BreachExchange mailing list archives

Cyber threats loom anew on the Internet of Things


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Sep 2015 17:41:37 -0600

http://www.compasscayman.com/journal/2015/09/02/Cyber-threats-loom-anew-on-the-Internet-of-Things/

Looming darkness is an apt metaphor for contemplating the twilight world
of cyber crime and the ongoing contest with hackers, identity thieves,
credit-card hijackers and the legions trolling for personal information.

The threats from cyber intruders are persistent, stubborn and reconstituted
almost daily. James Pearse, solutions architect at Cayman’s Ignition Group
of Technology Companies, describes five main threats that have emerged in
the past year.

Chief among them may be ransomware, in which a hacker simply moves into
your PC, like a demonic possession, then offers to sell it all back to you
at a hefty cost, leaving the victim permanently “spooked” and without
security guarantees.

“There is a huge proliferation of this on the cloud,” says Pearse. “They
can take all your data and then use your machine to attack others. Yes,
there can be a profit [motive] to this, but really it’s mostly malicious.”

Most intriguing, however, is the Internet of Things, which is growing
exponentially as designers build interactivity and data storage into
hundreds of common products. Estimates range from 26 billion to 50 billion
devices that will be connected to the Internet by 2020.

Home thermostats, heating and air-conditioning; refrigerators that track
inventory; the family car using on-board computers to regulate speed,
operate rear-view cameras and “blind-spot” alarms, to parallel park and
even to tint windows; smart meters to manage electricity consumption;
Bluetooth devices, and myriad uses in manufacturing, environmental sensing,
urban planning and health monitoring “are all Internet-connected, and all
created without any security whatever in mind,” Pearse says. “People can
just break into them, and this is just going to grow because people want to
be connected.”

Driverless theft, he warns, is not far distant: “I could hack into your car
and start it without being anywhere near it,” he says.

More familiar is simply cyber theft, Pearse says, inspired by new ways of
making payments. “It’s huge in the U.S. and U.K. You just hold up your card
and a device reads it. But it’s without any signatures. Anyone can use it
to call up your financial information, all sorts of details.”

Similarly, he points to near field communications, when two devices “talk”
in the sense that, placed adjacently, they instantly transfer information,
possibly “all of it, all my personal information,” as the capacity of such
technology as smartphones continues to grow.

“You want to set up a business, so you invest a lot of money in a till
system and clip-on card readers. You just take one of them, plug it in,
write a code and skim all the details” of every card that has been swiped
through the device.

Fourth, Pearse names the relatively straightforward “insecure passwords,”
in which users use the same word for every service. A single hack gives
intruders access to everything.

Two-factor authentication is one answer, Pearse says, requiring two
passwords derived from a list of six-digit codes that change randomly every
30 seconds.

“Lots of companies don’t use this, though, leaving them wide open,” he
says, pointing to last year’s hack of Target stores. The company outsourced
its security to a third party, which used a single password for everything,
he says.

Finally, something as simple as “careless or uninformed employees” is as
great a threat as anything else.

“I copy company information to my PC from my company phone so I can work at
home, but then I lose my phone and someone hacks it. Someone at a legal
firm uses a drop box to take information home and loses the company’s
device. Bring Your Own Device is used to combat this, with all the
information encrypted on your own laptop, for example,” Pearse says.

The problems can be solved, he says, although he does not dispute that
anything that can be done electronically can, by and large, be undone
electronically; algorithms that embed electronic keys can, however, offer
nearly unbreakable ciphers.

Mobile device management is one idea, two-factor authentication is another,
and then there’s the “kill pill” by which a company can send a program
wiping everything from a remote personal device.

Meanwhile, Microsoft has discontinued support for Windows XP – as of April
8, 2014 – and Server 2003 – as of July 14 this year – refusing more
security “patches,” motivating users to move to newer, more secure
programs.

“A lot of individuals and businesses, however, are still using XP and 2003,
leaving themselves open to attack,” Pearse says.

He points to innovative new companies like London’s Darktrace, formed in
2013 by former MI6, FBI and CIA operatives, who have developed algorithms
to track even the slightest irregularity in a company’s computer network.
Richard Branson’s Virgin Trains calls it a game changer.

“They create a ‘honey pot,’” says Pearse, describing Darktrace, “and if
anyone gets into the system, they go straight into the honey pot and you
can find them. These algorithms hunt for even the most subtle changes in
the network – data being copied, information being transferred, emails that
have not been previously accessed – it flags all the changes.

“There is so much information on the Web, and people are naive,” Pearse
says. “They just don’t understand the magnitude of online banking, of
Facebook, the cloud” – and pretty much every time anyone logs on to the
Internet.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/