Archive for breach

The Top 10, Top 10 Predictions for 2017

It's the time of year when crystal balls get a viewing and many pundits put out their annual predictions for the coming year. Rather than thinking up my own, I figured I'd regurgitate what many others are expecting to happen.

8 Predictions About How the Security Industry Will Fare in 2017 – An eWeek slideshow looking at areas like IoT, ransomware, automated attacks and the security skills shortage in the industry. Chris Preimesberger (@editingwhiz), who does a monthly #eweekchat on twitter, covers many of the worries facing organizations.

10 IoT Predictions for 2017 – IoT was my number 1 in The Top 10, Top 10 Predictions for 2016 and no doubt, IoT will continue to cause havoc. People focus so much on the ‘things’ themselves rather than the risk of an internet connection. This list discusses how IoT will grow up in 2017, how having a service component will be key, the complete mess of standards and simply, ‘just because you can connect something to the Internet doesn’t mean that you should.’

10 Cloud Computing Trends to Watch in 2017 - Talkin' Cloud posts Forrester’s list of cloud computing predictions for 2017 including how hyperconverged infrastructures will help private clouds get real, ways to make cloud migration easier, the importance (or not) of megaclouds, that hybrid cloud networking will remain the weakest link in the hybrid cloud and that, finally, cloud service providers will design security into their offerings. What a novel idea.

2017 Breach Predictions: The big one is inevitable – While not a list, per se, NetworkWorld talks about how we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation. Political manipulation? No, that’ll never happen. NW talks about how cyber attacks will get worse due to IoT and gives some ideas on how to protect your data in 2017.

Catastrophic botnet to smash social media networks in 2017 – At the halfway point the Mirai botnet rears its ugly head and ZDNet explains how Mirai is far from the end of social media disruption due to botnets. With botnets-for-hire now available, there will be a significant uptick in social media botnets which aim not only to disrupt but also to earn money for their operators in 2017. Splendid.

Torrid Networks' Top 10 Cyber Security Predictions For 2017 – Dhruv Soi looks at the overall cyber security industry and shares that many security product companies will add a machine learning twist to their products and, at the same time, there will be next-gen malware with an ability to bypass machine learning algorithms. He also talks about the fast adoption of Blockchain, the shift towards mobile exploitation and the increase of cyber insurance in 2017.

Fortinet 2017 Cybersecurity Predictions: Accountability Takes the Stage - Derek Manky goes in depth with this detailed article covering things like how IoT manufacturers will be held accountable for security breaches, how attackers will begin to turn up the heat in smart cities and whether technology can close the gap on the critical cyber skills shortage. Each of his 6 predictions includes a detailed description along with risks and potential solutions.

2017 security predictions – CIO always has a year-end prediction list and this year doesn't disappoint. Rather than reviewing the obvious, they focus on things like dwell time, the interval between a successful attack and its discovery by the victim. In some cases, dwell times can reach as high as two years! They also detail how passwords will eventually grow up, how the security blame game will heat up and how mobile payments, too, will become a liability. A little different take and a good read.

Predictions for DevOps in 2017 – I'd be remiss if I didn't include some prognostication about DevOps - one of the most misunderstood terms and functions of late. DZone expects DevOps teams to start including security as part of development instead of as an afterthought, sees containerization solutions growing in popularity, and sees DevOps principles moving into the mainstream enterprise rather than one-off projects.

10 top holiday phishing scams – While many of the lists are forward-looking into the New Year, this one dives into the risks of the year end. Holiday shopping. A good list of holiday threats to watch out for including fake purchase invoices, scam email deals, fake surveys and shipping status malware messages begging you to click the link. Some advice: Don’t!

Bonus Prediction!

Top 10 Most Popular Robots to Buy in 2017 – All kinds of robots are now entering our homes and appearing in society. From vacuums to automated cars to drones to digital assistants, robots are interacting with us more than ever. While many are for home use, some also help with the disabled or help those suffering from various ailments like autism, a stroke or even a missing limb. They go by many monikers like Asimo, Spot, Moley, Pepper, Jibo and Milo to name a few.

Are you ready for 2017?

If you want to see if any of the previous year’s prognoses came true, here ya go:

ps




Is 2016 Half Empty or Half Full?

Updating passwords is a huge trend in 2016


With 2016 crossing the half way point, let's take a look at some technology trends thus far.

Breaches: Well, many databases are half empty due to the continued rash of intrusions while the crooks are half full with our personal information. According to the Identity Theft Resource Center (ITRC), there have been 522 breaches thus far in 2016 exposing almost 13,000,000 records. Many are health care providers as our medical information is becoming the gold mine of stolen info. Not really surprising since the health care wearable market is set to explode in the coming years. Many of those wearables will be transmitting our health data back to providers. There were also a bunch of very recognizable names getting blasted in the media: IRS, Snapchat, Wendy’s and LinkedIn. And the best advice we got? Don’t use the same password across multiple sites. Updating passwords is a huge trend in 2016.

Cloud Computing: According to IDC, public cloud IaaS revenues are on pace to more than triple by 2020, from $12.6 billion in 2015 to $43.6 billion in 2020. The public cloud IaaS market grew 51% in 2015 but growth will slow slightly after 2017 as enterprises get past the wonder and move more towards cloud optimization rather than simply testing the waters. IDC also noted that four out of five IT organizations will be committed to hybrid architectures by 2018. While hybrid is the new normal, remember: The Cloud is Still just a Datacenter Somewhere. Cloud seems to be more than half full and this comes at a time when ISO compliance in the cloud is becoming even more important.

DNS: I’ve said it before and I’ll say it again, DNS is one of the most important components of a functioning internet. With that, it presents unique challenges to organizations. Recently, Infoblox released its Q1 2016 Security Assessment Report and off the bat said, ‘In the first quarter of 2016, 519 files capturing DNS traffic were uploaded by 235 customers and prospects for security assessments by Infoblox. The results: 83% of all files uploaded showed evidence of suspicious activity (429 files).’ They list the specific threats from botnets to protocol anomalies to Zeus and DDoS. A 2014 vulnerability, Heartbleed, still appears around 11% of the time. DevOps is even in the DNS game. In half full news, VeriSign filed two patent applications describing the use of various DNS components to manage IoT devices. One is for systems and methods for establishing ownership and delegation of IoT devices using DNS services and the other is for systems and methods for registering, managing, and communicating with IoT devices using DNS processes. Find that half full smart mug...by name!

IoT: What can I say? The cup runneth over. Wearables are expected to close in on 215 million units shipped by 2020, with 102 million this year alone. I think that number is conservative with smart eyewear, watches and clothing grabbing consumers' attention. Then there's the whole realm of industrial solutions like smart tractors, HVAC systems and other sensors tied to smart offices, factories and cities. In fact, utilities are among the largest IoT spenders and will be the third-largest industry by expenditure in IoT products and services. Over $69 billion has already been spent worldwide, according to the IDC Energy Insights/Ericsson report. And we haven't even touched on all the smart appliances, robots and media devices finding spots in our homes. Get ready for Big Data regulations as more of our personal (and bodily) data gets pushed to the cloud. And we're talking a lot of data.

Mobile: We are mobile, our devices are mobile and the applications we access are mobile. Mobility, in all its iterations, is a huge enabler and concern for enterprises and it'll only get worse as we start wearing our connected clothing to the office. The Digital Dress Code has emerged. With 5G on the way, mobile is certainly half full and there is no emptying it now.


Of course, F5 has solutions to address many of these challenges whether you're boiling over or bone dry. Our security solutions, including Silverline, can protect against malicious attacks; no matter the cloud - private, public or hybrid - our Cloud solutions can get you there and back; BIG-IP DNS, particularly DNS Express, can handle the incredible name request boom as more 'things' get connected; and speaking of things, your datacenter will need to be agile enough to handle all the nouns requesting access; and check out how TCP Fast Open can optimize your mobile communications.

That's what I got so far and I'm sure 2016's second half will bring more amazement, questions and wonders. We'll do our year-end reviews and predictions for 2017 as we all lament, where did the Year of the Monkey go?

There's that old notion that if you see a glass half full, you're an optimist and if you see it half empty you are a pessimist. I think you need to understand what state the glass itself was before the question. Was it empty and filled half way or was it full and poured out? There's your answer!

ps 




Backseat Drivers, Your Wish Has Come True

Posted in security, f5, silva, intelligent devices, control, mobile, malware, breach, iot, things, sensors by psilva on January 27th, 2016

Excuse for speeding 10 years from now: ‘Officer, it was the software.’

When I was in college, I would drive the 1040 miles from Marquette Univ. in Milwaukee to my parents' house in Rhode Island for things like summer vacation and semester break. It seemed to take forever, especially through Pennsylvania where the state speed limit at the time was 55mph. I always tried to complete it straight through yet would inevitably start the head drop and would fall asleep at some rest stop in Connecticut, about 3 hours from my goal. This is back when they still had toll booths on the Connecticut turnpike.

As an adult, my family has driven the 2000 miles from California to Minnesota to visit family. In both instances, I wished I could simply doze off, take a little nap, stay on the road and awake a couple hundred miles closer to the destination. Yes, we alternated drivers but that also meant I wasn’t driving. For some reason, I had a much easier time falling asleep while holding the steering wheel than in shotgun position.

Soon, you just might be able to notch that seat in recline or even stretch out in the back – do I hear third row - while your car continues on its merry way. Deutsche Telekom and Nokia conducted the first demonstration of car-to-car communication over a high speed cellular connection with close to 5G performance. And they did it on the recently inaugurated Digital A9 Motorway Test bed - Germany’s Autobahn. The cars connected over a regular LTE service optimized for rapidly moving vehicles. They used a cellular network since it is already in place and didn’t need to negotiate a digital handshake to connect.

Nokia says that its technology cut the transmission lag time to under 20 milliseconds, versus today’s limit of 100+ milliseconds, give or take. And it is counting the relay time from one car to another, via a central cloud. This was simply a test to see how self-driving cars could communicate while travelling at high speeds. These connected cars will have a lot of data chatter but outside our earshot.

There is also growing attention to automobile vulnerabilities as more of these driverless cars start to appear on our roads. Recorded Future has a great graphic showing some of the attacks and exploits against automakers, vehicles and components since 2010.


Just like our applications, there is a growing list of the types of hackers focused on connected vehicles. Researchers, criminals, insiders, competitors and even nation states are all targeting these vehicles for their own purposes, and they all have their own motives as you can imagine. TechCrunch has an excellent article, Connected Car Security: Separating Fear From Fact, which digs into the short history of car vulnerability research along with the various players and what they are digging for.

Meanwhile, Ford Motors announced that they will begin testing self-driving cars at a Michigan facility called Mcity, a fake town with stores, crosswalks, street lights and other scale structures to test the software and sensors controlling the car. They've also announced that whatever driver data is generated (which can be up to 25GB an hour) is the customer's data. Ford says they will only share it with the customer's informed consent and permission.

And lastly, a Google self-driving car was lit-up by a CHiP in Mountain View for going too slow – 24mph in a 35 zone. Too bad no one was at the wheel to sign for the ticket. The officer quickly realized that he pulled over an autonomous car and asked the human passenger about the speed settings while reminding him of the CA Vehicle Code. This model tops out at 25mph for safety reasons and no ticket was issued.

And in the future, remember this: ‘Officer, it was the software.’

ps

This article originally appeared 11.19.15 on F5.com




The Breach of Things

Posted in security, f5, silva, cybercrime, humans, breach, iot, things by psilva on September 9th, 2014

Yet another retailer has confessed that their systems were breached and an untold number of victims join the growing list of those who have had their data stolen. This one could be bigger than the infamous Target breach. I wonder if some day we'll be referring to periods of time by the breach that occurred. 'What? You don't remember the Target breach of '13! Much smaller than the Insert Company Here Breach of 2019!' Or almost like battles of a long war. 'The Breach of 2013 was a turning point in the fight against online crime,' or some other silly notion.

On top of that, a number of celebrities' private photos, stored in the cloud (of course), were stolen. I'm sorry but if you are going to take private pictures of yourself with something other than a classic Polaroid, someone else will eventually see them.

Almost everything seems breachable these days. Last year, the first toilet was breached. The one place you'd think you would have some privacy has also been soiled. Add to that televisions, thermostats, refrigerators and automobiles. And a person's info with a dangerous hug. Companies are sprouting up all over to offer connected homes where owners can control their water, temperature, doors, windows, lights and practically any other item, as long as it has a sensor. Won't be long until we see sensational headlines including 'West Coast Fridges Hacked...Food Spoiling All Over!' or 'All Eastern Televisions Hacked to Broadcast old Gilligan's Island Episodes!'

As more things get connected, the risks of a breach obviously increase. The more I thought about it, I felt it was time to resurrect this dandy from 2012: Radio Killed the Privacy Star for those who may have missed it the first time. Armed with a mic and a midi, I belt out, karaoke style, my music video ‘Radio Killed the Privacy Star.’ Lyrics can be found at Radio Killed the Privacy Star.

Enjoy.


https://link.videoplatform.limelight.com/media/?mediaId=485cad6cd3a8440ead67a8a2a04e309a&width=560&height=420&playerForm=e654e4bff58a4a4f8a92c4c7a99dd587




The Reach of a Breach

It comes as no surprise that the CEO of Target has resigned in the wake of their massive data breach. The 2nd executive, if I remember correctly, to resign due to the mishap. Data breaches are costly according to the most recent Ponemon 2014 Cost of Data Breach Study: United States and the main reason for the steep increase in costs is 'the loss of customers following the data breach due to additional expenses required to preserve the organization's brand and reputation.' The cost of each lost or stolen record, on average, increased from $188 to $201 per record from 2012 to 2013 - about a 7% increase.

But that's not all. In 2013, there appeared to be 'an abnormal churn rate' of 15% of customers abandoning companies hit by a breach, especially those in financial services, says Ponemon. I'm always curious about that. I usually avoid stores that have been recently compromised wondering if something is lingering, yet think, they gotta be on high alert, especially with law enforcement involved. Maybe it's as safe as it ever will be.

A recent Courion survey of IT security executives showed that 78% of respondents say they're anxious about the possibility of a data breach at their organization. If there were a massive security breach at these companies, 58.8% said 'protecting the privacy of our customers' would be top priority and 62.7% would lament about 'negative publicity affecting the company brand' due to the breach. Maybe that's the problem. They're more worried about their image than they are of protecting our info. It's the 58.8% you want to shop at.

Reaching for more, Symantec’s Internet Security Threat Report (ISTR), Volume 19, shows a big change in cybercriminal habits, revealing the bad guys are plotting for months before pulling off the huge heists – instead of popping quick hits with smaller bounty. One big is worth fifty small. In 2013, there was a 62% uptick in the number of data breaches exposing more than 552 million identities. That's about 10% of the planet's population, give-or-take.

And finally, there have been a few companies that have gone out of business due to a leakage but a few months ago a data breach also closed some Seattle area Catholic schools. According to the Seattle Archdiocese, at least three Roman Catholic parishes and the Archdiocese’s chancery offices had been targeted by a tax-fraud scheme. In order to allow those who were victims time to contact the appropriate institutions during school hours, they cancelled classes. How's that for reach.

ps




A Decade of Breaches

Posted in security, f5, application security, silva, DoS attack, banking, cybercrime, hackers, breach, data loss, family by psilva on April 24th, 2014

Whales Not Included

Being from the Hawaiian Islands, the annual gathering of the Kohola (humpback whales) is always a spectacular view. They can get over half their body out of the water and administer a cannonball body slam splash like you've never seen before. Most of the internet thinks they breach to either see what's up (so to speak), let other whales know they are around (if the haunting squeal isn't doing it) and, most commonly, to relieve the body of lice, parasites and barnacles.

While nature's breaches are unmatched, many internet security breaches are run of the mill leakages.

The Verizon 2014 Data Breach Investigation Report (DBIR) found that over the last 10 years, 92% of the 100,000 security incidents analyzed can be traced to nine basic attack patterns. The patterns identified are:

  • Miscellaneous errors like sending an email to the wrong person
  • Crimeware (malware aimed at gaining control of systems)
  • Insider/privilege misuse
  • Physical theft or loss
  • Web app attacks
  • Denial of service attacks
  • Cyberespionage
  • Point-of-sale intrusions
  • Payment card skimmers

The really cool thing about the 9 attack patterns is that Verizon has also charted the frequency of incident classification patterns per industry vertical. For instance, in financial services 75% of the incidents come from web application attacks, DDoS and card skimming while retail, restaurants and hotels need to worry about point-of-sale intrusions. Utilities and manufacturing on the other hand get hit with cyber-espionage. Overall across all industries, only three threat patterns cover 72 percent of the security incidents in any industry.

[Figure 19 from the Verizon 2014 DBIR: frequency of incident classification patterns per industry vertical]

Once again, no one is immune from a breach and while media coverage often focuses on the big whales, the bad guys are not targeting organizations because of who they are but because a vulnerability was found and the crooks decided to see if they could get more. This means that companies are not doing some of the basics to stay protected. For the 2014 analysis, there were 1,367 confirmed data breaches and 63,437 security incidents from 50 global companies.

For the most part, the fixes are fairly basic: use strong authentication, patch vulnerabilities quickly and encrypt devices that contain sensitive information. I've barely scratched the surface of the report and highly suggest a thorough reading.

ps

Photo: Protected Resources Division, Southwest Fisheries Science Center, La Jolla, California.




Malware costs $491 Billion in Perspective

A recent joint study from IDC and the National University of Singapore (NUS) predicts that companies around the globe will spend around $491 billion in 2014 for fixes and recovery from data breaches and malware. The sponsor, Microsoft, also noted that pirated software tweaked with intent is a common method of getting inside. Consumers will likely spend $25 billion as a result of those security threats. $491 billion is a lot of change and in the spirit of Mobile Threats Rise 261% in Perspective, I wanted to know what else costs $491 billion.

Apparently, quite a few things!

U.S. motorists may spend a record $491 billion for gasoline this year. Expensive oil and increased exports have kept our fuel prices high this year. We are still under the 2008 average gas price record but we will still spend more due to gas going up sooner in the year and staying high longer. I know I've seen $4.11 here in California where the average is $3.94. While the winter blend production does bring some relief, don't expect major drops due to higher global demand along with the various feuds in the world.

Back in 2005, the US House of Representatives passed a $491 billion defense bill. This was when we were still in Iraq and the only reason I find this interesting is that the cyber-war can now cost as much as real wars. Not really apples to apples admittedly, but I often talk about how our digital worlds are colliding and integrating with our physical lives. Either way, the costs can be very real.

Now at the 3 year mark of the Fukushima meltdown, property damage so far has been assessed at approximately US$200 billion but some estimates show that the total burden will be $491 billion. While one could never put a price on the 19,000 people lost from the earthquake and tsunami, it is kinda spooky that breaches and malware are on par with nuclear disasters.

According to the Global Business Travel Association (GBTA) Foundation business travel was responsible for about 3% of U.S. GDP in 2012 or $491 billion. Essentially, every dollar of business travel spending generated about $1.28 in GDP. Of the $491 billion total, $208 billion accrued directly to businesses that served travelers or meeting attendees.

In 2011 the European chemical industry contributed 20.9% of the world's chemical sales valued at €2353 billion, generating €491 billion of revenues and employing 1.16 million people.

In 2012-13, India's total imports were $491 billion according to their Finance Minister.

And finally, the Earth is 491 billion feet from sun, give or take.

The malware market is on par with the likes of defense budgets, nuclear disasters, overall energy consumption and an entire country's import bill. It is often hard to quantify such large dollar amounts but when compared to the other $491 billion items, you can get a real sense of the magnitude.

ps




So Where Do We Go From Here?

Posted in security, f5, silva, privacy, banking, cybercrime, identity theft, malware, breach by psilva on March 5th, 2014

If you are who you say you are.

I've been travelling the last few weeks shooting some videos for VMware PEX and RSA. When that happens, my browser tabs get crowded with the various stories I'm interested in but will read later. This time they all seemed to hover around Identity Theft. When I got home, in my awaiting physical mail was a letter from Target. I also returned something to a national hardware store and the cashier tried to crumple my credit-card-info-having receipt into a trash can. Kismet.

Let's take a look...

The FTC recently announced that Identity Theft was the #1 complaint in 2013, for the 14th consecutive year. Is that a record? While down slightly from 2012, it still accounted for 14% of the 2 million overall complaints. This is down from 18% in 2012. Florida, followed by Georgia and California, were the worst hit states for ID theft. The IRS has also named Identity Theft as their #1 Dirty Dozen Tax scam for 2014.

Speaking of California, 7.5 million of the over 110 million breached Target accounts were Californians. California is one of the few states that require disclosure when more than 500 accounts are compromised. The first year California required reports, 2012, there were 131 breaches reported...in 2013 that rose to 170. The other interesting thing about California breaches is that many target smaller companies. In 2012, half of the reported breaches came from companies with fewer than 2500 employees and almost a third were businesses with less than 250 employees. Being small and relatively unknown is no shield.

Also in Southern California, the Feds busted a couple guys running a Tijuana-based identity theft ring. These dudes broke into a U.S. based mortgage broker's servers and siphoned off mortgage applications which included most of the borrower's personal info: name, birthday, SSN, DL number, tax info, the works. They then used that info to open credit lines and, with the info they had, were able to change access to the people's brokerage accounts. From there, transferring money to other accounts was a snap. From Dec 2012 thru June 2013 they stole personal data on 4200 individuals.

Javelin Strategy and Research released their annual 2014 Identity Fraud Study stating that in 2013, a new instance of identity fraud occurred every 2 seconds. 1 Mississippi, 2 Mississippi. Another. There were 13.1 million identity fraud victims in 2013. While the number of people is going up, the actual money stolen, according to Javelin, is going down. They estimated the total cost of identity fraud in 2013 to be around $18 billion, more than $3 billion less than 2012. 2004 holds the record at $48 billion. Attackers are now focusing on opening new accounts rather than piggybacking existing credit cards. Account takeovers, particularly for utilities and mobile phones, are the new freebies. Most of the stolen info appears to be from corporate breaches and about 1/3 of those who receive a breach letter actually become theft victims. Your debit card also seems more valuable than your social security number: 46% of consumers with breached debit cards became victims versus only 16% of those with breached SSNs.

And in an interesting twist, the top complaint against debt collectors is mistaken identity. Trying to collect a debt from the wrong person was by far, the most common complaint to the Consumer Financial Protection Bureau (CFPB). I know this all too well since over the last 3+ years, we've been getting debt collection calls looking for a certain person. We tell them that we've had our phone number for years and stop calling. Few months go by, the debt gets sold to another collector and we get calls again. It got so bad that this person's own mother called to tell her son that the dad was in the hospital and probably wouldn't make it. About 2 weeks later we got a call from another family member looking to talk about the father's death. This guy was running from debt so much so, that his own mother couldn't get a hold of him when dad was on his death bed. Now that's bad.

So where do we go from here? Will we all need that personal chip installed on our left earlobe to verify identity? The payment terminal says, 'Please listen for verification.' Riff-raff will then be all like, 'Oh, listen to this cool song,' as they plug the bud into your ear only to suck the data off your PID chip. You didn't hear? That's our IPv6 Personal Identity Chip inserted into every newborn starting in 2025.

Oh, it will happen.

ps




The Icebox Cometh

Will the Internet of Things turn homes into a House of Cards?

Our homes are being invaded...but not with critters that you'd call an exterminator for. Last summer I wrote Hackable Homes about the potential risks of smart homes, smart cars and vulnerabilities of just about any-'thing' connected to the internet. (I know, everyone loves a bragger) Many of the 2014 predictions included the internet of things as a breakthrough technology? (trend?) for the coming year. Just a couple weeks ago, famed security expert Bruce Schneier wrote about how the IoT (yes, it already has its own 3 letter acronym) is wildly insecure and often unpatchable in this Wired article. And Google just bought Nest Labs, a home automation company that builds sensor-driven, WiFi enabled thermostats and smoke detectors.

So when will the first refrigerator botnet launch?  It already has.

Last week, Internet security firm Proofpoint said the bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks. This is the first reported cyber attack using the Internet of Things, particularly home appliance botnets. The attack included everything from routers to smart televisions to at least one refrigerator. Yes, The Icebox! As criminals have now uncovered, the IoT might be a whole lot easier to infiltrate than typical PCs, laptops or tablets.

During the attack, there were a series of malicious emails sent in lots of 100,000 about 3 times a day from December 23 through January 6. Proofpoint found that over 25% of the volume was sent by things that were not conventional laptops, desktops or mobile devices. Instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and that one refrigerator. These devices were openly available primarily because they still had default passwords in place.

If people don't update their home router passwords or even update the software, how are they going to do it for the 50+ (give or take) appliances they have in their home?  Heck, some people have difficulty setting the auto-brew start time for the coffee pot; can you imagine the conversations in the future?  'What's the toaster's password?  I need to change the bagel setting!'  Or  'Oh no!  Overnight a hacker replaced my fine Kona blend with some decaf tea!'  Come on. Play along!  I know you've got one you just want to blurt out!

I understand this is where our society/technology/lives are going and I really like the ability to see home security cameras over the internet, but part of me wonders: is it really necessary to have my fridge, toaster, blender and toilet connected to the internet?  Maybe the fridge alerts you when something buried in back is molding.  I partially get the thermostats and smart energy things, but I can currently program my thermostat for temperature adjustments without an internet connection.  I push a few buttons and done.  Plus I don't have to worry about someone firing up my furnace in the middle of July.

We have multiple locks on our doors, alarm systems for our dwellings, security cameras for our perimeter, dogs under the roof and weapons ready yet none of that will matter if the digital locks for our 'things' are made of dumpling dough.  Speaking of dumplings, the smart-steamer just texted me with a link to see the live feed of the dim sum cooking - from inside the pot! 

My mind just texted my tummy to get ready.

ps




Bricks (Thru the Window) and Mortar (Rounds)

Posted in security, silva, banking, customer, cybercrime, malware, breach by psilva on January 15th, 2014

...or I've been Breached.

There was a time when people differentiated between stealing from a physical store and pilfering data from a network.  Throughout the years there have been articles talking about the safety/risks of shopping online vs. shopping at a retail outlet.  You could either get carjacked in the parking lot and have your wallet stolen on Black Friday or your browser hijacked and your digital identity stolen on Cyber Monday.  There are probably many people who exclusively shop one way or another due to their own risk assessment of each...ignoring whatever convenience, interaction, price, constraints, gratification, availability or any other perceived beneficial metric on the Franklin T-scale tied to the specific activity.

Now we've learned that the recent Target breach was due to malware being installed on the point of sale devices.  Wait, what?  A 'cyber' crime within a retail bricks environment?  Isn't anything sacred?  Well no, and this is really not anything new.  ATMs and point of sale devices have been targets for a while due to the simple fact that they run on an operating system.  A potentially vulnerable operating system.  In 2012, thieves broke into Barnes and Noble's keypads and grabbed a bunch of credit cards.  Subway also had its PoS devices infiltrated.  There will be more.

Online shopping has risen 300% since 2004 and continues to grow.  comScore reports that desktop sales on Black Friday grew 21% ($1.1 Billion) and Cyber Monday grew 18% ($1.7 billion).  Yet, with all the mouse orders we accomplish on any given day, according to the Dept. of Commerce, it still only amounts to 6% of all U.S. retail sales.  You'd think that it would be much higher but major purchases, like automobiles for instance, are still (mostly) purchased in person.  The shift, however, will certainly grow as more people rely on mobile as a primary purchase sidekick and... as always, the bad guys are going to focus on where they can get their take.  In this interesting TED talk, security expert Mikko Hypponen says that we are more likely to be a victim of an online crime than a real world stick up.

That includes an increase of blended attacks.

We've seen it a thousand times - plant something on the inside and siphon from the outside; launch a network based attack as a diversion to go after the app data; do a little social engineering surveillance to become one of them; and of course the classic, knock out the guards, put on their outfits and walk in while nobody notices.

There is still much to uncover about this latest breach but I can't help feeling that more retailers, as has been reported, will be screaming, 'This PoS device is a PoS.'

Nice how I worked that in huh?

ps
