Insights For Success

Strategy, Innovation, Leadership and Security

Could Google become a Cyber Insurance Underwriter?

Edward Kiledjian

Image by Pictures of Money used under Creative Commons License

Cyber-Insurance is the next great frontier for insurers as more and more companies buy protection in the age of massive and regular cyber-attacks.

More than 60 insurance carriers now offer stand-alone cyber insurance policies
— Dr. Robert Hartwig, president of the I.I.I. and an economist

PwC suggests the global cyber insurance market could grow to at least $7.5 billion in annual premiums by the end of the decade. PwC also suggests insurers need to move quickly to innovate before a disruptor such as Google enters the market.

When looking at cyber insurance, a solid provider would have to cover the basics of an insurance policy, like liability, but would also have to add cyber-specific support like:

  • Crisis Management - Covers the cost of managing the incident, including customer notification, credit monitoring and a public relations campaign to rebuild the organization's reputation. Additionally, they would help manage the entire response from detection to resolution through a breach coach and agreements with other cyber support functions (call centers, mailer companies, forensic specialists, cyber extortion negotiators, etc.).
  • Cyber Extortion - Covers the payment to resolve a cyber blackmail situation and provides the technical expertise to help track down the blackmailers.

But Google?

We all know Google is the sultan of search and has an unmatched view of the internet as a whole. It can see into dark crevasses of the internet that no one else can.

  • Cash - Google generates more cash per quarter than most insurers (e.g. Chubb, AIG, Travelers, etc.). It therefore has enough cash to pay out customers and support them if a policy is executed.
  • Profitable - Under the new CFO, Google is working on profitability by killing many moonshots and concentrating on activities that can provide interesting returns. Insurance is a numbers game, and Google can make it profitable.
  • Data Science - Insurance has always been a math problem, and no one does math better than Google.
  • Visibility - Three of the key metrics in the risk equation are likelihood, impact and velocity. Most insurers make best-guess estimates based on past experience, with some adjustment for future changes. Google sees the entire attack surface of the Internet and can make very educated guesses about who is likely to be targeted, when and how.
  • Support - More important than money, most victims look to their cyber-insurer for support during the incident. They need help understanding who is doing it (attribution), how they are doing it (reverse engineering), what else they could have compromised (indicators of compromise) and how to clean it up. Google has the technical experts to support companies through the entire process. Of particular interest are the reverse engineering and attribution pieces, which only a handful of companies can do really well.
  • Customers - Google has a ton of consumer products and has incredible brand name recognition. Google is once again the #2 most valuable brand in the world.

Maybe Google

As reported in the NY Times, Sony's life insurance business is what is helping it survive.

Life insurance has been its biggest moneymaker over the last decade, earning the company 933 billion yen ($9.07 billion) in operating profit in the 10 years that ended in March.

So Google has the motive (a renewed push for profitability) and the capability (cash and technical). The only unknown is whether they have the desire. Only time will tell, but I think this is something they will branch out into sooner or later.

Public Mobile to launch US Roaming Add-on

General | Edward Kiledjian

Public Mobile is a low-cost Canadian mobile service provider with a limited network. It has recently announced in its forums that it will be adding a new US Roaming add-on (option) through new deals struck with T-Mobile and AT&T.

The carrier has said this is in response to comments made in its forums, and the add-on will come in 10-day chunks of phone only, text only, data only or a combo plan.

Limited data is available but we expect the options to look like this:

  1. unlimited USA talk $CAD8
  2. unlimited text $CAD8
  3. 1GB of data for $CAD20

Let's compare the data rate to the pay per use rate of $US0.10 per MB. 1GB = 1000MB = $US100. Obviously the Public Mobile rate is cheaper. You can also buy the KnowRoaming unlimited data plan for $US7.99 per day which would cost $US79.99 for 10 days of unlimited data.

Let's compare it to Roam Mobility. A 1GB data-only plan good for 30 days costs $CAD21.95, which is competitive. You can get their unlimited talk+text+data plan for only $4.95 / day ($CAD49.50 for 10 days of everything unlimited). If you add the 10 days of talk, text and 1GB of data from Public Mobile, you get $36.

Looking at the above, my recommendation is to go with Roam Mobility. For $14 more, you get unlimited data for 10 days, which will likely be more attractive to most users.

Will your Android phone allow someone to hack you?

General | Edward Kiledjian

Image by Jared Tarbell used under creative commons license

When a new undisclosed (0-day) vulnerability is used to hack a target's device, the media jumps all over it and creates a small panic. Government intelligence and organized crime are always looking for new creative ways to break into target devices and are willing to pay top dollar for new unknown hacks. Vulnerability brokers (companies that are willing to sell 0-day vulnerabilities) are paying top dollar for these rare and very in-demand weaknesses. Zerodium is now paying $1.5M for a good complete iOS attack.

Although these are troubling, the truth is the majority of attacks (and malware/viruses) still exploit time-tested and patchable vulnerabilities. This is why keeping your computer, smartphone and tablet operating system/apps updated is so important. This is one of the reasons Microsoft switched to an automatic forced update model with Windows 10.

Apple's products are opaque and I do not believe in security through obscurity. I wish they allowed for more scrutiny of their mobile products, but when something is discovered, they release updates very quickly and make them immediately available to all supported devices worldwide, regardless of the carrier they were acquired through.

This is one of the chief complaints against Android. Most Android devices are never updated once they ship, and the ones that do receive updates typically get them slowly and infrequently. Check out the Android platform distribution statistics:

Only 0.3% of Android devices support the latest version (Android 7.0 Nougat) 1.5 months after release. On the iOS side, 60% of devices had updated to iOS 10 a month after release.

Even top-tier manufacturers like Samsung (Note 7 issue notwithstanding) only update their most recent flagship products, and only if your carrier decides to allow it.

Right now, as I write this, I have an Apple iPhone 6s Plus and a Google Nexus 6P sitting next to me. I love Android and find many of the features in the most recent Nougat release better than comparable Apple features. Don't call me an Apple fanboy or Google hater. The moral of the story is you shouldn't buy any Android phone where the manufacturer has not committed to delivering (quickly) the OS updates and the monthly security releases.

As it currently stands, the only Android products I can recommend are those sold directly by Google (Nexus or Pixel).

Buy an unlocked Nexus or Pixel product directly from Google to make sure you receive all of the updates quickly.

Questions

Q. A question I will likely receive is: what about [insert brand / model here]?

A. I expect emails asking me about the OnePlus 3, ZTE Axon 7, HTC 10, LG V20, Motorola Moto Z, etc. None of these manufacturers have committed to providing the OS and security updates quickly. The answer therefore is no. I love the price / quality proposition of the ZTE Axon 7 and the OnePlus 3, but without a commitment to updates, it's a no-go for me.

Q. Aren't iPhones more secure?

A. iPhones are slightly more secure because of the way the operating system is designed and applications are sandboxed. This doesn't mean it is unbreakable, and the attempted hack of Saudi human rights activist Mansoor proves it (read this article by CitizenLab).

Both platforms can be used safely if you ensure you don't break their built-in security (rooting on Android and jailbreaking on iPhone) and you ensure you only download "real" apps from the official app stores.

Q. What else can I do?

A. In addition to using the "right" device, it is important to think about your privacy and security. Use the right apps for the right job.

  • Use encrypted communications apps like Signal. Signal's encryption has been reviewed by leading cryptographers and has been given a big thumbs up.
  • When browsing the web, use Tor to protect your identity (easier on Android) with a browser like OrFox. You can even configure Facebook and Twitter (on Android) to use Tor via OrBot.
  • Every picture taken with a smartphone contains "hidden" information called Exif information. This is information like the type of camera used, the settings used to take the picture, etc. It also contains the GPS coordinates of where the picture was taken. If you send this to someone, they can extract this information and use it to pinpoint the location the picture was taken. Send it to a social media site and they will start building a travel pattern of you. Make sure you remove Exif information, using an app, before posting. There are tons of apps; just search the app store.
  • Uninstall apps you no longer use. Remember that apps are sometimes sold, and the new buyer may push out an update that adds unwanted features like tracking or recording. If you no longer use an app, get rid of it.
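To show what "remove Exif information" actually means at the file level, here is an added example (written for this article, not code from the post or from any Exif-stripping app): it walks the marker segments of a JPEG and drops the APP1 segment that carries Exif metadata, including any GPS tags. The sample JPEG bytes are constructed inline so the code runs offline; they are not a real photograph.

```python
# Added example: strip the Exif (APP1) segment from a JPEG by walking its
# marker segments. Standard library only; SAMPLE_JPEG is a constructed stub.

SOI, SOS, APP1 = 0xD8, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"  # identifies an APP1 segment as Exif


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.

    Everything from SOS to the end of file is entropy-coded scan data plus
    the EOI marker, so it is returned as one final chunk.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == SOS:
            yield marker, start, len(data)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            yield marker, start, pos
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")  # includes the 2 length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, start, pos + length
        pos += length


def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def has_exif(data: bytes) -> bool:
    return any(_is_exif(data, m, s) for m, s, _ in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if _is_exif(data, marker, start):
            continue  # drop camera settings, timestamps and GPS coordinates
        out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: SOI, APP0 (JFIF), APP1 (Exif with a GPS placeholder), SOS, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, EXIF_HEADER + b"II*\x00<gps-placeholder>")
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

The image data itself is untouched, so the picture looks the same; only the metadata block is gone.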

What is Tor and should I use it?

General | Edward Kiledjian

Image by Justin Mathews used under Creative Commons License

I've written about Tor a few times, but I regularly receive emails from "newbies" asking me to describe what it is in general terms. That's what this article is about. To get things kicked off, let me share an important quote from everyone's favorite whistleblower, Edward Snowden:

I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time.
— Edward Snowden, The Intercept, Nov 12 2015

In an effort to grab reader/viewer attention, every time the media mentions Tor, it is usually in the context of a report about the "evil" and "bad" dark web. The truth is Tor was created by the US State Department to help global activists communicate freely while in repressive locales.

It takes all of the data leaving your computer (or coming back), splits it into bundles, and encrypts each one multiple times to fix the path it will take through the Tor network until it reaches its destination. Each node that receives a bundle destined for it decrypts its own layer of the bundle, which tells it where to send the bundle next. This layered approach is why it is called The Onion Router. Each node only knows where it will send the bundle next, and the receiving node only knows the previous node it came from, which makes eavesdropping on or de-anonymizing Tor much more complicated.
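The layered encryption described above, as an added simulation written for this article (it is not Tor's protocol or the Tor project's code): the client wraps a message once per relay, innermost layer first, and each relay can only peel its own layer, which reveals nothing but the next hop. Relay names, keys and the message are constructed for the demo, and a SHA-256 counter-mode keystream with an HMAC tag stands in for the real ciphers so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Added onion-routing demo; keys are assumed to be pre-shared with each relay
# (Tor derives them in a handshake). Toy cipher: do not use for real traffic.
NONCE_LEN, TAG_LEN = 16, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def wrap(key: bytes, payload: bytes) -> bytes:
    """Add one layer: encrypt under this relay's key and append an HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; fails unless this key added the outermost layer."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path, keys, destination: str, message: bytes) -> bytes:
    """Client side: wrap the exit layer first and the guard layer last.

    Each layer's plaintext is "<next hop>|<inner blob>", so a relay learns the
    next hop only after removing its own layer.
    """
    hops = path + [destination]
    blob = message
    for i in range(len(path) - 1, -1, -1):
        blob = wrap(keys[path[i]], hops[i + 1].encode() + b"|" + blob)
    return blob


def run_circuit(path, keys, onion: bytes):
    """Forward the onion hop by hop and record what each relay can observe."""
    trace, prev, blob = [], "client", onion
    for name in path:
        next_hop, _, blob = unwrap(keys[name], blob).partition(b"|")
        trace.append({"relay": name, "sees_prev": prev, "sees_next": next_hop.decode()})
        prev = name
    return trace, blob  # blob is now the plaintext the exit hands to the destination
```

The trace shows the point of the paragraph: the guard sees the client but not the destination, and the exit sees the destination but not the client.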

Tor Hidden Services are what the media calls the Dark Web. Think of a Tor Hidden Service as a website on the Tor network. When using one of these sites, the request never leaves the Tor network (it never touches the normal world wide web), so it is considered even more secure.

You can use the Tor network to browse the Dark Web or to browse the normal, regular, everyday world wide web.

Many popular sites, understanding the need and desire for a more private web browsing experience, have started creating Tor hidden services for their websites (The Intercept, The Guardian, ProPublica, WikiLeaks, Facebook, etc.).

Tor does make your browsing experience a little more complicated. First, you will notice a drop in performance (i.e. pages load noticeably slower). This slowdown is a side effect of all of the encryption/decryption and the number of hops a package is forced through to protect your identity. Some sites mark all Tor traffic as potentially malicious and constantly challenge users to "prove they are human" using a CAPTCHA, and a very small group of sites block inbound Tor traffic completely.

The easiest way to try Tor on a computer is to download the Tor Browser Bundle directly from the Tor Project website. It is a customized version of the Firefox browser that is designed not to leak data and is configured to use Tor correctly.

If you are on an Android device, then I recommend you use to create the Tor tunnel, and then use their customized Tor browser called OrFox.

I realize most people care more about ease of use (instead of privacy). I tried Anonabox hoping it would be a good hardware Tor solution, but that didn't turn out too well. I am now waiting for the Invizbox and will review it when it finally ships (another delayed project).

I believe privacy is important. If you have questions, feel free to post them in the comments section or send me a note.

Use Whatsapp for free next time you travel

General | Edward Kiledjian

Since Apple has decided to keep Apple Messages (iMessage) locked up to its platform, users the world over have chosen Whatsapp as the most common cross-platform instant messaging platform. It allows you to send files and pictures. It allows you to make Voice over IP calls and is just an overall well-designed, easy-to-use tool.

Whatsapp requires a data connection (3G/LTE) to work. This means using Whatsapp while travelling requires you to buy a local SIM card or buy an expensive data pack from your home carrier. Until now.

I first wrote about KnowRoaming in 2013 and explained how it can save money when travelling by switching you to a cheaper local plan, simply by using the company's intelligent SIM sticker.

Today KnowRoaming announced that their customers will be able to use WhatsApp for free when travelling. You don't even need to buy a data plan, and no data charges are levied. As long as you have an active account with some money in it and switch to their service when you travel (which happens automatically), you get free Whatsapp in any country they work in (100+ countries).

This offer is available on any of their services (Global SIM Card, Global SIM Sticker and Global Hotspot). I use the Global SIM Sticker option; anytime I land in a new country, their app detects it and switches me to their service.