Monday, June 3, 2013

Creating Cyber-Related Risks - We are getting good at it!



There is not a day that goes by that there is not some discussion of Cyber or computer risks. For the most part, it seems that the discussion is focused on the risk of information being hacked from government and government contractor systems. For example:

However, risks are more than hacking. There are other risks in the use of computers that we are adding on a day-to-day basis. Examples include:
  • Personal information shared both overtly and unknowingly on Social Networking sites such as Twitter, Facebook, Google+, etc.
  • Use of feature-rich business productivity services such as Google Apps for business.
  • Vehicle "telematics" systems such as OnStar.
  • Web accessible home security and energy management systems.
  • The nascent start of autonomous vehicles for consumers.
Each of these risks alone is interesting, but taken together they form a comprehensive set of vulnerabilities, which means an attack can come from just about anywhere in the world and strike at just about any time.

Let’s take them in order from above:

People are putting a tremendous amount of information into services such as Facebook, LinkedIn, Google+, etc. Much of this is personal information such as birthdays, home locations (current and past), education, contact information, presence and location information. These systems are now starting to include so-called “two-factor” authentication to prevent unauthorized access to a person’s account, which should be a positive step in security. So, what are the risks?
  • This does absolutely nothing to stop the use of the information the user has already and continues to place in the system.
  • It also does not stop criminals who target and “social engineer” the user into “friending”, exposing the personal information to essentially the world.
  • I’m apparently on vacation or at a restaurant or bar, so come rob my house.
  • I placed enough information for the criminal to social engineer their way into other systems the victim may use. It may even be enough information to do a complete “Identity Theft” operation.


Businesses are moving in drive to the “Cloud”. In fact, I am writing this using Google Docs on my corporate Google Apps for Business account. The environment holds our email, calendars, selected documents, and messaging environment. Again, two-factor authentication can be used to secure access to the system, for a user or especially those that are administrators. Google constantly works to make their service more useful, attractive, and “sticky” to their customers. For example, the Google Now service, fully integrated into our employees’ smartphones (for those that use Android), searches their calendars, knows where they are, tells them when they should leave where they are to get to their next appointment, checks them in for an upcoming airplane flight, and provides information based on other items of interest to the employee. There are several risks again:

  • Unsurprisingly, for a user that is exploiting all the features of Google Apps, a compromised account provides a treasure trove of business and personal information, as well as essentially near-real-time information of their location.
  • Potential for access, on demand, by government investigators, such as the ominous (in my opinion) demands on Google to provide warrantless access to customer accounts (see, Judge Tells Google To Give the FBI Customer Data).
  • In fact, more than just one account may be compromised, as the controls put into place by the Cloud service providers are apparently not all they need to be (see, BT Moves From Cloud Provider Based on Hacking Vulnerabilities).

The evolution of remote capabilities being embedded in the common car is transforming the relationship between car owner, their car, and the car manufacturer. No longer is the car just a sale to the customer with the potential of after-sale service; the sale is now one that contains a growing list of services. Enabled by virtually continuous access to 3G and soon 4G wireless, there are services that:
  • Provide vehicle service information back to the manufacturer
  • Provide GPS and Cell Tower information to a service provider for navigation and traffic information
  • Enable a car that is reported stolen to be disabled
  • Enable an owner via a smartphone or tablet to open the car’s doors, start the car, and other functions
The risks here are profound. Insider threats, backdoors in the service provider’s systems, and vulnerabilities in smartphone security mean that virtually any car can be stolen, tracked, or disabled remotely. In addition, as with the use of Cloud-based business services, information on a car’s travels may be demanded from the service provider by the government. Combined with your Cloud business information, someone is always able to track where you have been, where you are, and where you are going.

The more recent “oh my goodness” is the use of Internet-based home management systems. These systems, which are now being packaged by Cable and Telecom companies, as well as the traditional home security services, not only control whether a home’s alarm system is active or turned off, but also the heating and cooling system, cameras, and some can even open door locks. With the convenience of a mobile App, with a few swipes or presses you are in control. Of course, so is anyone that is able to take control of your smartphone, your security account, and certainly staff at the service providers’ operation centers (which makes me think of where these may be located). Again, like other well-publicized cases, attacks on service providers have yielded access to thousands of user accounts.

A couple of scenarios:
  • You may think it is cool that you can make sure the lights are on in your house and the air conditioning is turned back on to prepare for your arrival from a long vacation, but what you may find is that the doors of the house are open and your valuables gone.
  • You may think that you have the privacy of your own home, but what you really have is the government, a robber, or a spy on your personal or business life, doing a bit of snooping without your knowledge.

Finally, I end by talking about autonomous cars. Lately, we have been entertained in the news on how far this technology has gone. Just a decade ago, these were lumbering vehicles moving only a few miles an hour on a course safely tucked away from the potential to harm anything or anyone. Now, these are moving through cities and highways navigating around work zones and what would appear to be difficult driving situations. In light of the progress, the Federal Government wants States to be a bit apprehensive (see, Caution Urged in Allowing Autonomous Cars).

In this case, it probably does not take a Cyber attack to gum up the works. With a little ingenuity, paint, signs, and fake barriers, I wonder how hard it would be to fake the car into deciding that the road is under construction and the detour leads directly through my house. Think of the damage that a "terrorist" could do on the D.C. Capitol Beltway (all without a firearm, fertilizer, or other items normally associated with an "act of terror").

All combined, we are creating a Cyber and Computer risk environment that is all around us. It is not clear how to even begin to deal with the combination of business risk, U.S. Constitutional issues, personal property risks, and national security risks that may become a security whack-a-mole, especially if being directed by a foreign (or domestic) adversary for money or power.

1 comment:

Anonymous said...

Well done sir! - JM