Monday, January 28, 2013

Corporate security

Lots of happenings in the corporate security world lately.  Most not good.  This article and this article kind of sum it up nicely.

Most companies still do not spend enough time or effort on security, while some are just in plain denial ("hackers aren't interested in us").  In all honesty though, most companies only have the time and financial backing to focus on their specific business - not becoming security experts.  However, these companies still have to understand there are potential vulnerabilities in a lot of the common business products and plenty of people out there willing to put forth a lot of time looking for any kinds of weaknesses to exploit.

Thursday, January 17, 2013

More news on medical devices

Some recent stories on medical devices and medical-related issues.

  • Listen to my heart beat: HeartID is biometric software that uses your heartbeat to identify you.  It can also be used to continuously monitor the user to make sure it is still the same person who originally logged in.  It's definitely an interesting idea.  You kind of wonder though how accurate this type of thing can be.  Is a normal heartbeat unique enough to reliably identify a person?  Especially if you try to log in right after a big fight with your spouse or you're just not feeling well.  How accurately will this perform over the long run?
  • Medical system hacked: SC Magazine reports that researchers have discovered it is possible to hack into patient information in the Philips Xper system.  The researchers also speculate the system uses hard-coded user name and passwords.  This is probably just the tip of the iceberg with this kind of stuff.  For years, all different types of medical systems, monitors and devices were created without even an ounce of security.  Now it's catching up, and fast.  Hopefully it's not too late to get some of this corrected before things get too out of hand.  Although some would say we're almost there now.
  • Stop checking me out: Interesting statistics on health care record breaches.  It's amazing with all the press this kind of problem has been receiving that there are still new occurrences every week.  It's not always about evil hackers breaking in and stealing the data.  How often do we see news about some laptop getting lost or some USB stick or drive with thousands of patient records misplaced or stolen?  Well, I just ran into the store to get a few things and when I came out, the laptop/drive/tape wasn't on the front seat where I left it.  Gee, really?  Tell me the data was at least password protected or encrypted?  Of course it was.  I made a really good password that nobody can guess and wrote it down on the little sticky note I taped beside the laptop touchpad.

Saturday, January 12, 2013

The connected home

This is an interesting infographic from TrendMicro.  It shows some of the household systems that can be internet connected, and what can happen if somebody happens to hack into them.

But what about some other things they didn't mention?
  • Utility meters - gaining unauthorized access to electricity, gas or even water feeds could lead to several different homeowner problems.  At a minimum, incorrect usage levels could be reported back to the utility causing over billing headaches.  On the other end, the hacker could shut off the utility service completely.  If somebody in the home is dependent upon oxygen or some other medical device, it could potentially become life-threatening.  Even if nothing malicious is done, access to the usage data could provide hints as to when the house is unoccupied.
  • Comfort systems - I'm still not sure what the benefit of controlling comfort systems remotely really is.  Maybe it would be useful to be able to turn lights on/off periodically when you're not home so you can give the appearance of somebody there.  But when you are home, do you really want anyone outside the home fiddling with your lights?  Maybe just buy some simple light timers and call it even.  Then there is remote control of the HVAC system.  Here again, probably not something you want somebody outside the house messing with when you are home.  It could get even worse though when you're away for vacation.  If the thermostat were set extremely low or high, depending upon the season, not only could other systems in the house be damaged, but the HVAC systems themselves could be severely overworked, possibly leading to fire damage or complete mechanical failure.
  • Laptops, game systems and mobile devices - "smart" TVs aren't the only things with cameras and microphones in the house.  Remote access to any of these devices could lead to not only invasion of privacy, but potentially some embarrassing private moments.
  • Alarms and sensors - If access falls into the wrong hands, threshold settings could be changed, rendering the sensors useless.  The same holds true if the sensors are remotely deactivated.  If the sensors alert incorrectly too many times, the monitoring company may impose extra charges on the homeowner.  I guess there is also the possibility of a malicious person running alarm tests in the middle of the night ... denial of sleep attack.

Thursday, January 10, 2013

Security calendar

I have been trying to keep up a calendar of upcoming security events on this blog.  It's at Security Events, which is linked from my home page.  If anyone knows of any conferences or industry events that I don't have listed, it would be much appreciated to send the info my way so I can post it.  My email is jb123 at jeffbsecurity dot com (without the "123").  Thanks a bunch.


Saturday, January 5, 2013

First week in Jan 2013

Here are some interesting articles I ran across this week:
  • Who cares about HIPAA: Seems Kaiser Permanente ran out of room or common sense when they decided to "contract" out data storage to a couple in a California town. Most of the records were apparently stored in a warehouse the couple shared with a party rental shop, but some records were also stored in computers at the couple's home.  We're talking about 300,000 records, containing personal and medical information.  Wow, how does stuff like this happen?
  • Give me your password: Two more states recently adopted laws barring employers from requesting login access to potential and existing employees' social networking sites.  That brings the total to 6.  I'm still not sure if it's entirely necessary, but there are apparently enough businesses out there requesting people turn over their credentials.  I guess that would be a definite red flag on a job hunt for me.  If a company is hell-bent on getting you to violate the terms of service for a social networking site, then what other shady practices are they going to coerce you into?
  • Help yourself to my data, wink, wink: This article talks about companies creating bogus data that is supposed to help protect their real data from hackers.  It's an interesting idea, but how feasible is it?  If you have a big budget and a large security and IT group, maybe it's workable.  However, most small to mid-size companies have trouble just doing what they need to get by.  Security is still not a priority.  At best it's an afterthought.  So how would all these companies have the extra time and money to develop and maintain a bogus net presence alongside their operational one?  Maybe just spend the extra time and money on securing the real data?  Then you don't have to run the risk of the hackers getting pissed off and devoting even more time to coming after the real data.
  • Whatever happened to common sense: This will end up high on the list of dumb things this year.  Underage kid gets drunk, drives into a parked car, drives away and then posts about it on Facebook.  Really?  Wonder how they caught you?

Tuesday, January 1, 2013

Happy New Year!

Happy 2013!! Hopefully the new year brings lots of opportunities and good health for everyone.

Here are some things that have been on my mind over the past few weeks:
  • Stop spying on me - Rental laptops that were found to have back doors and spyware installed to help track them.  Seems Aaron's lost track of a laptop and showed up at the guy's door to get payments or the laptop.  They even showed him photos from the web cam of him using the laptop.  Problem is that the guy had bought the computer outright a few months before.  Oops!  So they can remotely turn on the web cam, see what's on the screen and watch all the keystrokes.  Wow, that's like a creeper's dream.
  • It's ok, nobody else will ever see that video - Surprise, surprise, videos sent via Snapchat and Facebook's Poke don't always disappear.  It's an interesting idea, but you would have to think they are cached someplace in order for the video player to work.  And the various network devices along the way that forward the packets from sender to receiver NEVER store any data.  Maybe the endpoint cache just needs to be cleaned up after it's done playing?  Yeah, that's it.  If Facebook says the video disappears once it's viewed, it's gotta be true ;)
  • I said, stop spying on me - Feds want black boxes in all automobiles by 2014. This is supposedly to allow manufacturers to have access to crash data in order to see how safety features are working.  Sounds like it will be similar to the black boxes in planes.  But it seems some people are looking at this as a huge threat to privacy ... big brother tracking to see where you are going and how fast (i.e. speeding).  Fair argument, but it would be stronger if you didn't have a GPS tracking your every move and a phone and tablet running apps based upon location.