IoT’s Ticking Time Bomb

The Internet of Things is making major headway in consumer product categories — but it turns out it’s bringing its share of headaches along for the ride.

It shouldn’t be particularly surprising that security is an issue with IoT, of course.  But recent evaluations point to the incidence being more significant than first thought.

That’s the conclusion of research conducted by management consulting firm Altman Vilandrie & Company. Its findings are based on a survey of ~400 IT decision-makers working at companies that have purchased some form of IoT security solutions.

According to the Vilandrie survey, approximately half of the respondents reported that they have experienced at least one IoT-related security intrusion or breach within the past two years.  The companies included in the research range across some 19 industry segments, so the issue of security doesn’t appear to be confined to one or two sectors alone.

What’s more, smaller firms experienced higher relative “pain” caused by a security breach. In the Vilandrie survey, companies with fewer than $5 million in annual revenues reported an average loss of $255,000 associated with IoT security breaches.

While that’s substantially lower in dollar amount than the average loss reported by large companies, the loss for small business as a percentage of total revenues is much greater.

More findings from the Altman Vilandrie research study can be accessed here.

What does the Equifax data breach tell us about the larger issue of risk management in an increasingly unpredictable world?

It’s common knowledge by now that the data breach at credit reporting company Equifax earlier this year affected more than 140 million Americans. I don’t know about you personally, but in my immediate family, it’s running about 40% of us who have been impacted.

And as it turns out, the breach occurred because one of the biggest companies in the world — an enterprise that’s charged with collecting, holding and securing the sensitive personal and financial data of hundreds of millions of people — was woefully ill-prepared to protect any of it.

How ill-prepared? The more you dig around, the worse it appears.

Since my brother, Nelson Nones, works every day with data and systems security issues in his dealings with large multinational companies the world over, I asked him for his thoughts and perspectives on the Equifax situation.

What he reported back to me is a cautionary tale for anyone in business today – whether you’re working in a big or small company.  Nelson’s comments are presented below:

Background … and What Happened

According to Wikipedia, “Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.”

Founded in 1899, Equifax is one of the largest credit risk assessment companies in the world.  Last year it reported having more than 9,500 employees, turnover of $3.1 billion, and a net income of $488.1 million.

On September 8, 2017, Equifax announced a data breach potentially impacting 143 million U.S. consumers, plus anywhere from 400,000 to 44 million British residents. The breach was a theft carried out by unknown cyber-criminals between mid-May 2017 and July 29, 2017, which is when Equifax first discovered it.

It took another 4 days — until August 2, 2017 — for Equifax to engage a cybersecurity firm to investigate the breach.

Equifax has since confirmed that the cyber-criminals exploited a vulnerability of Apache Struts, which is an open-source model-view-controller (MVC) framework for developing web applications in the Java programming language.

The specific vulnerability, CVE-2017-5638, was disclosed by Apache in March 2017, but Equifax had not applied the patch for this vulnerability before the attack began in mid-May 2017.

The workaround recommended by Apache back in March consists of a mere 27 lines of code to implement a Servlet filter which would validate Content-Type and throw away requests with suspicious values not matching multipart/form-data. Without this workaround or the patch, it was possible to perform Remote Code Execution through a REST API using malicious Content-Type values.

Subsequently, on September 12, 2017, it was reported that a company “online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected [sic] by perhaps the most easy-to-guess password combination ever: ‘admin/admin’ … anyone authenticated with the ‘admin/admin’ username and password could … add, modify or delete user accounts on the system.”

Existing user passwords were masked, but:

“… all one needed to do in order to view [a] password was to right-click on the employee’s profile page and select ‘view source’. A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.”

The reporter who broke this story contacted Equifax and was referred to their attorneys, who later confirmed that the Argentine portal “was disabled and that Equifax is investigating how this may have happened.”

The Immediate Impact on Equifax’s Business

In the wake of these revelations, Equifax shares fell sharply:  15% on September 8, 2017, reducing market capitalization (shareholder value) by $3.97 billion in a single trading day.

Over the next 5 trading days, shares fell another 24%, reducing shareholder value by another $5.4 billion.

What this means is that the cost of the breach, measured in shareholder value lost by the close of business on September 15, 2017 (6 business days), was $9.37 billion – which is equivalent to the entire economic output of the country of Norway over a similar time span.

This also works out to losses of $347 million per line of code that Equifax could have avoided had it deployed the Apache Struts workaround back in March 2017.

The company’s Chief Information Officer and Chief Security Officer also “retired” on September 15, 2017.

Multiple lawsuits have been filed against Equifax. The largest is seeking $70 billion in damages sustained by affected consumers. This is more than ten times the company’s assets in 2016, and nearly three times the company’s market capitalization just before the breach was announced.

The Long-Term Impact on Equifax’s Brand

This is yet to be determined … but it’s more than likely the company will never fully recover its reputation.  (Just ask Target Corporation about this.)

Takeaway Points for Other Companies

If something like this could happen at Equifax — where securely keeping the private information of consumers is the lifeblood of the business — one can only imagine the thousands of organizations and millions of web applications out there which are just as vulnerable (if not as vital), and which could possibly destroy the entire enterprise if compromised.

At most of the companies I’ve worked with over the past decade, web application development and support takes a back seat in terms of budgets and oversight compared to so-called “core” systems like SAP ERP. That’s because the footprint of each web application is typically small compared to “core” systems.

Of necessity, due to budget and staffing constraints at the Corporate IT level, business units have haphazardly built out and deployed a proliferation of web applications — often “on the cheap” — to address specific and sundry tactical business needs.

“Kid’s Day” at Equifax’s Argentine offices. Were the kids in command there, one is tempted to wonder …

I strongly suspect the Equifax portal for managing credit report disputes in Argentina — surely a backwater business unit within the greater Equifax organization — was one of those.

If I were a CIO or Chief Security Officer right now, I’d either have my head in the sand, or I’d be facing a choice. I could start identifying and combing through the dozens or hundreds of web applications currently running in my enterprise (each likely to be architecturally and operationally different from the others) to find and patch all the vulnerabilities. Or I could throw them all out, replacing them with a highly secure and centrally-maintainable web application platform — several of which have been developed, field-tested, and are readily available for use.

__________________________
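As an added illustration of the kind of mitigation Nelson describes (this is not the filter Apache published, nor anything taken from Equifax’s systems), here is a Content-Type validating Servlet filter written against the javax.servlet API; the class and pattern names are mine. It lets non-multipart requests through untouched, accepts a well-formed multipart/form-data header, and answers 400 to anything that mentions multipart but does not match that form, or that carries expression-language markers.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not Apache's published workaround).
 * Rejects requests whose Content-Type header is not a well-formed
 * multipart/form-data value before they reach the framework's multipart
 * parser. Map it to "/*" in web.xml (or with @WebFilter) ahead of the
 * framework's own filter so it runs first.
 */
public class ContentTypeValidationFilter implements Filter {

    // RFC 2046 boundary syntax: 1-70 characters from a fixed set, optionally
    // quoted. Nothing else (no braces, no extra parameters) is tolerated.
    private static final Pattern WELL_FORMED_MULTIPART = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=\"?[A-Za-z0-9'()+_,\\-./:=? ]{1,70}\"?\\s*$",
        Pattern.CASE_INSENSITIVE);

    /**
     * Returns true when the request may proceed. A request with no body type
     * or a non-multipart body type is left to the application; any header that
     * mentions "multipart" must match the strict form exactly.
     */
    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true;
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        // Expression-language markers never belong in a Content-Type header.
        if (lower.contains("%{") || lower.contains("${")) {
            return false;
        }
        if (!lower.contains("multipart")) {
            return true;
        }
        return WELL_FORMED_MULTIPART.matcher(contentType).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!isAcceptable(req.getContentType())) {
            // Discard the request. The offending header is never echoed back,
            // so the error response cannot become a channel for its contents.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unsupported Content-Type");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

If legitimate clients send additional multipart parameters, widen the pattern rather than dropping the check. Log the rejections: a burst of 400s from this filter is a cheap indicator that someone is probing the multipart parser.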

So, there you have it from someone who’s “in the arena” of risk management every day. To all the CEOs, CIOs and CROs out there, here’s your wakeup call:  Equifax is the tip of the spear.  It’s no longer a question of “if,” but “when” your company is going to be attacked.

And when that attack happens, what’s the likelihood you’ll be able to repel it?

… Or maybe it’ll be the perfect excuse to make an unforeseen “early retirement decision” and call it a day.

__________________________

Update (9/25/17):  And just like clockwork, another major corporation ‘fesses up to a major data breach — Deloitte — equally problematic for its customers.

The Connected Home

It doesn’t take a genius to realize that the typical American home contains more than a few digital devices. But it might surprise some to learn just how many devices there actually are.

According to a recent survey of nearly 700 American adults who have children under the age of 15 living at home, the average household contains 7.3 “screens.”

The survey, which was conducted by technology research company ReportLinker in April 2017, found that TVs remain the #1 item … but the number of digital devices in the typical home is also significant.

Here’s what the ReportLinker findings show:

  • TV: ~93% of homes have at least one
  • Smartphone: ~79%
  • Laptop computer: ~78%
  • Tablet computer: ~68%
  • Desktop computer: ~63%
  • Tablet computer for children age 10 or younger: ~52%
  • Video game console: ~52%
  • e-Reader: ~16%

An interesting facet of the report focuses on how extensively children are interfacing with these devices. Perhaps surprisingly, TV remains the single most popular device used by kids under the age of 15 at home, compared to other devices that may seem to be more attuned to the younger generation’s predilections:

  • TV: ~62% used by children in their homes
  • Tablets: ~47%
  • Smartphones: ~39%
  • Video game consoles: ~38%

The ReportLinker survey also studied attitudes adults have about technology and whether it poses risks for their children. Parents who allow their children to use digital devices in their bedrooms report higher daily usage by their children compared to families who do not do so – around three hours of usage per day versus two.

On balance, parents have positive feelings about the impact technology is having on their children, with ~40% of the respondents believing that technology promotes school readiness and cognitive development, along with a higher level of technical savvy.

On the other hand, around 50% of the respondents feel that technology is hurting the “essence” of childhood, and causing kids to spend less time playing, spending time outdoors, or reading.

A smaller but still-significant ~30% feel that their children are more isolated, because they have fewer social interactions than they would have had without digital devices in their lives.

And lastly, seven in ten parents have activated some form of parental supervision software on the digital devices in their homes – a clear indication that, despite the benefits of the technology that nearly everyone can recognize, there’s a nagging sense that downsides of that technology are always lurking just around the corner …

For more findings from the ReportLinker survey, follow this link.

Legislators tilt at the digital privacy windmill (again).

In the effort to preserve individual privacy in the digital age, hope springs eternal.

The latest endeavor to protect individuals’ privacy in the digital era is legislation introduced this week in the U.S. Senate that would require law enforcement and government authorities to obtain a warrant before accessing the digital communications of U.S. citizens.

Known as the ECPA Modernization Act of 2017, it is bipartisan legislation introduced by two senators known for being polar opposites on the political spectrum: Sen. Patrick Leahy (D-VT) on the left and Sen. Mike Lee (R-UT) on the right.

At present, only a subpoena is required for the government to gain full access to Americans’ e-mails that are over 180 days old. The new ECPA legislation would mean that access couldn’t be granted without showing probable cause, along with obtaining a judge’s signature.

The ECPA Modernization Act would also require a warrant for accessing geo-location data, while setting new limits on metadata collection. If the government did access cloud content without a warrant, the new legislation would make that data inadmissible in a court of law.

There’s no question that the original ECPA (Electronic Communications Privacy Act) legislation, enacted in 1986, is woefully out of date. After all, it stems from a time before the modern Internet.

It’s almost quaint to realize that the old ECPA legislation defines any e-mail older than 180 days as “abandoned” — and thereby accessible to government officials.  After all, we now live in an age when many residents keep the same e-mail address far longer than their home address.

The fact is, many individuals have come to rely on technology companies to store their e-mails, social media posts, blog posts, text messages, photos and other documents — and to do it for an indefinite period of time. It’s perceived as “safer” than keeping the information on a personal computer that might someday malfunction for any number of reasons.

Several important privacy advocacy groups are hailing the proposed legislation and urging its passage – among them the Center for Democracy & Technology and the Electronic Frontier Foundation.

Sophia Cope, an attorney at EFF, notes that the type of information individuals have entrusted to technology companies isn’t very secure at all. “Many users do not realize that an e-mail stored on a Google or Microsoft service has less protection than a letter sitting in a desk drawer at home,” Cope maintains.

“Users often can’t control how and when their whereabouts are being tracked by technology,” she adds.

The Senate legislation is also supported by the likes of Google, Amazon, Facebook and Twitter.

All of which makes it surprising that this type of legislation – different versions of which have been introduced in the U.S. Senate every year since 2013 – has had such trouble gaining traction.

The reasons for prior-year failure are many and varied – and quite revealing in terms of illuminating how crafting legislation is akin to sausage-making.  Which is to say, not very pretty.  But this year, the odds look more favorable than ever before.

Two questions remain on the table: First, will the legislation pass?  And second, will it really make a difference in terms of protecting the privacy of Americans?

Any readers with particular opinions are encouraged to weigh in.

The downside dangers of IoT: Overblown or underestimated?

In recent weeks, there has been an uptick in articles appearing in the press about the downside risks of the Internet of Things (IoT). The so-called “Weeping Angel” technique, which essentially allows hackers to turn a smart television into a microphone, is one eyebrow-raising example from the CIA files released by WikiLeaks recently. Another is the potential for hacking into the systems of autonomous vehicles, enabling cargo to be stolen or the vehicles themselves to be held for ransom.

Some of it seems like the stuff of science fiction – or at the very least a modern form of cloak-and-dagger activity. Regular readers of the Nones Notes blog know that when we’re in the midst of a “collective angst” about a topic of this nature, I like to solicit the views of my brother, Nelson Nones, who has been in the fields of IT and operations management for decades.

I asked Nelson to share his perspectives on IoT, what he sees are its pitfalls, and whether the current levels of concern are justified. His comments are presented below:

Back in 1998, I was invited to speak about the so-called “millennium bug” (also known as the “Y2K bug”) at a symposium in Kuching, Malaysia. It was a hot topic at that time, because many computer systems then in use hadn’t been designed or built to deal with calendar dates beyond the end of the 20th century.  

The purpose of my presentation was to educate the audience about the nature of the problem, and how to mitigate it. During the question-and-answer session which followed, a member of the audience rose and began to speak rather hysterically of the threat which the millennium bug posed to civilization as we knew it.  

His principal concern was the millions of embedded sensors and controllers in use throughout industry which were not programmable and would therefore need to be replaced. In his view, very few people knew which of those devices were susceptible to the millennium bug, or where they were running.  

As a result, he felt that many flawed devices would go undetected, causing critical infrastructures such as power generation plants, electricity grids and aircraft to fail.  

Needless to say, his dire predictions did not come to pass and humankind sailed into the 21st century with barely a murmur. This isn’t to say that the millennium bug wasn’t a real threat – it certainly was – but rather that providers and users of information technology (IT) mostly did what was necessary to prepare for it.  As Britain’s Guardian newspaper reported in April 2000, “In truth, there have been bug incidents … none of this, however, adds up to global recession, or infrastructure collapse, or accidental nuclear war, as the most heated prophets were anticipating.”  

It is for similar reasons that I take much of today’s hype over security vulnerabilities of IoT with more than a pinch of salt. 

It’s worth noting that, technologically speaking, IoT isn’t really very new at all. As the prophet of doom at my 1998 symposium (correctly) observed, sensors, software, actuators and electronic controllers have been integral components of automated industrial systems for the past thirty years at least.   

What’s new is that these technologies have begun to be accepted and deployed by consumers. I say “begun” because I don’t know anyone who has actually rigged a “smart home” to work in the all-encompassing way breathlessly envisioned by purveyors of home automation technology; but I do know people who use the technology for specific purposes such as home security, thermostat control and recording TV programs.  

Just last week I spoke with someone who is beta testing a self-driving Tesla automobile, but he confessed that he still won’t take his hands off the wheel because he doesn’t really trust the self-driving technology yet.  

What’s also new is that businesses are extending their use of sensors and controllers well beyond the confines of plants, factories and warehouses. For example, trucking companies routinely use global positioning system (GPS) sensors to monitor fleet locations in real-time.  

Aircraft engine makers such as Rolls-Royce and GE rely on management and monitoring systems to transmit information from sensors to ground stations for real time analysis, during flight.  Many problems which are detected in this manner can be instantly corrected during flight, by relaying instructions back to controllers and actuators installed on the engine.  

The common denominator for what’s new is the use of existing Internet infrastructure; hence the “I” in “IoT.”  

In earlier times, sensors, software and electronic controllers could communicate only through local area networks (LANs) which were physically isolated and therefore impermeable to external attacks. But when those devices are connected to the public Internet, in theory anyone can access them — including cyber-criminals and governments engaged in sabotage or espionage, or who want to hold things for ransom, surreptitiously watch live feeds, or deploy botnets for distributed denial of service (DDoS) attacks.  

It is clear, therefore, that the root causes of privacy and security concerns arising from increasing IoT usage are mainly network security lapses, and not the things themselves.

Ensuring the highest possible degree of network security is no easy task. Above and beyond arcane technical details such as encryption, installing network firewalls, and opening and closing of ports, it means deploying multiple layers of defenses according to specific policies and controls, and that requires skills and knowledge which most consumers, and even many businesses, do not possess. 

Still, one doesn’t have to be a network geek to implement basic security mechanisms that far too many people overlook. In search of easy pickings, cyber-criminals usually prefer to exploit the huge number of unlocked doors begging for their attention, rather than wasting time trying to penetrate even slightly stronger defenses.   

For example, many people install wireless networks in their homes but forget to change the default router password and default network name (SSID) – or they pick a password that’s easy to guess. In addition, many people leave their network “open” to anyone having a wireless card by failing to implement a security key such as a WPA, WPA2 or WEP key, or by choosing a weak security key.   

An attacker can discover those lapses in a matter of seconds, or less, giving them full administrative authority and control over the compromised network with little risk of detection. This, in turn, would give the attacker immediate access to, and remote control over, any device on the network which is switched on but does not require authentication; for example, network printers, data storage devices, cameras, TVs and personal computers (PCs) which are not configured to require a user logon. 

Plugging those security holes doesn’t require specialist knowledge and shouldn’t take more than an hour for most home networks. Recognizing the security concerns, an increasing number of hardware and software vendors are preconfiguring their products in “full lockdown” mode, which provides basic security by default and requires users to apply specialist knowledge in order to open up their networks as necessary for greater convenience.  

This is precisely what Microsoft did over a decade ago, with great success, in response to widely publicized security vulnerabilities in its Windows® operating system and Internet Explorer browser. 

It’s all too easy to imagine the endgames of hypothetical scenarios in which the bad apples win by wresting control over the IoT from the good guys. But just like the millennium bug nearly two decades ago, it is wiser to heed the wisdom of Max Ehrmann’s Desiderata, published back in 1927:  

“Exercise caution in your business affairs, for the world is full of trickery … but do not distress yourself with dark imaginings.”  

Going forward, I’m confident that a healthy dose of risk intelligence, and not fear, will prove to be the key for successfully managing the downside aspects of IoT.

_________________________

So those are Nelson’s views on the Internet of Things. What about you?  Are you in agreement, or are there aspects about which you may think differently?  Please share your thoughts with other readers.

Ad fraud: It’s worse than you think.

It isn’t so much the size of the problem, but rather its implications.

A recently published report by White Ops, a digital advertising security and fraud detection company, reveals that the source of most online ad fraud in the United States isn’t large data centers, but rather millions of infected browsers in devices owned by people like you and me.

This is an important finding, because when bots run in browsers, they appear as “real people” to most advertising analytics and many fraud detection systems.

As a result, they are more difficult to detect and much harder to stop.

These fraudulent bots that look like “people” visit publishers, which serve ads to them and collect revenues.


Of course, once detected, the value of these “bot-bound” ads plummets in the bidding markets.  But is it really a self-correcting problem?   Hardly.

The challenge is that even as those browsers are being detected and rejected as the source of fraudulent traffic, new browsers are being infected and attracting top-dollar ad revenue just as quickly.

It may be that only 3% of all browsers account for well over half of the entire fraud activity by dollar volume … but that 3% is changing all the time.

Even worse, White Ops reports that access to these infected browsers is happening on a “black market” of sorts, where one can buy the right to direct a browser-resident bot to visit a website and generate fraudulent revenues.

… to the tune of billions of dollars every year.  According to ad traffic platform developer eZanga, advertisers are wasting more than $6 billion every year in fraudulent advertising spending.  For some advertisers involved in programmatic buying, fake impressions and clicks represent a majority of their revenue outlay — even as much as 70%.

The solution to this mess in online advertising is hard to see. It isn’t something as “simple and elegant” as blacklisting fake sites, because the fraudsters are dynamically building websites from stolen content, creating (and deleting) hundreds of them every minute.

They’ve taken the very attributes of the worldwide web which make it so easy and useful … and have thrown them back in our faces.

Virus protection software? To these fraudsters, it’s a joke.  Most anti-virus resources cannot even hope to keep pace.  Indeed, some of them have been hacked themselves – their code stolen and made available on the so-called “deep web.”  Is it any wonder that so many Internet-connected devices – from smartphones to home automation systems – contain weaknesses that make them subject to attack?

The problems would go away almost overnight if all infected devices were cut off from the Internet. But we all know that this is an impossibility; no one is going to throw the baby out with the bathwater.

It might help if more people in the ad industry would be willing to admit that there is a big problem, as well as to be more amenable to involve federal law enforcement in attacking it.  But I’m not sure even that would make all that much difference.

There’s no doubt we’ve built a Frankenstein-like monster.  But it’s one we love as well as hate.  Good luck squaring that circle!

The financial goals — and worries — of affluent consumers: It turns out they’re more similar than different from the broader population.

But gender differences do exist …

In this year’s U.S. presidential election campaign, there’s been a good deal of attention paid to so-called “working class” voters. No doubt, this is a segment of the electorate that’s especially unhappy with the current state of affairs in the country.

But what about other population groups?

As it turns out, affluent Americans are worried about many of the same things as well. A recent survey of affluent Americans conducted by the Shullman Research firm reveals that their worries are fundamentally similar to other Americans.

Here’s what survey respondents revealed as their top worries:

  • Your own health: ~36% of respondents cited as a top worry
  • Your family’s health: ~31% cited
  • Having enough money saved to retire comfortably: ~30%
  • The economy going into recession: ~28%
  • Terrorism: ~27%
  • Inflation: ~23%
  • The price of gasoline: ~22%
  • Being out of work and finding a good job: ~20%
  • Political issues / warfare around the world: ~15%
  • Taking care of elderly parents: ~15%

[One mild surprise for me was seeing how many respondents cited “the price of gasoline” as a source of worry, considering both the recent easing of those prices and the affluence level of the survey sample.]

Generally speaking, the research found few gender differences in these responses, but with a few exceptions.

Men were more likely to cite “inflation” as a concern (28% for men vs. 18% for women), whereas women were more likely to consider “the economy going into recession” as a concern (30% for women vs. 26% for men).

Where there’s more divergence between genders is in how people identify their top financial goals. Here’s how the various goals tested by the Shullman research ranked overall:

  • Having enough money for daily living expenses: ~57% cited as a top financial goal
  • Having enough money for unexpected emergency expenses: ~56%
  • Having enough income for retirement: ~46%
  • Reducing my debt: ~41%
  • Improving my standard of living: ~40%
  • Remaining financially independent: ~39%
  • Becoming financially independent: ~33%
  • Keeping up with inflation: ~30%
  • Providing protection for family members if I die: ~29%
  • Purchasing a home: ~19%
  • Providing for my children’s college expenses: ~19%
  • Providing an estate for my spouse and/or children: ~16%

Obviously, some of the goals that rank further down the list are more applicable to certain people at certain stages in their lives — whether they’re just getting started in their career, raising young children and so forth.

But I was struck at how many of these supposed “affluent” respondents cited “having enough money for daily living expenses” as a top financial goal. Wouldn’t more people have already achieved that milestone?

Another interesting finding: With many of the goals, women place more importance on them than do men:

  • 63% of women versus just 50% of men consider “having enough money for daily living expenses” to be a top financial goal.
  • 63% of women versus just 47% of men consider “having enough money for unexpected emergency expenses” a top financial goal.
  • 48% of women versus just 33% of men consider “reducing debt” a top financial goal.
  • 45% of women versus just 34% of men consider “improving their standard of living” a top financial goal.
  • 36% of women versus 30% of men consider “becoming financially independent” a top financial goal.

One explanation for the differences observed between men and women may be the “baseline” from which each group is weighing their financial goals. But since the survey was limited to affluent consumers, one might have expected that the usual demographic characteristics wouldn’t apply.  Perhaps the differences are rooted in other, more fundamental characteristics.

What are your thoughts? Please share them with other readers.

More information and insights from this study can be accessed here (fee-based).