.

I’m not ready to go so far as to say “friends don’t let friends use Win 10,” but I will say you should think twice — make it three times — before you share your home Wi-Fi with them.

Speaking in São Paulo

Posted: August 3, 2015 in Uncategorized


For my Brazilian friends (or any others who want to go there), I’ll be presenting at the CSO Summit in São Paulo on September 3, 2015. Here’s a description of the talk:

Understanding the IT Threatscape
With security concerns at an all-time high—thanks in part to heavy media coverage of several large consumer attacks—incidents have become a mainstream conversation, from the boardroom to the living room. The IBM X-Force research team studies and monitors the latest threat trends including vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content. Some recent findings from that research will reveal trends in the nature, type and volume of attacks organizations are currently facing. This session will focus on some of those insights and demonstrate technology that IBM offers for exploring these threats in greater detail and collaborating with other IT security professionals to leverage the power of social networking in formulating a solid defense.

For more info on the event:


Hack my ride

Posted: July 23, 2015 in Uncategorized

I wrote about the issue of car hacking about 6 months ago. Since then, the predictable has happened. The threat has been shown to be even worse through a new proof of concept hack that allowed a 2014 Jeep Cherokee to be remotely, wirelessly controlled from 10 miles away. In this controlled demonstration, the driver knew he was going to be hacked but still experienced a combination of weird and frightening scenarios, including:

  • radio turning on spontaneously, blaring music that can’t be turned down or off
  • windshield wipers (complete with washer fluid spray) operating on their own
  • engine slowing to a crawl
  • losing control of the steering wheel
  • horn honking on its own

An article in covers the demo in more detail. To watch a video of the “thrill ride” take a look here.

Car Hacking Demonstration

Crazy stuff, huh?

Before you dismiss this threat because you don’t drive that model of vehicle, bear in mind that the guys behind this hack believe that many more models are affected as well. One estimate puts the number at more than 470,000 vehicles vulnerable to this particular exploit alone.

Why these internal systems would ever be accessible remotely is the question that automakers need to answer. At a minimum there should be an “air gap” separating these three systems from one another:

  • vehicle control system
  • entertainment system
  • monitoring system

Only the latter should be remotely accessible and even that one is debatable.

The bottom line here is that we are in the early days of the Internet of Things (IoT) and vehicle/computer integration. Unfortunately, the focus seems to be on building the functionality and treating security as an afterthought. Things are likely to get worse before they get better, so buckle up and be prepared for a rough ride…