Pratima H
INDIA: If there is one over-arching conclusion that the whole Maggi episode has led (lead, oops) to, it is not about the quality of processed foods, the state of water in manufacturing plants, how audits have turned into a pitiful detritus, or who is more or less guilty, but something else: the world as you know it can actually change in a matter of seven days.
For any ardent fan the question is still about something else, bigger and more basic. Honest mistake or otherwise, guilty or not guilty, would my favourite noodle brand have disclosed the truth to me proactively enough? Can I ever trust that adorable yellow packet again?
Trust is a strange negotiation, and often the winner is the one willing to bet everything on the table, someone who knows this well enough: the harder something is to tell, the sooner it should be told.
Incidentally, or not so incidentally, that is not something happening on technology shelves either.
Take a walk.
Gluten-Loaded Recipes
Chances are that most of us have encountered, in one way or another, the fuzzy trust wrapping of one technology product after another in the last year or two alone. TV, laptop, browser, OS, or even anti-virus software: it could be anything, take your pick.
Let's start with the latest. Smart TVs have become quite a rage among electronics enthusiasts, and everyone is excited about the intelligence embedded in the idiot box as we know it. But the excitement turned into something else when customers of a pioneering brand started noticing something odd.
A TV turns smart by adding interactivity, voice recognition and data analytics as obvious ingredients, but it is not reassuring to learn that everything spoken in front of it (whether about the TV or the content, or something extremely private or sensitive) can join the torrent of data being captured and transmitted to a third party.
Samsung came under intense scrutiny when such allegations started floating. What made the apprehension of a TV snooping in your bedroom worse was the ease with which third parties could use the data, since there were doubts about whether it was even encrypted in transit. The TV maker may have every good intention of tailoring content and convenience for a viewer with the help of personal data, but can you really stop information that should ideally not be accessible even to law enforcement without a proper warrant from becoming an appetizer for sale to advertisers or other third parties?
Samsung's privacy policy did lay out that voice commands, along with information about the device (including device identifiers), would be transmitted to a third-party service for better performance and feature enhancement. There was that, and of course an option to turn off voice recognition, but do customers actually read lengthy fine print, or grasp its consequences?
Samsung argued strongly that the third parties are not necessarily advertisers, and yet the questions of device hackability and misuse of private data still loom.
Eavesdropping goes beyond TVs, and in a world where Snowden is playing hide-and-seek, nothing more needs to be said. But what happens when you learn that a security company was voluntarily involved in a not-so-oblique spying attempt by the NSA?
Not an easy surprise to absorb, and one that makes it possible to understand why there was so much resistance from privacy activists and industry folks against RSA's conference in 2014. There was a lot of picketing, and calls for a boycott, over the scarred issue of an NSA-backed cryptographic flaw (a deliberately weakened random-number generator set as the default in an RSA encryption library).
Whether, or how much, the company was involved is another day's rant, but it can disillusion anyone to learn that malware arrives in the least expected disguises these days: sometimes in security tools, sometimes in laptops.
It is hard not to mention the well-worn word Superfish at this point. Reported as an insidious little ad-insertion program that could expose personal or financial information to not-so-trusted parties, Superfish, which was installed on select Lenovo computers from 2014, received a lot of flak and passed it on to the big PC brand.
The criticisms that came to the fore included its ability to alter unencrypted traffic, its injection of JavaScript to display affiliated ads on unsuspecting websites, and, worst of all, its installation of its own root certificate in the Windows trust store. With that certificate in place the software could intercept and read HTTPS traffic to banking sites, email and social media, because it could present itself as a trusted authority for every website a user visits.
That exposure to "man-in-the-middle attacks", in which a malicious party eavesdrops on supposedly trusted communications or tampers with transmitted data to gain access to bank accounts, email and other sensitive data, was the last nail in its coffin.
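The mechanism behind that "trusted authority for every website" criticism, as an added shell example that is not code from this article, from Lenovo or from Superfish: it builds a throwaway root CA standing in for the adware root, uses the root's private key to sign a certificate for an arbitrary hostname, shows that a client trusting that root accepts the forgery while a client trusting only an unrelated CA rejects it, and ends with the check a practitioner would run on an exported trust bundle. The CA names, the hostname bank.example and the bundle are constructed for the demo; it assumes `openssl` is installed and on PATH.

```shell
#!/bin/sh
# Added example (not code from the article, Lenovo or Superfish).
# Demonstrates why a pre-installed root CA whose private key is known to
# a third party lets that party impersonate any HTTPS site to machines
# that trust the root. Assumes `openssl` is on PATH; all names below are
# constructed for the demo.
set -eu

WORK=$(mktemp -d)

# The "vendor" root CA, standing in for the adware root that was placed
# in the Windows trust store. In the real case the private key shipped
# inside the software, so extracting it once was enough.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Adware Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Whoever holds root.key can mint a leaf certificate for any hostname.
forge_leaf() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Chain-validate the forged leaf against a given trust anchor file.
# Prints "accepted" or "rejected".
verify_with() {
  if openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# The practitioner's check: does a PEM trust bundle contain a root whose
# subject matches a known-bad name? Prints 1 if found, 0 otherwise.
# On an affected laptop you would grep the exported Windows root store
# for "Superfish"; here the bundle and the name are the demo's own.
find_suspect_root() {
  bundle="$1"; pattern="$2"
  if openssl crl2pkcs7 -nocrl -certfile "$bundle" \
       | openssl pkcs7 -print_certs -noout 2>/dev/null \
       | grep -q -- "$pattern"; then
    echo 1
  else
    echo 0
  fi
}

# Demo run: forge a certificate for bank.example and test both sides.
make_root_ca
forge_leaf bank.example
echo "client that trusts the adware root: $(verify_with "$WORK/root.crt")"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" \
  -out "$WORK/other.crt" 2>/dev/null
echo "client that trusts only an unrelated CA: $(verify_with "$WORK/other.crt")"
cat "$WORK/other.crt" "$WORK/root.crt" > "$WORK/bundle.pem"
echo "adware root present in bundle: $(find_suspect_root "$WORK/bundle.pem" "Demo Adware Root CA")"
```

The point of the last function is that removing the Superfish program was not enough: the root certificate it had installed stayed trusted until it was removed from the certificate store as well, so a scan of the trust store (not just the installed-programs list) is the check that actually tells you whether a machine is still exposed.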
Ease of exploitation by other attackers only added to the already brimming can of worms: the same root certificate and its private key were installed on every affected machine, so anyone who extracted the key once could impersonate any website to all of them. Lenovo did spring into action, listed the models that could be affected, said it had stopped preloading the adware in January 2015 and published removal instructions, but the damage caused by the malicious certificate was hard to fathom.
For its part, Lenovo said it had done extensive pre-shipping testing and had only wanted to enhance the online shopping experience through Superfish's visual search technology, but things transpired the opposite way. Customer experience and trust are precisely what was beaten to a pulp in this episode, especially as the number of laptops exposed to the threat was not disclosed.
The episode is not an odd one if we look at the patterns in a world dotted with names like Flame and Stuxnet. When Kaspersky Lab released its report on "The Equation Family", it clearly pointed out that today's advanced malware is orienting itself toward hard drive firmware: reprogramming the drive itself and infecting the system below the operating system, so deeply that the malware can reinstall itself from a hidden sector even after the drive has been fully wiped or formatted.
The Electronic Frontier Foundation (EFF) has been pursuing this since 2012 and has collected and analysed malware deployed by pro-Syrian-government hackers, in which covert installation of surveillance tools on computers and the harvesting of keystrokes, passwords and screenshots has come to the surface. Firmware-based attacks, whether spurred by state agencies or criminals, are becoming more common. And one small but not insignificant reason could be this: tampering with firmware has become easier than it ever was.
A Spaghetti of Conmen
Gone are the days when a hard disk, a network card or a keyboard could be assumed tamper-proof. The assumption was that when a component such as a USB drive or video card carries its own bundle of microprocessor, memory and software, that lower-level software (better known as firmware) sits beneath the operating system and is not exposed to the wicked things that ordinary software has to weather.
But in the Equation Group report, Kaspersky clearly spelled out a class of malware that can replace the firmware of almost any hard drive with a malicious copy. That lets it read and write files on the drive and re-infect the system at will. The most staggering part of the finding: this weak spot is not limited to hard drives alone.
And when hardware manufacturers are always more inclined to clam up than to share the source code for their firmware or allow reverse engineering, the possibilities for malware multiply. Experts have argued that the inability of a computer to see behind the firmware wall, the difficulty of telling original firmware from a malicious replacement, the barriers to detection and removal, and the near absence of public security review are only helping malware makers, their bugs and their zero-days.
This has again raised questions about the extent of transparency and verifiability that hardware manufacturers should support, about the availability of source code for firmware, and about the level of control (the right to inspect or re-engineer code, and so on) that a user is free and entitled to exercise over their own computing.
Sanjay Katkar, CTO & Co-Founder, Quick Heal Technologies (P) Ltd., observes that most new gadgets and smart devices come with preloaded software and apps that include integrated adware engines. “This impacts customer experience as a lot of these apps violate the user’s privacy. In a competitive environment, with too many players and shrinking profit margins, including such adware is often a lucrative way for vendors to notch up their source of income.”
Ask Dr J S Sodhi, AVP, CIO and Director, Amity Education Group, and a really hands-on knight when it comes to everyday security battles and bigger wars, and he makes us uncomfortable first as he sketches the sheer breadth and frequency with which we use keyboards, mice, webcams, microphones, scanners and printers. “Smart gadgets such as smart TV, smart fridge, smart iron, smart vacuum cleaner are in the list too. But if we tell you that all such devices are weapons which hackers are using to steal your personal and official data from your computer systems, obviously you’ll be shocked!”
But Sodhi is not joking. A hacker can easily use your webcam to steal document and PDF files, and it is very easy with a hardware backdooring technique, he explains.
“The commonality in all such devices is that they have Integrated Circuits, i.e. commonly known as ICs. You must have noticed, as soon as you plug a new keyboard into your system, it automatically installs its driver. Have you ever asked yourself where the driver software is stored in a keyboard? It is these custom ICs, as big as your fingernails, which contain the driver code.” He jolts us with some real-world scenarios again.
Hackers bind their malicious code with the keyboard’s existing driver code and re-burn it onto the IC. Another way is to install a parallel IC with malicious code, which will again get installed automatically when the original custom IC installs the drivers. Voila! A hacker’s job is done.
There are endless ways to install a backdoor in any hardware device, Dr. Sodhi cautions. “The malicious coding can be anything. It can even keep your webcam ON 24x7 without your knowledge, and you may be recorded round the clock. There are many examples of hardware backdoors and there are endless devastating situations that can take place.”
Opaque techniques are gaining ground everywhere – from devices to browsers. You may recall here how Chrome extensions also came under their share of ire recently.
It was being debated extensively that extensions can be transferred to another party without users ever being told of the change of ownership, and that malware and adware operators have started exploiting this by striking deals with extension authors. It has even been surmised that a new owner can simply push an ad-filled update through Chrome's update service and deliver adware to every user of that extension.
Maybe Google is not the one to blame here, but if vendors or malicious apps (that inject unwanted ads, stall a system or a browsing session, or forcibly redirect to another web page) can so easily leverage the extension system, is browsing the same as it was a few months ago: smooth, non-intrusive and carefree? (More so as some security folks have observed that removing such an extension does not help much when signing in to Chrome downloads it again.)
Ironically, a study by Google and the University of California (Berkeley and Santa Barbara campuses) showed that adware is gaining ground and actively annoying users. When the researchers assessed web-page requests from computers visiting Google's websites between June and October 2014, they found that 5.2 per cent of the more than 100 million unique users going to Google's websites were hit by injected ads that covered up actual content as well as ads that had been honestly paid for.
If all this is happening, and the fear of a malicious party always lurks around our devices, hardware as well as software, our tech footprint and lifestyles (get ready for IoT, yeah!), why are we giving vendors all the drubbing here?
MSD – Must Share Disclosures
Whether it is a compromised laptop, TV, browser or anything else, these incidents are calling our attention to scary shifts in threat dynamics. In some ways these are canaries in the coal mine, and these backdoor situations are also raising some basic doubts yet again: how much disclosure is a user entitled to, legally and ethically? Inordinate levels of lead in noodles or unwanted odd-ware inside tech products: how much can and should a consumer know?
Pavan Duggal, Advocate, Supreme Court of India, President Cyberlaws.Net and cyber law expert minces no words when he reminds that law, in its current state and form, is not adequate. “The IT Act 2000 is the only primary legislation and it is silent on issues regarding collection of data and consumer protection. There is no dedicated privacy law in place and such gaps and existing vacuum do not make it exactly easy for consumers.”
When laws are clearly outdated and privacy issues beg for attention, users of technology are left confused and exposed, and ever-rising intrusions on privacy and data do not paint a happy picture for them.
Tom Scholtz, VP and distinguished analyst at Gartner, sums up the dilemma for the other side well when he notes that many US states have a law on data compromise, but everything boils down to actual abuse. “Unfortunately when thousands of people have to be notified, it can create unnecessary anxiety about a problem. 'Data exposed' does not always mean 'data exploited'. Any business will think of the cost of disclosure and sometimes it can be a tough call choosing between a necessary evil and the cost of a brand.” He outlines how cost, context, impact and type of data can be appropriate yardsticks for thinking about a disclosure.
Concrete steps, as Duggal avers, need to be taken for pushing privacy rights and breaking silence on personal data. The legal framework in the US and Europe can be a good reference point here. “We need to fill some of our unique gaps and also take care of all stakeholders in digital and mobile systems. We are sharing so much data these days in digital form – the use by third-party providers should be clear and fair. That’s where awareness at the level of all stakeholders is also required.”
Katkar brings in another dimension as he zooms in on how people are used to installing free software and don't seem to mind, or may not be aware of, the extent of the privacy breaches by these apps. “The practice of getting “free” apps is so common that users seldom realize the actual impact it has on their security and privacy. It is often too late before they comprehend that they have given the farm away. The situation is only getting worse by the day as there are new gadgets with preloaded adware and other invasive software appearing in the market.”
'Caveat emptor' echoes from Duggal's side as well. Most of the time it helps immensely if users know what is inside the contract. Technically, terms and conditions (T&C) are provided by most service providers, but they are not always a smooth read or easy to understand.
Even though he rues the one-sided tendency of most contracts, where consumers are left with take-it-or-leave-it options, Duggal recommends that for now the consumer has to be sharp, responsible and aware. As to what vendors can do (the should-list will follow), Duggal opines that ensuring compliance with the Information Technology Rules 2011 and following them in full can help a lot. “Taking your customers into confidence and creating a business model that weeds out unpleasant surprises for your consumers works best.”
Be upfront about long-term ramifications. Spare them nasty surprises, he repeats emphatically. Now that sounds fresh, and something that tech vendors can actually do.
Instant Apologies are Yummy
Surprisingly enough, the grace of coming-up with a sincere apology and open communication saves a lot of heat from otherwise-unforgiving customers.
When you look at Lenovo's statement on Superfish, it took some time but it openly explained the situation. “In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. The goal was to improve the shopping experience using their visual discovery techniques. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it. We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future.”
Given how deep the roots of such badware may run in affected devices, it was expected that Lenovo should offer affected customers a replacement device, but even a good, I-admit-it version of ‘sorry’ can suffice when customers are shaken by surprise bugs in what they bought.
As for Samsung, its privacy policy for smart TVs explains SyncPlus and Interactive Marketing and tells customers that by enabling such marketing features, they may make the content and advertising received on the SmartTV and other devices more interactive. “To make these kinds of enhancements available, we provide video or audio snippets of the program you’re watching to third-party providers that use this information in order to return content or advertising “synched” to what you’re watching. These providers may receive information about your device (e.g., its IP address and device identifiers) and your interactions with the content and advertising they provide. You may disable these interactive marketing features at any time by visiting the “settings” menu.” It spells out there, adding that when someone chooses to enable Voice Recognition, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features. “If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands. You may disable Voice Recognition data collection at any time by visiting the “settings” menu. However, this may prevent you from using some of the Voice Recognition features.” It warns firmly.
Examples of new postures on being open to correction are fortunately appearing in other quarters of the security world too. Facebook was reported to be revising its vulnerability disclosure policy. In a blog post about disclosure and vulnerabilities, Chris Betz, Senior Director, MSRC (Microsoft Security Response Center), Trustworthy Computing, addressed the Coordinated Vulnerability Disclosure (CVD) debate around disclosure timing. “Opinion on this point varies widely. Our approach and one that we have advocated others adopt, is that researchers work with the vendor to deliver an update that protects customers prior to releasing details of the vulnerability. There are certainly cases where lack of response from a vendor(s) challenges that plan, but still the focus should be on protecting customers….We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly. It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured….Let’s face it, no software is perfect. It is, after all, made by human beings.”
That’s an honest line – No software is perfect. So is the case with companies, CEOs, quality inspectors, and even customers.
Isn't it about time, and all the more necessary, to be open, clear and transparent with the consumer, no matter what is inside? Isn't it better to offer the customer the best and the fairest, and to admit in time when a mistake happens? And above all, to tell them about a complication the way you would tell a friend, not as if you were lawyering up behind a ten-page T&C wall?
Now these are some pretty tricky questions, and thinking honestly about them will take rather more than just two minutes.