Tag Archives: cybersecurity

Facebook: A Hacker’s Dream

By Ernest Worthman, AWT Exec. Editor, IEEE Sr. Member

It is funny how quickly all the hoopla around Facebook and the rest of the social media platforms has died down and given way to new happenings. I was really hoping for some meaningful results out of all the congressional and media frenzy around that. But alas, it was not to be.

For all that transpired, we are no further ahead in social media security than we were before. Oh, there have been some minor changes, as they now have to delete your data if you ask, and supposedly, the end-user licensing agreements (EULAs) are more obvious. I know I read every one of those notices and the data they referred to, didn’t you?

In the end, the problem still lies with the users. Facebook, other social media platforms, and everyone else in general, have a fiduciary responsibility to protect data on their network. As opposed to deliberate and calculated top-shelf black hat-based hacks, social media hacks are much less sophisticated and are “hacks of opportunity.”

It was, pretty well, made clear that there is way too much data on Facebook and that has become a hackers’ dream. A recent study just confirmed what we already knew – the more your data is out there, the greater chance that you will be hacked. Duh…you don’t have to hit me over the head with a wet noodle to make me get that, but it seems the majority of social media users do not. The more data that is out there, the more dark-side opportunity is out there, as well.

Now that the obvious has been presented, to get the discussion started, let us drill down a bit.

I have, from time to time, talked about liability, and who should be liable for what. Unfortunately, stupidity is not a crime so there are some sliding scales here. However, you cannot use that excuse for every hack or breach that occurs because some dummy put a picture on Facebook of a cool credit card design, and did not redact the numbers. Social media, by its nature, is a fertile hunting ground for hackers, and they know it.

For example, besides typical search engine optimization (SEO) poisoning, cyber-criminals use social networks such as Twitter and Facebook to spread scams based on search interest. Another breach involves malvertising. This is the case where social media sites put advertising on their pages that contains some sort of e-threat. Facebook’s ad platform also hosts fraudulent and malicious ads from web categories that seem to copy spam patterns. The list goes on and on and these are exactly the type of schemes that need to be contained by the social media platforms. They have the technology, just no reason to implement it, since it might “inconvenience” users or slow the system – nonsense.

However, the thing that irks me the most, and the primary reason I do not use social media, is that social media sites have a nasty habit of tracking you. That means that everywhere you go through the Facebook interface, for example, becomes a possible security breach if Facebook does not secure the I/O of that site – and it does not, even after all of what just transpired. That falls on the responsibility side of the provider, not the user. Europe saw this years ago and has recently heaped even more responsibility on the app owner. Unfortunately, we are not doing the same.

As the Internet of Everything/Everyone (IoX) evolves, the amount of personal data that will be out there is incomprehensible. Of late, Amazon is putting together technology that will allow your washing machine to, automatically, order detergent when you are almost out – transparent to the user, except for the notification that it was done.

This is only the tip of the smart “x” iceberg, alone. The connected hunting ground is becoming, virtually, unlimited. In addition, Amazon and everyone else is deeply plugged into social media so there is a vector for cross-pollution there.

The debate over social media security is far from over. Truthfully, I do not see any real solutions out there except to make the social media sites responsible for damages caused by their lack of security. Swallow the bullet, Facebook, Twitter, Pinterest, Path, Roamz and the rest. Yes, you will be slower, yes, you will be clumsier, yes, you might be frustrating, but yes, our data will be safer – and yes, people will get used to it.

It took Facebook’s Privacy Issues to Finally Wake up the Security Ecosystem

By Ernest Worthman, AWT Exec. Editor, IEEE Sr. Member

The latest noise about Facebook and privacy has stirred up a hornet’s nest – finally. It is not, like, it is any big surprise. Cybersecurity experts have, for years, been warning us that our private data from social media sites like Facebook is being siphoned off by any number of entities for a variety of purposes – and legally. But even on social media sites, posts are one thing but the private part of our data should remain private. Yet it seems that most of them, and us, just are not listening.

In one sense, what happened to them is no more than a carbon copy of the many breaches in recent history – the IRS, Equifax, Aetna, FedEx, Under Armour, Saks Fifth Avenue, Panera Bread, and hundreds more – big and small. And all Facebook’s COO Sheryl Sandberg could say was, “We know at Facebook we did not do enough to protect people’s data.” Of all the companies in the world, Facebook should have known better.

Whether it was 87 or 87 million records, the compromised numbers do not matter. What matters is that entities, from Panera Bread to Facebook to the Social Security Administration to the IRS, all have a fiduciary responsibility to secure their data. Some do better than others.

Social media sites are different from banks, retailers, services and the like. On social media, we want to let others know who we are and what we are doing. Such sites contain a lot more of our data than the others. We can limit who sees that data from the outside, but from the inside, it’s all nice and tidily packaged for the site and anyone who hacks the site can capture the data.

Social media sites have been puking up our data at alarming rates; and to an astounding number of third-party companies, like, and different from Cambridge Analytica. And these companies have come up with all kinds of ways to massage that data and sell it for marketing purposes. So it is to their advantage to have the user put up as much information as possible. The rest is history.

These data suckers and their methodologies are wide and deep. A while back I had written about Smart TVs that inserted short, ultrasonic sounds into television commercials and web pages. Then, special software is placed onto your computers, tablets, and smartphones that will pick up these “inaudible” signals, and, via cookies, send what it learns back to data mining companies like SilverPush. These companies, in turn, sell the data to their customers, who use that data, in the same way as everybody else, to micro-target the user.

This is a bit more nefarious, yet not illegal. But there was little attention paid to this back then. It seems that it takes a Silicon Valley wunderkind to really get the attention of Washington.

The Facebook debacle seems to have been the straw that broke the camel’s back, so to speak. Seems like Bank America, Target, Equifax, and others just were not important enough to get the attention Facebook got – that says a lot about our priorities. Then there was a tremendous amount of chest thumping by Congress, most of whom had no clue as to what Facebook even is, or that privacy is even an issue, as was evidenced by their questioning of Zuckerberg. That, to me is more concerning than the Facebook case, itself.

But today, the privacy issue is so far out of the gate, that it seems unlikely that there will be any significant changes in the wings. Maybe some minor regulations like empowering users to delete their account or remove (and I mean really remove) data. But there is no way Congress is going to cripple the billions (and soon to be trillions) of cyber advertising dollars and the fast-growing industry behind them.

However, what Congress needs to do is put some regulations out there that, a) make these companies be upfront about what they can do with your data. And, not buried in some convoluted EULA that nobody, except Washington lawyers, can understand. And, b) let us control our data! That means when we want to remove it, it gets removed – all of it and permanently! Not just relegating it to some archive somewhere where the company can retrieve it at a moment’s notice or some hacker can find it.

One thing I have to agree with is that we own some of this privacy invasion. With social media, we are all too willing to put stuff out there that is way too private. We let some of this happen, and so we share some of the blame.

But in the end, no one has the right to offer up our data without us having a thorough understanding of what is being done, and how, as well as keeping it secure from malfeasants. Let us hope that Congress sees that too.


Ernest Worthman
Executive Editor/Applied Wireless Technology
His 20-plus years of editorial experience includes being the Editorial Director of Wireless Design and Development and Fiber Optic Technology, the Editor of RF Design, the Technical Editor of Communications Magazine, Cellular Business, Global Communications and a Contributing Technical Editor to Mobile Radio Technology, Satellite Communications, as well as computer-related periodicals such as Windows NT. His technical writing practice client list includes RF Industries, GLOBALFOUNDRIES, Agilent Technologies, Advanced Linear Devices, Ceitec, SA, and others. Before becoming exclusive to publishing, he was a computer consultant and regularly taught courses and seminars in applications software, hardware technology, operating systems, and electronics. Ernest’s client list has included Lucent Technologies, Jones Intercable, Qwest, City and County of Denver, TCI, Sandia National Labs, Goldman Sachs, and other businesses.  His credentials include a BS, Electronic Engineering Technology; A.A.S, Electronic Digital Technology. He has held a Colorado Post-Secondary/Adult teaching credential, member of IBM’s Software Developers Assistance Program and Independent Vendor League, a Microsoft Solutions Provider Partner, and a life member of the IEEE. He has been certified as an IBM Certified OS2 consultant and trainer; WordPerfect Corporation Developer/Consultant and Lotus Development Corporation Developer/Consultant. He was also a first-class FCC technician in the early days of radio.

Dark Web Coupled with IoX Promises Big Problems

By Ernest Worthman, AWT Executive Editor, IEEE Sr. Member

Of late, there has been an increase in the noise around the “dark web” and how it is beginning to show up in the wireless ecosystem. Things that were once relegated to basement, off-grid dark web activities with a cloak-and-dagger computer and wired Ethernet connections have stratified to wireless.

I have discussed that from time to time, but this recent uptick in attention made me decide it was time to do an update on how the scene has evolved in light of the emergence of the internet of everything (IoX) and the new wireless ecosystem that makes every wireless device a mini-computer.

For those who may not be familiar with the dark web, it is the underground side of the internet and web we all use and love. It is, typically, known for nefarious, illegal, immoral, and many other malicious practices and activities. However, there is a lesser-known side to the dark web that is not evil.

Stepping back a moment, there has always been an underground – for just about everything. In my youth, before the Internet, I used to love the British underground music scene, which was far from evil. If you go back a couple of hundred years, there was the Underground Railroad used to ferry slaves to freedom; again, far from evil.

Today, there is a slew of underground activities that range from the mildly annoying to the egregious, such as backdoors around rules and regulations. Then there is the truly ugly part of the underground, such as illegal weapons. In the end, the dark web offers just about anything you can imagine.

However, if it were not for the dark web, groups such as human rights activists, journalists, the military, and law enforcement would not have a vehicle for constructive activities. This is the good side of the dark web, without which the side of right may go unheard. It serves to stand against injustice, bad rules and regulations, unfair practices, and dozens of other valuable causes.

Therefore, I am a fan of the good side of the underground. Its attraction is that it allows one to operate in total anonymity, without being tracked. On the bad side, surfers can access web sites that sell drugs and weapons, and they can even hire assassins. One such black-market site, Silk Road, has been on and off for years. A while back, there was a crackdown by the FBI on it, and similar sites, but it is an ongoing battle; even more so as wireless networks proliferate and offer better performance. And, they are harder to track in the wireless world. With the emerging 5G and IoX ecosystems, imagine the implications if malicious dark web players can use it as access to the autonomous interconnect of the IoX.

Using the dark Internet/web is remarkably simple. All one has to do is find an alternate browser such as Tor, short for “The Onion Router” (which, by the way, was developed by the U.S. Naval Research Laboratory as a way to protect the communications of the U.S. military). What Tor does is to reroute your device through a series of other IP addresses and bounces around anonymously until it reaches a destination. Say, I am in Denver, (I really am not, but that is where Tor says I am, as I write this). My traffic was routed through Germany, Sweden, and Russia. You think I am in Denver; hah, fooled you, I am really in Australia! What it looks like to the website I am visiting is that I am in Russia. Moreover, all this while driving (just kidding). So imagine how easy it is for malfeasants to do that too!

The scary part is that no one really knows the extent of it. That makes the potential security risk extremely dangerous. Today, the Internet is not nearly as autonomous as it will be when it becomes the IoX, with networks being run by automated software, (utilizing virtualization, AI and the like). With billions and billions of autonomous devices hanging on the IoX, the ability of the dark web to cause havoc is multiplied by orders of magnitude, and hackers can have us chasing our tails.

On top of that, these networks are so cloaked with encryption and anonymity, that it is virtually impossible to find them, even if it’s possible to relay back to the originator.

So, anybody got any ideas? Ping me and let’s talk (but remember, I’m on the other side of the world)

EDITOR’S NOTE: Ernest really is not in Australia, at least not physically anyway.

Are Cars the Next Cybersecurity Victims?

By Ernest Worthman, AWT Executive Editor, IEEE Sr. Member

As the connected world extends its tentacles into every corner of the wireless world, with that comes the specter of compromise. So it begins with the connected car.

Even though vehicle-to-everything (V2X) communication is still in its infancy, the emerging cellular V2X (C-V2X) platform becomes just one more cybersecurity vector that needs to be addressed. And, just because vehicles are now autonomous and connected, that does not mean they are any safer from the same nefarious threats that other types of networks face. After all, is not the connected car space just another version of a connected device network? As soon as the car becomes externally connected, you can bet hackers will be at the starting gate as well.

Hackers are adding connected cars to their target database because they are no different than any other connected network. Hacking them offers the same incentives as hacking a computer or smartphone.  But cars add a critical element – life safety. That changes the game.

Why? Because the business of malevolence is both ubiquitous and significant. Ransomware, for example, has become a multi-billion-dollar industry alone. And can you imagine if you are driving and someone takes over your vehicle, threatening to run you off a bridge unless you pay a ransom? I suspect just about everybody would cave at that point.

Given that vector, I just hope that the connected car industry places a significant value on lives and that cybersecurity is not an afterthought. They must be secured from the moment they leave the assembly line. As well, cars must be a non-issue when it comes to keeping their security current. That means the hardware and software must be agile and top-shelf; that updating is secure, constant and exacting. That becomes a challenge for devices that can have a 20-year lifespan.

And what about when the car is de-commissioned, or stolen, or abandoned? Or even turned over to a valet? All of these become major hooks in the design of vehicular security.

There is, however, a silver lining with this that does not scale across other segments: life safety. Connected cars, more than, probably, any other industry segment, raise the level of awareness about security. Most people are now becoming aware that security is something to be cognizant of and vehicles top that concern list. With vehicles there is also the cost factor. If one is going to spend upwards of $30,000 for something they may keep for a decade or two, they want to know it is secure. But, even if it is just a two-year turnover, a car is different from an appliance, or media device – the investment is still sizeable.

And, it is not just about individual cars. The other vector in this segment is fleet and commercial use. Here is where teleoperation enters the picture. Uber, Lyft, trucking, taxis, delivery services, and any number of other applications that require higher-level control than just a driver. It is an interesting theory that a hacker, or worse, a terrorist, would be able to take control of an entire fleet of vehicles.

Looking ahead, the connected car space has many more variables than fixed connected devices. The V2X platform includes sub-platforms such as vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V). If properly addressed, these sub-platforms can be an asset to cybersecurity as layers of security.

For example, say a vehicle were hijacked. If the network and security are properly designed and deployed, communications between it and the infrastructure and other vehicles are monitored (which should be the standard). If the hijacked vehicle’s actions or communications are outside of the norm, these other platforms can alert whomever, or whatever, needs to be advised. It is quite possible that the hijacked vehicle can be remotely disabled or sequestered. Of course, this all assumes that security is a primary consideration and is properly implemented. On the other hand, such a platform can be utilized by the dark side as well. It is a complex issue.

The connected car is not the only risk factor. When cars are connected to other things, city infrastructures for example, it brings up the specter of additional vulnerabilities. If an individual can hack the car and use it to infiltrate other networks or nodes, it is not that unrealistic that they can dominate the city and create all kinds of elevated risks. It is possible that vehicles are infecting other computers related to the infrastructure, such as becoming a gateway to hacking traffic lights, for example.

Finally, let us not forget that connected cars will act much like personal mobile devices storing private information. Visa, for example, has experimented with a credit card solution that would transform vehicles into the ultimate mobile payment devices. Herein lies another security consideration.

In the end, V2X security will need to be built-in from the ground up, maintained and monitored 24/7/365. OEMs need to ensure all connection points within a vehicle are properly authenticated so only trusted services are allowed to conduct communications. Encryption of sensitive data or packages going to or from the vehicle is a requirement. And there are many more considerations.

It is too early to know how this is all going to shake out. There are just so many factors that need to be part of the final solution. Regardless, however, security needs to be in the driver’s seat.


Ernest Worthman may be contacted at: eworthman@aglmediagroup.com.

Special Report: 2018 Predictions for 5G, Security, Blockchains (Part 1)

By Ernest Worthman IEEE Senior Member

Dear Reader,

This is the time of year many of us editorial types stare deeply into our crystal balls to talk about what we think will happen next year.  What makes this both interesting, and fun, is to observe the topics and the sometimes widely differing opinions and positions we take when we discuss this.

Many of these tend to be similar – a short, high-level flyover across a wide landscape of many topics, and there are a ton. That is useful, since it puts a quick read on these topics so one can get a quick picture of them.

Therefore, not wanting to be left out, I thought I would throw my hat in the ring. However, I am looking to narrow the field down to maybe a half-dozen, or so, of these topics that promise to be the most disruptive. I want to look at them with a bit more depth, and address what I believe to be the one or two biggest spoilers that will affect their trajectory and traction. Then, at the end of the year, revisit and see how well, or poorly, I did.

Cheers,

Ernest Worthman
Executive Editor
Applied Wireless Technology

5G: When Will Hype Become Reality?

There was a lot of talk in 2017 that 2018 will see 5G appear. Depending upon from whom you get your information, it is anywhere from already being here to being several years out; this in spite of the 3GPP ratification of the Non-Standalone (NSA) 5G New Radio (NR) specification.

I have been somewhat critical of the NSA-NR spec. While it offers a set of bounds that can be used as early guidelines, unless it becomes a very well adhered to spec and the NSA has the goal of becoming “S,” it can cause more problems than it solves. Let’s be honest, it was only created because of the pressure to keep 5G on target.

We will see some 5G movement in 2018. The trick is to continue to separate the hype from reality. The fact remains that mmWave 5G is still in the development and trial stage and that segment, along with enhanced mobile broadband (eMBB), will not be out in 2018. What we will be seeing is fixed wireless in the mmWave spectrum and some 5G-like deployments at lower frequencies where propagation is well understood.

However, there are spoilers:

  • Show me the money – while some companies, like Qualcomm, are willing to develop 5G (or 5G-like) products, not everybody is in the same boat. There are many possible use cases for 5G, but most companies are not willing to throw a lot of money at it until they are reasonably convinced they are going to get some ROI. While everybody wants 5G, it is still a bit nebulous as to what, when, how and where.

  • While the need for additional spectrum and densification is definitely an issue, there are several advancements and emerging platforms/technologies, in existing systems, that are picking up some of the slack (carrier aggregation, small cells, MIMO, network slicing, network functions virtualization and software defined networks, etc.). These can be applied, to some degree or another, to 4G networks. There is also some new spectrum coming on line (not enough, but it helps).

  • Second spoiler is NSA-NR. It is also nebulous, even though a rather impressive list of companies has signed up for it, because some of the big players are absent. How many of those, if any, will commit to it in 2018 is yet to be seen.

So, while 5G will, certainly, be a hot topic in 2018, exactly how far and what segments of the platform will deploy is uncertain.

Security: Increasing Awareness in 2018 but Little Action

Security is a universal concern. I do not see a universal shakeup in the security segment in 2018 unless there is a major breach of some sort. By that I mean an attack on some critical infrastructure component (power, transportation, satellites, the internet, etc.). Luckily, this country’s infrastructures are fairly well secured at a high level, but much of its hardware is old and patched. This works against the best efforts to secure it, and offers many opportunities for compromise.

It is also fairly decentralized and segmented (unlike smaller European, Asian and African, etc., countries where everything and its control is in one place) so even a major attack isn’t likely to bring the entire segment down. However, attacks are becoming more sophisticated, and 2018 is likely to see much wider and more coordinated attempts to disrupt major infrastructure. That will permeate across a much larger attack surface. The worst-case scenario is a coordinated attack against many individual entities to produce an order of magnitude greater end result.

On the commercial side, a recent statistic claims that 90 percent of businesses do not feel they are adequately prepared for a cyber-attack. Of that, 70 percent say they cannot either find or allocate sufficient resources to fully staff and fund the security vector. Therefore, this sector is beginning to look to cloud computing as both a permanent and temporary solution.

The residential sector has a slightly different challenge. While a breach on a business levies a substantial cost and affects a large cross section of people and resources, a breach on a consumer target is much more contained and affects far fewer components, initially. Moreover, the majority of such attacks are because these grades of devices just do not come with anything other than basic, easily compromised security, if any.

Security will gain orders of magnitude of eyeballs in 2018. It will become more and more visible as other technologies, platforms and ecosystems evolve, but it will remain behind the curve unless a pandemic or catastrophic cyber breach of unprecedented proportion occurs.

Major spoiler here is inaction. Many entities (both people and organizations) still do not see security as a top priority – simply because it has not happened to them. There are some exceptions; military, government, cloud players, etc. who are on it more than others are. However, for consumer, medical, smart home and devices and platforms used by players who are not as on it, ratchets up the level that can be exploited.

Whether 2018 makes significant strides in cybersecurity is anybody’s guess. It really depends on how cybersecurity is, or is not, taken seriously by ALL segments, industries, players and platforms. Considering the movement in both 5G and the Internet of Everything/Everyone (IoX), until that happens, the risk to the whole is much greater than the risk to the parts.

Blockchains and Cryptocurrency: The New Frontier

The biggest disrupter of 2018 will be blockchains, mainly due to the proliferation and movement of cryptocurrency.

Anybody who has followed the wild ride of Bitcoin has to recognize that cryptocurrency will cause a major disruption in the currency landscape. This has just begun and 2018 will see a myriad of changes come about. Not that hard currency is going away any time soon, but cryptocurrency will become a force to reckon with. 2018 will see cryptocurrency gain significant traction and widespread acceptance.

Blockchains are the engine behind cryptocurrencies; thusly they will see significant traction, as well. From the IEEE’s electronics360: In short, a blockchain consists of one digital ledger that is distributed across the network (the blockchain). All transactions are logged with the time, date, amount and participants, and grouped together with other transactions that happen within a certain time frame. Those transactions are identified with a mathematical computer-generated code, and linked to the previous block of transactions.

A blockchain’s characteristics include:

  • Blockchain’s key characteristics are what give bitcoin and similar networks the potential to disrupt, completely, the status quo in a number of industries including banking and finance, real estate, law and health care.
  • It is decentralized so no one entity can control its value through, say, changes in monetary policy.
  • A merchant account can easily be set up in seconds without the typical bureaucracy and subsequent fees and questions.
  • It is anonymous. Transactions are not linked to personally identifiable information.
  • It is transparent. Everyone in the blockchain has the same information in the form of a distributed ledger. The technology is open source so anyone can see how it works.
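The ledger described above (time-stamped transactions grouped by time window, each block identified by a computed code and linked to the previous block) can be sketched as follows. This is an added example, not code from the article or from any particular cryptocurrency; the 10-minute window, the field names and the sample transactions are assumptions made for illustration. It shows why the linking matters for integrity: an edit to a logged transaction breaks the chain, and even a fully recomputed forgery disagrees with the copy every other participant holds.

```python
import copy
import hashlib
import json

WINDOW_SECONDS = 600      # assumed grouping window; the article only says "a certain time frame"
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block

# Constructed sample transactions: time/date (epoch seconds), participants, amount.
SAMPLE_TXS = [
    {"timestamp": 1514764830, "sender": "addr-a", "recipient": "addr-b", "amount": 50},
    {"timestamp": 1514765000, "sender": "addr-b", "recipient": "addr-c", "amount": 20},
    {"timestamp": 1514765450, "sender": "addr-c", "recipient": "addr-a", "amount": 5},
    {"timestamp": 1514766100, "sender": "addr-a", "recipient": "addr-d", "amount": 12},
]

def block_hash(index, window_start, transactions, prev_hash):
    """SHA-256 over a canonical encoding of the block contents and the previous hash."""
    payload = json.dumps(
        {"index": index, "window_start": window_start,
         "transactions": transactions, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(transactions, window=WINDOW_SECONDS):
    """Group transactions by time window, then link each block to the one before it."""
    groups = {}
    for tx in sorted(transactions, key=lambda t: t["timestamp"]):
        start = tx["timestamp"] - tx["timestamp"] % window
        groups.setdefault(start, []).append(tx)
    chain, prev = [], GENESIS_PREV
    for index, start in enumerate(sorted(groups)):
        digest = block_hash(index, start, groups[start], prev)
        chain.append({"index": index, "window_start": start,
                      "transactions": groups[start],
                      "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if the chain is intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return i  # link to the previous block is broken
        expected = block_hash(i, block["window_start"],
                              block["transactions"], block["prev_hash"])
        if expected != block["hash"]:
            return i  # contents no longer match the recorded hash
        prev = block["hash"]
    return None

def rehash_from(chain, start):
    """Recompute hashes and links from block `start` on: the work a forger must redo."""
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], block["window_start"],
                                   block["transactions"], prev)
        prev = block["hash"]
    return chain

def first_divergence(local, peer):
    """Compare two participants' copies; return the first block index where they differ."""
    for i, (a, b) in enumerate(zip(local, peer)):
        if a["hash"] != b["hash"]:
            return i
    return None if len(local) == len(peer) else min(len(local), len(peer))

if __name__ == "__main__":
    honest = build_chain(SAMPLE_TXS)
    edited = copy.deepcopy(honest)
    edited[0]["transactions"][0]["amount"] = 5000          # alter a logged amount
    print("edit detected at block:", verify_chain(edited))
    forged = rehash_from(copy.deepcopy(edited), 0)         # forger rebuilds every hash
    print("forged copy self-consistent:", verify_chain(forged) is None)
    print("diverges from peers at block:", first_divergence(honest, forged))
```

A forged copy that has been rehashed end to end passes its own verification, which is why the check against other participants' copies is the part that relies on the ledger being distributed.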

There is a huge fog of uncertainty around these platforms, especially with mobile payments. Not what they are but how they are going to fit into today’s society. These are uncharted waters for the mainstream, although there is a wealth of knowledge of their functionality in certain areas (the dark web, for example).

The next 12 months will see the traditional financial infrastructure take a hard look at cryptocurrencies. Banks and regulators realize they are here to stay so M&A’s will begin to broaden. As well, applications will begin to appear and the benefits of them will become attractive to many players. Security will improve, wallets will replace exchanges and rules and regulation will be a top priority. How long it will take for all of this to play out is unknown. For example, the latest 451 Alliance report on digital wallets shows a slowing of their adoption by consumers.

The spoiler here is the chaos in the platform and how long it will take these issues to sort out. The coming year may not, likely, see this segment move as fast as some predict. The reason for that is that there are literally hundreds of different cryptocurrencies out there and more on the way. How to apply a universal set of rules and create order from chaos, in the segment, is a real challenge. 2018 will start to sort that out. Additionally, a significant spoiler vector is the lack of regulation. That is a major issue that has to be resolved before cryptocurrencies go mainstream.

Nevertheless, cryptocurrencies are here to stay. It is just a matter of when they go mainstream.