How to Fix the Internet of Broken Things

The Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken. In my previous blog I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore – lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do – and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.

But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.


The Security Challenges Threatening to Tear the Internet of Things Apart

The Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it’s also developing at such a rate that it threatens to outstrip our ability to adequately secure it. A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-security experts designing and building connected systems the risks grow ever greater. So what can be done?


Securing The Internet of (broken) Things: A Matter of Life and Death

If you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.


There is a bug in my Apple – Part 2

Intego announces first-ever iPhone malware scanner – really?

July 12, 2011 11:49 AM ET Gregg Keizer – COMPUTERWORLD

Follow up on my previous post on the new security flaw discovered in Apple’s iPhone and iPad – see

With impeccable timing, this morning Intego announced the availability of the “first-ever iPhone malware scanner”. Sure enough I went to the Apple Store and downloaded the VirusBarrier app on my iPhone and iPad. My test drive impressions: the app still leaves to the end user the responsibility to check the attachments rather than enforcing it. It is quite clunky and may provide a false sense of security: if you tap the attachment and then release the finger a little too early, you’ll end up opening up the attachment instead of scanning it(!) Probably safer – and cheaper – not to open PDF attachments in general. And as with any other consumer app, there is no centralized IT management whatsoever: no reporting and no policy enforcement. One more thing: Apple is supposedly working with Adobe to address this vulnerability and will provide an update soon. At that point this app may become simply useless … but I guess this is one of those situations where “something is better than nothing” …

A few comments from a couple of Trend Micro’s experts:

Mark Bloom, Director – Director Product Marketing @ Trend Micro : “Usage or not, they [Intego] will get a lot of brand awareness out of this…..just for that value, it was worth the development effort.”

Patrick Wheeler, Sr Product Marketing Manager @ Trend Micro : “[… Apple iOS] antimalware matters, which puts us [Trend Micro] at an advantage over MDM-only vendors like MobileIron, Airwatch, and Symantec, and allows us to talk up the differentiation for our own antimalware we get from integration with SPN.”

Oops … there is a bug in my Apple!

The new security hole found in iPhones and iPads reminds us that no platform is immune to security threats and that there is in fact a need for mobile security software for Apple products.

Here we go. As it turns out, Apple’s mobile operating system is not so secure after all. While it is common perception that iPhones and iPads are so secure that they don’t even need antimalware software, the reality is that any piece of software is potentially defective and therefore vulnerable to attacks. And Apple is no exception, as shown by the recent discovery of a new security flaw affecting Apple’s best-selling devices. Even worse, previously discovered security issues in iOS were limited to a minority of jail-broken devices, where end users deliberately patch the standard operating system to escape Apple’s suffocating control on device and apps – see my beer side chat on YouTube at


Bombmaking and Cupcakes

When the “bad guys” are in fact the “good guys”


Friday, Jun 3, 2011 09:41 ET

Spies hack al-Qaida’s Inspire magazine: British intelligence agents replace bombmaking instructions with cupcake recipe

URL:   – PAISLEY DODDS, Associated Press

I have always been fascinated by the fine line separating good and bad in cyber security. Admittedly we tend to see the security world in black and white. On one side we have the “bad guys” doing any sort of “bad things” such as planting malware or hacking websites. On the other we have the “good guys” trying to stop them from getting away with their wrongdoings. Well, as it turns out sometimes the “bad guys” are in fact the “good guys” trying to stop the real bad guys from doing really bad things. Confused?

Case in point: British intelligence agents hack al-Qaida’s website and replace bombmaking instructions with a cupcake recipe. While it is not a surprise that intelligence organizations around the world use cybertools as part of their work, I always wondered how they maintain their leading edge, how they gain knowledge of zero-day vulnerabilities and, in the end, to what extent governments are in fact indirectly funding the cybercrime underworld. Knowledge of zero-day vulnerabilities is worth millions – if not tens of millions – in the black market. What kind of organizations do you think can afford to buy this expensive know-how? Intrigued by the topic? Speak your mind. Leave a comment.

Catching Android Tokens in the Wild

Below is my interview with Shaun Nichols of on the latest Android security flaw:

Unsecured Wi-Fi leaves Android users open to attack


18 May 2011, Shaun Nichols, V3

Experts are warning of the dangers of unsecured Wi-Fi connections after a group of German researchers uncovered a security flaw which could leave Android users’ contact information exposed.

Researchers from Ulm University reported that many Android handsets and tablets are currently vulnerable to attack via an unsecured Wi-Fi connection when used to access authentication tokens for Google’s Calendar, Contacts and Gallery services. The vulnerability lies in the handling of the authToken component. When the user is connected on an open Wi-Fi connection, an attacker could capture and reuse the token to access data on the Google services. “The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data,” the researchers wrote. “For Contact information, private information of others is also affected, potentially including phone numbers, home addresses and email addresses.” The flaw is found in handsets running Android versions prior to 2.3.4 and tablets running Android versions prior to 3.0. The authorisation is performed over a secure connection on newer versions which prevents harvesting of the tokens. The researchers suggest that, if possible, Android handset owners should update to the newest version for their device.
