Monday, October 3, 2016

World Full of Smart Gadgets



Internet Security: A World Full of Smart Gadgets
You’ve heard everyone talk about the “Internet of Things”, “smart cars”, “smart devices or gadgets”. This is just a description of the pervasiveness of computers in our everyday lives. These devices are now being connected to the Internet and this poses challenges to personal privacy and the security of the Internet.

Figure 1. Smart gadgets in a home (image by Steve Johnson, Jeff Durham BayArea News Group)
Figure 1 shows how pervasive these gadgets can become in our lives. Every room in a house will be impacted by this Internet of Things. 

What does this have to do with Virginia Tech? Well, today’s students show up on campus with at least 4-5 devices that need to be connected to the network. These include the University required computer, their smart phone, tablet, gaming consoles like Xbox, and usually a smart device like a smart TV or radio. Each of these devices is a specialized computer and unfortunately they’re not secured by the manufacturer. For example, printers, copiers and scanners have no passwords associated with them by default. Figure 1 shows how common household devices will be able to gather personal information (schedules, preferences, health) of the occupants. These devices can transmit that information to advertisers, manufacturers. 

Recently these types of devices have been taken over by hackers and used to attack other sites. Brian Krebs, a well known journalist, was the target of an internet DDOS attack that forced his www site offline for a number of days. This was in response to a series of articles he wrote about cyber criminals being captured. They retaliated by launching a massive denial of service attack against his www site. It's believed that many of the attacking hosts were “smart” gadgets. The new IoT botnet Mirai was used to launch a historically huge attack against Brian Kreb's site (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/) and is guaranteed to cause mayhem on the net.

Security experts have been warning the community about the lack of security in Internet of Things (IoT)/smart gadgets. Unfortunately, someone else heeded the warnings and took advantage of this knowledge.

Stay tuned for more.






Friday, September 30, 2016

The Internet of Cows



Glenn Fink, a security researcher at Pacific Northwest Labs, did a presentation called the “Internet of Cows” where he showed how dairy farming has become an automated, internet accessible business process. He took  the discussion one step further by saying that cows make great human surrogates in the privacy debates surrounding IoT. He showed how data from almost every single biological process of a cow (health, reproduction, location, sounds) is monitored by IoT.  Analysis of herd data allows farmers to predict the health of a cow, the optimum time for reproduction and milk production. He maintained that cows don’t object to this type of management and therefore, this is why they are well suited to study the effects of intrusive monitoring. 

It was one of those presentations that makes you go "hmmmmm". The use of "biological" Internet of Things has been well established in the animal husbandry world. As Glenn stated, we're already moving in this direction with regard to human health monitoring. The privacy implications of such monitoring should concern most  of us these days. I've always said that I don't mind external sites collecting data about me as long as a) the default is opt-out where no data is sent out b) you tell me what you're going to do with my data c) you protect my data from unauthorized access.  Obviously, this isn't the norm these days. 

Hopefully, as more "fitness" IoT devices enter the market, people will start to demand their health info be safeguarded as much as possible.  More on this later....

Monday, April 4, 2016

I'm Back

Yes, it's been a while since I've posted something here. It's been a busy, crazy year. Here are some of the things we've been doing here at VA Tech. I'll be posting some blog entries with more details on each of the items. Consider this entry to be a "headlines" blog.

1. Stacy Kaye from Silverbull.co interviewed me about being a CISO. Her article can be found here
http://www.silverbull.co/a-day-in-the-life-of-a-ciso-virginia-tech/
I will warn you that the picture in the article is my official VT photo and doesn't reflect my usual attire :-)

2. MT6D - Moving Target IPv6 Defense. A series of research projects based on Matt Dunlop and Stephen Groat's research involving dynamic address switching as a defense against DDOS attacks in IPv6. Their original research has spun off a number of secondary MT6D research. Pretty neat and exciting stuff they did. Think radio frequency hopping but instead of hopping frequencies, we hop IPv6 addresses

3. Continuous Monitoring Update - an update on our evergoing continuous monitoring project

So keep in touch for more blogs coming up here and at http://www.securitycurrent.com/en/writers/randy-marchany