Internet of Lousy Things

Uploaded on 2015-03-24 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The world of ubiquitous connected devices is almost here, and it’s so eagerly anticipated that it becoming a reality seems inevitable. Anticipation, however, doesn’t necessarily mean that we are going to have a good time with Internet of things.

As a matter of fact, every “paradigm shift” of such a global scale brings troubles, unless the appropriate preparations have been made. With IoT it doesn’t seem to be the case: As Alex Drozhzhin at Kaspersky Daily blog wrote, “There is a flood of appliances which could be connected – and some are connected – without a second thought as to whether or not it’s necessary. Most people barely give a second thought that a hack of a smart-connected appliance could be dangerous and a lot more threatening than a simple PC hack.”

In other words, more and more appliances of various kinds arrive – home electronics, health care devices, even car washes – equipped with Internet-enabled smart control systems, and they’re remotely hackable.

The situation is pretty clear (or, rather, pretty clearly bad) with home appliances: check out the already-famous report by David Jacobi about how easily he managed to hack his own smart home to shambles. What about the business angle? The implications are serious and can get ugly.

Here’s one scenario: a coffee machine serving a meeting room, where the most confidential information is shared between people. It’s okay if this is just a “dumb” devices, operated with buttons and tumblers, and all it can do is blend the coffee beans then add boiling water and sugar, and fill the cups. But then let’s imagine it is “smart”, i.e. it is WiFi-enabled and voice controlled. “Voice controlled” means that it has a microphone built-in. WiFi-enabled means that it is a) connected to a local corporate network, b) can receive and, most likely, send data, c) remotely hackable if there are flaws in the firmware and the network isn’t protected well enough. And given all this, is it possible such a smart coffee machine could end up a CyberEspionage device one day? It is absolutely possible – unless there are “draconian” measures applied by the firmware writers to make it 

Actually every “smart” appliance that has functionality to receive data input “in background” – smart TVs, and any other device with cameras and microphones – can be used for spying (and occasionally such incidents have already happen). Recent APTs routinely use notebook cameras to take pictures of the environment without users’ knowledge and consent. One can say that it is computers, and not smart devices, but in fact any smart appliance becomes a full-blown computer with the same possibilities and lack of security as its “common” brethren. Remember the spamming fridge?

In the post linked above we wrote about yet another scenario: attackers remotely disable a climate control system at a facility with strict temperature control rules (thus blinding IR security cameras, for instance) or switch off – again, remotely – the alarm system in an office building or bank. Then armed men in ski masks come in.

Every interconnected system is as secure and reliable as its weakest point. Every new smart device added to a given network is a potential entry point for people with malicious intent. Especially given the fact that the users of “smart” devices often neglect checking the settings, leaving the default ones set (which is a blatant violation of cybersecurity basics). It’s like leaving the keys for the super-secure bank vault at the bank’s doors under the rug. Vendors of smart appliances are clearly interested in adding functionality (and thus adding value) to their devices. They may be “smart”, they may be convenient to use, and just cool to have. But are they secure enough? Not necessarily.

“In general, the problem is that those who develop home appliances and make them connected face realities of a brand new world they know nothing about. They ultimately find themselves in a situation similar to that of an experienced basketball player sitting through a chess match with a real grand master,” Drozhzhin wrote. Users may also be clueless about the hidden threats that smart devices may pose, – for them a fancy voice-controlled coffee machine is still a coffee machine, not a ready-to-settle “nest” for cyberspies. And this means that developers of the home and business-oriented smart appliances must take a better look at how secure (or, for now, insecure) their firmware is, while the businesses who deploy such devices in their own networks, should keep them in check, in “presumption of guilt” mode.
Kaspersky http://ow.ly/KINxv

Metadata Will Kill Your Privacy
 
The UK government inquiry into whether it conducts mass surveillance and the legality of such an effort has recommended tighter controls on access to communications metadata.

The inquiry finds that mass surveillance capabilities exist in the UK, but are used appropriately. The inquiry also rejects use of the term "metadata", which it feels is not helpful because it is too vague. Instead the UK prefers the term “Content-Derived Information” because it is felt a more nuanced approach to the collection of data about communications is required.

The report offers the four-level definitions of data that can be gleaned from details of an individual's electronic communications. The report goes on to say that Communications Data Plus “would encompass details of web domains visited or the locational tracking information in a smartphone” and to make the following observation about how it should be handled: “However, there are legitimate concerns that certain categories of Communications Data – what we have called ‘Communications Data Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits, preferences and lifestyle) that are more intrusive. This category of information requires greater safeguards than the basic ‘who, when and where’ of a communication.”

The report says it has no problem with UK intelligence agencies collecting communications data through intercepts and does not recommend tighter controls on its collection and use. The call for more safeguards on Communications Data Plus is therefore notable in the Australian context, as the antipodean communications data collection proposal requires no warrant for access.

The UK report also says local legislation should therefore define three levels of metadata, under the following definitions:
Communications Data should be restricted to basic information about a communication, rather than data, which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.
Communications Data Plus would include a more detailed class of information, which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.

Content-Derived Information would include all information, which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation.
It's hard to see its suggestions on a finer classification of metadata being followed, if only because the call for “greater safeguards” is vague and  hard to follow.  

The Register
 

« Despite Snowden Leaks, Internet use is Largely Unchanged
Metadata Will Kill Your Privacy »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

STMicroelectronics

STMicroelectronics

ST is a global semiconductor leader delivering intelligent and energy-efficient products and solutions that power the electronics at the heart of everyday life.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.

Sysorex Government Services

Sysorex Government Services

Sysorex Government Services helps customers meet their strategic missions by providing secure, optimized IT solutions that allow them to perform more efficiently and effectively.

Cybersecurity & Infrastructure Security Agency (CISA) - USA

Cybersecurity & Infrastructure Security Agency (CISA) - USA

CISA leads the national effort to defend critical infrastructure against the threats of today and to secure against the evolving risks of tomorrow.

Aptible

Aptible

Aptible is a Platform as a Service (PaaS) that gives startups everything developers need to launch and scale apps and databases that are secure, reliable, and compliant.

Guardian Data Destruction

Guardian Data Destruction

Guardian Data Destruction provides a comprehensive suite of onsite e-data destruction services.

Blackwall

Blackwall

Blackwall (formerly BotGuard) is a security infrastructure company focused on protecting web ecosystems from automated threats, while optimizing performance for hosting environments.

Iowa Cyber Hub

Iowa Cyber Hub

Iowa Cyber Hub is a cybersecurity education partnership between Iowa State University and Des Moines Area Community College.

PatrOwl

PatrOwl

Automate your SecOps with PatrOwl, and start defending your assets efficiently.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Conquest Cyber

Conquest Cyber

Conquest Cyber builds adaptive risk management programs where innovation is most needed – within defense, intelligence, federal civilian agencies and the industrial base that supports them.

Digital Element

Digital Element

Digital Element is a global IP geolocation and intelligence leader with unrivaled expertise in leveraging IP address insights to deliver new value to companies.

Inspectiv

Inspectiv

Inspectiv offers a turn-key solution to continuously identify security vulnerabilities and provide security assurance.

Serbus

Serbus

Serbus Secure is a fully managed suite of secure communication, enterprise mobility and mobile device security tools.

PureSquare

PureSquare

PureSquare exist to empower people with simple solutions for their increasingly complex digital security & online privacy needs.

FusionAuth

FusionAuth

FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome.