Light bulbs hacked; It's funny, but it's not

It’s a question I think about a lot: Are we moving towards a world that’s safer or more dangerous? More or less secure? This week, the “less secure” side scored another goal. Light bulbs can be hacked. Doing so seems like a rather silly science fair project until you think about what it really means.

London-based security firm Context has taken an interest in the fragility of the Internet of Things, as we all should. As a refresher, the Internet of Things simply means wireless chips will soon be placed in many items in your home, and these will all talk to the Internet and each other. It’s not science fiction; it’s more like George Jetson. Whiz-bangy light bulbs sold by a firm named LIFX are among the first Internet of Things products. The bulbs talk to each other, and can be controlled with a smartphone. Neat, I guess, in a chia pet sort of way. (Click on! Click off!)

Context took the things apart and found that a hacker could trick the bulbs into surrendering control to a stranger. Essentially, bad guys can hop on the bulb users’ WiFi network and take control of the bulbs. If you look at the firm’s website, you’ll see how much trouble it went to in order to turn a victim’s lights on and off. Also neat, I guess. The hack comes with a strong mitigating factor: the hacker must be within 30 meters of the target to start the surprise disco effect. So state secrets are not at stake.

But here’s what you should think about.  LIFX seems like a responsible enough outfit. It isn’t Yo, that’s for sure.  The bulbs actually came loaded with AES (Advanced!) encryption. So the engineers actually thought about this problem. But the bulbs all shared the same underlying encryption key. Hack one, hack them all. That’s what Context did.

LIFX, by all accounts, reacted quickly to the hack and has issued a fix. Great, I guess. Happy ending?  Not by a long shot. I promise you, this pattern will repeat itself again, and again, and again.  There is no model currently that requires firms inventing cool stuff to make it safe. Features first, safety last. If ever.

Therefore, our world will soon be full of really creative devices full of fatal flaws.  It’s always been this way — features over safety — but when vulnerabilities were limited to personal computers, there were some real-world limits on how much trouble consumers could get into.  When the threats are in everything, as they will be with the Internet of Things, watch out.  Here’s a thought exercise.  What happens when it’s not the light bulbs, but rather the power outlets, that are “smart” and can be hacked?

This is why I made much ado about the nothing piece of software called Yo that had its 15 minutes of fame a few weeks ago.  Quick refresh: Yo is Twitter in two characters. Participants send single, two-character messages using Yo. It got a flurry of attention, allegedly a flurry of investment, and then hackers figured out they could download all personal information anyone had given Yo.   The firm that made Yo bragged that it was programmed in a day. The Internet of Things will be full of gadgets programmed in a day, full of basic, serious flaws, unless something changes.

Who's in charge at power plants? Many don't know

Larry Ponemon

An unnamed natural gas company hired an IT firm to test its corporate information system. POWER Magazine reported, “The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours.”

As stories like these become more common, we wanted to study how well utility firms are preparing for what seems like the inevitable: a major, successful attack.  The answer is a mixed bag.

This month, we release the results of Stealth Research: Critical Infrastructure, sponsored by Unisys. The purpose of this research is to learn how utility, oil and gas, alternate energy and manufacturing organizations are addressing cybersecurity threats.

Among the more alarming findings: 67 percent of those surveyed said they’d suffered at least one security compromise, yet one quarter don’t actually know who’s in charge of security.

As the findings reveal, organizations are not as prepared as they should be to deal with the sophistication and stealth of a cyber threat or the negligence of an employee or third party. In fact, the majority of participants in this study do not believe their companies’ IT security programs are “mature.” For purposes of this research, a mature stage is defined as having most IT security program activities deployed. Most companies have defined what their security initiatives are but deployment and execution are still in the early or middle stages.

Key findings of this research

Most companies have not fully deployed their IT security programs. Only 17 percent of companies represented in this research self-report that most of their IT security program activities are deployed. Fifty percent of respondents say their IT security activities have not as yet been defined or deployed (7 percent) or they have defined activities but they are only partially deployed (43 percent). A possible reason is that only 28 percent of respondents agree that security is one of the top five strategic priorities across the enterprise.

The risk to industrial control systems and SCADA is believed to have substantially increased. Fifty-seven percent of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk. Only 11 percent say the risk has decreased due to heightened regulations and industry-based security standards.

Security compromises are occurring in most companies. It is difficult to understand why security is not a top priority, because 67 percent of respondents say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the last 12 months. Twenty-four percent of respondents say these compromises were due to an insider attack or negligent privileged IT users.

Upgrading existing legacy systems may result in sacrificing mission-critical security. Fifty-four percent of respondents are not confident (36 percent) or unsure (18 percent) that their organization would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.

Many organizations are not getting actionable real-time threat alerts about security exploits. According to 34 percent of respondents, their companies do not get real-time alerts, threat analysis and threat prioritization intelligence that can be used to stop or minimize the impact of a cyberattack. If they do receive such intelligence, 22 percent of respondents say they are not effective. Only 15 percent of respondents say threat intelligence is very effective and actionable.

More than half, hit. The majority of companies have had at least one security compromise in the past 12 months. Sixty-seven percent of companies represented in this research have had at least one incident that led to the loss of confidential information or disruption to operations. Twenty-four percent of security incidents were due to a negligent employee with privileged access. However, 21 percent of respondents say they were not able to determine the source of the incident.

Who’s in charge? When asked if their company has dedicated personnel and/or departments responsible for industrial control systems and SCADA security, 25 percent say they do not have anyone assigned. The majority (55 percent) say they have one person responsible.

Out of control. Nearly one-third of respondents say that more than a quarter of their network components, including third-party endpoints such as smartphones and home computers, are outside the direct control of their organization’s security operations.

Where trust is currency, we don't want a run on 'the bank'

Bob Sullivan

In the past few months, consumers have been deluged with one reason after another to fear technology and transactions. Target. Neiman Marcus. Michaels.  Millions of stolen credit cards. Millions of passwords leaked and lost by Adobe, and a little less recently, Yahoo. Net users are used to, and perhaps growing numb to, the constant bad news.

Then came Heartbleed.  The most recent scary Internet disaster is much worse than a compromised bank account. Heartbleed turns the very thing that was supposed to keep us safe into our worst technology nightmare. It’s a little like learning that every cop in your city is really working for the mob.  Perhaps better said, it’s like learning that every store you give your credit card to is really a hacker out to steal it.

What are we supposed to do now? And I don’t mean resetting your password, which is a lovely thing to do, but in this situation it may help or it may hurt you, and it doesn’t actually address the real problem: trust. If consumers finally lose trust in our transaction systems, everybody loses. Even the hackers.

“This is the last thing consumers need in the wake of the Target breach and all the other security breaches we have been hearing about,” said Avivah Litan, the security analyst at Gartner Group who is the loudest voice you’ll hear when there is a big data leak.

To review, Heartbleed is a flaw in the encryption technology used to keep data safely scrambled while it flies around the Internet. You know of it mostly because of those little locks that appear next to web addresses in your browser. A technology that is designed to keep encrypted connections open over time — by sending a regular “heartbeat” message that lets one computer tell another “I’m still here” — was instead a hacker’s best friend.  Researchers figured out they could craft a heartbeat message that tricked a server into sending back every kind of data it stored. The heartbeat could be made to bleed data. That includes credit cards and passwords, but even worse, it even includes encryption keys.  A bit like the ominous hacker movie Sneakers, the Heartbleed bug truly meant an end to secrets online.
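The length-trusting mistake described above, as an added illustration that is not from the original post and not the OpenSSL source: a constructed heartbeat handler that echoes as many bytes as the peer claims, beside the hardened version that first compares the claim with the bytes actually received. The record layout, the `process_mem` buffer and the fake key string next to the record are all constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layout: type (1) | payload_length (2, big-endian, peer-chosen) | payload | >= 16 padding */
#define HB_PAD 16
#define MEM_SIZE 128

/* Constructed "process memory": the record, then unrelated data (a fake key). */
static unsigned char process_mem[MEM_SIZE];

/* Builds a record claiming `claimed_len` payload bytes but carrying only `payload`; returns bytes actually received. */
size_t build_record(uint16_t claimed_len, const char *payload) {
    const char *neighbor = "PRIVKEY=constructed-not-real";    /* constructed, not a real key */
    size_t plen = strlen(payload), rec_len = 3 + plen + HB_PAD;
    memset(process_mem, 0, MEM_SIZE);
    process_mem[0] = 1;                                        /* heartbeat_request */
    process_mem[1] = (unsigned char)(claimed_len >> 8);
    process_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_mem + 3, payload, plen);
    memcpy(process_mem + rec_len, neighbor, strlen(neighbor));
    return rec_len;
}

/* Pre-fix: echoes as many bytes as the peer *claimed*; the received length is never consulted. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    size_t n = claimed < out_cap ? claimed : out_cap;
    memcpy(out, rec + 3, n);                                   /* runs past the record */
    return n;
}

/* Post-fix: header + claimed payload + padding must fit in the bytes received, else silently discard (0). */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < 3 + HB_PAD) return 0;
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (3 + claimed + HB_PAD > rec_len || claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Claims 64 bytes but sends 2. Returns 1 if the old path echoed the fake key
 * (which begins 18 bytes into the echo) and the fixed path dropped the record. */
int demo(void) {
    unsigned char out[64];
    size_t len = build_record(64, "hi");
    size_t v = heartbeat_reply_vulnerable(process_mem, out, sizeof out);
    int leaked = v == 64 && memcmp(out + 18, "PRIVKEY=", 8) == 0;
    return leaked && heartbeat_reply_fixed(process_mem, len, out, sizeof out) == 0;
}
```

The "leak" here stays inside the constructed buffer; in a real process the extra bytes come from whatever happens to sit beside the record, which is why the hardened check compares the claim with the record length before copying anything.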

The Heartbleed code is now fixed, and companies are racing to install the fix, and consumers are stumbling through changing passwords and doing the usual “have I been robbed?” inventory on their bank accounts. Crisis averted. This time. (Aside: If you have already changed your passwords, you should really change them again in about a month, because there’s no way to know if you updated your security while a hacker still controlled the website you logged into.)

The question has to be asked: How many times can we warn consumers to check their bank account statements carefully? Hanging over the Heartbleed incident, and Target before it, and Yahoo before that, is a dark feeling that the whole thing might not be safe.  Consumers always react to large credit card hacks by saying they will now buy with cash.  Most of the time, data shows, they don’t mean it.  But Target had to admit last quarter that its revenue was materially impacted by the credit card incident.  This is getting serious.

In the credit card world, the response to Target was straightforward. Journalists discovered that U.S. credit cards were a decade behind the times, and folks started pushing to add computer chips to our old-fashioned plastic, using a technology known as EMV. Of course, if EMV were so great, U.S. card issuers would have installed the chips 10 or even 15 years ago. Folks who know credit card security will admit privately that moving to EMV isn’t really much of a solution — fraudsters can just move to other kinds of credit card fraud the chips can’t stop. But there is still a very good reason to add the chips.

Trust.

EMV will make shoppers feel better.  That’s not a placebo. Trust is a very real thing.  In fact, it’s the only thing.

If — when? — consumers finally get fed up by all the bad news, and a real trust gap arises, lots of people are going to lose lots of money.  When a consumer pays for something with a $20 bill instead of swiping a card, at least 4 different entities miss out on getting a cut of that transaction. Trust means you don’t think, you just pull out your plastic. A trust gap means, perhaps, you don’t bother logging into that website and changing your password, you simply go somewhere else.

In other words, trust is basically the currency of our time.  A tipping point on trust would create the equivalent of a run on a bank during a currency crisis.  Lack of trust can snowball.  With each “withdrawal,” the trust gap only grows.

In the credit card world, only comprehensive changes to the entire, end-to-end system of payments will really take a bite out of crime. I recently spoke to Visa’s Chief Risk Officer, Ellen Richey, who told me that a move to chip cards should be accompanied by new technology that makes online credit card fraud more difficult.

We don’t need to plug a hole in the dam with our thumb, we need a new dam.

This same thinking needs to govern online transactions, and privacy in general. It’s terrible that folks around the world are being told, in rather panicked tones, “CHANGE ALL YOUR PASSWORDS!”  But it’s even more terrible that most of our digital and financial lives are guarded only by 50-year-old technology involving 8 upper or lower case letters and maybe a number or two. Two years ago, after a series of high-profile password list leaks from sites like LinkedIn, experts proclaimed the password dead.  Heartbleed proves it’s more like a vampire that seems to live forever and come out to threaten us once in a while.

Litan, the Gartner analyst, has some good news about Heartbleed.  Remember, this is a flaw discovered by good guys, not an active crime (like Target). That means the damage can be contained, and she thinks it will be. This time.

“I don’t think this is an uncontrollable disaster,” she said. “It’s manageable and as long as the companies who use this version of OpenSSL act responsibly – i.e. patch and secure their systems and ask users to change passwords – we are OK. There is no evidence that the criminals have used this attack vector yet. And if these security steps are taken and upgrades are made – they won’t be able to.”

So, there’s no run on the trust bank this time.  But I guarantee that consumer patience is not infinite.  We can only come up with so many variations of our pets’ names. Tokens? Fingerprints? Disposable passcodes?  Something needs to change before we ask users to invent new passwords one time too many, and the trust gap swallows up the whole thing.