Category Archives: IOT security

CyberSecurity: 2019 Internet Security Threat Report

Some of the highlights are:

Formjacking. Targeted attacks. Living off the land. Coming for your business.

Like flies to honey, miscreants swarm to the latest exploits that promise quick bucks with minimal effort. Ransomware and cryptojacking had their day; now it’s formjacking’s turn.

Cyber criminals get rich quick with formjacking

Formjacking attacks are simple and lucrative: cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month.

Cryptojacking Down, but not out

Ransomware and cryptojacking were go-to moneymakers for cyber criminals. But 2018 brought diminishing returns, resulting in lower activity. For the first time since 2013, ransomware declined, down 20 percent overall, but up 12 percent for enterprises.

Cloud challenges: If it’s in the cloud, security’s on you

A single misconfigured cloud workload or storage instance could cost an organization millions or cause a compliance nightmare. In 2018, more than 70 million records were stolen or leaked from poorly configured S3 buckets. Off-the-shelf tools on the web allow attackers to identify misconfigured cloud resources.

Hardware chip vulnerabilities, including Meltdown, Spectre, and Foreshadow allow intruders to access companies’ protected memory spaces on cloud services hosted on the same physical server. Successful exploitation provides access to memory locations that are normally forbidden.

IOT: Your favorite IoT device is an attacker’s best friend

Although routers and connected cameras make up 90 percent of infected devices, almost every IoT device is vulnerable, from smart light bulbs to voice assistants.

Targeted attack groups increasingly focus on IoT as a soft entry point, where they can destroy or wipe a device, steal credentials and data, and intercept SCADA communications.

And industrial IT shaped up as a potential cyber warfare battleground, with threat groups such as Thrip and Triton vested in compromising operational and industrial control systems.

Download the full report here:

https://resource.elq.symantec.com/LP=6819?inid=symc_threat-report_istr_to_leadgen_form_LP-6819_ISTR-2019-report-main&cid=70138000001Qv0PAAS

IoTSecurity: IoT Code of Practice by UK Govt

The United Kingdom has been very proactive in regulating the most important cybersecurity concerns. Bruce Schneier (cyber guru) often suggests that it is time for governments to act and regulate IoT devices. In recent times, the UK government has done a phenomenal job regulating the following important security concerns.

Apart from regulations, the significant part is that the UK government partners with private companies to come up with solutions. Many governments hesitate to take other stakeholders on board.

Who are the audiences of the Code of Practice regulation?

  • Device Manufacturers
  • IoT Service Providers
  • Mobile Application Developers
  • Retailers

So, what are the security concerns with IoT devices?

  • Consumer privacy: Many devices are more like spy devices and keep track of every user movement, private conversation, video recording, etc. Experts tell us that privacy isn’t a right anymore in today’s world and that we should get over it. However, it can still be controlled with the right tools.
  • Consumer security: The biggest concern is consumer security. The more connected you are, the more vulnerable you are. Unlocking homes, remotely hacking home video, smart TVs, etc. are normal nowadays.
  • Unsecured manufacturing & retailing: Most IoT devices are unsecured, and organizations have huge control over them. A consumer does not have the authority to ask for more security. If someone can unlock the door because of a misconfiguration, the manufacturer and service providers are not liable.
  • Use of these unsecured devices in large-scale attacks (i.e. DDoS): You might be familiar with distributed denial of service. These IoT devices help to achieve that.

The Code of Practice regulation applies to the following types of devices:

  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks
  • Smart cameras, TVs and speakers
  • Wearable health trackers
  • Connected home automation and alarm systems
  • Connected appliances (e.g. washing machines, fridges)
  • Smart home assistants

Code of Practice Guidelines

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

Reference

https://www.gov.uk/government/publications/secure-by-design/code-of-practice-for-consumer-iot-security

CyberSecurity: Finished Threat Intelligence (Security Intelligence) book

Just finished another very good book on cybersecurity: Threat Intelligence. Threat intelligence is a component of security intelligence, and it is the way you use tools, knowledge, risk (external or internal) and security threats across your overall business.

This book answers many questions and gives a big perspective on many problems currently faced by organizations, and on why there is no security remedy on time. The information in this book is very well organized. It goes from simple knowledge chapters to security operations to the dark web.

My favourite parts are:

  • About security threats & risk analysis.
  • About the security operations center, and how resources are under stress to deal with thousands of operational alerts, most of which are false positives (i.e. not valid alerts).
  • About the dark web & organized crime, and how organized crime hires hackers, executes projects, etc. Little info, but I got some sense out of it.

Things to learn from Threat Intelligence book

  • How can threat intelligence help in dealing with every aspect of security?
  • How does a SOC (security operations center) mitigate risk & identify problems? And how can a SOC easily handle so many false positive alerts?
  • How to get to know trends, current vulnerabilities & the risk analysis of fixing critical vulnerabilities?
  • How to know if threat criminals have already breached sensitive information? In most cases, organizations get to know about a data breach only after months or so. The book details how the National Vulnerability Database does not provide vulnerability info on time & how threat intelligence tools can help you with that.
  • Some information about the dark web, deep web & organized crime. A little detail about how organized crimes are done.

Final Thought:

Every security professional should read about threat intelligence & understand the overall process. It is a must-read book.

NOTE: I can share the downloaded version, but I think it would be unfair to the people who have done all the hard & good work on this book. So here is the reference & you can help yourself.

Reference

CyberSecurity: Regulations on IoT devices

A good initiative has been taken by California, United States, on the security of IoT devices. It seems states are learning a lesson & protecting their citizens. Europe has the GDPR law, which asks each & every user to accept the cookie popup that appears on whichever site or application you use. It basically asks for consent from the user.

The most important point is that this law has a procedure and forces manufacturers not to have a default password. This is a significant step because most users never change the default password, and it is easy to hack. Some users even keep their device SNO as the default password, like home routers etc.

Impact of this Law

Automobile manufacturers sell their cars worldwide, but they are customized for local markets. The car you buy in the United States is different from the same model sold in Mexico, because the local environmental laws are not the same and manufacturers optimize engines based on where the product will be sold. The economics of building and selling automobiles easily allows for this differentiation.

But software is different. Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply. At that point, it won’t make sense to have two versions: one for California and another for everywhere else. It’s much easier to maintain the single, more secure version and sell it everywhere.

Reference

https://www.schneier.com/blog/archives/2018/11/new_iot_securit.html

Another view of the same topic:

Abstract

California has passed an IoT security bill, awaiting the governor’s signature/veto. It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.

https://blog.erratasec.com/2018/09/californias-bad-iot-law.html#.W-sLFHpKh0J

 

CyberSecurity: First Step towards cyberwar?

US Lawmakers Propose ‘Hack Back’ Law to Allow Cyber Retaliation Without Permission of Third-Party Country

https://hotforsecurity.bitdefender.com/blog/us-lawmakers-propose-hack-back-law-to-allow-cyber-retaliation-without-permission-of-third-party-country-20000.html

It is more like Hollywood movies where hackers get hacked as well. And the big question is: what about cyber crimes that are committed by organized groups or nations, not by individuals? What would happen if the USA hacks China’s systems and China starts hacking electric grids, water supply, nuclear plants... the list never ends.

And assume a situation where every nation is trying to hack any other nation. Scary situation but it is really happening now.

Developing countries are neither prepared for it nor would be able to do the same. For them, it is a dead-end situation. But it is never too late.

A quote from Jared Cohen:

We live in a world where all wars will begin as cyber wars… It’s the combination of hacking and massive, well-coordinated disinformation campaigns.