As regular readers of the EiQ blog know, we’re suspicious of the Internet of Things (IoT), the massive collection of Internet-connected devices that don’t fall into the traditional “computer” category. From “smart” energy meters, to in-car technology, to Internet-connected home appliances, the IoT is an incredibly broad spectrum of technologies that can gain value – in some cases, significant value, in other cases, more dubious – by connecting to other devices and networks.
Not too many years ago, Microsoft Corporation was viewed somewhat suspiciously in the information security community for what was perceived to be a lackadaisical approach to patching their software and (in particular) their Windows operating systems. Fast-forward to today, and Microsoft is recognized almost universally as having one of the most effective and timely security patching programs in the industry. Of course, Microsoft isn’t the only OS vendor to experience known vulnerabilities; although Apple for many years boasted that it’s software “doesn’t have security holes”, the fact is that the venerable OSX operating system, while a very mature BSD UNIX variant, still encounters periodic security issues which – to their credit – Apple addresses through frequent patch deployments. Even Linux, which runs so much of the Internet’s infrastructure, periodically has major security issues discovered in its supporting software, including a major vulnerability discovered just last week within systemd, a critical piece of software that provides name resolution services.
22 years ago, Irish actor Pierce Brosnan took his first turn as MI-6’s perennial agent James Bond. In that particularly great outing, everyone’s favorite international spy took out a satellite network known as GoldenEye, spearheaded by two satellites named Mischa and Petya. While the fictional GoldenEye satellites delivered an electro-magnetic field (EMF) of radiation that took out all electronics within a 30-mile radius, this week the world was hit with a real Petya: the “GoldenEye” strain of the ransomware that was at the root of last month’s massive WannaCry outbreak.
In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally, this is not something that would be particularly news-worthy, as the DFS is chartered to implement rules of governance and management for financial services companies all the time; over the past few years, the DFS has issues rules regarding financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March resolution – titled “23 NYCRR 500” – so interesting is that, for the first time, it defines specific cybersecurity governance requirements for all financial services companies operating in the state. As you might expect, as New York City is one of the top three financial centers of the world, this ruling has a substantial impact.
The technology world was rocked late last week with the arrival of the “WannaCry” malware payload. “WannaCry” is ransomware: it encrypts files with strong encryption, and then notifies the victim that they can “recover” their files for a payment using Bitcoin (which is an extremely difficult-to-track blockchain-based payment system). While the New York Times has reported that victims in nearly 100 countries have been affected so far by this fast-moving malware, the most significant impact so far has been identified within the U.K.’s National Health Services (NHS), which was forced to reallocate patients to unaffected facilities due to the “WannaCry” outbreak.
Recently, social media giant Facebook announced that they are providing, free of charge, code to allow app developers to implement delegated account recovery. This is effectively a more elegant replacement for the traditional “security questions” approach to resetting a password, which historically has required the user to setup a series of questions that (ostensibly) only they know the answer to. However, a Microsoft survey from several years ago already identified that over 10% of those supposedly “secret” questions could be answered within five guesses by nearly anyone, and that participants forgot 20% of their security question responses within six months.
For those of you who have been reading the EiQ Networks blog on a regular basis, you know that one of the most fundamental and unyielding tenets of the security world that we frequently point out is this: functionality and performance always – and we mean always – trump security. For developers of new software products, hardware technologies and the emerging world of IoT, the ability to get to market as quickly as possible is the most important thing a company can do, because it gets them a market position that turns into revenue. Because security isn’t generally perceived by companies that make commercial software and hardware as something on which people make buying decisions, it’s usually relegated to a last-minute “bolt-on”, or simply addressed after vulnerabilities are discovered by users and security analysts after the product is released. Even after disclosure of vulnerabilities, many companies either ignore these findings or back-burner patches and fixes until the next major release of their product. One of the “dirty little secrets” of the industry is that certain, specific vendors (we won’t name names here… but they know who they are) have had gaping holes in their products for months and sometimes even years. Sadly, this behavior among many companies is not likely to change.
Most of us think about information security in terms of what hackers, malware, and other bad actors can do to compromise our systems and data. And while that’s certainly a critical concern, we sometimes forget about another aspect of information security: protecting our privacy. The privacy debate is one that has raged for many years. Today it is often equated with government intrusion, and while this is certainly a legitimate macro-level concern, there are other sinister threats that can be realized when we lose our digital privacy; identity theft, cyberstalking and online bullying, and physical assault due to location disclosure from digital assets (think geolocation inside of devices and geotagging metadata within digital media) are all real-world risks if we don’t protect ourselves. And while privacy and security are not the same thing, good security definitely improves privacy.
Just a few weeks ago, security researcher and journalist Brian Krebs reported on the arrest of two men who were suspected of running “vDOS,” one of the most pervasive distributed denial-of-service (DDoS) paid service networks in the world. DDoS as a subscription service is nothing new; vDOS was in existence for well over four years, and along with other services such as “PoodleStresser” were part of the nascent but rapidly-growing distributed denial of service-as-a-service market (“DDoSaaS” – how’s that for an acronym?)