Management

The all-enveloping category already known as the Internet of Things is fast being labelled one of the fastest-growing threats to emerge on our communal radar: a disorganised chaos of assets that are hard to own and manage, presenting potentially the biggest and most arduous-to-secure threat fabric ever seen in information technology.

Come with me on a trip as we turn the hands of time back to 1934 and visualise a classification system still in use today, based on decisions made over eighty years ago when technology and communications were in their infancy. Let's explore why failing to act in the near future will destroy the promise of IoT before it has a chance to get started.

Attacks such as those on OVH, Brian Krebs and now Dyn DNS are only the start. Without standardisation, without collaboration and concerted effort, we may be judged in years to come as having squandered the opportunity to deliver flexible, safe computing for the next generation.

In the 1920s and 1930s communications firms, telegraph companies and emerging radio broadcasters around the world were all finding their feet. The existing legislation on commerce, dating back to the late 1880s in the form of the ICC (the Interstate Commerce Commission), was originally conceived to restrain the ambitions of companies across America seeking to monopolise the railways, and to regulate their running and operation.

By the 1930s the ICC did not scale to take account of a technological revolution that, even in its embryonic state, showed the promise of making the world smaller overnight. The Post Office with its telegraph rights, the ICC and the Federal Radio Commission were all rolled into one body that would become known as the FCC: in 1934 the Federal Communications Commission was born. North America suddenly had an all-encompassing standards body, which would blaze a trail for countries all over the world to emulate.

Turn over any piece of computer equipment sold in the US or built for export (so, in practice, globally) and you will see an FCC rating; eighty-two years after its inception, the FCC remains the standards body responsible for standards implementation within its public safety and enforcement role.

Since then we've seen other standards bodies and marks: CE from the European Commission, signifying its "New Approach" methodology for device manufacture and testing; UL, Underwriters Laboratories; the EMC standards for electromagnetic devices; and the EN standards around electrical manufacture and quality assurance. Other countries such as Australia and Canada have their own systems too. The FCC has stood the test of time for everything from radio broadcast and spectrum management to the emergence of telecommunications standards. When it comes to the Internet of Things, however, its legs fall off.

The majority of the devices that make up the bulk of the global IoT estate are cheaply manufactured: mass-produced, dime-a-dozen, fast-to-market appliances, many of them cloned or copied imitations of more expensive products. Many run a commodity, small-footprint OS that may once have been based on Linux and open source components but has been sufficiently bastardised and forked into an unsupportable image to fit the commodity hardware or storage footprint allowed for device operation.

Many of these devices are not connected to always-on networks and have no mechanism to auto-update (where the supplier provides that capability at all). Many ship with default passwords that users then fail to change. Many that are connected to IPv4 networks have never received updates, or the updates do not address the serious underlying security weaknesses in the versions of SSH, or in the promiscuous daemons and services, running on them. We have seen the consequences of these core issues over the last month: first the attack on the Akamai-hosted site that took Brian Krebs offline, then round two hitting OVH, Freenode and others, and then last Friday, when Dyn DNS was all but taken offline in the latest iteration of this now almost predictable rush to launch DDoS attacks, with a huge impact across the Internet.

Nowhere is there an applicable standards body or international body that polices devices prior to shipping or at the point of manufacture to ensure device hardening. Failures to prove out security concepts and issues with the developer or manufacturer are ever present. If this concerned the manufacture of vehicle airbags or child seats, the issue would be addressed in full.

What we have are companies rushing to get devices to market for consumers. Google with its acquired Nest and Home products, and Amazon with Echo, are probably at the higher end of the marketplace and appreciate that their users are often not conversant with securing anything they buy. Devices from manufacturers such as Eurotech, Evrythng and others certainly embrace PKI and TLS and have got authentication right at the point of design and provisioning. We aren't addressing those, but the plethora of companies from China to Malaysia, from Hungary to Thailand, shipping devices with dated, insecure OS platforms. Security on these devices is almost always given less thought than the packaging they ship in or the plastics used in manufacture: aged versions of BusyBox, twelve-year-old SSH vulnerabilities and services turned on that should never be listening.
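The weaknesses listed above (unchanged default credentials, no update path, stale firmware, ancient SSH builds and daemons that should not be listening) are exactly the things a fleet owner can check for before a device is allowed onto a network. The following Python audit is an added example, not code from the original post or from any vendor named in it: it evaluates a constructed device inventory against a hypothetical hardening policy. The device records, the minimum SSH versions in MIN_SSH and the forbidden-port list are all assumptions chosen for illustration; a real deployment would feed records from its own asset database and set its own baseline.

```python
"""Hypothetical IoT fleet hardening audit (added example, not from the post).

Evaluates an inventory of deployed devices against the weaknesses described
above: unchanged default passwords, no update path, stale firmware, old SSH
builds and daemons that should not be listening. All records and thresholds
are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy: minimum SSH server versions this audit accepts.
# These are illustrative thresholds, not values from the post.
MIN_SSH = {"openssh": (7, 0), "dropbear": (2016, 0)}

# Assumed policy: ports that should never be reachable on a consumer device.
FORBIDDEN_SERVICES = {23: "telnet", 21: "ftp", 1900: "upnp-ssdp", 7547: "tr-069"}


@dataclass
class Device:
    device_id: str
    vendor: str
    default_password_changed: bool
    auto_update: bool
    last_patch_year: Optional[int]
    ssh_banner: Optional[str]
    listening_ports: List[int] = field(default_factory=list)


# Matches e.g. "SSH-2.0-OpenSSH_7.2" or "SSH-2.0-dropbear_2012.55".
_BANNER_RE = re.compile(r"(OpenSSH|dropbear)[_ ]?(\d+)\.(\d+)", re.IGNORECASE)


def parse_ssh_version(banner: Optional[str]) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (implementation, (major, minor)) from an SSH banner, or None."""
    m = _BANNER_RE.search(banner or "")
    if not m:
        return None
    return m.group(1).lower(), (int(m.group(2)), int(m.group(3)))


def audit_device(dev: Device, current_year: int = 2016) -> List[str]:
    """Return the list of policy findings for one device (empty means clean)."""
    findings = []
    if not dev.default_password_changed:
        findings.append("default-credentials")
    if not dev.auto_update:
        findings.append("no-update-path")
    # Firmware is "stale" if never patched or last patched more than two years ago.
    if dev.last_patch_year is None or current_year - dev.last_patch_year > 2:
        findings.append("stale-firmware")
    parsed = parse_ssh_version(dev.ssh_banner)
    if parsed:
        impl, ver = parsed
        if impl in MIN_SSH and ver < MIN_SSH[impl]:
            findings.append(f"outdated-ssh:{impl}-{ver[0]}.{ver[1]}")
    for port in dev.listening_ports:
        if port in FORBIDDEN_SERVICES:
            findings.append(f"exposed-service:{FORBIDDEN_SERVICES[port]}")
    return findings


def audit_fleet(devices: List[Device], current_year: int = 2016) -> dict:
    """Map each device id to its findings."""
    return {d.device_id: audit_device(d, current_year) for d in devices}


# Constructed sample inventory; vendors and banners are fictional.
SAMPLE_FLEET = [
    Device("cam-001", "acme-clone", False, False, 2012, "SSH-2.0-dropbear_2012.55", [22, 23, 80]),
    Device("gw-002", "wellknown", True, True, 2016, "SSH-2.0-OpenSSH_7.2", [22, 443]),
    Device("dvr-003", "acme-clone", True, False, None, None, [80, 7547]),
]

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(dev_id, "OK" if not findings else ", ".join(findings))
```

Run as a script it prints one line per device; the cloned camera fails on every check while the well-maintained gateway passes. The useful part for a defender is the policy table: the same checks can be run at procurement time on a vendor's stated configuration, which is the "prior to shipping" gate the paragraph above says nobody currently enforces.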

The IPSO Alliance, the Industrial Internet Consortium, FIWARE, OpenDaylight IoTDM, Hypercat, the AllSeen Alliance; I could go on, but I won't. The list of "standards bodies" and consortia grows almost by the month. The one thing that is certain is that they have one thing in common: none of them is relevant to, or making any impact on, the root problem.

For this to have impact it has to be done at the import/export level, and we have to have government- and industry-backed assistance to make it happen. Turning the clock back to 1934 and working with the relevant governments and agencies will be the only way of enforcing change on commodity hardware vendors who care about the units shipped, not the units hacked.

I was not at VMworld this week, so I didn't get a hands-on opportunity to get to grips with the new technology partnership between Google, VMware and Nvidia to bring datacentre-based "thin client on steroids" technology to the Chromebook enterprise user. You can read more in this eWeek article by Jeffrey Burt.

I read it end to end, and anything that increases the adoption of Chromebooks in the enterprise (I now have four machines and am writing this article on one of them) is great. For Google, I understand that allowing fast, seamless handling of enterprise apps on Nvidia CPU-enabled machines with custom firmware and VMware's Blast technology is one thing; on the other hand, personally it has left me scratching my head.

Google has an absolute winner on its hands with the Chromebook. I ADORE MINE. My MacBook Pros, of which I have two or three now, rarely ever get booted. I can do everything I need for my Red Hat work on a Chromebook: Google Docs gives me enough power to draft documents, spreadsheets and so on, Photoshop needs are taken care of by Pixlr.com, and everything else we do online anyway, right? So I don't need the apps of old, the apps of 2008, the old ways of working that held me back and restrained me from being able to work at speed.

Google, you don't need VMware. Period.

Google: you are an enormous company whose products get better and better. If you want Chromebooks to be a success in the enterprise, get off your communal arses and think outside the box.

We moved to a better way of working when ChromeOS was born. What you're doing here with VMware is a death huddle: it's just Wyse terminals in shiny Chromebook form. It's 2004 all over again, and it's effectively saying "we capitulate, we accept that CIOs are dumb enough to keep spending money with proprietary vendors for client software rather than develop and host software as a service in the cloud". Frankly, it's comical.

We're in the cloud for a reason. Google has the ability to do more in the cloud than anyone, even Amazon, and Chromebooks are a key to that in the corporate world. The only issue is that I've no idea who with any muscle or vision in Google is driving enterprise ChromeOS, because right now they have a bag on their head and don't know how to talk to the press, analysts or the community at large using their kit.

Alessandro Perilli, who heads up the Open Hybrid Cloud team here at Red Hat, gave an impassioned presentation on what the industry needs to understand to succeed and how Red Hat wants to help you get there.

If you have time, make sure you sit through this video; it might be the smartest thing you do all week.

A few weeks ago I sat down with senior law enforcement officers from Holland, Germany and the UK and asked them, off the record: "Is there a ready role today for national crime agencies and the cybercrime specialist divisions of European police forces in the cloud age?"

One thing was screamingly obvious: the interaction and information sharing between agencies is healthy and transparent, and that is hugely beneficial to sovereign nations. The reality, however, is that there is a gap between capability and actual delivery.

SOCA in the UK, folded into the National Crime Agency last year, suffered from being seen as toothless and unable to deal with cybercrime in practice, through lack of ability and lack of reach to the actual sources outside its jurisdiction (e.g. mass mail spam and mail abuse, and boiler-room-type schemes run from overseas territories). We accept in Europe that there is a persistent impasse between industry and law enforcement, which comes down to a handful of clear issues:

1) Budget. Even though the UK National Crime Agency has a £500m budget and interactions with intelligence partners, it lacks depth of skills and the tools and technologies to query data and react at an efficient pace, and industry needs to assist. The current tools and database technologies supplied by one incumbent provider are anything but helpful and, if anything, set UK law enforcement back compared with the working practices of their partners in Europe.

2) Agencies. In the UK there is an over-reliance on agencies such as the Child Exploitation and Online Protection Centre (CEOP) and the Internet Watch Foundation (IWF), which are stuck between being lobbying bodies and being ineffective and entirely out of touch. Whilst CEOP's continued interaction with industry partners such as Virgin Media and BT shows encouraging signs, it is too little, too late. There is a need for a clear rethink of how take-down notices and more serious protective measures can be enforced faster and with more clarity, interacting with local police forces and sharing information proactively in real time.

3) Fraud protection. The majority of online fraud happens overseas, and vulnerabilities in key cornerstones of the Internet such as Heartbleed, which I broke to the world now two weeks ago (no guessing who the Senior Security Developer at the operating system vendor quoted was), are just the start. The Internet's glue is held together right now, at managed hosting providers and Internet service providers, by embedded routers, switches, content delivery platforms and web hosting architectures. It could be up to three years before the least proactive ISPs, who simply don't have a clue or the budget (or the kick), fix the underlying infrastructure that provides peace of mind to Internet users, consuming service organisations and platform providers. In fact one salient fact has not been correctly identified with bugs such as Heartbleed: plausible deniability. A determined, minimally equipped hacker today with a basic live Linux distro who wants to play merry hell quietly will do so. Don't expect to find him or her, as most ISPs and telcos haven't got staff capable of spotting them in real time. I've proved in practice that this is a fact.

In a past life I uncovered (with authority) a massive exploit at a major UK household-name telco, involving a major datacentre breach with proven exploits and a complete paper trail and audit log of intrusions and proven hops into highly protected networks previously thought segregated. As with many telcos, you never hear about it, because the nature of an SEC filing or a public slapping from the Information Commissioner carries both a fine and red faces, as well as loss of reputation. When I then uncovered a breach in their billing platforms affecting residential customer data, this too was "lost", even though it was documented and brought to the attention of the board and chairman of a major household-name vendor. Patched and quietly forgotten. These things happen. They shouldn't; hopefully they happen a lot less now. As a signatory to the Official Secrets Act I am prevented from discussing far scarier real-life scenarios that are in daily play today in larger infrastructures. Sadly, vendor relationships and reaction need to be in a position where a defensive stance is taken ahead of time, rather than when faced with a major zero-day exploit or a data breach using publicly available exploit code.

For six years I've talked about how we should practise security better. For six years I've worked with the Cloud Security Alliance and with Jim Reavis, their chair. A few weeks ago I sat down with the British Standards Institution (BSI), who last summer worked with the CSA to adopt STAR and push it to industry; that at least brings the UK up to speed and, hopefully, shows law enforcement that they are playing behind the times and need to engage with industry better.

Relying on the badly constructed Computer Misuse Act and RIPA II is no longer good enough. If you can't communicate with industry, if you can't adopt open big-data practices to analyse data and still rely on proprietary, weak tools for analysis, then the public suffers. If the public suffers, there is a tacit nervousness about moving to the cloud as actively as we'd like.

You can hear my interview with the BSI when I get back from the US, on their take on why blended security controls and practical interaction between public disclosure and industry engagement are a great start to reacting, and to building preventative and lasting cloud security and law enforcement. You can also listen to my interviews with Dr Udo Helmbrecht (Executive Director of ENISA) and Richard Clarke (White House Special Advisor on Cybercrime to the President of the United States) by following the inline links. If they take me seriously, it would be nice if law enforcement woke up and changed working practices to take into account ever-moving threat vectors and a larger-than-ever threat fabric that affects business confidence and technology investment.

Until then, just cross your fingers, as law enforcement are standing in the wind with their finger in the air. Call Heartbleed a call to arms; sadly, I have doubts that there is a groundswell to proactively deliver change. Let's hope this makes someone's radar.

One salient point: we are here to help. If people reach out and ask, that help is forthcoming; bury communal heads in the sand and you end up depleted in capability, unable to prosecute with mandated authority, and with a lot more cases thrown out in court, wasting taxpayer-funded resources and costs.

Working together is smarter. Let's try.