
Insecurity The Price Of Ubiquity

The mainstream media seems enamored by the ubiquitous Internet, but it's not doing much to reveal the risks of interconnected computers.

Three separate incidents have brought ubiquitous Internet to my attention in the past few days. The first was on a podcast I listen to regularly, NPR's On The Media. Featured was an interview with Ray Kurzweil about his predictions about the merging of humans and networks, as well as stories about the impact on human intelligence as the Internet becomes more pervasive.

While I was still processing those stories, I found a reference in one of my mailing lists to the Internet-connected coffee pot vulnerabilities discovered last year.

Then a few nights ago, I was watching an episode of CSI: NY, which featured a man dying from an exploding pacemaker. A helpful clue for the team came when they discovered his pacemaker communicated via his cell phone's data connection, with his heart status backed up to a database at the manufacturer.

So here we have three unusual Internet connections -- one very real (coffee pot), one available if not widely in use (pacemaker), and one vision of the future that will likely not be too far off from what will happen.

What struck me about all three scenarios is how the products don't really seem to be focused at all on the risks of an Internet connection. The coffee maker contains, among other things, a heating element, electricity, and water. Finding a way to exploit it could result in anything from a nonfunctional machine to a fire. That certainly should warrant a bit of care when thinking about whether you really need to save the five minutes it will take to wait for your espresso as it brews.

The pacemaker connection seems to be focused on allowing a patient to have a doctor remotely monitor his heart activity. Not being a doctor, I can't say how useful this feature really is, but assuming there is truly good to be served, I can only hope that the little thing can't be adjusted by that same doctor because time has proved again and again that the doctor won't be the only one who will be able to make adjustments.

Finally, the merging of humans and the Internet is the stuff of science fiction, of course. And as a fan of science fiction, I know enough to not discount it entirely. Some people certainly feel that more constant communication is better -- the proliferation of the mobile phone, the BlackBerry, and the iPhone attest to that. The case for increased productivity as a result of such devices can be made. My brother often does work with his iPhone when he's on the train between home and office, for example, and he'd be less likely to do that on a laptop.

On the other hand, the more useful they become for business, the bigger the exposure of the business' data. I can only imagine the exposure once employees' brains are online. And I can easily imagine that the inability to separate from work would result in a substantial decrease in productivity. Of course, the big problem is that, to be useful, such an interface would need to be bidirectional. Then what happens when somebody hacks your CFO's brain -- not to extract current financials -- but to alter the strategic course of your business?

The trend today of considering the Internet a one-solution-fits-all-problems was confirmed by none other than Homer Simpson. In the episode in which the kids get trapped in the school because of a snowstorm, Marge wonders aloud how the kids will get home. Homer's response? "I dunno. The Internet?"

The Internet is truly an incredibly useful tool for business, but it seems to me that many of our toolkits have become hammer-based. That is, we look at problems in business and can only see nails: Internet-based solutions. Perhaps we need to be looking for other tools; some of those nails may have exploding heads.

-- Nathan Spande implemented security in medical systems during the dot-com boom and bust and suffered through federal government security implementations. Special to Dark Reading
