Had an Epiphany Yesterday

I write the news for the paper on Tuesdays, and wrote about the most hackable cars.

Autonet – the Most Hackable Cars

I pitch these type of stories constantly, and my editor rolls his eyes, okay most people roll their eyes at me, to which I always say “you’ll see”.

Because securing cars is going to be a huge thing soon, especially with all the internet connectivity coming to cars. Chevy is bringing WiFi to dashboards this summer.

The first time a car is breached and lights the news on fire, remember where you heard it first.

The story was well received by both industries (auto & security), then today a infosec buddy even texted me from across the country that his client just quoted it.

So my epiphany is this – I’m going to narrow in and specialize in this. Make myself really good at it. I’ve already decided I’m auto-for-life, and think I could excel in this vertical.

I already have over a year of history online writing about it, a reputation starting with the manufacturers, it brings my 2 favourite things together (cars and security), and I find it so fun. And bet I can find big cheques down the road in it too.

So I spent way too much time today investigating further, and check out my OBD2 reader courtesy of my neighbour!

Here we go guys… PUMPED.

20140806-214644-78404224.jpg

20140806-214643-78403016.jpg

It’s not IF You are Breached, it’s WHEN

That’s one of the oldest saying in security, because it’s true.

Thinking you are going to be forever immune is delusional.

Do you not lock your front door? Lock your car when you park it downtown? Take a different walking path at night than during the day? Why would online actions require less diligence and care?

Here’s the mean number of breaches to Canadian companies, over the last 4 years.

Note that none of them are 0.

If you are a small business owner:

You have a responsibility, especially if you are accepting people’s credit card numbers. Because you may be more of a target than you realize… think like an attacker: is it easier to go after 1 large business, that likely has security systems and staff in place? Or 10 smaller businesses, who probably have no clue and are lazy about protecting their assets?

The type of breaches Canadian companies experienced last year.

1 – one careless click, on one stupid link…
2 – how old-fashioned! Never leave your laptop unattended
3 – from the inside…
4 – lock your WiFi network. And change your router password too, how to here
5 – the counter to this attack is listening to your gut. Blog tag = social engineering

***

This is an excerpt from my interview with Hernan Barros, Directory of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

More about that here.

 

 

How ‘Security Responsible’ are You?

TELUS has released their 6th annual study of Canadian business security practices.

The report focuses on which best practices businesses have in place, that go beyond just compliance (as in, the bare minimum forced on you by the government.)

Ideally, your business is in the quadrant with the *.

How does your small business compare?  Take this test to find out.

Give yourself a score between 0-7 (0 being terrible, 7 being excellent), then compare how you operate to other Canadian businesses.

Do you…

1 – monitor and/or have rigorous procedures to act on new threat information

2 – understand the security drivers impacting your business

3 – conduct regular security awareness training for employees

4 – involve security early and throughout the development of new infrastructure/systems

5 – communicate social media policies to their employees

6 – have and/or execute on a comprehensive mobile security strategy

7 – conduct enterprise mobility security testing and Threat Risk Assessments (TRA)

Now compare:

The more “security responsible” companies have: less breaches, retain staff longer, better managed risk, and are positioned better to take new risks (side-note from me: they have better business karma, because accepting a credit card and being careless and lazy about it is terrible.)

And ideally, you have ongoing employee training sessions, because the human is always the weakest link.

Note:

This is an excerpt from my interview with Hernan Barros, Directory of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

The study is in its 6th year, and TELUS remains the country’s only telecom to proactively study security, and this is the only Canadian study this in-depth on a single country.

How it was conducted: 400+ security professionals were surveyed in the 2nd half of 2013, looking for both qualitative and quantitative data on how companies are executing their security strategies. Respondants were Private 48%, Government 23%, Publicly Traded 20%, and Non-profit 9%.

Blog tag = TELUS Security

 

 

Questions to Think about Autonomous Cars

When it comes to auntomous cars, I’d like to see these topics discussed more often, especially the algorithm one below.

Questions to ponder:

  • will parking spots become extinct?
  • what about securing something that is more computer than car? Protect the privacy of the vehicle’s whereabouts… or the car’s software from attack, because think that nightmare through.
  • will map-range anxiety replace spontaneous exploration and adventure?

Read it online at Autonet.

Favourite line:

Go get lost this coming weekend, while you still can.

***

I had a paragraph in there, about the ethics of programming the crash-avoidance algorithm, but it got cut.

What I said:

In an imminent crash involving two vehicles, what are the ethics behind the crash-avoidance algorithm? Aim for the larger object? Now all SUV drivers feel targeted, because they are, so will their insurance increase then? What if it’s programmed to hit the car best known for safety? Volvo owners won’t be happy about that.

***

Above Photo

That’s an Audi TTS.

Google gets a lot of press about their autonomous car, but back in 2010 Audi sent the roadster up a 14,000 foot mountain, “Pikes Peak”.

It was even able to register negative obstacles, as in, stuff that wasn’t there, like a cliff without a guard-rail.

Back to ‘Keri on Driving’ – Index

 

 

How to Clean up a Compromise

Just lifted my head. It took 3 locations, 50 km and 6 hours of laser-beam focus.

It was bad this time, really bad. Remember this from the other day? That’s me showing you barely the surface.

If you ever have to do this:

Being prepared is the key. Regular backups, and an organized file structure. Then, wipe both your computer and phone simultaneously. Otherwise, one could re-infect the other, making the entire exercise pointless.

The clean-up kicked off here.

I used to use TrueCrypt to encrypt my password manager file, but since the last cleanup a couple months ago, TrueCrypt is no longer, so I had to scramble just to get my manager open, and get at my passwords to change them. It’s always something (and this is why I’ll never endorse a security product).

Then the operation moved to here.

Change my passwords one after another, because once you start, you can’t stop. Bet I didn’t blink for 80 minutes, and I was seeing spots by the end.

80. Minutes.

And I’m very prepared for this, and very fast, seasoned.

Point is: you couldn’t do it this quickly, you couldn’t rebuild in 6 hours.

And that makes me nervous for you when this happens to you. Start to think, and operate, and organize, like you will have to one day. Because any security professional will tell you: it’s not if you get compromised, it’s when. Unlikely it’ll be this extreme and targeted, but one stupid click, on one bad link….

Because remember, cleaning up a compromise happens while under duress… palms sweaty, a scattered mind, gripping fear that my attacker will figure out what I’m doing half-way through, and take control of the accounts I haven’t yet changed. My password manager was altered a few weeks ago, it’s possible. Seems I attract the very best. L33t. I’ve wondered for a while if I’m getting air-gapped.

Scared eyes. Hand over mouth when focused, always.

One of my worst breaches…

March 2013. It was timed to happen while I was on my first international car launch with the newspaper, an already stressful situation. Just as I was about to walk out the door to dinner with the auto manufacturer, both my Twitter and Facebook accounts were compromised, both published updates not from me.

And what could I do?

I figured okay, clearly the attacker has the ability to delete everything I own, but they didn’t, so swallow the fear and go sit calmly at dinner and pretend nothing’s wrong, eat it (and certainly don’t talk about it, because if you want to clear out a room, talk about being stalked online.)

The next morning the attack continued with a phone call, as I was readying to board the plane home, informing me my cel number had been published… to my own blog.

Yup.

Back to today – crucial stuff is now locked down, my email works again.  See, I’d known I’d been compromised for weeks, but having been at this for so many years I tried something new: I gave up. Fine, you’re so curious well come on in, see what I’m up to… I’m pretty boring eh, I work too much and have no friends. But then my boss couldn’t email me anymore, and now it affects the paper and not just me, so wipe and reset.

I lift my head up, breathe, look around the food court, and all these sounds and voices start to filter in that I’ve been completely tuning out. A table of old men are looking at me bug-eyed, give ’em a wink, and drive home.

To rebuild.

Backup, transfer to other computer, download and re-install my programs, rebuild my phone, everything has to be finished tonight. Memorize a couple more 30-character long passwords. It’s a bit all-for-not though, really, because one ‘ole SQL injection into my search bar…

Because I have deadlines tomorrow for the newspaper, and what do you say, “sorry! Someone’s inside my computer guys, so there’s going to be a few holes in the auto section next week.”

I’ve done this so many times I’ve lost count, 20 anyway. It’s sad I’m this good at it, really.

Of course I have a few suspicions where this started

… obviously ex-boys, and a couple other theories, which in trying to escape from, would make me appear like an anomaly to the watchers, who clearly can’t identify a false positive… ‘independent loner who, when they speak, people listen’ is enough to get your name added to a list…

If I was at all shady, or screwing around hacking people, I wouldn’t breathe a word of this, because I’d have earned this. But I never, ever have. You think I want that karma?

Targeting me is like picking on the kid at recess who’s wearing a helmet. I’ve said the same thing since the beginning – am I better at security than the average person on the street? Yes. Compared to anyone in the industry? Nope, I’m a baby, barely a script kiddie. I blog security stuff for the housewives and average user, opposite of bleeding edge. So like, really?

Imagine living like this everyday, everything you’ve built, your life, under constant attack.

Is this really an email from a reader of my column, or a trick? Why does this Twitter account look created just to speak to me? As if that 1-follower Instagram account just liked a photo from 18 months ago. Oh, my physical address has been changed on all my domains. Can’t get into my cel account online, again. In 2010, 5 months of my calendar were deleted. Notice I stopped using Bluetooth headsets? What is it about Bluetooth? That the range is 30 feet… The military should be studying me, to see how I’m able to eat this much PTSD and still function normally. If I told you how often this bleeds into real life, you’d have nightmares too.

It’s completely out-of-hand, this obsession with me. Someone wakes up everyday, for years, opens a file with my name on it, and dedicates time and energy to messing with my life, and mind.

This stuff is so draining. So I’m taking Friday off here, talk to you Monday.

Back your stuff up this weekend, get a password manager, and change your passwords.

Here’s what mine look like:   H}aU]’&cM$B=>Q(lI!3[d?2Ri