“Still, the worst thing about Mirai is that it leverages the horrible security decisions made by a handful of manufacturers of Internet-connected devices.”
That sentence, from Sean Gallagher's article on Ars Technica, is an understatement. It speaks to a global problem in the attitude manufacturers have toward security and toward building secure products. Nowadays one would think everyone realizes that if something connects to the internet, it is open game for attack. That is the world we live in. Let me be really clear: if a device connects to the internet, or is internet aware, it is open to attack. The Mirai IoT botnet attack that occurred last week did nothing more than put a period on that sentence.
Recall that Mirai managed to take control of hundreds of thousands of devices that connect to the internet. To be fair, the traditional thinking that a small device sitting behind a home or office router needs no hardening of its own is what made that possible.
You may be asking right now, "What the heck is the Internet of Things?" IoT, as it is also called, is what we call all of our gadgets that are internet aware. These are gadgets that can talk to each other, and to us humans, across the internet: smart TVs, refrigerators, those smart doorbells, surveillance video cameras, sensors, DVRs, some routers, and other devices. When we buy these devices many of us take them home, or to the office, plug them in and they just work, often with whatever settings and login credentials the factory shipped them with.
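Mirai's "horrible security decisions" were, concretely, devices exposing a Telnet login to the internet with factory-default accounts, which the bot walked through from a fixed list. The following is an added example, not code from the original post or from any vendor, showing what that activity looks like on the device side and how to flag it from logs. The log lines are constructed for the example, and the line format, the `DEFAULT_USERS` list and the thresholds are assumptions you would replace with your own device's syslog format and account inventory.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original page): an embedded
# device logging Telnet login attempts in a syslog-like format. The first
# source walks a list of factory-default usernames and finally gets in as
# root; the second is a single legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Oct 24 10:00:01 cam1 telnetd: login failed for user 'root' from 203.0.113.7
Oct 24 10:00:02 cam1 telnetd: login failed for user 'admin' from 203.0.113.7
Oct 24 10:00:02 cam1 telnetd: login failed for user 'root' from 203.0.113.7
Oct 24 10:00:03 cam1 telnetd: login failed for user 'support' from 203.0.113.7
Oct 24 10:00:03 cam1 telnetd: login failed for user 'user' from 203.0.113.7
Oct 24 10:00:04 cam1 telnetd: login succeeded for user 'root' from 203.0.113.7
Oct 24 10:05:10 cam1 telnetd: login failed for user 'alice' from 198.51.100.4
Oct 24 10:07:33 cam1 telnetd: login succeeded for user 'alice' from 198.51.100.4
"""

# Assumed log format for this example; adjust the pattern to your device.
LINE_RE = re.compile(
    r"telnetd: login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Factory-default account names of the kind IoT credential scanners try.
# This list is an assumption for the example, not Mirai's actual list; in
# practice it should come from your own device inventory.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}


def parse_events(log_text):
    """Turn log text into (src_ip, username, succeeded) tuples, ignoring
    lines that do not match the login pattern."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user"),
                           m.group("result") == "succeeded"))
    return events


def find_credential_stuffing(events, min_attempts=3, min_distinct_users=2):
    """Return {src_ip: info} for sources that look like default-credential
    scanners: at least min_attempts logins, spread over at least
    min_distinct_users different default usernames. 'compromised' records
    whether any of those default accounts actually let the source in."""
    attempts = Counter()
    users_tried = defaultdict(set)
    compromised = defaultdict(bool)
    for src, user, ok in events:
        attempts[src] += 1
        if user in DEFAULT_USERS:
            users_tried[src].add(user)
            compromised[src] = compromised[src] or ok
    flagged = {}
    for src, n in attempts.items():
        if n >= min_attempts and len(users_tried[src]) >= min_distinct_users:
            flagged[src] = {
                "attempts": n,
                "default_users": sorted(users_tried[src]),
                "compromised": compromised[src],
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

Run against the constructed log, only 203.0.113.7 is flagged: six attempts across four default usernames, ending in a successful `root` login, which is exactly the signature of a device being recruited. The one failed login from 198.51.100.4 is a real user and stays quiet. The more useful lesson is the prevention side: a device that forces a credential change on first boot and does not expose Telnet to the WAN never produces the first six lines at all.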
The world has a new app that actually gets people off the couch and into the world. Its players actually have to walk, and are secretly getting exercise. I wonder if the game maker has a secret agenda to get people exercising. It just might work. What on earth is going on out there? I have already fielded a couple of questions about the security of this app, and about its safety, so I pulled some details together.
A Joseph Bernstein article pointed out that Pokémon Go can tell a lot of things about you based on your movement as you play: where you go, when you went there, how you got there, how long you stayed, and who else was there. And, like many developers who build those apps, Niantic keeps that information.
Much has been written and said in the news about the open letter Apple's CEO Tim Cook wrote regarding the FBI's request that Apple install a back door into the iPhone. When I first read that letter I shook my head and believed it was the wrong decision. After all, the FBI is only trying to follow every lead the San Bernardino terrorism investigation brings up. Their goal is to protect us and keep us safe.
But then I decided to take a step back and think about this from other angles. Maybe Apple is actually taking the right stand to protect us and keep us safe. I am fairly certain the FBI could hire some deeply skilled hackers, I mean Information Security Professionals, who could leverage their hacking techniques to gain access to the phone.
It is not enough that we have to be careful and watch out for bad emails trying to lure us into clicking links that can steal our information. Now it seems we need to step it up and look out for social networking profiles too. There are bad actors taking the time to create social profiles that look convincingly real. These profiles have been found on LinkedIn, Facebook and others. I have personally seen them come through my Facebook and LinkedIn accounts. What tipped me off was that I thought I was already "friends" or connected with a person when I saw another request come through. It turned out it was not that person, but someone trying to make me think it was.
There are tons of articles out there now talking about the security breach at the OPM. One such article from the Wall Street Journal points out an attack vector coming in from a third party vendor. Wow.
I think in this day and age of computing there really is no excuse for breaches. It is one thing to have the latest and greatest tools in place and the right mix of human analysts looking the data over. It is quite another to leave the doors open with old or outdated technology.
How does a government organization, or even a regular commercial business, get these things fixed? The answer is very simple. Criminalize the data loss and hold CEOs or top government brass accountable, meaning they will be prosecuted under some kind of criminal liability.
Wouldn’t that change the focus on how information security is implemented? If you, as top boss, knew you could go to jail because you didn’t put enough of a priority on securing the data you work with, don’t you think you would make different decisions?
The other day the president of RSA, Amit Yoran, said that he believes security has failed. He went on to criticize defense-in-depth strategies as not keeping up with the need.
I have been thinking about what Amit Yoran said, and I disagree with his comments and his belief.
It is interesting. I stepped off the INFOSEC wagon in 2010 after I was severed from my job. I did not want to relocate to New Jersey or Texas, so they let me go. When that happened I realized how burned out I was from technology and managing. So I decided to open a business following my other passion, holistic wellness. Fast forward to today. I am back on the wagon doing Information Security and I am loving it. I started a new position this past February and found myself drawn to the job as it was scoped out; and the company made me a really fair offer right out of the gate. That says a lot about a company, I think.
A friend forwarded an interesting article to me yesterday. It was posted on the BBC News web site reporting "Up to 1.7m people’s data missing." Of particular note in this article:
"EDS assesses that it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information."
I read an interesting article in the latest SANS Ouch, Vol. 5 No. 10. It points out the results of a couple of surveys done by McAfee, which show that many of the 378 computer users interviewed by phone were undereducated when it comes to recognizing the threats the Internet poses to their computers and to their personal privacy. Go take a look at the article and follow the links to the full report.