Car cyber-jacking – a new cyber evolution in driving cars

The FBI has issued a public service announcement about the dangers of cyber security threats in our vehicles.

The Internet of Things has brought with it huge potential in new technologies, but with it also come significant risks through connectivity. These can take the form of either the remote control of a vehicle (extraordinary but true!) or the theft of data from the car’s systems – through Bluetooth, Wi-Fi or a USB port.

Whilst there is a lot of work being done by the automotive industry to provide ever-increasing safety for data passing through their vehicles, there is also a lot that a driver today needs to be increasingly aware of to minimise risk and stay ahead of danger, particularly:

1.    Ensure software is up to date
2.    Use caution when modifying vehicle software
3.    Maintain awareness when third-party devices are connected to your vehicle
4.    Be diligent about knowing who has physical access to your vehicle at any time.

Considering this – how attractive is the perceived convenience of commercial aircraft WiFi?   Last year one of the risks identified by a major airline carrier offering wifi was the unintended exposure of the aircraft’s flight control systems.  Not a great result.

Apple vs FBI – the complete saga

Last month the stage was set for a battle of the Titans starting on 16th March 2016 with an Order by a Federal judge in California to Apple to assist the FBI to bypass security on an iPhone owned by US San Bernardino gunman, Rizwan Farook.

Shortly after this request was received, Apple’s CEO, Tim Cook, published an open letter on the company’s website explaining his concerns with the request and calling it an ‘unprecedented step’.

The iPhone in question was a 5C with a PIN lock, which enables encryption, set with a limited number of login attempts before the phone would wipe itself. The FBI request was for Apple to update this phone with custom firmware, to be created by Apple, that would remove the limit on login attempts. The FBI would then apply brute-force login techniques to get through the PIN lock.

Tim Cook stressed in his letter, which invited comment from the public, that creating such software would involve rewriting Apple’s own encryption technology, which would “weaken those protections and make our users less safe”.

Following the posting of the letter, numerous other technology companies came out in support of Apple’s stance against the FBI request, including competitor Google, whose CEO, Sundar Pichai, stated “Forcing companies to enable hacking could compromise users’ privacy”.

March 21st 2016 was the date of Apple’s March event, which saw the reveal of both smaller iPhones and iPad Pros. Apple kicked off the event, however, by addressing the current conflict between it and the FBI, and reinforced its stance of protecting users’ privacy and continuing to fight the FBI on this request.

Later in the day the FBI responded in a surprising way, asking for an upcoming crunch hearing to be postponed, with proceedings suspended at least until the following month. The FBI would then seek to use that time to test an alternate method for unlocking the iPhone that would not involve, as it had originally sought, Apple building a specially crafted version of the iOS firmware.

On March 29th 2016 the Department of Justice dropped its case against Apple, reasoning that pursuit of the case was no longer required as they had successfully, with the assistance of a third party, cracked and retrieved data out of the iPhone 5C.  They have since said that the technique used on the iPhone 5C would not work on new iPhone models.

Where it could all have been simpler

It is important to note that the terrorist’s iPhone was in fact a work phone, the terrorist’s personal phone having been destroyed. This entire legal back-and-forth could have been avoided if the work device had been enrolled in corporate Mobile Device Management, at which point it could simply have been legally unlocked by the employee’s IT team.

With the FBI confirming the technique used this time would not work on the latest iPhones, we could see a similar saga arise if a newer, more secure iPhone needs to be opened up by the FBI in the future.

Is it easier and better sometimes to pay a ransom on demand?

Following TalkTalk’s ‘hackus horribilis’ moment on 21st October 2015, details are emerging not of foreign extremists potentially being behind the attack, but rather of a growing cabal of youngsters aged 14-16, who have been arrested and released on bail by the British police after questioning over the incident. The latest advisory from TalkTalk is that only 4% of their customer base (157,000 customers and around 15,600 accounts) were actually affected by the breach of security (though obviously if you were one of that number, you wouldn’t care about the low percentages).

TalkTalk are not on their own though: M&S had some of its users’ details accidentally shared with other customers online last week. This followed what was described as an internal error. The website was pulled down for 2 hours whilst the problem was fixed. Nonetheless, personal data including names, dates of birth, contacts and previous orders could be seen. Meanwhile, Barclays suffered problems with customers complaining of difficulties with ATM transactions during the weekend of 21st October. This incident was put down to a “network problem” resulting in a “tech outage” by Barclays.

And in an interesting discussion at the 2015 Cyber Security Summit in Boston, the FBI’s Assistant Special Agent in Charge of CYBER and Counterintelligence Programmes, Joseph Bonavolonta, advocated that sometimes it really might be best to pay off the criminals in ransomware attacks where a CryptoWall infection has breached a company’s IT systems. Often this advice is given because the infected organisation has no way of recovering the files: it lacks recovery options and has no back up, or one that is too old to be commercially useful. Ransomware has been gathering traction since 2013, and much of the difficulty for government security agencies is that no two ransomware attacks are the same.

Meanwhile, the Deputy Director of the US National Security Agency (NSA), Richard Ledgett, commented last week in an interview with the BBC that, as the world becomes more connected and more vulnerable, nation states have to identify the red lines which cannot be crossed by sabotage from other nations (e.g. the Sony attack), and that where this happened it should lead to consequences. There should be a three-pronged plan: build our defences, build offences against threats in others’ networks and “have a build up of international diplomatic regimes” through which the threat of sanctions could be levied.

Post the Edward Snowden leaks, he said real damage had been done, as the disclosures had led to changed behaviours in cyber attackers targeting many organisations. He added “Several terrorist organisations and one in particular had a mature operational plot directed against western Europe and the US”. This had hampered the NSA’s ability, he said, to do their job. Arguing the rights and wrongs of surveillance in a data-filled world, Ledgett said: “I think that the way the discussion (the Snowden leaks) came about was wrong. You hear claims that he was a whistle-blower and that he tried to raise things. Those are just not true…He didn’t try.” On the subject of transparency, Ledgett advised that it was good to have a public discussion about what the authorities are and can do, but it got harder if it involved specific operations and specific targets.

With Theresa May updating the UK Government’s powers on mass surveillance, there is a difficult path to tread for those who keep us safe, and those who would have liberty at the forefront of the argument.

(Pix below Richard Ledgett Deputy Director of the NSA).

Major headache after US cyber attack threatens 4m public sector workers

The FBI are currently investigating the latest major data incursion into the heart of US Government announced today, as hackers (believed to originate in China) are suspected of the latest large scale ‘cyber intrusion’ into US personnel records, which has sent nervous ripples around the Pentagon.

The Office of Personnel Management which holds the records for other departments of US federal workers across the States, today sent out notifications to around 4 million employees warning them that some of their personal information may have been compromised.   This includes employment details, medical records and financial information.

The security community believes that the profile of the attack emanates from either Russia or China, due to the sophistication of the attack and the type of data taken.

This goes way beyond just a criminal act and into the murky world of nation state cyber espionage. To succeed requires nation state backing and sophisticated resources.  Indications are believed to show that the penetration began 6-8 months ago.  The concern here is that some of the data belongs to individuals in high positions of trust in Government circles and may lead to them being threatened, coerced or compromised in future.

To counter this, the US Government has launched a high priority effort to make users adopt two-factor authentication with PIV cards (smartcards with a chip) as a first phase defence. A second step is to separate authorised users from the ability to re-configure the system or networks as part of the same process. This would be done through creating entitlement privileged management separation processes to create more physical barriers to penetrating central systems.

Big or small, companies need to defend against increasingly sophisticated intrusions and commit to higher scrutiny of systems and investment in data defence.   There is no single fix any more.

Responsibility of the Data Controller to manage an individual’s records whether digital or manual weighs heavily on commercial businesses and organisations of every hue and sector.  Ignorance is not a defence, though good security and governance can make for a softer fall.

Transport infrastructure cyber threats loom

The UK’s next generation of signalling system using digital technology will be rolled out on intercity routes in the 2020s, but could be at risk from hacking causing a serious crash, according to Prof David Stupples, a scientific Government advisor.  Network Rail takes the threat seriously.  With UK testing through the European Rail Traffic Management System underway, Network Rail says, “We work closely with government, the security services, our partners and suppliers in the rail industry and external cyber security specialists to understand the threat to our systems and make sure we have the right controls in place”.

So what could happen? 
The new system is designed to make networks safer by reducing driver error, however if the system were hacked with malware, then the speed at which a train travelled could be overridden and the length of time it was programmed to stop could be slowed down, creating either disruption or worse, a potential accident.

With a robust security system to the outside world, the threat is deemed to be greatest from a rogue employee or an ill-informed worker, say plugging in a malware infected device.  With an aged and disconnected infrastructure, the rail networks have hitherto not been a frequent target, however as transport systems become more computerised and connected, this threat will only increase.

This comes at a time when the FBI have recently sent out a formal alert to US airlines to warn them of the dangers of their wi-fi network being hijacked, following a tweet by an independent security expert that he had successfully accessed the network through the in-flight entertainment system (IFE). The FBI and the US Transportation Security Administration are working fast to cover up the cracks, but this is not new news. The concern is that an avionic network could be accessed illegally and the controls for the plane taken over – either by someone on board or on the ground.

Technology is a wonderful thing, but only in the right hands. The job of defending network systems can truly be life critical, let alone business critical. Whatever your line of business, take the time to regularly review your security systems and test them for failure. Sometimes it only takes one incident to do irreparable damage to the public’s trust in an organisation. Don’t let that company be yours.

The Week’s Technology News – 12th December 2014

Have you planned IoT into your business strategy in 2015?
Increasingly it is now possible to connect any powered device to a network.   The Internet of Things (IoT) is an enormous technical development to comprehend let alone incorporate. However, from a business point of view, the real value in IoT will not just be in the connection of ‘things’, but the opportunity (if done properly), to manage the data and bring the customer needs into focus, alongside the product or services on offer.  This suddenly makes it a transformative technology applied through hardware and software and becomes highly interesting commercially.

Cisco’s Internet Business Solutions Group estimates that next year there will be around 25 billion connected devices, which will double to 50 billion by 2020 and Gartner recently suggested that IoT is peaking now in its ‘Hype Cycle’ of expectation around the subject.

If intelligent services are applied from the insights gathered by collating and interrogating data, this has the potential to radically improve customer experience and deliver cost savings in the long run through prompt performance, increased trust and access (given the right security procedures and policies), and to bond the existing relationship between provider and customer more strongly.

Seen in practical terms, an IoT print-enabled supplier could remotely monitor their customer’s ink levels to advise on re-supply, simultaneously run diagnostics for updates or repairs needed and advise, upsell improved models matching day-to-day needs and immediately have higher level feedback on how the customer is physically using the equipment in real-time.

From an MSP perspective, applying three simple concepts, ‘connecting’, ‘managing’ and ‘engaging’, will create a proactive environment and a more bonded relationship, attractive because of the intelligent assistance given. To get there you have to have an agile infrastructure providing quick, simple and secure connections. Some businesses worry about how to build the infrastructure to connect their devices. There are admittedly many aspects to consider, i.e. storage; messaging and routing protocols; security; directories; analysis; automation; and APIs, to name a few.

According to a recent global KPMG survey of technology business leaders, 20% of businesses find the concept of implementing IoT too complex looked at from the outside without expert help.  However, by utilising ready-built networks, offering fast, secure and scalable connections alongside a range of tools provided as a Platform as a Service (PaaS), businesses can concentrate their efforts on creating innovative connected products.   Now that sounds like a plan!

Sony hacked again – one week later

Last week Sony Pictures Entertainment was hit by a huge cyber-attack, leaking unreleased films and 47,000 personal records.

Since then even more data has been leaked, including confidential e-mails between Sony Pictures Chair Amy Pascal and well known Hollywood film producer Scott Rudin. The e-mails in question mock Barack Obama in an exchange of racist messages, with Pascal asking producer Scott Rudin what she should ask Obama at an upcoming event. “Although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologize to everyone who was offended.”

This week a new attack aimed at Sony’s PSN (PlayStation Network) took the service down on Monday. The attack came in the form of a Distributed Denial-of-Service (DDoS). Although the timing comes hot on the heels of the Sony Pictures attack, the two did not come from the same source. The PSN attack came from a group called Lizard Squad, who boasted about the attack on their Twitter account.

With fresh information still leaking, including plans for unannounced films, Sony may be playing damage control for some time.  These events only highlight the need for stringent malware protection and tightened defences against ever increasing DDoS attacks, as well as perhaps a pertinent reminder to staff about the appropriate use of email content, which in this case could have saved several blushes.

Data breach red flags for 2015
Global information services company Experian have published their Second Annual Data Breach Industry Forecast for 2015 after reviewing cyber attacks of 3,000 organisations.  In their report, Experian details a change of attitude amongst business leaders when it comes to cybersecurity.  This will affect organisations and regulators in the year ahead.

Not only is reputation critically at stake alongside security and trust, but consumers are also demanding more communication, as well as remedies to restore the status quo, whilst ‘data fatigue’ sets an expectation of resolution against the personal apathy of individuals about taking more vigilant steps themselves. With almost 50% of businesses having suffered at least one data breach in 2014, the need to increase investment in security technologies, and in policy planning and guidelines around this, is paramount, and accountability goes right to the top of the Board. A company now without a data breach response plan could be the first and largest victim of unscrupulous criminal targeting.

New trends are anticipated for 2015.   These are anticipated to include:
• New payment technology
• The continued rapid expansion of Cloud and e-commerce
• The consistently high value of healthcare data on the black market
• Employees as one of the biggest threats
• Internet of Things (IoT)

1. Payment technology   The deadline for retailers to adopt EMV (Chip and PIN) credit card technology is October 2015  if they want to accept Visa or MasterCard payments. As a result, breaches may increase as the window for hackers closes.

2. Cloud technology   With the increased adoption of Cloud technology, businesses can do much to ensure they protect their own and their customers’ data, as the value of consumer online credentials continues to grow. A great starting point is to take extra steps to safeguard passwords, as hackers will seek to target progressively more Cloud data as the volume of data held by companies in the Cloud explodes exponentially. This involves the capability and measures to re-set passwords on an enormous scale and to communicate with affected users to advise them, maintaining transparency as part of maintaining trust in the relationship.

3. Healthcare data   In the US, the increased number of access points to Protected Health Information (PHI) and sensitive data via electronic medical records, together with the increasing popularity of wearable technology, makes the entire healthcare industry vulnerable and attractive to cybercriminals. On top of this, the FBI reportedly sent a private notice in 2014 to the healthcare industry that their cyber security systems were lax compared to other sectors. Given the budget constraints facing the healthcare sector in the UK, and how many organisations have legacy IT infrastructures and constant downward pressure on budgets, it would be remarkable to be able to avoid breaches entirely.

4. Human error   One of the least reported issues is the impact of employee breaches – either through human error or malicious endeavour. Employees remain the leading cause of breaches, accounting for 59% of reported cases – and companies should therefore take the necessary steps to have policies in place to circumvent or minimise any impact.

5. Internet of Things   With the expansion of the Internet of Things, businesses will be seeking to benefit from reviewing data to optimise performance and consumerisation response. So with more devices being created with Wi-Fi capabilities and sensors, everyday items, e.g. car keys, alarm systems or wearable devices, will relay confidential information over the Internet and communicate with each other. Cyber attacks will therefore likely increase via data accessed from third-party vendors.

Takeaway – so, what action is required?  There will be an expectation for Board members to have a better understanding of their organisation’s data breach response plan and comprehension of new technologies and security protocols in the workplace, along with a clearly defined chain of response should such a breach occur.  Currently less than 17% of Board executives surveyed knew if their organisation had suffered a breach in the previous 12 months. Alongside this, should be security awareness training for employees as legal and regulatory scrutiny is anticipated to increase in 2015.

The Week’s Technology News – 5th December 2014

Outsourcing priorities changing
The latest Forrester Research report across 435 Europe-based IT decision makers has found that whilst 60% of European businesses are satisfied with IT infrastructure service providers, there is a subtle shift in focus from simple cost reduction desire (66%) to businesses offering  services to help increase sales and improve customer experience (71%).

The overall feedback stats should give serious food for thought to MSPs when marketing and servicing their offerings:
• 34% said cost savings were lower than expected
• 29% said service quality or delivery was inconsistent or poor
• 26% said there is a lack of innovation and/or continuous service-level improvements
• 23% said there is a lack of flexibility in changing volume, scope, business needs or pricing models
• 22% said service providers lacked a fully developed and functioning global delivery model.

“Faced with this customer demand for better, faster and more cost-effective infrastructure services, and increased competition from emerging and India-centric suppliers, Europe’s leading providers are forced to bring new offerings and delivery models to the market,” said Forrester analyst Wolfgang Benkel. “The good news is some of them are finally listening to their customers.”

Businesses which have moved to cloud services are benefiting from accessing more flexible services and MSPs need to ensure that to deliver the most for their clients they have a) the right technical skill set b) the business skills to think strategically around the business objectives of their clients and c) the experience, diligence and ability to adapt to create a more innovative approach with their offerings, in order to stand out from the crowd.

The Euro responses indicate that just meeting an SLA is no longer what is needed in the MSP marketplace, and that evidencing and thinking about all one’s added value will be the key to retaining customers and winning new business in 2015.

Modular mobile phone developments and corporate tailored opportunities
Google was first out of the gate with a modular mobile phone announcement with Project Ara, planned for release in 2015, but not without competition. Finland based Circular Devices has announced its own plans to create and sell a modular smart phone called Puzzlephone next year.

The Puzzlephone approach is a simpler one, with the smart phone being detachable into 3 parts: the Spine (the main structure including the screen), the Heart (a large piece that slots into the bottom half of the back – this includes the battery and secondary electronics) and finally the Brain (this slots into the top half of the back and includes the processor and camera). Google’s Project Ara approach is a lot more customisable, with prototypes having 8 smaller, changeable parts – compared to Circular Devices’ larger 3. However, it is possible that the simpler solution could win out, with users finding Project Ara a bit too complex to get their head around.

With two companies now in preparations for a modular phone launch next year, making reality from the concept is a significant step closer. These devices should appeal to tech enthusiasts and organisations. The potential for modular phones in the workplace is huge. Organisations would be able to create their tailored smartphone using selected prioritised modules according to their business need and deploy it to employees. This would have the benefit both of cutting costs on unneeded or unused features and of being able to add in requested features such as larger capacity batteries or fingerprint scanners. Another advantage of the modular approach is when things go wrong. Currently if a particular part of a phone fails, the whole unit has to be replaced or sent off to be repaired. With a standard modular build, fixing future issues could be as simple as swapping the faulty part with stock. Modular phones will be arriving next year, but their success will be dependent not only on the cost of the phone and its modules, but on how well the platform is supported by manufacturers providing unique hardware. Over then to the Android market and the likes of Samsung, HTC and Sony for part two of this evolving story…

Sony hacked again – leaking unreleased films and 47,000 personal records
Sony is no stranger to data breaches, infamously having to pull down their Playstation network in 2011 for 3 weeks after 77 million customers were potentially compromised, later to be fined by the ICO.

Now Sony Pictures Entertainment is the next division to fall under cyber-attack. The attack itself appears to be malware and has been used not only to steal data, but also to wipe machines at Sony. With hugely damaging commercial potential, four unreleased films have been leaked online pre-launch, with personal details of 47,000 people, including Hollywood stars such as Sylvester Stallone, exposed.

Since the Sony attack, the FBI has sent an alert out to US businesses warning them of malicious software that matches up with reports from the Sony Pictures attack. The report warns of malware that overwrites all data on a computer’s hard drive including the master boot record, preventing the machine from booting up successfully afterwards. The geographical origin of the attack remains unknown, but a group calling itself Guardians of Peace is claiming responsibility. With the risk of both data leaks and data deletion, a truly secure infrastructure and multiple data stores are more important than ever. For Sony this is another huge wake up call for a household name, swiftly becoming synonymous with susceptibility to cyber-attacks.

Radio heads up some surgical changes for 5G
The race is on to deliver the fifth generation of our mobile network.  The build in excitement around 5G may in fact be wholly worthy of the buzz, if the latest news on this joined-up superfast technology pans out, as vaunted by Professor Rahim Tafazolli of Surrey University’s 5G Innovation Centre.  This means the opportunity for properly connected smart cities, remote medical surgery, driverless cars and the “internet of things”.  The thought of stalling videos and apps and load delays becoming a mere footnote in tech history would be thrilling news.  Prof Rahim Tafazolli says, “5G will be a dramatic overhaul and harmonisation of the radio spectrum”.

The difference comes from the 5G networks transmitting data via uninterrupted radio waves bouncing off small masts with improved antenna technology. The waves split into bands (frequencies), with each band reserved for different communications, i.e. one for TV broadcast, one for mobile data, one for aeronautical signals etc. The system has got messy, with new technologies squeezed into the gaps. Now the regulators, the International Telecommunication Union (ITU), are restructuring parts of the radio network used to transmit data to make more space whilst simultaneously creating efficiencies in the traffic flow, whilst 3G and 4G use carries on. The network, which scientists hope will kick in by 2020, will need to cope with vastly increased levels of communication. Through the Internet of Things (IoT), devices will ‘smarten’ and dynamically switch between three TBC ‘lanes’ (bandwidths) in order to avoid frequency overload, and will rely on lower latencies (time lag between action initiation and response). Ericsson predict that 5G’s latency will be around one millisecond – imperceptible to a human and about 50 times faster than 4G.

So what?  Well 5G is anticipated to run faster, much faster. In 2013 when Samsung announced it was testing 5G at 1Gbps, journalists reported that a high-definition movie could be downloaded in less than half a minute.  A speed of 800Gbps would equate to downloading 33 HD films – in a single second. This is 100 times faster.  To do this, it will need capacity – and lots of it.  By 2020 it is thought that 50 billion to 100 billion devices will be connected to the internet.

Whilst there is great competition between the giants Ericsson and Huawei, both are investing hugely in this research phase and despite the obvious rivalry and associated costs, each is co-operating with the other to bring on the technology to enable product development to advance.   Samsung hopes to launch a temporary trial 5G network in time for 2018’s Winter Olympic Games, whilst Huawei is racing to implement a version for the 2018 World Cup in Moscow. For Managed Service Providers and businesses alike the vast potential of 5G is a major game changer, but harnessing and directing opportunity to create an ‘intelligent’ and more intuitive commercial response for customers will be the real game changer for business.

Barclays seeks (again) to improve customer experience
Barclays is leading the way again in banking technology by seeking to deliver a more personal form of assistance to its customers. Barclays’ beacon service, called ‘Barclays Access’, is being trialled in Sheffield and will work through an iPhone app. iBeacon, which uses Bluetooth to detect when a person using the app enters the branch, will trap personal details, information on their requirements, plus the option of a photo, to assist with speedy ID on arrival. An iPad at the front desk picks up the alert. All of these touch points can then alert bank staff to react promptly, discreetly and courteously when a customer with an assistance need arrives at the branch, to improve the overall customer experience.

Previously, Barclays pioneered customer banking transfers using only a mobile number, plus enabling some businesses to swap PINs, passwords and authentication codes for fingerprint scanners.  Technological advances have not by themselves caused massive behavioural changes to get customers to switch or stay loyal, but a combination of technology and personal intervention with insight creates a whole new level of customer care.
