Thursday, November 19, 2015

Anonymous blunder - Anonymous hunts down ISIS social media accounts but drops the ball

Anonymous sets out to take down ISIS.  This sounds like great news, and certainly has potential if only they would have shut up about it.  But I guess that is a problem with the entire Anonymous protocol.





Sometimes, people don't get the big picture.


Hackers around the world rejoiced that ANONYMOUS took down over 5000 ISIS twitter accounts and a mix of other social media accounts the likes of Facebook.


I hung my head in shame.





Stepping on a cockroach just means a hundred more will spawn into existence.


Closing 5000 twitter accounts only means 5000 more will grow that you may not find.


Lesson in strategic defences


Whoever is behind this "anonymous" blunder actually had a brilliant idea for crowd sourcing intelligence gathering.   They just dropped the ball on what to do with this information. 


Information is power.


What should have been done, is identify the social media accounts being used by these sorry excuses for carbon based units (humans for the non star trek folks) and then hand them off to someone that can actually do something intelligent with the information.


Now you don't simply drop this on the NSA's or FBI's desk, because you want to make sure that the information is not held under lock and key within a single intelligence agency.


So what you do is gather the top 20 intelligence agencies, find their emails, and send the entire list of 5000 accounts to ALL agencies.


Now you don't use BCC to send it all off, you make sure they all know, that they all have the intel.


This way, spy agencies can do what they do.  Correlate the information, pull out the intelligence that can be pulled out and take action.


The process set forth by a faction calling themselves Anonymous is brilliant, they even supply the python scripts and the howto instructions for identifying key words (in arabic) that would signal a potential terrorist supporter.


Since Anonymous is crowd sourcing to not speakers of the language, wouldn't it be best to eavesdrop on these conversations using folks who talk the language.... yes it would.


Trust me, the intelligence agencies have access to fluent speakers of almost any language even simplified Klingon.  (rur Sargh HuS jIH)


So as a community we should remember this.  There was indeed a better way to handle this and yield much more value.


Better luck next time!


By next week, there will be 500 new twitter accounts to identify.  


All is not lost.


I for one support Anonymous against ISIS.  Just not sure where to send my check or money donation ;-)  


I just hope the media can eventually grasp that they could be telling anonymous to do a better job.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Follow Eric on:

Twitter @ericparent
LinkedIn :  EVA-Technologies


www.eva-technologies.com








Monday, October 5, 2015

INTERACT systems being targeted at retailers as criminals exploit it to the tune of $5000 a shot


Organized criminals are taking assault on poorly secured Payment Terminals leaving store owners assuming the loss.

As various news agencies reported over the last few days, Interact card processing systems used in various retail operations are being targeted by criminals.  


 TVA NOUVELLES - 25 septembre 2015


At a privately held Fraud Summit that I was invited to speak last week, it became clear that this is a pretty big problem as police investigators started sharing their experiences following my talk which touched briefly on the subject.  At least 20 cases in the room.

A specific service provider (EVALON) appears to be a common target, as their default password for performing a refund to a debit card is the ever so secure 0000.

Not only is this a bad password, it is also indicated in the configuration manual available on the Internet.

The strategy is simple, two individuals go into a retail store (convenience store, restaurant, etc.) and purchases something.  When the debit machine is handed to the client, the accomplice distracts the clerk so his partner can cancel out the transaction and activate the REFUND (CREDIT) function of the system, using the 0000 password and authorizing a $5000 credit onto the criminals debit card.

The store in question will only notice the issue when they attempt to balance out the sales transactions at the end of the day.

So far, the criminals have been smart enough to only use debit cards associated with bank accounts opened with false identifies and not their own personal accounts.  

BAD DESIGN

Three things stink to high heaven with all this.

1) The most obvious.... the code being 0000 on production systems is nothing short of mind blowingly stupid.

2) When they started receiving calls from their clients claiming they where robbed of $5000, why hasn't the company supplying these devices reached out to their clients to explain to them they should change their 0000 password ?

3) And finally, the most important one.....   Why is the system design stuck in the 1800's.  Any security engineer will tell you that the device should impose a password change during the initial configuration and activation process.  This means that before the new plastic smell is gone, and before the DNA of a second person touches the device, that password should have been changed.   Default passwords forced to be changed before the system accepts its first debit / credit card is the only reasonable design.  

This is a beautiful example of lazy, low quality software engineering.

The company pushing these out the door to their "clients" is basically saying they prefer to rely on people reading the manual  and realizing the impact of not changing this code instead of locking it down right from the start.

Crossing your fingers hoping the end user gets it is not sound engineering.  Building it in a way that PREVENTS their clients from doing a stupid... stupid... thing... is the way to go.

Some retailers have nothing to worry about.  The processing architecture of many mature retailers often relies on the POS system authorizing a credit and only then will the paiement terminal process it.  Limits are often imposed to further protect against abuse/fraud.  

However, if you have an all in one independent POS/PT  that is not attached or controlled by an enterprise POS, you may be at risk.  You may want to make sure your password is of good quality, and that you have changed it at some point since spanish inquisition so ex-exployees don't still have it.



Now keep in mind that these systems have been thoroughly tested, attested and certified to be PCI-DSS compliant.  That was a joke by the way....  

As we can all see, there are three important life lessons learnt here:

1) Compliance does not mean secure.  

2) Common sense is not to be assumed. 

and 

3) Trust in your so called business partners to "do the right thing" is as ridiculous as having 1234 as your banking PIN.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com










Wednesday, September 2, 2015

Donald Trump will not be President

We live in an era where it is seemingly ok for a corporation to lie to both share holders and clients.  A world that sees executives spending more time taking care of themselves instead of their jobs responsibility. 

Corporations who spend more on covering things up as opposed to fixing root causes is becoming the norm and this is hurting our economy, and is going to get a lot worst before it gets better.

The Ashley Madison case is a perfect example.   A company built on fake profiles and robots who entice the weak male species with a few automated sexy words, and false claims of security to make everyone feel good about it.  

Enter Donald Trump, running for president.  A man that most find revolting, yet some of the things he says are actually hitting a sensitive nerve.  It is difficult to argue that we do not need more transparency and blunt truths thrown at our faces.  I recently saw a speech he gave, and I hated him through the entire speech, yet couldn't disagree with him and the topics he was covering.   Well, it was only that one speech, the rest of his verbal diarrhea is just plain annoying.

If you haven't seen this video of President Obama taking a shovel to the old Donald's face along with FOX news and a few others, then your life is missing a great humorous segment.  When he lays into Donald Trump at 3:00 into the video, many will fall off their chair.  The entire segment is worth watching.

LINK HERE

So in an age where most of our entertainment revolves around fake reality shows, fake news, fake websites and essentially fake facts.   Trump with his fake hair seems like a clear winner.

He won't be.  Not as president anyways.  But rest assured, he will be winning the lotery.

The facts remain that in "America" as so many uneducated seem to call it not realizing the stupidity involved with that geographic statement..... people may be foolish and easily manipulated, but the powerful hold each other by the balls.  And the ultra powerful control the courts.  Every election involves politicians using trends and popular opinion to win votes.  Translated that means telling the people what they want to hear without giving a second thought to the real facts.  If telling people that we will build stairs to the moon gets votes, so be it.  Forget the fact that you cannot build stairs to the moon, these facts are boring.  Note, if you do not understand the numerous technical reasons we can't have stairs to the moon, keep right on calling the United States <America>.  ;-) Mexico, Canada and all that south part of the globe really don't care.

So back on the Trump bandwagon

You would be found to be very naive if you think that Trump has not violated any rules to get to his current standing.   

He may be a public favourite, yet everyone in his party would prefer he take up basket weaving.

He is saying a lot of things that please a lot of people.  A real politician really.  Yet, many of the things he says simply do not make him worthy of a world leader position.  If you have doubts on his classy act and have a few minutes to burn, this video should close the deal for you.  Top 10 crazy Donald Trump moments

For him, this is a play that will yield him awesome benefits.  

When he stands down for whatever reason he gives the public, there will have been a deal.  A deal that could involve looking the other way on things past, present, or to come.  A deal that will be worth millions if not billions for the old Trump.

Now if I'm wrong, the outcome is even funnier.  Can we all take a moment to imagine Donald Trump negotiating international policy and sitting across from Poutine.

Love him or hate him, we do need more transparency, and in Trumps case what you see is what you get.

I would buy tickets to that show.


Monday, August 24, 2015

ASHLEY MADISON are suicides the final straw? Open letter to our privacy commissioner and a call to arms for our journalists

People are now committing suicide because their lives have been impacted by this issue and it seems that we are only looking at the hackers and never really looking at the serious lack of ethics at Ashley Madison.




Over at Ashley Madison, the original landing page is back, complete with FALSE STATEMENTS about their outstanding security!

Class Action Lawsuits are being launched and should have no issue showing the lack of ethics that management has shown and continues to show.

Ashley Madison faces $578M Canadian class-action lawsuit

Yes, you read that correctly, LACK OF ETHICS at Ashley Madison.

I realize they are selling a service that many would find lacking in ethics, yet even a hitman is expected to follow certain basic rules that evade the management of Ashley Madison.

I would like to turn this blog post into an open letter addressed to the Canadian Privacy Commissioner, the law firms that are about to take an axe to the subject, and any journalist that wishes to ask that single question that kills:

QUESTION: Ashley, you claim to have a security certification or "award" as you call it, titled "TRUSTED SECURITY AWARD", can you provide the details of this award, and can we "see" the evaluation criteria and the audit report that surely accompanies such a prestigious award.

Here is the thing.  The main landing page was just put back to what is essentially the same as before the security issue, and their are numerous FALSE claims right there, right in your face.

You cannot just make up a trusted security award and give it to yourself.




You cannot claim 39,285,000 ANONYMOUS MEMBERS when your entire member list was just leaked.

You cannot claim 100% LIKE-MINDED PEOPLE when the entire world has seen your members list and at least 175,000 have downloaded it and gone through it and found an impressive amount of fake accounts. 

You cannot claim 100% DISCREET SERVICE because you have not even yet resolved the issue I blogged about several weeks ago about any intercepted emails from Ashley Madison allowing anyone in without asking for a username and password.

You certainly cannot claim all these things when people are now jumping off bridges because of your failure.

Yet you are doing exactly that.

You're also telling us in your press releases (along with a regular infusion of bullshit) that an impressive task force of law enforcement is working on this problem.

I'm sceptical here.  No one had died up until now, and to be honest, you're a bunch of clowns running a pretty shit quality service.  Sure the front page looks good, but clearly you have not invested in security practices that would make you proud.

I find it hard to believe that all these police agencies are going to invest an incredible amount of time and effort on this case, and....if they do, I would be very VERY upset that MY tax dollars are being spent looking for someone who has just slapped you around when you keep giving me endless reasons to actually fly to Toronto and smack you around myself.  Now, certainly the fact that people are committing suicide will place the case on the top of the list, but there are two criminal activities to investigate.

1) Lacking security at Ashley Madison, yet they continue to make claims of great security
2) Criminals stole Ashley Madison data

Both these things are criminal

Bottom line, Ashley, you suck and are as much responsible for the problem as the "evil" hackers that stole "our" data.

If you want to show the world you are a trust worthy enterprise, you should publish your system logs.  The logs that show the connection IP addresses for the last login from each user account.  We already have all the user accounts, why are you shy.  Perhaps you do not want the entire world to see your system logs, fine, get creative, send them to me, I will confirm what I see and destroy them when done.  Why are you not letting REAL experts look under the hood.

I will tell you why.  Fake profiles are pretty damned easy to spot when you have ALL the information.

Terrible security is equally easy to spot.  Criminally negligent is under the same banner.

Ashley doesn't want that.

Someone needs to start asking real questions about the numerous laws and privacy regulations that have been broken over at Ashley Madison.

Ashley Madison is offering $500,000 to catch the criminals behind the attack.

Is our government going to do their job and investigate Ashley Madison to the same extent....


To the law firms going after Ashley Madison, please call me.  I have a lot of interesting information to share with you.

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com




Thursday, August 20, 2015

Ashley Madison, the list is finally out, and it is awesome

Someone could make a living writing about Ashley Madison, as it appears to be an endless source of mind blowing news.





Years from now, university professors will still be using this case, as the case to use when teaching aspiring security professionals AND senior managers how NOT to handle a security incident.

The list of screw ups is long as are the life lessons.

Here is the top stupid thing they have said or done in the last month.

Told the world not to worry, we hired the BEST security firm and have the BEST working on the problem.

Reality: The statements and their current security enhancements and posture indicate they have only mastered bold stupid statements.

They have removed their false or "made up" security certification claim, and changed their main landing page.  Oooohhh  Aaaaah impressive.

If I recall, this same bunch of BEST experts helped you make another bold claim.  A claim that made even the elderly burst in laughter.  The claim that you had located ALL your leaked information and taken it off the Internet.

First off, sending out DMCA notices only works for people who give a crap, and the underground hacking community doesn't really respond well to legal requirements.   Perhaps the fine folks at Ashley Madison have not read a paper since the Apollo moon landings.  

So yesterday, big news.  The list was leaked, as promised by the initial attackers.

One download Torrent alone has had north of 170,000 downloads.






Here it is on Pirate Bay as a Torrent Download.  (Link provided for research purposes):
https://thepiratebay.vg/torrent/12237184/The_Complete_Ashley_Madison_Dump_from_the_Impact_Team


Strange, the security experts at Ashley Madison had removed all their data from the Internet.....  


Perhaps Ashley Madison has the same problem that 4 year olds have.  They have an imaginary security friend !

The phase will pass (I guess...) and they will eventually have a REAL security professional.


For the time being, they have suspended sending weekly email updates since it was brought to their attention anyone intercepting all these juicy emails could get into everyones account....(thank you for reading my blog Ashley).

What they failed to do, is expire the links on all the old emails.  (I feel cheated here, like I'm giving you free consulting....).

So anyone with access to any of the old emails, can still click on any of the links within and get right into them accounts without ever being asked for a username and password.

Bravo !!  nice fix.

Feels like Microsoft in the early 90's.

Now looking through the Ashley Madison data, should reveal even more interesting things......  If someone had "access" to the actual Ashley Madison data dump.....

Oh wait, that would be illegal, and also, Ashley might show up in the middle of the night to hand me a DMCA take down notice.

Am I dreaming....

;-0

Let the public shaming begin.  People are going to be looking up not their friends, but their mortal enemies.

A fine example:  

Family Values Activist Josh Duggar Had a Paid Ashley Madison Account

So to all the fine clients of Ashley Madison who have no mortal enemies, sleep tight.

For the rest..... there is a billion dollar pharmaceutical industry waiting to calm your nerves.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com




Sunday, August 16, 2015

The NEW improved Ashley Madison & a few loose ends


I'm starting the week off with a few loose ends, or mixed items if you will.

ASHLEY MADISON, EVIL FONTS, AND FAKE LINKEDIN PROFILES


LET'S START WITH ASHLEY !

Well, it seems my blog is being read by the good folks at ADL.  They finally stopped making false claims on their front page about having security certifications that do not exist.

Good move Ashley.

The new front page however shows big voluptuous breasts.  I'm certain someone will complain about that.  The previous version of front page was much classier.  Personally, I don't mind the eye strain.


Previous landing page (with made up fake security certifications)





The new and improved landing page, with added eye candy




Now if you could just get rid of the fake profiles and all the prostitutes trying to "score a deal" the site would be a real asset for the cheating community ;-)

Oh wait....again.....  Did you fix that problem where anyone who intercepts your clients emails can get into their accounts without a password....   didn't think so.

So to all who see this facelift (or boob job) as a sign that everything has been "changed" and is now even more secure by a factor of 5, I leave you with this:

5 x 0 = 0

Try again Ashley.


Speaking of fakes, here are two more with a different degree of bite.

WHEN FONTS BITE
In a completely unrelated note, I stumbled on an interesting email, totally unrelated to Ashley Madison.


The latest Microsoft exploit that involves using a "special" font containing malicious code to exploit visitors of websites or folks opening documents is alive and well.
Taking a look at this suspicious email (as I have no account with this bank) reveals that someone is trying to get me to click on this font exploit.
Security researchers are curious, so I "asked a friend" to take a quick look at the system hosting this malicious code.  .UA sounds exotic, and it is.  It is a domain name registered under Ukraine.  

Big surprise, the system is owned by an unrelated company, and is in "standard" security condition.  By standard, I mean terrible. So it is being used as a victim to create more victims.





It is always interesting to see a critical vulnerability be reported, and actually see it in your inbox a few days later.

Conclusion:  Patch your systems, patch your serveurs so they aren't used  to attack someone else, train your people to not click on links from banks because banks don't send links to click on... the list is endless.

Obviously the system hosted in Ukraine is voluntarily vulnerable.  That is its mission.  It makes it a believable scape goat.

Strangely, a lot of corporations are also voluntarily vulnerable, they just don't know it.

Executives, ask yourselves this:  Would you bet your house that your IT is reasonably secure.  If your answering no and are not doing anything about it......


FAKE LINKEDIN PROFILES

I get a lot of fake invites in LinkedIn, as I'm certain most people do. 

Most of the time they are hot 20 year olds with impressive titles like VP of Marketing trying to sell me appointment setting services.

This week I got one that looked alright, yet, something was off and I couldn't put my finger on it until I accepted the invitation to connect.



Then my keen...cough...cough.. senses locked eyes on the profile picture.



Something looked off, so I screen captured the picture and uploaded it into Google Images.  Voila!  The picture is from a modelling agency.  Nothing to do with a "Lindsay Campbell" from Daigo Oil.

So don't be too quick at accepting LinkedIn invitations from people who seem out of place.

The current trend is do grow fake LinkedIn accounts and then use them for such evil as:

1) Harvesting email accounts from real profiles that are all now linked together
2) Hiding their identity since they are about to make you an offer you just can't refuse.
3) Social engineering their way to top executives
4) Posting damaging information with a fake profile associated with a competitor
5) .... the list goes on, only limited by imagination

Simple Google "fake LinkedIn profile" and you will find numerous pages depicting the problem and offering tips for spotting a fake.

Here is one example :  http://www.linkedstrategies.com/how-to-identify-a-fake-linkedin-profile-what-to-do-about-it/


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com


Tuesday, August 11, 2015

Killer Gas Gauges

Slow news week it must be my young apprentice.

Related article:  Hackers are attacking US gas stations


Breaking news: Misfits rename the equipment of local service stations to funky names.

That is what the title should have been in this news regurgitation.

Sadly, that is not what is being reported.

So hackers (there is that term again), are being reported as potentially exposing gas stations to huge risks because the telemetry system that monitors the gas level in the underground tanks is vulnerable to some form of abuse.

If we keep believing the news reporters, hackers will be able to:


  • Push out premium gas when you select the cheap stuff
  • Push out leaded gas because hackers are just that good
  • Make your wife/husband more attractive by pushing out more fumes while you pump (effect will be temporary)
  • And it seems, make the staff who refuels the tanks complete idiots.


The theory behind the "security issue" is that if we think the tank is empty, then the truck that will come to refill the underground tank will overfill it and the resulting overflow will be a "significant" danger for the lives of nearby habitants.

So when it comes to bullshit, I have seen a lot, but this extract here could become the gold standard in my future teachings;


"However, the Trend Micro researchers warn that ATG cyberattacks could still cause serious issues. Hackers can monitor one to find out when a facility is expecting the next fuel delivery or hold it hostage and ask for ransom. They can also fake fuel levels to induce overflow and put the lives of people in the area in danger."

Lets dissect this golden turd as an educational exercise.

CAUSE SERIOUS ISSUES   

So this one paragraph has at least 3 major issues.  Here they are for your entertainment pleasure:

#1 Knowing when the fuel truck is expected is not a serious issue.  Perhaps one has to understand how the fuel industry works.  Perhaps I am expecting too much from a "reporter".  Gas stations rarely run out of fuel.  That is because they know the trend.  The fuel truck already comes on a fixed schedule.  If terrorists wanted to blow one up, they do not need to hack the fuel level gauge to have the truck come and fill her up early.  They already know the truck comes each Wednesday after rush hour.  Are our terrorists now so anxious that they can't wait a few hours.

#2 Taking the gas station hostage.  Security researchers are supposed to stay off the white stuff.  I cannot envision a scenario (especially in the US) that ends well for the "hacker" who attempts to take a gas station hostage by manipulating their FUEL LEVEL READINGS.  For the love of god, my dad had an aging Buick with a broken fuel gauge for years, no one died.  Someone walk me through the SERIOUS ISSUE hidden behind this gem and how one would go about taking a service station hostage?

#3 INDUCING OVERFLOW !  This one is the icing on top of the cake.  Certainly the staff that drives the truck and connects the big huge hose to the ground has something called..... two working hemispheres ......  Perhaps they would notice that things are overflowing, and stop the pump.  Perhaps the system is already designed to stop back flow, after all, the pump you use on your car has this basic countermeasure, and spilling fuel on the ground is such an expensive waste to clean up.  And another thing, how do you INDUCE something by simply misleading someone that the fuel level is low ?

One thing fuel companies are really good at is accounting.  Surely they must "account" for fuel quantity sold versus fuel quantity in the tanks.  They probably have environmental regulations to respect with these "numbers" to prove that their underground tanks aren't leaking into the local drinking water.  I guess reporting the news only means talking to one side of the story and trying to spin it into breaking news. 

So MSN news, get real reporters who focus on the actual value of the story first.

Trend Micro, I love you guys, but you need new research guys, or someone to screen the inappropriate use of adjectives.  Because it is a fact that something which is vulnerable does not equate to a "serious" security risk.

My face is vulnerable to being slapped, and sadly, that rarely happens.

So, this is not really a news story after all.  Nothing of interest to the general public.  In fact, what the news is doing, is spreading the word that any misfit could "play" around with their local service station.

So fuel corp executives might decide to address this issue, which might not even be an issue.  The price of gas will go up a few cents to offset the cost of the entire monitoring system overhaul.  No one will have done an adequate risk analysis, they will just have acted to shut the reporters up.   

Well, I'm an optimist.  I have hope that the fuel giants have better management then we have reporters.









Friday, August 7, 2015

The $10k that Chrysler could have invested to save $140,000,000

This post is more of a humorous post, taking statistics to a new level normally only seen during election campaigns.  After all, it is Friday.

Security is rarely seen as an investment.  Yet it is exactly that.  You can also call it an insurance.  What you shouldn't call it is missing.  

We once again have a very telling example.




Imagine this scenario:  Chrysler could have invested $10k to save $140 million.

Chrysler just issued a recall on 1.4 million vehicles because a security expert (hacker) demonstrated that it was possible to bypass the....lacking security controls to access critical components of the vehicles electronics.  All this from the Internet.

Palpitating news.

Recalling 1.4 million vehicles costs money.  

It certainly costs more then $1 per car, and certainly more then $10 per car.  Probably around $100 per car.  Not accounting for the customers wasted time, if they do this service immediately instead of waiting for their next over priced oil change.  So hence, the $140 million dollar price tag of this security issue.

So now the interesting part.  How could a few thousand dollars have prevented this.

Secure Architecture Review.

As an expert, if you call me in to milk my brain for a couple hours, I charge a reasonable price.  Let's say $5000 a day.  This is reasonable because you are only bringing me in for a day or two, your taking my vast experience and applying it in its full concentration and undiluted to your most pressing problems, so in a sense it is priceless.

So in this case, certain basic things have been around in the security world for a very long time.

1) Don't build your outhouse near your well (very basic)

2) Don't use your real name on the Ashley Madison website (appropriate joke this month)

3) Segment your critical assets from your low value ones (separate Virtual Lans for asset categories)

4) Don't do your banking on your kids virus infected Windows 98 laptop

So why is my cars entertainment system on the same network as critical systems like braking ????

Having a security pro in that one important architecture meeting would have resulted in a statement saying that it is a really bad idea to have every electronic device in your car able to talk to each other.  In fact, the aviation industry has entire standards for this type of communications and also a golden rule about isolation.  This means that well documented and proven standards exist that you can either copy or inspire yourself from.

So yes, essentially, having the right skill set in that one meeting would have yielded a car that offers great security by simply respecting a few basic rules.  Rules that every competent security professional should have followed.  

So we could conclude that the right skill set was not at the right meetings.

So forget the $10k, if you paid the best of the best security professional a ridiculous salary of $250,000 a year to sit in all the important meetings, over the course of ten years, you would still have saved a whopping $137,500,000. Why.. because it is certain that at $250k a year, I wouldn't let you build your outhouse right next to your well.

And if you didn't listen to me, paperwork would exist that ensures traceability (just like in the aviation industry) that shows us which level of management accepted a risk which is clearly unacceptable.  And hopefully someone would get their outhouse cleaned out.

Sadly, in the automotive industry, which is older then the aviation industry, we still lack some of these basic elements.

This means that the individuals who contributed to these terrible decisions will not be impacted.  Having a few rough meetings is not impacted.

Today it was announced that a class action law suite is perhaps underway against Chrysler (jeep).  This means that the price tag of $140 million is going to go up.  Way up.

The shareholders should be very upset.

The board of directors should also be very upset as their primary responsibility remains to maximize return on investment.  And at this, they are failing.

Poor management decisions will not result in personal liability by over paid CEO's and other senior executives who fail at addressing these issues and continue to allow KPI's that cause more harm then good.

All these errors, some of them very expensive errors, will be paid by the shareholders.

So now the lawyers are getting involved, which will make them the real winners here.

And the sad part is that no one has actually had their car "maliciously hacked".  

Security researchers found that it could be done.  So if someone really smart takes the time to figure it out, it's possible.   That does not translate by any means into a motivation to invest that time to do it just to activate the brakes on cars for a malicious laugh.

As a security expert, I can guarantee you that given enough time, I can attack anything and win.  I still need a means to translate that into money that preferably doesn't involve showering in groups.

So researchers found a bug, that Chrysler should have found by themselves.  The bug is being addressed, and Chrysler is still going to go through a law suite.

So should they have invested in security architecture review.... or security testing ?

Yes, they should have.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com



Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...