Editorials – from the CTO
As we’ve said repeatedly, and as loudly as we can, for more than ten years, any of the flimsy protections from Container-Related Asset Protection (CRAP) vendors you think you are getting disappear like cotton candy in the hands of a five-year-old the minute a state-sponsored hacker with infinite resources takes interest in your data:
While the article (referenced below) is an interesting read, it is another extension of the traditional Container-Related Asset Protection (CRAP) security approach, but targeted to protect IoT. This is not necessarily a bad thing, in that at least IoT will have something, whereas today that sector has nothing.
This still will not provide protection for digital assets that may interact with, or be used by, the IoT device(s). Consider this example: you have images on a USB drive or personal website you want to play on a smart TV in your hotel room. You have no idea to what systems that TV is connected. From the perspective of the TV owner, the device may well be secure, but from the content of the I/P represented by your photos (which is what REALLY matters), no way in hell. Was the nighttime security guard legitimately given access rights by the hotel to make sure no one was playing any content (that the hotel isn’t profiting from) on that TV, and is now capturing your personal photos for whatever reason?
Or, you download your cycle data from your smart thermostat to compare it with your electricity bill and have it e-mailed to you by the thermostat. How does that data (showing the precise times you spend away from your home) get protected all the way through the world outside the thermostat and ensure that no one but you can read intercepted copies of that data (perhaps after you’ve read it and archived it to your e-mail server)?
So, while this may provide more targeted protection for devices in the IoT world, it will likely provide another attack surface, and once hackers find their weakness and learn to hack something that is in 50 million […]
You may recall that I have said many times that encryption is pointless because the protected asset eventually has to be decrypted somewhere and the hacker can simply get the asset from the decrypted location? Below is an article I wrote based on my previous discussions on this subject…
The first group of “cybersecurity experts”
There are two kinds of “cybersecurity” experts. One kind, as represented by IBM, CA, Symantec, Intel/McAfee, and FireEye, knows very little about the actual cybersecurity problem domain but a whole lot about extorting money from captive customers and the ignorant public in the name of “cybersecurity” without ever solving it (because solving the true underlying cybersecurity problem would make their lucrative business model also go away). Their cybersecurity failures are splashed all over the headlines these days, but they’ve managed to keep their names and associations with the crimes out of the press and off the websites through onerous contract stipulations with their customers forbidding their customers/victims from revealing the vendors’ identities and involvement in breaches.
The process this first group of guys engage in is known to industry professionals as “churning”, and relies primarily on ancient Container-Related Asset Protection (AKA, “CRAP”) technologies Band-Aided over with, or sometimes bundled with, pop-culture-inspired fads as apps. These technologies tend to aggregate ever-larger groups of otherwise-unprotected digital assets (files) into silos or containers (you would recognize these silos and containers as browsers, operating systems, file systems, servers, server farms, or the cloud) and protect them while stationary and in those silos/containers (as though that means anything in an increasingly-mobile world). In so doing, they make the rewards to hackers for breaching those silos/containers ever more profitable, worthwhile, and attractive, to the extent that now state actors (Russia, China, the Ukraine and other Baltic states, North Korea, India, Iran, Israel, the U.S, […]
I am not sure why this is suddenly news now (WPA2 key reinstallation attacks have been known to the hacker community for years), but if you didn’t already know, nothing “encrypted” in a Wi-Fi connection is secure. The only encryption that works has to be unique to each individual digital asset!
F. Scott Deaver