A Nigerian internet service provider said Tuesday that a configuration error it made during a network upgrade caused a disruption of key Google services, routing traffic to China and Russia.
Prior to MainOne’s explanation Tuesday, there was speculation that Monday’s 74-minute data hijacking might have been intentional. Google’s search, cloud hosting and collaborative business tools were among services disrupted.
“Everyone is pretty confident that nothing untoward took place,” MainOne spokesman Tayo Ashiru said.
The type of traffic misdirection involved can knock essential services offline and facilitate espionage and financial theft. It can also be used to block access to information by sending data into internet black holes. Experts say China, in particular, has systematically hijacked and diverted U.S. internet traffic.
But the problem can also result from human error. That’s what Ashiru said happened to MainOne, a major west African ISP. He said engineers mistakenly forwarded to China Telecom addresses for Google services that were supposed to be local. The Chinese company, in turn, sent along the bad data to Russia’s TransTelecom, a major internet presence. Ashiru said MainOne did not yet understand why China Telecom did that, as the state-run company normally doesn’t allow Google traffic on its network.
The traffic diversion into China created a detour with a dead end, preventing users from accessing the affected Google services, said Alex Henthorn-Iwane, an executive at the network-intelligence company ThousandEyes.
He said Monday’s incident offered yet another lesson in the internet’s susceptibility to “unpredictable and destabilizing events. If this could happen to a company with the scale and resources available that Google has, realize it could happen to anyone.”
The diversion, known as Border Gateway Protocol (BGP) hijacking, is built into the internet, which was designed for collaboration by trusted parties—not competition by hostile nation-states. Experts say it is fixable but that would require investments in encrypted routers that the industry has resisted.
ThousandEyes said the diversion at minimum made Google’s search and business collaboration tools difficult or impossible to reach and “put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance.”
However, most network traffic to Google services—94 percent as of Oct. 27—is encrypted, which shields it from prying eyes even if diverted. Google said in a statement that “access to some Google services was impacted” but did not further quantify the disruption.
Google said it had no reason to believe the traffic hijacking was malicious.
Indeed, the phenomenon has occurred before. Google was briefly afflicted in 2015 when an Indian provider stumbled. In perhaps the best-known case, Pakistan Telecom inadvertently hijacked YouTube’s global traffic in 2008 for a few hours when it was trying to enforce a domestic ban. It sent all YouTube traffic into a virtual ditch in Pakistan.
In two recent cases, such rerouting has affected financial sites. In April 2017, one affected MasterCard and Visa among other sites. This past April, another hijacking enabled cryptocurrency theft.
This is going to be a basic introduction to elliptic curve cryptography. I will assume most of my audience is here to gain an understanding of why ECC is an effective cryptographic tool and the basics of why it works. My goal is to explain it in a general sense, I will be omitting proofs and implementation details and instead focusing on the high-level principles of what makes it work.
What It’s For
ECC is a way to encrypt data so that only specific people can decrypt it. This has several obvious real life use cases, but the main usage is in encrypting internet data and traffic. For instance, ECC can be used to ensure that when an email is sent, no one but the recipient can read the message.
ECC is a type of Public Key Cryptography
There are many types of public key cryptography, and Elliptic Curve Cryptography is just one flavor. Other algorithms include RSA, Diffie-Hellman, etc. I’m going to give a very simple background of public key cryptography in general as a starting point so we can discuss ECC and build on top of these ideas. Please by all means go study more in depth on public key cryptography when you have the time.
As seen below, public key cryptography allows the following to happen:
The graphic shows two keys, a public key and a private key. These keys are used to encrypt and decrypt data so that anyone in the world can look at the encrypted data while it is being transmitted, and be unable to read the message.
Let’s pretend that Facebook is going to receive a private post from Donald Trump. Facebook needs to be able to ensure that when the President sends his post over the internet, no one in the middle (Like the NSA, or internet service provider) can read the message. The entire exchange using Public Key Cryptography would go like this:
Donald Trump Notifies Facebook that he wants to send them a private post
Facebook sends Donald Trump their public key
Donald Trump uses the public key to encrypt his post:
“I love Fox and Friends” + Public Key = “s80s1s9sadjds9s”
Donald Trump sends only the encrypted message to Facebook
Facebook uses their private key to decrypt the message:
“s80s1s9sadjds9s” + Private Key = “I love Fox and Friends”
As you can see this is a very useful technology. Here are some key points.
The public key can be sent to anyone. It is public.
The private key must be kept safe, because if someone in the middle were to get the private key they could decrypt the messages.
Computers can very quickly use the public key to encrypt a message, and the private key to decrypt a message.
Computers require a very long time (millions of years) to derive the original data from the encrypted message if they don’t have the private key.
How it Works: The Trapdoor Function
The crux of all public key cryptographic algorithms is that they each have their own unique trapdoor function. A trapdoor function is a function that can only be computed one way, or at least can only be computed one way easily (in less than millions of years using modern computers).
Not a trapdoor function: A + B = C
If I’m given A and B I can compute C. The problem is that if I’m given B and C I can also compute A. This is not a trapdoor function.
“I love Fox and Friends” + Public Key = “s80s1s9sadjds9s”
If given “I love Fox and Friends” and the public key, I can produce “s80s1s9sadjds9s”, but if given “s80s1s9sadjds9s” and the public key I can’t produce “I love Fox and Friends”.
In RSA (Probably the most popular public key system) the trapdoor function relies on how hard it is to factor large numbers into their prime factors.
Public Key: 944,871,836,856,449,473
Private Key: 961,748,941 and 982,451,653
In the example above the public key is a very large number, and the private key is the two prime factors of the public key. This is a good example of a Trapdoor Function because it is very easy to multiply the numbers in the private key together to get the public key, but if all you have is the public key it will take a very long time using a computer to re-create the private key.
Note: In real cryptography the private key would need to be 200+ digits long to be considered secure.
What Makes Elliptic Curve Cryptography Different?
ECC is used for the exact same reasons as RSA. It simply generates a public and private key and allows two parties to communicate securely. There is one major advantage, however, that ECC offers over RSA. A 256-bit key in ECC offers about the same security as a 3072-bit key using RSA. This means that in systems with limited resources, such as smartphones, embedded computers and cryptocurrency networks, it uses less than 10% of the hard disk space and bandwidth required by RSA.
ECC’s Trapdoor Function
This is probably why most of you are here. This is what makes ECC special and different from RSA. The trapdoor function is similar to a mathematical game of pool. We start with a certain point on the curve. We use a function (called the dot function) to find a new point. We keep repeating the dot function to hop around the curve until we finally end up at our last point. Let’s walk through the algorithm.
Starting at A:
A dot B = -C (Draw a line from A to B and it intersects at -C)
Reflect across the X axis from -C to C
A dot C = -D (Draw a line from A to C and it intersects -D)
Reflect across the X axis from -D to D
A dot D = -E (Draw a line from A to D and it intersects -E)
Reflect across the X axis from -E to E
This is a great trapdoor function because if you know where the starting point (A) is and how many hops are required to get to the ending point (E), it is very easy to find the ending point. On the other hand, if all you know is where the starting point and ending point are, it is nearly impossible to find how many hops it took to get there.
Public Key: Starting Point A, Ending Point E
Private Key: Number of hops from A to E
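The dot-and-reflect game above, worked through in code as an added example (not from the original article): a toy curve y² = x³ + 2x + 3 over the integers mod 97, with the prime, curve and starting points constructed here so every hop can be checked by hand. It puts the easy direction (given the hop count, find E by double-and-add) next to the hard direction (given only A and E, count the hops by trying each one), which is the asymmetry the private key relies on.

```python
# Added example for this article, not code from the original post: the
# dot-and-reflect game played on a toy curve y^2 = x^3 + 2x + 3 over the
# field of integers mod 97. Prime, curve and points are constructed here;
# real ECC uses ~256-bit primes, which is what makes the reverse direction
# (counting the hops) infeasible in practice.

P_MOD = 97                 # constructed toy prime
A_COEF, B_COEF = 2, 3      # constructed curve: y^2 = x^3 + 2x + 3 (mod 97)
IDENTITY = None            # the point at infinity, the group's neutral element


def on_curve(pt):
    """True if pt satisfies the curve equation (the identity always does)."""
    if pt is IDENTITY:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def reflect(pt):
    """Mirror a point across the x axis: (x, y) -> (x, -y)."""
    if pt is IDENTITY:
        return IDENTITY
    x, y = pt
    return (x, (-y) % P_MOD)


def dot(p, q):
    """The article's 'dot': draw the line through p and q (the tangent when
    p == q) and return the third point where it meets the curve. That third
    point is -(p + q); reflecting it gives the group sum p + q."""
    if p is IDENTITY:       # the line through infinity and q is vertical,
        return reflect(q)   # so it meets the curve again at -q
    if q is IDENTITY:
        return reflect(p)
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return IDENTITY     # p == -q: vertical line, third point is at infinity
    if p == q:
        slope = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)   # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P_MOD)               # chord
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x3 - x1) + y1) % P_MOD   # the line's y at x3, not yet reflected
    return (x3, y3)


def add(p, q):
    """Group addition as the article describes it: dot, then reflect."""
    return reflect(dot(p, q))


def hops(start, n):
    """Play the game literally: E = start, then E = reflect(start dot E),
    until start has been used n times. Returns n*start after n-1 additions."""
    cur = start
    for _ in range(n - 1):
        cur = add(start, cur)
    return cur


def scalar_mult(n, pt):
    """Same result as hops(pt, n) in O(log n) additions (double-and-add).
    This is the easy direction: knowing the hop count, find the end point."""
    result, addend = IDENTITY, pt
    while n > 0:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result


def count_hops(start, end):
    """The hard direction: given only start and end, recover n with
    n*start == end by stepping through every hop. On this toy curve that is
    at most ~100 additions; on a 256-bit curve the loop would never finish.
    Returns None if end is not reachable from start."""
    cur, n = start, 1
    while True:
        if cur == end:
            return n
        if cur is IDENTITY:      # cycled all the way round without a match
            return None
        cur, n = add(start, cur), n + 1


def point_order(pt):
    """Smallest n >= 1 with n*pt == IDENTITY: the length of the game's cycle."""
    return count_hops(pt, IDENTITY)


if __name__ == "__main__":
    G = (1, 43)                        # constructed public starting point, on the curve
    private_hops = 17                  # the private key: how many hops
    E = scalar_mult(private_hops, G)   # the public end point
    print("G dot G =", dot(G, G), "-> reflected ->", add(G, G))
    print("public (G, E) =", G, E, "; cycle length of G =", point_order(G))
    print("hops recovered by brute force:", count_hops(G, E))
```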
It’s very rare these days that a hotel will give you a real key when you check in. Instead, most chain hotels and mid-sized establishments have switched over to electronic locks with a keycard system. As researchers from F-Secure have discovered, these electronic locks may not be very secure. Researchers from the company have managed to create a “master key” for a popular brand of hotel locks that can unlock any door.
The team began this investigation more than a decade ago, when an F-Secure employee had a laptop stolen from a hotel room. Some of the staff began to wonder how easy it would be to hack the keycard locks, so they set out to do it themselves. The researchers are quick to point out this has not been a focus of F-Secure for 10 years — it took several thousand total man-hours, mostly in the last couple years.
F-Secure settled on cracking the Vision by VingCard system built by Swedish lock manufacturer Assa Abloy. These locks are used in more than 42,000 properties in 166 countries. The project was a huge success, too. F-Secure reports they can create a master key in about a minute that unlocks any door in a hotel. That’s millions of potentially vulnerable hotel rooms around the world.
The hack involves a small handheld computer and an RFID reader (it also works with older magnetic stripe cards). All the researchers need to pull off the hack is a keycard from a hotel. It doesn’t even have to be an active one. Even old and invalid cards have the necessary data to reconstruct the keys that unlock doors. The custom software then generates a key with full privileges that can bypass all the locks in a building. Many hotels use these keys not only for guest rooms, but also elevators and employee-only areas of the hotel.
F-Secure disclosed the hack to Assa Abloy last year, and the lock maker developed a software patch to fix the issue. It’s available for customers to download now, but there’s one significant problem. The firmware on each lock needs an update, and there’s no guarantee every hotel with this system will have the resources to do that. Many of them might not even know the vulnerability exists. This hack could work for a long time to come, but F-Secure isn’t making the attack tools generally available. Anyone who wants to compromise these locks will have to start from scratch.
WikiLeaks just released internal documentation of the CIA’s massive arsenal of hacking tools and techniques. These 8,761 documents — called “Vault 7” — show how their operatives can remotely monitor and control devices, such as phones, TVs, and cars.
And what’s worse, this archive of techniques seems to be out in the open, where all manner of hackers can use it to attack us.
“The CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.” — WikiLeaks
WikiLeaks has chosen not to publish the malicious code itself “until a consensus emerges on… how such ‘weapons’ should be analyzed, disarmed and published.”
But this has laid bare just how many people are aware of these devastating hacking techniques.
“This archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” — WikiLeaks
Disturbingly, these hacks were bought or stolen from other countries’ intelligence agencies, and instead of closing these vulnerabilities, the government put everyone at risk by intentionally keeping them open.
“[These policy decisions] urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” — the operative who leaked the data
First, I’m going to break down three takeaways from today’s Vault 7 release that every American citizen should be aware of. Then I’ll give you actionable advice for how you can protect yourself from this illegal overreach by the US government — and from the malicious hackers the government has empowered through its own recklessness.
Takeaway #1: If you drive an internet-connected car, hackers can crash it into a concrete wall and kill you and your family.
I know, this sounds crazy, but it’s real.
“As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.” — WikiLeaks
We’ve known for a while that internet-connected cars could be hacked. But we had no idea of the scope of this until today.
Like other software companies, car manufacturers constantly patch vulnerabilities as they discover them. So if you have an internet-connected car, always update to the latest version of its software.
As Wikileaks makes more of these vulnerabilities public, car companies should be able to quickly patch them and release security updates.
Takeaway #2: It doesn’t matter how secure an app is — if the operating system it runs on gets hacked, the app is no longer secure.
Since the CIA (and probably lots of other organizations, now) know how to compromise your iOS and Android devices, they can intercept data before it even reaches the app. This means they can grab your unencrypted input (microphone, keystrokes) before Signal or WhatsApp can encrypt it.
One important way to reduce the impact of these exploits is to open source as much of this software as possible.
“Proprietary software tends to have malicious features. The point is with a proprietary program, when the users don’t have the source code, we can never tell. So you must consider every proprietary program as potential malware.” — Richard Stallman, founder of the GNU Project
You may be thinking — isn’t Android open source? Its core is open source, but Google and handset manufacturers like Samsung are increasingly adding closed-source code on top of this. In doing so, they’re opening themselves up to more ways of getting hacked. When code is closed source, there’s not much the developer community can do to help them.
“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” — John Chambers, former CEO of Cisco
By open-sourcing more of the code, the developer community will be able to discover and patch these vulnerabilities much faster.
Takeaway #3: Just because a device looks like it’s turned off doesn’t mean it’s really turned off.
One of the most disturbing exploits involves making Smart TVs look like they’re turned off, but actually leaving their microphones on. People all around the world are literally bugging their own homes with these TVs.
The “fake-off” mode is part of the “Weeping Angel” exploit:
“The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.” — Vault 7 documents
The leaked CIA documentation shows how hackers can turn off LEDs to make a device look like it’s off.
You know that light that turns on whenever your webcam is recording? That can be turned off, too. Even the director of the FBI — the same official who recently paid hackers a million dollars to unlock a shooter’s iPhone — is encouraging everyone to cover their webcams.
Just like how you should always treat a gun as though it were loaded, you should always treat a microphone as though it were recording.
What can you do about all this?
It’s not clear how badly all of these devices are compromised. Hopefully Apple, Google, and other companies will quickly patch these vulnerabilities as they are made public.
There will always be new vulnerabilities. No software application will ever be completely secure. We must continue to be vigilant.
Here’s what you should do:
Don’t despair. You should still do everything you can to protect yourself and your family.
There is worldwide concern over false news and the possibility that it can influence political, economic, and social well-being. To understand how false news spreads, Vosoughi et al. used a data set of rumor cascades on Twitter from 2006 to 2017. About 126,000 rumors were spread by ∼3 million people. False news reached more people than the truth; the top 1% of false news cascades diffused to between 1000 and 100,000 people, whereas the truth rarely diffused to more than 1000 people. Falsehood also diffused faster than the truth. The degree of novelty and the emotional reactions of recipients may be responsible for the differences observed.
In a post on its engineering blog, Github said, “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach that peaked at 1.35Tbps via 126.9 million packets per second.” Then, yesterday, Arbor Networks announced that record had been broken by a 1.7 TB attack!
2018 is set to be a very exciting year for cloud computing. In the fourth financial quarter of 2017, Amazon, SAP, Microsoft, IBM, Salesforce, Oracle, and Google combined had over $22 billion in their revenue from cloud services. Cloud services will only get bigger in 2018. It’s easy to understand why businesses love the cloud. It’s easier and more affordable to use third-party cloud services than for every enterprise to have to maintain their own datacenters on their own premises.
2017 was a huge year for data breaches. Even laypeople to the cybersecurity world heard about September’s Equifax breach because it affected at least 143 million ordinary people. Breaches frequently happen to cloud data, as well.
In May 2017, a major data breach that hit OneLogin was discovered. OneLogin provides identity management and single sign-on capabilities for the cloud services of over 2,000 companies worldwide.
“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount,” said OneLogin CISO Alvaro Hoyos.
Sometimes data lost from cloud servers is not due to cyber attack. Non-malicious causes of data loss include natural disasters like floods and earthquakes and simple human error, such as when a cloud administrator accidentally deletes files. Threats to your cloud data don’t always look like clever kids wearing hoodies. It’s easy to underestimate the risk of something bad happening to your data due to an innocent mistake.
One of the keys to mitigating the non-malicious data loss threat is to maintain lots of backups at physical sites at different geographic locations.
3. Insider threats
Insider threats to cloud security are also underestimated. Most employees are trustworthy, but a rogue cloud service employee has a lot of access that an outside cyber attacker would have to work much harder to acquire.
From a whitepaper by security researchers William R Claycomb and Alex Nicoll:
“Insider threats are a persistent and increasing problem. Cloud computing services provide a resource for organizations to improve business efficiency, but also expose new possibilities for insider attacks. Fortunately, it appears that few, if any, rogue administrator attacks have been successful within cloud service providers, but insiders continue to abuse organizational trust in other ways, such as using cloud services to carry out attacks. Organizations should be aware of vulnerabilities exposed by the use of cloud services and mindful of the availability of cloud services to employees within the organization. The good news is that existing data protection techniques can be effective, if diligently and carefully applied.”
4. Denial of Service attacks
Denial of service (DoS) attacks are pretty simple for cyber attackers to execute, especially if they have control of a botnet. Also, DDoS-as-a-service is growing in popularity on the Dark Web. Now attackers don’t need know-how and their own bots; all they have to do is transfer some of their cryptocurrency in order to buy a Dark Web service.
“Ordering a DDoS attack is usually done using a full-fledged web service, eliminating the need for direct contact between the organizer and the customer. The majority of offers that we came across left links to these resources rather than contact details. Customers can use them to make payments, get reports on work done or utilize additional services. In fact, the functionality of these web services looks similar to that offered by legal services.”
An effective DDoS attack on a cloud service gives a cyber attacker the time they need to execute other types of cyber attacks without getting caught.
5. Spectre and Meltdown
This is a new addition to the list of known cloud security threats for 2018. The Meltdown and Spectre speculative execution vulnerabilities also affect CPUs that are used by cloud services. Spectre is especially difficult to patch.
“Both Spectre and Meltdown permit side-channel attacks because they break down the isolation between applications. An attacker that is able to access a system through unprivileged log in can read information from the kernel, or attackers can read the host kernel if they are a root user on a guest virtual machine (VM).
This is a huge issue for cloud service providers. While patches are becoming available, they only make it harder to execute an attack. The patches might also degrade performance, so some businesses might choose to leave their systems unpatched. The CERT Advisory is recommending the replacement of all affected processors—tough to do when replacements don’t yet exist.”
6. Insecure APIs
Application Programming Interfaces are important software components for cloud services. In many cloud systems, APIs are the only facets outside of the trusted organizational boundary with a public IP address. Exploiting a cloud API gives cyber attackers considerable access to your cloud applications. This is a huge problem!
Cloud APIs represent a public front door to your applications. Secure them very carefully.
Over the past few days we’ve covered major new security risks that struck at a number of modern microprocessors from Intel and, to a much lesser extent, ARM and AMD. Information on the attacks and their workarounds initially leaked out slowly, but Google has pushed up its timeline for disclosing the problems and some vendors, like AMD, have issued their own statements. The two flaws in question are known as Spectre and Meltdown, and they both relate to one of the core capabilities of modern CPUs, known as speculative execution.
Speculative execution is a performance-enhancing technique virtually all modern CPUs include to one degree or another. One way to increase CPU performance is to allow the core to perform calculations it may need in the future. The difference between speculative execution and “execution” is that the CPU performs these calculations before it knows whether it’ll actually be able to use the results.
Here’s how Google’s Project Zero summarizes the problem: “We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.”
Meltdown is Variant 3 in ARM, AMD, and Google parlance. Spectre accounts for Variant 1 and Variant 2.
“On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”
Intel is badly hit by Meltdown because its speculative execution methods are fairly aggressive. Specifically, Intel CPUs are allowed to access kernel memory when performing speculative execution, even when the application in question is running in user memory space. The CPU does check to see if an invalid memory access occurs, but it performs the check after speculative execution, not before. Architecturally, these invalid branches never execute — they’re blocked — but it’s possible to read data from affected cache blocks even so.
The various OS-level fixes going into macOS, Windows, and Linux all concern Meltdown. The formal PDF on Meltdown notes that the software patches Google, Apple, and Microsoft are working on are a good start, but that the problem can’t be completely fixed in software. AMD and ARM appear largely immune to Meltdown, though ARM’s upcoming Cortex-A75 is apparently impacted.
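A practical check to go with the OS-level fixes just described, written as an added example (not from the article or from Google’s write-up): Linux kernels from 4.15 onward expose one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), and this script reports which mitigations the running kernel says are active. The SAMPLE dictionary is a constructed stand-in for those files so the logic also runs where the directory is absent.

```python
# Added example, not from the article: report which Meltdown/Spectre mitigations
# the running Linux kernel says are active. Kernels from 4.15 on expose one file
# per issue under /sys/devices/system/cpu/vulnerabilities/, holding a line such
# as "Mitigation: PTI", "Not affected" or "Vulnerable". SAMPLE below is a
# constructed stand-in for those files so the logic runs on any machine.
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

SAMPLE = {   # constructed: a host with the KPTI Meltdown fix but no Spectre v2 mitigation
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def classify(status_line):
    """Map one sysfs status line to (state, detail) with state one of
    'mitigated', 'not_affected', 'vulnerable' or 'unknown'."""
    text = status_line.strip()
    if text.startswith("Mitigation:"):
        return "mitigated", text[len("Mitigation:"):].strip()
    if text == "Not affected":
        return "not_affected", ""
    if text.startswith("Vulnerable"):
        return "vulnerable", text[len("Vulnerable"):].strip(": ")
    return "unknown", text


def read_sysfs(directory=SYSFS_DIR):
    """Return {issue: status_line} for the files that exist. An empty result
    means the kernel predates the interface (or this is not Linux)."""
    found = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(directory, issue)) as fh:
                found[issue] = fh.read()
        except OSError:
            continue
    return found


def report(statuses):
    """Classify every issue; a missing file is 'unknown', never 'mitigated',
    because absence of the entry is not evidence of a patch. Returns the
    per-issue table and the list of issues that still need attention."""
    rows = {}
    for issue in ISSUES:
        if issue in statuses:
            rows[issue] = classify(statuses[issue])
        else:
            rows[issue] = ("unknown", "no sysfs entry")
    needs_attention = [i for i, (state, _) in rows.items()
                       if state in ("vulnerable", "unknown")]
    return rows, needs_attention


if __name__ == "__main__":
    live = read_sysfs()
    rows, todo = report(live if live else SAMPLE)
    print("source:", "live sysfs" if live else "constructed SAMPLE")
    for issue, (state, detail) in rows.items():
        print(f"{issue:11} {state:13} {detail}")
    print("needs attention:", ", ".join(todo) if todo else "none")
```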
Meltdown is bad, but Meltdown can at least be ameliorated in software (with updates), even if there’s an associated performance penalty. Spectre is the name given to a set of attacks that “involve inducing a victim to speculatively perform operations that would not occur during correct program execution, and which leak the victim’s confidential information via a side channel to the adversary.”
Unlike Meltdown, which impacts mostly Intel CPUs, Spectre’s proof of concept works against everyone, including ARM and AMD. Its attacks are pulled off differently — one variant targets branch prediction — and it’s not clear there are hardware solutions to this class of problems, for anyone.
What Happens Next
Intel, AMD, and ARM aren’t going to stop using speculative execution in their processors; it’s been key to some of the largest performance improvements we’ve seen in semiconductor history. But as Google’s extensive documentation makes clear, these proof-of-concept attacks are serious. Neither Spectre nor Meltdown relies on any kind of software bug to work. Meltdown can be solved through hardware design and software rearchitecting; Spectre may not.
When reached for comment on the matter, Linux creator Linus Torvalds responded with the tact that’s made him legendary. “I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed,” Torvalds writes. “And that really means that all these mitigation patches should be written with ‘not all CPU’s are crap’ in mind. Or is Intel basically saying ‘We are committed to selling you shit forever and ever, and never fixing anything? Because if that’s the case, maybe we should start looking towards the ARM64 people more.”
It does appear, as of this writing, that Intel is disproportionately exposed on these security flaws. While Spectre-style attacks can affect all CPUs, Meltdown is pretty Intel-specific. Thus far, user applications and games don’t seem much impacted, but web servers and potentially other workloads that access kernel memory frequently could run markedly slower once patched.
From home appliances to health applications and security solutions, everything we use at home – and outside of it, is getting connected to the Internet, becoming the Internet of Things (IoT). Think about how many connected devices you have at home: tablets, laptops, e-readers, fitness devices, smart TVs – how about your thermostat, light bulbs, refrigerator and security system? Our home has effectively become a connected home, with an average of 12 things connecting to our home Wi-Fi network, transmitting data and delivering added value. But as connected home appliances continue to grow, so too will the cybersecurity risks.
Consumers have been fast to adopt IoT devices on the promise that they can improve our lifestyles. These things track and optimize our energy consumption, facilitate our daily tasks, improve our health and wellness, keep us secure and empower us with the freedom and data to do other things better. But from a security point of view, this unregulated, insecure and fragmented market represents a clear and present danger to individuals and society as a whole, from the cyber to the physical realm.
To protect connected homes, a multi-faceted approach is recommended, combining a firewall blocking mechanism with machine learning and artificial intelligence to detect network anomalies. Millions of IoT devices are already compromised, and we recommend that communication service providers (CSPs) initiate deployment of cybersecurity solutions today, in parallel to their own R&D plans. By providing cybersecurity solutions through partnerships, they can begin to protect their vulnerable clients today and establish a market leadership position.
The declining costs to manufacture chips that can store and transmit data through a network connection have enabled thousands of organizations and startups to bring IoT products to market. But the current lack of standards and security certifications, coupled with fierce market competition to deliver affordable IoT products, have made cybersecurity an expense that manufacturers prefer others to deal with.
The lack of experience and incentives in the IoT supply chain to provide secure devices has created a tremendously vulnerable IoT landscape. In fact, according to recent findings by Symantec, IoT devices can become compromised within two minutes of connecting to the Internet. Legislation has been too slow to deal with the current threat, and although there are public initiatives to drive cyber awareness among consumers, we do not expect any tangible changes soon.
There are many attack vectors and vulnerabilities to worry about in the Connected Home. From poor design decisions and hard-coded passwords to coding flaws, everything with an IP address is a potential backdoor to cyber crimes. Traditional cybersecurity companies reacted slowly and failed to provide defense solutions to the expanding universe of IoT devices. However, novel approaches with Artificial Intelligence and Machine Learning – such as analyzing and understanding network behaviors to detect anomalies, are now available to defend against these new threats.
With all its challenges and opportunities, consumer IoT is destined to disrupt long-established industries, making it a space one cannot afford to ignore. One such long-established industry is precisely the one powering the revolution: the CSPs providing the broadband. By and large, telecommunication companies have failed to monetize the data running through their home gateways, missing out on big opportunities. We believe that the connected home, especially cybersecurity, is a low-hanging fruit that communication service providers can and should pick before it’s too late.
Home security and safety-related appliances are top revenue drivers in the connected home landscape, and telecom companies are well positioned to enter this market and rebrand themselves as innovative and secure companies interested in the well-being and privacy of their customers. By leveraging existing assets such as the home router, telecoms can provide holistic solutions that include cybersecurity, data management and customer support, giving them a unique advantage over their competitors. Consumers would much rather trust their CSPs to continue managing their data than give it away to foreign or unknown companies. It is time for Internet Service Providers to reclaim their value as Service Providers, or they risk missing out on this revolution as broadband continues to become commoditized.
Stories of hacked IoT devices abound; a quick search online turns up spying Barbie dolls [2], TV sets that monitor their owners [3] and strangers accessing baby cameras [4]. Most ironic and worrying of all are the security flaws in best-selling home security systems, which can let attackers take control of the whole system because of missing encryption and insufficient security standards [5].
The cyber and physical risks intensify the more devices we connect: The volume of granular data that all these connected things generate when combined can provide a very detailed profile of the user, which can be used for identity theft and blackmail.
Once an unprotected IoT device gets hacked, a skilled hacker can proceed to infect other devices in the network via “lateral movement”. By jumping from one device to another, a hacker can gain complete control of a connected home. Because this threat comes from within the network, it is important to have a security solution that provides network visibility, creates device profiles and detects anomalies through machine learning and artificial intelligence.
There have been enough stories in the news for the average consumer to be aware of cyber threats; they know security is important and that they do not have it, but they lack the resources to properly protect themselves. IoT manufacturers should be held accountable for prioritizing security, but until that happens, the responsibility and the opportunity fall on CSPs to protect consumers.
What makes the IoT ecosystem a potentially deadly cyber threat is the combined computing and networking power of thousands of devices which, when operated together as a botnet, can execute massive Distributed Denial of Service (DDoS) attacks and shut down large swaths of the Internet through a fire hose of junk traffic. The IoT ecosystem represents a totally different level of complexity and scale in terms of security and privacy.
In October 2016 we got a taste of this structural risk when the infamous Mirai botnet attacked the DNS provider Dyn with what was reported as the biggest DDoS attack to that date, more than 1 terabit per second (Tbps) flooding the service and temporarily blocking access to Netflix, Twitter, Amazon, PayPal, SoundCloud, the New York Times and others. The Mirai botnet used enslaved IoT devices, nearly 150,000 hacked cameras, routers and smart appliances, whose owners were unwittingly doing its criminal bidding, and most of the infected devices remain out there, their users oblivious to the fact.
The way Mirai spreads and attacks is well documented, because its source code is public: each infected device scans the Internet for hosts answering on the Telnet port (TCP 23, with a fraction of probes aimed at TCP 2323), tries a short dictionary of factory-default or hard-coded usernames and passwords against them, and reports working logins to a loader that installs the bot. The bots then hold an open TCP connection to a command and control (C&C) server that sends attack instructions. That C&C traffic is not encrypted; the bot only XOR-obfuscates the strings inside its binary, which hinders casual static analysis but does nothing to hide its network behaviour from anyone watching the traffic.
The source code for Mirai was posted on the Hackforums site in late September 2016, after the KrebsOnSecurity attack and weeks before the Dyn attack [6], enabling other criminals to create their own strains of the malware. It is not necessary to have an "army" of thousands of infected devices to cause harm. Mini-DDoS botnets with hundreds of compromised nodes are sufficient to cause temporary structural damage while reducing the chances of getting caught; expect more of these attacks in the future.
Capturing vulnerable devices to turn them into botnets has become a cyber crime gold rush, with an estimated 4,000 newly vulnerable IoT devices coming online each day [7], and criminals selling and renting botnets on the dark net at competitive prices. Although simple to understand, this sort of malware is hard to detect because it does not generally affect device performance, so the average user cannot tell whether their device is part of a botnet, and even if they could, it is often difficult to interact with IoT devices that have no user interface.
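The scanning behaviour described above is visible from the home gateway, which is exactly the vantage point the earlier paragraph on lateral movement argues a CSP should use. The following is an added example written for this page, not Netonomy's product and not code from the Mirai source: it reads a constructed connection log (the format, the hostnames and the addresses are assumptions made for illustration) and flags any LAN host that reaches many distinct external addresses on the Telnet ports within a short window, which is how a Mirai-infected device looks from the router while a laptop using Telnet to manage the router itself does not.

```python
"""Spotting a Mirai-style Telnet scanner from home-gateway connection logs.

Added example; not Netonomy's product nor code from the Mirai source.
The log format is a constructed one assumed for illustration, one
outbound connection attempt per line:
    <epoch> <lan_src_ip> -> <dst_ip>:<dst_port> <proto> <state>
An infected device behaves like Mirai's scanner: many connection
attempts to distinct random Internet addresses on TCP 23 (and a smaller
share on TCP 2323) within a few seconds.
"""
from collections import Counter, defaultdict
import ipaddress

TELNET_PORTS = {23, 2323}

# RFC 1918 space, checked explicitly because ipaddress.is_private would also
# exclude the documentation ranges (198.51.100/24, 203.0.113/24) used below.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: .10 is a laptop, .20 an IP camera running Mirai's scanner,
# .30 an idle smart TV. The .10 Telnet session goes to the router itself.
SAMPLE_LOG = """\
1477900000 192.168.1.10 -> 172.217.3.110:443 tcp SYN
1477900001 192.168.1.10 -> 151.101.1.69:443 tcp SYN
1477900002 192.168.1.10 -> 192.168.1.1:23 tcp SYN
1477900003 192.168.1.20 -> 203.0.113.5:23 tcp SYN
1477900003 192.168.1.20 -> 198.51.100.77:23 tcp SYN
1477900004 192.168.1.20 -> 203.0.113.18:23 tcp SYN
1477900004 192.168.1.20 -> 198.51.100.9:2323 tcp SYN
1477900005 192.168.1.20 -> 203.0.113.200:23 tcp SYN
1477900005 192.168.1.20 -> 198.51.100.130:23 tcp SYN
1477900006 192.168.1.20 -> 203.0.113.41:23 tcp SYN
1477900006 192.168.1.20 -> 198.51.100.2:23 tcp SYN
1477900007 192.168.1.20 -> 203.0.113.99:23 tcp SYN
1477900007 192.168.1.20 -> 198.51.100.250:23 tcp SYN
1477900008 192.168.1.20 -> 203.0.113.7:2323 tcp SYN
1477900008 192.168.1.20 -> 198.51.100.66:23 tcp SYN
1477900009 192.168.1.20 -> 203.0.113.5:23 tcp SYN
1477900030 192.168.1.30 -> 93.184.216.34:80 tcp SYN
"""


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_line(line: str) -> dict:
    ts, src, _arrow, dst, proto, state = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "src": src, "dst": dst_ip,
            "port": int(dst_port), "proto": proto, "state": state}


def find_scanners(lines, window: int = 60, threshold: int = 10) -> dict:
    """Return {src_ip: peak number of distinct external Telnet targets} for
    every source whose peak within any `window`-second span reaches `threshold`."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "tcp" and ev["port"] in TELNET_PORTS and not is_lan(ev["dst"]):
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        left = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct external Telnet targets within 60 s (Mirai-style scan)")
```

The threshold and window are the knobs an operator tunes: legitimate devices almost never open Telnet to more than a handful of Internet hosts, so even a conservative threshold of ten distinct targets per minute separates a scanner from normal traffic, and the sliding window keeps a slow, spread-out scan from hiding behind fixed one-minute buckets.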
Stakeholders should take proactive steps that can prevent future incidents by addressing the lack of security-by-design in the IoT landscape. The Mirai malware was a warning shot, and organizations must be prepared for larger and potentially more devastating attacks. Because of market failures at play, regulation seems like the only way forward to incentivize device manufacturers to implement security in their design, but doing so could stifle innovation and prove disastrous to the ecosystem. It is because of this delicate balance that we believe service providers are perfectly positioned to seize this problem as an opportunity to become market leaders in the emerging field of IoT cybersecurity.
The frequency of cyber threats is increasing as the IoT landscape continues to expand. Gartner predicts that by 2020, addressing compromises in IoT security will have increased security costs to 20% of annual security budgets, from less than one percent in 2015 [8]. The threats to consumers and society are numerous, but joint cybersecurity and cyber-hygiene efforts by manufacturers, legislators, service providers and end users will mitigate the inherent risks discussed in this paper.
Until that happens, service providers are uniquely positioned and encouraged to begin offering cybersecurity services to their consumers through their home gateways: the main door of the home network. Communication Service Providers that provide home network security and management solutions today can become the preferred brand for Smart Home solutions and appliances, leading IoT market adoption while preventing the cyber risks associated with it.
Netonomy has developed a solution that is available today for service providers interested in providing a layer of security to their consumers and become a trusted market leader in the emerging IoT landscape. Because it is cloud-based, this solution can be instantly deployed across thousands of routers at a low cost and bring immediate peace of mind to consumers.
Netonomy’s Solution: Netonomy provides a simple, reliable and secure network for the connected home. Through a minimal-footprint agent installed on the home router, we provide a holistic solution to manage the connected home network and protect it from internal and external security threats. Our unique technology can be deployed on virtually all the existing home gateways quickly and at a minimal cost, providing ISPs and router manufacturers with better visibility into home networks and a premium service that can be sold to customers to make their connected future simple, reliable and secure.
In 2015 a government contractor placed confidential NSA data on his personal computer, which was running security software from the Russian company Kaspersky Lab. Allegations have surrounded Kaspersky Lab regarding inappropriate ties to the Russian government, as well as collusion with the hackers who conducted the NSA breach in 2015.
Recently, news broke of a modification to Kaspersky Lab security products that made them search not only for malware but for broad keywords as well. Such keywords can be used to identify specific documents located on a device. Although the keywords used in the NSA hack were not released, they were likely terms such as "top secret" or "confidential". It is believed that this alteration within the security software is what led to the successful theft of classified data from the NSA contractor's machine in 2015.
In a statement to Ars Technica, U.S. officials reported,
“There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this.”
It is quite clear that these alterations must have been made by someone, and that person is likely a Kaspersky official, although Kaspersky Lab continues to deny any involvement.
Not the First Suspicion…
However, this isn't the first time U.S. government officials have believed this could be possible. The U.S. intelligence agencies reportedly spent months studying and experimenting with Kaspersky software, with the goal of seeing whether they could trigger it into behaving as if it had discovered classified materials on a computer being monitored by U.S. spies. It is because of those studies that officials were persuaded Kaspersky was being used to detect classified information.
Conventional wisdom has long held that locking down your router with the WPA2 encryption protocol would protect your data from snooping. That was true for a long time, but maybe not for much longer. A massive security disclosure details vulnerabilities in WPA2 that could let an attacker intercept all your precious data, and virtually every device with Wi-Fi is affected.
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks:
Our attack is not limited to recovering login credentials (i.e. e-mail addresses and passwords). In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):
Key reinstallation attacks: high level description
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
Key reinstallation attacks: concrete example against the 4-way handshake
As described in the introduction of the research paper, the idea behind a key reinstallation attack can be summarized as follows. When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.
In our opinion, the most widespread and practically impactful attack is the key reinstallation attack against the 4-way handshake. We base this judgement on two observations. First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies. Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past. In turn, this causes all encryption protocols of WPA2 to reuse keystream when encrypting packets. In case a message that reuses keystream has known content, it becomes trivial to derive the used keystream. This keystream can then be used to decrypt messages with the same nonce. When there is no known content, it is harder to decrypt packets, although still possible in several cases (e.g. English text can still be decrypted). In practice, finding packets with known content is not a problem, so it should be assumed that any packet can be decrypted.
The ability to decrypt packets can be used to decrypt TCP SYN packets. This allows an adversary to obtain the TCP sequence numbers of a connection, and hijack TCP connections. As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting.
If the victim uses either the WPA-TKIP or GCMP encryption protocol instead of AES-CCMP, the impact is especially catastrophic. Against these encryption protocols, nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. Moreover, because GCMP uses the same authentication key in both communication directions, and this key can be recovered if nonces are reused, it is especially affected. Note that support for GCMP is currently being rolled out under the name Wireless Gigabit (WiGig), and is expected to be adopted at a high rate over the next few years.
The direction in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt (and forge) packets sent by the client. When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent towards the client. Finally, most of our attacks also allow the replay of unicast, broadcast, and multicast frames. For further details, see Section 6 of our research paper.
Note that our attacks do not recover the password of the Wi-Fi network. They also do not recover (any parts of) the fresh encryption key that is negotiated during the 4-way handshake.
Android and Linux
Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key. This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time. When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key. Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack.
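To make the two mechanisms above concrete, the key reinstallation that resets the nonce and the Linux/Android variant that installs an all-zero key, here is an added simulation written for this page. It is not code from the KRACK site, paper or proof-of-concept script. AES-CCMP is replaced by a stand-in counter-mode keystream built from HMAC-SHA256 (an assumption: any CTR-style cipher shares the property that matters here, that the keystream depends only on the key and the nonce), the handshake is reduced to message 1 and message 3, and the "hardened" branch mirrors the wpa_supplicant fix of refusing to install a key that is already installed.

```python
"""Simulating a KRACK message-3 replay against a WPA2 client.

Added example, not code from the KRACK site or paper. AES-CCMP is
replaced by a counter-mode keystream built from HMAC-SHA256; the only
property relied on is that the stream is a function of (key, nonce).
The 4-way handshake is reduced to message 1 (carries the ANonce) and
message 3 (triggers key installation). No 802.11 framing is modelled.
"""
import hashlib
import hmac
import os


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """CTR-mode stand-in: block i = HMAC(tk, pn || i). Same (tk, pn) -> same stream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + block.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to what the attack needs.

    hardened=False: pre-patch behaviour, every copy of message 3 reinstalls
        the key and resets the packet number (PN, the CCMP nonce) to 0.
    zero_key_bug=True: wpa_supplicant 2.4-2.6 behaviour, the key buffer is
        cleared after the first install, so a reinstall loads an all-zero key.
    hardened=True: the fix, a retransmitted message 3 is acknowledged but an
        already-installed key is never installed again.
    """

    def __init__(self, pmk: bytes, hardened: bool, zero_key_bug: bool = False):
        self.pmk = pmk
        self.hardened = hardened
        self.zero_key_bug = zero_key_bug
        self.snonce = os.urandom(32)
        self.pending_tk = None   # PTK-TK derived after message 1, awaiting install
        self.tk = None           # installed temporal key
        self.pn = None           # transmit packet number

    def recv_msg1(self, anonce: bytes) -> None:
        # PTK derivation reduced to one PRF call over the inputs that matter.
        self.pending_tk = hmac.new(self.pmk, anonce + self.snonce,
                                   hashlib.sha256).digest()[:16]

    def recv_msg3(self) -> str:
        if self.tk is not None:                # a key is already installed
            if self.hardened:
                return "ack-only"              # patched client: never reinstall
            if self.zero_key_bug:
                self.pending_tk = bytes(16)    # buffer was cleared after first install
        self.tk = self.pending_tk
        self.pn = 0                            # (re)installation resets the nonce
        return "installed"

    def send(self, payload: bytes):
        frame = (self.pn, xor(payload, keystream(self.tk, self.pn, len(payload))))
        self.pn += 1
        return frame


def run_attack(hardened: bool, zero_key_bug: bool = False) -> dict:
    """Replay message 3 once, then try to decrypt the next packet the victim sends.
    The attacker never sees the PMK or the real temporal key."""
    client = Supplicant(os.urandom(32), hardened, zero_key_bug)
    client.recv_msg1(os.urandom(32))
    client.recv_msg3()                         # genuine message 3: first install

    # First packet has content the attacker can predict (e.g. a TCP SYN header).
    known = b"TCP SYN to 93.184.216.34:80 seq=0x1a2b3c4d"[:32]
    pn1, ct1 = client.send(known)

    client.recv_msg3()                         # attacker replays message 3
    secret = b"Cookie: session=7f3a9c0e5b1d2f48"   # 32 bytes, constructed
    pn2, ct2 = client.send(secret)

    # If the nonce was reset, keystream recovered from (known, ct1) decrypts ct2.
    guess = xor(ct2, xor(known, ct1))
    result = {"nonce_reused": pn1 == pn2, "recovered": guess == secret}
    if zero_key_bug:
        # Linux/Android variant: the key is known to be all zeros, so the
        # attacker needs no known plaintext at all.
        result["zero_key_decrypt"] = xor(ct2, keystream(bytes(16), pn2, len(ct2))) == secret
    return result


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))
    print("all-zero key:", run_attack(hardened=False, zero_key_bug=True))
    print("patched:", run_attack(hardened=True))
```

Note what the zero-key run shows: the known-plaintext trick fails there because the first packet was encrypted under the real key and the second under zeros, yet the attacker decrypts the second packet anyway because the key itself is now predictable. That is why the Linux and Android variant is the one the authors call exceptionally devastating, and why the patched client's rule of "acknowledge, but never reinstall" closes both paths at once.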
Assigned CVE identifiers
The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.
Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made. As a result, the findings in the paper are already several months old. In the meantime, we have found easier techniques to carry out our key reinstallation attack against the 4-way handshake. With our novel attack technique, it is now trivial to exploit implementations that only accept encrypted retransmissions of message 3 of the 4-way handshake. In particular this means that attacking macOS and OpenBSD is significantly easier than discussed in the paper.
We would like to highlight the following addendums and errata:
Addendum: wpa_supplicant v2.6 and Android 6.0+
Linux’s wpa_supplicant v2.6 is also vulnerable to the installation of an all-zero encryption key in the 4-way handshake. This was discovered by John A. Van Boxtel. As a result, all Android versions higher than 6.0 are also affected by the attack, and hence can be tricked into installing an all-zero encryption key. The new attack works by injecting a forged message 1, with the same ANonce as used in the original message 1, before forwarding the retransmitted message 3 to the victim.
Addendum: other vulnerable handshakes
After our initial research as reported in the paper, we discovered that the TDLS handshake and WNM Sleep Mode Response frame are also vulnerable to key reinstallation attacks.
Erratum: In Figure 9 at stage 3 of the attack, the frame transmitted from the adversary to the authenticator should say ReassoReq instead of ReassoResp.
We have made scripts to detect whether an implementation of the 4-way handshake, group key handshake, or Fast BSS Transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts will be released once we had the time to clean up their usage instructions.
We also made a proof-of-concept script that exploits the all-zero key (re)installation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone had a reasonable chance to update their devices (and we have had a chance to prepare the code repository for release). We remark that the reliability of our proof-of-concept script may depend on how close the victim is to the real network. If the victim is very close to the real network, the script may fail because the victim will always directly communicate with the real network, even if the victim is (forced) on a different Wi-Fi channel than this network.
If you ask two researchers what the problem with Bluetooth is, they will have a simple answer.
“Bluetooth is complicated. Too complicated. Too many specific applications are defined in the stack layer, with endless replication of facilities and features.” Case in point: the WiFi specification (802.11) is only 450 pages long, they said, while the Bluetooth specification reaches 2822 pages.
Unfortunately, they added, the complexity has “kept researchers from auditing its implementations at the same level of scrutiny that other highly exposed protocols, and outwards-facing interfaces have been treated with.”
Lack of review leaves vulnerabilities waiting to be found.
And that is a fitting segue to this week’s news about devices with Bluetooth capabilities.
At Armis Labs, Ben Seri and Gregory Vishnepolsky are the two researchers who discussed the vulnerabilities in modern Bluetooth stacks—and devices with Bluetooth capabilities were estimated at over 8.2 billion, according to the Armis site’s overview.
Seri and Vishnepolsky are the authors of a 42-page white paper detailing what is wrong and at stake in their findings. The discovery is being described as an “attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them.”
They are calling the vector BlueBorne, as it spreads through the air and attacks devices via Bluetooth. Attackers can hack into cellphones and computers simply because they have Bluetooth on. "Just by having Bluetooth on, we can get malicious code on your device," Nadir Izrael, CTO and cofounder of security firm Armis, told Ars Technica.
Let’s ponder this, as it highlights a troubling aspect of attack: Lorenzo Franceschi-Bicchierai at Motherboard:
“‘The user is not involved in the process, they don’t need to be in discoverable mode, they don’t have to have a Bluetooth connection active, just have Bluetooth on,’ Nadir Izrael, the co-founder and chief technology officer for Armis, told Motherboard.”
Their white paper identified eight vulnerabilities: (The authors thanked Alon Livne for the development of the Linux RCE exploit.)
Yesterday, the Trump Administration released a statement indicating that Kaspersky Lab, one of the largest security companies in the world, would no longer be allowed to sell its products or services to the federal government. At the time, it wasn’t clear why the government had taken this step, and the CEO of Kaspersky Lab, Eugene Kaspersky, has strenuously argued that his company is being treated as a pawn in a game of chess between the US and Russia.
Kaspersky told ABC News that any concerns about his product were based in “ungrounded speculation and all sorts of other made-up things,” before adding that he and his company “have no ties to any government, and we have never helped nor will help any government in the world with their cyberespionage efforts.”
That last claim now looks particularly dubious. According to emails obtained by Bloomberg Businessweek (and confirmed by Kaspersky Lab as genuine), Kaspersky's ties to the Russian FSB (the successor to the KGB) are much tighter than previously reported. It has allegedly worked with the government to develop security software and worked on joint projects that "the CEO knew would be embarrassing if made public."
It is common, in fact practically essential, for security firms to work closely with their own governments, both in providing security solutions and in actively monitoring for threats or suspicious activity. But there is a difference between working with the federal government of your nation and acting as an agent on behalf of that government. These leaked emails seem to show the company slipping over that line.
The first part of the described project was a contract to build a better DDoS defense system that could be used by both the Russian government and other Kaspersky clients. Nothing unusual about that. But Kaspersky went farther, and agreed to some extremely unusual conditions. According to ABC News’ report, Kaspersky wrote that the project contained technology to protect against filter attacks, as well as implementing what researchers call “Active Countermeasures.”
But there is more to the story. Kaspersky also provided the FSB with real-time intelligence on the hackers' locations and sent experts to accompany the FSB on its investigations and raids. ABC's source described the situation thus: "They weren't just hacking the hackers; they were banging on the doors."
Certain members of Congress and US government intelligence agencies have both warned against using Kaspersky Lab products in any sensitive government or business setting, and this could easily explain why. Installing software that can phone home to a company affiliated with the FSB could be a major problem should hackers come calling. Kaspersky also sells a secure operating system, KasperskyOS, designed to run on critical infrastructure, factories, pipelines, and even self-driving cars. The US Defense Intelligence Agency has reportedly circulated internal memos warning of the risks of using Kaspersky's system, even as the company continues to deny that any connection between itself and Russia actually exists.
One More Thing…
Some will argue that this is mere political theater. After all, didn’t AT&T, Yahoo, Microsoft, Google, and a number of other companies comply with onerous requests made in dubious circumstances from the NSA and FBI? The answer, of course, is yes. But there are meaningful differences here: To the best of our knowledge, no one from Microsoft or AT&T ever did a ride-along on a raid to capture a suspect. It’s also a fact that more than one company fought hard against being forced to provide such evidence, capitulating only when all of the court cases and appeals had failed.
There may not be much practical difference between the end product delivered by a company that takes a job willingly and one that takes it only under duress, but there is a moral difference. Whether it's Tim Cook going to court to protect user privacy or Google promptly encrypting all of its traffic, including within the data center, more than a few US companies have taken (or tried to take) strong stances against such spying. That doesn't make them perfect. It may not even make them worthy of praise. But it does highlight a meaningful difference between what happened in Russia and what has happened in the United States.
Unless you have been living under the proverbial rock, you probably heard about a number of Internet of Things (IoT) attacks this fall, beginning with KrebsOnSecurity, then OVH, then the DDoS attack on Dyn DNS. All of this started with a bot called Mirai, and involved IoT devices. Why is this important? By 2020, it is estimated that the number of connected devices is expected to grow exponentially to 50 billion. A survey by HP indicates that about 70% of these devices have vulnerabilities, making them the perfect targets for botnets like Mirai.
Below is a collection of 10 blogs written by industry experts on this topic, that will help you fully understand the implications of this botnet and what it means for the future of connected devices.
Internet of Things or Internet of Threats? IoT is the ability for devices to be connected to the Internet and communicate with other devices; think of a thermostat knowing automatically when to heat your home without you having to take an action. While these smart devices may seem like a brilliant idea that can save you time and money, there are also risks associated with them. This blog will walk you through the two-part dilemma faced when using these devices and provide a background on the IoT.
Nine Questions to Ask to Determine IoT Device Safety: If you’re familiar with the IoT, then you’re aware of some of the risks that come with connected devices. From January 5-8, consumers and reporters alike will be flooding Las Vegas, Nevada for the Consumer Electronics Show to learn more about new devices making their debut in 2017. This blog by APAC Security Evangelist David Hobbs will provide nine questions you should ask the manufacturers (regardless of whether you are a consumer or reporter) about the safety of these devices.
BusyBox Botnet Mirai – the warning we’ve all been waiting for? Radware’s EMEA Security Evangelist, Pascal Geenens, takes us back to where it began – the attack on KrebsOnSecurity. As he states, “The most concerning fact, and the genius of Mirai, resides in its simplicity for victimizing IoT devices.” This blog will outline how the Mirai botnet works.
The deplorable state of IoT security: Following the public release of Mirai, the security community began to grow extremely concerned about the potential for additional attacks of that nature. In his second blog, Pascal discusses how the state of IoT security presents a prime opportunity for more attacks.
How Friday's Massive DDoS Attack on the U.S. Happened: DNS servers are like a roadmap to the internet, helping users find the websites they are looking for. When an attacker ties up all of a DNS server's resources, legitimate clients are unable to resolve their requests. Radware's ERT Researcher, Daniel Smith, outlines how the attack on Dyn DNS happened in this blog.
Let’s discuss facts: An insight into Mirai’s source-code: After three major cyber-attacks, speculation abounded on who the attackers were, what their motivation was, the exact attack vectors and the traffic volumes. In this blog post, Radware’s Snir Ben Shimol discusses what we know to be the facts about these attacks.
Is Heat Your Thermostat’s First Priority? Remember that smart thermostat that we mentioned? A hacker performed a DDoS attack on a heating distribution system that controlled the heating of two large apartment blocks in Finland back in November, shutting off heat for 20,000 residents. In the Dyn DNS attack, it was discovered that a handful of connected devices, mainly IP cameras, DVRs and routers, were the ones infected by Mirai and used in the attack. In this blog, Pascal discusses how that relates to your smart devices, like thermostats, and whether you should be concerned.
Cyber Security Predictions: Looking Back at 2016, Peering Ahead to 2017: What do we see on the docket for 2017? We correctly predicted in the 2015–2016 Global Application and Network Security Report that we would see the rise of the Internet of Things, which spawned the largest DDoS attack in history. Radware’s Vice President of Security Solutions, Carl Herberger, discusses our predictions for 2017 in this blog post.
The conversation is still going on the record-breaking volume of the Mirai botnet attack, and doesn’t show signs of slowing. Many security executives have been warning about IoT threats such as this for years, and now the world is finally paying attention.
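The blog teasers above describe Mirai’s “simplicity for victimizing IoT devices” and the cameras, DVRs and routers it recruited, but not what that looks like on the wire. Mirai spread by logging in over telnet with a built-in table of factory-default credentials, so the earliest signal a defender gets is a single source cycling through several default username/password pairs against a device in seconds. The detector below is an added example written for this page, not Radware’s code; it runs over a constructed honeypot log (a honeypot deliberately records attempted passwords, which a production device should never do), the log format and field names are assumptions, and the credential pairs are a handful taken from the table in Mirai’s released source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A few (user, password) pairs from the credential table in Mirai's released source.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("support", "support"),
}

# Assumed syslog-style line format written by a telnet honeypot (not a real daemon's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|ok) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from=(?P<src>[\d.]+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_credential_scanners(lines, window=timedelta(seconds=60), min_pairs=3):
    """Return {src_ip: report} for every source that either tried at least
    `min_pairs` distinct credentials inside any `window`-long span, or tried
    a credential that appears in MIRAI_DEFAULTS. A single bad login never
    trips this; a burst of different credentials from one address does."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        defaults_hit = {(r["user"], r["pw"]) for r in recs} & MIRAI_DEFAULTS

        # Sliding window: largest number of distinct credentials tried within `window`.
        max_distinct, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = {(r["user"], r["pw"]) for r in recs[start:end + 1]}
            max_distinct = max(max_distinct, len(distinct))

        if defaults_hit or max_distinct >= min_pairs:
            flagged[src] = {
                "distinct_creds_in_window": max_distinct,
                "mirai_defaults": sorted(defaults_hit),
                # A success after a default-credential burst means the device is now a bot.
                "login_succeeded": any(r["result"] == "ok" for r in recs),
            }
    return flagged


# Constructed sample log: one Mirai-style scanner (RFC 5737 documentation address)
# and one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2016-10-21T11:02:03Z telnetd[412]: login failed user=root pass=xc3511 from=203.0.113.7
2016-10-21T11:02:04Z telnetd[412]: login failed user=root pass=vizxv from=203.0.113.7
2016-10-21T11:02:04Z telnetd[412]: login failed user=admin pass=admin from=203.0.113.7
2016-10-21T11:02:05Z telnetd[412]: login ok user=root pass=888888 from=203.0.113.7
2016-10-21T11:05:10Z telnetd[413]: login failed user=alice pass=wrongpw from=198.51.100.20
2016-10-21T11:05:30Z telnetd[413]: login ok user=alice pass=correcthorse from=198.51.100.20
""".splitlines()

if __name__ == "__main__":
    for src, report in find_credential_scanners(SAMPLE_LOG).items():
        print(src, report)
```

The window threshold catches scanners that use credentials not on the Mirai list, while the explicit list catches a single default-credential attempt that is itself damning on a device that should never see one; a hit with `login_succeeded` set is the device to pull off the network first.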
As we go into 2017 our IoT Analytics team is again evaluating the main IoT developments of the past year in the global “Internet of Things” arena. This article highlights some general IoT 2016 observations as well as our top 8 news stories, with a preview for the new year of opportunities and challenges for global IoT businesses. (For your reference, here is our 2015 IoT year in review article.)
In 2016 the main theme for IoT was the shift from hype to reality. While in 2015 most people only heard about IoT in the media or consumed some marketing blogs, 2016 was different. Many consumers and enterprises went out and started their own IoT endeavors or bought their own IoT devices. Both consumer IoT and enterprise IoT enjoyed record uptake, but also saw some major setbacks.
A. General IoT 2016 observations
A1. Consumer IoT
Millions of consumers bought their first IoT Device in 2016. For many of them this was Amazon Echo (see below for more details).
Image 1: The Amazon Echo Dot was a consumer IoT 2016 success (left hand side) while other devices didn’t always convince (e.g., Nest thermostat – right hand side)
Unfortunately many consumers also realized that marketing promises and reality are often still disparate. Cases of disappointed users are increasing (For example a smart thermostat user who discovered that his thermostat was disconnected for a day).
Some companies were dissolved in 2016 (like the Smart Home Hub Revolv in April – causing many angry customers), others went bankrupt (like the smart watch maker Pebble in December) or didn’t even come to life at all (such as the augmented reality helmet startup Skully, which enjoyed a lot of publicity but filed for bankruptcy in August without having sold a single product).
A2. Enterprise IoT
On the enterprise/industrial side of things, IoT 2016 will go down as the year many firms got real about their first IoT pilot projects.
A general wake-up call came in October when a massive cybersecurity attack that involved IoT devices (mainly CCTV cameras and DVRs) shut down DNS provider Dyn and with it its customers’ websites (e.g., Airbnb, Netflix and Twitter). While this kind of attack didn’t directly affect most IoT companies, its implications scared many IT and IoT decision-makers. As a result, many IoT discussions have now shifted towards cybersecurity solutions.
B. Top 8 IoT 2016 Stories
For us at IoT Analytics, the IoT Security Attack on Dyn servers qualifies as the #1 story of the year. Here are our top takeaways from IoT 2016:
1. Biggest overall story: IoT Security attack on Dyn servers
The Dyn DDoS attack was the first large-scale attack powered by IoT devices to disrupt major consumer-facing services – Dyn estimates that up to 100,000 infected IoT devices were involved. As a first of its kind at that scale, it sent shockwaves through corporate IT and IoT.
Chinese CCTV component manufacturer Hangzhou Xiongmai Technology was at the core of the attack. Its cameras and DVR boards (among other vendors’ devices) had been infected with the so-called Mirai malware, which takes over devices that expose telnet with factory-default credentials. Mirai gave the attackers remote control of the infected devices, which were then directed to flood Dyn’s DNS servers with a coordinated, massive volume of requests – which led to the outage of Dyn’s services.
2. Biggest Consumer IoT Success: Amazon Echo
Launched in June 2015, the Amazon Echo Smart Home Voice Control was undoubtedly the consumer IoT success story of the year. Recent data provided by Amazon reveals that device sales exploded by 9x (year-on-year vs. last Christmas).
Our app-based Smart Home models confirm this trend suggesting that Amazon sold more than 1 million Echo devices in December 2016 and close to 4 million devices throughout the whole of 2016.
With these gains, Amazon has suddenly become the #1 Smart Home Hub and is leading the paradigm shift towards a voice-controlled automated home. Google jumped on the same train in October by releasing Google Home; Microsoft Home Hub is expected to follow in 2017.
3. Most overcrowded space: IoT Platforms
When we launched our coverage of IoT Platforms in early 2015, little did we know that the topic would soon become the hottest IoT area. Our count of platform providers in May 2016 showed 360 platforms. Our internal research is now well over 400. IoT Platforms is also well placed in the Gartner Hype Cycle 2016.
Companies have realized that the value of IoT lies in the data and that those that manage this data will be the ones capturing a large chunk of this value. Hence, everyone is building an IoT platform.
The frightening part is not necessarily the number but rather the fact that the sales pitches of the platform providers all sound like this: “We are the only true end-2-end platform which is device-agnostic and completely secure”.
4. Largest M&A Deal: Qualcomm/NXP
While we can see a massive expansion of global IoT software/analytics and platform offerings, we are also witnessing a consolidation among larger IoT hardware providers – notably in the chip sector. In October 2016, US-based chipmaker Qualcomm announced it would buy NXP, the leader in connected car chips, for $39B, making it the biggest-ever deal in the semiconductor industry.
Other large hardware/semiconductor acquisitions and mergers during IoT 2016 include Softbank/ARM ($32B) and TDK/Invensense ($1.3B)
5. Most discussed M&A Deal: Cisco/Jasper
In February, Cisco announced that it would buy IoT Platform provider Jasper Technologies for $1.4B. Journalists celebrated the acquisition as a logical next step for Cisco’s “Internet of Everything” story – combining Cisco’s enterprise routers with Jasper’s backend software for network operators and hopefully helping Cisco put an end to declining hardware sales.
6. Largest startup funding: Sigfox
Sigfox already made it into our 2015 IoT news list with their $100M Series D round. Their momentum and the promise of a global Low Power Wide Area Network led to an even larger funding round in 2016. In November, the French company received a record $160M in a Series E that involved Intel Capital and Air Liquide among others.
Another notable startup funding during IoT 2016 involved the IoT Platform C3IoT. The Redwood City-based company received $70M in their Series D funding.
7. Investment story of the year: IoT Stocks
For the first time IoT stocks outperformed the Nasdaq significantly. The IoT & Industry 4.0 stock fund (Traded in Germany under ISIN: DE000LS9GAC8) is up 17.5% year-on-year, beating the Nasdaq which is up 9.6% in the same time frame. Cloud service providers Amazon and Microsoft are up 14% for the year, IoT Platform provider PTC is up 35%. Even communication hardware firm Sierra Wireless started rebounding in Q4/2016.
Some of the IoT 2016 outperformance is due to an increasing number of IoT acquisitions (e.g., TDK/Invensense). At the beginning of 2016 we asked if the underperformance of IoT stocks in 2015 was an opportunity in 2016. In hindsight, the answer to that question is “Yes”. Will the trend continue in 2017?
8. Most important government initiative: EU Data Protection policy
In May, the European Union passed the General Data Protection Regulation (“GDPR”), which will come into effect on 25 May 2018. The new law has a wide range of implications for IoT technology vendors and users. Among other aspects:
Personal data breaches must be reported to the supervisory authority, in most cases within 72 hours of the organisation becoming aware of them
Processing requires a lawful basis; where that basis is the user’s consent, it must be freely given, specific, informed and unambiguous, and can be withdrawn
Each user has the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
Where a service relies on a child’s consent, verifiable parental consent is required below the age of 16 (member states may lower this to 13)
C. What to expect in 2017:
War for IoT platform leadership. The large IoT platform providers are gearing up for the war for IoT (platform) leadership. After years of organic development, several larger vendors started buying smaller platform providers in 2016, mainly to close existing technology gaps (e.g., GE-Bitstew, SAP-Plat.one, Microsoft-Solair)
War for IoT connectivity leadership. NB-IoT will finally be introduced in 2017. The new low-power standard that is heavily backed by major telco technology providers will go head-to-head with existing LPWAN technology such as Sigfox or LoRa.
AR/VR becoming mainstream. IoT Platform providers PTC (Vuforia) and Microsoft (Hololens) have already showcased a vast range of Augmented Reality / Virtual Reality use cases. We should expect the first real-life use cases emerging in 2017.
Even more reality and less hype. The attention is shifting from vendor/infrastructure topics, such as what the next generation of platforms or connectivity standards will look like, towards actual implementations and use cases. While there are still major developments, the general IoT audience will start taking some of these technology advancements for granted and focus on where the value lies. We continue to follow that story and will update our list of IoT projects.
Our IoT coverage in 2017: Subscribe to our newsletter for continued coverage and updates. In 2017, we will keep our focus on important IoT topics such as IoT Platforms, Security and Industry 4.0 with plenty of new reports due in Q1/2017. If you are interested in a comprehensive IoT coverage you may contact us for an enterprise subscription to our complete IoT research content.
The end of year or beginning of year is always a time when we see many predictions and forecasts for the year ahead. We often publish a selection of these to show how tech-based innovation and economic development will be impacted by the major trends.
A number of trends reports and articles have been published – ranging from investment houses, to research firms, and even innovation agencies. In this article we present headlines and highlights of some of these trends – from Gartner, GP Bullhound, Nesta and Ovum.
Artificial intelligence will have the greatest impact
GP Bullhound released its 52-page research report, Technology Predictions 2017, which says artificial intelligence (AI) is poised to have the greatest impact on the global technology sector. It will experience widespread consumer adoption, particularly as virtual personal assistants such as Apple Siri and Amazon Alexa grow in popularity as well as automation of repetitive data-driven tasks within enterprises.
Online streaming and e-sports are also significant market opportunities in 2017 and there will be a marked growth in the development of content for VR/AR platforms. Meanwhile, automated vehicles and fintech will pose longer-term growth prospects for investors.
The report also examines the growth of Europe’s unicorn companies. It highlights the potential for several firms to reach a $10 billion valuation and become ‘decacorns’, including BlaBlaCar, Farfetch, and HelloFresh.
Alec Dafferner, partner, GP Bullhound, commented, “The technology sector has faced up to significant challenges in 2016, from political instability through to greater scrutiny of unicorns. This resilience and the continued growth of the industry demonstrate that there remain vast opportunities for investors and entrepreneurs.”
Big data and machine learning will be disruptors
Advisory firm Ovum says big data continues to be the fastest-growing segment of the information management software market. It estimates the big data market will grow from $1.7bn in 2016 to $9.4bn by 2020, comprising 10 percent of the overall market for information management tooling. Its 2017 Trends to Watch: Big Data report highlights that while the breakout use case for big data in 2017 will be streaming, machine learning will be the factor that disrupts the landscape the most.
Key 2017 trends:
Machine learning will be the biggest disruptor for big data analytics in 2017.
Making data science a team sport will become a top priority.
IoT use cases will push real-time streaming analytics to the front burner.
The cloud will sharpen Hadoop-Spark ‘co-opetition’.
Security and data preparation will drive data lake governance.
Intelligence, digital and mesh
In October, Gartner issued its top 10 strategic technology trends for 2017, and recently outlined the key themes – intelligent, digital, and mesh – in a webinar. It said that autonomous cars and drone transport will have growing importance in the year ahead, alongside VR and AR.
“It’s not about just the IoT, wearables, mobile devices, or PCs. It’s about all of that together,” said David Cearley, vice president and Gartner fellow, according to hiddenwires magazine, on how ‘intelligence everywhere’ will put the consumer in charge. “We need to put the person at the center. Ask yourself what devices and service capabilities do they have available to them.”
“We need to then look at how you can deliver capabilities across multiple devices to deliver value. We want systems that shift from people adapting to technology to having technology and applications adapt to people. Instead of using forms or screens, I tell the chatbot what I want to do. It’s up to the intelligence built into that system to figure out how to execute that.”
Gartner’s view is that the following will be the key trends for 2017:
Artificial intelligence (AI) and machine learning: systems that learn, predict, adapt and potentially operate autonomously.
Intelligent apps: using AI, there will be three areas of focus — advanced analytics, AI-powered and increasingly autonomous business processes and AI-powered immersive, conversational and continuous interfaces.
Intelligent things, as they evolve, will shift from stand-alone IoT devices to a collaborative model in which intelligent things communicate with one another and act in concert to accomplish tasks.
Virtual and augmented reality: VR can be used for training scenarios and remote experiences. AR will enable businesses to overlay graphics onto real-world objects, such as hidden wires on the image of a wall.
Digital twins of physical assets combined with digital representations of facilities and environments as well as people, businesses and processes will enable an increasingly detailed digital representation of the real world for simulation, analysis and control.
Blockchain and distributed-ledger concepts are gaining traction because they hold the promise of transforming industry operating models in industries such as music distribution, identity verification and title registry.
Conversational systems will shift from a model where people adapt to computers to one where the computer ‘hears’ and adapts to a person’s desired outcome.
Mesh and app service architecture is a multichannel solution architecture that leverages cloud and serverless computing, containers and microservices as well as APIs (application programming interfaces) and events to deliver modular, flexible and dynamic solutions.
Digital technology platforms: every organization will have some mix of five digital technology platforms: Information systems, customer experience, analytics and intelligence, the internet of things and business ecosystems.
Adaptive security architecture: multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise.
The real-world vision of these tech trends
UK innovation agency Nesta also offers a vision for the year ahead, a mix of the plausible and the more aspirational, based on real-world examples of areas that will be impacted by these tech trends:
Computer says no: the backlash: the next big technological controversy will be about algorithms and machine learning, which increasingly make decisions that affect our daily lives; in the coming year, the backlash against algorithmic decisions will begin in earnest, with technologists being forced to confront the effects of aspects like fake news, or other events caused directly or indirectly by the results of these algorithms.
The Splinternet: 2016’s seismic political events and the growth of domestic and geopolitical tensions, means governments will become wary of the internet’s influence, and countries around the world could pull the plug on the open, global internet.
A new artistic approach to virtual reality: as artists blur the boundaries between real and virtual, the way we create and consume art will be transformed.
Blockchain powers a personal data revolution: there is growing unease at the way many companies like Amazon, Facebook and Google require or encourage users to give up significant control of their personal information; 2017 will be the year when the blockchain-based hardware, software and business models that offer a viable alternative reach maturity, ensuring that it is not just companies but individuals who can get real value from their personal data.
Next generation social movements for health: we’ll see more people uniting to fight for better health and care, enabled by digital technology, and potentially leading to stronger engagement with the system; technology will also help new social movements to easily share skills, advice and ideas, building on models like Crohnology where people with Crohn’s disease can connect around the world to develop evidence bases and take charge of their own health.
Vegetarian food gets bloodthirsty: the past few years have seen growing demand for plant-based food to mimic meat; the rising cost of meat production (expected to hit $5.2 billion by 2020) will drive kitchens and laboratories around the world to create a new wave of ‘plant butchers’, who develop vegan-friendly meat substitutes that would fool even the most hardened carnivore.
Lifelong learners: adult education will move from the bottom to the top of the policy agenda, driven by the winds of automation eliminating many jobs from manufacturing to services and the professions; adult skills will be the keyword.
Classroom conundrums, tackled together: there will be a future-focused rethink of mainstream education, with collaborative problem solving skills leading the charge, in order to develop skills beyond just coding – such as creativity, dexterity and social intelligence, and the ability to solve non-routine problems.
The rise of the armchair volunteer: volunteering from home will become just like working from home, and we’ll even start ‘donating’ some of our everyday data to citizen science to improve society as well; an example of this trend was when British Red Cross volunteers created maps of the Ebola crisis in remote locations from home.
It’s clear that there is an expectation that the use of artificial intelligence and machine learning platforms will proliferate in 2017 across multiple business, social and government spheres. This will be supported with advanced tools and capabilities like virtual reality and augmented reality. Together, there will be more networks of connected devices, hardware, and data sets to enable collaborative efforts in areas ranging from health to education and charity. The Nesta report also suggests that there could be a reality check, with a possible backlash against the open internet and the widespread use of personal data.
We’re constantly reminded of the risks that come with bad passwords, yet many people persist in using obvious and easy-to-crack names, words, and patterns. Want to know if you’re at risk?
Identity theft is a serious problem: Millions of Americans are falling prey to cybercrime every year, and with more and more of our lives online the risk only increases. The key to protecting your online identity starts with the most commonly used part of accessing internet services: The password.
Using secure passwords can be difficult—I know I’m guilty of using the same password over and over again, something that has recently come back to bite me as I get email after email telling me someone has tried logging in to my accounts.
One of the fundamental rules of good password creation is to use words that other people don’t. The study found that of 50,000 passwords surveyed, there were several that were far more common than others. Love, star, girl, angel, and rock came in at the top five: If you’re guilty of including one of them it’s time to make some changes.
Dictionary attacks remain one of the most common ways attackers crack passwords. They compile lists of the most commonly used passwords and try them one after another, either offline against a leaked database of password hashes or online against login endpoints that don’t lock accounts out after a few failed tries, until they come up with a match.
It’s not just common words that are causing leaks: 42 percent of the passwords surveyed contained usernames, real names, or other publicly available information. The most common offenders of name usage in passwords? Lisa, Amy, Scott, and Mark.
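The passage above singles out systems that don’t lock accounts out after a few tries as the ones dictionary attacks succeed against. The following is an added example, not code from the article or the study it cites, of the server-side control that closes that gap: a per-account sliding-window failure counter with a temporary lockout, plus a simulated wordlist attack run against it with a fake clock so the result is deterministic. The account name, the wordlist and the use of an unsalted SHA-256 digest as the stored secret are all constructed for the demo; a real system stores a slow salted hash (bcrypt, scrypt or Argon2) and usually pairs lockout with per-IP rate limiting and CAPTCHA so the lockout itself can’t be abused to deny service.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failure tracking with a sliding window and lockout.

    After `max_failures` failed attempts within `window` seconds the account
    is locked for `lockout` seconds. Counting per account rather than only per
    source address is what blunts a distributed dictionary attack that spreads
    its guesses across many IPs.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                     # injectable for deterministic tests
        self._failures = defaultdict(deque)    # account -> timestamps of recent failures
        self._locked_until = {}                # account -> unlock time

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def _digest(password):
    # Demo only: unsalted SHA-256 stands in for a real password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def attempt_login(throttle, users, account, password):
    """Return 'locked', 'ok' or 'fail'. The lockout is checked before the
    password so a locked account gives the attacker no oracle at all."""
    if throttle.is_locked(account):
        return "locked"
    stored = users.get(account, "")
    if stored and hmac.compare_digest(stored, _digest(password)):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "fail"


def simulate_dictionary_attack(wordlist, target_password, max_failures=5):
    """Run a wordlist against one constructed account at 10 ms per guess.
    Returns (outcome, number_of_guesses_actually_evaluated)."""
    fake_now = [1000.0]
    throttle = LoginThrottle(max_failures=max_failures, clock=lambda: fake_now[0])
    users = {"alice": _digest(target_password)}   # constructed account
    evaluated = 0
    for guess in wordlist:
        fake_now[0] += 0.01
        result = attempt_login(throttle, users, "alice", guess)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            return "compromised", evaluated
    return "held", evaluated


# Constructed wordlist built from the common words and names the article reports.
WORDLIST = ["love", "star", "girl", "angel", "rock", "password", "amy", "lisa", "scott", "mark"]

if __name__ == "__main__":
    print(simulate_dictionary_attack(WORDLIST, "scott"))                    # held after 5 guesses
    print(simulate_dictionary_attack(WORDLIST, "scott", max_failures=10**6))  # no lockout: compromised
```

With the default of five failures the attacker gets exactly five guesses evaluated before every further attempt is answered with “locked”; removing the lockout lets the same wordlist walk straight to the weak password on the ninth try.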
The demographics of getting hacked
Using your own name, your username, a pet’s name, or any other identifying feature is the perfect way to ensure you’re a target, but there are several other risk factors that can make you an easy mark.
Men are more likely to be hacked, but only by a few points (male = 53 percent; female =47 percent). Perhaps surprisingly, the most common age group of password hacking victims is 25- to 34-year olds. The study says that a possible cause is that this age group grew up along with the internet and in the earliest years weren’t taught the importance of good password use.
Wondering which website has the least secure users? AOL, Yahoo, and Hotmail are the most likely places to find passwords containing a username or real name.
How to stay safe
The password is a ubiquitous, and on its own unreliable, security method. Cracking methods are constantly becoming more sophisticated, the machines used to perform brute-force attacks keep getting faster, and there’s no fix for the weakest part of the system: the humans using it.
Truly secure passwords need to be long, random, and unique to each account, and replaced as soon as a breach exposes them. The best way to do that is by using an encrypted password manager. These apps store credentials for any number of websites, generate random passwords for you, and unlock all of them with a single master password (ideally protected by a second factor).
You can remove all the Amy, love, Scott, star, and 123s from your passwords you want but if you make them out of names and words you’re still a predictable human. Security means using a machine to trick a machine.
The 3 big takeaways for TechRepublic readers
Nearly half of passwords surveyed contained a username or real name. The most common were Amy, Lisa, Scott, and Mark.
The most commonly hacked age group is the 25-34 year old range, which many may find surprising. Growing up in the early days of the internet, the study argues, has led many people to become complacent.
The most effective way to secure internet accounts is with a randomized password containing upper- and lowercase letters, numbers, and symbols. This is best done using a password manager that can generate and securely store passwords.
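The study’s findings above reduce to a few mechanical checks: does the password contain one of the common words, one of the common names, or a token from the user’s own username or real name, even after the usual “l0v3” substitutions. The block below is an added example written for this page, not code from TechRepublic or the study it summarises; it implements those checks over the words and names the article reports (a real deployment would load a full breach corpus), and pairs them with the recommended alternative, a password generated from the operating system’s CSPRNG via Python’s `secrets` module. The leet-speak mapping, the 12-character minimum and the sequence list are assumptions chosen for the demo.

```python
import re
import secrets
import string

# Constructed from the article: the five most common words and four most common
# names found in the surveyed passwords, plus a few universally weak strings.
COMMON_WORDS = {"love", "star", "girl", "angel", "rock", "password", "qwerty"}
COMMON_NAMES = {"lisa", "amy", "scott", "mark"}
SEQUENCES = ("123", "abc", "111")
MIN_LENGTH = 12  # assumption for the demo

# One common leet-speak mapping, so "L0v3" is still caught as "love".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def _normalise(s):
    """Lower-case and undo common digit/symbol substitutions before matching."""
    return s.lower().translate(_LEET)


def password_findings(password, username="", real_name=""):
    """Return a list of reasons the password is predictable; empty means none found."""
    findings = []
    norm = _normalise(password)
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for word in sorted(COMMON_WORDS):
        if word in norm:
            findings.append(f"contains common word '{word}'")
    for name in sorted(COMMON_NAMES):
        if name in norm:
            findings.append(f"contains common name '{name}'")
    # Personal identifiers: match each token of 3+ letters from the username and
    # real name, so "scott_m" / "Scott Mark" still catch "Scott.Love123".
    personal = set(re.findall(r"[a-z]{3,}", _normalise(username + " " + real_name)))
    for token in sorted(personal):
        if token in norm:
            findings.append(f"contains personal identifier '{token}'")
    for seq in SEQUENCES:
        if seq in password:
            findings.append(f"contains trivial sequence '{seq}'")
    return findings


def generate_password(length=20):
    """Generate a random password from the OS CSPRNG over letters, digits and symbols.
    This is what a password manager does on your behalf; random.choice is not suitable."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Scott.Love123", "xQ7$vLp9!mZr2wK#hB4n", generate_password(24)):
        print(pw, "->", password_findings(pw, username="scott_m", real_name="Scott Mark") or "no findings")
```

Run the check at registration and password-change time, not only at login, and feed it a breach-derived wordlist rather than the nine entries here; the generator is the half that matters in practice, since a human will never pick something that passes the check as reliably as `secrets` does.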
Artificial intelligence, machine learning, and smart things promise an intelligent future.
Today, a digital stethoscope has the ability to record and store heartbeat and respiratory sounds. Tomorrow, the stethoscope could function as an “intelligent thing” by collecting a massive amount of such data, relating the data to diagnostic and treatment information, and building an artificial intelligence (AI)-powered doctor assistance app to provide the physician with diagnostic support in real-time. AI and machine learning increasingly will be embedded into everyday things such as appliances, speakers and hospital equipment. This phenomenon is closely aligned with the emergence of conversational systems, the expansion of the IoT into a digital mesh and the trend toward digital twins.
Three themes — intelligent, digital, and mesh — form the basis for the Top 10 strategic technology trends for 2017, announced by David Cearley, vice president and Gartner Fellow, at Gartner Symposium/ITxpo 2016 in Orlando, Florida. These technologies are just beginning to break out of an emerging state and stand to have substantial disruptive potential across industries.
AI and machine learning have reached a critical tipping point and will increasingly augment and extend virtually every technology-enabled service, thing or application. Creating intelligent systems that learn, adapt and potentially act autonomously rather than simply execute predefined instructions is the primary battleground for technology vendors through at least 2020.
Trend No. 1: AI & Advanced Machine Learning
AI and machine learning (ML), which include technologies such as deep learning, neural networks and natural-language processing, can also encompass more advanced systems that understand, learn, predict, adapt and potentially operate autonomously. Systems can learn and change future behavior, leading to the creation of more intelligent devices and programs. The combination of extensive parallel processing power, advanced algorithms and massive data sets to feed the algorithms has unleashed this new era.
In banking, you could use AI and machine-learning techniques to model current real-time transactions, as well as predictive models of transactions based on their likelihood of being fraudulent. Organizations seeking to drive digital innovation with this trend should evaluate a number of business scenarios in which AI and machine learning could drive clear and specific business value and consider experimenting with one or two high-impact scenarios.
Trend No. 2: Intelligent Apps
Intelligent apps, which include technologies like virtual personal assistants (VPAs), have the potential to transform the workplace by making everyday tasks easier (prioritizing emails) and its users more effective (highlighting important content and interactions). However, intelligent apps are not limited to new digital assistants – every existing software category from security tooling to enterprise applications such as marketing or ERP will be infused with AI enabled capabilities. Using AI, technology providers will focus on three areas — advanced analytics, AI-powered and increasingly autonomous business processes and AI-powered immersive, conversational and continuous interfaces. By 2018, Gartner expects most of the world’s largest 200 companies to exploit intelligent apps and utilize the full toolkit of big data and analytics tools to refine their offers and improve customer experience.
Trend No. 3: Intelligent Things
New intelligent things generally fall into three categories: robots, drones and autonomous vehicles. Each of these areas will evolve to impact a larger segment of the market and support a new phase of digital business but these represent only one facet of intelligent things. Existing things including IoT devices will become intelligent things delivering the power of AI enabled systems everywhere including the home, office, factory floor, and medical facility.
As intelligent things evolve and become more popular, they will shift from a stand-alone to a collaborative model in which intelligent things communicate with one another and act in concert to accomplish tasks. However, nontechnical issues such as liability and privacy, along with the complexity of creating highly specialized assistants, will slow embedded intelligence in some scenarios.
The lines between the digital and physical world continue to blur creating new opportunities for digital businesses. Look for the digital world to be an increasingly detailed reflection of the physical world and the digital world to appear as part of the physical world creating fertile ground for new business models and digitally enabled ecosystems.
Trend No. 4: Virtual & Augmented Reality
Virtual reality (VR) and augmented reality (AR) transform the way individuals interact with each other and with software systems creating an immersive environment. For example, VR can be used for training scenarios and remote experiences. AR, which enables a blending of the real and virtual worlds, means businesses can overlay graphics onto real-world objects, such as hidden wires on the image of a wall. Immersive experiences with AR and VR are reaching tipping points in terms of price and capability but will not replace other interface models. Over time AR and VR expand beyond visual immersion to include all human senses. Enterprises should look for targeted applications of VR and AR through 2020.
Trend No. 5: Digital Twin
Within three to five years, billions of things will be represented by digital twins, a dynamic software model of a physical thing or system. Using physics data on how the components of a thing operate and respond to the environment as well as data provided by sensors in the physical world, a digital twin can be used to analyze and simulate real-world conditions, respond to changes, improve operations and add value. Digital twins function as proxies for the combination of skilled individuals (e.g., technicians) and traditional monitoring devices and controls (e.g., pressure gauges). Their proliferation will require a cultural change, as those who understand the maintenance of real-world things collaborate with data scientists and IT professionals. Digital twins of physical assets combined with digital representations of facilities and environments as well as people, businesses and processes will enable an increasingly detailed digital representation of the real world for simulation, analysis and control.
Trend No. 6: Blockchain
Blockchain is a type of distributed ledger in which value exchange transactions (in bitcoin or other tokens) are sequentially grouped into blocks. Blockchain and distributed-ledger concepts are gaining traction because they hold the promise of transforming industry operating models in industries such as music distribution, identity verification and title registry. They promise a model to add trust to untrusted environments and reduce business friction by providing transparent access to the information in the chain. While there is a great deal of interest, the majority of blockchain initiatives are in alpha or beta phases and significant technology challenges exist.
The mesh refers to the dynamic connection of people, processes, things and services supporting intelligent digital ecosystems. As the mesh evolves, the user experience fundamentally changes and the supporting technology and security architectures and platforms must change as well.
Trend No. 7: Conversational Systems
Conversational systems can range from simple informal, bidirectional text or voice conversations such as an answer to “What time is it?” to more complex interactions such as collecting oral testimony from crime witnesses to generate a sketch of a suspect. Conversational systems shift from a model where people adapt to computers to one where the computer “hears” and adapts to a person’s desired outcome. Conversational systems do not use text/voice as the exclusive interface but enable people and machines to use multiple modalities (e.g., sight, sound, tactile, etc.) to communicate across the digital device mesh (e.g., sensors, appliances, IoT systems).
Trend No. 8: Mesh App and Service Architecture
The intelligent digital mesh will require changes to the architecture, technology and tools used to develop solutions. The mesh app and service architecture (MASA) is a multichannel solution architecture that leverages cloud and serverless computing, containers and microservices as well as APIs and events to deliver modular, flexible and dynamic solutions. Solutions ultimately support multiple users in multiple roles using multiple devices and communicating over multiple networks. However, MASA is a long-term architectural shift that requires significant changes to development tooling and best practices.
Trend No. 9: Digital Technology Platforms
Digital technology platforms are the building blocks for a digital business and are necessary to break into digital. Every organization will have some mix of five digital technology platforms: Information systems, customer experience, analytics and intelligence, the Internet of Things and business ecosystems. In particular new platforms and services for IoT, AI and conversational systems will be a key focus through 2020. Companies should identify how industry platforms will evolve and plan ways to evolve their platforms to meet the challenges of digital business.
Trend No. 10: Adaptive Security Architecture
The evolution of the intelligent digital mesh and digital technology platforms and application architectures means that security has to become fluid and adaptive. Security in the IoT environment is particularly challenging. Security teams need to work with application, solution and enterprise architects to consider security early in the design of applications or IoT solutions. Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise.
The malware that powered one of the worst denial of service cyberattacks of the last few years has infected internet-connected devices all over the world, reaching as many as 177 countries, according to security researchers.
Imperva, a company that provides protection to websites against Distributed Denial of Service (DDoS) attacks, is among the ones who have been busy investigating Mirai. According to their tally, the botnet made of Mirai-infected devices has reached a total of 164 countries. A pseudonymous researcher who goes by the name MalwareTech has also been mapping Mirai, and according to his tally, the total is even higher, at 177 countries.
“Most indiscriminately spread malware will show up all over the globe,” MalwareTech said in a Twitter message.
Mirai was used to build a botnet that hit the website of security journalist Brian Krebs with a large DDoS attack last month. A hacker who goes by the name Anna-senpai released the source code of the malware at the beginning of October, but it’s unclear who really is behind it.
Mirai isn’t really a fancy piece of malware, but it’s effective and spreads quickly because it targets Internet of Things (IoT) devices that are extremely easy to hack. These devices, mostly DVRs and surveillance cameras, use default and predictable passwords, such as “admin” and “123456”, “root” and “password,” or “guest” and “guest,” among others.
Thanks to these bad passwords, and the Mirai malware, the Internet of (hackable) Things has truly gone global.
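The default-credential vector the article describes is also what makes Mirai-style sweeps visible in a device's or honeypot's own telnet authentication logs. The Python below is an added example, not part of the original article or of any vendor's software: it parses a constructed log line format (not any real product's format) and flags both sources that cycle through the default pairs named above and devices that actually accepted one of them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default username/password pairs the article names as Mirai's targets.
DEFAULT_PAIRS = {("admin", "123456"), ("root", "password"), ("guest", "guest")}

# Constructed line format (adapt to your device's or honeypot's telnetd log):
# "<ISO timestamp> telnetd: login from <ip> user=<u> pass=<p> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login from (?P<src>[\d.]+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

def parse_line(line):
    """Return a dict for one auth log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["default"] = (rec["user"], rec["pw"]) in DEFAULT_PAIRS
    return rec

def find_default_sweeps(lines, min_pairs=3, window=timedelta(minutes=5)):
    """Flag sources trying >= min_pairs distinct default pairs within window.

    One wrong guess is noise; cycling through the factory pairs from one
    address within minutes is the dictionary scan Mirai performs.
    """
    attempts = defaultdict(list)  # src -> [(ts, (user, pw)), ...]
    for rec in filter(None, map(parse_line, lines)):
        if rec["default"]:
            attempts[rec["src"]].append((rec["ts"], (rec["user"], rec["pw"])))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            pairs = {p for ts, p in events[i:] if ts - start <= window}
            if len(pairs) >= min_pairs:
                flagged[src] = sorted(pairs)
                break
    return flagged

def find_default_logins(lines):
    """Return (src, user) for successful logins that used a default pair:
    each one is a device still accepting factory credentials."""
    return [(r["src"], r["user"]) for r in filter(None, map(parse_line, lines))
            if r["default"] and r["result"] == "ok"]

# Constructed sample: one address sweeps the default list and gets in,
# another makes a single unrelated failed attempt.
SAMPLE_LOG = [
    "2016-10-03T02:14:01 telnetd: login from 198.51.100.7 user=root pass=password result=fail",
    "2016-10-03T02:14:03 telnetd: login from 198.51.100.7 user=guest pass=guest result=fail",
    "2016-10-03T02:14:06 telnetd: login from 198.51.100.7 user=admin pass=123456 result=ok",
    "2016-10-03T02:15:40 telnetd: login from 203.0.113.22 user=operator pass=hunter2 result=fail",
]
```

Running `find_default_sweeps(SAMPLE_LOG)` reports the sweeping address with the three pairs it tried, and `find_default_logins(SAMPLE_LOG)` reports the device that let `admin`/`123456` in; the second is the finding that needs fixing regardless of who was scanning.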
A huge online attack enabled by Internet-connected devices illuminates a problem keeping security experts awake at night.
When the website of security expert Brian Krebs recently went down, it wasn’t bad luck—it was the result of a huge surge of data: 620 gigabits per second. And now we know where it came from. It was an army of Internet-connected devices, being used as slaves to take down servers.
According to the Wall Street Journal, as many as one million security cameras, digital video recorders, and other connected devices have been employed by hackers to carry out a series of such attacks. When corralled together, these pieces of hardware can be used as a so-called botnet, collectively sending data and Web page requests to servers with such ferocity that they’re overwhelmed and ultimately crash.
It’s a powerful new way of putting an old idea into practice. Attackers have long installed malware on PCs to have them act as bots that they control, and more recently home routers and printers have been used to the same ends. But as Internet-connected devices proliferate in our homes and offices, the potential number of devices to draw upon is increasing dramatically.
The scale of the new set of attacks is unprecedented. According to the BBC, this recent spate has been able to barrage servers with data at rates of over a terabit per second. In addition to Krebs’s site, the targets have included the servers of French Web hosting provider OVH. The attacks may have been carried out by the same botnet.
The news raises fresh concerns about the security of Internet of things devices. Purpose-built to be controlled over the Internet, such devices have been billed as the future of sensing and control to businesses and domestic users alike—from connected video cameras and speakers to smart thermostats and lightbulbs. While initially slow to gain popularity, they are proliferating as they’ve become increasingly user-friendly.
But there’s a problem. Many such devices are purchased, installed, and then used without much further attention being paid to their configuration. That means that they may never be updated, leaving huge scope for their exploitation by hackers if they contain a security flaw. (They invariably do.) Who, after all, bothers to update a lightbulb?
Earlier this year, the National Security Agency’s hacking chief, Rob Joyce, sounded caution over these kinds of devices. Their security is “something that keeps me up at night,” he said at the time.
The social and economic impact of technology is widespread and accelerating. The speed and volume of information have increased exponentially. Experts are predicting that 90% of the entire population will be connected to the internet within 10 years. With the internet of things, the digital and physical worlds will soon be merged. These changes herald exciting possibilities. But they also create uncertainty. And our kids are at the centre of this dynamic change.
Children are using digital technologies and media at increasingly younger ages and for longer periods of time. They spend an average of seven hours a day in front of screens – from televisions and computers, to mobile phones and various digital devices. This is more than the time children spend with their parents or in school. As such, it can have a significant impact on their health and well-being. What digital content they consume, who they meet online and how much time they spend onscreen – all these factors will greatly influence children’s overall development.
The digital world is a vast expanse of learning and entertainment. But it is in this digital world that kids are also exposed to many risks, such as cyberbullying, technology addiction, obscene and violent content, radicalization, scams and data theft. The problem lies in the fast and ever evolving nature of the digital world, where proper internet governance and policies for child protection are slow to catch up, rendering them ineffective.
Moreover, there is the digital age gap. The way children use technology is very different from adults. This gap makes it difficult for parents and educators to fully understand the risks and threats that children could face online. As a result, adults may feel unable to advise children on the safe and responsible use of digital technologies. Likewise, this gap gives rise to different perspectives of what is considered acceptable behaviour.
So how can we, as parents, educators and leaders, prepare our children for the digital age? Without a doubt, it is critical for us to equip them with digital intelligence.
Digital intelligence or “DQ” is the set of social, emotional and cognitive abilities that enable individuals to face the challenges and adapt to the demands of digital life. These abilities can broadly be broken down into eight interconnected areas:
Digital identity: The ability to create and manage one’s online identity and reputation. This includes an awareness of one’s online persona and management of the short-term and long-term impact of one’s online presence.
Digital use: The ability to use digital devices and media, including the mastery of control in order to achieve a healthy balance between life online and offline.
Digital safety: The ability to manage risks online (e.g. cyberbullying, grooming, radicalization) as well as problematic content (e.g. violence and obscenity), and to avoid and limit these risks.
Digital security: The ability to detect cyber threats (e.g. hacking, scams, malware), to understand best practices and to use suitable security tools for data protection.
Digital emotional intelligence: The ability to be empathetic and build good relationships with others online.
Digital communication: The ability to communicate and collaborate with others using digital technologies and media.
Digital literacy: The ability to find, evaluate, utilize, share and create content as well as competency in computational thinking.
Digital rights: The ability to understand and uphold personal and legal rights, including the rights to privacy, intellectual property, freedom of speech and protection from hate speech.
Above all, the acquisition of these abilities should be rooted in desirable human values such as respect, empathy and prudence. These values facilitate the wise and responsible use of technology – an attribute which will mark the future leaders of tomorrow. Indeed, cultivating digital intelligence grounded in human values is essential for our kids to become masters of technology instead of being mastered by it.
Wireless keyboards transmit every keystroke to your computer, via a low-power radio signal. Is it possible for a hacker to intercept that signal, to steal your passwords and other sensitive data? In some cases, yes. Should you panic? Maybe. Here’s what you need to know…
Is Your Keyboard Secure?
Tech news is pretty slow during the dog days of summer, so it’s a perfect time to grab headlines by beating dead horses. That’s what happened at the end of July, when the tech media suddenly exploded with headlines like these:
“Flaws in wireless keyboards let hackers snoop on everything you type” … “Radio Hack Steals Keystrokes from Millions of Wireless Keyboards” … “It’s Shockingly Easy to Hack Some Wireless Keyboards” … and “Hackers can pick off, inject wireless keyboard keystrokes from 8 vendors, maybe more”.
I suppose they needed to write about something besides the July 29 end of free Windows 10 upgrades, if only for a day.
The brief uproar originated from Atlanta-based Bastille Networks. Bastille specializes in “software and sensor technologies to detect and mitigate threats affecting the Internet of Things,” particularly wireless things such as keyboards, mice, security cameras, etc. Founded in March, 2014, Bastille is a startup struggling for name recognition. It found some in the flurry of FUD (fear, uncertainty, and doubt) that its latest report unleashed.
The gist of that report is that wireless keyboards from at least eight manufacturers either lack encryption entirely or implement it so badly that it does not stop hackers from injecting keystrokes into a user’s computer. Bad guys can take over your machine from a distance of up to 250 feet, Bastille claims, or record your login credentials and other sensitive information as you type it.
Nothing New Under the Sun
The thing is, this vulnerability of wireless input devices has been known for years; here is an article on the subject from 2007. Yet I have not seen a single example of any user who has been hacked via a wireless keyboard or mouse.
Only three vendors – Anker, GE, and Kensington – have responded to Bastille’s alarm about their products. All of them are dutifully grateful to Bastille for bringing this matter to their attention. Anker and Kensington also state that they have received no complaints involving the issue. Anker has withdrawn its vulnerable product from the market, and will exchange existing products for another (presumably secure) one — if the original product is still under warranty.
Only Kensington states that it has released a new product with AES encryption, the Pro-Fit Wireless Desktop Set (http://goo.gl/rY0tS7), with a $29.95 list price. That’s not bad at all for a wireless keyboard and wireless mouse combo. I have seen rip-offs on Amazon that want $249 for similar encrypted wireless keyboards alone.
In the end, Bastille has done the world a service by forcing at least one major manufacturer to implement encryption on its wireless input devices. The vulnerability will probably continue to be ignored by most other vendors, and by users who value low price over high security.
Should You Replace Your Keyboard?
There is no evidence that hackers have been exploiting this vulnerability, despite it being well known for over ten years. But then again, identity theft is rampant, and the cause cannot always be determined with certainty. I was checking into a hotel last week, and I noticed that the desk clerk was using a wireless keyboard. Hopefully it was a secure model that didn’t broadcast my home address, driver’s license and credit card number to that sketchy guy hanging out in the lobby with a laptop.
If you’re a home user with a wireless keyboard on the naughty list mentioned above, the chances that you’ll be targeted by hackers within a 250-foot radius seem pretty slim to me. But if you work in a business where you deal with sensitive customer data, you should consider swapping out your vulnerable wireless keyboards for a wired model, or get one that implements the wireless feature securely.
Do you use a wireless keyboard? Your thoughts on this topic are welcome. Post your comment or question below…
PC and tablet warriors who must access files and applications for work and for play tolerate their password rituals, whether dozens of times a day or more. Painful as entering passwords may be—forgetting some passwords, hitting the wrong keys trying to enter on others, leaving caps lock on—they offer security.
Passwords are necessary if you want to join life on the Internet. “If you are someone who spends a lot of time on the Internet, you probably have a ton of different ids at different websites, and if you follow along advice, a ton of different passwords as well. More than likely, you are also using a password manager, because it is difficult for us to remember all of this detail accurately all the time,” said Aamir Siddiqui in XDA Developers.
For those who do use password managers, the interesting development now is that Dashlane, a password management business, and Google have put their heads together to set up an open source API project. This is aimed at making app logins for Android users simple yet secure.
The Open YOLO project, as it is called, will let apps access your password manager of choice. It is an easy-to-remember name for the undertaking—Open YOLO (You Only Login Once).
Associate Editor Steve Dent in Engadget said that “you can log into apps automatically with no typing or insecure autofill. Dashlane is spearheading the venture in cooperation with other password managers…” Jose Vilches in TechSpot spelled out how this is going to work.
“The main idea is to allow any app built using the OpenYOLO API to access passwords stored in password managers that support the standard. Presumably once you sign in to whatever compatible password manager is on your device, you’ll be automatically signed in to the apps on your device without having to input your password multiple times.”
(Steve Dent remarked how “Details are light on how it works, but we assume you’d log in once to your password manager then get access to all apps that support Open YOLO.”)
The Dashlane blog posted on August 4 by Malaika Nicholas announced the project. Actually, other “leading password managers” are also getting involved in the collaboration, she said.
The blog described this as an open API for app developers. It gives Android apps the ability to access passwords stored in the user’s favorite password manager, and logs the user into those applications.
Vilches in TechSpot said that “OpenYOLO won’t be limited to Dashlane or eventually even Android for that matter…The company also hopes to make the API available on other platforms over time.”
Meanwhile, Gabriel Avner in Geektime covered the question of what good are password managers. Do you really want them in your life?
“For those who are perhaps a bit less security conscious (read paranoid) and are unfamiliar with password managers, they provide a nifty way to generate and store strong passwords without the need to remember them by heart or write them down on slips of paper.”
Avner also said, “Understandably, not everyone is comfortable with the idea of forking over all of your passwords to a single database that if cracked could expose them to unwanted intrusions of privacy or harm. However the alternative to password managers is not really much of an option.”
Ben Schoon in 9to5Google said that Google will likely be releasing more information on this API in the near future.