<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>USR-Lib</title>
	<atom:link href="http://usrlib.info/feed/" rel="self" type="application/rss+xml" />
	<link>http://usrlib.info</link>
	<description>Motley cabal of online hackers and librarians.</description>
	<lastBuildDate>Tue, 07 Sep 2010 05:38:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>With Wi-Fi Aboard, Be Careful What You Click</title>
		<link>http://usrlib.info/2010/09/07/with-wi-fi-aboard-be-careful-what-you-click/</link>
		<comments>http://usrlib.info/2010/09/07/with-wi-fi-aboard-be-careful-what-you-click/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 05:38:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Online Privacy]]></category>
		<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=393</guid>
		<description><![CDATA[
I’m a Modernist, devoted to Mies, postwar abstraction and flying. In the last year or so, I’ve been in Amman, Paris, Venice, Athens, Boston, London, Naples, Dublin, Rome, Reykjavik, Milan, Málaga, Moscow, Montreal and Memphis, to name a few.
One year, I was traveling back and forth to Paris so many times that the flight attendants [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/09/wi-fi1.gif"><img class="alignright size-medium wp-image-395" title="wi-fi" src="http://usrlib.info/wp-content/uploads/2010/09/wi-fi1-300x300.gif" alt="" width="300" height="300" /></a></p>
<p>I’m a Modernist, devoted to Mies, postwar abstraction and flying. In the last year or so, I’ve been in Amman, Paris, Venice, Athens, Boston, London, Naples, Dublin, Rome, Reykjavik, Milan, Málaga, Moscow, Montreal and Memphis, to name a few.</p>
<p>One year, I was traveling back and forth to Paris so many times that the flight attendants recognized me.</p>
<p>I was traveling with an important artist and I was really trying very hard to impress him. When we boarded the plane, a flight attendant yelled out that it was great to see me. I felt really good, believing the artist would think that I must be someone special for a crew member to greet me that way.</p>
<p>Then the attendant asked me if I wanted a drink. It was 8:30 in the morning and I was sure the artist thought I was a drunk. Fortunately, he just found it amusing.</p>
<p>When Wi-Fi became available in flight, I was really excited since I thought I would be extra productive.</p>
<p>The first time I tried it, I was traveling to Los Angeles from New York. Since it’s a long flight, I thought I’d get a lot of work done. So I e-mailed a colleague telling him that I was in a plane but could still work.</p>
<p>My colleague, a notorious prankster, e-mailed me back with the subject line “Picasso,” with an attached image. The body of the e-mail said that he found the Picasso I had been looking for. I opened the attachment and my screen filled with, well, porn.</p>
<p>I was in the middle seat with two business types on either side of me. I was mortified. And they didn’t look amused. I slammed the laptop shut and didn’t say a word or do any work for the remainder of the flight.</p>
<p>Since I travel so much you’d think I would be savvier. But a lot of times I feel like I’m living out a “Seinfeld” episode.</p>
<p>When heading from Rome to Moscow, I had to board a shuttle bus to my plane. There were two buses: one was nearly empty; the other was really crowded. I’m not a fool. I opted for the less crowded bus. I got very comfortable and kept thinking how smart I was. That is, until I discovered the bus was taking me to a plane headed to Kuwait.</p>
<p>I make mistakes all the time. I had a meeting in Israel and by the time I landed in Tel Aviv, I was really tired. When I got to my hotel, all I wanted to do was go up to my room as quickly as possible and then sleep.</p>
<p>But since I was sure it was a Friday, I wanted to be respectful of the Shabbat laws. So I didn’t push any buttons in the elevator that would take me to my floor. I waited for the doors to close.</p>
<p>I must have stood there three minutes. Then a guy got on the elevator and immediately pushed the button for his floor. I gave him a dirty look. And then he told me it was Thursday, not Friday. I felt pretty foolish.</p>
<p>To help beat jet lag, I travel everywhere with a Pilates abdominal device. It’s a metal circle, with two plastic handles, that you use to strengthen your core. I swear some security people think it’s a weapon. I’ve had to explain what it’s used for and a few agents asked me to demonstrate.</p>
<p>They didn’t look impressed. But they did let me on the plane with my Pilates gear, where I proceeded to show the flight attendants just how it worked. At least they seemed impressed.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/09/07/with-wi-fi-aboard-be-careful-what-you-click/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple&#8217;s Ping Dinged by Spam</title>
		<link>http://usrlib.info/2010/09/06/apples-ping-dinged-by-spam/</link>
		<comments>http://usrlib.info/2010/09/06/apples-ping-dinged-by-spam/#comments</comments>
		<pubDate>Mon, 06 Sep 2010 05:16:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Online Privacy]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=390</guid>
		<description><![CDATA[
Apple&#8217;s new social media service, Ping, is already getting hit by a barrage of comment spam.
The Ping network integrates with iTunes 10 to let you follow your favorite artists and swap comments with other fans. But it took less than 24 hours for the comments sections to be swamped by phony offers for free iPhones [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/09/ping.png"><img class="alignright size-medium wp-image-391" title="ping" src="http://usrlib.info/wp-content/uploads/2010/09/ping-300x168.png" alt="" width="300" height="168" /></a></p>
<p>Apple&#8217;s new social media service, Ping, is already getting hit by a barrage of comment spam.</p>
<p>The Ping network integrates with iTunes 10 to let you follow your favorite artists and swap comments with other fans. But it took less than 24 hours for the comments sections to be swamped by phony offers for free iPhones and other hot gadgets, according to a Thursday blog from security vendor Sophos.</p>
<p>Sophos expressed bemusement that although it&#8217;s no secret that blogs and forums have become the new playing ground for spammers and scammers, Apple apparently has set up no spam or URL filtering in Ping, leaving the service wide open to junk comments.</p>
<p>Apple has implemented some degree of security in Ping&#8211;the service won&#8217;t display profile photos until they&#8217;re approved by the company&#8211;and is filtering for offensive content as well, notes Sophos, so the company should be able to kick in a spam filter. But spammers can also easily create fake accounts for Ping since the service requires no credit card or other ID to join.</p>
<p>Of course, comment spam has been swamping other social networks and blog sites for years. The spam messages hitting Ping are virtually the same ones that Sophos found have targeted Facebook, Google, and Twitter. These &#8220;survey&#8221; scams typically promise a free iPhone, iPad, or iPod in exchange for filling out a bogus online questionnaire.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/09/06/apples-ping-dinged-by-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Adds New Remote log-out Security Feature</title>
		<link>http://usrlib.info/2010/09/03/facebook-adds-new-remote-log-out-security-feature/</link>
		<comments>http://usrlib.info/2010/09/03/facebook-adds-new-remote-log-out-security-feature/#comments</comments>
		<pubDate>Fri, 03 Sep 2010 06:59:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Online Privacy]]></category>
		<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=385</guid>
		<description><![CDATA[Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so.
This will address the problem that many of us have of leaving a computer&#8211;either one we borrowed at a friend&#8217;s house or used at [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/09/Facebook-Adds-New-Remote-log-out-Security-Feature.jpg"><img class="alignright size-full wp-image-386" title="Facebook Adds New Remote log-out Security Feature" src="http://usrlib.info/wp-content/uploads/2010/09/Facebook-Adds-New-Remote-log-out-Security-Feature.jpg" alt="" width="260" height="190" /></a>Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so.</p>
<p>This will address the problem that many of us have of leaving a computer&#8211;either one we borrowed at a friend&#8217;s house or used at a public spot like a library&#8211;logged in to our Facebook account without realizing it. Doing so leaves it open for abuse by whoever happens to visit the site next on that machine, allowing them to use the account to send spam or masquerade as the legitimate user.</p>
<p>&#8220;When anyone else is in charge of your online account there is the opportunity for foul play,&#8221; Jake Brill, a product manager for Facebook&#8217;s site integrity team, told CNET. Using the new feature that Facebook is rolling out worldwide, users will be able to click on the Account tab in the upper right-hand corner of their profile page, click on &#8220;Account Settings&#8221; in the drop-down menu and see new information about account activity under the &#8220;<strong>Account Security</strong>&#8221; area.</p>
<p>Facebook will provide users with recent activity on their account, including the last time the account was accessed, the device used, what approximate city it was located in, and the browser and operating system on the device. It will also provide the same details for other sessions if they are active on other devices and offer the user the ability to click &#8220;<strong>end activity</strong>&#8221; to log that device off.</p>
<p>Often, Facebook users don&#8217;t realize that they may still be logged into their accounts if they merely closed down the browser or even if they shut down the computer. For example, if the &#8220;Keep me logged in&#8221; box is checked on the log-in page, then you must manually log out on Facebook to end the session. That box, which is standard on many popular Web sites, is unchecked by default. If the box is not checked, users must quit the browser or log out to end the session.</p>
<p>The new feature will help people thwart would-be account hijackers, said Andrew Walls, a research director at Gartner.</p>
<p>&#8220;If you suspect somebody else has your password and is able to access your <strong>Facebook account</strong> or you see a computer you don&#8217;t recognize connected to your user profile, you can kill that session,&#8221; he said. Users who suspect their account has been compromised should always immediately change their password.</p>
<p>Walls praised Facebook for offering users this level of insight and control into their accounts and noted that it is standard in operating systems to provide this capability to administrators who want to, for instance, monitor the VPN (Virtual Private Network) connections into the network.</p>
<p>&#8220;This will be adopted by a small percentage of the user base, but it&#8217;s a good step and it is needed,&#8221; he said.</p>
<p>The new security feature follows a Login Notification feature the company announced in May that lets users tell Facebook to notify them via e-mail or SMS when a new computer or device is used to log into their account.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/09/03/facebook-adds-new-remote-log-out-security-feature/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gmail, Skype now in India&#8217;s Crosshairs</title>
		<link>http://usrlib.info/2010/09/02/gmail-skype-now-in-indias-crosshairs/</link>
		<comments>http://usrlib.info/2010/09/02/gmail-skype-now-in-indias-crosshairs/#comments</comments>
		<pubDate>Thu, 02 Sep 2010 07:37:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Online Privacy]]></category>
		<category><![CDATA[Online libraries]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=381</guid>
		<description><![CDATA[
After temporarily setting aside its BlackBerry ultimatum, the Indian government has shifted its focus to Gmail and Skype, according to the AFP.
India is apparently taking issue with any communication service that doesn&#8217;t give it easy access to data. It has a problem with Google-owned Gmail&#8217;s heavy encryption and with the inability to listen in on [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/09/skype.jpg"><img class="alignleft size-medium wp-image-382" title="skype" src="http://usrlib.info/wp-content/uploads/2010/09/skype-200x300.jpg" alt="" width="200" height="300" /></a></p>
<p>After temporarily setting aside its BlackBerry ultimatum, the Indian government has shifted its focus to Gmail and Skype, according to the AFP.</p>
<p>India is apparently taking issue with any communication service that doesn&#8217;t give it easy access to data. It has a problem with Google-owned Gmail&#8217;s heavy encryption and with the inability to listen in on conversations over VoIP with Skype.</p>
<p>&#8220;If a company is providing telecom services in India, then all communications must be available to Indian security services,&#8221; a government representative told AFP. &#8220;If Google or Skype have a component that is not accessible, that will not be possible.&#8221;</p>
<p>As of this writing, India had not sent notices to comply with its tight data-availability regulations, but the AFP reports that Google and Skype may receive notices as early as Tuesday. The notes will likely require that both companies provide the Indian government with a way to access e-mails in Gmail and conversations in Skype.</p>
<p><a href="http://usrlib.info/wp-content/uploads/2010/09/Google.png"><img class="alignright size-full wp-image-383" title="Google" src="http://usrlib.info/wp-content/uploads/2010/09/Google.png" alt="" width="143" height="59" /></a></p>
<p>The Indian government made waves recently by targeting Research In Motion&#8217;s BlackBerry devices over data accessibility. The government contends that by safeguarding e-mail, instant messaging, and Web browsing, RIM is preventing India from monitoring communications as part of national security.</p>
<p>Last week, RIM stood firm in opposition to India, indicating that it wouldn&#8217;t submit to the government&#8217;s September 1 deadline. India has now given RIM two months to furnish access to its data or face a ban of its service.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/09/02/gmail-skype-now-in-indias-crosshairs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cars: The Next Hacking Frontier?</title>
		<link>http://usrlib.info/2010/09/01/cars-the-next-hacking-frontier/</link>
		<comments>http://usrlib.info/2010/09/01/cars-the-next-hacking-frontier/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 06:06:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Hacking News]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=375</guid>
		<description><![CDATA[ 
That nice, new computerized car you just bought could be hackable. 
Of course, your car is probably not a high-priority target for most malicious hackers. But security experts tell CNET that car hacking is starting to move from the realm of the theoretical to reality, thanks to new wireless technologies and ever more dependence on computers to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/09/The-next-hacking-frontier.jpg"><img class="alignleft size-medium wp-image-376" title="The next hacking frontier" src="http://usrlib.info/wp-content/uploads/2010/09/The-next-hacking-frontier-300x225.jpg" alt="" width="300" height="225" /></a> </p>
<p>That nice, new computerized car you just bought could be hackable. </p>
<p>Of course, your car is probably not a high-priority target for most malicious hackers. But security experts tell CNET that car hacking is starting to move from the realm of the theoretical to reality, thanks to new wireless technologies and ever more dependence on computers to make cars safer, more energy efficient, and modern. </p>
<p>&#8220;Now there are computerized systems and they have control over critical components of cars like gas, brakes, etc.,&#8221; said Adriel Desautels, chief technology officer and president of Netragard, which does vulnerability assessments and penetration testing on all kinds of systems. &#8220;There is a premature reliance on technology.&#8221; </p>
<p>Illustration for a tire pressure monitoring system, with four antennas, from a report detailing how researchers were able to hack the wireless system. </p>
<p>Often the innovations are designed to improve the safety of the cars. For instance, after a recall of Firestone tires that were failing in Fords in 2000, Congress passed the TREAD (Transportation Recall Enhancement, Accountability and Documentation) Act that required that tire pressure monitoring systems (TPMS) be installed in new cars to alert drivers if a tire is underinflated. </p>
<p>Wireless tire pressure monitoring systems, which also were touted as a way to increase fuel economy, communicate via a radio frequency transmitter to a tire pressure control unit that sends commands to the central car computer over the Controller-Area Network (CAN). The CAN bus, which allows electronics to communicate with each other via the On-Board Diagnostics systems (OBD-II), is then able to trigger a warning message on the vehicle dashboard. </p>
<p>Researchers at the University of South Carolina and Rutgers University tested two tire pressure monitoring systems and found the security to be lacking. They were able to turn the low-tire-pressure warning lights on and off from another car traveling at highway speeds from 40 meters (120 feet) away and using low-cost equipment. </p>
<p>&#8220;While spoofing low-tire-pressure readings does not appear to be critical at first, it will lead to a dashboard warning and will likely cause the driver to pull over and inspect the tire,&#8221; said the report. &#8220;This presents ample opportunities for mischief and criminal activities, if past experience is any indication.&#8221; </p>
<p>&#8220;TPMS is a major safety system on cars. It&#8217;s required by law, but it&#8217;s insecure,&#8221; said Travis Taylor, one of the researchers who worked on the report. &#8220;This can be a problem when considering other wireless systems added to cars. What does that mean about future systems?&#8221; </p>
<p>The researchers do not intend to be alarmist; they&#8217;re merely trying to figure out what the security holes are and to alert the industry to them so they can be fixed, said Wenyuan Xu, assistant professor in the Department of Computer Science and Engineering at the University of South Carolina. &#8220;We are trying to raise awareness before things get really serious,&#8221; she said. </p>
<p>There has been research done on security problems with keyless entry systems in cars. And a report in May highlighted other risks with the increased use of computers coordinated via internal car networks. For that report researchers from the University of Washington and University of California, San Diego, tested how easy it would be to compromise a system by connecting a laptop to the onboard diagnostics port that they then wirelessly controlled via a second laptop in another car. Thus, they were able to remotely lock the brakes and the engine, change the speedometer display, as well as turn on the radio and the heat and honk the horn. </p>
<p>Granted, the researchers needed to have physical access to the inside of the car to accomplish the attack. Although that minimizes the likelihood of an attack, it&#8217;s not unthinkable to imagine someone getting access to a car dropped off at the mechanic or parking valet. </p>
<p>&#8220;The attack surface for modern automobiles is growing swiftly as more sophisticated services and communications features are incorporated into vehicles,&#8221; that report said. &#8220;In the United States, the federally-mandated On-Board Diagnostics port, under the dash in virtually all modern vehicles, provides direct and standard access to internal automotive networks. User-upgradable subsystems such as audio players are routinely attached to these same internal networks, as are a variety of short-range wireless devices (Bluetooth, wireless tire pressure sensors, etc.).&#8221; </p>
<p><strong>Engine Control Units</strong><br />
The ubiquitous Engine Control Units themselves started arriving in cars in the late 1970s as a result of the California Clean Air Act and initially were designed to boost fuel efficiency and reduce pollution by adjusting the fuel and oxygen mixture before combustion, the paper said. &#8220;Since then, such systems have been integrated into virtually every aspect of a car&#8217;s functioning and diagnostics, including the throttle, transmission, brakes, passenger climate and lighting controls, external lights, entertainment, and so on,&#8221; the report said. </p>
<p>It&#8217;s not just that there are so many embedded computers, it&#8217;s that safety critical systems are not isolated from non-safety critical systems, such as entertainment systems, but are &#8220;bridged&#8221; together to enable &#8220;subtle&#8221; interactions, according to the report. In addition, automakers are linking Engine Control Units with outside networks like global positioning systems. GM&#8217;s OnStar system, for example, can detect problems with systems in the car and warn drivers, place emergency calls, and even allow OnStar personnel to remotely unlock cars or stop them, the report said. </p>
<p>In an article entitled &#8220;Smart Phone + Car = Stupid?&#8221; on the EETimes site in late July, Dave Kleidermacher noted that GM is adding smartphone connectivity to most of its 2011 cars via OnStar. &#8220;For the first time, engines can now be started and doors locked by ordinary consumers, from anywhere on the planet with a cell signal,&#8221; he wrote. </p>
<p>Car manufacturers need to design the systems with security in mind, said Kleidermacher, who is chief technology officer at Green Hills Software, which builds operating system software that goes into cars and other embedded systems. </p>
<p>&#8220;You cannot retrofit high-level security to a system that wasn&#8217;t designed for it,&#8221; he told CNET. &#8220;People are building this sophisticated software into cars and not designing security in it from the ground up, and that&#8217;s a recipe for disaster.&#8221; </p>
<p>Representatives from GM OnStar were not available for comment late last week or this week, a spokesman said. </p>
<p>&#8220;Technology in cars is not designed to be secure because there&#8217;s no perceived threat. They don&#8217;t think someone is going to hack a car like they&#8217;re going to hack a bank,&#8221; said Desautels of Netragard. &#8220;For the interim, network security in cars won&#8217;t be a primary concern for manufacturers. But once they get connected to the Internet and have IP addresses, I think they&#8217;ll be targeted just for fun.&#8221; </p>
<p>The threat is primarily theoretical at this point for a number of reasons. First, there isn&#8217;t the same financial incentive to hacking cars as there is to hacking online bank accounts. Secondly, there isn&#8217;t one dominant platform used in cars that can give attackers the same bang for their buck to target as there is on personal computers. </p>
<p>&#8220;The risks are certainly increasing because there are more and more computers in the car, but it will be much tougher to (attack) than with the PC,&#8221; said Egil Juliussen, a principal analyst at market research firm iSuppli. &#8220;There is no equivalent to Windows in the car, at least not yet, so (a hacker) will be dealing with a lot of different systems and have to have some knowledge about each one. It doesn&#8217;t mean a determined hacker couldn&#8217;t do it.&#8221; </p>
<p>But Juliussen said drivers don&#8217;t need to worry about anything right now. &#8220;This is not a problem this year or next year,&#8221; he said. &#8220;It&#8217;s five years down the road, but the way to solve it is to build security into the systems now.&#8221; </p>
<p><strong>Infotainment systems</strong><br />
In the meantime, the innovations in mobile communications and entertainment aren&#8217;t limited to smartphones and iPads. People want to use their devices easily in their cars and take advantage of technology that will let them make calls and listen to music without having to push any buttons or touch any track wheels. Hands-free telephony laws in states are requiring this. </p>
<p>Millions of drivers are using the SYNC system that has shipped in more than 2 million Ford cars that allows people to connect digital media players and Bluetooth-enabled mobile phones to their car entertainment system and use voice commands to operate them. The system uses Microsoft Auto as the operating system. Other cars offer less-sophisticated mobile device connectivity. </p>
<p>&#8220;A lot of cars have Bluetooth car kits built into them so you can bring the cell phone into your car and use your phone through microphones and speakers built into the car,&#8221; said Kevin Finisterre, lead researcher at Netragard. &#8220;But vendors often leave default passwords.&#8221; </p>
<p>Ford uses a variety of security measures in SYNC, including only allowing Ford-approved software to be installed at the factory and default security set to Wi-Fi Protected Access 2 (WPA2), which requires users to enter a randomly chosen password to connect to the Internet. To protect customers when the car is on the road and the Mobile Wi-Fi Hot Spot feature is enabled, Ford also uses two firewalls on SYNC, a network firewall similar to a home Wi-Fi router and a separate central processing unit that prevents unauthorized messages from being sent to other modules within the car. </p>
<p>&#8220;We use the security models that normal IT folks use to protect an enterprise network,&#8221; said Jim Buczkowski, global director of electrical and electronics systems engineering for Ford SYNC. </p>
<p>Not surprisingly, there is a competing vehicle &#8220;infotainment&#8221; platform being developed that is based on open-source technology. About 80 companies have formed the Genivi Alliance to create open standards and middleware for information and entertainment solutions in cars. </p>
<p>Asked if Genivi is incorporating security into its platform from the get-go, Sebastian Zimmermann, chair of the consortium&#8217;s product definition and planning group, said it is up to the manufacturers that are creating the branded devices and custom apps to build security in and to take advantage of security mechanisms provided in Linux, the open-source operating system the platform is based on. </p>
<p>&#8220;Automakers are aware of security and have taken it seriously&#8230;It&#8217;s increasingly important as the vehicle opens up new interfaces to the outside world,&#8221; Zimmermann said. &#8220;They are trying to find a balance between openness and security.&#8221; </p>
<p>Another can of security worms being opened is the fact that cars may follow the example of smart phones and Web services by getting their own customized third-party apps. Hughes Telematics reportedly is working with automakers on app stores for drivers. </p>
<p>This is already happening to some extent, for instance, with video cameras becoming standard in police cars and school buses, bringing up a host of security and privacy issues. </p>
<p>&#8220;We did a penetration test where we had a police agency that has some in-car cameras,&#8221; Finisterre of Netragard said, &#8220;and we were able to access the cameras remotely and have live audio and video streams from the police car due to vulnerabilities in the manufacturing systems.&#8221; </p>
<p>&#8220;I&#8217;m sure (eventually) there is going to be smart pavement and smart lighting and other dumb stuff that has the capability of interacting with the car in the future,&#8221; he said. &#8220;Technology is getting pushed out the door with bells and whistles and security gets left behind.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/09/01/cars-the-next-hacking-frontier/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RIM Sidesteps BlackBerry ban in India</title>
		<link>http://usrlib.info/2010/08/31/rim-sidesteps-blackberry-ban-in-india/</link>
		<comments>http://usrlib.info/2010/08/31/rim-sidesteps-blackberry-ban-in-india/#comments</comments>
		<pubDate>Tue, 31 Aug 2010 05:26:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Hacking News]]></category>
		<category><![CDATA[Online Privacy]]></category>
		<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=370</guid>
		<description><![CDATA[
The Indian government said it will not shut down the service for at least another 60 days as it evaluates proposals RIM has offered that would allow the government to monitor wireless subscribers&#8217; communications.
Indian officials said earlier this month that the company had until the end of August to come up with a solution that [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/08/blackberry.jpg"><img class="alignleft size-full wp-image-371" title="blackberry" src="http://usrlib.info/wp-content/uploads/2010/08/blackberry.jpg" alt="" width="184" height="138" /></a></p>
<p><span style="color: #000000;">The Indian government said it will not shut down the service for at least another 60 days as it evaluates proposals RIM has offered that would allow the government to monitor wireless subscribers&#8217; communications.</span></p>
<p><span style="color: #000000;">Indian officials said earlier this month that the company had until the end of August to come up with a solution that would allow them to monitor e-mails and other electronic messages from BlackBerry users in the country.</span></p>
<p><span style="color: #000000;">One of the latest proposals likely includes RIM placing one of its servers in India.</span></p>
<p><span style="color: #000000;">&#8220;It was also decided that the Department of Telecommunications would study the feasibility of all such services being provided through a server located only in India,&#8221; Onkar Kedia, a spokesman for the federal Ministry of Home Affairs, said in a statement.</span></p>
<p><span style="color: #000000;">RIM has been working with Indian officials to come up with a solution since earlier this month, when the government threatened to shut down the service over security concerns. Last week, RIM suggested creating an industry forum to address the government&#8217;s concerns. In this forum, RIM and other mobile companies would work with the Indian government to support &#8220;the lawful access needs of law enforcement agencies, while preserving the legitimate information security needs of corporations and other organizations in India.&#8221;</span></p>
<p><span style="color: #000000;">RIM has faced threats of bans in other countries as well, including Saudi Arabia and the United Arab Emirates. RIM averted a ban in Saudi Arabia by supposedly cutting a deal with Saudi officials, which reportedly also includes putting a server in Saudi Arabia that would allow the security officials to monitor communications.</span></p>
<p><span style="color: #000000;">RIM has been adamant that it has not compromised its core security features. And it claims it has not struck special deals with any country.</span></p>
<p><span style="color: #000000;">&#8220;RIM assures both its customers in India and the government of India that RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries,&#8221; the company said in a statement last week.</span></p>
<p><span style="color: #000000;">Governments in countries threatening to ban the service say they are concerned that the BlackBerry, which features stronger privacy safeguards than competing devices, could be used by terrorists and other criminals to avoid detection.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/08/31/rim-sidesteps-blackberry-ban-in-india/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;LOL is this you?&#8217; spam spreading via Facebook chat</title>
		<link>http://usrlib.info/2010/08/30/lol-is-this-you-spam-spreading-via-facebook-chat/</link>
		<comments>http://usrlib.info/2010/08/30/lol-is-this-you-spam-spreading-via-facebook-chat/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 05:20:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Online Privacy]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=367</guid>
		<description><![CDATA[
 
Facebook on Friday afternoon was investigating what appeared to be a new spam scheme that results in users getting messages from friends over Facebook chat that have malicious links.
The messages say &#8220;LOL is this you?&#8221; and are accompanied by a link that looks like it leads to a video on Facebook, one victim told CNET. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/08/facebook.png"><img class="alignleft size-medium wp-image-368" title="facebook" src="http://usrlib.info/wp-content/uploads/2010/08/facebook-300x300.png" alt="" width="300" height="300" /></a><br />
 <br />
Facebook on Friday afternoon was investigating what appeared to be a new spam scheme that results in users getting messages from friends over Facebook chat that have malicious links.</p>
<p>The messages say &#8220;LOL is this you?&#8221; and are accompanied by a link that looks like it leads to a video on Facebook, one victim told CNET. In his case, clicking the link directed him to a Web page with a &#8220;404-Page Not Found&#8221; error message, and his account sent the spam out to at least one of his friends, he said.</p>
<p>The spam was also reported on Twitter, but at this point the outbreak seems to be minor.</p>
<p>A Facebook spokesman said the company is looking into the matter.</p>
<p>The spam message is similar to ones used in several phishing attacks on Twitter in February.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/08/30/lol-is-this-you-spam-spreading-via-facebook-chat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RIM Extends Olive Branch to Indian Government</title>
		<link>http://usrlib.info/2010/08/27/rim-extends-olive-branch-to-indian-government/</link>
		<comments>http://usrlib.info/2010/08/27/rim-extends-olive-branch-to-indian-government/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 09:33:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=364</guid>
		<description><![CDATA[
Research In Motion is hoping to find a solution to its drawn-out security battle with India by creating an industry forum to address the government&#8217;s concerns.
RIM says it wants to create a forum where the company and other mobile firms could work with the Indian government to support &#8220;the lawful access needs of law enforcement [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/08/RIM.jpg"><img class="alignleft size-full wp-image-365" title="RIM" src="http://usrlib.info/wp-content/uploads/2010/08/RIM.jpg" alt="" width="184" height="138" /></a></p>
<p>Research In Motion is hoping to find a solution to its drawn-out security battle with India by creating an industry forum to address the government&#8217;s concerns.</p>
<p>RIM says it wants to create a forum where the company and other mobile firms could work with the Indian government to support &#8220;the lawful access needs of law enforcement agencies, while preserving the legitimate information security needs of corporations and other organizations in India.&#8221;</p>
<p>RIM hopes to find a middle ground with India, which has said that if the company doesn&#8217;t loosen security on its e-mail and instant-messaging services by the end of the month, RIM&#8217;s messaging tools will be blocked by the country&#8217;s wireless service providers. The Indian government, like those of the United Arab Emirates, Saudi Arabia, and Indonesia, contends that RIM&#8217;s security encryption is too strict and limits the government&#8217;s ability to monitor potentially dangerous communication.</p>
<p>In a statement, RIM said it believes the Indian government should value &#8220;the integrity and security of sensitive corporate information.&#8221; If the government banned the encrypted communication, RIM said, it &#8220;would severely limit the effectiveness and productivity of India&#8217;s corporations.&#8221;</p>
<p>RIM is staying strong in the face of the Indian government&#8217;s demands and indicated that it&#8217;s not planning on giving in.</p>
<p>&#8220;Singling out and banning one solution, such as the BlackBerry solution, would be ineffective and counterproductive,&#8221; the company said.</p>
<p>In an attempt to dispel what it called misconceptions related to its disagreement with India, RIM said that it doesn&#8217;t have a &#8220;master key&#8221; that would allow it to gain access to encrypted corporate information, and the service was built to &#8220;exclude the capability for RIM or any third party to read encrypted information.&#8221;</p>
<p>The company was also quick to point out that it has not inked special deals with countries around the world that have also requested access to its messaging platform, indicating that the chances of India getting RIM to bow to its pressure are slim, if not nil.</p>
<p>&#8220;RIM assures both its customers in India and the government of India that RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries,&#8221; RIM said in a statement.</p>
<p>Going forward, RIM believes that it needs the help of other companies in its industry&#8211;through its proposed industry forum&#8211;to defend against complaints like those coming from India.</p>
<p>&#8220;This challenge can only be truly overcome if the information and communications technology industry comes together as a whole to work with the government of India,&#8221; RIM said in a statement. &#8220;The use of strong encryption in wireless technology is not unique to the BlackBerry platform. It is unquestionably an industrywide matter.&#8221;</p>
<p>RIM has until the end of August to furnish the Indian government access to e-mail, instant messages, and Web browsing. If RIM declines, the country has said it will force wireless providers to shut off those services on 1 September.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/08/27/rim-extends-olive-branch-to-indian-government/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Be Cautious of Internet Access at Airports</title>
		<link>http://usrlib.info/2010/08/26/be-cautious-of-internet-access-at-airports/</link>
		<comments>http://usrlib.info/2010/08/26/be-cautious-of-internet-access-at-airports/#comments</comments>
		<pubDate>Thu, 26 Aug 2010 05:12:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=360</guid>
		<description><![CDATA[
Accessing the Internet via an open Wi-Fi network is risky because you have no idea who is the hot spot provider or who is connected to it. At the airport it may seem more secure to use a terminal to check your e-mail or update your Facebook status; however, according to Symantec, these terminals might [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/08/wi-fi.gif"><img class="alignleft size-medium wp-image-361" title="wi-fi" src="http://usrlib.info/wp-content/uploads/2010/08/wi-fi-300x175.gif" alt="" width="300" height="175" /></a></p>
<p>Accessing the Internet via an open Wi-Fi network is risky because you have no idea who is the hot spot provider or who is connected to it. At the airport it may seem more secure to use a terminal to check your e-mail or update your Facebook status; however, according to Symantec, these terminals might not be secure at all.</p>
<p>Nick Johnston, senior software engineer of Symantec Hosted Services, wrote that at one Internet terminal at a large airport in England, he saw an unusual &#8220;Defense Center Installer&#8221; dialog box that turned out to be fake antivirus software, also known as &#8220;Scareware.&#8221;</p>
<p>Scareware is a type of malware that claims a computer is infected with viruses and tries to coerce the user into buying the full version of the software to clean the fictitious infection. It&#8217;s common for this type of malware to try to disable or uninstall legitimate antivirus software, causing Windows Security Center to warn that no antivirus software is installed. As this type of software is not really a virus, it&#8217;s hard for legitimate antivirus software to detect and remove it.</p>
<p>The fact that the Internet terminal has this type of malware indicates that it is not protected and might be infected with other hidden, more dangerous malware such as a key logger. Unlike &#8220;Scareware,&#8221; which makes its presence known, there is no obvious indicator that a key logger is active while it silently captures users&#8217; input. This means that usernames and passwords for airline accounts, bank accounts, Web mail, social media accounts, or any other private accounts accessed on the terminal can be stolen.</p>
<p>For this reason, you should exercise extreme caution whenever you are using publicly available Internet access terminals and avoid doing anything that requires you to sign on to personal or corporate accounts. The best practice is to only enter your private and important information, such as bank account, Social Security number, and so on, on computers and networks that you know. If you share computers with other people, remember to change your passwords regularly.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/08/26/be-cautious-of-internet-access-at-airports/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;Freemium&#8217; antivirus firm Avast gets funding boost</title>
		<link>http://usrlib.info/2010/08/25/freemium-antivirus-firm-avast-gets-funding-boost/</link>
		<comments>http://usrlib.info/2010/08/25/freemium-antivirus-firm-avast-gets-funding-boost/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 05:17:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">http://usrlib.info/?p=357</guid>
		<description><![CDATA[
The security vendor Avast has received a $100m investment from private equity firm Summit Partners, in exchange for a minority stake in the company.
Avast chief executive Vince Steckler described the $100m (£64m) deal on Monday as &#8220;a vote of confidence in our disruptive &#8216;freemium&#8217; business model&#8221;, which sees the vendor giving its product — including [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://usrlib.info/wp-content/uploads/2010/08/Freemium-antivirus-firm-Avast-gets-funding-boost.jpg"><img class="alignleft size-medium wp-image-358" title="'Freemium' antivirus firm Avast gets funding boost" src="http://usrlib.info/wp-content/uploads/2010/08/Freemium-antivirus-firm-Avast-gets-funding-boost-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p>The security vendor Avast has received a $100m investment from private equity firm Summit Partners, in exchange for a minority stake in the company.</p>
<p>Avast chief executive Vince Steckler described the $100m (£64m) deal on Monday as &#8220;a vote of confidence in our disruptive &#8216;freemium&#8217; business model&#8221;, which sees the vendor giving its product — including updates — for free to millions of non-corporate users.</p>
<p>The company&#8217;s current model is based around providing its antivirus program, which contains similar features to competitors&#8217; paid-for offerings, to home users for free. As with rival antivirus firm AVG, this is done in the hope that those customers will then upgrade to a paid-for premium version.</p>
<p>Avast also provides a number of business-tailored products that attract an annual subscription fee in exchange for security features. The firm&#8217;s freemium model has already netted the security specialist approximately 100 million registered subscribers, according to a statement from the company.</p>
<p>&#8220;[This approach] is already upsetting the traditional antivirus market,&#8221; said Steckler. &#8220;Instead of paying for advertising or installation on new computers, Avast continues to experience dramatic growth as fans of Avast recommend our products to their friends. Freemium is the wave of the future&#8230; We have no plans to change our approach and conform to the classic retail positioning model.&#8221;</p>
<p>As part of Monday&#8217;s deal, Scott Collins, managing director of Summit Partners, will get a seat on Avast&#8217;s board of directors. ZDNet UK asked Avast how big Summit Partners&#8217; minority stake was, but the company would not divulge this information.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlib.info/2010/08/25/freemium-antivirus-firm-avast-gets-funding-boost/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
