Bringing Cyber Risk Analytics to 28 million USA Small Businesses
This week, in partnership with the US Small Business Administration Mastercard announced a package of $250m to help small businesses – included in which my RiskRecon team at Mastercard launched an initiative to make cyber risk analytics available to all participants of the SBA Paycheck Protection Program.
Given that the majority of cyber attacks we see small businesses fall victim to are opportunistic, untargeted campaigns designed by the criminals to reel in unsolicited victims – they often rely on simplistic attack strategies – phishing emails, known vulnerabilities in common software such as WordPress and Magento, and other well-understood points of attack. These campaigns are mostly, if not completely automated, and this any vulnerable business can become a victim. The old excuse of “I don’t do anything important – I’m a small business” doesn’t protect one from compromise – the criminal’s automated systems don’t know or care – if they can hack you, they do.
Products like RiskRecon help companies understand their exposure and help steer dollars and time spent into solving the most critical problems – the problems most likely to be exploited by criminals.
By making this tech generally available I hope we can help people protect their companies better, and maybe force the criminals to change their methodologies.
You can register for this offering on Riskrecon’s website.
Mastercard Acquires RiskRecon
RiskRecon Logo
I’m pleased to announce that Mastercard has entered into an agreement to purchase RiskRecon
There’s been no secret that Mastercard has a very low opinion of cybercrime, and a belief that the massive success of “commodity cybercrime” could be somewhat mitigated if everyone had better knowledge of the cybersecurity flaws in their own environments, and also those of third parties they are deeply connected to.
Many well known cyber attacks – British Airways, Target etc were due to flaws in third-party environments, but it’s the flagship companies who are held responsible and have to “pay the price”.
RiskRecon helps people understand their first and third party risk, and provides a prioritized list of recommendations based on an AI-driven determination of the potential value of the asset in question. A severe bug on a website which only delivers static content is obviously not as critical as one on a site which has a shopping cart, or has an authentication page leading to HR information – so representing them at equal priority is not useful. RiskRecon knows the difference and helps people understand what to pay attention to first.
I am delighted to welcome Kelly White and his Riskrecon team into my group – Kelly was one of my first USA Banking customers for SafeBoot, and always treated me with respect, even though I was his “vendor” – I hope I can repay the loyalty and respect he showed me then by helping RiskRecon reach the success they deserve under Mastercard.
I’m joining Mastercard
I’m pleased to announce that Mastercard has offered me the opportunity to take the next step in my cybersecurity career – joining them in the fight to block criminals from making money from cybercrime.
Mastercard has an amazing reach across the globe – tens of millions of merchants, thousands of banks and billions of cardholders look to them to make sure cashless payments are made securely, and of course, criminals look for weaknesses and ways to exploit the global economy to make money.
Given around $600 billion of the $1.5 trillion dollars generated by cybercrime is used to further criminal activity – solving this is a problem I am beyond passionate about. Having spent the last 20 years in cybersecurity “protecting secrets”, getting closer to the problem of criminal funding is very exciting.
My new role merges standards, fraud intelligence, and cybersecurity – and I am also excited to be taking on responsibility for the infamous Mastercard DigiSec Lab.
game on!
How not to implement smarthome security – Connected A/C
Recently I added a few Mitsubishi minisplit A/C systems to my home and because I travel a lot (and I’m incredibly lazy) wanted to be able to control them from my phone (and the couch). I’ve had previous history with the Honeywell RedLink system (which requires yet-another-hub) and was pleased to find that mini-splits with native wifi connectivity are available.
My installer had never set up such “new” technology so this week he arrived with a number of tiny plug-in boxes, and the installer training video to connect up my units.
Halfway through following the steps on the video, the app presents us with an “Enter Installer Pin” challenge – cool I think, “some security at least to stop…”
what exactly?
I’ll get to that topic later – but needless to say, the pin wasn’t mentioned in the training video, nore the one-page install guide in the package.
Never to be defeated, I turn to my trusty advanced hacking toolkit and universal IoT password finder..
google.com
A search for “Mitsubishi installer pin” yields some helpful results – one, in particular, catches my eye, since it’s hosted on that vendor’s support URL
Here’s a picture of the result – note how helpfully they put the pin in bold text!
Installer Pin
So strike one and two for this vendor –
- never use a fixed pin, for anything!
- never print your passwords, especially not in public-facing documentation
I’ll let the 9999 pin pass, given it’s not in the top 10 of most common pin codes (it’s #11) – http://www.datagenetics.com/blog/september32012/
So, back to the question of what exactly the installer pin is protecting? Mostly, it’s protecting the homeowner from adding a new unit to their online account, and it’s protecting them from being able to re-link a unit if for some reason it loses connection. In my case, there were no “dangerous” options I could mess around with – and reading the documentation, it seems that the installer protected options are really a crutch for a system which should be able to learn for itself what options are present and configure itself automatically.
So for me, the “installer pin” protects my installer, otherwise, I’d be able to configure my A/C unit without him. He’s a nice guy, but I don’t want to be scheduling a site-visit every time I change my wifi password.
This seems to be a trend within the Air Conditioning industry – for example, Honeywell’s Redlink Gateway (which is effectively plug-and-play) also should only be installed by a “trained experienced service technician” – at least with these gateways the PIN is unique and printed on the bottom of the device.
As an aside, the Honeywell VisionPro Thermostat also has installer-only options protected by a code, which also is printed on the back of the clip-on device. But if you’re REALLY lazy and don’t even want to unclip it, there’s a menu option on the screen which will helpfully tell you the code.
Believe me – The Redlink gateway takes 30 seconds to install and configure, and you don’t need any “AC training” to understand how to link a thermostat to a mobile app.
Honeywell Redlink Gateway Pin Code
I’m not very tolerant of this kind of “protectionist” behaviour – how many people paid a few hundred dollars for someone to plug in a hub, or “add” their minisplit head unit to their online account – things which require no expertise, have no risk, and generally should be automatic?
How successful would Nest have been if it required a service call to install?
Did you pay for someone to add a trivial IoT device to your home? Comment below.
Buying or selling a smarthome? Watch out for amnesia!
With everyone, including Realtors talking about “smart homes” I’m not sure there’s anyone who’s involved in a home transaction who’s not aware that “smartness” is a compelling selling feature.
So much so, that the realtor company Coldwell Bankers teamed up with CNET a few months ago to define exactly “what a smart home is” – some criteria their members can use to decide whether your home is worthy of the title.
Simply, they define a smart home as one with internet-connected HVAC or security, plus something else, like connected lighting, audio, watering systems or safety systems.
Yes, a home with Sonos music and a Ring doorbell would be considered smart.
The problem is – much of the current generation of consumer smart technology is likely to be taken by the previous owner when they vacate. Read more…
It be that time o’ year again – 19th September, International Talk Like A Pirate Day
Well ye scurvy land-lubbers, it’s that day again – t’ infamous Parlay Like A Pirate day.
Tho’ its origins be clouded in mystery (well, unless you visit the website anyway) It’s become a globally celebrated phenomenon.
So much so that I be inclined t’ see how fast I could code up one o’ my infamous VBScript classes t’ help yonder less able translate their words.
Here it be in its full glory – yonder incredible, 17minute VBScript pirate speak class.
SafeSkies TSA Master Key reverse engineered
Another of the seemingly secure “TSA” approved luggage locks has fallen to good old fashioned reverse engineering.
According to SafeSkies Locks writer Steve Ragan, the key and the story behind how it was reverse-engineered using a number of store purchased locks was disclosed at a lockpicking conference.
If you remember, in 2015 a large number of TSA master keys became available after a picture of them was shared online, leading to the lockpicking community demonstrating how easy it is to convert an image into a working key. Now you can find the 3D files online to print your own. Read more…
Realtors define “smart home” – but there’s a catch.
Coldwell Banker teamed up with CNET to define what a smarthome really is – but they didn’t pay any attention to what is in my opinion the most important fact to smarthome buyers.
What technology is transferred to the new owners?
Their examples include very transitory things, like smart TVs and entertainment systems which you would normally expect to leave with the original owner.
And, they don’t cover the difficult process of how exactly do you transfer control of permanent things like your HVAC system to new owners? Do you give them your user name and password? Can they even set a new user name?
For the more complex integrated systems – is it even possible to transfer control over without giving them “your account”? – after all, you don’t want to move into your new smarthome and find you have to set up all the automation again.
Of course for the original owner, if you give someone your account – are you able to set up a new one for your new home? Does the new owner get to see all the logs from your residence? Read more…
NY State vs Microsoft – Part 5
(You can find the previous part 4 of this topic here)
This week there was another progression in the infamous and long running Microsoft vs State of NY case – the one if you remember where the New York, USA court is demanding that Microsoft Ireland aquise to a subpoena issued in the USA.
Well this week the Second Circuit court of appeals agreed with Microsoft USA that the USA had no jurisdiction over assets within Ireland:
§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign server.
A great writeup of the case can be found at Lawfareblog.
This case can still be raised to the Supreme Court, but since there are other legal methods for the USA to request the assistance of the law authorities in other countries, the door is finally closing on trying to impose domestic law on USA companies with assets in other countries.
The current global data economy and the 1986 Electronic Communications Privacy act are woefully out of step, but this decision is the right one to support the global technology industry.
After all – if a court in the USA can compel the release of data from Ireland, surely a court in China can compel the release of data stored in the USA?
Smarthome Survey Shows Safety Is No.1 Concern
After surveying nearly 10,000 individuals crossing every continent, it’s obvious that concerns around personal data are the most pressing issue in adoption of smart home technology – more than 90% of people had concerns about cybersecurity.
People also had strong opinions on how things should be secured, with passwords being the most disliked option. It seems the future smart home will use fingerprints, voice and even eye scans instead.
Despite these concerns though, people are generally positive about “smarting up” their living spaces – 75% of participants expect to see real benefits, and were especially interested in smarter lighting, kitchen appliances and heating systems.
And, driving good design, 82% of our participants wanted “a single integrated security package” – another reason for the smarthome industry to drive towards consolidation.
You can find more information in the Atlantic Council smart home report, at http://www.atlanticcouncil.org/publications/reports/smart-homes-and-the-internet-of-things
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments