Targa Rally Day 3 – It All Comes Down to This

The timer.

It’s known that racing is a dirty sport, full of shadiness. This’d be a good way to do that.

If I was a cheating puke, I’d attack this device, control it remotely to output exactly as I wished. Or cause it to malfunction, or use your imagination.


Prediction – this type of cheating is coming to racing, they’re just not there yet (as evidenced at last summer’s Indy, where I found some terribly-named WiFi networks.)

Blog tag = Predictions



Paired my Phone to a Car for the First Time


Why never

I don’t think Chrysler (or any manufacturer) is going to do anything nefarious with my information, nor will the auto journalists who test this car after me, but…

1 – Your contacts database is one of your most precious files, and ideally, you have a copy on an external drive, that’s been backed up in the last couple weeks (if you say you store all your contacts in Facebook, please leave my blog.) So why be careless about where that file ends up?

2 – I don’t know what information the car copies, then saves, from my phone. Nor do I know that the data is fully deleted when I un-pair the phone. Not-knowing means not-happening.

3 – I’m still undecided if I trust the cloud, and so I don’t use it. And pairing the car means I’ve dipped my toe into the cloud.

4 – pairing usually requires Bluetooth, which I don’t use. I’ve been attacked via Bluetooth before, so I quit using it (that’s why you never see me anymore, in my beloved hands-free headsets)

So why now?

I’m conducting a test for an upcoming ‘Keri on Driving‘ column…

The test is: automakers say we’re now able to fully control our car, without removing our hands from the wheel. Okay then, let’s see.

I set up for success and chose Chrysler because their ‘UConnect’ infotainment system is one of the best available.

How I paired it

I did not pair my own phone, not a chance.

Instead, I got a pre-paid SIM card from TELUS (talk & text only, no data), and put it in the Android they gave me. I saved the contacts I chat most with, and fired it up.

What happened

1 – the car has now saved my entire contacts list, and my call history
2 – the car can now access my text messages, and can send as me

So to word it dramatically - the car now knows all your friends, whom you speak with most, and can text them. This is why you always delete your phone from a rental car, and don’t name your phone your name.

Because a possible attack: return the rental car > next guy gets in > your phone is your name > look up home address for that name > guy now knows where you are not

That’s pretty high-level, and the guy would have to be quite skilled, but still, why chance it.

Let the test begin

Figured out voice command navigation this afternoon, and how to send texts but only using the screen (think I’m doing something wrong there), audio is easy, and not sure if climate controls are even a possibility…

How nice did this photo turn out

When it launched, I reviewed this car for the paper, click here.

Short review – the 200 went from barely competing, to the one to compete against.


Had an Epiphany Yesterday

I write the news for the paper on Tuesdays, and wrote about the most hackable cars.

Autonet – the Most Hackable Cars

I pitch these types of stories constantly, and my editor rolls his eyes, okay most people roll their eyes at me, to which I always say “you’ll see”.

Because securing cars is going to be a huge thing soon, especially with all the internet connectivity coming to cars. Chevy is bringing WiFi to dashboards this summer.

The first time a car is breached and lights the news on fire, remember where you heard it first.

The story was well received by both industries (auto & security), then today an infosec buddy even texted me from across the country that his client just quoted it.

So my epiphany is this – I’m going to narrow in and specialize in this. Make myself really good at it. I’ve already decided I’m auto-for-life, and think I could excel in this vertical.

I already have over a year of history online writing about it, a reputation starting with the manufacturers, it brings my 2 favourite things together (cars and security), and I find it so fun. And bet I can find big cheques down the road in it too.

So I spent way too much time today investigating further, and check out my OBD2 reader courtesy of my neighbour!

Here we go guys… PUMPED.



It’s not IF You are Breached, it’s WHEN

That’s one of the oldest sayings in security, because it’s true.

Thinking you are going to be forever immune is delusional.

Do you not lock your front door? Lock your car when you park it downtown? Take a different walking path at night than during the day? Why would online actions require less diligence and care?

Here’s the mean number of breaches to Canadian companies, over the last 4 years.

Note that none of them are 0.

If you are a small business owner:

You have a responsibility, especially if you are accepting people’s credit card numbers. Because you may be more of a target than you realize… think like an attacker: is it easier to go after 1 large business, that likely has security systems and staff in place? Or 10 smaller businesses, who probably have no clue and are lazy about protecting their assets?

The type of breaches Canadian companies experienced last year.

1 – one careless click, on one stupid link…
2 – how old-fashioned! Never leave your laptop unattended
3 – from the inside…
4 – lock your WiFi network. And change your router password too, how to here
5 – the counter to this attack is listening to your gut. Blog tag = social engineering


This is an excerpt from my interview with Hernan Barros, Director of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

More about that here.



How ‘Security Responsible’ are You?

TELUS has released their 6th annual study of Canadian business security practices.

The report focuses on which best practices businesses have in place, that go beyond just compliance (as in, the bare minimum forced on you by the government.)

Ideally, your business is in the quadrant with the *.

How does your small business compare?  Take this test to find out.

Give yourself a score between 0-7 (0 being terrible, 7 being excellent), then compare how you operate to other Canadian businesses.

Do you…

1 – monitor and/or have rigorous procedures to act on new threat information

2 – understand the security drivers impacting your business

3 – conduct regular security awareness training for employees

4 – involve security early and throughout the development of new infrastructure/systems

5 – communicate social media policies to your employees

6 – have and/or execute on a comprehensive mobile security strategy

7 – conduct enterprise mobility security testing and Threat Risk Assessments (TRA)

Now compare:

The more “security responsible” companies have fewer breaches, retain staff longer, manage risk better, and are better positioned to take new risks (side-note from me: they have better business karma, because accepting a credit card and being careless and lazy about it is terrible.)

And ideally, you have ongoing employee training sessions, because the human is always the weakest link.


This is an excerpt from my interview with Hernan Barros, Director of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

The study is in its 6th year, and TELUS remains the country’s only telecom to proactively study security, and this is the only Canadian study this in-depth on a single country.

How it was conducted: 400+ security professionals were surveyed in the 2nd half of 2013, looking for both qualitative and quantitative data on how companies are executing their security strategies. Respondents were Private 48%, Government 23%, Publicly Traded 20%, and Non-profit 9%.

Blog tag = TELUS Security