Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet, more with special equipment, so whenever you don’t know who might be snooping within a sphere of 30-foot radius, you are vulnerable. That’s halfway to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.
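Rules 2, 5 and 6 can be checked rather than remembered. The script below is an added example, not part of the original post: it audits a Linux BlueZ controller by parsing the text that `bluetoothctl show` and `bluetoothctl paired-devices` print (the "Powered:", "Discoverable:" and "Device ..." line formats are assumed), using constructed sample output so it runs without a radio.

```shell
#!/bin/sh
# Added example: audit Bluetooth state against rules 2, 5 and 6 above.
# Assumes BlueZ bluetoothctl output lines such as "Powered: yes",
# "Discoverable: no", "Pairable: yes" and "Device <addr> <name>".

# Print the value of a "Key: value" line from `bluetoothctl show` output.
bt_field() {
    # $1 = controller output, $2 = key name (e.g. Discoverable)
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Emit one finding per line; empty output means nothing to fix.
bt_audit() {
    out="$1"
    [ "$(bt_field "$out" Powered)" = "yes" ] && echo "WARN: radio is powered on (rule 2: turn it off when unused)"
    [ "$(bt_field "$out" Discoverable)" = "yes" ] && echo "WARN: controller is discoverable (rule 6)"
    [ "$(bt_field "$out" Pairable)" = "yes" ] && echo "INFO: pairable is on; turn it off outside intentional pairing"
    return 0
}

# Count paired devices in `bluetoothctl paired-devices` output (rule 5).
bt_paired_count() {
    printf '%s\n' "$1" | grep -c '^Device '
}

# Constructed sample output in the shape bluetoothctl prints on a laptop.
SAMPLE_SHOW='Controller 00:11:22:33:44:55 laptop [default]
    Name: laptop
    Powered: yes
    Discoverable: yes
    Pairable: yes
    DiscoverableTimeout: 0x00000000'
SAMPLE_PAIRED='Device AA:BB:CC:DD:EE:01 Old Headset
Device AA:BB:CC:DD:EE:02 Car Kit'

# Live use: bt_audit "$(bluetoothctl show)" and
#           bt_paired_count "$(bluetoothctl paired-devices)"
bt_audit "$SAMPLE_SHOW"
echo "paired devices: $(bt_paired_count "$SAMPLE_PAIRED") (rule 5: remove stale ones with 'bluetoothctl remove <address>')"
```

Run it on a schedule or before entering a crowded place; any WARN line is a rule you are currently breaking.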

Equifax Dumpster Fire

Brian Krebs called it a dumpster fire, and I agree. I can’t add any facts to Krebs’ report on the Equifax breach. It happened, and it is bad. The current number of people said to be affected is 176 million and I doubt that number is final. Equifax’s response has not been good.

Self-dealing response

First, there was a long delay between discovery of the breach and informing the public. The delay gave several Equifax insiders an opportunity to dump shares before the inevitable fall in Equifax stock prices. More on that below.

Second, the response has been weak and possibly self-dealing. Equifax is offering a free year of credit monitoring. Many experts, Krebs and I among them, feel that individuals can do a better job of monitoring their own credit than any service, if they are willing to make the effort. Credit monitoring is simply watching your accounts for unexpected activity. The services use algorithms to detect unexpected activity, but you know what is happening on your accounts better than any algorithm, and you are more likely to catch something out of order than the service is. But you have to review account activity frequently: daily is great, weekly is good, monthly at a bare minimum.

The nasty part of the Equifax response is that it is only for a year. The data that was stolen will be useful to crooks for years, perhaps decades. The offer, at least at this writing, is only for a year and they will start to bill you when the year is up. Yes, Equifax’s credit monitoring service may have a windfall of new paying customers a year from now.

Just a bit self-serving, wouldn’t you say?

Potential for mayhem

The credit reporting services (Equifax, TransUnion, Experian, and Innovis) collect data on credit activity and assign individuals credit ratings that your creditors use to decide risks and rates for extending credit to you. If you have a credit card, buy on credit, or have a mortgage, you have a credit rating with the reporting services and they have your data. You don’t send the information to the service, your creditors do. An individual has little control of the data collected by these services. To protect yourself, you should request a credit report at least once a year and check it for accuracy. You might find, for example, that your credit rating has been dinged because a creditor neglected to report that you paid your bill. Honest mistakes happen, and it is up to you to get them corrected.

The point here is that the data is collected without your approval. Credit ratings are not “opt in.” In fact, you can’t opt out. In my opinion, that places extra responsibility on the credit reporting services to keep the data accurate and private, although credit reporting services are largely unregulated. From the reports I have seen on the breach, Equifax was not following best security practices, and I am not surprised that hackers got in. That is bad. I do not expect the picture of the extent of the breach to be complete for weeks or even months to come.

This breach could force the entire credit industry to change its practices. Certainly, this is a warning shot across the bow to the other credit reporting services. The data that was stolen (names, addresses, phone numbers, credit card numbers, and driver’s license and Social Security numbers) is everything a criminal needs to steal your identity, rack up phony credit purchases, and file a fake tax return in your name. Who knows what other damages the dark side will hatch from this treasure trove. The potential for mayhem is staggering, and the public outcry could equal that over the Enron debacle or the junk mortgage bubble, both of which inspired new regulations that changed corporate governance.

Insider trading and Sarbanes-Oxley

Now back to accusations of insider trading. I have no idea what the insiders knew or did not know, but I have some familiarity with the Sarbanes-Oxley Act, which assigns criminal liability to corporate executives and officers who neglect critical security controls. The act, often called SOX, was a response to the Enron collapse of 2001. One of the security controls that SOX often demands is rapid notification of executive management of critical security lapses. If SOX applies, the corporate insiders who dumped their stock could face jail time for not knowing about the breach as soon as it was detected. If they knew about the breach, they are guilty of insider trading. If they didn’t know, they are in violation of SOX. This is something for the SEC to sort out. I find it hard to believe that they were that benighted, but the possibilities for negligence surrounding this event are boggling.

Advice

Krebs recommends that everyone put a security freeze on their credit reports from each of the big four. I agree, but I also caution that a security freeze is a hassle: you must temporarily unfreeze and refreeze whenever you want to get a loan or open a new line of credit. It does, however, stop some of the most devastating attacks. Nevertheless, a freeze is not complete protection. You still must keep a hawk eye on your accounts, get your tax returns in early, and monitor your credit rating reports. That does not guarantee you won’t be hit, but it will make you safer than most.

Network Service Providers and Privacy

Advertising runs on data. It always has. Long before programmatic ads and algorithms, we saw Mercedes-Benz ads in Fortune and Chevy ads in Mechanix Illustrated. Some clever guy had figured out that Fortune readers and Mechanix Illustrated readers bought different cars. The success of an advertising outlet has always depended on the outlet’s generation of sales. Successful sales depend on finding qualified buyers.

Today, qualified buyers are spotted by their on-line habits, which now include choice of websites to visit, age, gender, physical locations, income, purchase patterns, and many other factors. Based on these factors, on-line ads are targeted to narrowly identified network users. Advertisers now have masses of data and abundant computing power to process the data.

Websites as Data Sources

But the advertisers want more data and ads targeted more precisely. Who is surprised? There are two main sources of consumer data for targeted advertising. The first source is the websites we use all the time. Google and Facebook are most prominent. They know their users and use the knowledge to aim the ads they sell to their advertisers. These targeted ads are the revenue source that funds the free services these sites offer.

Network Service Providers

The other main source of buyer information is network service providers like Comcast and Verizon. Google and Facebook have in-depth information on what people do while using their sites, but they know very little about what is happening outside their own sites. Service providers have a wider, but shallower, view of people’s activity.

Google knows you searched on “archery” and clicked on an informational archery site. Google identifies you as a candidate for bow and arrow ads. Comcast knows something else. Inside the sports site, you clicked on a link to Ed’s Sporting Goods. Comcast might try to sell Ed ads that they will target at you. Only Ed and your bank know that you ordered a baseball and mitt, so you probably won’t get any baseball ads.

Data Brokers

A data broker might try to purchase data from Google, Comcast, Ed, and your bank. With the purchased data, they can put together an even more detailed picture of your habits. Exactly what information the data broker will get depends on the privacy policies and regulations of Google, Comcast, Ed’s Sporting Goods, and your bank.

These data brokers disturb some people, even conspiracy skeptics like me, because they seem to have little accountability. Users have the “Terms of Service” and privacy policies that govern their relationships with Google, Comcast, and their bank, but the data brokers have no direct relationship with the people profiled in their databases. Are the brokers good or bad? We don’t know. If they misuse our data, will we ever know? Do we have any recourse? I don’t have answers to these questions yet, but I think we all need them.

The FCC and the FTC

Both websites and network service providers are subject to regulations on what they can collect, how they can collect it, and the data they can sell, but the regulations vary. Google and Facebook are subject to Federal Trade Commission guidelines, like all businesses engaged in interstate trade. Network service providers are regulated by the Federal Communications Commission as common carriers.

There are significant differences. Network service providers are treated as utilities. Utilities are services such as electrical and telephone services that people must have. Google and Facebook are businesses that consumers choose to deal with. Because people have no choice, utilities are regulated more strictly than most businesses. Are network services a utility, or just businesses? Last year, the FCC declared them to be a utility and subject to FCC regulation, but some argue that the ruling was wrong and should be corrected.

Opt-in vs Opt-out

A critical point is whether collecting consumer information should be “opt-in” or “opt-out.” If collection is opt-in, information cannot begin to be collected until the customer says it is okay. If collection is opt-out, it is okay to collect information until the customer makes the effort to say no.

Which way is best? Consumers with informed opinions generally prefer opt-in, but a lot of people don’t care and think opt-out is fine. Businesses that collect and use data tend to prefer opt-out schemes.

Business or Utility?

When network service providers were classified as utilities, they became subject to opt-in rules. FTC guidelines, which apply to Google and Facebook, are opt-out. Recently, the new administration changed the FCC regulation for network service providers to opt-out, similar to the FTC guidelines. Some consumers are quite concerned.

Engineering In the Clouds

Yesterday, I began a new blog on Network World. It is called “Engineering in the Clouds,” and it calls on my experience at CA and my two earlier books, Cloud Standards and How Clouds Hold IT Together. My first blog is on some of the reasons cloud projects do not succeed. Cloud failures can occur anywhere in the hype cycle. My plan is to publish about once a month. Since privacy has been on my mind the last few days, I am thinking about clouds and privacy for my next blog.