Editorials – from the CTO
While the article (referenced below) is an interesting read, it is another extension of the traditional Container-Related Asset Protection (CRAP) security approach, but targeted to protect IoT. This is not necessarily a bad thing, in that at least IoT will have something, whereas today that sector has nothing.
This still will not provide protection for digital assets that may interact with, or be used by, the IoT device(s). Consider this example: you have images on a USB drive or personal website that you want to play on a smart TV in your hotel room. You have no idea what systems that TV is connected to. From the perspective of the TV owner, the device may well be secure, but from the perspective of the IP represented by your photos (which is what REALLY matters), no way in hell. Was the nighttime security guard legitimately given access rights by the hotel to make sure no one was playing any content (that the hotel isn’t profiting from) on that TV, and is he now capturing your personal photos for whatever reason?
Or, you download your cycle data from your smart thermostat to compare it with your electricity bill and have it e-mailed to you by the thermostat. How does that data (showing the precise times you spend away from your home) get protected all the way through the world outside the thermostat and ensure that no one but you can read intercepted copies of that data (perhaps after you’ve read it and archived it to your e-mail server)?
So, while this may provide more targeted protection for devices in the IoT world, it will likely provide another attack surface, and once hackers find its weakness and learn to hack something that is in 50 million […]
You may recall that I have said many times that encryption is pointless because the protected asset eventually has to be decrypted somewhere, and the hacker can simply get the asset from the decrypted location. Below is an article I wrote based on my previous discussions on this subject…
The first group of “cybersecurity experts”
There are two kinds of “cybersecurity” experts. One kind, as represented by IBM, CA, Symantec, Intel/McAfee, and FireEye, knows very little about the actual cybersecurity problem domain but a whole lot about extorting money from captive customers and the ignorant public in the name of “cybersecurity” without ever solving it (because solving the true underlying cybersecurity problem would make their lucrative business model go away too). Their cybersecurity failures are splashed all over the headlines these days, but they’ve managed to keep their names and associations with the crimes out of the press and off the websites through onerous contract stipulations with their customers forbidding those customers/victims from revealing the vendors’ identities and involvement in breaches.
The process this first group of guys engages in is known to industry professionals as “churning”, and relies primarily on ancient Container-Related Asset Protection (AKA “CRAP”) technologies Band-Aided over with, or sometimes bundled with, pop-culture-inspired fads as apps. These technologies tend to aggregate ever-larger groups of otherwise-unprotected digital assets (files) into silos or containers (you would recognize these silos and containers as browsers, operating systems, file systems, servers, server farms, or the cloud) and protect them while stationary and in those silos/containers (as though that means anything in an increasingly mobile world). In so doing, they make the rewards to hackers for breaching those silos/containers ever more profitable, worthwhile, and attractive, to the extent that now state actors (Russia, China, the Ukraine and other Baltic states, North Korea, India, Iran, Israel, the U.S., […]
I am not sure why this is suddenly news now (WPA2 key reinstallation attacks have been known to the hacker community for years), but if you didn’t already know, nothing “encrypted” in a Wi-Fi connection is secure. The only encryption that works has to be unique to each individual digital asset!
F. Scott Deaver
I keep hearing people claim they are waiting on AI to solve the cybersecurity problem for them… All I can say is “good luck with that!”:
F. Scott Deaver
The Afghanistan poppy problem is perhaps more analogous to cybersecurity. If you are not familiar with the issue, here’s a short course from a reliable source: http://www.pbs.org/wgbh/frontline/article/why-eradication-wont-solve-afghanistans-poppy-problem/.
How do either of these analogies relate to cybersecurity? Because they demonstrate that you cannot apply post facto regulation to a human enterprise that has existed for decades (or centuries), in which powerful, well-entrenched interests have established an absolute dependency upon things remaining as they are, and upon which even the rank-and-file players within the industry are dependent. The cybersecurity industry we know today is controlled by players who have controlled it for decades, and this year alone they are expected to profit from it to the tune of hundreds of billions of dollars (in the aggregate). The problem domain itself (losses from cybertheft) is expected to reach two trillion dollars this year, and six trillion dollars by 2021 (per Gartner and others). This means all of these companies taking billions in profits annually from consumers have been doing so without solving the problem one whit, and that continued growth of their markets (and stock prices), with very little invested in effective technology, is completely dependent upon at least the perceived threat vector growing to the expected $6 trillion uninhibited (by us).
If our technology solves, as expected, the bulk of the cybersecurity problem, the threat vector virtually disappears, and along with it all those billions of dollars in profits being made today, as we speak, by not solving the problem, profits being made by powerful corporations with huge political footprints. That’s not to mention the power and wealth of the state actors increasingly invested on the other side of the coin, who would like things to remain as they are to keep the act of hacking as easy and profitable as it is […]
Will this idiocy never stop?!? First, Blue Cross and Blue Shield (and apparently other insurance companies) are sending out USB devices en masse and telling people to put those USB sticks into their devices… Which means all a hacker has to do now is send out similar notices with his own malware on cheap USB drives to infect any computer he/she wishes. I can’t BEGIN to tell you how ridiculous this is!:
Next, because of all the numb-nuts out there doing these kinds of things, corporations are now shutting down USB ports on devices altogether:
So of course, the next thing that happens is someone re-purposes the old dongle as an “identity” security device… using the USB port (the most hackable interface on a device)!:
Hackers are thrilled, because they need only simulate the appearance of one of these USB “security” devices to use the USB ports now re-enabled by some corporations for “security” purposes to, again, hack any device they wish…
Just so you know, hackers can purchase custom USB flash drives in small capacities in bulk for as little as twenty-five cents or less, with another nickel for custom printing. The hard part was(!) getting people into the habit of sticking USB drives from outside sources into their devices… Thanks to the folks above, that problem has now been solved (sigh). As to how cheaply flash devices can be had:
To illustrate how someone could easily game their way onto any Fortune 500 company device they wish (we’ll assume for our purposes here that the Fortune 500 company uses Blue Cross Blue Shield as its health insurer), the hacker first need only identify an employee with the access they want and then use a faked Blue Cross Blue Shield […]