The Internet of Things – or Everything’s on the Internet?

No Comments

Another – now not so – new term circulating over the past year or so is the phenomenon known as the, ‘Internet of Things’ or IoT. An expression many of us have become accustomed to which refers to objects, household items, appliances and – as they say – THINGS, which are connected to the internet.

Many cyber security experts have been pointing out concerns over the IoT and how we can keep ourselves protected as our fridges, TVs, light bulbs and the surprising list goes on, have the ability to fire out data and information, where no command from the user is required.

A vulnerability in LIFX smart LED light bulbs was reported via the BBC, the concern lay in the messages being transmitted between bulbs and the network. Within the light bulb – to – light bulb conversation WIFI passwords, and credentials were being passed potentially putting control of the lights into hacker’s hands. Luckily this flaw was identified by Context Security and manufacturer, Kickstarter-based brand LIFX has now patched up the issue.

If you didn’t think it could get much stranger than online lightbulbs, in a recent article I read just had to squeeze in this last item which really shows the diversity of IoT – Chopsticks! Yes, chopsticks, the kind which flash a blue light if the food it touches is fresh and safe to eat, or red if the meal is a no go! With this idea I can see the practicality, developed by the ‘Chinese Google’ – Baidu, the sensor-attached chopsticks can identify contamination levels, temperature and calories of your meal. The ‘smart-chopsticks’ come with an app to display these findings, Business Insider reported the product is not yet ready for public release but has had great results so far. Check out the YouTube video to see them in action. Although I have to say, if I was ready to tuck into my favourite meal and the little blighters flashed up red… I may find myself just reaching for a fork?!

These connected devices have been created to make our lives that little bit easier, tell us we’re out of milk, allow us to stick the heating on while in Starbucks, pop the sprinkler on, and even monitor your home surveillance from your smartphone, including the baby monitor! So, at what point in this joyful my-life-is-so-much-easier mood do we stop and think about how secure all of this data being catapulted into the network or cloud actually is?

The tale to make you STOP and think!

Well one story I read a couple of months ago on Forbes.com which should shock the blissful ignorance out of some IoT users is the story of Foscam, a global IP camera producer based in China. Foscam was also at the centre of a security story that involves two concerned (and pretty damn techie) fathers testing the operating system of the baby monitor Foscam camera. With some pretty worrying results.

Sergey Shekyan and Artem Harutyunyan, both studied software engineering at university together, before becoming neighbors (for a second time) and then Shekyan became a father and purchased a cheap baby monitor for $40. It was this low price-tag that caused him to become suspicious, a camera which could send texts and emails could not possibly be doing so correctly/safely for the low price. So the investigation began.

As I said these guys were software engineers, not security researchers or the likes. They sent requests to the operating systems to find out how easy the devices were to hack remotely, “If someone has physical access to your devices, you’re pwned,” says Harutyunyan. They made connection requests to see if they could force the camera to perform software updates, which should be refused when the devices identifies the incorrect /non-existent signature cryptographically assigned to the update. “You can’t force an update on an iPhone, for example. We figured out the Foscam will accept just about anything. But it’ll brick” Serygey told Kashmir Hill of Forbes.com. And they did ‘brick’, all ten of them

All of the above being said, they also found a French security researcher, on a Foscam forum, who had identified that any Foscam could be logged into, simply using the password, admin. Yes, really, it still happens!

With the IoT is appears the functionality, useful-ness (for lack of a better word) and promotional tactics came before the consideration of security, surprising in today’s world with 400 serious data breaches this year, as at July 2014. However, the key concern with these devices is the simplicity of configuration, including (VERY) poor passwords applied, with no real request to users to change these to more complex options.

This is just a selection of some more recent (or indeed, more shocking) examples of the security and privacy risks surrounding the connectivity being integrated into day-to-day things. Analyst group IDC predicts the growth of this market will continue resulting in an estimated 212 billion devices making up the Internet of Things by 2020.

Over hyped?

Yes, according to the Guardian article reporting that Gartner have identified IoT alongside wearable tech, consumer 3D printing and autonomous vehicles, as all being at the “peak of the Hype-Cycle”. So as the IoT hype is ‘peaks’ so will the interest of cybercriminals, ready to adapt attacks for the latest devices. It just happens to be a fridge for example as opposed to the latest iPhone device, they will find a way, as it seems they have already found a way.

HP conducted a study on 10 of the most popular devices, here’s a quick run-down of the figures;

· 60% did not use encryption when downloading software updates

· 70% of devices used unencrypted network services

· 70% of cloud/mobile devices allow attackers to view user accounts

· 80% of cloud/mobile devices failed the requirement of a sufficiently complex password

· 90% of devices gathered at least one piece of personal info (…if you ask me one is enough!)

Is there anything we can do?

Taking all of the above into account, this concept is one we are going to have to get our heads around and start planning the security landscape around the collective of online devices vastly taking over society. Hence the aim from the Open Interconnect Consortium (OIC) to boost the development of IoT, while creating a communications framework reflecting the industry standards to control the information exchanged between IoT devices.

The OIC encompasses Dell, Intel, Samsung, Amtel and others to collaborate security on devices which transmit information through an internet connection. As stated on the OIC website the benefits of having an ‘interoperable’ approach which is scalable, will become apparent for companies, developers, right down to the end users (well the end users concerned with consistent security and privacy levels).

So there is optimism with the IoT growth booming to 26bn by 2020, and with this optimism comes concern, however keep an eye on the OIC’s progress in placing industry standards. Finally if at minimum I can give you this as a basic rule, don’t cheap out on anything that is connecting to the Internet – even down to a lightbulb, well so long as you care about your personal privacy and online security.

Which I hope ya’ll do…or you’re reading the wrong blog.

Don’t let Cybercriminals catch you offside this World Cup

No Comments

As the World Cup buzz (thankfully not that of the notorious Vuvuzela’s) gets louder make sure you can protect your employees, students or other web users and most importantly yourself, from phishing, scams and other dangerous nasty stuff during and likely lingering after, this year’s World Cup in Brazil.

Phishing, malware

Kaspersky Lab’s Senior Security Researcher, Fabio Assolini revealed that in Brazil alone there are 50-60 new phishing domains detected and blocked each day. World Cup hype of course spreads far beyond the country hosting this year’s much anticipated event, resulting in multi-national concern for user safety.

Sophisticated design presents legitimate-looking web pages– often using recognisable brand graphics, such as Mastercard/Visa etc, photos of well-known personalities – prompting users to enter personal details or download malicious files. These sites can appear to be safe by using  ‘https’, the ‘S’ standing for secure is unfortunately a metric we can no longer fully trust, as cyber criminals can now purchase ‘valid’ SSL certificates from certification authorities including Comodo, EssentialSSL, Starfield and more.

Further reinforcing the impressive work of the phishers, these ‘ligit’ looking sites are also served up in mobile format, risking mobile users who click a link on their smartphone or other device. Kaspersky’s Assolini has a few good examples of these risky sites sporting professional design in his blog.

West Spam United

After nabbing a few tips to identify a devious webpage, you may think an email with your full name, address, DOB and mother’s maiden name must be the real deal, I mean they know all of this about you.

Well, unfortunately, you’d be wrong. Breached databases are spilling out from News rooms everywhere, occurring anywhere from huge organisations to SMEs. The stolen data is bought by cybercriminals who gain a wealth of personal information, and can use this to obtain a user’s trust. According to Kaspersky this is one strategy adopted by spammers, an email may state ‘You have won a ticket’ and prompt the user to download a PDF with Trojan banker.

The second option is to send an ‘Impersonal email’, again with a subject hinting at World Cup ticket prizes, or the like. These tend to direct the user to a webpage – via a link in the email – which would contain digitally-signed malware. For example, “To ‘claim’ your ticket print it off” and when clicked the link will point to a digitally-signed Trojan banker.

Send the criminals offside!!

You may think that because you’re not going to Brazil, and you’re not buying any tickets, that you are safe. Unfortunately you are wrong…very wrong. Web users whether in your home, or workplace can be at risk of malware-infected phishing sites and spam emails, these steps can help keep you right.

Interacting with ‘World Cup’ impersonating webpages in an attempt to view online content such as streaming services, can present huge risk to the network and also put great strain on bandwidth. If pages such as these are left running in the background, in a corporate or educational environment, the impact on bandwidth can impinge on business-critical tasks.

To keep Web users secure from spam and phishing this World Cup we can promote (and embrace yourself) here’s some simple tips,

1. *Broken-record-moment* Do NOT click on a link in an email if you are (even slightly) unsure as to who it was sent from, the same goes for opening attachments.

2. Websites with ‘httpS’ are generally more secure than ‘http’ but cannot necessarily be fully trusted.

3. Ensure anti-malware is installed, ensure it blacklists phishing sites, and ENSURE (most importantly) it is up-to-date.

4. Any Web or Email filter must be categorizing in real-time ensuring dangerous sites and emails (both personal and business) are blocked at the point-of-request, and the filter must offer bandwidth control.

Please excuse the Football-related puns, I couldn’t resist

Unravelling the confusion around Net Neutrality

No Comments

Recent news headlines (Business Insider) can provide us with a little intro into what ‘Network Neutrality’ (the topic in question) is, and more importantly what difference it will, or will not make to our connected online lives.

The FCC Just Approved a Proposal That Will Completely Change the Internet As We Know It

“Ignore the Complaints of Netflix’s CEO, the Internet Isn’t Ruined … Yet”

What’s it all really about?!

Net neutrality in essence is the belief that the Internet should be a free and open platform, without discrimination based on what you choose to use your bandwidth on.

I feel this is more than fair enough… it is our broadband aka our Internet after all, so I will do with it what I wish (as long as I stay within the law, again fair enough). To put this in perspective, I would not expect to have the power cut/slowed for my Xbox One, purely because my electricity provider prefers Sony and the PS4?!

So why should ISPs, for example Comcast (famously against net neutrality) have the power to decide if Netflix, for instance, is a priority, and reduce bandwidth speeds based on how they are choosing to distribute. Comcast’s affiliate company NBC could be given top priority and run like a dream, and if they choose to, they can force Netflix to run very, very slowly. Alternatively in the worst case scenario (yes there really is a worse scenario than a SLOW streaming service) they could force users to pay extra to even gain access to the sites and content they desire.

The site linked below, offers a great visual scroll-through of what ISPs give us now, with a neutral Internet, and what would happen to the way our bandwidth is served up should this open, free Internet be swiped from beneath our terrified little feet. http://www.theopeninter.net/

Changes such as these to the Internet we all know and – let’s be honest – love, we do really, could affect numerous aspects to our lives. I do not feel I am being melo-dramatic about this either, hear a thought-provoking take on net neutrality from ‘The Woz’ himself back in 2010.

“If I had to pay for each bit I used on my 6502 microprocessor, I would not have been able to build my own computers anyway. What if we paid for our roads per mile that we drove?”

And his views now?

“The early Internet was so accidental, it also was free and open in this sense… Please, I beg you, open your senses to the will of the people to keep the Internet as free as possible.” The Register, Steve Wozniak, 2014

This link will take you to an image which could be a pretty scary glimpse into what ISPs may be offering in their service packages, should Comcast and others’ get their way, note this is an exaggerated projection, yet remains horribly believable as to what could become our future broadband bill….

Charges for each different type of content you want? Not nice is it?!

So now we need to focus on the most recent dispute on net neutrality – there have been a few – and what this means for us. From what I can identify we have two options/scenarios/things that will happen anyway, out-with our control… but I will lay these out (in plain ol’ English) so we are all on the same page. Simply put by the Guardian, “The proposal either protects or undermines net neutrality, depending on how much you trust the FCC.”

1. Apply an ‘effective competition test’ in which there would be a bar where any deal must provide evidence of being “commercially reasonable” and ISPs have to achieve this level in order to prioritize specific traffic.

2. The FCC declare the Internet to be a utility, such as water or electricity, i.e. data is transmitted at an equal rate, mirroring the way our power travels across the grid, in a neutralway. This was how broadband was treated until 2002 when George W Bush separated telecoms communications from “information services”.

Unravelling the confusion around Net Neutrality

No Comments

Recent news headlines (Business Insider) can provide us with a little intro into what ‘Network Neutrality’ (the topic in question) is, and more importantly what difference it will, or will not make to our connected online lives.

The FCC Just Approved a Proposal That Will Completely Change the Internet As We Know It

“Ignore the Complaints of Netflix’s CEO, the Internet Isn’t Ruined … Yet”

What’s it all really about?!

Net neutrality in essence is the belief that the Internet should be a free and open platform, without discrimination based on what you choose to use your bandwidth on.

I feel this is more than fair enough… it is our broadband aka our Internet after all, so I will do with it what I wish (as long as I stay within the law, again fair enough). To put this in perspective, I would not expect to have the power cut/slowed for my Xbox One, purely because my electricity provider prefers Sony and the PS4?!

So why should ISPs, for example Comcast (famously against net neutrality) have the power to decide if Netflix, for instance, is a priority, and reduce bandwidth speeds based on how they are choosing to distribute. Comcast’s affiliate company NBC could be given top priority and run like a dream, and if they choose to, they can force Netflix to run very, very slowly. Alternatively in the worst case scenario (yes there really is a worse scenario than a SLOW streaming service) they could force users to pay extra to even gain access to the sites and content they desire.

The site linked below, offers a great visual scroll-through of what ISPs give us now, with a neutral Internet, and what would happen to the way our bandwidth is served up should this open, free Internet be swiped from beneath our terrified little feet. http://www.theopeninter.net/

Changes such as these to the Internet we all know and – let’s be honest – love, we do really, could affect numerous aspects to our lives. I do not feel I am being melo-dramatic about this either, hear a thought-provoking take on net neutrality from ‘The Woz’ himself back in 2010.

“If I had to pay for each bit I used on my 6502 microprocessor, I would not have been able to build my own computers anyway. What if we paid for our roads per mile that we drove?”

And his views now?

“The early Internet was so accidental, it also was free and open in this sense… Please, I beg you, open your senses to the will of the people to keep the Internet as free as possible.” The Register, Steve Wozniak, 2014

This link will take you to an image which could be a pretty scary glimpse into what ISPs may be offering in their service packages, should Comcast and others’ get their way, note this is an exaggerated projection, yet remains horribly believable as to what could become our future broadband bill….

Charges for each different type of content you want? Not nice is it?!

So now we need to focus on the most recent dispute on net neutrality – there have been a few – and what this means for us. From what I can identify we have two options/scenarios/things that will happen anyway, out-with our control… but I will lay these out (in plain ol’ English) so we are all on the same page. Simply put by the Guardian, “The proposal either protects or undermines net neutrality, depending on how much you trust the FCC.”

1. Apply an ‘effective competition test’ in which there would be a bar where any deal must provide evidence of being “commercially reasonable” and ISPs have to achieve this level in order to prioritize specific traffic.

2. The FCC declare the Internet to be a utility, such as water or electricity, i.e. data is transmitted at an equal rate, mirroring the way our power travels across the grid, in a neutral way. This was how broadband was treated until 2002 when George W Bush separated telecoms communications from “information services”.

What’s all this hype about the ‘Deep Web’?

No Comments

Bloxx CEO Charles Sweeney recently wrote for Tech Radar, “What is the Deep Web and why should you care about it?” this leading tech discussion site covers IT insights from a business point of view.

The Deep Web, or as it’s sometimes referred to, the Dark Web, is something of a hot topic at the moment. Businesses must ensure they are doing the utmost to protect their network from the bad guys, but also from their own employees and in many cases – unintentionally – even themselves. Knowledge on what is out there and the risks that could be presented to organisations as a result, is the secret to taking the first steps toward improving defences against cyber threats.

The Dark Web is not identifiable by any search engine, this being the primary intention of these sites, the content within these is not indexed by Google and the other search engine tools. The web you can search – the web we know – which you may think is vast, and extensive, is really just the ‘tip of the iceberg’. Earlier this year we created our ‘Big Web’ infographic which gives you a visual low-down of this concept, and a stack of facts about other nasties on the darker side of the Internet.
Many recent stories have cast a new bout of interest on the Deep Web, you may have picked up on news of the website ‘Silk Road’ being shut down. If not – don’t worry you are probably not alone – the short of it is, effectively this was a ‘black market’ website used within a network on the Dark Web to trade – mainly – illegal goods and services. Eventually the creator was arrested and forced to shut it down, however replicate versions of this type of site easily, and quickly go live to replace the predecessor.

This site existed on the open-source network, ‘Tor’ (The Onion Router), a tool previously rarely discussed outside of the tech community, but now features regularly on mainstream media, and causes a few headaches for the NSA. The creators of this network shun accusations it solely provides a platform for malicious and/or illegal activity, and present their argument with lists of legitimate users their service is beneficial to, including journalists and whistleblowers etc. Their claim is that this is a service to escape the surveillance we hear so much of, allowing users to browse anonymously, hence the NSA’s annoyance.

We can’t see it, so we’re not worried…

When a business thinks about Internet Security, the Web they may have never been on, and that Google cannot find, may not be a priority in their Web filtering concerns or cyber security strategy. However as discussed by Sweeney from an enterprise perspective the Deep Web presents key challenges.

Organisations require a Web content filter that controls any use of anonymous proxies, by using real-time categorization and not relying on any URL lists, to ensure employees don’t access the Deep Web at work, on purpose or accidentally (and yes, it is possible!). In addition the Tech Radar article highlights the difficulties in ‘keeping the bad guys out’, of something you cannot see.

Why the Dark Web was created, and however it is being used, it exists, so do you know all you need to know about the Internet’s malicious big brother?

_________________________________________

Download the Bloxx Infographic here.

Read the full article by Charles Sweeney, on Tech Radar.