Wednesday, September 18, 2013

Cyber Risks: If we don't care, they don't care?

This is a follow-up to my previous posts. The first, Creating Cyber Risks, discusses the pervasiveness of computer-related security risks and our headlong charge in adding to these risks. Later, in Who is Responsible for Internet Security, I discussed the landscape of the various technical areas of potential Cyber weaknesses and who is responsible for keeping things up-to-date.

Almost at the same time, two different articles came to my attention. Microsoft has released a report that tracks the trends of whether home computer users are applying good practice security measures.


There is a disturbing trend in the above graphic, which shows a steep decline in the number of users that are using the basic security capabilities of their computers and networks or keeping their application software up-to-date. If this is the case, what are the odds that they are keeping the more hidden elements current (e.g., device drivers, BIOS, etc.)?

Although this is disturbing, the presumption here is that the updates provided by a vendor actually improve the stability and security of an operating system or application. However, as described in this report, Microsoft Update Quality Issues, this may not be true. These updates are related not just to functionality improvements but also to security improvements. Pushed automatically to millions of machines at a time, these patches can cause virtually immediate new zero-day vulnerabilities that hackers are staged and ready to exploit based on the known vendor patch schedule.

So, we really have two problems, and in each there really is no party other than the user that suffers. If a user does not care to take best-practice measures to secure their systems, then an attack is more likely to be successful in either disabling computers or stealing information. As discussed in Creating Cyber Risks, this could enable a hacker to steal your money as well as enter your home. Problem 1: User is responsible.

The second is that even if we do take care and score a perfect Microsoft Computing Safety Index (MCSI) score, the actual vendor-provided updates can cause vulnerabilities. Problem 2: Vendor takes no responsibility or liability - User is responsible.

So, if we don't care, will the vendors care to put out their best effort for Cyber-related issues? And, if we do care, will marketplace embarrassment and corporate user agitation make the vendors care?

Sunday, September 8, 2013

Who is responsible for Internet privacy and data theft?

We commonly blame the “Internet”.  Typical telecommunications law holds that a communications service provider is not responsible for the content of what is carried over their network.   Even if organized crime, terrorist organizations, or even groups planning an assassination use a conference bridge service, the service providers involved are not held responsible or liable.


However, this apparently does not extend to the providers of content, or to providers that enable the storage of content that is publicly accessible. The simplest example is the storage and distribution of copyrighted material. In these cases, both USA and international laws enable some pretty rapid responses to both shut down the service and prosecute the providers. This also extends right to the home for people that have downloaded copyrighted material, even though they are not acting as a service for others. Other laws, such as HIPAA (Health Insurance Portability and Accountability Act), deal with the use and disclosure of personal health information.

However, there are other elements between the user and their data:
  • Computer hardware (workstation, tablet, smartphone, etc.)
  • Computer operating systems (Windows, iOS, Android, etc.)
  • Computer applications (whether they run on the “client” or in the “Cloud”)
  • and now Computer Identity services (Google, Facebook, etc.)

In general, we have held harmless the manufacturers of hardware, operating systems, and applications. The largest exception, in general, is hardware warranties. We generally expect imperfect software with defects that do not significantly impact our ability to use the software (or that have “work-arounds”). Larger software problems are solved as part of some sort of software maintenance agreement, with periodic patches from the software company.

Even if we assume that our data is safe on our own device or protected in the Cloud, the “larger” problem stems from unauthorized use of your personal property. That is, your computer, smartphone, tablet, or Cloud service is hacked in a manner that makes it appear that legitimate data requests are coming from you. The question is: who is really responsible, and who does or should have a liability?

The general computer case is where the end-user owns the entire stack of hardware and software of the connected endpoints. This can include desktops, laptops, and tablets, and what is necessary to ensure security. Responsible users deploy Anti-Virus, Anti-Malware, Anti-Phishing, and Application-specific Firewalls. Here, the customer is responsible, if they so choose, for keeping their computer up-to-date.

However, even with all that, the computer (or smartphone) user is still vulnerable. So, other than the user, who else could be responsible? Some possibilities are:

  • Internet Service Providers
    • Only responsible for getting bits from the Internet to and from the customer’s computer.  
    • They make no representation of whether the bits represent a security attack or not.  They try hard to deal with certain types of bad sites and traffic, but only at what is considered commercial best practice.
    • They take no liability on the accuracy of the Domain Name System (DNS).
  • Computer Hardware
    • The computer manufacturer, which in general is an integrator of other manufacturers' components, puts standard commercial elements together.
    • These elements may have their own risks, for example interface devices and their closely associated device driver software or even the BIOS firmware.  In general, the computer manufacturer is responsible for making these patches available, with the owner of the computer responsible for the installation.
    • They may bundle an operating system (Windows, iOS, Linux, Android, etc.) which, in general, has a set of risks. The operating system provider is responsible for making patches, and the user is responsible for the installation.
  • Operating System Vendor
    • Much of the focus on vulnerabilities is placed at the doorstep of the Operating System vendor. We are accustomed to “patch Tuesday”, which mostly pushes out security-related updates.
  • Host-based Application Provider
    • Similar to the Operating System, the application owner generally makes security patches available. There are many possible causes for a security-related patch. These include ones that are related to the operating system, how the computer is operated (do all applications run as “root”?), and of course defects in the application itself (these include security-related applications such as Anti-Virus, etc.).
  • Cloud-based Application Provider
    • Services in the “Cloud” are clearly the full responsibility of the service provider. They are responsible for protecting their infrastructure (which they may get from another provider, complicating the situation) and updating their service to address vulnerabilities. Much of the time this is done without any intervention by or notification to the user of these services.

The combination of companies, integration, and the owner or operator of the computer leads to a complexity that has enabled many different vectors for security-related attacks by the proverbial “hacker”. In fact, even if one of the individual companies could be held liable for a security defect, the environment is so complex that it would be very difficult to prove that it was not the owner or operator’s fault. There are some exceptions, where the hardware manufacturer is also the hardware provider and, in the case of Apple, holds significant control over user applications, but this is really not a significant reduction in complexity.

The following table provides an expanded list of the components of a standard desktop, laptop, tablet, or phone and the various technology elements that contribute to security and privacy of a user’s data.

| Element | Example | Issue | Provider Action | Customer Notification | Customer Action | Frequency |
|---|---|---|---|---|---|---|
| Chips | Microprocessor | User mode compromise of protected execution mode | Next chip version | Generally none | None or device replacement | Device breakage or obsolescence time |
| Basic Firmware | Motherboard BIOS | Malicious code insertion | Clean BIOS code download | Generally none. Potentially from a non-industry standard workstation provider application | Attempt re-burn BIOS | Almost never for the life of the device |
| Basic Firmware | Device BIOS (e.g., Graphics Card) | Malicious code insertion | Clean BIOS code download | Generally none. Potentially from a non-industry standard workstation provider application | Attempt re-burn BIOS | Almost never for the life of the device |
| Device Drivers | Operating System device drivers (e.g., display, WiFi, LTE, Bluetooth, printers, etc.) | Malicious code insertion and potential operating system compromise | Device company update or provider update | Generally none. Potentially from a non-industry standard workstation provider application | Search for updates. Generally not automatically initiated. | Very infrequently |
| Operating System | Windows, iOS, Android | Malicious code insertion and potential operating system compromise | Operating System provider | Automatic Updates | Generally none (after selection of automatic installation option) | Very frequently |
| Applications | Authoring tools, browsers | Use application security defects to enable access to user files. If the application is root-level, then compromise of operating system objects | Application Provider | For desktops, some manual and some automatic, generally via a non-industry standard application-specific approach. For tablets and phones, updates are generally provided via a standard process | Generally none (after selection of automatic installation option) | Moderate frequency |

Here are some real examples of vulnerabilities that run from chips to systems:

In this case, there is a chip flaw that could enable non-privileged code to take control of computer: http://www.kb.cert.org/vuls/id/649219

And, another case, more targeted to laptops and smartphones:

An example where a hacker can attempt to download malicious code masked as a legitimate BIOS update: http://www.kb.cert.org/vuls/id/912156

Device drivers also have vulnerabilities that can lead to the hijacking of a user's computer: http://www.kb.cert.org/vuls/id/957036

So, when it comes down to it, who is responsible?  Given the complexity of the total system from chips to Cloud applications, what would be the impact of law or regulations that attempted to hold someone responsible for a user’s data?  It appears that there are so many potential exploits that the root cause analysis and number of cases would more than swamp the legal system to determine fault.

One final observation. User authentication and authorization are now moving to systems that are in a completely different trust domain. The example in the figure uses Facebook to access a cable service provider's customer website. Maybe at one time the worst issue would be that a hacker could get our upcoming (and of course too large) bill. But now, they can have your telephone records, voicemail, and even access to the web-based home security and automation system.

Monday, June 3, 2013

Creating Cyber-Related Risks - We are getting good at it!



There is not a day that goes by that there is not some discussion of Cyber or computer risks. For the largest part, it seems that the discussion is focused on the risk of information being hacked from government and government contractor systems. For example:

However, risks are more than hacking. There are other risks in the use of computers that we are adding on a day-to-day basis. Examples include:
  • Personal information shared both overtly and unknowingly on Social Networking sites such as Twitter, Facebook, Google+, etc.
  • Use of feature-rich business productivity services such as Google Apps for business.
  • Vehicle "telematics" systems such as OnStar.
  • Web accessible home security and energy management systems.
  • The nascent start of autonomous vehicles for consumers
Each of these risks alone is interesting, but taken together they form a comprehensive set of vulnerabilities that means an attack can come from just about anywhere in the world and strike at just about any time.

Let’s take them in order from above:

People are putting a tremendous amount of information into services such as Facebook, LinkedIn, Google+, etc. Much of this is personal information such as birthdays, home locations (current and past), education, contact information, presence and location information. These systems are now starting to include so-called “two-factor” authentication to prevent unauthorized access to a person’s account, which should be a positive step in security. So, what are the risks?
  • This does absolutely nothing to stop the use of the information the user has already and continues to place in the system.
  • It also does not stop criminals who target and “social engineer” the user into “friending”, exposing the personal information to essentially the world.
  • I’m apparently on vacation or at a restaurant or bar, so come rob my house.
  • I placed enough information for the criminal to social engineer their way into other systems the victim may use. It may even be enough information to do a complete “Identity Theft” operation.


Businesses are moving in droves to the “Cloud”. In fact, I am writing this using Google Docs on my corporate Google Apps for Business account. The environment holds our email, calendars, selected documents, and messaging environment. Again, two-factor authentication can be used to secure access to the system, for a user or especially for those that are administrators. Google constantly works to make their service more useful, attractive, and “sticky” to their customers. For example, the Google Now service, fully integrated into our employees’ smartphones (for those that use Android), searches their calendars, knows where they are, tells them when they should leave where they are to get to their next appointment, checks them in for an upcoming airplane flight, and provides information based on other items of interest to the employee. There are several risks again:

  • Unsurprisingly, for a user that is exploiting all the features of Google Apps, a compromised account provides a treasure trove of business and personal information, as well as essentially near-real time information of their location
  • Potential for access, on demand, by government investigators, such as the ominous (in my opinion) demands on Google to provide warrant-less access to customer accounts (see, Judge Tells Google To Give the FBI Customer Data)
  • In fact, it may not be just one account that is compromised, as the controls put into place by the Cloud service providers are apparently not all they need to be (see, BT Moves From Cloud Provider Based on Hacking Vulnerabilities)

The evolution of remote capabilities being embedded in the common car is transforming the relationship between car owners, their cars, and the car manufacturer. No longer is the car just a sale to the customer with the potential of after-sale service; the sale is now one that contains a growing list of services. Enabled by virtually continuous access to 3G and soon 4G wireless, there are services that:
  • Provide vehicle service information back to the manufacturer
  • Provide GPS and Cell Tower information to a services provider for navigation and traffic information
  • Enable a car that is reported stolen to be disabled
  • Enable an owner via a smartphone or tablet to open the car’s doors, start the car, and perform other functions

The risks here are profound. Insider threats, backdoors in the service provider’s systems, and vulnerabilities in smartphone security mean that virtually any car can be stolen, tracked, or disabled remotely. In addition, as with the use of Cloud-based business services, information on a car’s travels may be demanded from the service provider by the government. Combined with your Cloud business information, someone is always able to track where you have been, where you are, and where you are going.

The more recent “oh my goodness” is the use of Internet-based home management systems. These systems, which are now being packaged by Cable and Telecom companies, as well as the traditional home security services, not only control whether a home’s alarm system is active or turned off, but also the heating and cooling system, cameras, and some can even open door locks. With the convenience of a mobile App, with a few swipes or presses you are in control. Of course, so is anyone that is able to take control of your smartphone or your security account, and certainly staff at the service provider's operation centers (which makes me think of where these may be located). Again, like other well-publicized cases, attacks on service providers have yielded access to thousands of user accounts.

A couple of scenarios:
  • You may think it is cool that you can make sure the lights are on in your house and the air conditioning is turned back on to prepare for your arrival from a long vacation, but what you may find is that the doors of the house are open and your valuables gone
  • You may think that you have the privacy of your own home, but what you really have is the government, a robber, a spy on your personal or business life, doing a bit of snooping without your knowledge.
Finally, I end on talking about autonomous cars. Lately, we have been entertained in the news on how far this technology has gone. Just a decade ago, these were lumbering vehicles moving only a few miles-an-hour on a course safely tucked away from the potential to harm anything or anyone. Now, these are moving through cities and highways navigating around work zones and what would appear to be difficult driving situations. In light of the progress, the Federal Government wants States to be a bit apprehensive (see, Caution Urged in Allowing Autonomous Cars).

In this case, it probably does not take a Cyber attack to gum-up the works. With a little ingenuity, paint, signs, and fake barriers, I wonder how hard it would be to fake the car into deciding that the road is under construction and the detour leads directly through my house.  Think of the damage that a "terrorist" could do on the D.C. Capitol Beltway (all without a firearm, fertilizer, or other items normally associated with an "act of terror").

All combined, we are creating a Cyber and Computer risk environment that is all around us. It is not clear how to even begin to deal with the combination of business risk, U.S. Constitutional issues, personal property risks, and national security risks that may become a security whack-a-mole - especially if being directed by a foreign (or domestic) adversary for money or power.

Thursday, January 3, 2013

Bandwidth use increases, revenue not so much...

I have been tracking my home’s bandwidth usage for over the past two years. My original concerns were twofold. First, usage seems to relentlessly increase, and second, many Internet Service Providers (ISPs) had a bandwidth cap of around 50 GBytes per month.

I estimated that the “Bandwidth Bomb” for me would go off sometime in 2013 and it did, with some troughs, but I clearly would have exceeded my ISP’s acceptable use policy of no more than 250 GBytes transferred per month. Comcast’s Website assured me that the cap was generous enough and that only an exceedingly small percentage of users would ever have to worry about the Comcast bandwidth police.

As an amazing coincidence, just as I predicted I would exceed the cap, Comcast changed its policy, stating: “Note: enforcement of the 250GB data consumption threshold is currently suspended”. So, at least for the time being, I can enjoy 2013 without a home bandwidth worry in the world.

So what about the first issue above: how did my home’s traffic change over the past couple of years? First let’s see what changes happened at the Kaplow home. We are now the owners of three iPhones and an Android Pad. When in the home, these connect to my home WiFi network. My own phone, also an Android-based phone, stays happily on Verizon’s wireless LTE network as I still have a grandfathered unlimited bandwidth plan.

The Xbox also got smarter with an upgrade that includes Kinect. The youngest son discovered its use not only as a game console and Netflix player, but also as a party-line (if you know what that is) for a couple of hours every day playing cooperative games (of course after all his homework is done and done well). There were no significant changes to the laptop inventory.

Let’s look at the bandwidth trends at my house. The first set of bars represent the four month average from September through December in each year. The data shows a 77% increase from 2010 and an additional 83% into 2012. So from 2010 to 2012 the last third of the year’s usage increased 325%!


Looking at the total year 2011 and 2012, this represents an average that went from 111 to 182 Gbytes per month, or a 65% increase. If this trend continues, to maintain the same business margins, my ISP has to wring costs from their infrastructure or raise prices. Alternatively, they could find a way to make money on other services. Currently, some of the infrastructure is covered via the bundle of TV and voice services. With streaming content from providers other than the cable company itself, will we see a trend that mimics what the traditional telephone company saw when people turned off their telephone for “naked” DSL Internet service, with people turning off or significantly reducing their TV content?

There are also additional pressures on cable (or even services provided by the traditional local phone service provider) revenues:
  • Verizon is offering home phone service delivered over their mobile network. This takes away one of the “bundle” revenue elements. 
  • Satellite services. This takes away the broadcast channel elements, putting even more pressure on access to on-demand material over the Internet.
  • Wireless providers in general. With the continued build-out of 4G LTE services, there will likely be a growing number of people that just use a wireless provider for their home service. Much of this is just a pricing plan away (within, of course, the limits of the available spectrum, etc.).


So, the potential trend of reduced services revenue combined with increased Internet use means that it is likely that Internet service costs will increase if only to enable cable and other wire provider companies to maintain their revenue - with an unknown hit to margins. On the other hand, they may have to hold the line on pricing, if only to keep their customer base in the face of competition.