Advances in medical technology are making people’s lives better every day and the future looks even brighter … and darker, if we don’t get the security right. Here’s a link to a piece I wrote for the IBM blog on the subject I hope you find useful.


Apple released iOS 9 this week. Hurray! But some (most) of you are thinking it might be wise to watch from the sidelines on this and let the bleeding edgers endure the initial onslaught of headaches that we all know can result from a software upgrade of this significance. There’s certainly a case to be made for this more circumspect approach.

However, if you are really concerned with caution, you might want to think again. The reason is that iOS 9 fixes over 100 security vulnerabilities that are lying around inside the bowels of its predecessor. That’s enough bugs to call in an exterminator, which is what iOS 9 could be.

One of the more interesting scenarios involves an exploit that abuses AirDrop to install malware on a mobile device. Here’s a video that demonstrates the attack.

Of course, with a new mobile OS comes the possibility of even newer bugs, but the point is that the cat is out of the bag on the old ones. The bad guys know about them and will be looking to take advantage. The new bugs are yet to be discovered.

That may not be the most comforting thought, but look at it this way. If you knew there were copies of the keys to your house being circulated among the cat burglar community, would you want to sit tight and hope none of them figured out where you lived, or change the locks? New locks still might be able to be picked, but at least you make the job harder for the bad guys.

You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither do cars, which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system, so take a guess at how many security holes that translates into…

Apple has done a better job in this area because, as both the hardware maker and OS supplier, they had two-thirds of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had three players that needed to sync up, since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google), which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slain yet, as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out, but it’s a step in the right direction and one that is long overdue.

I recently wrote about a vehicle hacking demonstration which exposed serious vulnerabilities in a 2014 Chrysler Jeep Cherokee in “Hack my ride.” As expected, the threat extended well beyond that specific make and model and resulted in the recall of 1.4 million vehicles that were affected by the vulnerability.

Don’t feel smug because you don’t drive one of those models because the hits keep coming…

Here’s one that affects GM’s OnStar system, specifically the mobile app that allows for remote access of vehicle functions. As you can see in the video below, it is possible to create a good deal of havoc with little more than about $100 worth of equipment.


When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference to the hacker jargon to “own” or control a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting.

The consequences?

a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

The good news? This one should be fixable with a patch to the mobile app.

The bad news? Expect to see more of these sorts of car hacks to come.

Ever told someone a secret only to find out later that they blabbed it to everyone they knew? Irritating, huh?

Ever let someone on your home wireless network only to find out later that all their friends now have access as well whenever they get within range? Not yet, but you will … 

… unless Microsoft rethinks a new feature they included in the latest and greatest release of their flagship OS — Windows 10.

Generally speaking, the early reviews for Win 10 have been mostly positive. However, there’s one addition that might sound like a good idea on the surface, but once you think it through (which it seems the designers didn’t do), you quickly realize it’s a security nightmare.

The feature is called Wi-Fi Sense and it’s intended to help you overcome the complexity of letting visitors onto your home wireless network by automating the process of sharing the complex, hard to remember, even harder to enter encryption key that grants access. (You do have a complex, hard to remember, even harder to enter key protecting your Wi-Fi, right? Please say “yes.” Good.)

The problem is that it breaks the bounds of any sort of reasonable security standard by oversharing that key with all sorts of people you may not even know — many of whom you would never allow on your private home network.

Graham Cluley has a great description of the problem on his blog that I highly recommend you read, so you will have the details in a clear, understandable way that I couldn’t improve on (so I won’t even try).

Before you dismiss this as something you don’t have to care about because you don’t use Windows 10, think again. All it takes is for you to share your Wi-Fi key with any Windows 10 user who happens to have this (over)sharing feature turned on for them to automatically pass it along to all their friends even without their knowledge.

That’s right. You and all your family could run nothing but Macs or Linux but it only takes one visitor running Win 10 that you give the Wi-Fi key to before you unknowingly have shared this with all of your visitor’s Skype contacts, Outlook contacts, Hotmail contacts and Facebook friends. 

I’m not ready to go so far as to say “friends don’t let friends use Win 10,” but I will say you should think twice — make it three times — before you share your home Wi-Fi with them.

Speaking in São Paulo

Posted: August 3, 2015 in Uncategorized


For my Brazilian friends (or any others who want to go there), I’ll be presenting at the CSO Summit in São Paulo on September 3, 2015. Here’s a description of the talk:

Understanding the IT Threatscape
With security concerns at an all-time high—thanks in part to heavy media coverage of several large consumer attacks—incidents have become a mainstream conversation, from the boardroom to the living room. The IBM X-Force research team studies and monitors the latest threat trends including vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content. Some recent findings from that research will reveal trends in the nature, type and volume of attacks organizations are currently facing. This session will focus on some of those insights and demonstrate technology that IBM offers for exploring these threats in greater detail and collaborating with other IT security professionals to leverage the power of social networking in formulating a solid defense.

For more info on the event:


Hack my ride

Posted: July 23, 2015 in Uncategorized

I wrote about the issue of car hacking about 6 months ago. Since then, the predictable has happened. The threat has been shown to be even worse through a new proof of concept hack that allowed a 2014 Jeep Cherokee to be remotely, wirelessly controlled from 10 miles away. In this controlled demonstration, the driver knew he was going to be hacked but still experienced a combination of weird and frightening scenarios including:

  • radio turning on spontaneously, blaring music that can’t be turned down or off
  • windshield wipers (complete with washer fluid spray) operating on their own
  • engine slowing to a crawl
  • losing control of the steering wheel
  • horn honking on its own

An article in covers the demo in more detail. To watch a video of the “thrill ride” take a look here.

Car Hacking Demonstration

Crazy stuff, huh?

Before you dismiss this threat because you don’t drive that model of vehicle, bear in mind that the guys behind this hack believe that many more models are affected as well. One estimate has the number at more than 470,000 vehicles vulnerable to this particular exploit alone.

Why these internal systems would ever be accessible remotely is the question that automakers need to answer. At a minimum there should be an “air gap” separating these systems:

  • vehicle control system
  • entertainment system
  • monitoring system

Only the latter should be remotely accessible and even that one is debatable.

The bottom line here is that we are in the early days of Internet of Things (IoT) and vehicle/computer integration. Unfortunately, the focus seems to be on building the functionality and taking care of security as an afterthought. Things are likely to get worse before they get better so buckle up and be prepared for a rough ride…

Who doesn’t love a good sci-fi movie? They offer us a glimpse into a possible future world that may or may not ever come to actually exist but, either way, can be enormously entertaining in the process.

One of the best from my childhood was the 1968 classic (yes, I’m old) Planet of the Apes. 

*** Spoiler Alert *** In the final scene the protagonist, George Taylor (played by Charlton Heston), is walking along the beach of the dystopian world his spacecraft crash-landed on. This alien world is run by intelligent, talking apes who have enslaved the native human population. Taylor looks up to see a half-buried Statue of Liberty and realizes that he isn’t on some distant planet but is, instead, back on planet Earth many years after he left it. His final lines are:

Oh my God. I’m back. I’m home. All the time, it was… We finally really did it. [screaming] You Maniacs! You blew it up! Ah, d*** you! God d*** you all to hell!

Dramatic stuff! My young mind was completely blown. Still is …

But what if it isn’t apes that we need to keep our eyes on? What if the plot is actually more sinister? What if the threat comes from an even more unlikely source?


Yes, cows. It seems Hollywood got it wrong (shocking!). Believe it or not, according to US CDC statistics you are more likely to be killed by a cow than a shark — twenty-two times more likely, in fact. All this time they’ve been standing in our fields passively chewing cud and staring at us with those cold, dead eyes …

OK, so I’m overdramatizing for effect. No, I don’t believe that cows are out to get us or that they will eventually become our overlords, but the point is that we are often quite bad at assessing risk. Are most people more afraid of cows or sharks? According to the actual data, which one should they be more concerned about?

What does this have to do with IT security? If we are bad at assessing real world threats, why would we think that we don’t carry some of the same deficiencies into our assessment of cyber threats? My guess is that we shouldn’t assume we don’t, because we do.

So, the next time you hear someone trying to downplay a potential risk, it might be worth taking a second look to see if the facts support it. Otherwise, we could one day be living on … the planet of the cows!

Increasingly, we are living more and more of our lives online. What used to be in person interactions are more likely to be virtual. Rather than going to the bank, you can deposit a check by taking a picture of it with your mobile phone (along with some magic from a specially-designed mobile app from the bank). Make investments from your browser. Speak with a doctor via video conference for a virtual office visit from the comfort of your own home rather than spending the morning in a waiting room full of other sick people sharing their germs. Buy that hot new gadget online and have it show up at your door a few days later.

Great stuff — and it all relies on a system of trust for verifying identities of the various parties based typically on our ability to enter a presumably “secret” password that no one else knows when prompted.

But what if you aren’t the only one who knows your password? You didn’t tell anyone what it was (please, tell me you didn’t!) and you didn’t write it down where others could read it (I know you’re smarter than that, right?). Instead, you stored it in an encrypted software password vault of some sort and gave yourself a pat on the back for this technical accomplishment.

Great! That’s what you should do. However …

… no system is perfect and that includes encrypted password stores. If you use a Mac, Keychain is a convenient choice. It makes things easier still if you have multiple Apple devices by synchronizing passwords via iCloud so that your iPhone and iPad get updated when you change a password on your MacBook.

Or you could use LastPass or 1Password, which provide similar functions across Apple and non-Apple platforms like Windows and Android. There are plenty of other similar choices too but let’s keep this discussion simple and just look at these.

Well, guess what? In the past week, stories have come to the forefront that all of these solutions are vulnerable to attack.

  • Glenn Fleishman of does a nice job of explaining the technical details of the LastPass hack and the protections in place to deal with the risk in this article.
  • Glenn also covers the latest vulnerability disclosure in OS X and iOS that exposes Keychain to hacking in this article.
  • 1Password makers tried to reassure their users in this blog post.

None of these revelations should come as a surprise. OK, so maybe you didn’t know the specifics but the point is any operational system is vulnerable. The goal should not be to eliminate all risk (although, that would be nice), but rather, to bring risks down to an acceptable level by mitigating the ones we can and avoiding or accepting the ones we can’t.

Quoting from the 1Password blog:

There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

Very true. The lesson here is not that we shouldn’t use password managers. The alternative is worse. The lesson is that none of these systems are sufficient to keep everything secure. That means you have to protect your system from malware by:

  • not installing software from questionable sources
  • not clicking on attachments that you aren’t expecting
  • not using trivial passwords
  • not neglecting to install patches both to the operating system and apps
  • not storing passwords in the cloud but, instead, syncing across devices via a wired or secured wifi connection

Also, choose to set up 2-factor or 2-step authentication on the systems that support it. These typically involve sending you a text message with a seemingly random number that only you will know if you have pre-registered your phone and keep it in your possession (and free from malware too). These systems aren’t perfect either, but they make the job of cracking your castle harder for the bad guys and that’s a good thing for you and your online kingdom.

Security professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard but the alternative is that anyone who can put their hands on your phone could read all your emails, texts, pics, view phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.”

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?
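To make the ordering problem concrete, here is an added Python model of a PIN retry counter; it is not code from this post or from any real phone. It assumes the “wipe after 10 incorrect tries” setting described above and a per-attempt cost of about 39 seconds (derived from the post’s figure of roughly 4.5 days for 10,000 tries). The defender’s fix it shows is to commit the failure counter to storage before the guess is evaluated, so that cutting power after a rejection cannot undo it.

```python
from dataclasses import dataclass

WIPE_AFTER = 10          # the "wipe after 10 incorrect tries" setting from the post
SECONDS_PER_TRY = 39     # assumed: ~4.5 days for 10,000 tries, per the post


@dataclass
class PinLock:
    """Toy PIN lock. persist_before_check=True models the hardened ordering,
    where the failed-attempt counter is committed before the guess is checked."""
    pin: str
    persist_before_check: bool
    failures: int = 0      # counter as committed to non-volatile storage
    wiped: bool = False

    def try_pin(self, guess: str, power_cut: bool = False) -> bool:
        """Return True on unlock. power_cut=True models power being pulled the
        instant a rejection is observed, before any later code runs."""
        # Whatever was committed survives a reboot and is enforced first.
        if self.failures >= WIPE_AFTER:
            self.wiped = True
        if self.wiped:
            return False
        if self.persist_before_check:
            self.failures += 1            # hardened: charge the attempt up front
        if guess == self.pin:
            self.failures = 0
            return True
        if power_cut:
            return False                  # nothing after this point executes
        if not self.persist_before_check:
            self.failures += 1            # vulnerable: charged only after rejection
        if self.failures >= WIPE_AFTER:
            self.wiped = True
        return False


def brute_force(lock: PinLock, digits: int = 4, power_cut: bool = True) -> int:
    """Enumerate every PIN in order. Returns the number of guesses needed to
    unlock, or -1 if the device wiped first."""
    for n in range(10 ** digits):
        if lock.try_pin(f"{n:0{digits}d}", power_cut=power_cut):
            return n + 1
        if lock.wiped:
            return -1
    return -1


def expected_time_hours(digits: int, seconds_per_try: float = SECONDS_PER_TRY) -> float:
    """Average time to hit a uniformly random numeric PIN: half the keyspace
    times the per-attempt cost (the post's 5,000-of-10,000 reasoning)."""
    return (10 ** digits / 2) * seconds_per_try / 3600


if __name__ == "__main__":
    for hardened in (False, True):
        lock = PinLock(pin="7391", persist_before_check=hardened)
        print(f"hardened={hardened}: guesses={brute_force(lock)}, wiped={lock.wiped}")
    print(f"4-digit PIN, average time: {expected_time_hours(4):.1f} h")
```

With the vulnerable ordering the counter never moves under a power cut, so all 10,000 PINs can be tried; with the hardened ordering the tenth committed failure wipes the device on the next attempt regardless of when power was pulled.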

What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.

So, while it may be a royal pain to enter that complex, 8-character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it could be a better trade-off than the venerable but broken 4-digit PIN.