You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither do cars, which I’ve written about here before as well. In fact, some of the higher-end models these days have more lines of code than the Windows operating system, so take a guess at how many security holes that translates into…

Apple has done a better job in this area because, as both the hardware maker and OS supplier, they had two-thirds of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had three players that needed to sync up, since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google), which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slain yet, as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out, but it’s a step in the right direction and one that is long overdue.

I recently wrote about a vehicle hacking demonstration which exposed serious vulnerabilities in a 2014 Chrysler Jeep Cherokee in “Hack my ride.” As expected, the threat extended well beyond that specific make and model and resulted in the recall of 1.4 million vehicles that were affected by the vulnerability.

Don’t feel smug because you don’t drive one of those models because the hits keep coming…

Here’s one that affects GM’s OnStar system, specifically the mobile app that allows remote access to vehicle functions. As you can see in the video below, it is possible to create a good deal of havoc with little more than about $100 worth of equipment.

According to Wired.com:

When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference to the hacker jargon to “own” or control a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting.

The consequences?

a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

The good news? This one should be fixable with a patch to the mobile app.

The bad news? Expect to see more of these sorts of car hacks to come.

Ever told someone a secret only to find out later that they blabbed it to everyone they knew? Irritating, huh?

Ever let someone on your home wireless network only to find out later that all their friends now have access as well whenever they get within range? Not yet, but you will … 

… unless Microsoft rethinks a new feature they included in the latest and greatest release of their flagship OS — Windows 10.

Generally speaking, the early reviews for Win 10 have been mostly positive. However, there’s one addition that might sound like a good idea on the surface, but once you think it through (which it seems the designers didn’t do), you quickly realize it’s a security nightmare.

The feature is called Wi-Fi Sense and it’s intended to help you overcome the complexity of letting visitors onto your home wireless network by automating the process of sharing the complex, hard to remember, even harder to enter encryption key that grants access. (You do have a complex, hard to remember, even harder to enter key protecting your Wi-Fi, right? Please say “yes.” Good.)

The problem is that it breaks the bounds of any sort of reasonable security standard by oversharing that key with all sorts of people you may not even know — many of whom you would never allow on your private home network.

Graham Cluley has a great description of the problem on his blog that I highly recommend you read, so you will have the details in a clear, understandable way that I couldn’t improve on (so I won’t even try).

Before you dismiss this as something you don’t have to care about because you don’t use Windows 10, think again. All it takes is for you to share your Wi-Fi key with any Windows 10 user who happens to have this (over)sharing feature turned on for them to automatically pass it along to all their friends even without their knowledge.

That’s right. You and all your family could run nothing but Macs or Linux but it only takes one visitor running Win 10 that you give the Wi-Fi key to before you unknowingly have shared this with all of your visitor’s Skype contacts, Outlook contacts, Hotmail contacts and Facebook friends. 

I’m not ready to go so far as to say “friends don’t let friends use Win 10,” but I will say you should think twice — make it three times — before you share your home Wi-Fi with them.

Speaking in São Paulo

Posted: August 3, 2015 in Uncategorized

For my Brazilian friends (or any others who want to go there), I’ll be presenting at the CSO Summit in São Paulo on September 3, 2015. Here’s a description of the talk:

Understanding the IT Threatscape
With security concerns at an all-time high—thanks in part to heavy media coverage of several large consumer attacks—incidents have become a mainstream conversation, from the boardroom to the living room. The IBM X-Force research team studies and monitors the latest threat trends including vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content. Some recent findings from that research will reveal trends in the nature, type and volume of attacks organizations are currently facing. This session will focus on some of those insights and demonstrate technology that IBM offers for exploring these threats in greater detail and collaborating with other IT security professionals to leverage the power of social networking in formulating a solid defense.

For more info on the event:

Obrigado!

Hack my ride

Posted: July 23, 2015 in Uncategorized

I wrote about the issue of car hacking about 6 months ago. Since then, the predictable has happened. The threat has been shown to be even worse through a new proof-of-concept hack that allowed a 2014 Jeep Cherokee to be remotely, wirelessly controlled from 10 miles away. In this controlled demonstration, the driver knew he was going to be hacked but still experienced a combination of weird and frightening scenarios, including:

  • radio turning on spontaneously, blaring music that couldn’t be turned down or off
  • windshield wipers (complete with washer fluid spray) operating on their own
  • engine slowing to a crawl
  • losing control of the steering wheel
  • horn honking on its own

An article in Wired.com covers the demo in more detail. To watch a video of the “thrill ride” take a look here.

Car Hacking Demonstration

Crazy stuff, huh?

Before you dismiss this threat because you don’t drive that model of vehicle, bear in mind that the guys behind this hack believe that many more models are affected as well. One estimate has the number at more than 470,000 vehicles vulnerable to this particular exploit alone.

Why these internal systems would ever be accessible remotely is the question that automakers need to answer. At a minimum there should be an “air gap” separating these systems:

  • vehicle control system
  • entertainment system
  • monitoring system

Only the latter should be remotely accessible and even that one is debatable.

The bottom line here is that we are in the early days of Internet of Things (IoT) and vehicle/computer integration. Unfortunately, the focus seems to be on building the functionality and taking care of security as an afterthought. Things are likely to get worse before they get better so buckle up and be prepared for a rough ride…

Who doesn’t love a good sci-fi movie? They offer us a glimpse into a possible future world that may or may not ever come to actually exist but, either way, can be enormously entertaining in the process.

One of the best from my childhood was the 1968 classic (yes, I’m old) Planet of the Apes. 

*** Spoiler Alert *** In the final scene the protagonist, George Taylor (played by Charlton Heston), is walking along the beach of the dystopian world his spacecraft crash-landed on. This alien world is run by intelligent, talking apes who have enslaved the native human population. Taylor looks up to see a half-buried Statue of Liberty and realizes that he isn’t on some distant planet but is, instead, back on planet Earth many years after he left it. His final lines are:

Oh my God. I’m back. I’m home. All the time, it was… We finally really did it. [screaming] You Maniacs! You blew it up! Ah, d*** you! God d*** you all to hell!

Dramatic stuff! My young mind was completely blown. Still is …

But what if it isn’t apes that we need to keep our eyes on? What if the plot is actually more sinister? What if the threat comes from an even more unlikely source?

COWS!!!

Yes, cows. It seems Hollywood got it wrong (shocking!). Believe it or not, according to US CDC statistics you are more likely to be killed by a cow than a shark — twenty-two times more likely, in fact. All this time they’ve been standing in our fields passively chewing cud and staring at us with those cold, dead eyes …

OK, so I’m overdramatizing for effect. No, I don’t believe that cows are out to get us or that they will eventually become our overlords, but the point is that we are often quite bad at assessing risk. Are most people more afraid of cows or sharks? According to the actual data, which one should they be more concerned about?

What does this have to do with IT security? If we are bad at assessing real-world threats, why would we think that we don’t carry some of the same deficiencies into our assessment of cyber threats? My guess is that we shouldn’t assume we don’t, because we do.

So, the next time you hear someone trying to downplay a potential risk, it might be worth taking a second look to see if the facts support it. Otherwise, we could one day be living on … the planet of the cows!

Increasingly, we are living more and more of our lives online. What used to be in-person interactions are now more likely to be virtual. Rather than going to the bank, you can deposit a check by taking a picture of it with your mobile phone (along with some magic from a specially-designed mobile app from the bank). Make investments from your browser. Speak with a doctor via video conference for a virtual office visit from the comfort of your own home rather than spending the morning in a waiting room full of other sick people sharing their germs. Buy that hot new gadget online and have it show up at your door a few days later.

Great stuff — and it all relies on a system of trust for verifying the identities of the various parties, based typically on our ability to enter a presumably “secret” password that no one else knows when prompted.

But what if you aren’t the only one who knows your password? You didn’t tell anyone what it was (please, tell me you didn’t!) and you didn’t write it down where others could read it (I know you’re smarter than that, right?). Instead, you stored it in an encrypted software password vault of some sort and gave yourself a pat on the back for this technical accomplishment.

Great! That’s what you should do. However …

… no system is perfect and that includes encrypted password stores. If you use a Mac, Keychain is a convenient choice. It makes things easier still if you have multiple Apple devices by synchronizing passwords via iCloud so that your iPhone and iPad get updated when you change a password on your MacBook.

Or you could use LastPass or 1Password, which provide similar functions across Apple and non-Apple platforms like Windows and Android. There are plenty of other similar choices too but let’s keep this discussion simple and just look at these.

Well, guess what? In the past week, stories have come to the forefront that all of these solutions are vulnerable to attack.

  • Glenn Fleishman of Macworld.com does a nice job of explaining the technical details of the LastPass hack and the protections in place to deal with the risk in this article.
  • Glenn also covers the latest vulnerability disclosure in OS X and iOS that exposes Keychain to hacking in this article.
  • 1Password’s makers tried to reassure their users in this blog post.

None of these revelations should come as a surprise. OK, so maybe you didn’t know the specifics but the point is any operational system is vulnerable. The goal should not be to eliminate all risk (although, that would be nice), but rather, to bring risks down to an acceptable level by mitigating the ones we can and avoiding or accepting the ones we can’t.

Quoting from the 1Password blog:

There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

Very true. The lesson here is not that we shouldn’t use password managers. The alternative is worse. The lesson is that none of these systems is sufficient on its own to keep everything secure. That means you have to protect your system from malware by:

  • not installing software from questionable sources
  • not clicking on attachments that you aren’t expecting
  • not using trivial passwords
  • not neglecting to install patches both to the operating system and apps
  • not storing passwords in the cloud but, instead, syncing across devices via a wired or secured wifi connection

Also, choose to set up 2-factor or 2-step authentication on the systems that support it. These typically involve sending you a text message with a seemingly random number that only you will know, provided you have pre-registered your phone and keep it in your possession (and free from malware too). These systems aren’t perfect either, but they make the job of cracking your castle harder for the bad guys, and that’s a good thing for you and your online kingdom.