“Still, the worst thing about Mirai is that it leverages the horrible security decisions made by a handful of manufacturers of Internet-connected devices.”
This sentence is really an understatement by the author, Sean Gallagher, in an article published on Ars Technica. It speaks to the global problem in the attitude manufacturers have toward security and toward building secure products. Nowadays one would think everyone would realize that if something connects to the internet, it is open game for attack. That's the world we live in. Let me be really clear: if a device connects to the internet, or is internet aware, it is open for attack. The Mirai IoT botnet attack that occurred last week did nothing more than put a period on that sentence.
Recall that the Mirai attack managed to control millions, yes millions, of devices that connect to the internet. To be fair, the traditional way of thinking about these devices is probably what permitted that.
You may be asking right now, “What the heck is the Internet of Things?” IoT, as it is also called, is what we call all of our gadgets that are internet aware. These are gadgets that can talk to each other, and to us humans, across the internet. Things like smart TVs, refrigerators, those smart doorbells, surveillance video cameras, sensors, DVRs, some routers, and other devices. When we buy these devices many of us take them home, or to the office, plug them in and they just work.
Much has been written and said in the news about the open letter Apple's CEO Tim Cook wrote regarding the FBI's request that Apple install a back door into the iPhone. When I first read that letter I shook my head and believed it was the wrong decision. After all, the FBI is only trying to follow every lead the investigation turns up in the San Bernardino terrorist case. Their goal is to protect us and keep us safe.
But then I decided to take a step back and think about this from other angles. Maybe Apple is actually taking the right stand to protect us and keep us safe. I would think, with fairly strong certainty, that the FBI could hire some deeply skilled hackers, I mean Information Security Professionals, who could leverage their hacking techniques to gain access to the phone.
There are tons of articles out there now talking about the security breach at the Office of Personnel Management (OPM). One such article, from the Wall Street Journal, points out an attack vector coming in through a third-party vendor. Wow.
I think in this day and age of computing there really is no excuse for breaches. It's one thing to have the latest and greatest tools in place and the right mix of human analysts looking the data over. It's quite another to leave the doors open with old or outdated technology.
How does a government organization, or even a regular commercial business, get these things fixed? The answer is very simple. Criminalize the data loss and hold CEOs or top government brass accountable, meaning they will be prosecuted under some kind of criminal liability.
Wouldn’t that change the focus on how information security is implemented? If you, as top boss, knew you could go to jail because you didn’t put enough of a priority on securing the data you work with, don’t you think you would make different decisions?
A friend forwarded an interesting article to me yesterday. It was posted on the BBC News web site, reporting "Up to 1.7m people's data missing." Of particular note in this article:
"EDS assesses that it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information."
I figured it would only be a matter of time before something involving information security and VP nominee Governor Palin would pop up. The news is all over the Internet by now.
If anything, this should be used as a wake-up call for any and all businesses. What is the call? Don't permit web-based email to be used from within the company or from company resources. In Palin's case, the leaked account revealed general dialogue between Palin and others in the Alaskan government, and information and pictures of her family were posted on the Internet.
Disaster recovery planning is something most people don't enjoy doing. I know I don't. For most of the DR planning I've done outside of the military, I have found the process to be a waste of time. Why, you ask?
Because after the planning is over and the document changes are finalized, the business is ready to move on to something more important. They are operating in the now and believe DR is something we will never have to use…hopefully. Cross your fingers, as it were. After all, the document is done and the check mark can be placed in the box for those who need to know whether we have a DR plan.
It's been longer than I like to admit since my last post. I suspect I've fallen, like many others, into staying up late at night to watch the Olympics. I've enjoyed them more this year for some reason than in years past. Maybe I have a greater appreciation for the amount of work it takes these athletes to prepare for competition. And it's heartbreaking when they make a mistake and know it. They continue on even when they recognize their dream of a medal is over.
Here's an example of borderless, worldwide crime. Remember the TJ Maxx data breach? More details are coming out. A couple of details it brings to the top:
1. Location, location, location. Meaningless with digital crime. A worldwide reach is possible right into your backyard.
2. Wireless is a threat. Configure it properly. When done right it can work. Haphazardly…watch out.
Be smart people…from the Mom and Pop shops all the way up to the huge corporations. It doesn’t matter. Secure it.
I've often been asked by friends and relatives why they should ensure their own personal data is protected. After all, it is only their home computer. What could anyone possibly want from that?
I read an interesting article today on Darkreading.com. It begins with the usual issues about stolen credit card numbers. The twist comes when an investigation finds other personal information as well: healthcare data, airline records, financial data, and so on.