Tag Archives: Security

Android, Contributed, Editorial, Health, iOS, Mobile

Is Privacy Our Sole Concern With Contact Tracing Technology?

Leave a comment

This week the Guardian reported an alleged ‘standoff’ between the NHSX (the digital innovation arm of the NHS) and tech giants Google and Apple regarding the deployment of contact tracing technology aimed at curbing the spread of the Covid-19 virus. The debate is on two predominant issues; first, the base technology to be used and second, how the data will be stored.

Sidestepping the first issue which sees Google and Apple aiming to implement their feature directly on a device’s operating system while the NHSX version requires a downloadable dedicated application, this article will focus on the issue of privacy arising from the second issue.

In essence, Apple and Google have insisted that if there is to be any collaboration between the NHSX and them for the purposes of contact tracing the storage of all data will have to be decentralised. The NHSX, on the other hand, is pushing for centralised storage of data.

What’s the difference?

Before deciding on one system or another, it’s best to understand the basics of the distinction between these systems.

A centralised system has a single storage point and controller of the data collected. The central controller of the data may grant access to other users but remains ultimately responsible for the system as a whole. A centralized system is relatively easy to set up and can be developed quickly. Such a system is very useful where continuous modifications to the parameters of the system are expected or where the use of the data needs to be adapted for different purposes.

In contrast, a decentralised system has multiple controllers of data all of whom collect and store copies of the data on their respective systems. This system allows for quicker access to data and less risk of downtime as a fault with one controller will not necessarily affect the others.

The third form known as a distributed system in which there is no single central owner at all and instead gives collective ownership and control to each user on the network is unlikely to be used by either party.

Each system has its advantages and disadvantages and to make a decision between a centralised and a decentralised system the NHS and the tech giants will need to take into consideration a range of issues including:-

  1. The overall effectiveness of the technology;
  2. The adaptability of the system to the shifting demands of research;
  3. The cost of deployment and maintenance;
  4. Whether or not the system is a security risk for the user;
  5. Whether there are compliance concerns.

Why is a decentralised system so important?

Google and Apple have been clear that the reason for a proposed decentralised system is to avoid the risk of mass government surveillance presently or in the future. This is a genuine concern as the data being collected will be directly related to a user’s location and medical history. Although not absent from criticism, this position is the preferred option and has been supported by academics and numerous civil rights groups including the Electronic Frontier Foundation and the American Civil Liberties Union. 

Still, the European position is split with the seven governments supporting the project known as the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) which proposes a centralised repository of data and a growing following for the Decentralised Privacy-Preserving Proximity Tracing (DP-3T) advocating a decentralised system.

The NHS itself may not be intent on surveillance however being publicly funded draws immediate speculation to its government links. In addition, both the NHS and the UK government have had a poor record of handling large scale IT projects such as the failed £11bn National Programme for IT, scrapped in 2011 and the plans for a paperless NHS by 2018 which could not even take off.

What about the NHS position?

Unfortunately, the focus on privacy risks coupled with the NHS’s bad track record in the field of technology projects have detracted from the core issue at hand – What does the NHS need right now to curb the spread of the Covid-19 virus?

Ross Anderson, an advisor to the NHS on its contact tracing application highlighted the problem with a decentralised system:-

…on the systems front, decentralised systems are all very nice in theory but are a complete pain in practice as they’re too hard to update. We’re still using Internet infrastructure from 30 years ago (BGP, DNS, SMTP…) because it’s just too hard to change… Relying on cryptography tends to make things even more complex, fragile and hard to change. In the pandemic, the public health folks may have to tweak all sorts of parameters weekly or even daily. You can’t do that with apps on 169 different types of phone and with peer-to-peer communications.

(https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/)

The Covid-19 virus took approximately 2 months to infect 100,000 UK residents and the spread has shown few signs of a slowing infection rate. Time is critical in this situation and correspondingly, flexibility in adapting to the constantly changing nature of the infection is a necessity. Decentralised systems do not allow for rapid evolution.

In addition, we should consider that unlike centralised systems, decentralised systems are often unencrypted. While trying to prevent a government from carrying out surveillance, the Google and Apple system may inadvertently open itself up to more security problems than expected. In fact, they have themselves admitted this risk stating that nothing is “unhackable”.     

As a second consideration, the API that Google and Apple will release will likely have strict limitations on the type of data that may be collected. For example, the NHS would not be able to gather a list of every person a user has been in contact with based on user proximity. Instead, it will utilise a more manual version of contact tracing involving sending every phone in the system a list of other phones that have been reported as contagious, and asking the user whether they have “seen this user” Such a system relies heavily on user verification which is often incorrect or simply disregarded.

Key location data which may be used for developing population flow maps and anticipating the further spread of the virus will likely not be made available under Google and Apple’s current proposal. It is also important to note that data from contact tracing could be used beyond the scope of curbing the spread of the virus i.e. for decisions on directing the flow of emergency aid, development of temporary healthcare facilities, deployment of healthcare equipment and personnel.   

What has been going on elsewhere?

Contrasting the UK’s situation, the Asian experience, having less stringent data protection regulations, have taken remarkably different approaches to Europe in general.

Hong Kong, for example, introduced the mandatory use of an electronic wristband connected to a smartphone application to enforce quarantine for arrivals from overseas. Users refusing to adopt this requirement are refused entry into the country.

South Korea won praise for both tracking and publishing data relating to affected person’s travel routes and affected areas, the data being collected through the government’s application as well as numerous independent applications. Residents also receive numerous location-based emergency messages and are not allowed to opt-out of this function.

China’s measures, which have come under considerable question, see a private entity collaboration through the Alipay Health Code. Citizens are given a ‘traffic light’ status that determines the restrictions that will be imposed on them. Although the exact basis for determining a person’s status is not known the status has widespread application including restriction of access to certain public facilities and payment systems.

Privacy concerns of these measures aside, all these countries have seen a considerable reduction in the spread of the Covid-19 virus. While it would be premature to suggest that this is solely attributable to the contact tracing measures implemented there is no doubt that the quick and extensive deployment of the technology has contributed to the battle against the virus’ spread which begs the question:

Is privacy getting in the way?

In 1890, Brandais and Wallace, pioneers of modern day privacy wrote:-

…To determine in advance of experience the exact line at which the dignity and convenience of the individual must yield to the demands of the public welfare or of private justice would be a difficult task…

The UK and indeed Europe are at this juncture and need to decide on the cost of the compromise as the death toll and infection rate continue to increase. History reminds us that the greatest privacy and surveillance violations occurred when the world was focused on a raging war and in fact it is times like this that we must be most vigilant about rights.    

Business, Computers, Contributed, Mobile

How ethical hacking can improve your security posture

Leave a comment

*This article is contributed by Myles Hosford, Head of Security Architecture, ASEAN, AWS*

Cybersecurity professionals see some threat actors or outside-parties as the enemy. However, challenging this mindset is important; you can better protect your organization against outside-parties if you understand how they think and operate. With this in mind, businesses around the globe have turned to hackers to test security infrastructure and develop stronger, more robust security practices.

Before integrating penetration testing into your security policy, it is important to understand the different types of hackers that exist. Each group has differing motivations, and you must be clear on which of their skills can be used to your organization’s advantage.

Black hat

Photo by Luca Nardone from Pexels

Black hat hackers are cybercriminals motivated by personal or financial gain. They range from teenage amateurs to experienced individuals or teams with a specific remit. However, over recent years, several high profile blackhat hackers have refocused on using their cyber skills to protect organizations. An example is Kevin Mitnick aka Condor, who was just sixteen years old when he gained access to a Department of Defense computer.  Following this and numerous other hacks, Mitnick spent five and a half years in prison. Upon his release set up his own company, Mitnick Security Consulting, which now runs penetration tests for clients.

The issue of whether to work with a previous black hat hacker is a contentious one. Some, including David Warburton, senior threat evangelist at F5 Networks, believe that hiring ex-hackers is critical in staying ahead of the threat landscape. However, others are concerned about allowing this group access to corporate systems and customer data. The latter group should, however, consider other approaches to working with hackers. 

White hat

Photo by Reza Rostampisheh on Unsplash

Often referred to as ethical hackers, white hat hackers are employed by organizations to look for vulnerabilities in security defences. Despite using the same tactics as black hat hackers, this group has permission from the organization making what they do entirely legal. While they use their knowledge to find ways to break the defences, they then work alongside security teams to fix issues before others discover them.

Many of the biggest organizations in the world, including General Motors and Starbucks, are turning to white hat hackers to help identify fault lines and proactively enhance security posture. White hat hacking can offer an interesting and lucrative career path for people with technical skills. Drawing attention to the important role white hat hackers play can encourage more talented individuals to take a positive path instead of becoming black hat hackers.

Nurturing talent

There are many programmes in place to find, encourage and support the next generation of white hat hackers. An example, supported by AWS, is r00tz Asylum, a conference dedicated to teaching young people how to become white-hats. Attendees learn how hackers operate and how cybersecurity experts defend against hackers. The aim is to encourage people with technical expertise to use it for good in their career.  By equipping aspiring cybersecurity professionals with knowledge and skills, they can bake security into infrastructure, from the ground up. AWS’s support for r00tz is our chance to give back to the next generation, providing young people who are interested in security with a safe learning environment and access to mentors.

Building on solid foundations

Photo by Ramin Khatibi on Unsplash

For those responsible for maintaining customer trust and protecting data, an end to end approach to security is critical. As we have seen, working with ethical hackers is a powerful way to view security posture from a cyber-criminal’s perspective to identify and tackle vulnerabilities. However, it’s also important to remember that security needs to be baked in throughout an organization’s infrastructure. This is where partnering with a cloud platform can be beneficial; the best of these are developed to satisfy the needs of the most risk-sensitive organizations. Cloud platforms also offer automated security services, which can proactively manage security assessments, threat detection, and policy management. In so doing, these platforms take on a lot of the heavy lifting for security professionals, including ethical hackers.

Business, Computers, Editorial

[Cisco 2019 CISO Report] A Good Year For Malaysia

Leave a comment

CISO stands for Chief Information Security Officer. From that description alone, we believe you would know what this report is about then. If you still do not; Cisco did a study for the cyber security field for 2019 by interviewing about 2,000 Chief Information Security Officers (CISO) or security professionals all over Asia Pacific. You would be glad to know also that about 10% of the participants in the study are Malaysian. While that does not change the nature of the study, the sample size should mean that there is some accuracy in the general scheme of things.

Source: Cisco

The Big Numbers

The big numbers for Malaysia are 44% of threat alerts are investigated, 46% of the recognised threats are neutralised, and 27% have faced downtime of longer than 24 hours due to a cyber security breach or threat. There are some good things about these numbers, and some bad things too. So it is not all roses and rainbows for Malaysia’s cyber security industry in 2019.

The first of the numbers are the investigated threats. This does not mean alerts. Receiving cyber threat alerts and investigating them are two different things. You can have threat alerts of more than 10,000 and still not investigate any of them for a number of reasons. Still, investigated threats are escalated from reported threats.

Source: Pixabay by VIN JD

According to the Malaysian numbers, 44% of threats reported in Malaysia are investigated in 2019. That is 4% more than 2018, Malaysian CISOs are busier by 4% last year 2019 than in 2018 then. That could be due to the raised number of serious threats. It could also mean that awareness to cyber threats have increased in Malaysia. So while it does sound like Malaysia is being attacked more, it also means that Malaysians are now better prepared for cyber threats or breaches.

Out of all the verified threats, nearly half of them were remediated at 46%. That number is higher than plenty of Malaysia’s neighbours and the average in Asia Pacific at 43%. The other half? Maybe those cases could be a little tougher. Still, that also means that Malaysians are capable of handling cyber security issues. This number is also an increase from 2018.

The next big number is 27% of companies declared a downtime of more than 24 hours when they get attacked. This is a large increase from 2018’s 9%. While this may not seem like a good thing, there is a bigger story that than. For one, this also means that Malaysia is plenty more digital in 2019 than 2018. This increase could also be because of the increased threat detection in 2019. The result was also a higher resolution to each identified threat.

More Vendors, More Problems?

It seems only yesterday that having multiple layers of security is a good thing. Like plenty of things, throwing money at something should solve a problem. Those were the days.

There used to be a time when organisations like banks would recommend having about 10 security vendors to layer security in all parts of their organisation. In some sense, it works; but it is very expensive, and very inconvenient for users. That is not yet considering the fact that having multiple vendors and that many layers of security increases complexity in controlling and managing the solutions.

The new way to think about cyber security then is to keep the number of vendors down to as little as required. This reduces not just complexity of workflow and simplifies management, but also increases the efficiency of managing cyber threats.

From the Malaysian numbers though, this seems to be a slightly new concept with more than 35% of the responding organisations having more than 10 vendors. While this is slightly lower than 2018’s 39%, there is still a need to reduce that number even lower. Malaysians realise that too, with 90% of respondents finding it hard to manage that many vendors at the same time. Some experts suggests that having five to six vendors at a time is enough for a holistic cybersecurity system to be in place for any organisation.

The Problem With Cybersecurity Malaysia

There are still looming problems for a country that is going through a major digital transformation though. While the progress toward a digital Malaysia and Industry 4.0 has been a steady one in the region, there are still fundamental problems that might hinder progress or create holes in the cyber armours that the CISOs have put up or tried to put up. One of these enemies to cyber security is budget.

There are times where companies might have a large constraint over budget. For most SMEs and startups, it is quite understandable. They would probably need to pool their money in things that they might find more useful to them in the shorter run. That is not saying that it is not a problem for them or the general cyber security state in Malaysia. It is still a problem, but an inevitable one.

There are cases with large organisations that has restricted their budgets to cyber security because they do not yet see the value in cybersecurity. This becomes a major issue for CISOs. Despite the consensus that more money may not mean more protection, cyber security still needs a pool of money to work with. If not enough money is being poured into the department, not much can be done. With less protection, larger organisations are more vulnerable and thus, might lose even more money.

The biggest problem with cyber security, not just in Malaysia but most of the world, is always personnel; both the lack of skilled workers and awareness of the main issue. Thing is though, CISOs all over Malaysia are also making efforts to reduce this number down with plenty of awareness and skill training of personnel all over the company. The number of skilled personnel in terms of cyber security in Malaysia is also growing continuously, which also means that it is a problem that can be solved in time.

So What do We do in 2020?

2020 is meant to be the year of progress, of near complete digital revolution. It is the year of 5G and WiFi 6, the year where data is meant to be all covering and seamless. That potentially means more cyber security risks with bigger data bandwidth and less latency. It gives software less time to react. Which means that a DDoS attack could be a big thing in 2020.

Source: Pixabay by Stefan Coders

Still, awareness is key to combating cyber attacks. With the availability of data in today’s world, having a VPN no longer cuts it. The only benefit of VPN these days is to ensure that whatever that you have accessed is not tracked by your data or service provider. You are still at risk of a cyber attack even via VPN.

The fact that you have multiple devices that are connected to the internet and each other is already a threat on their own. At every point and turn, you really have to be aware of what you are accessing on the internet and what you are vulnerable to. That allows you to be more alert on things like phishing attacks, malicious links, email scams and what not. That should be enough as the first layer of defense against common cyber attacks, maybe even big ones like ransomware and what not.

If you are planning on getting an Anti-Virus software protection on your PC, consider spending a little more than what you would pay for a generic Anti-Virus program. You might want to look into find an Anti-Virus program that covers the whole lot from spyware, adware, to even malware. That way, you are ensured of a holistic protection, at least on your own end.