IoT regulations: fact or fiction?

New gadgets and, increasingly, connected homes, vehicles and even smart cities open up a whole host of possibilities. Connected devices now control entire homes and offices, including door locks, children’s toys, cameras and medical products. All are available and connected through the Internet, making access very convenient for the user but also for the bad guys.

The Internet of Things (IoT) has a poor cyber security reputation. Manufacturers often don’t install appropriate data access safeguards on their products, and consumers fail to change default passwords or update the pre-installed software on their network.

This is why the UK Government has introduced a new code of practice for manufacturers of smart devices that connect to the IoT. The code is voluntary, but large manufacturers, including HP and Hive Centrica, have already signed up. However, this will not be enough to truly bring cyber security rules to all devices now available.

Non-binding guidelines are helpful, but unlikely to make substantial changes. Most IoT manufacturers are located abroad in developing countries and will continue to focus more on costs than on customers’ privacy or security. Most manufacturers do not even adhere to the most basic security measures, such as strong passwords. We have even tested devices where the master reset does not remove any previous entries, such as wifi passwords, allowing the next owner of a device to take the wifi details from the device and use them to hack into the previous owner’s network.

Imagine the multitude of wifi kettles being sold on online auction sites, all still holding their former owners’ passwords – very scary!

In California, the state government has made it mandatory for IoT devices to be secure. Under its Security of Connected Devices Bill, weak default passwords are illegal and all devices must have unique default passwords that automatically prompt the user to change the password when the device is installed.

Read the full article in Network Security Magazine here on page 20

Using simulated disaster management to tackle the security skills gap

With the increasing need for cyber security professionals, organisations are turning to new ways to address the skills gap facing the security sector.

Academic qualifications, such as Cyber Security & Computer Forensics BSc (Hons) and Cyber Security MSc, provide cyber security professionals with the necessary knowledge for their career, but nothing compares to real-world experience when dealing with potential network threats.

There is a line in a Star Wars film: “I should think that you Jedi would have more respect for the difference between knowledge and wisdom.” This is just as true in cyber security, where experience is equally as important as qualifications.

“When you are in a disaster recovery situation, you do not want the new person trying out the wings,” says Bruce Beam, chief information officer at (ISC)².

Unfortunately, the number of cyber security positions outweighs the number of available cyber security professionals. The demand for cyber security professionals has outpaced supply in recent years, due to emerging threats and organisations increasing the amount of business they conduct online.

According to a study, the number of organisations that reported shortages in the cyber security skills of their staff has increased over the past four years. In 2014, approximately 23% of organisations indicated this was a challenge, but this has now risen to more than 50%. Much of this rise has been due to the increasing workload of cyber security teams.

Continuing professional development (CPD) has been used to ensure that skills remain relevant. However, some training is purely academic and offers little real-world experience. “It is not like training someone to be a welder and giving them the basic skillset,” says Beam.

In order to overcome this challenge, organisations are turning to various ways to provide their cyber security interns with the necessary experience to tackle the online threats facing organisations. One way has been through mentoring schemes, where organisations assign an intern to an experienced cyber security professional. Mentoring allows a company to preserve its staff’s experience against retirement and poaching; however, a drawback is that it can inadvertently reinforce bias.

Simulated disaster management

Some organisations are turning to simulated disaster management scenarios in order to provide their staff with the experience they need. Just as fire drills are used to assess how personnel respond to a potential incident, simulating critical failures allows organisations to see how their staff respond to such events.

“I always go back to my military training and one of the things we learned was to train like you are going to fight, because you will fight like you train,” says Beam.

Simulations allow cyber security personnel to experience critical failures, without any risk to the actual network or company data. These simulations can vary from disaster recovery scenarios to white hat hackers probing a company’s network defences to see how their IT teams respond to the perceived threat.

“Too many organisations talk about disaster recovery, but never really test it and make sure it is working the way they think it is working,” says Colin Tankard, managing director of Digital Pathways.

Simulated disaster management provides a replica of an organisation’s network architecture, thus providing a real-world experience, thereby making responses second-nature.

This allows cyber security teams to use the security tools that they would use in a genuine situation and to experience the network setup and traffic. In order to be effective, disaster scenarios need to be accurately simulated, including advanced, evolving threats, targeted malware and ransomware.

A more complex version of simulated training is to use white hat hackers to probe the network defences to see how soon the cyber security team are aware and how they respond to the threat. “I have heard of white hat teams spying on organisations to see where they can get in,” says Tankard. “That has been very successful for companies as they have seen how their people are reacting.”

Read the full article in Computer Weekly here

Connectivity in the smart city

Smart buildings and cities are becoming less of a rarity, attracting both tech-savvy entrepreneurs and established businesses.

The smart city environment fosters thriving communities, where businesses can excel and their people can work happily, achieving their full potential. More than this, they help businesses to cut costs, streamline operations and increase profit margins.

One of the key factors in today’s productive workplace is access to a fast, secure and reliable Internet connection. In fact, it is usually among the top ‘wish list’ items for prospective tenants.

Without it, productivity can decrease, communication, both external and internal, is compromised, stress ensues and profits can drop. But how can businesses be sure, when deciding upon a smart city space, that their connectivity will be all they need it to be?

Certified connectivity

According to Emma MacLeod of Hurley Palmer Flatt, a building services and engineering consultancy, connectivity certification is an increasingly sought-after element for prospective tenants.

MacLeod said: “Companies such as Wired Score and Honeywell provide systems that allow criteria to be measured, so that tenants can have an overview of a building’s connectivity, which can also be compared against others.

“This type of information can be used as part of an active marketing strategy in order to attract prospective tenants, as well as providing reassurance. Such certification allows for better understanding of performance, together with the promotion and improvement of digital infrastructure.”

Cybersecurity

Whilst good connectivity is a priority, how many businesses consider how secure their Internet connection is?

Cybersecurity certification could be helpful, given the increasing number of cyber-attacks we now see. For example, I wonder how many people stroll the corridors of a building searching out an unsecured Wi-Fi router to log on to? What if an unauthorised person gains entry to floors where they may be able to obtain access to a network: are they able to view all of the information, or have good data security and physical access systems been installed? Are all of the packets of data that are travelling around the ‘backbone’ of the network encrypted? How about a shared access communications room? Security of cable control and management systems is critical since, once on to the ‘backbone’ of a system, untold damage can be done by eavesdropping on network cabling.

It is also good practice to offer two types of Internet connection, one for those employed by the company and one for its guests. This way, the business is able to manage the areas visitors can access, protecting any sensitive information, which is particularly pertinent now given the arrival of the GDPR.

Read the full article here

Marriott hit by hack but where was their log management?

Marriott International Inc is the latest company to announce a hack, and this one could be the largest breach in corporate history.

Details of some 500 million guests were accessed from the company’s reservation database at its Starwood unit. This included passport numbers, mailing and email addresses and even some credit card details.

The breach reputedly happened in 2014, which begs the question, why was no one checking the logs? Was there no log management system, were their system administrators negligent in their duty, or worse still, the incident ignored?

A log management system collects data from servers, computers, routers, applications, databases etc. and generates information on what is happening in each system. All this diverse information is gathered together and, by looking at the trends or events happening on each system, an administrator can detect unusual behaviour, identifying a possible hack.

If these incidents go unchecked, a hacker has a free journey around the entire network, gaining access to more and more valuable resources such as personal data.

According to Colin Tankard, Managing Director of data security company Digital Pathways, “when a hack occurs there are usually three stages. First, the primary hacker gains access and takes what they want. Second, the way in to the network is shared by the primary hacker to their colleagues and community. They then ‘pick over the bones,’ much like a vulture does after the lions have had their fill. Finally, login details are shared openly to all hackers on various websites and then all the wannabe hackers come in to ‘have a party’ inside the network. The most damage is often done at this point.”

The second question to raise is, where were the encryption keys being stored?

According to Marriott the data was encrypted but the encryption keys were taken, so the data could be read.

“There should always be separation of duties between administrators and security, as well as between encryption key storage and the systems the encryption is being used on,” says Tankard. “Any system that does not have this in place has a major flaw in its data security strategy. I always advise that encryption keys should be stored in a High Security Module (HSM) administered by the security team.

“The HSM is a server which creates encryption keys, stores them and, when needed by an application, passes the encryption key for use. The key is never stored permanently in the application,” explains Tankard.

He adds, “it is also very important to change the encryption key on a regular basis; this is called key rotation.

“There is simply no cutting corners when it comes to data security, especially in today’s climate where cyber-criminals are on the increase and strident legislation, such as GDPR, is in place.

“Where personal data is being stored, robust data security systems must be in place but not only this, they must be managed in a responsible and timely way.”
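As an added illustration of the separation Tankard describes (this is example code, not code from the article or from Digital Pathways): a stand-in key custodian holds the key-encryption keys and never exports them, the application stores only ciphertext plus per-record wrapped keys, and key rotation re-wraps those keys under a new version before the old one is destroyed. The names KeyCustodian, ReservationStore and rotate_keys, and the HMAC-based toy cipher used so the block runs on the standard library alone, are assumptions made for this demonstration.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher so the example runs on the
    standard library alone (production code would use AES-GCM or the HSM's own key-wrap)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob never yields plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyCustodian:
    """Hypothetical stand-in for the security team's HSM. Key-encryption keys (KEKs)
    never leave this object; callers get only wrapped DEKs or a DEK for one-off use."""

    def __init__(self) -> None:
        self._keks = {}      # version -> KEK bytes, held only here
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Key rotation: mint a new KEK version; older versions remain for unwrapping only."""
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        """Destroy an old KEK once every stored DEK has been re-wrapped."""
        del self._keks[version]

    def new_dek(self):
        """Return (plaintext DEK for immediate use, wrapped DEK for storage)."""
        dek = secrets.token_bytes(32)
        return dek, self.wrap(dek)

    def wrap(self, dek: bytes) -> bytes:
        # First byte records which KEK version protects this DEK.
        return bytes([self.current]) + _seal(self._keks[self.current], dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        version = wrapped[0]
        if version not in self._keks:
            raise KeyError(f"KEK version {version} has been retired")
        return _open(self._keks[version], wrapped[1:])


class ReservationStore:
    """Hypothetical application side: holds ciphertext and wrapped DEKs, never a KEK."""

    def __init__(self, custodian: KeyCustodian) -> None:
        self.custodian = custodian
        self.records = {}    # record id -> (wrapped DEK, ciphertext)

    def put(self, record_id: str, plaintext: bytes) -> None:
        dek, wrapped = self.custodian.new_dek()
        self.records[record_id] = (wrapped, _seal(dek, plaintext))  # DEK used once, not kept

    def get(self, record_id: str) -> bytes:
        wrapped, ct = self.records[record_id]
        return _open(self.custodian.unwrap(wrapped), ct)


def rotate_keys(custodian: KeyCustodian, store: ReservationStore) -> int:
    """Run by the security team, not the application: new KEK, re-wrap every stored DEK
    (the data itself is not re-encrypted), then retire the old KEK."""
    old = custodian.current
    custodian.rotate()
    store.records = {rid: (custodian.wrap(custodian.unwrap(w)), ct)
                     for rid, (w, ct) in store.records.items()}
    custodian.retire(old)
    return custodian.current
```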

Read the full article here in Global Security Magazine

The Future of Network-Connected Device Security

The proliferation of poorly secured network-connected devices has prompted the UK government to publish new best practice guidelines. Do these go far enough?

Wireless functionality has improved workplace efficiency and organisations are no longer restricted by cabling access. Unfortunately, many of these devices are poorly secured and rarely have their firmware updated.

The vulnerabilities in internet of things (IoT) devices have led to smart devices being part of botnets and incidents such as cardiac devices being vulnerable to hackers.

“The proliferation of IoT devices with poor security posture has increased the attack surface for threat actors dramatically,” says John Sheehy, vice-president of IOActive. “Compromised devices can be used by threat actors for anything from listening in on conversations and harvesting sensitive data, to cryptomining and jumping to traditional IT systems.”

Incidents where hackers have been able to exploit poor device security to obtain sensitive data have resulted in significant reputational damage, as happened to VTech in 2016. Such incidents could now – under the Data Protection Act 2018 – see companies fined.

As such attacks have become more frequent, the UK government has decided to step in. Earlier this year, the Department for Digital, Culture, Media and Sport (DCMS) published the Secure by Design report and later the Code of Practice for Consumer IoT Security – a guidance document advising on the best practices for securing IoT devices.

These guidelines are currently voluntary and are broken down into thirteen steps, as follows:

  1. No default passwords – all IoT device passwords should be unique and not resettable to any universal factory default value.
  2. Implement a vulnerability disclosure policy – all companies that provide internet-connected devices should provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.

To read all 13 steps click here to read the full article in Computer Weekly.com

Guideline benefits

For all of the challenges that come with this, organisations can nonetheless benefit from following such guidelines. In a survey by Bain and Co, it was discovered that executives would be prepared to spend 22% more on IoT devices that were proven to be secure.

“If a product has followed these guidelines, and has been independently checked, then people would pay more,” says Colin Tankard, managing director of Digital Pathways.

This increase in income could be used by manufacturers to offset the costs associated with following these best practice guidelines. Furthermore, the company’s reputation would be protected by having secured its devices appropriately.

Can you trust one free app to keep all your passwords safe?

How to navigate the world of virtual storage vaults as hackers target providers.

A password manager can be a vital tool to keep your personal information out of the hands of online criminals – giving you a single log-in to an app that saves you having to remember lots of different codes.

Once you have signed in, you can use the app to store passwords for all your online accounts securely, or even log in to them directly from the password manager itself.

But there is a potential dark side to this technology as it could be a target for hackers.

If a fraudster were able to steal your master password, they could gain access to key financial details all at once. So should you trust a password manager to keep your information safe?

The apps use software to store all an individual’s passwords in a ‘virtual bank vault’. They are then accessed via the single hard-to-crack master password.

Experts including the National Cyber Security Centre – part of the Government Communications Headquarters intelligence service (GCHQ) – believe a password manager makes an individual’s data more secure.

But it has not stopped criminals targeting these password vaults. Last year, password manager LastPass discovered a flaw in its software that was fixed without it affecting the service. In 2015, it also had to fend off a cyber attack.

Password manager OneLogin also ‘detected unauthorised access’ last year but it was able to block it in time.

Colin Tankard, of Harlow-based data security company Digital Pathways, says a password manager does not offer bullet-proof security because it will always be a target for hackers.

Read the full article in The Mail Online here

The chilling email threatening to share embarrassing information that is ‘driving people to suicide’

“It breaks up perfectly stable relationships and causes untold misery”

A shocking email is reportedly being sent round to random victims threatening that embarrassing information will be shared online unless large sums of money are paid.

The ransom messages are even believed to be leading some victims to the brink of suicide, according to cyber security expert Colin Tankard.

He told the Mail on Sunday that the hackers are claiming to have set up malware on particular porn websites that have recorded what is happening on a person’s computer screen, while also recording them via webcam.

In one particular incident, a member of the public was warned that unless they made a “donation” of $3000 (or £2300), the embarrassing material would be leaked online to their contact list.

As reported by the Mirror Online, Colin Tankard said: “There have been instances when people have committed suicide as a result of the horrible threats made.

“It breaks up perfectly stable relationships and causes untold misery.”

There doesn’t appear to be any set group that is being targeted, with victims being selected at random.

Tankard added that in these situations, the worst thing that you can do is to pay the demand as it could then lead to that person’s contact details being put on a ‘sucker list’.

It is thought that around £30 million per year could be made from threatening innocent people.

One person who was randomly targeted by the scam was Mail on Sunday journalist Sarah Hartley, who said: “Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.”

The scam involves two payments of £500 or more, paid in anonymous bitcoins, which creates problems in trying to track down the hacker.

Read the full article here in Essex Live

How trustworthy is AI?

Artificial intelligence (AI) and machine learning (ML) are two very hot buzzwords within the broader waves of technological change that are sweeping through our world under the banner of the Internet of Things (IoT). And, although their benefits look good, there is a fear that AI programs could go rogue and turn on us – or even be hacked by other AI programs.

Researchers from Harvard University demonstrated how medical systems using AI can be manipulated by an attack on image recognition models, getting them to see things that were not there. The attack program finds the best pixels to manipulate in an image to create adversarial examples that will push models into identifying an object incorrectly and thus cause false diagnoses.

Another doomsday scenario came from the RAND Corporation, a US policy think-tank that described several scenarios in which ML technology tracks and sets the targets of nuclear weapons. This would involve AI gathering and presenting intelligence to military and government leaders, who make the decisions to launch weapons. If the AI is compromised, it could be fooled into making the wrong decision.

Hackers love artificial intelligence as much as everyone else in the technology space and are increasingly tapping AI to improve their phishing attacks. Anup Ghosh, a cyber-security strategist, recently reported: “The evidence is out there that machines are far better at crafting emails and tweets that get humans to click. Security companies that fight these bad guys will also have to adopt machine learning.”

An AI security arms race is likely to be coming, as hackers’ ML-powered attacks are met with cyber-security professionals’ ML-powered countermeasures. A new concern around AI is in regard to regulation, specifically the General Data Protection Regulation (GDPR). Is it permissible to let a user give an application permission to make automated decisions on their behalf? If yes, will it be accompanied by a comprehensible explanation of how the AI makes decisions and how these decisions may impact that user? It could be a problem for companies developing AI that is so advanced nobody fully understands how it makes decisions. It is hard to know how all this will play out in practice. From a technical perspective, the level of granularity GDPR requires in explaining automated decisions is unclear. Until this is known, some innovators may choose to forge ahead with super algorithms. Others, worryingly, may ban European citizens from using some highly valuable functionality.

Read the full article here on page 20 of Network Security Magazine.

‘Pay the ransom – or watch me wreck your life’

‘Pay the ransom – or watch me wreck your life’: Chilling new fraud email that says you’ve been filmed on an adult website

  • The ‘ransom’ email explains that you have been caught viewing an adult website
  • The email includes key private details, such as secret passwords for a bank
  • Criminals are frightening victims into handing over £500 or more in Bitcoins

At first, the message seems harmless – an email pops up on your screen that could be from a friend or colleague.

But click on it and your blood will run cold. Because what follows is a string of vicious threats to destroy your life unless you hand over money.

The ‘ransom’ email explains that you have been caught viewing an adult website – captured on your computer’s camera.

To add credibility to the sting, the email includes key private details, such as your phone number and secret passwords for a bank or shopping account.

The effect is chilling, as Sarah Hartley, a Mail on Sunday journalist, found out for herself when she was targeted recently.

‘Like most journalists, I am as tough as old boots and used to dealing with all sorts. Yet what horrified me most about receiving such an email is that it breached my work firewall,’ she says.

‘That was my fault – the email name had looked credible. It came from a common female name and I had assumed it was a public relations adviser. So I clicked on the option to permit.

‘But when I read it I flushed hot and cold from head to toe – I was stunned by the sheer nastiness of the words.

‘If the person had been standing in front of me I felt they would have been wielding a knife. Adding to my sense of fear was that the email included a password I use for an online shopping account. A barrier had been broken.’

Hartley adds: ‘Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.

‘I would have been mortified to know my friends and work colleagues might be contacted in this way. The language was perfect – no hieroglyphics or request to send money to a Nigerian bank account – and that is what made it plausible.’

Hartley ignored the email. But criminals are frightening victims into handing over £500 or more in anonymous Bitcoins.

If they do not pay up, the blackmailer says they will share the details they have on the web.

Millions of computer users are being targeted in the sinister wave of ransom scams reputed to be cheating innocent people – targeted at random – out of at least £30million a year.

Personal information the blackmailers use to add credence to their claims can be bought for as little as £3 over the ‘dark web’ or ‘harvested’ using gadgets that can be purchased for about £40.

Colin Tankard is a cyber security expert who has been targeted himself by such criminals.

He says: ‘Ransomware can destroy lives.

‘There have been instances when people have committed suicide as a result of the horrible threats made.

‘It breaks up perfectly stable relationships and causes untold misery.’

Tankard, managing director of Harlow-based Digital Pathways, adds: ‘Part of the awfulness of such cyber attacks is that these emails are often sent randomly.

‘The criminal has no idea what a recipient has been doing – just making a guess.

‘Paying up is the worst thing a victim can do. You are then put on a ‘sucker list’.’

This means your name will be added to lists of people deemed susceptible to crime, which are then traded among criminals – invariably leading to victims receiving further demands for money.

Menacing language is used to make a victim feel insecure and vulnerable.

Tankard says: ‘Wording usually goes as follows, “While you were watching videos, your internet browser started out functioning as a remote viewer having a keylogger which gave me accessibility to your screen and web cam. After that, my software program obtained all your contacts.”

‘Then, “Well, in my opinion, $1,000 is a fair price for our little secret. You’ll make the payment by Bitcoin.”

Read the full article here in The Mail on Sunday

Chilling ransom attacks

Chilling ransom attacks threatening to share embarrassing information ‘driving people to suicide’

Victims are told compromising material will be shared unless they cough up huge sums of money

Chilling ransom messages being sent to random victims are costing them thousands of pounds and even driving some to the brink of suicide, according to reports.

Shocking emails sent to victims warn that compromising material will be used against them unless they hand over vast sums of cash.

In some cases, hackers claim that malware is set up on porn sites, meaning they have recorded what’s happening on a person’s screen while recording them on a webcam.

One such demand, the Mail on Sunday reports, says that unless the user gives a “donation” of $3,000 – £2,300 – the material will be sent to their contacts.

Cyber security expert Colin Tankard told the newspaper: “There have been instances when people have committed suicide as a result of the horrible threats made.

“It breaks up perfectly stable relationships and causes untold misery.”

Victims tend to be selected at random and the sender does not have compromising material.

Mr Tankard said paying up is the worst thing someone can do in this situation, as this means they could be put on a ‘sucker list’.

This means they could be targeted again.

It is thought that innocent people could be ripped off to the tune of £30million per year.

Mail on Sunday journalist Sarah Hartley, who was targeted by ransomware, said: “Although I knew I had not been watching pornography, the way I was threatened – that a video of me would be passed on to contacts if I dared breathe a word – was horribly menacing.”

People are persuaded to pay sums of £500 or more in anonymous bitcoins, making it hard to track down the scammer.

Famous examples include the WannaCry virus, which impacted more than 200,000 computers, including those used by the NHS.

Some victims paid up more than £100,000 to unlock their machines.

Read the full article here in The Mirror