Saturday 24 October 2015

More Action, Less TalkTalk



Another day, another over-sensationalised hack in the media. These are now becoming so common that it’s almost no longer news; just 10 minutes of fame for the victim.

However, the TalkTalk attack might be slightly different. What at first appeared to be just another run-of-the-mill data theft now transpires to have been preceded by ransom demands: Chief Exec Dido Harding had received demands from the hackers before the attack. To put this another way, Harding knew of a possible attack.

To me, this raises two questions:

1) This is not the first TalkTalk breach. So, following previous attacks and despite warnings from security testers about apparent weaknesses, why was their security not strengthened?

2) With an attack likely, why can TalkTalk claim they don’t know whether their data was encrypted?

A persistent hacker will find a way in. Achieving a 100% secure internet-facing network is nigh on impossible. However, applying data encryption is lesson one, day one, in security school. Today there is no excuse for storing data without salted hashing, or for transmitting data without AES-256 encryption as a minimum.

Have we not learned anything from all these preceding attacks? We only need to look back a few weeks to Ashley Madison and their unencrypted data. Instead of CEOs taking the helpless-victim stance, it is time that C-level execs took responsibility for a lack of the proper level of data protection, especially customers' personally identifiable data. Had the hackers stolen major intellectual property rather than just customer data, then Harding might be under more pressure from her board.

When organisations are aware of an impending attack and do not take the most basic measures to secure data, then it is time for business leaders to stand up and face the repercussions of their lack of action. Instead, the true victim is the ever-trusting customer who is now faced with clearing up another corporate mess.

Thursday 1 October 2015

Harvest Time for the IoT?



Freevolt[1] is a new commercial technology capable of harvesting energy from the background Radio Frequency (RF) waves[2], such as the wireless networks (WiFi) and broadcast networks (digital TV, 4G, etc.), that fill our air today.

This is not the first attempt to create “free” energy from the tiny amount of RF energy in the surrounding air, but Drayson Technologies have been the first to do this efficiently enough to provide commercially viable power for low-energy devices, such as IoT endpoints. Not only does Freevolt provide power, but it also frees devices from the network infrastructure necessary to provide a power source. Dean Bubley, founder of Disruptive Analysis, suggests potential impacts this might have on the mobile networks that own the spectrum from which Freevolt would be harvesting, insofar as this "free" energy might actually be needed for communication, or the network operators might start demanding a fee[3].

However, it is doubtful that this type of energy could supply critical infrastructure, where power loss is not an option. As with any network, if a malicious attacker is able to tap into the infrastructure they have the ability to disrupt it. In the case of a power network that is in the air all around us, it might be possible for an attacker to artificially boost the RF waves into providing too much power, thereby overloading the device and taking it down. Alternatively, more powerful devices could harvest all available surrounding RF signals, leaving no energy for the intended devices.

Are we left with a future of drive-by Denial-of-Energy attacks?


[1] http://getfreevolt.com/
[2] http://www.autovolt-magazine.com/drayon-introduces-freevolt-an-end-to-battery-charging/
[3] http://www.bbc.co.uk/news/technology-34401616