By Ben Dickson (@bendee983) as written on techcrunch.com
Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would’ve laughed at you and said you watch too much James Bond. But today, if you tell me that hackers with malicious intents can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance.
Welcome to the era of the Internet of Things (IoT), where digitally connected devices are encroaching on every aspect of our lives, including our homes, offices, cars and even our bodies. With the advent of IPv6 and the wide deployment of Wi-Fi networks, IoT is growing at a dangerously fast pace, and researchers estimate that by 2020, the number of active wireless connected devices will exceed 40 billion.
The upside is that we are able to do things we never before imagined. But as with every good thing, there’s a downside to IoT: It is becoming an increasingly attractive target for cybercriminals. More connected devices mean more attack vectors and more possibilities for hackers to target us; unless we move fast to address this rising security concern, we’ll soon be facing an inevitable disaster.
IoT Vulnerabilities Open Up New Possibilities To Hackers
Some of the more frightening vulnerabilities found on IoT devices have brought IoT security further up the stack of issues that need to be addressed quickly.
Earlier this month, researchers found critical vulnerabilities in a wide range of IoT baby monitors, which could be leveraged by hackers to carry out a number of nefarious activities, including monitoring live feeds, changing camera settings and authorizing other users to remotely view and control the monitor.
In another development, it was proven that Internet-connected cars can be compromised, as well, and hackers can carry out any number of malicious activities, including taking control of the entertainment system, unlocking the doors or even shutting down the car in motion.
Wearables also can become a source of threat to your privacy, as hackers can use the motion sensors embedded in smartwatches to steal information you’re typing, or they can gather health data from smartwatch apps or health tracker devices you might be using.
Some of the most worrisome cases of IoT hacks involve medical devices and can have detrimental — perhaps fatal — consequences on patients’ health.
What Is being Done To Secure The IoT?
The silver lining is that IoT security, previously ignored, has now become an issue of high concern, even at the federal government level. Several measures are already being taken to gap holes and prevent security breaches at the device level, and efforts are being led to tackle major disasters before they come to pass.
After the Jeep Cherokee hack, automaker Fiat scrambled to have the problem fixed and quickly issued a safety recall for 1.4 million U.S. cars and trucks to install a security update patch. The whole episode also served as a wakeup call for the entire IoT industry.
Now security firms and manufacturers are joining ranks to help secure the IoT world before it spins out of control. Digital security company Gemalto is planning to use its experience in mobile payments to help secure IoT devices. Gemalto will be offering its Secure Element (SE) technology to automotive and utility companies. SE is a tamper-resistant component that gets embedded into devices to enable advanced digital security and life-cycle management via encryption of and access-control limitation to sensitive data.
Microsoft also is entering the fray, and has promised to add BitLocker encryption and Secure Boot technology to the Windows 10 IoT, the software giant’s operating system for IoT devices and platforms such as the Raspberry Pi. BitLocker is an encryption technology that can code entire disk volumes, and it has been featured in Windows operating systems since the Vista edition. This can be crucial to secure on-device data. Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer. Its implementation can prevent device hijacking.
The IoT security issue has also given rise to new alliances. A conglomeration of leading tech firms, including Vodafone, founded the Internet of Things Security Foundation, a non-profit body that will be responsible for vetting Internet-connected devices for vulnerabilities and flaws and will offer security assistance to tech providers, system adopters and end users. IoTSF hopes to raise awareness through cross-company collaboration and encourage manufacturers to consider security of connected devices at the hardware level.
“The opportunity for IoT is staggering,” said John Moor, a spokesperson for IoTSF. “However, there are ever-real security challenges that accompany those opportunities.” Moor stressed the importance to address security from the start. “By creating a dedicated focus on security,” he promised, “our intention is simple — drive excellence in IoT security. IoTSF aims to be the home for providers, adopters and beneficiaries of IoT products and services.”
Other companies are working on setting up platforms that will enable large networks of IoT devices to identify and authenticate each other in order to provide higher security and prevent data breaches.
There also is research being conducted to enhance IoT security through device and smartphone linking. The effort is being led by experts at the University of South Hampton, who believe smartphones can help overcome IoT devices’ limits in user interfaces and complexities in networking.
What More Needs To Be Done?
While the effort to tackle security issues regarding IoT devices is laudable, it isn’t enough to ensure that we can leverage the full power of this new technology in a secure environment.
For one thing, the gateways that connect IoT devices to company and manufacturer networks need to be secured as well as the devices themselves. IoT devices are always connected and always on. In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system.
Also of concern are huge repositories where IoT data is being stored, which can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits. In the wake of massive data breaches and data theft cases we’ve seen in recent years, more effort needs to be made to secure IoT-related data to ensure the privacy of consumers and the functionality of businesses and corporations.
There also must be a sound plan for installing security updates on IoT devices. Each consumer will likely soon own scores — if not hundreds — of connected devices. The idea of manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers also can be a risky business. Proper safeguards must be put in place to prevent updating interfaces from becoming security holes themselves.
What is evident is that the IoT will become an important part of our lives very soon, and its security is one of the major issues that must be addressed via active participation by the entire global tech community. Will we be able to harness this most-hyped, emerging technology that will undoubtedly revolutionize the world, or will we end up opening a Pandora’s Box that will spiral the world into a new age of mayhem and chaos? Let’s hope for the former.
With Microsoft’s Enterprise Mobility Suite, Godiva has access to information when and where they need it, enabling them to deliver the ultimate chocolate experience for every single one of their customers.
About GODIVA:
Since 1926 GODIVA has been the premier maker of the fine Belgian chocolate. Learn more.
3 Obvious Reasons You Need A Backup & Disaster Recovery Plan
You need to protect your company data from security threats and hackers. Did you see how cheating site Ashley Madison was breached by hackers who exposed "secure" user data?
Natural disasters do occur and 90% of companies that experience one week of data downtime go out of business within 12 months.
Systems do crash, data gets erased or corrupted, viruses attack.
With vast quantities of vital data moving through your business, even with limited resources and budget, it is critical for an organization to have a true business continuity and disaster recovery plan in place. This is the only solution to deliver an advanced insurance policy against loss of data and downtime.
Managed Solution provides a Business Continuity/Backup & Disaster Recovery Service to protect data from loss and prevent costly downtime in the event of a catastrophic server failure. Learn more.
China hacked into the federal government’s network, compromising four million current and former employees' information. The Post's Ellen Nakashima talks about what kind of national security risk this poses and why China wants this information. (Alice Li/The Washington Post)
Hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, U.S., and the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.
The hack was the largest breach of federal employee data in recent years. It was the second major intrusion of the same agency by China in less than a year and the second significant foreign breach into U.S. government networks in recent months.Last year, Russia compromised White House and State Department e-mail systems in a campaign of cyberespionage.
The OPM, using new tools, discovered the breach in April, according to officials at the agency who declined to discuss who was behind the hack.
Other U.S. officials, who spoke on the condition of anonymity, citing the ongoing investigation, identified the hackers as being state-sponsored.
One private security firm, iSight Partners, says it has linked the OPM intrusion to the same cyberespionage group that hacked the health insurance giant Anthem. The FBI suspects that that intrusion, announced in February, was also the work of Chinese hackers, people close to the investigation have said.
The intruders in the OPM case gained access to information that included employees’ Social Security numbers, job assignments, performance ratings and training information, agency officials said. OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-
deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.
“Certainly, OPM is a high-value target,” Donna Seymour, the agency’s chief information officer, said in an interview. “We have a lot of information about people, and that is something that our adversaries want.”
The personal information exposed could be useful in crafting “spear-phishing” e-mails, which are designed to fool recipients into opening a link or an attachment so that the hacker can gain access to computer systems. Using the stolen OPM data, for instance, a hacker might send a fake e-mail purporting to be from a colleague at work.
After the earlier breach discovered in March 2014, the OPM undertook “an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks,” Seymour said. “As a result of adding these tools, we were able to detect this intrusion into our networks.”
“Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM,” Director Katherine Archuleta said in a statement.
In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clearances, officials said.
By contrast, in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said. OPM officials declined to comment on whether the data affected in this incident was encrypted or had sensitive details masked. They said it appeared that the intruders are no longer in the system.
“There is no current activity,” an official said. But Chinese hackers frequently try repeat intrusions.
Seymour said the agency is working to better protect the data stored in its servers throughout the government, including by using data masking or redaction. “We’ve purchased tools to be able to implement that capability for all” the data, she said.
Among the steps taken to protect the network, the OPM restricted remote access to the network by system administrators, officials said. When the OPM discovered the breach, it notified the FBI and the Department of Homeland Security.
A senior DHS official, who spoke on the condition of anonymity because of the ongoing investigation, said the “good news” is that the OPM discovered the breach using the new tools. “These things are going to keep happening, and we’re going to see more and more because our detection techniques are improving,” the official said.
FBI spokesman Josh Campbell said his agency is working with DHS and OPM officials to investigate the incident. “We take all potential threats to public- and private-sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace,” he said.
The intruders used a “zero-day” — a previously unknown cyber-tool — to take advantage of a vulnerability that allowed the intruders to gain access into the system.
[Why the Internet’s massive flaws may never get fixed]
China is one of the most aggressive nations targeting U.S. and other Western states’ networks. In May 2014, the United States announced the indictments of five Chinese military officials for economic cyberespionage — hacking into the computers of major steel and other companies and stealing plans, sensitive negotiating details and other information.
“China is everywhere,” said Austin Berglas, head of cyber investigations at K2 Intelligence and a former top cyber official at the FBI’s New York field office. “They’re looking to gain social and economic and political advantage over the United States in any way they can. The easiest way to do that is through theft of intellectual property and theft of sensitive information.”
Rep. Adam B. Schiff (Calif.), ranking Democrat on the House Intelligence Committee, said the past few months have seen a massive series of data breaches affecting millions of Americans.
“This latest intrusion . . . is among the most shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses,” he said. “The cyberthreat from hackers, criminals, terrorists and state actors is one of the greatest challenges we face on a daily basis, and it’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”
Colleen M. Kelley, president of the nation’s second-largest federal worker union, the National Treasury Employees Union, said her organization “is very concerned” about the breach. “Data security, particularly in an era of rising incidence of identity theft, is a critically important matter,” she said.
“It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks,” she said.
According to a survey of CIOs, security spending is increasing at double the rate of overall investment. 75% of individuals use only three or four passwords across all their accounts. Passwords are not always secure. Windows 10 introduces an alternative to password with Microsoft Passport and Windows Hello.*
Stay on the offense against cybercrime by protecting yourself with Windows 10.
If you’re one of the millions of users of a Samsung Galaxy phone, you might be a potential target for a malicious hacker.
A report released on 6/17/15 by NowSecure, a security firm located in Chicago, found that a glitch in Swift, the keyboard software used by default on all Samsung Galaxy devices could allow a remote attacker to compromise your phone.
This particular bug makes the phone vulnerable to what is known as a “man in the middle” attack. The Swift software consistently sends requests to a server, checking for updates. To someone with the right knowhow, though, it’s possible to impersonate Swift’s server and send through software that can be used to gain control of the device.
The main problem with this vulnerability is that there’s no real solution. The Swift keyboard is so integrated into Samsung’s software that it cannot be removed or disabled — even if it is switched out with a different keyboard app. Steering clear of unsecured Wi-Fi networks will make you less likely to be targeted, but it won’t render you invulnerable.
Swift runs with elevated permissions, giving it pretty much free rein around the phone. This means that a hacker that worms his way into it can also access the Galaxy’s microphone and camera, track the user’s location or listen to their calls. They can even install apps.
NowSecure claims to have made Samsung and Google’s Android team aware of this vulnerability in late 2014, and Samsung reportedly has made a patch available to network providers. It’s not clear, though, whether providers have pushed out the patch to users yet. Many networks have a record of being notoriously slow to push through updates and security patches, and NowSecure’s tests found a number of Galaxy phones on different carriers were still vulnerable as of Tuesday.
If you’re of a more technical bent, you may be interested in seeing the details of NowSecure’s report on their blog. If you’re of a less technical bent, you might want to check with your carrier and try to avoid insecure Wi-Fi networks.
Article by: Andrew Lumby, MSN
[vc_row][vc_column][vc_column_text]
What is EMS? The Enterprise Mobility Suite is the comprehensive cloud solution to address your consumerization of IT, BYOD, and SaaS challenges. The suite is the most cost effective way to acquire all of the included cloud services:
Microsoft Azure Active Directory Premium
Microsoft Intune
Microsoft Azure Rights Management
What are the benefits of EMS?
Enable your people to be productive across the broad array of devices they love with access to the applications they need.
Unify your IT environment with a common identity across on-premises and the cloud, and deeply integrated capabilities for mobile device management (MDM).
Protect your data with a comprehensive set of access control and data protection capabilities.
Azure AD Premium enables:
Self-service password reset for your people, to reduce helpdesk calls
Multi-factor authentication options for greater security
Group-based provisioning and single sign on for over 1000 SaaS apps
Machine learning-driven security reports for visibility and threat management
Robust sync capabilities across cloud and on-premises directories
Microsoft Intune enables:
Mobile application management across devices
Broad device support for Windows, Windows Phone, Apple iOS, and Android devices
Selective wipe of apps and data for greater security
Azure Rights Management enables:
Information protection from the cloud or in a hybrid model with your existing on-premises infrastructure
Integration into your native applications with an easy-to-use SDK
Find guidance and tools to help you successfully deploy the products and services included in the Enterprise Mobility Suite - contact Managed Solution at 800-550-3795.
“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” said Sen. Carl Levin, D-Mich., the committee’s chairman. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”
The report found that Chinese hackers successfully broke into U.S. Transportation Command contractors’ computer systems at least 20 times this past year. The investigation found that TRANSCOM, which is responsible for moving troops and equipment around the world, was only aware of two of those security breaches. The committee included a provision in its version of the National Defense Authorization Act for Fiscal Year 2015 directed at addressing reporting gaps and improving the way in which the Department disseminates information about cyber intrusions into the computer networks of operationally critical contractors.
- With cyber security threats constantly popping up in the news today, it is essential to have protocols in place to protect data
- Information-sharing rules can increase security and prevent a breach
- It’s important for IT security professionals to understand and explain all security policies to staff so suspicious behavior can be reported as soon as threats occur
How can Managed Solution help? Managed Solution can partner with your IT staff or act as your IT team, making it easy to leverage us as little or as much as you need. We provide industry specific technology solutions that blend certified technology, best practices, and an extensive knowledge of compliance requirements. Fill out the form below or call us at 800-550-3795 to speak with an expert.
If you’re one of the millions of users of a Samsung Galaxy phone, you might be a potential target for a malicious hacker.
On September 17, the United States Senate Committee on Armed Services released information describing an investigation on Chinese hackers.
