Tag Archives: hacking

The Risk and Security of Connected Healthcare Devices

A recent Forrester Research report highlighted the security risks of connected healthcare devices and some of the implications of lax policies of manufacturers and care providers. This brings to mind for me all kinds of doomsday scenarios, so I want to highlight some of the best practices in the report. These apply to the healthcare industry and other businesses.

Internet of Things

Part of the allure of the internet of things (IoT) is that many devices can be connected, including medical devices. In a recent article, author Yash Mehta highlighted some connected and potentially connected devices. On the list are monitoring devices which allow patients to be at home instead of a hospital. He also mentions companies that are developing edible IoT “smart” pills that will help monitor health issues and medication. This is an area where I would want the tightest security.

Steps for Security Planning

Start from the inside when thinking about security. Is everyone in your organization following best practices? Are you requiring passwords be changed regularly? Is everyone following this requirement or have they developed a workaround? Are there any shared accounts with a shared password? One of the biggest security holes has to do with social engineering. A hacker will pretend to be someone trustworthy to secure passwords or entrance into secure systems, then launch a widespread attack. Make sure everyone in your organization is educated and prepared for such an attempt.

Verify that the new devices have security built in from the manufacturer. This applies to health care IoT and other connected devices. It is hard to build security with no foundation. Push manufacturers to install a minimum level of threat protection in every device.

It is necessary to separate device information from actual customer details. In the case of health care, that means storing data collected from the connected device in a separate data structure from the patient data. In a retail establishment this means storing credit card information away from personally identifiable information such as customer name and address. The two can be linked via a separate ID, but it should be difficult for a hacker to connect the two sources of information.
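One way to implement the separation described above, as an added example that is not part of the original post: device readings are kept in a store keyed by an opaque token, patient identity is kept in a second store, and only a linkage service holding a secret key can compute the token that joins them. The two in-memory dicts, the sample patient and reading, and the `LinkageService` name are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for the example; not real patients or devices.
PATIENTS = {"P-1001": {"name": "Ada Example", "address": "1 Sample St"}}
READINGS = [("P-1001", {"device": "glucose-monitor", "mg_dl": 104})]


class LinkageService:
    """Sole holder of the secret that ties a patient id to a device token.

    The token is HMAC-SHA256(patient_id) under this key. The device store
    can be keyed by token without holding any identity, and someone who
    obtains the device store alone cannot turn tokens back into patient ids,
    nor compute a token from a patient id without the key.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def token_for(self, patient_id: str) -> str:
        return hmac.new(self._key, patient_id.encode(), hashlib.sha256).hexdigest()


def build_stores(linkage: LinkageService):
    """Return (patient_store, device_store) populated from the sample data."""
    patient_store = dict(PATIENTS)  # identity only, keyed by patient id
    device_store = {}               # readings only, keyed by linkage token
    for patient_id, reading in READINGS:
        token = linkage.token_for(patient_id)
        device_store.setdefault(token, []).append(reading)
    return patient_store, device_store


def readings_for(linkage: LinkageService, device_store, patient_id: str):
    """Join across the two stores; succeeds only with the linkage key."""
    return device_store.get(linkage.token_for(patient_id), [])


def identity_leaks(patient_store, device_store) -> bool:
    """True if any patient id or PII value appears anywhere in the device store."""
    identifying = set(patient_store)
    for record in patient_store.values():
        identifying.update(record.values())
    for token, readings in device_store.items():
        if token in identifying:
            return True
        for reading in readings:
            if any(isinstance(v, str) and v in identifying for v in reading.values()):
                return True
    return False
```

A linkage service built with a different key yields a different token, so a copy of the device store without the key returns no readings for any patient id.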

Thoughts

It is exciting to think of all of the possibilities with IoT devices but it is sobering to contemplate the security risks. All of us must consider and mitigate the risks, either as consumers or as part of an IT team building the tightest security possible. IoT devices are coming. Are you ready?

About Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Rule 41 and Digital Privacy Rights

Proposed changes to Rule 41 of the Federal Rules of Criminal Procedure would allow a judge to authorize a search and seizure outside of their jurisdiction. For example, a Massachusetts judge could authorize a search in Alaska or even in a foreign country. This would mainly apply to government electronic hacking efforts into computers and computer networks. The changes have been approved by the Supreme Court and will go into effect on December 1 unless challenged by Congress.

I believe this is a slippery slope that threatens the Fourth Amendment protections against unreasonable searches and seizures. What are the implications of this possible erosion of privacy on our own computers and networks?

The Fourth Amendment

The Fourth Amendment was added as part of the Bill of Rights in 1791 and deals with the search of homes and private property without a properly executed search warrant. It stems from the almost unlimited powers granted to British tax collectors to search homes and property for contraband that wasn’t being returned to King George in the form of taxes. Those who drafted the Fourth Amendment could not foresee 21st-century technologies and interconnected systems. At issue now is whether a warrant can be issued remotely and whether one warrant can be issued for hundreds or even thousands of systems through surveillance and hacking.

No Expectation of Privacy

Senior U.S. District Judge Henry Coke Morgan Jr. recently ruled, “people should have no expectation of privacy on their home PCs because no connected computer ‘is immune from invasion.’” This is a ruling associated with a case of government takeover and surveillance of a site on the dark web for the purpose of collecting networking information of visitors. One warrant was issued for many searches, including those outside of the United States. The judge in this case argued that even that one warrant was not necessary because the defendants were engaged in illegal activity and took measures to hide those activities behind the anonymity of the dark web.

Digital Rights

Advocates such as the Electronic Frontier Foundation are challenging this ruling and filed an amicus brief in this case, but to no avail. My main question is how much privacy should we expect on our personal systems and in our transactions on the web? This case maintains that because there are so many hacking attempts we should have no expectation of privacy, even from our government. This seems like a spurious argument at best. I have written before about the notion of geographical boundaries and how those boundaries are disappearing as we engage in more electronic transactions. This case and the proposed changes to Rule 41 only accelerate the dissolution of boundaries.

Thoughts

My aim is to make you aware of the activities and rulings that could affect your right to privacy, particularly digital privacy. Is there cause for concern? Let me know your thoughts.


Careers in Technology: Threat Intelligence

I recently came across an interesting New York Times article highlighting the field of threat intelligence. Gartner expects the market for this security service to reach $1 billion next year, up from $255 million in 2013. Surely there must be job opportunities for the person with the right preparation, education, and credentials. I did more research into this technology career and came up with some interesting prospects.

Making Lemonade out of Lemons

In the article, the author cited a case of a family welding shop in Wisconsin that ran a small server for tracking orders, billings and suppliers. Their server was hacked, and they were totally unaware until a Silicon Valley security firm contacted them. The firm noticed that it had become a proxy to get to other vulnerable servers, some from very large companies. The security firm left the server in place but now closely monitors the traffic going in and out of it and can preemptively warn clients when they have been breached or are about to be compromised. Threat intelligence is really about being proactive, as opposed to reactive, and monitoring security issues or paying others to monitor them for you.

Education

For education in this field, it is best to pursue the Certified Information Systems Security Professional (CISSP) designation. This training is available through self-study, on-site, or online training, which prepares you for the mandatory tests. There is even a “CISSP For Dummies” book, but I am not sure I would trust my network to someone who chose that route to learn the business.

In addition to the CISSP, there are specialized courses in threat intelligence to augment the CISSP training and certification. These courses take you beyond basic intrusion detection and teach you how to battle persistent threats and how to programmatically counter these threats.

Jobs

There are jobs available in private industry for security firms that do threat intelligence and sell that information to clients. Many major corporations want to build in-house expertise in this area in order to fend off hackers and protect proprietary information. There are also government jobs available from agencies trying to get the upper hand on security threats. This expertise might have prevented the breach of the Democratic National Committee that I mentioned in last week’s blog.

Thoughts

Network and system security is becoming more critical as some of our most valuable assets are the data we store about customers, new products, proprietary processes, and partner agreements. It is essential for firms and agencies to do all they can to protect that data. That means now moving from a reactive approach to the proactive and systematic method offered by the new field of threat intelligence.


A Hat of a Different Color

It used to be that computer hackers came in two shades, black hat and white hat. Black hat refers to the nefarious hacker illegally trying to exploit network and computer security holes for gain or simple malice. White hat refers to hackers trying to highlight security lapses in order to warn others and work to patch vulnerabilities. With the recent hack of Ashley Madison, it appears that there is a third type of hacker trying to right moral or political wrongs instead of or in addition to potential economic gain.

History

In the early days of hacking I read about the exploits of Kevin Mitnick. As a teenager, he hacked into the networks and systems of technology and telecommunications companies and spent over five years in prison on two different occasions after being sentenced on federal wire fraud charges. Much of his success he attributes to social engineering, or the ability to charm passwords out of unsuspecting people. Now he is an information security consultant. He is a case of a black hat turned into a white hat.

I also enjoyed the 1989 book “The Cuckoo’s Egg,” by astrophysicist Clifford Stoll, which relates the tale of tracking a hacker who broke into Lawrence Berkeley National Laboratory and used it as a jumping off point to burrow into military and defense systems. The hacker was eventually caught, with Stoll’s help, and it was discovered that he was selling stolen information to the KGB.

Computer hacking has existed since computers were connected together in a network and people sought vulnerabilities in the technology. As computer code becomes ever more complicated, it raises the possibility of errors that can and will be exploited by either the black hats for monetary gain or malice or the white hats trying to highlight the vulnerability.

Ashley Madison

The Ashley Madison hack seems at first blush to be a hack of a different color. AshleyMadison.com is a website that matches people seeking adulterous affairs. Hackers identifying themselves as The Impact Team took over the site and announced they had stolen identity information of 33 million subscribers and threatened to publish that information unless the parent company, Avid Life Media (ALM), agreed to shut down the site. It appears the hackers were angry over the content and purpose of the site but in their manifesto they also blasted the practice of ALM charging $19 to have a profile removed from the site. To prove that a profile was not completely removed from databases, they released the names of two members who had paid to be eliminated from the site.

Whether the hackers were incensed with the moral foundation of the site or the economic injustice against members, this seems to be a different type of exploit. The Impact Team could still demand ransom for the stolen information, in which case I would put them squarely in the black hat camp, or they could use this hack as a platform for their cause, whatever that may be. Either way, this will no doubt be a topic of conversation at the upcoming information security conference sponsored by the likes of Microsoft and Cisco, which is oddly named the Black Hat Conference.

Thoughts

What do you think? While hacks of this type are still clearly illegal, their aim seems to be to prove a point instead of seeking monetary gain or notoriety. I wonder what’s next? Other dating websites? Perhaps gambling sites? Let me know your thoughts.


Hacktivism: Is it a Forgivable Crime?

A hacktivist is defined as one who breaks into a computer or network for political or social motives. The more I read about hacktivists, the more I wonder whether they are hackers cloaked in the ideals of activism, or activists borrowing a page from the hacker playbook to further their cause. In this post, I will highlight a few recent incidents of hacktivism and let you decide.

Sony Hack

The Sony hack tops the list, both for its recency and its impact. A group of hackers called The Guardians of Peace broke into Sony’s internal computers and released sensitive documents and e-mail exchanges, some of which involved Sony partners. Five movies were released to download sites, four of which had not yet been released in theaters. They blocked the release of the movie The Interview by threatening to bomb theaters that showed the film. The Interview is a comedy about a plot to assassinate North Korean dictator Kim Jong-un. Ironically, or maybe not, as of this writing the FBI is claiming the hack originated from North Korea. Was this an attempt to expose Sony’s inadequate defenses, a case of defending a country’s honor from a fictitious film, or was it plain and simple malice? Whatever the motives, The Guardians of Peace crossed the line from hacktivism to terrorism when they threatened to bomb theaters.

Africa

The hacktivist group Anonymous Africa attacked and closed down fifty websites during the 2013 Zimbabwean election, including those associated with the ruling Zanu PF party and those of the newspaper The Herald. The group claimed President Robert Mugabe’s regime dominated the Internet and airwaves and did not allow access to the opposing party. Was their attack successful? Ninety-year-old Mugabe is still in power, but the oppression in Zimbabwe was exposed, if only briefly.

Arab Spring

The Arab Spring was sparked in January 2011 by an uprising against the ruling party in Tunisia. The hacktivist group Anonymous stole Tunisian government documents and funneled them to the website Wikileaks, which published them. The documents showed a pattern of abuse by the government against the citizens. In Egypt, when citizens tried to expose government oppression and the government responded by trying to shut down the Internet, various hacktivists provided alternative methods for citizens to expose the actions taking place in their country. In these instances hacktivism was a weapon, just like bombs or guns, and hacktivists tried to win the hearts of the people and expose activities deemed to be unfair and oppressive. The same method is being used in Syria today.

Thoughts

So is hacktivism good or bad? That depends. There are definitely economic losses in politically motivated hacks, so it is not a zero-sum activity. There can be embarrassment and expense for those who are hacked. I think that these hacks may have started out with reasonable and objective motives, but more often than not they cross the line into cyber-terrorism. I believe that there are better ways to further a cause than breaking into electronic files and exposing them, preventing them from being seen, or outright stealing them.

Hacktivism is criminal, but is it justified? Let me know what you think.

About Kelly Brown

Kelly Brown is an IT professional, adjunct faculty for the University of Oregon, and academic director of the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

How Safe is the Cloud?

A lot of attention lately has been paid to the security of the cloud, particularly Apple’s iCloud service. There have been recent high profile celebrity hacks resulting in the sharing of photos that were thought to be private. The question I have been reading in the last couple of weeks, even in my local newspaper, is this: Is the cloud safe? The answer, maddeningly, is yes and no. This blog post will cover the definition of the cloud and how you can make the answer to that question “yes.”

Defining the Cloud

The cloud is really just a term for offsite storage. It is a convenient place to store files, whether they are photos, contact lists, or e-mails, so that you can access them from multiple devices in multiple locations. Say, for example, you take a picture from your smartphone and wish to view those same pictures from your tablet or your laptop or share them with friends. Rather than carrying those pictures around on a hard drive to view them on different devices or show friends, those pictures are stored in a common place, in the cloud storage. The cloud goes by different names such as iCloud, Google Drive, Google+, and Microsoft OneDrive. It also goes by names such as Pinterest, Tumblr, Facebook, and Twitter. Basically it is a common place to store, retrieve, and manipulate your files. The question then becomes: What if you want to take a picture but NOT store it in the cloud?

It’s All in the Sync

The key is to understand when your device is synchronizing with the cloud or with another device. In Android, for example, there is a Google Drive app that is an interface to help you download and sync files between your Android device and the cloud. You can also swap files between Android and your Google+ account or between Android and your Dropbox or Box account using a simple app.

Developers have done their best to make these apps intuitive and user friendly, but they have also masked the complexity of moving files back and forth to the cloud or to another device. As a result, some smartphone users just push the “sync all” button, which duplicates all files to the cloud. This is great for backup, but it also means that your files are now in a less secure area than just your phone. As recent events show, there are still some vulnerabilities in the cloud, and occasionally a cloud service is breached and personal data is compromised. One answer to this is to employ an application such as Encdroid for the Android OS, which encrypts your files and makes them more difficult to hack. Another solution is to understand where your files are and how they are getting there.

Thoughts

My challenge to you this week is to review your files and take an inventory of where you are storing everything. You may have signed up for a Google+ account and forgotten about it. When you get that new Android phone, however, you can bet the good folks at Google have a record of that account and would be happy to send all of your files to be backed up there. Be a savvy technology user and make sure you understand whether you are vulnerable and in what areas. In the end, that knowledge will make you and your data safer.
