Introducing Machine Learning Security Principles

Are you a manager, researcher, or novice data scientist who works with data regularly, yet can’t really understand the technobabble found in security books that are supposed to help you secure the data you work with? Machine Learning Security Principles is all about providing you with full disclosure of all of the security threats that can affect your data in a detailed way that is also understandable. The idea is to understand the threats and understand the players in the security arena so you can create a strategy that will ensure your data remains safe without feeling completely lost in the language used by most books today.

Machine Learning Security Principles looks at data from every possible perspective, which means that you’ll learn more than just collection and storage methods. It isn’t just the hackers and disgruntled employees that are the problem. You now have to deal with governments that tell you how to collect data properly and face the wrath of the pubic at large when the data is collected in a less than ethical manner, even when no laws have been broken. In addition, it’s more than just the data, it’s also the system that holds the data, the application the uses the data, and the users who enter the data that can become problematic. With this in mind, here are some things that you’ll learn when reading this book:

  • Learn methods to prevent illegal access to your system.
  • Discover detection methods when access does occur.
  • Employ machine learning techniques to determine motivations.
  • Mitigate hacker access using a variety of methods.
  • Repair damage to your data and applications.
  • Use ethical data collection methods to reduce security risks.

A major complaint with most books on the market is that there is an expectation that you’re not only an expert coder, but that all you want is to see code. That’s fine if you’re already a seasoned security expert, but then seasoned security experts really don’t need books like this one. Machine Learning Security Principles provides you with several ways to learn about security issues:

  • References to actual security break-ins and the results of them.
  • Block diagrams showing how various kinds of security issues occur.
  • Explanatory text that helps you understand what precisely can happen and how to prevent.
  • Example code that you can use to discover how various security techniques work.
  • Example data and the techniques you can use to work with it.
  • Resources that you can use to augment your security plan.
  • Online tools you can use to more fully explore security issues.

In short, Machine Learning Security Principles provides you with several methods of learning about security in an easy to use manner. It doesn’t take a one size fits all approach. Please let me know if you have any questions about my new book by contacting me at [email protected].

Old Laws, User Privacy, and Vendors Caught in the Middle

I’ve talked a number of times about researchers creating security busting software just because they can. The software often gets out into the wild where people who wouldn’t normally have a clue as to how to overcome security features can now use it to break the latest security in some product or application. Now the government is trying to force Apple (and probably other vendors) to write such software in pursuit of information hidden by encryption based on the mandates of a 227 year old law written at a time when no one had any idea that modern digital devices would even exist. The decree issued by the judge in charge of the case seems quite reasonable until you consider the fact that once Apple writes the software, it could end up in the wild, where hackers will almost certainly find ways to use it to overcome the security of legitimate users—making it impossible to ensure private information, such as credit card data, really does remain private.

The iPhone comes with some interesting security features that make it a relatively secure device. For example, tampering with certain device hardware will brick the device, which is the sort of security feature more devices should have. Modifying the security hardware should cause the device to lock down in order to protect the data it contains. The encryption that Apple offers with the iPhone is also first rate. No one but the user has the key used to unlock the encryption, which means that only the user can create a security problem by handing the key out to others.

The government is trying to change this scenario to make it easier to learn about anything it can about the data on Syed Rizwan Farook’s iPhone (one of the two San Bernardino shooters). On the surface, it seems like a good idea, if for no other reason than to potentially prevent other shootings. However, the manner in which the government has pursued the information opens the door to all sorts of abuse and then there is the matter of that software getting out into the wild. The issue here is that the law hasn’t kept up with technology, which is a recurrent problem. The government doesn’t have a law to cover the need to break encryption in a reasonable way, so it resorts to a 227 year old law that was never intended to address this need. The fact that the government is using the same law to try to force Apple to breach iPhone security in at least twelve other cases means that the argument that this is a one-off requirement doesn’t hold any water. Once Apple cooperates even once, it sets a precedent that will allow the government to force additional cooperation, even when such cooperation decidedly damages the privacy of innocent parties.

Tim Cook has rightly refused to cooperate with the government. There really is too much at stake in this case and even the government should be able to figure it out. What needs to happen is that our government needs to catch up with technology and write laws that everyone can live with to deal with the need to preserve the privacy engendered by encryption, yet make it possible for the government to obtain information needed to solve a case.

The question here is more complicated than simply managing information properly. It’s also one of keeping good technology (such as that found in Security for Web Developers) working properly and ensuring that government entities don’t abuse their positions. What is your take on the San Bernardino shooting and the information needed to pursue it? How do you feel about keeping your private data truly private? Let me know at [email protected].

 

A Fuller Understanding of the Internet of Things

You can find the Internet of Things (IoT) discussed just about everywhere today because the Internet has become pervasive. IoT is part of most business applications today as discussed in Security for Web Developers and part of any PC you build as discussed in Build Your Own PC on a Budget. It appears as part of smart TVs and Blue-ray players. In fact, you find IoT employed in a lot of places you might not have thought possible even a year ago. The point is that IoT is here to stay, especially when there are some great xfinity internet packages available, and we need to consider some of the ramifications of it on every day life.

One of the issues that hasn’t surprised me too much is the issue of security. Both my smart TV and smart Blue-ray player require me to enter a password to access the Internet through my wireless router (mostly because the router is configured to require one, whether I’m using 2.4ghz vs 5ghz range on it). So these devices do employ security to some extent. However, they remain logged on at all times, so the router is also configured to disconnect devices after a certain time. Each time I turn the devices on, I must reenter the password. It’s a level of security, but not necessarily the best security. Some devices, such as Apple Watch, lack any form of security. (In the case of Apple Watch, the device authenticates through an iPhone, so it still has some level of security, but not security that is part of the device itself.) Some industry pundits are saying that these devices will eventually kill the password, which means that some other form of primary authentication is needed.

The problem is increased by the proliferation of headless devices (products that lack any sort of display, such as a door lock, security system, or robots). In these cases, you can’t enter a password. No one is really sure how to secure these devices, but a solution really is needed and soon. Unless we find a solution, the issues surrounding intentional hacking will increase. A recent InfoWorld article, Welcome to the smart home … of horror!, emphasizes some of the sorts of things that could happen due to a lack of security.

Security and configuration problems aren’t just limited to outsiders gaining access to your home, office, business, or other location due to holes in IoT security. It also turns out that smart devices aren’t particularly smart, so sometimes you lose access to your network and its connected devices due to a combination of security and configuration issues when a failure occurs. In the ComputerWorld article, The Internet of Things: Your worst nightmare, you can hear about one person’s attempt to recover from a simple router failure. It turns out that simply replacing the router wasn’t enough-everything connected to the router needed reconfiguration and sometimes the task was less than easy to perform, though understanding your 192.168.100.1 Address can at least help with this quite often.

The world is in a age of transformation. The ride will be bumpy and the problems severe. When you consider the immensity of the things that are changing, the future looks incredibly different from anything that has gone on in the past. Not only is there IoT to consider, but the whole issue of robots and other technologies that are coming to fore. As these new technologies become part of everyday life, we have to ensure we can use them safely and that ability of someone to hurt us through them is curtailed. Let me know your thoughts about IoT security and configuration at [email protected].

Death of Windows XP? (Part 5)

Windows XP, the operating system that simply refuses to die. The title of this post should tell you that there have been four other posts (actually a lot more than that) on the death of Windows XP. The last post was on 30 May 2014, Death of Windows XP? (Part 4). I promised then that it would be my last post, but that’s before I knew that Windows XP would still command between 10 percent and 15 percent market share—placing it above the Mac’s OS X. In fact, according to some sources, Windows XP has greater market share than Windows 8.1 as well. So it doesn’t surprise me that a few of you are still looking for Windows XP support from me. Unfortunately, I no longer have a Windows XP setup to support you, so I’m not answering Windows XP questions any longer.

Apparently, offering Windows XP support is big business. According to a recent ComputerWorld article, the US Navy is willing to pony up $30.8 million for Microsoft’s continued support of Windows XP. Perhaps I ought to reconsider and offer paid support after all. There are many other organizations that rely on Windows XP and some may shock you. For example, the next time you stop in front of an ATM, consider the fact that 95 percent of them still run Windows XP. In both cases, the vendors are paying Microsoft to continue providing updates to ensure the aging operating system remains secure. However, I’m almost certain that even with security updates, hackers have figured out ways to get past the Windows XP defenses a long time ago. For example, even with fixes in place, it’s quite easy to find headlines such as, “Hackers stole from 100 banks and rigged ATMs to spew cash.”

What worries me more than anything else is that there are a lot of home users out there who haven’t patched their Windows XP installation in a really long time now. Their systems must be hotbeds of viruses, adware, and Trojans. It wouldn’t surprise me to find that every one of them is a zombie spewing out all sorts of garbage. It’s time to put this aging operating system out of its misery. If you have a copy of Windows XP, please don’t contact me about it—get rid of it and get something newer. Let me know your thoughts on ancient operating systems at [email protected].

 

Considering Threats to Your Hardware

Most of the security write-ups you see online deal with software. It’s true that you’re far more likely to encounter some sort of software-based security threat than any of the hardware threats to date. However, ignoring hardware threats can be problematic. Unlike the vast majority of software threats that you can clean up, hardware threats often damage a system so that it becomes unusable. You literally have to buy a new system because repair isn’t feasible (at least, for a reasonable price).

The threats are becoming more ingenious too. Consider the USB flash drive threat called USB Killer. In this case, inserting the wrong thumb drive into your system can cause the system to completely malfunction. The attack is ingenious in that your system continues to work as normal until that final moment when it’s too late to do anything about the threat. Your system is fried by high voltage sent to it by the thumb drive. Of course, avoiding the problem means using only thumb drives that you can verify are clean. You really can’t even trust the thumb drive provided by friends because they could have obtained the thumb drive from a contaminated source. The result of such an attack is lost data, lost time, and lost hardware—potentially making the attack far more expensive than a software attack on your system.

Some of the hardware-based threats are more insidious. For example, the Rowhammer vulnerability makes it possible for someone to escalate their privileges by accessing the DRAM on your system in a specific way. The technical details aren’t quite as important as the fact that it can be done in this case because even with repairs, memory will continue to be vulnerable to attack in various ways. The problem is that memory has become so small that protections that used to work well no longer work at all. In addition, hardware vendors often use the least expensive memory available to keep prices low, rather than use higher end (and more expensive) memory.

It’s almost certain that you’ll start to see more hardware threats on the horizon because of the way in which people work with electronics today. All these new revelations remind me of the floppy disk viruses of days past. People would pass viruses back and forth by trading floppies with each other. Some of these viruses would infect the boot sector of the system hard drive, making it nearly impossible to remove. As people start using thumb drives and other removable media to exchange data in various ways, you can expect to see a resurgence of this sort of attack.

The potential for hardware-based attacks continues to increase as the computing environment becomes more and more commoditized and people’s use of devices continues to change. It’s the reason I wrote Does Your Hardware Spy On You? and the reason I’m alerting you to the potential for hardware-based attacks in this post. You need to be careful how you interact with others when exchanging bits of seemingly innocent hardware. Let me know your thoughts about hardware-based attacks at [email protected].

 

Does Your Hardware Spy On You?

Every once in a while I encounter an article that talks about government intrusion into private organizations through means that seem more like a James Bond movie plot than reality. The latest such story appeared in ComputerWorld, “To avoid NSA, Cisco delivers gear to strange addresses.” These articles lead me to wonder whether the authors have an overdeveloped persecution complex or government agencies are really spying on the public in such overtly secretive (and potentially illegal) ways. The fact that some companies apparently believe the threat enough to ship their equipment to odd addresses is frightening. Consider the ramifications of the actions—is it even possible to feel safe ordering hardware you haven’t built yourself (or are the individual components bugged too)?

Obviously, government organizations do require some means of tracking bad guys out there. Of course, the term bad guys is pretty loose and subject to great deal of interpretation. In addition, just how much tracking is too much tracking? Would enough tracking prevent another terrorist attack or the loss of income caused by crooked company executives? There are many questions that remain unanswered in my mind (and obviously in the minds of others) over the use of various tracking technologies.

The topic of government spying, it’s legitimate and illegitimate uses, and just who the bad guy is demands a lot more attention than anyone is giving it. So, how do you feel about government tracking of everything and anything it sets its mind to spy on? Do you feel there should be limits? What do you feel about shipping things to odd addresses to avoid notice and circumvent the system (partly because the system is broken)? I’d love to hear your point of view about the use of modified computer equipment as a tool for spying on the private sector at [email protected].

 

Creating Effective Passwords

It’s like a recurring nightmare-the whole issue of passwords simply won’t go away. People continue to use really awful passwords like secret and password because they’re easy to remember and they view passwords as a pain. A user will rely on the same password for everything, so once a hacker figures the password out, every resource the user can access is wide open. To make sure everyone can access the user’s account, the password often appears on post-it notes and in other obvious places. Of course, the user never, ever changes the password so once a hacker gains access, the accounts will remain open forever. This is just the tip of the password complaint iceberg.

Microsoft and other vendors are trying to remedy the situation by using biometric data or smart cards. The problems with smart cards are that they’re easily copied and even easier to lose. A lot of organizations have tried smart cards and found them to be less than ideal. Biometric data is just as bad and requires Biometric Authentication in order to check the security of your system. There are ways of easily thwarting fingerprint scanners today. Of course, once a fingerprint is hacked, you can’t change it. Fingerprints are unique, but using just a fingerprint means that everyplace you log in effectively uses the same password. So, once someone does hack your fingerprint, they can access absolutely everything you can. To overcome the issues with a single biometric, some researchers are now suggesting the use of a Multi-Biometric Authentication System (MBAS), which is also called a Multimodal Biometric Authentication System. So, how you have a really expensive, overly complex system that is bound to have a high failure rate.

The problem with all the various lines of thought out there now is what I call the magic bullet syndrome. Someone thinks that there is a solution that will somehow thwart the bad guys. Unfortunately, history proves that the bad guys always come up with a way to storm the gates and that any wall you build will prove too low at some point. I’ve advocated the passphase system for years because you can create passwords that are both strong and easy to remember. Passphrases can be quite long, complex, and still make it easy for someone to enter correctly nearly every time. In addition, you can change passphrases with the same ease that you can a password. Changing your password or passphrase relatively often means that even if hacker does gain access to an account, it’s unlikely to remain open to them. Still, no solution is perfect, which is why security monitoring is an essential part of any security solution.

Of course, whether you use a password or a passphrase, you need to know that it’s strong enough to keep hackers at bay, at least for a while. Therein lies another problem. According a recent ComputerWorld article, many of the password strength meters out there are giving users a false sense of security. They really don’t tell you that your password or passphrase is strong enough to withstand easy attack. When creating a password or passphrase, avoid using words that are spelled precisely the same as they are in the dictionary. For example, you could replace the letter E with the number 3. Make sure the passphrase is relatively long and complex. It should include spaces (when allowed) and special characters (such as the ampersand, &). Use a combination of uppercase and lowercase letters. Include numbers. Misspell a word or two, such as “MiG00dPassphras3”. The point is that you want to make things hard on your attacker, but still easy to remember.

When all is said and done, your best defense against hackers is vigilance. It doesn’t matter whether you use passwords, passphrases, smart cards, or biometrics. If someone really wants to gain access to your account, you have to assume they’ll be successful. Don’t believe in magic bullet solutions because they really don’t exist no matter what someone might try to tell you. Make sure you change your login information on a regular basis and keep an eye on the resources you use. Report any suspicious activities that you find. In short, don’t assume that you’re safe because you really aren’t. Let me know your thoughts about passwords, passphrases, smart cards, and biometrics at [email protected].

 

 

Considering Our Future Cyber War

It’s not if a cyber war will happen, but when. Precisely what form such a war will take depends on the perpetrators and their goals. I’ve spend quite of time discussing the relative insecurity of the Supervisory Control and Data Acquisition (SCADA) systems out there. However, I’m only assuming that SCADA is going to be targeted at some point because it’s such low hanging fruit and no one seems to have any interest at all in securing. Plus, the attack would be of the sort that we’d have a hard time defending against (and possibly identifying at first as the hospitals fill with victims of some mysterious problem).

I recently read an article by John Dvorak entitled, “What if Facebook Is Hacked Next?” John makes some excellent points, but probably doesn’t go far enough. Why would an attacker stop with just Facebook? Why not attack all of the sources of social media out there, including places like LinkedIn and Twitter? The confusion created by the loss of all social media would be amazing. It could easily act as a smokescreen for some other activity even more devastating than the loss of data. While everyone is scrambling to fix their social media issues, someone could work in the background to do something truly horrible.

Actually, the attacker might not even have to do anything other than disrupt all online activities. Think about the number of jobs lost, the hit to online commerce, and the other problems that such an attack would cause. Perhaps these people are simply waiting until more brick and mortar stores close that people no longer have local resources to help in such an emergency. For example, think about the problems that the loss of online stores would have to IT professionals who maintain huge networks of computer systems. The potential for truly terrifying results is amazing.

A cyber war is coming. Just when it will arrive is the topic of much speculation, but my feeling is that it’ll come sometime soon. What sorts of security measures do you have in place? Have you done anything else to prepare? Let me know about your thoughts on cyber war at [email protected].

 

Our Borders are Porous

No, I’m not talking physical borders here—I’m talking cyber borders. I’ve talked a number of times about the relative insecurity of Supervisory Control and Data Acquisition (SCADA) systems. My biggest personal concern is how leaks in these systems can affect people with special needs. At a minimum, implanted devices used by people today are open to hacking. However, there are some reports that say that hackers could eventually become murderers. I wrote Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements with the idea that implanted devices and other aids should help people, not hurt them.

However, other sorts of devices are leaky. Just about any hacker could attack our water supply, power grid, or any other utility. A hacker could turn off your car engine by remote control, lock you into the car, and then do whatever nefarious deed seemed pleasant at the time. These posts aren’t meant to scare you as much as to inform you that the borders of your devices are wide open to attack in many cases. Yet, despite a huge number of newspaper articles, radio talk shows, government inquiries, and odd assorted other do nothing activities, surprisingly little has been done to secure anything.

It probably won’t surprise you to know that the latest casualty, in a long list of problematic devices, is the gas pump. Yep, your gas pump can turn against you. I hadn’t really thought about a gas pump as being anything particularly worthwhile to hack. Yes, you could possibly turn on the pump and get free gas or deny someone else their gas, but it really didn’t strike me as something that hackers would invest time in learning about. Actually, it turns out that gas pumps are connected to all sorts of monitors and messing with the pump can cause those monitors to go off. It doesn’t seem like alarms are anything to worry about either, but think about someone intent on disrupting the emergency services network in a city so that they can attack in some other way. While everyone is distracted with the gas pump spills that haven’t actually happened, someone could do something that would cause the city to go into overload because emergency services are already overwhelmed.

The thing that gets me about a lot of these deficiencies is that they aren’t caused by systems that are secured, but someone has manged to get into anyway. They’re caused by systems that have no security at all. That’s right—someone connected those gas pumps to the Internet so they could monitor them remotely and didn’t add any security at all. Someone who knows the right information can just walk right in and cause all sorts of mischief.

From direct attacks on our infrastructure, to feints used for distraction, to personal attacks, SCADA systems will let us down at some point. I’m surprised that we haven’t had a major issue so far. Perhaps someone is out there right now planning just the right sort of attack that’s designed to cause a maximum of damage. Until we make security a priority, these open systems will continue to pose a serious risk to everyone, whether you have special needs or not. Let me know your thoughts about insecure SCADA systems at [email protected].

 

Thinking About the Continuing Loss of Privacy

It’s easy to wonder whether there will ever come a time when humans will no longer have any privacy of any sort. In part, the problem is one of our own making. We open ourselves up to all sorts of intrusions for the sake of using technology we really don’t need. I’ve discussed this issue in the past with posts such as Exercising Personal Privacy. As people become more addicted to technology, the thinking process is affected. The technology becomes a sort of narcotic that people feel they can’t do without. Of course, it’s quite possible to do without the technology, but the will to do so is lacking.

A couple of articles that I read recently have served to highlight the consequences of unbridled technology overuse. The first, Getting Hacked Is in Your Future, describes the trend in hacking modern technology. Of course, avoiding getting hacked is simple—just stop using the technology. For example, people have gotten along just fine without remote car starts to heat their cars. Actually, it’s simply a bad idea because the practice wastes a considerable amount of gas. The point of the article is that hackers aren’t ever going to stop. You can count on this group continuing to test technology, finding the holes, and then exploiting the holes to do something horrid.

Wearable technology is also becoming more of a problem. The ComputerWorld article, Data from wearable devices could soon land you in jail, describes how police will eventually use the devices you use to monitor yourself against you. The problem isn’t the wearable technology, but the fact that many people will use it indiscriminately. Even though logic would tell you that wearing the device just during exercise is fine, people will become addicted to wearing them all the time. It won’t be long and you’ll see people monitoring every bodily function 24 hours a day, seven days a week. The use of cameras to view static locations on a street will soon seem tame in light of the intrusions of new technologies.

A reader recently asked whether I think technology is bad based on some of my recent blog posts. Quite the contrary—I see the careful use of technology as a means of freeing people to become more productive. The problem I have is with the misuse and overuse of technology. Technology should be a tool that helps, not hinders, human development of all sorts. I see technology playing a huge role in helping people with special needs become fully productive citizens whose special need all but disappears (or possibly does disappear to the point where even the technology user doesn’t realize there is a special need any longer).

What is your take on the direction that technology is taking? Do you see technology use continuing to increase, despite the problems that it can pose? Let me know your thoughts on the good uses for technology and the means you use to decide when technology has gone too far at [email protected].