Author Archives: BobSulli

The fake account problem — why it's everyone's problem

Larry Ponemon

User growth has become a key indicator of a company’s financial growth and sustainability. Even a company’s revenues can take a back seat to its user base as a metric that predicts future success. While it may have taken the telephone 70 years to reach 50 million users, in today’s fast-paced world companies can reach that same number in a matter of months.

As the user-base becomes a new form of currency, driving valuations of companies around the world higher and faster than ever before, it is becoming increasingly important to protect the integrity of these users. Information about who users are, what they do and how they do it is incredibly valuable. If not adequately protected this information can be (and is being) exploited.

The purpose of this report is to understand the scope of registration fraud, and how this epidemic is impacting companies and their users. It offers a glimpse into how companies verify and protect their users, and the damage that can be done when fraudulent users and fake accounts are allowed to exist within a user base.

Thanks to a sponsorship from Telesign, we surveyed 584 U.S. and 414 UK individuals who are involved in the registration, use or management of user accounts and hold such positions as product manager, IT security practitioner and app developer. Eighty-nine percent of these respondents say their organization considers its user base a critical asset with an average value of $117 million.

However, account fraud is becoming more prevalent because most organizations have a difficult time ensuring bona fide users and not bad actors are authenticated during the registration process. Only 36 percent believe they are able to avoid fraudulent registrations. Moreover, once fake users are registered, they spam legitimate users and often create more fraudulent accounts. Fake users also steal confidential information as well as engage in phishing, social engineering and account takeover.

The findings reveal why companies are vulnerable to the threats of fake users:

  • The authentication process is difficult to manage, according to 69 percent of respondents, allowing fake users to infiltrate the user base.
  • Fifty-eight percent of respondents say user convenience is most important to their fraud prevention strategy and 42 percent of respondents say ease of use is critical. Only 21 percent say security is important.
  • The majority of respondents (54 percent) say a phone number is enough to stop fraudulent registrations and protect account access.
  • Companies seem to be unwilling to crack down on fraudulent registrations. Forty-three percent of respondents say their company doesn’t worry about the registration of fake accounts to avoid friction in the registration process. Most companies do not have a formal method for determining whether a potential user is real.
  • Only 39 percent of respondents say their company is vigilant in determining that each user account belongs to a real person.
  • Only 25 percent of respondents believe the traditional username and password(s) is a reasonably secure authentication method for their users. However, 94 percent of respondents say they use passwords or PINs and 79 percent use email addresses to create an account(s).

To read the rest of the report findings, please download the PDF from Telesign.com

Most consumers are worried their cars might be hacked; many say they'd pay for car 'anti-virus' protection

Charlie Miller, who helped find the flaw, installing the patch.

Bob Sullivan

Consumers are becoming more and more aware that hacking isn’t just a gadget nuisance any more.  Computer security problems, like viruses, increasingly come with real-world consequences — like the potential to screw with an airplane’s flight system, or more recently, a car.  Wired’s Andy Greenberg last month revealed to the world the latest hacking horrible — security researchers were able to “kill” a Jeep while he was in it.

“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”

Later, the hackers demonstrated they could stop and steer the car remotely using a software vulnerability.  Yikes.

The digital carjacking incident was a huge embarrassment for Jeep maker Fiat Chrysler, which recalled 1.4 million cars to fix the software.

But pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face.  Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable.

Consumers  seem to implicitly understand this.  Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (Ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 a month being the preferred cost.  I smell a marketing opportunity for antivirus makers!  I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?  (And while I’m at it, could I make a final, fruitless plea to save at least some dashboard gauges and knobs?  I *hate* digital displays.)

On to the results:

  • 72 percent said they are aware of the recent Jeep Cherokee hacking incident.
  • 41 percent said they will consider this recent vehicle hacking incident when buying/leasing their next car.
  • 78 percent said vehicle hacking will be a frequent problem in the next three years or less.
  • 33 percent classified vehicle hacking as a “serious” problem; 35 percent classified it as a “moderate” problem.
  • 58 percent do not think there will ever be a permanent solution to vehicle hacking.
  • 41 percent think pranking is the most common reason for hacking a vehicle; 37 percent think theft is the most common reason for hacking a vehicle.
  • 81 percent think the vehicle manufacturer is most responsible to secure a vehicle from hacking; only 11 percent consider themselves most responsible to secure a vehicle from hacking, and 5 percent see it as the responsibility of their wireless provider.
  • 64 percent would prefer to go into a dealership to get a vehicle’s security patch installed; only 24 percent would prefer to do it wirelessly, and a mere 12 percent would prefer to have the software mailed so they could install it themselves.
  • 47 percent said they would go to a dealership “immediately” if they knew they had to install a security patch to protect their vehicle from hacking; 31 percent said “within a week,” and 17 percent said “within a month.”
  • 44 percent would prefer to be notified via mail, and 41 percent would prefer to be notified via e-mail, in the event their vehicle was recalled.  Only 11 percent preferred notification via a phone call, and 5 percent preferred text.
  • 52 percent indicated they would be willing to pay for a monthly subscription to ensure that their vehicle would be completely protected from hacking, with $8 being the average respondents would be willing to pay each month.

“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Karl Brauer, senior analyst for Kelley Blue Book.  “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.  If automotive engineers find themselves playing catch-up in this field, it could have disastrous results for both consumers and the industry.”

Some secrets are more valuable than others; Ashley Madison and the new 'data kidnapping'

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others.  In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen.  It now appears that tens of millions of people are at risk of being exposed.  As you’ve already deduced, Ashley Madison users are not really all that worried about having the credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0.  It’s not about the data, it’s about the context.  Using stolen data, like credit cards, to get money is hard work.  Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking.  Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things.  Actresses were insulted and underpaid.  It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HBGary, which Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data.  Credit cards, yes. Email servers, maybe not. Slowly, this will change.  But right now, every executive at every firm in the country should be hard at work doing an honest assessment about what their valuable data really is.  Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster if stolen in another.  Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madison’s owners didn’t see this coming, particularly when AdultFriendFinder.com was hacked two months ago.  But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess?  One possibility is paying a ransom.  A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on.  The raging success of malware called cryptolocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work.  Cryptolocker made $27 million just in its first two months, from both home users and small organizations. 

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams,  about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehart is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies.  In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context.  Secrets are almost always valuable to someone.


Who owns the security budget? It's not the CISO

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America; Europe, the Middle East and Africa (EMEA); Asia-Pacific and Japan (APJ); and Latin America (LATAM), in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.

• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report?  Download it from Dell here. 

A lesson from that Cardinals-Astros hack: Don't use old passwords at your new company

I discuss the alleged Cardinals hack with NBC’s Kevin Tibbles.

First of all, if you haven’t read it, you must: The FBI is investigating baseball’s St. Louis Cardinals for hacking the Houston Astros, according to the New York Times. Someone from the Cardinals allegedly stole data offering insight into the Astros player evaluation files, details on possible trades, and so on.  This kind of corporate espionage goes on all the time, and if you didn’t believe that, well, there you are.

Here’s what’s interesting for you.  The story-in-the-story here is that the Astros hired a hot-shot Cardinals employee named Jeff Luhnow and made him general manager. He took some Cardinals employees with him.  That created bad blood. Apparently, it also created a beachhead for the hacker. The Times reported today that someone from the Cardinals used old passwords from those former employees when breaking into the Astros’ computers.

“Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said,” the Times says.

In other words, the former Cardinals employees kept using at the Astros the same passwords they had used when they worked for the Cardinals.  Let that be a lesson to you: When you switch jobs, switch whatever password creation trick you have been using.

Still, the situation is a bit unusual.  Computer networks are designed so such passwords cannot be retrieved, even by system administrators.  They’re encrypted. Even firms that store previous passwords to prevent re-use scramble them so they can’t be accessed, according to security expert Harri Hursti. At least, that’s “best practice.”

On the other hand, “there are a lot of crazy organizations out there that store passwords in clear text,” Hursti said.
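The storage practice described above, as an added example that is not code from the article or from Hursti: a Python password record that keeps only salted, one-way PBKDF2 hashes, holds a bounded history of previous hashes so a password cannot be reused, and exposes nothing an administrator or a database thief could read back as plaintext. The "scrambling" Hursti refers to is implemented here as salted hashing rather than reversible encryption. The class and function names, the iteration count and the history depth are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions, not from the article).
PBKDF2_ITERATIONS = 100_000   # work factor; raise for production use
SALT_BYTES = 16
HISTORY_DEPTH = 5             # how many previous passwords are refused on re-use


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation. The plaintext cannot be recovered from the
    result, which is what makes a leaked table useless for logging in elsewhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordRecord:
    """Per-user record that persists only (salt, hash) pairs: the current
    credential plus a bounded history used to reject re-use."""

    def __init__(self) -> None:
        self.current = None   # (salt, hash), or None before the first password is set
        self.history = []     # previous (salt, hash) pairs, most recent first

    @staticmethod
    def _matches(password: str, entry) -> bool:
        salt, stored = entry
        # Constant-time comparison so timing does not leak how much of a hash matched.
        return hmac.compare_digest(hash_password(password, salt), stored)

    def set_password(self, password: str) -> bool:
        """Install a new password. Returns False, changing nothing, when the
        candidate equals the current password or any password in the history."""
        previous = ([self.current] if self.current else []) + self.history
        if any(self._matches(password, entry) for entry in previous):
            return False
        if self.current:
            self.history.insert(0, self.current)
            del self.history[HISTORY_DEPTH:]   # keep the history bounded
        salt = os.urandom(SALT_BYTES)          # fresh salt per password
        self.current = (salt, hash_password(password, salt))
        return True

    def verify(self, password: str) -> bool:
        """Login check against the current credential only; a replaced
        password stops working immediately, even though its hash is retained."""
        return self.current is not None and self._matches(password, self.current)

    def stored_material(self) -> list:
        """Everything an administrator, a backup, or a database thief could
        read: hex-encoded salts and hashes. The plaintext is simply not present."""
        entries = ([self.current] if self.current else []) + self.history
        return [(salt.hex(), digest.hex()) for salt, digest in entries]


if __name__ == "__main__":
    # Constructed sample walk-through: a user changes jobs and tries to reuse.
    record = PasswordRecord()
    print(record.set_password("first-job-secret"))    # True
    print(record.set_password("second-job-secret"))   # True
    print(record.set_password("first-job-secret"))    # False: rejected from history
    print(record.verify("first-job-secret"))          # False: no longer the live credential
    print(record.stored_material())                   # only salts and hashes
```

Because each password gets its own random salt, two users who choose the same password end up with different stored digests, so a single leaked hash says nothing about other accounts. The "master list of passwords" the Times describes cannot exist under this design; the only way such a list arises is the clear-text storage Hursti calls out.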

There are other possibilities, of course.  The details in the New York Times story could be wrong.  A former Cardinals employee could have shared his or her password with others in the team’s front office — that’s not unusual. Maybe a post-it note was left behind on a computer monitor.  Maybe the password was “password.”

But here’s your nearly daily reminder that you might be hacked, and the hacker might be a surprise — it might be a former friend or colleague.  So be vigilant about your passwords.  And when you change companies, change your password habits.

New chip credit cards called 'a joke' — lessons from Europe offer the punchline

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa.  In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards – requiring that PIN codes be entered each time a card is used. The change adds two layers of security, which amounts to two-factor authentication.  To complete a transaction, buyers need to have in their hands a chip card, which is incredibly challenging to counterfeit. And they must know something — a PIN — that’s not on the card.

The U.S. is poised to implement only half this system.  Chip cards must be accepted by merchants by the fall deadline, but not PINs.  The so-called “chip & signature” system is a half-measure, according to  Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumers’ signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why?  So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according to Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006.  While counterfeit card fraud has shrunk — from 27 percent of all fraud in 2003 to 13 percent in 2013 — other kinds of fraud have soared.  Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013.  Chip cards have no impact on online or telephone sale fraud because the chips cannot be used for authentication.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind – at least a decade behind the U.K., for example – that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete.  To some observers that lessens the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV … it would be more of a target than it is today,” he said.  “There is still value in migrating … it’s going to take a lot longer than people expect for mobile payments to really become commonplace.”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, where banks enjoyed at least a few years of reduced fraud before criminals caught up.  Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.

Sign up for Bob Sullivan’s free email newsletter.

Lessons from Anthem hack: Welcome to the post-Sony world; it's going to get ugly

Bob Sullivan

Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control.  The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big.  Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.

It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.

What’s broken here is the system.  What’s missing here is bold action.  While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better.  Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value.  So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.

But there’s more going on here than chip card change.  Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data.  The new thinking: Grab everything, and we’ll figure out how to monetize it later.  It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk.  Turning private data into an extortion payout is much easier.

So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data.  They wanted everything else. And now, like a hunter who uses every part of a dead prey, they will pick over the data and try to monetize it in dozens of ways.  New account fraud. Phishing. Extorting consumers.  Perhaps, they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.

Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets.  Why would Anthem leave such data in an unencrypted state, lying around for the taking?  More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?

The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not.  Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store.  Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.

Change must come.  Data is everyone’s core business now.  Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked.  Meanwhile, it’s time to work with the reality that millions of Americans have now permanently been exposed to identity theft through the theft of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.

That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.

See you in another week or two when the next big hack hits.


'We've lost control,' say 9 out of 10 Americans

You couldn’t get nine out of 10 Americans to agree that the sky is blue.  So it’s remarkable that nine out of 10 say they have lost control over how their personal information is collected and used by corporations, a new survey released Wednesday by the Pew Research Center has found. Virtually the same number feel like it would be “very difficult” to remove inaccurate information about them online. And roughly two-thirds believe the government should do more to regulate advertisers and how they use personal information.

On the other hand, more than half said they were willing to share “some information” about themselves in order to use online services for free, and about one-third say that surveillance can be beneficial for society.

The results show Americans’ feelings about privacy are varied and subtle, said Lee Rainie, director of the Internet Project and a co-author of the study.

“Far from being apathetic about their privacy, most Americans say they want to do more to protect it,” Rainie said. “It’s also clear that different types of information elicit different levels of sensitivity among Americans.”

The slew of data breaches at major retailers over the past year has put privacy concerns front and center in Americans’ minds. Credit monitoring, transaction alerts and general vigilance about where you share your data and who you share it with are all part of keeping your data footprint limited. It won’t necessarily prevent identity theft or fraud (two consequences of sharing your personal information broadly), but it can make dealing with them easier. Any large, unexpected change in your credit score could be a sign of new-account fraud. (You can use free online tools – including those at Credit.com – to monitor your credit scores for any changes. You can also get free credit reports once a year at AnnualCreditReport.com.)

Other findings in the poll, which questioned a representative cross section of Americans:

  • When they want to have anonymity online, few feel that is easy to achieve. Just 24% of adults “agree” or “strongly agree” with the statement: “It is easy for me to be anonymous when I am online.”
  • 61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.”
  • 80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
  • 70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites.
  • Generally, people trust old technology more than new for privacy. People trust old-fashioned telephones more than social media or text messages, for example. They even trust landline phones more than cellphones.
  • 36% “agree” or “strongly agree” with the statement: “It is a good thing for society if people believe that someone is keeping an eye on the things that they do online.”

Privacy law expert Chris Hoofnagle, who teaches at Berkeley Law School, reviewed the study and noted that attitudes about surveillance were linked to citizens’ education levels.

“A sizable minority agrees with the idea that surveillance is beneficial for society. This group was characterized as younger and less well educated, with each step in more education resulting in less agreement of its beneficence,” he said. “I think there are very interesting class dynamics in privacy and it is something that the Digital Trust Foundation is going to start funding research around this question in 2015. A question to ask here is why does this group find beneficence in surveillance? Could it be because they are heavily surveilled and simply do not have a choice over the matter?”

Here are a few more of Hoofnagle’s observations.

“Trust in communications channels is based both on the age of technology and legal protections. The oldest and most legally protected technology (ECPA warrant standard) is the landline phone, followed by wireless phones. Email and text go over the wire in plain text, making them technologically inferior, and they are less protected as they fall under the SCA. Chat is the strange one—it is a newer technology, and so perhaps less trusted for that reason. But some chat is very strongly protected (iMessage).  And of course, no one should feel secure on social media sites because Facebook is crawling with investigators and Facebook itself is a privacy threat.

“Finally…many others have found that Americans are skeptical of both private-sector and government collection of information. (These) results are consistent with surveys going back to the 1980s that finds distrust of both government and commercial data practices.”


Light bulbs hacked; It's funny, but it's not

It’s a question I think about a lot: Are we moving towards a world that’s safer or more dangerous? More or less secure? This week, the “less secure” side scored another goal. Light bulbs can be hacked. Doing so seems like a rather silly science fair project until you think about what it really means.

London-based security firm Context has taken an interest in the fragility of the Internet of Things, as we all should. As a refresher, the Internet of Things simply means wireless chips will soon be placed in many items in your home, and these will all talk to the Internet and each other. It’s not science fiction; it’s more like George Jetson. Whiz-bangy light bulbs sold by a firm named LIFX are among the first Internet of Things products. The bulbs talk to each other, and can be controlled with a smartphone. Neat, I guess, in a chia pet sort of way. (Click on! Click off!)

Context took the things apart and found that a hacker could trick the bulbs into surrendering control to a stranger.  Essentially, bad guys can hop on the bulb users’ WiFi network and take control of the bulbs.  If you look at the firm’s website, you’ll see how much trouble it went to in order to turn a victim’s lights on and off.  Also neat, I guess.  The hack comes with a strong mitigating factor; the hacker must be within 30 meters of the target to start the surprise disco effect.  So state secrets are not at stake.

But here’s what you should think about.  LIFX seems like a responsible enough outfit. It isn’t Yo, that’s for sure.  The bulbs actually came loaded with AES (Advanced!) encryption. So the engineers actually thought about this problem. But the bulbs all shared the same underlying encryption key. Hack one, hack them all. That’s what Context did.

LIFX, by all accounts, reacted quickly to the hack and has issued a fix. Great, I guess. Happy ending?  Not by a long shot. I promise you, this pattern will repeat itself again, and again, and again.  There is no model currently that requires firms inventing cool stuff to make it safe. Features first, safety last. If ever.

Therefore, our world will soon be full of really creative devices full of fatal flaws.  It’s always been this way — features over safety — but when vulnerabilities were limited to personal computers, there were some real-world limits on how much trouble consumers could get into.  When the threats are in everything, as they will be with the Internet of Things, watch out.  Here’s a thought exercise.  What happens when it’s not the light bulbs, but rather the power outlets, that are “smart” and can be hacked?

This is why I made much ado about the nothing piece of software called Yo that had its 15 minutes of fame a few weeks ago.  Quick refresh: Yo is Twitter in two characters. Participants send single, two-character messages using Yo. It got a flurry of attention, allegedly a flurry of investment, and then hackers figured out they could download all personal information anyone had given Yo.   The firm that made Yo bragged that it was programmed in a day. The Internet of Things will be full of gadgets programmed in a day, full of basic, serious flaws, unless something changes.

Who's in charge at power plants? Many don't know

Larry Ponemon

An unnamed natural gas company hired an IT firm to test its corporate information system. POWER Magazine reported, “The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours.”

As stories like these become more common, we wanted to study how well utility firms are preparing for what seems like the inevitable: a major, successful attack.  The answer is a mixed bag.

This month, we release the results of Stealth Research: Critical Infrastructure, sponsored by Unisys. The purpose of this research is to learn how utility, oil and gas, alternate energy and manufacturing organizations are addressing cybersecurity threats.

Among the more alarming findings: 67 percent of those surveyed said they’d suffered at least one security compromise, yet one quarter don’t actually know who’s in charge of security.

As the findings reveal, organizations are not as prepared as they should be to deal with the sophistication and stealth of a cyber threat or the negligence of an employee or third party. In fact, the majority of participants in this study do not believe their companies’ IT security programs are “mature.” For purposes of this research, a mature stage is defined as having most IT security program activities deployed. Most companies have defined what their security initiatives are but deployment and execution are still in the early or middle stages.

Key findings of this research

Most companies have not fully deployed their IT security programs. Only 17 percent of companies represented in this research self-report that most of their IT security program activities are deployed. Fifty percent of respondents say their IT security activities have not as yet been defined or deployed (7 percent) or they have defined activities but they are only partially deployed (43 percent). A possible reason is that only 28 percent of respondents agree that security is one of the top five strategic priorities across the enterprise.

The risk to industrial control systems and SCADA is believed to have substantially increased. Fifty-seven percent of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk. Only 11 percent say the risk has decreased due to heightened regulations and industry-based security standards.

Security compromises are occurring in most companies. It is difficult to understand why security is not a top priority, because 67 percent of respondents say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the last 12 months. Twenty-four percent of respondents say these compromises were due to an insider attack or negligent privileged IT users.

Upgrading existing legacy systems may result in sacrificing mission-critical security. Fifty-four percent of respondents are not confident (36 percent) or unsure (18 percent) that their organization would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.

Many organizations are not getting actionable real-time threat alerts about security exploits. According to 34 percent of respondents, their companies do not get real-time alerts, threat analysis and threat prioritization intelligence that can be used to stop or minimize the impact of a cyber attack. If they do receive such intelligence, 22 percent of respondents say they are not effective. Only 15 percent of respondents say threat intelligence is very effective and actionable.

More than half, hit. The majority of companies have had at least one security compromise in the past 12 months. Sixty-seven percent of companies represented in this research have had at least one incident that led to the loss of confidential information or disruption to operations. Twenty-four percent of security incidents were due to a negligent employee with privileged access. However, 21 percent of respondents say they were not able to determine the source of the incident.

Who’s in charge? When asked if their company has dedicated personnel and/or departments responsible for industrial control systems and SCADA security, 25 percent say they do not have anyone assigned. The majority (55 percent) say they have one person responsible.

Out of control. Nearly one-third of respondents say that more than a quarter of their network components, including third-party endpoints such as smartphones and home computers, are outside the direct control of their organization’s security operations.